Professional Documents
Culture Documents
In recent years, OpenVPN has been available on many mobile phones as well. The
first was available for Android, OpenVPN for Android by Arne Schwabe. This utilized a
ported tun driver and did not support tap mode (bridged) VPNs.
The OpenVPN application for iOS (Apple) didn't come until much later, however.
It took OpenVPN Technologies, Inc. nearly a year to negotiate with Apple to support
an external VPN API and grant access to that API for their use. On Android, the
OpenVPN source could be ported to the platform, with some omissions for tap,
since the tap driver was not available on the platform. Due to the development
environment on iOS, the client had to be written from the ground up. James Yonen
wrote a nearly feature-complete client in a few months in C++ and OpenVPN Connect
was published to the App Store®.
Copyright © 2015. Packt Publishing, Limited. All rights reserved.
[ 321 ]
Keijser, Jan Just, and Crist, Eric F. Mastering OpenVPN : Master Building and Integrating Secure Private Networks Using OpenVPN, Packt Publishing, Limited, 2015. ProQuest Ebook
Central, http://ebookcentral.proquest.com/lib/linkgroup-ebooks/detail.action?docID=4191311.
Created from linkgroup-ebooks on 2023-10-18 17:38:22.
Future Directions
Current strengths
OpenVPN 2.3 is light years ahead of where we stood in the recent past. A quick
glance at the change list from around 2008 until now shows quite a significant
number of important updates, bug fixes, and enhancements.
Current weaknesses
There are notable weaknesses in the current version of OpenVPN. First, the entire
application is written as a single, monolithic application. The same binary that is
used for client connections is also used as the server instance. This isn't too much
of a problem, but there is no modularization of code, so all of the logic needs to be
handled regardless of the context in which the application is executed.
Working through the monolithic design woes, developers will have an easier time
implementing features such as IPv6, additional compression algorithms, and so
on. Also, changes to improve the network stack need to be updated in many places
within the code, rather than a single library or component. This is the reason the IPv6
and IPv4 stacks are handled separately today.
Today, however, gigabit connections at home aren't rare, and even where they are
unavailable now, these high-speed uplinks will be available in the very near future.
Copyright © 2015. Packt Publishing, Limited. All rights reserved.
With the right high-clock speed processor, OpenVPN is capable of (nearly) saturating
a gigabit Ethernet link.
[ 322 ]
Keijser, Jan Just, and Crist, Eric F. Mastering OpenVPN : Master Building and Integrating Secure Private Networks Using OpenVPN, Packt Publishing, Limited, 2015. ProQuest Ebook
Central, http://ebookcentral.proquest.com/lib/linkgroup-ebooks/detail.action?docID=4191311.
Created from linkgroup-ebooks on 2023-10-18 17:38:22.
Chapter 10
This requires the AES encryption instructions (known as AES-NI) found in modern
processors, such as Intel's Core i7 and Xeon E5 processors, as well as modern AMD
processors. It also requires the encryption cipher to be set to AES, for example, by
using --cipher aes-256-cbc in both server and client configurations.
The operating system and encryption library also play a role here. Most server setups
use the OpenSSL libraries for encryption and decryption. Support for the AES-NI
instruction set was included only in OpenSSL 1.0.0. CentOS 5, for example, still uses
OpenSSL library (0.9.8e-fips), which does not have support for these instructions.
It is quite easy to verify whether a processor and the operating system make use
of the AES-NI instructions. Using the openssl speed command, you can quickly
determine encryption performance for both OpenVPN's default cipher (BlowFish or
bf-cbc) and the AES cipher (aes-256-cbc):
This test was run on an Intel Core i7-4810MQ processor running Fedora 20 and
clearly, AES is much faster than BlowFish. We can safely conclude that AES-NI
is supported by both the CPU and the operating system. If we disable OpenSSL's
support for AES-NI instructions, the effect on performance is quite dramatic:
$ OPENSSL_ia32cap=0 openssl speed -evp aes-256-cbc
type … 256 bytes 1024 bytes 8192 bytes
aes-256-cbc 120009.39k 264001.19k 262821.68k
Copyright © 2015. Packt Publishing, Limited. All rights reserved.
[ 323 ]
Keijser, Jan Just, and Crist, Eric F. Mastering OpenVPN : Master Building and Integrating Secure Private Networks Using OpenVPN, Packt Publishing, Limited, 2015. ProQuest Ebook
Central, http://ebookcentral.proquest.com/lib/linkgroup-ebooks/detail.action?docID=4191311.
