April 18, 2005

Putting OpenVPN to Work

Check out this free, full-featured alternative to commercial VPNs
Sidebar: Encryption Modes

VPNs extend company networks beyond the LAN. Using a VPN, remote workers can securely connect to a private LAN from anywhere on the Internet. The VPN tunnel is authenticated and encrypted, and because it rides over the Internet, it's much less expensive than a dedicated point-to-point network link. You're probably familiar with Microsoft's RRAS VPN solutions, as well as commercial VPNs from vendors such as Cisco Systems and Nortel Networks, but you might not be aware of an open-source program called OpenVPN that provides VPN features along with a great deal of flexibility. OpenVPN gives you many of the same features those big-name competitors provide, and the software itself is free; the only cost is the time and effort its configuration requires.

If you're already running a commercial VPN, you won't want to replace it with OpenVPN. But if you need to deploy a new VPN for a branch office or lab, or if you're looking for an inexpensive, secure solution for connecting to remote networks, you should definitely check out OpenVPN. Because the program runs on many different OSs, it might even provide benefit to Windows shops as an alternative to the VPN capabilities in RRAS or Microsoft Internet Security and Acceleration (ISA) Server. In this article, I walk through the basic setup of an OpenVPN client-based VPN solution and give you a peek at the product's features.

OpenVPN Basics
OpenVPN uses the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocol to provide the classic VPN security features that network-focused VPNs based on IP Security (IPsec) or PPTP offer. Unlike the SSL VPN appliances that pride themselves on a clientless installation, in which you use your Web browser to establish the SSL VPN connection, OpenVPN requires its own client software on every endpoint; there is no browser-only mode. (The client is the same open-source OpenVPN program, not a proprietary add-on.) Also, OpenVPN is a peer-to-peer (P2P) application, which means that you run the same program on both endpoints of the VPN tunnel.

OpenVPN supports bridged (tap) and routed (tun) modes, both of which tunnel network traffic over a single UDP or TCP port of your choice. (By default, OpenVPN uses UDP port 1194.) Any traffic sent to or received from the virtual network adapter is encapsulated in an encrypted packet and delivered to the other OpenVPN tunnel endpoint, where it's decrypted and dropped onto the remote network.

Getting a basic configuration up and running is extremely easy, as you'll see. However, for more complicated deployments, the learning curve gets steeper and requires more knowledge and potential tweaking of your existing network topology than commercial VPN concentrators require. You'll definitely want to first test this tool in your lab to get comfortable with its features and evaluate whether it's right for you.

The product is released under the Open Source GNU General Public License (GPL) and runs on Windows 2000 and later, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris. Choose your platform and download the latest version from the OpenVPN Web site (http://openvpn.net). As of this printing, the latest version is OpenVPN 2.0-rc20. If you prefer a graphical interface, check out the optional OpenVPN GUI at the OpenVPN GUI Web site (http://www.nilings.se/openvpn) and follow the instructions for the simple installation process.

At its core, the OpenVPN program is a command-line application that you can also configure as a service. You can run the application with a huge number of configuration options by combining command-line switches and entries in a configuration file. (Visit the OpenVPN Man Page—http://openvpn.net/man.html—for a complete listing of all options.) Plus, you can use multiple configuration files to manage many tunnel endpoints on a single server.

Define Your Network Topology
You can use OpenVPN for site-to-site VPNs or client VPNs. The OpenVPN package is quite flexible, and the steps you take to configure it for either a site-to-site VPN or client-to-server VPN are similar. In fact, you must install the same OpenVPN application on both VPN endpoints. As I mentioned, a basic OpenVPN configuration is easy to set up, but the program gets more complicated depending on the features you enable. For example, to install and configure advanced security features, you'll need an understanding of cryptography and key management. OpenVPN supports a number of authentication mechanisms, including certificates, smart cards, and username/password credentials; however, such security measures represent one of the more complicated aspects of the program, and you'll need to have a good understanding of PKI fundamentals to implement these features. The OpenVPN Web site contains several helpful documents and sample configurations that can help you with the configuration of these options.

Configuring the Server
After you download the Windows package, copy it to the server that you want to act as your VPN server and run the installer program. A wizard walks you through the installation steps, which consist of installing OpenVPN, the OpenVPN GUI configuration program, and a tool to create a certificate request. The wizard prompts you for a variety of installation feature options, but the defaults should suffice for a basic installation. After the program is installed, you can view C:\Program Files\OpenVPN for the programs and source files.

After the installation is finished, you'll notice the addition of a network adapter—a device named TAP-Win32 Adapter V8. If you plan to configure OpenVPN in bridged mode, you'll need to manually bridge this new adapter with another network adapter already installed on the system. If you plan to set up OpenVPN in a routing configuration, Windows will recognize the device as a network adapter, complete with IP address. I discuss both configurations—bridged and routing—in a moment.

But first, let's get acquainted with the primary means of configuring OpenVPN. On the server, navigate to the OpenVPN configuration directory (by default, C:\Program Files\OpenVPN\config), copy the sample.ovpn.txt file, and rename it to any filename with the extension .ovpn (e.g., myOpenVpnConfig.ovpn). This file contains a well-annotated example of an OpenVPN configuration document. After you become familiar with how OpenVPN works, you'll be able to create your own OpenVPN configuration file that's just a few lines long.

OpenVPN works like a P2P VPN, which means that each running instance on a computer is really just another endpoint. In this example, I show you how to configure one VPN as a server that will be able to accept connections from any IP address. Open your new configuration file and look for the text

remote myremote

Because we're configuring this computer as a server, it won't be making outbound connections to a remote computer. Therefore, use a semicolon (;) to comment out this line, as follows:

; remote myremote

If you specify a remote computer address (e.g., remote 10.0.0.10), OpenVPN connects to that address and, unless you also add the float directive, ignores packets that arrive from any other address. That restriction is one way to help secure a point-to-point VPN between two remote networks. However, we're configuring this endpoint as an OpenVPN server that should accept connections from any remote client, so we simply comment out the entire line. Later, we'll point the client at this server by putting the server's address in the client's remote line.

By default, OpenVPN uses UDP port 1194. If you need to change this port, for example to use a port that most firewall administrators leave open, such as TCP 443, find the line

; port 1194

and uncomment it by removing the semicolon. Then, change it to the port number you prefer. Note that the port directive changes only the port number; switching to TCP also needs a proto line (proto udp is the default; for TCP, use proto tcp-server on the server and proto tcp-client on the client). UDP is more efficient, and it's best to use TCP only when UDP doesn't work, for example when a firewall blocks UDP traffic. UDP headers are smaller and UDP has no acknowledgment or retransmission machinery of its own, so its performance is slightly better. Reliability isn't affected, because the original TCP packets that OpenVPN encrypts still carry their own error checking and retransmission support. Running the tunnel over TCP, however, stacks that inner retransmission on top of the outer TCP connection's; on a lossy link the two retransmission timers compound and throughput can collapse, which is the main practical reason to prefer UDP.

Next, choose the virtual device type: dev tap or dev tun. (These are device types, not network protocols: tap presents a virtual Ethernet adapter and carries Layer 2 frames, whereas tun presents a point-to-point IP interface and carries only Layer 3 packets.) If you want to use OpenVPN's bridged mode, you must choose dev tap. In this example, we're configuring a Windows-to-Windows connection and demonstrating a bridged configuration, so we'll configure OpenVPN to use dev tap. In your configuration file, confirm the entry

dev tap

Next, configure the connection's authentication. For more secure connections, configure TLS with its own certificate/key pair on each endpoint. In this example, we'll use a static key, but refer to the sidebar "Encryption Modes," http://www.windowsitpro.com/windowssecurity, InstantDoc ID 45946, for OpenVPN's other encryption features. Only an OpenVPN peer that holds this same static key will be able to connect to our server. Be aware of the trade-offs: static-key mode is strictly point-to-point (one server instance serves one peer, so a multiclient server requires TLS), the same key protects every session, so there is no forward secrecy if the key is ever stolen, and you must get the key file to the other endpoint over a channel you trust.

From Start, All Programs, OpenVPN, click Generate a static OpenVPN key. This action launches a simple console program that creates a key and writes it to C:\Program Files\OpenVPN\config\key.txt. Anyone who holds this static key can connect to your OpenVPN endpoint, so keep the key safe. This is similar to the way you would configure a wireless Access Point (AP) with a static key. Although a static key might be adequate for using OpenVPN to connect two remote networks, if you set up a multiclient OpenVPN server endpoint, you'll need to implement stronger, per-user authentication, such as certificates.

Next, confirm that the OpenVPN configuration file includes the secret directive, followed by the name of the key file, as follows:

secret key.txt

If you copied the OpenVPN sample .ovpn configuration file, you won't need to change this secret line because it's included as the default.
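Because the static key travels to the second endpoint by hand, it's worth checking that the copy arrived intact and is the same key before you blame the tunnel for a failed connection. The following is an added example (my code, not from the article or the OpenVPN project) that validates a key file against the layout openvpn --genkey writes (a header comment, BEGIN/END markers, and 16 lines of 32 hex digits for a 2048-bit key) and prints a SHA-256 fingerprint that the two administrators can compare out of band without ever sending the key itself. The generate_static_key function only builds a file in that layout for demonstration; the random key it produces is constructed for this example and is not a key from the page.

```python
import hashlib
import secrets

HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"
KEY_BITS = 2048  # openvpn --genkey writes a 2048-bit key as 16 lines of 32 hex digits


def generate_static_key():
    """Build a key file in the layout openvpn --genkey --secret writes.
    Constructed for this example (random on every call); not a key from the article."""
    hexkey = secrets.token_hex(KEY_BITS // 8)
    lines = ["#", "# 2048 bit OpenVPN static key", "#", HEADER]
    lines += [hexkey[i:i + 32] for i in range(0, len(hexkey), 32)]
    lines.append(FOOTER)
    return "\n".join(lines) + "\n"


def parse_static_key(text):
    """Return the raw key bytes, or raise ValueError saying why the file is unusable."""
    # Comment lines start with '#'; CRLF from a Windows copy is handled by splitlines().
    body = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    if not body or body[0] != HEADER:
        raise ValueError("missing or mangled BEGIN line (was the file copied as text?)")
    if body[-1] != FOOTER:
        raise ValueError("missing or mangled END line; the key may be truncated")
    try:
        key = bytes.fromhex("".join(body[1:-1]))
    except ValueError:
        raise ValueError("non-hex characters inside the key block") from None
    if len(key) * 8 != KEY_BITS:
        raise ValueError(f"key is {len(key) * 8} bits, expected {KEY_BITS}")
    return key


def fingerprint(text):
    """SHA-256 hex digest of the key bytes: safe to read over the phone or e-mail
    so both administrators can confirm they hold the same key."""
    return hashlib.sha256(parse_static_key(text)).hexdigest()


def check_static_key(text):
    """Non-raising wrapper for scripts: (True, fingerprint) or (False, reason)."""
    try:
        return True, fingerprint(text)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    sample = generate_static_key()  # in practice: open("key.txt").read()
    print(check_static_key(sample))
```

Run the check on both endpoints and compare the fingerprints, not the key files; if a line was lost in transit the parser reports the short bit count instead of letting you chase a silent handshake failure.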

Finally, it's useful to include the following two commands in your configuration file:

verb 4
mute 10

The verb directive sets the verbosity of OpenVPN's logging, from 0 to 11. A setting of 0 means that no output is displayed except fatal errors, and a setting of 11 produces a great deal of debugging data. A setting of 4 is sufficient for most users. The mute directive squelches repeated error or status messages. It's useful if a client repeatedly connects and fails and you don't want your log to fill up with copies of the same message. A mute setting of 10 means that OpenVPN displays at most 10 consecutive instances of the same message and squelches the rest.

Configuring the Client
The OpenVPN installation process for the client is similar to that of the server. Install the same OpenVPN software and create an .ovpn configuration file. The settings should match the settings you made on the server, with just a few exceptions. Using a secure medium such as a floppy disk that you carry yourself, copy the static key that you created on your server (key.txt) to the client (e.g., to C:\Program Files\OpenVPN\config).

A sample client configuration for an OpenVPN client using the default protocol UDP and port number 1194 might look like

remote 10.0.0.2
dev tap
ifconfig 192.168.0.100 255.255.255.0
secret key.txt
verb 4
mute 10

This configuration identifies the remote VPN server that the client will connect to, specifies the network protocol as dev tap, and sets the client IP address OpenVPN should use. This configuration also sets the Secret, Verb, and Mute options. The client IP address will vary depending on whether you configure OpenVPN in bridged mode or routing mode. In bridged mode, set this address to an IP address on your local area network.
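The server and client files above have to agree with each other, and a few of the mistakes this section warns about (a remote line left active on the server, port 443 without proto tcp, a bridged client address outside the LAN, a verb level out of range) produce confusing failures rather than a clean error. The following is an added example (my code, not from the article or the OpenVPN project) that parses 2.0-style .ovpn files with the comment conventions of sample.ovpn.txt and lints each endpoint, then checks that the two endpoints match. The LAN subnet 192.168.0.0/24 is an assumption taken from the client address in the sample; the embedded SERVER_OVPN and CLIENT_OVPN strings are constructed to mirror the article's two configurations.

```python
import ipaddress

VALID_DEV = ("tap", "tun")


def parse_ovpn(text):
    """Return [(directive, [args...])]; blank lines and ';' or '#' lines are comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in ";#":
            parts = line.split()
            directives.append((parts[0], parts[1:]))
    return directives


def index(directives):
    """Map directive name -> list of argument lists (a directive may repeat)."""
    seen = {}
    for name, args in directives:
        seen.setdefault(name, []).append(args)
    return seen


def _one(seen, name, default):
    """First argument list for a directive, or default when it is absent or bare."""
    return seen[name][0] if seen.get(name) and seen[name][0] else default


def lint(text, role, lan_subnet=None):
    """Lint one endpoint; role is 'server' (listening end) or 'client'. lan_subnet
    (e.g. '192.168.0.0/24') is the LAN the server's TAP adapter is bridged into;
    a tap client's ifconfig address must fall inside it. Returns a list of findings."""
    seen = index(parse_ovpn(text))
    findings = []
    if role == "server" and "remote" in seen:
        findings.append("server: 'remote' is set; comment it out so the listener does not dial out")
    if role == "client" and "remote" not in seen:
        findings.append("client: no 'remote' directive, so there is nothing to connect to")

    proto = _one(seen, "proto", ["udp"])[0]      # OpenVPN's default is udp
    port = _one(seen, "port", ["1194"])[0]       # and port 1194
    if port == "443" and proto == "udp":
        findings.append("port 443 over udp: HTTPS-friendly firewalls pass TCP 443; add proto tcp-server / tcp-client")

    dev = _one(seen, "dev", [None])[0]
    if dev not in VALID_DEV:
        findings.append(f"dev must be tap (bridged) or tun (routed), got {dev!r}")

    has_secret = "secret" in seen
    has_tls = "tls-server" in seen or "tls-client" in seen
    if not (has_secret or has_tls):
        findings.append("no 'secret' and no TLS directives: anyone who reaches the port gets a tunnel")
    if has_secret and has_tls:
        findings.append("'secret' and TLS are mutually exclusive; choose one")
    if has_secret and "float" in seen:
        findings.append("'float' accepts packets from any source address; with a static key that widens who can inject traffic")

    if "verb" in seen:
        v = _one(seen, "verb", [""])[0]
        if not (v.isdigit() and int(v) <= 11):
            findings.append(f"verb must be 0..11, got {v!r}")
    if "mute" in seen:
        m = _one(seen, "mute", [""])[0]
        if not (m.isdigit() and int(m) > 0):
            findings.append(f"mute must be a positive count, got {m!r}")

    if role == "client" and dev == "tap" and lan_subnet:
        net = ipaddress.ip_network(lan_subnet, strict=False)
        args = _one(seen, "ifconfig", [])
        if len(args) != 2:
            findings.append("bridged client: 'ifconfig <address> <netmask>' is required")
        else:
            try:
                if ipaddress.ip_address(args[0]) not in net:
                    findings.append(f"bridged client address {args[0]} is outside the LAN {net}")
                if args[1] != str(net.netmask):
                    findings.append(f"netmask {args[1]} does not match the LAN {net}")
            except ValueError:
                findings.append(f"ifconfig arguments are not an address/netmask pair: {args}")
    return findings


def compare_endpoints(server_text, client_text):
    """Settings that must agree across the tunnel; returns a list of mismatches."""
    s, c = index(parse_ovpn(server_text)), index(parse_ovpn(client_text))
    mismatches = []
    if _one(s, "dev", [None]) != _one(c, "dev", [None]):
        mismatches.append("dev differs; tap/tun must match on both ends")
    if _one(s, "port", ["1194"]) != _one(c, "port", ["1194"]):
        mismatches.append("port differs")
    sp, cp = _one(s, "proto", ["udp"])[0], _one(c, "proto", ["udp"])[0]
    if not (sp == cp == "udp" or (sp, cp) == ("tcp-server", "tcp-client")):
        mismatches.append(f"proto pair {sp}/{cp} must be udp/udp or tcp-server/tcp-client")
    if ("secret" in s) != ("secret" in c):
        mismatches.append("one end uses a static key and the other does not")
    return mismatches


# Constructed sample configs mirroring the article's server and client files.
SERVER_OVPN = "; remote myremote\n; port 1194\ndev tap\nsecret key.txt\nverb 4\nmute 10\n"
CLIENT_OVPN = ("remote 10.0.0.2\ndev tap\nifconfig 192.168.0.100 255.255.255.0\n"
               "secret key.txt\nverb 4\nmute 10\n")

if __name__ == "__main__":
    print("server:", lint(SERVER_OVPN, "server") or "clean")
    print("client:", lint(CLIENT_OVPN, "client", "192.168.0.0/24") or "clean")
    print("pair:", compare_endpoints(SERVER_OVPN, CLIENT_OVPN) or "consistent")
```

Point lint at each file (with the real LAN subnet for the client) before starting the service; a clean result from both calls plus an empty list from compare_endpoints means the two files describe one tunnel rather than two.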

Bridged or Routing?
So far, we've configured the OpenVPN server and client. But we're not done yet. We need to make some additional configuration changes depending on whether you want to run OpenVPN in bridged or routing mode. Each mode has benefits depending on your needs. When you bridge two networks, all hosts on both networks appear to be part of a single subnet, so applications that rely on broadcasts work across the VPN tunnel. However, every broadcast also has to cross the tunnel, which adds traffic and slows communications. Bridged is the easier method to set up because you don't need to configure new network routes to ensure that the computers on either side of the VPN can reach one another. The cost is segregation: a bridged VPN client sits in the same Layer 2 broadcast domain as your LAN, so a compromised client can do to the LAN whatever a machine plugged into the switch could do, whereas routing mode keeps the VPN on its own subnet where you can filter it.

Ultimately, your choice will depend on the level of manageability you require. If you're looking for quick, easy access to your home or small network, or if you'll be the only one using the VPN, bridged's ease of configuration will appeal to you. But if you want to deploy OpenVPN as a VPN concentrator for multiple users, routing will give you more network flexibility.

Let's walk through a bridged-mode example. Bridged mode works by creating a bridge between the OpenVPN TAP-Win32 Adapter V8 and the VPN server's local LAN adapter. In this mode, any network traffic on either adapter will appear as if both network adapters are connected to the same subnet. In this mode, the bridged adapter will have one IP address. Bridging the adapters occurs in Windows rather than in the OpenVPN configuration file.

After you install the OpenVPN software, open the Control Panel Network Connections applet. While pressing the Ctrl key, select both your LAN network adapter and the OpenVPN TAP-Win32 adapter. With both adapters selected, right-click one of the adapters and select Bridge Connections in the resulting context menu. In a moment, you'll see a new bridged network-adapter object. This object behaves like a network adapter and, by default, the system will configure it with a DHCP IP address. You can create multiple VPN endpoints on a single computer by adding more than one OpenVPN TAP-Win32 adapter. If you want to bridge these, you add them to the bridge by accessing the Network Bridge's Properties and selecting the additional adapters.

If you're running OpenVPN on a multihomed computer, for example a PC with both inside (private network) and outside (public Internet) interfaces, be careful not to bridge your external network adapter. Bridge only your internal (private) network adapter with the OpenVPN TAP-Win32 adapter, and use a firewall or other device to protect the outside interface from attack. That's all you need to do to configure your server to run OpenVPN in bridged mode. The other hosts on the LAN need no changes.

After you customize the configuration files on both the server and the client, save them and start the OpenVPN program, first on the server. From the system tray, start OpenVPN by right-clicking the OpenVPN icon and clicking Connect. The resulting OpenVPN dialog box will display a number of status messages. If the connection is successful, the icon will turn yellow and the program will begin waiting for new connections. To start the OpenVPN connection from a command prompt, type

openvpn --config myOpenVpnConfig.ovpn

Next, connect the client by repeating the above steps, as Figure 1 shows. The icon will turn green when a successful connection is established, and you'll see the message in Figure 2. Once you're connected, you should be able to access any network-based application on the remote network—for example, you can test the connection by pinging a server on the remote network from the client. You have now configured your free, open-source VPN.

Right for You?
OpenVPN is reliable and resilient to network outages. If your network connection is interrupted while you have a VPN connected, OpenVPN does a good job of automatically reconnecting after the network connection is restored.

For basic installations, such as the one this article describes, OpenVPN lets you create a VPN tunnel quickly, without a lot of additional resources. The learning curve gets steeper with more advanced configurations, for example if you require user-based authentication, VPN address pool allocation, or multiple tunnels behind a Network Address Translation (NAT)-based firewall. OpenVPN supports these options but requires a deeper understanding of OpenVPN's nuances. For such scenarios, commercial VPNs tend to be easier to set up simply because they typically offer an online interface and technical support to assist with advanced features.

Commercial VPNs have also dropped quite a bit in price: You can purchase a commercial VPN concentrator that supports hundreds of users for just a few thousand dollars. On the other hand, OpenVPN's single UDP or TCP port avoids many of the firewall and NAT incompatibilities that plagued early IPsec tunnels. OpenVPN isn't for everyone; midsized to large companies will probably be better served by continuing to run commercial VPN products. For labs or small offices, however, where purchase cost is a large factor and configuration requirements aren't generally as sophisticated, OpenVPN provides a terrific solution at an unbeatable price.




Reader Comments

Excellent article. Very relevant information and thorough explanation.
Anonymous User, May 18, 2005

very comprehensive tutorial
Anonymous User, July 27, 2005

Good introduction to the topic!
Anonymous User, August 10, 2005

Excellent article to start working with OpenVPN in Windows...
Anonymous User, August 18, 2005

OpenVPN gives the VPN a new point of view
lukas_h, March 11, 2007

Fine
engman, July 14, 2008


Windows IT Pro is a division of Penton Media Inc. Copyright © 2008 Penton Media, Inc. All rights reserved.