simple secure and flexible vpn solution for home and
play

Simple, Secure and Flexible VPN solution for home and business me - PowerPoint PPT Presentation

Aug 20, 2023 •180 likes •576 views

Simple, Secure and Flexible VPN solution for home and business me Romain Bourgue IT Security and open source fan Works for the french Civil Service since 2003 romain.bourgue@gmail.com Summary VPN solutions : multiple choices

  1. Simple, Secure and Flexible VPN solution for home and business

  2. me ● Romain Bourgue ● IT Security and open source fan ● Works for the french Civil Service since 2003 ● romain.bourgue@gmail.com

  3. Summary ● VPN solutions : multiple choices for multiple situations ● OpenVPN ● « Once upon a time... » - Few tales and demos featuring OpenVPN ● Want more ? Need help ?

  4. Summary ● VPN solutions : multiple choices for multiple situations ● Quick reminder about secure VPN ● IPsec based solutions ● SSL based solutions ● Commercial fake SSL “ VPN “ ● OpenVPN ● « Once upon a time... » - Few tales and demos featuring OpenVPN ● Want more ? Need help ?

  5. VPN solutions overview Quick reminder about secure VPNs ● Main objective : ● securely encapsulates data between 2 or more networked devices not on the same private network. ● Responsible for : ● Authenticate (both ways) ● Insure data integrity ● Encrypt/Decrypt ● Encapsulate/”decapsulate” ● Lots of solutions, very few compatibilty

  6. VPN Solutions Ipsec based solutions ● IPSec pros : ● Widely supported ● Interoperability is achievable for lan-to-lan connectivity ● IPsec cons : ● Specific protocols AH, ESP ● No automatic negotiation ● Difficult to open in firewalls ● Bad NAT support ● IPsec in itself is not enough for VPN roadwarriors : Needs specific implementations

  7. VPN Solutions Ipsec based solutions ● Specific Implementations ● Vendor specific implementation for endusers : Cisco VPN Client, Checkpoint Secure Client, Juniper IPSec Client... ● MS PPP/L2TP/IPsec : natively supported in Windows OS and devices ● Still good for : LAN-to-LAN in heterogeneous situations

  8. VPN Solutions SSL/TLS based VPN ● Uses SSL/TLS security for authentication, key negociation and session renegociation ● Data encapsulation is still specific. ● Implementations ● Clientless : ActiveX or Java applet based SSL/TLS VPN (transport through loopback listening sockets) ● Client based commercial solution : Cisco, Juniper, Connectra ● Openssh, Openvpn ● Good for : Securing endusers connection (roadwarriors, wifi, admin networks...)

  9. VPN Solution Commercial fake SSL VPN ● Commercially called SSL VPN... they are just https servers with : ● Reverse proxy to serve internal web ressources ● Web interfaces to add functionnality : VNC/RDP for remote administration, WebMail, Web access to windows shares...

  10. Summary ● VPN solutions : multiple choices for multiple situations ● OpenVPN ● Quick facts ● In-depth presentation ● Few more things ● Performances ● Configuration basis ● Plugability & Hooks for fun and creativity ● « Once upon a time... » - Few tales and demos featuring OpenVPN ● Want more ? Need help ?

  11. Open VPN Quick facts ● Created for personal use by James Yonan ● Dual license : – Community edition : GPL v2 – Commercial edition. Adds a distribution server and Client and Management GUI ● Version history – May 2001 : v0.9 first release – .... – Dec 2009 : v2.1.1 ● Roadmap for v3.0 : Become a generic network stack with modules for everything... ● Available in : Linux, Solaris, *BSD, Windows (XP to 7 and Mobile), MAC OS, Android, Iphone...

  12. OpenVPN in-depth Architecture ● Case study : simple VPN connection

  13. OpenVPN in-depth Architecture ● Case study : simple VPN connection

  14. OpenVPN in-depth Architecture

  15. OpenVPN in-depth Architecture OpenVPN software Runs in user space. Same software in client or server mode. Only the config file differs.

