Printed by root May 07, 12 21:14

openvpn(8) openvpn(8)

Page 1/69

May 07, 12 21:14

Page 2/69

If config file is the only option to the openvpn command, the config can be removed, and the command can be given as openvpn file Note that configuration files can be nested to a reasonable depth.

NAME openvpn secure IP tunnel daemon. SYNOPSIS openvpn [ options ... ] INTRODUCTION OpenVPN is an open source VPN daemon by James Yonan. Because OpenVPN tr ies to be a universal VPN tool offering a great deal of flexibility, there are a lot of options on this manual page . If youre new to OpenVPN, you might want to skip ahead to the examples section where you will see how to construct simple VPNs on the command line without even needing a configuration file. Also note that theres more documentation and examples on the OpenVPN web site: http://openvpn.net/ mes: And if you would like to see a shorter version of this manual, see the op envpn usage message which can be obtained by running openvpn without any parameters. DESCRIPTION OpenVPN is a robust and highly flexible VPN daemon. OpenVPN supports SS L/TLS security, ethernet bridging, TCP or UDP tunnel transport through proxies or NAT, support for dynamic IP addre sses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms. OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it. OpenVPN supports conventional encryption using a preshared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates. OpenVPN also supports nonencrypted TCP/UDP tunnels. OpenVPN is designed to work with the TUN/TAP virtual networking interface that exists on most platforms. Overall, OpenVPN aims to offer many of the key features of IPSec but with a relatively lightweight footprint. OPTIONS OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a doubleleadingdash (""), this prefix c an be removed when an option is placed in a configuration file. help Show options. config file Load additional config options from file where each line correspon ds to one command line option, but with the leading removed. es.html Here is an example configuration file: # # Sample OpenVPN configuration file for # using a preshared static key. # # # or ; may be used to delimit comments. # Use a dynamic tun device. dev tun # Our remote peer remote mypeer.mydomain # 10.1.0.1 is our local VPN endpoint # 10.1.0.2 is our remote VPN endpoint ifconfig 10.1.0.1 10.1.0.2 # Our preshared static key secret static.key Tunnel Options: mode m Set OpenVPN major mode. By default, OpenVPN runs in pointtopoin t mode ("p2p"). OpenVPN 2.0 introduces a new mode ("server") which implements a multiclient server capabil ity. local host Local host name or IP address for bind. If specified, OpenVPN wil l bind to this address only. If unspeciM^@M^P fied, OpenVPN will bind to all interfaces. secret "c:\\OpenVPN\\secret.key" For examples of configuration files, see http://openvpn.net/exampl Double quotation or single quotation characters ("", ) can be us ed to enclose single parameters containM^@M^P ing whitespace, and "#" or ";" characters in the first column can be used to denote comments. Note that OpenVPN 2.0 and higher performs backslashbased shell e scaping for characters not in single quoM^@M^P tations, so the following mappings should be observed: \\ \" Maps to a single backslash character (\). Pass a literal doublequote character ("), dont interpret it as enclosing a parameter. \[SPACE] Pass a literal space or tab character, dont interpret it as a parameter delimiter. For example on Windows, use double backslashes to represent pathna

Monday May 07, 2012

1/35

Printed by root May 07, 12 21:14

Page 3/69

May 07, 12 21:14

list.

Page 4/69

remote host [port] [proto] Remote host name or IP address. On the client, multiple remote options may be specified for redundancy, each referring to a different OpenVPN server. Specifying multip le remote options for this purpose is a special case of the more general connectionprofile feature. See the <connection> documentation below. the order The OpenVPN client will try to connect to a server at host:port in specified by the list of remote options.

Here is an example of connection profile usage: client dev tun <connection> remote 198.19.34.56 1194 udp </connection> <connection> remote 198.19.34.56 443 tcp </connection> <connection> remote 198.19.34.56 443 tcp httpproxy 192.168.0.8 8080 httpproxyretry </connection> <connection> remote 198.19.36.99 443 tcp httpproxy 192.168.0.8 8080 httpproxyretry </connection> persistkey persisttun pkcs12 client.p12 nscerttype server verb 3 First we try to connect to a server at 198.19.34.56:1194 using UDP If that fails, we then try to connect to 198.19.34.56:443 using TCP. If that also fails, then try connecting through an HTTP proxy at 192.168.0.8:8080 to 198.19.34.56:443 using TCP. Finally, try to c onnect through the same proxy to a server at 198.19.36.99:443 using TCP. . The following OpenVPN options may be used inside of a <connection> block: bind, connectretry, connectretrymax, connecttimeout, float, h ttpproxy, httpproxyoption, httpproxy retry, httpproxytimeout, local, lport, nobind, port, proto, remo te, rport, socksproxy, and socksproxy retry. A defaulting mechanism exists for specifying options to apply to all <connection> profiles. If any of the above options (with the exception of remote ) appear outside of a <connection> block, but in a configuraM^@M^P tion file which has one or more <connection> blocks, the option se tting will be used as a default for <conM^@M^P nection> blocks which follow it in the configuration file. For example, suppose the nobind option were placed in the sample c onfiguration file above, near the top of the file, before the first <connection> block. The effect would b e as if nobind were declared in all <conM^@M^P

proto indicates the protocol to use when connecting with the remot e, and may be "tcp" or "udp". The client will move on to the next host in the list, in the event of connection failure. Note that at any given time, the OpenVPN client will at most be connected to one se rver. ned by the Note that since UDP is connectionless, connection failure is ping and pingrestart options. defi

Note the following corner case: If you use multiple remote opti ons, AND you are dropping root privileges on the client with user and/or group, AND the client is runnin g a nonWindows OS, if the client needs to switch to a different server, and that server pushes back different TUN/TAP or route settings, the client may lack the necessary privileges to close and reopen the T UN/TAP interface. This could cause the client to exit with a fatal error. If remote is unspecified, OpenVPN will listen for packets from any IP address, but will not act on those packets unless they pass all authentication tests. This requireme nt for authentication is binding on all potential peers, even those from known and supposedly trusted IP addresses (it is very easy to forge a source IP address on a UDP packet). When used in TCP mode, remote will act as a filter, rejecting co nnections from any host which does not match host. If host is a DNS name which resolves to multiple IP addresses, one will be randomly chosen, providing a sort of basic loadbalancing and failover capability. <connection> Define a client connection profile. Client connection profiles ar e groups of OpenVPN options that describe how to connect to a given OpenVPN server. Client connection prof iles are specified within an OpenVPN conM^@M^P figuration file, and each profile is bracketed by <connection> and </connection>. An OpenVPN client will try each connection profile sequentially un til it achieves a successful connection. remoterandom can be used to initially "scramble" the connection

Monday May 07, 2012

2/35

Printed by root May 07, 12 21:14

nection> blocks below it. remoterandom When multiple remote address/ports are specified, or if connecti on profiles are being used, initially randomize the order of the list as a kind of basic loadbalancing measure. proto p Use protocol p for communicating with remote host. tcpclient, or tcpserver. p can be udp,

Page 5/69

May 07, 12 21:14

ption API. This option exists in OpenVPN 2.1 or higher.

Page 6/69

httpproxy server port [authfile|auto|autonct] [authmethod] Connect to remote host through an HTTP proxy at address server and port port. If HTTP ProxyAuthenticate is required, authfile is a file containing a username and passw ord on 2 lines, or "stdin" to prompt from console. authmethod should be one of "none", "basic", or "ntlm". HTTP Digest authentication is supported as well, but only via the auto or autonct flags (below). The auto flag causes OpenVPN to automatically determine the authm ethod and query stdin or the management interface for username/password credentials, if required. This fl ag exists on OpenVPN 2.1 or higher. The autonct flag (no cleartext auth) instructs OpenVPN to a utomatically determine the authentication method, but to reject weak authentication protocols such as HTTP B asic Authentication. httpproxyretry Retry indefinitely on HTTP proxy errors. ccurs, simulate a SIGUSR1 reset. httpproxytimeout n Set proxy timeout to n seconds, default=5. httpproxyoption type [parm] Set extended HTTP proxy options. ). AGENT useragent Set HTTP "UserAgent" string to useragent. socksproxy server [port] Connect to remote host through a Socks5 proxy at address server an d port port (default=1080). socksproxyretry Retry indefinitely on Socks proxy errors. occurs, simulate a SIGUSR1 reset. If a Socks proxy error Repeat to set multiple options. If an HTTP proxy error o

The default protocol is udp when proto is not specified. For UDP operation, proto udp should be specified on both peers. For TCP operation, one peer must use proto tcpserver and the o ther must use proto tcpclient. A peer started with tcpserver will wait indefinitely for an incoming con nection. A peer started with tcpclient will attempt to connect, and if that fails, will sleep for 5 se conds (adjustable via the connectretry option) and try again infinite or up to N retries (adjustable via the connectretrymax option). Both TCP client and server will simulate a SIGUSR1 restart signal if ei ther side resets the connection. OpenVPN is designed to operate optimally over UDP, but TCP capabi lity is provided for situations where UDP cannot be used. In comparison with UDP, TCP will usually be somew hat less efficient and less robust when used over unreliable or congested networks. This article outlines some of problems with tunneling IP over TCP:

VERSION version Set HTTP version number to version (default=1.0 http://sites.inka.de/sites/bigred/devel/tcptcp.html There are certain cases, however, where using TCP may be advanta geous from a security and robustness perM^@M^P spective, such as tunneling nonIP or applicationlevel UDP protoc ols, or tunneling protocols which dont possess a builtin reliability layer. connectretry n For proto tcpclient, take n as the number of seconds to wait be tween connection retries (default=5). connectretrymax n For proto tcpclient, take n as the number of retries of connect ion attempt (default=infinite). autoproxy Try to sense HTTP or SOCKS proxy settings automatically. If no settings are present, a direct connection will be attempted. If both HTTP and SOCKS settings are present, H TTP will be preferred. If the HTTP proxy server requires a password, it will be queried from stdin or the management interface. If the underlying OS doesnt support an API for returning proxy settings, a direct c onnection will be attempted. Currently, only Windows clients support this option via the InternetQueryO

resolvretry n If hostname resolve fails for remote, retry resolve for n second s before failing. Set n to "infinite" to retry indefinitely. By default, resolvretry infinite is enabled. y setting n=0. float Allow remote peer to change its IP address and/or port number, suc h as due to DHCP (this is the default if remote is not used). float when specified with remote allow s an OpenVPN session to initially connect You can disable b

Monday May 07, 2012

3/35

Printed by root May 07, 12 21:14

Page 7/69

May 07, 12 21:14

Page 8/69

to a peer at a known address, however if packets arrive from a new address and pass all authentication tests, the new address will take control of the session. This is useful when you are connecting to a peer which holds a dynamic address such as a dialin user or DHCP clien t. Essentially, float tells OpenVPN to accept authenticated packets from any address, not only the address which was specified in the remote option.

nobind Do not bind to local address and port. The IP stack will allocate a dynamic port for returning packets. Since the value of the dynamic port could not be known in advanc e by a peer, this option is only suitable for peers which will be initiating connections by using the remo te option. dev tunX | tapX | null TUN/TAP virtual network device ( X can be omitted for a dynamic de vice.) See examples section below for an example on setting up a TUN devi ce. You must use either tun devices on both ends of the connection or tap devices on both ends. You cannot mix them, as they represent different underlying network layers.

ipchange cmd Execute shell command cmd when our remote ipaddress is initially authenticated or changes. Execute as: cmd ip_address port_number Dont use ipchange in mode server mode. t script instead. See the "Environmental Variables" parameters passed as environmental variM^@M^P ables. Use a clientconnec

tun devices encapsulate IPv4 or IPv6 (OSI Layer 3) while tap devi ces encapsulate Ethernet 802.3 (OSI Layer 2). devtype devicetype Which device type are we using? devicetype should be tun (OSI La yer 3) or tap (OSI Layer 2). Use this option only if the TUN/TAP device used with dev does not begin w ith tun or tap. topology mode Configure virtual addressing topology when running in dev tu n mode. This directive has no meaning in dev tap mode, which always uses a subnet topology. If you set this directive on the server, the server and serve directives will automatically push your chosen topology setting to clients as well. This directive can also be manually pushed to clients. Like the dev directive, this directive must always be compatible between client and server. rbridge mode can be one of: net30 Use a pointtopoint topology, by allocating one /30 subn This is designed to allow pointtopoint semantics when some or all of the connecting clien ts might be Windows systems. This is the default on OpenVPN 2.0. et per client. p2p Use a pointtopoint topology where the remote endpoint of the clients tun interface always points to the local endpoint of the servers tun interface. This mode a llocates a single IP address per connectM^@M^P ing client. Only use when none of the connecting clients are Wind ows systems. This mode is functionally equivalent to the ifconfigpoollinear directive which is availa ble in OpenVPN 2.0 and is now deprecated. subnet Use onfiguring the tun interface IP address and tap and ethernet bridging a subnet rather than a pointtopoint topology by c with a local subnet mask, similar to the topology used in dev mode. This

section below for additional

Note that cmd can be a shell command with multiple arguments, in w hich case all OpenVPNgenerated arguments will be appended to cmd to build a command line which will be pass ed to the script. If you are running in a dynamic IP address environment where the IP addresses of either peer could change without notice, you can use this script, for example, to edit the /etc/hosts file with the current address of the peer. The script will be run every time the remote peer ch anges its IP address. Similarly if our IP address changes due to DHCP, we should config ure our IP address change script (see man page for dhcpcd(8) ) to deliver a SIGHUP or SIGUSR1 signal to Open VPN. OpenVPN will then reestablish a connection with its most recently authenticated peer on its new IP address. port port TCP/UDP port number ault of 1194 represents the official port number assignment 2.0beta17. Previous versions used 5000 as the default. for both local and remote. The current def IANA for OpenVPN and has been used since version port

lport port TCP/UDP port number for bind. rport port TCP/UDP port number for remote. bind Bind to local address and y of proto tcpclient , httpproxy or socksproxy are used. port. This is the default unless an

Monday May 07, 2012

4/35

Printed by root May 07, 12 21:14

Page 9/69

May 07, 12 21:14

Page 10/69

mode allocates a single IP address per connecting client and works on Windows as well. Only available when server and clients are OpenVPN 2.1 or higher, or OpenVPN 2.0.x whi ch has been manually patched with the topology directive code. When used on Windows, requires versi on 8.2 or higher of the TAPWin32 driver. When used on *nix, requires that the tun driver supports an ifconf ig(8) command which sets a subnet instead of a remote endpoint IP address. This option exists in OpenVPN 2.1 or higher. tunipv6 Build a tun link capable of forwarding IPv6 traffic. Should be us ed in conjunction with dev tun or dev tunX. A warning will be displayed if no specific IPv6 TUN support for your OS has been compiled into OpenM^@M^P VPN. devnode node Explicitly set the device node rather than using /dev/net/tun, /d ev/tun, /dev/tap, etc. If OpenVPN cannot figure out whether node is a TUN or TAP device based on the name, you should also specify devtype tun or devtype tap. On Windows systems, select the TAPWin32 adapter which is name d node in the Network Connections Control Panel or the raw GUID of the adapter enclosed by braces. The sh owadapters option under Windows can also be used to enumerate all available TAPWin32 adapters and will show both the network connections control panel name and the GUID for each TAPWin32 adapter. lladdr address Specify the link layer address, more commonly known as the MAC add Only applied to TAP devices. iproute cmd Set alternate command to execute instead of default iproute2 comma May be used in order to execute OpenVPN in unprivileged environment.

are attempting to connect to a remote ethernet bridge, the IP addr ess and subnet should be set to values which would be valid on the the bridged ethernet segment (note als o that DHCP can be used for the same purM^@M^P pose). This option, while primarily a proxy for the ifconfig(8) command, simplify TUN/TAP tunnel configuration by providing a standard interface to the differ ent ifconfig implementations on different platforms. is designed to ifconfig parameters which are IP addresses can also be specified as a DNS or /etc/hosts file resolvable name. For TAP devices, ifconfig rface will be getting an IP address lease from a DHCP server. should not be used if the TAP inte

ifconfignoexec Dont actually execute ifconfig/netsh commands, instead pass ifc onfig parameters to scripts using enviM^@M^P ronmental variables. ifconfignowarn Dont output an options consistency check warning if the ifcon fig option on this side of the connection doesnt match the remote side. This is useful when you want to re tain the overall benefits of the options consistency check (also see disableocc option) while only disab ling the ifconfig component of the check. For example, if you have a configuration where the local host uses ifconfig but the remote host does not, use ifconfignowarn on the local host. nflicts which This option will also silence warnings about potential address occasionally annoy more experienced users by triggering "false positive" warnings. co

ress.

nd.

ifconfig l rn Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segM^@M^P ment which is being created or connected to. For TUN devices, which facilitate virtual pointtopoint IP conne ctions, the proper usage of ifconfig is to use two private IP addresses which are not a member of any exis ting subnet which is in use. The IP addresses may be consecutive and should have their order rever sed on the remote peer. After the VPN is established, by pinging rn, you will be pinging across the VPN. For TAP devices, which provide the ability to create virtual ether net segments, ifconfig is used to set an IP address and subnet mask just as a physical ethernet adapt er would be similarly configured. If you

route network/IP [netmask] [gateway] [metric] Add route to routing table after connection is established. Multi ple routes can be specified. Routes will be automatically torn down in reverse order prior to TUN/TAP devic e close. This option is intended as a convenience proxy for the route(8) sh ell command, while at the same time proM^@M^P viding portable semantics across OpenVPNs platform space. netmask default 255.255.255.255 gateway default taken from routegateway or the second parame ter to ifconfig when dev tun is specM^@M^P ified. metric default taken from routemetric otherwise 0. The default can be specified by leaving an option blank or setting it to "nil".

