ZNHOO Whatever you are, be a good one!

Virtual Private Network (VPN)

ABCs

  1. VPN is a tunneling protocol (TP) designed to facilitate travel employees' networking connection back to office (i.e. headquarter).

    However VPN can do more than that. For example, we use VPN to bypass firewall, ISP censorship etc. We call such VPN as Personal VPN.

  2. There are many VPNs implementations over the world to choose from, which includes but are not limited to:

    PPTP, L2TP/IPSec, SSTP, OpenVPN, etc. Among of them, OpenVPN is the most widely deployed but rather complicated.

    Wireguard emerges as a state-of-the-art VPN technology based on DH key exchange and Poly1305 encryption.

  3. Logically, most VPNs locate at link layer (layer 2) offering services to IP layer (layer 3). On the other hand VPN itself sits on top of TCP/UDP layer. Almost all VPNs create virtual interface at system level to which kernel transmits application IP packets.

    VPN service either resides in kernel (i.e. WireGuard kernel module or built-in tree) or run as a daemon at userspace space. Obviously, the former has greater performance.

    Upon receving IP payload, VPN encapsulates application's IP payload into VPN TCP or UDP packets which in turn are encapsulated into the Internet IP packets again.

  4. Generally, UDP VPN (i.e. WireGuard) is faster than TCP VPN (OpenVPN) but less reliable.

PPTP

Point-to-Point Tunneling Protocol (PPTP). A specification for PPTP was published in July 1999 as RFC 2637.

PPTP has many known security issues, and it's likely the NSA (and probably other intelligence agencies) are decrypting these supposedly "secure" connections. That means attackers and more repressive governments would have an easier way to compromise these connections.

PPTP is common and easy to set up. PPTP clients are built into many platforms, including Windows, Android etc. That's the only advantage, and it's not worth it. It's time to move on.

In Summary: PPTP is an obselete, old and vulnerable, although integrated into common operating systems and easy to set up. Stay away!

L2TP/IPsec

L2TPv3 was proposed as standard RFC 3931 in 2005.

Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself. Rather, it relies on an encryption protocol that it passes within the tunnel to provide privacy.

Since L2TP is a VPN protocol that doesn't offer any encryption, it's usually implemented along with IPsec encryption. This is a slower solution than OpenVPN. The traffic must be converted into L2TP form, and then encryption added on top with IPsec. It's a two-step process.

SSTP

Secure Socket Tunneling Protocol (SSTP) was introduced in Windows Vista Service Pack 1. It's a proprietary Microsoft protocol, and is best supported on Windows. It may be more stable on Windows because it's integrated into the operating system whereas OpenVPN isn't — that's the biggest potential advantage. Some support for it is available on other operating systems, but it's nowhere near as widespread.

OpenVPN

Unlike PPTP and L2TP (proposed to RFC as standards), OpenVPN is actively maintained by OpenVPN Technologies, Inc.. Apart from the free OpenVPN Community Edition (CE), OpenVPN Technologies, Inc. provides proprietary solution - OpenVPN Access Server (AS). The proprietary OpenVPN AS is almost the same to free OpenVPN CE, with advantage of easy configuration and deployment (web interface).

OpenVPN uses open-source technologies like the OpenSSL encryption library and SSL v3/TLS v1 protocols. It can be configured to run on any port, so you could configure a server to work over TCP port 443.

OpenVPN support isn't integrated into popular desktop or mobile operating systems. Connecting to an OpenVPN network requires extra installation - either a desktop application or a mobile app. Yes, you can even use mobile apps to connect to OpenVPN networks on Apple's iOS.

Client

  1. Android: OpenVPN for Android and OpenConnect (open source; no root requirement).
  2. iOS: OpenVPN Connect (closed source).
  3. GNU/Linux: net-vpn/openvpn.

Create PKI

Username/password authentication is discouraged for sake of anonymity and privacy.

To set up OpenVPN server/client, we need to create Public Key Infrastructure (PKI).

OpenVPN relies on a bidirectional authentication strategy, so the client must authenticate the server's certificate and in parallel, the server must authenticate the client's certificate. This is accomplished by the 3rd party's signature (the CA) on both the client and server certificates. Once this is established, further checks are performed before the authentication is complete.

  1. CA

    A public master Certificate Authority (CA) certificate and a private key thereof. CA is the root of trust web.

    (ca.key, ca.pub, ca.crt).

  2. Server/Client key

    A separate public certificate and private key pair (hereafter referred to as a certificate) for each server and each client.

    (server.key, server.pub. server.crt); (client.key, client.pub, client.crt).

  3. Other files

    tls-auth key file; crl-verify pem file; dh pem file etc.

  4. An .ovpn file (can be imported) simplifies configuration.