Virtual Private Network (VPN)

VPN Security
The sample client configuration file client. This error indicates that the client was unable to establish a network connection with the server. Configuring client-specific rules and access policies. Redirecting all network traffic through the VPN is not an entirely problem-free proposition. Now all connecting clients will have their client certificates verified against the CRL, and any positive match will result in the connection being dropped.

VPN Penetration Testing – IKESCAN, HEARTBLEED and MitM

Run the following batch file to copy the configuration files into place (this will overwrite any preexisting vars. Now edit the vars file called vars. Don't leave any of these parameters blank. The final command, build-ca, will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:

Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars. The only parameter which must be explicitly entered is the Common Name. As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses: "Sign the certificate?" If you would like to password-protect your client keys, substitute the build-key-pass script. Remember that for each client, make sure to type the appropriate Common Name when prompted, i.

Always use a unique Common Name for each client. Now we will find our newly generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files: The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel.

Now wait, you may say. Shouldn't it be possible to set up the PKI without a pre-existing secure channel? The answer is ostensibly yes.

In the example above, for the sake of brevity, we generated all private keys in the same place. With a bit more effort, we could have done this differently. For example, instead of generating the client certificate and keys on the server, we could have had the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine.

In turn, the key-signing machine could have processed the CSR and returned a signed certificate to the client. This could have been done without ever requiring that a secret. It's best to use the OpenVPN sample configuration files as a starting point for your own configuration. These files can also be found in. On Windows they are named server. The sample server configuration file is an ideal starting point for an OpenVPN server configuration. Before you use the sample configuration file, you should first edit the ca, cert, key, and dh parameters to point to the files you generated in the PKI section above.

At this point, the server configuration file is usable; however, you still might want to customize it further: If you want to run multiple OpenVPN instances on the same machine, each using a different configuration file, it is possible if you: The sample client configuration file client. To simplify troubleshooting, it's best to initially start the OpenVPN server from the command line or right-click on the.

As in the server configuration, it's best to initially start the OpenVPN server from the command line or on Windows, by right-clicking on the client. A normal client startup on Windows will look similar to the server output above, and should end with the Initialization Sequence Completed message.

Now, try a ping across the VPN from the client. If you are using routing i. If you are using bridging i. If the ping failed or the OpenVPN client initialization failed to complete, here is a checklist of common symptoms and their solutions: See the access policies section below. You have a one-way connection from client to server. The server-to-client direction is blocked by a firewall, usually on the client side. The firewall can be either (a) a personal software firewall running on the client, or (b) the NAT router gateway for the client.

Modify the firewall to allow returning UDP packets from the server to reach the client. See the FAQ for additional troubleshooting information. When executed, the initscript will scan for. The Windows installer will set up a Service Wrapper, but leave it turned off by default. This will configure the service for automatic start on the next reboot.

Use the writepid directive to write the OpenVPN daemon's PID to a file, so that you know where to send the signal (if you are starting openvpn with an initscript, the script may already be passing a --writepid directive on the openvpn command line). While most configuration changes require you to restart the server, there are two directives in particular which refer to files that can be dynamically updated on the fly, and which take immediate effect on the server without needing to restart the server process.

Files in this directory can be updated on the fly, without restarting the server. Note that changes in this directory will only take effect for new connections, not existing connections. If you would like a client-specific configuration file change to take immediate effect on a currently connected client (or one which has disconnected, but where the server has not timed out its instance object), kill the client instance object by using the management interface described below.

This will cause the client to reconnect and use the new client-config-dir file. If you would like to kill a currently connected client whose certificate has just been added to the CRL, use the management interface described below. You can use the management interface directly, by telnetting to the management interface port, or indirectly by using an OpenVPN GUI which itself connects to the management interface.

To enable the management interface on either an OpenVPN server or client, add this to the configuration file: This tells OpenVPN to listen on TCP port for management interface clients (port is an arbitrary choice -- you can use any free port).

Once OpenVPN is running, you can connect to the management interface using a telnet client. Once the VPN is operational in a point-to-point capacity between client and server, it may be desirable to expand the scope of the VPN so that clients can reach multiple machines on the server network, rather than only the server machine itself. For the purpose of this example, we will assume that the server-side LAN uses a subnet of First, you must advertise the This can easily be done with the following server-side config file directive:

One of the benefits of using Ethernet bridging is that you get this for free without needing any additional configuration. In a typical road-warrior or remote-access scenario, the client machine connects to the VPN as a single machine. But suppose the client machine is a gateway for a local LAN (such as a home office), and you would like each machine on the client LAN to be able to route through the VPN.

For this example, we will assume that the client LAN is using the Next, we will deal with the necessary configuration changes on the server side. If the server configuration file does not currently reference a client configuration directory, add one now: In the above directive, ccd should be the name of a directory which has been pre-created in the default directory where the OpenVPN server daemon runs.

When a new client connects to the OpenVPN server, the daemon will check this directory for a file which matches the common name of the connecting client. If a matching file is found, it will be read and processed for additional configuration file directives to be applied to the named client. The next step is to create a file called client2 in the ccd directory. This file should contain the line:

This will tell the OpenVPN server that the Why the redundant route and iroute statements, you might ask? Next, ask yourself if you would like to allow network traffic between client2's subnet If so, add the following to the server config file. This will cause the OpenVPN server to advertise client2's subnet to other connecting clients. The last step, and one that is often forgotten, is to add a route to the server's LAN gateway which directs The outgoing ping would probably reach the machine, but then it wouldn't know how to route the ping reply, because it would have no idea how to reach This requires a more complex setup (maybe not more complex in practice, but more complicated to explain in detail):

For example, suppose you would like connecting clients to use an internal DNS server at Add this to the OpenVPN server configuration: To test this feature on Windows, run the following from a command prompt window after the machine has connected to an OpenVPN server:

Suppose we are setting up a company VPN, and we would like to establish separate access policies for 3 different classes of users: The basic approach we will take is to (a) segregate each user class into its own virtual IP address range, and (b) control access to machines by setting up firewall rules which key off the client's virtual IP address. In our example, suppose that we have a variable number of employees, but only one system administrator, and two contractors.

Our IP allocation approach will be to put all employees into an IP address pool, and then allocate fixed IP addresses for the system administrator and contractors. Note that one of the prerequisites of this example is that you have a software firewall running on the OpenVPN server machine which gives you the ability to define specific firewall rules.

For our example, we will assume the firewall is Linux iptables. Next, let's translate this map into an OpenVPN server configuration. First of all, make sure you've followed the steps above for making the First, define a static unit number for our tun interface, so that we will be able to refer to it later in our firewall rules: Because we will be assigning fixed IP addresses for specific System Administrators and Contractors, we will use a client configuration directory:

Now place special configuration files in the ccd subdirectory to define the fixed IP address for each non-Employee VPN client. Each pair of ifconfig-push addresses represents the virtual client and server IP endpoints. Specifically, the last octet in the IP address of each endpoint pair must be taken from this set:

This completes the OpenVPN configuration. The final step is to add firewall rules to finalize the access policy. For this example, we will use firewall rules in the Linux iptables syntax: To use this authentication method, first add the auth-user-pass directive to the client configuration.

Next, configure the server to use an authentication plugin, which may be a script, shared object, or DLL. The authentication plugin can control whether or not the OpenVPN server allows the client to connect by returning a failure (1) or success (0) value. Script plugins can be used by adding the auth-user-pass-verify directive to the server-side configuration file. See the description of auth-user-pass-verify in the manual page for more information.

For real-world PAM authentication, use the openvpn-auth-pam shared object plugin described below. To use it, add this to the server-side config file: For real-world production use, it's better to use the openvpn-auth-pam plugin, because it has several advantages over the auth-pam.

Note that client-cert-not-required will not obviate the need for a server certificate, so a client connecting to a server which uses client-cert-not-required may remove the cert and key directives from the client configuration file, but not the ca directive, because it is necessary for the client to verify the server certificate.

Dual-factor authentication is a method of authentication that combines two elements: something you have and something you know. Something you have should be a device that cannot be duplicated; such a device can be a cryptographic token that contains a private secret key.

