VPN stands for Virtual Private Network. VPNs enable organizations to interconnect offices located in different
places over the Internet, building one large virtual private network. A VPN also allows mobile users (or home users) to
reach the local network of their office from another location. In short, a VPN allows private network services to be shared over the
Internet in a secure way.
There are many VPN implementations, both commercial and free, and there are many different types of VPN.
Types of VPNs:
- L1VPNs (Layer 1)
- L2VPNs (Layer 2)
- L3VPNs (Layer 3)
- trusted VPNs
- secure VPNs
- network based VPNs
- C(P)E-based VPNs
- multiservice VPNs
- provider-provisioned VPNs
- customer-provisioned VPNs
- remote access VPNs
- site to site VPNs
- LAN to LAN VPNs
- VPWS VPNs
- VPLS VPNs
- IPLS VPNs
- Internet VPNs
- intranet VPNs
- extranet VPNs
- point to point VPNs
- multipoint to multipoint VPNs
- overlay VPNs
- peer to peer VPNs
- clientless VPNs
- connection-oriented VPNs
- connectionless VPNs
In this paper we will talk only about a typical Site to Site VPN, which we will implement with OpenVPN. The following image
shows the implementation diagram of a Site to Site VPN (Picture 1).
Another situation frequently met is the Remote Access VPN. The principles are the same as for a Site to Site VPN; the VPN
network is composed of different tunnels to one office (see Picture 2).
Similar to the previous diagram is another one with more details regarding VPN implementations (Picture 3).
For testing purposes we can replace the Internet connection with a switch, as in the next picture (Picture 4).
To implement a Site to Site VPN we will use the open source software OpenVPN.
After we've installed OpenVPN, type rehash so that the shell finds the openvpn binary without being restarted.
We've successfully installed OpenVPN. Now we can do a loopback test of OpenVPN:
Test cryptography:
# openvpn --genkey --secret key
# openvpn --test-crypto --secret key
If you get an error like "Cannot open sample-keys/dh1024.pem for DH parameters: error:02001002:system library:fopen:No
such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file" it means the certificates must be built first.
Having installed OpenVPN under FreeBSD, we will configure it as a server, and then configure an OpenVPN client
on every station, at every location, that will connect to the server.
If we use OpenVPN behind routers with NAT, we must forward OpenVPN's port on the router to the LAN machine that runs OpenVPN,
keeping the same port number. OpenVPN's default port is 1194 (or 5000 for versions older than 2.0), so that port must be forwarded. If
http://www.freebsdonline.com Powered by Joomla! Generated: 18 April, 2011, 08:36
FreeBSD Online
we start OpenVPN on other ports, every such port must be forwarded from the router to the respective IP/port
on the LAN.
From the point of view of encryption/decryption speed, symmetric encryption algorithms are faster than asymmetric
ones.
This type of security implementation can be used for automated tunnel setup. If you control both sides and don't need
to reissue keys or deal with similar issues, there is little reason not to use it. The static key can be shared between
endpoints, for example via a USB stick, so the key exchange itself need not go over an insecure channel.
The advantages of using a Static Shared Key with OpenVPN are simple setup (you only need to create the key and share it
with the other endpoint) and no PKI to maintain (PKI certificates expire at some point in the future, configurable of course).
Disadvantages of using a Static Shared Key: the main disadvantage is that this type of setup is less secure than using PKI.
If somebody gets your key, he/she gains access to your data. The key must be exchanged over a secure channel (which
is not required with PKI). Also, with a Static Shared Key you have a one server - one client connection, so if you need
multiple VPN connections you will need to run multiple OpenVPN instances/tunnels. This is less scalable than using PKI.
Example: how to set up a Site to Site VPN with OpenVPN and a static shared key
---------------------------------------------------------------------------------------
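As an added example (not from the original article), the following shell functions print the two OpenVPN configuration files for the static shared key Site to Site tunnel discussed above; the LAN ranges (192.168.1.0/24, 192.168.2.0/24), tunnel addresses (10.8.0.1, 10.8.0.2) and the host name vpn-a.example.com are constructed assumptions, and static.key is the file produced by the openvpn --genkey command shown earlier.

```shell
#!/bin/sh
# Added example, not from the original article: print the OpenVPN configuration
# for one side of a Site to Site tunnel protected by a static shared key.
# Assumed (constructed) layout: Site A is the server (LAN 192.168.1.0/24, tunnel
# address 10.8.0.1, reachable as vpn-a.example.com); Site B is the client
# (LAN 192.168.2.0/24, tunnel address 10.8.0.2). static.key was made with
# "openvpn --genkey --secret static.key" and carried to the other site out of
# band; direction 0 (server) / 1 (client) gives each direction its own key half.

# usage: static_site_conf <server|client> <local_tun_ip> <peer_tun_ip> <peer_lan> <peer_mask> [remote_host]
static_site_conf() {
    role=$1; local_tun=$2; peer_tun=$3; peer_lan=$4; peer_mask=$5; remote_host=$6
    case $role in
        server) direction=0 ;;
        client)
            direction=1
            if [ -z "$remote_host" ]; then
                echo "client side needs the server's public name or address" >&2
                return 1
            fi
            ;;
        *) echo "role must be server or client" >&2; return 1 ;;
    esac
    printf '# OpenVPN static-key Site to Site tunnel, %s side\n' "$role"
    if [ "$role" = client ]; then
        printf 'remote %s 1194\n' "$remote_host"        # where the server is reached
    fi
    printf 'port 1194\n'                                 # the port the NAT router must forward
    printf 'proto udp\n'
    printf 'dev tun\n'
    printf 'ifconfig %s %s\n' "$local_tun" "$peer_tun"   # local and peer tunnel addresses
    printf 'route %s %s\n' "$peer_lan" "$peer_mask"      # send the peer's LAN through the tunnel
    printf 'secret static.key %s\n' "$direction"
    printf 'cipher AES-256-CBC\n'                        # symmetric cipher for the data channel
    printf 'auth SHA256\n'                               # HMAC used to authenticate packets
    printf 'keepalive 10 60\n'                           # detect a dead peer and restart
    printf 'persist-key\npersist-tun\n'                  # keep key/tun across restarts without root
    printf 'user nobody\ngroup nobody\n'                 # run unprivileged once the tunnel is up
    printf 'verb 3\n'
}

# usage: write_site_confs <dir>  -> writes site-a.conf (server) and site-b.conf (client) into <dir>
write_site_confs() {
    mkdir -p "$1" || return 1
    static_site_conf server 10.8.0.1 10.8.0.2 192.168.2.0 255.255.255.0 > "$1/site-a.conf" &&
    static_site_conf client 10.8.0.2 10.8.0.1 192.168.1.0 255.255.255.0 vpn-a.example.com > "$1/site-b.conf"
}
```

Each side keeps its own copy of static.key next to the generated file, readable only by root; the client's `route` line points at the server's LAN and vice versa, which is what makes the two offices reachable over the tunnel.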
Both are secure. PKI is nicer because you can revoke one client and not have to rekey everyone else. Also, you don't
need to give the clients private data.
Example: how to set up a Site to Site VPN with Public Key Infrastructure (PKI), CA over TLS
-------------------------------------------------------------------------------------------------------------------------
This solution is flexible but not as easy to set up as the Static Shared Key solution.
The public key is accompanied by a CA (Certificate Authority) certificate, a signing certificate used to verify that a public key
belongs to the person who issued it. There is also the notion of a "Web of Trust", where the signature belongs to the user himself, a
self-signed certificate.
CA (certificate authority)
It is safer to store the CA somewhere other than on the OpenVPN server.
A private/public key pair is then issued:
CA key - the private key used to sign certificates
CA cert - signed by the CA, used by everyone to check CA signatures
2. Now we create a key and a certificate request for the client (this certificate request will later be signed using the CA
key).
3. After we've created the key and certificate request for the client, we sign the certificate request using the CA certificate.
This process validates the request.
5. Set up the OpenVPN configuration files with the proper certificates and keys, then start the OpenVPN service.
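The CA creation, the client key/certificate request and the signing step described above, carried out with the openssl(1) command line as an added example (not the article's own procedure); the names Example-Site-CA and site-b, the key sizes and the lifetimes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: build a small CA, a client key
# plus certificate request, and sign that request with the CA key. Names and
# lifetimes are constructed assumptions.

# usage: build_pki <dir>  -> ca.key ca.crt site-b.key site-b.csr site-b.crt in <dir>
build_pki() (                       # subshell: cd and umask do not leak to the caller
    mkdir -p "$1" && cd "$1" || exit 1
    umask 077                       # new private keys are readable by their owner only
    # CA key pair: ca.key (private) signs requests; ca.crt is handed out so everyone
    # can check the CA's signatures. Keep ca.key off the OpenVPN server, as the text advises.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj /CN=Example-Site-CA \
        -keyout ca.key -out ca.crt 2>/dev/null || exit 1
    # client key and certificate request: site-b.key never leaves the client,
    # only site-b.csr (public key + name) travels to the CA
    openssl req -newkey rsa:2048 -nodes -subj /CN=site-b \
        -keyout site-b.key -out site-b.csr 2>/dev/null || exit 1
    # the CA signs the request; the resulting site-b.crt goes back to the client
    openssl x509 -req -in site-b.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -out site-b.crt 2>/dev/null || exit 1
    chmod 644 ca.crt site-b.crt     # certificates are public; the keys stay mode 0600
)

# usage: verify_cert <ca.crt> <cert.crt>  -> 0 only if the certificate was signed by that CA
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

verify_cert is the check OpenVPN itself performs on a peer certificate against the configured CA; a certificate issued by a different CA fails it even when its subject name is identical.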