OpenVPN 2 Cookbook
Table of Contents
OpenVPN 2 Cookbook
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers and more
Why Subscribe?
Free Access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. Point-to-Point Networks
Introduction
Shortest setup possible
Getting ready
How to do it...
How it works...
There's more...
Using the TCP protocol
Forwarding non-IP traffic over the tunnel
OpenVPN secret keys
Getting ready
How to do it...
How it works...
There's more...
See also
Multiple secret keys
Getting ready
How to do it...
How it works...
There's more...
See also
Plaintext tunnel
Getting ready
How to do it...
How it works...
There's more...
Routing
Getting ready
How to do it...
How it works...
There's more...
Routing issues
Automating the setup
See also
Configuration files versus the command-line
Getting ready
How to do it...
How it works...
There's more...
OpenVPN 2.1 specifics
Complete site-to-site setup
Getting ready
How to do it...
How it works...
There's more...
See also
3-way routing
Getting ready
How to do it...
How it works...
There's more...
Scalability
Routing protocols
See also
2. Client-server IP-only Networks
Introduction
Setting up the public and private keys
Getting ready
How to do it...
How it works...
There's more...
Using the easy-rsa scripts on Windows
Some notes on the different variables
See also
Simple configuration
Getting ready
How to do it...
How it works...
There's more...
'net30' addresses
Server-side routing
Getting ready
How to do it...
How it works...
There's more...
Linear addresses
Using the TCP protocol
Server certificates and ns-cert-type server
Masquerading
Using 'client-config-dir' files
Getting ready
How to do it...
How it works...
There's more...
Default configuration file
Troubleshooting
OpenVPN 2.0 'net30' compatibility
Allowed options in a 'client-config-dir' file
Routing: subnets on both sides
Getting ready
How to do it...
How it works...
There's more...
Masquerading
Client-to-client subnet routing
See also
Redirecting the default gateway
Getting ready
How to do it...
How it works...
There's more...
Redirect-gateway parameters
Split tunneling
See also
Using an 'ifconfig-pool' block
Getting ready
How to do it...
How it works...
There's more...
Configuration files on Windows
Topology subnet
Client-to-client access
Using the TCP protocol
Using the status file
Getting ready
How to do it...
How it works...
There's more...
Status parameters
Disconnecting clients
Explicit-exit-notify
Management interface
Getting ready
How to do it...
How it works...
There's more...
Server-side management interface
See also
Proxy-arp
Getting ready
How to do it...
How it works...
There's more...
User 'nobody'
TAP-style networks
Broadcast traffic might not always work
See also
3. Client-server Ethernet-style Networks
Introduction
Simple configuration—non-bridged
Getting ready
How to do it...
How it works...
There's more...
Differences between TUN and TAP
Using the TCP protocol
Making IP forwarding permanent
See also
Enabling client-to-client traffic
Getting ready
How to do it...
How it works...
There's more...
Broadcast traffic may affect scalability
Filtering traffic
TUN-style networks
Bridging—Linux
Getting ready
How to do it...
How it works...
There's more...
Fixed addresses & the default gateway
Name resolution
See also
Bridging—Windows
Getting ready
How to do it...
How it works...
See also
Checking broadcast and non-IP traffic
Getting ready
How to do it...
How it works...
External DHCP server
Getting ready
How to do it...
How it works...
There's more...
DHCP server configuration
DHCP relay
Tweaking the /etc/sysconfig/network-scripts
Using the status file
Getting ready
How to do it...
How it works...
There's more...
Difference with TUN-style networks
Disconnecting clients
See also
Management interface
Getting ready
How to do it...
How it works...
There's more...
Client side management interface
See also
4. PKI, Certificates, and OpenSSL
Introduction
Certificate generation
Getting ready
How to do it...
How it works...
There's more...
See also
xCA: a GUI for managing a PKI (Part 1)
Getting ready
How to do it...
How it works...
There's more...
xCA: a GUI for managing a PKI (Part 2)
Getting ready
How to do it...
How it works...
There's more...
OpenSSL tricks: x509, pkcs12, verify output
Getting ready
How to do it...
How it works...
Revoking certificates
Getting ready
How to do it...
How it works...
There's more...