Monday May 07, 2012

5/35

Printed by root May 07, 12 21:14

Page 11/69

May 07, 12 21:14

variables.

Page 12/69

The network and gateway parameters can also be specified as a DNS or /etc/hosts file resolvable name, or as one of three special keywords: vpn_gateway The remote VPN endpoint address (derived either fro m routegateway or the second parameter to ifconfig when dev tun is specified). routing net_gateway The preexisting IP default gateway, read from the table (not supported on all OSes). address if OpenVPN is being run i

routenopull When used with client or pull, accept options pushed by server EXCEPT for routes. When used on the client, this option effectively bars the server f rom adding routes to the clients routing table, however note that this option still allows the server to se t the TCP/IP properties of the clients TUN/TAP interface. allowpullfqdn Allow client to pull DNS names ng limited to IP address) for ifconfig, route, and routegateway. from server (rather than bei

remote_host The remote n client mode, and is undefined in server mode.

maxroutes n Allow a maximum number of n route options to be specified, eithe r in the local configuration file, or pulled from an OpenVPN server. By default, n=100. routegateway gw|dhcp Specify a default gateway gw for use with route. If dhcp is specified as the parameter, the gateway address will be extracted from a DHCP negotiation with the OpenVPN serverside LAN. routemetric m Specify a default metric m for use with route. routedelay [n] [w] Delay n seconds (default=0) after connection establishment, before adding routes. If n is 0, routes will be added immediately upon connection establishment. If routedelay is omitted, routes will be added immediM^@M^P ately after TUN/TAP device open and up script execution, before any user or group privilege downgrade (or chroot execution.) This option is designed to be useful in scenarios where DHCP i s used to set tap adapter addresses. The delay will give the DHCP handshake time to complete before routes are added. On Windows, routedelay tries to be more intelligent by waiting w seconds (w=30 by default) for the TAP Win32 adapter to come up before adding routes. routeup cmd Execute shell command cmd after routes are added, subject to rou tedelay. See the "Environmental Variables" parameters passed as environmental variM^@M^P ables. section below for additional

redirectgateway flags... (Experimental) Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN. This option performs three steps: (1) Create a static route for the remote address which forw ards to the preexisting default gateway. This is done so that (3) will not create a routing loop. (2) Delete the default gateway route. (3) Set the new default gateway to be the VPN endpoint address (de rived either from routegateway or the second parameter to ifconfig when dev tun is specified). When the tunnel is torn down, all of the above steps are rever sed so that the original default route is restored. Option flags: onnected via a ed. def1 Use this flag to override the default gateway by us ing 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. bypassdhcp Add a direct route to the DHCP server (if it is non local) which bypasses the tunnel (AvailM^@M^P able on Windows clients, may not be available on nonWindows clien ts). bypassdns Add a direct route to the DNS server(s) (if they are nonlocal) which bypasses the tunnel (Available on Windows clients, may not be available on nonWindows clients). Using the def1 flag is highly recommended. local Add the local flag if both OpenVPN servers are directly c common subnet, such as with wireless. The local flag will cause step 1 above to be omitt

Note that cmd can be a shell command with multiple arguments. routenoexec Dont add or remove routes automatically. routeup script using environmental Instead pass routes to

Monday May 07, 2012

6/35

Printed by root May 07, 12 21:14

Page 13/69

May 07, 12 21:14

Page 14/69

linkmtu n Sets an upper bound on the size of UDP packets which are sent betw een OpenVPN peers. Its best not to set this parameter unless you know what youre doing. tunmtu n Take the TUN device MTU to be n and derive the link MTU from it (default=1500). In most cases, you will probably want to leave this parameter set to its default value. The MTU (Maximum Transmission Units) is the maximum datagram size in bytes that can be sent unfragmented over a particular network path. OpenVPN requires that packet s on the control or data channels be sent unfragmented. MTU problems often manifest themselves as connections which hang d uring periods of active usage. Its best to use the fragment and/or mssfix options to deal wi th MTU sizing issues. tunmtuextra n Assume that the TUN/TAP device might return as many as n bytes mor e than the tunmtu size on read. This parameter defaults to 0, which is sufficient for most TUN devic es. TAP devices may introduce additional overhead in excess of the MTU size, and a setting of 32 is the def ault when TAP devices are used. This parameter only controls internal OpenVPN buffer sizing, so the re is no transmission overhead associated with using a larger value. mtudisc type Should we do Path MTU discovery on TCP/UDP channel? d on OSes such as Linux that supports the necessary system call to set. no Never send DF (Dont Fragment) frames maybe Use perroute hints yes Always DF (Dont Fragment) mtutest To empirically measure MTU on connection startup, add the mtute st option to your configuration. OpenVPN will send ping packets of various sizes to the remote peer and mea sure the largest packets which were sucM^@M^P cessfully received. The mtutest process normally takes about 3 minutes to complete. fragment max Enable internal datagram fragmentation so that no UDP datagrams ar e sent which are larger than max bytes. The max parameter is interpreted in the same way as the lin kmtu parameter, i.e. the UDP packet size after encapsulation overhead has been added in, but not including the UDP header itself. The fragment option only makes sense when you are using the UDP protocol ( proto udp ). Only supporte

fragment adds 4 bytes of overhead per datagram. See the mssfix option below for an important related option to fragment. It should also be noted that this option is not meant to replace U DP fragmentation at the IP stack level. It is only meant as a last resort when path MTU discovery is bro ken. Using this option is less efficient than fixing path MTU discovery for your IP link and using native I P fragmentation instead. Having said that, there are circumstances where using OpenVPNs in ternal fragmentation capability may be your only option, such as tunneling a UDP multicast stream which r equires fragmentation. mssfix max Announce to TCP d limit their send packet sizes after OpenVPN has that OpenVPN sends to its peer exceed max bytes. sessions running over the tunnel that they shoul such that encapsulated them, the resulting UDP packet size will not

The max parameter is interpreted in the same way as the lin kmtu parameter, i.e. the UDP packet size after encapsulation overhead has been added in, but not including the UDP header itself. The mssfix option only makes sense when you are using the UDP pr otocol for OpenVPN peertopeer communiM^@M^P cation, i.e. proto udp. mssfix and fragment can be ideally used together, where mssfix will try to keep TCP from needing packet fragmentation in the first place, and if big packets come t hrough anyhow (from protocols other than TCP), fragment will internally fragment them. Both fragment and mssfix are designed to work around cases where Path MTU discovery is broken on the network path between OpenVPN peers. The usual symptom of such a breakdown is an OpenVPN connection whi ch successfully starts, but then stalls during active usage. If fragment and mssfix are used together, mssfix will take i ts default max parameter from the fragM^@M^P ment max option. good first try Therefore, one could lower the maximum UDP packet size to 1300 (a for solving MTUrelated connection problems) with the following options: tunmtu 1500 fragment 1300 mssfix sndbuf size Set the TCP/UDP socket send buffer size. 536 bytes. rcvbuf size Currently defaults to 65

Monday May 07, 2012

7/35

Printed by root May 07, 12 21:14

65536 bytes. socketflags flags... Apply the given flags to the OpenVPN transport socket. only TCP_NODELAY is supported. Currently, ensure that

Page 15/69
Currently defaults to

May 07, 12 21:14

Page 16/69

Set the TCP/UDP socket receive buffer size.

e modes (where secret, tlsserver, or tlsclient is specified), the ping packet will be cryptographica lly secure. This option has two intended uses: (1) Compatibility with stateful firewalls. The periodic ping will a stateful firewall rule which allows OpenVPN UDP packets to pass will not time out.

The TCP_NODELAY socket flag is useful in TCP mode, and causes the kernel to send tunnel packets immediately over the TCP connection without trying to group several smaller pa ckets into a larger packet. This can result in a considerably improvement in latency. This option is pushable from server to client, and should be u sed on both client and server for maximum effect. txqueuelen n (Linux only) Set the TX queue length on the TUN/TAP interface. rrently defaults to 100. Cu

(2) To provide a basis for the remote to test the existence of its peer using the pingexit option. pingexit n Causes OpenVPN to exit after n seconds pass without reception of a ping or other packet from remote. This option can be combined with inactive, ping, and pingexit to create a twotiered inactivity disconM^@M^P nect. For example,

shaper n Limit bandwidth of outgoing tunnel data to n bytes per second on t he TCP/UDP port. If you want to limit the bandwidth in both directions, use this option on both peers. OpenVPN uses the following algorithm to implement traffic shaping : Given a shaper rate of n bytes per secM^@M^P ond, after a datagram write of b bytes is queued on the TCP/UDP po rt, wait a minimum of (b / n) seconds before queuing the next write. It should be noted that OpenVPN supports multiple tunnels between the same two peers, allowing you to conM^@M^P struct fullspeed and reduced bandwidth tunnels at the same time, routing lowpriority data such as off site backups over the reduced bandwidth tunnel, and other data ove r the fullspeed tunnel. Also note that for low bandwidth tunnels (under 1000 bytes per s econd), you should probably use lower MTU values as well (see above), otherwise the packet latency will grow so large as to trigger timeouts in the TLS layer and TCP connections running over the tunnel. OpenVPN allows n to be between 100 bytes/sec and 100 Mbytes/sec. inactive n [bytes] Causes OpenVPN to exit after n seconds of inactivity on the TUN/T AP device. The time length of inactivity is measured since the last incoming tunnel packet. If the optional bytes parameter is included, exit after n seconds of activity on tun/tap device produces a combined in/out byte count that is less than bytes. ping n Ping remote over the TCP/UDP control channel if no packets have been sent for at least n seconds (specify ping on both peers to cause ping packets to be sent in both dire ctions since OpenVPN ping packets are not echoed like IP ping packets). When used in one of OpenVPNs secur

openvpn [options...] inactive 3600 ping 10 pingexit 60 when used on both peers will cause OpenVPN to exit within 60 secon ds if its peer disconnects, but will exit after one hour if no actual tunnel data is exchanged. pingrestart n Similar to pingexit, but trigger a SIGUSR1 restart after n seco nds pass without reception of a ping or other packet from remote. This option is useful in cases where the remote peer has a dyn amic IP address and a lowTTL DNS name is used to track the IP address using a service such as http://dyndns .org/ + a dynamic DNS client such as ddclient. If the peer cannot be reached, a restart will be triggered, caus ing the hostname used with remote to be reresolved (if resolvretry is also specified). In server mode, pingrestart, inactive, or any other type of i nternally generated signal will always be applied to individual client instance objects, never to whole serv er itself. Note also in server mode that any internally generated signal which would normally cause a resta rt, will cause the deletion of the client instance object instead. In client mode, the pingrestart parameter is set to 120 se conds by default. This default will hold until the client pulls a replacement value from the server, based on the keepalive setting in the server configuration. To disable the 120 second default, set pingrest art 0 on the client. See the signals section below for more information on SIGUSR1. Note that the behavior of SIGUSR1 can be modified by the persis ttun, persistkey, persistlocalip,

Monday May 07, 2012

8/35

Printed by root May 07, 12 21:14

Page 17/69

May 07, 12 21:14

Page 18/69

and persistremoteip options. Also note that pingexit and pingrestart are mutually exclusi ve and cannot be used together. keepalive n m A helper directive designed to simplify the expression of ping a nd pingrestart in server mode configuM^@M^P rations. For example, keepalive 10 60 expands as follows: if mode server: ping 10 pingrestart 120 push "ping 10" push "pingrestart 60" else ping 10 pingrestart 60 pingtimerrem Run the pingexit / pingrestart timer only if we have a re mote address. Use this option if you are starting the daemon in listen mode (i.e. without an explicit rem ote peer), and you dont want to start clocking timeouts until a remote peer connects. persisttun Dont close and reopen TUN/TAP device or run up/down scripts acros s SIGUSR1 or pingrestart restarts. SIGUSR1 is a restart signal similar to SIGHUP, but which offers fi nergrained control over reset options. persistkey Dont reread key files across SIGUSR1 or pingrestart. This option can be combined with user nobody to allow restarts t riggered by the SIGUSR1 signal. Normally if you drop root privileges in OpenVPN, the daemon cannot be resta rted since it will now be unable to re read protected key files. This option solves the problem by persisting keys across SIGUSR1 r esets, so they dont need to be reread. persistlocalip Preserve initially resolved local IP address and port number acros s SIGUSR1 or pingrestart restarts. persistremoteip Preserve most recently authenticated t number across SIGUSR1 or pingrestart restarts. mlock hat OpenVPN r option). Disable paging by calling the POSIX mlockall function. Requires t be initially run as root (though OpenVPN can subsequently downgrade its UID using the use remote IP address and por

Using this option ensures that key material and tunnel data are ne ver written to disk due to virtual memory paging operations which occur under most modern operating systems. It ensures that even if an attacker was able to crack the box running OpenVPN, he would not be able to sc an the system swap file to recover previM^@M^P ously used ephemeral keys, which are used for a period of time gov erned by the reneg options (see below), then are discarded. The downside of using mlock unt of physical memory available to other applications. is that it will reduce the amo

up cmd Shell command to run after successful TUN/TAP device open (pre u ser UID change). The up script is useful for specifying route commands which route IP traffic destined for private subnets which exist at the other end of the VPN connection into the tunnel. For dev tun execute as: cmd tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [ init | restart ] For dev tap execute as: cmd tap_dev tap_mtu link_mtu ifconfig_local_ip ifconfig_netmask [ init | restart ] ameters See the "Environmental Variables" section below for additional par passed as environmental variM^@M^P ables.

