
In this article by Jan Just Keijser, author of the book OpenVPN Cookbook – Second Edition, we will cover the following recipes:


  • OpenVPN secret keys
  • Using IPv6

OpenVPN secret keys

This recipe uses OpenVPN secret keys to secure the VPN tunnel. This shared secret key is used to encrypt and authenticate the traffic between the client and the server.

Getting ready

Install OpenVPN 2.3.9 or higher on two computers. Make sure that the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Windows 7 Pro 64bit and OpenVPN 2.3.10.

How to do it…

  1. First, we generate a secret key on the server (listener):
    [root@server]# openvpn --genkey --secret secret.key
  2. We transfer this key to the client side over a secure channel (for example, using scp).
  3. Next, we launch the listening (server)-side OpenVPN process:
    [root@server]# openvpn --ifconfig 10.200.0.1 10.200.0.2 
                --dev tun --secret secret.key
  4. Then, we launch the client-side OpenVPN process:
    [WinClient] C:\>"Program Files\OpenVPN\bin\openvpn.exe" 
                --ifconfig 10.200.0.2 10.200.0.1 
                --dev tun --secret secret.key 
                --remote openvpnserver.example.com

    The connection is established (the original article shows a screenshot of the client-side output at this point).

How it works…

The server listens for incoming connections on UDP port 1194, the default. The client connects to the server on this port. After the initial handshake, the server configures the first available TUN device with the IP address 10.200.0.1 and expects the remote end (peer address) to be 10.200.0.2. The client does the opposite.

There’s more…

By default, OpenVPN uses two symmetric keys when setting up a point-to-point connection:

  • A cipher key to encrypt the contents of the packets being exchanged.
  • An HMAC key to authenticate packets. Packets that arrive without a valid HMAC computed with the appropriate key are dropped immediately, before any decryption work is done. This is the first line of defense against a “Denial of Service” attack.

The same set of keys is used on both ends, and both keys are derived from the file specified using the --secret parameter.

An OpenVPN secret key file is formatted as follows:

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
<16 lines of random bytes>
-----END OpenVPN Static key V1-----

From the random bytes, the OpenVPN cipher and HMAC keys are derived. Note that these keys are the same for each session: a static key gives no forward secrecy, so anyone who obtains secret.key can decrypt every past and future session that used it, and the file must be protected (and rotated) accordingly.
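As an added example (my own code, not the book's and not OpenVPN's), the following Python script generates and parses a file in the format shown above and demonstrates how the single 2048-bit blob becomes a cipher key and an HMAC key for each direction, then uses the HMAC key as the "first line of defense" just described. The split into two 128-byte halves, each holding 64 bytes of cipher key material followed by 64 bytes of HMAC key material, and the way the optional direction argument of --secret selects a half for sending and one for receiving, are my reading of OpenVPN's key2 layout and should be checked against the source of the version you run; the 16-byte and 20-byte key lengths are the OpenVPN 2.3 defaults (BF-CBC and SHA1). The packet body is a constructed sample, not a captured OpenVPN packet.

```python
import hashlib
import hmac
import secrets

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256        # 2048 bits, as the file header says
HALF = KEY_BYTES // 2  # assumed layout: 64 bytes cipher + 64 bytes HMAC material per half
CIPHER_KEY_LEN = 16    # BF-CBC, the OpenVPN 2.3 default --cipher
HMAC_KEY_LEN = 20      # SHA1, the OpenVPN 2.3 default --auth
TAG_LEN = hashlib.sha1().digest_size


def generate_static_key() -> str:
    """Build a file in the same layout as 'openvpn --genkey --secret' (constructed input)."""
    raw = secrets.token_bytes(KEY_BYTES)
    hex_lines = [raw[i:i + 16].hex() for i in range(0, KEY_BYTES, 16)]  # 16 lines of 32 hex chars
    return "\n".join(["#", "# 2048 bit OpenVPN static key", "#", BEGIN, *hex_lines, END]) + "\n"


def parse_static_key(text: str) -> bytes:
    """Return the 256 raw key bytes; reject a file that is truncated or not bracketed."""
    inside, chunks = False, []
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            inside = True
        elif line == END:
            break
        elif inside and line and not line.startswith("#"):
            chunks.append(line)
    else:
        raise ValueError("key file is not terminated by the END marker")
    raw = bytes.fromhex("".join(chunks))
    if len(raw) != KEY_BYTES:
        raise ValueError(f"expected {KEY_BYTES} key bytes, got {len(raw)}")
    return raw


def direction_keys(raw: bytes, direction=None) -> dict:
    """Pick the send (tx) and receive (rx) key halves for one peer.

    No direction: both peers use half 0 both ways.  'secret file 0': send with
    half 0, receive with half 1; 'secret file 1' is the reverse, so the peers
    hold mirrored keys and each direction of traffic is keyed separately.
    """
    halves = (raw[:HALF], raw[HALF:])
    tx, rx = {None: (0, 0), 0: (0, 1), 1: (1, 0)}[direction]

    def keys_of(half: bytes) -> dict:
        # assumed: cipher material first, HMAC material at offset 64 within the half
        return {"cipher": half[:CIPHER_KEY_LEN], "hmac": half[64:64 + HMAC_KEY_LEN]}

    return {"tx": keys_of(halves[tx]), "rx": keys_of(halves[rx])}


def seal(body: bytes, hmac_key: bytes) -> bytes:
    """Prepend an HMAC-SHA1 tag to a packet body, tag first as in OpenVPN's data channel."""
    return hmac.new(hmac_key, body, hashlib.sha1).digest() + body


def accept(packet: bytes, hmac_key: bytes):
    """First line of defense: return the body only if its tag verifies, otherwise None.

    The comparison is constant-time and happens before any decryption is attempted,
    which is what makes forged or replayed-with-wrong-key packets cheap to drop.
    """
    tag, body = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(hmac_key, body, hashlib.sha1).digest()
    return body if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    raw = parse_static_key(generate_static_key())
    server, client = direction_keys(raw, 0), direction_keys(raw, 1)
    pkt = seal(b"constructed packet body", server["tx"]["hmac"])
    print("client accepts server packet:", accept(pkt, client["rx"]["hmac"]) is not None)
    print("wrong-direction key rejects it:", accept(pkt, client["tx"]["hmac"]) is None)
```

Running the script shows the point the text makes about the direction argument: a packet sealed with the server's send key verifies only under the client's receive key, and without a direction argument both halves collapse to the same key so the two directions are indistinguishable.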

Using IPv6

In this recipe, we extend the complete site-to-site network to include support for IPv6.

Getting ready

Install OpenVPN 2.3.9 or higher on two computers. Make sure that the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Fedora 22 Linux and OpenVPN 2.3.10. We’ll use the secret.key file from the OpenVPN secret keys recipe here.

We use the following network layout (the original article shows it as a diagram; the LAN assignments follow from the route statements in the configuration files below): the server has the LAN 172.31.32.0/24 behind it, the client has the LAN 192.168.4.0/24 behind it, and the tunnel endpoints are 10.200.0.1/10.200.0.2 for IPv4 and 2001:db8:100::1/2001:db8:100::2 for IPv6.

How to do it…

  1. Create the server configuration file:
    dev tun
    proto udp
    local  openvpnserver.example.com
    lport  1194
    remote openvpnclient.example.com
    rport  1194
    
    secret secret.key 0
    ifconfig 10.200.0.1 10.200.0.2
    route 192.168.4.0 255.255.255.0
    
    tun-ipv6
    ifconfig-ipv6 2001:db8:100::1 2001:db8:100::2
    
    user  nobody
    group nobody  # use "group nogroup" on some distros
    persist-tun
    persist-key
    keepalive 10 60
    ping-timer-rem
    
    verb 3
    daemon
    log-append /tmp/openvpn.log
  2. Save it as example1-9-server.conf.
  3. On the client side, we create the configuration file:
    dev tun
    proto udp
    local  openvpnclient.example.com
    lport  1194
    remote openvpnserver.example.com
    rport  1194
    
    secret secret.key 1
    ifconfig 10.200.0.2 10.200.0.1
    route 172.31.32.0 255.255.255.0
    
    tun-ipv6
    ifconfig-ipv6 2001:db8:100::2 2001:db8:100::1
    
    user  nobody
    group nobody  # use "group nogroup" on some distros
    persist-tun
    persist-key
    keepalive 10 60
    ping-timer-rem
    
    verb 3
  4. Save it as example1-9-client.conf.
  5. We start the tunnel on both ends:
    [root@server]# openvpn --config example1-9-server.conf
    And:
    [root@client]# openvpn --config example1-9-client.conf
  6. Now our site-to-site tunnel is established.
  7. After the connection comes up, the machines on the LANs behind both end points can be reached over the OpenVPN tunnel. Note that the client OpenVPN session is running in the foreground.
  8. Next, we ping the IPv6 address of the server endpoint to verify that IPv6 traffic over the tunnel is working:
    [client]$ ping6 -c 4 2001:db8:100::1
    PING 2001:db8:100::1(2001:db8:100::1) 56 data bytes
    64 bytes from 2001:db8:100::1: icmp_seq=1 ttl=64 time=7.43 ms
    64 bytes from 2001:db8:100::1: icmp_seq=2 ttl=64 time=7.54 ms
    64 bytes from 2001:db8:100::1: icmp_seq=3 ttl=64 time=7.77 ms
    64 bytes from 2001:db8:100::1: icmp_seq=4 ttl=64 time=7.42 ms
    
    --- 2001:db8:100::1 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3005ms
    rtt min/avg/max/mdev = 7.425/7.546/7.778/0.177 ms
  9. Finally, we abort the client-side session by pressing Ctrl + C. The original article shows a screenshot of the full client-side log at this point; the error lines it contains are discussed under Log file errors below.

How it works…

The following options in the client configuration enable IPv6 support next to the default IPv4 support (the server configuration uses the same options with the two addresses swapped):

tun-ipv6
ifconfig-ipv6 2001:db8:100::2 2001:db8:100::1

Also, in the client configuration, the options daemon and log-append are not present, hence all OpenVPN output is sent to the screen and the process continues running in the foreground.

There’s more…

Log file errors

If we take a closer look at the client-side connection output, we see a few error messages after pressing Ctrl + C, most notably the following:

RTNETLINK answers: Operation not permitted

This is a side-effect when using the user nobody option to protect an OpenVPN setup, and it often confuses new users. What happens is this:

  • OpenVPN starts as the root user, opens the appropriate tun device, and sets the right IPv4 and IPv6 addresses on this tun interface.
  • For extra security, OpenVPN then switches to the nobody user, dropping all privileges associated with the user root.
  • When OpenVPN terminates (in our case, by pressing Ctrl + C), it closes access to the tun device and tries to remove the IPv4 and IPv6 addresses assigned to that device. At this point, the error messages appear, as the user nobody is not allowed to perform these operations.
  • Upon termination of the OpenVPN process, the Linux kernel closes the tun device and all configuration settings are removed.

In this case, these error messages are harmless, but in general, one should pay close attention to the warning and error messages that are printed by OpenVPN.
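Before starting the tunnel it is worth checking mechanically that the two configuration files from this recipe really mirror each other, because a swapped ifconfig pair or two identical secret directions fail in ways that only show up in the log. The following script is an added example (mine, not part of the book or of OpenVPN). It parses the server and client files from the recipe, embedded here as constructed strings, and reports every mismatch it finds; it also flags the combination the Log file errors discussion touches on, user nobody without persist-tun and persist-key, which leaves a process that has dropped privileges unable to reopen the tun device or re-read the key file on a keepalive-triggered restart.

```python
import ipaddress
import shlex

# The recipe's two files, embedded as constructed input (comments kept as on the page).
SERVER_CONF = """\
dev tun
proto udp
local  openvpnserver.example.com
lport  1194
remote openvpnclient.example.com
rport  1194
secret secret.key 0
ifconfig 10.200.0.1 10.200.0.2
route 192.168.4.0 255.255.255.0
tun-ipv6
ifconfig-ipv6 2001:db8:100::1 2001:db8:100::2
user  nobody
group nobody  # use "group nogroup" on some distros
persist-tun
persist-key
keepalive 10 60
ping-timer-rem
verb 3
daemon
log-append /tmp/openvpn.log
"""
CLIENT_CONF = """\
dev tun
proto udp
local  openvpnclient.example.com
lport  1194
remote openvpnserver.example.com
rport  1194
secret secret.key 1
ifconfig 10.200.0.2 10.200.0.1
route 172.31.32.0 255.255.255.0
tun-ipv6
ifconfig-ipv6 2001:db8:100::2 2001:db8:100::1
user  nobody
group nobody  # use "group nogroup" on some distros
persist-tun
persist-key
keepalive 10 60
ping-timer-rem
verb 3
"""


def parse_conf(text: str) -> dict:
    """Map each option name to the list of argument lists it was given with."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip trailing comments
        if line:
            words = shlex.split(line)
            opts.setdefault(words[0], []).append(words[1:])
    return opts


def first(opts: dict, name: str, default=None):
    return opts[name][0] if name in opts else default


def check_peer_pair(a: dict, b: dict, la: str = "server", lb: str = "client") -> list:
    """Return a list of problems; an empty list means the two files are consistent."""
    problems = []
    # --secret: same file on both sides, directions 0 and 1 (or no direction on either)
    sa, sb = first(a, "secret", []), first(b, "secret", [])
    if not sa or not sb or sa[0] != sb[0]:
        problems.append("secret: both peers must reference the same key file")
    elif sorted(sa[1:] + sb[1:]) not in ([], ["0", "1"]):
        problems.append(f"secret: directions must be 0 and 1, got {sa[1:]} / {sb[1:]}")
    # ifconfig / ifconfig-ipv6: each side's local address is the other side's remote
    for opt, cls in (("ifconfig", ipaddress.IPv4Address), ("ifconfig-ipv6", ipaddress.IPv6Address)):
        ia, ib = first(a, opt), first(b, opt)
        if (ia is None) != (ib is None):
            problems.append(f"{opt}: present on one peer only")
        elif ia is not None:
            try:  # tolerate an 'addr/bits' form for the local IPv6 address
                local_a, remote_a = cls(ia[0].split("/")[0]), cls(ia[1])
                local_b, remote_b = cls(ib[0].split("/")[0]), cls(ib[1])
            except (ValueError, IndexError) as exc:
                problems.append(f"{opt}: unparsable address ({exc})")
                continue
            if (local_a, remote_a) != (remote_b, local_b):
                problems.append(f"{opt}: {la} {local_a}->{remote_a} does not mirror {lb} {local_b}->{remote_b}")
    for label, o in ((la, a), (lb, b)):
        # the recipe sets tun-ipv6 alongside ifconfig-ipv6 on OpenVPN 2.3; flag a missing one
        if "ifconfig-ipv6" in o and "tun-ipv6" not in o:
            problems.append(f"{label}: ifconfig-ipv6 without tun-ipv6")
        # once privileges are dropped, a restart cannot reopen tun or re-read the key file
        if "user" in o and not {"persist-tun", "persist-key"} <= set(o):
            problems.append(f"{label}: 'user' set without persist-tun and persist-key")
    # the port one side listens on must be the port the other side dials (default 1194)
    for x, y, lx, ly in ((a, b, la, lb), (b, a, lb, la)):
        lport, rport = first(x, "lport", ["1194"])[0], first(y, "rport", ["1194"])[0]
        if lport != rport:
            problems.append(f"{lx} lport {lport} does not match {ly} rport {rport}")
    if first(a, "proto", ["udp"]) != first(b, "proto", ["udp"]):
        problems.append("proto differs between the peers")
    return problems


if __name__ == "__main__":
    for line in check_peer_pair(parse_conf(SERVER_CONF), parse_conf(CLIENT_CONF)) or ["consistent"]:
        print(line)
```

Run against the two files as written the checker prints "consistent"; editing the client's secret line to direction 0, or swapping its ifconfig-ipv6 addresses, produces a one-line report that names the offending option, which is quicker than reading it out of a verb 3 log after the tunnel has come up without traffic flowing.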

IPv6-only tunnel

With OpenVPN 2.3, it is required to always enable IPv4 support. From OpenVPN 2.4 onward, it is possible to set up an “IPv6-only” connection.

Summary

In this article, we extended the complete site-to-site network to include support for IPv6 with OpenVPN secret keys.
