OpenVPN workshop

From Hackerspace Brussels

OpenVPN workshop
Sat 16 Jan 2010 14:00
till Sat 16 Jan 2010 20:00
openvpn workshop
I can haz VPN-connections
HSB Brussels,Belgium
Christophe, Wouter, Askarel

Setting up VPNs, for fun and profit


HOWTO eID connections:


  • Configuring server + client with password authentication
    • Local pam auth
    • Database auth
  • with certificate authentication
  • with Belgian eID authentication

Then some more exotic things:

  • Create extremely cheap layer2 link between two datacenters
  • The fun and risks of using up and down scripts


  • Wouter
  • Thomas
  • Tazo
  • Koert
  • ptr_
  • Erik
  • Xflame
  • fs111
  • zoobab
  • F.Maulana (AcehDevelopment - Indonesia)
  • .... (you? please add your name )

We need

  • at least two switches (ok, avail at hsb)
  • >= 2 laptops (should be ok, participants laptops)
  • >= 2 machines with 2+ interfaces (can be wireless) (idem)
    • There are 2 servers in HSB that can be used for this in the DatenKlo.
    • I will bring an eID card reader (Wouter)


  • Try to connect HSB to DN42?
    • there is a workshop for connecting to dn42 during 26c3, will try to go there (fs111)
    • Yes will most probably attend that one (tazo)
    • As far as I have understood on the video recording of the talk, DN42 uses Tinc because of its peer based approach, am I right? (zoobab)
  • Create 2 openvpn TUNs on 2 machines in IPv6, and try to load balance ctorrent-ipv6 (zoobab)
  • Install Openwrt-UML, UML, Linux Containers (LXC), OpenVZ, KVM, Qemu, or any other virtualisation to play with multiple openvpn
  • Make a HOWTO on using OpenVPN through an HTTP proxy
  • Fon-ng: anyone willing to improve the (advanced) OpenVPN support on fon-ng, to make such VPN-to-VPN connections?

Final Configs

These configurations help you build an OpenVPN server with PAM authentication (local users).


Files required: server.conf, ca.crt, server.crt, server.key, dh1024.pem

Generate server ssl keys:

/usr/share/doc/openvpn/examples/easy-rsa/2.0# source vars
# ./clean-all
# ./build-ca
# ./build-key-server server   # don't give a password to the key; build-key-server (not build-key) sets nsCertType=server, which the client's "ns-cert-type server" check needs
# ./build-dh

Copy the files keys/ca.crt, server.crt, server.key, dh1024.pem to /etc/openvpn

/etc/openvpn# grep -v -e "^#" -e "^;" -e "^$" server.conf
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0  # VPN subnet handed out to clients (sample-config default, pick your own); without it openvpn is not in multi-client server mode
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
status /var/log/openvpn-status.log
verb 3
plugin /usr/lib/openvpn/ "login login USERNAME password PASSWORD"

Firewall script to activate NAT (needs to run at system or OpenVPN server startup):

/etc/openvpn# cat 
/sbin/iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

Activate IP routing at boot, by uncommenting a line:

root@chri-desktop:/etc# grep -n forward /etc/sysctl.conf 
27:# Uncomment the next line to enable packet forwarding for IPv4
30:# Uncomment the next line to enable packet forwarding for IPv6

Then change the live setting:

sysctl -w net.ipv4.ip_forward=1


Configuration for authentication using user/pass. Required files: client.conf, ca.crt

/etc/openvpn# grep -v -e "^#" -e "^;" -e "^$" client.conf
client  # accept the options the server pushes (routes, redirect-gateway)
dev tun
proto tcp
remote SERVER_HOSTNAME 443  # replace SERVER_HOSTNAME with the server's DNS name or IP address
resolv-retry infinite
ca ca.crt
ns-cert-type server
auth-user-pass  # prompt for the username/password that the server's PAM plugin checks
verb 3

Openvpn workshop @ HSB (by chri)

Table of Contents

1. Presentation
2. Config files examples for OpenVPN server
3. Config files examples for OpenVPN client
3. Network Diagram

1. Presentation

3. Network Diagram

How to draw a network schema / structure a network

OSI model
* 7 layers
** layer 1: physical
** layer 2: the MAC address: your local LAN, the base for connectivity
** layer 3: routing etc.

Please Do Not Throw Sausage Pizza Away (mnemonic for the seven layers, bottom up: Physical, Data link, Network, Transport, Session, Presentation, Application)

banana-network.vsd -- basic sketch of the network (live drawing)

CROSS arrows: routers
PARALLEL arrows : switches

// what's in a netmask (relation of the '24' with the binary netmask)

(A) wants to talk to (B):
* first A checks if B is on the same network (using the configured netmask)
* it finds out B is on the same network (using its netmask)
* so A will do an ARP request (broadcast an ARP question: 'who has B?')
* B responds with its MAC,
* so A knows which MAC to talk to, and can initiate the communication.

A wants to talk with C:
  * C is in a different network (IP-A & netmask != IP-C & netmask)
    * A looks at the routing table to see if it can find C
    * (let's say it doesn't find it in its routing table)
    * A sends the packet to the MAC of the gateway/router, which forwards it to C's network (the router can talk locally on both networks, as in the previous case)

(so a router needs an IP for each network it wants to talk to directly)
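
The decision described in the two walkthroughs above, as an added Python illustration (not code from the workshop page): the '24' is just the number of leading 1 bits in the mask, A ANDs its own address and B's with that mask, and the result decides whether A ARPs for B itself or for the gateway. Hosts, prefix and gateway address are constructed for the example.

```python
import ipaddress

# Constructed example: host A and host B on 192.168.1.0/24, host C somewhere
# else, one default gateway. Added to illustrate the notes above; none of this
# is code from the workshop page.

def netmask_of(prefix):
    """'/24' -> '255.255.255.0': the prefix length is the count of leading 1 bits."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)

def netmask_bits(prefix):
    """The same mask as the 32-bit string the host really ANDs with."""
    return format(int(ipaddress.IPv4Address(netmask_of(prefix))), "032b")

def network_part(ip, prefix):
    """IP AND netmask, as an integer: the value A computes for itself and for B."""
    mask = int(ipaddress.IPv4Address(netmask_of(prefix)))
    return int(ipaddress.IPv4Address(ip)) & mask

def same_network(ip_a, ip_b, prefix):
    """A's first question: does B's network part equal mine?"""
    return network_part(ip_a, prefix) == network_part(ip_b, prefix)

def first_hop(src_ip, prefix, dst_ip, default_gateway=None):
    """Whose MAC does A ARP for?

    ('arp', dst_ip)       -> B is local: broadcast 'who has dst_ip?', then talk to B directly
    ('arp', gateway)      -> C is elsewhere: hand the frame to the router's MAC, it forwards
    ('unreachable', None) -> no local match and no route at all (nothing to ARP for)
    """
    if same_network(src_ip, dst_ip, prefix):
        return ("arp", dst_ip)
    if default_gateway is None:
        return ("unreachable", None)
    return ("arp", default_gateway)

if __name__ == "__main__":
    print(netmask_of(24), netmask_bits(24))
    print(first_hop("192.168.1.10", 24, "192.168.1.20", "192.168.1.1"))
    print(first_hop("192.168.1.10", 24, "10.0.0.5", "192.168.1.1"))
```

Changing the prefix changes the answer: with /27 instead of /24, 192.168.1.10 and 192.168.1.40 are no longer neighbours and A goes to the router for the second one.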

'''bridge''': you throw packets in at one side, they come out the other end (eg. a hub, a WiFi access point, etc.). A switch is an intelligent kind of bridge.

'''firewall''': filters according to rules
eg. routers most of the time support simple filtering
a firewall also keeps state of opened connections etc.

NAT-ing: connect your whole local thingy to the big bad stormy internet

* 1-1 NAT: just replace the IP address field in the IP packet
* Hide NAT: keeps a table of which local IP (and port) a connection arriving on a specific port (on the internet side) should be forwarded to (eg. think of your little home internet connection box) -- in Linux this is called masquerading.
* port forwarding:
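
The two NAT flavours from the list above as a toy model in Python, added here as an illustration and not taken from the page: 1-1 NAT only rewrites the address field, while hide NAT (masquerading) needs a state table keyed on the public port, which is also why an unsolicited inbound packet is dropped unless a port forward says where it belongs. All addresses and ports are constructed.

```python
# Constructed toy model of the two NAT flavours from the notes above, added as
# an illustration; it is not the page's code nor a model of any real router.

def one_to_one_nat(packet, mapping):
    """1-1 NAT: only the source IP field is rewritten, ports are untouched."""
    src_ip, src_port, dst_ip, dst_port = packet
    return (mapping[src_ip], src_port, dst_ip, dst_port)


class HideNat:
    """Masquerading box: one public IP, a state table keyed on the public port."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}     # public_port -> (local_ip, local_port, remote_ip, remote_port)
        self.forwards = {}  # public_port -> (local_ip, local_port): static port forwards

    def add_port_forward(self, public_port, local_ip, local_port):
        self.forwards[public_port] = (local_ip, local_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """LAN -> internet: the source becomes (public_ip, allocated port); the
        table remembers which local host/port owns that public port."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        for public_port, known in self.table.items():
            if known == flow:                      # already tracked: reuse the port
                return (self.public_ip, public_port, dst_ip, dst_port)
        public_port = self.next_port
        self.next_port += 1
        self.table[public_port] = flow
        return (self.public_ip, public_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """internet -> public_ip:dst_port. A reply to a tracked flow is rewritten
        to the local host that opened it; anything else is dropped (None) unless
        a port forward says where it should go."""
        known = self.table.get(dst_port)
        if known and known[2:] == (src_ip, src_port):
            return (src_ip, src_port, known[0], known[1])
        if dst_port in self.forwards:
            local_ip, local_port = self.forwards[dst_port]
            return (src_ip, src_port, local_ip, local_port)
        return None


if __name__ == "__main__":
    nat = HideNat("203.0.113.5")
    print(nat.outbound("192.168.1.10", 51000, "198.51.100.7", 80))
    print(nat.inbound("198.51.100.7", 80, 40000))
    print(nat.inbound("198.51.100.9", 1234, 22))   # nobody asked for this: dropped
```

Two LAN hosts using the same source port get different public ports, which is the whole reason the table is keyed on ports and not on addresses alone.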

=2 OpenVPN specifics=

libssl (apparently SSL has a default way to format packets)

===those damn certificates===
kinds of certificates
* Public Key + Private Key = valid Keypair 

(little comment on PGP, which doesn't have the hierarchical nature of PKI/SSL)

* tun - layer 3, IPv4
* tun6 - layer 3, IPv6
* tap - layer 2 -- like you're on the same switch
why would I use tun then? tap seems so much cooler & easier?
 - a lot of layer 2 protocols broadcast their info (ARP etc.), so all these messages will also end up coming to you over the tunnel, which is mostly not desirable
   (so layer 2 is only used when you've got a big pipe, and want to connect two sites)

authentication means verifying you're talking to the person you think you're talking to.

user auth : username+passwd or using PKI (certificates)
server auth: using PKI (certificates)


who can access what : user rights

IT-dude: access everything over VPN
financial dude: should only access fin. server
--> not possible with OpenVPN unless you go scripting the thing

==up & down scripts==
a whole bunch

=3 practical stuff=

== install openvpn  ==

get sources
or use yr beloved packagemanager

== example directory ==

static-home.conf -- not using certificates for auth
it's a client config that will connect to a remote
it sets a static IP config for the client -- chri doesn't like it, so we get out of here

== config the server ==

server.conf.gz -- extracted the bunch & put it in /etc/openvpn

# and ; are both comment markers!

default: sending traffic over UDP (for efficiency reasons)
proto udp
(or use tcp if you want to traverse NAT etc.)

ssl aka UFBP protocol - 'universal firewall bypass'

ca : certificate authority the server certificate is signed with
cert : public key (certificate) of your server
key : private key of your server
dh : Diffie-Hellman parameters: used to set up the encryption keys (instead of using some random value?)
in the default config: any user with a certificate signed by this CA is granted access

server : IP settings for our tun device
(for tap interfaces OpenVPN won't mother you)

push:  pushed from server to client
(the client can setup/change routes on it's own of course)

push "redirect-gateway def1 bypass-dhcp"

def1: a trick to make sure OpenVPN doesn't delete your gateway config -- it just adds its own routes -- which is nice when you disconnect your VPN, as OpenVPN will delete its own routing rules and your old gateway routing will be effective again.
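
The trick the note above describes, as an added Python illustration (not code from the page): redirect-gateway def1 installs 0.0.0.0/1 and 128.0.0.0/1 via the VPN plus a host route to the VPN server via the old gateway; the two /1 routes are more specific than 0.0.0.0/0, so they win longest-prefix matching while the old default route stays untouched, and removing them on disconnect restores the original table. Addresses are constructed.

```python
import ipaddress

# Constructed routing table for a laptop behind a home router, added to
# illustrate the def1 note above; addresses are made up, nothing here comes
# from the workshop's configs.
LAN_GATEWAY = "192.168.1.1"    # the home box: original default route
VPN_SERVER = "198.51.100.7"    # public address of the OpenVPN server
VPN_GATEWAY = "10.8.0.1"       # the server's end of the tun link

def base_table():
    """Routes before the VPN comes up."""
    return [("192.168.1.0/24", "direct"), ("0.0.0.0/0", LAN_GATEWAY)]

def lookup(routes, dst):
    """Longest-prefix match: the most specific matching route wins."""
    best = None
    for cidr, gateway in routes:
        net = ipaddress.ip_network(cidr)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None

DEF1_ROUTES = [
    (VPN_SERVER + "/32", LAN_GATEWAY),  # keep reaching the server via the old gateway
    ("0.0.0.0/1", VPN_GATEWAY),         # lower half of the address space via the tunnel
    ("128.0.0.0/1", VPN_GATEWAY),       # upper half via the tunnel
]

def with_def1(routes):
    """What 'redirect-gateway def1' adds: two /1 routes that are more specific
    than 0.0.0.0/0 and so win the lookup; the old default route stays in place."""
    return routes + DEF1_ROUTES

def without_def1(routes):
    """On disconnect OpenVPN removes only the routes it added."""
    added = {cidr for cidr, _ in DEF1_ROUTES}
    return [r for r in routes if r[0] not in added]

if __name__ == "__main__":
    up = with_def1(base_table())
    for dst in ("8.8.8.8", VPN_SERVER, "192.168.1.50"):
        print(dst, "->", lookup(base_table(), dst), "before;", lookup(up, dst), "with def1")
```

Note that the LAN /24 still beats the /1 routes, so local printers and file shares keep working while everything else goes through the tunnel.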

client-to-client: by default, as tun is a point-to-point link, clients don't see each other (and end up in separate networks!)

keepalive: with TCP the state of the link is monitored through the connection status; with UDP the keepalive settings are used

reduce privileges: only be aware that the OpenVPN server, upon disconnecting, will not be able to do a full cleanup (routes etc.)

== add some PAM ==

plugin /usr/lib/openvpn/ "login login USERNAME etc

to add some authentication mechanism to your server
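
A small parser and checker for the config format discussed above (the "# and ; are both comment markers" rule, inline comments like the one on the key line, quoted arguments like the push and plugin lines), written in Python as an added example; it is not code from the page or from the OpenVPN project. The two sample configs are constructed: the server one mirrors the workshop's final server.conf but deliberately leaves out the server directive, the client one leaves out auth-user-pass, so the checker has something to report. The PAM plugin filename openvpn-auth-pam.so and the hostname vpn.example.org are assumptions; the page only shows the plugin directory.

```python
import shlex

# Constructed sample configs (not the page's files). The server one mirrors the
# workshop's server.conf but lacks "server"; the client one lacks "auth-user-pass".
# The PAM plugin filename is an assumption (Debian's openvpn-auth-pam.so); the page
# itself shows only the directory.
SERVER_CONF = """\
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
;status /var/log/openvpn-status.log
verb 3
plugin /usr/lib/openvpn/openvpn-auth-pam.so "login login USERNAME password PASSWORD"
"""

CLIENT_CONF = """\
client
dev tun
proto tcp
remote vpn.example.org 443
resolv-retry infinite
ca ca.crt
ns-cert-type server
verb 3
"""

# What a multi-client server doing PAM user/password auth must at least carry,
# and what its client must carry to talk to it.
SERVER_REQUIRED = ("port", "proto", "dev", "ca", "cert", "key", "dh", "server", "plugin")
CLIENT_REQUIRED = ("client", "dev", "proto", "remote", "ca", "auth-user-pass")


def parse_openvpn(text):
    """Parse OpenVPN config text into [(directive, [args...]), ...].

    A line whose first non-blank character is '#' or ';' is a comment; a '#'
    later on the line starts a trailing comment; blank lines are skipped; a
    double-quoted argument stays one argument.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)  # drops the '# ...' tail
        if parts:
            entries.append((parts[0], parts[1:]))
    return entries


def directives(entries):
    return {name for name, _ in entries}


def missing(entries, required):
    """Required directives absent from the parsed config, in the given order."""
    present = directives(entries)
    return [d for d in required if d not in present]


def server_warnings(entries):
    """Non-fatal points worth raising about a server config."""
    warnings = []
    if not {"user", "group"} <= directives(entries):
        warnings.append("no user/group: openvpn keeps running as root after startup")
    return warnings


def client_warnings(entries):
    """The client must check that the peer holds a *server* certificate."""
    warnings = []
    if not {"ns-cert-type", "remote-cert-tls"} & directives(entries):
        warnings.append("no ns-cert-type/remote-cert-tls server: any certificate signed by the CA, "
                        "another user's included, would be accepted as the server")
    return warnings


if __name__ == "__main__":
    server = parse_openvpn(SERVER_CONF)
    client = parse_openvpn(CLIENT_CONF)
    print("server missing:", missing(server, SERVER_REQUIRED), server_warnings(server))
    print("client missing:", missing(client, CLIENT_REQUIRED), client_warnings(client))
```

Run against the two samples it reports server missing ['server'] and client missing ['auth-user-pass'], which are exactly the two things a first attempt at the PAM setup above tends to forget.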

== now generate some certificates & get them signed ==

we need a CA, and certificates signed by this CA

=== generate a CA ===
easy-rsa (in the examples of openvpn)

# source ./vars
(execute the 'vars' script: puts some parameters in your environment)


=== generate and sign a certificate for yr server ===

./build-key-server servername

===  startup openvpn ===

openvpn --config server.conf

=== get some clients connected ===

./build-key myuser

(of course in the real world the user would create his own private/public key pair and generate a CSR (certificate signing request), which you can sign and send back)

== config the client ==

find a sample conf here

-- if you configured the PAM thing, add auth-user-pass to the config

Certificate based authentication:

This looks interesting:

other material (not related to workshop, but good intro to openvpn)