Debian Package a Day ([info]debaday) wrote,
@ 2004-09-20 08:00:00
openvpn - Virtual Private Network daemon
An application to securely tunnel IP networks over a single UDP port, with support for TLS-based session authentication and key exchange, packet encryption, packet authentication, and packet compression.

Another one from Robert Waldner:
OpenVPN is great, especially because it gets everything about right that's wrong with IPSec and FreeS/WAN (read: ease of installation, configuration and usage). Especially nice is the possibility to, easily!, and securely bridge LANs together over a WAN. In our (limited) tests, we also got about twice the performance compared to FreeS/WAN, and that's with AES256. Another feature is that you don't have to patch your kernel to death just to get useful encryption.

Additional information from http://openvpn.sourceforge.net/

With OpenVPN, you can:

  • tunnel any IP subnetwork or virtual ethernet adapter over a single UDP or TCP port,

  • create cross-platform tunnels between any of the operating systems supported by OpenVPN including Linux, Solaris, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Windows 2000/XP,

  • configure a scalable, load-balanced VPN server farm using one or more machines which can handle thousands of dynamic connections from incoming VPN clients (OpenVPN 2.0),

  • use all of the encryption, authentication, and certification features of the OpenSSL library to protect your private network traffic as it transits the internet,

  • use any cipher, key size, or HMAC digest (for datagram authentication) supported by the OpenSSL library,

  • choose between static-key based conventional encryption or certificate-based public key encryption,

  • use static, pre-shared keys or TLS-based dynamic key exchange,

  • use real-time adaptive link compression and traffic-shaping to manage link bandwidth utilization,

  • tunnel networks whose public endpoints are dynamic such as DHCP or dial-in clients,

  • tunnel networks through connection-oriented stateful firewalls without having to use explicit firewall rules,

  • tunnel networks over NAT, and

  • create secure ethernet bridges using virtual tap devices.


More information on this package can be found on the Debian web site.





[info]pjc50
2004-09-20 08:20 am UTC
I'll second this, OpenVPN is really easy to use and the only cross-platform VPN solution I've found that works consistently. Because it can use TCP, it's the only VPN protocol that reliably works over random ISP connections, which tend to drop IPsec and PPTP. You can use it with any dial-up provider. The lack of kernel patches is a big benefit as well.

Key or certificate distribution is the only disadvantage; there's no password authentication scheme.


Password Authentication
[info]jamesyonan
2005-02-12 11:34 pm UTC
There are actually two levels of optional password verification now, with the latest 2.0 RCs:
  • Password-encrypted private keys.

  • The new auth-user-pass and auth-user-pass-verify directives which allow the server to use a username/password entered on the client as a basis for authentication.

James

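The auth-user-pass-verify directive mentioned above hands the server an external program that decides whether a client's username and password are acceptable. The script below is an added illustration, not OpenVPN's own code: it assumes the via-file calling convention (OpenVPN writes the username on line 1 and the password on line 2 of a temporary file whose path is the script's only argument, and treats exit status 0 as success), and the credential store it checks against is constructed inline with salted PBKDF2 hashes rather than loaded from disk.

```python
#!/usr/bin/env python3
"""Example auth-user-pass-verify backend (added illustration, not OpenVPN project code)."""
import hashlib
import hmac
import os
import sys

ITERATIONS = 100_000          # PBKDF2 work factor; raise as hardware allows


def make_store(plaintext_passwords):
    """Build {username: (salt, pbkdf2_hash)} from plaintext passwords.

    Constructed for the example only; a deployment would load an
    already-hashed store from a file the OpenVPN server user can read.
    """
    store = {}
    for user, password in plaintext_passwords.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        store[user] = (salt, digest)
    return store


def verify_credentials(username, password, store):
    """True only if the user exists and the password matches its stored hash."""
    entry = store.get(username)
    if entry is None:
        # Do the same amount of hashing for unknown users so that response
        # timing does not reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return False
    salt, expected = entry
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(got, expected)   # constant-time comparison


def parse_credentials(text):
    """via-file format: username on line 1, password on line 2."""
    lines = [line.rstrip("\r") for line in text.split("\n")]
    if len(lines) < 2:
        raise ValueError("credentials file must contain a username and a password line")
    return lines[0], lines[1]


def main(argv, store):
    """Return the process exit status OpenVPN will see: 0 = accept, 1 = reject."""
    if len(argv) != 2:
        return 1
    with open(argv[1], encoding="utf-8") as handle:
        username, password = parse_credentials(handle.read())
    return 0 if verify_credentials(username, password, store) else 1


if __name__ == "__main__":
    # Demo store (constructed): one user, one password.
    DEMO_STORE = make_store({"alice": "correct-horse"})
    sys.exit(main(sys.argv, DEMO_STORE))
```

On the server this would be wired in with a line such as `auth-user-pass-verify /etc/openvpn/verify.py via-file` (later releases additionally require `script-security 2` before external scripts run). The script never echoes the password and relies on exit status alone, which is the whole contract OpenVPN expects from it.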


[info]skx
2004-09-20 08:42 am UTC
I installed this alongside a PPTP solution, after reading this entry. It really is a stunningly simple thing to setup, and handles keep-alives as well as IP address changes. Total install time was less than ten minutes.

The simple examples were all I needed to read to get two gateway machines (one Sun box running Unstable and one x86 box running Woody) to route their private networks to each other.

There's a backport available for Woody and it's not incompatible with the unstable revision like tinc is. (The other VPN server I've used along with IPSEC/PPTPd)


security?
[info]k8to
2004-09-21 05:33 pm UTC
Sorry to be a party pooper, but:

I admit I'm doing basically no research into the package beyond looking at the web page. That it uses SSL/TLS is somewhat reassuring but "gets rid of all the baggage of IPsec" is definitely NOT.

Basically whenever I hear about an encryption related tool that "gets rid of the complexity" of the conventional solutions, it turns out under cryptanalysis (if any is ever done) that it's got a number of glaring errors that render the security greatly reduced if not totally compromised. Does anyone know what qualified minds have reviewed this system?


Re: security?
[info]lstep
2004-09-21 11:46 pm UTC
You can read the OpenVPN FAQ (http://openvpn.sourceforge.net/faq.html); there's an entry about it. The FAQ links to a review made by the cryptography expert Peter Gutmann, who reviewed several open-source VPN solutions, including OpenVPN, where he said good things about it (direct link to the review: http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt). To quote him: "the author knows what he's doing."

Btw, several commercial vendors (Cisco, Checkpoint) are orienting themselves to similar solutions (using SSL/TLS or not), but at a higher level than IPSEC, which has too many requirements.


Re: security?
(Anonymous)
2004-10-14 03:30 pm UTC
OpenVPN has been favorably reviewed by those who have examined its security layer. In addition to Peter Gutmann's article, you might also take a look at this article by Charlie Hosner:

http://www.sans.org/rr/papers/20/1459.pdf

In a nutshell, OpenVPN uses SSL/TLS for session authentication and IPSec's ESP protocol (cipher, HMAC, explicit-IV, and replay protection) for tunnel data security.

OpenVPN is also designed to be able to run as user nobody in a chroot jail.

To learn more, the security model is described more in depth here:

http://openvpn.sourceforge.net/security.html

James Yonan

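The comment above summarises the data channel as "cipher, HMAC, explicit-IV, and replay protection", and the feature list at the top of the page says the cipher and HMAC digest come from OpenSSL. The following is an added example, written for this page rather than taken from OpenVPN, of how those four pieces fit together for one datagram: encrypt-then-MAC with a per-packet random IV, the HMAC checked before any decryption, and a sliding window over packet ids that rejects both duplicates and packets older than the window. The packet layout, the 64-entry window and the keys are assumptions made for illustration and are not OpenVPN's real wire format; because the standard library has no AES, a keystream built from HMAC-SHA256 in counter mode stands in for the block cipher.

```python
import hashlib
import hmac
import os
import struct

# Layout assumed for this example (not OpenVPN's real wire format):
#   [HMAC-SHA256 tag | explicit IV | ciphertext]
# where the ciphertext covers [32-bit packet id | payload].
TAG_LEN = 32
IV_LEN = 16
WINDOW_SIZE = 64          # how far behind the newest id a late packet may arrive


def _keystream(key, iv, length):
    # Stand-in for the block cipher: HMAC-SHA256 run in counter mode over the IV.
    # The standard library has no AES, so this keeps the example self-contained.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(enc_key, mac_key, packet_id, payload, iv=None):
    """Encrypt-then-MAC one datagram. A fresh random IV is generated per packet."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    plaintext = struct.pack(">I", packet_id) + payload
    ciphertext = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return tag + iv + ciphertext


class ReplayWindow:
    """Sliding window over packet ids: rejects duplicates and ids too far in the past."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0      # newest packet id accepted so far (0 = none yet)
        self.seen = 0         # bit k set => id (highest - k) has been accepted

    def accept(self, packet_id):
        if packet_id == 0:
            return False                      # id 0 is reserved as "never sent"
        if packet_id > self.highest:
            shift = packet_id - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1)
            self.highest = packet_id
            return True
        back = self.highest - packet_id
        if back >= self.size:
            return False                      # older than the window: stale
        if (self.seen >> back) & 1:
            return False                      # already accepted: replay
        self.seen |= 1 << back
        return True


def open_packet(enc_key, mac_key, packet, window):
    """Verify the HMAC first, only then decrypt and check the packet id."""
    if len(packet) < TAG_LEN + IV_LEN + 4:
        raise ValueError("short packet")
    tag = packet[:TAG_LEN]
    iv = packet[TAG_LEN:TAG_LEN + IV_LEN]
    ciphertext = packet[TAG_LEN + IV_LEN:]
    expected = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad HMAC")          # dropped before any decryption work
    plaintext = _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))
    packet_id = struct.unpack(">I", plaintext[:4])[0]
    if not window.accept(packet_id):
        raise ValueError("replayed or stale packet id %d" % packet_id)
    return plaintext[4:]


def receive(enc_key, mac_key, packet, window):
    """Convenience wrapper: (True, payload) or (False, reason)."""
    try:
        return True, open_packet(enc_key, mac_key, packet, window)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed demo keys; a real deployment derives them from the TLS handshake
    # or from a pre-shared static key file.
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    window = ReplayWindow()
    pkt = seal(enc_key, mac_key, 1, b"ping")
    print(receive(enc_key, mac_key, pkt, window))          # (True, b'ping')
    print(receive(enc_key, mac_key, pkt, window))          # (False, 'replayed or stale packet id 1')
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    print(receive(enc_key, mac_key, tampered, window))     # (False, 'bad HMAC')
```

Two details carry the security weight. The HMAC is checked with a constant-time comparison before the ciphertext is touched, so a forged or corrupted datagram costs the receiver one hash and no cipher work. The window keeps a bitmask rather than a single "last id seen" counter, so UDP reordering within 64 packets is tolerated while an exact replay, or a packet from far in the past, is still refused.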

PPTP maintainer says use OpenVPN
(Anonymous)
2004-09-22 02:41 am UTC
As the maintainer by default for the PPTP client and server on Linux, I'm often asked "is there something better we should be using." My reply is "OpenVPN".
Usually the only remaining objection is "it's not already on the clients". To those for whom that matters: upgrade your clients. :-) Quozl.


OpenVPN
(Anonymous)
2004-09-22 10:35 am UTC
I have been using OpenVPN for half a year and I am very pleased with it. The installation* and configuration are rather simple (as long as you know what you are doing), it has a Windows version which works with WinXP, WinXP, its configuration is much easier than anything I have seen about IPSEC, it's independent of the Linux kernel version, it directly supports NATed private networks, ...



[info]noogiewoo
2004-10-20 06:29 pm UTC
This is really cheeky, but could anyone here help me set up my Debian Woody box to run OpenVPN? I'm having trouble with the tap part and have been racking my brains for hours. I know that after the network interface is set up it's supposed to be easy, but I can't get the interface set up!

If anyone can help, please reply here.

thanks, Si.


openvpn gui faq can tell you that
(Anonymous)
2004-10-21 11:17 pm UTC
Check the file INSTALL-win32.txt located in the OpenVPN dir after you install the Windows version. Under "Notes -- Ethernet bridging, Windows Client, Linux server" there is a full guide on how to configure a Linux OpenVPN server.

Martin


OpenVPN web site URL change
[info]jamesyonan
2005-02-12 11:24 pm UTC
The OpenVPN project has moved to its own domain.

The new URL is http://openvpn.net/


Openvpn installation help
(Anonymous)
2005-09-11 03:05 pm UTC
Hi everyone,
I hope you can give me a hand. I have installed openvpn as a port on FreeBSD 5.4. The installation went flawlessly.

I did

  . ./vars
  ./clean-all

which also ran fine; then I issue the command

  ./build-ca

and it barfs with the following error:

error on line 1 of /usr/local/share/doc/openvpn/easy-rsa/openssl.cnf
86416:error:0E066065:configuration file routines:CONF_load_bio:missing equal sign:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_def.c:366:line 1


Can someone please clarify for me why clean-all has to delete the openssl.cnf directory. I don't understand why it has to be there if it has to be deleted.

Thanks a million for any insights at all.


