OpenVPN

From Chaos Communication Camp 2007


This page describes a network service for visitors at the CCCamp 2007.


What is OpenVPN?

OpenVPN is a full-featured SSL VPN solution which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access controls.

OpenVPN implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or 2-factor authentication, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.

OpenVPN is an Open Source project and is licensed under the GPL.


What is the plan?

The plan is to provide an OpenVPN network server to camp visitors. By using this server, visitors will be able to circumvent certain layer 2 attacks (think wireless) if they cannot afford or do not have their own VPN and have to use insecure protocols. The OpenVPN server will therefore be situated, network-wise, near the internet uplink. In terms of network security, it is basically a reduction of trust: from the complete wireless subnet to only the NOC. Technically speaking, it is an alternative to IPSec, which might be provided by the NOC. See also: http://wiki.whatthehack.org/index.php/OpenVPN

What is the status?

  • currently in planning phase, todo:
    • rewrite the what is the plan section. make it tasty
    • modify ssh script to include statistics
    • setup server
    • distribute fingerprints at campsite: noc-helpdesk and MoI
    • give admin access to noc
  • ideas:
    • admin vlan vpn
    • ipsec

How do I use it?

  1. Just ssh openvpn@hostname-will-be-announced
  2. Compare the ssh fingerprint in a secure manner (snippets with the ssh fingerprint are available at the NOC-Helpdesk and the Ministry of Information)
  3. Follow the setup process in the ssh session (guided installation and configuration)
  4. Start OpenVPN on your localhost
  5. Access the internet in a secure manner
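
Step 2 is the one that keeps a rogue host on the wireless from answering the ssh connection in the server's place. The following is an added example, not part of this page or of the camp's scripts: it derives the MD5 and SHA256 fingerprints from a host key line (as printed by `ssh-keyscan` or stored in a `.pub` file) and compares them with the value copied from the paper snippet. The function names, the hostname `vpn.example.invalid` and the sample key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256"}

def constructed_key_line(seed: bytes) -> str:
    """Constructed sample: a well-formed ssh-ed25519 line, not a real host key."""
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(seed).digest())
    return "vpn.example.invalid ssh-ed25519 " + base64.b64encode(blob).decode()

def fingerprints(key_line: str) -> dict:
    """Fingerprints of a '.pub' line or an ssh-keyscan/known_hosts line."""
    fields = key_line.split()
    if fields and fields[0] not in KEY_TYPES:   # skip the leading hostname field
        fields = fields[1:]
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("unrecognised key line")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob starts with its own length-prefixed type name; it must agree.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != key_type.encode():
        raise ValueError("key type does not match key blob")
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}

def matches_printed(key_line: str, printed: str) -> bool:
    """Compare against the fingerprint copied from the paper snippet."""
    fps = fingerprints(key_line)
    p = "".join(printed.split())                # tolerate stray spaces and newlines
    if p.upper().startswith("SHA256:"):
        want, have = "SHA256:" + p[7:].rstrip("="), fps["sha256"]
    else:                                       # colon-separated MD5 hex, any case
        want = p[4:].lower() if p.upper().startswith("MD5:") else p.lower()
        have = fps["md5"]
    return hmac.compare_digest(want.encode(), have.encode())
```

If `matches_printed` returns `False`, do not accept the host key and do not continue with the setup session.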


This is great, but... where can I give feedback?

Please send feedback concerning the key-generation ssh script and the OpenVPN service to ccc-vpn at baraddur.de. For other issues, contact User:lefix.


Who is working on OpenVPN availability?

  • User:ZaphodB - will provide server hardware and is currently looking into MacOSX's native VPN capabilities
  • User:lefix - initiator, but not able to visit the camp. See [1] for the scripts.