Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
OpenVPN 2 Cookbook

You're reading from   OpenVPN 2 Cookbook Everything you need to know to master the intricacies of OpenVPN 2 is contained in this cookbook. Packed with recipes, tips, and tricks, it's the perfect companion for anybody wanting to build a secure virtual private network.

Arrow left icon
Product type Paperback
Published in Feb 2011
Publisher Packt
ISBN-13 9781849510103
Length 356 pages
Edition Edition
Tools
Concepts
Arrow right icon
Toc

Table of Contents (19) Chapters Close

OpenVPN 2 Cookbook
Credits
About the Author
About the Reviewers
www.PacktPub.com
Preface
1. Point-to-Point Networks FREE CHAPTER 2. Client-server IP-only Networks 3. Client-server Ethernet-style Networks 4. PKI, Certificates, and OpenSSL 5. Two-factor Authentication with PKCS#11 6. Scripting and Plugins 7. Troubleshooting OpenVPN: Configurations 8. Troubleshooting OpenVPN: Routing 9. Performance Tuning 10. OS Integration 11. Advanced Configuration 12. New Features of OpenVPN 2.1 and 2.2 Index

Multiple secret keys


As stated in the previous recipe, OpenVPN uses two symmetric keys when setting up a point-to-point connection. However, it is also possible to use shared, yet asymmetric keys in point-to-point mode. OpenVPN will use four keys in this case:

  • A Cipher key on the client side

  • An HMAC key on the client side

  • A Cipher key on the server side

  • An HMAC key on the server side

The same keying material is shared by both sides of the point-to-point connection but those keys that are derived for encrypting and signing the data are different for each side. This recipe explains how to set up OpenVPN in this manner and how the keys can be made visible.

Getting ready

For this recipe, we use the secret.key file from the previous recipe. Install OpenVPN 2.0 or higher on two computers. Make sure that the computers are connected over a network. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. The client was running Windows XP SP3 and OpenVPN 2.1.1.

How to do it...

  1. We launch the server (listening) side OpenVPN process with an extra option to the --secret parameter and with more verbose logging:

        [root@server]# openvpn \
                --ifconfig 10.200.0.1 10.200.0.2 \
                --dev tun --secret secret.key 0 \
                --verb 7
    
  2. Then we launch the client-side OpenVPN process:

      [WinClient] C:\>"\Program Files\OpenVPN\bin\openvpn.exe" \
                --ifconfig 10.200.0.2 10.200.0.1 \
                --dev tun --secret secret.key 1\
                --remote openvpnserver \
                --verb 7
    

    The connection will be established with a lot of debugging messages.

  3. If we look through the server-side messages (searching for crypt), we can find the negotiated keys on the server side. Note that the output has been reformatted for clarity:

    … Static Encrypt:
    Cipher 'BF-CBC' initialized with 128 bit key
    … Static Encrypt: 
    CIPHER KEY: 80797ddc 547fbdef 79eb353f 2a1f3d1f
    … Static Encrypt:
    Using 160 bit message hash 'SHA1' for HMAC authentication
    … Static Encrypt: 
    HMAC KEY: c752f254 cc4ac230 83bd8daf 6141e73d 844764d8
    … Static Decrypt: 
    Cipher 'BF-CBC' initialized with 128 bit key
    … Static Decrypt: 
    CIPHER KEY: 8cf9abdd 371392b1 14b51523 25302c99
    … Static Decrypt: 
    Using 160 bit message hash 'SHA1' for HMAC authentication
    … Static Decrypt: 
    HMAC KEY: 39e06d8e 20c0d3c6 0f63b3e7 d94f35af bd744b27
    

On the client side, we will find the same keys but the 'Encrypt' and 'Decrypt' keys have been reversed:

… Static Encrypt: 
Cipher 'BF-CBC' initialized with 128 bit key
… Static Encrypt: 
CIPHER KEY: 8cf9abdd 371392b1 14b51523 25302c99
… Static Encrypt: 
Using 160 bit message hash 'SHA1' for HMAC authentication
… Static Encrypt: 
HMAC KEY: 39e06d8e 20c0d3c6 0f63b3e7 d94f35af bd744b27
… Static Decrypt: 
Cipher 'BF-CBC' initialized with 128 bit key
… Static Decrypt: 
CIPHER KEY: 80797ddc 547fbdef 79eb353f 2a1f3d1f
… Static Decrypt: 
Using 160 bit message hash 'SHA1' for HMAC authentication
… Static Decrypt: 
HMAC KEY: c752f254 cc4ac230 83bd8daf 6141e73d 844764d8

If you look at the keys carefully, you can see that each one of them is mirrored on the client and the server side.

How it works...

OpenVPN derives all keys from the static.key file, provided that there is enough entropy (randomness) in the file to reliably generate four keys. All keys generated using the following will have enough entropy:

$ openvpn –-genkey –-secret secret.key

An OpenVPN static key file is 2048 bits in size. The Cipher keys are each 128 bits, whereas the HMAC keys are 160 bits each, for a total of 776 bits. This allows OpenVPN to easily generate four random keys from the static key file, even if a cipher is chosen that requires a larger initialization key.

There's more...

The same secret key files are used in a client/server setup when the following parameter is used: tls-auth ta.key.

See also

  • Chapter 2's recipe, Setting up the public and private keys, in which the tls-auth key is generated in a very similar manner.

You have been reading a chapter from
OpenVPN 2 Cookbook
Published in: Feb 2011
Publisher: Packt
ISBN-13: 9781849510103
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image