Nowadays, VPN networks are essential for most businesses, whether large or small. VPNs allows you to connect multiple locations or "road warrior" users to a geographically widespread network via an unsecured Internet connection. This is instead of the traditional approach which uses dedicated Layer 2 or Layer 3 VPN services provided by telecommunications operators.
For the past 15 years, various VPN protocols such as PPTP, SSTP, L2TP/IPSec were applied, but they all had certain flaws. PPTP is unsafe, SSTP does not support site-to-site connections, L2TP/IPSec is not flexible and can easily be blocked.
Although new, OpenVPN is a decidedly flexible and secure protocol that uses SSL/TLS cryptographic protocols for data encryption. Some of the advantages of this VPN protocol are:
- Support for site-to-site as well as user-to-site connections
- Authentication preformed through the use of a pre-shared key, certificate, or a key and certificate combination
- Implementation of a powerful SSL/TLS encryption protocol
- Support for a HMAC authentication package
- Operations conducted via TCP and UDP transport protocols, as well as any port
- Prompt functioning via NAT connections
Image: An example of a VPN network topology using OpenVPN
In places where other VPN protocols are blocked by firewalls (e.g. universities), OpenVPN can easily overcome this problem in most cases. For example, OpenVPN can be used via the TCP protocol and the TCP port 443 corresponding to the HTTPS port. TCP port 443 is only blocked in extreme situations, and is expected to run SSL/TLS encrypted traffic, just as the OpenVPN connection does. Under these circumstances, it is very difficult to distinguish between the regular browsing ofHTTPS pages and the OpenVPN connection.
All of these OpenVPN features come at a price - it may be quite complex to configure and adds a lot of overhead traffic, ultimately increasing package latency.
Below is a brief description of the OpenVPN server installation process on the Debian 8 distribution, as well as the server and user configuration. The packages used are from the official repositories.
All the required packages are installed by using the apt package manager:
sudo apt¬get install easy¬rsa liblzo2¬2 libpkcs11¬helper1 opensc opensc¬pkcs11 openvpn
A new directory for the scripts from the easy-rsa package is then created. The scripts will generate the certificates required for working.
sudo mkdir /etc/openvpn/easy¬rsa
After that, the scripts are thenmoved to the newly created directory.
sudo cp ¬r /usr/share/easy¬rsa/* /etc/openvpn/easy¬rsa/
In file /etc/openvpn/easyrsa/vars you can enter the data to be used to create certificates such as:
Values to be entered are arbitrary, and have no impact on system operation. They only ensure that all issued certificates have the same general information. The only parameter that has an impact on system operation is KEY_SIZE, as it defines the size of the key. The default value is 2048 bits and can be increased to 4096 or 8192 bits in order to increase communications security.
The next step is the generation of each of the required certificates and Diffie Hellman parameters.
The following commands are entered in the console:
cd /etc/openvpn/easy¬rsa . ./vars ./clean¬all
The second command uploads all variables from /etc/openvpn/easyrsa/vars file in order to use them in creating the certificate, while the third command deletes all the certificates within the easyrsa directory.
For signing all subsequent certificates, Certificate Authority must be created:
After that, we generate the key for our OpenVPN server:
The last step required is the creation of the Diffie Hellman parameters with the command:
Once all necessary files for the server are created, we can create user certificates:
Now that we have generated all the necessary keys, we move onto the production of the necessary configurations for the OpenVPN process. To facilitate easier administration, the created keys are moved to the /etc/openvpn/keys directory:
mkdir /etc/openvpn/keys cp /etc/openvpn/easy‐rsa/keys/* /etc/openvpn/keys/
The configuration file for OpenVPN is /etc/openvpn/server.conf, and listed below are the contents of the file used in this example.
port 443 proto tcp dev tun ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/OpenVPN_server.crt key /etc/openvpn/keys/OpenVPN_server.key dh /etc/openvpn/keys/dh2048.pem server 10.8.0.0 255.255.255.0 client¬-to-¬client keepalive 5 120 cipher AES¬-256-¬CBC comp¬-lzo max¬-clients 20 user nobody group nogroup chroot /etc/openvpn/ persist-¬key persist¬-tun verb 4 mute 20
A more detailed explanation of particular parts of the configuration can be found on the Wiki, provided by the OpenVPN organization, and in the example of the configuration located at:
Once the configuration is adjusted and all the required certificates and files are prepared, the OpenVPN server is ready for launch:
The user configuration we will run is:
client dev tun proto tcp remote IP_SERVERA 443 resolv-¬retry infinite nobind user nobody group nogroup persist-¬key persist¬-tun mute¬-replay-¬warnings ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/OpenVPN_korisnik.crt key /etc/openvpn/keys/OpenVPN_korisnik.key cipher AES¬-256-¬CBC comp¬-lzo verb 4 mute 20
Depending on the user operating system, the configuration file can be placed in different locations. Linux users want the configuration file and server to be in the same directory, /etc/openvpn, with .conf extension. Windows users are not tied to the exact path of the configuration file, but to the directory with the .ovpn extension. Both operating systems use the same configuration, the only difference being in the extension.