VPN (Virtual Private Network) is an acronym used to designate the encrypted tunnel between two devices over an unsecured network, typically Internet.
The VPN will group together the two local networks behind the VPN devices and thus will create a unique private network.
The word "VPN" can be used for site-to-site as well as client-to-server secure links. As a reminder, we will use OpenVPN to create site-to-Site VPNs.
To be considered as secure a VPN must respect the following key concepts:
Confidentiality or privacy:
The data cannot be seen in a readable format.
Typical symmetric cipher algorithm: DES, 3DES, AES, Blowfish
The data cannot be altered.
Typical hash-functions algorithms: sha1, md5
The VPN gateways are sure about the identity of the other.
Typical algorithm: RSA, DH
The picture below provides the status of a packet state when travelling inside the LAN and the VPN.
OpenVPN uses a free and open source version of SSL called OpenSSL for the encryption and authentication tasks. OpenSSL is a toolkit composed of the:
- SSL library.
- Crypto library.
- Command line tool.
The cryptography library implements a wide range of cryptographic algorithms such as:
- Symmetric algorithms: Blowfish, DES, 3DES, AES, etc...
- Certificates: x509
- Hash function: HMAC, MD5
Top of the page Key concepts Menu
IPSEC - SSL COMPARISON:
The goal of SSL and IPSec is the same: create VPNs and thus encrypt traffic between two devices with the same algorithms. But as you will see, the way to accomplish this task is very different.
Of course, IPSec and SSL are not compatible.
Let's look first at a basic SSL-IPSec comparison table.
4346 (TLS 1.1)
Between Transport and Application Layers
Let's give some more explanations about the comparison table:
IPSec is a layer 3 protocol. In order to be implemented it will require a modification to the IP stack in the IPSec device kernel space. Because of this kernel related change, each operating system (i.e.: Cisco, Windows, Nortel, Linux, etc.) needs its own implementation of IPSec.
OpenVPN will behave much more like a standard application. It is implemented in the user space and thus has the advantage to be much more secure and portable.
Secure because in the IPSec case when the software is closely linked with the kernel, an application crash can damage the kernel and thus the entire system. No problem with OpenVPN because it is completely separated from the kernel. Another thing to underline concerning security is that, in case of software hacking, with IPSec the pirate will get kernel access, in other words the root access. With OpenVPN, a specific user will run the application with limited rights only.
Portable because OpenVPN can be installed on virtually any platform and this will therefore spare you time because you will have always the same software to configure.
A very common problem with IPSec is the need to change firewall rules to permit the protocol and the address translation (NAT) processing but even this has been partially solved by the NAT Traversal protocol.
Read details about problems associated with Using IPSec over NAT.
With OpenVPN, you just need to open a TCP or UDP port on a Firewall if it is not already open. OpenVPN can even work through proxy servers meaning that no firewall changes at all!
As the IP Layer is not modified by SSL, there is no problem with the NAT protocol.
Building a site-to-site SSL tunnel is much simpler than under IPSec. The complexity of the IPSec configurations leads often to security holes or missed configurations even when built by a network administrator. Furthermore, the IPSec configurations are always different for each manufacturer, whereas with SSL and OpenVPN, the configurations are very similar on any system.
The big advantage of IPSec remains that it can virtually be used on any manufacturers supporting its RFC. For example, it is normally possible to establish a VPN between a Cisco and a Nortel router. Normally, because the time has shown that even if the different manufacturers are supposed to respect the IPSec standards, it remains sometimes compatibility problems.
With OpenVPN it is, of course, not possible to install the software on the major manufacturers such as Cisco, Checkpoint, Juniper or Nortel.
SSL has now progressed very quickly in the client-to-server VPN segment compared to IPSec and will progressively replace it in the future.
In the site-to-site VPN segment, this is different because, as explained immedialely above, there are for the moment no standardized papers (RFCs) to create site-to site SSL VPNs on closed code manufacturers such as Cisco. As the big majority of site-to-site VPNs are created on closed code devices, IPSec remains for the moment king in this sector
IPSec can be composed by one of the following layer 3 protocols or both of them: ESP (IP protocol 50, RFC 2406), AH (IP protocol 51, RFC 2402). ESP can be used for integrity and confidentiality and AH for integrity only.
Two protocols are closely linked with IPSec: ISAKMP (RFC 2408) and IKE (RFC 2409).
ISAKMP (Internet Security Association and Key Management Protocol) is used to establish security associations and IKE (Internet Key Exchange) for automatic key exchange management via the UDP port 500. OpenVPN - Preshared or static keys
The preshared keys OpenVPN mode is easier to implement than the SSL/TLS mode but with the following disadvantages:
- The shared secret is not renewed.
- The shared secret has be transported on the two peers.
- The VPN peers are not authenticated.
You can create a preshared key very easily with OpenVPN on any platform. Once you have created a preshared key, you have to copy it onto the other OpenVPN peer.
You should transmit it only via a secure media like SSH or physically with a floppy disk or an USB key.
To create a key, proceed as follows:
##openvpn --genkey --secret /home/user/key.txt
Let's open the key file we have just created:
The OpenVPN key is composed by hexadecimal characters and divided into four parts.
The first part is used as a key to cipher the data, the second for the hash algorithm key. By default the key to cipher and decipher the data are similar, the principle being the same for the Hash algorithm.
The third and fourth part of the OpenVPN key is used in case you want different cipher (1st part) and decipher (3rd part) keys and different keys to hash the outgoing (2nd part) or incoming (4th part) data.
Do not confuse the OpenVPN key which is composed of 512 hexadecimal characters with the keys used by the cipher and hash function algorithm to secure the OpenVPN tunnel which are composed by hexadecimal characters inside the OpenVPN key.
By default, the blowfish encryption algorithm is used with a 128 bits keys (cipher and decipher), 160 bits being used for the hash algorithm (outgoing and incoming data).
Each hexadecimal character represents 4 bits of the key meaning, that 128 and 160 bits will represent respectively (128/4) 32 and (160/4) 40 hexadecimal characters.
In our example (default setting), the hexadecimal characters used for the keys are displayed in the red squares above.
The characters not used for the keys can be different on the two OpenVPN key files.
Examples with OpenVPN in preshared keys can be found in the case studies.