UTORvpn: A Cross Platform Open Source SSL VPN Implementation
Russell Sutherland, University of Toronto
2007-05-18
What is a VPN?
Virtual Private Network
Virtual
Private (Secure)
Network
VPNs are built using tunnels
Encapsulation is something we are already used to

Application layer: Data
Transport layer: UDP header | UDP data
Network layer: IP header | IP data
Data link layer: Frame header | Frame data | Frame trailer

[Figure: a packet (Header | Data) wrapped with Tunnel Information and a new outer Header]
Layer II encapsulations
PPTP
Point to Point Tunneling Protocol
RFC 2637 [1999]
Easy to configure
ubiquitous
but...
according to:
“Microsoft PPTP is very broken, and there's no real way to fix it without taking the whole thing down and starting over. This isn't just one problem, but six different problems, any one of which breaks the protocol.”
and according to Peter Mueller:
PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead.
and finally
according to:
[Image: "PPTP Security Sucks" / "Moose Rocks"]
so maybe there is justice in the world
L2TP
Layer 2 Tunneling Protocol
RFC 2661 [1999]
L2TP v3
RFC 3931 [2005]
security added by IPsec
L2TP/IPsec
RFC 3193 [2001]
difficult to set up on M$ clients
Layer III encapsulations
IPsec
Suite of protocols
RFCs 2401–2412 [1998]
Implemented at the kernel level
key exchange daemon
OpenBSD: KAME + isakmpd
OpenBSD 4.0: added ipsecctl
FreeBSD, NetBSD: KAME + racoon
Linux: FreeS/WAN, Openswan + pluto
Linux v2.6.x: NetKey + isakmpd/racoon
Many commercial clients
but...
according to:
“Even though the protocol is a disappointment -- our primary complaint is with its complexity -- it is the best IP security protocol available at the moment.”
Layer IV encapsulations
SSL/TLS
Secure Sockets Layer
Transport Layer Security Protocol
RFC 2246 [1999]
TLS v1.1
RFC 4346 [2006]
OpenSSL
OpenVPN
according to:
[Image: "The OpenVPN Logo Sucks" / "Moose Rocks"]
multi-platform
economical
free*
* free as in Dan Langille’s extra lunch boxes
tunnels either layer II or III traffic
requires TUN or TAP devices
NAT, Dynamic IP & firewall friendly
certificate based asymmetric keying
X509/PKI
static symmetric keying
UDP tunnels (standard)
TCP tunnels (optional)
road warrior: host to network
branch office to central office: network to network
simple configuration
flexibility
bags & bags of options
support for 2X authentication
GUIs for Windows and Mac OS X
Rich suite of system logging
20k staff
10k grad students
Institutional Middleware
Authentication: Kerberos
Authorization: LDAP
Identifier: UTORid
VPN access required for remote access
staff & grad students only
> 90% of clients are Windows users
Sell the technocrats
Unix + OpenVPN a preferred solution
NSIS to aid Windows install
pf firewall rules!

# pf.conf for vpn.utoronto.ca - UTORvpn server
#
# $Id: pf.conf,v 1.1 2007/05/09 16:51:26 matt Exp matt $

int_if = bge0
ext_if = bge0
vpn_if = tun
internal_net = "10.11.12.0/24"
protos = "{ tcp, udp }"
bad_ports = "{ 42, 67:69, 135, 137:139,\
               161:162, 445, 593,\
               4444 }"

# table to hold dynamic list of hosts allowed to bypass
# windows port blocking
table <blessed> persist
table <vpn_net> { 10.11.12.192/29 }

set skip on lo0
scrub in all

# Default is to block everything
block in log all

# Allow HTTP and HTTPS access from all hosts
pass in quick on $ext_if proto tcp \
    from any to $ext_if port http keep state
pass in quick on $ext_if proto tcp \
    from any to $ext_if port https keep state

# allow all UDP traffic coming in on UTORvpn ports
pass in quick on $ext_if proto udp \
    from any to $ext_if port 1194:1196 keep state
pass in quick on $ext_if proto udp \
    from any to $ext_if port 5000:5001 keep state

# Only allow VPN traffic from good ports or special addresses
# allow hosts in <blessed> table to use "bad" ports
pass in quick on $vpn_if proto $protos \
    from <blessed> to any keep state

# block the bad ports on the tun interfaces
# but let everything else through
block in quick on $vpn_if proto $protos \
    from <vpn_net> port $bad_ports to any
block in quick on $vpn_if proto $protos \
    from <vpn_net> to any port $bad_ports
pass in on $vpn_if proto $protos \
    from <vpn_net> to any keep state

# Allow all outgoing traffic
pass out on $ext_if proto $protos \
    from $ext_if to any keep state
pass out on $ext_if proto $protos \
    from <vpn_net> to any keep state
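As an added illustration (not from the slides or the UTORvpn project), a small Python model of how pf walks this ruleset: the last matching rule wins unless a matching rule is marked quick, which is why the "bad port" block rules on the tun interfaces must be quick to beat the later catch-all pass. The $ext_if address, the <blessed> entry and the sample packets are constructed values.

```python
import ipaddress
# Constructed sample values (not from the slides): $ext_if's address and one <blessed> host.
EXT_IF_ADDR = "192.0.2.1"
BLESSED = {"10.11.12.195"}
VPN_NET = ipaddress.ip_network("10.11.12.192/29")          # table <vpn_net>
BAD_PORTS = ({42, 135, 445, 593, 4444} | set(range(67, 70))  # $bad_ports
             | set(range(137, 140)) | set(range(161, 163)))

def on_ext(p, proto):
    return (p["iface"] == "bge0" and p["dir"] == "in"
            and p["proto"] == proto and p["dst"] == EXT_IF_ADDR)

def on_vpn(p):
    # "in on tun" matches the tun interface group; $protos is { tcp, udp }
    return (p["iface"].startswith("tun") and p["dir"] == "in"
            and p["proto"] in ("tcp", "udp"))

def in_vpn_net(ip):
    return ipaddress.ip_address(ip) in VPN_NET

# (action, quick, predicate) in pf.conf order; "block in log all" is the default.
RULES = [
    ("pass", True, lambda p: on_ext(p, "tcp") and p["dport"] in (80, 443)),
    ("pass", True, lambda p: on_ext(p, "udp")
        and (1194 <= p["dport"] <= 1196 or 5000 <= p["dport"] <= 5001)),
    ("pass", True, lambda p: on_vpn(p) and p["src"] in BLESSED),
    ("block", True, lambda p: on_vpn(p) and in_vpn_net(p["src"]) and p["sport"] in BAD_PORTS),
    ("block", True, lambda p: on_vpn(p) and in_vpn_net(p["src"]) and p["dport"] in BAD_PORTS),
    ("pass", False, lambda p: on_vpn(p) and in_vpn_net(p["src"])),  # no quick
]

def evaluate(p, honor_quick=True):
    # pf semantics: the LAST matching rule decides, unless a matching rule
    # is marked quick, which ends evaluation immediately.
    decision = "block"
    for action, quick, pred in RULES:
        if pred(p):
            decision = action
            if quick and honor_quick:
                break
    return decision

def pkt(iface, proto, src, sport, dst, dport):
    return dict(iface=iface, dir="in", proto=proto, src=src, sport=sport, dst=dst, dport=dport)

# Constructed inbound packets: SMB from a VPN client, SMB from a <blessed> host,
# web traffic from a VPN client, and an OpenVPN hello arriving on $ext_if.
SMB_FROM_CLIENT = pkt("tun0", "tcp", "10.11.12.193", 50000, "10.11.12.1", 445)
SMB_FROM_BLESSED = pkt("tun0", "tcp", "10.11.12.195", 50000, "10.11.12.1", 445)
WEB_FROM_CLIENT = pkt("tun0", "tcp", "10.11.12.193", 50001, "10.11.12.1", 80)
OPENVPN_HELLO = pkt("bge0", "udp", "203.0.113.7", 40000, EXT_IF_ADDR, 1194)
```

Calling evaluate(SMB_FROM_CLIENT, honor_quick=False) returns "pass", showing what the ruleset would do if the block rules were not quick.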
Logging tools
Mac OS X + Windows Install & Demo