Note that cmd can be a shell command with multiple arguments, in w hich case all OpenVPNgenerated arguments will be appended to cmd to build a command line which will be pass ed to the shell. Typically, cmd will run a script to add routes to the tunnel. Normally the up script is called after the TUN/TAP device is opene context, the last command line parameter passed to the script will be init. If the upr estart option is also used, the up script will be called for restarts as well. A restart is considered to b e a partial reinitialization of OpenVPN where the TUN/TAP instance is preserved (the persisttun option will enable such preservation). A restart can be generated by a SIGUSR1 signal, a pingrestart tim eout, or a connection reset when the TCP protocol is enabled with the proto option. If a restart occurs, and uprestart has been specified, the up script will be called with restart as the last parameter. d. In this The following standalone example shows how the up script can be both an initialization and restart context. (NOTE: for security reasons, dont run the following example unless UDP port 9999 is blocked by your firewall. Also, the example will run indefinitely , so you should abort with controlc). called in

Monday May 07, 2012

9/35

Printed by root May 07, 12 21:14

o up down

Page 19/69

May 07, 12 21:14

Page 20/69

openvpn dev tun port 9999 verb 4 pingrestart 10 up ech echo down persisttun uprestart

lid reasons for wanting new software feaM^@M^P tures to gracefully degrade when encountered by older software ver sions. setenvsafe name value Set a custom environmental variable OPENVPN_name=value to pass to script. This directive is designed to be pushed by the server to clients, and the prepending of "OPENVPN_" to the environmental variable is a safety precaution to prevent a LD_PREL OAD style attack from a malicious or comM^@M^P promised server. scriptsecurity level [method] This directive offers policylevel control over OpenVPNs usage of external programs and scripts. Lower level values are more restrictive, higher values are more permissi ve. Settings for level: 0 Strictly no calling of external programs. 1 (Default) Only call builtin executables such as ifconfig, ip , route, or netsh. 2 Allow calling of builtin executables and userdefined script s. 3 Allow passwords to be passed to scripts via environmental var iables (potentially unsafe). The method parameter indicates how OpenVPN should call external co mmands and scripts. Settings for method: execve (default) Use execve() function on Unix family OSes and CreateProcess() on Windows. system Use system() function (deprecated and less safe since the external program command line is subM^@M^P ject to shell expansion). The scriptsecurity option was introduced in OpenVPN 2.1_rc9. or configuration file compatibility with previous OpenVPN versions, use: scriptsecurity 3 system disableocc Dont output a warning message if option inconsistencies are detected between peers. An example of an option inconsistency would be where one peer uses dev tun while the other peer uses dev tap. Use of this option is discouraged, but is provided as a temporary fix in situations where a recent version of OpenVPN must connect to an old version. user user Change the user ID of the OpenVPN process to user after initializa tion, dropping privileges in the process. This option is useful to protect the system in the event that some hostile party was able to gain control of an OpenVPN session. Though OpenVPNs security features make this unlikely, it is provided as a second line of defense. By setting user to nobody or somebody similarly unprivileged, the hostile party would be limited in what F

Note that OpenVPN also provides the ifconfig option to automatic ally ifconfig the TUN device, eliminating the need to define an up script, unless you also want to configu re routes in the up script. If ifconfig is also specified, OpenVPN will pass the ifconfig lo cal and remote endpoints on the command line to the up script so that they can be used to configure rout es such as: route add net 10.0.0.0 netmask 255.255.255.0 gw $5 updelay Delay TUN/TAP open and possible up script execution until af ter TCP/UDP connection establishment with peer. In proto udp mode, this option normally requires the use of pi ng to allow connection initiation to be sensed in the absence of tunnel data, since UDP is a "connectionle ss" protocol. On Windows, this option will delay the TAPWin32 media state tran sitioning to "connected" until connection establishment, i.e. the receipt of the first authenticated packet from the peer. down cmd Shell command to run after TUN/TAP device close (post user UID c hange and/or chroot ). Called with the same parameters and environmental variables as the up option abo ve. Note that if you reduce roup, your down script will also run at reduced privilege. privileges by using user and/or g

downpre Call down cmd/script before, rather than after, TUN/TAP close. uprestart Enable the up and down scripts to be called for restarts as we ll as initial program start. This option is described more fully above in the up option documentation. setenv name value Set a custom environmental variable name=value to pass to script. setenv FORWARD_COMPATIBLE 1 Relax config file syntax checking so that unknown directives will trigger a warning but not a fatal error, on the assumption that a given unknown directive might be valid in future OpenVPN versions. This option should be used with caution, as there are good securit y reasons for having OpenVPN fail if it detects problems in a config file. Having said that, there are va

Monday May 07, 2012

10/35

Printed by root May 07, 12 21:14

Page 21/69

May 07, 12 21:14

Page 22/69

damage they could cause. Of course once you take away privile ges, you cannot return them to an OpenVPN session. This means, for example, that if you want to reset an Op enVPN daemon with a SIGUSR1 signal (for example in response to a DHCP reset), you should make use of one o r more of the persist options to ensure that OpenVPN doesnt need to execute any privileged operations in order to restart (such as rereading key files or running ifconfig on the TUN device). group group Similar to the user option, this option changes the group ID o f the OpenVPN process to group after iniM^@M^P tialization. cd dir Change directory to dir prior to reading any files such as configu ration files, key files, scripts, etc. dir should be an absolute path, with a leading "/", and withou t any references to the current directory such as "." or "..". This option is useful when you are running OpenVPN in daemon mod e, and you want to consolidate all of your OpenVPN control files in one location. chroot dir Chroot to dir after initialization. chroot essentially redef ines dir as being the top level directory tree (/). OpenVPN will therefore be unable to access any files ou tside this tree. This can be desirable from a security standpoint. Since the chroot operation is delayed until after initialization, most OpenVPN options that reference files will operate in a prechroot context. however In many cases, the dir parameter can point to an empty directory, complications can result when scripts or restarts are executed after the chroot operation.

s are executed after the setcon operaM^@M^P tion, which is why you should really consider using the persist key and persisttun options. daemon [progname] Become a daemon after all initialization functions are completed . This option will cause all message and error output to be sent to the syslog file (such as /var/log/messa ges), except for the output of shell scripts and ifconfig commands, which will go to /dev/null unles s otherwise redirected. The syslog rediM^@M^P rection occurs immediately at the point that daemon is parsed on the command line even though the daemoM^@M^P nization point occurs later. If one of the log options is prese nt, it will supercede syslog redirection. The optional progname parameter will cause OpenVPN to report its p rogram name to the system logger as progM^@M^P name. This can be useful in linking OpenVPN messages in the sysl og file with specific tunnels. When unspecified, progname defaults to "openvpn". When OpenVPN is run with the daemon option, it will try to delay daemonization until the majority of iniM^@M^P tialization functions which are capable of generating fatal errors are complete. This means that initialM^@M^P ization scripts can test the return status of the openvpn co mmand for a fairly reliable indication of whether the command has correctly initialized and entered the pack et forwarding event loop. In OpenVPN, the vast majority of errors which occur after initiali zation are nonfatal. syslog [progname] Direct log output to system logger, but do not become a daemon. ee daemon directive above for descripM^@M^P tion of progname parameter. S

passtos Set the TOS field of the tunnel packet to what the payloads TOS i s. inetd [wait|nowait] [progname] Use this option when OpenVPN is being run from the inetd or xinetd (8) server. The wait/nowait option must match what is specified in the inetd /xinetd config file. The nowait mode can only be used with proto tcpserver. The default is wait. The n owait mode can be used to instantiate the OpenVPN daemon as a classic TCP server, where client connection re quests are serviced on a single port numM^@M^P ber. For additional information on this kind of configuratio n, see the OpenVPN FAQ: http://openM^@M^P vpn.net/faq.html#oneport This option precludes the use of daemon, local, or remote. Note that this option causes message and error output to be handled in the same way as the daemon option. The optional progname parameter is also handled exactly as in daemon.

setcon context Apply SELinux context after initialization. This essentially p rovides the ability to restrict OpenVPNs rights to only network I/O operations, thanks to SELinux. This goe s further than user and chroot in that those two, while being great security features, unfortunately do not protect against privilege escalaM^@M^P tion by exploitation of a vulnerable system call. You can of cours e combine all three, but please note that since setcon requires access to /proc you will have to provide it inside the chroot directory (e.g. with mount bind). Since the setcon operation is delayed until after initialization, OpenVPN can be restricted to just netM^@M^P workrelated system calls, whereas by applying the context before startup (such as the OpenVPN one provided in the SELinux Reference Policies) you will have to allow many thi ngs required only during initialization. Like with chroot, complications can result when scripts or restart

Monday May 07, 2012

11/35

Printed by root May 07, 12 21:14

Page 23/69

May 07, 12 21:14

terface. x.

Page 24/69

Also note that in wait mode, each OpenVPN tunnel requires a sepa rate TCP/UDP port and a separate inetd or xinetd entry. See the OpenVPN 1.x HOWTO for an example on us ing OpenVPN with xinetd: http://openM^@M^P vpn.net/1xhowto.html log file Output logging messages to file, including output to stdout/std err which is generated by called scripts. If file already exists it will be truncated. This option takes ef fect immediately when it is parsed in the command line and will supercede syslog output if daemon or inetd is also specified. This option is persistent over the entire course of an OpenVPN instantiation and will not be reset by SIGHUP, SIGUSR1, or pingrestart. Note that on Windows, when OpenVPN is started as a service, logg ing occurs by default without the need to specify this option. logappend file Append logging messages to file. If file does not exist, it will be created. This option behaves exactly like log except that it appends to rather than truncating the lo g file. suppresstimestamps Avoid writing timestamps to log messages, even when they otherwis e would be prepended. In particular, this applies to log messages sent to stdout. writepid file Write OpenVPNs main process ID to file. nice n Change process priority after initialization ( n greater than 0 is lower priority, n less than zero is higher priority).

Note that this option is only relevant for UDP servers and currently is only implemented on Linu

Note: clients connecting to a multihome server should always use the nobind option. echo [parms...] Echo parms to log output. Designed to be used to send messages to a controlling applicatio n which is receiving the OpenVPN log outM^@M^P put. remapusr1 signal Control whether internally or externally generated SIGUSR1 signals are remapped to SIGHUP (restart without persisting state) or SIGTERM (exit). signal can be set to "SIGHUP" or "SIGTERM". ing occurs. verb n Set output verbosity to n (default=1). Each level shows all i nfo from the previous levels. Level 3 is recommended if you want a good summary of whats happening without being swamped by output. 0 No output except fatal errors. 1 to 4 Normal usage range. 5 Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets. 6 to 11 Debug info range (see errlevel.h for additional informa tion on debug levels). status file [n] Write operational status to file every n seconds. Status can also be written to the syslog by sending a SIGUSR2 sign al. statusversion [n] Choose the status file format version number. 1, 2, or 3 and defaults to 1. By default, no remapp

fastio (Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding a cal l to poll/epoll/select prior to the write operation. The purpose of such a call would normally be to block until the device or socket is ready to accept the write. Such blocking is unnecessary on some platforms which dont support write blocking on UDP sockets or TUN/TAP devices. In such cases, one can optim ize the event loop by avoiding the poll/epoll/select call, improving CPU efficiency by 5% to 10%. This option can only be used on nonWindows systems, when pro to udp is specified, and when shaper is NOT specified. multihome Configure a multihomed UDP server. This option can be used when OpenVPN has been configured to listen on all interfaces, and will attempt to bind client sessions to the interface on which packets are being received, so that outgoing packets will be sent out of the same in

Currently n can be

mute n Log at most n consecutive messages in the same category. is useful to limit repetitive logging of similar message types.

This

complzo [mode] Use fast LZO compression may add up to 1 byte per packet for in compressible data. mode may be "yes", "no", or "adaptive" (default). In a server mode setup, it is possible to selectively turn compres sion on or off for individual clients. First, make sure the clientside config file enables selective c ompression by having at least one comp lzo directive, such as complzo no. This will turn off compress

Monday May 07, 2012

12/35

Printed by root May 07, 12 21:14

Page 25/69

May 07, 12 21:14

Page 26/69

ion by default, but allow a future direcM^@M^P tive push from the server to dynamically change the on/off/adaptiv e setting. Next in a clientconfigdir file, specify the compression settin g for the client, for example: complzo yes push "complzo yes" The first line sets the complzo setting for the server side of th e link, the second sets the client side. compnoadapt When used in conjunction with complzo, this option will dis able OpenVPNs adaptive compression algoM^@M^P rithm. Normally, adaptive compression is enabled with complzo. Adaptive compression tries to optimize the case where you have com pression enabled, but you are sending predominantly uncompressible (or precompressed) packets over the tunnel, such as an FTP or rsync transfer of a large, compressed file. With adaptive compression, OpenVPN w ill periodically sample the compression process to measure its efficiency. If the data being sent over t he tunnel is already compressed, the comM^@M^P pression efficiency will be very low, triggering openvpn to disabl e compression for a period of time until the next resample test. management IP port [pwfile] Enable a TCP server on IP:port to handle daemon management functio ns. pwfile, if specified, is a password file (password on first line) or "stdin" to prompt from standard i nput. The password provided will set the password which TCP clients will need to provide in order to access management functions. The management interface can also listen on a unix domain socket, for those platforms that support it. To use a unix domain socket, specify the unix socket pathname in plac e of IP and set port to unix. While the default behavior is to create a unix domain socket that may b e connected to by any process, the manM^@M^P agementclientuser and managementclientgroup directives can b e used to restrict access. The management interface provides a special mode where the TCP man agement link can operate over the tunnel itself. To enable this mode, set IP = "tunnel". Tunnel mode will cause the management interface to listen for a TCP connection on the local VPN address of the TUN/TAP inter face. While the management port is designed for programmatic control of OpenVPN by other applications, it is posM^@M^P sible to telnet to the port, using a telnet client in "raw" mode . Once connected, type "help" for a list of commands. For detailed documentation on the management interface, see the ma nagementnotes.txt file in the management

folder of the OpenVPN source distribution. It is strongly recommended that IP be set to 127.0.0.1 (localhost) to restrict accessibility of the manageM^@M^P ment server to local clients. managementquerypasswords Query management channel for private key password and authuser pass username/password. Only query the management channel for inputs which ordinarily would have been que ried from the console. managementforgetdisconnect Make OpenVPN forget passwords when management session disconnects. This directive does not affect the httpproxy username/password. It is always cached. managementhold Start OpenVPN in a hibernating state, until a client of the manag ement interface explicitly starts it with the hold release command. managementsignal Send SIGUSR1 signal to OpenVPN if management session disconnects. This is useful when you wish to disconM^@M^P nect an OpenVPN session on user logoff. managementlogcache n Cache the most recent n lines of log file history for usage by the management channel. managementclientauth Gives management interface client the responsibility to authentica te clients after their client certificate has been verified. See managementnotes.txt in OpenVPN distributi on for detailed notes. managementclientpf Management interface clients must specify a packet filter file for each connecting client. See management notes.txt in OpenVPN distribution for detailed notes. managementclientuser u When the management interface is listening on a unix domain socket , only allow connections from user u. managementclientgroup g When the management interface is listening on a unix domain socket , only allow connections from group g. plugin modulepathname [initstring] Load plugin module from the file modulepathname, passing init string as an argument to the module iniM^@M^P tialization function. Multiple plugin modules may be loaded into one OpenVPN process. For more information and examples on how to build OpenVPN plugin modules, see the README file in the plugM^@M^P in folder of the OpenVPN source distribution. If you are using an RPM install of OpenVPN, see /usr/share/openvpn

Monday May 07, 2012

13/35

Printed by root May 07, 12 21:14

/plugin.

Page 27/69

May 07, 12 21:14

serverbridge [nogw]

Page 28/69

The documentation is in doc and the actual plugin modules are in lib.

