Flexible VPN solution using OpenVPN

Today VPNs are essential for most businesses, large or small. A VPN connects several locations, or individual "road warrior" users, into one geographically dispersed private network across the untrusted public Internet, instead of the traditional approach of buying dedicated Layer 2 or Layer 3 VPN services from a telecommunications operator.

Over the past 15 years various VPN protocols such as PPTP, SSTP and L2TP/IPsec have been used, but each has shortcomings. PPTP is cryptographically broken, SSTP is a client-to-site protocol with no site-to-site mode, and L2TP/IPsec is inflexible and easy to block because it relies on fixed UDP ports (500 and 4500) and the ESP protocol.

OpenVPN, by comparison, is a decidedly flexible and secure protocol: it uses SSL/TLS (through OpenSSL) to authenticate the peers and exchange keys, and encrypts the tunnelled traffic with the configured symmetric cipher using keys derived over that TLS session. Some of its advantages are:

  • Support for site-to-site as well as user-to-site ("road warrior") connections
  • Authentication with a pre-shared static key, with X.509 certificates, or with certificates combined with an additional pre-shared HMAC key (tls-auth)
  • Key exchange and control-channel protection by the proven SSL/TLS protocol
  • HMAC authentication of every packet, extended to the TLS handshake itself when a tls-auth key is used
  • Operation over either TCP or UDP, on any port
  • Works through NAT without special handling

 

Image: An example of a VPN network topology using OpenVPN

Where other VPN protocols are blocked by firewalls (universities, for example), OpenVPN can usually get through. It can be run over TCP on port 443, the HTTPS port, which is blocked only in extreme cases and is expected to carry SSL/TLS-encrypted traffic, just as the OpenVPN connection does. By port and protocol alone the tunnel is then hard to tell apart from ordinary HTTPS browsing. This is obscurity rather than a guarantee: OpenVPN wraps each TLS record in its own packet header (a length field and an opcode byte), and deep packet inspection can recognise that framing, so a firewall that sets out to block OpenVPN specifically still can.

These features come at a price: OpenVPN can be fairly complex to configure, and the encapsulation adds per-packet overhead that increases latency. Tunnelling over TCP in particular stacks TCP on top of TCP, so a lost packet triggers retransmissions at both layers; use UDP wherever it is not blocked.

Below is a brief description of installing an OpenVPN server on the Debian 8 distribution, followed by the server and client configuration. All packages come from the official repositories.

 

 

All the required packages are installed with the apt package manager (opensc and opensc-pkcs11 are only needed if users authenticate with smart cards and can be left out otherwise):

sudo apt-get install easy-rsa liblzo2-2 libpkcs11-helper1 opensc opensc-pkcs11 openvpn


A new directory is then created for the scripts from the easy-rsa package; these scripts generate the certificates needed for operation.

sudo mkdir /etc/openvpn/easy-rsa


After that, the scripts are copied to the newly created directory.

sudo cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/


In the file /etc/openvpn/easy-rsa/vars you can set the data to be used in creating the certificates, such as:

KEY_COUNTRY
KEY_PROVINCE
KEY_CITY
KEY_ORG
KEY_EMAIL
KEY_OU
KEY_NAME

The values entered are arbitrary and have no effect on how the system operates; they only ensure that all issued certificates carry the same general information. The one parameter that does affect operation is KEY_SIZE, which sets the RSA key length and the size of the Diffie-Hellman parameters. The default of 2048 bits is adequate; it can be raised to 4096 bits (or 8192, at which point the build-dh step takes hours) for a larger security margin, but the file name of the Diffie-Hellman parameters (dh2048.pem below) changes accordingly. When the scripts prompt for a Common Name, each certificate must get a different one, because the CA database rejects a duplicate subject.

The next step is generating each of the required certificates and the Diffie-Hellman parameters.

The following commands are entered in the console:

 

cd /etc/openvpn/easy-rsa
. ./vars
./clean-all

The second command sources the variables from /etc/openvpn/easy-rsa/vars into the current shell so that the following scripts pick them up (it has to be repeated in every new shell session), while the third command wipes the keys directory, /etc/openvpn/easy-rsa/keys, deleting any certificates already in it, so it is run once, at the start.

To sign all subsequent certificates, a Certificate Authority must first be created:

./build-ca


Next, the key and certificate for our OpenVPN server are generated. build-key-server marks the certificate as a server certificate (nsCertType=server, extendedKeyUsage=serverAuth), which is what allows clients to verify that they are talking to the server and not to another client:

./build-key-server OpenVPN_server


Then the Diffie-Hellman parameters used for the ephemeral key exchange are created; with the default 2048-bit size this takes a few minutes:

./build-dh


Once all the files the server needs exist, a certificate is created for each user, one per user with a unique Common Name, so that a single user's certificate can later be revoked:

./build-key OpenVPN_korisnik


With all the keys generated, we move on to the configuration of the OpenVPN process. For easier administration, the files the server needs are copied to the /etc/openvpn/keys directory. Only the CA certificate, the server certificate and key, and the Diffie-Hellman parameters belong there. The CA private key (ca.key) and the users' keys must not be copied onto the VPN server: anyone who obtains ca.key can issue certificates for new "users", and a compromised server should not expose other users' keys. Ideally the easy-rsa directory lives on a separate machine kept offline, and each user receives ca.crt together with their own .crt and .key over a secure channel.

mkdir /etc/openvpn/keys
cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/easy-rsa/keys/OpenVPN_server.crt /etc/openvpn/easy-rsa/keys/OpenVPN_server.key /etc/openvpn/easy-rsa/keys/dh2048.pem /etc/openvpn/keys/
chmod 600 /etc/openvpn/keys/OpenVPN_server.key
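
The whole certificate procedure above, as an added shell example that is not part of the original article: it performs the same steps as build-ca, build-key-server and build-key with plain openssl commands, so the extensions OpenVPN relies on are written out explicitly, checks the result, and then copies only the files the server needs. File names follow the article; the working directory, the subjects, the validity periods, the umask and the helper names (write_pki_cnf, issue_cert, build_pki, build_dh, verify_pki, install_server_files) are assumptions of this example. build-dh is kept as a separate function because it is slow.

```shell
#!/bin/sh
# Added example, not part of the article: the same PKI that easy-rsa's
# build-ca, build-key-server and build-key create, issued with plain openssl
# so the extensions OpenVPN cares about are explicit. File names follow the
# article; directory, subjects, validity and key size are assumptions.
set -e
umask 077   # every private key is created mode 0600

# Minimal OpenSSL config with one extension section per certificate role.
write_pki_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
[ client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
nsCertType = client
EOF
}

# Key pair and certificate for $2 in directory $1, signed by ca.key, with
# the extension section $3 (server or client). The Common Name is $2, so
# distinct names give distinct subjects, as the CA database requires.
issue_cert() {
    dir="$1"; name="$2"; role="$3"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
        -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 3650 -extfile "$dir/pki.cnf" -extensions "$role" \
        -out "$dir/$name.crt" 2>/dev/null
    rm -f "$dir/$name.csr"
}

# build-ca, build-key-server OpenVPN_server and build-key OpenVPN_korisnik.
build_pki() {
    dir="$1"
    mkdir -p "$dir"
    write_pki_cnf "$dir/pki.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$dir/pki.cnf" \
        -extensions ca -subj "/CN=OpenVPN CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    issue_cert "$dir" OpenVPN_server server
    issue_cert "$dir" OpenVPN_korisnik client
}

# build-dh: takes minutes at 2048 bits, so it is a separate step.
build_dh() { openssl dhparam -out "$1/dh2048.pem" 2048 2>/dev/null; }

# Both certificates chain to the CA, and only the server's is usable as a
# TLS server: the property a client's 'remote-cert-tls server' relies on.
verify_pki() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/OpenVPN_server.crt" "$dir/OpenVPN_korisnik.crt" >/dev/null &&
    openssl x509 -in "$dir/OpenVPN_server.crt" -noout -purpose | grep -q '^SSL server : Yes' &&
    openssl x509 -in "$dir/OpenVPN_korisnik.crt" -noout -purpose | grep -q '^SSL server : No'
}

# Copy only what the server needs from $1 into $2 (the article's
# /etc/openvpn/keys). ca.key stays behind: the server never uses it, and a
# compromised server must not hand out the power to mint new client certs.
install_server_files() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    cp "$src/ca.crt" "$src/OpenVPN_server.crt" "$src/OpenVPN_server.key" "$dst/"
    [ -f "$src/dh2048.pem" ] && cp "$src/dh2048.pem" "$dst/"
    chmod 600 "$dst/OpenVPN_server.key"
}

# Usage: build_pki ./pki && build_dh ./pki && verify_pki ./pki && install_server_files ./pki /etc/openvpn/keys
```

verify_pki is the check worth keeping around: the client certificate must come out as "SSL server : No", otherwise a user could present their own certificate to other users as the server's.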

 

The server configuration file is /etc/openvpn/server.conf; the contents used in this example follow. With user nobody, group nogroup and chroot the daemon drops its privileges after start-up, and persist-key and persist-tun are what let it survive a restart (SIGUSR1) without re-reading key files it can no longer access.

port 443
proto tcp
dev tun

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/OpenVPN_server.crt
key /etc/openvpn/keys/OpenVPN_server.key
dh /etc/openvpn/keys/dh2048.pem

server 10.8.0.0 255.255.255.0
client-to-client
keepalive 5 120

cipher AES-256-CBC
comp-lzo

max-clients 20
user nobody
group nogroup
chroot /etc/openvpn/

persist-key
persist-tun

verb 4
mute 20


A more detailed explanation of the individual directives is in the OpenVPN community wiki and in the sample configuration shipped with the package:

/usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz

Two settings in the configuration above deserve a second look before production use. comp-lzo compresses the plaintext before it is encrypted; compression inside encrypted tunnels was later shown to leak data (the 2018 VORACLE attack), so it is better removed on both server and client. And while HMAC authentication is listed among OpenVPN's advantages, this configuration leaves it at its minimum: the data channel uses the default SHA1 HMAC (auth SHA256 is the better choice), and tls-auth is not enabled. A shared HMAC key created with "openvpn --genkey --secret /etc/openvpn/keys/ta.key", referenced as "tls-auth /etc/openvpn/keys/ta.key 0" on the server and with direction 1 on the client, makes the server discard any packet without a valid HMAC before it reaches the TLS handshake code, which also blunts port scans and attacks on the TLS stack from unauthenticated hosts.


Once the configuration is adjusted and all the certificates and files are in place, the OpenVPN server can be started:

/etc/init.d/openvpn start

On Debian 8, which uses systemd, the equivalent is "systemctl start openvpn@server", where server is the name of the configuration file without the .conf extension; the init script starts every .conf file it finds in /etc/openvpn.


The client configuration used in this example follows. IP_SERVERA is a placeholder for the server's public IP address or host name. Note that as written the client accepts any certificate signed by our CA as the server's, including another user's certificate, so a malicious user could impersonate the server to the others; adding the line "remote-cert-tls server" makes the client require the server-type certificate that build-key-server issued.

client
dev tun
proto tcp
remote IP_SERVERA 443
resolv-retry infinite

nobind
user nobody
group nogroup

persist-key
persist-tun
mute-replay-warnings

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/OpenVPN_korisnik.crt
key /etc/openvpn/keys/OpenVPN_korisnik.key

cipher AES-256-CBC

comp-lzo
verb 4
mute 20


Depending on the user's operating system, the configuration file goes in different places. On Linux the client configuration is kept, like the server's, in /etc/openvpn with the .conf extension and is started the same way. On Windows the file is not tied to a fixed path but to the config directory of the OpenVPN installation, and it carries the .ovpn extension. Both systems use the same directives, with two adjustments for Windows: the user and group directives are not implemented there (OpenVPN logs a note and ignores them), and the ca, cert and key paths must point to where the files actually are on the client, which will not be /etc/openvpn/keys.
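
The server and client configurations above, audited and hardened in an added shell example that is not part of the original article. lint_openvpn_conf checks a configuration file for the weak points discussed (compression, no tls-auth, the default SHA1 HMAC and, on the client, no remote-cert-tls), and hardened_server_conf and hardened_client_conf print corrected versions of the article's two files. The path /etc/openvpn/keys/ta.key, the function names and the short excerpts used as weak input are assumptions and constructed data of this example; IP_SERVERA is the article's own placeholder.

```shell
#!/bin/sh
# Added example, not part of the article: audit an OpenVPN server or client
# configuration for the weak settings discussed above, and print hardened
# versions of the article's two files. /etc/openvpn/keys/ta.key is an
# assumed path (generate it with: openvpn --genkey --secret /etc/openvpn/keys/ta.key).
set -e

# True when config $1 has directive $2 at the start of a line.
has_directive() { grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"; }

# Print one finding per line for config $1 with role $2 (server|client).
# The return value is the number of findings, so 0 means clean.
lint_openvpn_conf() {
    conf="$1"; role="$2"; n=0
    if has_directive "$conf" comp-lzo; then
        echo "comp-lzo: compressing plaintext before encryption leaks data (VORACLE, 2018); remove it on both ends"; n=$((n+1))
    fi
    if ! has_directive "$conf" tls-auth; then
        echo "tls-auth missing: control-channel packets reach the TLS code without an HMAC check"; n=$((n+1))
    fi
    if ! grep -Eq '^[[:space:]]*auth[[:space:]]+SHA(256|384|512)' "$conf"; then
        echo "auth: data-channel HMAC is the default SHA1; set 'auth SHA256'"; n=$((n+1))
    fi
    if [ "$role" = client ] && ! has_directive "$conf" 'remote-cert-tls server' \
            && ! has_directive "$conf" 'ns-cert-type server'; then
        echo "remote-cert-tls server missing: any CA-signed certificate, even another user's, passes as the server"; n=$((n+1))
    fi
    return $n
}

# Constructed excerpts of the article's two configurations (only the
# directives the audit looks at), used here as weak input.
weak_server_conf() { printf '%s\n' 'port 443' 'proto tcp' 'cipher AES-256-CBC' 'comp-lzo'; }
weak_client_conf() { printf '%s\n' 'client' 'remote IP_SERVERA 443' 'cipher AES-256-CBC' 'comp-lzo'; }

# The article's server.conf with compression removed, tls-auth and a SHA-256
# HMAC added, TLS 1.0/1.1 refused, and client-to-client dropped (add it back
# only if VPN users must reach each other).
hardened_server_conf() {
    cat <<'EOF'
port 443
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/OpenVPN_server.crt
key /etc/openvpn/keys/OpenVPN_server.key
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0
server 10.8.0.0 255.255.255.0
keepalive 5 120
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
max-clients 20
user nobody
group nogroup
chroot /etc/openvpn/
persist-key
persist-tun
verb 3
EOF
}

# The matching client file; remote-cert-tls makes the client insist on the
# server-role certificate that build-key-server issued.
hardened_client_conf() {
    cat <<'EOF'
client
dev tun
proto tcp
remote IP_SERVERA 443
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/OpenVPN_korisnik.crt
key /etc/openvpn/keys/OpenVPN_korisnik.key
tls-auth /etc/openvpn/keys/ta.key 1
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
verb 3
EOF
}

# Usage: hardened_server_conf > /etc/openvpn/server.conf; lint_openvpn_conf /etc/openvpn/server.conf server
```

Run against the article's settings the audit reports three findings for the server and four for the client; against the hardened pair it reports none. tls-version-min and the tls-auth direction values (0 on the server, 1 on the client) must match on both ends, and both files drop comp-lzo together, since compression is negotiated per link.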