Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
OpenVPN 2 Cookbook

You're reading from   OpenVPN 2 Cookbook Everything you need to know to master the intricacies of OpenVPN 2 is contained in this cookbook. Packed with recipes, tips, and tricks, it's the perfect companion for anybody wanting to build a secure virtual private network.

Arrow left icon
Product type Paperback
Published in Feb 2011
Publisher Packt
ISBN-13 9781849510103
Length 356 pages
Edition Edition
Tools
Concepts
Arrow right icon
Toc

Table of Contents (19) Chapters Close

OpenVPN 2 Cookbook
Credits
About the Author
About the Reviewers
www.PacktPub.com
Preface
1. Point-to-Point Networks FREE CHAPTER 2. Client-server IP-only Networks 3. Client-server Ethernet-style Networks 4. PKI, Certificates, and OpenSSL 5. Two-factor Authentication with PKCS#11 6. Scripting and Plugins 7. Troubleshooting OpenVPN: Configurations 8. Troubleshooting OpenVPN: Routing 9. Performance Tuning 10. OS Integration 11. Advanced Configuration 12. New Features of OpenVPN 2.1 and 2.2 Index

Shortest setup possible


This recipe will explain the shortest setup possible when using OpenVPN. For this setup two computers are used that are connected over a network (LAN or Internet). We will use both a TUN-style network and a TAP-style network and will focus on the differences between them. A TUN device is used mostly for VPN tunnels where only IP-traffic is used. A TAP device allows full Ethernet frames to be passed over the OpenVPN tunnel, hence providing support for non-IP based protocols such as IPX and AppleTalk.

While this may seem useless at first glance, it can be very useful to quickly test whether OpenVPN can connect to a remote system.

Getting ready

Install OpenVPN 2.0 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1 and the client was running Windows XP SP3 and OpenVPN 2.1.1.

How to do it...

  1. We launch the server (listening)-side OpenVPN process for the TUN-style network:

    [root@server]# openvpn --ifconfig 10.200.0.1 10.200.0.2 \
    --dev tun
    

    Tip

    The above command should be entered as a single line. The character '\' is used to denote the fact that the command continues on the next line.

  2. Then we launch the client-side OpenVPN process:

        [WinClient] C:\>"\Program Files\OpenVPN\bin\openvpn.exe" \
        --ifconfig 10.200.0.2 10.200.0.1 --dev tun \
                --remote openvpnserver.example.com
    

    The following screenshot shows how a connection is established:

    As soon as the connection is established, we can ping the other end of the tunnel.

  3. Next, we stop the tunnel by pressing the F4 function key in the Command window and we restart both ends of the tunnel using the TAP device:

  4. We launch the server (listening)-side OpenVPN process for the TAP-style network:

        [root@server]# openvpn --ifconfig 10.200.0.1 255.255.255.0 \
                --dev tap 
    
  5. Then we launch the client-side OpenVPN process:

        [WinClient] C:\>"\Program Files\OpenVPN\bin\openvpn.exe" \
                --ifconfig 10.200.0.2 255.255.255.0 --dev tap \
                --remote openvpnserver.example.com
    

The connection is established and we can again ping the other end of the tunnel.

How it works...

The server listens on UDP port 1194, which is the OpenVPN default port for incoming connections. The client connects to the server on this port. After the initial handshake, the server configures the first available TUN device with IP address 10.200.0.1 and it expects the remote end (Peer address) to be 10.200.0.2.

The client does the opposite: after the initial handshake, the first TUN or TAP-Win32 device is configured with IP address 10.200.0.2. It expects the remote end (Peer address) to be 10.200.0.1. After this, the VPN is established.

In case of a TAP-style network, the server configures the first available TAP device with the IP address 10.200.0.01 and netmask 255.255.255.0. Similarly, the client is configured with IP address 10.200.0.2 and netmask 255.255.255.0.

Note

Notice the warning:

******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext

Here, the data is not secure: all the data that is sent over the VPN tunnel can be read!

There's more...

Using the TCP protocol

In the previous example, we chose the UDP protocol. For this example, it would not have made any difference if we had chosen the TCP protocol, provided that we do that on the server side (the side without --remote):

[root@server]# openvpn --ifconfig 10.200.0.1 10.200.0.2 \
    –-dev tun --proto tcp-server

And also on the client side:

[root@server]# openvpn --ifconfig 10.200.0.2 10.200.0.1 \
    --dev tun --proto tcp-client

Forwarding non-IP traffic over the tunnel

It is now possible to run non-IP traffic over the tunnel. For example, if AppleTalk is configured correctly on both sides, we can query a remote host using the aecho command:

aecho openvpnserver
22 bytes from 65280.1: aep_seq=0. time=26. ms
22 bytes from 65280.1: aep_seq=1. time=26. ms
22 bytes from 65280.1: aep_seq=2. time=27. ms

A tcpdump -nnel -i tap0 shows that the type of traffic is indeed non-IP based AppleTalk.

You have been reading a chapter from
OpenVPN 2 Cookbook
Published in: Feb 2011
Publisher: Packt
ISBN-13: 9781849510103
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image