OpenVPN Lecture, NLUUG Voorjaarsconferentie 2014
Jan Just Keijser, Nikhef, Amsterdam, 15 May 2014

Transcript of the slide deck (44 pages).

Page 1: OpenVPN Lezing NLUUG Voorjaarsconferentie 2014 Jan Just ...janjust/presentations/NLUUG_OpenVPN_Lecture_20140515a.pdf · OpenVPN Lezing NLUUG Voorjaarsconferentie 2014 Jan Just Keijser

J.J. Keijser, Nikhef, Amsterdam

OpenVPN Lecture, NLUUG Voorjaarsconferentie 2014

Jan Just Keijser, Nikhef

15 May 2014

Page 2:

About me

• Working as a 'grid system engineer' since 2005
• Working in ICT since 1995
• "Discovered" OpenVPN in 2004
• Have used and supported OpenVPN ever since
• IT interests: open source, networking, VPNs, security, openssl, socat, manycore/multicore programming

Page 3:

OpenVPN 2 Cookbook, 2011

Page 4:

Outline

• What is a VPN?
• Types of VPNs
• What is OpenVPN?
• OpenVPN protocol
• Modes of operation: preshared keys, certificates, 'tun' vs 'tap', bridging
• Routing
• Smart card support
• Scripting and plugins
• Other features
• Weaknesses
• Future work
• Summary

Page 5:

What is a VPN?

Without the use of a VPN…

[Diagram: Client behind NAT & firewall, Internet / WAN, Server behind firewall & NAT: "Your TROL (Typical Remote Office Layout)"]

Page 6:

What is a VPN?

Using a VPN…

[Diagram: the same layout, now with a VPN set up between Client and Server across the Internet / WAN, through the NAT & firewall on both sides]

Page 7:

Types of VPNs

• Web based: Proxies, SOCKS
• Solutions based on SSH
• PPTP based: Microsoft PPTP VPN client
• IPSec based: OpenS/WAN, racoon
• IPSec+L2TP based: Microsoft L2TP VPN client
• SSL based: OpenVPN

Page 8:

Virtual network adapter

Most VPNs use the concept of a Virtual Network Adapter. This allows for:
◦ a separate IP address;
◦ control over the routing and protocols allowed over the VPN.

The Virtual Network Adapter is the interface between the VPN client (or server) software and the Operating System.

[Diagram: VPN client with a Virtual Network Adapter next to the Ethernet adapter; traffic steps 1, 2, 3]

Page 9:

Web-based VPNs

Also known as "clientless VPNs"
• Work only with web-based applications
• Basically, a souped-up Secure Proxy server or SOCKS server
• The VPN never leaves the "sandbox" of the web browser:

[Diagram: Web browser with a VPN applet; HTTPS-encrypted traffic leaves via the Ethernet adapter]

Page 10:

SSH-based solutions

• Not a true VPN: tunnelling of specific TCP ports only
• Client and server software available for nearly every platform
• OpenSSH includes SOCKS server support, allowing more flexible tunnels

[Diagram: SSH tunnel forwarding local ports to remote hosts]
  127.0.0.1 port 8080 -> hostA port 80 (http)
  127.0.0.1 port 1200 -> hostB port 23 (telnet)

Page 11:

Web & SSH: pros and cons

Pros:
◦ Client software for nearly all platforms;
◦ Uses standard TCP traffic so no NAT'ting issues;
◦ Easy to configure.

Cons:
◦ Web-based (TCP, HTTPS) only;
◦ Not easy to share local data with remote site/server;
◦ Not a true VPN solution.

Page 12:

PPTP: the Microsoft solution

• Developed by Microsoft and Ascend (RFC2637)
• Authentication using username/password OR X.509 certificates (EAP-TLS)
• Runs over a single TCP port and GRE tunnels (protocol 47)
• Frequently used for ADSL ethernet modems
• Interface to OS through PPTP adapter:

[Diagram: VPN client with a PPTP adapter next to the Ethernet adapter; GRE-encrypted traffic; steps 1, 2, 3]

Page 13:

PPTP: pros and cons

Pros:
◦ Client built into Microsoft platform;
◦ Other platforms supported for both client and server: Linux; FreeBSD/OpenBSD/NetBSD; Macintosh OS X.

Cons:
◦ PPTP considered fundamentally insecure;
◦ Secure version (EAP-TLS with X.509 certificates) supported fully only on Windows;
◦ GRE tunnelling does not work well with NAT'ting devices.

Page 14:

IPsec

• Official IEEE/IETF standard for IP security (RFC2411)
• Operates at Level 2/Level 3 of the IP stack
• Part of the IPv6 specification
• Introduces the concept of Security Policies
• Uses Encapsulated Security Payload (ESP, IP protocol 50) for payload security, Hash-based Message Authentication Code (HMAC) for integrity
• Authentication using X.509 certificates or pre-shared keys
• Two modes supported:
◦ Transport mode;
◦ Tunnelling mode.

Page 15:

IPsec+L2TP

• Developed by Microsoft and Cisco Systems (RFC3193)
• Utilizes IPSec Transport mode
• Authentication using X.509 certificates or pre-shared keys, in combination with a username/password
• Uses both UDP ports 500 and 4500 as well as ESP (protocol 50)
• Interface to OS through L2TP adapter:

[Diagram: L2TP client with an L2TP adapter on top of IPSec, next to the Ethernet adapter; IPsec-encrypted traffic; steps 1, 2, 3]

Page 16:

IPsec: pros and cons

Pros:
◦ Industry standard;
◦ Good platform support, including ADSL and Wifi routers;
◦ Security policies allow for a very modular approach.

Cons:
◦ Configuration and troubleshooting can be difficult;
◦ Notoriously difficult to configure, especially in combination with NAT-Traversal (NAT-T);
◦ Server-side cannot be NAT'ted, often forcing the use of a DMZ;
◦ IPSec and NAT'ting devices do not go well together.

Page 17:

OpenVPN: an SSL based VPN

• Uses TLS/SSL for payload security, HMAC for integrity
• Authentication using X.509 certificates or pre-shared keys
• UDP, TCP and SOCKS/HTTP Proxy support
• Supports tunnelling (TCP/IP) and bridging (Ethernet) mode
• Interface to OS through tun/tap device or TAP-Windows adapter:

[Diagram: OpenVPN with a tun/tap device next to the Ethernet adapter; UDP/TCP-encrypted traffic; steps 1, 2, 3]

Page 18:

OpenVPN: an SSL based VPN

Client/Server:
◦ Linux
◦ FreeBSD/OpenBSD/NetBSD
◦ Solaris
◦ (AIX port in the works)
◦ Windows XP/Vista/7/8/8.1 32bit and 64bit
◦ MacOS X

Client only:
◦ Android 4.0+
◦ iOS (not fully open source)

Page 19:

What is OpenVPN?

With OpenVPN, you can:
◦ tunnel any IP subnetwork or virtual ethernet adapter over a single UDP or TCP port,

◦ configure a scalable, load-balanced VPN server farm using one or more machines which can handle thousands of dynamic connections from incoming VPN clients,

◦ use all of the encryption, authentication, and certification features of the OpenSSL library to protect your private network traffic as it transits the internet,

◦ use any cipher, key size, or HMAC digest (for datagram integrity checking) supported by the OpenSSL library,

◦ choose between static-key based conventional encryption or certificate-based public key encryption,

◦ use static, pre-shared keys or TLS-based dynamic key exchange,

◦ use real-time adaptive link compression and traffic-shaping to manage link bandwidth utilization,

◦ tunnel networks whose public endpoints are dynamic such as DHCP or dial-in clients,

◦ tunnel networks through connection-oriented stateful firewalls without having to use explicit firewall rules,

◦ tunnel networks over NAT,

◦ create secure ethernet bridges using virtual tap devices, and

◦ control OpenVPN using a GUI on Windows or Mac OS X.

(from http://openvpn.net/index.php/open-source/333-what-is-openvpn.html)

Page 20:

OpenVPN: some history

• Started in 2002 by James Yonan
• First version only supported preshared keys and site-to-site connectivity
• 2004: OpenVPN 2.0
◦ X.509 certificates
◦ Multiple clients to same server
• 2009: OpenVPN 2.1
◦ PKCS#11 support (smartcards and hardware tokens)
◦ Windows Vista/7 support
• 2011: OpenVPN 2.2
◦ First community-built version
• 2014: OpenVPN 2.3.4
◦ IPv6 support, TLSv1.2 support

Page 21:

OpenVPN protocol

In SSL/TLS mode two channels are used:
◦ A reliable control channel for exchanging SSL/TLS information and keys
◦ A data channel for transporting the actual payload. In UDP mode this channel is secure, but not reliable

Each encrypted packet is formatted as follows:
◦ HMAC(explicit IV, encrypted envelope)
◦ Explicit IV
◦ Encrypted envelope

The content of the encrypted envelope is formatted as follows:
◦ 64 bit sequence number
◦ payload data, i.e. IP packet or Ethernet frame

Page 22:

Modes of operation

OpenVPN supports several modes of operation:
• Preshared static keys
• Authentication using X509 certificates
• Authentication using username+password
• Tunnelling mode (point-to-point, aka 'tun')
• Ethernet mode (aka 'tap')
• Ethernet bridging

Page 23:

Basic static key example

First, generate a static key:
$ openvpn --genkey --secret secret.key

Transfer the key to the remote end using a secure channel (e.g. scp)

Start the server/listener:
$ openvpn --ifconfig 10.200.0.1 10.200.0.2 \
    --dev tun --secret secret.key

And connect to it using the client:
$ openvpn --ifconfig 10.200.0.2 10.200.0.1 \
    --dev tun --secret secret.key \
    --remote openvpnserver.example.com

Page 24:

Setting up a PKI

PKI: Public Key Infrastructure
◦ Use public/private keypairs for cryptography

OpenVPN supplies 'easy-rsa' scripts, which are wrappers around 'openssl ca' commands

Other PKI solutions can also be used, provided they can supply PEM-encoded certificates and keys or PKCS#12 formatted files

Example usage of 'easy-rsa':
$ <edit vars file>
$ . ./vars
$ ./clean-all
$ ./build-ca
$ ./build-key-server <servername>
$ ./build-key <clientname>

Page 25:

Basic X.509 example (server)

proto udp
port 1194
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
persist-key
persist-tun
keepalive 10 60
user nobody
group nobody

Page 26:

Basic X.509 example (client)

client
proto udp
remote openvpnserver.example.com
port 1194
dev tun
nobind
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1

Page 27:

X.509 example (server, ipv6)

proto udp6
port 1194
dev tun
server-ipv6 2001:db8:123::/64
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
persist-key
persist-tun
keepalive 10 60
user nobody
group nobody

Page 28:

Network topologies

OpenVPN 2.1 introduced a new keyword: topology subnet

Previously, each client was assigned a miniature /30 network:
◦ Server uses 10.8.0.0-10.8.0.3
◦ First client is assigned 10.8.0.4-10.8.0.7
◦ Second client is assigned 10.8.0.8-10.8.0.11, etc.

  10.8.0.4   /30 network address
  10.8.0.5   remote endpoint (virtual)
  10.8.0.6   actual client VPN IP
  10.8.0.7   /30 broadcast address

With 'topology subnet' each client is assigned only a single IP address: 10.8.0.2, 10.8.0.3, etc.

Page 29:

'tun' versus 'tap'

OpenVPN supports two transport modes:
◦ 'tun' mode:
  • Create a mini point-to-point connection to each client
  • The headers of each incoming packet are stripped and new headers are added
  • Can support IP protocols only (TCP, UDP, ICMP, IPsec, GRE)
◦ 'tap' mode:
  • Pass full ethernet frames between client and server
  • Great for supporting non-IP protocols
  • Slightly higher overhead
  • Server and clients form a single broadcast domain

Page 30:

Bridging

'tap' mode allows the creation of a full Ethernet bridge:
◦ A regular network interface and a 'tap' interface are bridged
◦ All traffic which enters on one interface is copied out to the other interface
◦ Result: the LAN and the VPN form a single broadcast domain - great for multi-player gaming!
◦ A second advantage is that the VPN clients can be incorporated almost fully into the server-side LAN (e.g. can use the same DHCP server)
◦ Downside: performance! Even the throughput speed of the LAN interface is affected, as all incoming traffic is ALWAYS copied over to the 'tap' interface

Page 31:

Bridging example (server)

proto udp
port 1194
dev tap0
server-bridge 10.8.0.100 255.255.255.0 10.8.0.101 10.8.0.140
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
persist-key
persist-tun
keepalive 10 60
user nobody

Page 32:

Routing and masquerading

• A VPN is one thing, routing traffic over it is another
• 80+ % of all OpenVPN support questions are about routing
• Most commonly used trick (on Linux servers):

$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ iptables -I FORWARD -i tun+ -j ACCEPT
$ iptables -I FORWARD -o tun+ -j ACCEPT
$ iptables -t nat -I POSTROUTING -o eth0 \
    -j MASQUERADE

Page 33:

Smart card support

What is a smartcard?
• Card or USB token with a miniature Operating System
• The Smartcard contains the private key, which can never be copied off the card
• All keying information necessary for establishing a secure connection is generated on the card

Page 34:

Smart card support

• Two factor authentication: you can connect to my system based on something you KNOW (a password) and something you HAVE (hardware token or smart card)
• OpenVPN supports the PKCS#11 interface
• Any smart card or hardware security device with a PKCS#11 interface can be used (in theory...)
• However: PKCS#11 support on Linux (and MacOS) is far from perfect
• Known to work:
◦ Aladdin eToken PRO (now SafeNet)
◦ Feitian ePass

Page 35:

PKCS#11 example (client)

client
proto udp
remote openvpnserver.example.com
port 1194
dev tun
nobind
ca ca.crt
pkcs11-providers etpkcs11.dll
pkcs11-id "Aladdin\\x20Ltd\\x2E/eToken/001a0ab6/Jan\\x20Just\\x20Keijser/39453945373335312D333545442D343031612D384637302D3238463636393036363042303A30"
tls-auth ta.key 1

Page 36:

Scripting (1)

OpenVPN offers several ways to influence what happens when a client connects or disconnects, both on the server side and on the client side.

On the client side the following scripts are run when the client connects:
◦ 'up': when the virtual interface is brought up
◦ 'route-up': when routes need to be added to the local routing tables

Similarly, when the client disconnects:
◦ 'down': when the virtual interface is taken down

Page 37:

Scripting (2)

On the server side the following scripts are run when a client connects:
◦ 'client-connect': allows you to write out configuration statements which are pushed out to the client
◦ 'learn-address add'
◦ 'tls-verify': verify the entire certificate chain of the client
◦ 'auth-user-pass-verify': allows for authentication using username and password

Similarly, when the client disconnects:
◦ 'learn-address delete'
◦ 'client-disconnect'

Page 38:

Scripting example (server)

...
script-security 2
# run when server starts and shuts down
up sample-script.sh
route-up sample-script.sh
down sample-script.sh
# run when a client connects or disconnects
client-connect sample-script.sh
client-disconnect sample-script.sh
learn-address sample-script.sh
tls-verify sample-script.sh
auth-user-pass-verify sample-script.sh via-env
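A sample-script.sh that serves every hook listed on the Scripting slides and wired up in the config above, added here as an example and not the author's own script. It assumes OpenVPN invokes it with script_type, common_name and (for via-env) username in the environment and the documented per-hook arguments; the client names and the pushed route are constructed for the example.

```shell
#!/bin/sh
# sample-script.sh: one script for all server-side hooks. OpenVPN sets
# script_type to the name of the hook that fired and passes hook-specific
# arguments; common_name and username also arrive via the environment.
# The client names and the route below are constructed for this example.
ALLOWED_CLIENTS="client1
client2
laptop-jjk"

# Pull the CN out of a subject in either of the forms OpenVPN may use:
# "/C=NL/O=Nikhef/CN=client1" or "C=NL, O=Nikhef, CN=client1".
cn_of() {
    cn=${1##*CN=}
    cn=${cn%%,*}
    cn=${cn%%/*}
    printf '%s\n' "$cn"
}

# tls-verify: called once per certificate in the chain with
# $1 = depth (0 = the client's own certificate) and $2 = X.509 subject.
# A non-zero exit aborts the TLS handshake for that client.
tls_verify() {
    depth=$1; subject=$2
    # Depth > 0 is the CA chain, which --ca has already validated.
    [ "$depth" -ne 0 ] && return 0
    cn=$(cn_of "$subject")
    printf '%s\n' "$ALLOWED_CLIENTS" | grep -Fxq -- "$cn"
}

# auth-user-pass-verify via-env: username and password are in the
# environment. Real password checking belongs in the auth-pam plugin;
# this script only refuses a login whose username differs from the CN
# of the certificate that was presented.
auth_user_pass() {
    [ -n "${username:-}" ] || return 1
    [ "$username" = "${common_name:-}" ]
}

# client-connect: $1 is a file whose contents are pushed to the client.
# Start from an empty file so nothing from a previous run leaks through.
client_connect() {
    cfg=$1
    : > "$cfg"
    case "${common_name:-}" in
        laptop-jjk) printf 'push "route 10.200.1.0 255.255.255.0"\n' >> "$cfg" ;;
    esac
}
# learn-address: $1 = add|update|delete, $2 = address, $3 = common name.
# A real deployment would adjust per-client firewall rules here.
learn_address() {
    case "$1" in
        add|update|delete) printf 'learn-address: %s %s (%s)\n' "$1" "$2" "${3:-}" >&2 ;;
        *) return 1 ;;
    esac
}
# Dispatch on the hook name; unknown hooks fail closed.
on_hook() {
    case "${script_type:-}" in
        tls-verify)            tls_verify "$1" "$2" ;;
        auth-user-pass-verify) auth_user_pass ;;
        client-connect)        client_connect "$1" ;;
        client-disconnect)     printf 'disconnect: %s\n' "${common_name:-}" >&2 ;;
        learn-address)         learn_address "$@" ;;
        up|route-up|down)      return 0 ;;
        *)                     return 1 ;;
    esac
}

# Only dispatch when OpenVPN invoked us (script_type is set).
if [ -n "${script_type:-}" ]; then
    on_hook "$@"
fi
```

With script-security 2 the script must be executable by the user OpenVPN drops to (user nobody in the configs above), and every hook's exit status is what decides whether the client proceeds.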

Page 39:

Plugins

• Next to scripts, OpenVPN can also be extended using plugins
• Plugins can be inserted at almost all points where scripts are run
• Most common plugins are:
◦ auth-pam: for authenticating users using PAM;
◦ down-root: for running a command as root when openvpn shuts down.
• Why would you use a plugin?
◦ Speed: plugins are run in a separate thread
◦ Security: it's easy to make a mistake in a script which can be exploited.

Page 40:

Other features

• Different cipher algorithms for encryption
• Different signing algorithms for HMAC signing
• On-the-fly compression using 'lzo'
• Connect via a SOCKS proxy
• Connect via an HTTP proxy
• Share a VPN server with an HTTPS server on the same IP and port
• Management interface (on both client and server):
◦ View connected clients;
◦ View statistics;
◦ Disconnect clients.

Page 41:

Weaknesses

• Monolithic design: both a strength and a weakness, but does affect scalability
• Throughput over gigabit+ links

Page 42:

What's wrong @ Gigabit speed?

Page 43:

Future developments

• A grand, completely modular redesign is being worked on (OpenVPN 3.0)
• Improve negotiation capabilities between client and server; make client configuration as minimal as possible
• Add ability to 'mimic' HTTPS traffic for ducking firewalls
• New transport protocols next to UDP and TCP:
◦ sctp
◦ ICMP
