This HOWTO assumes that readers possess a prior understanding of basic networking concepts such as IP addresses, DNS name, netmasks, subnets, IP route, routers, network interfaces, LANs, gateways, and firewall rules. Please take a expression at the OpenVPN books foliate. The original OpenVPN 1.x HOWTO is still available, and remains relevant for point-to-point or static-key configurations. For extra software documentation, see the articles page and the OpenVPN wiki. While this HOWTO will guide you in setting up a scalable client/server VPN using an X509 PKI ( populace key infrastruction using certificates and secret keys ), this might be overkill if you are only looking for a simpleton VPN setup with a waiter that can handle a individual customer. If you would like to get a VPN running quickly with minimal configuration, you might check out the static Key Mini-HOWTO. OpenVPN beginning code and Windows installers can be downloaded here. recent releases ( 2.2 and late ) are besides available as Debian and RPM packages ; see the OpenVPN wiki for details. For security, it ‘s a full theme to check the file unblock touch after downloading. The OpenVPN feasible should be installed on both server and customer machines, since the unmarried feasible provides both customer and server functions. If you are using a Linux distribution which supports RPM packages ( SuSE, Fedora, Redhat, etc. ), it ‘s best to install using this mechanism. The easiest method is to find an existing binary RPM file for your distribution. You can besides build your own binary RPM file : once you have the .rpm file, you can install it with the usual or upgrade an existing facility with Installing OpenVPN from a binary RPM package has these dependencies : furthermore, if you are building your own binary RPM box, there are respective extra dependencies : See the openvpn.spec charge for extra notes on building an RPM package for Red Hat Linux 9 or build with reduce dependencies. If you are using Debian, Gentoo, or a non-RPM-based Linux distribution, use your distro-specific promotion mechanism such as apt-get on Debian or emerge on Gentoo. It is besides possible to install OpenVPN on Linux using the universal ./configure method. First expand the .tar.gz file : then four hundred to the top-level directory and type : OpenVPN for Windows can be installed from the self-installing exe file on the OpenVPN download page. Remember that OpenVPN will only run on Windows XP or late. besides note that OpenVPN must be installed and run by a drug user who has administrative privileges ( this restriction is imposed by Windows, not OpenVPN ). The limitation can be sidestepped by running OpenVPN in the background as a service, in which case even non-admin users will be able to entree the VPN, once it is installed. More discussion on OpenVPN + Windows privilege issues. official OpenVPN Windows installers include OpenVPN-GUI, which allows managing OpenVPN connections from a system tray applet. early GUI applications are besides available. After you ‘ve run the Windows installer, OpenVPN is ready for practice and will associate itself with files having the .ovpn propagation. To run OpenVPN, you can : once running in a command prompt window, OpenVPN can be stopped by the F4 key. extra Windows install notes. Angelo Laub and Dirk Theisen have developed an OpenVPN GUI for OS X. Some notes are available in the INSTALL file for specific OSes. In general, the method can be used, or you can search for an OpenVPN port or package which is particular to your OS/distribution. See FAQ for an overview of Routing vs. Ethernet Bridging. See besides the OpenVPN Ethernet Bridging page for more notes and details on bridge. overall, rout is probably a better option for most people, as it is more efficient and easier to set up ( vitamin a army for the liberation of rwanda as the OpenVPN configuration itself ) than bridging. Routing besides provides a greater ability to selectively control access rights on a client-specific footing. I would recommend using routing unless you need a specific feature which requires bridging, such as : Setting up a VPN often entails linking together private subnets from different locations. The Internet Assigned Numbers Authority ( IANA ) has reserved the follow three blocks of the IP address space for private internets ( codified in RFC 1918 ) : While addresses from these netblocks should normally be used in VPN configurations, it ‘s authoritative to select addresses that minimize the probability of IP address or subnet conflicts. The types of conflicts that need to be avoided are : For case, suppose you use the democratic 192.168.0.0/24 subnet as your private local area network subnet. now you are trying to connect to the VPN from an internet cafe which is using the same subnet for its WiFi LAN. You will have a spread-eagle conflict because your machine wo n’t know if 192.168.0.1 refers to the local WiFi gateway or to the same address on the VPN. As another exercise, suppose you want to link together multiple sites by VPN, but each site is using 192.168.0.0/24 as its LAN subnet. This wo n’t work without adding a complexifying layer of NAT translation, because the VPN wo n’t know how to route packets between multiple sites if those sites do n’t use a subnet which uniquely identifies them. The best solution is to avoid using 10.0.0.0/24 or 192.168.0.0/24 as private LAN network addresses. alternatively, use something that has a lower probability of being used in a WiFi cafe, airport, or hotel where you might expect to connect from remotely. The best candidates are subnets in the middle of the huge 10.0.0.0/8 netblock ( for case 10.66.77.0/24 ). And to avoid cross-site IP enumeration conflicts, constantly use singular numbering for your LAN subnets. The first step in building an OpenVPN 2.x configuration is to establish a PKI ( public key infrastructure ). The PKI consists of : OpenVPN supports bidirectional authentication based on certificates, think of that the client must authenticate the waiter certificate and the server must authenticate the customer certificate before common confidence is established. Both server and client will authenticate the other by first collateral that the salute security was signed by the overlord certificate assurance ( CA ), and then by testing information in the now-authenticated certificate header, such as the certificate coarse name or certificate type ( customer or server ). This security exemplar has a number of desirable features from the VPN perspective : eminence that the server and node clocks need to be roughly in synchronize or certificates might not work properly. In this department we will generate a headmaster CA certificate/key, a server certificate/key, and certificates/keys for 3 offprint clients. For PKI management, we will use easy-rsa 2, a fructify of scripts which is bundled with OpenVPN 2.2.x and in the first place. If you ‘re using OpenVPN 2.3.x, you need to download easy-rsa 2 individually from here. For PKI management, we will use easy-rsa 2, a set of scripts which is bundled with OpenVPN 2.2.x and early. If you ‘re using OpenVPN 2.3.x, you may need to download easy-rsa 2 individually from the easy-rsa-old project page. On *NIX platforms you should look into using easy-rsa 3 rather ; refer to its own software documentation for details. If you are using Linux, BSD, or a unix-like OS, open a shell and four hundred to the easy-rsa subdirectory. If you installed OpenVPN from an RPM or DEB file, the easy-rsa directory can normally be found in /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn ( it ‘s best to copy this directory to another location such as /etc/openvpn, before any edits, so that future OpenVPN box upgrades wo n’t overwrite your modifications ). If you installed from a .tar.gz file, the easy-rsa directory will be in the top degree directory of the expanded source corner. If you are using Windows, open up a Command Prompt window and candle to \Program Files\OpenVPN\easy-rsa. Run the adopt batch file to copy configuration files into rate ( this will overwrite any preexistent vars.bat and openssl.cnf files ) : immediately edit the vars file ( called vars.bat on Windows ) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Do n’t leave any of these parameters blank. following, initialize the PKI. On Linux/BSD/Unix : On Windows : The concluding command ( build-ca ) will build the certificate authority ( CA ) security and key by invoking the synergistic openssl instruction : note that in the above sequence, most question parameters were defaulted to the values set in the vars or vars.bat files. The only argument which must be