Wednesday, January 25, 2006


OpenVPN

If you haven't looked at OpenVPN yet, what the heck are you waiting for?

OpenVPN employs SSL to encrypt communications. There are two aspects of OpenVPN that you should open your eyes to: it's very cross-platform, and it runs over commonly used (and rarely blocked) Internet transports (TCP or UDP).

When I first heard about OpenVPN, I was a bit skeptical. I had been setting up IPsec VPNs because of its known "secureness". But, I was resistant to offer VPN to those who didn't have a great need for it because IPsec is/was difficult to deploy. It is/was especially difficult to deploy in cross-platform situations (e.g. OS X and OpenBSD, or Windows and anything). Especially for free.

Also at the time, OpenVPN (1.x) did not support multiple connections to the same server. You had to set up multiple servers on multiple ports for multiple users. This didn't appeal to me. I continued to resist offering VPN when asked. There were always alternatives: SSH, <service> over SSL, etc.

Enter OpenVPN 2.0.x.

Over time, it has been proven secure. And with 2.0, you no longer have to run separate servers for each connection. Setting up a server on Linux or OpenBSD (I haven't ever had a need to try a Windows server) is a snap. With the "easy-rsa" structure, deploying an SSL CA for OpenVPN is, well, easy. With the different graphical interfaces, deploying clients for OS X and Windows is almost as easy. Clients on Linux and OpenBSD, without a GUI, are even easier.

For OS X, Tunnelblick is great. The soon-to-be-released 3.0 version allows for simultaneous, multiple connections, a GUI status/details option, and is stable (even in Alpha). For my configuration, I had to override the new (Release Candidate 1) up/down scripts with dummy scripts so as not to kick me from my networks. I believe those scripts are to ease changes in DNS, but I've already taken care of those issues by other means (in one situation, utilizing the /etc/resolver/domain option native to OS X). The dummy script looks like:
#!/bin/bash -x
exit 0

and in openvpn.conf I added:
up ~/bin/
down ~/bin/
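To make the two points above concrete (a single 2.0 server serving many clients, and a client that neutralizes the GUI's up/down hooks with dummy scripts), here is an added example of a matching server and client configuration. It is not from the original post or from the OpenVPN project; the hostname vpn.example.com, the 10.8.0.0/24 tunnel network, the file names under ~/bin/ and the certificate file names are placeholders you would replace with your own easy-rsa output.

```conf
### server.conf (Linux/OpenBSD server, OpenVPN 2.0.x) ###
port 1194
proto udp
dev tun

# Files produced by easy-rsa: CA cert, server cert/key, DH parameters.
ca   ca.crt
cert server.crt
key  server.key
dh   dh1024.pem

# "server" is the 2.0 multi-client mode: one process hands out
# addresses from this pool to every connecting client.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
max-clients 50
keepalive 10 120

# Pre-shared HMAC key on top of TLS; drops unauthenticated packets
# before the TLS handshake even starts.  "0" marks the server side.
tls-auth ta.key 0

# Drop privileges after the tunnel is up.
user  nobody
group nobody
persist-key
persist-tun

status openvpn-status.log
verb 3

### openvpn.conf (client side, e.g. under Tunnelblick) ###
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca   ca.crt
cert client1.crt
key  client1.key

# Refuse to connect to a peer whose certificate was not issued as a
# server certificate (protects against a client cert posing as the server).
ns-cert-type server

# Client side of the tls-auth key ("1").
tls-auth ta.key 1

# Dummy up/down scripts (each is just "#!/bin/bash -x" + "exit 0"),
# overriding the GUI's DNS-adjusting scripts with no-ops.
up   ~/bin/dummy-up.sh
down ~/bin/dummy-down.sh

verb 3
```

The two tls-auth lines must reference the same ta.key (generated once with openvpn --genkey --secret ta.key) and use opposite direction values; the user/group lines keep the long-running server process from holding root after the tunnel is established.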

For Windows, Mathias Sundman's GUI and instructions to build your own setup.exe are excellent. I've started building user-specific "setup.exe" files that also install user-specific Server.ovpn and certificate files for the users. It's almost a no-brainer.

Of all the things I've implemented for my users at work, OpenVPN has gotten me the most praise.

Take a look.