OpenVPN

From Chaos Communication Camp 2007

This page describes a network service for visitors at the CCCamp 2007.

Contents 1 What is OpenVPN? 2 What is the plan? 3 What is the status? 4 How do I use it? 5 This is great, but... where can I give feedback? 6 Who is working on OpenVPN avaibility?

[edit] What is OpenVPN?

OpenVPN is a full-featured SSL VPN solution which can accomodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls.

OpenVPN implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or 2-factor authentication, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.

OpenVPN is an Open Source project and is licensed under the GPL.

• from the OpenVPN Website - more info there: http://www.openvpn.net

[edit] What is the plan?

The plan is to provide a OpenVPN network server to camp visitors. By using this server the visitors will be able to circumvent certain layer2 attacks - think wireless - if they cannot afford or do not have a own VPN and have to use insecure protocols. Thus the OpenVPN server will networkwise be situated near the internet uplink. In terms of network security: it is basically a reduction of trust, from the complete wireless subnet towards only the NOC. Technically speaking, it is an alternative to IPSec, which might be provided by the NOC. See also: http://wiki.whatthehack.org/index.php/OpenVPN

[edit] What is the status?

• currently in planning phase, todo:
  • rewrite the what is the plan section. make it tasty
  • modify ssh script to include statistics
  • setup server
  • distribute fingerprints at campsite: noc-helpdesk and MoI
  • give admin access to noc
• ideas:
  • admin vlan vpn
  • ipsec

[edit] How do I use it?

1. Just ssh openvpn@hostname-will-be-announced
2. Compare the ssh fingerprint in a secure manner (snippets with the ssh fingerprint are avaible at the NOC-Helpdesk and the Ministry of Information)
3. Follow the setup process in the ssh session ( guided installation and configuration )
4. Start OpenVPN on your localhost
5. Access the internet in a secure manner

[edit] This is great, but... where can I give feedback?

Please send feedback concerning the key-generation ssh script and the OpenVPN service to ccc-vpn at baraddur.de. Also, in other issues contact User:lefix.

[edit] Who is working on OpenVPN avaibility?

• User:ZaphodB - will provide server hardware and is currently looking into MacOSX's native VPN capabilities

• User:lefix - initiator, but not able to visit the camp. see [1] for the scripts.