http://www.osnews.com/story/5803/Introduction_to_OpenVPN Exploring the Future of Computing en-us Copyright 2001-2013, David Adams adam+nospam@osnews.com Tue, 18 Jun 2013 05:19:58 GMT http://www.osnews.com/images/osnews.gif http://www.osnews.com http://www.osnews.com/thread? http://www.osnews.com/thread? Openvpn is very good vpn solution:
- easy multiplatforms, no differences in conf like with ipsec
- very easy configuration files (about 6 to 10 short lines)
- support for win, macosx, linux, solaris, *bsd
- very good options for debugging
- and a good community (mailing-lists & co)

on the security aspect, there was once an article on slashdot on the poor security of cipe, vtun and some others. on the opposite, openvpn was granted as a very secure solution. Mon, 26 Jan 2004 05:11:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? Does openVPN Support IPX traffic?

Is it usable for WAN gaming? Mon, 26 Jan 2004 05:12:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? OpenVPN can operate in TAP mode, which is a virtual ethernet connection. Anything that will run across ethernet will run over openvpn (although I don't think its the most efficient way). I have my VPN handing out ips via dhcp.

so, yes it will do IPX. Mon, 26 Jan 2004 05:40:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? What kind of client does it comes with or support? Mon, 26 Jan 2004 06:25:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? same than server: so nearly anything than support tun/tap device:
win, macosx, *bsd, solaris, ... Mon, 26 Jan 2004 06:54:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? sorry, I mean can I use like [ Cisco VPN client, CheckPoint Secure Remote, or Lucent VPN client] connect to OPENVPN server.

Or dose the OpenVPN provide its own client? if so, does it run on Win32?

Thanks Mon, 26 Jan 2004 07:22:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? Anonymous: yes, it provides its own client for all OSes. I've tested it under Win32 and it works like a charm (both as a NT service or as a standalone application). I never had problems with it. Mon, 26 Jan 2004 07:51:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? We are using OpenVPN with a Linux server and some Linux laptops connected through WLAN for many month without hassle. Easy and no problems so far. Mon, 26 Jan 2004 07:51:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? I've been looking for a VPN solution that's based on other methods than key authentication. Does anyone know of VPN servers that is PAM based? It would be nice to intergrate this with the LDAP user database(and such). Mon, 26 Jan 2004 10:47:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? So do I understand correctly that a server requires multiple listening ports if it wants more users to connect? How does the client software know which port to use if the first handful are already in use?

Its biggest plus compared to bare-bones l2tp server is that it encrypts traffic. Everything else is pretty much the same as an l2tp tunnel. Mon, 26 Jan 2004 10:49:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? The port no is predefined per tunnel. So 5001 is set on the server and the client for that tunnel. Mon, 26 Jan 2004 11:50:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? I have to say that I've used ipsec with cisco, watchguard and FreeSwan but in the 3 months I been using OpenvVPN I nearly replaced everything with it where possible. As of ver 1.5 the quality of this software is truely fantastic. I cannot recomend it enough. Mon, 26 Jan 2004 11:55:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? "The port no is predefined per tunnel. So 5001 is set on the server and the client for that tunnel."

Do you have to do this manually? If you do this seems like it would be a nightmare to administer more than a few clients.

Also I was wondering about the speed of SSL encryption vs. hardware based IPSEC. Mon, 26 Jan 2004 12:41:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? > Also I was wondering about the speed of SSL encryption vs. hardware based IPSEC.

Aren't there also hw ssl impls? Mon, 26 Jan 2004 12:46:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? >"The port no is predefined per tunnel. So 5001 is set on >the server and the client for that tunnel."

>Do you have to do this manually? If you do this seems >like it would be a nightmare to administer more than a >few clients.

>Also I was wondering about the speed of SSL encryption >vs. hardware based IPSEC.

Yes it's manual but it takes 2 mins to create a tunnel. I've written my own scripts which cuts it down to a few seconds, but once you have good configs then you can use them as templates for the other tunnels. One template per os is fine.