Multiple plugin modules can be cascaded, and modules can be used i n tandem with scripts. The modules will be called by OpenVPN in the order that they are declared in the config file. If both a plugin and script are configured for the same callback, the script will be called la st. If the return code of the modM^@M^P ule/script controls an authentication function (such as tlsveri fy, authuserpassverify, or clientconM^@M^P nect), then every module and script must return success (0) in ord er for the connection to be authentiM^@M^P cated. Server Mode Starting with OpenVPN 2.0, a multiclient TCP/UDP server mode is supp orted, and can be enabled with the mode server option. In server mode, OpenVPN will listen on a single port for incoming client connections. All client connections will be routed through a single tun or tap interface. This mode is designed for scalability and should be able to support hundreds or even thousands of clients on suffic iently fast hardware. SSL/TLS authentiM^@M^P cation must be used in this mode. server network netmask A helper directive designed to simplify the configuration of Op enVPNs server mode. This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask. The server itself will take the ".1" address of the given network f or use as the serverside endpoint of the local TUN/TAP interface. For example, server 10.8.0.0 255.255.255.0 expands as follows: mode server tlsserver push "topology [topology]" if dev tun AND (topology == net30 OR topology == p2p): ifconfig 10.8.0.1 10.8.0.2 if !nopool: ifconfigpool 10.8.0.4 10.8.0.251 route 10.8.0.0 255.255.255.0 if clienttoclient: push "route 10.8.0.0 255.255.255.0" else if topology == net30: push "route 10.8.0.1" if dev tap OR (dev tun AND topology == subnet): ifconfig 10.8.0.1 255.255.255.0 if !nopool: ifconfigpool 10.8.0.2 10.8.0.254 255.255.255.0 push "routegateway 10.8.0.1" Dont use server if you are ethernet bridging. dge instead. serverbridge gateway netmask poolstartIP poolendIP Use serverbri

A helper directive similar to server which is designed to simpli fy the configuration of OpenVPNs server mode in ethernet bridging configurations. If serverbridge is used without any parameters, it will enable a DHCPproxy mode, where connecting OpenM^@M^P VPN clients will receive an IP address for their TAP adapter from the DHCP server running on the OpenVPN serverside LAN. Note that only clients that support the bind ing of a DHCP client with the TAP adapter (such as Windows) can support this mode. The optional nogw flag ( advanced) indicates that gateway informaM^@M^P tion should not be pushed to the client. To configure ethernet bridging, you must first use your OSs bri dging capability to bridge the TAP interM^@M^P face with the ethernet NIC interface. For example, on Linux this is done with the brctl tool, and with Windows XP it is done in the Network Connections Panel by se lecting the ethernet and TAP adapters and rightclicking on "Bridge Connections". Next you you must manually set the IP/netmask on the bridge interf The gateway and netmask parameters to serverbridge can be set to either the IP/netmask of the b ridge interface, or the IP/netmask of the default gateway/router on the bridged subnet. ace. Finally, set aside a IP range in the bridged subnet, denoted by po olstartIP and poolendIP, for OpenVPN to allocate to connecting clients. For example, serverbridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8. 0.254 expands as follows: mode server tlsserver ifconfigpool 10.8.0.128 10.8.0.254 255.255.255.0 push "routegateway 10.8.0.4" In another example, serverbridge (without parameters) expands a s follows: mode server tlsserver push "routegateway dhcp" Or serverbridge nogw expands as follows: mode server tlsserver push option Push a config file option back to the client for remote executi on. Note that option must be enclosed in double quotes (""). The client must specify pull in its config file. The set of options which can be pushed is limited by both feasibility and security. Some options

Monday May 07, 2012

14/35

Printed by root May 07, 12 21:14

Page 29/69

May 07, 12 21:14

Page 30/69

such as those which would execute scripts are banned, since they would effectively allow a compromised serv er to execute arbitrary code on the client. Other options such as TLS or MTU parameters cannot be pus hed because the client needs to know them before the connection to the server can be initiated. This is a partial list of options which can currently be pushed: routegateway, routedelay, redirectgateway, ipwin32, dhcpoption, inactive, pin g, pingexit, pingrestart, setenv, persistkey, persisttun, echo, complzo, socketflags, sndbuf, rcvbuf route, pushreset Dont inherit the global push list for a specific client instance. Specify this option in a clientspeM^@M^P cific context such as with a clientconfigdir configurat ion file. This option will ignore push options at the global config file level. disable Disable a particular client (based on the common name) from connec ting. Dont use this option to disable a client due to key or password compromise. Use a CRL (certificate revocation list) instead (see the crl verify option). ich means This option must be associated with a specific client instance, wh that it must be specified either in a client instance config file using clientcon or dynamically generated using a clientconnect script.

Note that the entries in this file are treated by OpenVPN as sug gestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use if configpush ifconfigpoollinear Modifies the ifconfigpool directive to allocate individual T UN interface addresses for clients rather than /30 subnets. NOTE: This option is incompatible with Windows clients. This option is deprecated, and should be replaced with topology p2p which is functionally equivalent. ifconfigpush local remotenetmask Push virtual IP endpoints for client tunnel, overriding the ifco nfigpool dynamic allocation. The parameters local and remotenetmask are set according to the ifconfig directive which you want to execute on the client machine to configure the remote end of th e tunnel. Note that the parameters local and remotenetmask are from the perspective of the client, not the server. They may be DNS names rather than IP addresses, in which case they will be resolved on the serv er at the time of client connection. This option must be associated with a specific client instan ce, which means that it must be specified either in a client instance config file using clientconfig dir or dynamically generated using a clientconnect script. Remember also to include a route directive in the main OpenVPN config file which encloses local, so that the kernel will know to route it to the servers TUN/TAP interface . OpenVPNs internal client IP address selection algorithm works as follows: 1 Use clientconnect script generated file for static IP (fir

figdir

ifconfigpool startIP endIP [netmask] Set aside a pool of subnets to be dynamically allocated to connect ing clients, similar to a DHCP server. For tunstyle tunnels, each client will be given a /30 subnet (fo r interoperability with Windows clients). For tapstyle tunnels, individual addresses will be allocated, and the optional netmask parameter will also be pushed to clients. ifconfigpoolpersist file [seconds] Persist/unpersist ifconfigpool vals (default=600), as well as on program startup and shutdown. een clients

data

to

file, at seconds inter

st choice). 2 Use clientconfigdir file for static IP (next choice). 3 Use ifconfigpool allocation for dynamic IP (last choice). iroute network [netmask] Generate an internal route parameter, if omitted, defaults to 255.255.255.255. to a specific client. The netmas

The goal of this option is to provide a longterm association betw (denoted by their common name) and the virtual IP address assigned to them from the ifconfi gpool. Maintaining a longterm associaM^@M^P tion is good for clients because it allows them to effectively use the persisttun option. file is a commadelimited ASCII file, formatted as <CommonName>,< IPaddress>. If seconds = 0, file will be treated as readonly. if you would like to treat file as a configuration file. This is useful

This directive can be used to route a fixed subnet from the ser ver to a particular client, regardless of where the client is connecting from. Remember that you must also add the route to the system routing table as well (such as by using the route directive). The reason why two routes are needed is that the route directive routes the packet from the kernel to OpenVPN. Once in O penVPN, the iroute directive routes to

Monday May 07, 2012

15/35

Printed by root May 07, 12 21:14

the specific client. This option must be specified either in a client instance config file using clientconfigdir or dynamiM^@M^P cally generated using a clientconnect script. The iroute directive also has an important interaction with pu sh "route ...". iroute essentially defines a subnet which is owned by a particular client (we wil l call this client A). If you would like other clients to be able to reach As subnet, you can use push " route ..." together with clientto client to effect this. In order for all clients to see As su bnet, OpenVPN must push this route to all clients EXCEPT for A, since the subnet is already owned by A. Ope nVPN accomplishes this by not not pushing a route to a client if it matches one of the clients iroutes. clienttoclient Because the OpenVPN server mode handles multiple clients thr ough a single tun or tap interface, it is effectively a router. The clienttoclient flag tells OpenVPN t o internally route clienttoclient trafM^@M^P fic rather than pushing all clientoriginating traffic to the TUN/ TAP interface. When this option is used, each client will "see" the other clien ts which are currently connected. OtherM^@M^P wise, each client will only see the server. Dont use this option if you want to firewall tunnel traffic using custom, perclient rules. duplicatecn Allow multiple clients with the same common name to concurrently connect. In the absence of this option, OpenVPN will disconnect a client instance upon connection of a new client having the same common name. clientconnect script Run script on client connection. The script is passed the common name and IP address of the justauthentiM^@M^P cated client as environmental variables (see environmental var iable section below). The script is also passed the pathname of a notyetcreated temporary file as $1 (i.e . the first command line argument), to be used by the script to pass dynamically generated config file direc tives back to OpenVPN. If the script wants to generate a dynamic config file to be applie d on the server when the client connects, it should write it to the file named by $1. See the clientconfigdir option below for options which can be legally used in a dynamically generated config file. Note that the return value of script is significant. returns a nonzero error status, it will cause the client to be disconnected. If script When OpenVPN is tunneling data from a TUN/TAP device to a remote c lient over a TCP connection, it is possiM^@M^P ble that the TUN/TAP device might produce data at a faster rate t han the TCP connection can support. When the number of output packets queued before sending to the TCP sock

Page 31/69

May 07, 12 21:14

Page 32/69

l not be called unless the clientconM^@M^P nect script and plugins (if defined) were previously called on this instance with successful (0) status returns. The exception to this rule is if the clientdisconnect script or plugins are cascaded, and at least one clientconnect function succeeded, then ALL of the clientdisconne ct functions for scripts and plugins will be called on client instance object deletion, even in cases where some of the related clientconnect funcM^@M^P tions returned an error status. clientconfigdir dir Specify a directory dir for custom client config files. After a connecting client has been authenticated, OpenVPN will look in this directory for a file having the same nam e as the clients X509 common name. If a matching file exists, it will be opened and parsed for clientspec ific configuration options. If no matchM^@M^P ing file is found, OpenVPN will instead try to open and parse a de fault file called "DEFAULT", which may be provided but is not required. This file can specify a fixed IP address for a given client using ifconfigpush, as well as fixed subnets owned by the client using iroute. One of the useful properties of this option is that it allows clie nt configuration files to be conveniently created, edited, or removed while the server is live, without need ing to restart the server. The following options are legal in a clientspecific context: push, pushreset, iroute, ifconfig push, and config. ccdexclusive Require, as a condition of authentication, that a connecting clien t has a clientconfigdir file. tmpdir dir Specify a directory dir for temporary files. This directory will be used by clientconnect scripts to dynamically generate clientspecific configuration files. hashsize r v Set the size of the real address hash table to r and the virt ual address table to v. By default, both tables are sized at 256 buckets. bcastbuffers n Allocate n buffers for broadcast datagrams (default=256). tcpqueuelimit n Maximum number of output packets queued before TCP (default=64).

clientdisconnect Like clientconnect but called on client instance shutdown.

Wil

Monday May 07, 2012

16/35

Printed by root May 07, 12 21:14

Page 33/69

May 07, 12 21:14

his can be

Page 34/69

et reaches this limit for a given client connection, OpenVPN will start to drop outgoing packets directed a t this client. tcpnodelay This macro sets the TCP_NODELAY socket flag on the server as well as pushes it to connecting clients. The TCP_NODELAY flag disables the Nagle algorithm on TCP sockets causi ng packets to be transmitted immediately with low latency, rather than waiting a short period of time in order to aggregate several packets into a larger containing packet. In VPN applications over TCP, TCP_NODEL AY is generally a good latency optimizaM^@M^P tion. The macro expands as follows: if mode server: socketflags TCP_NODELAY push "socketflags TCP_NODELAY" maxclients n Limit server to a maximum of n concurrent clients. maxroutesperclient n Allow a maximum of n internal routes per client (default=25 6). This is designed to help contain DoS attacks where an authenticated client floods the server with packe ts appearing to come from many unique MAC addresses, forcing the server to deplete virtual memory as its int ernal routing table expands. This direcM^@M^P tive can be used in a clientconfigdir file or autogenerated b y a clientconnect script to override the global value for a particular client. Note that this directive affects OpenVPNs internal routing table, not the kernel routing table. connectfreq n sec Allow a maximum of n new connections per sec seconds from clients. This is designed to contain DoS attacks which flood the server with connection requests using certificates which will ultimately fail to authentiM^@M^P cate. This is an imperfect solution however, because in a real DoS scena rio, legitimate connections might also be refused. For the best protection against DoS attacks in server mode, use proto udp and tlsauth. learnaddress cmd Run script or shell command cmd to validate client virtual address es or routes. cmd will be executed with 3 parameters: [1] operation "add", "update", or "delete" based on whether or not the address is being added to, modiM^@M^P fied, or deleted from OpenVPNs internal routing table. [2] address The address being learned or unlearned. T

an IPv4 address such as "198.162.10.14", an IPv4 subnet such as "198.162.10.0/24", or an e thernet MAC address (when dev tap is being used) such as "00:FF:01:02:03:04". [3] common name The common name on the certificate associate d with the client linked to this address. Only present for "add" or "update" operations, not "delete". (nonzero), On "add" or "update" methods, if the script returns a failure code OpenVPN will reject the address and will not modify its internal routing table.

Normally, the cmd script will use the information provided above t o set appropriate firewall entries on the VPN TUN/TAP interface. Since OpenVPN provides the association bet ween virtual IP or MAC address and the clients authenticated common name, it allows a userdefined scr ipt to configure firewall access policies with regard to the clients highlevel common name, rather than th e low level client virtual addresses. authuserpassverify script method Require the client to provide a username/password (possibly ddition to a client certificate) for authentication. in a

OpenVPN will execute script as a shell command to validate the use rname/password provided by the client. If method is set to "viaenv", OpenVPN will call script with the e nvironmental variables username and passM^@M^P word set to the username/password strings provided by the client. Be aware that this method is insecure on some platforms which make the environment of a process publicly vi sible to other unprivileged processes. If method is set to "viafile", OpenVPN will write the username and password to the first two lines of a temporary file. The filename will be passed as an argument to scr ipt, and the file will be automatically deleted by OpenVPN after the script returns. The location o f the temporary file is controlled by the tmpdir option, and will default to the current directory if uns pecified. For security, consider setting tmpdir to a volatile storage medium such as /dev/shm (if av ailable) to prevent the username/password file from touching the hard drive. uccess exit The script should examine the username and password, returning a s code (0) if the clients authentication request is to be accepted, or a failure code (1) to reject the client. This directive is designed to enable a pluginstyle interface for extending OpenVPNs authentication capaM^@M^P bilities. To protect against a client passing a maliciously formed username or password string, the username string must consist only of these characters: alphanumeric, underbar ( _), dash (), dot (.), or at (@). The password string can consist of any printable characters except

Monday May 07, 2012

17/35

Printed by root May 07, 12 21:14

for CR or LF. ar (_). Care must be taken by any userdefined scripts to avoid creating a security vulnerability in the way that these strings are handled. Never use these strings in such a way that they might be escaped or evaluated by a shell interpreter. For a sample script that performs PAM authentication, see sample scripts/authpam.pl in the OpenVPN source distribution. optverify Clients that connect with options that are incompatible with those of the server will be disconnected. , Options that will be compared for compatibility include tunmtu, proto, tunipv6, ifconfig, complzo, fragment, keydir, cipher, auth, secret, noreplay, noiv, tlsauth, key method, tlsserver, and tlsclient. linkmtu, This option requires that disableocc NOT be used. authuserpassoptional Allow connections by clients that do not specify a username/passwo rd. Normally, when authuserpassverM^@M^P ify or managementclientauth is specified (or an authenticatio n plugin module), the OpenVPN server daeM^@M^P mon will require connecting clients to specify a username and pass word. This option makes the submission of a username/password by clients optional, passing the responsi bility to the userdefined authentication module/script to accept or deny the client based on other factors (such as the setting of X509 certificate fields). When this option is used, and a connecting client does not submit a username/password, the user defined authentication module/script will see the username and pas sword as being set to empty strings (""). The authentication module/script MUST have logic to detect this co ndition and respond accordingly. clientcertnotrequired Dont require client certificate, client will authenticate usi ng username/password only. Be aware that using this directive is less secure than requiring certificates fr om all clients. If you use this directive, the entire responsibility of authentica tion will rest on your authuserpass verify script, so keep in mind that bugs in your script could po tentially compromise the security of your VPN. If you dont use this directive, but you also specify an authus erpassverify script, then OpenVPN will perform double authentication. The client certificate verificati on AND the authuserpassverify script will need to succeed in order for a client to be authenticated and accepted onto the VPN. devtype keysize,

