Beginner's Guide to OpenVPN: Everything You Need To Know
Updated: Jan 16
Prerequisites:
You will need the following to complete this tutorial:
A Compute Engine (VM) instance up and running with OpenVPN Access Server.
Install OpenVPN Access Server on Compute Engine
Setup your own OpenVPN Access Server in Google Cloud Platform
The following post explains how to install Access Server in Compute Engine:
How to Setup OpenVPN-AS in Ubuntu 20.04 - Google Cloud (GCP).
An Overview of OpenVPN
Introduction
In today's society, the Internet is as common as any other public service. When a person buys a house or moves into a new apartment, or a business moves into a new location, the first utility on the list to be purchased is Internet service, followed by power, heat, trash, and sometimes (though unlikely) a landline or telephone service. It's even possible to argue that the current qualifier isn't required. With programmes like One Laptop per Child and efforts from companies like Facebook and Google, so-called third-world countries now have access to the Internet despite the lack of running water, sewerage, or even telephone lines.
When a service reaches a large scale with a large number of users, it becomes vital at some point to secure and protect the data transmitted across that network. In most gatherings, particularly dense crowds, there is a malicious element attempting to take advantage of those who are less knowledgeable. Virtual Private Networks (VPNs) were developed in response to a growing demand for secure communication across an otherwise vulnerable infrastructure.
Intelligence has long been a target of governments. Methods and procedures have been gradually improved and tuned over thousands of years to protect sensitive information from attackers and other inquisitive eyes. Originally, wax-sealed letters delivered by trusted individuals meant that you and the recipient could be confident that a message had arrived safely and undamaged. As time and technology progressed, intercepting those messages, reading or altering them, and sending them on their way grew easier.
What is a virtual private network (VPN)?
Simply defined, a VPN enables an administrator to establish a "local" network between numerous machines on different network segments. Those machines may be on the same LAN, they may be separated by the wider Internet, or they may be connected via a variety of media such as wireless uplinks, satellite, dial-up networking, and so on. The P in VPN refers to the additional security that is used to keep that virtual network private. Network traffic travelling through a VPN is frequently referred to as being "within the (VPN) tunnel," as opposed to all other traffic that is "outside the tunnel."
The following diagram depicts network traffic as it typically travels across numerous network segments and the general Internet. Along this path the traffic is relatively open to examination and analysis. Although protected protocols like HTTPS and SSH are less vulnerable, they are still traceable: an attacker monitoring network traffic can determine what type of connection is made from which computer to which server.
Without VPN
With OpenVPN Access Server
Within a VPN, traffic can be anything that would be sent over a local or wide-area network: web traffic, e-mail, text, images, and so on. The following are some examples of applications:
Automated Teller Machines (ATMs): ATMs may use a VPN to connect to banking networks more securely.
Open / Free Wi-Fi: With the spread of free or open wireless networks, ordinary consumers can use a VPN to protect their whole Internet surfing session.
Corporate networks: VPNs can be used by corporations and other organizations to connect several office locations or even entire data centres.
Types of VPNs
There are a variety of VPN products on the market, both commercial and open source. Almost all of these VPN products may be divided into four categories:
PPTP-protocol based VPNs
IPSec-protocol based VPNs
SSL-based VPNs
OpenVPN
Some argue that OpenVPN is also an SSL-based VPN because it establishes a secure connection using an SSL or TLS-like protocol.
Point-to-Point
The Point-to-Point Tunneling Protocol (PPTP), developed by Microsoft and Ascend in 1999, is one of the oldest VPN technologies. Nowadays, the PPTP protocol is regarded as fundamentally insecure, because the strength of the connection's security is directly proportional to the strength of the authentication mechanism used (for example, the password). As a result, a weak password results in an insecure VPN connection. Most PPTP configurations encrypt passwords using the MS-CHAPv2 protocol, which is fundamentally flawed. The security of the PPTP protocol, including the Microsoft MS-CHAPv2 extensions, is covered in an article available at
http://people.eecs.berkeley.edu/~daw/papers/pptpv2.pdf
IPSec
The IPSec standard is the official IEEE/IETF IP security standard. It introduces the concept of security policies, which makes it incredibly versatile and powerful while also being infamously difficult to implement and troubleshoot. An administrator can encrypt traffic between two endpoints based on a variety of criteria, including the source and destination IP addresses as well as the source and destination TCP or UDP ports. IPSec has two modes of operation: tunnelling mode and transport mode. Configuring it, however, requires obscure commands and adjustments to the security policies.
SSL-based VPNs
SSL-based VPNs, which are built on the SSL/TLS protocol, are the most commonly used VPNs at present. This is the primary reason OpenVPN is listed here as a separate VPN type. There is no well-defined standard for SSL-based VPNs, but the majority of them employ the SSL/TLS protocol to establish and secure the connection. Despite the fact that SSL-based VPNs are frequently referred to as web-based or client-less, many providers add a browser plugin or ActiveX component to "enhance" the VPN connection. As a result, the VPN is incompatible with unsupported browsers and operating systems.
OpenVPN
Because it employs the SSL/TLS protocol to protect the connection, OpenVPN is frequently referred to as an SSL-based VPN. Furthermore, OpenVPN employs a virtual network adapter (a tun or tap device) as the interface between the OpenVPN process and the operating system. Although the OpenVPN protocol is not described in an RFC standard, it is publicly available because OpenVPN is open source software. The control channel is encrypted and secured with SSL/TLS, whilst the data channel is encrypted with OpenVPN's own encryption protocol. The default protocol and port for OpenVPN are UDP and 1194.
History of OpenVPN
OpenVPN was created by James Yonan and first released as Version 0.90 under the GPL in 2001.
Better TLS support, replay protection, and portability to various operating systems were among the OpenVPN 1.x enhancements.
Prior to Version 1.1.1, the tun device had to be configured manually outside of OpenVPN.
The incorporation of OpenSSL was a major stumbling block.
OpenVPN 2.0 has made significant progress since the 1.x releases.
Multiclient server instances, enhanced threading, and a better Windows tun/tap adapter were all included in version 2.0.
OpenVPN packages
On the Internet, there are various OpenVPN packages to choose from:
OpenVPN's open source or community edition
OpenVPN Access Server, OpenVPN Inc.'s closed-source commercial product.
OpenVPN mobile platform versions for both Android and iOS (part of the code is closed-source, as a requirement of Apple).
The open source (community) edition
Open source versions of OpenVPN are made available with each release. The community builds binary packages for a variety of systems, including 32-bit and 64-bit Windows clients. The download options that are currently available can be found at http://openvpn.net/index.php/download/communitydownloads.html. Some operating system package maintainers monitor development and provide snapshot releases. If you want to use the most up-to-date version of OpenVPN, check with your package maintainer first. Otherwise, you may always compile from source. The OpenVPN community edition can function as both a VPN server and a VPN client.
The commercial Access Server
Access Server is a commercial version of OpenVPN offered by OpenVPN Technologies, Inc. In comparison to the open source project, Access Server provides a wide array of capabilities and deployment options that may be appealing to some enterprises. The client software that ships with it is mainly compatible only with OpenVPN Access Server. The community version of OpenVPN can also be used as a client for an OpenVPN Access Server.
OpenVPN Connect
OpenVPN Technologies, Inc. offers a unique OpenVPN Connect Client for mobile devices such as iPhones/iPads and Android devices. Because of the nature of Apple's NDA, the source for OpenVPN Connect is now unavailable and cannot be published publicly.
The iOS OpenVPN Connect client is available for free download from the Apple App Store. There are a few Android clients built by developers, but the officially supported version is Arne Schwabe's OpenVPN for Android.
One significant advantage of OpenVPN Connect is that it works with both the open-source OpenVPN community version and the closed-source OpenVPN Access Server.
Quick tour
Take a look at the Admin Web UI, Client UI, and OpenVPN Connect in action.
Administrator Web User Interface:

Client Web User Interface:

OpenVPN Connect Interface:

Step - 1: OpenVPN Access Server Administrator Web User Interface Status
The status section explains how to utilise the Admin Web UI to get server status, a configuration overview, and the number of currently connected users. There are instructions for querying the log database and viewing log reports.
Status Overview
The Status Overview section shows whether the VPN server is currently on or off. If it's turned on, you may stop the OpenVPN daemons by clicking Stop the Server. If the server is not running, you may start the OpenVPN daemons by clicking Start the Server.
Active Configuration
The Active Configuration area of the Admin Web UI displays several key configuration options that are controlled in the configuration and authentication sections.
Current Users
The Current Users section provides information about actively connected users in the following columns:

Log results
The log query's results are displayed below the search and filter fields, with information in the columns below:

Step - 2: OpenVPN Access Server Configuration
Activation Key

When OpenVPN Access Server is used without any software licence, it enables two connections by default. This allows you to get a free trial of the product.
You can also generate a subscription key via the Access Server website, which likewise includes two free connections. The benefit of enabling this is that you can easily change the number of connections permitted on a subscribed OpenVPN Access Server by modifying the subscription from the Access Server website.
Clustering Mode
In version 2.7.3, OpenVPN added the clustering capability to Access Server. Clustering is a high-availability technique that distributes the load of VPN connections and data exchanges among numerous servers. Multiple Access Servers, or nodes, are used in a cluster to serve active connections for VPN clients.
Please see this page for further information on the Cluster functionality and how to configure it.
TLS Settings
TLS Settings lets you change the TLS settings for both the OpenVPN protocol (tunnel) and the Access Server web server. When Access Server is installed, the SSL library used is OpenSSL.
TLS Settings allows you to adjust the minimum TLS protocol version used by both the OpenVPN tunnel and the Web Server. It's a simple interface, so the VPN server and the Web Server do not have to be configured with their minimum protocol versions separately.
Network Settings
On the Server Network Settings page you may alter the hostname, protocol, daemons, and port numbers for the three network servers that make up Access Server: the VPN Server, the Admin Web UI, and the Client Web Server.
Hostname - VPN clients will use this name or IP address to connect to the VPN Server. It must be a fully qualified domain name (FQDN) or a public IP address.
Protocol - Protocol choices include TCP, UDP, and Both (multi-daemon mode). The OpenVPN protocol works best over UDP alone. The downloaded Access Server connection profiles are configured to try UDP first, then TCP if that fails. Some networks restrict certain traffic, in which case TCP or Both may be required.
Network Settings offers a simple interface for configuring the VPN server settings as well as the website settings for the Admin and Client servers. It's a basic page that shows how much easier it is to configure Access Server this way than by specifying these parameters manually.
VPN Settings
The VPN Settings interface allows you to change how Access Server handles routing. You may define VPN IP subnets, adjust routing parameters, and provide DNS server settings for clients. Because the options on this page are global, a setting can be disabled globally yet still be enabled at the user and group levels.
VPN IP network - When a VPN client connects to your Access Server, it is assigned a unique IP address from the virtual VPN IP network. The Dynamic IP Address Network pool is used for this.
Routing - This is where you specify whether connected users have access to server-side resources, whether all traffic is routed through the VPN, and whether clients can access network services via the VPN gateway IP address.
DNS Settings - In the DNS section you can leave the client's DNS settings alone, use the Access Server host's DNS settings, or provide particular DNS server IP addresses. If you choose Yes for "Should client Internet traffic be routed through the VPN?", clients must use the same DNS servers as the Access Server host.
VPN Settings allows for simple configuration of routing. These are all global settings and therefore not absolute: where the same options are specified in the user or group settings, those take precedence.
Advanced VPN
Advanced VPN gives you more options for customising how the Access Server handles routing. Consider it an extension of VPN Settings Configuration.
Inter-Client Communication - This option defines whether or not users may communicate with one another.
Multiple Sessions per User - This option defines whether a single user can connect to the server several times at once. Each such connection is counted as a distinct concurrent user for purposes of user limits. Regardless of this option, a user with a static IP address cannot have multiple concurrent VPN connections.
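The VPN Settings and Advanced VPN options above correspond to directives in a community-edition OpenVPN server configuration (a minimum TLS version, a pushed redirect-gateway, pushed DNS, client-to-client and duplicate-cn). The following added example, written for this guide and not code from the page or from OpenVPN Inc., parses such a configuration and reports the points an administrator would review; the sample configuration is constructed.

```python
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample server config (not a real deployment). The lines mirror
# the Admin Web UI options: tls-version-min = TLS Settings, pushed
# redirect-gateway = Routing, client-to-client = Inter-Client Communication,
# duplicate-cn = Multiple Sessions per User.
SAMPLE_SERVER_CONF = """\
dev tun
server 10.8.0.0 255.255.255.0
tls-version-min 1.2
push "redirect-gateway def1"
client-to-client
duplicate-cn
"""

@dataclass
class ServerSettings:
    tls_min: Optional[str] = None            # None means OpenVPN's default applies
    redirect_all: bool = False               # all client traffic sent via the VPN
    dns: List[str] = field(default_factory=list)  # DNS servers pushed to clients
    client_to_client: bool = False
    duplicate_cn: bool = False

def parse_server_conf(text: str) -> ServerSettings:
    s = ServerSettings()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        tokens = shlex.split(line)
        name, args = tokens[0].lower(), tokens[1:]
        if name == "push" and args:
            # a pushed option is a quoted directive; parse it like a local one
            tokens = args[0].split()
            name, args = tokens[0].lower(), tokens[1:]
        if name == "tls-version-min" and args:
            s.tls_min = args[0]
        elif name == "redirect-gateway":
            s.redirect_all = True
        elif name == "dhcp-option" and len(args) >= 2 and args[0].upper() == "DNS":
            s.dns.append(args[1])
        elif name == "client-to-client":
            s.client_to_client = True
        elif name == "duplicate-cn":
            s.duplicate_cn = True
    return s

def audit(s: ServerSettings) -> List[str]:
    findings = []
    if s.tls_min is None or s.tls_min < "1.2":
        findings.append("tls-version-min is absent or below 1.2")
    if s.redirect_all and not s.dns:
        findings.append("all client traffic is redirected but no DNS server is pushed")
    if s.client_to_client:
        findings.append("client-to-client lets VPN clients reach one another")
    if s.duplicate_cn:
        findings.append("duplicate-cn lets one credential hold several sessions")
    return findings
```

The last two findings are informational, since both options are legitimate choices; the DNS finding matches the rule stated above that clients whose Internet traffic is routed through the VPN must be given DNS servers.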
Web Server

Web Server Configuration gives you access to general information about SSL web server certificates and keys, as well as the ability to upload CA bundle files, certificates, and keys, and to validate selected certificates and keys.
It allows you to customise your Access Server's certificate settings. You can view details of the certificate bundle, upload your own certificate, and revert to the previous certificate.
CWS Settings
CWS Settings allows you to customise how users interact with the web server. Certain features may be configured, such as blocking access to administration, allowing only specified OpenVPN user interfaces to access the web server, or changing globally how users update their own passwords.
Configure XML-RPC/REST API - You may use the settings in this area to block people from using the API or to enable them to do so.
Customize Client Web Server UI - You may manage the choices users see on the CWS using these setting options. Restriction can be applied to any of the available downloads/profiles. For example, if you don't want users to be able to download their own profiles, you can disable user-locked profiles.
CWS Settings allows you to control who has access to the Client Web Server. It also allows you to customise what appears on the page when a user has successfully logged in.
Failover
Failover Settings allows the administrator to enable Access Server's built-in failover capability. This optional functionality lets you configure a secondary node alongside the primary node.
CA Management
CA Management allows you to examine and create certificate authority (CA) certificates for your Access Server. It's a new feature included in version 2.9 that lets you view details of current and previous CA certificates and, if required, issue a new one.
Step - 3: User Management
After you've installed Access Server on your server, you'll need to provide access to users. The Admin Web UI provides an administrator with a simple interface for controlling access control for your users, such as adding or removing credentials, defining permissions for sub-networks, and managing privileges.
User Permissions
User Permissions is where you configure all user settings for Local Authentication. You may change the passwords of users, assign them to groups, grant or remove admin access, and ban them from the server.
User Profiles
User Profiles allows you to browse all of your users' profiles, create and download new ones, and remove old ones.
User Profiles gives you general information on how to manage your VPN client user profiles. This area of the Admin Web UI is applicable to version 2.9 and above.
Group Permissions
Group Permissions allows you to configure Access Server Client settings at the group level. These preferences take precedence over any global setting. The group configurations are used if no user settings are provided.
User Permissions and Group Permissions are quite similar. In terms of the combinations they provide, they are practically identical.
Step - 3: Authentication
Authentication refers to the process of selecting an authentication mechanism for users.
Users can be authenticated using one of the four methods provided by Access Server. The setup requirements for each of them are different, and other parameters will need to be configured depending on the method used. Each of these methods has its own database, which stores the various user permissions and credentials.
General - You have four alternative choices for user authentication using General. For Access Server, you may establish local, PAM, RADIUS, and LDAP authentication.
PAM - This shows whether your Access Server is using Pluggable Authentication Modules (PAM), the mechanism by which users log in to the Unix host running Access Server. It has a Use PAM button that allows you to switch to PAM when it's not in use.
RADIUS - This allows you to set up RADIUS servers for user authentication and, optionally, accounting. You can pick from three different RADIUS configuration techniques, and you may set up to five RADIUS servers to function as authentication servers.
LDAP - The settings for authenticating users against an LDAP server may be configured here. If you wish to secure authentication using the restrictions specified by your LDAP server, you must establish these parameters so that Access Server can properly search for user credentials while authenticating. You may validate user credentials via LDAP using an Active Directory domain controller or another LDAP server.
Step - 3: Tools
Profiles - This allows you to select the configuration profiles to use for Access Server as well as customise the various profiles.
DB Convert - Converting from SQLite to MySQL is a function provided by Access Server to assist with the transition from the default setup to the Cluster configuration. When converting from one format to another, you have the option of maintaining your credentials. It adds to Access Server's already extensive failover capabilities.
Conclusion:
Here are some more setup options that are recommended for beginners.