VPNs extend company networks beyond the LAN. Using a VPN, remote workers can securely connect to a private LAN from anywhere on the Internet. The VPN tunnel is authenticated and encrypted, and because it uses the Internet, it's much less expensive than costly point-to-point dedicated network links. You're probably familiar with Microsoft's RRAS VPN solutions, as well as commercial VPNs from vendors such as Cisco Systems and Nortel Networks, but you might not be aware of an open-source program called OpenVPN that provides VPN features—along with much flexibility. At a fraction of the cost of its commercial counterparts, OpenVPN gives you many of the same features those big-name competitors provide. (OpenVPN is free, aside from the time and effort that its configuration requires.)
If you're already running a commercial VPN, you won't want to replace it with OpenVPN. But if you need to deploy a new VPN for a branch office or lab, or if you're looking for an inexpensive, secure solution for connecting to remote networks, you should definitely check out OpenVPN. Because the program runs on many different OSs, it might even provide benefit to Windows shops as an alternative to the VPN capabilities in RRAS or Microsoft Internet Security and Acceleration (ISA) Server. In this article, I walk through the basic setup of an OpenVPN client-based VPN solution and give you a peek at the product's features.
OpenVPN uses the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocol to provide some of the classic VPN security features of other network-focused VPNs based on IP Security (IPsec) or PPTP. Unlike other SSL VPNs that pride themselves on a clientless installation—in which you use your Web browser to establish an SSL VPN connection—OpenVPN requires a proprietary client. Also, OpenVPN is a peer-to-peer (P2P) application, which means that you run the same program on both endpoints of the VPN tunnel.
OpenVPN supports bridged and routing modes, both of which let you tunnel network traffic over a single UDP or TCP port of your choice. (By default, OpenVPN uses the UDP protocol and port number 1194.) Any network traffic sent to or received from a network adapter will be encapsulated into an encrypted packet and delivered to another OpenVPN tunnel endpoint, where it's decrypted and dropped onto the remote network.
Getting a basic configuration up and running is extremely easy, as you'll see. However, for more complicated deployments, the learning curve gets steeper and requires more knowledge and potential tweaking of your existing network topology than commercial VPN concentrators require. You'll definitely want to first test this tool in your lab to get comfortable with its features and evaluate whether it's right for you.
The product is released under the Open Source GNU General Public License (GPL) and runs on Windows 2000 and later, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris. Choose your platform and download the latest version from the OpenVPN Web site (http://openvpn.net). As of this printing, the latest version is OpenVPN 2.0-rc20. If you prefer a graphical interface, check out the optional OpenVPN GUI at the OpenVPN GUI Web site (http://www.nilings.se/openvpn) and follow the instructions for the simple installation process.
At its core, the OpenVPN program is a command-line application that you can also configure as a service. You can run the application with a huge number of configuration options by combining command-line switches and entries in a configuration file. (Visit the OpenVPN Man Page—http://openvpn.net/man.html—for a complete listing of all options.) Plus, you can use multiple configuration files to manage many tunnel endpoints on a single server.
Define Your Network Topology
You can use OpenVPN for site-to-site VPNs or client VPNs. The OpenVPN package is quite flexible, and the steps you take to configure it for either a site-to-site VPN or client-to-server VPN are similar. In fact, you must install the same OpenVPN application on both VPN endpoints. As I mentioned, a basic OpenVPN configuration is easy to set up, but the program gets more complicated depending on the features you enable. For example, to install and configure advanced security features, you'll need an understanding of cryptography and key management. OpenVPN supports a number of authentication mechanisms, including certificates, smart cards, and username/password credentials; however, such security measures represent one of the more complicated aspects of the program, and you'll need to have a good understanding of PKI fundamentals to implement these features. The OpenVPN Web site contains several helpful documents and sample configurations that can help you with the configuration of these options.
Configuring the Server
After you download the Windows package, copy it to the server that you want to act as your VPN server and run the installer program. A wizard walks you through the installation steps, which consist of installing OpenVPN, the OpenVPN GUI configuration program, and a tool to create a certificate request. The wizard prompts you for a variety of installation feature options, but the defaults should suffice for a basic installation. After the program is installed, you can view C:\Program Files\OpenVPN for the programs and source files.
After the installation is finished, you'll notice the addition of a network adapter—a device named TAP-Win32 Adapter V8. If you plan to configure OpenVPN in bridged mode, you'll need to manually bridge this new adapter with another network adapter already installed on the system. If you plan to set up OpenVPN in a routing configuration, Windows will recognize the device as a network adapter, complete with IP address. I discuss both configurations—bridged and routing—in a moment.
But first, let's get acquainted with the primary means of configuring OpenVPN. On the server, navigate to the OpenVPN configuration directory (by default, C:\Program Files\OpenVPN\config), copy the sample.ovpn.txt file, and rename it to any filename with the extension .ovpn (e.g., myOpenVpnConfig.ovpn). This file contains a well-annotated example of an OpenVPN configuration document. After you become familiar with how OpenVPN works, you'll be able to create your own OpenVPN configuration file that's just a few lines long.
OpenVPN works like a P2P VPN, which means that each running instance on a computer is really just another endpoint. In this example, I show you how to configure one VPN as a server that will be able to accept connections from any IP address. Open your new configuration file and look for the text
remote myremote
Because we're configuring this computer as a server, it won't be making outbound connections to a remote computer. Therefore, use a semicolon (;) to comment out this line, as follows:
; remote myremote
If you specify a remote computer address (e.g., remote 10.0.0.10), only connections from that address will be permitted. Doing so is one way to help secure a point-to-point VPN between two remote networks. However, we're configuring this endpoint as an OpenVPN VPN server, so we want to allow connections from any remote client. For this reason, we simply comment out the entire line. Later, we'll configure this VPN server as the remote computer.
By default, OpenVPN uses UDP port number 1194. If you need to change this port—for example, to use a protocol that most firewall administrators open, such as TCP 443—find the line
; port 1194
and uncomment it by removing the semicolon. Then, change it to the port number you prefer. By default, OpenVPN uses the UDP protocol, but it can also use TCP. UDP is more efficient, and it's best to use TCP only in instances when UDP doesn't work—for example, if a firewall is blocking UDP traffic. UDP doesn't have the additional overhead that TCP does, so its performance might be slightly better because headers are smaller and UDP doesn't contain the built-in packet-acknowledgment checking that TCP offers. However, OpenVPN encrypts the original TCP packets that include error checking and retransmission support, so overall reliability isn't affected.
Next, choose whether to use the dev tap or dev tun network protocols. If you want to use OpenVPN's bridged mode, you must choose dev tap. In this example, we're configuring a Windows-to-Windows connection and demonstrating a bridged configuration, so we'll configure OpenVPN to use the dev tap network protocol. In your configuration file, confirm the entry
dev tap
Next, configure the connection's authentication security. For more secure connections, configure TLS along with its own certificate/key pair on both endpoints. In this example, we'll use a static key to configure the VPN connection, but refer to the sidebar "Encryption Modes," http://www.windowsitpro.com/windowssecurity, InstantDoc ID 45946, for other encryption features of OpenVPN. Only other OpenVPN connections with this same static key will be able to connect to our server.
From Start, All Programs, OpenVPN, click Generate a static OpenVPN key. This action launches a simple console program that creates a key and copies it to C:\Program Files\OpenVPN\config\key.txt. Anyone who obtains this static key will be able to connect to your OpenVPN endpoint, so keep the key safe. This functionality is similar to the way you would configure a wireless Access Point (AP) with a static key. Although a static key might be adequate for using OpenVPN to connect two remote networks, if you set up a multiclient OpenVPN server endpoint, you'll probably choose to implement stronger user authentication, such as certificates.
Next, confirm that the OpenVPN configuration file includes the Secret command, followed by the name of the key file, as follows:
secret key.txt
If you copied the OpenVPN sample .ovpn configuration file, you won't need to change this secret command because it's included as the default.
Finally, it's useful to include the following two commands in your configuration file:
verb 4
mute 10
The Verb command specifies the verbosity of the OpenVPN logging, and you can choose a value from 0 to 11. A setting of 0 means that no output will be displayed except for fatal errors, and a setting of 11 displays a lot of debugging data. Typically, a setting of 4 is sufficient for most users. The Mute command squelches multiple error or status messages. This command is useful if a client repeatedly connects and fails and you don't want to see your log fill up with copies of the same message. A Mute setting of 10 means that OpenVPN will display a maximum of 10 instances of the same message and squelch the rest.
Configuring the Client
The OpenVPN installation process for the client is similar to that of the server. Install the same OpenVPN software and create an .ovpn configuration file. The settings should match the settings you made on the server, with just a few exceptions. Using a secure medium such as a floppy disk, copy the static key that you created on your server (key.txt) to the client (e.g., to C:\Program Files\OpenVPN\config).
A sample client configuration for an OpenVPN client using the default protocol UDP and port number 1194 might look like
remote 10.0.0.2
dev tap
ifconfig 192.168.0.100 255.255.255.0
secret key.txt
verb 4
mute 10
This configuration identifies the remote VPN server that the client will connect to, specifies the network protocol as dev tap, and sets the client IP address OpenVPN should use. This configuration also sets the Secret, Verb, and Mute options. The client IP address will vary depending on whether you configure OpenVPN in bridged mode or routing mode. In bridged mode, set this address to an IP address on your local area network.
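The server file built up in the preceding section and the client file above must agree on everything except remote and ifconfig. The following checker, an added example that is not part of the article or of the OpenVPN project, parses two .ovpn files with the same comment rules the article uses (a line starting with ; or # is ignored) and reports the mismatches that most often keep a static-key pair from connecting. The two embedded configurations are constructed to mirror the article's settings.

```python
# Constructed sample configs that mirror the article's static-key setup.
SERVER_OVPN = """\
; remote myremote
; port 1194
dev tap
secret key.txt
verb 4
mute 10
"""

CLIENT_OVPN = """\
remote 10.0.0.2
dev tap
ifconfig 192.168.0.100 255.255.255.0
secret key.txt
verb 4
mute 10
"""

def parse_ovpn(text):
    """Map each directive to its argument list; ';' or '#' lines are comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':
            continue
        parts = line.split()
        cfg[parts[0]] = parts[1:]
    return cfg

def check_pair(server, client):
    """Return the problems found when pairing a server and a client config."""
    problems = []
    if 'remote' in server:
        problems.append("server must not set 'remote': it only accepts connections")
    if 'remote' not in client:
        problems.append("client must set 'remote' to the server's address")
    if 'secret' not in server or 'secret' not in client:
        problems.append("static-key mode needs 'secret <keyfile>' on both endpoints")
    # 'proto' and 'port' fall back to OpenVPN's defaults (UDP 1194) when absent.
    for key, default in (('dev', None), ('proto', ['udp']), ('port', ['1194'])):
        s, c = server.get(key, default), client.get(key, default)
        if s is None or s != c:
            problems.append(f"'{key}' must match: server={s} client={c}")
    # In bridged mode the client's ifconfig gives it an address on the LAN.
    if client.get('dev') == ['tap'] and 'ifconfig' not in client:
        problems.append("client in 'dev tap' mode needs an 'ifconfig' line")
    return problems
```

Run check_pair on the parsed server and client files before starting either endpoint; an empty list means the pair is consistent.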
Bridged or Routing?
So far, we've configured the OpenVPN server and client. But we're not done yet. We need to make some additional configuration changes depending on whether you want to run OpenVPN in bridged or routing mode. Each mode has benefits depending on your needs. When you bridge two networks, all objects in both networks appear to be a part of a single subnet. Therefore, applications that rely on broadcasts will work across the VPN tunnel. However, more traffic must also travel through the VPN tunnel, making communications slower. Bridged is the easier method to set up because you don't need to worry about configuring new network routes to ensure that all the computers on either side of the VPN can communicate with one another. However, with bridged mode, you'll have less segregation between your LAN and your incoming VPN clients (or network) than with routing mode.
Ultimately, your choice will depend on the level of manageability you require. If you're looking for quick, easy access to your home or small network, or if you'll be the only one using the VPN, bridged's ease of configuration will appeal to you. But if you want to deploy OpenVPN as a VPN concentrator for multiple users, routing will give you more network flexibility.
Let's walk through a bridged-mode example. Bridged mode works by creating a bridge between the OpenVPN TAP-Win32 Adapter V8 and the VPN server's local LAN adapter. In this mode, any network traffic on either adapter will appear as if both network adapters are connected to the same subnet. In this mode, the bridged adapter will have one IP address. Bridging the adapters occurs in Windows rather than in the OpenVPN configuration file.
After you install the OpenVPN software, open the Control Panel Network Connections applet. While pressing the Ctrl key, select both your LAN network adapter and the OpenVPN TAP-Win32 adapter. With both adapters selected, right-click one of the adapters and select Bridge Connections in the resulting context menu. In a moment, you'll see a new bridged network-adapter object. This object behaves like a network adapter and, by default, the system will configure it with a DHCP IP address. You can create multiple VPN endpoints on a single computer by adding more than one OpenVPN TAP-Win32 adapter. If you want to bridge these, you add them to the bridge by accessing the Network Bridge's Properties and selecting the additional adapters.
If you're running OpenVPN on a multihomed computer—for example, a PC with both inside (private network) and outside (public Internet) interfaces—be careful not to bridge your external network adapter. Be sure to bridge only your internal (private) network adapter with the OpenVPN TAP-Win32 adapter, and be sure to use a firewall or other device to protect the outside interface from attack. That's all you need to do to configure your server to run OpenVPN in bridged mode. You don't need to make any changes on your servers.
After you customize the configuration files on both the server and the client, save them and start the OpenVPN program, first on the server. From the system tray, start OpenVPN by right-clicking the OpenVPN icon and clicking Connect. The resulting OpenVPN dialog box will display a number of status messages. If the connection is successful, the icon will turn yellow and the program will begin waiting for new connections. To start the OpenVPN connection from a command prompt, type
Next, connect the client by repeating the above steps, as Figure 1 shows. The icon will turn green when a successful connection is established, and you'll see the message in Figure 2. Once you're connected, you should be able to access any network-based application on the remote network—for example, you can test the connection by pinging a server on the remote network from the client. You have now configured your free, open-source VPN.
Right for You?
OpenVPN is reliable and resilient to network outages. If your network connection is interrupted while you have a VPN connected, OpenVPN does a good job of automatically reconnecting after the network connection is restored.
For basic installations, such as the one this article describes, OpenVPN lets you create a VPN tunnel quickly, without a lot of additional resources. The learning curve gets steeper with more advanced configurations—for example, if you require user-based authentication, VPN address pool allocation, or multiple tunnels behind a Network Address Translation (NAT) based firewall. OpenVPN supports these options but requires a deeper understanding of OpenVPN's nuances. For such scenarios, commercial VPNs tend to be easier to set up simply because they typically offer an online interface and technical support to assist with advanced features.
Commercial VPNs have also dropped quite a bit in price: You can purchase a commercial VPN concentrator for just a few thousand dollars that can support hundreds of users. Plus, the UDP- or TCP-based VPN solves many of the VPN firewall incompatibilities that plagued early versions of IPsec tunnels. OpenVPN isn't for everyone; midsized to large companies will find solace in continuing to run commercial VPN products. However, for labs or small offices for which purchase cost is a large factor and configuration requirements aren't generally as sophisticated, OpenVPN provides a terrific solution at an unbeatable price.