2002.10_Charly's Column-Openvpn.pdf

Charly’s column

SYSADMIN

Secure Connections

Being able to work anywhere in the world just as if you were attached to the

company’s LAN is an appealing prospect, but far too dangerous without taking

security measures. BY CHARLY KÜHNAST

T he solution to this issue is well

we need to load the TUN driver.

known: Use an encrypted point-

to-point connection to build a

tunnel through an insecure network. For

Linux there are a few popular tools

available to help you with this task, such

as Cipe and the freeware IPSec

implementation, FreeS/WAN, and of

course OpenVPN [1] the tool we will be

investigating in this issue.

modprobe tun

should do the trick. We will also need to

enable IP forwarding using the following

syntax:

echo 1 >/proc/sys/net/ipv4/ U

ip_forward

openvpn --remote right --dev U

tun0 --ifconfig 10.0.0.1 U

10.0.0.2 --secret key

Used: OpenSSL and TUN/TAP

The prerequisites for running OpenVPN

are the OpenSSL library and the

TUN/TAP driver. Any of the current

distribution should contain both – if not,

check out [2] and [3]. Just say the magic

words, ./configure; make; make install ,

to unpack the tarball, which is slightly

over 200 KBytes.

To demonstrate the principle of

OpenVPN let’s open up an unencrypted

tunnel between two computers called

left and right . The IP addresses of the

ethernet interfaces are 1.2.3.4 for left and

4.3.2.1 for right .

We can now assign private IP

addresses to the endpoints of the tunnel

on both computers ( /dev/tun0 ). So let’s

assign 10.0.0.1 to the endpoint on left

and 10.0.0.2 to the corresponding

endpoint on right . Before we get started,

We can now type the following

command for left

and the following syntax for right :

openvpn --remote right --dev U

tun0 --ifconfig 10.0.0.1 U

10.0.0.2

openvpn --remote left --dev U

tun0 --ifconfig 10.0.0.2 U

10.0.0.1 --secret key

and a similar command for right

All done! Of course, a shared secret is

not all that secure, if you are in a tight

corner. So I would not recommend using

this method for official secrets. If you

need to keep data secret, you might want

to opt for a TLS based approach –

OpenVPN offers you that possibility.

openvpn --remote left --dev U

tun0 --ifconfig 10.0.0.2 U

10.0.0.1

The tunnel is up and running.

Encrypting the tunnel

For test purposes we can simply ping the

IP addresses of the computers at the

opposite ends of the tunnel, i.e. we ping

10.0.0.2 on left and vice-versa. If this

simple test does exactly what we expect,

we can go on to encrypt the tunnel. The

simplest way of doing this is to agree on

a shared secret. To do so, we simply type

INFO

[ 1] OpenVPN: http://openvpn.sourceforge.net

[2] OpenSSL: http://www.openssl.org

[3] TUN/TAP Drivers:

http://vtun.sourceforge.net/tun

SYSADMIN

Charly Kühnast is a

Unix System

Manager at a public

datacenter in Moers,

near Germany’s

famous River Rhine.

His tasks include

ensuring firewall

security and availability and taking

care of the DMZ (demilitarized zone).

Although Charly started out on IBM

mainframes, he has been working

predominantly with Linux since 1995.

OpenSSH Part I ...................... 50

The first in our series on OpenSSH from

the Administrator’s perspective. The stan-

dard tool for providing encrypted remote

access.

MTRG ............................................ 56

The Multi Router Traffic Grapher’s

speciality is monitoring network traffic

and displaying the results as graphs.

openvpn --genkey --secret key.

on one of the computers. This creates a

key file containing random data that still

needs to be copied securely to the

second computer – we can use scp for

this purpose.

Let’s start up the tunnel using the

following syntax for left :

www.linux-magazine.com

October 2002

The Sysadmin’s Daily Grind: OpenVPN

Plik z chomika:

Inne pliki z tego folderu:

Inne foldery tego chomika: