First things first, why not IPSEC you ask? Long story short, most IPSEC implementations suck. However, directly contrary to that statement, I will be using OpenBSD in this article, and OpenBSD has a truly excellent IPSEC implementation. So, why not use IPSEC? Because *most* IPSEC implementations suck! If both ends of our VPN were OpenBSD, or professional-level homogeneous hardware solutions, then IPSEC could be ideal. Secure, high-speed, reliable, you name it - when IPSEC is done right it can be extremely powerful.

However, for remote access for employees, we need to assume the worst case, the worst case being Windows. Windows XP has an IPSEC implementation, I mean, in theory. In reality it is so craptacular that almost everyone uses either the SafeNet client or the Cisco client; both are quite good, and neither is free. To be more specific, Cisco’s client is technically free, but only in combination with purchase of their hardware, which is significantly less free.

Enter OpenVPN, a free, open source, SSL based VPN solution for nearly any OS you can think of, and, of particular import to this discussion, one with a very good Windows client and a very good OpenBSD server. If you have any history with VPNs, then SSL may set off alarm bells for you as there are a number of crappy web-based SSL VPN solutions around. Don’t be worried, OpenVPN is NOT web based.

Here are the basics:

  • OpenVPN is an SSL VPN, again, please note that SSL != WEB BASED
  • It works similarly to IPSEC, but is not compatible with it, as the cumbersome IKE key exchange is replaced with SSL/TLS
  • Supports two-factor authentication (HIPAA compliance requirement)
  • Relatively easy to install and manage
  • It plays well with OpenBSD (ported at /usr/ports/net/openvpn)
  • The Windows client GUI is solid and easy to use

Note: I love OpenBSD. I prefer to use it for any internet facing server unless there is a compelling reason not to, hence the ability to play well with OpenBSD was a requirement for me.

Installation is a breeze: cd into /usr/ports/net/openvpn, run make install, and you’re done.

Initial configuration is covered thoroughly in the very clear Official HOW-TO, but here are the basics:

# mkdir -p /etc/openvpn/keys
# cp -r /usr/local/share/examples/openvpn/easy-rsa /etc/openvpn
# chown -R root:wheel /etc/openvpn
# chmod 700 /etc/openvpn/keys
# cd /etc/openvpn/easy-rsa
# . ./vars
# ./clean-all
# ./build-ca
# ./build-key-server server
# ./build-key client1
# ./build-key client2 etc.
# ./build-dh
# /usr/local/sbin/openvpn --genkey --secret ta.key
# cd keys
# mv ca.crt dh1024.pem server.crt server.key ta.key /etc/openvpn/keys
# chmod 644 /etc/openvpn/keys/{ca.crt,dh1024.pem,server.crt}
# chmod 600 /etc/openvpn/keys/{server.key,ta.key} 

ca.crt, ta.key, and each client’s .crt and .key should now be ready for secure distribution to your clients.

Next, we create the server configuration file /etc/openvpn/server.conf:

daemon openvpn
writepid /var/openvpn/pid
status /var/openvpn/status 10
log-append /var/openvpn/openvpn.log
local YOUR_IP
port 1194
proto udp
dev tun0

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem

server 10.8.0.0 255.255.0.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS YOUR_DNS_SERVER"
push "dhcp-option WINS YOUR_WINS_SERVER"
push "redirect-gateway def1"
push "inactive 1800"

ifconfig-pool-persist /var/openvpn/ipp.txt
keepalive 10 120
inactive 1800
tls-auth /etc/openvpn/keys/ta.key 0
cipher BF-CBC
max-clients 8
user _openvpn
group _openvpn
persist-key
persist-tun
verb 6
mute 20
comp-lzo
tmp-dir /tmp
chroot /var/empty

replay-window 256
mssfix 1260
;fragment 1260

;Uncomment below if you are using openvpn-auth for two-factor authentication
;auth-user-pass-verify ./openvpn-auth via-file
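Before launching the server it is worth checking the configuration the way a reviewer would: that every file the ca, cert, key, dh and tls-auth directives name actually exists, that server.key and ta.key are not group- or world-readable, and that tmp-dir is reachable from inside the chroot. That last point matters because OpenVPN chroots after initialisation, and anything that runs per client afterwards, such as auth-user-pass-verify with its via-file temp file, resolves paths under the chroot directory; with chroot /var/empty and tmp-dir /tmp, the directory /var/empty/tmp has to exist once the auth-user-pass-verify line is uncommented. The script below is an added example written for this article, not code from the article or from the OpenVPN project. It builds a constructed scratch copy of the key layout above (placeholder files, not real keys) to check against; the function names and the findings it reports are its own.

```shell
#!/bin/sh
# Added example: preflight checks for an OpenVPN server.conf.
# Not part of the original article or of the OpenVPN project.
# Usage: . ./preflight.sh; openvpn_preflight /etc/openvpn/server.conf
# Each check prints one line per finding on stderr and the count on stdout.

# Value of the first occurrence of a single-valued directive. Lines commented
# with ';' or '#' never match because their first field is not the bare key.
conf_get() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Check 1: every file-backed directive must point at an existing file.
check_files_exist() {
    n=0
    for d in ca cert key dh tls-auth; do
        f=$(conf_get "$1" "$d")
        if [ -z "$f" ]; then continue; fi
        if [ ! -f "$f" ]; then
            echo "missing file for '$d': $f" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Check 2: private material (key, tls-auth) must be readable by owner only.
check_key_perms() {
    n=0
    for d in key tls-auth; do
        f=$(conf_get "$1" "$d")
        if [ ! -f "$f" ]; then continue; fi
        # POSIX find: -perm -040 / -004 match group-read / other-read bits set
        if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
            echo "'$d' file $f is readable by group or others" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Check 3: after the chroot, tmp-dir is resolved as <chroot><tmp-dir>, so that
# directory must exist or auth-user-pass-verify via-file will fail.
check_chroot_tmpdir() {
    root=$(conf_get "$1" chroot)
    tmp=$(conf_get "$1" tmp-dir)
    if [ -n "$root" ] && [ -n "$tmp" ] && [ ! -d "$root$tmp" ]; then
        echo "tmp-dir $tmp does not exist inside chroot $root" >&2
        echo 1
    else
        echo 0
    fi
}

# Total number of findings across all checks (0 means ready to launch).
openvpn_preflight() {
    a=$(check_files_exist "$1")
    b=$(check_key_perms "$1")
    c=$(check_chroot_tmpdir "$1")
    echo $((a + b + c))
}

# Constructed fixture: a scratch directory mirroring the article's layout,
# with placeholder files instead of real keys. Prints the path of the conf.
make_demo_conf() {
    base=$(mktemp -d)
    mkdir -p "$base/keys" "$base/empty"
    for f in ca.crt server.crt server.key ta.key; do
        echo "placeholder $f (not a real key)" > "$base/keys/$f"
    done
    chmod 644 "$base/keys/ca.crt" "$base/keys/server.crt"
    chmod 644 "$base/keys/server.key"   # deliberately wrong, should be 600
    chmod 600 "$base/keys/ta.key"
    cat > "$base/server.conf" <<EOF
ca $base/keys/ca.crt
cert $base/keys/server.crt
key $base/keys/server.key
dh $base/keys/dh1024.pem
tls-auth $base/keys/ta.key 0
tmp-dir /tmp
chroot $base/empty
;auth-user-pass-verify ./openvpn-auth via-file
EOF
    echo "$base/server.conf"
}

# Stand-alone run: 3 findings expected (dh file missing, server.key 644,
# tmp-dir absent from the chroot).
demo=$(make_demo_conf)
echo "preflight findings: $(openvpn_preflight "$demo")"
```

Run it against the real /etc/openvpn/server.conf after the key steps above and before the first launch; a non-zero count points at the exact directive to fix, which is faster than reading verb 6 output from a daemon that refused to start.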

Now we create the _openvpn user and group, the /var/openvpn directory, and the tunnel interface:

# groupadd -g 500 _openvpn
# useradd -u 500 -g 500 -c 'OpenVPN Server' -s /sbin/nologin -d /var/openvpn -m _openvpn
# echo 'link0 up' > /etc/hostname.tun0
# sh /etc/netstart tun0

We are now ready to try our OpenVPN server; launch it with:

/usr/local/sbin/openvpn /etc/openvpn/server.conf

Check /var/log/daemon and /var/openvpn/openvpn.log for errors, then add the following to /etc/rc.local so that OpenVPN starts on boot:

if [ -x /usr/local/sbin/openvpn ]; then
    /usr/local/sbin/openvpn --config /etc/openvpn/server.conf
fi
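Once the daemon is up, the status /var/openvpn/status 10 line in the configuration gives you a file, rewritten every 10 seconds, that lists who is connected; with max-clients 8 and a small set of certificates issued by build-key, that file is the cheapest place to notice a full pool or a common name you never issued. The script below is an added example written for this article, not code from the article or from the OpenVPN project. It parses the version 1 status format (the CLIENT LIST section between the column header and the ROUTING TABLE marker) and checks it against a constructed sample status file; the function names, the sample addresses and the client names are its own.

```shell
#!/bin/sh
# Added example: turn OpenVPN's status file into monitoring checks.
# Not part of the original article or of the OpenVPN project.
# Usage: . ./vpnstatus.sh; status_clients /var/openvpn/status

# Print "common_name real_address" for every connected client. In the
# version 1 status format the client list sits between the line starting
# "Common Name,Real Address" and the line "ROUTING TABLE".
status_clients() {
    awk -F, '
        /^ROUTING TABLE/            { inlist = 0 }
        inlist                      { print $1 " " $2 }
        /^Common Name,Real Address/ { inlist = 1 }
    ' "$1"
}

# Number of connected clients (0 when nobody is connected).
status_client_count() {
    status_clients "$1" | wc -l | tr -d ' '
}

# Print every connected common name that is not in the list of names you
# issued with build-key; anything printed is a certificate you did not expect.
status_unknown_clients() {
    f="$1"; shift
    status_clients "$f" | while read -r cn addr; do
        known=0
        for k in "$@"; do
            if [ "$cn" = "$k" ]; then known=1; fi
        done
        if [ "$known" -eq 0 ]; then echo "$cn"; fi
    done
}

# Exit 0 when the connected count has reached the max-clients limit.
status_at_capacity() {
    [ "$(status_client_count "$1")" -ge "$2" ]
}

# Constructed sample status file: three connected clients, one of which
# (laptop-old) was never issued by the build-key steps. Prints its path.
make_demo_status() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2009
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.5:52104,12345,67890,Thu Jun 18 08:00:01 2009
client2,198.51.100.7:40211,2048,4096,Thu Jun 18 08:05:30 2009
laptop-old,192.0.2.9:61000,512,1024,Thu Jun 18 08:10:00 2009
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,203.0.113.5:52104,Thu Jun 18 08:12:10 2009
10.8.0.10,client2,198.51.100.7:40211,Thu Jun 18 08:12:12 2009
10.8.0.14,laptop-old,192.0.2.9:61000,Thu Jun 18 08:12:14 2009
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
    echo "$f"
}

# Stand-alone run against the sample: 3 connected, laptop-old unknown.
demo=$(make_demo_status)
echo "connected clients: $(status_client_count "$demo") (max-clients 8)"
echo "unknown common names: $(status_unknown_clients "$demo" client1 client2)"
```

Pointed at /var/openvpn/status from cron, status_unknown_clients with the list of names you actually ran build-key for is a simple check that the client files you distributed have not ended up somewhere they should not be, and status_at_capacity with the value of max-clients tells you when legitimate users are about to be turned away.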

The server should now be ready, so we just need a client, which we will cover in part two of this series.