Page 35/69

May 07, 12 21:14

Page 36/69

Any illegal characters in either the username or password string will be converted to underb

usernameascommonname For authuserpassverify authentication, use the authenticated username as the common name, rather than the common name from the client cert. nonameremapping Allow Common Name, X509 Subject, and username strings to include any printable character including space, but excluding control characters such as tab, newline, and carriag ereturn. By default, OpenVPN will remap any character other than alphanume (_), dash (), dot (.), and slash (/) to underbar (_). The X509 Subject strin g as returned by the tls_id environmental variable, can additionally contain colon (:) or equal (=). ric, underbar While name remapping is performed for security reasons to reduce possibility of introducing string expansion security vulnerabilities in userdefined authentica tion scripts, this option is provided for those cases where it is desirable to disable the remapping feature . Dont use this option unless you know what you are doing! the portshare host port When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a nonOpenV PN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretiM^@M^P cally possible to extend to other protocols such as ssh. Not implemented on Windows. Client Mode Use client mode when connecting to an OpenVPN server which has server, serverbridge, or mode server in its configuration. client A helper directive designed OpenVPNs client mode. This directive is equivalent to: pull tlsclient pull This option must be used on a client which is connecting to a mult iclient server. It indicates to OpenVPN that it should accept options pushed by the server, provided t hey are part of the legal set of pushable options (note that the pull option is implied by client ). In particular, pull allows the server to push routes to the clie should not use pull or client in situations where you dont trust the server to have co ntrol over the clients routing table. nt, so you authuserpass [up] to simplify the configuration of

Monday May 07, 2012

18/35

Printed by root May 07, 12 21:14

Page 37/69

May 07, 12 21:14

Page 38/69
Use preshared secre

Authenticate with server using username/password. up is a fil e containing username/password on 2 lines (Note: OpenVPN will only read passwords from a file if it has been built with the enablepasswordsave configure option, or on Windows by defining ENABLE_PASSWORD_SAVE i n configwin32.h). If up is omitted, username/password will be prompted from the cons ole. The server configuration must fy script to verify the username/password provided by the client. specify an authuserpassveri

Enable Static Key encryption mode (nonTLS). t file which was generated with genkey.

The optional direction parameter enables the use of 4 distin ct keys (HMACsend, cipherencrypt, HMAC receive, cipherdecrypt), so that each data flow direction has a d ifferent set of HMAC and cipher keys. This has a number of desirable security properties including eli minating certain kinds of DoS and message replay attacks. When the direction parameter is omitted, 2 keys are used bidirecti onally, one for HMAC and the other for encryption/decryption. The direction parameter should always be complementary on eit her side of the connection, i.e. one side should use "0" and the other should use "1", or both sides should omit it altogether. The direction parameter requires that file contains a 2048 bit key While pre1.5 versions of OpenVPN genM^@M^P erate 1024 bit key files, any version of OpenVPN which supports t he direction parameter, will also support 2048 bit key file generation using the genkey option. . Static key encryption mode has certain advantages, the primary bei ng ease of configuration. There are no certificates or certificate authorities or complicate d negotiation handshakes and protocols. The only requirement is that you have a preexisting secure chan nel with your peer (such as ssh ) to iniM^@M^P tially copy the key. This requirement, along with the fact that y our key never changes unless you manually generate a new one, makes it somewhat less secure than TLS mod e (see below). If an attacker manages to steal your key, everything that was ever encrypted with it is comp romised. Contrast that to the perfect forward secrecy features of TLS mode (using Diffie Hellman key exchange), where even if an attacker was able to steal your private key, he would gain no information to he lp him decrypt past sessions. Another advantageous aspect of Static Key encryption mode is that it is a handshakefree protocol without any distinguishing signature or feature (such as a header or pro tocol handshake sequence) that would mark the ciphertext packets as being generated by OpenVPN. Anyone eave sdropping on the wire would see nothing but randomlooking data. auth alg Authenticate packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a comM^@M^P monly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature. OpenVPNs usage of HMAC is to first encrypt a packet, then HMAC th e resulting ciphertext.

authretry type Controls how OpenVPN responds to username/password verification er rors such as the clientside response to an AUTH_FAILED message from the server or verification failure of the private key password. Normally used to prevent auth errors from being fatal on the cli ent side, and to permit username/password requeries in case of error. An AUTH_FAILED message is generated by the server if the client fa ils authuserpass authentication, or if the serverside clientconnect script returns an error status when the client tries to connect. type can be one of: none Client will exit with a fatal error (this is the default). nointeract Client will retry the connection without requeryi ng for an authuserpass username/passM^@M^P word. Use this option for unattended clients. interact Client will requery for an authuserpass username /password and/or private key password before attempting a reconnection. Note that while this option cannot be pushed, it can be controlled from the management interface. serverpolltimeout n when polling possible remote servers to connect to in a roundro bin fashion, spend no more than n seconds waiting for a response before trying the next server. explicitexitnotify [n] In UDP client mode or pointtopoint mode, send server/peer an exi t notification if tunnel is restarted or OpenVPN process is exited. In client mode, on exit/restart, th is option will tell the server to immediM^@M^P ately close its client instance object rather than waiting for a t imeout. The n parameter (default=1) conM^@M^P trols the maximum number of retries that the client will attempt t o resend the exit notification message. Data Channel Encryption Options: These options are meaningful for both Static & TLSnegotiated key modes ( must be compatible between peers). secret file [direction]

Monday May 07, 2012

19/35

Printed by root May 07, 12 21:14

Page 39/69

May 07, 12 21:14

s security.

Page 40/69

In statickey encryption mode, the HMAC key is included in th e key file generated by genkey. In TLS mode, the HMAC key is dynamically generated and shared between pee rs via the TLS control channel. If OpenM^@M^P VPN receives a packet with a bad HMAC it will drop the pack et. HMAC usually adds 16 or 20 bytes per packet. Set alg=none to disable authentication. For more information on HMAC see http://www.cs.ucsd.edu/users/mihi r/papers/hmac.html cipher alg Encrypt packets with cipher algorithm alg. The default is BFCBC, an abbreviation for Blowfish in Cipher Block Chaining mode. Blowfish has the advantages of being fast, very secure, and allowing key sizes of up to 448 bits. Blowfish is designed to be used in situations where keys are changed infrequently. For more information on blowfish, see http://www.counterpane.com/b lowfish.html To see other ciphers that are available with OpenVPN, use the sh owciphers option. OpenVPN supports the CBC, CFB, and OFB cipher modes, however CBC i s recommended and CFB and OFB should be considered advanced modes. Set alg=none to disable encryption. keysize n Size of cipher key in bits (optional). If unspecified, defaults cipherspecific default. The show ciphers option (see below) shows all available OpenSSL ciphers, th default key sizes, and whether the key size can be changed. Use care in changing a ciphers defa key size. Many ciphers have not been extensively cryptanalyzed with nonstandard key lengths, and a lar key may offer no real guarantee of greater security, or may even reduce security.

pared to make a tradeoff of greater efficiency in exchange for les OpenVPN provides datagram replay protection by default. Replay protection is accomplished by tagging each outgoing datag ram with an identifier that is guaranteed to be unique for the key being used. The peer that receives the d atagram will check for the uniqueness of the identifier. If the identifier was already received in a previous datagram, OpenVPN will drop the packet. Replay protection is important to defeat attacks such as a SYN flood attack, where the attacker listens in the wire, intercepts a TCP SYN packet (identifying it b y the context in which it occurs in relaM^@M^P tion to other packets), then floods the receiving peer with copies of this packet. OpenVPNs replay protection is implemented in slightly different w ays, depending on the key management mode you have selected. In Static Key mode or when using an CFB or OFB mode cipher, Ope nVPN uses a 64 bit unique identifier that combines a time stamp with an incrementing sequence number. When using TLS mode for key exchange and a CBC cipher mode, OpenVP 32 bit sequence number without a time stamp, since OpenVPN can guarantee the uniqueness of this value for each key. As in IPSec, if the sequence number is close to wrapping back to zero, OpenVPN will trigger a new key exchange. N uses only a To check for replays, OpenVPN uses the sliding window algorithm us ed by IPSec. replaywindow n [t] Use a replay protection slidingwindow of size n and a time window of t seconds. By default n is 64 (the IPSec default) and t is 15 seconds. This option is only relevant in UDP mode, i.e. o udp is specifed, or no proto option is specified. when either prot

to eir ult ger

prng alg [nsl] (Advanced) For PRNG (Pseudorandom number generator), use digest algorithm alg (default=sha1), and set nsl (default=16) to the size in bytes of the nonce secret length (betw een 16 and 64). unction Set alg=none to disable the PRNG and use the OpenSSL RAND_bytes instead for all of OpenVPNs pseudorandom number needs. engine [enginename] Enable OpenSSL hardwarebased crypto engine functionality. If enginename is specified, use a specific crypto engine. e the showengines standalone option to list the crypto engines which are supported by OpenSSL. noreplay (Advanced) Disable OpenVPNs protection against replay attacks. ont use this option unless you are preM^@M^P Us f

When OpenVPN tunnels IP packets over UDP, there is the possibilit y that packets might be dropped or delivM^@M^P ered out of order. Because OpenVPN, like IPSec, is emulating the physical network layer, it will accept an outoforder packet sequence, and will deliver such packets in the same order they were received to the TCP/IP protocol stack, provided they satisfy several constraints. (a) The packet cannot be a replay (unless noreplay is specified , which disables replay protection altoM^@M^P gether). (b) If a packet arrives out of order, it will only be accepted if the difference between its sequence numM^@M^P ber and the highest sequence number received so far is less than n .

Monday May 07, 2012

20/35

Printed by root May 07, 12 21:14

Page 41/69

May 07, 12 21:14

Page 42/69

(c) If a packet arrives out of order, it will only be accepted if it arrives no later than t seconds after any packet containing a higher sequence number. If you are using a network link with a large pipeline (meaning tha t the product of bandwidth and latency is high), you may want to use a larger value for n. Satellite links in particular often require this. If you run OpenVPN at verb 4, you will see the message "Replayw indow backtrack occurred [x]" every time the maximum sequence number backtrack seen thus far increases. Th is can be used to calibrate n. There is some controversy on the appropriate method of handling pa cket reordering at the security layer. Namely, to what extent should the security layer protect the enca psulated protocol from attacks which masM^@M^P querade as the kinds of normal packet loss and reordering that occ ur over IP networks? The IPSec and OpenVPN approach is to allow packet reordering withi n a certain fixed sequence number window. OpenVPN adds to the IPSec model by limiting the window size in tim e as well as sequence space. OpenVPN also adds TCP transport as an option (not offered by IPSec ) in which case OpenVPN can adopt a very strict attitude towards message deletion and reordering: Dont allow it. Since TCP guarantees reliabilM^@M^P ity, any packet loss or reordering event can be assumed to be an a ttack. In this sense, it could be argued that TCP tunnel transport is pr tunneling nonIP or UDP application protocols which might be vulnerable to a message deletion or reordering attack which falls within the normal operational parameters of IP networks. eferred when So I would make the statement that one should never tunnel a nonI UDP application protocol over UDP, if the protocol might be vulnerable to a message deleti on or reordering attack that falls within the normal operating parameters of what is to be expected from the physical IP layer. The problem is easM^@M^P ily fixed by simply using TCP as the VPN transport layer. P protocol or mutereplaywarnings Silence the output of replay warnings, which are a common false alarm on WiFi networks. This option preM^@M^P serves the security of the replay protection code without the ver bosity associated with warnings about duplicate packets. replaypersist file Persist replayprotection state across sessions using file to save and reload the state. This option will strengthen protection against replay attacks, e

specially when you are using OpenVPN in a dynamic context (such as with inetd) when OpenVPN sessions are f requently started and stopped. This option will keep a disk copy of the current replay protection state (i.e. the most recent packet timeM^@M^P stamp and sequence number received from the remote peer), so that if an OpenVPN session is stopped and restarted, it will reject any replays of packets which were alread y received by the prior session. e default) This option only makes sense when replay protection is enabled (th and you are using either secret (sharedsecret key mode) or TLS mode with tlsauth.

noiv (Advanced) Disable OpenVPNs use of IV (cipher initialization v Dont use this option unless you are prepared to make a tradeoff of greater efficiency in exchange for less security. ector). OpenVPN uses an IV by default, and requires it for CFB and OFB cip (which are totally insecure without it). Using an IV is important for security when multip le messages are being encrypted/decrypted with the same key. her modes IV is implemented differently depending on the cipher mode used. In CBC mode, OpenVPN uses a pseudorandom IV for each packet. In CFB/OFB mode, OpenVPN uses a unique sequence number and time st In fact, in CFB/OFB mode, OpenVPN uses a datagram spacesaving optimization that uses the u nique identifier for datagram replay proM^@M^P tection as the IV. amp as the IV. testcrypto Do a selftest of OpenVPNs crypto options by encrypting and decry pting test packets using the data channel encryption options specified above. This option does not require a peer to function, and therefore can be specified without dev or remote. The typical usage of testcrypto would be something like this: openvpn testcrypto secret key or openvpn testcrypto secret key verb 9 This option is very useful to test OpenVPN after it has been porte d to a new platform, or to isolate probM^@M^P lems in the compiler, OpenSSL crypto library, or OpenVPNs cr ypto code. Since it is a selftest mode, problems with encryption and authentication can be debugged indepe ndently of network and tunnel issues. TLS Mode Options: TLS mode is the most powerful crypto mode of OpenVPN in both security and flexibility. TLS mode works by estabM^@M^P

Monday May 07, 2012

21/35

Printed by root May 07, 12 21:14

Page 43/69

May 07, 12 21:14

penVPN, they are totally insecure.

