OpenVPN Guest Lecture OS3 System & Network Engineering

Jan Just Keijser Nikhef 4 December 2019 J.J. Keijser Nikhef Amsterdam A few words about me  Working as grid system engineer since 2005  Working in IT industry since 1995  “discovered” OpenVPN in 2004  Used and supported OpenVPN since then  Author of the “OpenVPN 2 Cookbook” (2011), “Mastering OpenVPN” (2015, met Eric Crist) en “OpenVPN Cookbook - 2nd Edition” (2017)  IT interests include open source, networking, VPNs, security, J.J. Keijser Nikhef openssl, socat, HPC/GPU computing Amsterdam What is a VPN? Your TROL (Typical Remote Office Layout) Client

Internet / WAN NAT&Firewall Firewall&NAT

Without the use of a VPN… J.J. Keijser Nikhef Amsterdam Server What is a VPN? VPN Setup Client

NAT&Firewall Firewall&NAT Internet / WAN

Using a VPN… J.J. Keijser Nikhef Amsterdam Server Types of VPNs  Web based: Proxies, SOCKS  Solutions based on SSH  PPTP based: Microsoft PPTP VPN client  IPSec based: OpenS/WAN, FreeS/WAN, StrongSwan, raccoon  IPSec+L2TP based: Microsoft L2TP VPN client  New kid: wireguard  SSL based: OpenVPN

J.J. Keijser Nikhef Amsterdam Virtual network adapter  Most VPNs use the concept of a Virtual Network Adapter. This allows for: ◦ Separate IP address; ◦ Control over the routing and protocols allowed over the VPN.  The Virtual Network Adapter is the interface between the VPN client (or server) software and the Operating System.

1 Ethernet VPN client J.J. Keijser 3 2 Nikhef Amsterdam Virtual Network Adapter Web-based VPNs  Also known as “clientless VPNs”  Work only with web-based applications  Basically, a souped-up Secure Proxy server or SOCKS server  The VPN never leaves the “sandbox” of the webbrowser:

HTTPS encrypted traffic Ethernet 1 Web browser J.J. Keijser Nikhef VPN applet Amsterdam SSH-based solutions  Not a true VPN – tunnelling of specific TCP ports only  Client and server software available for nearly every platform  OpenSSH includes SOCKS server support, allowing more flexible tunnels

hostA:80 SSH Tunnel

127.0.0.1:8080 127.0.0.1:1200 hostB:23

J.J. Keijser 127.0.0.1 port 8080 hostA port 80 (http) Nikhef Amsterdam 127.0.0.1 port 1200 hostB port 23 (telnet) SSH-based solutions (2)  Newer versions of OpenSSH include “tun” support  Available only on Linux/*BSD  Is a fully functional VPN, but does not scale well hostA

SSH Tunnel

tun0: 10.10.10.1 tun0: 10.10.10.2

J.J. Keijser hostB Nikhef Amsterdam Web&SSH Pro's and con's  Pro’s: ◦ Cient software for nearly all platforms; ◦ Uses standard TCP traffic so no NAT’ting issues; ◦ Easy to configure.  Con’s: ◦ Web-based (TCP, HTTPS) only; ◦ Not easy to share local data with remote site/server; J.J. Keijser ◦ Not a true VPN solution. Nikhef Amsterdam PPTP: the Microsoft solution  Developed by Microsoft and Ascend (RFC2637)  Authentication using username/password OR X.509 certificates (EAP-TLS)  Runs over single TCP port and GRE tunnels (protocol 47)  Frequently used for ADSL ethernet modems  Interface to OS through PPTP adapter: GRE encrypted traffic 1 Ethernet VPN client J.J. Keijser 3 2 Nikhef Amsterdam PPTP adapter PPTP: Pro's and con's  Pro’s: ◦ Client built into Microsoft platform; ◦ Other platforms supported for both client and server:  Linux;  FreeBSD/OpenBSD/NetBSD;  Macintosh OS X.  Con’s: ◦ PPTP considered fundamentally insecure; J.J. Keijser Nikhef ◦ Secure version (EAP-TLS) supported fully only on Windows; Amsterdam ◦ GRE tunnelling does not work well with NAT’ting devices. IPsec  Official IEEE/IETF standard voor IP security (RFC2411)  Operates at Level2/Level3 of IP stack  Part of IPv6 specification  Introduces the concept of Security Policies  Uses Encapsulated Security Payload (ESP, IP protocol 50) for payload security, Hash-based Message Authentication Code (HMAC) for integrity  Authentication using X.509 certificates or pre-shared keys  Two modes supported: J.J. Keijser Nikhef Amsterdam ◦ Transport mode; ◦ Tunnelling mode; IPsec+L2TP  Developed by Microsoft and Cisco Systems (RFC3193)  Utilizes IPSec Transport mode  Authentication using X.509 certificates or pre-shared keys, in combination with a username/password  Uses both UDP ports 500 and 4500 as well as ESP (protocol 50)  Interface to OS through L2TP adapter:

IPsec encrypted traffic IPSec 1 Ethernet L2TP client J.J. Keijser 3 2 Nikhef Amsterdam L2TP adapter IPsec: Pro's and con's  Pro’s: ◦ Industry standard; ◦ Good platform support, including ADSL and Wifi routers; ◦ Security policies allow for a very modular approach.  Con’s: ◦ Configuration and troubleshooting can be difficult; ◦ Notoriously difficult to configure, especially in combination with NAT-Traversal (NAT-T); ◦ Server-side cannot be NAT’ted, often forcing the use of a DMZ; J.J. Keijser Nikhef ◦ IPSec and NAT’ting devices do not go well together. Amsterdam Wireguard: new kid on the block  New protocol: no TLS, no SSL, no IPSec, no X.509  “WireGuard uses state-of-the-art cryptography, like the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions. “  Currently implemented as a Linux kernel module  Platform support for Windows, MacOS, Android, iOS, Linux  Userspace programs still severely lacking  Works over UDP only: makes it harder to operate in a “hostile” environment J.J. Keijser Nikhef Amsterdam OpenVPN: an SSL based VPN  Uses TLS/SSL for payload security, HMAC for integrity  Authentication using X.509 certificates or pre-shared keys  UDP, TCP and SOCKS/HTTP Proxy support  Supports tunnelling (TCP/IP) and bridging (Ethernet) mode  Interface to OS through tun/tap device or TAP-Win32 adapter:

UDP/TCP encrypted traffic 1 Ethernet OpenVPN J.J. Keijser 3 Nikhef 2 Amsterdam tun/tap device What is OpenVPN?  With OpenVPN, you can: ◦ tunnel any IP subnetwork or virtual ethernet adapter over a single UDP or TCP port, ◦ configure a scalable, load-balanced VPN server farm using one or more machines which can handle thousands of dynamic connections from incoming VPN clients, ◦ use all of the encryption, authentication, and certification features of the OpenSSL library to protect your private network traffic as it transits the internet, ◦ use any cipher, key size, or HMAC digest (for datagram integrity checking) supported by the OpenSSL library, ◦ choose between static-key based conventional encryption or certificate-based public key encryption, ◦ use static, pre-shared keys or TLS-based dynamic key exchange, ◦ use real-time adaptive link compression and traffic-shaping to manage link bandwidth utilization, ◦ tunnel networks whose public endpoints are dynamic such as DHCP or dial-in clients, ◦ tunnel networks through connection-oriented stateful firewalls without having to use explicit firewall rules, ◦ tunnel networks over NAT, J.J. Keijser ◦ create secure ethernet bridges using virtual tap devices, and Nikhef Amsterdam ◦ control OpenVPN using a GUI on Windows or Mac OS X. (from http://openvpn.net/index.php/open-source/333-what-is-openvpn.html) OpenVPN: some history  Started in 2002 by James Yonan  First version only supported preshared keys and site-to-site connectivity  2004: OpenVPN 2.0 which supported X509 certificates, and client/server mode  2009: OpenVPN 2.1 which added PKCS#11 and Windows Vista/7 support  2011: OpenVPN 2.2 released: first community-built version  2013: OpenVPN 2.3 released: IPv6 support, PolarSSL/mbedTLS  2017: OpenVPN 2.4 released: AEAD (AES-GCM) support, TLS-Crypt, Windows 10 J.J. Keijser st Nikhef  Latest release: Oct 31 2019: version 2.4.8 Amsterdam OpenVPN protocol  In SSL/TLS mode two channels are used: ◦ A reliable control channel for exchanging SSL/TLS information and keys ◦ A data channel for transporting actual payload. In UDP mode this channel is not reliable  Each encrypted packet is formatted as follows: ◦ HMAC(explicit IV, encrypted envelope) ◦ Explicit IV ◦ Encrypted Envelope  The content of the encrypted envelope is formatted as follows: J.J. Keijser Nikhef ◦ 64 bit sequence number Amsterdam ◦ payload data, i.e. IP packet or Ethernet frame Modes of operation OpenVPN supports several modes of operation:  Preshared static keys  AuthN using X509 certificates  AuthN using username+password  Tunnelling mode (point-to-point, aka 'tun')  Ethernet mode (aka 'tap')  J.J. Keijser Ethernet bridging Nikhef Amsterdam Basic static key example  First, generate a static key: $ openvpn --genkey --secret secret.key  Transfer the key to the remote end using a secure channel (e.g. scp)  Start the server/listener: $ openvpn --ifconfig 10.200.0.1 10.200.0.2 \ --dev tun --secret secret.key  And connect to it using the client:

