1 OpenVPN
Antelope User Group 2017, Vienna
Stefan Radman, May 30, 2017

2 What is OpenVPN?
https://en.wikipedia.org/wiki/OpenVPN
Advancement Through Innovation | Company Proprietary and Confidential
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls.

3 What is OpenVPN?
and what is it not?
• OpenVPN is virtual private networking software
• Open source (GPL)
• Based on UDP/IP, TCP/IP (works through firewalls)
• Certificate-based authentication (X.509)
• Standard encryption ciphers (OpenSSL)
• OpenVPN is not IPsec
• OpenVPN is not a firewall
• OpenVPN is not proprietary

4 What is it good for?
Why should seismologists use it?
• Create trusted private networks over the Internet
• Protect traffic between datacenter and the digitizer
• Help secure access to remote sites
• Access to stations without static IP

5 How can I use it?
Platforms supporting OpenVPN
• Kinemetrics Rock+ digitizers (Obsidian & Etna2)
• Cellular routers (e.g. Sierra Wireless, Conel)
• Installer packages for Linux, Mac, Windows
• Increasing number of network equipment vendors
• High degree of interoperability
• pfSense

6 OpenVPN using Certificates
OpenVPN tunnel to Rock+ digitizer

7 pfSense
More than just a firewall
• Packet filter firewall & router
• Open Source (Apache License 2.0)
• OpenVPN server & certificate management
• DHCP server, DNS proxy and much more
• BSD OS
• Easy installation from CD
• Web-based management

8 pfSense
User interface
Console menu
Web interface

9 pfSense
Certificate Manager
Certificate authority
Client/Server certificates

10 Certificates & trust relationship
How mutual trust is established

11 pfSense
Certificate Manager
OpenVPN server
Client export

12 Rock+ OpenVPN
Firmware requirements & configuration
• Firmware support
  • Etna2 Linux Update > 1.2 (current = 1.3)
  • Obsidian Linux Update > 3.4 (current)
• Configuration
  • /etc/openvpn/*.conf
  • service openvpn start
  • initdconfig openvpn start
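Slides 10 to 12 describe the trust relationship: one CA in the pfSense certificate manager issues the server and client certificates, the client export produces a config, and that config is dropped into /etc/openvpn on the digitizer. Whether the trust is really mutual depends on a handful of client directives. The following is an added example, not code from the slides, pfSense or OpenVPN: a small Python linter that parses a client config (file directives plus inline <ca>/<cert>/<key>/<tls-auth> blocks) and flags a config that trusts the CA but would accept any holder of a client certificate as the server, next to one shaped like a pfSense client export. The sample configs, the host vpn.example.org and the station file paths are constructed for illustration.

```python
"""Lint an OpenVPN client config for the directives that make the certificate
trust relationship mutual.  Added example, not code from the slides, pfSense
or OpenVPN; the sample configs, hostname and file paths are made up."""
import re
import shlex

INLINE_BLOCK = re.compile(r"^<(/?)([a-z0-9-]+)>$")
# BF-CBC (64-bit block, SWEET32) was the historical default; "none" = no encryption.
WEAK_CIPHERS = {"none", "bf-cbc", "des-cbc", "des-ede3-cbc", "rc2-cbc"}


def parse_ovpn(text):
    """Return ({directive: [args, ...]}, {inline tag: body}) for one config."""
    by_name, blocks, tag, body = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = INLINE_BLOCK.match(line)
        if m and m.group(1) == "/" and m.group(2) == tag:  # </ca>, </key>, ...
            blocks[tag], tag, body = "\n".join(body), None, []
        elif m and not m.group(1) and tag is None:         # <ca>, <key>, ...
            tag = m.group(2)
        elif m:
            raise ValueError(f"unbalanced inline block: {line}")
        elif tag is not None:
            body.append(raw)  # PEM material inside a block, kept verbatim
        elif line and line[0] not in "#;":
            name, *args = shlex.split(line)  # simplified OpenVPN quoting
            by_name.setdefault(name, []).append(args)
    if tag is not None:
        raise ValueError(f"unterminated inline block <{tag}>")
    return by_name, blocks


def lint(text):
    """Return (severity, directive, message) tuples for one client config."""
    by_name, blocks = parse_ovpn(text)
    present = lambda d: d in by_name or d in blocks  # file directive or inline block
    out = []
    for d in ("client", "remote"):
        if d not in by_name:
            out.append(("error", d, f"missing '{d}'"))
    # Trust anchor (ca) and this node's own identity (cert, key).
    for d in ("ca", "cert", "key"):
        if not present(d):
            out.append(("error", d, f"missing '{d}' file or <{d}> block"))
    # A shared CA alone is not mutual trust: any holder of a *client* cert
    # from the same CA could pose as the server unless the client insists
    # on a certificate carrying the server EKU.
    if ["server"] not in by_name.get("remote-cert-tls", []):
        out.append(("error", "remote-cert-tls", "add 'remote-cert-tls server'"))
    # tls-auth/tls-crypt: control packets carry an HMAC under a shared key,
    # so the OpenVPN port silently drops unauthenticated probes.
    if not (present("tls-auth") or present("tls-crypt")):
        out.append(("warn", "tls-auth", "no tls-auth/tls-crypt key; port answers any probe"))
    if "verify-x509-name" not in by_name:
        out.append(("warn", "verify-x509-name", "server certificate name not pinned"))
    for args in by_name.get("cipher", []):
        if args and args[0].lower() in WEAK_CIPHERS:
            out.append(("error", "cipher", f"weak data-channel cipher {args[0]}"))
    return out


# Constructed sample: a hand-written field config that only names the CA.
WEAK_CONFIG = """\
client
remote vpn.example.org 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/station.crt
key /etc/openvpn/station.key
cipher BF-CBC
"""

# Constructed sample shaped like a pfSense client export (PEM bodies omitted).
HARDENED_CONFIG = """\
client
remote vpn.example.org 1194
remote-cert-tls server
verify-x509-name "OpenVPN Server" name
cipher AES-256-CBC
auth SHA256
key-direction 1
<ca>
(PEM omitted)
</ca>
<cert>
(PEM omitted)
</cert>
<key>
(PEM omitted)
</key>
<tls-auth>
(PEM omitted)
</tls-auth>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, *[f"  [{s}] {d}: {msg}" for s, d, msg in lint(cfg)], sep="\n")
```

Run it over the exported .conf before copying it to a station. With a single shared CA, which is the setup on these slides, `remote-cert-tls server` is the directive that stops a stolen or leftover client certificate from being reused to impersonate the server, and `tls-auth` is what keeps the UDP port from answering port scans.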

13 Rock+ Security
Netfilter requirements & configuration
• Firmware support
  • Etna2 Linux Update > 1.2 (current = 1.3)
  • Obsidian Linux Update > 3.3 (current = 3.4)
• Configuration
  • “Relaxed” mode: kminetfilter defaults
  • “Stealth” mode: kminetfilter stealth

14 Rock/Rock+ Security
Reminder - Basic cybersecurity
• Change factory default passwords!!
• Use a firewall
• Block/disable unused services
• KMI Application Note #63: Basic Cyber Security
  http://wiki.kmi.com/wiki/index.php/Rock_Application_Notes

15 OpenVPN platforms
Linux
• Linux
  • Binary openvpn packages included in most current Linux distributions (RHEL/CentOS, Debian, …)
  • Install using native mechanism (yum, apt-get, …)
  • Supported in GNOME NetworkManager (including GUI)
  • Configuration via GUI or config files in /etc/openvpn

16 OpenVPN platforms
Windows/Mac
• Windows
  • OpenVPN installer package (free, with GUI)
• Mac
  • Tunnelblick (free)
  • Viscosity (commercial)
  • macports (no GUI)

17 Resources
OpenVPN/pfSense/Rock+/Etna2
OpenVPN
http://www.openvpn.org
pfSense
http://www.pfsense.org
Rock+/Etna2
http://wiki.kmi.com/wiki/index.php/Rock

18 OpenVPN
Thanks for listening!
Questions?