Tip

OpenVPN: IPSec-like security with IPSec-less simplicity

Virtual private networks, or VPNs, are obviously the most secure solution for allowing mobile employees to access the corporate network from outside the premises. But because VPNs are easily broken by network address translation (NAT) or stifled by restrictive ACL rules, they pose interesting challenges to enterprise network administration policy and procedure in terms of configuration, implementation and usage.

IPSec-derived VPN solutions can be confusing to inexperienced administrators; they are difficult to configure because so many parameters are involved. Worse yet, IPSec operates in kernel mode, an excellent leverage point for potential attackers.

Enter OpenVPN. OpenVPN's key advantages lie in its simplified security architecture, modular network design and cross-platform compatibility. Because OpenVPN is derived from SSL/TLS, it works with virtually every firewall. It is globally accessible through an Internet connection and an HTTPS-capable Web browser. Virtual tunnel/tap (tun/tap) devices do the heavy lifting, which makes this software less complex and more flexible than kernel-based IPSec components. This architecture also provides cross-platform capability; OpenVPN can run on platforms from BSD (FreeBSD, NetBSD, OpenBSD) and Mac OS X to Linux and Windows.

The tun/tap framework also means that all remote traffic negotiated through an OpenVPN tunnel can be recognized and handled at the company firewall and subsequently shaped by internal

Requires Free Membership to View

quality-of-service policies. On the server side, OpenVPN provides proxy support for TCP and UDP tunnels and even multiple inbound connections to a single port. Because OpenVPN operates in both layer 2 bridging and layer 3 routing modes, it can handle otherwise non-routable protocols such as NETBIOS.

OpenVPN is scalable; it permits creation of numerous endpoints through scripted interactions that work with push/pull options. This lets central servers quickly configure remote computers in a way that's completely transparent to end-users. Furthermore, NAT traversal and flexible dynamic IP allocation support enables OpenVPN to cope with constantly changing client addresses with minimal interruption to ongoing communications. As a result, quick reconnect times are yet another key benefit of the OpenVPN framework.

OpenVPN's ultra portable framework means it can operate on numerous operating systems, including Windows. Its front-end client can be specially packaged to install and operate without administrative privileges using a client configuration file that's fewer than 20 lines long (shown in a text block following this paragraph). This lightweight, portable, cross-platform SSL/TLS solution is ideal for on-the-go administrators, executives, mobile service technicians and any enterprise employees that need remote access to internal company resources.

Example OpenVPN client-side configuration:

 client
 proto udp
 dev tun
 remote vpn.world-accessible-server.com 3030
 resolv-retry infinite
 nobind
 persist-key
 persist-tun
 ca ca.crt
 cert my-example.crt
 key my-example.key
 comp-lzo
 verb 2
Source: How to Run OpenVPN as a non-admin user in Windows

Justin Korelc is a longtime Linux hacker and system administrator who concentrates on hardware and software security, virtualization and high-performance Linux systems. Ed Tittel is a full-time freelance writer based in Austin, Tex., who specializes in markup languages, information security, networking and IT certification. Both Justin and Ed have contributed to books on Home Theater PCs and the Linux-based MythTV environment, and they write regularly about Linux for various TomsHardware sites.


This was first published in June 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.