explicitly entered is the Common Name. In the case above, I used “ OpenVPN-CA ”. following, we will generate a certificate and private key for the waiter. On Linux/BSD/Unix : On Windows : As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter “ server ”. Two other queries require positive responses, “ Sign the certificate ? [ y/n ] ” and “ 1 out of 1 certificate requests certified, entrust ? [ y/n ] ”. Generating customer certificates is very alike to the previous footfall. On Linux/BSD/Unix : On Windows : If you would like to password-protect your node keys, substitute the build-key-pass handwriting. Remember that for each node, make sure to type the allow Common Name when prompted, i.e. “ client1 ”, “ client2 ”, or “ client3 ”. Always use a singular common diagnose for each client. Diffie Hellman parameters must be generated for the OpenVPN server. On Linux/BSD/Unix : On Windows : output : immediately we will find our newly-generated keys and certificates in the keys subdirectory. here is an explanation of the relevant files : The final step in the keystone generation procedure is to copy all files to the machines which need them, taking care to copy secret files over a dependable distribution channel. now wait, you may say. Should n’t it be potential to set up the PKI without a preexistent procure channel ? The answer is apparently yes. In the model above, for the sake of brevity, we generated all private keys in the lapp home. With a bite more effort, we could have done this differently. For exemplar, alternatively of generating the client certificate and keys on the server, we could have had the customer generate its own individual key locally, and then submit a Certificate Signing Request ( CSR ) to the key-signing machine. In go, the key-signing machine could have processed the CSR and returned a sign certificate to the node. This could have been done without always requiring that a secret .key file leave the hard drive of the machine on which it was generated. It ‘s best to use the OpenVPN sample configuration files as a start point for your own shape. These files can besides be found in note that on Linux, BSD, or unix-like OSes, the sample configuration files are named server.conf and client.conf. On Windows they are named server.ovpn and client.ovpn. The sample waiter shape file is an ideal start point for an OpenVPN waiter shape. It will create a VPN using a virtual TUN network interface ( for routing ), will listen for client connections on UDP port 1194 ( OpenVPN ‘s official port numeral ), and circulate virtual addresses to connecting clients from the 10.8.0.0/24 subnet. Before you use the sample shape file, you should first edit the ca, cert, key, and dh parameters to point to the files you generated in the PKI section above. At this decimal point, the server configuration file is useable, however you distillery might want to customize it further : If you want to run multiple OpenVPN instances on the same machine, each using a different shape file, it is potential if you : The sample node shape file ( client.conf on Linux/BSD/Unix or client.ovpn on Windows ) mirrors the default directives set in the sample server configuration file. first, make surely the OpenVPN server will be accessible from the internet. That means : next, make sure that the TUN/TAP interface is not firewalled. To simplify trouble-shoot, it ‘s best to initially start the OpenVPN waiter from the command line ( or right-click on the .ovpn file on Windows ), rather than start it as a daemon or servicing : A normal waiter inauguration should look like this ( output will vary across platforms ) :
Starting the client
As in the server shape, it ‘s best to initially start the OpenVPN server from the instruction note ( or on Windows, by right-clicking on the client.ovpn charge ), preferably than start it as a daemon or service :
openvpn [client config file]
A normal client startup on Windows will look similar to the waiter output above, and should end with the Initialization Sequence Completed message .
now, try a ping across the VPN from the client. If you are using routing ( i.e. dev tun in the server config file ), judge :
If you are using bridging ( i.e. dev tap in the waiter config file ), try to ping the IP address of a car on the server ‘s ethernet subnet .
If the ping succeeds, congratulations ! You nowadays have a serve VPN .
If the pink failed or the OpenVPN client low-level formatting failed to complete, here is a checklist of coarse symptoms and their solutions :
- You get the error message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). This error indicates that the client was unable to establish a network connection with the server.Solutions:
- Make sure the client is using the correct hostname/IP address and port number which will allow it to reach the OpenVPN server.
- If the OpenVPN server machine is a single-NIC box inside a protected LAN, make sure you are using a correct port forward rule on the server’s gateway firewall. For example, suppose your OpenVPN box is at 192.168.4.4 inside the firewall, listening for client connections on UDP port 1194. The NAT gateway servicing the 192.168.4.x subnet should have a port forward rule that says forward UDP port 1194 from my public IP address to 192.168.4.4.
- Open up the server’s firewall to allow incoming connections to UDP port 1194 (or whatever TCP/UDP port you have configured in the server config file).
- You get the error message: Initialization Sequence Completed with errors— This error can occur on Windows if (a) You don’t have the DHCP client service running, or (b) You are using certain third-party personal firewalls on XP SP2.Solution: Start the DHCP client server and make sure that you are using a personal firewall which is known to work correctly on XP SP2.
- You get the Initialization Sequence Completedmessage but the ping test fails — This usually indicates that a firewall on either server or client is blocking VPN network traffic by filtering on the TUN/TAP interface.Solution: Disable the client firewall (if one exists) from filtering the TUN/TAP interface on the client. For example on Windows XP SP2, you can do this by going to Windows Security Center -> Windows Firewall -> Advanced and unchecking the box which corresponds to the TAP-Windows adapter (disabling the client firewall from filtering the TUN/TAP adapter is generally reasonable from a security perspective, as you are essentially telling the firewall not to block authenticated VPN traffic). Also make sure that the TUN/TAP interface on the server is not being filtered by a firewall (having said that, note that selective firewalling of the TUN/TAP interface on the server side can confer certain security benefits. See the access policies section below).
- The connection stalls on startup when using a proto udpconfiguration, the server log file shows this line:
TLS: Initial packet from x.x.x.x:x, sid=xxxxxxxx xxxxxxxx
however the client log does not show an equivalent line .
Solution : You have a one-way connection from node to server. The waiter to client commission is blocked by a firewall, normally on the client side. The firewall can either be ( a ) a personal software firewall running on the client, or ( b-complex vitamin ) the NAT router gateway for the node. Modify the firewall to allow returning UDP packets from the server to reach the client .
See the FAQ for extra trouble-shoot data .
- Starting the client
- Configuring OpenVPN to run automatically on system startup
- Controlling a running OpenVPN process
- Expanding the scope of the VPN to include additional machines on either the client or server subnet.
- Including multiple machines on the server side when using a routed VPN (dev tun)
- Including multiple machines on the server side when using a bridged VPN (dev tap)
- Including multiple machines on the client side when using a routed VPN (dev tun)
- Including multiple machines on the client side when using a bridged VPN (dev tap)
- Pushing DHCP options to clients
- Configuring client-specific rules and access policies
- Using alternative authentication methods
- How to add dual-factor authentication to an OpenVPN configuration using client-side smart cards
- Routing all client traffic (including web-traffic) through the VPN
- Running an OpenVPN server on a dynamic IP address
- Connecting to an OpenVPN server via an HTTP proxy.
- Connecting to a Samba share over OpenVPN
- Implementing a load-balancing/failover configuration
- Hardening OpenVPN Security
- Revoking Certificates
- Important Note on possible "Man-in-the-Middle" attack if clients do not verify the certificate of the server they are connecting to.
