OS Integration
This has some implications regarding the permissions on the configuration files. Special care also needs to be taken when using the cryptoapicert directive, as by default those certificates end up in the user certificate store, which is not accessible to the SYSTEM account. It is possible to use the cryptoapicert directive, but the imported certificate must be installed as a (local) system certificate and not as a user certificate.
See also
The recipe Windows: using the CryptoAPI store earlier in this chapter, which explains how to use the Windows CryptoAPI store, to store the user certificate and private key.
Windows: public versus private network adapters
With Windows Vista and 7, Microsoft introduced the concept of network classes. Network interfaces can be part of a Private or Public network. When using OpenVPN, one must be careful about which type of network the adapter is placed in. By default, OpenVPN's TAP-Win32 adapter is placed in a Public network, which has the side-effect that it is not possible to mount file shares. In this recipe, we will show how to change the network type so that trusted services such as file sharing are possible over a VPN connection. While this has little to do with configuring OpenVPN per se, this issue comes up often enough to warrant a recipe.
Getting ready
For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. The client computer was running Windows Vista SP1 and OpenVPN 2.1.3. Keep the configuration file, basic-udp-server.conf, from the Chapter 2 recipe Server-side routing at hand, as well as the client configuration file, basic-udp-client.ovpn, from the Chapter 2 recipe Using an ifconfig-pool block.
How to do it...
1. Start the server:
[root@server]# openvpn --config basic-udp-server.conf
2. On the Windows client, launch the OpenVPN GUI application with elevated privileges and start the client.
3. After the VPN connection is established, open the Network and Sharing Center.
4. Click on Customize behind the Unidentified network, as the VPN connection (with adapter name tun0 in this case) has been placed in this network category. A new window will come up.
5. Change the network type to Private and click on the Next button.
6. Click on Close to apply the settings.
How it works...
With Windows Vista/7, each network type has different access rights. The network type with the fewest rights is Public, which means that the applications can set up TCP/IP connections but they cannot access any of the resources available in the Private networks, such as local printers and the local disks. When sharing resources that are on the same network as the OpenVPN client, this can become an issue. By changing the network type of the OpenVPN network adapter to Private, the issue can be resolved.
See also
The recipe Windows Vista/7: elevated privileges earlier in this chapter, which explains in more detail about how to run the OpenVPN GUI application with elevated privileges.
Windows: routing methods
When routes are pushed to a Windows client, there are two methods for adding these routes to the system routing tables:
Using the IPAPI helper functions (the default)
Using the ROUTE.EXE program
In most cases, the IPAPI method works fine, but sometimes, it is necessary to overrule this behavior. In this recipe, we will show how this is done, and what to look for in the client log file to verify that the right method has been chosen.
Getting ready
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. The client computer was running Windows XP SP3 and OpenVPN 2.1.3. Keep the configuration file, basic-udp-server.conf, from the Chapter 2 recipe Server-side routing at hand, as well as the client configuration file, basic-udp-client.ovpn, from the Chapter 2 recipe Using an ifconfig-pool block.
How to do it...
1. Start the server:
[root@server]# openvpn --config basic-udp-server.conf
2. Add the following lines to the basic-udp-client.ovpn configuration file:
verb 5
route-method ipapi
Save this configuration file as example10-9.ovpn.
3. Start the OpenVPN client.
4. After the connection has been established, bring up the Show Status window again and look at the last lines of the connection log. The log will show lines similar to the following:
…C:\WINDOWS\system32\route.exe ADD 10.198.0.0 MASK 255.255.0.0 192.168.200.1
…Route addition via IPAPI succeeded [adaptive]
…Initialization Sequence Completed
Even though the route-method was set to ipapi, the log file prints out the path of the Windows route.exe command. The second line shows that the route was actually added using the IPAPI helper functions.
5. Now, modify the configuration file example10-9.ovpn to:
verb 5
route-method exe
6. Restart the OpenVPN client.
7. Look at the last lines of the connection log again. This time the message Route addition via IPAPI succeeded [adaptive] will not be present in the log file, which means that the route.exe command was used.
How it works...
The route-method directive has three options:
adaptive: First, try the IPAPI method, then fall back to the route.exe method if IPAPI fails. This is the default.
ipapi: Always use the IPAPI helper functions to add routes.
exe: Always use the external program route.exe.
In most cases, the default setting will work fine, although some users report that route-method exe worked better in the original OpenVPN 2.1 release.
Based on this directive, the OpenVPN client will choose how to add routes to the Windows routing tables. Note that if OpenVPN cannot add a route, it will not abort the connection. The current OpenVPN GUI does not detect this and will show a green icon in the taskbar, suggesting a fully successful connection.
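Because OpenVPN keeps the tunnel up even when a pushed route could not be added, and the GUI icon stays green, it is worth checking the client log mechanically rather than by eye. The script below is an added example (not from the book or the OpenVPN project): it classifies each route.exe ADD line from a log tail like the one in step 4 by the method that applied it. The success line is quoted from the page; the failure wordings matched by ROUTE_FAIL are an assumption, as are the timestamps in the constructed sample.

```python
import re
from typing import Dict, List

# Constructed sample log tail, modelled on the lines quoted in the recipe.
# Timestamps are made up; the route.exe path is the default C:\WINDOWS\system32.
SAMPLE_LOG = r"""
Mon Jan 03 10:15:07 2011 C:\WINDOWS\system32\route.exe ADD 10.198.0.0 MASK 255.255.0.0 192.168.200.1
Mon Jan 03 10:15:07 2011 Route addition via IPAPI succeeded [adaptive]
Mon Jan 03 10:15:07 2011 Initialization Sequence Completed
"""

ROUTE_ADD = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)", re.IGNORECASE)
IPAPI_OK = re.compile(r"Route addition via IPAPI succeeded")
# Assumed failure wordings (not quoted on the page); adjust to your OpenVPN version.
ROUTE_FAIL = re.compile(r"IPAPI failed|route add(ition)? (command )?failed", re.IGNORECASE)


def classify_routes(log_text: str) -> List[Dict[str, str]]:
    """Return one record per pushed route with the method that applied it.

    OpenVPN always logs the route.exe command line, so the method is decided
    by what follows it: an IPAPI success line means the IPAPI helpers added
    the route; no such line means route.exe itself was run ('exe'); a failure
    line means the route is missing even though the tunnel stays up.
    """
    routes: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = ROUTE_ADD.search(line)
        if m:
            routes.append({"dest": m.group(1), "mask": m.group(2),
                           "gateway": m.group(3), "method": "exe"})
        elif routes and IPAPI_OK.search(line):
            routes[-1]["method"] = "ipapi"
        elif routes and ROUTE_FAIL.search(line):
            routes[-1]["method"] = "failed"
    return routes


def routes_all_added(log_text: str) -> bool:
    """True only if at least one route was pushed and none of them failed."""
    routes = classify_routes(log_text)
    return bool(routes) and all(r["method"] != "failed" for r in routes)


if __name__ == "__main__":
    for r in classify_routes(SAMPLE_LOG):
        print(f"{r['dest']}/{r['mask']} via {r['gateway']}: {r['method']}")
    print("all routes added:", routes_all_added(SAMPLE_LOG))
```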
There's more...
OpenVPN is preconfigured to look for the route.exe program in the directory C:\WINDOWS\system32. If Windows is installed in a different directory, the win-sys directive can be used. The win-sys directive has two options:
The directory name where the Windows operating system can be found, for example D:\WINDOWS.
The special option env, which means the OpenVPN client will use the contents of the environment variable windir to locate the Windows operating system. This environment variable is always set in a normal Windows setup.