Here is a new Technical Brief from our engineering team on different VPN technologies, with a focus on OpenVPN.
The Easiest Remote Access Solution for Roaming Users (OpenVPN)
The Internet has changed how businesses operate, with economic activity increasingly dependent on all kinds of network technology. The VPN (Virtual Private Network) is one such technology. For example, you might get an urgent call from your boss while you are out of the office asking for a file on the company's file server. A few clicks on a client device establish a VPN connection across the Internet: a rapid, simple and protected session back to the corporate network, in which encryption and authentication keep the data from being read or altered in transit.
Nowadays there are various VPN technologies to choose from, but the pitfall is that the technology is generally harder to understand than it looks, and most companies do not know how to pick the one that fits their requirements without sacrificing features or basic security.
VPNs require a detailed understanding of network security and careful configuration. This paper is a brief walk through the VPN landscape, showing how a VPN can supply secure network connectivity for your business needs.
Simply put, VPN technology uses an existing public network (such as the Internet) to build a private network, rather than relying on private leased lines. It allows the office to be wherever the employee is, and it has dramatically changed business operations that ran unchanged for decades.
VPNs are widely used in corporate environments because of their low deployment cost: any company can build its own VPN with a reasonable investment, without the leased-line installation and maintenance fees that can become a hidden burden.
VPNs are not a pain-free technology, since they rely on a variety of encryption and authentication mechanisms that are complicated in their details, but the VPN concept itself is quite straightforward.
Imagine two network devices, one acting as the VPN client and the other as the VPN server, with a secure virtual path between them. Each packet is encrypted (and, in any sound VPN protocol, integrity-protected) by the sender before it crosses the Internet, then decrypted and checked by the receiving device. Transmitting data traffic through this logical connection is called tunneling.
Via a VPN tunnel, employees or individuals can easily access remote corporate resources with a secure, temporary connection.
Types of VPN access
Client-to-Site VPN, also called remote-access VPN, is a secure connection made from an individual device, like a laptop or a handset, to a VPN gateway. This enables employees to connect to the private network from wherever they may be.
In a Site-to-Site VPN, data is encrypted from one site to the other over a public network such as the Internet, and each site is equipped with a VPN gateway. This can be used to connect a branch or remote office network to a company’s main office network.
Tunneling is the main concept of VPN technologies, using a public network to establish a logical private network instead of a private leased line. Via this logical connection, packets transmitted between the VPN client and server are encapsulated on the sending side, and then finally decapsulated on the receiving side.
VPNs have evolved along with several network protocols, all of which emphasize authentication and encryption. Authentication lets VPN clients and servers identify each other so that connections are only established with the right parties. Encryption keeps sensitive data from being read by anyone else on the public network.
The main VPN technologies in use today are listed below. They do not interoperate with one another: a client for one cannot connect to a server for another.
An SSL VPN uses the Transport Layer Security (TLS) protocol, the successor to Secure Sockets Layer (SSL), from which the name survives, to provide a protected connection between remote users and sensitive network resources. All traffic travels over an authenticated, encrypted path, so remote users can be treated much as if they were local hosts.
Practically speaking, SSL VPNs are easy to use: most security products put the complicated authentication and encryption into a black box, simplifying installation and configuration so that administrators do not need to understand the internals. The one part that cannot be left to the box is trust: the client must be given the right CA certificate and must verify the server's certificate against it, otherwise the encryption protects the session from everyone except an attacker in the middle.
Enterprises should use SSL VPNs primarily as the remote-access method for mobile devices spread across many locations.
IPsec is a suite of related protocols (AH and ESP for protecting packets, IKE for key exchange) that secures IP communication at the network layer, letting a system such as a VPN gateway or router select the required protocols and algorithms for each connection. IPsec provides a standard way to authenticate senders and encrypt IP traffic between network devices.
Multiple IPsec tunnels can exist between the same two devices to secure different data streams, each with its own security association and hence its own set of IPsec protections.
Whether the requirement is an always-on link or an on-demand one, IPsec can bridge two or more office networks together with secure and solid site-to-site connections, but it is a less convenient choice for ad hoc remote access from mobile devices.
Point-to-Point Tunneling Protocol (PPTP) is an extension of the Point-to-Point Protocol (PPP). It uses a control channel over a TCP connection and a Generic Routing Encapsulation (GRE) tunnel that encapsulates the PPP frames; together these make up the PPTP tunnel.
In a client/server design, a TCP control connection is first created between the client device and the server on TCP port 1723 and used to negotiate the tunnel parameters. The PPP frames themselves are then carried in a separate GRE tunnel (IP protocol 47) alongside the control connection, not inside it, which is why PPTP needs a firewall that passes GRE as well as TCP port 1723. The PPTP server decapsulates and verifies these frames before delivering the payload to the destination host on the LAN.
PPTP was widely used because clients were built into many platforms (Windows, Linux and, until 2016, Apple's macOS and iOS), making it straightforward to set up.
Although PPTP is integrated into common operating systems and is easy to use, it has been superseded by newer technologies and has known weaknesses: its MS-CHAPv2 authentication can be broken offline and its MPPE encryption relies on RC4, so it should be considered insecure.
The Layer 2 Tunneling Protocol (L2TP) combines the features of two earlier protocols, Microsoft's PPTP and Cisco's L2F. L2TP is built into most operating systems and mobile devices and is fairly easy to use and deploy.
Like other VPN technologies, an L2TP tunnel is established between two endpoints, the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). Think of them as client and server: the LAC (client) initiates an L2TP tunnel to the LNS (server), and the two can optionally authenticate each other with a shared tunnel secret before the tunnel is created. Either the LAC or the LNS may then initiate sessions, and each session is kept separate by L2TP, so multiple virtual connections can share a single L2TP tunnel.
L2TP itself offers no encryption, so it is normally combined with IPsec (L2TP/IPsec) to protect the L2TP traffic over the public network.
In practice, a laptop or mobile device runs the built-in L2TP/IPsec client to reach the central corporate resources from wherever the Internet is available.
L2TP/IPsec sometimes has trouble with firewalls: it needs UDP port 500 (IKE), UDP port 4500 (NAT traversal), ESP (IP protocol 50) and UDP port 1701 (L2TP) to pass, and some firewalls block these, so it may require port forwarding or NAT-T configuration when used behind one.
Compared to PPTP, L2TP provides secure and efficient connectivity. If deciding between L2TP and PPTP, use L2TP.
Generic Routing Encapsulation (GRE) is a method of tunneling IP packets between two endpoints. GRE wraps the original packet in a GRE header and a new IP header and routes it to the remote endpoint, which strips the outer headers and routes the original packet to its final destination. GRE tunneling is simple and can transport multicast, non-IP and IPv6 traffic between networks, which a plain IPsec tunnel cannot (which is why GRE is often run inside IPsec, so-called GRE over IPsec). GRE by itself provides neither encryption nor authentication.
A GRE tunnel creates a point-to-point link like a VPN, and the system routes traffic to the GRE endpoint according to its routing table. However, GRE carries no information about the state or availability of the remote endpoint, so unless a keepalive mechanism is added, the system cannot bring the tunnel down when the remote endpoint becomes unreachable, and traffic routed into it is silently lost.
If you need to log into the company network securely for file sharing or video conferencing, implement a VPN. If you need to carry traffic that the intermediate network will not route (multicast, or IPv6 across an IPv4 network), a GRE tunnel is the right tool, wrapped in IPsec where confidentiality matters.
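As an added example (not D-Link's or any vendor's code), here is the encapsulation and decapsulation just described, and the tunneling concept introduced earlier in this paper, in Python: a GRE (RFC 2784) tunnel endpoint that wraps an IPv4 packet in a GRE header plus a new outer IPv4 header and unwraps it on the far side. The inner UDP packet and all addresses are constructed for the example. The last function shows the security point: without IPsec around it, every address and byte of the inner packet is visible to anyone on the path, and the optional GRE checksum detects corruption, not tampering.

```python
import socket
import struct

IPPROTO_GRE = 47          # GRE is its own IP protocol, carried directly in IP (no TCP/UDP port)
ETHERTYPE_IPV4 = 0x0800   # the GRE "protocol type" field reuses Ethertype values
GRE_FLAG_C = 0x8000       # checksum present (RFC 2784)
GRE_FLAG_R = 0x4000       # reserved, must be zero (RFC 2784)
GRE_FLAG_K = 0x2000       # key present (RFC 2890)
GRE_FLAG_S = 0x1000       # sequence number present (RFC 2890)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by the IPv4 header and by GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options, DF set) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def build_udp_packet(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    """Constructed inner packet: IPv4/UDP with the optional UDP checksum left at zero."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return build_ipv4_header(src, dst, socket.IPPROTO_UDP, len(udp)) + udp


def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str, with_checksum: bool = False) -> bytes:
    """Tunnel ingress: prepend a GRE header and a new outer IPv4 header to an IPv4 packet."""
    if with_checksum:
        # With C set the header grows by 4 bytes (checksum + reserved1); the checksum
        # covers the GRE header and payload with the checksum field itself zeroed.
        gre = struct.pack("!HHHH", GRE_FLAG_C, ETHERTYPE_IPV4, 0, 0) + inner
        gre = gre[:4] + struct.pack("!H", internet_checksum(gre)) + gre[6:]
    else:
        gre = struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner
    return build_ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre)) + gre


def gre_decapsulate(packet: bytes) -> bytes:
    """Tunnel egress: validate the outer IPv4 and GRE headers and return the inner packet."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len > len(packet) or internet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE" % packet[9])
    gre = packet[ihl:total_len]
    flags, ptype = struct.unpack("!HH", gre[:4])
    if flags & 0x0007 or flags & GRE_FLAG_R:
        raise ValueError("unsupported GRE version or reserved bit set")
    hdr_len = 4
    if flags & GRE_FLAG_C:
        if internet_checksum(gre) != 0:   # verifying over the whole header+payload yields 0
            raise ValueError("bad GRE checksum")
        hdr_len += 4
    if flags & GRE_FLAG_K:
        hdr_len += 4
    if flags & GRE_FLAG_S:
        hdr_len += 4
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported payload protocol 0x%04x" % ptype)
    return gre[hdr_len:]


def is_intact(packet: bytes) -> bool:
    """Whether the packet passes the IPv4/GRE checks above."""
    try:
        gre_decapsulate(packet)
        return True
    except ValueError:
        return False


def peek_inner_addresses(packet: bytes) -> tuple:
    """What an on-path observer sees: GRE adds no encryption, so the inner source and
    destination addresses (and the payload) are readable by anyone between the two
    endpoints, and a checksum only catches accidental corruption, since an attacker who
    rewrites the packet simply recomputes it."""
    inner = gre_decapsulate(packet)
    return socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])


if __name__ == "__main__":
    inner = build_udp_packet("10.0.1.5", "10.0.2.7", 4000, 53, b"hello")
    outer = gre_encapsulate(inner, "203.0.113.1", "198.51.100.2", with_checksum=True)
    src, dst = peek_inner_addresses(outer)
    print("outer packet %d bytes; inner addresses visible on the path: %s -> %s" % (len(outer), src, dst))
```

Note that without the C bit a GRE packet has no integrity check at all, and even with it the check is not a security control; that is the work IPsec or a TLS-based VPN does on top.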
OpenVPN is an open source SSL/TLS-based VPN that establishes encrypted tunnels between two devices over the Internet. Because it runs over a single UDP or TCP port (1194 by default, but any port can be used) and supports HTTP proxies, it passes through NAT devices, proxies and restrictive firewalls easily.
It lets both ends of a connection authenticate each other through various mechanisms (X.509 certificates, username/password, or both) and encrypts and integrity-protects every packet, so an eavesdropper can neither read nor alter the data stream.
The OpenVPN client manages the connection setup: the client device first obtains Internet access over a wired or wireless network, and the OpenVPN client software then creates the tunnel on top of that live connection.
IPsec provides robust security and protects any application traffic across an IP network, but it is relatively difficult for new users and can be hard to set up and maintain in every situation. IPsec is the right choice for always-on site-to-site links. For remote access from mobile devices, where quick and secure access is what counts, enterprises can use OpenVPN instead.
OpenVPN avoids the complexity of IPsec by using the SSL/TLS protocol, the same protocol that secures transactions on the Internet (think of HTTPS and the lock icon in your web browser when banking or shopping online). The protocol is robust and well understood, and simpler for administrators to implement and manage.
OpenVPN is built for portability, though it requires a third-party application. An OpenVPN client app on an Android or iOS device provides secure anytime-anyplace access to corporate resources and applications, and introductory guides are easy to find with an Internet search.
OpenVPN Client Operation
OpenVPN requires you to install a free software client on your computer to be able to function. This client is available for all the major operating systems (Windows, Mac OS X and Linux). Today, there are also OpenVPN apps available for most smartphones.
Once installed, download the OpenVPN profile (the client configuration, a .ovpn file) and copy it into the client's configuration folder (C:\Program Files\OpenVPN\config on Windows), or import it via the OpenVPN app.
Enter your username and password when prompted for one and click “Login” or “Connect.”
Note: Username and password may be optional depending on the OpenVPN server’s setting.
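The security of the profile you import depends on a handful of directives that the steps above do not mention. Added example in Python (not code from D-Link or the OpenVPN project): a parser for the .ovpn format and an audit that flags a profile with no server-identity check or with a 64-bit block cipher, next to a profile with the hardened settings. Both sample profiles are constructed for this example; the hostname and the inline PEM blocks are placeholders, while the directive names are OpenVPN's own.

```python
import re

# Ciphers with a 64-bit block (the SWEET32 class) that OpenVPN still recognises.
LEGACY_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "DESX-CBC", "CAST5-CBC", "RC2-CBC", "IDEA-CBC"}

# Constructed sample profiles; hostname and PEM blocks are placeholders, not real data.
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.com 1194
cipher BF-CBC
auth SHA1
ca ca.crt
cert client.crt
key client.key
auth-user-pass
"""

HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.com 1194
remote-cert-tls server
verify-x509-name vpn.example.com name
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM
cipher AES-256-GCM
auth SHA256
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
PLACEHOLDER
</cert>
<key>
PLACEHOLDER
</key>
<tls-crypt>
PLACEHOLDER
</tls-crypt>
"""


def parse_ovpn(text):
    """Split a .ovpn file into directives (name -> list of argument lists) and the set of
    inline <tag>...</tag> block names. Comment lines start with '#' or ';'."""
    directives, blocks, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:            # inside an inline block: skip until it closes
            if line == "</%s>" % current:
                blocks.add(current)
                current = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([A-Za-z0-9-]+)>", line)
        if m:
            current = m.group(1)
            continue
        parts = [p.strip("\"'") for p in line.split()]
        directives.setdefault(parts[0], []).append(parts[1:])
    if current is not None:
        raise ValueError("unterminated <%s> block" % current)
    return directives, blocks


def audit(profile):
    """Return (severity, message) findings for settings that weaken server
    authentication or the data channel."""
    d, blocks = parse_ovpn(profile)
    present = lambda name: name in d or name in blocks
    out = []
    if not (present("ca") or "peer-fingerprint" in d):
        out.append(("HIGH", "no CA (ca directive or <ca> block): the server certificate cannot be validated"))
    if "remote-cert-tls" not in d and "ns-cert-type" not in d:
        out.append(("HIGH", "missing 'remote-cert-tls server': any certificate the CA issued, "
                            "including another client's, would be accepted as the server"))
    ciphers = set()
    for key in ("cipher", "data-ciphers", "ncp-ciphers"):
        for args in d.get(key, []):
            for a in args:
                ciphers.update(a.upper().split(":"))
    if "NONE" in ciphers:
        out.append(("HIGH", "'cipher none': the data channel is not encrypted"))
    if any(args and args[0].lower() == "none" for args in d.get("auth", [])):
        out.append(("HIGH", "'auth none': packets carry no HMAC and can be altered in transit"))
    legacy = sorted(ciphers & LEGACY_CIPHERS)
    if legacy:
        out.append(("MEDIUM", "64-bit block cipher(s) allowed: " + ", ".join(legacy)))
    for args in d.get("auth-user-pass", []):
        if args:
            out.append(("MEDIUM", "credentials stored in plaintext file %s" % args[0]))
    if not any(present(x) for x in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        out.append(("LOW", "no tls-auth/tls-crypt: anyone who can reach the port can start a TLS handshake"))
    if "verify-x509-name" not in d:
        out.append(("LOW", "no verify-x509-name: the expected server name is not pinned"))
    if "tls-version-min" not in d:
        out.append(("LOW", "no tls-version-min: older TLS versions may be negotiated on older builds"))
    return out


def is_acceptable(profile):
    """True when the profile has no HIGH or MEDIUM findings."""
    return not any(sev in ("HIGH", "MEDIUM") for sev, _ in audit(profile))


if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, "acceptable" if is_acceptable(prof) else "NOT acceptable")
        for sev, msg in audit(prof):
            print("  [%s] %s" % (sev, msg))
```

The single line a client profile should never lack is remote-cert-tls server: without it the client checks only that the server's certificate was issued by the CA, and any other holder of a client certificate from the same CA could impersonate the server. Run the audit over a downloaded profile before distributing it to users.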
D-Link OmniSSL Introduction
D-Link OmniSSL uses OpenVPN technology to create secure private connections for businesses of all sizes. The feature lets a user connect securely from a remote site to the VPN server. Remote users are authenticated with certificates, which OmniSSL creates automatically when the OpenVPN server is set up, replacing the complicated OpenVPN setup and certificate installation with a few easy steps, as shown below.
The built-in certificate makes the OpenVPN server side setup much easier.
Login and Download Files from OmniSSL Client Portal
Log into the OmniSSL portal via URL (https://DSR_WAN_IP address/OmniSSLPortal/), substituting the DSR's WAN IP address.
Download the OpenVPN client software and client configuration.
Note: For iOS and Android devices, download the OpenVPN client software via the App Store or Google Play.
Install OpenVPN Client Software
Open the client software and the pop-up wizard will walk you through the installation step by step. (The screenshots accompanying these steps show the OpenVPN GUI for Windows.)
Import Client Configuration
Double-click the downloaded client_script.bat, then copy the client configuration file (client_config.ovpn) into the OpenVPN configuration folder (C:\Program Files\OpenVPN\config). Because client_script.bat is an executable script, run it only when it was downloaded directly from the router's own OmniSSL portal.
Note: For Android clients, transfer the client configuration file (client_config.ovpn) to the mobile device (for example by email) and import it via the OpenVPN app. For iOS clients, use iTunes file sharing to copy the configuration into the OpenVPN app. If the profile carries the client certificate and private key inline, treat it as a secret and delete any copies left in a mailbox afterwards.
Connect and Success
Double-click the desktop shortcut, right-click the OpenVPN GUI icon in the system tray (bottom right), and then click "Connect".
The connection will be made in a few seconds.
To summarize: IPsec is secure and robust but not user-friendly for beginners. GRE is simple and convenient but offers no security of its own, so it is not enough for enterprise networks on its own. PPTP and L2TP are common but old and not the best choice; if only L2TP/IPsec or PPTP are available, take L2TP/IPsec, and stay away from PPTP unless you absolutely must connect to an outdated server that supports nothing newer.
OpenVPN is modern and secure, although you need to install third-party client software. OpenVPN is D-Link's choice for the D-Link OmniSSL feature, to give our enterprise clients the best secure remote-access option for their business needs.