  16. OpenVPN in-depth Architecture

  17. OpenVPN in-depth Architecture Tun/Tap device : Virtual interface plugged to a character device. Applications in user space can read and write IP packet (tun) or ethernet frames (tap) to this interface

  18. OpenVPN in-depth Architecture

  19. OpenVPN in-depth Architecture

  20. OpenVPN in-depth

  21. OpenVPN in-depth Transport ● OpenVPN tunnels can be transported over TCP or UDP ● With TCP transport, TCP data are tunneled over TCP . Congestion controls are runnning twice and badly interract when congestion occurs ● Still, TCP 443 might be your only way out ● HTTP proxy is also supported

  22. OpenVPN in-depth Multiplexer & Reliability ● Packets and frames transport need unreliability but SSL/TLS stuff does... ● The reliability layer provides it (only in UDP mode). ● An optional pre-openSSL HMAC (pre shared key) can be added at this layer

  23. OpenVPN in-depth 1 – Authentication & key gen ● 2 authentication modes supported : ● Static pre-shared key (doesn't scale well...) ● SSL/TLS with certificates for authentication and keys negotiation (preferred) ● easyca provided for simple PKI certificate generation ● Provides keys for encryption & HMAC validation

  24. OpenVPN in-depth Data encryption ● Data Encryption/decryption is made by standard OpenSSL EVP interface with the negociated keys. ● HMAC validation is also made with OpenSSL EVP ● An optional pre-OpenSSL HMAC header can be added.

  25. OpenVPN in-depth Encapsulation ● Packets are read/written from the tuntap device ● The MSS is adjusted by OpenVPN request to avoid fragmentation

  26. Summary ● VPN solutions : multiple choices for multiple situations ● OpenVPN ● Quick facts ● In-depth presentation ● Few more things ● Performances ● Configuration basis ● Plugability & Hooks for fun and creativity ● « Once upon a time... » - Few tales and demos featuring OpenVPN ● Want more ? Need help ?

  27. Few more things ● Authentication – Can also be : ● Without client certificate ● and/or login password validated with user script (pam, ldap, OTP, db...) – Dual factor PKCS11 and MS cryptoapi supported ● Clients management : – OpenVPN server acts as a DHCP server. DHCP options supported. – IP pool management with sticky address – Routes can be pushed from server ● LB & FailOver : – Natively supported in client config file

  28. Hardening OpenVPN ● Tls-auth : A simple but efficient HMAC A shared static key is used to add an integrity header to vpn packets. If the HMAC is false : packet drooped. Prevent bruteforce, tempering, libssl exploitation. ● root privilege dropping ● After init ● With sudo for iproute ● In chrooted environment

  29. Performances ● Due to heavy kernel space/user space data transferts, OpenVPN performances are not as good as Ipsec's Source : http://stuff.skoberne.net/IPSec_and_OpenVPN_Performance.pdf

  30. Using OpenVPN : configuration basis ● Installing and running openvpn on linux ● (apt-get|yum|urpmi|...) install openvpn ● /etc/openvpn/ for config file(s) ● /etc/init.d/openvpn start [configfile] ● Configuration ● 2 modes : commands args and/or config file

  31. Plugability & Hooks for fun and creativity Client and server side user defined scripts can be easily called on multiple events : ● Tunnel up/down ● Certificate verification ● Login/password verification ● Client authenticated ( server side) ● Remote IP address change ● Route up ( client side) ● Client disconnected ● New route/MAC address added to the server Lots of environment variables are set before calling the scripts. Telnet management interface

  32. Summary ● VPN solutions : multiple choices for multiple situations ● OpenVPN ● « Once upon a time... » - Few tales and demos featuring OpenVPN ● Tale I : “Home sweet home : The Simple 4 Lines Config“ ● Tale II : “Escaping the evil proxy“ ● Tale III : “The OpenVPN server, the CAS WebSSO, and the brave firewall“ ● Want more ? Need help ?