This private key is generated inside the device and never leaves it. If a user possessing this token attempts to access protected services on a remote network, the authorization process which grants or denies network access can establish, with a high degree of certainty, that the user seeking access is in physical possession of a known, certified token.

Something you know can be a password presented to the cryptographic device. Without presenting the proper password you cannot access the private secret key. Another feature of cryptographic devices is to prohibit the use of the private secret key if the wrong password has been presented more than an allowed number of times.

This behavior ensures that if a user lost his device, it would be infeasible for another person to use it. Cryptographic devices are commonly called "smart cards" or "tokens", and are used in conjunction with a PKI (Public Key Infrastructure). The VPN server can examine a X. Since the device cannot be duplicated and requires a valid password, the server is able to authenticate the user with a high degree of confidence.

Dual-factor authentication is much stronger than password-based authentication, because in the worst-case scenario, only one person at a time can use the cryptographic token. Passwords can be guessed and can be exposed to other users, so in the worst-case scenario an infinite number of people could attempt to gain unauthorized access when resources are protected using password-only authentication. If you store the secret private key in a file, the key is usually encrypted by a password. Unlike when using a cryptographic device, the file cannot erase itself automatically after several failed decryption attempts.

This standard specifies an API, called Cryptoki, to devices which hold cryptographic information and perform cryptographic functions. Cryptoki, pronounced "crypto-key" and short for cryptographic token interface, follows a simple object-based approach, addressing the goals of technology independence (any kind of device) and resource sharing (multiple applications accessing multiple devices), presenting to applications a common, logical view of the device called a cryptographic token.

To summarize, PKCS#11 is a standard that can be used by application software to access cryptographic tokens such as smart cards and other devices.

Most device vendors provide a library that implements the PKCS#11 provider interface -- this library can be used by applications in order to access these devices. PKCS#11 is a cross-platform, vendor-independent free standard. The first thing you need to do is to find the provider library; it should be installed with the device drivers.

Each vendor has its own library. A configured token is a token that has a private key object and a certificate object, where both share the same id and label attributes. I know with SSH, only the first connection to a server is possibly open to an active man-in-the-middle attack. Every connection after that checks this file to make sure the public keys match.

But how does VPN encryption work with connection set-up? If not, does this not make VPNs vulnerable to active man-in-the-middle attacks during key exchanges? In order to protect from a man-in-the-middle attack, at least one of the endpoints of the communication needs to have some prior knowledge about the other endpoint. It's usually up to the client to verify that it's talking to the right server, because servers tend to allow potentially any client to connect to them.

The general term for the kind of infrastructure that provides this prior knowledge is a public-key infrastructure. In the case of HTTPS, the prior knowledge normally comes with the intermediate step of a certificate authority. A web browser contains a predefined list of CAs with their public keys, and accepts a website as genuine if it can demonstrate that its public key has been signed by the private key of a CA.

In the case of SSH, the prior knowledge normally comes from having contacted the server previously: on the first connection, it's up to the SSH user to verify the public key. There is no standard followed by VPN software. Here is my configuration: Then, as described here, you should implement a method to check that your clients connect to the correct server and that no man-in-the-middle attack is possible. There is a full list of problems here, and you should take the warnings given by OpenVPN seriously.

But these are just warnings and not the reason for your problem getting a connection. I don't know which relation your client. Was it used to import the VPN settings into NetworkManager? Anyway, you have to check the TCP connection checkbox in the advanced settings dialog of your VPN connection profile.

A VPN will typically protect against most MiTMs between one's computer and the gateway of the VPN, but once the message/traffic has reached its destination it is only semi-anonymized and not 'fully anonymous', meaning there will be one or (typically +) more than one attack that can infiltrate and modify traffic contents. Does a VPN help protect against MiTM? Yes and no. Using a VPN will shut down many of the places where a MiTM attack might happen, but not all of them. Specifically, it will protect your traffic between your device and the VPN gateway, preventing your ISP (or most governments) from performing a MiTM attack targeted toward you. MitM means that you encrypt to the wrong key (and/or accept signatures from the wrong key). If you use public keys for a VPN then this is theoretically possible (but I assume that every serious VPN software takes care of that).