Created from linkgroup-ebooks on 2023-10-18 17:38:22.
Future Directions
Using a processor such as the Core i7, it is possible to achieve performance of over
500 Mbps in both directions, as was shown in Chapter 9, Troubleshooting and Tuning.
• http://community.openvpn.net/openvpn/wiki/OpenVPN2.4
• http://community.openvpn.net/openvpn/wiki/RoadMap
More specifically, modularization for plugins, even making the OpenSSL and
PolarSSL support modules, has been discussed. This will allow for easier integration
of other libraries as they become available, and even support for something entirely
different from SSL could be achieved with this approach. Better threading and
process offloading is also being considered to improve the client connection volume
and bandwidth utilization.
Copyright © 2015. Packt Publishing, Limited. All rights reserved.
Despite the great advancements we've already made, there's much room for
improvement. A key issue, with no solution in sight, is support for the development
team. There are only a very small number of developers active and devoted to the
project. The end result is a slow development cycle and new features are rare.
[ 324 ]
Keijser, Jan Just, and Crist, Eric F. Mastering OpenVPN : Master Building and Integrating Secure Private Networks Using OpenVPN, Packt Publishing, Limited, 2015. ProQuest Ebook
Central, http://ebookcentral.proquest.com/lib/linkgroup-ebooks/detail.action?docID=4191311.
Created from linkgroup-ebooks on 2023-10-18 17:38:22.
Chapter 10
Some items currently being worked on include better IPv6 support, proper Windows
privilege separation, and TLS roaming.
A full list of current bugs is available on the OpenVPN community bug tracker.
Patches are always welcome on the mailing list and well-written and tested patches
are certain to get quick approval. The link http://community.openvpn.net/
openvpn/report/1 takes you directly to the open bug reports.
Per-client compression
In Version 2.3 and below, if compression is enabled at the server, it must also be
enabled at the client. This has proven difficult to identify from client logs in the
past, as the tunnel just appeared to fail passing traffic. On the v2.4 roadmap, there
is compression negotiation. This would allow per-client compression, and even
compression protocol/algorithm negotiation.
Hopefully, we will also see support for GCM-based encryption in Version 2.4.
GCM (Galois/Counter Mode) encryption, is more efficient and performant than the
currently used CBC (Cipher Block Chain) encryption routines.
Copyright © 2015. Packt Publishing, Limited. All rights reserved.
Authenticated Encryption with Associated Data (AEAD) will also debut in v2.4.
[ 325 ]
Keijser, Jan Just, and Crist, Eric F. Mastering OpenVPN : Master Building and Integrating Secure Private Networks Using OpenVPN, Packt Publishing, Limited, 2015. ProQuest Ebook
Central, http://ebookcentral.proquest.com/lib/linkgroup-ebooks/detail.action?docID=4191311.
Created from linkgroup-ebooks on 2023-10-18 17:38:22.
Future Directions
In Version 2.4, it will be possible to support clients that connect using either a
certificate, or a username and password, or both. This allows for greater flexibility
when granting users different levels of access to your VPN setup. For this, a new
option is added.
IPv6 support
The networking code within OpenVPN uses separate functions for IPv4 and IPv6
code paths. A couple of years ago, there was a major overhaul of how IPv4 was
handled, but the work was never done for the IPv6 functions. OpenVPN 2.3 does
support a completely native IPv6 transport as well as encapsulated traffic. Using
IPv6 DNS servers and garnering that information from DHCP isn't supported, but is
on the roadmap for v2.4.
push "redirect-gateway ipv6" is also on the list. You can still imitate a default
route with IPv6 by pushing the special routes manually:
push "route-ipv6 ::/0 2600:dead:beef::1"
Copyright © 2015. Packt Publishing, Limited. All rights reserved.
[ 326 ]
Keijser, Jan Just, and Crist, Eric F. Mastering OpenVPN : Master Building and Integrating Secure Private Networks Using OpenVPN, Packt Publishing, Limited, 2015. ProQuest Ebook
Central, http://ebookcentral.proquest.com/lib/linkgroup-ebooks/detail.action?docID=4191311.
Created from linkgroup-ebooks on 2023-10-18 17:38:22.