Configuring OpenVPN to run automatically on system startup
The miss of standards in this area means that most OSes have a different way of configuring daemons/services for autostart on boot. The best way to have this functionality configured by default is to install OpenVPN as a box, such as via RPM on Linux or using the Windows installer .
If you install OpenVPN via an RPM or DEB package on Linux, the installer will set up an initscript. When executed, the initscript will scan for .conf configuration files in /etc/openvpn, and if found, will start up a separate OpenVPN devil for each charge .
The Windows installer will set up a Service Wrapper, but leave it turned off by default. To activate it, go to Control Panel / Administrative Tools / Services, select the OpenVPN service, right-click on properties, and set the Startup Type to Automatic. This will configure the service for automatic rifle start on the future boot .
When started, the OpenVPN Service Wrapper will scan the \Program Files\OpenVPN\config booklet for .ovpn configuration files, starting a divide OpenVPN process on each file .
Controlling a running OpenVPN process
Running on Linux/BSD/Unix
OpenVPN accepts several signals :
- SIGUSR1 — Conditional restart, designed to restart without root privileges
- SIGHUP — Hard restart
- SIGUSR2 — Output connection statistics to log file or syslog
- SIGTERM, SIGINT — Exit
Use the writepid directive to write the OpenVPN devil ‘s PID to a charge, so that you know where to send the signal ( if you are starting openvpn with an initscript, the script may already be passing a –writepid directing on the openvpn command line ) .
Running on Windows as a GUI
See the OpenVPN GUI page .
Running in a Windows command prompt window
On Windows, you can start OpenVPN by right clicking on an OpenVPN shape file ( .ovpn charge ) and selecting “ Start OpenVPN on this config file ” .
once running in this fashion, several keyboard commands are available :
- F1 — Conditional restart (doesn’t close/reopen TAP adapter)
- F2 — Show connection statistics
- F3 — Hard restart
- F4 — Exit
Running as a Windows Service
When OpenVPN is started as a service on Windows, the only way to control it is :
- Via the service control manager (Control Panel / Administrative Tools / Services) which gives start/stop control.
- Via the management interface (see below).
Modifying a live server configuration
While most shape changes require you to restart the server, there are two directives in particular which refer to files which can be dynamically update on-the-fly, and which will take immediate consequence on the waiter without needing to restart the server process .
client-config-dir — This directing sets a node configuration directory, which the OpenVPN server will scan on every incoming connection, searching for a client-specific configuration file ( see the the manual page for more information ). Files in this directory can be updated on-the-fly, without restarting the waiter. note that changes in this directory will alone take effect for raw connections, not existing connections. If you would like a client-specific configuration file change to take immediate effect on a presently connected client ( or one which has disconnected, but where the waiter has not timed-out its exemplify object ), kill the node example aim by using the management interface ( described below ). This will cause the customer to reconnect and use the new client-config-dir file .
crl-verify — This directing names a Certificate Revocation List file, described below in the Revoking Certificates department. The CRL file can be modified on the fly, and changes will take effect immediately for fresh connections, or existing connections which are renegotiating their SSL/TLS channel ( occurs once per hour by default option ). If you would like to kill a presently connected client whose certificate has just been added to the CRL, use the management interface ( described below ) .
The default option server.conf file has a note
which will end product a list of current customer connections to the file openvpn-status.log once per moment .
Using the management interface
The OpenVPN management interface allows a great deal of control over a running OpenVPN process. You can use the management interface directly, by telneting to the management interface port, or indirectly by using an OpenVPN GUI which itself connects to the management interface .
To enable the management interface on either an OpenVPN server or client, add this to the configuration file :
management localhost 7505
This tells OpenVPN to listen on TCP port 7505 for management interface clients ( port 7505 is an arbitrary choice — you can use any dislodge port ) .
once OpenVPN is running, you can connect to the management interface using a telnet node. For exercise :
ai:~ # telnet localhost 7505 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info help Management Interface for OpenVPN 2.0_rc14 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 15 2005 Commands: echo [on|off] [N|all] : Like log, but only show messages in echo buffer. exit|quit : Close management session. help : Print this message. hold [on|off|release] : Set/show hold flag to on/off state, or release current hold and start tunnel. kill cn : Kill the client instance(s) having common name cn. kill IP:port : Kill the client instance connecting from IP:port. log [on|off] [N|all] : Turn on/off realtime log display + show last N lines or 'all' for entire history. mute [n] : Set log mute level to n, or show level if n is absent. net : (Windows only) Show network info and routing table. password type p : Enter password p for a queried OpenVPN password. signal s : Send signal s to daemon, s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2. state [on|off] [N|all] : Like log, but show state history. status [n] : Show current daemon status info using format #n. test n : Produce n lines of output for testing/debugging. username type u : Enter username u for a queried OpenVPN username. verb [n] : Set log verbosity level to n, or show if n is absent. version : Show current version number. END exit Connection closed by foreign host. ai:~ #
For more information, see the OpenVPN Management Interface Documentation .
Expanding the scope of the VPN to include additional machines on either the client or server subnet.
Including multiple machines on the server side when using a routed VPN (dev tun)
once the VPN is functional in a point-to-point capability between customer and waiter, it may be desirable to expand the oscilloscope of the VPN so that clients can reach multiple machines on the server network, rather than alone the waiter machine itself .
For the purpose of this exercise, we will assume that the server-side LAN uses a subnet of 10.66.0.0/24 and the VPN IP address pool uses 10.8.0.0/24 as cited in the server directing in the OpenVPN server configuration file .
foremost, you must advertise the 10.66.0.0/24 subnet to VPN clients as being accessible through the VPN. This can well be done with the following server-side config file directing :
push "route 10.66.0.0 255.255.255.0"
next, you must set up a road on the server-side LAN gateway to route the VPN node subnet ( 10.8.0.0/24 ) to the OpenVPN server ( this is only necessary if the OpenVPN server and the LAN gateway are different machines ) .
Make certain that you ‘ve enabled IP and TUN/TAP forwarding on the OpenVPN server machine .
Including multiple machines on the server side when using a bridged VPN (dev tap)
One of the benefits of using ethernet bridge is that you get this for free without needing any extra configuration .
Including multiple machines on the client side when using a routed VPN (dev tun)
In a distinctive road-warrior or remote control access scenario, the node machine connects to the VPN as a single machine. But suppose the node machine is a gateway for a local LAN ( such as a home office ), and you would like each machine on the client LAN to be able to route through the VPN .
For this example, we will assume that the client LAN is using the 192.168.4.0/24 subnet, and that the VPN client is using a certificate with a common name of client2. Our goal is to set up the VPN so that any machine on the client LAN can communicate with any machine on the waiter LAN through the VPN .
Before setup, there are some basic prerequisites which must be followed :
- The client LAN subnet (192.168.4.0/24 in our example) must not be exported to the VPN by the server or any other client sites which are using the same subnet. Every subnet which is joined to the VPN via routing must be unique.
