官术网_书友最值得收藏!

  • OpenVPN 2 Cookbook
  • Jan Just Keijser
  • 377字
  • 2021-04-09 22:05:45

OpenVPN secret keys

This recipe uses OpenVPN secret keys to secure the VPN tunnel. It is very similar to the previous recipe but this time a shared secret key is used to encrypt the traffic between the client and the server.

Getting ready

Install OpenVPN 2.0 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1 and the client was running Windows XP SP3 and OpenVPN 2.1.1.

How to do it...

  1. First, we generate a secret key on the server (listener):
     [root@server]# openvpn --genkey --secret secret.key
    
  2. We transfer this key to the client side over a secure channel (for example, using scp).
  3. Next, we launch the server (listening)-side OpenVPN process:
     [root@server]# openvpn --ifconfig 10.200.0.1 10.200.0.2 \
     --dev tun --secret secret.key
    
  4. Then, we launch the client-side OpenVPN process:
     [WinClient] C:\>"\Program Files\OpenVPN\bin\openvpn.exe" \
     --ifconfig 10.200.0.2 10.200.0.1 \
     --dev tun --secret secret.key \
     --remote openvpnserver.example.com
    

    The connection is established:

How to do it...

How it works...

This example works exactly as the very first: the server listens to the incoming connections on UDP port 1194. The client connects to the server on this port. After the initial handshake, the server configures the first available TUN device with IP address 10.200.0.1 and it expects the remote end (Peer address) to be 10.200.0.2. The client does the opposite.

There's more...

By default, OpenVPN uses two symmetric keys when setting up a point-to-point connection:

  • A Cipher key to encrypt the contents of the packets being exchanged.
  • An HMAC key to sign packets. When packets arrive that are not signed using the appropriate HMAC key they are dropped immediately. This is the first line of defense against a "Denial of Service" attack.

The same set of keys are used on both ends and both keys are derived from the file specified using the --secret parameter.

An OpenVPN secret key file is formatted as follows:

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
<16 lines of random bytes>
-----END OpenVPN Static key V1-----

From the random bytes, the OpenVPN Cipher and HMAC keys are derived. Note that these keys are the same for each session!

See also

The next recipe, Multiple secret keys, will explain in detail about the secret keys.

主站蜘蛛池模板: 银川市| 格尔木市| 中方县| 门源| 沐川县| 修水县| 栾城县| 乌什县| 长岛县| 璧山县| 桦川县| 中宁县| 泗阳县| 绿春县| 景谷| 龙山县| 壶关县| 新乡市| 于田县| 抚顺市| 蓬溪县| 军事| 日照市| 宁都县| 英山县| 法库县| 泸溪县| 佛山市| 德庆县| 宣恩县| 安仁县| 定结县| 六枝特区| 伊金霍洛旗| 南漳县| 邵阳市| 平南县| 宁德市| 凤阳县| 客服| 大埔区|