Follow us

Revealing secret functionalities of OpenVPN

It's time to reveal the secrets of the most popular tool for building virtual private networks.

Published: October 18, 2021 By Darina Shramko

Title image for Revealing secret functionalities of Open VPN

Image source – pixabay.com

We can use some product for years and not even know what secrets it hides in itself. But if you show a little curiosity, you can learn a lot about the most ordinary things. So it happened with all the OpenVPN we know.

It would seem that what else you may not know about this tool?

You will immediately say that this program has no built-in client in Windows and Linux operating systems. Still, the ability to work on top of TCP will allow OpenVPN to pass through the most complex networks with multiple NATs and other functions.

Despite a lot of competition and the emergence of new utilities, OpenVPN is still one of the most popular technical implementations due to its customization flexibility and various options!

However, I still know how to interest you. I bet you didn't know OpenVPN is the easiest way to connect two hosts or networks with a secure tunnel? In this mode, the utility can work with static keys (pre-shared keys) even without certificates.

And this is not all that I want to tell you about OpenVPN. I know many secrets of this tool, which I will whisper in your ear today.

So, let's get ready − today will be exciting!

Disclaimer: The information provided in this article is for educational purposes only. We are against using the materials of the article to obtain unauthorized access to data.

How to install OpenVPN on Windows 10?

Before revealing all the cards, let's install OpenVPN on your computer.

To do this, you need to download a client application for your operating system. Then run the installation file and click Install.

OpenVPN setup

Process of OpenVPN installation

Next, you need to download and upload the OpenVPN connection configuration file (.ovpn file). This procedure is required when setting up a connection for the first time.

A configuration file in *.ovpn format is needed to connect to the VPN Gate relay server via the OpenVPN protocol.

You can download the configuration file on the page for the list of open free relay servers.

For this, please open the site and select the VPN server you want to connect to it. After selecting a server (you can select several, as I did), click on the corresponding *.ovpn file to download it to your desktop or download folder.

Web page for the list of open free relay servers

Once loaded, the VPN server will be displayed as an OpenVPN icon. However, you still cannot establish a connection simply by double-clicking on the file.

First, you need to move the downloaded file to the "config" folder of the leading OpenVPN installation directory, as I did:

Config folder on the PC

Now the "config" folder will look like this:

Config folder with the server file

Drag all downloaded servers into this folder (if you downloaded several of them).

Now, to connect to VPN, right-click on the OpenVPN GUI icon on your desktop and select Run as administrator. Otherwise, the VPN connection will fail.

Running OpenVPN as administrator

The OpenVPN GUI icon will appear in the notification area of ​​the taskbar (system tray).

Successful installation

The icon may be hidden in some cases, so click on the arrow icon to see all hidden icons. Then, right-click on the OpenVPN GUI icon and click to Connect.

Connect to the OpenVPN GUI

If you see a dialog box asking for username and password, enter "VPN" in both fields. However, this window appears very rarely, so you are unlikely to encounter such a connection feature.

If the VPN connection is successfully established, you will see a pop-up message in the Windows notification panel.

Successful OpenVPN GUI connection

As you can see, the OpenVPN icon is green, which means that the connection is established.

Green icon of OpenVPN GUI

Successful connection

When the VPN connection is established, a virtual network adapter OpenVPN TAP-Windows6 is created on Windows.

OpenVPN TAP-Windows6 public network

To verify that the connection has been successfully established, you can go to the VPN Gate main page to view the global IP address. As you can see, I have successfully connected to the South Korea server.

Successful connection to the South Korea server

Now that the client application has been successfully installed on your PC, it's time to learn the secrets of OpenVPN!

Site-to-site OpenVPN function

Agree that usually, OpenVPN is associated with client-server settings. Many network distributions like OpenWRT and OPNSense provide a user interface just for it, but this is a significant oversight!

Few people know that OpenVPN is a simple way to connect two hosts or networks with a secure point-to-point tunnel.