J.J. Keijser $ openvpn --ifconfig 10.200.0.2 10.200.0.1 \ Nikhef Amsterdam --dev tun --secret secret.key \ --remote openvpnserver.example.com Setting up a PKI  OpenVPN supplies 'easy-rsa' scripts, which are wrappers around 'openssl ca' commands  Other PKI solutions can also be used, provided they can supply PEM-encoded certificates and keys or PKCS#12 formatted files  Example usage of 'easy-rsa': $ $ . ./vars $ ./clean-all $ ./build-ca J.J. Keijser Nikhef $ ./build-key-server Amsterdam $ ./build-key Basic X509 example (server) proto udp port 1194 dev tun server 10.8.0.0 255.255.255.0 ca ca.crt cert server.crt key server.key dh dh1024.pem tls-auth ta.key 0 persist-key persist-tun J.J. Keijser keepalive 10 60 Nikhef Amsterdam user nobody group nobody Basic X509 example (client) client proto udp remote openvpnserver.example.com port 1194 dev tun nobind ca ca.crt cert client.crt key client.key tls-auth ta.key 1

J.J. Keijser Nikhef Amsterdam Network topologies  OpenVPN 2.1 introduced a new keyword topology subnet  Previously, each client was assigned a miniature /30 network: ◦ Server uses 10.8.0.0-10.8.0.3 ◦ First client is assigned 10.8.0.4-10.8.0.7 ◦ Second client is assigned 10.8.0.8-10.8.0.11, etc. 10.8.0.4 /30 network address 10.8.0.5 remote endpoint (virtual) 10.8.0.6 actual client VPN IP 10.8.0.7 /30 broadcast address J.J. Keijser Nikhef  Amsterdam With 'topology subnet' each client is assigned only a single IP address: 10.8.0.2, 10.8.0.3, etc. 'tun' versus 'tap'  OpenVPN supports two transport modes: ◦ 'tun' mode:  Create a mini point-to-point connection to each client  The headers of each incoming packet are stripped and new headers are added  Can support IP protocols only (TCP, UDP, ICMP, IPsec, GRE) ◦ 'tap' mode:  Pass full ethernet frames between client and server  Great for supporting non-IP protocols J.J. Keijser Nikhef  Slightly higher overhead Amsterdam  Server and clients form a single broadcast domain Bridging  'tap' mode allows the creation of a full Ethernet bridge: ◦ A regular network interface and a 'tap' interface are bridged ◦ All traffic which enters on one interface is copied out to the other interface ◦ Result: the LAN and the VPN form a single broadcast domain - great for multi-player gaming! ◦ A second advantage is that the VPN clients can be incorporated almost fully into the server-side LAN (e.g. can use the same DHCP server) ◦ Downside: performance! Even the throughput speed of the LAN interface is affected, as all incoming traffic is ALWAYS copied over to the 'tap' interface J.J. Keijser Nikhef Amsterdam Bridging example (server) proto udp port 1194 dev tap0 server-bridge 10.8.0.100 255.255.255.0 10.8.0.101 \ 10.8.0.140 ca ca.crt cert server.crt key server.key dh dh1024.pem tls-auth ta.key 0 persist-key J.J. Keijser persist-tun Nikhef Amsterdam keepalive 10 60 user nobody Routing and masquerading  A VPN is one thing, routing traffic over it is another  80+ % of all OpenVPN support questions are about routing  Most commonly used trick (on Linux servers) $ echo 1 > /proc/sys/net/ipv4/ip_forward $ iptables -i FORWARD -i tun+ -j ACCEPT $ iptables -i FORWARD -o tun+ -j ACCEPT $ iptables -t nat -I POSTROUTING -o eth0 \ -j MASQUERADE