The first patches are coming thru for multiple tunnels to a single port but dont expect anything in the mainline too soon.

I dont know anything about hardware acceleration but there's quite a few comments on the openvpn mailing list. Mon, 26 Jan 2004 14:43:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? Yup, this is a really good product, all the more so for being multi-platform. Mon, 26 Jan 2004 15:10:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? > multiplatform

Which should soon count one more, when I get vtun working with my tuntap driver for BeOS BONE (it currently compiles but fails in select() after connecting), I should jump on that one. Mon, 26 Jan 2004 16:30:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? I understand and use other VPN solutions (IPSEC and PPTP), but this seems at first glance to be just like creating a tunnel with SSH.. Am I missing the boat here? Mon, 26 Jan 2004 16:39:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? AFAIK ssh only tunnels *ports*, that is, it can tunnel your local port 80 (http), 6000 (X11), ..., but you need to specify each of them.
Here we want to tunnel the whole path from one box to another. Mon, 26 Jan 2004 16:55:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? @ Gabriel Ebner

Yes. See for example "Cryptographic Hardware Support" (OpenBSD's support, not OpenVPN's support) at http://www.openbsd.org/crypto.html for a list.

@ Chris Hamant

IPsec / VPN -> Transport layer.
SSL / SSH -> Application layer.

The difference or preference depends on what you want.

Imagine you work at a company and there's 2 offices. 1 in Great Britain, the main office. One in Germany, a small one. Now, a new software package got released which has to be moved to Germany over the internet in a secure way.

FTP to 10.0.200.1 which is then encrypted over the internet by VPN/IPsec. It goes a bit slower than over LAN but otherwise it is transparent.

Otherwise the internet address has to run FTP over SSL [the horror] or SSH.

VPN / IPsec also gets rid of NAT.

Those are a few practical differences...

A few years ago there was a brilliant article in C'T about VPN. Mon, 26 Jan 2004 17:12:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? The article says that I have to open a firewall port for every user. In an Enterprise environment, this is simply unacceptable. I can't go opening 500 or 1,000 ports for VPN users. Other VPN solutions run over ONE port. The firewall port issue alone is enough to discount OpenVPN as a solution. Is the port information correct, or am I misunderstanding? Mon, 26 Jan 2004 18:17:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? >The article says that I have to open a firewall port for >every user. In an Enterprise environment, this is simply >unacceptable. I can't go opening 500 or 1,000 ports for >VPN users. Other VPN solutions run over ONE port. The >firewall port issue alone is enough to discount OpenVPN >as a solution. Is the port information correct, or am I >misunderstanding?

It's messy yes, but not unacceptable. good scripting can manage the ports. It's no more insecure, the last 999 ports have the same security as the 1st 1.
If you are in an Enterprise environment then chances are this will not be your solution because it is not backed by a bluechip support company. If this is not a problem then you could write a decent management script(s) in a day. One day is nothing for 500-1000 tunnels. Mon, 26 Jan 2004 22:38:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? I don't see any reason why anyone should bother with OpenVPN.
For permanent connections or certificate based solutions, IPSEC is the way to go. Seeing how it is now part of the 2.6 Linux kernel, and has been in FreeBSD and Solaris for years, there is no reason why you should go with anything else. It is available everywhere and requires no additional installations. Also, it is simply unbeatable in security.
For VPN solutions requiring user entered authentication, PPTP is probably the best choice. Great security and almost all Unix OS support interopperability with it (they can act as both server and client). L2TP is also a great solution, providing the best of both worlds (certificate and user entered authentication) and IPSEC for security. However, it is currently proprietary to Microsoft so I would stay away from it until we get Linux clients and servers. Mon, 26 Jan 2004 23:02:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? I don't see any reason why anyone should bother with OpenVPN. For permanent connections or certificate based solutions, IPSEC is the way to go.