Page 44/69

lishing control and data channels which are multiplexed over a single TC P/UDP port. OpenVPN initiates a TLS sesM^@M^P sion over the control channel and uses it to exchange cipher and HMAC key s to protect the data channel. TLS mode uses a robust reliability layer over the UDP connection for all cont rol channel communication, while the data channel, over which encrypted tunnel data passes, is forwarded without an y mediation. The result is the best of both worlds: a fast data channel that forwards over UDP with only the ove rhead of encrypt, decrypt, and HMAC funcM^@M^P tions, and a control channel that provides all of the security feature s of TLS, including certificatebased authentication and Diffie Hellman forward secrecy. To use TLS mode, each peer that runs OpenVPN should have its own local c ertificate/key pair ( cert and key ), signed by the root certificate which is specified in ca. When two OpenVPN peers connect, each presents its local certificate to th e other. Each peer will then check that its partner peer presented a certificate which was signed by the master r oot certificate as specified in ca. If that check on both peers succeeds, then the TLS negotiation will succe ed, both OpenVPN peers will exchange temM^@M^P porary session keys, and the tunnel will begin passing data. The OpenVPN distribution contains a set of scripts for managing RSA certi ficates & keys, located in the easyrsa subdirectory. The easyrsa package is also rendered in web form here: http://openvpn.ne t/easyrsa.html tlsserver Enable TLS and assume server role during TLS handshake. Note t hat OpenVPN is designed as a peertopeer application. The designation of client or server is only for the purpose of negotiating the TLS control channel. tlsclient Enable TLS and assume client role during TLS handshake. ca file Certificate authority (CA) file in .pem format, also referred t o as the root certificate. This file can have multiple certificates in .pem format, concatenated together. You can construct your own certificate authority certificate and private key by using a command such as: openssl req nodes new x509 keyout ca.key out ca.crt Then edit your openssl.cnf ble to point to your new root certificate ca.crt. file and edit the certificate varia

dh file File containing Diffie Hellman parameters in .pem format (required for tlsserver only). Use openssl dhparam out dh1024.pem 1024 to generate your own, or use the existing dh1024.pem file included with the OpenVPN distribution. Diffie Hellman parameters may be considered public. cert file Local peers signed certificate in .pem format must be signed by a certificate authority whose certifiM^@M^P cate is in ca file. Each peer in an OpenVPN link running in TLS mode should have its own certificate and private key file. In addition, each certificate should hav e been signed by the key of a certificate authority whose public key resides in the ca certificate authori ty file. You can easily make your own certificate authority (see above) or pay money to use a commer cial service such as thawte.com (in which case you will be helping to finance the worlds second space touri st :). To generate a certificate, you can use a command such as: openssl req nodes new keyout mycert.key out mycert.csr If your certificate authority private key lives on another mach ine, copy the certificate signing request (mycert.csr) to this other machine (this can be done over an insec ure channel such as email). Now sign the certificate with a command such as: openssl ca out mycert.crt in mycert.csr Now copy the certificate (mycert.crt) back to the peer which initi ally generated the .csr file (this can be over a public medium). Note that the openssl ca command reads the location of the certificate authority key from its configuration file such as /usr/share/ssl/open ssl.cnf note also that for certificate authority functions, you must set up the files index.txt (may be e mpty) and serial (initialize to 01 ). key file Local peers private key in .pem format. Use the private key whic was generated when you built your peers certificate (see cert file above).

pkcs12 file Specify a PKCS #12 file containing local private key, local ce rtificate, and root CA certificate. This option can be used instead of ca, cert, and key. pkcs11certprivate [0|1]... Set if access to certificate object should be performed after logi Every provider has its own setting. pkcs11id name Specify the serialized certificate id to be used. The id can be go

For testing purposes only, the OpenVPN distribution includes a sam ple CA certificate (ca.crt). Of course you should never use the test certificates and test keys distribu ted with OpenVPN in a production environM^@M^P ment, since by virtue of the fact that they are distributed with O

n.

Monday May 07, 2012

22/35

Printed by root May 07, 12 21:14

tten by the standalone option. showpkcs11ids keymethod m Use data channel key negotiation method m. tch on both sides of the connection. The key method must ma

Page 45/69

May 07, 12 21:14

Page 46/69

pkcs11idmanagement Acquire PKCS#11 id from management interface. In this case a NEED STR pkcs11idrequest realtime message will be triggered, application may use pkcs11idcount command to retrieve available number of certifiM^@M^P cates, and pkcs11idget command to retrieve certificate id and ce rtificate body. pkcs11pincache seconds Specify how many seconds the PIN can be cached, the default is unt il the token is removed. pkcs11protectedauthentication [0|1]... Use PKCS#11 protected authentication and external keypad devices. Every provider has its own setting. path, useful for biome

After OpenVPN negotiates a TLS session, a new set of keys for pro tecting the tunnel data channel is generM^@M^P ated and exchanged over the TLS session. In method 1 (the default for OpenVPN 1.x), both sides generate ran dom encrypt and HMACsend keys which are forwarded to the other host over the TLS channel. In method 2, (the default for OpenVPN 2.0) the client generates a Both client and server also generate some random seed material. All key source material is ex changed over the TLS channel. The actual keys are generated using the TLS PRF function, taking source entro py from both client and server. Method 2 is designed to closely parallel the key generation process used by TLS 1.0. random key. Note that in TLS mode, two separate levels of keying occur: (1) The TLS connection is initially negotiated, with both sides of connection producing certificates and verifying the certificate (or other authentication info provi ded) of the other side. The keymethod parameter has no effect on this process. the (2) After the TLS connection is established, the tunnel session ke separately negotiated over the existing secure TLS channel. Here, keymethod determines the de rivation of the tunnel session keys. ys are tlscipher l A list l of allowable TLS ciphers delimited by a colon (":"). If you require a high level of security, you may want to set this parameter manually, to prevent a version roll back attack where a maninthemiddle attacker tries to force two peers to negotiate to the lowest level of security they both support. Use showtls to see a list of supported TLS ciphers. tlstimeout n Packet retransmit timeout on TLS control channel if no acknowl edgment from remote within n seconds (default=2). When OpenVPN sends a control packet to its peer, it will expect to receive an acknowledgement within n seconds or it will retransmit the packet, subject to a T CPlike exponential backoff algorithm. This parameter only applies to control channel packets. Data chan nel packets (which carry encrypted tunnel data) are never acknowledged, sequenced, or retransmitted by OpenV PN because the higher level network proM^@M^P tocols running on top of the tunnel such as TCP expect this role t o be left to them. renegbytes n Renegotiate data channel key disabled by default). OpenVPN allows the after n bytes sent or received (

tric

pkcs11providers provider... Specify a RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) providers to load. This option can be used instead of cert, key, and pkcs12. pkcs11privatemode mode... Specify which method to use in order to perform private key opera tions. A different mode can be specified for each provider. Mode is encoded as hex number, and can be a ma sk one of the following: 0 1 2 4 8 (default) Try to determind automatically. Use sign. Use sign recover. Use decrypt. Use unwrap.

cryptoapicert selectstring Load the certificate and private key from the Windows Certificate System Store (Windows Only). Use this option instead of cert and key. This makes it possible to use any smart card, supported by Windows any kind of certificate, residing in the Cert Store, where you have access to the private key. This option has been tested with a couple of different smart cards (GemSAFE, Cryptoflex, and Swedish Post Office eID) on the client side, and also an imported PKCS12 software certificate on the server side. , but also To select a certificate, based on a substring search in the certif icates subject: cryptoapicert "SUBJ:Peter Runestig" To select a certificate, based on certificates thumbprint: cryptoapicert "THUMB:f6 49 24 41 01 b4 ..." The thumbprint hex string can easily be copyandpasted from the W indows Certificate Store GUI.

Monday May 07, 2012

23/35

Printed by root May 07, 12 21:14

Page 47/69

May 07, 12 21:14

Page 48/69

lifetime of a key to be expressed as a number of bytes encrypted/d ecrypted, a number of packets, or a numM^@M^P ber of seconds. A key renegotiation will be forced if any of thes e three criteria are met by either peer. renegpkts n Renegotiate data channel key after n packets sent and received (di sabled by default). renegsec n Renegotiate data channel key after n seconds (default=3600). When using dualfactor authentication, note that this default valu e may cause the end user to be challenged to reauthorize once per hour. Also, keep in mind that this option can be used on both the client and server, and whichever uses the lower value will be the one to trigger the renegotiation. A common mistake is to set renegsec to a higher value on either the client or server, while the other side of the connection is still using the default value of 3600 seconds, meaning that the renegotiation will still o ccur once per 3600 seconds. The solution is to increase renegsec on both the client and server, or set i t to 0 on one side of the connection (to disable), and to your chosen value on the other side. handwindow n Handshake Window the TLSbased key exchange must finalize wi thin n seconds of handshake initiation by any peer (default = 60 seconds). If the handshake fails we will a ttempt to reset our connection with our peer and try again. Even in the event of handshake failure we will still use our expiring key for up to tranwindow seconds to maintain continuity of transmission of tu nnel data. tranwindow n Transition window our old key can live this many seconds after a new a key renegotiation begins (default = 3600 seconds). This feature allows for a graceful transition from old to new key, and removes the key renegotiation sequence from the critical path of tunnel data forwa rding. singlesession After initially connecting to a remote peer, disallow any new conn ections. Using this option means that a remote peer cannot connect, disconnect, and then reconnect. If the daemon is reset by a signal or pingrestart, it will allo w one new connection. singlesession can be used with pingexit or inactive to create a single dynamic session that will exit when finished. tlsexit Exit on TLS negotiation failure. tlsauth file [direction]

Add an additional layer of HMAC authentication on top of the TLS c ontrol channel to protect against DoS attacks. In a nutshell, tlsauth enables a kind of "HMAC firewall" on OpenVPNs TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response. file (required) is a key file which can be in one of two formats: (1) An OpenVPN static key file generated by genkey (required if direction parameter is used). (2) A freeform passphrase file. In this case the HMAC key will be derived by taking a secure hash of this file, similar to the md5sum(1) or sha1sum(1) commands. OpenVPN will first try format (1), and if the file fails to parse as a static key file, format (2) will be used. See the secret option for more information on the optional direc tion parameter. tlsauth is recommended when you are running OpenVPN in a mode w here it is listening for packets from any IP address, such as when remote is not specified, or remote is specified with float. The rationale for this feature is as follows. TLS requires a m ultipacket exchange before it is able to authenticate a peer. During this time before authentication, Open VPN is allocating resources (memory and CPU) to this potential peer. The potential peer is also expos ing many parts of OpenVPN and the OpenSSL library to the packets it is sending. Most successful network att acks today seek to either exploit bugs in programs (such as buffer overflow attacks) or force a program to consume so many resources that it becomes unusable. Of course the first line of defense is always to produc e clean, wellaudited code. OpenVPN has been written with buffer overflow attack prevention as a top pri ority. But as history has shown, many of the most widely used network applications have, from time to time, fallen to buffer overflow attacks. So as a second line of defense, OpenVPN offers this special layer of authentication on top of the TLS conM^@M^P trol channel so that every packet on the control channel is authen ticated by an HMAC signature and a unique ID for replay protection. This signature will also help protect a gainst DoS (Denial of Service) attacks. An important rule of thumb in reducing vulnerability to DoS attac ks is to minimize the amount of resources a potential, but as yet unauthenticated, client is able to consume . tlsauth does this by signing every TLS control channel packet w ith an HMAC signature, including packets which are sent before the TLS level has had a chance to authentic ate the peer. The result is that packets

Monday May 07, 2012

24/35

Printed by root May 07, 12 21:14

Page 49/69

May 07, 12 21:14

Page 50/69

without the correct signature can be dropped immediately upon rece ption, before they have a chance to conM^@M^P sume additional system resources such as by initiating a TLS hand shake. tlsauth can be strengthened by adding the replaypersist option which will keep OpenVPNs repla y protection state in a file so that it is not lost across restarts. It should be emphasized that this feature is optional and that the passphrase/key file used with tlsauth gives a peer nothing more than the power to initiate a TLS handsha ke. It is not used to encrypt or authenM^@M^P ticate any tunnel data. askpass [file] Get certificate password from console or file before we daemonize. For the extremely security conscious, it is possible to prot ect your private key with a password. Of course this means that every time the OpenVPN daemon is started yo u must be there to type the password. The askpass option allows you to start OpenVPN from the comman d line. It will query you for a password before it daemonizes. To protect a private key with a password yo u should omit the nodes option when you use the openssl command line tool to manage certificates and priva te keys. If file is specified, read the password from the first line of fi Keep in mind that storing your passM^@M^P word in a file to a certain extent invalidates the extra security provided by using an encrypted key (Note: OpenVPN will only read passwords from a file if it has been built with the enablepasswordsave configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in configw in32.h). le. authnocache Dont cache askpass or authuserpass username/passwords in vi rtual memory. If specified, this directive will cause OpenVPN to immediately for get username/password inputs after they are used. As a result, when OpenVPN needs a username/password, i t will prompt for input from stdin, which may be multiple times during the duration of an OpenVPN session. This directive does not affect the httpproxy username/password. It is always cached. tlsverify cmd Execute shell command cmd to verify the X509 name of a pending TLS connection that has otherwise passed all other tests of certification (except for revocation via crlver ify directive; the revocation test occurs after the tlsverify test). fail. cmd should return 0 to allow the TLS handshake to proceed, or 1 to cmd is executed as cmd certificate_depth X509_NAME_oneline

This feature is useful if the peer you want to trust has a certifi cate which was signed by a certificate authority who also signed many other certificates, where you don t necessarily want to trust all of them, but rather be selective about which peer certificate you will acce pt. This feature allows you to write a script which will test the X509 name on a certificate and decide w hether or not it should be accepted. For a simple perl script which will test the common name field on the certificate, see the file verifycn in the OpenVPN distribution. See the "Environmental Variables" parameters passed as environmental variM^@M^P ables. section below for additional

Note that cmd can be a shell command with multiple arguments, in w hich case all OpenVPNgenerated arguments will be appended to cmd to build a command line which will be pass ed to the script. tlsremote name Accept connections only from a host with X509 name or common name equal to name. The remote host must also pass all other tests of verification. NOTE: Because tlsremote may test against a common name prefix, on ly use this option when you are using OpenVPN with a custom CA certificate that is under your control . Never use this option when your client certificates are signed by a third party, such as a commercial web CA. client er Using a common name prefix is a useful alternative to managing a CRL (Certificate Revocation List) on the client, since it allows the client to refuse all certificates exce pt for those associated with designated servers. tlsremote is a useful replacement for the tlsverify option to verify the remote host, because tls remote works in a chroot environment too. nscerttype client|server Require that peer certificate was signed with an explicit nsCertTy pe designation of "client" or "server". This is a useful security option for clients, to ensure that the h ost they connect with is a designated server. See the easyrsa/buildkeyserver script for an example of how t o generate a certificate with the nsCertM^@M^P Type field set to "server". hen the If the server certificates nsCertType field is set to "server", t clients can verify this with to Name can also be a common name prefix, for example if you want a only accept connections to "Server1", "Server2", etc., you can simply use tlsremote Serv

Monday May 07, 2012

25/35

Printed by root May 07, 12 21:14

nscerttype server. This is an important security precaution to protect against a man inthemiddle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one o f nscerttype, tlsremote, or tls verify. remotecertku v... Require that peer certificate was signed with an explicit key usag e. ost they This is a useful security option for clients, to ensure that the h connect to is a designated server.

Page 51/69

May 07, 12 21:14

Page 52/69

crlverify crl Check peer certificate against the file crl in PEM format. A CRL (certificate revocation list) is used when a particular ke y is compromised but when the overall PKI is still intact. Suppose you had a PKI consisting of a CA, root certificate, and a number of client certificates. Suppose a laptop computer containing a client key and certificate was sto len. By adding the stolen certificate to the CRL file, you could reject any connection which attempts to use it, while preserving the overall integrity of the PKI. The only time when it would be necessary to rebuild the entire P KI from scratch would be if the root cerM^@M^P tificate key itself was compromised. SSL Library information: showciphers (Standalone) Show all cipher algorithms to use with the cipher o ption. showdigests (Standalone) Show all message digest algorithms to use with the auth option. showtls (Standalone) Show all TLS ciphers (TLS used only as a control chan The TLS ciphers will be sorted from highest preference (most secure) to lowest.