- The client must have a unique Common Name in its certificate (“client2” in our example), and the duplicate-cn flag must not be used in the OpenVPN server configuration file.
first, make certain that IP and TUN/TAP forwarding is enabled on the node machine .
adjacent, we will deal with the necessity configuration changes on the server side. If the server shape file does not presently reference a client configuration directory, add one immediately :
In the above directing, ccd should be the name of a directory which has been pre-created in the default option directory where the OpenVPN waiter devil runs. On Linux this tends to be /etc/openvpn and on Windows it is normally \Program Files\OpenVPN\config. When a new client connects to the OpenVPN server, the devil will check this directory for a file which matches the common name of the connect customer. If a match file is found, it will be read and processed for extra configuration file directives to be applied to the named client .
The future dance step is to create a file called client2 in the ccd directory. This file should contain the line :
iroute 192.168.4.0 255.255.255.0
This will tell the OpenVPN server that the 192.168.4.0/24 subnet should be routed to client2 .
following, add the come line to the main server config file ( not the ccd/client2 file ) :
route 192.168.4.0 255.255.255.0
Why the pleonastic route and iroute statements, you might ask ? The reason is that route controls the route from the kernel to the OpenVPN server ( via the TUN interface ) while iroute controls the rout from the OpenVPN server to the outside clients. Both are necessity .
next, ask yourself if you would like to allow network dealings between client2 ‘s subnet ( 192.168.4.0/24 ) and early clients of the OpenVPN server. If so, add the following to the server config file .
client-to-client push "route 192.168.4.0 255.255.255.0"
This will cause the OpenVPN server to advertise client2 ‘s subnet to early connecting clients .
The death step, and one that is frequently forgotten, is to add a path to the server ‘s LAN gateway which directs 192.168.4.0/24 to the OpenVPN server box ( you wo n’t need this if the OpenVPN server box is the gateway for the server LAN ). Suppose you were missing this tone and you tried to ping a machine ( not the OpenVPN server itself ) on the server LAN from 192.168.4.8 ? The outgoing ping would credibly reach the machine, but then it would n’t know how to route the pink answer, because it would have no mind how to reach 192.168.4.0/24. The rule of ovolo to use is that when routing entire LANs through the VPN ( when the VPN waiter is not the same machine as the LAN gateway ), make certain that the gateway for the LAN routes all VPN subnets to the VPN server machine .
similarly, if the node machine running OpenVPN is not besides the gateway for the node LAN, then the gateway for the node LAN must have a route which directs all subnets which should be approachable through the VPN to the OpenVPN node machine .
Including multiple machines on the client side when using a bridged VPN (dev tap)
This requires a more complex apparatus ( possibly not more complex in exercise, but more complicated to explain in detail ) :
- You must bridge the client TAP interface with the LAN-connected NIC on the client.
- You must manually set the IP/netmask of the TAP interface on the client.
- You must configure client-side machines to use an IP/netmask that is inside of the bridged subnet, possibly by querying a DHCP server on the OpenVPN server side of the VPN.
Pushing DHCP options to clients
The OpenVPN server can push DHCP options such as DNS and WINS server addresses to clients ( some caveats to be mindful of ). Windows clients can accept pushed DHCP options natively, while non-Windows clients can accept them by using a client-side up script which parses the foreign_option_n environmental variable star list. See the man page for non-Windows foreign_option_n software documentation and script examples .
For exercise, suppose you would like connecting clients to use an internal DNS server at 10.66.0.4 or 10.66.0.5 and a WINS server at 10.66.0.8. Add this to the OpenVPN waiter shape :
push "dhcp-option DNS 10.66.0.4" push "dhcp-option DNS 10.66.0.5" push "dhcp-option WINS 10.66.0.8"
To test this feature of speech on Windows, run the following from a command prompt window after the machine has connected to an OpenVPN server :
The entrance for the TAP-Windows adapter should show the DHCP options which were pushed by the server .
Configuring client-specific rules and access policies
Suppose we are setting up a ship’s company VPN, and we would like to establish separate access policies for 3 unlike classes of users :
- System administrators — full access to all machines on the network
- Employees — access only to Samba/email server
- Contractors — access to a special server only
The basic approach we will take is ( a ) segregate each drug user class into its own virtual IP address range, and ( bacillus ) restraint entree to machines by setting up firewall rules which key off the customer ‘s virtual IP address .
In our exemplar, suppose that we have a variable number of employees, but only one arrangement administrator, and two contractors. Our IP allotment overture will be to put all employees into an IP cover pool, and then allocate fixed IP addresses for the system administrator and contractors .
note that one of the prerequisites of this case is that you have a software firewall running on the OpenVPN waiter machine which gives you the ability to define specific firewall rules. For our example, we will assume the firewall is Linux iptables .
first base, let ‘s create a virtual IP address map according to exploiter class :
|Class||Virtual IP Range||Allowed LAN Access||Common Names|
|Employees||10.8.0.0/24||Samba/email server at 10.66.4.4||[variable]|
|System Administrators||10.8.1.0/24||Entire 10.66.4.0/24 subnet||sysadmin1|
|Contractors||10.8.2.0/24||Contractor server at 10.66.4.12||contractor1, contracter2|
adjacent, let ‘s translate this map into an OpenVPN server configuration. First of all, make sure you ‘ve followed the steps above for making the 10.66.4.0/24 subnet available to all clients ( while we will configure routing to allow client access to the entire 10.66.4.0/24 subnet, we will then impose access restrictions using firewall rules to implement the above policy table ) .
first, define a static unit of measurement number for our tun interface, so that we will be able to refer to it later in our firewall rules :
In the server shape file, define the Employee IP address pool :
server 10.8.0.0 255.255.255.0
Add routes for the System Administrator and Contractor IP ranges :
route 10.8.1.0 255.255.255.0 route 10.8.2.0 255.255.255.0
Because we will be assigning fixed IP addresses for specific System Administrators and Contractors, we will use a customer shape directory :
now place limited shape files in the ccd subdirectory to define the specify IP address for each non-Employee VPN client .
ifconfig-push 10.8.1.1 10.8.1.2
ifconfig-push 10.8.2.1 10.8.2.2
ifconfig-push 10.8.2.5 10.8.2.6
Each pair of ifconfig-push addresses represent the virtual client and server IP endpoints. They must be taken from consecutive /30 subnets in rate to be compatible with Windows clients and the TAP-Windows driver. specifically, the last eight in the IP address of each end point pair must be taken from this determine :
[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18] [ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38] [ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58] [ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78] [ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98] [101,102] [105,106] [109,110] [113,114] [117,118] [121,122] [125,126] [129,130] [133,134] [137,138] [141,142] [145,146] [149,150] [153,154] [157,158] [161,162] [165,166] [169,170] [173,174] [177,178] [181,182] [185,186] [189,190] [193,194] [197,198] [201,202] [205,206] [209,210] [213,214] [217,218] [221,222] [225,226] [229,230] [233,234] [237,238] [241,242] [245,246] [249,250] [253,254]
This completes the OpenVPN shape. The final step is to add firewall rules to finalize the access policy. For this example, we will use firewall rules in the Linux iptables syntax :
# Employee rule iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.66.4.4 -j ACCEPT # Sysadmin rule iptables -A FORWARD -i tun0 -s 10.8.1.0/24 -d 10.66.4.0/24 -j ACCEPT # Contractor rule iptables -A FORWARD -i tun0 -s 10.8.2.0/24 -d 10.66.4.12 -j ACCEPT
Using alternative authentication methods
OpenVPN 2.0 and by and by include a have that allows the OpenVPN server to securely obtain a username and password from a connecting client, and to use that data as a footing for authenticating the client .