Have you tried to deal with IPSec through NAT? It's doable, but if you're a small company that cannot buy a commercial IPSec solution (one that comes with Windows clients that can tunnel IPSec through UDP), it won't work.

I played with FreeS/WAN and Win2K IPSec and it's a nightmare if you must open a VPN link through NAT (you must be able to do that if you want to give your road warriors enough flexibility).
OpenVPN deals with that issue gracefully.

I know the issue is not the protocol itself, but a lack of a free Win2K client that can tunnel IPSec through NAT, but whatever the cause, if it doesn't work, then you must search for something else. Mon, 26 Jan 2004 23:40:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? slash: As Florin said, IPSec isn't easy. Having commercial solutions - Watchguard, Checkpoint, Cisco makes the pain easier, but having both protocol types as well as port types (IPSec) makes NAT hard. ALGs are often required in NAT deployments to keep it all working nicely.

PPTP is similar in that you need a TCP port and another protocol to be supported in your NAT gateway.

As I said earlier, L2TP is great that it's only one port and protocol type to support. This is pretty much L2TP but with encryption.

Also the more complicated with your security you get, the harder it is to support. Suddenly you have you get a self-signed CA for your organisation if you don't want a commercial variety. How do you distribute the PKIs and revocation servers for IPSec? You'll have to face all these questions, and more. Tue, 27 Jan 2004 03:34:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? This looks very promising. I've been having a headache about setting a vpn network up for a while, and this looks like just the ticket. I bought that fvs318 netgear router and it only really has good support with router to router vpn networking. Otherwise you have to pay hundred plus bucks for an exceptionally confusing client program that doesn't seem to work half the time with the windows version you are using.

I will say one thing about the fvs318, it is very easy to configure if it is a router to router connection, and does the best job of a vpn router setup that I have ever seen outside of the CISCO relm. Tue, 27 Jan 2004 08:30:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? I have worked with FreesWan Linux and Win2k roadwarriors over NAT and it works like a charm. I guess you need to combine the Freeswan Nat support and IPtables firewall rules
(i prefer using shorewall to get the job done).
Configuring many ports for OPen VPN is a nightmare. Tue, 27 Jan 2004 14:38:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? I moved all VPN type functions to SSH. One port, no management. Clients can be pre-configured to tunnel the needed ports, so no configuration by the client needed. Very secure. All the applications we needed (file transfer, email, intranet web access, remote GUI application execution, etc.) can be transferred over SSH tunnels. Wide availability of clients (even Java implementations, loadable via web browser). Available for every platform and architecture, and cross-platform compatible. As an ad-hoc solution, no resources are consumed when the connection is not in use. Works easily with NAT (port forward) and firewalls. Support one client or 10,000 makes no different (size the server for concurrent use). Tue, 27 Jan 2004 16:11:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? Ok, can someone explain me what this program is for? I dont know what VPN is, i already have a router with a firewall Tue, 27 Jan 2004 18:05:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? Let's say that you have a private local area network (LAN) at your house and your friend has a private LAN at his house and you want to connect your LAN and your friend's LAN together as though it was one big LAN. A VPN solution will enable you to do it. You can also limit what your friend sees in your LAN and vice-versa. I hope that this helps. Wed, 28 Jan 2004 00:07:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? How does OpenVPN compare to IPSec when it comes to re-establish a broken tunnel (say 1 of the boxes loses connection to Net for 1/2 hour).
Compare to PPTP, IPSec is fantastic as you dont't to worry
about re-establishing the link. IPSec does it automatically, unlike PPTP. Does OPenVPN automatically re-establish the link?
And how to long does it take to establish it?

Dom Wed, 28 Jan 2004 13:07:00 GMT donotreply@osnews.com (Anonymous) Comments http://www.osnews.com/thread? http://www.osnews.com/thread? muito bom realmente Wed, 04 Feb 2004 23:21:00 GMT donotreply@osnews.com (Anonymous) Comments