The key usage should be encoded in hex, more than one key usage ca n be specified. remotecerteku oid Require that peer certificate was signed with an explicit extended key usage. This is a useful security the host they connect to is a designated server. option for clients, to ensure that

The extended key usage should be encoded in oid notation, or OpenS SL symbolic representation. remotecerttls client|server Require that peer certificate was signed with an explicit key usag e and extended key usage based on RFC3280 TLS rules. This is a useful security the host they connect to is a designated server. option for clients, to ensure that

nel).

showengines (Standalone) Show currently available hardwarebased crypto acce leration engines supported by the OpenSSL library. Generate a random key: Used only for nonTLS static key encryption mode. genkey (Standalone) Generate a random key to be used as a shared secret, for use with the secret option. This file must be shared with the peer over a preexisting secure chann el such as scp(1) secret file Write key to file. TUN/TAP persistent tunnel config mode: Available with linux 2.4.7+. These options comprise a standalone mode o f OpenVPN which can be used to create and delete persistent tunnels. mktun (Standalone) Create a persistent tunnel on platforms which support Linux. Normally TUN/TAP tunnels exist only for the period of time that an application ha s them open. This option takes advantage of the TUN/TAP drivers ability to build persistent tunnels that l ive through multiple instantiations of them such as

The remotecerttls client option is equivalent to remotecert ku 80 08 88 remotecerteku "TLS Web Client Authentication" The key usage is digitalSignature and/or keyAgreement. The remotecerttls server certku a0 88 remotecerteku "TLS Web Server Authentication" ement ). This is an important security precaution to protect against a man inthemiddle attack where an authorized client attempts to connect to another client by impersonating th e server. The attack is easily prevented by having clients verify the server certificate using any one of remotecerttls, tlsremote, or tls verify. option is equivalent to remote

The key usage is digitalSignature and ( keyEncipherment or keyAgre

Monday May 07, 2012

26/35

Printed by root May 07, 12 21:14

ted. One of the advantages of persistent tunnels is that they elimin ate the need for separate up and down scripts to run the appropriate ifconfig(8) and route(8) commands. These commands can be placed in the the same shell script which starts or terminates an OpenVPN session. Another advantage is that open connections through the TUN/TAPba sed tunnel will not be reset if the OpenM^@M^P VPN peer restarts. This can be useful to provide uninterrupted co nnectivity through the tunnel in the event of a DHCP reset of the peers public IP address (see the i pchange option above). One disadvantage of persistent tunnels is that it is harder to aut omatically configure their MTU value (see linkmtu and tunmtu above). On some platforms such as Windows, TAPWin32 tunnels are persisten t by default. rmtun (Standalone) Remove a persistent tunnel. dev tunX | tapX TUN/TAP device user user Optional user to be owner of this tunnel. group group Optional group to be owner of this tunnel. WindowsSpecific Options: winsys path|env Set the Windows system directory pathname to use when looking for system executables such as route.exe and netsh.exe. By default, if this directive is not specified, the pa thname will be set to "C:\WINDOWS" The special string env indicates that the pathname should be rea d from the SystemRoot environmental variM^@M^P able. ipwin32 method When using ifconfig on Windows, set the TAPWin32 adapter IP add ress and netmask using method. Dont use this option unless you are also using ifconfig. manual Dont set the IP address or netmask automatically. Instead output a message to the console telling the user to configure the adapter manually and indicating the IP/netmask which OpenVPN expects the adapter to be set to. dynamic [offset] [leasetime] Automatically set the IP addr ess and netmask by replying to DHCP query messages generated by the kernel. This mode is probably the "clea nest" solution for setting the TCP/IP properties since it uses the wellknown DHCP protocol. There

Page 53/69

May 07, 12 21:14

Page 54/69

OpenVPN and die only when they are deleted or the machine is reboo

are, however, two prerequisites for using this mode: (1) The TCP/IP properties for the TAPWin32 adapter mus t be set to "Obtain an IP address autoM^@M^P matically," and (2) OpenVPN needs to claim an IP address in the subnet for use as the virtual DHCP server address. By default in dev tap mode, OpenVPN will take the norm ally unused first address in the subnet. For example, if your subnet is 192.168.4.0 netmask 255.255.255 .0, then OpenVPN will take the IP address 192.168.4.0 to use as the virtual DHCP server address. In dev t un mode, OpenVPN will cause the DHCP server to masquerade as if it were coming from the remote endpo int. The optional offset parameter is an integer which is > 256 and < 256 and which defaults to 0. If off set is positive, the DHCP server will masquerade as the IP address at network address + offset. If offs et is negative, the DHCP server will masM^@M^P querade as the IP address at broadcast address + offset. The Wind ows ipconfig /all command can be used to show what Windows thinks the DHCP server address is. OpenVPN w ill "claim" this address, so make sure to use a free address. Having said that, different OpenVPN instantia tions, including different ends of the same connection, can share the same virtual DHCP server addres s. The leasetime parameter controls the lease time of the DHCP assignment given to the TAPWin32 adapter, and is denoted in seconds. Normally a very long lease time is preferred because it prevents routes i nvolving the TAPWin32 adapter from being lost when the system goes to sleep. The default lease time is one year. netsh Automatically set the IP address and netmask using the Wi ndows commandline "netsh" command. This method appears to work correctly on Windows XP but not Windows 200 0. ipapi Automatically set the IP address and netmask using the W indows IP Helper API. This approach does not have ideal semantics, though testing has indicated that it wor ks okay in practice. If you use this option, it is best to leave the TCP/IP properties for the TAPW in32 adapter in their default state, i.e. "Obtain an IP address automatically." adaptive (Default) Try dynamic method initially and fail over t o netsh if the DHCP negotiation with the TAPWin32 adapter does not succeed in 20 seconds. Such failu res have been known to occur when certain thirdparty firewall packages installed on the client machine bloc k the DHCP negotiation used by the TAP Win32 adapter. Note that if the netsh failover occurs, the TA PWin32 adapter TCP/IP properties will be reset from DHCP to static, and this will cause future OpenVPN star tups using the adaptive mode to use netsh immediately, rather than trying dynamic first. To "unstick" the adaptive mode from using netsh, run OpenM^@M^P VPN at least once using the dynamic mode to restore the TAPWin32 adapter TCP/IP properties to a DHCP conM^@M^P figuration. routemethod m

Monday May 07, 2012

27/35

Printed by root May 07, 12 21:14

Page 55/69
If that fails, fal

May 07, 12 21:14

Page 56/69

Which method m to use for adding routes on Windows? adaptive (default) Try IP helper API first. l back to the route.exe shell command. ipapi Use IP helper API. exe Call the route.exe shell command.

Cause OpenVPN to sleep for n seconds immediately after the TAPWin 32 adapter state is set to "connected". This option is intended to be used to troubleshoot problems with t he ifconfig and ipwin32 options, and is used to give the TAPWin32 adapter time to come up before Win dows IP Helper API operations are applied to it. shownetup Output OpenVPNs view of the system routing table and network adap ter list to the syslog or log file after the TUN/TAP adapter has been brought up and any routes have been a dded. dhcprenew Ask Windows to renew the TAP adapter lease on startup. This o ption is normally unnecessary, as Windows automatically triggers a DHCP renegotiation on the TAP adapter whe n it comes up, however if you set the TAPWin32 adapter Media Status property to "Always Connected", you may need this flag. dhcprelease Ask Windows to release the TAP adapter lease on shutdown. tion has the same caveats as dhcprenew above. This op

dhcpoption type [parm] Set extended TAPWin32 TCP/IP properties, must be used with ipwin32 dynamic or ipwin32 adaptive. This option can be used to set additional TCP/IP properties on the TAPWin32 adapter, and is particularly useful for configuring an OpenVPN client to access a Samba server across the VPN. DOMAIN name Set Connectionspecific DNS Suffix. DNS addr Set primary t this option to set secondary DNS server addresses. Name Server). domain name server address. Repea

WINS addr Set primary WINS server address (NetBIOS over TCP/IP Repeat this option to set secondary WINS server addresses.

NBDD addr Set primary NBDD server address (NetBIOS over TCP/IP Datagram Distribution Server) Repeat this option to set secondary NBDD server addresses. . NTP addr Set primary NTP server address (Network Time Protocol) Repeat this option to set secondary NTP server addresses.

registerdns Run net stop dnscache, net start dnscache, ipconfig /flushdns and ipconfig /registerdns on connection iniM^@M^P tiation. This is known to kick Windows into recognizing pushed DN S servers. pauseexit Put up a "press any key to continue" message on the console prior to OpenVPN program exit. This option is automatically used by the Windows explorer when OpenVPN is run on a configuration file using the right click explorer menu. service exitevent [0|1] Should be used when OpenVPN is being automatically executed by another program in such a context that no interaction with the user via display or keyboard is possible. In general, endusers should never need to explicitly use this option, as it is automatically added by the O penVPN service wrapper when a given OpenM^@M^P VPN configuration is being run as a service. exitevent is the name of a Windows global event object, and OpenV PN will continuously monitor the state of this event object and exit when it becomes signaled. The second parameter indicates the initial state of exitevent and normally defaults to 0. Multiple OpenVPN processes can be simultaneously executed with the same exitevent parameter. In any case, the controlling process can signal exitevent, causing all such Op enVPN processes to exit.

NBT type Set NetBIOS over TCP/IP Node type. Possible opt ions: 1 = bnode (broadcasts), 2 = pnode (pointtopoint name queries to a WINS server), 4 = mnode (broadc ast then query name server), and 8 = h node (query name server, then broadcast). NBS scopeid Set NetBIOS over TCP/IP Scope. A NetBIOS Scope I D provides an extended naming service for the NetBIOS over TCP/IP (Known as NBT) module. The primary purpose of a NetBIOS scope ID is to isolate NetM^@M^P BIOS traffic on a single network to only those nodes with the sam e NetBIOS scope ID. The NetBIOS scope ID is a character string that is appended to the NetBIOS name. The Ne tBIOS scope ID on two hosts must match, or the two hosts will not be able to communicate. The NetBIOS Scope ID also allows computers to use the same computer name, as they have different scope IDs. The Scope ID becomes a part of the NetBIOS name, makM^@M^P ing the name unique. (This description of NetBIOS scopes courtesy of [email protected]) DISABLENBT Disable NetbiosoverTCP/IP. Note that if dhcpoption is pushed via push to a nonwindow s client, the option will be saved in the clients environment before the up script is called, under the nam e "foreign_option_{n}". tapsleep n

Monday May 07, 2012

28/35

Printed by root May 07, 12 21:14

Page 57/69

May 07, 12 21:14

tion.

Page 58/69

When executing an OpenVPN process using the service directive, O penVPN will probably not have a console window to output status/error messages, therefore it is useful to use log or logappend to write these messages to a file. showadapters (Standalone) Show available TAPWin32 adapters which can be select ed using the devnode option. On non Windows systems, the ifconfig(8) command provides similar function ality. allownonadmin [TAPadapter] (Standalone) Set TAPadapter to allow access from nonadministrat ive accounts. If TAPadapter is omitted, all TAP adapters on the system will be configured to allow nonadm in access. The nonadmin access setting will only persist for the length of time that the TAPWin32 de vice object and driver remain loaded, and will need to be reenabled after a reboot, or if the driver is unl oaded and reloaded. This directive can only be used by an administrator. showvalidsubnets (Standalone) Show valid subnets for dev tun emulation. Since the TAPWin32 driver exports an ethernet interface to Windows, and since TUN devices are pointtopoint in nature, it is necessary for the TAPWin32 driver to impose certain constraints on TUN endpoint address selec tion. Namely, the pointtopoint endpoints used in TUN device emulation must be the middle two addresses of a /30 subnet (netmask 255.255.255.252). shownet (Standalone) Show OpenVPNs view of the system routing table and n etwork adapter list. PKCS#11 Standalone Options: showpkcs11ids provider [cert_private] (Standalone) Show PKCS#11 token object list. Specify cert_private as 1 if certificates are stored as priM^@M^P vate objects. verb option can be used BEFORE this option to produce debugging information. SCRIPTING AND ENVIRONMENTAL VARIABLES OpenVPN exports a series of environmental variables for use by userdefin ed scripts. Script Order of Execution up Executed after TCP/UDP socket bind and TUN/TAP open. tlsverify Executed when we have a still untrusted remote peer. ipchange Executed after connection authentication, or remote IP address cha nge.

clientconnect Executed in mode server mode immediately after client authentica routeup Executed after connection authentication, after, or some number of seconds after as defined by the routedelay option.

either

immediately

clientdisconnect Executed in mode server mode on client instance shutdown. down Executed after TCP/UDP and TUN/TAP close. learnaddress Executed in mode server mode whenever an IPv4 address/route or M AC address is added to OpenVPNs internal routing table. authuserpassverify Executed in mode server mode on new client connections, when the client is still untrusted. String Types and Remapping In certain cases, OpenVPN will perform remapping of characters in stri ngs. Essentially, any characters outside the set of permitted characters for each string type will be converted to underbar (_). Q: Why is string remapping necessary? A: Its an important security feature to prevent the malicious coding of from untrusted sources to be passed as parameters to scripts, saved in the environment, used as a comm on name, translated to a filename, etc. strings Q: Can string remapping be disabled? A: Yes, by using the nonameremapping option, however this should be c onsidered an advanced option. Here is a brief rundown of OpenVPNs current string types and the permitt ed character class for each string: X509 Names: Alphanumeric, underbar (_), dash (), dot (.), at ( @), colon (:), slash (/), and equal (=). Alphanumeric is defined as a character which will cause the C lib rary isalnum() function to return true. Common Names: Alphanumeric, underbar (_), dash (), dot (.), and at (@). authuserpass username: Same as Common Name, with one exception: start ing with OpenVPN 2.0.1, the username is passed to the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY plugin in its raw form , without string remapping. . authuserpass password: Any "printable" character except CR or LF Printable is defined to be a character which will cause the C library isprint() function to return true. clientconfigdir filename as derived from common name or username: Alp

Monday May 07, 2012

29/35

Printed by root May 07, 12 21:14

Page 59/69

May 07, 12 21:14

rived from

Page 60/69

hanumeric, underbar (_), dash (), and dot (.) except for "." or ".." as standalone strings. As of 2 .0.1rc6, the at (@) character has been added as well for compatibility with the common name character class. Environmental variable names: Alphanumeric or underbar (_). Environmental variable values: Any printable character. For all cases, characters in a string which are not members of the legal character class for that string type will be remapped to underbar (_). Environmental Variables Once set, a variable is persisted indefinitely until it is reset by a new value or a restart, As of OpenVPN 2.0beta12, in server mode, environmental variables s et by OpenVPN are scoped according to the client objects they are associated with, so there should not be any issue s with scripts having access to stale, previously set variables which refer to different client instances. bytes_received Total number of bytes received from client during VPN session. t prior to execution of the clientdisM^@M^P connect script. bytes_sent Total number of bytes sent to client during VPN session. r to execution of the clientdisconnect script. common_name The X509 common name of an authenticated client. cution of clientconnect, clientdisM^@M^P connect, and authuserpassverify scripts. config Name of first config file. on SIGHUP. e. Se

the ifconfig option when dev tap is used. Set prior to OpenVPN calling the ifconfig or netsh (windows version of ifconfig) comM^@M^P mands which normally occurs prior to up script execution.

ifconfig_local The local VPN endpoint IP address specified in the ifconfig opti on (first parameter). Set prior to OpenM^@M^P VPN calling the ifconfig or netsh (windows version of ifconfig ) commands which normally occurs prior to up script execution. ifconfig_remote The remote VPN endpoint IP address specified in the ifconfig opt ion (second parameter) when dev tun is used. Set prior to OpenVPN calling the ifconfig or netsh (windows version of ifconfig) commands which norM^@M^P mally occurs prior to up script execution. ifconfig_netmask The subnet mask of the virtual ethernet segment that is specified as the second parameter to ifconfig when dev tap is being used. Set prior to OpenVPN calling the ifconfig or netsh (windows version of ifconfig) commands which normally occurs prior to up script exec ution. ifconfig_pool_local_ip The local virtual IP address for the TUN/TAP tunnel taken from an ifconfigpush directive if specified, or otherwise from the ifconfig pool (controlled by the ifconf igpool config file directive). Only set for dev tun tunnels. This option is set on the server prior to execution of the clientconnect and clientdisconnect scripts. ifconfig_pool_netmask The virtual IP netmask for the TUN/TAP tunnel taken from an ifco nfigpush directive if specified, or othM^@M^P erwise from the ifconfig pool (controlled by the ifconfigpool c onfig file directive). Only set for dev tap tunnels. This option is set on the server prior to execution of the clientconnect and clientdisconnect scripts. ifconfig_pool_remote_ip The remote virtual IP address for the TUN/TAP tunnel taken from an ifconfigpush directive if specified, or otherwise from the ifconfig pool (controlled by the ifconfig pool config file directive). This option is set on the server prior to execution of the clientconnect an d clientdisconnect scripts. link_mtu The maximum packet size (not including the IP header) of tunnel da ta in UDP tunnel transport mode. Set prior to up or down script execution. local HUP. The local parameter. Set on program initiation and reset on SIG

Set prio

Set prior to exe

Set on program initiation and reset

daemon Set to "1" if the daemon directive is specified, or "0" otherwis Set on program initiation and reset on SIGHUP.

daemon_log_redirect Set to "1" if the log or logappend directives are specified, or "0" otherwise. Set on program initiaM^@M^P tion and reset on SIGHUP. dev it exists. The actual name of the TUN/TAP device, including a unit number if Set prior to up or down script execution.

foreign_option_{n} An option pushed via push to a client which does not natively su pport it, such as dhcpoption on a non Windows system, will be recorded to this environmental variable se quence prior to up script execution. ifconfig_broadcast The broadcast address for the virtual ethernet segment which is de

local_port

Monday May 07, 2012

30/35

Printed by root May 07, 12 21:14

Page 61/69
Set on pro

May 07, 12 21:14

me string.

formatted as

Page 62/69
a humanreadable ti

The local port number, specified by port or lport. gram initiation and reset on SIGHUP.

