OpenVPN
From Telecomix Crypto Munitions Bureau
OpenVPN is a program that can be used to create VPN networks (no shit sherlock!). The program has been ported to most operating systems and is thus fairly standard in VPN networks. What it does is create an encrypted tunnel between computers, so that no one in between can see what type of traffic is being sent. Combine OpenVPN with Quagga, OpenBGPD or something similar, and we have a darknet. The AnoNet and the DarkNET Conglomeration are two darknets that seem to have been built mostly with OpenVPN. (And now anonet has their client port up and running again, nice for them!)
There are, roughly speaking, two different ways to configure OpenVPN: with a static key, or with your own Public Key Infrastructure (PKI). Static keys are very simple and straightforward; it takes very little time and effort to have a tunnel up and running. Using a PKI is more difficult, but it is much better if you plan on having very many VPN tunnels lying around. Generally, building a PKI is better than static keying unless you have very little time or just refuse to spend an hour or so figuring everything out.
Interesting web sites
- OpenVPN.net - official (corporate) web site. The software is free and open though.
- OpenVPN official HOWTO - Use it!
- (Using OpenVPN example 0 can sometimes be simpler.)
- Wikipedia about OpenVPN
Nice stuff to know before you start
Stuff that is not really obvious from the official OpenVPN howto, and a dose of healthy paranoia:
Windows and OpenVPN
Windows needs extra care and patting before it will behave nicely. See this config example script.
Wiki tutorial for windows clients
Gnome's graphical network manager (default in Ubuntu)
NetworkManager does not accept key files without passphrases. This is a bug. To work around it, do:
mv my.key my.key.old
openssl rsa -aes256 -in my.key.old -out my.key
Pick something short and enter it twice - I went with "1234":
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Tun and tap-interfaces
OpenVPN will create one tun or tap interface on your computer that you can send and receive packets from. One interface will be created per VPN tunnel you have. These are virtual network interfaces that behave very much like ordinary physical network interfaces. However, tun interfaces can only carry IPv4 or IPv6 traffic, and nothing else. A tap interface can carry everything:
Using a tun interface means that you will not be able to send, for example, ARP packets. If you are using a tap interface instead, you can send anything through; ARP, IPX, or any other weird protocol. In most cases, a tun interface will work fine.
In *BSD operating systems (at least OpenBSD), the tap interface does not exist. This is not a problem, because you can still configure your tun interfaces to behave just like a tap interface by putting dev-type tap on a line by itself in the config file.
I have no idea how to use OpenVPN in Windows. I suggest that you do not use a Windows server to handle others' sensitive information.
IPv6 and OpenVPN
If you plan on using IPv6 with OpenVPN you should perhaps consider not using tun interfaces. OpenVPN still has rather poor support for handling IPv6, so treating it as some bizarre protocol is perhaps better: use tap :)
IPv6 with OpenVPN does work. It is just a little bit more difficult. It might be worth it though, as it is nice to play around with insanely many addresses. You are also not forced to use any of the few local area network addresses. You can also spell words with the addresses: dead:b17c:15:fa7::1 (dead bitch is fat) is a valid address. The bad thing with IPv6 is perhaps that you need some sort of protocol translation if you want to reach the ordinary internets, as most of us will not have real IPv6 addresses until the corporate ISPs begin migrating.
Naming your interfaces
It is a good idea to name your interfaces so that they do not just get simple names such as tun0, tun1, tun2, and so on. Using the default and letting the operating system name the interfaces for you could spell trouble if you have lots of interfaces. It will be rather difficult for you if the VPN-tunneling server reboots and the tunnels are automatically set up, with new numbers. If you have written your firewall rules (see iptables or pf) to use the original names with their original numbers, your networking will now be all scrambled and you would need to reconfigure stuff manually. Of course, this is not a problem if you never reboot (yeah, right), or start the VPN tunnels with your own scripts.
I am not sure, but I do not think that it is possible to name the interfaces in OpenBSD. You will have to start them with a script, in a predefined order. (Hint: Include the commands that start the OpenVPN daemons for the interfaces in /etc/hostname.tunX, where X is 0, 1, 2, 3 or whatever.)
So, how do you name your tunnels? In Linux, you would put something like dev tunSuitableDescribingNameHere on a line by itself in the config file.
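The following script is an added example, not from this wiki and not from the OpenVPN project: it writes the two config files for one static-key point-to-point tunnel (the simple mode from the introduction), gives each end a fixed, descriptive interface name as described in this section, and shows the dev-type trick from the tun/tap section for a BSD box. Everything in it is assumed: the peer names, the 10.99.0.0/24 tunnel addresses, the key path /etc/openvpn/static.key, and the mssfix value, which is only a starting point for the nested-tunnel MTU question below.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: generate the two
# config files for a static-key point-to-point tunnel whose interfaces
# carry fixed, descriptive names. Peer names, addresses, the port and
# the key path are made-up placeholders; adjust them to your setup.
set -eu

KEY=/etc/openvpn/static.key   # assumed location of the shared static key

# gen_static_key FILE: create the shared key once (same file on both ends).
# Not run by default; copy the file to the peer over a channel you trust.
gen_static_key() {
    openvpn --genkey --secret "$1"
    chmod 600 "$1"
}

# write_peer_conf FILE ROLE LOCAL REMOTE_OR_MASK DEV DEVTYPE [REMOTE_HOST]
#   ROLE    "listen" (wait for the peer) or "connect" (dial REMOTE_HOST)
#   LOCAL   this end's tunnel address; for tun, REMOTE_OR_MASK is the other
#           end's address, for tap it is the netmask (OpenVPN's ifconfig rule)
#   DEV     fixed interface name, e.g. tunPeerAlice, so iptables/pf rules
#           keep matching after a reboot instead of depending on tun0/tun1
#   DEVTYPE tun or tap; "dev-type tap" also makes a BSD tunX behave as tap
write_peer_conf() {
    file=$1 role=$2 local=$3 remote_or_mask=$4 dev=$5 devtype=$6
    remote_host=${7:-}
    {
        echo "# static-key point-to-point tunnel (generated example)"
        echo "dev $dev"
        echo "dev-type $devtype"
        echo "proto udp"
        echo "port 1194"
        if [ "$role" = connect ]; then
            echo "remote $remote_host 1194"
            echo "nobind"
        fi
        echo "ifconfig $local $remote_or_mask"
        echo "secret $KEY"
        # static-key mode has no TLS handshake, so cipher and HMAC are fixed here
        echo "cipher AES-256-CBC"
        echo "auth SHA256"
        echo "keepalive 10 60"
        echo "persist-key"
        echo "persist-tun"
        echo "user nobody"
        echo "group nogroup"
        # assumed starting point when this tunnel is itself carried inside another one
        echo "mssfix 1400"
        echo "verb 3"
    } > "$file"
    chmod 600 "$file"
}

# demo DIR: write the listening side (Alice) and the dialing side (Bob)
# of one tunnel, 10.99.0.1 <-> 10.99.0.2 (constructed addresses).
demo() {
    write_peer_conf "$1/alice.conf" listen  10.99.0.1 10.99.0.2 tunPeerBob   tun
    write_peer_conf "$1/bob.conf"   connect 10.99.0.2 10.99.0.1 tunPeerAlice tun alice.example.net
}

# usage: sh gen-p2p.sh /etc/openvpn/generated
if [ -n "${1:-}" ]; then demo "$1"; fi
```

Both ends reference the same static.key, so gen_static_key is run once and the file is copied to the peer; the configs themselves carry no secret but are still written mode 600. Because the interface is named tunPeerBob rather than tun0, the firewall rules for that peer stay valid no matter in which order the daemons come up after a reboot.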
MTU and OpenVPN
If you plan on tunneling sensitive information inside another tunnel, you might want to check your MTU-settings. (More research needs to be done here. If you experiment with it, please contribute.)
Firewalls and OpenVPN
Do not forget to set up a really, really restrictive firewall for your tunnelling server. You do not want your firewall to leak information about who you are. Imagine the following: A person knows that some people are collaborating to build a darknet. By nmap'ing the different core routers in the network from the inside of the darknet, it would be possible to gather some data. For example, it would probably be possible to see which OpenSSH version is running on the different servers. Then, the same person also nmap's a group of computers from the ordinary internets and checks if there is anything that looks like what was seen from inside the network. Most likely, it will then be rather simple to figure out who is who, and all anonymity is broken.
I advise you to be REALLY careful with your firewall rules. Do not just use your firewall to protect yourself from hackers, but also use it to remove all identifying information. Consider dropping almost everything from at least inside the darknet. Also consider using a separate computer, with a separate setup, just for handling the VPN tunnel(s). You could do that with Xen, VirtualBox, KVM, QEMU, UML, or with a real physical computer on a shielded-off network.
be paranoid :d
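As an added example (not from this wiki, and not the "example 0" iptables script listed below), here is a generator for the kind of ruleset the section argues for: a Linux box that does nothing but terminate tunnels, answers only OpenVPN on the outside, answers nothing at all on the tunnel side so there is no banner to correlate, and logs probes from inside at a low rate. The interface names, the port and the iptables-restore layout are assumptions; the script only prints the rules, so you can read them before loading.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: a deliberately
# restrictive iptables ruleset for a Linux box whose only job is to
# terminate OpenVPN tunnels. Interface names and the port are assumed;
# the rule text is emitted in iptables-restore format so it can be
# reviewed before it is loaded.
set -eu

# vpn_server_rules EXT_IF VPN_IF [PORT]
#   EXT_IF  interface facing the ordinary internet (e.g. eth0)
#   VPN_IF  the tunnel interface(s); a name ending in "+" is an iptables
#           prefix wildcard, so "tunPeer+" covers tunPeerAlice, tunPeerBob, ...
#           when the interfaces were named consistently in the configs
vpn_server_rules() {
    ext=$1 vpn=$2 port=${3:-1194}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback and replies to traffic the box started itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the only service the internet side may reach is OpenVPN itself:
# no SSH banner, no ping, nothing a scan from outside could match
-A INPUT -i $ext -p udp --dport $port -m conntrack --ctstate NEW -j ACCEPT
# from inside the darknet the box answers nothing at all (not even ICMP),
# so a scan from the inside yields no banner to correlate with the outside
# scan; probes are logged at a low rate so you notice them in syslog
-A INPUT -i $vpn -m limit --limit 5/min -j LOG --log-prefix "darknet-probe: "
-A INPUT -i $vpn -j DROP
# route between darknet peers only; never between the darknet and $ext
-A FORWARD -i $vpn -o $vpn -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# outbound: replies, plus tunnels this node dials to other operators.
# DNS is blocked too: use IP addresses in "remote", or allow udp/53 to your resolver
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $ext -p udp --dport $port -j ACCEPT
COMMIT
EOF
}

# apply_rules EXT_IF VPN_IF [PORT]: load the set atomically; run as root.
# Read "vpn_server_rules ..." output first, and have a console session
# handy: with OUTPUT defaulting to DROP, SSH to or from this box will not work.
apply_rules() {
    vpn_server_rules "$@" | iptables-restore
}

# usage: sh vpn-fw.sh eth0 'tunPeer+' > rules.v4   (then iptables-restore < rules.v4)
if [ -n "${2:-}" ]; then vpn_server_rules "$1" "$2" "${3:-1194}"; fi
```

Management access is deliberately absent from the set: if you need SSH, add it on a dedicated admin interface or a separate machine rather than on the external or the tunnel side, which is exactly the correlation the section warns about.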
Examples of how to use OpenVPN
- OpenVPN example 0 (Goes through all steps required to build a PKI, config files and how to get started)
- OpenVPN example 0 - iptables rules (Example routing/firewall script for the linux server)
- OpenVPN example 0 - linux client iptables (Example firewall for linux clients)
- OpenVPN example 1 (About peering with other operators)
More about specific stuff
Consider instead reading the examples above, as they are currently much more detailed about how this works.