
OpenVPN and Wireless Security

1. Describe in detail the steps that two OpenVPN clients and the OpenVPN server must do to communicate with each other. Describe the entire path of a data packet that travels from a client to the second, including the processing made by the server (max 2 pages).

OpenVPN is an open source software that implements an SSL VPN. OpenVPN communicates using packets encapsulated in TCP segments or UDP datagrams. What OpenVPN offers is a secure way for two or more devices to communicate over a public infrastructure. Two nodes that want to communicate must first raise a tunnel, which transports the data in a secure manner. The data is actually encrypted, encapsulated and released via the public network. Considering the security measures that OpenVPN takes, encryption, authentication, integrity and non-repudiation may be mentioned. Let us consider the following simple topology.

Firstly, in order for the communication to be possible, virtual network interfaces must be created on the Server. In this case, since OpenVPN is configured in server mode, only one VNI is needed, since there is only one OpenVPN instance. Also, on the Server, a virtual network subnet is created and routing rules are established. Now the Server is practically waiting for connections. Client1 wants to send a packet to Client2. Firstly, the tunnel must be established between the Server and the two clients. For this to be possible, the two clients need an IP from the virtual network subnet. An IP is given only after authentication. Every client must follow the next steps. If the pre-shared-key authentication method is used, on one of the two devices (server or client) a "secret" is generated. This "secret" must be securely sent to the other peer using SSH or a physical device (a floppy disk or a flash drive). The generated "secret" contains, among other things, the Encryption key (used to encrypt the actual data) and the Hash key (used in the hash algorithm). If certificates are used for authentication, then both devices must first generate a private and a public key. The private key always remains secret. The devices generate a CSR (Certificate Signing Request) which is sent to the CA (Certificate Authority). The CA constructs the certificates and sends them back to the devices, along with its public key. Next, the process of sharing the keys for Encryption and Hashing may begin. In our example, we may consider the Server to be the CA. In our scenario, since the case is multi-client, this is the authentication method used. The Server needs the DN of each client in order to apply the right configuration. Now the two clients receive IP addresses from the virtual network subnet and Client1 prepares a packet using the virtual address of Client2.

The packet is pushed to the kernel and the TUN interface sends it to be encrypted and signed using the previously established key and hash; then the data is re-encapsulated inside a public packet which is sent to the OpenVPN Server. The Server receives the packet, decapsulates it and decrypts it. Encryption must be made again, but this time using the keys and hashes established with the client that the packet is destined for.

OpenVPN must decide, based on the routing rules, to which client the packet must be sent. The packet is then encrypted and re-encapsulated in a public packet and sent to Client2 via the public network. Client2 receives the packet on its real interface, decapsulates it and decrypts it. The data is then sent by the TUN interface to the destination application. If an attacker gains access to the Server, not only could he mount a man-in-the-middle attack, but he could also compromise the actual data being sent. Of course, the moment of the attack is also important: before authentication, before data transfer, during data transfer. The attacker could easily change encryption keys and hashes and could even stop the authentication process, modifying the certificates or even removing them completely. Since the CA is established on the Server, the attacker may also generate false certificates. In this case, the secure OpenVPN would become as insecure as it could get.
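The following Python model is an added example, not part of the original answer and not OpenVPN's own code. It follows the data path just described in hub-and-spoke form: each client shares its own encryption key and hash key with the server, the server verifies and decrypts a packet from Client1, routes it on the inner virtual destination address, and re-protects it with Client2's keys. The 8-byte inner header, the constructed session keys and the HMAC-SHA256 counter-mode keystream are stand-ins for illustration (they are not OpenVPN's wire format or cipher suite). It also makes the point of the last paragraph concrete: the server holds every client's keys and necessarily sees each packet in plaintext while re-encrypting it, so a compromised server exposes all tunneled data.

```python
"""Hub-and-spoke data path of an OpenVPN-style server, written as an added example.

Each client shares its own (encryption key, HMAC key) pair with the server. The
server verifies and decrypts a packet from Client1, routes it on the inner
virtual destination address, and re-protects it with Client2's keys. Keys, the
8-byte inner header and the HMAC-SHA256 counter-mode keystream are constructed
stand-ins for illustration; this is not OpenVPN's wire format or cipher suite.
"""
import hashlib
import hmac
import ipaddress
import os
import struct
from dataclasses import dataclass

NONCE_LEN = 16
TAG_LEN = 32


@dataclass
class SessionKeys:
    enc_key: bytes   # the "Encryption key" of the text
    hmac_key: bytes  # the "Hash key" of the text


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative PRF keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect(keys: SessionKeys, inner: bytes) -> bytes:
    """Encrypt-then-MAC the inner packet: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(inner, keystream(keys.enc_key, nonce, len(inner))))
    tag = hmac.new(keys.hmac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(keys: SessionKeys, packet: bytes) -> bytes:
    """Verify the tag before decrypting; any modification is rejected."""
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(keys.hmac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC check failed, packet dropped")
    return bytes(c ^ k for c, k in zip(ct, keystream(keys.enc_key, nonce, len(ct))))


def is_rejected(keys: SessionKeys, packet: bytes) -> bool:
    """True when the packet fails verification under these keys."""
    try:
        unprotect(keys, packet)
        return False
    except ValueError:
        return True


def build_inner(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed inner packet: 4-byte virtual src, 4-byte virtual dst, payload."""
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + payload


def parse_inner(inner: bytes):
    return (str(ipaddress.IPv4Address(inner[:4])),
            str(ipaddress.IPv4Address(inner[4:8])),
            inner[8:])


class Server:
    """Keeps one SessionKeys per authenticated client, indexed by virtual IP."""

    def __init__(self):
        self.routes = {}          # virtual IP -> SessionKeys (the "routing rules")
        self.seen_plaintext = []  # everything a compromised server could read

    def register(self, virtual_ip: str) -> SessionKeys:
        """Stand-in for authentication plus virtual-IP assignment."""
        keys = SessionKeys(os.urandom(32), os.urandom(32))
        self.routes[virtual_ip] = keys
        return keys

    def forward(self, sender_ip: str, public_packet: bytes):
        """Decapsulate from the sender, route on the inner dst, re-protect for it.
        Returns None when the destination is not a registered client."""
        inner = unprotect(self.routes[sender_ip], public_packet)
        _, dst, _ = parse_inner(inner)
        self.seen_plaintext.append(inner)   # the server necessarily sees plaintext
        if dst not in self.routes:
            return None
        return protect(self.routes[dst], inner)


def demo():
    """Client1 -> Server -> Client2 round trip; returns what Client2 decrypts."""
    server = Server()
    k1 = server.register("10.8.0.2")
    k2 = server.register("10.8.0.3")
    inner = build_inner("10.8.0.2", "10.8.0.3", b"hello client2")
    to_client2 = server.forward("10.8.0.2", protect(k1, inner))
    return parse_inner(unprotect(k2, to_client2))


if __name__ == "__main__":
    print(demo())
```

Client2 cannot verify or decrypt the packet as Client1 sent it, and a single flipped bit on the public network is rejected by the HMAC check before decryption; only the server, which holds both key pairs, can translate between the two tunnels.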

2. SECURING IEEE 802.11G WLAN USING OPENVPN AND ITS IMPACT ANALYSIS (summary)

Wireless LAN (WLAN) is undoubtedly the most widely used wireless technology. Besides the fact that it is cheap, needs few components and is easy to use, it provides quick access to the Internet and the Intranet almost everywhere. The downside, however, is that using the open air as medium brings up severe security issues. Since Virtual Private Networks have proven to be efficient in securing communications over wired networks, they have also been taken into consideration for securing the WLAN. Here, a way to secure IEEE 802.11g WLAN using OpenVPN is briefly explained.

IEEE 802.11 contains the standards for implementing wireless local area network computer communications. 802.11a, b and g are mostly used. They differ in transfer rate, number of supported connections, susceptibility to interference and range. In the beginning, the method to secure the information transmitted in WLAN was WEP (Wired Equivalent Privacy). Unfortunately, it was later proven that this protocol can be easily broken due to a number of weaknesses: short IVs and keys, crackable authentication message, no key-management protocol. Some of the tools used to expose these vulnerabilities are: Aircrack, dsniff, Kismet, MacStumbler, wep0ff. WLAN needed confidentiality, integrity, origin authentication and replay protection, and this is what a VPN offers with its tunneling of the data.

OpenVPN is an open source software that implements virtual private network infrastructures (VPNs). The traffic is tunneled through the transport layer using TCP or UDP. The security is given by the OpenSSL library. Considering the location of the VPN code in the operating system, the VPNs may be kernel-based or user-space. In the user-space case, the traffic to the VPN must be turned towards the VPN application. This is done using TUN or TAP VNIs (Virtual Network Interfaces).

Figure 1. OpenVPN (two hosts, each shown with its Application, OpenVPN encapsulation, a routing process at the network layer with the virtual and real destination IPs, a virtual TUN/TAP interface and a real interface such as eth0, connected over the public infrastructure)

For assessing the performance of IEEE 802.11g WLAN after implementing OpenVPN, two experimental scenarios were set up. The first one had to measure the throughput under normal conditions and the second one had to analyze the throughput fluctuations when OpenVPN was implemented in the WLAN. For the measurements, throughput, latency, frame loss and IP packet delay variation were used as parameters and RFC 4148 was followed. For the metrics, the following RFCs were used: RFC 2544, RFC 2679, RFC 2680, RFC 3393. For the experiment to be possible, the following equipment is necessary: two laptops loaded with Red Hat Enterprise Linux 5, Ethernet cables, a TL-WA601G 108M TP-Link wireless access point and an SPT-2000A Spirent test center.

The setup is represented in the following figure. The measurements were performed for UDP and TCP traffic.

Figure 2. Experiment setup with and without OpenVPN (what is written in red corresponds to what was added with the implementation of OpenVPN; the two virtual interfaces are 20.20.20.1 and 20.20.20.2)

The experiment has revealed that when the frame size is increased, the throughput for both UDP and TCP traffic also increases. The throughput is slightly higher when OpenVPN is implemented with compression, and lower when OpenVPN security is applied. As far as average latency is concerned, bigger frames correspond to higher latency. However, the latency decreases when OpenVPN is not implemented. The measurements have shown that the frame loss percentage increases with the traffic, UDP or TCP. The use of OpenVPN with compression made the IP packet delay variation drop. In conclusion, the implementation of OpenVPN does not bring any improvement for 802.11g WLAN, but if compression is used, then the measurements show an increased performance.
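As an added example (not code from the summarized paper or from this answer), the following Python computes the four parameters named in the experiment description, throughput (RFC 2544), average latency, frame loss rate (RFC 2544) and IP packet delay variation (RFC 3393), over a constructed record of sent and received frames. It also carries through the mechanism behind the "throughput grows with frame size" finding: a fixed per-packet tunnel header is a smaller share of a larger frame. The frame record, the trial duration and the 41-byte overhead figure are made up for the example and are not measured values.

```python
"""Benchmark metrics used in the WLAN/OpenVPN measurements, as an added example.

Not code from the summarized paper or the assignment. It computes the four
parameters the paper reports -- throughput (RFC 2544), average latency, frame
loss rate (RFC 2544) and IP packet delay variation (RFC 3393) -- over a
constructed record of sent and received frames, and shows why larger frames
give higher tunnel throughput: a fixed per-packet header is a smaller share of
a bigger frame. The frame record and the overhead figure are made up here.
"""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional

RFC2544_FRAME_SIZES = (64, 128, 256, 512, 1024, 1280, 1518)


@dataclass
class Frame:
    seq: int
    size_bytes: int
    sent_at: float                 # seconds since trial start
    received_at: Optional[float]   # None when the frame never arrived


def delivered(frames: List[Frame]) -> List[Frame]:
    """Frames that arrived, in sequence order (RFC 3393 consecutive-packet selection)."""
    return sorted((f for f in frames if f.received_at is not None), key=lambda f: f.seq)


def throughput_bps(frames: List[Frame], trial_duration_s: float) -> float:
    """RFC 2544 throughput: bits delivered per second of the trial."""
    return sum(f.size_bytes * 8 for f in delivered(frames)) / trial_duration_s


def average_latency_ms(frames: List[Frame]) -> float:
    """Mean one-way delay of the delivered frames, in milliseconds."""
    return mean(f.received_at - f.sent_at for f in delivered(frames)) * 1000


def frame_loss_percent(frames: List[Frame]) -> float:
    """RFC 2544 frame loss rate: (input_count - output_count) * 100 / input_count."""
    return (len(frames) - len(delivered(frames))) * 100 / len(frames)


def ipdv_ms(frames: List[Frame]) -> List[float]:
    """RFC 3393 IPDV: one-way delay of a packet minus that of the previous
    delivered packet, in milliseconds (one value per consecutive pair)."""
    delays = [f.received_at - f.sent_at for f in delivered(frames)]
    return [(later - earlier) * 1000 for earlier, later in zip(delays, delays[1:])]


def payload_share(frame_size: int, tunnel_overhead_bytes: int) -> float:
    """Fraction of each wire frame that is user data once a tunnel header of
    tunnel_overhead_bytes is added. Rises with frame size, which is the
    mechanism behind the paper's 'throughput grows with frame size' result."""
    return frame_size / (frame_size + tunnel_overhead_bytes)


# Constructed five-frame trial (512-byte frames, one lost); not measured data.
SAMPLE_TRIAL = [
    Frame(0, 512, 0.000, 0.0021),
    Frame(1, 512, 0.001, 0.0032),
    Frame(2, 512, 0.002, None),
    Frame(3, 512, 0.003, 0.0050),
    Frame(4, 512, 0.004, 0.0062),
]
SAMPLE_DURATION_S = 0.005   # constructed trial length, seconds


def summarize(frames: List[Frame], trial_duration_s: float) -> dict:
    return {
        "throughput_bps": throughput_bps(frames, trial_duration_s),
        "avg_latency_ms": average_latency_ms(frames),
        "frame_loss_percent": frame_loss_percent(frames),
        "ipdv_ms": ipdv_ms(frames),
    }


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_TRIAL, SAMPLE_DURATION_S).items():
        print(f"{name}: {value}")
    # 41 bytes is an assumed per-packet overhead, not OpenVPN's exact figure.
    for size in RFC2544_FRAME_SIZES:
        print(f"{size:5d}-byte frame -> payload share {payload_share(size, 41):.3f}")
```

Running the same functions over the UDP and TCP trials, with and without the tunnel, reproduces the comparison the paper makes; the IPDV list is what the "IP packet delay variation" parameter summarizes, and a single lost frame shows up both in the loss percentage and as a gap skipped by the consecutive-pair selection.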