Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Anybody using\used OpenVPN?

7 views
Skip to first unread message

Mike Jones

unread,
Jun 11, 2009, 7:50:08 PM6/11/09
to

Looking for a "drop-in" solution to create encrypted connection and data
transfer over an untrusted LAN connection, and OpenVPN seems to be close
enough to what I /think/ I need.

Currently using basic NFS to export various partitions to other machines
on the network, coupled with dire threats to all potential idiots who
might decide to compromise my LAN by plugging something stupid into it,
etc.

Would OpenVPN keep the idiots out? Or do I need a bigger stick and a 24h
patrol rota? ;\

--
*===( http://www.400monkeys.com/God/
*===( http://principiadiscordia.com/
*===( http://www.slackware.com/

Tim

unread,
Jun 11, 2009, 8:42:12 PM6/11/09
to

"Mike Jones" <N...@Arizona.Bay> wrote in message
news:pan.2009.06...@Arizona.Bay...

>
>
> Looking for a "drop-in" solution to create encrypted connection and data
> transfer over an untrusted LAN connection, and OpenVPN seems to be close
> enough to what I /think/ I need.
>
> Currently using basic NFS to export various partitions to other machines
> on the network, coupled with dire threats to all potential idiots who
> might decide to compromise my LAN by plugging something stupid into it,
> etc.
>
> Would OpenVPN keep the idiots out? Or do I need a bigger stick and a 24h
> patrol rota? ;\

Please take the following as (i)MHO. I used OpenVPN over the Internet to
encrypt telnet sessions for a client, and now I SSH over my internal IP from
my laptop, which I consider extremely secure. You can edit the setup scripts
to increase the keys to, I believe, 2048 bit strenght. It may take a bit
longer to initally make the connection on a slow link (I've had mine
time-out on a slow connection) but once connected it's totally great. You
can add compression which helps lot on telnet, and maybe SSH. I've only
noticed slower speeds over a LAN, or a compressed dpwnlpad on a
cable-to-cable connection.

Tim


+Alan Hicks+

unread,
Jun 11, 2009, 10:50:16 PM6/11/09
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2009-06-11, Mike Jones <N...@Arizona.Bay> wrote:
> Looking for a "drop-in" solution to create encrypted connection and data
> transfer over an untrusted LAN connection, and OpenVPN seems to be close
> enough to what I /think/ I need.

Yes, OpenVPN is almost certainly what you need. There are other options
such as IPSec, but I don't recommend them.

> Currently using basic NFS to export various partitions to other machines
> on the network, coupled with dire threats to all potential idiots who
> might decide to compromise my LAN by plugging something stupid into it,
> etc.
>
> Would OpenVPN keep the idiots out? Or do I need a bigger stick and a 24h
> patrol rota? ;\

OpenVPN and some simple netfilter rules can take care of this.
Basically, you'll want to setup an OpenVPN service on one of your
machines (preferably your gateway) and allow all computers on your LAN
to connect to it on this single UDP port.[0] This machine may also need
to allow DHCP connections, but everything else could be safely
blocked.[1]

Setup the OpenVPN service to pass out IP addresses on a seperate
private subnet and allow all connections from this subnet through your
firewall. Then, each other machine receives its own encryption keys and
connects to the OpenVPN service. They will receive IP addresses on this
seperate private subnet. You can then configure each service to operate
only on this subnet (or all interfaces if you've properly blocked them
from your firewall). At this point, everything should just work.

[0] If this box is headless, you may also want to enable SSH or
something similar.
[1] You can even optionally block any traffic out to the Internet
unless the machine is connected through OpenVPN.


