Yet another post about OpenVPN…

What is OpenVPN ?

OpenVPN is a SSL/TLS based user-space VPN server/client, it’s capable of

  • Creating point-to-point or server-to-multiclient encrypted tunnels between host computers.
  • Establishing direct links between computers across network address translators (NATs) and firewalls.

Certificates and PKI Infrastructure

OpenVPN can use any available PKI (Public Key Infrastructure) setup you might have in your network, however, the most easy to get hold of is OpenSSL.

SSL/TLS Certificates in a nut-shell

  • You start with a Certificate Authority (CA) which users/servers trust, each client/server will have a copy of the CA’s public key, while the CA’s private key is well guarded.
  • Users and Servers, each has its own private key, and that key isn’t shared at all.
  • Each user/server, has its own public key that is associated with its own private key, that public key is distributed/shared across all nodes by means of PKI (which is currently out of scope for this writing).
  • Certificates; When a public key is digitally signed using the CA’s private key, this can be called a certificate, and hence that signature can be re-read using the CA’s public key.

The certificate contains several important pieces of information:

  • Common Name of the certificate holder (CN)
  • CA certificate finger-print that signed this certificate
  • Public Key of the certificate holder
  • Issue Date
  • Expiration Date
  • A certificate revocation announcement system should be in place, to announce -guess what- certificates that has been revoked by the CA.

How that relates to OpenVPN ?

Each server and client has its own private key and certificate (which holds the public key within). Each server and client has a copy of the CA’s certificate (which holds the public key of the CA within). OpenVPN uses this PKI to implement authentication (in certificate-based auth) and to initialize the SSL tunnel, and to maintain the encryption during the life time of the VPN connection.

Different Modes of Authentication

  • Pre-shared key
    • this is the easiest to setup, and yet the weakest, because if the key compromised, a new key must be generated, and the configuration on both nodes must change as well
  • Certificate-based
    • based on PKI
    • allows central management of users/servers
    • a valid certificate is authorized to connect by default, unless a list of exclusive access list is defined
    • Provides the most secure encrypted channels since the ingoing and outgoing traffic is encrypted with different keys
    • Allows OpenVPN clients to run un-attended (as a service)
  • Username/Passowrd
    • OpenVPN can make use of PAM, radius, DB, or local files to authenticate users
    • Provides integration with different authentication backends, allowing SSO
    • The encryption of both incoming and outgoing traffic is encrypted with one key only
    • Cannot run un-attended
  • Combined Certificate-Username/Password
    • The most secure
    • Not so user-friendly
    • Cannot run un-attended
    • Provides the most secure encrypted channels since the ingoing and outgoing traffic is encrypted with different keys

Different modes of OpenVPN

Plain network connections

OpenVPN - Plain inet - 1

OpenVPN - Plain inet - 2

Routed mode

Here both networks (physical netowrk, and OpenVPN VPN network) are separate, and routing between the two networks is done by the box that runs OpenVPN server.

OpenVPN - Routed

Nodes on the physical network are assigned IPs in a different subnet than the nodes on the VPN network.

IP assignments is taken care of by the OpenVPN engine.

Broadcasts and multicasts don’t get past the OpenVPN server.

Only IP-based protocols can pass through the OpenVPN server.

  • The server takes control of IP assignment of Clients
  • The server can remotely configure clients for DNS Server, WINS Server, Default gateway, routes
  • Complete packet filtering/firewalling can be done from the server running OpenVPN

  • To get the best of it; the openVPN box should also be taking care of the entire network routing (ie. default gateway for all the network nodes)
  • Needs careful planning
  • Only IP-based protocols can be used

Bridged mode

Here both networks (physical network and OpenVPN VPN network) are bridged together, and OpenVPN acts just like a L2 (MAC layer) network bridge, no IP routing is done here.

OpenVPN - Bridged

Nodes on both networks are assigned IPs within the same subnet.

IP assignments can be done either manually or via DHCP on the physical network segment.

Broadcasts and multicasts are bridged across the two network segments.

All network protocols (routable and non-routable) can pass.

  • Centralized IP assignment/management is possible via local DHCP server.
  • Allows the use of non-routable protocols.
  • No routing is needed at the OpenVPN server node.

  • No control over passing packets, ie. no packet filtering
  • No possible configuration of routes
  • If physical network has broadcast storms, this will extend to the VPN network, consuming lots of precious bandwidth


Here, two network routers for two different networks can pass the traffic between the two networking seamlessly over OpenVPN tunnel. Each of the two peers is assigned an IP from a /30 network (which has only two usable IP addresses), each is assigned to a node from two participating nodes.

OpenVPN - Peer-2-Peer

Only two nodes can be involved in such setup.

IP assignment is done statically in both config files.

3 networks exist (Subnet A, Subnet B, and VPN subnet).

Only IP-based protocols is possible.

  • The easiest one to setup
  • Two internal networks can be routed internally without NAT
  • Control over packet filtering can be done on both OpenVPN nodes.

  • Each node must have a static public IP
  • IPs must be maintained within both config files and kept in sync
  • Only IP-based protocols
  • No possible route-push configuration, ie. routes must be added manually on each nodes
  • Only useful for nodes that act as network routers
  • MUST use pre-shared keys authentication

Ideas and Examples

I’ll only put a few diagrams, explanations will follow later on…

OpenVPN - Application A

The following example I actually use in my daily work…

OpenVPN - Twisted App - comms

OpenVPN - Twisted App - logical


One Response

  1. Thanks for the detailed article

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: