In this article by Jan Just Keijser, author of the book OpenVPN Cookbook – Second Edition, we will cover the following recipes:
This recipe uses OpenVPN secret keys to secure the VPN tunnel. This shared secret key is used to encrypt the traffic between the client and the server.
Install OpenVPN 2.3.9 or higher on two computers. Make sure that the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Windows 7 Pro 64bit and OpenVPN 2.3.10.
[root@server]# openvpn --genkey --secret secret.key
[root@server]# openvpn --ifconfig 10.200.0.1 10.200.0.2 \
    --dev tun --secret secret.key
[WinClient] C:\>"Program Files\OpenVPN\bin\openvpn.exe" ^
    --ifconfig 10.200.0.2 10.200.0.1 ^
    --dev tun --secret secret.key ^
    --remote openvpnserver.example.com
The connection is established:
The server listens for incoming connections on UDP port 1194, and the client connects to the server on this port. After the initial handshake, the server configures the first available TUN device with the IP address 10.200.0.1 and expects the remote end (peer address) to be 10.200.0.2. The client does the opposite.
By default, OpenVPN uses two symmetric keys when setting up a point-to-point connection:
The same set of keys is used on both ends, and both keys are derived from the file specified with the --secret parameter.
An OpenVPN secret key file is formatted as follows:
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
<16 lines of random bytes>
-----END OpenVPN Static key V1-----
From the random bytes, the OpenVPN Cipher and HMAC keys are derived. Note that these keys are the same for each session!
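As an added example (my own code, not from the book), the following Python module writes a key file in the layout shown above, parses and validates one, and splits the 256 raw bytes the way the key-direction argument of the secret option (secret secret.key 0 on one side, 1 on the other) selects them. The per-direction layout it assumes, two 128-byte keys, each consisting of 64 bytes of cipher key material followed by 64 bytes of HMAC key material, with direction 0 encrypting with the first key and decrypting with the second, direction 1 the reverse and no direction argument using the first key both ways, is my reading of OpenVPN's crypto code, not something the recipe states; how many of those bytes a session actually consumes depends on the cipher and digest in use.

```python
"""Added example, not from the book: write, read and validate an OpenVPN
static key file, and split its bytes the way the key-direction argument
of the secret option selects them."""
import os
import re

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256        # 2048 bits, written as 16 lines of 32 hex digits
HALF = KEY_BYTES // 2  # the file holds two 128-byte keys, one per direction
# Layout assumption (my reading of OpenVPN's crypto code): each 128-byte key
# is 64 bytes of cipher key material followed by 64 bytes of HMAC key
# material; the cipher and digest in use decide how many bytes are consumed.
CIPHER_PART = 64


def generate_static_key(rng=os.urandom):
    """Return the text of a key file in the layout openvpn --genkey writes.
    rng is injectable only so the example can be tested deterministically."""
    raw = rng(KEY_BYTES)
    lines = ["#", "# 2048 bit OpenVPN static key", "#", BEGIN]
    lines += [raw[i:i + 16].hex() for i in range(0, KEY_BYTES, 16)]
    lines.append(END)
    return "\n".join(lines) + "\n"


def parse_static_key(text):
    """Return the 256 raw key bytes, or raise ValueError for a malformed file."""
    body = [ln.strip() for ln in text.splitlines()]
    body = [ln for ln in body if ln and not ln.startswith("#")]
    if not body or body[0] != BEGIN or body[-1] != END:
        raise ValueError("missing or misplaced BEGIN/END markers")
    hex_lines = body[1:-1]
    if len(hex_lines) != 16 or not all(
            re.fullmatch(r"[0-9a-fA-F]{32}", ln) for ln in hex_lines):
        raise ValueError("expected 16 lines of 32 hex digits")
    return bytes.fromhex("".join(hex_lines))


def _parts(key):
    """Split one 128-byte key into (cipher material, HMAC material)."""
    return key[:CIPHER_PART], key[CIPHER_PART:]


def split_key(raw, direction=None):
    """Return {'encrypt': (cipher, hmac), 'decrypt': (cipher, hmac)} for one side.
    direction 0 (the server in the recipe): encrypt with key 0, decrypt with key 1.
    direction 1 (the client): the reverse.
    direction None (no argument given): key 0 in both directions."""
    if len(raw) != KEY_BYTES:
        raise ValueError("static key must be exactly 256 bytes")
    keys = [raw[:HALF], raw[HALF:]]
    if direction is None:
        return {"encrypt": _parts(keys[0]), "decrypt": _parts(keys[0])}
    if direction not in (0, 1):
        raise ValueError("direction must be 0, 1 or None")
    return {"encrypt": _parts(keys[direction]),
            "decrypt": _parts(keys[1 - direction])}


def directions_agree(raw, server_dir, client_dir):
    """True when what the server encrypts with is what the client decrypts
    with and vice versa, i.e. the two sides' direction arguments are compatible."""
    s, c = split_key(raw, server_dir), split_key(raw, client_dir)
    return s["encrypt"] == c["decrypt"] and s["decrypt"] == c["encrypt"]


if __name__ == "__main__":
    key = parse_static_key(generate_static_key())
    print("directions 0/1 compatible:", directions_agree(key, 0, 1))
    print("directions 0/0 compatible:", directions_agree(key, 0, 0))
```

Because the file is the only source of key material, every session built on it reuses the same cipher and HMAC keys; the only way to get fresh keys is to generate a new file and redeploy it to both ends, which is the operational cost the "same for each session" remark above implies.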
In this recipe, we extend the complete site-to-site network to include support for IPv6.
Install OpenVPN 2.3.9 or higher on two computers. Make sure that the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Fedora 22 Linux and OpenVPN 2.3.10. We’ll use the secret.key file from the OpenVPN Secret keys recipe here.
We use the following network layout:
The server configuration file, example1-9-server.conf:
dev tun
proto udp
local openvpnserver.example.com
lport 1194
remote openvpnclient.example.com
rport 1194
secret secret.key 0
ifconfig 10.200.0.1 10.200.0.2
route 192.168.4.0 255.255.255.0
tun-ipv6
ifconfig-ipv6 2001:db8:100::1 2001:db8:100::2
user nobody
group nobody # use "group nogroup" on some distros
persist-tun
persist-key
keepalive 10 60
ping-timer-rem
verb 3
daemon
log-append /tmp/openvpn.log
The client configuration file, example1-9-client.conf:
dev tun
proto udp
local openvpnclient.example.com
lport 1194
remote openvpnserver.example.com
rport 1194
secret secret.key 1
ifconfig 10.200.0.2 10.200.0.1
route 172.31.32.0 255.255.255.0
tun-ipv6
ifconfig-ipv6 2001:db8:100::2 2001:db8:100::1
user nobody
group nobody # use "group nogroup" on some distros
persist-tun
persist-key
keepalive 10 60
ping-timer-rem
verb 3
[root@server]# openvpn --config example1-9-server.conf
And:
[root@client]# openvpn --config example1-9-client.conf
[client]$ ping6 -c 4 2001:db8:100::1
PING 2001:db8:100::1(2001:db8:100::1) 56 data bytes
64 bytes from 2001:db8:100::1: icmp_seq=1 ttl=64 time=7.43 ms
64 bytes from 2001:db8:100::1: icmp_seq=2 ttl=64 time=7.54 ms
64 bytes from 2001:db8:100::1: icmp_seq=3 ttl=64 time=7.77 ms
64 bytes from 2001:db8:100::1: icmp_seq=4 ttl=64 time=7.42 ms
--- 2001:db8:100::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 7.425/7.546/7.778/0.177 ms
The following options enable IPv6 support alongside the default IPv4 support:
tun-ipv6
ifconfig-ipv6 2001:db8:100::2 2001:db8:100::1
Also, the client configuration lacks the daemon and log-append options, so all OpenVPN output goes to the screen and the process keeps running in the foreground.
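The two configuration files above have to mirror each other exactly (tunnel addresses swapped, key directions 0 and 1, each side's remote being the other's local), and a mistake in any of those produces a tunnel that starts but never passes traffic. As an added example (my own code, not from the book) here is a small Python checker that parses a server/client pair and reports such mismatches; the embedded configurations are the relevant lines of the recipe's example1-9-server.conf and example1-9-client.conf, and the checks it performs are my own choice.

```python
"""Added example, not from the book: cross-check an OpenVPN point-to-point
server/client configuration pair for mismatches that quietly break a
static-key site-to-site tunnel. The embedded configs are the relevant lines
of the recipe's example1-9-server.conf and example1-9-client.conf."""

SERVER_CONF = """\
dev tun
proto udp
local openvpnserver.example.com
lport 1194
remote openvpnclient.example.com
rport 1194
secret secret.key 0
ifconfig 10.200.0.1 10.200.0.2
route 192.168.4.0 255.255.255.0
tun-ipv6
ifconfig-ipv6 2001:db8:100::1 2001:db8:100::2
user nobody
group nobody # use "group nogroup" on some distros
"""

CLIENT_CONF = """\
dev tun
proto udp
local openvpnclient.example.com
lport 1194
remote openvpnserver.example.com
rport 1194
secret secret.key 1
ifconfig 10.200.0.2 10.200.0.1
route 172.31.32.0 255.255.255.0
tun-ipv6
ifconfig-ipv6 2001:db8:100::2 2001:db8:100::1
user nobody
group nobody # use "group nogroup" on some distros
"""


def parse_conf(text):
    """Map each option name to the list of argument lists it was given;
    everything after '#' is a comment, as OpenVPN treats it."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts


def first(opts, name):
    """Arguments of the first occurrence of an option, or None if absent."""
    return opts[name][0] if name in opts else None


def check_pair(server_text, client_text):
    """Return human-readable problems; an empty list means both sides agree
    on everything this checker looks at."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []

    # Tunnel addresses: each side's local address is the other side's remote.
    for opt in ("ifconfig", "ifconfig-ipv6"):
        sv, cv = first(s, opt), first(c, opt)
        if (sv, cv) == (None, None):
            continue
        if sv is None or cv is None or sv != cv[::-1]:
            problems.append(f"{opt} is not mirrored between server and client")
    if ("ifconfig-ipv6" in s or "ifconfig-ipv6" in c) and \
            not ("tun-ipv6" in s and "tun-ipv6" in c):
        problems.append("ifconfig-ipv6 used without tun-ipv6 on both sides")

    # Static key direction: 0 on one side and 1 on the other, or absent on
    # both (then OpenVPN uses a single key in both directions).
    ss, cs = first(s, "secret"), first(c, "secret")
    if ss is None or cs is None:
        problems.append("secret option missing on one side")
    else:
        dirs = {ss[1] if len(ss) > 1 else None, cs[1] if len(cs) > 1 else None}
        if dirs not in ({"0", "1"}, {None}):
            problems.append("secret key direction must be 0 on one side and "
                            "1 on the other, or omitted on both")

    # Endpoints and ports: what one side calls remote/rport the other side
    # must call local/lport (checked only where both sides set them).
    for mine, theirs in (("remote", "local"), ("rport", "lport")):
        pairs = ((first(s, mine), first(c, theirs)),
                 (first(c, mine), first(s, theirs)))
        if any(a is not None and b is not None and a != b for a, b in pairs):
            problems.append(f"{mine} on one side does not match {theirs} on the other")

    # Both daemons should drop root after start-up.
    for side, opts in (("server", s), ("client", c)):
        if "user" not in opts or "group" not in opts:
            problems.append(f"{side} config does not drop privileges (no user/group)")
    return problems


if __name__ == "__main__":
    for line in check_pair(SERVER_CONF, CLIENT_CONF) or ["no problems found"]:
        print(line)
```

Run it on the two files before starting the daemons; the key-direction check in particular catches the common copy-and-paste error of leaving both sides at 0, which OpenVPN does not detect at start-up because each side only sees its own file.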
If we take a closer look at the client-side connection output, we see a few error messages after pressing Ctrl + C, most notably the following:
RTNETLINK answers: operation not permitted
This is a side effect of using the user nobody option to protect an OpenVPN setup, and it often confuses new users. What happens is this:
In this case, these error messages are harmless, but in general, one should pay close attention to the warning and error messages that are printed by OpenVPN.
With OpenVPN 2.3, IPv4 support must always be enabled. From OpenVPN 2.4 onward, it is possible to set up an “IPv6-only” connection.
In this article, we extended the complete site-to-site network to include support for IPv6 with OpenVPN secret keys.