As I mentioned earlier, it is in this mode that the utility can work with static keys (pre-shared keys) without certificates.

Okay, let's assume we want a persistent connection to the remote machine with the address 204.0.114.100.

First, let's generate a key:

$ openvpn --genkey --secret /etc/openvpn/shared.key

Then setting up the local side:

dev-type tun dev tun0 ifconfig 192.168.0.2 192.168.0.1 rport 1194 remote 204.0.114.100 secret /etc/openvpn/shared.key

Now let's copy the key file to the remote machine and write the opposite config there:

dev-type tun dev tun0 ifconfig 192.168.0.1 192.168.0.2 lport 1194 local 204.0.114.100 secret /etc/openvpn/shared.key

Also, if you want, you can add options for working in daemon mode there:

daemon openvpn-tun0 writepid /var/run/openvpn-tun0.pid

Then save the config to a file like /etc/openvpn/s2s.conf and run openvpn with the config /etc/openvpn/s2s.conf command.

Connections are identified only by key, and host addresses are not taken into account in any way. You need to specify the remote option on the client-side.

The side without the remote option will wait for a connection. Because of this, OpenVPN is convenient for site-to-site connections to hosts that don't have a static address and hosts behind NAT.

The local option is optional but useful for routers with multiple external interfaces. If you do not specify it, OpenVPN will be automatically configured to 0.0.0.0.

I hasten to note that the OpenVPN utility works over UDP unless otherwise specified. If you want to use TCP, then on the client-side, you need to add the proto TCP-client command to the config, and on the server-side ─ the proto TCP-server.

So, having figured out the site-to-site setup, let's talk about the implications of using static keys.

On the one hand, the leak of such a key is much more dangerous since an attacker will be able to decrypt intercepted traffic both in the past and future. It's TLS that solves this problem using session keys.

But on the other hand, such traffic is more challenging to identify as an encrypted tunnel.

You can use the site-to-site mode with TLS and certificates; however, as you may have noticed, setup takes more time and effort.

Resume: If you need to raise the connection between two machines with minimal effort, OpenVPN site to site with a static key is the best option.

Settings for clients

Dynamic routing is good but utterly impractical for client connections. You can, of course, manually configure BIRD on any UNIX-like OS, but do you need to bother like that?

As you may have guessed, OpenVPN solves this problem in a few minutes!

I am sure that most of my readers have at least once heard about the push options in the config of the server itself, like push route 172.16.20.0 255.255.255.0.

However, few people know that these settings can be not only global. Moreover, it can specify almost any option at the client level.

To be able to configure settings for individual clients, you need to specify a directory for files with these settings, namely:

client-config-dir /etc/openvpn/client-configs/

The Common Name field from their certificates is used to identify clients. Suppose you have a client with CN = jrandomuser and needs access to the 172.17.18.0/23 network.

It is enough to create the file / etc / openvpn / client-configs / jrandomuser and add the following option there:

push "route 172.17.18.0 255.255.255.0"

In the same way, you can selectively disable split tunneling for some clients if you assign them to push "route 0.0.0.0 0.0.0.0".

In addition to routes, many other options can be handed out. For example, give clients your DNS server: push "dhcp-option DNS 172.16.0.10".

OpenVPN reads client settings files each time they connect. You do not need to restart the utility to add new clients or change settings.

Resume: The ability to specify these functions globally and for individual clients allows for very flexible control of user access to the internal network without much effort.

Connecting to remote networks

The site-to-site mode, which we talked about earlier, is only suitable for a small number of connections. If you have dozens or hundreds of remote networks, setting up a tunnel for each is a thankless task.

Fortunately, OpenVPN has a built-in mechanism for this task!

Let's assume that your organization's network is 10.0.0.0/17, and for remote clients, you have 10.0.0.0/22 allocated. Let your OpenVPN server use the tun0 network interface.

