OpenVPN
Introduction
In this tutorial we'll look at the OpenVPN client connection settings that come in handy when a connection to an OpenVPN server does not work. We'll be using the GopenVPN GUI client, which lets us connect to and disconnect from a given OpenVPN network right from the desktop, without opening a terminal. GopenVPN is also useful because it shows the status of the OpenVPN connection: red when not connected, yellow while the connection is being established and green once we're successfully connected to the OpenVPN server.
The basic OpenVPN command for connecting to an OpenVPN server looks like the following:
# /usr/sbin/openvpn --config /etc/openvpn/client.ovpn --verb 4
We basically need only the config directive, which points at the file holding the configuration options for the connection. The verb option tells the openvpn process how verbose to be: 0 prints nothing except fatal errors, 1 is the default, and the level can go up to 11 (from 5 upwards openvpn prints per-packet debugging output, which quickly floods the log).
The configuration file
The configuration file usually specifies a lot of options that we should understand before connecting to the OpenVPN server. In this section we present the most commonly used configuration options, grouped by purpose, in the table below. The options and their explanations are summarized from the official OpenVPN manual page [1].
Options used for authentication to the OpenVPN server include auth-user-pass (see the next section) and auth-retry, which controls what the client does when the server rejects the username/password. auth-retry takes one of the following values:
- none: a fatal error occurs and the client exits (default)
- nointeract: the client retries with the current username and password
- interact: the client prompts for a new username and password before retrying
The script-security option controls which external programs openvpn is allowed to run; its level is one of:
- 0: openvpn isn't allowed to call any external programs.
- 1: openvpn can only call built-in executables like ifconfig, ip, route or netsh (default).
- 2: openvpn can call built-in executables and user-defined scripts.
- 3: as 2, and passwords may additionally be passed to scripts through environment variables (potentially unsafe).
The comp-lzo option controls LZO compression of the tunnel; its mode is one of:
- yes: turn LZO on.
- no: turn LZO off by default, but allow push overrides from the server, which can dynamically change this option.
- adaptive: switch compression on and off depending on how compressible the traffic is (default).
We should also take a look at the management interface that OpenVPN provides. The table below presents the configuration options that concern the management interface.
Keep in mind that if we don't want to re-enter the password every now and then, we mustn't use the auth-nocache option, which causes OpenVPN to wipe the username and password from memory as soon as they have been used. When OpenVPN then has to re-establish the connection, a pop-up dialog appears and we have to type the username and password again. Doing this at every renegotiation (once an hour by default) quickly becomes tedious, so for convenience we're better off leaving this option out, at the cost of keeping the credentials in memory for the lifetime of the process. The more secure alternative is to authenticate with a password-protected private key: then only the key's passphrase, rather than the account password itself, has to be cached in memory.
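To make the management interface and the credential handling above concrete, here is an added example (not code from the original tutorial or from the OpenVPN project) in Python. It assumes the client config contains the real directives management 127.0.0.1 7505 and management-query-passwords, so that OpenVPN asks the management client for the username/password instead of prompting, and it turns the >STATE: records into the red/yellow/green indicator described in the introduction. The state record and password request strings used in the comments and tests are constructed samples; the quoting rule implemented in mgmt_quote (backslash escapes inside double quotes) is the management interface's own.

```python
import socket

# Connection phases OpenVPN reports via the 'state' command and '>STATE:'
# notifications; anything not listed is treated as an intermediate (yellow) phase.
COLOR_BY_STATE = {"CONNECTED": "green", "RECONNECTING": "red", "EXITING": "red"}


def indicator_color(state: str) -> str:
    """Map an OpenVPN state name to the GopenVPN-style tray colour:
    red when down, yellow while connecting, green once connected."""
    return COLOR_BY_STATE.get(state, "yellow")


def parse_state(line: str) -> dict:
    """Parse a state record such as (constructed sample)
    '>STATE:1436000000,CONNECTED,SUCCESS,10.8.0.2,203.0.113.5'.
    Newer OpenVPN versions append more comma-separated fields, so only the
    leading ones are interpreted; the rest is kept verbatim in 'extra'."""
    body = line[len(">STATE:"):] if line.startswith(">STATE:") else line
    fields = body.split(",")
    if len(fields) < 3 or not fields[0].isdigit():
        raise ValueError(f"malformed state record: {line!r}")
    return {
        "time": int(fields[0]),
        "state": fields[1],
        "detail": fields[2],
        "local_ip": fields[3] if len(fields) > 3 else "",
        "remote_ip": fields[4] if len(fields) > 4 else "",
        "extra": fields[5:],
        "color": indicator_color(fields[1]),
    }


def mgmt_quote(value: str) -> str:
    """Quote an argument for a management command. Inside double quotes the
    management interface treats backslash as an escape character, so
    backslashes and double quotes in the value itself must be escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def credential_commands(request: str, username: str, password: str) -> list:
    """Answer a request like ">PASSWORD:Need 'Auth' username/password" with
    the username and password commands for that credential type."""
    prefix = ">PASSWORD:Need '"
    if not request.startswith(prefix):
        raise ValueError(f"not a credential request: {request!r}")
    kind = request[len(prefix):].split("'", 1)[0]
    return [
        f"username {mgmt_quote(kind)} {mgmt_quote(username)}",
        f"password {mgmt_quote(kind)} {mgmt_quote(password)}",
    ]


def handle_line(line: str, username: str, password: str) -> list:
    """Return the commands to send back in reaction to one line from OpenVPN."""
    if line.startswith(">PASSWORD:Need "):
        return credential_commands(line, username, password)
    if line.startswith(">PASSWORD:Verification Failed"):
        raise RuntimeError(f"server rejected the credentials: {line}")
    return []


def monitor(username: str, password: str, host: str = "127.0.0.1", port: int = 7505):
    """Connect to the management interface, answer credential requests and
    print colour changes. Needs a running OpenVPN configured as assumed in
    the lead-in; the pure helpers above can be exercised without it."""
    with socket.create_connection((host, port)) as sock:
        sock.sendall(b"state on\n")  # subscribe to real-time >STATE: records
        buffer = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buffer += chunk
            while b"\n" in buffer:
                raw, buffer = buffer.split(b"\n", 1)
                line = raw.decode("utf-8", errors="replace").rstrip("\r")
                for command in handle_line(line, username, password):
                    sock.sendall(command.encode("utf-8") + b"\n")
                if line.startswith(">STATE:"):
                    record = parse_state(line)
                    print(record["state"], "->", record["color"])
```

Because the credentials are supplied by this script rather than cached by OpenVPN, auth-nocache can stay enabled on the OpenVPN side without the hourly dialog: every renegotiation simply produces a new >PASSWORD:Need request that the script answers.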
Authentication Mechanisms
OpenVPN is usually used in one of the two modes presented below:
- Peer to Peer: connects two sites, one acting as the server and the other as the client. This is typically used when we have a central location and want to link a remote location to it over the VPN (site-to-site).
- Remote Access: used by desktop clients to connect to the VPN.
Whichever server mode we choose, there are several authentication modes to pick from, presented below.
- User Auth: to connect to the OpenVPN server directly with a username and password, we specify the auth-user-pass directive, which instructs OpenVPN to prompt for the username/password when connecting to the VPN server (or to read them from a file given as its argument) and to send them over the TLS channel. The server still needs a certificate that the client can verify, otherwise the credentials are sent to whoever answers.
- Shared Key: instead of username/password pairs, a pre-shared static key (the secret directive) is used to establish the connection with the VPN server. There is no TLS handshake at all in this mode, so it supports only a single client per tunnel.
- SSL/TLS: client and server authenticate each other with X.509 certificates and their private keys (the ca, cert and key directives). This is the most secure of the options presented.
Prevent MITM Attacks
We should pay special attention to MITM attacks when connecting to a VPN server. It is possible to connect to an OpenVPN server without verifying that the server's certificate was signed by our CA certificate, but that allows an attacker to perform a Man-In-The-Middle (MITM) attack and consequently sniff all traffic between the OpenVPN client and server, which is exactly the traffic the VPN is supposed to protect. This is possible because we're not verifying the identity of the VPN server, so anyone can pretend to be it. Note that checking the CA signature alone is not enough either: any certificate issued by the same CA, including another client's, would pass that check, so the client should also verify that the certificate it is shown was issued for a server.
To prevent a MITM attack, we need to tell the client to check that it's connecting to the right VPN server. We can do that with one of the following options:
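As an added example that is not part of the original tutorial or of the OpenVPN project, the following Python script parses a client .ovpn file and flags the settings discussed in the configuration section (script-security, auth-user-pass, auth-nocache, the management interface) together with the server-verification directives that defeat a MITM: ca, remote-cert-tls server, verify-x509-name and tls-auth. The two configurations embedded in it are constructed for the example (a weak one beside its hardened form). The directive names are OpenVPN's own; the severity labels, the loopback-only rule for the management interface and the hostname vpn.example.com are this example's assumptions.

```python
import re

# Two constructed client configurations: a weak one and its hardened form.
WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
auth-user-pass
auth-retry nointeract
script-security 3
management 0.0.0.0 7505
comp-lzo no
verb 4
"""

HARDENED_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.com 1194
<ca>
-----BEGIN CERTIFICATE-----
(certificate body omitted in this constructed sample)
-----END CERTIFICATE-----
</ca>
cert client.crt
key client.key
remote-cert-tls server
verify-x509-name vpn.example.com name
tls-auth ta.key 1
script-security 1
management 127.0.0.1 7505
comp-lzo no
verb 4
"""

LOOPBACK = ("127.0.0.1", "localhost", "::1")  # assumption: only these are safe without a password


def parse_ovpn(text: str) -> dict:
    """Map each directive to the list of argument lists it was given with
    (a directive may repeat). Inline blocks such as <ca>...</ca> are
    recorded under their tag name with the single argument 'inline'."""
    directives = {}
    inline = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                       # inside <tag> ... </tag>
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":  # blank or comment line
            continue
        match = re.fullmatch(r"<([a-z-]+)>", line)
        if match:
            inline = match.group(1)
            directives.setdefault(inline, []).append(["inline"])
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def lint_client_config(text: str) -> list:
    """Return 'SEVERITY: message' findings for a client configuration."""
    d = parse_ovpn(text)
    findings = []

    def first_arg(name, default=None):
        args = d.get(name, [[]])[0]
        return args[0] if args else default

    # Server identity: the checks that stop a MITM from posing as the server.
    if "ca" not in d:
        findings.append("HIGH: no 'ca' directive, so the server certificate is not validated at all")
    if not any(k in d for k in ("remote-cert-tls", "remote-cert-eku", "ns-cert-type")):
        findings.append("HIGH: no 'remote-cert-tls server': any certificate issued by the CA, "
                        "including another client's, is accepted as the server")
    if not any(k in d for k in ("verify-x509-name", "tls-remote")):
        findings.append("MEDIUM: server certificate name is not pinned (verify-x509-name)")
    if not any(k in d for k in ("tls-auth", "tls-crypt")):
        findings.append("LOW: no tls-auth key; the server's TLS handshake is reachable by anyone")

    # Credential and script handling from the configuration section.
    level = first_arg("script-security", "1")
    if level == "3":
        findings.append("MEDIUM: script-security 3 passes passwords to scripts through environment variables")
    elif level == "2":
        findings.append("INFO: script-security 2 allows user-defined scripts from the config to run")
    if "auth-user-pass" in d:
        if first_arg("auth-user-pass"):
            findings.append("INFO: auth-user-pass reads credentials from a file; keep it readable only by root")
        if "auth-nocache" not in d:
            findings.append("INFO: credentials stay in memory between renegotiations (no auth-nocache)")

    # Management interface exposed on the network without a password file.
    if "management" in d:
        args = d["management"][0]
        host = args[0] if args else ""
        if host not in LOOPBACK and not host.startswith("/") and len(args) < 3:
            findings.append(f"HIGH: management interface on {host} has no password file; "
                            "anyone who can reach it can send signals and inspect the connection")
    return findings


if __name__ == "__main__":
    for label, config in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in lint_client_config(config) or ["no findings"]:
            print(" ", finding)
```

Run against a real client file with lint_client_config(open("client.ovpn").read()). The hardened sample produces no findings; the weak one is reported for the missing remote-cert-tls and name pinning, the absent tls-auth key, script-security 3 and a management interface bound to all interfaces.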
Using Certificate Revocation List
A CRL is useful when we have a CA certificate, a server certificate and a bunch of trusted client certificates. If one of the client certificates is no longer trusted, for example because the laptop holding it was stolen, we need to revoke that certificate. We don't want to tear down the whole PKI, just that one certificate, so we add the compromised certificate to the certificate revocation list (CRL). From then on that certificate can no longer be used to connect to the VPN server, because it is no longer trusted.
To use a CRL with OpenVPN we specify the crl-verify option, typically on the server, and pass it the CRL file in PEM format. That file lists all revoked certificates that are no longer valid.
References:
[1] OpenVPN 2.3 manual page, openvpn(8), Maintenance Commands, https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage