Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
OpenVPN Cookbook

You're reading from   OpenVPN Cookbook Get the most out of OpenVPN by exploring it's advanced features.

Arrow left icon
Product type Paperback
Published in Feb 2017
Publisher
ISBN-13 9781786463128
Length 400 pages
Edition 2nd Edition
Languages
Tools
Concepts
Arrow right icon
Author (1):
Arrow left icon
Jan Just Keijser Jan Just Keijser
Author Profile Icon Jan Just Keijser
Jan Just Keijser
Arrow right icon
View More author details
Toc

Table of Contents (11) Chapters Close

Preface 1. Point-to-Point Networks FREE CHAPTER 2. Client-server IP-only Networks 3. Client-server Ethernet-style Networks 4. PKI, Certificates, and OpenSSL 5. Scripting and Plugins 6. Troubleshooting OpenVPN - Configurations 7. Troubleshooting OpenVPN - Routing 8. Performance Tuning 9. OS Integration 10. Advanced Configuration

Multiple secret keys

As stated in the previous recipe, OpenVPN uses two symmetric keys when setting up a point-to-point connection. However, it is also possible to use shared yet asymmetric keys in point-to-point mode. OpenVPN will use four keys in this case:

  • A cipher key on the client side
  • An HMAC key on the client side
  • A cipher key on the server side
  • An HMAC key on the server side

The same keying material is shared by both sides of the point-to-point connection, but the keys that are derived for encrypting and signing the data are different for each side. This recipe explains how to set up OpenVPN in this manner and how the keys can be made visible.

Getting ready

For this recipe, we use the secret.key file from the previous recipe. Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Windows 7 64 bit and OpenVPN 2.3.10. We'll use the secret.key file from the OpenVPN secret keys recipe here.

How to do it...

  1. Launch the server-side (listening) OpenVPN process with an extra option to the --secret parameter and with more verbose logging:
              [root@server]# openvpn \
                --ifconfig 10.200.0.1 10.200.0.2 \
                --dev tun --secret secret.key 0 \
                --verb 7
    
  2. Then launch the client-side OpenVPN process:
             [WinClient] C:\>"\Program Files\OpenVPN\bin\openvpn.exe" \
               --ifconfig 10.200.0.2 10.200.0.1 \
               --dev tun --secret secret.key 1\
               --remote openvpnserver \
               --verb 7
    

The connection will be established with a lot of debugging messages.

If we look through the server-side messages (searching for crypt), we can find the negotiated keys on the server side. Note that the output has been reformatted for clarity:

... Static Encrypt: 
Cipher 'BF-CBC' initialized with 128 bit key 
... Static Encrypt:  
CIPHER KEY: 80797ddc 547fbdef 79eb353f 2a1f3d1f 
... Static Encrypt: 
Using 160 bit message hash 'SHA1' for HMAC authentication 
... Static Encrypt:  
HMAC KEY: c752f254 cc4ac230 83bd8daf 6141e73d 844764d8 
... Static Decrypt:  
Cipher 'BF-CBC' initialized with 128 bit key 
... Static Decrypt:  
CIPHER KEY: 8cf9abdd 371392b1 14b51523 25302c99 
... Static Decrypt:  
Using 160 bit message hash 'SHA1' for HMAC authentication 
... Static Decrypt:  
HMAC KEY: 39e06d8e 20c0d3c6 0f63b3e7 d94f35af bd744b27 

On the client side, we will find the same keys but the "Encrypt" and "Decrypt" keys would have been reversed:

... Static Encrypt:  
Cipher 'BF-CBC' initialized with 128 bit key 
... Static Encrypt:  
CIPHER KEY: 8cf9abdd 371392b1 14b51523 25302c99 
... Static Encrypt:  
Using 160 bit message hash 'SHA1' for HMAC authentication 
... Static Encrypt:  
HMAC KEY: 39e06d8e 20c0d3c6 0f63b3e7 d94f35af bd744b27 
... Static Decrypt:  
Cipher 'BF-CBC' initialized with 128 bit key 
... Static Decrypt:  
CIPHER KEY: 80797ddc 547fbdef 79eb353f 2a1f3d1f 
... Static Decrypt:  
Using 160 bit message hash 'SHA1' for HMAC authentication 
... Static Decrypt:  
HMAC KEY: c752f254 cc4ac230 83bd8daf 6141e73d 844764d8 

If you look at the keys carefully, you will see that each one of them is mirrored on the client and the server side.

How it works...

OpenVPN derives all the keys from the static.key file, provided there is enough entropy (randomness) in the file to reliably generate four keys. All the keys generated using the following will have enough entropy:

$ openvpn --genkey --secret secret.key

An OpenVPN static key file is 2,048 bits in size. The cipher keys are each 128 bits, whereas the HMAC keys are 160 bits each, for a total of 776 bits. This allows OpenVPN to easily generate four random keys from the static key file, even if a cipher is chosen that requires a larger initialization key.

There's more...

The same secret key files are used in a client/server setup when the tls-auth ta.key parameter is used.

See also

  • The Setting up the public and private keys recipe from Chapter 2Client-server IP-only Networks, in which the tls-auth key is generated in a very similar manner
You have been reading a chapter from
OpenVPN Cookbook - Second Edition
Published in: Feb 2017
Publisher:
ISBN-13: 9781786463128
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image