To use this authentication method acting, first add the auth-user-pass directing to the node configuration. It will direct the OpenVPN customer to query the drug user for a username/password, passing it on to the waiter over the secure TLS channel .
next, configure the server to use an authentication plugin, which may be a script, shared object, or DLL. The OpenVPN server will call the plugin every clock time a VPN node tries to connect, passing it the username/password entered on the client. The authentication plugin can control whether or not the OpenVPN waiter allows the client to connect by returning a failure ( 1 ) or achiever ( 0 ) value .
Using Script Plugins
script plugins can be used by adding the auth-user-pass-verify directive to the server-side shape charge. For case :
auth-user-pass-verify auth-pam.pl via-file
will use the auth-pam.pl perl script to authenticate the username/password of connecting clients. See the description of auth-user-pass-verify in the manual of arms page for more information .
The auth-pam.pl script is included in the OpenVPN source file distribution in the sample-scripts subdirectory. It will authenticate users on a Linux server using a PAM authentication module, which could in turn enforce shadow password, RADIUS, or LDAP authentication. auth-pam.pl is chiefly intended for demonstration purposes. For real-world PAM authentication, use the openvpn-auth-pam partake object plugin described below .
Using Shared Object or DLL Plugins
Shared object or DLL plugins are normally compiled C modules which are loaded by the OpenVPN server at scat prison term. For model if you are using an RPM-based OpenVPN package on Linux, the openvpn-auth-pam plugin should be already built. To use it, add this to the server-side config file :
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
This will tell the OpenVPN waiter to validate the username/password entered by clients using the login PAM faculty .
For real-world production use, it ‘s better to use the openvpn-auth-pam plugin, because it has several advantages over the auth-pam.pl script :
- The shared object openvpn-auth-pam plugin uses a split-privilege execution model for better security. This means that the OpenVPN server can run with reduced privileges by using the directives user nobody, group nobody, and chroot, and will still be able to authenticate against the root-readable-only shadow password file.
- OpenVPN can pass the username/password to a plugin via virtual memory, rather than via a file or the environment, which is better for local security on the server machine.
- C-compiled plugin modules generally run faster than scripts.
If you would like more information on developing your own plugins for consumption with OpenVPN, see the README files in the plugin subdirectory of the OpenVPN reference distribution .
To build the openvpn-auth-pam plugin on Linux, cadmium to the plugin/auth-pam directory in the OpenVPN source distribution and run make .
Using username/password authentication as the only form of client authentication
By nonpayment, using auth-user-pass-verify or a username/password-checking plugin on the server will enable double authentication, requiring that both client-certificate and username/password authentication succeed in decree for the node to be authenticated .
While it is discouraged from a security position, it is besides possible to disable the use of client certificates, and force username/password authentication entirely. On the server :
such configurations should normally besides set :
which will tell the server to use the username for indexing purposes as it would use the Common Name of a node which was authenticating via a node certificate .
note that client-cert-not-required will not obviate the need for a server certificate, so a node connecting to a server which uses client-cert-not-required may remove the cert and key directives from the customer configuration file, but not the ca directing, because it is necessity for the client to verify the server certificate .
How to add dual-factor authentication to an OpenVPN configuration using client-side smart cards
About dual-factor authentication
Dual-factor authentication is a method acting of authentication that combines two elements : something you have and something you know .
Something you have should be a device that can not be duplicated ; such a device can be a cryptanalytic nominal that contains a private secret winder. This secret key is generated inside the device and never leaves it. If a drug user possessing this token attempts to access protected services on a remote control network, the mandate serve which grants or denies network access can establish, with a high degree of certainty, that the exploiter seeking access is in physical possession of a known, certified nominal .
Something you know can be a password presented to the cryptanalytic device. Without presenting the proper password you can not access the secret secret key. Another have of cryptanalytic devices is to prohibit the use of the private mysterious winder if the improper password had been presented more than an allow number of times. This behavior ensures that if a drug user lost his device, it would be impracticable for another person to use it .
cryptanalytic devices are normally called “ fresh cards ” or “ tokens ”, and are used in conjunction with a PKI ( Public Key Infrastructure ). The VPN waiter can examine a X.509 certificate and verify that the user holds the corresponding private unavowed cardinal. Since the device can not be duplicated and requires a valid password, the waiter is able to authenticate the user with a high degree of confidence .
Dual-factor authentication is much stronger than password-based authentication, because in the worst-case scenario, entirely one person at a time can use the cryptanalytic token. Passwords can be guessed and can be exposed to early users, so in the worst-case scenario an space number of people could attempt to gain unauthorized access when resources are protected using password-only authentication .
If you store the unavowed private key in a file, the key is normally encrypted by a password. The trouble with this approach path is that the code key is exposed to decoding attacks or spyware/malware running on the customer machine. Unlike when using a cryptanalytic device, the file can not erase itself mechanically after several failed decoding attempts .
What is PKCS#11?
This standard specifies an API, called Cryptoki, to devices which hold cryptanalytic information and perform cryptanalytic functions. Cryptoki, pronounced “ crypto-key ” and short for cryptanalytic token interface, follows a bare object-based border on, addressing the goals of technology independence ( any kind of device ) and resource sharing ( multiple applications accessing multiple devices ), presenting to applications a common, logical scene of the device called a cryptanalytic token .
reservoir : RSA Security Inc. hypertext transfer protocol : //www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs-11-cryptographic-token-interface-standard.htm .
To summarize, PKCS # 11 is a standard that can be used by application software to access cryptanalytic tokens such as smart cards and other devices. Most device vendors provide a library that implements the PKCS # 11 supplier interface — this library can be used by applications in order to access these devices. PKCS # 11 is a cross-platform, vendor-independent free standard .
Finding PKCS#11 provider library
The beginning matter you need to do is to find the supplier library, it should be installed with the device drivers. Each seller has its own library. For exemplar, the OpenSC PKCS # 11 supplier is located at /usr/lib/pkcs11/opensc-pkcs11.so on Unix or at opensc-pkcs11.dll on Windows .
How to configure cryptographic token
You should follow an registration procedure :
- Initialize the PKCS#11 token.
- Generate RSA key pair on the PKCS#11 token.
- Create a certificate request based on the key pair, you can use OpenSC and OpenSSL in order to do that.
- Submit the certificate request to a certificate authority, and receive a certificate.
- Load the certificate onto the token, while noting that the id and label attributes of the certificate must match those of the private key.
A configured token is a keepsake that has a secret identify object and a certificate object, where both contribution the same id and label attributes .
A elementary registration utility is Easy-RSA 2.0 which is separate of OpenVPN 2.1 series. Follow the instructions specified in the README file, and then use the pkitool in order to enroll .