What is needed to revoke a certificate
See also
The use of CRLs
Getting ready
How to do it...
How it works...
There's more...
See also
Checking expired/revoked certificates
Getting ready
How to do it...
How it works...
There's more...
Intermediary CAs
Getting ready
How to do it...
How it works...
There's more...
Multiple CAs: stacking, using --capath
Getting ready
How to do it...
How it works...
There's more...
Stacking CRLs
Using the --capath directive
5. Two-factor Authentication with PKCS#11
Introduction
Initializing a hardware token
Getting ready
How to do it...
How it works...
There's more...
Public and private objects
OpenSC versus Aladdin PKI Client driver
Getting a hardware token ID
Getting ready
How to do it...
How it works...
There's more...
What about automatic selection?
PKCS#11 libraries
Using a hardware token
Getting ready
How to do it...
How it works...
There's more...
What is different?
Using the OpenSC driver
Using the management interface to list PKCS#11 certificates
Getting ready
How to do it...
How it works...
See also
Selecting a PKCS#11 certificate using the management interface
Getting ready
How to do it...
How it works...
There's more...
Generating a key on the hardware token
Getting ready
How to do it...
How it works...
Private method for getting a PKCS#11 certificate
Getting ready
How to do it...
How it works...
There's more...
See also
Pin caching example
Getting ready
How to do it...
How it works...
There's more...
See also
6. Scripting and Plugins
Introduction
Using a client-side up/down script
Getting ready
How to do it...
How it works...
There's more...
Environment variables
Calling the 'down' script before the connection terminates
Advanced: verify the remote hostname
Windows login greeter
Getting ready
How to do it...
How it works...
There's more...
Spaces in filenames
setenv or setenv-safe
Security considerations
Using client-connect/client-disconnect scripts
Getting ready
How to do it...
How it works...
There's more...
'client-disconnect' scripts
Environment variables
Absolute paths
Using a 'learn-address' script
Getting ready
How to do it...
How it works...
There's more...
User 'nobody'
The 'update' action
Using a 'tls-verify' script
Getting ready
How to do it...
How it works...
There's more...
Using an 'auth-user-pass-verify' script
Getting ready
How to do it...
How it works...
There's more...
Specifying the username and password in a file on the client
Passing the password via environment variables
Script order
Getting ready
How to do it...
How it works...
There's more...
Script security and logging
Getting ready
How to do it...
How it works...
There's more...
Using the 'down-root' plugin
Getting ready
How to do it...
How it works...
There's more...
See also
Using the PAM authentication plugin
Getting ready
How to do it...
How it works...
There's more...
See also
7. Troubleshooting OpenVPN: Configurations
Introduction
Cipher mismatches
Getting ready
How to do it...
How it works...
There's more...
TUN versus TAP mismatches
Getting ready
How to do it...
How it works...
Compression mismatches
Getting ready
How to do it...
How it works...
There's more...
Key mismatches
Getting ready
How to do it...
How it works...
See also
Troubleshooting MTU and tun-mtu issues
Getting ready
How to do it...
How it works...
There's more...
See also
Troubleshooting network connectivity
Getting ready
How to do it...
How it works...
There's more...
Troubleshooting 'client-config-dir' issues
Getting ready
How to do it...
How it works...
There's more...
More verbose logging
Other frequent client-config-dir mistakes
See also
How to read the OpenVPN log files
Getting ready
How to do it...
How it works...
There's more...
8. Troubleshooting OpenVPN: Routing
Introduction
The missing return route
Getting ready
How to do it...
How it works...
There's more...
Masquerading
Adding routes on the LAN hosts
See also
Missing return routes when 'iroute' is used
Getting ready
How to do it...
How it works...
There's more...
See also
All clients function except the OpenVPN endpoints
Getting ready
How to do it...
How it works...
There's more...
See also
Source routing
Getting ready
How to do it...
How it works...
There's more...
Routing and permissions on Windows
Getting ready
How to do it...
How it works...
There's more...
See also
Troubleshooting client-to-client traffic routing
Getting ready
How to do it...
How it works...
There's more...
See also
Understanding the 'MULTI: bad source' warnings
Getting ready
How to do it...
How it works...
There's more...
