Re: [Openvpn-devel] [Openvpn-users] why doesn't openvpn negotiate settings?

2013-08-16 Thread Gert Doering
Hi,

On Tue, Aug 06, 2013 at 10:08:03AM -0500, Les Mikesell wrote:
> On Tue, Aug 6, 2013 at 4:52 AM, David Sommerseth
>  wrote:
> >
> > * Learn about TCP/IP networking, read especially chapter 3.1 in this
> > book: .  I'll
> > repeat: You MUST know how network traffic travels between hosts and routers.
> 
> Maybe, maybe not...   Lots of people would be perfectly happy with a
> bridged configuration - which isn't recommended because of performance
> issues on large scales.   

Which mostly isn't recommended because it's no easier than routed, it
just pretends to.  After setting "basic bridged", people usually ask how
to connect another network behind the "bridged client" node, and then
you're fully back into routing land...

> And at least an equal number would be happy
> with the openvpn host doing NAT on its LAN interface.  

Now that is why OpenVPN AS exists :-) - it does exactly this.  Default
network is assigned to the tun interface (can be changed, but default
works), iptables NAT rules added automatically (can be turned off, but
on-by-default), stuff just works.  Choices answered for you.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany    g...@greenie.muc.de
fax: +49-89-35655025              g...@net.informatik.tu-muenchen.de


Re: [Openvpn-devel] [Openvpn-users] why doesn't openvpn negotiate settings?

2013-08-16 Thread Gert Doering
Hi,

On Tue, Aug 06, 2013 at 12:10:37PM +0200, Jan Just Keijser wrote:
> Configuring openvpn can be daunting at first, but it is not nearly as
> bad as configuring PPTP, or - GASP! - IPSec+L2TP.

PPTP is actually way easier than OpenVPN :-) - why?  Because you have
much less choices regarding IP addresses and routing...  unless you
try to link two full networks (as opposed to client-to-server) with
PPTP, then it will get ... interesting :-)

[..]
> Dan also has a point however: we should watch out for introducing new 
> features that nobody really understands how to use or why you would use 
> them - the docs should be kept up to par with the features. My cookbook, 
> for example, does not cover any of the features found in 2.3 like IPv6 - 
> I hope I can write an update in the near future. 

That update would be appreciated - while nobody wants to understand IPv6,
I consider it unavoidable in the near-term future (3-5 years at the 
latest), so cooking recipes should cover it...

gert


Re: [Openvpn-devel] [Openvpn-users] why doesn't openvpn negotiate settings?

2013-08-16 Thread Gert Doering
Hi,

I'm a bit late to that, but had always planned to respond to this...

On Mon, Aug 05, 2013 at 10:52:54AM -0700, dan farmer wrote:
> But from a user's perspective - anything that can make the horror known as 
> openvpn configuration easier would improve openvpn's adoption considerably.

The issue here is that VPN is a highly complex matter, *and* that OpenVPN
is way too flexible :-)

Let me explain.

When you do commercial SSL-VPN products, usually you have a server that is 
closed, has a web interface, and you only get to select a few possible
options, like "authenticate against a radius server" or - if you're lucky -
what IP range to use.  Then the commercial VPN product will create a 
config file that you can then import into the client, and voila, zero-conf
VPN.

Now, if you want that with OpenVPN, you can use the OpenVPN Advanced Server
- commercial product, nice web interface (which actually *can* configure
most of the stuff, but the defaults work), maintenance contract, support,
and on the click of a button, it will produce a ready-made .ovpn profile
that you import into the client, with (voila!) zero-config :-)


OTOH, using the community OpenVPN, you have all the tools that you can
imagine to twiddle

  - how you want to connect your networks - network-to-network,
    client-to-network, bridged client-to-network, fake bridging with
    proxy-ARP over tun, you-name-it -> whatever networking problem you
    have, the chance is high that you can solve it with OpenVPN.

  - how you want to authenticate your clients - certificates, user+password,
    both, external sources (radius, PAM, ...)

  - and potentially even modify the server config for each client on-the-fly
    with one of the umpteen script hooks

This is cool, but makes server configuration quite difficult indeed, as
you need to decide what you *want* to achieve - and as David and others have
mentioned before, most of the time the problems are not "the VPN side" but
"the IP routing side of things" (I do that for a living, but I know it from
my colleagues' faces that some of the tricks can be a *bit* hard to grok...).


If the server is done, and you know how you want the client side to look,
the client config is actually fairly simple in most cases - tell
it where to look ("remote 1.2.3.4"), what protocol to use ("mode udp")
and how to authenticate ("ca", "cert", "key").  Most of the rest can be
pushed by the server...


Of course then you're back into crypto lala land - crypto is hard, CAs
are even harder, and *understanding* how the bits and pieces fit together
can be a challenge (especially with the lovely openssl command line tools).


Now, I'm not sure what the conclusion of that is - maybe "use raw 
OpenVPN if you're willing to dig into IP routing and crypto CA stuff, 
and want the full control - and use a product with a hide-the-details 
GUI like OpenVPN AS otherwise, and accept the choices that the GUI 
writer made for you"?


OTOH, we *do* ship quite a stack of config files in our tree...

openvpn/sample/sample-config-files$ ls -l
total 92
-rw-r--r--  1 gert  users    131 Feb  2  2013 README
-rw-r--r--  1 gert  users   3426 Feb  2  2013 client.conf
-rwxr-xr-x  1 gert  users   3562 Feb  2  2013 firewall.sh
-rwxr-xr-x  1 gert  users     62 Feb  2  2013 home.up
-rw-r--r--  1 gert  users    639 Feb  2  2013 loopback-client
-rw-r--r--  1 gert  users    665 Feb  2  2013 loopback-server
-rwxr-xr-x  1 gert  users     62 Feb  2  2013 office.up
-rwxr-xr-x  1 gert  users     63 Feb  2  2013 openvpn-shutdown.sh
-rwxr-xr-x  1 gert  users    776 Feb  2  2013 openvpn-startup.sh
-rw-r--r--  1 gert  users  10288 Feb  2  2013 server.conf
-rw-r--r--  1 gert  users   1742 Feb  2  2013 static-home.conf
-rw-r--r--  1 gert  users   1688 Feb  2  2013 static-office.conf
-rw-r--r--  1 gert  users   1937 Feb  2  2013 tls-home.conf
-rw-r--r--  1 gert  users   1948 Feb  2  2013 tls-office.conf
-rw-r--r--  1 gert  users    199 Feb  2  2013 xinetd-client-config
-rw-r--r--  1 gert  users    989 Feb  2  2013 xinetd-server-config

... maybe we should do more advertising for these?

gert



Re: [Openvpn-devel] [Openvpn-users] why doesn't openvpn negotiate settings?

2013-08-06 Thread Jan Just Keijser

Hi David,

nice answer, David, and thanks for promoting the book ;)

Your basic points are correct, of course:
- networking is hard
- security is hard

Configuring openvpn can be daunting at first, but it is not nearly as
bad as configuring PPTP, or - GASP! - IPSec+L2TP.
Documentation can help, of course, but to do things right will always
require work.
Also, each setup is unique: there are some default setups, of course,
most/some of which are covered in my cookbook, but after answering a lot
of questions on the mailing list and forums I've found that each
networking setup is unique and openvpn needs to be adjusted for it. I've
always found the flexibility of openvpn its true power - but with great
power (flexibility) comes great responsibility (about documenting things).


Dan also has a point however: we should watch out for introducing new
features that nobody really understands how to use or why you would use
them - the docs should be kept up to par with the features. My cookbook,
for example, does not cover any of the features found in 2.3 like IPv6 -
I hope I can write an update in the near future.
I was and am hoping that an auto-negotiate feature would improve the
usability of openvpn - if you can negotiate and/or push more settings
from the server to the clients then the client configs can be as simple
as possible, which should reduce complexity.


JM2CW,

JJK



David Sommerseth wrote:

On 05/08/13 19:52, dan farmer wrote:

To start with - I really, really appreciate the work that's gone into the
program. I've released stuff myself, and it's not an easy process, especially
for something as complex and with so much functionality as openvpn.  I get that.

But from a user's perspective - anything that can make the horror known as
openvpn configuration easier would improve openvpn's adoption considerably.

Here's a true tale.  I'm writing a little thing to use openvpn.  I'd like to
think I know networks a bit - more on the theory at times than implementation,
but whatever.

OpenVPN ranks up there with pgp and openssh for the most fucked up and
mysterious configurations I've ever seen (it is not a coincidence that they're
all crypto programs, I believe.)  It is legendary among non-openvpn people to
be ridiculously difficult.  I'm actually pretty sure that if one is an openvpn
person who knows what you're doing it's not that bad, or even makes some
internal sense.  But I'd wager that high-ninety% of your user base doesn't
fall into that camp.  Well, of your potential user base, that is, most don't
get that far.

I am not saying this to say "everything is fuxx3d up" or something.  I'm telling
you because it took me a couple of days to get even the most basic thing really
working on a not-terribly-complex setup.  And while I understand the conceptual
matters of your program, honestly, I fear to set it up, and have little faith
that even if I get it running it'll do what I want it to.

I'm not even complaining for myself - I'm a big guy, I can take care of myself,
and take it or leave it - but for others...



[...snip...]

The documentation to OpenVPN might feel daunting, but it really isn't
that bad if you just get started on the easy paths.  And if you really
want a hand-held guide through setting up OpenVPN ... go grab this book:



I'm not aiming this message against you, Dan, so please don't take it as
a personal attack of any kind.

The biggest problem, from my experience, isn't that people don't
understand the official docs.  But they use external sources for setting
up OpenVPN, like random blog or forum posts on sites not controlled by
the OpenVPN community at all.  And really, in 99% of all those posts,
they contradict each other or basically recommend completely clueless
setups which are just plain wrong.  Why?  Because these writers often
don't understand NETWORKING at all.

First of all, if you want to set up any kind of VPN, you NEED to
understand basic networking.  If your network experience is based on
setting up a home router and you got it working, then you know NOTHING
about networking.  Go read about how TCP/IP functions and at minimum
learn the BASIC ROUTING.  Without that, you're going to get lost.

Next, OpenVPN configurations are basically 2 parts.  It's the security
part, which involves setting up security parameters (ciphers, keys, etc)
and which host to connect to.  The other part is NETWORK ROUTING.  No
matter what kind of VPN setup you configure, you must understand
routing.  Then there are the more advanced parts, such as firewalling,
MTU, fragmentation, and similar topics.

Most people I've met on #openvpn, on this mailing list and those times
I've looked at our forum, they struggle with the latter.  Almost
everyone manages to set up and configure OpenVPN server and clients and
make them connect without much help at all (when having issues, it's
mostly related to PKI setups).  They 

Re: [Openvpn-devel] [Openvpn-users] why doesn't openvpn negotiate settings?

2013-08-04 Thread James Yonan
We've recently merged some patches allowing OpenVPN to negotiate certain 
settings (such as compression), but unfortunately at this time neither 
cipher nor auth directives can be negotiated in the 2.x branch.


The 3.0 branch has fixed this somewhat by having the client support 
cipher and auth directives that are pushed by the server (*).


However, to make cipher/auth negotiation really work, there are a few
more things that are needed.  For one, the client would need to push a
list of supported cipher/auth methods, so the server can choose a
mutually supported combination.  Another possibility is to have OpenVPN
leverage the preexisting TLS ciphersuite negotiation, so as to use
the same cipher/auth settings as TLS.


Some of this was discussed recently in the TLS versioning thread on 
openvpn-devel:


http://sourceforge.net/mailarchive/forum.php?thread_name=1CED409804E2164C8104F9E623B08B901455DE1C69%40FOXDFT02.FOX.local_name=openvpn-devel

James

*  The 3.0 branch is currently used by the OpenVPN Connect clients for
Android and iOS.  Source code for the core is available from
http://staging.openvpn.net/openvpn3/


On 01/08/2013 09:07, Jan Just Keijser wrote:

Hi Gert,

Gert Doering wrote:

Hi,

On Thu, Aug 01, 2013 at 12:02:55PM +0200, Jan Just Keijser wrote:


It should be possible to add negotiation without completely breaking
backwards compatibility; right now, when a server pushes an option to
the client that is unrecognized the client will print a warning but it
will not abort. This could be used to push a 'negotiation request' - if
the client responds then a negotiation phase can start, during which the
encryption key, hashing cipher, MTU settings etc can be negotiated. If
the client does not respond the server would need to assume that it's a
2.3 or older client.



Maybe I'm a bit naive, but since the data layer cipher is independent of
the TLS cipher anyway, can't we just "push cipher xxx"?

Or is push/pull crypted with the data layer cipher?



good question and one that I've asked myself as well - there seems to
be something funny going on with the data layer cipher (or auth parm).
I remember that I tried making the cipher and auth settings pushable and
failed miserably. The flow of when and how the data cipher (and digest)
are set up seems to be complicated and may happen (partially) *before*
the options are pushed.
Perhaps someone else (JamesY?) can comment on this.

cheers,

JJK







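As an added illustration (not code from this thread, from OpenVPN 2.x or from the 3.0 core), here is a small Python model of the negotiation sketched above: the server pushes a hypothetical `negotiate-request` option alongside ordinary pushed options, a 2.3-style client warns on the unknown option and never answers, so the server falls back to its configured legacy cipher/auth, and a newer client answers with its supported lists so the server picks its most-preferred mutually supported pair and refuses to continue when nothing overlaps. All option, cipher and digest names are constructed sample values.

```python
"""Toy model of backward-compatible cipher/auth negotiation (constructed example)."""
from typing import Dict, List, Optional, Sequence, Tuple

# Server preference order, strongest first (constructed sample values).
SERVER_CIPHERS = ["AES-256-GCM", "AES-256-CBC", "AES-128-CBC", "BF-CBC"]
SERVER_AUTHS = ["SHA256", "SHA1"]
# What a 2.3-or-older client is statically configured with (constructed).
LEGACY_DEFAULT = ("BF-CBC", "SHA1")

Reply = Optional[Dict[str, List[str]]]


def server_push_options() -> List[str]:
    """Pushed options; 'negotiate-request' is a hypothetical placeholder name."""
    return ["route 10.8.0.0 255.255.255.0", "dhcp-option DNS 10.8.0.1",
            "negotiate-request cipher,auth"]


def legacy_client(pushed: List[str]) -> Tuple[List[str], Reply]:
    """2.3-style behaviour: warn on unknown pushed options, do not abort,
    and never answer a negotiation request."""
    known = {"route", "dhcp-option"}
    warnings = [f"WARNING: Unrecognized option or missing parameter(s): {o}"
                for o in pushed if o.split()[0] not in known]
    return warnings, None


def negotiating_client(pushed: List[str], ciphers: Sequence[str],
                       auths: Sequence[str]) -> Tuple[List[str], Reply]:
    """Hypothetical newer client: answer the request with what it supports."""
    for o in pushed:
        if o.startswith("negotiate-request"):
            return [], {"cipher": list(ciphers), "auth": list(auths)}
    return [], None


def server_select(reply: Reply) -> Tuple[str, str]:
    """No answer: assume a 2.3-or-older client and keep the legacy default.
    An answer with no overlap is an error, not a silent downgrade."""
    if reply is None:
        return LEGACY_DEFAULT
    cipher = next((c for c in SERVER_CIPHERS if c in reply["cipher"]), None)
    auth = next((a for a in SERVER_AUTHS if a in reply["auth"]), None)
    if cipher is None or auth is None:
        raise ValueError("no mutually supported cipher/auth; refusing to negotiate")
    return cipher, auth


def handshake(client_fn) -> Tuple[List[str], Tuple[str, str]]:
    """Run one push/reply round and return (client warnings, selected pair)."""
    pushed = server_push_options()
    warnings, reply = client_fn(pushed)
    return warnings, server_select(reply)


if __name__ == "__main__":
    print(handshake(legacy_client))
    print(handshake(lambda p: negotiating_client(p, ["AES-256-GCM"], ["SHA256"])))
```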

Re: [Openvpn-devel] [Openvpn-users] why doesn't openvpn negotiate settings?

2013-08-01 Thread Jan Just Keijser

Hi Gert,

Gert Doering wrote:

Hi,

On Thu, Aug 01, 2013 at 12:02:55PM +0200, Jan Just Keijser wrote:
  
It should be possible to add negotiation without completely breaking
backwards compatibility; right now, when a server pushes an option to
the client that is unrecognized the client will print a warning but it
will not abort. This could be used to push a 'negotiation request' - if
the client responds then a negotiation phase can start, during which the
encryption key, hashing cipher, MTU settings etc can be negotiated. If
the client does not respond the server would need to assume that it's a
2.3 or older client.



Maybe I'm a bit naive, but since the data layer cipher is independent of
the TLS cipher anyway, can't we just "push cipher xxx"?

Or is push/pull crypted with the data layer cipher?

  
good question and one that I've asked myself as well - there seems to
be something funny going on with the data layer cipher (or auth parm).
I remember that I tried making the cipher and auth settings pushable and
failed miserably. The flow of when and how the data cipher (and digest)
are set up seems to be complicated and may happen (partially) *before*
the options are pushed.

Perhaps someone else (JamesY?) can comment on this.

cheers,

JJK



Re: [Openvpn-devel] [Openvpn-users] why doesn't openvpn negotiate settings?

2013-08-01 Thread Gert Doering
Hi,

On Thu, Aug 01, 2013 at 12:02:55PM +0200, Jan Just Keijser wrote:
> It should be possible to add negotiation without completely breaking
> backwards compatibility; right now, when a server pushes an option to
> the client that is unrecognized the client will print a warning but it
> will not abort. This could be used to push a 'negotiation request' - if
> the client responds then a negotiation phase can start, during which the
> encryption key, hashing cipher, MTU settings etc can be negotiated. If
> the client does not respond the server would need to assume that it's a
> 2.3 or older client.

Maybe I'm a bit naive, but since the data layer cipher is independent of
the TLS cipher anyway, can't we just "push cipher xxx"?

Or is push/pull crypted with the data layer cipher?

gert