OpenVPN: Building and Integrating Virtual Private Networks: Learn how to build secure VPNs using this powerful Open Source application

In mid 1990s, the rise of the Internet and the increase of speed for cheap Internet connections paved the way for new technologies. Many developers, administrators, and, last but not the least, managers had discovered that there might be better solutions than spending several hundreds of dollars, if not thousands of dollars, on dedicated and dial-up access lines.

The idea was to use the Internet for communication between branches and at the same time ensure safety and secrecy of the data transferred. In short: providing secure connections between enterprise branches via low-cost lines using the Internet. This is a very basic description of what VPNs are all about.

A VPN is:

With a VPN, your staff in Sydney can work with the London office as if both were in the same location. The VPN Software provides a virtual network between those sites by using a low-cost Internet connection. This network is only virtual because no real, dedicated network connection to the partner is established.

A VPN can also be described as a set of logical connections secured by special software that establishes privacy by safeguarding the connection endpoints. Today the Internet is the network medium used, and privacy is achieved by modern cryptographic methods.

In the earlier examples, we have discussed several possible scenarios for the use of VPN technology. But one typical VPN solution must be added here: More and more enterprises offer their customers or business partners a protected access to relevant data for their business relations, like ordering formulas or stocking data. Thus, we have three typical scenarios for VPN solutions in modern enterprises:

Each of these typical scenarios requires special security considerations and setups. The external home workers will need different access to servers in the company than the customers and business partners. In fact, access for business partners and customers must be restricted severely.

Now that we have seen how a VPN can securely connect a company in different ways, we will have a closer look at the way VPNs work. To understand the functionality, some basic network concepts need to be understood.

All data exchange in computer networks is based on protocols. Protocols are like languages or rituals that must be used between communication partners in networks. Without the correct use of the correct protocol, communication fails.

There is a huge number of protocols involved in any action you take when you access the Internet or a PC in your local network. Your Network Interface Card (NIC) will communicate with a hub, a switch, or a router; your application will communicate with its pendant or a server on the other PC, and many more protocol-based communication procedures are necessary to exchange data.

Because of this the Open Systems Interconnection (OSI) specification was created. Every protocol used in today's networks can be classified by this scheme.

The OSI specification defines seven numbered layers of data exchange, which start at Layer 1 (the physical layer) of the underlying network media (electrical, optical, or radio signals) and span up to Layer 7 (the application layer), where applications on PCs communicate with each other.

The layers of the OSI model are:

This set of layers is hierarchical and every layer is serving the layer above and the layer below. If the protocols of the physical layer could communicate successfully, then the control is handed to the next layer, the Data Link Layer. Only if all layers, 1 through 6, can communicate successfully, can data exchange between applications (on Layer 7) be achieved.

In the Internet, however, a slightly different approach is used.

The Internet is mainly based on the Internet Protocol (IP).

The layers of the IP model are:

A network packet consists of two parts: header and data. The header is a sort of label containing metadata on sender, recipient, and administrative information for the transfer. On the networking level of an Ethernet network, these packets are called frames. In the context of the Internet Protocol these packets are called datagrams, Internet datagrams, IP datagrams, or simply packets.

So what do VPNs do? VPN Software takes IP packets or Ethernet frames and wraps them into another packet. This may sound complicated, but it is a very simple trick, as the following examples will show:

Example 1: Sending a (not really) anonymous parcel

You want to send a parcel to a friend who lives in a community with strange people, whom you don't trust. Your parcel has the address label with sender and recipient data (like an Internet packet). If you do not want the commune to know that you sent your friend a parcel, but at the same time you want your friend to realize this before he opens it, what would you do? Just wrap the whole parcel in another packet with a different address label (e.g. without your sender information) and no one in the commune will know that this parcel is from you. But your friend will unpack the first layer and see a parcel still unpacked, and with an address label from you.

Example 2: Sending a locked parcel

OK, now let's distrust the commune still more. Somebody might want to open the parcel in order to find out what's inside. To prevent this, you will use a locked case. There are only two keys to the lock, one for you and one for your friend. Only you and your friend can unlock the case and look inside the packet.

VPN Software uses a combination of the earlier two examples:

All VPN Software systems differ only in the special way of wrapping and locking the data.

We have learned already that VPN technology often is called tunneling, because the data in a VPN connection is protected from the Internet as the walls of the a road or rail tunnel protect the traffic in the tunnel from the masses of stone of the mountain above. Let's now have a closer look at how VPN Software does this:

The VPN software in the locations A and B encrypts (lock) and decrypts (unlock) the data and sends it through the tunnel. Like cars or trains in a tunnel, the data cannot go anywhere else but the other tunnel endpoint.

