OpenVPN

from Wikipedia, the free encyclopedia
Basic data

Developer: OpenVPN Technologies, Inc.
Year of first release: 2002
Current version: 2.4.9 (April 16, 2020)
Operating system: platform independent
Programming language: C
Category: Virtual private network
License: GPL (free software)
Website: openvpn.net

OpenVPN is free software for setting up a virtual private network (VPN) over an encrypted TLS connection. Either OpenSSL or mbed TLS can be used for the cryptography. OpenVPN uses either UDP or TCP as its transport.

OpenVPN is licensed under the GNU GPL and supports the operating systems Linux (including Android, Maemo and MeeGo as well as the router Linux OpenWrt), Solaris, OpenBSD, FreeBSD, NetBSD, macOS, QNX, Windows Vista/7/8/10 and iOS. There are also customized implementations for a variety of Linux-based end devices, for example set-top boxes from Dream Multimedia or the Fritz!Box routers from AVM.

Background

Often, communication that cannot be read by third parties has to be carried out over an insecure network, such as the Internet or an unencrypted local wireless LAN. Two aspects are essential: sufficient encryption of the communication content and authentication of the communication partners involved.

These security properties can be provided by each application itself using suitable protocols (e.g. SSH, HTTPS, SFTP). Alternatively, it may be desirable to provide this security at a central point, independently of the individual applications. The advantages of the central approach are that the security functions are implemented only once, that the maintenance effort is lower, and that the communication of third-party software over which one has no influence can be secured as well.

Such centrally provided protection is a virtual private network (VPN). OpenVPN is one of many VPN implementations.

Functionality

Communication partners can be individual computers or entire networks of computers. Typical use cases are connecting individual field service employees to their company's network, connecting a branch office to the data center, or connecting geographically distributed servers or data centers to one another. In every case, one of the two communication participants establishes the connection (client) and the other waits for incoming connections (server). For this, the server must be reachable under a fixed IP address or a fixed host name. For computers whose IP address changes constantly because of dial-up connections, this can also be achieved with the help of a dynamic DNS service.

If there is a packet filter or proxy in front of the VPN gateway, or if network address translation (NAT) is carried out, these services must be configured so that the UDP or TCP port assigned in the OpenVPN configuration is allowed through for incoming, forwarded and outgoing traffic. An OpenVPN server instance can only be configured for one port and one protocol. Mixed operation, in which a client may connect over either TCP or UDP, can only be implemented with two server instances running in parallel. After the beta phase of version 2.0, OpenVPN moved from the then standard port 5000 to port 1194, which was registered for OpenVPN. The actual port used can be changed in the configuration as required.

Recognizability

OpenVPN connections can be recognized trivially by deep packet inspection of the known header data of the transmitted packets, regardless of which protocol or port is used. Although deep packet inspection cannot determine the content inside the encrypted tunnel, it can be used, for example, to block the connection, to determine the communication partners and to log the associated metadata. This is particularly relevant where the use of VPN connections is not permitted, for example in countries that prohibit encrypted communication, or, under civil law, when network blocks in company networks are bypassed.
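The header fields such an inspection keys on can be decoded in a few lines. The parser below is an added example for this article, not code from the OpenVPN project; the opcode values are those defined in OpenVPN's ssl.h, the TCP length prefix and the hard-reset layout follow the protocol as shipped without tls-auth/tls-crypt, and the sample packets are constructed here. The strict check shows why matching the opcode alone would misclassify a TLS record header.

```python
import struct
from typing import NamedTuple, Optional

# Opcodes from OpenVPN's ssl.h: upper 5 bits of the first byte; the lower 3 bits are the key id.
OPCODES = {1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
           3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1", 6: "P_DATA_V1",
           7: "P_CONTROL_HARD_RESET_CLIENT_V2", 8: "P_CONTROL_HARD_RESET_SERVER_V2",
           9: "P_DATA_V2", 10: "P_CONTROL_HARD_RESET_CLIENT_V3"}
HARD_RESETS = {1, 2, 7, 8, 10}   # the packets that open a new tunnel
DATA = {6, 9}                    # data packets carry no session id in the clear

class Header(NamedTuple):
    opcode: int
    name: str
    key_id: int
    session_id: Optional[bytes]  # 8-byte session id of the sender (control/ack packets only)

def parse_openvpn(payload: bytes, tcp: bool = False) -> Optional[Header]:
    """Loose check: decode opcode, key id and session id, or return None."""
    if tcp:  # TCP transport prefixes every packet with a 2-byte big-endian length
        if len(payload) < 2 or struct.unpack("!H", payload[:2])[0] != len(payload) - 2:
            return None
        payload = payload[2:]
    if not payload:
        return None
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    if opcode not in OPCODES:
        return None
    session_id = None
    if opcode not in DATA:
        if len(payload) < 9:
            return None
        session_id = payload[1:9]
    return Header(opcode, OPCODES[opcode], key_id, session_id)

def plain_hard_reset(payload: bytes, tcp: bool = False) -> bool:
    """Strict check for a hard reset sent without tls-auth/tls-crypt, whose layout is
    opcode(1) session_id(8) ack_count(1) ack_ids(4*n) [remote_session_id(8) if n>0] packet_id(4).
    With tls-auth an HMAC, packet id and timestamp sit between session id and ack count."""
    h = parse_openvpn(payload, tcp)
    body = payload[2:] if tcp else payload
    if h is None or h.opcode not in HARD_RESETS or len(body) < 10:
        return False
    n = body[9]
    return len(body) == 1 + 8 + 1 + 4 * n + (8 if n else 0) + 4

# Constructed samples: a client hard reset v2 (opcode 7, key id 0 -> 0x38) with no acks and
# packet id 0, the same packet framed for TCP, and a TLS record header whose first byte
# (0x16) also decodes to a valid opcode (2) but whose structure does not fit a hard reset.
SAMPLE_UDP = b"\x38" + b"\x11" * 8 + b"\x00" + b"\x00\x00\x00\x00"
SAMPLE_TCP = struct.pack("!H", len(SAMPLE_UDP)) + SAMPLE_UDP
FAKE_TLS = b"\x16\x03\x01\x00\x20\x01\x00\x00\x1c\x03\x03" + b"\xaa" * 10
```

A production classifier additionally tracks the session id across packets, which is what makes the connection recognizable even when the port is changed.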

Operating modes

OpenVPN has two operating modes, routing and bridging, which are described in the following sections.

Routing

Routing mode is the simplest form of secure communication. It creates an encrypted tunnel between two remote stations through which only IP packets are routed (layer 3). For this purpose, each remote station is assigned a virtual IP address from a fictitious subnet (e.g. 10.8.0.1 and 10.8.0.2).

In principle, direct access to the network behind the remote station is not possible (point-to-point connection). To reach the addresses there, the remote station must forward the data packets using IP forwarding and entries in its routing table, or use network address translation.

Bridging

In contrast to routing, bridging mode allows complete tunneling of Ethernet frames (layer 2). This also permits, for example, the use of alternative protocols such as IPX and the sending of Wake-on-LAN packets.

A client integrates completely transparently into the network it dials into and is assigned an IP address from that subnet, so that broadcasts are forwarded as well. The latter is particularly necessary for the automatic Windows name resolution of the SMB protocol.

To connect to the existing subnet, the virtual network card used by OpenVPN, the so-called TAP device, must be connected to the physical network via a network bridge.

Bridging is somewhat less efficient than routing and scales less well. Restricting client access is also harder to manage than in routing mode.

Authentication

OpenVPN provides two main methods of authentication:

Pre-shared key

With a “pre-shared key” (a static key or password), the data is encrypted and decrypted using this shared key. The method is easy to use and is employed, for example, by commercial proxy providers that also offer OpenVPN-based anonymization services. It has two disadvantages:

  • The key can be compromised through improper handling (e.g. writing it down and forgetting to destroy the note after use)
  • Brute-force attacks on the key, as with a password

The key should therefore be generated with sufficient length and drawn from the largest possible character set; it should not be chosen like a password. Storage of the key should be kept to a bare minimum, so that the key exists only on the endpoints of the VPN connection. Writing the key down or entering it into a password management system represents an additional security risk. The pre-shared key on the end device should be encrypted with a password so that the network is not endangered if the device is lost.

Certificates

Certificate-based authentication via the TLS protocol uses private/public key pairs or X.509 certificates.

The server and each user have their own certificate (public/private key pair). The OpenVPN server only accepts connections whose certificate has been signed by a certification authority known to it. OpenVPN ships with scripts based on OpenSSL (easy-rsa) that allow certificates to be created easily without prior knowledge.

To establish a connection, the client sends data to the server (SSL version and random data). The server replies with the same kind of data and its certificate. The client verifies the certificate. With mutual authentication, the client also sends its certificate to the server. If the check succeeds, the client creates the “pre-master secret” and encrypts it with the server's public key. The server decrypts it with its private key and creates the “master secret”, from which the session keys are derived. These are unique keys used to encrypt and decrypt the data. The client informs the server that from now on all data will be encrypted with the session key; the server confirms this and the tunnel is established. After a certain period of time, OpenVPN automatically replaces the session key.

Certificate-based authentication is considered the most secure form of login. To increase security, it is advisable to store the certificates on a smart card. OpenVPN supports all cards that can be accessed via the Windows Crypto API or PKCS #11.

Front ends

In addition to the command line, various graphical front ends exist for OpenVPN, for example the OpenVPN GUI for Windows, the Tunnelblick program for macOS, OpenVPN-Admin (a C#-based front end written in Mono), KVpnc (an application integrated into the K Desktop Environment), and an integration into NetworkManager (GNOME and K Desktop Environment).

The following is a list of the popular programs for each operating system and device:

Windows

  • OpenVPN GUI
  • OpenVPN MI GUI, a modification of the original GUI that uses the OpenVPN management interface and does not require administrator rights.
  • OpenVPN Admin
  • Securepoint OpenVPN Client Windows, does not require administrator rights and has some comfort functions (saving passwords etc.).
  • Viscosity (Commercial)

macOS

  • Tunnelblick
  • Viscosity
  • Shimo

iOS

  • GuizmOVPN
  • OpenVPN Connect (official version)

Linux

OpenWRT

  • OpenVPN HowTo

Fritz!Box

  • Fritz!Box OpenVPN HowTo
  • Freetz OpenVPN HowTo
  • OpenVPN plugin for GP3

Dreambox

  • OpenVPN plugin for GP3

Android

  • OpenVPN Connect (official version)
  • OpenVPN for Android without root by Arne Schwabe

Maemo

  • OpenVPN for Maemo 5

Literature

  • Dirk Becker: OpenVPN - Das Praxisbuch, updated and expanded edition. Galileo Computing, Bonn 2011, ISBN 978-3-8362-1671-5.
  • Johannes Bauer, Albrecht Liebscher, Klaus Thielking-Riechert: OpenVPN. dpunkt, Heidelberg 2006, ISBN 3-89864-396-4.
  • Sven Riedel: OpenVPN - kurz & gut. O'Reilly, Cologne 2007, ISBN 978-3-89721-529-0.
  • Thomas Zeller: OpenVPN kompakt. bomots, Saarbrücken 2008, ISBN 978-3-939316-51-0.
