CentOS6.6OpenVPN server combined with AD domain authentication

Source: Internet
Author: User
Tags openssl library domain server
I. INTRODUCTION to OpenVPN is a software package used to create a VPC encrypted channel. it was first written by JamesYonan. OpenVPN allows the created VPN to use a public key, digital certificate, or user name/password for authentication. It uses a large number of SSLv3/TLSv1 protocol libraries in the OpenSSL encryption library. Currently, OpenVPN can be used in Solaris, Linux, OpenBSD, FreeBSD, NetB, and OpenVPN

OpenVPN is a software package used to create a VPC encrypted channel. it was first written by James Yonan. OpenVPN allows the created VPN to use a public key, digital certificate, or user name/password for authentication.

It uses a large number of SSLv3/TLSv1 protocol libraries in the OpenSSL encryption library.

Currently, OpenVPN can run on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X, Windows 2000/XP/Vista/7/8/8.1, and Android and iOS, it also includes many security features. It is not a Web-based VPN software, and is not compatible with IPsec and other VPN software packages.

II. principle the core technology of OpenVpn is the virtual Nic, followed by the implementation of the SSL protocol. as the SSL protocol is clearly described in other terms, here we will focus on the introduction of the virtual network card and its working mechanism in OpenVpn: the virtual network card is a driver software implemented using the underlying programming technology of the network. after installation, an additional network card appears on the host, it can be configured like other NICs. The service program can open the virtual network card at the application layer. if the application software (such as IE) sends data to the virtual network card, the service program can read the data, if the service program writes appropriate data to the virtual network card, the application software can also receive the data. Virtual NICs are implemented in many operating systems, which is also an important reason for OpenVpn to be cross-platform. In OpenVpn, if a user accesses a remote virtual address (belonging to the address series used by the virtual network adapter, different from the real address), the operating system uses the routing mechanism to route the data packets (in TUN mode) or the data frame (TAP mode) is sent to the virtual network card. after the service program receives the data and processes the data, it submits the data from the Internet through the SOCKET, the remote service program receives data from the Internet through a SOCKET and sends the data to the virtual Nic after corresponding processing. then, the application software can receive the data and complete one-way transmission, and vice versa. III. Encryption

OpenVPN uses the OpenSSL library to encrypt data and control information. This means that it can use any algorithms supported by OpenSSL. It provides optional packet HMAC functions to improve connection security. In addition, OpenSSL hardware acceleration can also improve its performance.

IV. authentication OpenVPN provides multiple authentication methods to confirm the identities of both parties, including:

Pre-exclusive private key

Third-party certificate

Username/password combination

The pre-access key is the easiest, but it can only be used to create point-to-point VPNs. PKI-based third-party certificates provide the most comprehensive functions, but an additional PKI certificate system needs to be maintained. OpenVPN2.0 introduces a user name/password combination authentication method, which can omit the client certificate, but still requires a server certificate for encryption.

V. Functions and ports

All communication in OpenVPN is based on a single IP port. by default, UDP protocol communication is recommended and TCP is also supported. IANA (Internet Assigned Numbers Authority) specifies the official Port 1194 for OpenVPN. In OpenVPN 2.0 and later versions, each process can manage several concurrent tunnels at the same time. OpenVPN uses the features of common network protocols (TCP and UDP) to make it an ideal alternative to protocols such as IPsec, especially when the ISP (Internet service provider) filters certain VPN protocols.

OpenVPN connections can work well in NAT environments through most proxy servers.

The server can "push" some network configuration information to the client, including the IP address and route settings.

OpenVPN provides two virtual network interfaces: common Tun/Tap drivers, which allow you to create a layer-3 IP tunnel or a virtual layer-2 Ethernet, the latter can transmit any type of L2 Ethernet data. The transmitted data can be compressed using the LZO algorithm.

VI. security

OpenVPN has many inherent security features: it runs in the user space and does not need to modify the kernel and network protocol stack. after the initial operation, it runs in the chroot mode and gives up the root permission; use mlockall to prevent the exchange of sensitive data to the disk.

OpenVPN supports hardware-encrypted identifiers such as smart cards through PKCS #11.

VII. Comparison

OpenVPN: implements two/three-layer tunnel-based VPN.

Stunnel, which uses SSL to provide security protection for TCP services on any single port.

8. OpenVPN implements LDAP authentication

There are too many OpenVPN Server deployments on the Internet, but they are relatively old or relatively simple methods. if you need to implement Association authentication with the company's AD domain server, you may need to continue reading. OpenVPN provides many methods to implement LDAP authentication. you can choose one based on your needs. let's briefly describe the following:

1: OpenVPN-pam-ldap

Openvpn supports pam authentication. With pam, you can implement mysql or ldap verification. this pam verification can be implemented during Vsftpd deployment, which is simple and reliable.

2: OpenVPN-Radius-ldap

Radius can also be used for ldap authentication. However, you need to deploy the Radius server to implement mysql or ldap authentication.

3: OpenVPN-auth-ldap

This should be the easiest way to implement OpenVPN using ldap authentication directly through a plug-in. during the first configuration, you may need to study it carefully.

 

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.