The following are put together and wrapped into one new package:

The new package is then sent to the other tunnel endpoint. The payload of this package now holds the complete IP packet (or network frame), but in encrypted form and thus not readable for anyone not possessing the right key. The new header of the packet simply contains the addresses of sender and recipient and other metadata necessary for and provided by the VPN software used.

Perhaps you have noticed that the amount of data sent grows during the process of "wrapping". Depending on the VPN software used, this so called overhead can become a very important factor. The overhead is the difference between net data sent to the tunnel software and gross data sent through the tunnel by the VPN software. If a file of 1 MB is sent from user A to user B, and this file causes 1.5 MB traffic in the tunnel, then the overhead would be 50%, a very high level. (Please note that every protocol used causes overhead, so not all of that 50% might be the fault of the VPN solution.) The overhead caused by the VPN Software depends on the amount of organizational data and the encryption used. Whereas the first depends only on the VPN Software used, the latter is simply a matter of choice between security and speed. In other words, the better the encryption you use, the more overhead you will produce. Speed versus security is your choice.

The General Routing Encapsulation (GRE) provides a standard for tunneling data, which was defined in 1994 in Request for Comments (RFCs) 1701 and 1702. Perhaps, because this definition is not a protocol definition, but more or less a standard proposal on how to tunnel data, this implementation has found its way into many devices and become the basis for other protocols.

The concept of GRE is pretty simple. A protocol header and a delivery header are added to the original packet and its payload is encapsulated in the new packet. No encryption is done. The advantage of this model are almost obvious—the simplicity offers many possibilities, the transparency enables administrators and routers to look inside the packets and pass decisions based on the type of payload sent. By doing so, special applications can be privileged.

There are many implementations for GRE tunneling software under Linux; only kernel support is necessary, which is fulfilled by most modern distributions.

Encapsulating packages on the OSI Layer 2 has a significant advantage: the tunnel is able to transfer non-IP protocols. IP is a standard used widely in the Internet and in Ethernet networks. However, there are different standards too. Netware Systems, for example, uses the Internetwork Packet Exchange (IPX) protocol to communicate. VPN technologies residing in Layer 2 can theoretically tunnel any kind of packet. In most cases, a virtual Point-to-Point Protocol (PPP) device is established which is used to connect to the other tunnel endpoint. (A PPP device is normally used for modem or DSL connections.)

Four well-known Layer 2 VPN technologies, which are defined by RFCs, use encryption methods and provide user authentication:

Other distinguishing factors between the mentioned systems and protocols are:

These features will be discussed in later chapters.

IPsec is probably the most wide-spread tunneling technology. In fact, it is rather a set of protocols, standards, and mechanisms than a single technology. The wide range of definitions, specifications, and protocols are already the main disadvantages about IPsec. It is a complex technology with many different implementations and many security loopholes. IPsec was a compromise accepted by a commission and therefore is something like a least common denominator agreed upon. This means that IPsec can be used in many different setups and environments, ensuring compatibility, but almost no aspect of it offers the best possible solution.

IPsec was developed as an Internet Security Standard on Layer 3, and has been standardized by the Internet Engineering Task Force (IETF) since 1995. IPsec can be used to encapsulate any traffic of application layers, but no traffic of lower network layers. Neither network frames, IPX packets, nor broadcast messages can be transferred, and network address translation is only possible with restrictions.

Nevertheless, IPsec can use a variety of encryption mechanisms, authentication protocols, and other security associations. IPsec software exists for almost every platform, and compatibility with the implementation of other manufacturers is secured in most cases even though there are significant problems resulting from proprietary extensions.

The main advantage of IPsec is the fact that it is being used everywhere. An administrator can choose from an abundant number of hardware devices and software implementations to provide his or her networks with a secure tunnel.

Basically there are two relevant methods that IPsec uses:

IPsec's security model is probably the most complex of all existing VPN solutions and will be discussed in brief in the next chapter.

It is also possible to establish VPN tunnels only on the application layer. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) solutions follow this approach. The user can access the VPN network of a company through a browser connection between his or her client and the VPN server in the enterprise. A connection is simply started by logging into an HTTPS-secured website with a browser. Meanwhile, there are several promising products available, like SSL-Explorer from http://3sp.com/showSslExplorer.do, and products like these offer great flexibility combined with strong security and easy setup. Using the secure connection the browser offers, users can connect network drives and access services in the remote network. Security is achieved by encrypting traffic using SSL/TLS mechanisms, which have proven to be very reliable and are permanently improved and tested.

OpenVPN is a newer and an outstanding VPN solution. It implements Layer 2 or Layer 3 connections, uses the industry standard SSL/TLS for encryption, and combines almost all features of the mentioned VPN solutions. Its main disadvantage is the fact that there are still few hardware manufacturers integrating it in their solutions.