In association with heise online

06 February 2008, 09:19

VPNs over SSL with OpenVPN

Jürgen Schmidt

Hamachi - just a gamer's toy? Is IPSec too complicated and time-consuming? Then how about trying OpenVPN? It has proven technology, is quick to set up, flexible and cross-platform.

OpenVPN is a comparatively new Virtual Private Network technology that can be used to connect individual computers with each other over the internet, link complete networks or give telecommuters secure access to the company network. It also works well for encrypting and controlling access to wireless networks, or for remote maintenance. Unlike Hamachi, it gives you complete control of the infrastructure, which also makes OpenVPN a viable professional solution. Aside from that, it runs on just about any platform, including Windows 2000/XP and Mac OS X.

The downside is that setting it up takes a bit of effort. Even so, it is far less complicated than IPSec. For this reason, OpenVPN is not necessarily the solution of choice for the uninitiated, but with a bit of computer and network know-how it is not a problem to set it up and get it running, not least because of the excellent documentation.

For all practical purposes, all OpenVPN needs is a single TCP or UDP connection between the computers involved, which lets it function smoothly behind NAT routers and firewalls without dropping the connection. If necessary, you can even establish a full-fledged network connection via an HTTP proxy. This should only be done in consultation with the network administrator, however; otherwise you may be violating security regulations and could be denied network access.

Solid foundation

For encryption, OpenVPN relies on Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS). These have been used for years to encrypt https web pages, among other things, and to secure services like email via IMAP. For these basic security-related functions it uses proven protocols and libraries, like OpenSSL, which have been well researched and tested.

You can also choose to perform authentication using passwords or passphrases. However, these static pre-shared keys are significantly less secure than authentication using certificates. OpenVPN simplifies certificate generation with OpenSSL using a script toolkit called Easy RSA. With just a few commands you can create certificates for your own certification authority, the server and the clients. The necessary steps are explained in detail in the OpenVPN HOWTO. It is important to note that no passphrase should be assigned to the private key on a server that is supposed to start the OpenVPN service automatically. The clients, on the other hand, should have passphrase-protected keys to prevent misuse of the VPN by anyone who happens to have access to the computer.

If you want to use OpenVPN on a large scale you can also use a separate tool like TinyCA. It includes the option to pack all of the necessary data, including the key, the CA certificate and the client certificate, into a single PKCS#12 file (client.p12) that OpenVPN can use directly.
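The certificate layout the two paragraphs above describe (a private CA, an unprotected server key so the service can start unattended, passphrase-protected client keys, and a client.p12 bundle), built here with plain openssl commands as an added example that is not part of the article and not Easy RSA or TinyCA code. It assumes an openssl binary is on the PATH; subjects, file names and the passphrase are constructed for illustration.

```shell
#!/bin/sh
# Minimal OpenVPN-style PKI built with plain openssl (the same work the Easy RSA
# scripts do): a private CA, a server cert whose key stays unencrypted so the
# service can start unattended, and a client cert whose key is passphrase-
# protected and bundled with the CA cert into client.p12 for the "pkcs12"
# directive. Subjects, file names and the passphrase are constructed.

build_pki() (
    set -e
    dir="$1"; pass="$2"
    mkdir -p "$dir"; cd "$dir"
    # 1. Self-signed certification authority
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example VPN CA" \
        -keyout ca.key -out ca.crt 2>/dev/null
    # 2. Server key without passphrase (-nodes) plus its CSR
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn-server" \
        -keyout server.key -out server.csr 2>/dev/null
    # Mark it as a TLS server so clients can enforce "remote-cert-tls server"
    printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' >server.ext
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -extfile server.ext -out server.crt 2>/dev/null
    # 3. Client key encrypted with AES-256 under the passphrase, CSR signed by the CA
    openssl genrsa -aes256 -passout "pass:$pass" -out client.key 2048 2>/dev/null
    openssl req -new -key client.key -passin "pass:$pass" -subj "/CN=client1" \
        -out client.csr 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' >client.ext
    openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -extfile client.ext -out client.crt 2>/dev/null
    # 4. Pack CA cert, client cert and client key into one PKCS#12 file
    openssl pkcs12 -export -in client.crt -inkey client.key -passin "pass:$pass" \
        -certfile ca.crt -passout "pass:$pass" -out client.p12 2>/dev/null
)

# Checks to run before handing the files out; returns 0 only if all of them hold.
check_pki() {
    dir="$1"; pass="$2"
    # both leaf certificates chain to the CA
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" "$dir/client.crt" >/dev/null 2>&1 || return 1
    # the server key must be plaintext, the client key must be encrypted
    grep -q ENCRYPTED "$dir/server.key" && return 1
    grep -q ENCRYPTED "$dir/client.key" || return 1
    # client.p12 opens with the passphrase and carries certificates
    openssl pkcs12 -in "$dir/client.p12" -passin "pass:$pass" -nokeys 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE' || return 1
}

# Usage: build_pki /tmp/vpn-pki 'constructed-passphrase' && check_pki /tmp/vpn-pki 'constructed-passphrase' && echo "PKI OK"
```

The resulting server.crt/server.key/ca.crt go into the server configuration, while a client needs only client.p12 (via the pkcs12 directive) and is prompted for the passphrase at start.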