- --
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoxwmcACgkQNj1TaGS9H5KeMACggnDd49bGWjZHnvABTl8TzJ/x
H/gAnRbVl2UgPy/qLTbZlaUqGldrNDtn
=aI4L
-----END PGP SIGNATURE-----

Keith Keller

unread,
Jun 11, 2009, 11:42:08 PM6/11/09
to
On 2009-06-11, Mike Jones <N...@Arizona.Bay> wrote:
>
> Looking for a "drop-in" solution to create encrypted connection and data
> transfer over an untrusted LAN connection, and OpenVPN seems to be close
> enough to what I /think/ I need.

OpenVPN is excellent. I use it to encrypt my NFS-over-wifi connection,
as well as others' samba-from-home connections.

The OpenVPN HOWTO on their site is a great starting point. It goes into
great detail on setting up a simple (or some more complex) configuration
for many hosts connecting to a single OpenVPN server.

--keith

--
kkeller...@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information

Mike Jones

unread,
Jun 12, 2009, 6:42:40 AM6/12/09
to
Responding to Mike Jones:

> Looking for a "drop-in" solution to create encrypted connection and data
> transfer over an untrusted LAN connection, and OpenVPN seems to be close
> enough to what I /think/ I need.
>
> Currently using basic NFS to export various partitions to other machines
> on the network, coupled with dire threats to all potential idiots who
> might decide to compromise my LAN by plugging something stupid into it,
> etc.
>
> Would OpenVPN keep the idiots out? Or do I need a bigger stick and a 24h
> patrol rota? ;\


Tim, Alan, Keith? Thanks for the tips.

Downloading it now.

Cheers!

Blumf

unread,
Jun 12, 2009, 8:36:59 AM6/12/09
to
Mike Jones wrote:
> Looking for a "drop-in" solution to create encrypted connection and data
> transfer over an untrusted LAN connection, and OpenVPN seems to be close
> enough to what I /think/ I need.
>
> Currently using basic NFS to export various partitions to other machines
> on the network, coupled with dire threats to all potential idiots who
> might decide to compromise my LAN by plugging something stupid into it,
> etc.

Would sshfs be an option?

Blumf

Mike Jones

unread,
Jun 12, 2009, 3:46:28 PM6/12/09
to
Responding to Blumf:


Hmmm. Interesting. More reading required. Cheers.

Grant Taylor

unread,
Jun 13, 2009, 12:54:19 AM6/13/09
to
On 6/11/2009 6:50 PM, Mike Jones wrote:
> Anybody using\used OpenVPN?

Yes, I am currently using OpenVPN between multiple Windows XP / Vista
systems and a Linux gateway. Currently I'm routing from these
individual clients to a subnet behind the router. (OpenVPN clients get
an IP in a subnet that differs from the LAN and are subsequently routed
to the LAN via the LAN's default gateway.)

I am getting ready to deploy about a dozen Asus WL-500G Premium V2
routers running OpenWRT with OpenVPN for a client back to their
corporate office (small multi-site company). Needless to say I am
extremely happy with OpenVPN.

I am also using the OpenVPN GUI on clients and have it running as a
service on one of them for the system to manage.

Grant. . . .

Grant Taylor

unread,
Jun 13, 2009, 1:04:57 AM6/13/09
to
On 6/11/2009 9:50 PM, +Alan Hicks+ wrote:
> OpenVPN and some simple netfilter rules can take care of this.
> Basically, you'll want to setup an OpenVPN service on one of your
> machines (preferably your gateway) and allow all computers on your
> LAN to connect to it on this single UDP port.

There is no doubt that this will work. However it will be extremely
inefficient and quite a load on your OpenVPN system. This is by nature
of how OpenVPN works.

OpenVPN, like all VPNs (that I'm aware of) create a point to point
tunnel. This means that it if any two systems (other than the OpenVPN
system) want to talk they will have to talk through the OpenVPN system.

The only way that I'm aware of to get around this is to configure
multiple OpenVPN connections on each machine to every other machine.
This in and of its self will become extremely complex and a nightmare to
maintain as the number of systems goes up.

