[Openswan Users] Site-to-site + OpenVPN

Simon Deziel simon at xelerance.com
Fri May 10 16:02:57 UTC 2013 

On 13-05-10 11:47 AM, Nick Howitt wrote:
> Somewhere back in this thread I think a possibly incorrect statement was
> made about OpenVPN. AFAIK, OpenVPN normally binds to all the interfaces
> it can including the LAN interfaces and can be used for encrypting all
> LAN traffic. This can be especially useful if you want to secure WiFi.
> Anyway, following on from this thought, can you create an ipsec tunnel
> in tunnel mode with leftsubnet=LAN_IP/32 and
> rightsubnet=remote_LAN_IP/32? Also set left/rightsourceip. Then in
> OpenVPN, at the end initiating the connection you use "remote =
> far_end_LAN_IP port". You then use the OpenVPN configuration to do the
> subnet to subnet routing.

This would work indeed but has a slightly larger overhead when compared
to OpenVPN on top of IPsec in transport mode.

Since the OpenVPN communication is between the 2 hosts doing IPsec,
there is no point to use tunnel mode as transport was designed exactly
for that use case.

> I think this will allow all subnet-subnet traffic through the OpenVPN
> tunnel which is inside an IPsec tunnel.

Yes but whatever is the IPsec connection type (tunnel/transport) doesn't
matter as OpenVPN is just an UDP stream to protect.

IMO, using transport mode is a sensible choice especially when doing
OpenVPN on top of IPsec as the MTU keeps shrinking when you add layers.

Simon

> Nick
> 
> On 09/05/2013 19:46, Simon Deziel wrote:
>> Say the left side has 1.2.3.4 and the right has 5.6.7.8 and they are
>> connected by a transport mode IPsec connection.
>>
>> Once this IPsec connection is up, OpenVPN will connect from
>> 1.2.3.4:1399 -> 5.6.7.8:1399 and this will be covered by IPsec.
>>
>> The fact that OpenVPN will later assign a client IP (ex 10.1.2.3) to its
>> tun interface has really nothing to do with IPsec. As far as IPsec is
>> concerned it is only carrying UDP traffic between 1.2.3.4 and 5.6.7.8.
>>
>> So really close to GRE encapsulation except that with OpenVPN you get
>> another layer of encryption.
>>
>> On 13-05-09 02:29 PM, Leto wrote:
>>> if your openvpn client gets 10.1.2.3 and that source ip needs to make
>>> it to the 2nd ipsec server you cannot
>> use transport mode, as the ipsec as transport mode would only cover the
>> ipsec gw ips and not 10.1.2.3. hence needing NAT then
>>> sent from a tiny device
>>>
>>> On 2013-05-09, at 13:38, Simon Deziel <simon at xelerance.com> wrote:
>>>
>>>> On 13-05-09 12:57 PM, Leto wrote:
>>>>> openvpn gives an ip to the user.
>>>> OpenVPN creates a tun (or tap) device that gets an IP but that's not
>>>> the
>>>> point. The actual OpenVPN traffic is only between the 2 endpoints so it
>>>> is secure-able by IPsec in transport mode.
>>>>
>>>>> you cannot use transport mode to forward that using ipsec to
>>>>> another host, unless natted to the host ip. whether public or
>>>>> private ips are used for openvpn is irrelevant
>>>> No NAT'ing is needed. One other way to compare this OpenVPN over IPsec
>>>> is like GRE over IPsec.
>>>>
>>>>> sent from a tiny device
>>>>>
>>>>> On 2013-05-09, at 10:05, Simon Deziel <simon at xelerance.com> wrote:
>>>>>
>>>>>> Right, I wasn't clear in my reply. My recommendation to use IPsec in
>>>>>> transport mode isn't compatible with Neal's recommendation to use
>>>>>> private IPs for the OpenVPN connection.
>>>>>>
>>>>>> To use IPsec in transport mode and an OpenVPN tunnel on top, both
>>>>>> endpoint have to use their public IPs for the 2 VPNs.
>>>>>>
>>>>>> In that scenario, since OpenVPN will be bound to the public IP too
>>>>>> I'd
>>>>>> recommend to firewall it with something like this to require IPsec:
>>>>>>
>>>>>> iptables -A INPUT -p udp --dport 1399 -m policy --dir in \
>>>>>>           --proto esp -j ACCEPT
>>>>>> iptables -A INPUT -p udp --dport 1399 -j DROP
>>>>>>
>>>>>> Adapt for a TCP based OpenVPN configuration.
>>>>>>
>>>>>> Regards
>>>>>> Simon
>>>>>>AFAIK, OpenVPN normally binds to all the interfaces it can including the LAN in
>>>>>> On 13-05-08 07:13 PM, Leto wrote:
>>>>>>> you cannot use transport in this scenario unless you double NAT it
>>>>>>>
>>>>>>> sent from a tiny device
>>>>>>>
>>>>>>> On 2013-05-08, at 18:39, Simon Deziel <simon at xelerance.com> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> On 13-05-08 05:13 PM, Neal Murphy wrote:
>>>>>>>>> On Wednesday, May 08, 2013 04:02:34 PM Damir Reic wrote:
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> this is theoretical question:
>>>>>>>>>>
>>>>>>>>>> Let's say i have 2 servers, intermediary server and
>>>>>>>>>> destination openvpn
>>>>>>>>>> server. If i establish site-to-site VPN with openswan between
>>>>>>>>>> those 2
>>>>>>>>>> servers, can i let's say use this tunnel to tunnel openvpn
>>>>>>>>>> requests and
>>>>>>>>>> whole openvpn traffic to destination server (both server have
>>>>>>>>>> public IP).
>>>>>>>>> It's not so theoretical. It's basically what certain
>>>>>>>>> governments and
>>>>>>>>> militaries do (an encrypted tunnel in an encrypted tunnel using
>>>>>>>>> different
>>>>>>>>> technologies); the same fault is not likely to be found in both.
>>>>>>>>>
>>>>>>>>> I believe OpenVPN uses UDP packets (port 1194 by default); it's
>>>>>>>>> ordinary IP
>>>>>>>>> traffic. If you set up IPSEC with the proper LAN addresses at
>>>>>>>>> each end and use
>>>>>>>>> the private (or internal) server address, then it should work.
>>>>>>>>> Don't configure
>>>>>>>>> OpenVPN to use the servers' public addresses, and be sure to
>>>>>>>>> use different
>>>>>>>>> encryption algorithms.
>>>>>>>> I'd also recommend using transport mode instead of tunnel mode
>>>>>>>> because
>>>>>>>> of the lower overhead in terms of payload.
>>>>>>>>
>>>>>>>> Simon
>>>>>>>> _______________________________________________
>>>>>>>> Users at lists.openswan.org
>>>>>>>> https://lists.openswan.org/mailman/listinfo/users
>>>>>>>> Micropayments:
>>>>>>>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>>>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>>>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>>>>>>
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>

More information about the Users mailing list