Initialize a token using the adopt command :
$ ./pkitool --pkcs11-slots /usr/lib/pkcs11/ $ ./pkitool --pkcs11-init /usr/lib/pkcs11/
Enroll a certificate using the follow instruction :
$ ./pkitool --pkcs11 /usr/lib/pkcs11/ client1
How to modify an OpenVPN configuration to make use of cryptographic tokens
You should have OpenVPN 2.1 or above in arrange to use the PKCS # 11 features .
Determine the correct object
Each PKCS # 11 supplier can support multiple devices. In order to view the available aim list you can use the follow instruction :
$ openvpn --show-pkcs11-ids /usr/lib/pkcs11/ The following objects are available for use. Each object shown below may be used as parameter to --pkcs11-id option please remember to use single quote mark. Certificate DN: /CN=User1 Serial: 490B82C4000000000075 Serialized id: aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600
Each certificate/private key pair have unique “ serialize id ” string. The serialize idaho string of the requested certificate should be specified to the pkcs11-id option using single quote marks .
Using OpenVPN with PKCS#11
A typical set of OpenVPN options for PKCS#11
pkcs11-providers /usr/lib/pkcs11/ pkcs11-id 'aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600'
This will select the object which matches the pkcs11-id string .
Advanced OpenVPN options for PKCS#11
pkcs11-providers /usr/lib/pkcs11/provider1.so /usr/lib/pkcs11/provider2.so pkcs11-id 'aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600' pkcs11-pin-cache 300 daemon auth-retry nointeract management-hold management-signal management 127.0.0.1 8888 management-query-passwords
This will load two providers into OpenVPN, use the certificate specified on pkcs11-id option, and use the management interface in order to query passwords. The daemon will resume into hold express on the event when nominal can not be accessed. The token will be used for 300 seconds after which the password will be re-queried, session will disconnect if management seance disconnects .
PKCS#11 implementation considerations
many PKCS # 11 providers make habit of threads, in order to avoid problems caused by execution of LinuxThreads ( setuid, chroot ), it is highly recommend to upgrade to Native POSIX Thread Library ( NPTL ) enabled glibc if you intend to use PKCS # 11 .
OpenSC PKCS#11 provider
OpenSC PKCS # 11 provider is located at /usr/lib/pkcs11/opensc-pkcs11.so on Unix or at opensc-pkcs11.dll on Windows .
Difference between PKCS#11 and Microsoft Cryptographic API (CryptoAPI)
PKCS # 11 is a free, cross-platform seller mugwump standard. CryptoAPI is a Microsoft particular API. Most ache menu vendors provide support for both interfaces. In the Windows environment, the drug user should select which interface to use .
The current execution of OpenVPN that uses the MS CryptoAPI ( cryptoapicert option ) works well a hanker as you do n’t run OpenVPN as a service. If you wish to run OpenVPN in an administrative environment using a service, the execution will not work with most smart cards because of the pursue reasons :
- Most smart card providers do not load certificates into the local machine store, so the implementation will be unable to access the user certificate.
- If the OpenVPN client is running as a service without direct interaction with the end-user, the service cannot query the user to provide a password for the smart card, causing the password-verification process on the smart card to fail.
Using the PKCS # 11 interface, you can use smart cards with OpenVPN in any implementation, since PKCS # 11 does not access Microsoft stores and does not inevitably require send interaction with the end-user .
Routing all client traffic (including web-traffic) through the VPN
By default option, when an OpenVPN customer is active, only network dealings to and from the OpenVPN server site will pass over the VPN. General web browse, for exemplar, will be accomplished with direct connections that bypass the VPN .
In certain cases this behavior might not be desirable — you might want a VPN client to tunnel all network traffic through the VPN, including general internet web shop. While this character of VPN shape will exact a performance punishment on the client, it gives the VPN administrator more restraint over security policies when a customer is simultaneously connected to both the public internet and the VPN at the lapp fourth dimension .
Add the play along directing to the waiter shape charge :
push "redirect-gateway def1"
If your VPN apparatus is over a radio receiver network, where all clients and the server are on the lapp radio subnet, add the local flag :
push "redirect-gateway local def1"
Pushing the redirect-gateway choice to clients will cause all IP network dealings originating on customer machines to pass through the OpenVPN server. The server will need to be configured to deal with this traffic somehow, such as by NATing it to the internet, or routing it through the server site ‘s HTTP proxy .
On Linux, you could use a command such as this to NAT the VPN node dealings to the internet :
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
This command assumes that the VPN subnet is 10.8.0.0/24 ( taken from the server directing in the OpenVPN server configuration ) and that the local ethernet interface is eth0 .
When redirect-gateway is used, OpenVPN clients will route DNS queries through the VPN, and the VPN waiter will need handle them. This can be accomplished by pushing a DNS server address to connecting clients which will replace their normal DNS server settings during the time that the VPN is active. For example :
push "dhcp-option DNS 10.8.0.1"
will configure Windows clients ( or non-Windows clients with some extra server-side script ) to use 10.8.0.1 as their DNS server. Any address which is approachable from clients may be used as the DNS waiter address .
Redirecting all network traffic through the VPN is not entirely a problem-free proposition. here are some typical gotchas to be aware of :
- Many OpenVPN client machines connecting to the internet will periodically interact with a DHCP server to renew their IP address leases. The redirect-gateway option might prevent the client from reaching the local DHCP server (because DHCP messages would be routed over the VPN), causing it to lose its IP address lease.
- Issues exist with respect to pushing DNS addresses to Windows clients.
- Web browsing performance on the client will be noticably slower.
For more information on the mechanics of the redirect-gateway directing, see the manual page .
Running an OpenVPN server on a dynamic IP address
While OpenVPN clients can easily entree the server via a active IP address without any extra configuration, things get more interesting when the waiter itself is on a moral force address. While OpenVPN has no trouble handling the situation of a dynamic waiter, some extra configuration is required .
The first base step is to get a dynamic DNS address which can be configured to “ follow ” the server every time the server ‘s IP address changes. There are respective dynamic DNS overhaul providers available, such as dyndns.org .
The next step is to set up a mechanism indeed that every time the waiter ‘s IP address changes, the dynamic DNS name will be cursorily updated with the new IP address, allowing clients to find the server at its new IP savoir-faire. There are two basic ways to accomplish this :
- Use a NAT router appliance with dynamic DNS support (such as the Linksys BEFSR41). Most of the inexpensive NAT router appliances that are widely available have the capability to update a dynamic DNS name every time a new DHCP lease is obtained from the ISP. This setup is ideal when the OpenVPN server box is a single-NIC machine inside the firewall.
- Use a dynamic DNS client application such as ddclient to update the dynamic DNS address whenever the server IP address changes. This setup is ideal when the machine running OpenVPN has multiple NICs and is acting as a site-wide firewall/gateway. To implement this setup, you need to set up a script to be run by your DHCP client software every time an IP address change occurs. This script should (a) run ddclientto notify your dynamic DNS provider of your new IP address and (b) restart the OpenVPN server daemon.