Client connection timestamp, Set prior to execution of the clientconnect script.

password The password provided by a connecting client. Set prior to au thuserpassverify script execution only when the viaenv modifier is specified, and deleted from the envir onment after the script returns. proto HUP. remote_{n} The remote parameter. GHUP. remote_port_{n} The remote port number, specified by port or rport. ogram initiation and reset on SIGHUP. Set on pr Set on program initiation and reset on SI The proto parameter. Set on program initiation and reset on SIG

time_duration The duration (in seconds) of the client session which is now disco nnecting. Set prior to execution of the clientdisconnect script. time_unix Client connection timestamp, ime value. Set prior to execution of the clientconnect script. formatted as a unix integer date/t

tls_id_{n} A series of certificate fields from the remote peer, where n is th e verification level. Only set for TLS connections. Set prior to execution of tlsverify script. tls_serial_{n} The serial number of the certificate from the remote peer, where n is the verification level. Only set for TLS connections. Set prior to execution of tlsverify script. tun_mtu The MTU of the TUN/TAP device. execution. trusted_ip Actual IP address of connecting client or peer which has been auth enticated. Set prior to execution of ipchange, clientconnect, and clientdisconnect scripts. trusted_port Actual port number of connecting client or peer which has been authenticated. Set prior to execution of ipchange, clientconnect, and clientdisconnect scripts. untrusted_ip Actual IP address of connecting client or peer which has not been authenticated yet. Sometimes used to nmap the connecting host in a tlsverify script to ensure it is firewalled properly. Set prior to execuM^@M^P tion of tlsverify and authuserpassverify scripts. untrusted_port Actual port number of connecting client or peer which has not been authenticated yet. Set prior to execuM^@M^P tion of tlsverify and authuserpassverify scripts. username The username provided by a connecting client. thuserpassverify script execution only when the viaenv modifier is specified. Set prior to au Set prior to up or down script

route_net_gateway The preexisting default IP gateway in the system routing table. Set prior to up script execution. route_vpn_gateway The default gateway used by route options, as specified in eithe r the routegateway option or the secM^@M^P ond parameter to ifconfig when dev tun is specified. Set prio r to up script execution. route_{parm}_{n} A set of variables which define each route to be added, and are se t prior to up script execution. parm will be one of "network", "netmask", "gateway", or "metric". n is the OpenVPN route number, starting from 1. If the network or gateway are resolvable DNS names, their IP add ress translations will be recorded rather than their names as denoted on the command line or configuration f ile. script_context Set to "init" or "restart" prior to up/down script execution. more information, see documentation for up. For

script_type One of up, down, ipchange, routeup, tlsverify, authuserpassv erify, clientconnect, clientdisconnect, or learnaddress. Set prior to execution of any script. signal The reason for exit or restart. Can be one of sigusr1, sighup, si gterm, sigint, inactive (controlled by inactive option), pingexit (controlled by pingexit opt ion), pingrestart (controlled by ping restart option), connectionreset (triggered on TCP connection res et), error, or unknown (unknown signal). This variable is set just prior to down script execution. time_ascii

X509_{n}_{subject_field} An X509 subject field from the remote peer certificate, where n is the verification level. Only set for TLS connections. Set prior to execution of tlsverify script . This variable is similar to tls_id_{n} except the component X509 subject fields are broken out, and no st ring remapping occurs on these field valM^@M^P

Monday May 07, 2012

31/35

Printed by root May 07, 12 21:14

Page 63/69

May 07, 12 21:14

Page 64/69

ues (except for remapping of control characters to "_"). For exam ple, the following variables would be set on the OpenVPN server using the sample client certificate in sampl ekeys (client.crt). Note that the veriM^@M^P fication level is 0 for the client certificate and 1 for the CA ce rtificate. [email protected] X509_0_CN=TestClient X509_0_O=OpenVPNTEST X509_0_ST=NA X509_0_C=KG [email protected] X509_1_O=OpenVPNTEST X509_1_L=BISHKEK X509_1_ST=NA X509_1_C=KG SIGNALS SIGHUP Cause OpenVPN to close all TUN/TAP and network connections, re start, reread the configuration file (if any), and reopen TUN/TAP and network connections. SIGUSR1 Like SIGHUP, except dont reread configuration file, and possibly dont close and reopen TUN/TAP device, reread key files, preserve local IP address/port, or prese rve most recently authenticated remote IP address/port based on persisttun, persistkey, persistloc alip, and persistremoteip options respectively (see above). This signal may also be internally generated by a timeout conditio n, governed by the pingrestart option. This signal, when combined with persistremoteip, may be s ent when the underlying parameters of the hosts network interface change such as when the host is a DHCP cl ient and is assigned a new IP address. See ipchange above for more information. SIGUSR2 Causes OpenVPN to display its current statistics (to the syslog f ile if daemon is used, or stdout otherM^@M^P wise). SIGINT, SIGTERM Causes OpenVPN to exit gracefully. TUN/TAP DRIVER SETUP If you are running Linux 2.4.7 or higher, you probably have the TUN/TAP d river already installed. If so, there are still a few things you need to do: Make device: mknod /dev/net/tun c 10 200 Load driver: modprobe tun If you have Linux 2.2 or earlier, you should obtain version 1.1 of th e TUN/TAP driver from http://vtun.sourceM^@M^P forge.net/tun/ and follow the installation instructions.

EXAMPLES Prior to running these examples, you should have OpenVPN installed on t wo machines with network connectivity between them. If you have not yet installed OpenVPN, consult the INSTA LL file included in the OpenVPN distribuM^@M^P tion. TUN/TAP Setup: If you are using Linux 2.4 or higher, make the tun device node and load t he tun module: mknod /dev/net/tun c 10 200 modprobe tun If you installed from RPM, the mknod step may be omitted, because the RPM install does that for you. r from If you have Linux 2.2, you should obtain version 1.1 of the TUN/TAP drive http://vtun.sourceforge.net/tun/ and follow the installation instructions.

For other platforms, consult the INSTALL file at http://openvpn.net/insta ll.html for more information. Firewall Setup: If firewalls exist between the two machines, they should be set to forw ard UDP port 1194 in both directions. If you do not have control over the firewalls between the two machines, you may still be able to use OpenVPN by adding ping 15 to each of the openvpn commands used below in the exampl es (this will cause each peer to send out a UDP ping to its remote peer once every 15 seconds which will cause many stateful firewalls to forward packets in both directions without an explicit firewall rule). If you are using a Linux iptablesbased firewall, you may need to ente r the following command to allow incoming packets on the TUN device: iptables A INPUT i tun+ j ACCEPT See the firewalls section below for more information on configuring firew alls for use with OpenVPN. VPN Address Setup: For purposes of our example, our two machines will be called may.kg and j une.kg. If you are constructing a VPN over the internet, then replace may.kg and june.kg with the internet host name or IP address that each machine will use to contact the other over the internet. Now we will choose the tunnel endpoints. Tunnel endpoints are private IP addresses that only have meaning in the context of the VPN. Each machine will use the tunnel endpoint of the oth er machine to access it over the VPN. In our example, the tunnel endpoint for may.kg will be 10.4.0.1 and for june .kg, 10.4.0.2. Once the VPN is established, you have essentially created a secure altern ate path between the two hosts which is addressed by using the tunnel endpoints. You can control which network

Monday May 07, 2012

32/35

Printed by root May 07, 12 21:14

Page 65/69

May 07, 12 21:14

verb 5 secret key

Page 66/69

traffic passes between the hosts (a) over the VPN or (b) independently of the VPN, by choosing whether to use (a) t he VPN endpoint address or (b) the public internet address, to access the remote host. For example if you are on may.kg and you wish to connect to june.kg via ssh without using the VPN (since ssh has its own builtin security) y ou would use the command ssh june.kg. However in the same scenario, you could also use the command telnet 10.4.0.2 to create a telnet session with june.kg over the VPN, that would use the VPN to secure the session rather than ssh. You can use any address you wish for the tunnel endpoints but make sure t hat they are private addresses (such as those that begin with 10 or 192.168) and that they are not part of any existing subnet on the networks of either peer, unless you are bridging. If you use an address that is part of you r local subnet for either of the tunnel endpoints, you will get a weird feedback loop. Example 1: A simple tunnel without security On may: openvpn remote june.kg dev tun1 ifconfig 10.4.0.1 10.4.0.2 verb 9 On june: openvpn remote may.kg dev tun1 ifconfig 10.4.0.2 10.4.0.1 verb 9 Now verify the tunnel is working by pinging across the tunnel. On may: ping 10.4.0.2 On june: ping 10.4.0.1 The verb 9 option will produce verbose output, similar to the tcpdump (8) program. Omit the verb 9 option to have OpenVPN run quietly. Example 2: A tunnel with statickey security (i.e. using a preshared secret) First build a static key on may. openvpn genkey secret key

Now verify the tunnel is working by pinging across the tunnel. On may: ping 10.4.0.2 On june: ping 10.4.0.1 Example 3: A tunnel with full TLSbased security For this test, we will designate may as the TLS client and june as th e TLS server. Note that client or server designation only has meaning for the TLS subsystem. It has no bearing on OpenVPNs peertopeer, UDPbased commuM^@M^P nication model. First, build a separate certificate/key pair for both may and june (see above where cert is discussed for more info). Then construct Diffie Hellman parameters (see above where dh is discussed for more info). You can also use the included test files client.crt, client.key, server.crt, server .key and ca.crt. The .crt files are cerM^@M^P tificates/publickeys, the .key files are private keys, and ca.crt is a c ertification authority who has signed both client.crt and server.crt. For Diffie Hellman parameters you ca n use the included file dh1024.pem. Note that all client, server, and certificate authority certificates and keys included in the OpenVPN distribution are totally insecure and should be used for testing only. On may: openvpn remote june.kg dev tun1 ifconfig 10.4.0.1 10.4.0.2 tlsclient ca ca.crt cert client.crt key client.key renegsec 60 verb 5 On june: openvpn remote may.kg dev tun1 ifconfig 10.4.0.2 10.4.0.1 tlsserver dh dh1024.pem ca ca.crt cert server.crt key server.key renegsec 60 verb 5 Now verify the tunnel is working by pinging across the tunnel. On may: ping 10.4.0.2

This command will build a random key file called key (in ascii format). Now copy key to june over a secure medium such as by using the scp(1) program. On may: openvpn remote june.kg dev tun1 ifconfig 10.4.0.1 10.4.0.2 verb 5 secret key On june: openvpn remote may.kg dev tun1 ifconfig 10.4.0.2 10.4.0.1

On june: ping 10.4.0.1 Notice the renegsec 60 option we used above. That tells OpenVPN t o renegotiate the data channel keys every minute. Since we used verb 5 above, you will see status information on each new key negotiation. For production operations, a key renegotiation interval of 60 seconds is probably too frequent. Omit the reneg

Monday May 07, 2012

33/35

Printed by root May 07, 12 21:14

hour. Routing: Assuming you can ping across the tunnel, the next step is to route a rea l subnet over the secure tunnel. Suppose that may and june have two network interfaces each, one connected to the internet, and the other to a private netM^@M^P work. Our goal is to securely connect both private networks. We will assume that mays private subnet is 10.0.0.0/24 and junes is 10.0.1.0/24. First, ensure that IP forwarding is enabled on both peers. ble routing: echo 1 > /proc/sys/net/ipv4/ip_forward and enable TUN packet forwarding through the firewall: iptables A INPUT i tap+ j ACCEPT iptables A FORWARD i tun+ j ACCEPT to allow input packets from tap devices, and On may: iptables A FORWARD i tap+ j ACCEPT route add net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2 On june: route add net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1 Now any machine on the 10.0.0.0/24 subnet can access any machine on the 1 0.0.1.0/24 subnet over the secure tunnel (or vice versa). In a production environment, you a shell script and execute with the up option. could put the route command(s) in HOWTO n FIREWALLS OpenVPNs usage of a single UDP port makes it fairly firewallfriendly. You should add an entry to your firewall rules to allow incoming OpenVPN packets. On Linux 2.4+: iptables A INPUT p udp s 1.2.3.4 dport 1194 j ACCEPT WEB This will allow incoming packets on UDP port 1194 (OpenVPNs default UDP port) from an OpenVPN peer at 1.2.3.4. If you are using HMACbased packet authentication (the default in any of OpenVPNs secure modes), having the fireM^@M^P wall filter on source address can be considered optional, since HMAC pack et authentication is a much more secure method of verifying the authenticity of a packet source. In that case: iptables A INPUT p udp dport 1194 j ACCEPT would be adequate and would not render the host inflexible with respect t o its peer having a dynamic IP address. OpenVPN also works well on stateful firewalls. In some cases, you ma y not need to add any static rules to the firewall list if you are using a stateful firewall that knows how to trac k UDP connections. If you specify ping OpenVPNs web site is at http://openvpn.net/ Go here to download the latest version of OpenVPN, subscribe to the maili ng lists, read the mailing list archives, or browse the SVN repository. BUGS Report all bugs to the OpenVPN team <[email protected]>. SEE ALSO dhcpcd(8), ifconfig(8), openssl(1), route(8), scp(1) ssh(1) NOTES This product includes software developed by the OpenSSL Project ( http:// www.openssl.org/ ) For more information on the TLS protocol, see http://www.ietf.org/rfc/rfc 2246.txt For a more comprehensive guide to setting setting, see the OpenVPN HOWTO at http://openvpn.net/howto.html up OpenVPN in a productio to allow input packets from tap devices to be forwarded to other hosts on the local network. These rules are secure if you use packet authentication, since no inc oming packets will arrive on a TUN or TAP virtual device unless they first pass an HMAC authentication test. FAQ http://openvpn.net/faq.html On Linux, ena iptables A FORWARD i tun+ j ACCEPT to allow input packets from tun devices to be forwarded to other hosts on the local network,

Page 67/69

May 07, 12 21:14

Page 68/69

sec 60 option to use OpenVPNs default key renegotiation interval of one

n, OpenVPN will be guaranteed to send a packet to its peer at least onc e every n seconds. If n is less than the stateful firewall connection timeout, you can maintain an OpenVPN connect ion indefinitely without explicit fireM^@M^P wall rules. You should also add firewall rules to allow incoming IP traffic on TUN or TAP devices such as: iptables A INPUT i tun+ j ACCEPT to allow input packets from tun devices,

PROTOCOL For a description of OpenVPNs underlying protocol, see http://openvpn.ne t/security.html

Monday May 07, 2012

34/35

Printed by root May 07, 12 21:14

Page 69/69

For more information on the LZO realtime compression library see http:// www.oberhumer.com/opensource/lzo/ COPYRIGHT Copyright (C) 20022010 OpenVPN Technologies, Inc. This program is free s oftware; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software FoundaM^@M^P tion. AUTHORS James Yonan <[email protected]>

17 November 2008 openvpn(8)

Monday May 07, 2012

35/35