A Virtual Private Network (VPN) connects several smaller internal networks into one larger internal network across a public network such as the Internet, without sacrificing security. The nodes in each internal network appear to be part of the same private network, even though they may be located on different continents. Because the traffic travels over the existing public network, it has to be properly encrypted, so that intermediary nodes cannot sniff the packets off the wire and obtain sensitive information. A VPN therefore gives access to remote network services in the same way as if they were part of the local private network.
A VPN is normally used by employees to securely access the company’s internal network from outside the office; this is called a remote-access VPN. It lets employees working from home reach the internal servers and applications they need for their jobs. A company with a VPN in place needs to keep only one port open to the outside, the VPN port (OpenVPN uses UDP port 1194 by default), while all other ports can stay closed.
A user connected over the VPN has access to the systems and applications on their respective ports inside the internal network, because as far as network location is concerned, he is inside the internal network. When a company uses a VPN to give employees access to internal servers and applications, only the VPN port is open to the outside world, so an attacker’s only way into the internal network is to attack the VPN service itself.
For now we set aside other kinds of attacks an attacker could use to get into the internal network by convincing users to take some action, such as clicking on a URL contained in an email (that is regarded as a social engineering attack).
If the company doesn’t want to use a VPN, but still wants their employees to have access to the internal systems, they have to open appropriate ports on the firewall, which exposes the services to the outside world and therefore makes them a likely target for attackers.
Attackers scanning the company’s IP range can quickly discover the open ports and attack every service running behind them. The attacker only needs to compromise one of those services, which will most probably give him access to the internal network. With multiple targets to choose from, he will go for the easiest one and won’t bother with the security-hardened services.
A company using a VPN therefore greatly improves its security, because it does not expose unnecessary services to the outside world. The attack surface shrinks to the VPN service running on a single predefined port, while the remaining services are unreachable and safe behind the firewall.
Introduction to VPN Settings
In this tutorial we’ll talk about OpenVPN client connection settings, which come in handy when the connection to the OpenVPN server does not work. We’ll be using the GOpenVPN GUI client, which lets us connect to or disconnect from a given OpenVPN network right from the desktop without dropping to the command line. GOpenVPN also shows the status of the OpenVPN connection: red when not connected, yellow while the connection is being established, and green once we’re successfully connected to the OpenVPN server.
The basic OpenVPN command for connecting to the OpenVPN server looks like the following:
# /usr/sbin/openvpn --config /etc/openvpn/client.ovpn --verb 4
Only the config directive is really needed; it points at the file holding the configuration options for the OpenVPN connection. The verb directive makes the OpenVPN process more verbose; the verbosity level ranges from 0 (no output) through 1 (the default) up to 11.
The configuration file
The configuration file usually specifies many options that we should understand before connecting to the OpenVPN server. This section presents the most commonly used configuration options, grouped by purpose, in the lists below. The options and their explanations are summarized from the official OpenVPN manual.
Options used for authentication to the OpenVPN server are the following:
ca: The CA root certificate, signed with the CA’s own public/private key pair, which is used to verify the authenticity of the client’s certificate as well as the server’s.
key: The private key of the certificate key pair.
cert: The local certificate (the public half of the certificate key pair), presented when establishing a connection.
pkcs12: A .p12 file containing the private key, the certificate and the CA certificate. With this option, the ca, key and cert options are not needed at all.
tls-auth: Provides an additional HMAC layer to protect against DoS attacks: packets with an invalid HMAC signature are dropped without a response. This option is needed when the VPN server accepts connections from anybody rather than only from predefined trustworthy IP addresses.
askpass: Asks the user on stdin for the password of the private key, or reads it from a file, when a password-protected certificate is used.
auth-user-pass [file]: Specifies a file containing the username on the first line and the password on the second line. OpenVPN will only read the password from a file if it was compiled with the ENABLE_PASSWORD_SAVE option (the passwordsave USE flag on Gentoo). If no file is given, the OpenVPN process prompts us to enter the credentials on stdin.
auth-nocache: Stops OpenVPN from caching the passwords given via askpass or auth-user-pass in memory. As soon as we enter the password, OpenVPN deletes it from memory, and whenever the password is needed again we have to type it in manually.
auth-retry type: Controls what happens when the server rejects the username and password as invalid, which can happen if we made a typo when entering the password. The type can be one of the following:
- none: fatal error occurs and client exits (default)
- nointeract: client will retry the current username and password again
- interact: the client asks the user for the username and password again before reconnecting, so the user can correct the mistake made previously.
script-security level: Defines the policy for calling external programs. The level can be one of the following:
- 0: OpenVPN isn’t allowed to call any external programs.
- 1: OpenVPN can only call the built-in executables like ifconfig, ip, route or netsh.
- 2: OpenVPN can call executables and scripts.
- 3: OpenVPN can pass passwords to other programs in environmental variables.
up cmd: After the TUN/TAP device has been successfully opened, the cmd command is executed.
down cmd: After the TUN/TAP device has been closed, the cmd command is executed.
cd dir: Changes directory to dir before reading any files, such as configuration files, key files and scripts.
chroot dir: Makes dir the root directory, so OpenVPN cannot access files outside this chroot directory.
daemon: Starts OpenVPN in daemon mode, where all logs are sent to /var/log/messages, except the output of the scripts given with the up/down directives, which goes to /dev/null.
log file: Redirects all stdout and stderr output to file, including the output of the scripts given with the up/down directives.
comp-lzo mode: Used to compress the data with LZO algorithm, where the mode can be one of the following:
- yes: turn LZO on by default.
- no: turn LZO off by default, but allow push overrides from the server, which can dynamically change this option.
- adaptive (default): selectively turn on or off the LZO compression.
We should also take a look at the management interface provided by OpenVPN. The list below presents the configuration options related to the management interface.
management ip port [file]: Enables the management server, which listens on ip:port. If a file is given, we must supply the password written in that file when connecting before we can execute commands. The management interface lets other programs connect to it and administer OpenVPN. We can also connect to it with the telnet program and type ‘help’ to print the list of supported commands. For security reasons, the ip must be set to 127.0.0.1 to prevent unauthorized access from other hosts on the network.
management-query-passwords: The private key password and the username and password are requested through the management interface, so a GUI can prompt the user for them, which is more intuitive than having to telnet to the management interface and type in the command.
management-forget-disconnect: Makes OpenVPN forget the password when we disconnect from the management interface.
management-hold: Starts OpenVPN in a hibernating (held) state until we connect to the management interface and release it manually with the “hold release” command.
management-signal: Sends the SIGUSR1 signal to OpenVPN when we disconnect from the management interface. This is useful when we close the connection in GOpenVPN, which disconnects from the management interface, which in turn sends the signal to OpenVPN and thus terminates the OpenVPN connection.
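To make the option descriptions in the two lists above concrete, here is an added example (not code from the article, OpenVPN or GOpenVPN) in Python. It parses a client configuration in OpenVPN’s “option arg ...” line format and flags the settings the lists warn about: missing certificate material, no tls-auth, script-security 3, up/down scripts that cannot run, a management interface not bound to 127.0.0.1, and a cleartext auth-user-pass file. The two configurations embedded in it are constructed for the example; the hostname, file paths, port and password file are placeholders, and an unset script-security is assumed to default to 1.

```python
"""Parse an OpenVPN client config and flag weak settings.

Added example; not code from the article, OpenVPN or GOpenVPN. The two
configurations below are constructed: hostname, paths, port and password
file are placeholders.
"""
import shlex

# Constructed "before" config: it connects, but has several weak settings.
WEAK_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
auth-user-pass /etc/openvpn/creds.txt
auth-retry interact
script-security 3
up /etc/openvpn/up.sh
down /etc/openvpn/down.sh
management 0.0.0.0 7505 /etc/openvpn/mgmt.pw
comp-lzo adaptive
verb 4
"""

# Constructed "after" config: same connection, hardened settings.
HARDENED_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
tls-auth /etc/openvpn/ta.key 1
askpass
auth-user-pass
auth-retry interact
script-security 2
up /etc/openvpn/up.sh
down /etc/openvpn/down.sh
management 127.0.0.1 7505 /etc/openvpn/mgmt.pw
management-query-passwords
management-hold
management-signal
comp-lzo adaptive
verb 4
"""


def parse_config(text):
    """Return (option, [args]) pairs; blank lines and #/; comments are skipped.

    Each config line is 'option arg1 arg2 ...'; shlex handles quoted arguments
    such as paths containing spaces.
    """
    options = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = shlex.split(line)
        options.append((parts[0], parts[1:]))
    return options


def check_config(options):
    """Return a list of findings; an empty list means nothing was flagged."""
    names = {opt for opt, _ in options}
    args = dict(options)  # last occurrence of an option wins
    findings = []
    # Certificate material: either a pkcs12 bundle, or all of ca, cert and key.
    if "pkcs12" not in names and not {"ca", "cert", "key"} <= names:
        findings.append("missing certificate material: need pkcs12 or ca+cert+key")
    # tls-auth drops packets with a bad HMAC before they reach the TLS code.
    if "tls-auth" not in names:
        findings.append("tls-auth not set: control channel has no HMAC protection")
    # script-security 3 exports passwords to external scripts via the environment.
    level = int(args.get("script-security", ["1"])[0])  # assumed default: 1
    if level >= 3:
        findings.append("script-security 3: passwords are passed to external scripts")
    # Levels 0 and 1 allow built-ins only, so a configured up/down script never runs.
    if level < 2 and ({"up", "down"} & names):
        findings.append("up/down script configured but script-security < 2: it will not run")
    # The management interface must only listen on the loopback address.
    mgmt = args.get("management")
    if mgmt and mgmt[0] != "127.0.0.1":
        findings.append("management interface bound to %s instead of 127.0.0.1" % mgmt[0])
    # auth-user-pass with a file argument keeps the password on disk in clear text.
    if args.get("auth-user-pass"):
        findings.append("auth-user-pass reads a cleartext credentials file: check its permissions")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_OVPN), ("hardened", HARDENED_OVPN)):
        print(name, check_config(parse_config(text)) or ["no findings"])
```

Running it prints four findings for the weak configuration and none for the hardened one; the same parse_config output can be fed to any further checks you care about, such as verifying that the files named by ca, cert, key and auth-user-pass are not world-readable.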
Keep in mind that if we don’t want to reenter the password every now and then, we mustn’t use the auth-nocache option, which makes OpenVPN delete the username and password from memory. Whenever OpenVPN needs to reestablish the connection, a pop-up dialog appears and we have to reenter the username and password. Doing this every hour quickly becomes tedious, so we’re better off not using this option at all. Nevertheless, it is more secure to use password-protected public/private keys and cache the private key’s password in memory rather than the actual user password.
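As an added example (not code from the article, GOpenVPN or OpenVPN), the following Python shows the exchange a GUI such as GOpenVPN has with the management interface when the management, management-hold and management-signal options described above are in use: answer the ENTER PASSWORD: prompt, read the >INFO: greeting, set aside asynchronous >HOLD: messages, send hold release, and query state. The ScriptedServer class is a constructed stand-in that replies the way the real interface does, so the example runs offline; its reply strings, the port, the password and the addresses are placeholders, and connect_and_release performs the same steps against a real socket.

```python
"""Client side of the OpenVPN management interface text protocol.

Added example; not code from the article, GOpenVPN or OpenVPN. ScriptedServer
is a constructed stand-in for the real interface so the example runs offline;
port, password and addresses are placeholders.
"""
import socket

PROMPT = b"ENTER PASSWORD:"  # sent without a newline when a password file is set


class ManagementClient:
    """Speaks the line protocol: one command per line; a reply is either a single
    'SUCCESS: ...'/'ERROR: ...' line or data lines terminated by 'END'.
    Lines starting with '>' are asynchronous real-time messages."""

    def __init__(self, sock):
        self.sock, self.buf, self.events = sock, b"", []

    def _fill(self):
        chunk = self.sock.recv(4096)
        if not chunk:
            raise ConnectionError("management interface closed the connection")
        self.buf += chunk

    def _read_line(self):
        while b"\n" not in self.buf:
            self._fill()
        line, _, self.buf = self.buf.partition(b"\n")
        return line.rstrip(b"\r").decode()

    def login(self, password):
        """Answer the password prompt (if any) and return the >INFO: greeting."""
        while len(self.buf) < len(PROMPT):
            self._fill()
        if self.buf.startswith(PROMPT):
            self.buf = self.buf[len(PROMPT):]
            self.sock.sendall(password.encode() + b"\n")
            reply = self._read_line()
            if not reply.startswith("SUCCESS:"):
                raise PermissionError(reply)
        banner = self._read_line()
        if not banner.startswith(">INFO:"):
            raise ValueError("unexpected greeting: %r" % banner)
        return banner

    def command(self, cmd):
        """Send one command; return (ok, lines). '>' messages go to self.events."""
        self.sock.sendall(cmd.encode() + b"\n")
        lines = []
        while True:
            line = self._read_line()
            if line.startswith(">"):
                self.events.append(line)
            elif line.startswith(("SUCCESS:", "ERROR:")):
                return line.startswith("SUCCESS:"), [line]
            elif line == "END":
                return True, lines
            else:
                lines.append(line)


class ScriptedServer:
    """Constructed stand-in for the management interface (not OpenVPN code).
    It has the sendall/recv shape of a socket and answers like the real one."""

    def __init__(self, password):
        self.password, self.authed, self.held = password, False, True
        self.inbox, self.outbox = b"", PROMPT

    def sendall(self, data):
        self.inbox += data
        while b"\n" in self.inbox:
            line, _, self.inbox = self.inbox.partition(b"\n")
            self.outbox += self._reply(line.rstrip(b"\r").decode())

    def recv(self, n):
        out, self.outbox = self.outbox[:n], self.outbox[n:]
        return out

    def _reply(self, line):
        if not self.authed:
            if line != self.password:
                return b"ERROR: bad password\r\n"
            self.authed = True
            return (b"SUCCESS: password is correct\r\n"
                    b">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\r\n"
                    b">HOLD:Waiting for hold release\r\n")  # emitted because management-hold is set
        if line == "hold release":
            self.held = False
            return b"SUCCESS: hold release succeeded\r\n"
        if line == "state":  # constructed state line: time,state,description,local ip,remote ip
            state = ("1700000000,CONNECTED,SUCCESS,10.8.0.2,203.0.113.10" if not self.held
                     else "1700000000,CONNECTING,,,")
            return state.encode() + b"\r\nEND\r\n"
        if line.startswith("signal "):
            return ("SUCCESS: signal %s thrown\r\n" % line[7:]).encode()
        return b"ERROR: unknown command, enter 'help' for more options\r\n"


def connect_and_release(sock, password):
    """The startup sequence a GUI performs: authenticate, release the hold, read state."""
    client = ManagementClient(sock)
    banner = client.login(password)
    released, _ = client.command("hold release")
    _, state = client.command("state")
    return banner, released, state, client.events


if __name__ == "__main__":
    # Offline run against the scripted stand-in. Against a real OpenVPN started with
    # 'management 127.0.0.1 7505 /etc/openvpn/mgmt.pw' (placeholder port/file) use:
    #   with socket.create_connection(("127.0.0.1", 7505)) as s:
    #       print(connect_and_release(s, password))
    print(connect_and_release(ScriptedServer("placeholder-password"), "placeholder-password"))
```

Closing the socket at the end of connect_and_release is what triggers management-signal: OpenVPN receives SIGUSR1 when the management client disconnects, which is why a GUI that merely loses its management connection can tear down the tunnel.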