- Credits
- About the Author
- About the Reviewers
- www.PacktPub.com
- Table of Contents
- Preface
- Introduction
- Shortest setup possible
- OpenVPN secret keys
- Multiple secret keys
- Plaintext tunnel
- Routing
- Configuration files versus the command-line
- Complete site-to-site setup
- 3-way routing
- Introduction
- Setting up the public and private keys
- Simple configuration
- Server-side routing
- Routing: subnets on both sides
- Redirecting the default gateway
- Using an 'ifconfig-pool' block
- Using the status file
- Management interface
- Proxy-arp
- Introduction
- Simple configuration—non-bridged
- Enabling client-to-client traffic
- Bridging—Linux
- Bridging—Windows
- Checking broadcast and non-IP traffic
- External DHCP server
- Using the status file
- Management interface
- Introduction
- Certificate generation
- xCA: a GUI for managing a PKI (Part 1)
- xCA: a GUI for managing a PKI (Part 2)
- OpenSSL tricks: x509, pkcs12, verify output
- Revoking certificates
- The use of CRLs
- Checking expired/revoked certificates
- Intermediary CAs
- Multiple CAs: stacking, using --capath
- Introduction
- Initializing a hardware token
- Getting a hardware token ID
- Using a hardware token
- Selecting a PKCS#11 certificate using the management interface
- Generating a key on the hardware token
- Private method for getting a PKCS#11 certificate
- Pin caching example
- Introduction
- Using a client-side up/down script
- Windows login greeter
- Using client-connect/client-disconnect scripts
- Using a 'learn-address' script
- Using a 'tls-verify' script
- Using an 'auth-user-pass-verify' script
- Script order
- Script security and logging
- Using the 'down-root' plugin
- Using the PAM authentication plugin
- Introduction
- Cipher mismatches
- TUN versus TAP mismatches
- Compression mismatches
- Key mismatches
- Troubleshooting MTU and tun-mtu issues
- Troubleshooting network connectivity
- How to read the OpenVPN log files
- Introduction
- The missing return route
- Missing return routes when 'iroute' is used
- Source routing
- Routing and permissions on Windows
- Troubleshooting client-to-client traffic routing
- Understanding the 'MULTI: bad source' warnings
- Failure when redirecting the default gateway
- Introduction
- Optimizing performance using 'ping'
- OpenSSL cipher speed
- Compression tests
- Traffic shaping
- Tuning UDP-based connections
- Tuning TCP-based connections
- Analyzing performance using tcpdump
- Introduction
- Linux: using NetworkManager
- MacOS: using Tunnelblick
- Windows Vista/7: elevated privileges
- Windows: using the CryptoAPI store
- Windows: updating the DNS cache
- Windows: running OpenVPN as a service
- Windows: public versus private network adapters
- Windows: routing methods
- Introduction
- Including configuration files in config files
- Details of ifconfig-pool-persist
- Connecting using a SOCKS proxy
- Connecting via an HTTP proxy
- Connecting via an HTTP proxy with authentication
- Using dyndns
- IP-less setups (ifconfig-noexec)
- Introduction
- Inline certificates
- Connection blocks
- Port sharing with an HTTPS server
- Routing features: redirect-private, allow-pull-fqdn
- OCSP support
- New for 2.2: the 'x509_user_name' parameter
- Index
OpenVPN 2 Cookbook
100 simple and incredibly effective recipes for harnessing the power of the OpenVPN 2 network
Jan Just Keijser
BIRMINGHAM - MUMBAI
OpenVPN 2 Cookbook
Copyright © 2011 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: February 2011
Production Reference: 1140211
Published by Packt Publishing Ltd.
32 Lincoln Road
Olton
Birmingham, B27 6PA, UK.
ISBN 978-1-849510-10-3
www.packtpub.com
Cover Image by Ed Maclean (edmaclean@gmail.com)
Credits
Author
Jan Just Keijser
Reviewers
David Sommerseth
Krzee King
Ralf Hildebrandt
Acquisition Editor
Eleanor Duffy
Development Editor
Hyacintha D'Souza
Technical Editors
Ajay Shanker
Mohd. Sahil
Indexer
Hemangini Bari
Editorial Team Leader
Aanchal Kumar
Project Team Leader
Lata Basantani
Project Coordinator
Leena Purkait
Proofreader
Aaron Nash
Graphics
Nilesh R. Mohite
Production Coordinator
Aparna Bhagat
Cover Work
Aparna Bhagat
About the Author
Jan Just Keijser is an open source professional from Utrecht, the Netherlands. He has broad experience in IT, ranging from providing user support, system administration, and systems programming to network programming. He has worked for various IT companies since 1989 and has been working mainly on UNIX/Linux platforms since 1995. He was an active USENET contributor in the early 1990s.
Currently, he is employed as a senior scientific programmer in Amsterdam, the Netherlands, at Nikhef, the institute for sub-atomic physics from the Dutch Foundation for Fundamental Research on Matter (FOM). He is working on grid computing and grid application programming, as well as smartcard applications.
His open source interests include all types of Virtual Private Networking, including IPSec, PPTP, and of course, OpenVPN. In 2004 he discovered OpenVPN and has been using it ever since. He has been providing OpenVPN community support since 2004.
The OpenVPN Cookbook is his first book.
He is interested in nature, science, birds, photography, and fantasy and science-fiction literature.
I would like to thank all the people at Packt Publishing for helping me with writing this book. I would especially like to thank my acquisition editor, Eleanor Duffy, who convinced me to write it in the first place.
I also want to thank my employer, Nikhef, for giving me time off to write it. I mustn't forget my colleagues at the Physics Data Processing group, for sharing their thoughts with me about ideas for yet another recipe.
And I would like to thank my wife for volunteering to get a nice tan beside the swimming pool during our vacation, while I sat in the shade working on my book.
About the Reviewers
David Sommerseth, Senior Quality Assurance Engineer at Red Hat, has been working with Linux professionally since 1998. During this time, David has completed a range of tasks, from serving in system and network administration roles to developing personalization systems for payment cards and online payment transaction handling. David currently works with the Red Hat Enterprise MRG product, mostly focusing on the real-time kernel and its related tools.
David, who is originally from Norway and currently lives in the Czech Republic, enjoys hacking on open source software and has recently become more involved in the OpenVPN development. David has big plans for his own pet project, eurephia (http://www.eurephia.net/), which is tightly connected to OpenVPN.
I would like to thank the marvelous OpenVPN community members, who continue to give valuable feedback to the project and its developers. I would also like to thank Red Hat, an amazing employer that both sees the value of being involved in open source software and contributes to it. And last but not least, to my wife, for never-ending patience, support, and encouragements.
Krzee King is a self-taught BSD user who has been helping with OpenVPN for more than three years. He wrote one of the most widely used documents on routing LANs over OpenVPN, and helps maintain the IRC channel.
I would like to thank Eric Crist for his work on #OpenVPN. To OpenVPN Technologies for joining with the community, which I think we all agree is for the better. To punk for phear and loathing in nl. And, of course, thanks to the Efnet #IRCpimps.
Ralf Hildebrandt is an active and well-known figure in the Postfix community. He has been a systems engineer for T-Systems, a German telecommunications company, and is now employed at Charité, Europe's largest university hospital. He has spoken about Postfix at industry conferences and contributes regularly to a number of open source mailing lists.
Together with Patrick Koetter, he has written the Book of Postfix.