I would suggest that you look at some other solution. The first thing
that comes to mind is IPSec (which can be configured as a VPN tunnel)
which can (also) be configured to encrypt traffic between multiple
systems in a LAN. (I've never done this my self so I can't say much.)
The idea is that all the systems that you want to participate in the
encrypted LAN have common settings and thus can communicate with each
other with out having to necessarily be pre-configured for each other.

Another option that comes to mind is to use another different protocol,
say IPv6 that is not (and will not be) automatically configured. This
way you are effectively running a second parallel network on the main
network that your systems know about and can communicate with each other
with out others knowing about it.

I suppose you could add a second (IPv4) subnet to your existing network
(though this will be harder to do if you are DHCPing your existing
interfaces) so that you can do the same type of thing as with the IPv6,
just with your existing protocol. I.e. your private network could be on
192.168.144.x and your public network could be on 10.20.30.x which is
offering DHCP. In this config, have each of your systems use a static
IP in both the 192.168.144.x and 10.20.30.x networks with a default
gateway in the 10.20.30.x network. This way your systems can talk to
each other on the 192.168.144.x network and access the internet on the
10.20.30.x network.

Grant. . . .

Mike Jones

unread,
Jun 13, 2009, 11:08:37 AM6/13/09
to
Responding to Mike Jones:

> Responding to Blumf:
>
>> Mike Jones wrote:
>>> Looking for a "drop-in" solution to create encrypted connection and
>>> data transfer over an untrusted LAN connection, and OpenVPN seems to
>>> be close enough to what I /think/ I need.
>>>
>>> Currently using basic NFS to export various partitions to other
>>> machines on the network, coupled with dire threats to all potential
>>> idiots who might decide to compromise my LAN by plugging something
>>> stupid into it, etc.
>>
>> Would sshfs be an option?
>>
>> Blumf
>
>
> Hmmm. Interesting. More reading required. Cheers.


Progress so far...

I've been messing about with the sshfs option, and though it feels like
some kind of pocket-knife tool compared to my first impressions of
OpenVPN (not yet played with) and NFS, it dows seem to get the job done,
and witht he added benefits that:

A: With a little script I whipped up, the clients can chose to mount up a
resource as they need it (can be done for them on user log-in if
required) and have related mountpoints created as needed, and removed
when the resource is unmounted.

B: Things are nailed down to SSH, so unauthorised machines can't spoof
another (I'm thinking about malware laden WinBotted machines here). (I
only have one communications process to focus on too!)

C: Though the process of entering a password for each remote mount might
initially seem a little irritating to clients, it will get them into the
habit of EXPECTING security, and therefore maybe even ANTICIPATING
it. !!! (There is always ssh-add, and adding a request for the ssh_key
password on account startup, etc.)

As the "A-Team" mindset behind sshfs appeals to me, I think I'll play
around a bit more with it and see what it takes to break it, and what it
can SNAFU when it does get knotted up (if at all).

Further hints and tips (and cautions) welcome.

Thanks for the help so far guys. Much appreciated.

Vincent Batts

unread,
Jul 3, 2009, 12:35:09 PM7/3/09
to
> C: Though the process of entering a password for each remote mount might
> initially seem a little irritating to clients, it will get them into the
> habit of EXPECTING security, and therefore maybe even ANTICIPATING
> it. !!! (There is always ssh-add, and adding a request for the ssh_key
> password on account startup, etc.)

if the clients are windows, you can put the shortcut to pagent in the
'startup' folder, so that it will prompt them for their passphrase
during login.
if the client is linux, you can check out x11-ssh-askpass.
(http://slackbuilds.org/repository/12.2/network/x11-ssh-askpass/)
then its just a matter of having the $HOME/.xprofile file in each users
home folder. you could add it to /etc/skel/ for future users


Take care,
vb

Mike Jones

unread,
Jul 3, 2009, 7:19:21 PM7/3/09
to
Responding to Vincent Batts:


Looks useful. Cheers!

0 new messages