I. Introduction
OpenVPN is a software package used to create an encrypted VPN channel. It was first written by James Yonan. OpenVPN allows the VPN it creates to authenticate peers with a public key, a digital certificate, or a user name/password.
It makes extensive use of the SSLv3/TLSv1 protocol implementation in the OpenSSL encryption library.
Currently, OpenVPN runs on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X, Windows 2000/XP/Vista/7/8/8.1, Android and iOS, and it includes many security features. It is not a Web-based VPN, and it is not compatible with IPsec or other VPN software packages.
II. Principle
The core technology of OpenVPN is the virtual NIC, followed by its implementation of the SSL protocol. Since the SSL protocol is well described elsewhere, this section focuses on the virtual network card and how it works in OpenVPN.

The virtual network card is a driver implemented with low-level network programming techniques. After installation an additional network card appears on the host, and it can be configured like any other NIC. The service program opens the virtual network card at the application layer: when application software (such as IE) sends data to the virtual network card, the service program can read that data, and when the service program writes suitable data to the virtual network card, the application software receives it. Virtual NICs are implemented in many operating systems, which is an important reason why OpenVPN is cross-platform.

In OpenVPN, when a user accesses a remote virtual address (one belonging to the address range used by the virtual network adapter, distinct from the real address), the operating system's routing mechanism delivers the data packets (in TUN mode) or data frames (in TAP mode) to the virtual network card. The service program reads the data, processes it, and sends it over the Internet through a SOCKET; the remote service program receives the data from the Internet through a SOCKET, processes it accordingly, and writes it to its own virtual NIC. The application software on the remote side then receives the data, completing one direction of the transmission; the reverse direction works the same way.
III. Encryption
OpenVPN uses the OpenSSL library to encrypt data and control information. This means that it can use any algorithms supported by OpenSSL. It provides optional packet HMAC functions to improve connection security. In addition, OpenSSL hardware acceleration can also improve its performance.
IV. Authentication
OpenVPN provides multiple authentication methods to confirm the identities of both parties, including:
Pre-shared key
Third-party certificate
Username/password combination
The pre-shared key is the easiest, but it can only be used to create point-to-point VPNs. PKI-based third-party certificates provide the most comprehensive functionality, but a separate PKI certificate system must be maintained. OpenVPN 2.0 introduced user name/password authentication, which allows the client certificate to be omitted, although a server certificate is still required for encryption.
V. Functions and ports
All communication in OpenVPN is carried over a single IP port. UDP is the default and recommended transport, and TCP is also supported. IANA (Internet Assigned Numbers Authority) has assigned OpenVPN the official port 1194. In OpenVPN 2.0 and later, each process can manage several concurrent tunnels at the same time. Because OpenVPN runs over common network protocols (TCP and UDP), it is an ideal alternative to protocols such as IPsec, especially when the ISP (Internet service provider) filters certain VPN protocols.
OpenVPN connections work well in NAT environments and through most proxy servers.
The server can "push" some network configuration information to the client, including the IP address and route settings.
OpenVPN provides two kinds of virtual network interface through the common TUN/TAP drivers: a layer-3 IP tunnel or a virtual layer-2 Ethernet; the latter can carry any type of L2 Ethernet frame. The transmitted data can be compressed with the LZO algorithm.
VI. Security
OpenVPN has many inherent security features. It runs in user space and does not need to modify the kernel or the network protocol stack. After initialization it can run inside a chroot and drop root privileges, and it uses mlockall to prevent sensitive data from being swapped to disk.
OpenVPN supports hardware cryptographic tokens such as smart cards through PKCS #11.
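The following server configuration fragment is an added example, not part of the original text, that maps the features listed in sections V and VI to their OpenVPN directives. File paths, subnets and account names are constructed placeholders.

```conf
# server.conf (constructed example; paths, subnets and names are placeholders)
port 1194                # IANA-assigned OpenVPN port
proto udp                # UDP is the default/recommended transport; "proto tcp" also works
dev tun                  # layer-3 IP tunnel ("dev tap" gives a layer-2 Ethernet interface)

# Server certificate, key, CA and DH parameters (PKI-based authentication)
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh.pem

# Optional packet HMAC on the control channel: every control packet must carry
# a valid HMAC under the shared ta.key before any TLS processing happens.
# The server uses key direction 0, clients use 1.
tls-auth /etc/openvpn/pki/ta.key 0
auth   SHA256            # HMAC algorithm protecting data-channel packets
cipher AES-256-GCM       # data-channel cipher (OpenVPN 2.4+)

# Tunnel addressing and configuration "pushed" to clients
server 10.8.0.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"

keepalive 10 120

# Security features from section VI: chroot, drop root, keep keys out of swap
user  nobody
group nogroup            # Debian-style group name; use "nobody" on Red Hat-style systems
chroot /var/empty/openvpn
mlock                    # mlockall(): never page key material out to disk
persist-key              # keep keys in memory across restarts (cannot be re-read after dropping root)
persist-tun              # keep the TUN device open across restarts (cannot be re-opened unprivileged)

# LZO compression (comp-lzo) is supported but left disabled here: compressing
# data before encryption can leak information about its content.
;comp-lzo

verb 3
```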
VII. Comparison
OpenVPN implements a layer-2 or layer-3 tunnel-based VPN.
Stunnel uses SSL to provide security protection for a TCP service on any single port.
VIII. OpenVPN with LDAP authentication
There are many OpenVPN Server deployment guides on the Internet, but they are relatively old or cover only simple setups. If you need to integrate authentication with the company's AD domain server, read on. OpenVPN offers several ways to implement LDAP authentication, and you can choose one based on your needs. They are briefly described below:
1: OpenVPN-pam-ldap
OpenVPN supports PAM authentication. Through PAM you can implement MySQL or LDAP verification. PAM verification of this kind is also used in vsftpd deployments; it is simple and reliable.
2: OpenVPN-Radius-ldap
RADIUS can also be used for LDAP authentication, but you need to deploy a RADIUS server to implement MySQL or LDAP authentication.
3: OpenVPN-auth-ldap
This should be the easiest way to have OpenVPN authenticate directly against LDAP, through a plug-in. You may need to study it carefully during the first configuration.
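As an added example (not from the original text), this is how the third approach is wired up: the plug-in line for server.conf, followed by an auth-ldap.conf that authenticates users against an AD domain controller and only admits members of one group. The host name, DNs, file paths, group name and plug-in path are placeholders.

```conf
# Part 1: additions to server.conf (constructed example)
# Load the openvpn-auth-ldap plug-in; the .so path is distribution-specific.
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf
# Clients present only user name/password (no client certificate); the server
# certificate is still required for the TLS channel.
verify-client-cert none          # OpenVPN 2.4+ (older releases: client-cert-not-required)
username-as-common-name          # log and manage sessions by LDAP user name

# Part 2: /etc/openvpn/auth-ldap.conf (openvpn-auth-ldap format)
<LDAP>
    # Active Directory domain controller; host name and bind DN are placeholders
    URL             ldap://dc1.corp.example.com
    BindDN          CN=openvpn-bind,OU=Service Accounts,DC=corp,DC=example,DC=com
    Password        BIND_ACCOUNT_PASSWORD_PLACEHOLDER
    Timeout         15
    TLSEnable       yes          # StartTLS: credentials never cross the wire in the clear
    TLSCACertFile   /etc/openvpn/pki/corp-ca.crt
</LDAP>
<Authorization>
    # %u is replaced with the user name supplied by the client.
    # The second clause excludes accounts whose ACCOUNTDISABLE bit is set.
    BaseDN          "OU=Users,DC=corp,DC=example,DC=com"
    SearchFilter    "(&(sAMAccountName=%u)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    RequireGroup    true
    <Group>
        BaseDN          "OU=Groups,DC=corp,DC=example,DC=com"
        SearchFilter    "(cn=vpn-users)"
        MemberAttribute member
    </Group>
</Authorization>
```

With RequireGroup true, a valid password alone is not enough: the user must also appear in the group's member attribute, which keeps VPN access separate from plain domain membership.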