This article will guide you through the basics of OpenVPN installations on an Ubuntu server running 12.04 or 14.04.
OpenVPN is configurable to support various scenarios to accommodate your specific needs.
For connection types, you can use:
- Road Warrior VPN with TAP or TUN
- Site to Site
For Authentication, you can use:
- Enable ID and Password Authentication for Road Warrior Setups
- Enable Two-Factor Authentication for Road Warrior Setups
Road Warrior VPN with TAP or TUN
A ‘Road Warrior’ is slang for any remote end user device that could connect from anywhere in the world, such as a laptop at a coffee shop, a PC in a home office, or a mobile device on a cellular data network. The end user may need access to only the hosts on your private network, or they may want to encrypt all traffic over the VPN. These are questions you need to ask when planning the OpenVPN configuration.
I get asked a lot about the differences between TAP and TUN in the OpenVPN server config and which is better to use. Neither one is necessarily ‘better’ than the other, as both can get the job done. However, one style may fit your needs better than the other.
Road Warrior with TAP
TAP is a layer-2 (Ethernet) interface. You bridge it with the server’s LAN interface so that VPN clients appear to be plugged directly into the subnet your internal hosts use. So if you use 192.168.1.0/24 on your internal network, you might give the VPN clients IPs in the range 192.168.1.200-210, and all internal and VPN systems share the same, single subnet (exclude that pool from the LAN’s DHCP scope so addresses are not handed out twice). You want this type of setup if you want to run a single subnet, if you use a service that has strict subnet control in security groups (like a service provider), or if you don’t have a router/gateway device that supports static routes (e.g. Apple Airports). You don’t want to use TAP if you need to support Android devices (Android does not support TAP based tunnels), if you have more than one internal subnet, or if you want to control traffic by source/destination: because every VPN client sits in the same broadcast domain as the LAN, ARP and broadcast traffic crosses the tunnel, and any filtering between clients and internal hosts has to be done on the bridge rather than at a routing boundary.
Road Warrior with TUN
TUN is a layer-3 (routed) solution where the VPN clients are allocated IPs from a separate subnet. So if you use 192.168.1.0/24 on your internal network, the VPN clients might be given IPs in 192.168.2.0/24, and your hosts in 192.168.1.0/24 see traffic coming from 192.168.2.0/24. This is the default way to set up a Road Warrior. Because reply traffic has to find its way back to 192.168.2.0/24, this method requires either that the default gateway on your internal LAN supports static routes (pointing 192.168.2.0/24 at the OpenVPN host), that you add an individual static route to every internal host, or that you NAT the VPN subnet on the OpenVPN host (at the cost of internal hosts no longer seeing the real client address in their logs). Use a TUN solution if you have multiple internal subnets on your private LAN and already have a routed solution in place to control traffic; the routing boundary on the OpenVPN host is also the natural place for firewall rules between VPN clients and internal hosts. In addition, TUN is the mode supported by Android devices.
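Here are the two modes written out as OpenVPN server configurations. This is an added example, not configuration from the original page or its HOW TOs. It assumes the addresses used above (LAN 192.168.1.0/24, VPN pool 192.168.1.200-210 for TAP, 192.168.2.0/24 for TUN), that the certificate and key files are named ca.crt, server.crt, server.key and dh2048.pem, that the bridge for the TAP case is called br0, and that the OpenVPN host’s own LAN address is 192.168.1.2.

```conf
# /etc/openvpn/server-tap.conf  -- bridged (TAP) Road Warrior (assumed example)
# Prerequisite, outside this file: create tap0 persistently and put it in a
# bridge together with the LAN interface, e.g.
#   openvpn --mktun --dev tap0
#   brctl addif br0 tap0        (br0 already contains eth0 and holds 192.168.1.1)
port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# bridge address, netmask, then the pool handed to VPN clients on the SAME subnet
server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.210
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup

# /etc/openvpn/server-tun.conf  -- routed (TUN) Road Warrior (assumed example)
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# clients get addresses from a SEPARATE subnet; the server itself takes 192.168.2.1
server 192.168.2.0 255.255.255.0
# tell clients how to reach the internal LAN through the tunnel
push "route 192.168.1.0 255.255.255.0"
# optional: send ALL client traffic through the VPN (coffee-shop use case)
;push "redirect-gateway def1"
;push "dhcp-option DNS 192.168.1.1"
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
# Return path, outside this file (assumed addresses):
#   on the OpenVPN host:  net.ipv4.ip_forward=1 in /etc/sysctl.conf
#   on the LAN gateway:   static route 192.168.2.0/24 via 192.168.1.2
#   Without one of these, replies from 192.168.1.x hosts never get back
#   to the VPN clients.
```

Only one of the two files should be active on a given host (OpenVPN on Ubuntu starts every *.conf found in /etc/openvpn). Neither mode filters anything by itself: with TAP, VPN clients can reach every host on the bridge, while with TUN you decide what they reach with iptables FORWARD rules on the OpenVPN host, which is the ‘control source/destination’ difference described above.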
Site to Site
Site to Site means setting up an encrypted tunnel connecting two remote networks. Office-A and Office-B can securely send data to and from each other over the VPN tunnel. This type of solution is ideal for two locations that you want to have connected 24/7 (or close to that anyway).
“I promise to have a site to site example up here soon”
Obviously, you want to control who can access your VPN. OpenVPN gives you several ways to do this using either Certificates, user-credentials, or a combination of the two. There are many ways to implement those types of auth, of course, but these are the basic examples.
Site to Site uses a static.key file, generated from the command line with openvpn --genkey --secret static.key, which is simply a pre-shared key. The same static.key must be present on each side of the VPN for the tunnel to build, so it has to be copied between the sites over a secure channel (scp, not email) and kept readable only by root. Two caveats: static-key mode has no forward secrecy, so anyone who obtains the key can decrypt captured traffic from before as well as after the theft, and one static key joins exactly two peers, so this mode does not scale beyond a single pair of sites. The Site to Site HOW TO shows this type of setup.
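An added example of the static-key pairing, not the page’s own HOW TO: both sides’ configuration files. The hostname vpn-a.example.com, the tunnel endpoints 10.8.0.1/10.8.0.2 and the two office LANs 192.168.1.0/24 (Office-A) and 192.168.2.0/24 (Office-B) are assumptions.

```conf
# Generate ONE key on Office-A and copy it to Office-B over a secure channel
# (scp); chmod 600 on both sides.  Assumed example, not the page's HOW TO.
#   openvpn --genkey --secret static.key

# /etc/openvpn/office-a.conf  (Office-A, LAN 192.168.1.0/24, waits for B)
dev tun
proto udp
port 1194
# tunnel endpoints: local address, then remote address
ifconfig 10.8.0.1 10.8.0.2
# direction 0 here and 1 on the other side: separate keys for each direction
secret static.key 0
# reach Office-B's LAN through the tunnel
route 192.168.2.0 255.255.255.0
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun

# /etc/openvpn/office-b.conf  (Office-B, LAN 192.168.2.0/24, dials A)
remote vpn-a.example.com 1194
dev tun
proto udp
ifconfig 10.8.0.2 10.8.0.1
secret static.key 1
# reach Office-A's LAN through the tunnel
route 192.168.1.0 255.255.255.0
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun

# On both OpenVPN hosts: net.ipv4.ip_forward=1.  On each office's LAN gateway:
# a static route for the other office's LAN via that office's OpenVPN host,
# otherwise only the two OpenVPN hosts themselves can talk across the tunnel.
```

The explicit cipher and auth lines matter here: in static-key mode there is no TLS negotiation, so whatever is configured (or the old BF-CBC/SHA1 defaults if nothing is) is what protects the traffic, and both sides must match exactly.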
Certificates can be used in the Road Warrior setups. Certs are signed by a CA that you run on the OpenVPN server (easy-rsa on Ubuntu) and distributed to your end-user devices, one cert and private key per device, never shared between devices. The cert is used to establish the tunnel without any user input. Certs can be revoked at the server level, which cuts off access (i.e. in case you lose a device with a cert); revocation only takes effect if the server is configured to check the CRL with crl-verify, so test that a revoked cert is actually rejected. The Road Warrior examples above show how to set this up.
ID and Password auth can be set up to use the local user list on the OpenVPN host (via the PAM plugin), or for more advanced setups, you can back-end it into RADIUS or LDAP.
Two factor uses both an issued certificate and an ID/PW. This is the most secure of the three, since you need a valid cert and a valid ID/PW combo: a stolen cert is useless without the ID/PW, and the ID/PW is useless without the cert. That only holds if the password is not saved on the device next to the cert, so do not let clients store their credentials in the config file.
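The certificate plus ID/password combination as a matched server and client configuration, added here as an example rather than taken from the page; the same file also shows where revocation (crl-verify) and password-only mode fit in. Assumed: easy-rsa 2.x file names (ca.crt, server.crt, server.key, dh2048.pem, crl.pem, laptop.crt/laptop.key), an HMAC key ta.key generated with openvpn --genkey --secret ta.key, the hostname vpn.example.com, and the PAM plugin path shipped by the Ubuntu openvpn package.

```conf
# /etc/openvpn/server.conf  -- certificate + ID/password (assumed example)
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 192.168.2.0 255.255.255.0
# Factor 1: the client must present a certificate signed by ca.crt (the
# default) that is NOT on the revocation list.  After a device is lost, on
# the easy-rsa 2.x CA that Ubuntu 12.04/14.04 ship:
#   . ./vars && ./revoke-full lost-laptop     # updates keys/crl.pem
# then copy crl.pem next to this file.
crl-verify crl.pem
# Factor 2: the client must also send a username/password, checked by PAM
# using the "login" service, i.e. the local user list on this host.
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
# Leave the next line commented out to require BOTH factors.  Enabling it
# makes the certificate optional (plain "ID and Password" mode).
;client-cert-not-required
# HMAC-sign the TLS handshake so packets without the key are dropped early
tls-auth ta.key 0
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup

# client.ovpn  (matching client side)
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert laptop.crt
key laptop.key
tls-auth ta.key 1
# insist that the peer's certificate is a server certificate, so a client
# cert issued by the same CA cannot be used to stand up a fake server
remote-cert-tls server
# prompt for the ID/password on every connect; do NOT point this at a file,
# or a stolen laptop carries both factors
auth-user-pass
```

To confirm both factors are enforced, try three connections: a valid cert with a wrong password, a revoked cert with the right password, and a valid cert with the right password. Only the last one should get a tunnel, and the first two should show up as AUTH_FAILED or a VERIFY error in the server log.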