What are the new features of OpenVPN 2.1 and 2.2?

Inline certificates

To ease the deployment of OpenVPN configuration, public and private key files, a new feature is available to include all of them in a single file. This is done by integrating the contents of the ca, cert, key, and optionally the tls-auth file into the client configuration file itself. So, in this recipe, we will set up such a configuration file and use it to connect to our standard OpenVPN server.

Getting ready

We use the following network layout:

Set up the client and server certificates. For this recipe, the server computers were running CentOS 5 Linux and OpenVPN 2.1.3. The client was running Fedora 13 Linux and OpenVPN 2.1.1. Keep the configuration file basic-udp-server.conf (download code- ch:2) at hand.

How to do it...

1. First, start the server:

   [root@server]# openvpn --config basic-udp-server.conf

   
   

   Copy

2. Create the client configuration file:

   client
   proto udp
   remote openvpnserver.example.com
   port 1194
   dev tun
   nobind

   
   ca [inline]
   cert [inline]
   key [inline]
   tls-auth [inline] 1
   
   <ca>
   -----BEGIN CERTIFICATE-----
   # insert base64 blob from ca.crt
   -----END CERTIFICATE-----
   </ca>
   
   <cert>
   -----BEGIN CERTIFICATE-----
   # insert base64 blob from client1.crt
   -----END CERTIFICATE-----
   </cert>
   
   <key>
   -----BEGIN PRIVATE KEY-----
   # insert base64 blob from client1.key
   -----END PRIVATE KEY-----
   </key>
   
   <tls-auth>
   -----BEGIN OpenVPN Static key V1-----
   # insert ta.key
   -----END OpenVPN Static key V1-----
   </tls-auth>

   Copy

   
   Insert the contents of the ca.crt, client1.crt, client1.key and ta.key files in the configuration. Save it as example12-1-client.conf.

3. Then, connect the client:

   [root@client]# openvpn --config example12-1-client.conf

   
   

   Copy

How it works...

When OpenVPN parses the configuration directives, ca, cert, key, and tls-auth (and dh for server configuration files), and it finds the value [inline], then an XML-like block must be present later in the configuration file. The contents of this XML-like block are then read and treated in the same manner as when a file is specified. When all the required configuration files or blocks are present, the connection is established.

Note that it is not required to treat all of the above configuration directives in the same manner. It is also possible to only specify an [inline] block for the CA certificate file, as this file tends to be static for all the clients.

Connection blocks

Similar to the inline certificates used in the previous recipe, it is also possible to specify connection blocks. These connection blocks are treated as multiple definitions for remote servers and they are tried in order until a VPN connection is established. The advantage of using a connection block is that for each remote server, server-specific parameters can be specified, such as the protocol (UDP or TCP), the remote port, whether a proxy server should be used , and so on.

In this recipe, we will set up two servers, one listening on a UDP port and the other on a TCP port. We will then configure the OpenVPN client to try the first server using a UDP connection. If the connection cannot be established, the client will attempt to connect to the second server using a TCP connection.

Getting ready

We use the following network layout:

Set up the client and server certificates. For this recipe, the server computers were running CentOS 5 Linux and OpenVPN 2.1.3. The client was running Fedora 13 Linux and OpenVPN 2.1.1. Keep the server configuration file basic-udp-server.conf (download code- ch:2) at hand, as well as the server configuration file, example9-7-server.conf (download code- ch:9).

How to do it...

1. Start both the servers:

   [root@server1]# openvpn --config basic-udp-server.conf

   
   [root@server2]# openvpn --config example9-7-server.conf

   Copy

2. Check the log files to check that both the servers have successfully started.
Unlock access to the largest independent learning library in Tech for FREE!
Get unlimited access to 7500+ expert-authored eBooks and video courses covering every tech area you can think of.
Renews at $19.99/month. Cancel anytime
START FREE TRIAL
3. Create the client configuration file:

   client
   dev tun

   
   <connection>
   remote openvpnserver1.example.com
   proto udp
   port 1194
   </connection>
   
   <connection>
   remote openvpnserver2.example.com
   proto tcp
   port 1194
   </connection>
   
   ca /etc/openvpn/cookbook/ca.crt
   cert /etc/openvpn/cookbook/client1.crt
   key /etc/openvpn/cookbook/client1.key
   tls-auth /etc/openvpn/cookbook/ta.key 1
   
   ns-cert-type server

   Copy

   
   Save it as example12-2-client.conf.

4. Start the client:

   [root@client]# openvpn --config example12-2-client.conf

   
   

   Copy

5. After the connection has been established, stop the first OpenVPN process on the server that the client connected to:

   [root@server1]# killall openvpn

   
   

   Copy

   
   And wait for the client to reconnect. After the default timeout period, the client will reconnect to the alternate server using the TCP protocol.

How it works...

When the OpenVPN client starts up, it attempts to connect to the server specified in the first <connection> block. If that connection fails, it will try the next <connection> block entry and so forth. When an OpenVPN server becomes unavailable or is stopped, the client will automatically restart and try to connect to the first available OpenVPN server again.

The OpenVPN client first parses the global directives, which are specified outside the <connection> blocks. For each block, the global directives are then overruled using block-specific directives. This makes it easier to specify in the <connection> blocks only those parameters that are different for each connection.

There's more...

Connection blocks, as well as inline certificates, are very handy new features introduced in OpenVPN 2.1. A consequence of these features is that the use of the command line to overrule the directives specified in the configuration file becomes harder, if not impossible. There are a few other things to keep in mind when using connection blocks.

Allowed directives inside connection blocks

There are only a few directives allowed inside a connection block:

• bind
• connect-retry, connect-retry-max, connect-timeout
• float
• http-proxy, http-proxy-option, http-proxy-retry, http-proxy-timeout
• local lport
• nobind
• port
• proto
• remote, rport
• socks-proxy, socks-proxy-retry

All other directives are considered global and can only be specified once.

Pitfalls when mixing TCP and UDP-based setups

Connection blocks make it very easy to mix TCP and UDP-based setups. The downside is that the global parameters specified in the configuration file must be valid for both the TCP and UDP-based setups. This rules out the use of the commonly-used fragment directive, as well as a few other tuning parameters. It is expected that this shortcoming of <connection> blocks will be addressed in a future version of OpenVPN.