Virtual private networks (VPN) are obviously the most secure solution for allowing mobile employees to access the corporate network from outside the premises. But because VPNs are easily broken by network address translation (NAT) or stifled by restrictive ACL rules, they pose interesting challenges to enterprise network administration policy and procedure in terms of configuration, implementation and usage.
IPsec-derived VPN solutions can be confusing to inexperienced administrators; they are difficult to configure because so many parameters are involved. Worse yet, IPsec operates in kernel mode, an excellent leverage point for potential attackers.
Enter OpenVPN. OpenVPN's key advantages lie in its simplified security architecture, modular network design and cross-platform compatibility. Because OpenVPN is derived from SSL/TLS, it works with virtually every firewall. It is globally accessible through an Internet connection and an HTTPS-capable Web browser. Virtual tunnel/tap (tun/tap) devices do the heavy lifting, which makes this software less complex and more flexible than kernel-based IPsec components. This architecture also provides cross-platform capability; OpenVPN can run on platforms from BSD (FreeBSD, NetBSD, OpenBSD) and Mac OS X to Linux and Windows.
The tun/tap framework also means that all remote traffic negotiated through an OpenVPN tunnel can be recognized and handled at the company firewall and subsequently shaped by internal quality-of-service policies. On the server side, OpenVPN provides proxy support for TCP and UDP tunnels and even multiple inbound connections to a single port. OpenVPN also operates in both Layer 2 bridging and Layer 3 routing modes, so it can handle otherwise non-routable protocols such as NETBIOS.
OpenVPN is scalable; it permits creation of numerous endpoints through scripted interactions that work with push/pull options. This lets central servers quickly configure remote computers in a way that is completely transparent to end users. Furthermore, NAT traversal and flexible dynamic IP allocation support enables OpenVPN to cope with constantly changing client addresses with minimal interruption to ongoing communications. As a result, quick reconnect times are yet another key benefit of the OpenVPN framework.
OpenVPN's ultra portable framework means it is compatible with numerous operating systems, including Windows. Its front-end client can be specially packaged to install and operate without administrative privileges using a client configuration file that's fewer than 20 lines long (shown in a text block following this paragraph). This lightweight, portable, cross-platform SSL/TLS solution is ideal for on-the-go administrators, executives, mobile service technicians and any enterprise employees that need remote access to internal company resources.
Example OpenVPN client-side configuration:
client proto udp dev tun remote vpn.world-accessible-server.com 3030 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert my-example.crt key my-example.key comp-lzo verb 2
This tip originally appeared on SearchOpenSource.com.
About the authors:
Justin Korelc is a longtime Linux hacker and system administrator who concentrates on hardware and software security, virtualization and high-performance Linux systems. Ed Tittel is a full-time freelance writer based in Austin, Tex., who specializes in markup languages, information security, networking and IT certification. Both Justin and Ed have contributed to books on Home Theater PCs and the Linux-based MythTV environment, and they write regularly about Linux for various TomsHardware sites.