J.J. Keijser Nikhef Amsterdam Scripting (1)  OpenVPN offers several ways to influcence what happens when a client connects or disconnects, both on the server side and on the client side  On the client side the following scripts are run when the client connects: ◦ 'up' : when the virtual interface is brought up ◦ 'route-up': when routes need to be added to the local routing tables  Similarly, when the client disconnects: ◦ 'down' : when the virtual interface is taken down J.J. Keijser Nikhef Amsterdam Scripting (2)  On the server side the following scripts are run when a client connects: ◦ 'client-connect' : allows you to write out configuration statements which are pushed out to the client ◦ 'learn-address add' ◦ 'tls-verify': verify the entire certificate chain of the client ◦ 'auth-user-pass-verify': allows for authentication using username and password  Similarly, when the client disconnects: J.J. Keijser ◦ 'learn-address delete' Nikhef Amsterdam ◦ 'client-disconnect' Scripting example (server) ...

script-security 2 # run when server starts and shuts down up sample-script.sh route-up sample-script.sh down sample-script.sh # run when a client connects or disconnects client-connect sample-script.sh client-disconnect sample-script.sh learn-address sample-script.sh J.J. Keijser tls-verify sample-script.sh Nikhef Amsterdam auth-user-pass-verify sample-script.sh via-env Plugins  Next to scripts, OpenVPN can also be extended using plugins  Plugins can be inserted at almost all points where scripts are run  Most common plugins are ◦ auth-pam: for authentication users using PAM; ◦ down-root: for running a command as root when openvpn shuts down.  Why would you use a plugin? ◦ Speed: plugins are run in a separate thread ◦ Security: it's easy to make a mistake in a script which can be exploited.

J.J. Keijser Nikhef Amsterdam Encryption and HMAC signing  Control channel is encrypted and signing using a standard TLS handshake Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM- SHA384, 2048 bit RSA  Data channel is encrypting and signed using ‘Blowfish’ and ‘SHA1’ (backwards compatibility)  It is recommended to specify a mininum of “aes-256-cbc’ and ‘SHA256’  With new cipher negotation in v2.4 the client and server J.J. Keijser Nikhef negotiate AES-GCM, overruling the default cipher+HMAC Amsterdam Tls-auth and tls-crypt  For extra security, control traffic channel can be protected using either a hash (tls-auth) or fully encrypted (tls-crypt)  Tls-auth provides protection against DoS attacks for UDP setups: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication  Tls-crypt encrypts and signs all control channel traffic: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

J.J. Keijser Nikhef Amsterdam Other features  On-the-fly compression using 'lzo' or ‘lz4’ (not recommended)  Connect via a SOCKS proxy  Connect via an HTTP proxy  Share a VPN server with an HTTPS server on the same IP and port  Management interface (on both client and server): ◦ View connected clients; ◦ View statistics; ◦ Disconnect clients.

J.J. Keijser Nikhef Amsterdam Weaknesses  Windows support has always been problematic  iOS client has not been open source for a long time  Monolithic design: both a strength and a weakness, but does affect scalability  Too many options, mostly for backwards compatibility  Throughput over gigabit links could be better  Difficult to port to new OSes (such as smartphones): a 'tun' driver needs to be present (iPhone!) J.J. Keijser Nikhef Amsterdam What's wrong @ Gigabit speed?

J.J. Keijser Nikhef Amsterdam Future developments  A grand, completely modular redesign is being worked on (OpenVPN 3.0)  Improve negotiation capabilities between client and server; make client configuration as minimal as possible  ‘tls-crypt’ version 2  New Windows driver ‘wintun’ for improved performance  Network configuration layer to be replaced  TLSv1.3 J.J. Keijser  Nikhef Better VLAN support Amsterdam