  33. Tale I : “Home sweet home : The Simple 4 Lines Config“ ● Goal : configure a host-to-host connection for accessing your home network (192.168.1.0/24) anywhere. ● Static key generation : openvpn --genkey --secret static.key ● Server config : dev tun ifconfig 10.1.0.1 10.1.0.2 secret static.key ● Client config : remote serveraddress dev tun ifconfig 10.1.0.2 10.1.0.1 secret static.key route 192.168.1.0 255.255.255.0

  34. Tale II : “Escaping the evil proxy“ ● Objective : transport your VPN over an http proxy and route everything to it ● Change to tcp mode : proto tcp ● And just add this to the client configuration : http-proxy [proxyaddress] [proxyport]

  35. Tale III : OpenVPN with CAS sso authentication ● Objective : Using scripts capabilities of openvpn, delegate authentication on a CAS web SSO server ● Ingredients : ● A CAS Web SSO server ● A firewall ● A gatekeeper : web application relying on CAS SSO ● An OpenVPN server ● A client ● Few scripts

  36. Tale III : OpenVPN conf ● Connection to openVPN is made without authentication : --certificate-free. ● --ha-mac is used to prevent total strangers ● User's VPN IP is blocked by a firewall ● An application relying on cas authentication allow the IP address on the firewall upon successful SSO authentication. ● An action script is triggered when client disconnects to clear the IP on the firewall

  37. Summary ● VPN solutions : multiple choices for multiple situations ● OpenVPN ● « Once upon a time... » - Few tales and demos featuring OpenVPN ● Want more ? Need help ?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Protecting Yourself from Burglary: Simple Steps You Can Take To Secure Your Home, and Your Loved

Protecting Yourself from Burglary: Simple Steps You Can Take To Secure Your Home, and Your Loved

Protecting Yourself from Burglary: Simple Steps You Can Take To Secure Your Home, and Your Loved Ones Presented by the Burlington Police Department For the majority of burglaries in Burlington, entry is gained by the use of unlocked doors or

870 views • 21 slides
Aadhaar Based Payment Services - A Simple , Secure and User friendly Mode of Payment Solution

Aadhaar Based Payment Services - A Simple , Secure and User friendly Mode of Payment Solution

Aadhaar Based Payment Services - A Simple , Secure and User friendly Mode of Payment Solution Two variants of Aadhaar based Payment Services Distribution of Electronic Benefit transfer ( crediting the bank accounts of the beneficiaries

387 views • 12 slides
Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message Transmission Schemes Yvo Desmedt 1 , 2 Stelios Erotokritou 1 Reihaneh Safavi-Naini 3 1 Department of Computer Science University College London, UK 2

459 views • 33 slides
WireGuard zswu Computer Center, CS, NCTU WireGuard Introduction Simple and fast VPN solution

WireGuard zswu Computer Center, CS, NCTU WireGuard Introduction Simple and fast VPN solution

WireGuard zswu Computer Center, CS, NCTU WireGuard Introduction Simple and fast VPN solution Low overhead Deep integration with Linux kernel Over UDP Peer to Peer Secure Built-in Roaming Connections keep alive even

490 views • 18 slides
The Chemomentum Chemomentum Data Services Data Services The A flexible solution for data

The Chemomentum Chemomentum Data Services Data Services The A flexible solution for data

IST-5-033437 The Chemomentum Chemomentum Data Services Data Services The A flexible solution for data handling in UNICORE A flexible solution for data handling in UNICORE Katharina Rasch, Robert Schne, Hartmut Mix - Technische Universitt

354 views • 24 slides
BEHAVIOR @ HOME Simple Behavior Strategies Simple strategies that can make a big difference!

BEHAVIOR @ HOME Simple Behavior Strategies Simple strategies that can make a big difference!

