Andrew Jorgensen

It’s better than bad, it’s good!

OpenVPN

I’ve been using OpenVPN for just over a year now. It’s excellent. I’m certain that it’s just over a year because all of my certificates expired all at once. What a pain (entirely my own fault). But in any case it was a good opportunity to revisit my configuration and see where it could improve.

First let me describe how my setup works (OpenVPN can work in many other ways). I have a server at my sister’s house which enjoys a 10Mbps fiber connection from iProvo. This server is the hub (uh, switch) of my VPN quite literally. The clients (computers that I manage for my family) all connect to the VPN as though it were just an ethernet switch and the server hands them an address. This works very well for my needs.

Because my certificates had expired I did revisit how I had set up the PKI. Last year I just followed the instructions in the mod_ssl FAQ. This time I used the included easy-rsa scripts. Honestly those were much easier, and they allowed me to create a server certificate that specifies that it’s only valid for server use. This restriction helps prevent a Man-in-the-Middle attack.

Fixing the server certificate also allowed me to connect to the VPN using NetworkManager. This was fun but NM messes with your routing table so that everything goes through the VPN even if your VPN configuration doesn’t specify that it should (well, that’s not entirely true, you can tell it not to – but you shouldn’t have to).

But the most significant change I made was to switch to UDP. I had been using TCP because BYU’s firewalls disallowed outgoing UDP (perhaps except for DNS), presumably to help prevent propagation of some worm. I knew that TCP has significant overhead and I knew that TCP over TCP has some serious problems but I really had no choice at the time. Luckily for me it seems that they have reconsidered that policy. I was shocked at the difference in performance when using UDP. Files that downloaded over HTTP through the VPN at 200 - 300Kbps before are downloading at 400 - 500Kbps. The connection feels snappier too though I don’t have a latency measurement to back that up.

Here’s my current server.conf:

dev tap proto udp ca ca.crt cert server.crt key server.key dh server.dh server-bridge 192.168.64.254 255.255.255.0 192.168.64.64 192.168.64.128 ifconfig 192.168.64.254 255.255.255.0 ifconfig-pool-persist server.ipp client-to-client keepalive 5 60 comp-lzo persist-key persist-tun mute 3 status server.log 5

And my client.conf:

client proto udp dev tap remote _host_ resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert client.crt key client.key ns-cert-type server comp-lzo mute 5 keepalive 5 60

OpenVPN can also be used in a username and password mode. Unfortunately for me the developers decided to disable the ability to read the password from a file by default. I can understand why they might think this was important except that the software will happily read an unencrypted private key from a file. What’s the difference? There isn’t one. At least that’s my take on it. If the file (key or password) is compromised someone can impersonate the client. It’s that simple. I brought it up with the developers but though there was some discussion about side-issues I got no reply on that particular point. In summary – though I’d love to use password authentication instead of certificate authentication I’m not going to recompile the clients just so I can do that.