The OpenVPN customer by default option will sense when the waiter ‘s IP address has changed, if the client shape is using a remote directing which references a active DNS name. The common chain of events is that ( a ) the OpenVPN customer fails to receive timely keepalive messages from the waiter ‘s honest-to-god IP savoir-faire, triggering a restart, and ( b ) the resume causes the DNS name in the remote directing to be re-resolved, allowing the client to reconnect to the waiter at its new IP address .
More information can be found in the FAQ .
Connecting to an OpenVPN server via an HTTP proxy.
OpenVPN supports connections through an HTTP proxy, with the pursue authentication modes :
- No proxy authentication
- Basic proxy authentication
- NTLM proxy authentication
First of all, HTTP proxy use requires that you use TCP as the burrow carrier protocol. indeed add the following to both node and server configurations :
Make sure that any proto udp lines in the config files are deleted .
future, add the http-proxy directive to the node configuration file ( see the manual page for a full description of this directing ) .
For exemplar, suppose you have an HTTP proxy server on the node LAN at 192.168.4.1, which is listening for connections on port 1080. Add this to the client config :
http-proxy 192.168.4.1 1080
Suppose the HTTP proxy requires basic authentication :
http-proxy 192.168.4.1 1080 stdin basic
Suppose the HTTP proxy requires NTLM authentication :
http-proxy 192.168.4.1 1080 stdin ntlm
The two authentication examples above will cause OpenVPN to prompt for a username/password from standard stimulation. If you would alternatively like to place these credentials in a file, replace stdin with a filename, and place the username on line 1 of this file and the password on lineage 2 .
Connecting to a Samba share over OpenVPN
This example is intended show how OpenVPN clients can connect to a Samba share over a spread-eagle dev tun tunnel. If you are ethernet bridge ( dev tap ), you credibly do n’t need to follow these instructions, as OpenVPN clients should see server-side machines in their network region .
For this exercise, we will assume that :
- the server-side LAN uses a subnet of 10.66.0.0/24,
- the VPN IP address pool uses 10.8.0.0/24 (as cited in the server directive in the OpenVPN server configuration file),
- the Samba server has an IP address of 10.66.0.4, and
- the Samba server has already been configured and is reachable from the local LAN.
If the Samba and OpenVPN servers are running on different machines, make certain you ‘ve followed the section on expanding the scope of the VPN to include extra machines .
adjacent, edit your Samba configuration file ( smb.conf ). Make sure the hosts allow directive will permit OpenVPN clients coming from the 10.8.0.0/24 subnet to connect. For exemplar :
hosts allow = 10.66.0.0/24 10.8.0.0/24 127.0.0.1
If you are running the Samba and OpenVPN servers on the lapp car, you may want to edit the interfaces directing in the smb.conf file to besides listen on the TUN interface subnet of 10.8.0.0/24 :
interfaces = 10.66.0.0/24 10.8.0.0/24
If you are running the Samba and OpenVPN servers on the lapp machine, connect from an OpenVPN client to a Samba share using the folder name :
If the Samba and OpenVPN servers are on different machines, use folder name :
For case, from a command motivate window :
net use z: \\10.66.0.4\sharename /USER:myusername
Implementing a load-balancing/failover configuration
The OpenVPN customer shape can refer to multiple servers for load balance and failover. For exercise :
remote server1.mydomain remote server2.mydomain remote server3.mydomain
will direct the OpenVPN client to attempt a connection with server1, server2, and server3 in that club. If an existing connection is broken, the OpenVPN customer will retry the most recently connected waiter, and if that fails, will move on to the future server in the list. You can besides direct the OpenVPN node to randomize its waiter list on inauguration, so that the node load will be probabilistically spread across the waiter pool .
If you would besides like DNS solution failures to cause the OpenVPN customer to move to the following server in the list, add the adopt :
The 60 parameter tells the OpenVPN customer to try resolving each remote DNS diagnose for 60 seconds before moving on to the future server in the number .
The server list can besides refer to multiple OpenVPN waiter daemons running on the same machine, each listening for connections on a unlike port, for exercise :
remote smp-server1.mydomain 8000 remote smp-server1.mydomain 8001 remote smp-server2.mydomain 8000 remote smp-server2.mydomain 8001
If your servers are multi-processor machines, running multiple OpenVPN daemons on each server can be advantageous from a performance point of view .
OpenVPN besides supports the remote directive referring to a DNS name which has multiple A records in the zone configuration for the world. In this event, the OpenVPN customer will randomly choose one of the A records every time the domain is resolved .
The simplest approach to a load-balanced/failover configuration on the server is to use equivalent configuration files on each server in the cluster, except use a different virtual IP address pool for each server. For exercise :
server 10.8.0.0 255.255.255.0
server 10.8.1.0 255.255.255.0
server 10.8.2.0 255.255.255.0
Hardening OpenVPN Security
One of the often-repeated maxims of network security is that one should never place indeed much entrust in a single security system part that its failure causes a catastrophic security transgress. OpenVPN provides several mechanisms to add extra security layers to hedge against such an consequence .
The tls-auth directing adds an extra HMAC signature to all SSL/TLS handshake packets for integrity confirmation. Any UDP package not bearing the adjust HMAC signature can be dropped without far march. The tls-auth HMAC signature provides an extra level of security system above and beyond that provided by SSL/TLS. It can protect against :
- DoS attacks or port flooding on the OpenVPN UDP port.
- Port scanning to determine which server UDP ports are in a listening state.
- Buffer overflow vulnerabilities in the SSL/TLS implementation.
- SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).
Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key :
openvpn --genkey --secret ta.key
This command will generate an OpenVPN static key and write it to the file ta.key. This key should be copied over a preexistent batten channel to the server and all customer machines. It can be placed in the like directory as the RSA .key and .crt files .
In the server shape, add :
tls-auth ta.key 0
In the customer configuration, add :
tls-auth ta.key 1
While OpenVPN allows either the TCP or UDP protocol to be used as the VPN carrier connection, the UDP protocol will provide better security against DoS attacks and port scanning than transmission control protocol :
user/group (non-Windows only)
OpenVPN has been very cautiously designed to allow solution privileges to be dropped after low-level formatting, and this feature of speech should always be used on Linux/BSD/Solaris. Without ancestor privileges, a running OpenVPN waiter devil provides a far less enticing target to an attacker .
user nobody group nobody
Unprivileged mode (Linux only)
On Linux OpenVPN can be run wholly unprivileged. This configuration is a little more complex, but provides best security .
In holy order to work with this configuration, OpenVPN must be configured to use iproute interface, this is done by specifying — enable-iproute2 to configure script. sudo package should besides be available on your system .
This configuration uses the Linux ability to change the permission of a tun device, so that unprivileged user may entree it. It besides uses sudo in order to execute iproute so that interface properties and routing board may be modified .
OpenVPN shape :
- Write the following script and place it at: /usr/local/sbin/unpriv-ip:
#!/bin/sh sudo /sbin/ip $*
- Execute visudo, and add the followings to allow user ‘user1’ to execute /sbin/ip:
user1 ALL=(ALL) NOPASSWD: /sbin/ip
- You can also enable a group of users with the following command:
%users ALL=(ALL) NOPASSWD: /sbin/ip
- Add the following to your OpenVPN configuration:
dev tunX/tapX iproute /usr/local/sbin/unpriv-ip
- Please note that you must select constant X and specify tun or tap not both.
