OpenVPN
OpenVPN: an open source, cross platform client/server, PKI based VPN.
http://openvpn.net
Some Definitions
● VPN – Virtual private network, an extension of a private network via an encrypted tunnel over a public network.
● SSL/TLS – Secure Sockets Layer v3 ~ Transport Layer Security (SSL 3.1 = TLS 1.0)
● Public Key Infrastructure (PKI) - “an arrangement which provides for third-party vetting of, and vouching for, user identities. This is usually carried out by software at a central location together with other coordinated software at distributed locations.”
Cryptographic Primitives – confidentiality, integrity, authentication, non-repudiation
● Symmetric encryption – provides confidentiality
● Message digests – one-way function applied to a block of data to produce a fixed-length output (the digest), used to verify message integrity
● Asymmetric encryption – system for encrypting/decrypting and digitally signing messages. Uses public/private key pairs on either side of the connection and provides authentication and non-repudiation
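The three primitives on this slide, exercised with the openssl command-line tool. This is an added example, not code from the slides or the OpenVPN project; the message text, file names and the passphrase `demo-shared-secret` are constructed for the demo. Each check is a function that returns 0 on success, so the script doubles as a self-test of the properties the slide names.

```shell
#!/bin/sh
# Added example (not from the slides): the three primitives exercised with the
# openssl command-line tool in a scratch directory.  The message, passphrase and
# file names are constructed for the demo; the passphrase is a placeholder.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

printf 'transfer 100 to account 42\n' > message.txt   # constructed sample message
sed 's/100/900/' message.txt > tampered.txt           # same message, one field altered

# 1. Symmetric encryption (confidentiality): both sides share one secret.
#    -pbkdf2 derives the AES key from the passphrase instead of the legacy KDF.
symmetric_roundtrip() {
    openssl enc -aes-256-cbc -pbkdf2 -pass pass:demo-shared-secret \
        -in message.txt -out message.enc
    openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:demo-shared-secret \
        -in message.enc -out message.dec
    cmp -s message.txt message.dec   # 0 only if the plaintext survived the round trip
}

# 2. Message digest (integrity): a fixed-length fingerprint of the input.
#    Changing one field changes the digest, so the receiver can spot tampering.
sha256_of() { openssl dgst -sha256 "$1" | awk '{print $NF}'; }
digest_detects_change() {
    [ "$(sha256_of message.txt)" != "$(sha256_of tampered.txt)" ]
}

# 3. Asymmetric signing (authentication, non-repudiation): only the holder of the
#    private key can produce the signature; anyone with the public key can verify it.
make_signing_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out signer.key 2>/dev/null
    openssl pkey -in signer.key -pubout -out signer.pub
}
signature_verifies() {
    openssl dgst -sha256 -sign signer.key -out message.sig message.txt
    openssl dgst -sha256 -verify signer.pub -signature message.sig message.txt >/dev/null
}
# The signature over the original must not verify for the altered copy.
signature_rejects_tampering() {
    ! openssl dgst -sha256 -verify signer.pub -signature message.sig tampered.txt >/dev/null 2>&1
}

report() { if "$1"; then echo "$1: ok"; else echo "$1: FAILED"; fi; }
make_signing_key
for check in symmetric_roundtrip digest_detects_change signature_verifies signature_rejects_tampering; do
    report "$check"
done
```

Note how the digest alone only detects accidental or third-party modification of the data in transit; it is the signature (or, in a tunnel, a keyed MAC) that binds the data to a key holder, which is where authentication and non-repudiation come from.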
Private IP addresses
RFC 1918, Address Allocation for Private Internets (February 1996)
The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
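A VPN's tunnel pool and the networks it routes are normally drawn from these three blocks, so it is useful to be able to check an address against them. The following POSIX shell function is an added example, not part of the slides; the addresses in the driver loop at the bottom are constructed samples (203.0.113.7 is from the documentation range, not a real host).

```shell
#!/bin/sh
# Added example (not from the slides): a POSIX shell check for whether an IPv4
# address falls inside one of the three RFC 1918 blocks.
# Returns 0 (true) for private addresses, 1 for anything else, including
# strings that are not a valid dotted-quad address.
is_rfc1918() {
    addr=$1
    # Reject anything that is not four dotted decimal fields.
    case "$addr" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1   # each octet must fit in a byte
    done
    case "$1" in
        10)  return 0 ;;                                        # 10/8
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;  # 172.16/12
        192) [ "$2" -eq 168 ] && return 0 ;;                    # 192.168/16
    esac
    return 1
}

# Constructed sample addresses: two inside each block's edge cases, the rest outside.
for a in 10.8.0.1 172.16.5.9 172.31.255.254 172.32.0.1 192.168.1.10 192.169.0.1 203.0.113.7; do
    if is_rfc1918 "$a"; then echo "$a: private (RFC 1918)"; else echo "$a: not RFC 1918"; fi
done
```

The two boundary cases worth remembering are the 172 block, which is a /12 and therefore stops at 172.31.255.255 (172.32.0.1 is public), and 192.168, which is only a /16 (192.169.0.1 is public).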
VPN Types
● Tunnels: PPTP, L2TP, IPsec
● User space: vtun, ssh, OpenVPN
● SSL application gateways: “clientless” & proprietary
Why OpenVPN?
● Cross platform client and server versions
● TLS/SSL, based on the OpenSSL library
● Easy installation and configuration
● NAT traversal
● Interoperates with other VPNs, e.g. PPTP, IPsec
OpenVPN PKI
● a separate certificate (also known as a public key) and private key for the server and each client
● a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.
OpenVPN PKI
● OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established.
● Both server and client will authenticate the other by first verifying that the presented certificate was signed by the master certificate authority (CA), and then by testing information in the now-authenticated certificate header, such as the certificate common name or certificate type (client or server).
OpenVPN PKI
● The server only needs its own certificate/key
● The server will only accept clients whose certificates were signed by the master CA certificate
● If a private key is compromised, it can be disabled by adding its certificate to a CRL (certificate revocation list)
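The three PKI slides above describe a procedure: a master CA signs one certificate per server and per client, each side checks the other's certificate against the CA and then checks its type and name, and a compromised key is retired through a CRL. The script below walks through that procedure with the openssl command line and then writes the OpenVPN directives that apply the same checks at connection time. It is an added example, not code from the slides or from the OpenVPN project; the names `Example VPN CA`, `vpn-server` and `laptop-01`, the file names, and the minimal CA database layout are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the slides' or the OpenVPN project's own code): build a
# throwaway PKI with the openssl CLI and run the checks the slides describe.
# The names Example VPN CA, vpn-server and laptop-01 are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Master CA: the one key that signs every server and client certificate.
build_ca() {
    printf '[ req ]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[ dn ]\n' > req.cnf
    printf '[ ca_ext ]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' >> req.cnf
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config req.cnf \
        -subj "/CN=Example VPN CA" -keyout ca.key -out ca.crt 2>/dev/null
}

# Issue a CA-signed certificate.  $1 = file base name, $2 = common name,
# $3 = extended key usage (serverAuth or clientAuth): the "certificate type"
# that OpenVPN's remote-cert-tls option checks to tell servers and clients apart.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    printf 'keyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = %s\n' "$3" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

build_pki() {
    build_ca
    issue_cert server vpn-server serverAuth
    issue_cert client laptop-01 clientAuth
}

# Was the certificate signed by the master CA, and does its type match the
# role it claims?  openssl verify -purpose performs both checks at once.
server_cert_ok() { openssl verify -CAfile ca.crt -purpose sslserver server.crt >/dev/null; }
client_cert_ok() { openssl verify -CAfile ca.crt -purpose sslclient client.crt >/dev/null; }
# A client certificate offered in the server role must be rejected.
client_as_server_rejected() {
    ! openssl verify -CAfile ca.crt -purpose sslserver client.crt >/dev/null 2>&1
}

# Compromised key: revoke the client certificate in a minimal CA database and
# publish a CRL, the file OpenVPN loads through crl-verify.
revoke_client() {
    printf '[ ca ]\ndefault_ca = vpn_ca\n[ vpn_ca ]\ndatabase = index.txt\n' > ca.cnf
    printf 'crlnumber = crlnumber\ndefault_md = sha256\ndefault_crl_days = 30\n' >> ca.cnf
    : > index.txt
    echo 01 > crlnumber
    openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key -revoke client.crt 2>/dev/null
    openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key -gencrl -out crl.pem 2>/dev/null
}
revoked_client_rejected() {
    ! openssl verify -CAfile ca.crt -CRLfile crl.pem -crl_check client.crt >/dev/null 2>&1
}
server_still_valid() {
    openssl verify -CAfile ca.crt -CRLfile crl.pem -crl_check server.crt >/dev/null
}

# The OpenVPN directives that apply these checks at connection time.
write_configs() {
    cat > server.conf <<'EOF'
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
# reject clients whose certificates appear in the CRL
crl-verify crl.pem
# require a client-type certificate (extendedKeyUsage=clientAuth)
remote-cert-tls client
EOF
    cat > client.conf <<'EOF'
client
ca ca.crt
cert client.crt
key client.key
# require a server-type certificate and pin its common name
remote-cert-tls server
verify-x509-name vpn-server name
EOF
}

report() { if "$1"; then echo "$1: ok"; else echo "$1: FAILED"; fi; }
build_pki
write_configs
for check in server_cert_ok client_cert_ok client_as_server_rejected; do report "$check"; done
revoke_client
for check in revoked_client_rejected server_still_valid; do report "$check"; done
```

Two points the script makes concrete. First, "signed by the master CA" is necessary but not sufficient: without the type check (`remote-cert-tls`) any client certificate from the same CA could pose as the server, and without `verify-x509-name` any server certificate from that CA would be accepted. Second, revocation only takes effect where the CRL is actually consulted, so the server must be given `crl-verify` and a freshly generated CRL; revoking in the CA database alone changes nothing on the wire.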
References
OpenVPN and the SSL VPN Revolution: http://www.sans.org/rr/whitepapers/vpns/1459.php
OpenVPN 2.0 Howto: http://openvpn.net/howto.html