
OPENVPN

Created in 2002, OpenVPN is an open source tool used to build site-to-site VPNs with the SSL/TLS protocol
or with pre-shared keys. Its role is to securely tunnel data through a single TCP/UDP port over an
unsecured network such as the Internet and thus establish VPNs.

EASINESS
The big strength of OpenVPN is that it is extremely easy to install and configure, which is rarely the case
for tools used to create VPNs.
PORTABILITY
OpenVPN can be installed on nearly any platform including Linux, Windows 2000/XP/Vista, OpenBSD,
FreeBSD, NetBSD, Mac OS X, and Solaris.
The Linux systems must have a 2.4 kernel or higher. The configuration principle remains the same on any
platform.
CLIENT/SERVER ARCHITECTURE
OpenVPN is based on a client/server architecture. It must be installed on both VPN extremities: one is
designated as the server, the other one as the client.
TUNNELLING
OpenVPN creates a TCP or UDP tunnel and then encrypts the data inside the tunnel.
OpenVPN's default port is UDP 1194, an official port number assigned by IANA. You can use any other
TCP or UDP port, and since the 2.0 release a single port can be shared by several tunnels on the
OpenVPN server.
SECURITY MODES:
When using static keys, the two VPN gateways share the same key to encrypt and decrypt the data. In this
case the configuration is very simple, but the problem is that you may need to give the key (over a secure
channel) to somebody you don't necessarily trust at the other end of the tunnel.
The Public Key Infrastructure (PKI) is used to solve this problem. It is based on the fact that each party
owns two keys: a public key known by everybody and a private key kept secret. This process is used by
OpenSSL, the free and open source SSL implementation integrated in OpenVPN, to authenticate the VPN
peers before proceeding to the data encryption.
Let's see the advantages of the two modes:

OpenVPN mode              Pre-shared keys        SSL
Cryptography mode:        Symmetric              Asymmetric/Symmetric
Implementation:           Easier                 Harder
Speed:                    Quicker                Slower
CPU consumption:          Smaller                Higher
Key exchange:             YES                    NO
Encryption keys renewal:  NO                     YES
Peers authentication:     NO                     YES

In the next section, we will focus our explanations on OpenVPN in SSL mode (asymmetric cryptography),
which is recommended over the pre-shared mode (symmetric cryptography).
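As an added illustration of the pre-shared (static key) mode described above, the Python below is example code written for this page, not OpenVPN's own code. It builds a key file in the same layout that `openvpn --genkey --secret` writes (a 2048-bit key as 16 lines of 32 hex characters between BEGIN/END markers), validates such a file before it is used, and splits the key into the two slots of OpenVPN's key2 structure (a 64-byte cipher key followed by a 64-byte HMAC key per slot). The function names are mine; a check like parse_static_key_file is worth running on any key received over that "secure channel", since a truncated or hand-edited file is the usual way a static-key setup goes wrong.

```python
import os
import re

HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256       # 2048-bit key, the size `openvpn --genkey --secret` writes
HEX_PER_LINE = 32     # 16 bytes per line, so 16 lines of hex


def generate_static_key_file() -> str:
    """Return the text of a static key file in the layout OpenVPN itself writes.

    The randomness comes from os.urandom here (constructed example); in practice
    you would run `openvpn --genkey --secret static.key` on the server.
    """
    key_hex = os.urandom(KEY_BYTES).hex()
    lines = [key_hex[i:i + HEX_PER_LINE] for i in range(0, len(key_hex), HEX_PER_LINE)]
    return "\n".join(["#", "# 2048 bit OpenVPN static key", "#", HEADER, *lines, FOOTER]) + "\n"


def parse_static_key_file(text: str) -> bytes:
    """Extract the raw 256-byte key, rejecting a file that is not a complete key.

    '#' comment lines and blank lines are ignored; everything between the
    BEGIN/END markers must be exactly 2048 bits of hexadecimal.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if not lines or lines[0] != HEADER or lines[-1] != FOOTER:
        raise ValueError("missing OpenVPN static key V1 BEGIN/END markers")
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % (KEY_BYTES * 2), body):
        raise ValueError("key body must be exactly 2048 bits of hex (got %d hex chars)" % len(body))
    return bytes.fromhex(body)


def key_slots(raw: bytes) -> dict:
    """Split the key into OpenVPN's two key slots (key2 layout): each slot is a
    64-byte cipher key followed by a 64-byte HMAC key. Without a direction
    argument to --secret both peers use slot 0 in both directions; with
    `--secret file 0` / `--secret file 1` each direction gets its own slot."""
    if len(raw) != KEY_BYTES:
        raise ValueError("expected %d bytes" % KEY_BYTES)
    slots = {}
    for idx in range(2):
        base = idx * 128
        slots[idx] = {"cipher": raw[base:base + 64], "hmac": raw[base + 64:base + 128]}
    return slots


if __name__ == "__main__":
    text = generate_static_key_file()
    raw = parse_static_key_file(text)
    print("parsed %d-bit static key, %d slots" % (len(raw) * 8, len(key_slots(raw))))
```

Because the whole security of this mode rests on that one file, it should be generated once, copied over a channel you trust, and protected with file-system permissions on both gateways: anyone holding it can decrypt and forge traffic in both directions, which is exactly the trust problem the PKI mode removes.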

BRIDGING/ROUTING
You can choose to build either Ethernet (Bridged) or IP (Routed) VPNs with the help of, respectively, the TAP
or TUN network drivers. TAP/TUN are available on all the platforms and are already bundled with the Linux
2.4 kernel or higher.
OPTIONS
The OpenVPN options are particularly important, for example the server can push network routes on the
client or can be used as DHCP server.
Have a look at the OpenVPN man page for information.
Check the OpenVPN tutorial to learn how to configure OpenVPN or continue below by reading explanations
about the SSL protocol.
Let's look at the key network and security concepts to better understand the OpenVPN tool:
- SSL
- VPN
- OpenSSL
- IPSec & SSL
- IPSec

SSL
INTRODUCTION:
For many years, IPSec was the only security protocol available to secure site-to-site or client-to-server
VPNs. Fortunately, this has now changed with the release of the SSL protocol. Initially used to secure
specific protocols like HTTP, SSL is now able to secure any application and to encrypt TCP or UDP
tunnels to create site-to-site or client-to-site VPNs.
In this tutorial, we will focus our work on SSL site-to-site VPNs with the help of an excellent tool called
OpenVPN.
SSL DESCRIPTION:
SSL (Secure Sockets Layer) was created by Netscape in the 90s. Two SSL versions were released: v2
(1994) and v3 (1995). The patent was then bought and updated by the IETF in 2001. At the same time it
was renamed TLS, which stands for Transport Layer Security (RFC 2246).
The word SSL is commonly used to designate both the SSL and TLS protocols. The latest version of TLS is
v1.1.
SSL GOALS:
The two main SSL goals are the following:
- Authenticate the server and the client using the Public Key Infrastructure (PKI).
- Provide an encrypted connection for the client and server to exchange messages.
OpenVPN AND THE OSI MODEL:
Where could we place the SSL protocol in the OSI model?
The standard OSI model is composed of seven layers, while a four-layer model matches more closely the
TCP/IP architecture used by the large majority of applications.
SSL is located between the application and transport layers and encrypts the application layer.

TYPE OF SSL VPN:
In the past, SSL was a protocol used with specific applications like HTTP; however, for some years it has
been able to secure the transactions of potentially any application over the Internet and to create
encrypted tunnels (VPNs) in the same manner as IPSec does.
Two types of VPN are available:
- Client-to-server (or remote access) VPNs, where the client only needs a web browser such as Firefox.
- Site-to-site VPNs, where specific software such as OpenVPN is required.
SSL PROCESS:
Here are the four SSL/TLS steps:
- SSL Handshake: negotiate the cipher suite to be used during data transfer.
- SSL Change Cipher Spec: establish and share a session key between client and server.
- SSL Alert: convey SSL error messages between client and server.
- SSL Record: transfer data.
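The four steps above correspond to the four content types carried by the TLS record layer: ChangeCipherSpec (20), Alert (21), Handshake (22) and application data (23). The added Python below, written for this page rather than taken from OpenVPN or OpenSSL, parses a byte stream of records and labels each one with its step; the sample stream is constructed inline (the ClientHello body is deliberately truncated and the "application data" is plaintext standing in for the encrypted payload). Name tables and function names are mine.

```python
import struct

# Record-layer content types (RFC 2246 / RFC 4346), one per step listed above
CONTENT_TYPES = {
    20: "Change Cipher Spec",
    21: "Alert",
    22: "Handshake",
    23: "Record (application data)",
}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 14: "ServerHelloDone",
                   16: "ClientKeyExchange", 20: "Finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version"}


def parse_records(stream: bytes) -> list:
    """Walk a byte stream of TLS records and describe each one.

    Every record starts with a 5-byte header: content type (1), version (2),
    body length (2, big-endian). A truncated or unknown record raises rather
    than being silently skipped, which is what you want in a monitoring tool.
    """
    records = []
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, major, minor, length = struct.unpack("!BBBH", stream[offset:offset + 5])
        body = stream[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("record at offset %d announces %d bytes, only %d present"
                             % (offset, length, len(body)))
        if ctype not in CONTENT_TYPES:
            raise ValueError("unknown content type %d at offset %d" % (ctype, offset))
        rec = {"type": CONTENT_TYPES[ctype],
               "version": VERSIONS.get((major, minor), "unknown %d.%d" % (major, minor)),
               "length": length}
        if ctype == 22 and len(body) >= 4:
            # Handshake message header: type (1), length (3); only the first message is labelled
            rec["message"] = HANDSHAKE_TYPES.get(body[0], "handshake type %d" % body[0])
        elif ctype == 21 and len(body) == 2:
            rec["level"] = ALERT_LEVELS.get(body[0], str(body[0]))
            rec["description"] = ALERT_DESCRIPTIONS.get(body[1], "alert %d" % body[1])
        elif ctype == 20:
            # The only legal ChangeCipherSpec body is the single byte 0x01
            rec["valid"] = body == b"\x01"
        records.append(rec)
        offset += 5 + length
    return records


def record(ctype: int, body: bytes, version=(3, 2)) -> bytes:
    """Build one record with a correct header (used to construct the sample below)."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


# Constructed sample: a (truncated) ClientHello, a ChangeCipherSpec, a fatal
# handshake_failure alert and one application-data record, all marked TLS 1.1.
SAMPLE_STREAM = (
    record(22, b"\x01" + b"\x00\x00\x06" + b"\x03\x02" + b"\x00" * 4)
    + record(20, b"\x01")
    + record(21, b"\x02\x28")
    + record(23, b"tunnelled payload")
)

if __name__ == "__main__":
    for r in parse_records(SAMPLE_STREAM):
        print(r)
```

On a real capture, fatal alerts such as handshake_failure or unknown_ca arriving right after the ClientHello are the records to look at first when an OpenVPN TLS session will not come up: they name the step that failed before any data is transferred.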


VPN PRINCIPLES:
VPN (Virtual Private Network) is the term used to designate the encrypted tunnel between two devices
over an unsecured network, typically the Internet.
The VPN groups together the two local networks behind the VPN devices and thus creates a single
private network.
The word "VPN" can be used for site-to-site as well as client-to-server secure links. As a reminder, we will
use OpenVPN to create site-to-site VPNs.
To be considered secure, a VPN must respect the following key concepts:
- Confidentiality or privacy: the data cannot be seen in a readable format.
  Typical symmetric cipher algorithms: DES, 3DES, AES, Blowfish.
- Integrity: the data cannot be altered.
  Typical hash-function algorithms: SHA1, MD5.
- Authentication: each VPN gateway is sure of the identity of the other.
  Typical algorithms: RSA, DH.
The picture below provides the status of a packet state when travelling inside the LAN and the VPN.

Also, just as a reminder: a VPN is different from a VPS.
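To make the integrity and authentication concepts above concrete, here is an added Python example (mine, not OpenVPN's code) that protects a constructed packet with an HMAC over a packet id and payload, and a receiver that checks the tag in constant time and rejects replayed packet ids. The frame layout and the single-packet replay window are simplifications I chose for illustration, and replay protection goes one step beyond the three concepts the page lists; OpenVPN's own packet format is not reproduced here. SHA-256 is the default, with the page's SHA1 available through the algo parameter.

```python
import hashlib
import hmac
import struct
from typing import Optional


def protect(key: bytes, packet_id: int, payload: bytes, algo: str = "sha256") -> bytes:
    """Sender side: prepend a packet id and cover id + payload with an HMAC tag.

    Frame layout (constructed for this example): tag | packet_id (4 bytes) | payload.
    """
    authenticated = struct.pack("!I", packet_id) + payload
    tag = hmac.new(key, authenticated, algo).digest()
    return tag + authenticated


class Receiver:
    """Receiver side: verify the tag in constant time and refuse replayed ids."""

    def __init__(self, key: bytes, algo: str = "sha256"):
        self.key = key
        self.algo = algo
        self.tag_size = hashlib.new(algo).digest_size
        self.highest_id = 0          # last accepted packet id (replay window of size 1)
        self.rejected = []           # rejection reasons, useful as a detection signal

    def unprotect(self, frame: bytes) -> Optional[bytes]:
        tag, authenticated = frame[:self.tag_size], frame[self.tag_size:]
        if len(authenticated) < 4:
            self.rejected.append("short frame")
            return None
        expected = hmac.new(self.key, authenticated, self.algo).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            self.rejected.append("bad tag")
            return None
        (packet_id,) = struct.unpack("!I", authenticated[:4])
        if packet_id <= self.highest_id:
            self.rejected.append("replay of id %d" % packet_id)
            return None
        self.highest_id = packet_id
        return authenticated[4:]


if __name__ == "__main__":
    key = b"constructed shared key, not a real one"
    rx = Receiver(key)
    frame = protect(key, 1, b"GET / HTTP/1.0")
    print(rx.unprotect(frame))            # payload accepted
    tampered = bytearray(frame)
    tampered[-1] ^= 0x01                  # flip one payload bit in transit
    print(rx.unprotect(bytes(tampered)))  # None: integrity check fails
    print(rx.unprotect(frame))            # None: same id seen again
    print(rx.rejected)
```

The tag is computed over the packet id as well as the payload, so a peer cannot move a valid payload to a different sequence position, and a wrong key on either end shows up as a stream of "bad tag" rejections rather than garbled data.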



OPENSSL:
OpenVPN uses a free and open source implementation of SSL called OpenSSL for the encryption and
authentication tasks. OpenSSL is a toolkit composed of:
- the SSL library,
- the crypto library,
- a command line tool.
The cryptography library implements a wide range of cryptographic algorithms such as:
- Symmetric algorithms: Blowfish, DES, 3DES, AES, etc.
- Certificates: x509
- Hash functions: HMAC, MD5

IPSEC - SSL COMPARISON:


The goal of SSL and IPSec is the same: create VPNs and thus encrypt the traffic between two devices with
the same algorithms. But as you will see, the way they accomplish this task is very different.
Of course, IPSec and SSL are not compatible with each other.
Let's look first at a basic SSL-IPSec comparison table.
                        IPSEC                  SSL
RFC:                    2401                   4346 (TLS 1.1)
OSI position:           Internet layer         Between transport and application layers
Software location:      Kernel space           User space
Installation:           Vendor specific        Vendor non-specific
Configuration:          Complex                Simple
NAT:                    Problematic            No problem
Firewall:               Not friendly           Friendly
Interoperability:       YES                    NO

Let's give some more explanations about the comparison table:

IPSec is a layer 3 protocol. To be implemented, it requires a modification of the IP stack in the IPSec
device's kernel space. Because of this kernel-related change, each operating system (Cisco, Windows,
Nortel, Linux, etc.) needs its own implementation of IPSec.
OpenVPN behaves much more like a standard application. It is implemented in user space and thus has
the advantage of being much more secure and portable.
- Secure because, in the IPSec case, the software is closely linked with the kernel, so an application
crash can damage the kernel and thus the entire system. This is not a problem with OpenVPN because it is
completely separated from the kernel. Another point to underline concerning security is that, if the
software is compromised, with IPSec the attacker gets kernel access, in other words root access. With
OpenVPN, a specific user with limited rights only runs the application.
- Portable because OpenVPN can be installed on virtually any platform, which spares you time because
you always have the same software to configure.
A very common problem with IPSec is the need to change firewall rules to permit the protocol and the
network address translation (NAT) processing, but even this has been partially solved by the NAT Traversal
protocol. Read details about problems associated with using IPSec over NAT.
With OpenVPN, you just need to open a TCP or UDP port on the firewall if it is not already open. OpenVPN
can even work through proxy servers, meaning no firewall changes at all!
As the IP layer is not modified by SSL, there is no problem with NAT.
Building a site-to-site SSL tunnel is much simpler than with IPSec. The complexity of IPSec configurations
often leads to security holes or misconfigurations, even when built by a network administrator.
Furthermore, IPSec configurations are always different for each manufacturer, whereas with SSL and
OpenVPN the configurations are very similar on any system.
The big advantage of IPSec remains that it can be used on virtually any manufacturer's device supporting
its RFC. For example, it is normally possible to establish a VPN between a Cisco and a Nortel router.
"Normally", because time has shown that even if the different manufacturers are supposed to respect the
IPSec standards, compatibility problems sometimes remain.
With OpenVPN it is, of course, not possible to install the software on the devices of major manufacturers
such as Cisco, Checkpoint, Juniper or Nortel.
SSL has now progressed very quickly in the client-to-server VPN segment compared to IPSec and will
progressively replace it in the future.
In the site-to-site VPN segment, this is different because, as explained immediately above, there are for
the moment no standardized papers (RFCs) for creating site-to-site SSL VPNs on closed-code
manufacturers' devices such as Cisco. As the large majority of site-to-site VPNs are created on closed-code
devices, IPSec remains for the moment king in this sector.
