Jan Just Keijser. OpenVPN 2 Cookbook (2011).pdf

Point-to-Point Networks

There's more...

By default, OpenVPN uses two symmetric keys when setting up a point-to-point connection:

A Cipher key to encrypt the contents of the packets being exchanged.

An HMAC key to sign packets. Packets that arrive without a valid signature under the expected HMAC key are dropped immediately, before any decryption is attempted. This is the first line of defense against a "Denial of Service" attack.

The same set of keys is used on both ends, and both keys are derived from the file specified using the --secret parameter.

An OpenVPN secret key file is formatted as follows:

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
<16 lines of random bytes>
-----END OpenVPN Static key V1-----

From the random bytes, the OpenVPN Cipher and HMAC keys are derived. Note that these keys are the same for each session!

See also

The next recipe, Multiple secret keys, explains the secret keys in more detail.

Multiple secret keys

As stated in the previous recipe, OpenVPN uses two symmetric keys when setting up a point-to-point connection. However, it is also possible to derive a different set of keys for each direction from the same shared key file in point-to-point mode. OpenVPN will use four keys in this case:

A Cipher key on the client side

An HMAC key on the client side

A Cipher key on the server side

An HMAC key on the server side

The same keying material is shared by both sides of the point-to-point connection but those keys that are derived for encrypting and signing the data are different for each side. This recipe explains how to set up OpenVPN in this manner and how the keys can be made visible.

12

Chapter 1

Getting ready

For this recipe, we use the secret.key file from the previous recipe. Install OpenVPN 2.0 or higher on two computers. Make sure that the computers are connected over a network. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. The client was running Windows XP SP3 and OpenVPN 2.1.1.

How to do it...

1. We launch the server (listening) side OpenVPN process with an extra option to the --secret parameter and with more verbose logging:

[root@server]# openvpn \
    --ifconfig 10.200.0.1 10.200.0.2 \
    --dev tun --secret secret.key 0 \
    --verb 7

2. Then we launch the client-side OpenVPN process:

[WinClient] C:\>"\Program Files\OpenVPN\bin\openvpn.exe" \
    --ifconfig 10.200.0.2 10.200.0.1 \
    --dev tun --secret secret.key 1 \
    --remote openvpnserver \
    --verb 7

The connection will be established with a lot of debugging messages.

3. If we look through the server-side messages (searching for crypt), we can find the negotiated keys on the server side. Note that the output has been reformatted for clarity:

… Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
… Static Encrypt: CIPHER KEY: 80797ddc 547fbdef 79eb353f 2a1f3d1f
… Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
… Static Encrypt: HMAC KEY: c752f254 cc4ac230 83bd8daf 6141e73d 844764d8
… Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
… Static Decrypt: CIPHER KEY: 8cf9abdd 371392b1 14b51523 25302c99
… Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
… Static Decrypt: HMAC KEY: 39e06d8e 20c0d3c6 0f63b3e7 d94f35af bd744b27


On the client side, we will find the same keys but the 'Encrypt' and 'Decrypt' keys have been reversed:

… Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
… Static Encrypt: CIPHER KEY: 8cf9abdd 371392b1 14b51523 25302c99
… Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
… Static Encrypt: HMAC KEY: 39e06d8e 20c0d3c6 0f63b3e7 d94f35af bd744b27
… Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
… Static Decrypt: CIPHER KEY: 80797ddc 547fbdef 79eb353f 2a1f3d1f
… Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
… Static Decrypt: HMAC KEY: c752f254 cc4ac230 83bd8daf 6141e73d 844764d8

If you look at the keys carefully, you can see that each of them is mirrored between the client and the server: the server's Encrypt keys are the client's Decrypt keys, and vice versa.

How it works...

OpenVPN derives all keys from the static.key file, provided that there is enough entropy (randomness) in the file to reliably generate four keys. All keys generated using the following will have enough entropy:

$ openvpn --genkey --secret secret.key

An OpenVPN static key file is 2048 bits in size. The Cipher keys are each 128 bits, whereas the HMAC keys are 160 bits each, for a total of 776 bits. This allows OpenVPN to easily generate four random keys from the static key file, even if a cipher is chosen that requires a larger initialization key.
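The following added example (not code from the book or from the OpenVPN project) shows how the two-key and four-key derivations described above can be worked through on a key file: it parses the BEGIN/END-delimited hex block, splits the 256 bytes into two key slots, cuts each slot down to the 128-bit BF-CBC cipher key and 160-bit SHA1 HMAC key, and checks that direction 0 and direction 1 produce mirrored Encrypt/Decrypt keys. The slot layout (slot 0 = bytes 0 to 127, slot 1 = bytes 128 to 255, HMAC material starting 64 bytes into each slot) is an assumption about OpenVPN's static-key format, and the sample key is constructed, not random.

```python
"""Split an OpenVPN static key file into per-direction cipher and HMAC keys (added example)."""
import binascii
from typing import NamedTuple, Optional

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
SLOT_BYTES = 128   # assumption: 2048-bit file = two 128-byte key slots
HMAC_OFFSET = 64   # assumption: HMAC material starts 64 bytes into each slot


class DirectionKeys(NamedTuple):
    encrypt_cipher: bytes
    encrypt_hmac: bytes
    decrypt_cipher: bytes
    decrypt_hmac: bytes


def parse_static_key(text: str) -> bytes:
    """Return the raw key bytes between the markers; reject malformed or short files."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing OpenVPN static key markers")
    raw = binascii.unhexlify("".join(lines[1:-1]))
    if len(raw) != 2 * SLOT_BYTES:
        raise ValueError(f"expected 2048 bits of key material, got {len(raw) * 8}")
    return raw


def derive_keys(raw: bytes, direction: Optional[int], cipher_len=16, hmac_len=20) -> DirectionKeys:
    """direction 0 = server, 1 = client, None = no direction argument (both sides use slot 0).
    cipher_len/hmac_len default to BF-CBC (128 bit) and SHA1 (160 bit) as in the recipe."""
    def slot(i: int):
        s = raw[i * SLOT_BYTES:(i + 1) * SLOT_BYTES]
        return s[:cipher_len], s[HMAC_OFFSET:HMAC_OFFSET + hmac_len]
    out_slot, in_slot = {0: (0, 1), 1: (1, 0), None: (0, 0)}[direction]
    return DirectionKeys(*slot(out_slot), *slot(in_slot))


def keys_are_mirrored(server: DirectionKeys, client: DirectionKeys) -> bool:
    """True when every server Encrypt key equals the client Decrypt key and vice versa."""
    return (server.encrypt_cipher, server.encrypt_hmac, server.decrypt_cipher, server.decrypt_hmac) == \
           (client.decrypt_cipher, client.decrypt_hmac, client.encrypt_cipher, client.encrypt_hmac)


def fmt(key: bytes) -> str:
    """Format a key as 32-bit hex words, the way the verb 7 log prints CIPHER KEY / HMAC KEY."""
    return " ".join(key[i:i + 4].hex() for i in range(0, len(key), 4))


# Constructed sample key file (NOT random; illustration only): bytes 0x00..0xff in 16 hex lines.
SAMPLE_RAW = bytes(range(256))
SAMPLE_FILE = "#\n# 2048 bit OpenVPN static key\n#\n" + BEGIN + "\n" + \
    "\n".join(SAMPLE_RAW[i:i + 16].hex() for i in range(0, 256, 16)) + "\n" + END + "\n"
```

Running derive_keys on the same raw bytes with direction 0 and 1 and comparing the two DirectionKeys reproduces the mirroring seen in the server and client logs above.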

There's more...

The same kind of secret key file is also used in a client/server setup, with the parameter tls-auth ta.key.

See also

Chapter 2's recipe, Setting up the public and private keys, in which the tls-auth key is generated in a very similar manner.


Plaintext tunnel

In the very first recipe, we created a tunnel in which the data traffic was not encrypted.

To create a completely plain text tunnel, we also disable the HMAC authentication. This can be useful when debugging a bad connection, as all traffic over the tunnel can now easily be monitored. In this recipe, we will look at how to do this. This type of tunnel is also useful when doing performance measurements, as it is the least CPU-intensive tunnel that can be established.

Getting ready

Install OpenVPN 2.0 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1 and the client was running Fedora 13 Linux and OpenVPN 2.1.1.

As we are not using any encryption, no secret keys are needed.

How to do it...

1. Launch the server (listening)-side OpenVPN process:

[root@server]# openvpn \
    --ifconfig 10.200.0.1 10.200.0.2 \
    --dev tun --auth none

2. Then launch the client-side OpenVPN process:

[root@client]# openvpn \
    --ifconfig 10.200.0.2 10.200.0.1 \
    --dev tun --auth none \
    --remote openvpnserver.example.com

3. The connection is established with two warning messages in the output:

******* WARNING *******: null cipher specified, no encryption will be used

******* WARNING *******: null MAC specified, no authentication will be used

How it works...

With this setup, absolutely no encryption or authentication is performed. All the traffic that is sent over the tunnel is encapsulated in an OpenVPN packet and then sent "as-is", so anyone who can observe the network path can read and alter it.