Security / Encryption
OpenVPN does not use IPsec, unlike almost all other VPN solutions (for example Freeswan, Openswan, Strongswan).
TLS is used instead as the underlying authentication and key negotiation protocol; it is the latest evolution of the SSL protocol family. SSL/TLS is considered one of the strongest and most secure protocols available, and for that reason I think SSL/TLS is a good choice for a VPN product like OpenVPN.
TLS stands for Transport Layer Security and is also licensed under the GPL.
When you compare SSL/TLS with IPSEC, in my opinion SSL/TLS is more flexible and easier to configure.
Here OpenVPN is going to be installed on a SUSE Linux machine.
For that reason you have to install the following packages first:
(If these packages are already installed you can proceed with the next step)
After this you can easily download the newest version of OpenVPN from the homepage openvpn.net (openvpn-2.0.5.tar.gz).
The installation is not very difficult on either platform (Linux and Windows).
If you are using a Linux distribution which supports RPM packages (like SuSE, Fedora, Redhat, etc.), the best way is to install OpenVPN using this mechanism. The easiest method is to find an existing binary RPM file for your distribution; otherwise you can build your own binary RPM file from the source tarball, and the installation then runs automatically.
You just have to type these commands on the command line:
rpmbuild -tb openvpn-2.0.5.tar.gz
This command builds the binary RPM file from the source tarball.
rpm -ivh openvpn-2.0.5.rpm
This command runs the installation.
After this step OpenVPN should be successfully installed on your computer.
If you install it on Windows you have to download the .exe file from the homepage. In addition you can choose between a GUI (Graphical User Interface) and a console-based program.
I would recommend downloading the GUI from openvpn.se.
Basic configuration example
For this basic configuration example I have chosen static key encryption because it offers the simplest setup and is ideal for a point-to-point VPN, or simply as a good test of the installation.
Static Key advantages
You don’t need to build an X.509 PKI (Public Key Infrastructure).
Static Key disadvantages
The secret key must exist in plaintext form on each VPN peer. If the secret key file is stolen from one of the two computers, a new one must be generated and shared between the communication partners.
The secret key must be exchanged securely over a pre-existing secure channel, or you have to carry it to the other computer manually.
This example demonstrates a point-to-point OpenVPN configuration between two SUSE Linux computers. A VPN tunnel will be created with a server endpoint of 10.8.0.1 and a client endpoint of 10.8.0.2. Encrypted communication between client and server will occur over UDP port 1194, the default OpenVPN port.
Generate a static key:
(You can generate the key on any computer on which OpenVPN is installed.)
openvpn --genkey --secret static.key
Now copy the static key to both client and server, over a pre-existing secure channel.
The configuration file is located in the /etc/openvpn/ folder on both machines. The name of the configuration file isn’t important; I called them server.conf and client.conf.
Server configuration file /etc/openvpn/server.conf:
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
Client configuration file /etc/openvpn/client.conf:
remote [Public IP address of the Server]
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
These lines need to be written in the configuration files on the two sides. After this step you just have to start OpenVPN on each side of the tunnel with its own configuration file, for example on the server:
openvpn --config server.conf
At the end of the output there should be a line saying something like established.
To verify that the VPN is running, you should be able to ping 10.8.0.2 from the server and 10.8.0.1 from the client.
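As an added example that is not part of the original paper, a POSIX shell sanity check for the two configuration files above: it confirms that both sides reference the same key file, that the two ifconfig lines mirror each other, and that the plaintext key file carries the static-key header and is not readable by other users. The temporary-directory setup, the key body and the 198.51.100.10 remote address are constructed stand-ins.

```shell
# Added sanity check (not from the original paper) for the static-key setup above.
# check_p2p_setup SERVER_CONF CLIENT_CONF -> prints findings, returns 0 if all pass

cfg_value() {  # cfg_value FILE DIRECTIVE -> the directive's arguments
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

check_p2p_setup() {
    srv="$1"; cli="$2"; rc=0
    # (1) both sides must reference the same key file
    srv_key=$(cfg_value "$srv" secret); cli_key=$(cfg_value "$cli" secret)
    if [ -z "$srv_key" ] || [ "$srv_key" != "$cli_key" ]; then
        echo "FAIL: 'secret' missing or differs between the two configs"; rc=1
    fi
    # (2) ifconfig endpoints must mirror each other (local/remote swapped)
    set -- $(cfg_value "$srv" ifconfig); s_loc=$1; s_rem=$2
    set -- $(cfg_value "$cli" ifconfig); c_loc=$1; c_rem=$2
    if [ -z "$s_loc" ] || [ "$s_loc" != "$c_rem" ] || [ "$s_rem" != "$c_loc" ]; then
        echo "FAIL: ifconfig not mirrored ($s_loc $s_rem vs $c_loc $c_rem)"; rc=1
    fi
    # (3) the key is plaintext on disk: it must be a static key and unreadable by others
    key="$srv_key"; case "$key" in /*) ;; *) key="$(dirname "$srv")/$key" ;; esac
    if ! grep -q '^-----BEGIN OpenVPN Static key V1-----' "$key" 2>/dev/null; then
        echo "FAIL: $key is missing or not an OpenVPN static key"; rc=1
    fi
    perms=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null)
    case "$perms" in *00) ;; *) echo "FAIL: $key has mode '$perms', expected 600"; rc=1 ;; esac
    return $rc
}

# Constructed test setup in a temp dir (hypothetical). The key body is a stand-in,
# not a real key; generate a real one with: openvpn --genkey --secret static.key
make_setup() {  # make_setup DIR CLIENT_IFCONFIG_ARGS KEY_MODE
    mkdir -p "$1"
    printf 'dev tun\nifconfig 10.8.0.1 10.8.0.2\nsecret static.key\n' > "$1/server.conf"
    printf 'remote 198.51.100.10\ndev tun\nifconfig %s\nsecret static.key\n' "$2" > "$1/client.conf"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' '00' '-----END OpenVPN Static key V1-----' > "$1/static.key"
    chmod "$3" "$1/static.key"
}

# Correct setup (mirrored ifconfig, mode 600) and a broken one (same ifconfig on both sides, mode 644)
demo_good() { d=$(mktemp -d); make_setup "$d" "10.8.0.2 10.8.0.1" 600; check_p2p_setup "$d/server.conf" "$d/client.conf"; }
demo_bad()  { d=$(mktemp -d); make_setup "$d" "10.8.0.1 10.8.0.2" 644; check_p2p_setup "$d/server.conf" "$d/client.conf"; }
```

Run check_p2p_setup against /etc/openvpn/server.conf and a copy of the client's file to check a real setup; the demo functions only exercise the constructed files.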
In conclusion I would like to say that I have had good experiences with OpenVPN, connecting several clients (Linux and Windows) to a Linux-based OpenVPN server. For this type of VPN solution OpenVPN is the best choice, because it works well with multiple clients in different subnets and on different operating systems. When you have to connect several VPN servers to each other, however, I would recommend an IPsec-based program, because in most cases it offers stronger encryption and better handling of a PKI (Public Key Infrastructure).
This English paper on VPN / OpenVPN was provided to us by our defense.at member madsince85. Many thanks at this point.