Other occurrences of the 'MULTI: bad source' message
See also
Failure when redirecting the default gateway
Getting ready
How to do it...
How it works...
There's more...
See also
9. Performance Tuning
Introduction
Optimizing performance using 'ping'
Getting ready
How to do it...
How it works...
There's more...
See also
Optimizing performance using 'iperf'
Getting ready
How to do it...
How it works...
There's more...
Client versus server 'iperf' results
Network latency
Gigabit networks
OpenSSL cipher speed
Getting ready
How to do it...
How it works...
There's more...
See also
Compression tests
Getting ready
How to do it...
How it works...
There's more...
Pushing compression options
Adaptive compression
Traffic shaping
Getting ready
How to do it...
How it works...
There's more...
Tuning UDP-based connections
Getting ready
How to do it...
How it works...
There's more...
See also
Tuning TCP-based connections
Getting ready
How to do it...
How it works...
There's more...
Analyzing performance using tcpdump
Getting ready
How to do it...
How it works...
See also
10. OS Integration
Introduction
Linux: using NetworkManager
Getting ready
How to do it...
How it works...
There's more...
Setting up routes using NetworkManager
DNS settings
Scripting
Linux: using 'pull-resolv-conf'
Getting ready
How to do it...
How it works...
There's more...
MacOS: using Tunnelblick
Getting ready
How to do it...
How it works...
There's more...
Name resolution
Scripting
Windows Vista/7: elevated privileges
Getting ready
How to do it...
How it works...
There's more...
Windows: using the CryptoAPI store
Getting ready
How to do it...
How it works...
There's more...
The CA certificate file
Certificate fingerprint
Windows: updating the DNS cache
Getting ready
How to do it...
How it works...
There's more...
Windows: running OpenVPN as a service
Getting ready
How to do it...
How it works...
There's more...
Automatic service startup
OpenVPN User name
See also
Windows: public versus private network adapters
Getting ready
How to do it...
How it works...
See also
Windows: routing methods
Getting ready
How to do it...
How it works...
There's more...
11. Advanced Configuration
Introduction
Including configuration files in config files
Getting ready
How to do it...
How it works...
Multiple remotes and remote-random
Getting ready
How to do it...
How it works...
There's more...
Mixing TCP and UDP-based setups
Advantage of using TCP-based connections
Automatically reverting to the first OpenVPN server
See also
Details of ifconfig-pool-persist
Getting ready
How to do it...
How it works...
There's more...
Specifying the update interval
Caveat: the duplicate-cn option
When 'topology net30' is used
Connecting using a SOCKS proxy
Getting ready
How to do it...
How it works...
There's more...
Performance
Note #1 on SOCKS proxies via SSH
Note #2 on SOCKS proxies via SSH
SOCKS proxies using plain-text authentication
See also
Connecting via an HTTP proxy
Getting ready
How to do it...
How it works...
There's more...
http-proxy options
Ducking firewalls
Performance
See also
Connecting via an HTTP proxy with authentication
Getting ready
How to do it...
How it works...
There's more...
NTLM proxy authorization
New features in OpenVPN 2.2
See also
Using dyndns
Getting ready
How to do it...
How it works...
There's more...
Failover
NetworkManager and 'ddclient'
See also
IP-less setups (ifconfig-noexec)
Getting ready
How to do it...
How it works...
There's more...
Point-to-point and TUN-style networks
Routing and firewalling
12. New Features of OpenVPN 2.1 and 2.2
Introduction
Inline certificates
Getting ready
How to do it...
How it works...
Connection blocks
Getting ready
How to do it...
How it works...
There's more...
Allowed directives inside connection blocks
Pitfalls when mixing TCP and UDP-based setups
See also
Port sharing with an HTTPS server
Getting ready
How to do it...
How it works...
There's more...
Routing features: redirect-private, allow-pull-fqdn
Getting ready
How to do it...
How it works...
There's more...
The route-nopull directive
The 'max-routes' directive
Handing out the public IPs
Getting ready
How to do it...
How it works...
There's more...
See also
OCSP support
Getting ready
How to do it...
How it works...
See also
New for 2.2: the 'x509_user_name' parameter
Getting ready
How to do it...
How it works...
There's more...
OpenVPN 2.1 behaviour
Index