Openvpn simple document

Source: Internet
Author: User

1. openvpn Overview
A VPN replaces expensive leased lines by building a virtual network over the open Internet; the virtual network itself provides security protection for data that crosses an insecure physical network.
OpenVPN implements a flexible VPN. Compared with IPsec-based VPNs, which are implemented by modifying the protocol stack, openvpn has the following advantages:
1. openvpn does not need to modify the protocol stack, and no special policy is needed for VPN data to traverse NAT, so the existing network layout can be kept;
2. openvpn builds the virtual network out of virtual network cards and routes, which makes configuration very convenient;
3. openvpn uses the SSL protocol to protect the virtual network, which is what makes it "private", and SSL offers a wide range of flexible security features;
4. openvpn's push mode simplifies client configuration as far as possible, so the server and client do not have to spend much effort keeping the two ends consistent.
OpenVPN is really an application that combines virtual network card devices, TCP/IP networking, routing, and SSL. The first three build the virtual network, that is, the tunnels connecting the network; SSL then secures communication on that virtual network by authenticating and encrypting tunnel traffic. Using openvpn is therefore basically a matter of configuring these four aspects.
2. openvpn parameter set and configuration instance
2.1 Parameter details
OpenVPN has many parameters, and many of them involve many details. Leaving most of the details aside, the parameters can be roughly divided into five categories; some of them exist only for configuration convenience and are combined with other parameters:
2.1.1 Virtual NIC configuration parameters:
1) --dev tunX|tapX: the NIC device used to build the virtual network, where X is the device number. On Unix/Linux it is a character device; on Windows it is a node in the device namespace. The difference between a tun device and a tap device is that the former carries layer-3 (IP) datagrams and the latter carries layer-2 (Ethernet) frames.
Note: a tap device is a layer-2 device and a tun device is a layer-3 device. Their advantages and disadvantages are as follows:
Tap features:
A) applications on such a device can carry any layer-3 datagram;
B) it builds a layer-2 network such as Ethernet, so broadcast data can pass freely across the tunnel;
C) nodes communicate without routing;
D) configuration is simple, but it lacks flexibility: the excellent features of the IP layer cannot be applied freely.
Tun features:
A) all features of the IP layer can be applied, such as routing, IP QoS and IP fragmentation/defragmentation, but only IP datagrams are supported;
B) it builds a layer-3 network, and nodes that are not in the same subnet are reached by routing;
C) there is no link layer beneath each subnet of the layer-3 virtual network (IP datagrams are emitted directly), so link-layer features cannot be applied. For example, Ethernet broadcasts cannot cross the tunnel, and therefore no gateway can be specified for this virtual network.
2) --dev-type DT: the type of the virtual NIC device; only needed when the --dev parameter cannot identify the device type.
3) --dev-node: names an arbitrary node as the virtual NIC device. The node path and name can be anything, but if it is not in tunX/tapX form, --dev-type must also be configured.
4) --lladdr HW: configures the link-layer address of the virtual NIC.
2.1.2 Network configuration parameters:
1) --local host: the IP address used locally. If you are not binding, this parameter is unnecessary; openvpn handles it by itself.
2) --remote host [port]: the IP address or host name, and the port, of the server the client connects to. Multiple entries can be configured for some redundancy; the client tries the servers in the configured order until a connection succeeds.
3) --proto p: the tunnel type, UDP or TCP. With TCP you must specify whether this end is the server or the client, whereas UDP can tell server from client by itself, so p can be udp, tcp-server or tcp-client.
Note: should the tunnel be built on TCP or UDP? The default is UDP. Any connection-oriented protocol retransmits when packets are lost, either explicitly or by automatic timeout. To avoid retransmission storms caused by unknown bandwidth or network congestion, TCP implements slow start, sliding windows and additive-increase/multiplicative-decrease. Unfortunately these mechanisms can only work at one layer of the layered model; stacking them at different layers leads to overlapping judgments, so neither layer can judge well. For example, with a TCP tunnel carrying TCP data, once a packet is lost both the end hosts and the tunnel retransmit, which causes a sudden surge of traffic that is hard to predict and hard to remedy afterwards. Unless the tunnel itself must use TCP, it is best to use UDP, so that the connection guarantee belongs to the end hosts and not to the tunnel: if the end user uses TCP, the connection is guaranteed by the user; if the end user uses UDP, the user does not care about a connection anyway. So a UDP tunnel is appropriate in both cases. If the tunnel uses TCP instead, then when the end user uses TCP the tunnel's guarantee is redundant, and when the end user uses UDP the tunnel's TCP reduces the efficiency of the user's connection and cancels out the benefit of using UDP.
4) --connect-retry n: the number of connection retries; only valid when --proto is tcp-client.
5) --connect-timeout n: the retry interval of the connection.
6) --auto-proxy:
7) --bind:
8) --nobind:
9) --link-mtu n: configures the MTU of the layer-4 link; the device MTU is set to the same value.
Note: this setting can cause puzzling problems. Essentially, because openvpn does not allow any partial data through the tunnel (even IP fragments must be handled properly), openvpn follows a fixed rule when sending and receiving socket data. The IP layer routes data to the virtual NIC; if a datagram is longer than the virtual NIC's MTU it is fragmented. If the virtual NIC MTUs at the two ends of the VPN differ, problems can arise when openvpn receives socket data, because in the general case, when openvpn calls recv/recvfrom, the len argument is always set to its own link-mtu. Suppose H1 and H2 have link-mtu values L1 and L2 with L1 > L2, and H1 sends data to H2: the data arrives incomplete at H2, so errors are unavoidable. Even if decryption yields correct data, the length mismatch makes verification fail; and even without verification, the IP datagram that openvpn writes to the virtual NIC is incomplete. It is therefore recommended not to configure link-mtu at all and to keep the default; if you must configure it, make sure both ends agree. On Linux you can confirm the above with strace, tcpdump and the openvpn source code. The specific reason for this design is unclear. Security aside (the fixed length is presumably meant to prevent active attacks), I think recv should read according to the peer's MTU, since recv and send are only an intermediate stage: data leaves the peer's virtual NIC character device, is sent, is received locally, and is written into the local virtual NIC character device. Receiving only according to the local MTU is bound to fail, as if data were truncated at the physical layer.
(If you ping the other end from one end of the tunnel while the MTUs are inconsistent and the ping packet is smaller than the MTU, the received data will still differ. However, if the two ends serve as an intermediate tunnel, data travels from host A through the tunnel's starting point TS to its end point TE and finally to host B; if the MTUs of TS and TE are smaller than those of A and B, this works without considering complicated fragmentation.) An "almost always correct" configuration is therefore to set the MTU to a large value, larger than the MTU of the known physical link: first, no error occurs; second, you need not worry about inconsistency between the two ends; third, data is sent at the maximum size rather than having the transfer rate reduced by a tunnel that is too narrow. If you do not understand the above or want to be safe, it is better to leave the MTU at its default.
10) --tun-mtu: the same note as above applies, but the difference between tun-mtu and link-mtu must be emphasized. You may configure one of the two, and only one. The reason is that they are related: tun-mtu is the MTU of the virtual NIC, link-mtu is the MTU of the link, and the two differ by a fixed length, analogous to the difference between the TCP MSS and the MTU of a physical link.
11) --shaper: limits the tunnel bandwidth. It is mainly used to implement policy-based bandwidth allocation among channels when several channels are established. If only one channel is established, that is, only one openvpn instance runs, this parameter has little significance in the current version, because a single-process, single-threaded openvpn is already slow and a speed limit is meaningless.
12) --txqueuelen: the maximum number of queued packets on the virtual NIC, that is, the queue length. The default is 100. For a VPN as slow as openvpn, 100 is enough; even a larger value does not help the user-space openvpn process.
2.1.3 Route parameters:
1) --route network [netmask] [gateway] [metric]: adds a route.
2) --max-routes n:
3) --route-gateway gw|'dhcp':
4) --route-metric m: configures the cost of the route.
5) --route-delay n [w]: a certain delay before routes are added is required. Specifically, after the connection between client and server is established, the server pushes information to the client: required items such as the virtual NIC IP address and subnet mask, other optional items, and routing information. On receiving it, the client configures the local machine, for example setting the IP address/subnet mask of the virtual NIC and adding routes. openvpn manages the virtual NIC lazily: on the server the virtual NIC object is created and initialized only when a client connects, and that initialization includes setting the IP address/subnet mask, so a route added before initialization completes fails. Some delay is therefore needed to ensure that routes are added after the virtual NIC is initialized. This option is mainly intended for systems whose virtual NIC driver is less cooperative. For example, on Windows systems based on the NDIS driver, the IP address of the virtual NIC "looks" as if it is allocated through DHCP, and DHCP allocation takes time, so the request to add a route must wait.

2.1.4 SSL and security parameters:
1) --genkey: generates a symmetric key. This parameter can only be used on its own. The key is generated so that the two openvpn ends can share it, after which the SSL handshake is no longer used for key negotiation.
2) --secret file: uses the shared symmetric key. This actually skips the SSL handshake; it is used when both parties are sure they already hold an absolutely confidential and absolutely secure symmetric key. Since the SSL handshake normally exists to guarantee exactly that, the difficulty lies in how one end delivers the key generated by --genkey to the other end, which is another big problem in itself. It can be passed in a digital envelope, or even, at some risk, sent directly in plaintext; these are not openvpn's concern. It is usually passed with scp, which is convenient and secure.
3) --reneg-XXX: this family of parameters controls renegotiation of the session key. openvpn is based on the SSL protocol, but uses it differently: the SSL protocol bundles authentication and encryption, while for openvpn the two are separated. Without authentication, key negotiation is vulnerable to man-in-the-middle attacks, which is why both IPsec-based VPNs (implemented by modifying or hooking the protocol stack) and openvpn provide an authentication mechanism. openvpn uses certificates for authentication and DH for key negotiation. DH is used rather than the alternative because the tunnel security parameters must be renegotiated at intervals (one hour by default), and DH is very efficient; it is not as time-consuming as RSA key generation (because of US export restrictions, or because the certificate contains no public key usable for encryption, a temporary RSA key pair would otherwise have to be generated during the SSL handshake). The DH parameters are transmitted in the server key exchange message.
4) --ca file: the CA certificate used to verify the peer's user certificate. The file can contain multiple certificates, that is, a certificate chain; on Unix/Linux you can use cat to append several certificates into one file.
5) --cert file: your own certificate, passed to the peer to prove your identity or to implement other access checks.
6) --key file: the private key file corresponding to the --cert parameter.
7) --cryptoapicert select-string: obtains the certificate from the Windows certificate store, so the --cert and --key parameters are no longer needed. select-string is a string that can be thought of as a "Name:Value" key-value pair. For example, for a certificate issued to an individual named "Lao Li", select-string is "SUBJ:Lao Li". This parameter is mostly used in environments where keys or certificates cannot be exported separately, such as some devices.
2.1.5 Event parameters:
1) --route-up cmd: cmd is a shell script with parameters, executed after all routes have been added.
2) --route-noexec:
3) --route-nopull: used on the client side. If --pull is configured on the client, this parameter ensures that the client does not accept routes pushed by the server.
4) --allow-pull-fqdn:
5) --ping n: pings the peer every n seconds.
6) --ping-restart n: restarts if no ping packet is received from the peer within n seconds.
7) --ping-exit n: exits if no ping packet is received from the peer within n seconds.
8) --keepalive n m: a shorthand for 5) and 6). It expands as follows:
if mode server:
    ping n
    ping-restart 2*m
    push "ping n"
    push "ping-restart m"
else:
    ping n
    ping-restart m
Note: ping/ping-restart implements a heartbeat mechanism, which behaves differently in a tunnel built on TCP and one built on UDP. A TCP tunnel is connection-oriented by itself: if the process at one end exits abnormally, the OS will send a reset packet, so keepalive is of little significance there. However, if the network cable is unplugged or the power fails, keepalive becomes necessary, because TCP had no chance to send anything beforehand; in that case the keepalive configuration of a TCP tunnel is the same as for UDP. If ping-restart is set too large, TCP has more opportunity to rely on its own timeout and retransmission mechanism to keep the connection (provided the machine comes back up or the cable is plugged in again), whereas UDP can only rely on ping-restart, otherwise it never learns that the peer has gone; and if the peer restarts within the ping-restart period, the local end never notices that the peer disconnected and restarted. Conversely, if ping/ping-restart is set too small, many ping packets appear on the network and cause many reconnections, sometimes because a ping timed out due to congestion when no reconnection was needed. The values must be weighed against factors such as the size of your network and the protocols used.
9) --persist-tun: when the connection is re-established because SIGUSR1 was received or keepalive timed out (--ping-restart), the virtual NIC device is not closed and re-opened. This parameter can affect network behaviour. For example, if the client went to sleep or standby for some reason, or the network was reset for any reason, the openvpn process is not terminated, but the VPN routes may have been deleted when the network was reset. If the virtual NIC is not re-opened, then after reconnecting to the server the routes pushed by the server are not added to the client's routing table again. The end result is that the client sees the VPN as still connected, yet actual communication is impossible because the pushed routes are missing; the only route present is the link-layer route that the protocol stack discovers automatically, which is added as soon as the virtual NIC is up. If the user does not check the routing table, or is a non-technical person who does not understand it, this problem is hard to diagnose.
10) --persist-XXX: the above describes --persist-tun and the problem it can cause, but the purpose of the parameter is not to cause problems; on the contrary, it solves a series of them. As the name implies, the persist parameters exist to "keep" something: these settings do not change when SIGUSR1 is received or the connection is reset by ping-restart. That is the meaning of this parameter family. For example, if the administrator restarts the VPN service for some reason, or keepalive times out because of network congestion, re-allocating the IP address, re-configuring routes and similar actions are unnecessary. A parameter closely related to this family is --user.
11) --client-connect cmd: when a client connects, the server executes cmd.
2.1.6 Configuration parameters of openvpn itself:
1) --nice n: sets the nice value of the VPN process, which affects its priority; the smaller the value, the higher the priority.
2) --user user: switches the UID under which openvpn runs; user is a UID. The purpose is security: once an attacker gains control of the openvpn process, there is little he can do. Giving up root privileges must be irreversible, otherwise the attacker could reverse it and the parameter would lose its meaning. Therefore, if --user is used, make sure the persist parameters are set as well, so that restarting openvpn does not need root privileges again; many operations, such as ifconfig, require root.
3) --mlock: the behaviour of this parameter depends closely on the operating system. Configuring it locks the key and other sensitive information in memory so that it is never swapped to disk. Setting efficiency aside, its security value cannot be ignored: if the key is swapped to disk it can be stolen, since an attacker only needs to read it from the swap partition. The key here is not the key file; it is the key data generated dynamically during negotiation. The key file is usually mapped into the address space rather than swapped out, and if it were swapped out, the key file itself would be insecure anyway: an attacker who controls your machine can read your disk easily. So protection of the key file depends on the security of your host, and protection of data locked in memory depends on the security of memory management, which is one level above host security. Even this can still be broken: with root privileges on many Linux systems you can read /dev/mem to dump the current memory, and what is the difference between that and reading the disk? Is dumping memory really harder than dumping the swap partition? In fact, once you have root privileges and a solid foundation, everything on the machine is under your control. (The best approach is never to export sensitive data into a "public" space; disks and memory are both reusable public spaces. The security of a public space is that everyone can access it; at best some proofs can be obtained, and the logic of joint verification is itself an extremely complex system. Therefore it is best to complete all confidential operations in a private space, as described in PKCS #11, where the only things imported into and exported from the private space are the result of an operation and a handle to it.
Just as you only need a key and a few buttons to start a car: the steering wheel does not need to know about the axle, the cylinders or the transmission.)
4) --mode m: the VPN mode, p2p or server. p2p, as the name suggests, is point-to-point: the whole virtual network has only two hosts, one of which is the server and the other the client. server mode is different: it implements a one-to-many virtual network in which multiple clients can connect to one server.
5) --topology t: a parameter added in version 2.1 that specifies the network topology; the options are net30, p2p and subnet. The net30 topology is mainly used for point-to-point networks: it assumes that server and client lie on a point-to-point link, so a point-to-point gateway must be configured and each pair of connections uses four IP addresses. That is the meaning of 30: client and server each occupy a network with a 30-bit subnet mask, leaving four IP addresses per end, but the 0 address of a subnet represents the subnet itself and address 1 represents the broadcast address, so only two are usable. Although net30 is meant for point-to-point links it can also be used on Ethernet broadcast networks; it wastes many IP addresses. The p2p topology is used in a semi-point-to-point network: the server assigns only one IP address to the client, so the client connects directly to the server instead of going through a point-to-point gateway, while the server still keeps a point-to-point gateway, similar to net30. The subnet topology completes the transition from point-to-point to a broadcast network: the server and each client use exactly one IP address, so the server and all clients form a virtual LAN based on a broadcast link (note: not a VLAN), which saves IP addresses greatly and reduces configuration difficulty.
Note: the evolution net30 -> p2p -> subnet has two meanings. The first reflects openvpn version upgrades: before 2.0, openvpn did not support multiple clients, so both p2p and C/S modes were one-to-one connections and the virtual NIC configuration was very simple; you could directly configure the peer IP address. From 2.0 onwards one openvpn server can serve multiple clients. Following the earlier idea, you would only need to configure the client's virtual NIC address to point at the server's virtual NIC address point-to-point, but that does not work on Windows, which leads to the second meaning: to be compatible with the TAP-Win32 driver, which does not support creating a point-to-point link, net30 has to be used to simulate one. For example, the client's tun address configuration is:
10.8.0.6 <--> 10.8.0.5
and the server's configuration is:
10.8.0.1 <--> 10.8.0.2
Here the .5 and .2 addresses are used to simulate point-to-point: for the client, .5 is the server, and for the server, .2 is the client. These simulated addresses are used only inside openvpn and are invisible to the outside world. In this way a virtual point-to-point link can be configured on TAP-Win32, which does not support a real point-to-point configuration, and the simulated address serves only as a route that directs data to the real server.
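As an added example (not code from the page or from the openvpn project), the net30 arithmetic above carried through with Python's ipaddress module: each client costs a whole /30 out of a constructed 10.8.0.0/24 pool, which reproduces the 10.8.0.6 <--> 10.8.0.5 pair shown for the first client, and the same pool is compared with the one-address-per-client subnet topology. The pool, the client numbering and the rule "block 0 belongs to the server" are assumptions for the illustration.

```python
import ipaddress

# Constructed pool for the illustration; the page's addresses (10.8.0.1/.2, .5/.6) live in it.
POOL = ipaddress.ip_network("10.8.0.0/24")

def net30_allocation(pool, client_index):
    """Return the /30 block and the four addresses net30 spends on one client.

    Assumed layout: block 0 (10.8.0.0/30) belongs to the server itself
    (server .1, simulated peer .2); client k gets block k+1, where the
    client address is base+2 and the simulated server-side peer is base+1.
    """
    block = list(pool.subnets(new_prefix=30))[client_index + 1]
    base = int(block.network_address)
    return {
        "block": str(block),
        "network": str(block.network_address),            # address "0" of the /30
        "peer": str(ipaddress.ip_address(base + 1)),      # what the client sees as the server
        "client": str(ipaddress.ip_address(base + 2)),    # address configured on the client NIC
        "broadcast": str(block.broadcast_address),        # last address of the /30
    }

def subnet_allocation(pool, client_index):
    """With --topology subnet every client uses exactly one address.

    Assumed layout: the server takes the first usable host, clients follow.
    """
    hosts = list(pool.hosts())  # hosts() excludes the network and broadcast addresses
    return str(hosts[client_index + 1])

def capacity(pool):
    """Number of clients each topology can serve from the same pool."""
    net30_clients = pool.num_addresses // 4 - 1     # one /30 reserved for the server
    subnet_clients = len(list(pool.hosts())) - 1     # one host address reserved for the server
    return {"net30": net30_clients, "subnet": subnet_clients}

if __name__ == "__main__":
    first = net30_allocation(POOL, 0)
    print(f"net30 client 0: {first['client']} <--> {first['peer']} (block {first['block']})")
    print(f"subnet client 0: {subnet_allocation(POOL, 0)}")
    print("clients per /24:", capacity(POOL))
```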
6) --push "option": pushes a configuration option to the peer. If the peer is to receive and apply it, the peer must configure --pull.
7) --client-to-client: enables communication between clients. It is meaningful only when --mode is server; the server, to which all clients connect, then acts as the "router" for communication between those clients.
8)
Check the openvpn man page or run --help directly; you will get a different classification of the parameters. The --help output is basically classified by openvpn facility, whereas this document classifies the parameters by openvpn behaviour.
2.2 openvpn configuration instance
OpenVPN is very simple to use, and there are two ways to use it, consistent with the *nix tradition: programs that take many command-line options usually also accept a configuration file, so when the environment is too complex, a configuration file is more convenient than the command line.