Chapter 10
To be complete, the wrapper [=interactive service] must also own the OpenVPN
private key – otherwise the configuration would be copyable by a non-privileged
user, something that the enterprise model is determined to prevent. Protecting the
private key can be accomplished by storing the key in the system certificate/key
store, and accessing the key through a Cryptographic Provider API such as Crypto
API on Windows, PKCS#11 on Linux, or Keychain on Mac.
James Yonan
Second, the interactive service must not allow access from other processes (non-
OpenVPN) running as the same (current) user:
James Yonan
[ 327 ]
Keijser, Jan Just, and Crist, Eric F. Mastering OpenVPN : Master Building and Integrating Secure Private Networks Using OpenVPN, Packt Publishing, Limited, 2015. ProQuest Ebook
Central, http://ebookcentral.proquest.com/lib/linkgroup-ebooks/detail.action?docID=4191311.
Created from linkgroup-ebooks on 2023-10-18 17:38:22.
Future Directions
Third:
Other non-privileged software might be able to access the APIs for these wrappers
[=interactive service], for example by pushing routes into the API. Malware that
would normally be confined to user space can now perform privileged operations
such as modifying the default route. The end user can now connect to any
VPN server of their choice (a major violation of enterprise model). What you've
essentially done with this model is introduce a privilege escalation vulnerability
because operations that would normally require privilege, such as adding routes,
can now be done by a non-privileged user.
James Yonan
The second approach utilizes two or three separate COM+ objects, as suggested by
Alon Bar-Lev in March 2012 (http://thread.gmane.org/gmane.network.openvpn.
devel/5755/focus=5869). With this approach, three components are needed: the
OpenVPN GUI, the OpenVPN service, and the OpenVPN network handler.
The OpenVPN GUI would not change much from what it is today. It would continue
to hand tasks and updates to a backend process. As there is no current privilege
separation, the current GUI does not need to handle any authorization. With the
use of COM+ and the network OpenVPN module, the GUI can be completely
unprivileged.
Summary
After spending years in the OpenVPN IRC channel and on the OpenVPN support
forum, there are some recurring difficulties among the server administration user
base: basic networking and routing, X.509 certificate management, and user or client
authentication. Having now read this book, you should have a solid grasp of these
concepts and understand the underlying mechanisms. The differences between the
tun and tap virtual network adapters have been discussed as well.
OpenVPN is a very active open source project and is ever evolving. The techniques
and examples within Mastering OpenVPN will likely not go stale in the near future.
Inefficiencies within the code are anticipated, however, so we strongly recommend
that you read the manual (man page) available at https://openvpn.net/index.
php/open-source/documentation/manuals.html.
Copyright © 2015. Packt Publishing, Limited. All rights reserved.
[ 328 ]
Keijser, Jan Just, and Crist, Eric F. Mastering OpenVPN : Master Building and Integrating Secure Private Networks Using OpenVPN, Packt Publishing, Limited, 2015. ProQuest Ebook
Central, http://ebookcentral.proquest.com/lib/linkgroup-ebooks/detail.action?docID=4191311.
Created from linkgroup-ebooks on 2023-10-18 17:38:22.
Chapter 10
Like most open source projects, OpenVPN needs more help—more volunteers
to help moderate the forum and help on IRC, and additional developers to help
increase the speed of development are all needed. There are aspirations to build
a bounty system to aid in this effort. The community is strong and the protocol is
widely recognized.
There is a lot of work to do, but the feature set of OpenVPN compared to other
VPN applications puts it right in line with expectations. If you would like to get
involved with the OpenVPN project, look through the following resources to identify
interesting work and contact someone to help you get started:
[ 329 ]
Keijser, Jan Just, and Crist, Eric F. Mastering OpenVPN : Master Building and Integrating Secure Private Networks Using OpenVPN, Packt Publishing, Limited, 2015. ProQuest Ebook
Central, http://ebookcentral.proquest.com/lib/linkgroup-ebooks/detail.action?docID=4191311.
Created from linkgroup-ebooks on 2023-10-18 17:38:22.
Copyright © 2015. Packt Publishing, Limited. All rights reserved.
Keijser, Jan Just, and Crist, Eric F. Mastering OpenVPN : Master Building and Integrating Secure Private Networks Using OpenVPN, Packt Publishing, Limited, 2015. ProQuest Ebook
Central, http://ebookcentral.proquest.com/lib/linkgroup-ebooks/detail.action?docID=4191311.
Created from linkgroup-ebooks on 2023-10-18 17:38:22.