OpenVPN OpenVPN: an open source, cross platform client/server, PKI based VPN. http://openvpn.net

Upload: sophia-blankenship

Post on 26-Dec-2015


Page 1

OpenVPN

OpenVPN: an open source, cross platform client/server, PKI based VPN.

http://openvpn.net

Page 2

Some Definitions

● VPN – Virtual private network, an extension of a private network via an encrypted tunnel over a public network.

● SSL/TLS – Secure Sockets Layer v3, succeeded by Transport Layer Security (SSL 3.1 = TLS 1.0)

● Public Key Infrastructure (PKI) - “an arrangement which provides for third-party vetting of, and vouching for, user identities. This is usually carried out by software at a central location together with other coordinated software at distributed locations.”

Page 3

Cryptographic Primitives – confidentiality, integrity, authentication, non-repudiation

● Symmetric encryption – provides confidentiality

● Message digests – a function applied to a block of text to produce a fixed-length output, used to verify message integrity

● Asymmetric encryption – a system for encrypting/decrypting and digitally signing messages. Uses public/private key pairs on either side of the connection; provides authentication and non-repudiation

Page 5

Private IP addresses

RFC 1918, Address Allocation for Private Internets (February 1996):

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

● 10.0.0.0 - 10.255.255.255 (10/8 prefix)

● 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)

● 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Page 6

VPN Types

● Tunnels: PPTP, L2TP, IPsec

● User space: vtun, ssh, OpenVPN

● SSL application gateways: “clientless” & proprietary

Page 7

Why OpenVPN?

● Cross platform client and server versions

● TLS/SSL, based on the OpenSSL library

● Easy installation and configuration

● NAT traversal

● Interoperates with other VPNs, e.g. PPTP, IPsec

Page 9

OpenVPN PKI

● a separate certificate (also known as a public key) and private key for the server and each client

● a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.

Page 10

OpenVPN PKI

● OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established.

● Both server and client will authenticate the other by first verifying that the presented certificate was signed by the master certificate authority (CA), and then by testing information in the now-authenticated certificate header, such as the certificate common name or certificate type (client or server).

Page 11

OpenVPN PKI

● The server only needs its own certificate/key

● The server will only accept clients whose certificates were signed by the master CA certificate

● If a private key is compromised, it can be disabled by adding its certificate to a CRL (certificate revocation list)
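How the checks described on pages 9 to 11 map onto OpenVPN directives, as an added example that is not part of the deck or the OpenVPN project's documentation: a minimal server/client configuration pair. All file paths, the hostname vpn.example.com, the common name vpn-server-1 and the 10.8.0.0/24 subnet are assumed placeholders, and remote-cert-tls and verify-x509-name are directives from releases later than the 2.0 Howto cited on the last slide.

```conf
# server.conf (constructed example, assumed paths)
port 1194
proto udp
dev tun
# PKI material: the master CA certificate plus this server's own certificate and key
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh2048.pem
# Hand clients addresses from an RFC 1918 block (page 5)
server 10.8.0.0 255.255.255.0
# Check 1 is implicit: a client certificate that does not chain to ca.crt
# fails the TLS handshake (page 11).
# Check 2: the presented certificate must be marked as a *client* certificate
# (certificate type, page 10), so a server certificate signed by the same CA
# cannot be reused to log in as a client.
remote-cert-tls client
# Check 3: refuse certificates listed in a CA-signed revocation list (page 11).
crl-verify /etc/openvpn/pki/crl.pem
# Additional HMAC on control-channel packets, shared static key
tls-auth /etc/openvpn/pki/ta.key 0
persist-key
persist-tun
verb 3

# client.conf (constructed example)
client
proto udp
dev tun
# placeholder hostname
remote vpn.example.com 1194
ca   ca.crt
cert client1.crt
key  client1.key
# Check 2, client side: the peer must present a *server* certificate...
remote-cert-tls server
# ...whose common name is the expected one (page 10), so another client's
# certificate signed by the same CA cannot impersonate the server.
verify-x509-name vpn-server-1 name
tls-auth ta.key 1
persist-key
persist-tun
```

Without the remote-cert-tls and verify-x509-name lines, any certificate signed by the master CA, including another client's, would satisfy the signature check alone.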

Page 13

References

OpenVPN and the SSL VPN Revolution: http://www.sans.org/rr/whitepapers/vpns/1459.php

OpenVPN 2.0 Howto: http://openvpn.net/howto.html