UTORvpn: A Cross-Platform Open Source SSL VPN Implementation

Russell Sutherland, University of Toronto

2007-05-18

What is a VPN?

Virtual Private Network

Virtual
Private (Secure)
Network

VPNs are built using tunnels

Encapsulation is something we are already used to:

  Application layer  | Data
  Transport layer    | UDP header   | UDP data
  Network layer      | IP header    | IP data
  Data link layer    | Frame header | Frame data | Frame trailer

A tunnel is one more layer of the same idea: the original packet (header and data) becomes the data of a new packet that carries the tunnel information.

  Original packet:  [Header | Data]
  Tunneled packet:  [Header | Tunnel Information | [Header | Data]]

Layer II encapsulations

PPTP: Point to Point Tunneling Protocol, RFC 2637 [1999]

Easy to configure, ubiquitous... but, according to:

“Microsoft PPTP is very broken, and there's no real way to fix it without taking the whole thing down and starting over. This isn't just one problem, but six different problems, any one of which breaks the protocol.”

and according to Peter Mueller:

“PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead.”

and finally, according to:

PPTP Security Sucks / Moose Rocks

so maybe there is justice in the world

L2TP: Layer 2 Tunneling Protocol, RFC 2661 [1999]
L2TPv3: RFC 3931 [2005]
security added by IPsec
L2TP/IPsec: RFC 3193 [2001]
difficult to set up on M$ clients

Layer III encapsulations

IPsec: a suite of protocols, RFCs 2401–2412 [1998]
Implemented at the kernel level, with a key exchange daemon in userland:
  OpenBSD : KAME + isakmpd (OpenBSD 4.0 added ipsecctl)
  FreeBSD, NetBSD : KAME + racoon
  Linux : FreeS/WAN/Openswan + pluto
  Linux 2.6.x : NETKEY + isakmpd/racoon
Many commercial clients... but, according to:

“Even though the protocol is a disappointment -- our primary complaint is with its complexity -- it is the best IP security protocol available at the moment.”

Layer IV encapsulations

SSL/TLS: Secure Socket Layer / Transport Layer Security Protocol, RFC 2246 [1999]
TLS v1.1: RFC 4346 [2006]

OpenSSL

OpenVPN

according to:

The OpenVPN Logo Sucks / Moose Rocks

http://www.openvpn.net/

  multi-platform
  economical: free*
    * free as in Dan Langille’s extra lunch boxes
  tunnels either layer II or III traffic
  requires TUN or TAP devices
  NAT, dynamic IP & firewall friendly
  certificate based asymmetric keying (X.509/PKI)
  static symmetric keying
  UDP tunnels (standard)
  TCP tunnels (optional)
  road warrior: host <-> network
  branch office to central office: network <-> network
  simple configuration
  flexibility: bags & bags of options
  support for 2X authentication
  GUIs for Windows and Mac OS X
  rich suite of system logging

University of Toronto: 20k staff, 10k grad students

Institutional Middleware:
  Authentication : Kerberos
  Authorization : LDAP
  Identifier : UTORid

VPN access required for remote access
staff & grad students only
> 90% of clients are Windows users

Sell the technocrats
Unix + OpenVPN a preferred solution
NSIS to aid Windows install: http://nsis.sourceforge.net/

pf firewall rules!

# pf.conf for vpn.utoronto.ca - UTORvpn server
#
# $Id: pf.conf,v 1.1 2007/05/09 16:51:26 matt Exp matt $

int_if       = bge0
ext_if       = bge0
vpn_if       = tun
internal_net = "10.11.12.0/24"
protos       = "{ tcp, udp }"
bad_ports    = "{ 42, 67:69, 135, 137:139, \
                  161:162, 445, 593, \
                  4444 }"

# table to hold dynamic list of hosts allowed to bypass
# windows port blocking
table <blessed> persist
table <vpn_net> { 10.11.12.192/29 }

set skip on lo0
scrub in all

# Default is to block everything
block in log all

# Allow HTTP and HTTPS access from all hosts
pass  in quick on $ext_if proto tcp \
      from any to $ext_if port http keep state
pass  in quick on $ext_if proto tcp \
      from any to $ext_if port https keep state

# allow all UDP traffic coming in on UTORvpn ports
pass  in quick on $ext_if proto udp \
      from any to $ext_if port 1194:1196 keep state
pass  in quick on $ext_if proto udp \
      from any to $ext_if port 5000:5001 keep state

# Only allow VPN traffic from good ports or special addresses
# allow hosts in <blessed> table to use "bad" ports
pass  in quick on $vpn_if proto $protos \
      from <blessed> to any keep state

# block the bad ports on the tun interfaces
# but let everything else through
block in quick on $vpn_if proto $protos \
      from <vpn_net> port $bad_ports to any
block in quick on $vpn_if proto $protos \
      from <vpn_net> to any port $bad_ports
pass  in on $vpn_if proto $protos \
      from <vpn_net> to any keep state

# Allow all outgoing traffic
pass  out on $ext_if proto $protos \
      from $ext_if to any keep state
pass  out on $ext_if proto $protos \
      from <vpn_net> to any keep state
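As an added illustration, not from the slides or the UTORvpn server: a small Python model of how pf evaluates the tun-interface rules above (the last matching rule decides, unless a matching rule is marked quick), so you can check which client packets the bad-port block and the <blessed> bypass actually catch. The packet dicts and the blessed set are constructed sample inputs, and the model assumes TCP/UDP packets, since the rules restrict $protos to those.

```python
import ipaddress

# Values taken from the pf.conf above
VPN_NET = ipaddress.ip_network("10.11.12.192/29")   # table <vpn_net>
BAD_PORTS = ({42, 135, 445, 593, 4444}               # $bad_ports
             | set(range(67, 70)) | set(range(137, 140)) | set(range(161, 163)))


def in_vpn_net(src):
    return ipaddress.ip_address(src) in VPN_NET


def tun_rules(blessed):
    """The rules that can match 'in on $vpn_if', in pf.conf order, as
    (action, quick, match). blessed: a set of source addresses standing in
    for the dynamic <blessed> table."""
    return [
        # block in log all
        ("block", False, lambda p: True),
        # pass in quick on $vpn_if from <blessed> to any
        ("pass", True, lambda p: p["src"] in blessed),
        # block in quick on $vpn_if from <vpn_net> port $bad_ports to any
        ("block", True, lambda p: in_vpn_net(p["src"]) and p["sport"] in BAD_PORTS),
        # block in quick on $vpn_if from <vpn_net> to any port $bad_ports
        ("block", True, lambda p: in_vpn_net(p["src"]) and p["dport"] in BAD_PORTS),
        # pass in on $vpn_if from <vpn_net> to any (no quick: last match wins)
        ("pass", False, lambda p: in_vpn_net(p["src"])),
    ]


def evaluate(packet, blessed=frozenset()):
    """pf semantics: walk every rule; the last matching rule decides, unless
    a matching rule is 'quick', which ends evaluation immediately.
    Returns 'pass' or 'block'; a packet matching no rule passes by default."""
    decision = "pass"
    for action, quick, match in tun_rules(blessed):
        if match(packet):
            decision = action
            if quick:
                break
    return decision


def pkt(src, dport, sport=40000):
    """Constructed inbound TCP/UDP packet arriving on a tun interface."""
    return {"src": src, "sport": sport, "dport": dport}


if __name__ == "__main__":
    for p in (pkt("10.11.12.193", 80), pkt("10.11.12.193", 445), pkt("192.0.2.10", 80)):
        print(p, "->", evaluate(p))
```

A client outside <vpn_net> only ever matches "block in log all", so it is dropped even though no rule names it explicitly; adding a host to the blessed set lets it reach the Windows ports while everyone else stays blocked.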

Logging tools

Mac OS X + Windows Install & Demo