So, you need to create a route to the entire network through this interface. On Linux, the command would be like this:

$sudo ip route add 10.0.0.0/21 dev tun0

The Linux kernel removes routes when the interface disappears or goes down. The most optimal solution is to use a routing daemon like Quagga/FRRouting or BIRD, which monitors the states of network interfaces and recreates routes as needed. The simplest thing is to add a command to the startup script.

We will allocate one subnet for the client interfaces and specify it in the server option. In addition, you need to specify the topology subnet in the config. To specify which network belongs to which client, we again need client-config-dir.

Of course, clients will need access to the corporate network, so we'll push them to 10.0.0.0/17.

Add the following to the server config:

server 10.0.0.0 255.255.255.0
topology subnet
persist-tun
client-config-dir / etc / openvpn / client-configs /
push "route 10.0.0.0 255.255.0.0"

Now let's create a client config. Suppose you want to connect an office with the 10.0.1.0/26 network, and you have created a certificate for its router with CN = my-remote-office.

Add the following to / etc / openvpn / client-configs / my-remote-office:

iroute 10.0.1.0 255.255.255.0

Now when this client connects, OpenVPN will associate the 10.0.1.0/26 network with its connection.

Resume: This mechanism is the best option for connecting remote networks.

Storing settings in one file

You can often get the OpenVPN config for connecting to the server and separate files with a client certificate and key from the remote side. It's acceptable for admins but highly inconvenient to end-users.

Fortunately, keys and certificates can be stored along with settings. For example:

client
dev tun
proto udp
remote 202.0.113.20 1195
<ca>
----- BEGIN CERTIFICATE -----
...
----- END CERTIFICATE -----
</ca>
<cert>
----- BEGIN CERTIFICATE -----
...
----- END CERTIFICATE -----
</cert>
<key>
----- BEGIN RSA PRIVATE KEY -----
...
----- END RSA PRIVATE KEY -----
</key>

The user needs to save this file (for example, in my-vpn.ovpn) and run openvpn --config my-vpn.ovpn or specify this file in the client's graphical interface.

Resume: This method is tailored for end-users; now, keys and certificates can be stored in one file.

Accessing an OpenVPN process over a socket

OpenVPN provides an interface through which you can view connection information and perform several administrative tasks. You can interact with it through a TCP/IP or UNIX socket.

So, first, you need to add the following command to the server config:

management / tmp / openvpn-mgmt unix

You can connect to this socket using the socat utility:

$ sudo socat  UNIX-CONNECT: / tmp / openvpn-mgmt
> INFO: OpenVPN Management Interface Version 1 - type 'help' for more info

If you are interested in information about client tunnels and you want to receive it without having to connect to the socket every time, you can add this option to the config:

status /tmp/openvpn.status

The data in the file /tmp/openvpn.status will be written in the same format as the output of the status command, for example:

OpenVPN CLIENT LIST
Updated, Tue Oct 13 12:45:49 2021
Common Name, Real Address, Bytes Received, Bytes Sent, Connected Since
jrandomuser, 192.0.2.57: 56422,51036248,505028963, Tue Oct 13 08:04:02 2021

Resume: This method makes it very easy to secure UNIX domain socket

Conclusion

Today we had an extremely productive conversation about the hidden functions of OpenVPN, agree! You have learned a lot of new information that is unlikely to be written in the technical documentation for the utility.

However, if you show curiosity, you can also find many exciting things in the manual for OpenVPN.

For example, suppose you specify several remote options in the client config. In that case, the client will automatically switch to the following server address if it cannot connect to the first one.

Cyber enthusiasts, maybe you also know some secret chips of OpenVPN? Share your knowledge in the comments − it will be fascinating for other readers and me to learn something new!

I hope my today's guide was helpful to you, and you have already tested some of the OpenVPN secrets.

And if not yet, then I wish you successful experiments! If suddenly something does not work out for you, write in the comments. I will be happy to analyze your problem and help you find a solution.

See you soon!

Author
Darina Shramko
Cybersecurity specialist and researcher.

Leave a comment

click to select