Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases now! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
OpenVPN Cookbook

You're reading from   OpenVPN Cookbook Get the most out of OpenVPN by exploring it's advanced features.

Arrow left icon
Product type Paperback
Published in Feb 2017
Publisher
ISBN-13 9781786463128
Length 400 pages
Edition 2nd Edition
Languages
Tools
Concepts
Arrow right icon
Author (1):
Arrow left icon
Jan Just Keijser Jan Just Keijser
Author Profile Icon Jan Just Keijser
Jan Just Keijser
Arrow right icon
View More author details
Toc

Table of Contents (11) Chapters Close

Preface 1. Point-to-Point Networks 2. Client-server IP-only Networks FREE CHAPTER 3. Client-server Ethernet-style Networks 4. PKI, Certificates, and OpenSSL 5. Scripting and Plugins 6. Troubleshooting OpenVPN - Configurations 7. Troubleshooting OpenVPN - Routing 8. Performance Tuning 9. OS Integration 10. Advanced Configuration

The shortest setup possible

This recipe will explain the shortest setup possible when using OpenVPN. For this setup, you require two computers that are connected over a network (LAN or Internet). We will use both a TUN-style network and a TAP-style network and will focus on the differences between them. A TUN device is used mostly for VPN tunnels where only IP traffic is used. A TAP device allows all the Ethernet frames to be passed over the OpenVPN tunnel, hence providing support for non-IP based protocols, such as IPX and AppleTalk.

While this may seem useless at first glance, it can be very useful to quickly test whether OpenVPN can connect to a remote system.

Getting ready

Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Windows 7 Pro 64bit and OpenVPN 2.3.10.

How to do it...

Here are the steps that you need to follow:

  1. Launch the server-side (listening) OpenVPN process for the TUN-style network:
              [root@server]# openvpn --ifconfig 10.200.0.1 10.200.0.2 \
                --dev tun
    

    Note

    The preceding command should be entered as a single line. The character \ is used to denote the fact that the command continues on the next line.

  2. Then, launch the client-side OpenVPN process:
             [WinClient] C:\>"\Program Files\OpenVPN\bin\openvpn.exe" \
                --ifconfig 10.200.0.2 10.200.0.1 --dev tun \
                --remote openvpnserver.example.com
    

    The following screenshot shows how a connection is established:

    How to do it...

    As soon as the connection is established, we can ping the other end of the tunnel.

  3. Next, stop the tunnel by pressing the F4 function key in the command window and restart both ends of the tunnel using the TAP device.
  4. Launch the server-side (listening) OpenVPN process for the TAP-style network:
    [root@server]# openvpn --ifconfig 10.200.0.1 255.255.255.0 \
            --dev tap
    
  5. Then launch the client-side OpenVPN process:
              [WinClient] C:\>"
    \Program Files\OpenVPN\bin\openvpn.exe" \
                --ifconfig 10.200.0.2 255.255.255.0 --dev tap \
                --remote openvpnserver.example.com
    

The connection will now be established and we can again ping the other end of the tunnel.

How it works...

The server listens on UDP port 1194, which is the OpenVPN default port for incoming connections. The client connects to the server on this port. After the initial handshake, the server configures the first available TUN device with the IP address 10.200.0.1 and it expects the remote end (the Peer address) to be 10.200.0.2.

The client does the opposite: after the initial handshake, the first TUN or TAP-Win32 device is configured with the IP address 10.200.0.2. It expects the remote end (the Peer address) to be 10.200.0.1. After this, the VPN is established.

Note

Notice the warning:

******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext

Here, the data is not secure: all of the data that is sent over the VPN tunnel can be read!

There's more...

Let's look at a couple of different scenarios and check whether they would modify the process.

Using the TCP protocol

In the previous example, we chose the UDP protocol. It would not have made any difference if we had chosen the TCP protocol, provided that we had done that on the server side (the side without --remote) as well as the client side. The following is the code for doing this on the server side:

[root@server]# openvpn --ifconfig 10.200.0.1 10.200.0.2 \
    --dev tun --proto tcp-server

Here's the code for the client side:

[root@client]# openvpn --ifconfig 10.200.0.2 10.200.0.1 \
    --dev tun --proto tcp-client --remote openvpnserver.example.com

Forwarding non-IP traffic over the tunnel

With the TAP-style interface, it is possible to run non-IP traffic over the tunnel. For example, if AppleTalk is configured correctly on both sides, we can query a remote host using the aecho command:

aecho openvpnserver
22 bytes from 65280.1: aep_seq=0. time=26. ms
22 bytes from 65280.1: aep_seq=1. time=26. ms
22 bytes from 65280.1: aep_seq=2. time=27. ms

A tcpdump -nnel -i tap0 command shows that the type of traffic is indeed non-IP-based AppleTalk.

lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime