OpenVPN Cookbook - Second Edition - 骏马金龙

Transcription

OpenVPN Cookbook
Second Edition

Discover over 90 practical and exciting recipes that leverage the power of OpenVPN 2.4 to help you obtain a reliable and secure VPN

Jan Just Keijser

BIRMINGHAM - MUMBAI

OpenVPN Cookbook
Second Edition

Copyright 2017 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: February 2011
Second edition: February 2017

Production reference: 1100217

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.

ISBN 978-1-78646-312-8

www.packtpub.com

Credits

Author: Jan Just Keijser
Reviewer: Ralf Hildebrandt
Commissioning Editor: Pratik Shah
Acquisition Editor: Rahul Nair
Content Development Editor: Zeeyan Pinheiro
Technical Editor: Vivek Pala
Copy Editor: Pranjali Chury
Project Coordinator: Izzat Contractor
Proofreader: Safis Editing
Indexer: Tejal Soni
Production Coordinator: Melwyn D'sa

About the Author

Jan Just Keijser is an open source professional from Utrecht, the Netherlands. He has a wide range of experience in IT, ranging from providing user support, system administration, and systems programming to network programming. He has worked for various IT companies since 1989. He was an active USENET contributor in the early 1990s and has been working mainly on Unix/Linux platforms since 1995.

Currently, he is employed as a senior scientific programmer in Amsterdam, the Netherlands, at Nikhef, the institute for subatomic physics from the Dutch Foundation for Fundamental Research on Matter (FOM). He works on multi-core and many-core computing systems and grid computing as well as smartcard applications. His open source interests include all types of virtual private networking, including IPSec, PPTP, and, of course, OpenVPN. In 2004, he discovered OpenVPN and has been using it ever since.

His first book was OpenVPN 2 Cookbook by Packt Publishing in 2011, followed by Mastering OpenVPN, also by Packt Publishing, in 2015.

About the Reviewer

Ralf Hildebrandt is an active and well-known figure in the Postfix community. He's currently employed at Charite, Europe's largest university hospital. OpenVPN has successfully been used at Charite for over 10 years now on a multitude of client operating systems.

Together with Patrick Koetter, he has written the Book of Postfix.

www.PacktPub.com

For support files and downloads related to your book, please visit www.PacktPub.com.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at service@packtpub.com for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

https://www.packtpub.com/mapt

Get the most in-demand software skills with Mapt. Mapt gives you full access to all Packt books and video courses, as well as industry-leading tools to help you plan your personal development and advance your career.

Why subscribe?

Fully searchable across every book published by Packt
Copy and paste, print, and bookmark content
On demand and accessible via a web browser

Customer Feedback

Thanks for purchasing this Packt book. At Packt, quality is at the heart of our editorial process. To help us improve, please leave us an honest review on this book's Amazon page at https://goo.gl/A3V0ND.

If you'd like to join our team of regular reviewers, you can e-mail us at customerreviews@packtpub.com. We award our regular reviewers with free eBooks and videos in exchange for their valuable feedback. Help us be relentless in improving our products!

Table of Contents

Preface

Chapter 1: Point-to-Point Networks
  Introduction
  The shortest setup possible: Getting ready; How to do it; How it works; There's more: Using the TCP protocol, Forwarding non-IP traffic over the tunnel
  OpenVPN secret keys: Getting ready; How to do it; How it works; There's more; See also
  Multiple secret keys: Getting ready; How to do it; How it works; There's more; See also
  Plaintext tunnel: Getting ready; How to do it; How it works; There's more
  Routing: Getting ready; How to do it; How it works; There's more: Routing issues, Automating the setup; See also
  Configuration files versus the command line: Getting ready; How to do it; How it works; There's more: Exceptions to the rule
  Complete site-to-site setup: Getting ready; How to do it; How it works; There's more; See also
  Three-way routing: Getting ready; How to do it; How it works; There's more: Scalability, Routing protocols; See also
  Using IPv6: Getting ready; How to do it; How it works; There's more: Log file errors, IPv6-only tunnel; See also

Chapter 2: Client-server IP-only Networks
  Introduction
  Setting up the public and private keys: Getting ready; How to do it; How it works; There's more: Using the easy-rsa scripts on Windows, Some notes on the different variables; See also
  A simple configuration: Getting ready; How to do it; How it works; There's more
  Server-side routing: Getting ready; How to do it; How it works; There's more: Linear addresses, Using the TCP protocol, Server certificates and ns-cert-type server, Masquerading
  Adding IPv6 support: Getting ready; How to do it; How it works; There's more: IPv6 endpoints, IPv6-only setup
  Using client-config-dir files: Getting ready; How to do it; How it works; There's more: The default configuration file, Troubleshooting, Options allowed in a client-config-dir file
  Routing – subnets on both sides: Getting ready; How to do it; How it works; There's more: Masquerading, Client-to-client subnet routing, No route statements in a CCD file; See also
  Redirecting the default gateway: Getting ready; How to do it; How it works; There's more: Redirect-gateway parameters, The redirect-private option, Split tunneling; See also
  Redirecting the IPv6 default gateway: Getting ready; How to do it; How it works; There's more
  Using an ifconfig-pool block: Getting ready; How to do it; How it works; There's more: Configuration files on Windows, Client-to-client access, Using the TCP protocol
  Using the status file: Getting ready; How to do it; How it works; There's more: Status parameters, Disconnecting clients, Explicit-exit-notify
  The management interface: Getting ready; How to do it; How it works; There's more; See also
  Proxy ARP: Getting ready; How to do it; How it works; There's more: TAP-style networks, User nobody, Broadcast traffic might not always work; See also

Chapter 3: Client-server Ethernet-style Networks
  Simple configuration – non-bridged: Getting ready; How to do it; How it works; There's more: Differences between TUN and TAP, Using the TCP protocol, Making IP forwarding permanent; See also
  Enabling client-to-client traffic: Getting ready; How to do it; How it works; There's more: Broadcast traffic may affect scalability, Filtering traffic, TUN-style networks
  Bridging – Linux: Getting ready; How to do it; How it works; There's more: Fixed addresses and the default gateway, Name resolution; See also
  Bridging – Windows: Getting ready; How to do it; How it works; See also
  Checking broadcast and non-IP traffic: Getting ready; How to do it; How it works
  An external DHCP server: Getting ready; How to do it; How it works; There's more: DHCP server configuration, DHCP, Tweaking /etc/sysconfig/network-scripts
  Using the status file: Getting ready; How to do it; How it works; There's more: Difference with TUN-style networks, Disconnecting clients; See also
  The management interface: Getting ready; How to do it; How it works; There's more; See also
  Integrating IPv6 into TAP-style networks: Getting ready; How to do it; How it works; There's more; See also

Chapter 4: PKI, Certificates, and OpenSSL
  Introduction
  Certificate generation: Getting ready; How to do it; How it works; There's more; See also
  OpenSSL tricks – x509, pkcs12, verify output: Getting ready; How to do it; How it works
  Revoking certificates: Getting ready; How to do it; How it works; There's more: What is needed to revoke a certificate; See also
  The use of CRLs: Getting ready; How to do it; How it works; There's more; See also
  Checking expired/revoked certificates: Getting ready; How to do it; How it works; There's more
  Intermediary CAs: Getting ready; How to do it; How it works; There's more
  Multiple CAs – stacking, using the capath directive: Getting ready; How to do it; How it works; There's more: Using the --capath directive
  Determining the crypto library to be used: Getting ready; How to do it; How it works; There's more; See also
  Crypto features of OpenSSL and PolarSSL: Getting ready; How to do it; How it works; There's more: AEAD Ciphers, Encryption speed
  Pushing ciphers: Getting ready; How to do it; How it works; There's more: Future enhancements
  Elliptic curve support: Getting ready; How to do it; How it works; There's more: Elliptic curve support

Chapter 5: Scripting and Plugins
  Introduction
  Using a client-side up/down script: Getting ready; How to do it; How it works; There's more: Environment variables, Calling the down script before the connection terminates, Advanced – verify the remote hostname
  Using a client-connect script: Getting ready; How to do it; How it works; There's more: Pitfall in using ifconfig-push, The client-disconnect scripts, Environment variables, Absolute paths
  Using a learn-address script: Getting ready; How to do it; How it works; There's more: User nobody, The update action
  Using a tls-verify script: Getting ready; How to do it; How it works; There's more
  Using an auth-user-pass-verify script: Getting ready; How to do it; How it works; There's more: Specifying the username and password in a file on the client, Passing the password via environment variables
  Script order: Getting ready; How to do it; How it works; There's more
  Script security and logging: Getting ready; How to do it; How it works; There's more
  Scripting and IPv6: Getting ready; How to do it; How it works; There's more
  Using the down-root plugin: Getting ready; How to do it; How it works; There's more; See also
  Using the PAM authentication plugin: Getting ready; How to do it; How it works; There's more; See also

Chapter 6: Troubleshooting OpenVPN - Configurations
  Introduction
  Cipher mismatches: Getting ready; How to do it; How it works; There's more: Pushable ciphers
  TUN versus TAP mismatches: Getting ready; How to do it; How it works
  Compression mismatches: Getting ready; How to do it; How it works
  Key mismatches: Getting ready; How to do it; How it works; See also
  Troubleshooting MTU and tun-mtu issues: Getting ready; How to do it; How it works; There's more; See also
  Troubleshooting network connectivity: Getting ready; How to do it; How it works; There's more
  Troubleshooting client-config-dir issues: Getting ready; How to do it; How it works; There's more: More verbose logging, Other frequent client-config-dir mistakes; See also
  Troubleshooting multiple remote issues: Getting ready; How to do it; How it works; There's more; See also
  Troubleshooting bridging: Getting ready; How to do it; How it works; See also
  How to read the OpenVPN log files: Getting ready; How to do it; How it works; There's more

Chapter 7: Troubleshooting OpenVPN - Routing
  Introduction
  The missing return route: Getting ready; How to do it; How it works; There's more: Masquerading, Adding routes on the LAN hosts; See also
  Missing return routes when iroute is used: Getting ready; How to do it; How it works; There's more; See also
  All clients function except the OpenVPN endpoints: Getting ready; How to do it; How it works; There's more; See also
  Source routing: Getting ready; How to do it; How it works; There's more
  Routing and permissions on Windows: Getting ready; How to do it; How it works; There's more
  Unable to change Windows network location: Getting ready; How to do it; How it works; There's more
  Troubleshooting client-to-client traffic routing: Getting ready; How to do it; How it works; There's more; See also
  Understanding the MULTI: bad source warnings: Getting ready; How to do it; How it works; There's more: Other occurrences of the MULTI: bad source message; See also
  Failure when redirecting the default gateway: Getting ready; How to do it; How it works; There's more; See also

Chapter 8: Performance Tuning
  Optimizing performance using ping: Getting ready; How to do it; How it works; There's more; See also
  Optimizing performance using iperf: Getting ready; How to do it; How it works; There's more: Client versus server iperf results, Network latency, Gigabit networks; See also
  Comparing IPv4 and IPv6 speed: Getting ready; How to do it; How it works; There's more: Client versus server iperf results
  OpenSSL cipher speed: Getting ready; How to do it; How it works; There's more; See also
  OpenVPN in Gigabit networks: Getting ready; How to do it; How it works; There's more: Plain-text tunnel, Windows performance
  Compression tests: Getting ready; How to do it; How it works; There's more
  Traffic shaping: Getting ready; How to do it; How it works
  Tuning UDP-based connections: Getting ready; How to do it; How it works; There's more; See also
  Tuning TCP-based connections: Getting ready; How to do it; How it works; There's more
  Analyzing performance using tcpdump: Getting ready; How to do it; How it works; See also

Chapter 9: OS Integration
  Linux – using NetworkManager: Getting ready; How to do it; How it works; There's more: Setting up routes using NetworkManager, DNS settings, Scripting
  Linux – using pull-resolv-conf: Getting ready; How to do it; How it works; There's more
  Windows – elevated privileges: Getting ready; How to do it; How it works
  Windows – using the CryptoAPI store: Getting ready; How to do it; How it works; There's more: The CA certificate file, Certificate fingerprint
  Windows – updating the DNS cache: Getting ready; How to do it; How it works; See also
  Windows – running OpenVPN as a service: Getting ready; How to do it; How it works; There's more: Automatic service startup, OpenVPN user name; See also
  Windows – public versus private network adapters: Getting ready; How to do it; How it works; See also
  Windows – routing methods: Getting ready; How to do it; How it works; There's more
  Windows 8 – ensuring DNS lookups are secure: Getting ready; How to do it; How it works; There's more
  Android – using the OpenVPN for Android clients: Getting ready; How to do it; How it works; There's more; See also
  Push-peer-info – pushing options to Android clients: Getting ready; How to do it; How it works; There's more

Chapter 10: Advanced Configuration
  Introduction
  Including configuration files in config files: Getting ready; How to do it; How it works
  Multiple remotes and remote-random: Getting ready; How to do it; How it works; There's more: Mixing TCP and UDP-based setups, Advantage of using TCP-based connections, Automatically reverting to the first OpenVPN server; See also
  Inline certificates: Getting ready; How to do it; How it works; There's more
  Connection blocks: Getting ready; How to do it; How it works; There's more: Allowed directives inside connection blocks, Pitfalls when mixing TCP and UDP-based setups; See also
  Details of ifconfig-pool-persist: Getting ready; How to do it; How it works; There's more: Specifying the update interval, Caveat – the duplicate-cn option, When topology net30 is used
  Connecting using a SOCKS proxy: Getting ready; How to do it; How it works; There's more: Performance, SOCKS proxies via SSH, SOCKS proxies using plain-text authentication; See also
  Connecting via an HTTP proxy: Getting ready; How to do it; How it works; There's more: http-proxy options, Dodging firewalls, Performance, Using the OpenVPN GUI; See also
  Connecting via an HTTP proxy with authentication: Getting ready; How to do it; How it works; There's more: NTLM proxy authorization, Authentication methods, OpenVPN GUI limitations; See also
  IP-less setups – ifconfig-noexec: Getting ready; How to do it; How it works; There's more: Point-to-point and TUN-style networks, Routing and firewalling
  Port sharing with an HTTPS server: Getting ready; How to do it; How it works; There's more: Alternatives
  Routing features – redirect-private, allow-pull-fqdn: Getting ready; How to do it; How it works; There's more: The route-nopull directive, The max-routes directive; See also
  Filtering out pushed options: Getting ready; How to do it; How it works
  Handing out the public IPs: Getting ready; How to do it; How it works; There's more; See also

Index

Preface

OpenVPN is one of the world's most popular packages for setting up a Virtual Private Network (VPN). OpenVPN provides an extensible VPN framework that has been designed to ease site-specific customization, such as providing the capability to distribute a customized installation package to clients or supporting alternative authentication methods via OpenVPN's plugin module interface. It is widely used by many individuals and companies, and some service providers even offer OpenVPN access as a service to users in remote, unsecured environments.

This book provides you with many different recipes for setting up, monitoring, and troubleshooting an OpenVPN network. The author's experience in troubleshooting OpenVPN and networking configurations enables him to share his insights and solutions to help you get the most out of your OpenVPN setup.

What this book covers

Chapter 1, Point-to-Point Networks, gives an introduction to configuring OpenVPN. The recipes are based on a point-to-point-style network, meaning that only a single client can connect at a time.

Chapter 2, Client-Server IP-Only Networks, introduces the reader to the most commonly-used deployment model for OpenVPN: a single server with multiple remote clients capable of routing IP traffic. This chapter provides the foundation for many of the recipes found in the other chapters.

Chapter 3, Client-Server Ethernet-Style Networks, covers another popular deployment model for OpenVPN: a single server with multiple clients, capable of routing Ethernet traffic. This includes non-IP traffic as well as bridging. You will also learn about the use of an external DHCP server and the use of the OpenVPN status file.

Chapter 4, PKI, Certificates, and OpenSSL, introduces you to the public key infrastructure (PKI) and X.509 certificates, which are used in OpenVPN. You will learn how to generate, manage, manipulate, and view certificates, and you will also learn about the interactions between OpenVPN and the OpenSSL libraries that it depends upon.

Chapter 5, Scripting and Plugins, covers the powerful scripting and plugin capabilities that OpenVPN offers. You will learn to use client-side scripting, which can be used to tailor the connection process to the site-specific needs. You will also learn about server-side scripting and the use of OpenVPN plugins.

Chapter 6, Troubleshooting OpenVPN - Configurations, is all about troubleshooting OpenVPN misconfigurations. Some of the configuration directives used in this chapter have not been demonstrated before, so even if your setup is functioning properly, this chapter will still be insightful.

Chapter 7, Troubleshooting OpenVPN - Routing, gives an insight into troubleshooting routing problems when setting up a VPN using OpenVPN. You will learn how to detect, diagnose, and repair common routing issues.

Chapter 8, Performance Tuning, explains how you can optimize the performance of your OpenVPN setup. You will learn how to diagnose performance issues and how to tune OpenVPN's settings to speed up your VPN.

Chapter 9, OS Integration, covers the intricacies of integrating OpenVPN with the operating system it is run on. You will learn how to use OpenVPN on the most commonly used client operating systems: Linux, Mac OS X, and Windows.

Chapter 10, Advanced Configuration, goes deeper into the configuration options that OpenVPN has to offer. The recipes will cover both advanced server configurations, such as the use of a dynamic DNS, as well as the advanced client configuration, such as using a proxy server to connect to an OpenVPN server.

What you need for this book

In order to get the most from this book, there are some expectations of prior knowledge and experience. It is assumed that the reader has a fair understanding of system administration as well as knowledge of TCP/IP networking. Some knowledge of installing OpenVPN is required as well, for which you can refer to the book Beginning OpenVPN 2.0.9.

Who this book is for

This book is for system administrators who have basic knowledge of OpenVPN and are eagerly waiting to build, secure, and manage VPNs using the latest version. This book assumes some prior knowledge of TCP/IP networking and OpenVPN. To get the most out of this book, you must have network administration skills.

Conventions

In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.

Code words in text are shown as follows: "Copy over the tls-auth secret key file from the /etc/openvpn/cookbook/keys directory."

A block of code is set as follows:

    user nobody
    group nobody
    persist-tun
    persist-key
    keepalive 10 60
    ping-timer-rem

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

    secret secret.key 1
    ifconfig 10.200.0.2 10.200.0.1
    route 172.31.32.0 255.255.255.0
    tun-ipv6
    ifconfig-ipv6 2001:db8:100::2 2001:db8:100::1

Any command-line input or output is written as follows:

    [root@server]# openvpn --genkey --secret secret.key

New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "Go to the Network and Sharing Center and observe that the TAP adapter is in the section Public Network and that it is not possible to change this."

Warnings or important notes appear in a box like this.

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.

To send us general feedback, simply e-mail feedback@packtpub.com, and mention the book's title in the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the example code

You can download the example code files for this book from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.

You can download the code files by following these steps:

1. Log in or register to our website using your e-mail address and password.
2. Hover the mouse pointer on the SUPPORT tab at the top.
3. Click on Code Downloads & Errata.
4. Enter the name of the book in the Search box.
5. Select the book for which you're looking to download the code files.
6. Choose from the drop-down menu where you purchased this book from.
7. Click on Code Download.

You can also download the code files by clicking on the Code Files button on the book's webpage at the Packt Publishing website. This page can be accessed by entering the book's name in the Search box. Please note that you need to be logged in to your Packt account.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

WinRAR / 7-Zip for Windows
Zipeg / iZip / UnRarX for Mac
7-Zip / PeaZip for Linux

The code bundle for the book is also hosted on GitHub at . We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.

To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.

Piracy

Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at copyright@packtpub.com with a link to the suspected pirated material.

We appreciate your help in protecting our authors and our ability to bring you valuable content.

Questions

If you have a problem with any aspect of this book, you can contact us at questions@packtpub.com, and we will do our best to address the problem.

1
Point-to-Point Networks

In this chapter, we will cover the following:

The shortest setup possible
OpenVPN secret keys
Multiple secret keys
Plaintext tunnel
Routing
Configuration files versus the command line
IP-less configurations
Complete site-to-site setup
Three-way routing
Using IPv6

Introduction

The recipes in this chapter will provide an introduction to configuring OpenVPN. They are based on a point-to-point type of network, meaning that only a single client can connect at a given time.

A point-to-point network is very useful when connecting to a small number of sites or clients. It is easier to set up, as no certificates or public key infrastructure (PKI) is required. Also, routing is slightly easier to configure as no client-specific configuration files containing --iroute statements are required.

The drawbacks of a point-to-point network are as follows:

The lack of perfect forward secrecy: a key compromise may result in a total disclosure of previous sessions
The secret key must exist in plaintext form on each VPN peer

The shortest setup possible

This recipe will explain the shortest setup possible when using OpenVPN. For this setup, you require two computers that are connected over a network (LAN or Internet). We will use both a TUN-style network and a TAP-style network and will focus on the differences between them. A TUN device is used mostly for VPN tunnels where only IP traffic is used. A TAP device allows all the Ethernet frames to be passed over the OpenVPN tunnel, hence providing support for non-IP based protocols, such as IPX and AppleTalk.

While this may seem useless at first glance, it can be very useful to quickly test whether OpenVPN can connect to a remote system.

Getting ready

Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Windows 7 Pro 64bit and OpenVPN 2.3.10.

How to do it

Here are the steps that you need to follow:

1. Launch the server-side (listening) OpenVPN process for the TUN-style network:

    [root@server]# openvpn --ifconfig 10.200.0.1 10.200.0.2 \
        --dev tun

The preceding command should be entered as a single line. The charac
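The listening-side command above is only the first step of the recipe. As an added example, not the book's own code, the following POSIX shell script composes the command line for either peer of such a point-to-point tunnel (the connecting side swaps the two --ifconfig addresses and adds --remote naming the server), and it checks the permission mode of the static key file before it is used, which matters because, as the drawbacks list says, the key exists in plaintext on both peers. The hostname vpnserver.example.com is a constructed placeholder, and the function names p2p_cmd, secret_key_mode_ok and make_secret_key are mine.

```shell
#!/bin/sh
# Added example (not from the book): helpers for the shortest point-to-point setup.

# Compose the openvpn command line for one peer of a point-to-point tunnel.
# Usage: p2p_cmd <dev> <local-vpn-ip> <remote-vpn-ip> [<remote-host>]
# The listening side omits <remote-host>; the connecting side supplies it,
# and its local/remote VPN addresses are the mirror image of the server's.
p2p_cmd() {
  dev=$1
  local_ip=$2
  remote_ip=$3
  remote_host=$4
  cmd="openvpn --ifconfig $local_ip $remote_ip --dev $dev"
  if [ -n "$remote_host" ]; then
    cmd="$cmd --remote $remote_host"
  fi
  printf '%s\n' "$cmd"
}

# Return 0 if the static key file is readable only by its owner (mode 0600 or
# 0400), 1 if it is more permissive, 2 if it does not exist.
# GNU stat uses -c '%a'; the fallback covers BSD/macOS stat.
secret_key_mode_ok() {
  file=$1
  [ -f "$file" ] || return 2
  mode=$(stat -c '%a' "$file" 2>/dev/null) || mode=$(stat -f '%Lp' "$file")
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Generate a static key the way the book does (openvpn --genkey --secret),
# inside a subshell with a restrictive umask so the file is never created
# world-readable. Requires openvpn to be installed; not called below.
make_secret_key() {
  file=$1
  ( umask 077 && openvpn --genkey --secret "$file" )
}

# Usage: show both sides of the TUN tunnel from the recipe. The VPN addresses
# are the book's (10.200.0.1 / 10.200.0.2); the server hostname is a placeholder.
echo "server (listening side):  $(p2p_cmd tun 10.200.0.1 10.200.0.2)"
echo "client (connecting side): $(p2p_cmd tun 10.200.0.2 10.200.0.1 vpnserver.example.com)"
```

For the TAP-style variant from the same recipe, pass tap instead of tun as the first argument; the address symmetry between the two peers is unchanged.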
