OpenVPN
From Chaos Communication Camp 2007
This page describes a network service for visitors at the CCCamp 2007.
What is OpenVPN?
OpenVPN is a full-featured SSL VPN solution which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls.
OpenVPN implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or 2-factor authentication, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.
OpenVPN is an Open Source project and is licensed under the GPL.
- from the OpenVPN Website - more info there: http://www.openvpn.net
What is the plan?
The plan is to provide an OpenVPN server to camp visitors. By using this server, visitors will be able to circumvent certain layer 2 attacks (think wireless) if they cannot afford or do not have their own VPN and have to use insecure protocols. For this reason the OpenVPN server will sit, network-wise, near the internet uplink. In terms of network security, it is basically a reduction of trust: from the complete wireless subnet down to only the NOC. Technically speaking, it is an alternative to IPSec, which might be provided by the NOC. See also: http://wiki.whatthehack.org/index.php/OpenVPN
What is the status?
- currently in planning phase, todo:
  - rewrite the "What is the plan?" section, make it tasty
  - modify ssh script to include statistics
  - set up server
  - distribute fingerprints at campsite: noc-helpdesk and MoI
  - give admin access to noc
- ideas:
  - admin vlan vpn
  - ipsec
How do I use it?
- Just run
ssh openvpn@hostname-will-be-announced
- Compare the ssh fingerprint in a secure manner (snippets with the ssh fingerprint are available at the NOC-Helpdesk and the Ministry of Information)
- Follow the setup process in the ssh session (guided installation and configuration)
- Start OpenVPN on your local machine
- Access the internet in a secure manner
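The fingerprint comparison in the second step can be done mechanically. The following is an added example, not one of the camp's scripts: it derives both the legacy MD5 hex fingerprint and the newer SHA256 fingerprint from a host public key line and checks it against the value copied from a printed snippet. The function names and the sample key are constructed for illustration; the page publishes no real fingerprint.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def parse_key_blob(pubkey_line: str) -> bytes:
    """Return the raw key blob from a '[host] <type> <base64> [comment]' line."""
    fields = pubkey_line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            blob = base64.b64decode(fields[i + 1], validate=True)
            if len(blob) < 4:
                raise ValueError("key blob too short")
            # The blob begins with its own length-prefixed type string,
            # which must agree with the type named in the text line.
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] != field.encode("ascii"):
                raise ValueError("key type does not match key blob")
            return blob
    raise ValueError("no SSH public key found in line")


def fingerprints(blob: bytes) -> dict:
    """Fingerprints are hashes of the key blob, in the two formats ssh prints."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}


def matches_slip(pubkey_line: str, slip: str) -> bool:
    """True only if the fingerprint on the slip matches the presented key."""
    fp = fingerprints(parse_key_blob(pubkey_line))
    slip = slip.strip()
    if slip.upper().startswith("MD5:"):
        slip = slip[4:]
    if slip.startswith("SHA256:"):
        return slip.rstrip("=") == fp["sha256"]
    return slip.lower() == fp["md5"]


# Constructed sample key (not a real host key) in ssh-ed25519 wire format.
SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
               + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_LINE = ("hostname-will-be-announced ssh-ed25519 "
               + base64.b64encode(SAMPLE_BLOB).decode())

if __name__ == "__main__":
    print(fingerprints(parse_key_blob(SAMPLE_LINE)))
```

If the check returns False, do not continue with the ssh session; the key presented on the wireless network is not the one the NOC printed.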
This is great, but... where can I give feedback?
Please send feedback concerning the key-generation ssh script and the OpenVPN service to ccc-vpn at baraddur.de. For other issues, contact User:lefix.
Who is working on OpenVPN availability?
- User:ZaphodB - will provide server hardware and is currently looking into MacOSX's native VPN capabilities
- User:lefix - initiator, but not able to visit the camp. See [1] for the scripts.