- As root add persistant interface, and permit user and/or group to manage it, the following create tunX (replace with your own) and allow user1 and group users to access it.
openvpn --mktun --dev tunX --type tun --user user1 --group users
- Run OpenVPN in the context of the unprivileged user.
further security constraints may be added by examining the parameters at the /usr/local/sbin/unpriv-ip handwriting .
chroot (non-Windows only)
The chroot directing allows you to lock the OpenVPN daemon into a alleged chroot jail, where the devil would not be able to access any share of the server system ‘s filesystem except for the specific directory given as a argument to the directing. For example ,
would cause the OpenVPN daemon to cd into the jail subdirectory on low-level formatting, and would then reorient its root filesystem to this directory then that it would be impossible thereafter for the daemon to access any files outside of jail and its subdirectory tree. This is authoritative from a security perspective, because even if an attacker were able to compromise the server with a code interpolation exploit, the overwork would be locked out of most of the server ‘s filesystem .
Caveats : because chroot reorients the filesystem ( from the perspective of the daemon only ), it is necessary to place any files which OpenVPN might need after low-level formatting in the jail directory, such as :
- the crl-verify file, or
- the client-config-dir directory.
Larger RSA keys
The RSA key size is controlled by the KEY_SIZE variable in the easy-rsa/vars file, which must be set before any keys are generated. presently set to 1024 by nonpayment, this prize can sanely be increased to 2048 with no negative impingement on VPN burrow performance, except for a slightly slower SSL/TLS renegotiation handshake which occurs once per customer per hour, and a a lot slower erstwhile Diffie Hellman parameters generation action using the easy-rsa/build-dh script .
Larger symmetric keys
By default option OpenVPN uses Blowfish, a 128 morsel harmonious zero .
OpenVPN automatically supports any code which is supported by the OpenSSL library, and as such can support ciphers which use big key sizes. For exemplar, the 256-bit version of AES ( Advanced Encryption Standard ) can be used by adding the following to both waiter and customer configuration files :
Keep the root key (ca.key) on a standalone machine without a network connection
One of the security benefits of using an X509 PKI ( as OpenVPN does ) is that the root CA key ( ca.key ) need not be present on the OpenVPN server machine. In a gamey security environment, you might want to specially designate a machine for identify sign purposes, keep the machine well-protected physically, and disconnect it from all networks. floppy disks can be used to move key files back and forth, as necessity. such measures make it extremely difficult for an attacker to steal the ancestor key, short circuit of physical larceny of the keystone sign machine .
Revoking a certificate means to invalidate a previously signed security so that it can no long be used for authentication purposes .
typical reasons for wanting to revoke a certificate include :
- The private key associated with the certificate is compromised or stolen.
- The user of an encrypted private key forgets the password on the key.
- You want to terminate a VPN user’s access.
As an case, we will revoke the client2 certificate, which we generated above in the “ key genesis ” department of the HOWTO .
first open up a shell or instruction motivate window and certificate of deposit to the easy-rsa directory as you did in the “ key generation ” section above. On Linux/BSD/Unix :
. ./vars ./revoke-full client2
On Windows :
vars revoke-full client2
You should see output exchangeable to this :
Using configuration from /root/openvpn/20/openvpn/tmp/easy-rsa/openssl.cnf DEBUG[load_index]: unique_subject = "yes" Revoking Certificate 04. Data Base Updated Using configuration from /root/openvpn/20/openvpn/tmp/easy-rsa/openssl.cnf DEBUG[load_index]: unique_subject = "yes" client2.crt: /C=KG/ST=NA/O=OpenVPN-TEST/CN=client2/emailAddressfirstname.lastname@example.org error 23 at 0 depth lookup:certificate revoked
Note the “ mistake 23 ” in the last line. That is what you want to see, as it indicates that a security confirmation of the revoke certificate failed .
The revoke-full handwriting will generate a CRL ( security revocation list ) file called crl.pem in the keys subdirectory. The file should be copied to a directory where the OpenVPN server can access it, then CRL confirmation should be enabled in the server shape :
immediately all connecting clients will have their customer certificates verified against the CRL, and any plus equal will result in the connection being dropped .
- When the crl-verify option is used in OpenVPN, the CRL file will be re-read any time a new client connects or an existing client renegotiates the SSL/TLS connection (by default once per hour). This means that you can update the CRL file while the OpenVPN server daemon is running, and have the new CRL take effect immediately for newly connecting clients. If the client whose certificate you are revoking is already connected, you can restart the server via a signal (SIGUSR1 or SIGHUP) and flush all clients, or you can telnet to the management interfaceand explicitly kill the specific client instance object on the server without disturbing other clients.
- While the crl-verify directive can be used on both the OpenVPN server and clients, it is generally unnecessary to distribute a CRL file to clients unless a server certificate has been revoked. Clients don’t need to know about other client certificates which have been revoked because clients shouldn’t be accepting direct connections from other clientsin the first place.
- The CRL file is not secret, and should be made world-readable so that the OpenVPN daemon can read it after root privileges have been dropped.
- If you are using the chrootdirective, make sure to put a copy of the CRL file in the chroot directory, since unlike most other files which OpenVPN reads, the CRL file will be read after the chroot call is executed, not before.
- A common reason why certificates need to be revoked is that the user encrypts their private key with a password, then forgets the password. By revoking the original certificate, it is possible to generate a new certificate/key pair with the user’s original common name.
Important Note on possible “Man-in-the-Middle” attack if clients do not verify the certificate of the server they are connecting to.
To avoid a possible Man-in-the-Middle attack where an authoritative node tries to connect to another customer by impersonating the server, make sure to enforce some kind of server certificate verification by clients. There are presently five different ways of accomplishing this, listed in the order of preference :
- [OpenVPN 2.1 and above]Build your server certificates with specific key usage and extended key usage. The RFC3280 determine that the following attributes should be provided for TLS connections:
Mode Key usage Extended key usage Client digitalSignature TLS Web Client Authentication keyAgreement digitalSignature, keyAgreement Server digitalSignature, keyEncipherment TLS Web Server Authentication digitalSignature, keyAgreement
You can build your waiter certificates with the build-key-server script ( see the easy-rsa documentation for more information ). This will designate the certificate as a server-only security by setting the right attributes. immediately add the follow line to your client shape :
- [OpenVPN 2.0 and below] Build your server certificates with the build-key-server script (see the easy-rsa documentation for more info). This will designate the certificate as a server-only certificate by setting nsCertType=server. Now add the following line to your client configuration:
This will block clients from connecting to any waiter which lacks the nsCertType =server appointment in its security, even if the certificate has been signed by the ca file in the OpenVPN configuration file .
- Use the tls-remotedirective on the client to accept/reject the server connection based on the common name of the server certificate.
- Use a tls-verifyscript or plugin to accept/reject the server connection based on a custom test of the server certificate’s embedded X509 subject details.
- Sign server certificates with one CA and client certificates with a different CA. The client configuration ca directive should reference the server-signing CA file, while the server configuration cadirective should reference the client-signing CA file.