FreeBSD Online

VPN Designing and Deploying

1. Few words about VPN designs

--------------------------------------------

VPN stands for Virtual Private Networks. VPN Enable organizations to interconnect different offices located in different
places via Internet to build a big Virtual Private Network. Also a VPN allow mobile users (or home users) to access from
other location the local network from their office. VPN will allow sharing of private network services over the Internet in a
secure way.

There are a lot of VPN implementations commercial and free. There are different types of VPN implementations.

Types of VPNs:
- L1VPNs (Layer 1)
- L2VPNs (Layer 2)
- L3VPNs (Layer 3)
- trusted VPNs
- secure VPNs
- network based VPNs
- C(P)E-based VPNs
- multiservice VPNs
- provider-provisioned VPNs
- customer-provisioned VPNs
- remote access VPNs
- site to site VPNs
- LAN to LAN VPNs
- VPWS VPNs
- VPLS VPNs,
- IPLS VPNs
- Internet VPNs
- intranet VPNs
- extranet VPNs
- point to point VPNs
- multipoint to multipoint VPNs
- overlay VPNs
- peer to peer VPNs
- clientless VPNs
- connection-oriented VPNs
- connectionless VPNs

Also these types of VPNs can be implemented using:

- L2TPv2 VPNs
- L2TPv3 VPNs
- PPTP VPNs
- SSL VPNs
- L2F VPNs
- AToM based VPNs
- MPLS Layer 3 VPNs

We will talk in this paper only about a typical Site to Site VPN which will implement with OpenVPN. The following image
shows implementation diagram of a Site to Site VPN (Picture 1).

Picture 1. Site to site VPN

All tunnels between Headquarters and branch offices represent VPN Backbone.

Another stituation freqvently meet is Remote Access VPN. The principles are the same as in Site to site VPN, the VPN
network is composed from dfferent tunnels to an office (see Picture 2).

Picture 2. Remote Access VPN Example

Similar with previous diagram is another one with more details, regarding VPN implementations (Picture 3).

Picture 3. VPN Implementation Example

http://www.freebsdonline.com Powered by Joomla! Generated: 18 April, 2011, 08:36
 FreeBSD Online

For testing purposes we can replace Internet connection with a switch, like in next picture (Picture 4).

To implement a Site to Site VPN we will use open source software OpenVPN.

2. Site to Site VPN with OpenVPN

----------------------------------------

2.1 Features of OpenVPN:

- it supports SSL VPN
- it supports Site to Site VPN, Remote Access VPN. - implements OSI Layer 2 and Layer 3 secure extensions (using
SSL/TLS)
- is available on FreeBSD, Linux and Windows platforms (and also Mac OS X, NetBSD, OpenBSD, Solaris).

Some advantages of OpenVPN:

- tunell any IP subnetwork over a single UDP or TCP port
- OpenSSL library is used, for enryption, authentication and certification
- use any ciphher type or size supported by OpenSSL library
- use static key based conventional encryption or certificate based public key encryption
- tunnel network over NAT

Two encryption modes can be used in OpenVPN:

a) Static Key Based Encryption (Shared Key)
b) Certificate Based Public Key Encryption (PKI - Publik Key Infrastructure).
Also it is possible to use with OpenVPN username/password base authentication.
These two setups will be described in detail later.

2.2 Bridging or Routing setup for OpenVPN

OpenVPN can be setup (regarding network point of view) in two modes: bridging and routing. Bridging is a forwarding
technique used in Local Area Networks (packet switched networks) based on broadcasting to locate network resources
(broadcasting is based on MAC addresses of network cards or devices). Bridge will maintain a list with all network
addresses, so future packets will be forwarded using informations in that list. Keep in mind that bridging is only used in
Local Area Networks (because it uses broadcasting of ARP messages).

2.3 Installing OpenVPN on FreeBSD

You can install OpenVPN from packages or build it from ports.
Installing OpenVPN from packages:
# pkg_add -r openvpn

Building OpenVPN from ports:

# cd /usr/ports/security/openvpn
# make install

After we've installed OpenVPN, type rehash to be able to access openvpn binary without restarting the shell.
We've succesfuly installed OpenVPN. Now we can do loopback test for OpenVPN:

Test cryptography:
# openvpn --genkey --secret key
# openvpn --test-crypto --secret key

Test SSL/TSL negociations:

# cd /usr/local/share/doc/openvpn/sample-config-files/
# openvpn --config loopback-client
# openvpn --config loopback-server

If you get error like "Cannot open sample-keys/dh1024.pem for DH parameters: error:02001002:system library:fopen:No
such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file" then it means certificates must be built first.

After we've installed OpenVPN under FreeBSD we will configure it as server, and then we will configure OpenVPN client
on every station that will connect to the server, from every location.

If we use OpenVPN with routers with NAT we must forward OpenVPN's port to the LAN machine that runs OpenVPN,
and the same port. Default's OpenVPN port is 1194 (or 5000 for older than 2.0 versions), so that port must be router. If
http://www.freebsdonline.com Powered by Joomla! Generated: 18 April, 2011, 08:36
 FreeBSD Online

we start OpenVPN on other port, every connection to every port must be forwarded from router to the respective IP/Port
on LAN.

a) Static Key Based Encryption (Shared Key)

Basicaly this method use a shared static key by both endpoints of a VPN. This method is also called symetric encryption.
Shared key is practicaly generated at one endpoint and then transmited to the other endpoint using a secure channel. If
more than one tunnel is used, the key must be installed on every endpoint. The problem with this type of security
implementation is that if the key is compromised, all past messages can be decrypted by the attacker.

From speed to encrypt/decrypt point of view, symetric encryption algorithms are faster than asymetric encryption
algorithms.

This type of security implementation can be used for automated tunnel setup. If you control both sides, and don't care
about being able to reissue keys or any of those issues, there's little reason not to use them. Static key can be shared to
endpoints for example via an USB stick, so there could not be a problem of security risk.

Static Key Based Encryption Models

Trust Model - endpoints trust integrity of a single shared static key
Authentication Model - endpoints authenticate using that static key
Encryption Model - same key encrypt and decrypt data in both directions

The advantages of using Static Shared Key with OpenVPN is simple setup (you only need to create the key and share it
with the other endpoint) and there is no PKI to maintain (PKI will expire at some time in the future, configurable of course).

Disadvantages of using Static Shared Key: the main disavantage is that this type of setup is less secure than using PKI.
If somebody get your key he/she will gain access to your data. The key must be exchange using a secure channel (which
is not the case with PKI). Also with Static Shared Key you will have one server - one client connection, so if you need
multiple VPN connections you will need to run multiple OpenVPN instances/tunnels. This is less scalable than using PKI.

Example to setup a Site to Site VPN with OpenVPN and static shared key
---------------------------------------------------------------------------------------

To create a static key for VPN :

# openvpn --genkey --secret static.key

Confg file for the VPN Server:

# -------- openvpn-server.conf --------------
secret static.key
ifconfig 192.168.0.1 192.168.0.2
dev tun
# -------- end ------------------------------------

Confg file for the VPN Client:

# -------- openvpn-server.conf --------------
secret static.key
ifconfig 192.168.0.2 192.168.0.1
dev tun
# -------- end ------------------------------------

b) Certificate Based Public Key Encryption (PKI - Public Key Infrastructure).

This is also known as asymetric encryption: both endpoints use two keys, one private and one public. For example
Endpoint 1 send his public key to Endpoint 2 who encrypts data using this public key, that belongs to Endpoint 1.
Encrypted data can be decrypted only by Endpoint 1 using Endpoint 1's private key. The same principle works for
Endpoint 2 which sends his Public key to Endpoint 1. Endpoint 1 will encrypt data using Endpoint 2's public key. The
data will be decrypted only by Endpoint 2 using Endpoint 2's private key. Using this technology private keys must be
keeped secret, and only the public keys have to be exchanged.

For this purpose SSL/TSL library will be used to encrypt data.

Both are secure. PKI is nicer because you can revoke one client, and not have to rekey everyone else. also, you don't
need to give the clients private data.

Example howto setup a Site to Site VPN with Public Key Infrastructure (PKI), CA over TLS
-------------------------------------------------------------------------------------------------------------------------
http://www.freebsdonline.com Powered by Joomla! Generated: 18 April, 2011, 08:36
 FreeBSD Online

This solution is flexible but not as easy to setup as Static Shared Key sollution.
Public Key will be acompanied by a CA - Certificate Authority, a signature certificate used to verify that public key
belongs to the person issued the public key. Also it exist notion of "Web of Trust", the signature belonging to the user, a
self signed certificate.

Certificate Based Public Key Encryption Models

Trust Model - integrity of CA and endpoint private keys is trusted
Authentication Model - Endpoint posess CA public key to verify public key presented by the other endpoint
Encryption Model - PKI is used to setup TLS channel, random session keys will be used for encryption of the tunnel.

Steps to setup an OpenVPN with Public Key Encryption:

1. First we will create a CA certificate for Certificate Authority. Using this certificate we will sign and revoke client
certificates.

CA (certificate authority)
It is more safe to store CA in other place than OpenVPN server.
Then it is issued a private/public key pair:
CA key - this is a private key used to sign certificates
CA cert - signed by CA, used by everyone to check CA signatures

To create self signed CA we do:

# openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt

2. Now we will create a key and a certificate request for the client (this certificate request will be later signed using CA
key.

3. After we've created key and certificate request for the client we will sign the certificate request using CA certificate.
This process validates the request.

4. Send key and certificate to clients

5. Setup OpenVPN configuration files, with proper certificates and keys, then start OpenVPN service.

http://www.freebsdonline.com Powered by Joomla! Generated: 18 April, 2011, 08:36