BEHAVIOR @ HOME Simple Behavior Strategies Simple strategies that can make a big difference! Presented by Michelle Heid, MA, BCBA Hosted by Family Focus Resource Center Simple Behavior Strategies Proactive strategies Reminders Choices

794 views • 25 slides
Main principles of secure OS

Main principles of secure OS

Main principles of secure OS Trusted Flexible Secure Versatile modular Internet security

490 views • 26 slides
Advanced Tools from Modern Cryptography Lecture 12 MPC: UC-secure OT UC-Secure OT UC-secure

Advanced Tools from Modern Cryptography Lecture 12 MPC: UC-secure OT UC-Secure OT UC-secure

Advanced Tools from Modern Cryptography Lecture 12 MPC: UC-secure OT UC-Secure OT UC-secure OT is impossible (even against PPT adversaries) in the plain model (i.e., without the help of another functionality) But possible from simple

527 views • 16 slides
CryptoManiac: A Fast Flexible Architecture for Secure Communication Lisa Wu, Chris Weaver, and

CryptoManiac: A Fast Flexible Architecture for Secure Communication Lisa Wu, Chris Weaver, and

CryptoManiac: A Fast Flexible Architecture for Secure Communication Lisa Wu, Chris Weaver, and Todd Austin Presented by Dan Amelang Background Rise of the Internet created demand for fast and efficient cryptographic processing

309 views • 14 slides
Secure and flexible boot with U-Boot bootloader Marek Va sut < marex@denx.de > October

Secure and flexible boot with U-Boot bootloader Marek Va sut < marex@denx.de > October

Secure and flexible boot with U-Boot bootloader Marek Va sut < marex@denx.de > October 15, 2014 Marek Va sut < marex@denx.de > Secure and flexible boot with U-Boot bootloader Marek Vasut Software engineer at DENX S.E. since

382 views • 35 slides
Using ElasticSearch as a fast, flexible, and scalable solution to search occurrence records and

Using ElasticSearch as a fast, flexible, and scalable solution to search occurrence records and

Using ElasticSearch as a fast, flexible, and scalable solution to search occurrence records and checklists Christian Gendreau, Canadensys Marie-Elise Lecoq, GBIF France Introduction ElasticSearch is an open source, document oriented, distributed

612 views • 20 slides
PLATFORM that adapts to your needs Technical documentation Designed in France, Whaller is a

PLATFORM that adapts to your needs Technical documentation Designed in France, Whaller is a

The secure collaborative PLATFORM that adapts to your needs Technical documentation Designed in France, Whaller is a simple, yet rich, collaborative solution that allows organizations to create their own secure, tailor-made social networks.

845 views • 38 slides
RADIATOR THE MOST FLEXIBLE AAA SOLUTION IN THE WORLD Radiator AAA software -- since 1997

RADIATOR THE MOST FLEXIBLE AAA SOLUTION IN THE WORLD Radiator AAA software -- since 1997

RADIATOR THE MOST FLEXIBLE AAA SOLUTION IN THE WORLD Radiator AAA software -- since 1997 Customers in OVER 180 countries DOZENS of TOP 100 enterprises and universities OVER 50% of LARGEST 25 mobile operators OEM component in HUNDREDS of MOBILE

391 views • 28 slides
Knowledge networks of biological and medical data An exhaustive and flexible solution to model

Knowledge networks of biological and medical data An exhaustive and flexible solution to model

Knowledge networks of biological and medical data An exhaustive and flexible solution to model life sciences domains Dr. Sascha Losko, Dr. Karsten Wenger, Dr. Wenzel Kalus, Dr. Andrea Ramge, Dr. Jens Wiehler, Dr. Klaus Heumann Biomax

376 views • 19 slides
SECURE HOME GATEWAY PROJECT ICANN63 BARCELONA OCTOBER 22, 2018 Jacques Latour, CTO, CIRA Labs

SECURE HOME GATEWAY PROJECT ICANN63 BARCELONA OCTOBER 22, 2018 Jacques Latour, CTO, CIRA Labs

SECURE HOME GATEWAY PROJECT ICANN63 BARCELONA OCTOBER 22, 2018 Jacques Latour, CTO, CIRA Labs Canadian Internet Registration Authority Jacques.Latour [@] cira.ca Today's home network and IoT products and solutions lack secure testing and

