VPN Design and Deploying

Tuesday, 06 February 2007
1. A few words about VPN designs

[Picture 1. Site to site VPN]

All tunnels between Headquarters and branch offices make up the VPN backbone. Another situation frequently met is Remote Access VPN. The principles are the same as in a Site to Site VPN: the VPN network is composed of different tunnels to an office (see Picture 2).

[Picture 2. Remote Access VPN Example]

Similar to the previous diagram, but with more details regarding the VPN implementation, is Picture 3.

[Picture 3. VPN Implementation Example]

For testing purposes we can replace the Internet connection with a switch, as in the next picture (Picture 4).
[Picture 4]

To implement a Site to Site VPN we will use the open source software OpenVPN.

2. Site to Site VPN with OpenVPN
----------------------------------------

2.1 Features of OpenVPN:

- it supports SSL VPN
- it supports Site to Site VPN and Remote Access VPN
- it is available on FreeBSD, Linux and Windows platforms (and also Mac OS X, NetBSD, OpenBSD, Solaris)

Some advantages of OpenVPN:

- tunnel any IP subnetwork over a single UDP or TCP port
- the OpenSSL library is used for encryption, authentication and certification
- use any cipher type or size supported by the OpenSSL library
- use static key based conventional encryption or certificate based public key encryption
- tunnel a network over NAT

Two encryption modes can be used in OpenVPN:

a) Static Key Based Encryption (Shared Key)
b) Certificate Based Public Key Encryption (PKI - Public Key Infrastructure)

It is also possible to use username/password based authentication with OpenVPN. The two setups above will be described in detail later.

2.2 Bridging or Routing setup for OpenVPN

From the network point of view, OpenVPN can be set up in two modes: bridging and routing. Bridging is a forwarding technique used in Local Area Networks (packet switched networks) that relies on broadcasting to locate network resources (the broadcasts carry the MAC addresses of network cards or devices). The bridge maintains a list of all network addresses it has learned, so future packets are forwarded using the information in that list. Keep in mind that bridging is only used in Local Area Networks (because it relies on broadcast ARP messages).

2.3 Installing OpenVPN on FreeBSD

You can install OpenVPN from packages or build it from ports.

Installing OpenVPN from packages:

```
# pkg_add -r openvpn
```

Building OpenVPN from ports:

```
# cd /usr/ports/security/openvpn
# make install
```

After we've installed OpenVPN, type rehash to be able to access the openvpn binary without restarting the shell. We've successfully installed OpenVPN.
Now we can do a loopback test for OpenVPN.

Test cryptography:

```
# openvpn --genkey --secret key
# openvpn --test-crypto --secret key
```

Test SSL/TLS negotiation:

```
# cd /usr/local/share/doc/openvpn/sample-config-files/
# openvpn --config loopback-client
# openvpn --config loopback-server
```

If you get an error like "Cannot open sample-keys/dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file", it means the certificates must be built first.

After we've installed OpenVPN under FreeBSD we will configure it as a server, and then we will configure the OpenVPN client on every station, at every location, that will connect to the server.

If we use OpenVPN behind routers with NAT we must forward OpenVPN's port on the router to the LAN machine that runs OpenVPN, keeping the same port number. OpenVPN's default port is 1194 (or 5000 for versions older than 2.0), so that port must be forwarded on the router. If we start OpenVPN on another port, the connection to that port must be forwarded from the router to the respective IP/port on the LAN.

a) Static Key Based Encryption (Shared Key)

Basically this method uses a static key shared by both endpoints of a VPN. This method is also called symmetric encryption. The shared key is generated at one endpoint and then transmitted to the other endpoint using a secure channel. If more than one tunnel is used, the key must be installed on every endpoint. The problem with this type of security implementation is that if the key is compromised, all past messages can be decrypted by the attacker. From the speed of encryption/decryption point of view, symmetric encryption algorithms are faster than asymmetric encryption algorithms. This type of security implementation can be used for automated tunnel setup. If you control both sides and don't care about being able to reissue keys or any of those issues, there's little reason not to use them.
The static key can be delivered to the endpoints for example on a USB stick, so distributing it need not be a security risk.

Static Key Based Encryption Models

- Trust Model - endpoints trust the integrity of a single shared static key
- Authentication Model - endpoints authenticate using that static key
- Encryption Model - the same key encrypts and decrypts data in both directions

The advantages of using a Static Shared Key with OpenVPN are the simple setup (you only need to create the key and share it with the other endpoint) and that there is no PKI to maintain (PKI certificates expire at some time in the future, configurable of course).

Disadvantages of using a Static Shared Key: the main disadvantage is that this type of setup is less secure than using PKI. If somebody gets your key he/she will gain access to your data. The key must be exchanged using a secure channel (which is not the case with PKI). Also, with a Static Shared Key you will have one server - one client connection, so if you need multiple VPN connections you will need to run multiple OpenVPN instances/tunnels. This is less scalable than using PKI.

Example to set up a Site to Site VPN with OpenVPN and a static shared key
---------------------------------------------------------------------------------------

To create a static key for the VPN:

```
# openvpn --genkey --secret static.key
```

Config file for the VPN Server:

```
# -------- openvpn-server.conf --------------
secret static.key
ifconfig 192.168.0.1 192.168.0.2
dev tun
# -------- end ------------------------------------
```

Config file for the VPN Client:

```
# -------- openvpn-client.conf --------------
secret static.key
ifconfig 192.168.0.2 192.168.0.1
dev tun
# -------- end ------------------------------------
```

b) Certificate Based Public Key Encryption (PKI - Public Key Infrastructure)

This is also known as asymmetric encryption: both endpoints use two keys, one private and one public. For example Endpoint 1 sends its public key to Endpoint 2, which encrypts data using this public key that belongs to Endpoint 1.
The encrypted data can be decrypted only by Endpoint 1, using Endpoint 1's private key. The same principle works for Endpoint 2, which sends its public key to Endpoint 1; Endpoint 1 will encrypt data using Endpoint 2's public key, and the data will be decrypted only by Endpoint 2 using Endpoint 2's private key. With this technology the private keys must be kept secret, and only the public keys have to be exchanged. For this purpose the SSL/TLS library will be used to encrypt data.

Both are secure. PKI is nicer because you can revoke one client and not have to rekey everyone else. Also, you don't need to give the clients private data.

Example how to set up a Site to Site VPN with Public Key Infrastructure (PKI), CA over TLS
-------------------------------------------------------------------------------------------------------------------------

This solution is flexible but not as easy to set up as the Static Shared Key solution. The public key will be accompanied by a CA - Certificate Authority - signature certificate, used to verify that the public key belongs to the person who issued the public key. There is also the notion of "Web of Trust", where the signature belongs to the user: a self signed certificate.

Certificate Based Public Key Encryption Models

- Trust Model - the integrity of the CA and of the endpoint private keys is trusted
- Authentication Model - each endpoint possesses the CA public key, which it uses to verify the public key presented by the other endpoint
- Encryption Model - PKI is used to set up the TLS channel; random session keys will be used for encryption of the tunnel

Steps to set up OpenVPN with Public Key Encryption:

1. First we will create a CA certificate for the Certificate Authority. Using this certificate we will sign and revoke client certificates.

CA (certificate authority): it is safer to store the CA somewhere other than the OpenVPN server.
Then a private/public key pair is issued:

- CA key - this is a private key used to sign certificates
- CA cert - signed by the CA, used by everyone to check CA signatures

To create a self signed CA we do:

```
# openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt
```

2. Now we will create a key and a certificate request for the client (this certificate request will later be signed using the CA key).

3. After we've created the key and certificate request for the client, we will sign the certificate request using the CA certificate. This process validates the request.

4. Send the key and certificate to the clients.

5. Set up the OpenVPN configuration files with the proper certificates and keys, then start the OpenVPN service.
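As an added example, not code from the article or from the OpenVPN project, the POSIX shell script below carries steps 1 to 3 of the PKI procedure through with the openssl command line (the article's own CA command, plus -subj and an explicit key size so it runs without prompts), writes the two static-key configs from the earlier example next to a PKI-mode client config, and audits each config for the points the text makes: static-key mode means one peer per instance and no protection of past traffic once the key leaks, a PKI config is only usable when its cert chains to the named ca, and an absent port directive means the default 1194 that has to be forwarded on a NAT router. The directory layout, the CA name Example-CA, the client name client1 and the placeholder remote vpn.example.invalid are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the article or the OpenVPN project.  Carries
# the article's PKI steps 1-3 through with the openssl CLI, writes the
# article's static-key configs beside a PKI-mode client config, and audits
# each config for the points the text makes.  Directory layout, the CA name
# "Example-CA", the client name "client1" and the remote host are assumptions.
set -eu

# directive FILE NAME : print the arguments of the first NAME line in an
# OpenVPN config (empty when the directive is absent)
directive() {
    awk -v n="$2" '$1 == n { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# build_pki DIR : steps 1-3 of the article.  ca.key stays with the CA;
# ca.crt is what each endpoint needs to verify its peer's certificate.
# stderr is silenced because it only carries key-generation progress.
build_pki() {
    mkdir -p "$1"
    # step 1: self-signed CA (the article's command, plus -subj and a key size so it runs without prompts)
    openssl req -days 3650 -nodes -new -x509 -newkey rsa:2048 -subj "/CN=Example-CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    # step 2: client key pair and certificate request (client.key never leaves the client)
    openssl req -nodes -new -newkey rsa:2048 -subj "/CN=client1" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
    # step 3: the CA signs the request, which validates it
    openssl x509 -req -days 365 -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/client.crt" 2>/dev/null
}

# write_configs DIR : the article's two static-key configs, plus a PKI client
# config that points at the files build_pki produced in the same directory
write_configs() {
    mkdir -p "$1"
    printf 'secret static.key\nifconfig 192.168.0.1 192.168.0.2\ndev tun\n' > "$1/openvpn-server.conf"
    printf 'secret static.key\nifconfig 192.168.0.2 192.168.0.1\ndev tun\n' > "$1/openvpn-client.conf"
    printf 'client\ndev tun\nremote vpn.example.invalid 1194\nca ca.crt\ncert client.crt\nkey client.key\n' \
        > "$1/pki-client.conf"
}

# ifconfig_mirrors SERVER CLIENT : true when the two ifconfig lines are mirror
# images (server "A B", client "B A"), as a static-key tun pair requires
ifconfig_mirrors() {
    s=$(directive "$1" ifconfig); c=$(directive "$2" ifconfig)
    [ -n "$s" ] && [ "$s" = "${c#* } ${c%% *}" ]
}

# audit_conf FILE : one finding per line; prints nothing when there is none
audit_conf() {
    dir=$(dirname "$1")
    if [ -n "$(directive "$1" secret)" ]; then
        echo "static key: one peer per instance, and a leaked key decrypts all past traffic"
    fi
    if [ -n "$(directive "$1" ca)" ]; then
        # PKI mode: the cert must chain to the named ca, the same check the peer
        # performs on it during the TLS handshake
        openssl verify -CAfile "$dir/$(directive "$1" ca)" "$dir/$(directive "$1" cert)" >/dev/null 2>&1 \
            || echo "pki: cert does not verify against ca"
    fi
    if [ -z "$(directive "$1" remote)" ] && [ -z "$(directive "$1" port)" ]; then
        echo "no port directive: default 1194 is used (forward it on a NAT router)"
    fi
}

# stand-alone run: build everything in a scratch directory and print the findings
demo() {
    d=$(mktemp -d)
    build_pki "$d"
    write_configs "$d"
    for f in openvpn-server.conf openvpn-client.conf pki-client.conf; do
        echo "== $f"
        audit_conf "$d/$f"
    done
    if ifconfig_mirrors "$d/openvpn-server.conf" "$d/openvpn-client.conf"; then
        echo "static-key ifconfig pair is consistent"
    fi
}
demo
```

Run it as a script and it prints the findings per config: the two static-key files each get the static-key and default-port findings, the PKI client file gets none. Replacing ca.crt with one issued by a different CA makes the audit report that the client certificate no longer verifies, which is the same rejection the peer would produce during the TLS handshake. Step 4 (delivering the files to the client) and step 5 (starting the service) are out of band and not scripted.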
Last Updated: Friday, 09 February 2007