696 views • 24 slides
Challenges in Access Right Assignment for Secure Home Networks

Challenges in Access Right Assignment for Secure Home Networks

Challenges in Access Right Assignment for Secure Home Networks Tiffany Hyun-Jin Kim, Lujo Bauer, James Newsome, Adrian Perrig (CMU) Jesse Walker

484 views • 17 slides
CS519: Computer Networks Lecture 1 (part 2): Jan 28, 2004 Intro to Computer Networking Remember

CS519: Computer Networks Lecture 1 (part 2): Jan 28, 2004 Intro to Computer Networking Remember

CS519: Computer Networks Lecture 1 (part 2): Jan 28, 2004 Intro to Computer Networking Remember this picture? CS519 How did the switch know to forward some packets to B and some to D? From the address in the packet header CS519 A

602 views • 36 slides
Virtual Private Networks with tjnc 1 Motjvatjon VPN, Virtual Private Network Extend

Virtual Private Networks with tjnc 1 Motjvatjon VPN, Virtual Private Network Extend

create your own exercise Hugues Fafard, Markus Mller Virtual Private Networks with tjnc 1 Motjvatjon VPN, Virtual Private Network Extend private network over public ones Useful for companies Remote access Network bridging

256 views • 9 slides
VPN Virtual Private Network linpc Computer Center, CS, NCTU Introduction Uses public

VPN Virtual Private Network linpc Computer Center, CS, NCTU Introduction Uses public

VPN Virtual Private Network linpc Computer Center, CS, NCTU Introduction Uses public telecommunication channels, such as the Internet or other network service, instead of leased lines channels. Described as Virtual because it is distant

563 views • 23 slides
L2TP or not L2TP? Alain Durand, ??? L2TP Configuration Latency (in authenticated mode) L2TP

L2TP or not L2TP? Alain Durand, ??? L2TP Configuration Latency (in authenticated mode) L2TP

L2TP or not L2TP? Alain Durand, ??? L2TP Configuration Latency (in authenticated mode) L2TP (8), PPP+CHAP (11), DHCPv6 (4) = 23 pkts Idea: collapse all those layers into 1 protocol with minimum packet exchange. E.g.: TSP: 10

380 views • 5 slides
acceleration Proceedings of netdev 0.1, Feb 14-17, 2015, Ottawa, On, Canada NSS acceleration

acceleration Proceedings of netdev 0.1, Feb 14-17, 2015, Ottawa, On, Canada NSS acceleration

IPQ806x Hardware acceleration Proceedings of netdev 0.1, Feb 14-17, 2015, Ottawa, On, Canada NSS acceleration model Features Designed for Home Gateways (CPE) Flow detection based All -or- nothing offload Acceleration

248 views • 8 slides
MPLS based Virtual Private Networks Sources: V. Alwayn, Advanced MPLS Design and Implementation ,

MPLS based Virtual Private Networks Sources: V. Alwayn, Advanced MPLS Design and Implementation ,

MPLS based Virtual Private Networks Sources: V. Alwayn, Advanced MPLS Design and Implementation , Cisco Press B. Davie and Y. Rekhter, MPLS Technology and Applications , Morgan Kaufmann MPLS VPN Agenda Introduction to VPNs Where do Layer

854 views • 61 slides
Internet Security Summary ITS335: IT Security Sirindhorn International Institute of Technology

Internet Security Summary ITS335: IT Security Sirindhorn International Institute of Technology

ITS335 Internet Security Internet Security Secure Email Internet Security Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015 its335y15s2l10,

450 views • 25 slides
Requirements for IPsec Negotiation in the SIP Framework

Requirements for IPsec Negotiation in the SIP Framework

Requirements for IPsec Negotiation in the SIP Framework draft-saito-mmusic-ipsec-negotiation-req-00.txt August 1, 2005 Makoto Saito (ma.saito@ntt.com) Shingo Fujimoto (shingo_fujimoto@jp.fujitsu.com) 1 Motivation To secure communication

83 views • 6 slides

More recommend