Openswan: Building and Integrating Virtual Private Networks



  • Learn everything you need to know about Openswan from its core developers
  • Build VPNs that interoperate with Windows, MacOS, and other network vendors
  • Build your own secure hotspots

Book Details

Language : English
Paperback : 360 pages [ 235mm x 191mm ]
Release Date : February 2006
ISBN : 1904811256
ISBN 13 : 9781904811251
Author(s) : Ken Bantoft, Paul Wouters
Topics and Technologies : All Books, Networking and Servers, Networking & Telephony, Open Source, Virtualisation

Table of Contents

  • Chapter 1: VPN—Virtual Private Network
    • Branches Connected by Dedicated Lines
      • Broadband Internet Access and VPNs
    • How Does a VPN Work?
      • What are VPNs Used For?
      • Networking Concepts—Protocols and Layers
      • Tunneling and Overhead
    • VPN Concepts—Overview
      • A Proposed Standard for Tunneling
      • Protocols Implemented on OSI Layer 2
      • Protocols Implemented on OSI Layer 3
      • Protocols Implemented on OSI Layer 4
      • OpenVPN—An SSL/TLS-Based Solution
    • Summary
  • Chapter 2: VPN Security
    • VPN Security
    • Privacy—Encrypting the Traffic
      • Symmetric Encryption and Pre-Shared Keys
      • Reliability and Authentication
        • The Problem of Complexity in Classic VPNs
      • Asymmetric Encryption with SSL/TLS
    • SSL/TLS Security
      • Understanding SSL/TLS Certificates
      • Trusted Certificates
      • Self-Signed Certificates
      • SSL/TLS Certificates and VPNs
    • Summary
  • Chapter 3: OpenVPN
    • Advantages of OpenVPN
    • History of OpenVPN
      • OpenVPN Version 1
      • OpenVPN Version 2
    • Networking with OpenVPN
      • OpenVPN and Firewalls
      • Configuring OpenVPN
      • Problems with OpenVPN
    • OpenVPN Compared to IPsec VPN
    • Sources for Help and Documentation
    • The Project Community
      • Documentation in the Software Packages
    • Summary
  • Chapter 4: Installing OpenVPN
    • Prerequisites
    • Obtaining the Software
    • Installing OpenVPN on Windows
      • Downloading and Starting Installation
      • Selecting Components and Location
      • Finishing Installation
      • Testing the Installation—A First Look at the Panel Applet
    • Installing OpenVPN on Mac OS X (Tunnelblick)
      • Testing the Installation—The Tunnelblick Panel Applet
    • Installing OpenVPN on SuSE Linux
      • Using YaST to Install Software
    • Installing OpenVPN on Redhat Fedora Using yum
    • Installing OpenVPN on RPM-Based Systems
      • Using wget to Download OpenVPN RPMs
      • Testing Installation and Installing with rpm
      • Installing OpenVPN and the LZO Library with wget and RPM
      • Using rpm to Obtain Information on the Installed OpenVPN Version
    • Installing OpenVPN on Debian
      • Installing Debian Packages
      • Using Aptitude to Search and Install Packages
      • OpenVPN—The Files Installed on Debian
    • Installing OpenVPN on FreeBSD
      • Installing a Newer Version of OpenVPN on FreeBSD—The Port System
        • Installing the Port System with sysinstall
        • Downloading and Installing a BSD Port
    • Troubleshooting—Advanced Installation Methods
      • Installing OpenVPN from Source Code
      • Building Your Own RPM File from the OpenVPN Source Code
      • Building and Distributing Your Own DEB Packages
      • Enabling Linux Kernel Support for TUN/TAP Devices
        • Using Menuconfig to Enable TUN/TAP Support
    • Internet Links, Installation Guidelines, and Help
    • Summary
  • Chapter 5: Configuring an OpenVPN Server—The First Tunnel
    • OpenVPN on Microsoft Windows
      • Generating a Static OpenVPN Key
        • Creating a Sample Connection
        • Adapting the Sample Configuration File Provided by OpenVPN
        • Starting and Testing the Tunnel
      • A Brief Look at Windows OpenVPN Network Interfaces
    • Connecting Windows and Linux
      • File Exchange between Windows and Linux
        • Installing WinSCP
        • Transferring the Key File from Windows to Linux with WinSCP
        • The Second Pitfall—Carriage Return/End of Line
      • Configuring the Linux System
      • Testing the Tunnel
        • A Look at the Linux Network Interfaces
      • Running OpenVPN Automatically
        • OpenVPN as Server on Windows
        • OpenVPN as Server on Linux
        • Runlevels and init Scripts on Linux
        • Using runlevel and init to Change and Check Runlevels
        • The System Control for Runlevels
        • Managing init Scripts
      • Using Webmin to Manage init Scripts
      • Using SuSE's YaST Module System Services (Runlevel)
    • Troubleshooting Firewall Issues
      • Deactivating Windows XP Service Pack 2 Firewall
      • Stopping the SuSE Firewall
    • Summary
  • Chapter 6: Setting Up OpenVPN with X509 Certificates
    • Creating Certificates
    • Certificate Generation on Windows XP with easy-rsa
      • Setting Variables—Editing vars.bat
      • Creating the Diffie-Hellman Key
      • Building the Certificate Authority
      • Generating Server and Client Keys
    • Distributing the Files to the VPN Partners
    • Configuring OpenVPN to Use Certificates
    • Using easy-rsa on Linux
      • Preparing Variables in vars
      • Creating the Diffie-Hellman Key and the Certificate Authority
      • Creating the First Server Certificate/Key Pair
      • Creating Further Certificates and Keys
    • Troubleshooting
    • Summary
  • Chapter 7: The Command openvpn and its Configuration File
    • Syntax of openvpn
      • OpenVPN Command-Line Parameters
    • Using OpenVPN at the Command Line
      • Parameters Used in the Standard Configuration File for a Static Key Client
      • Compressing the Data
      • Controlling and Restarting the Tunnel
      • Debugging Output—Troubleshooting
    • Configuring OpenVPN with Certificates—Simple TLS Mode
    • Overview of OpenVPN Parameters
      • General Tunnel Options
      • Routing
      • Controlling the Tunnel
      • Scripting
      • Logging
      • Specifying a User and Group
      • The Management Interface
      • Proxies
      • Encryption Parameters
      • Testing the Crypto System with --test-crypto
      • SSL Information—Command Line
      • Server Mode
        • Server Mode Parameters
        • --client-config Options
      • Client Mode Parameters
        • Push Options
    • Important Windows-Specific Options
    • Summary
  • Chapter 8: Securing OpenVPN Tunnels and Servers
    • Securing and Stabilizing OpenVPN
    • Linux and Firewalls
      • Debian Linux and Webmin with Shorewall
        • Installing Webmin and Shorewall
        • Preparing Webmin and Shorewall for the First Start
        • Starting Webmin
        • Configuring the Shorewall with Webmin
        • Creating Zones
        • Editing Interfaces
        • Default Policies
        • Adding Firewall Rules
      • Troubleshooting Shorewall—Editing the Configuration Files
      • OpenVPN and SuSEfirewall
      • Troubleshooting OpenVPN Routing and Firewalls
        • Configuring a Router without a Firewall
        • iptables—The Standard Linux Firewall Tool
    • Configuring the Windows Firewall for OpenVPN
    • Summary
  • Chapter 9: Advanced Certificate Management
    • Certificate Management and Security
    • Installing xca
    • Using xca
      • Creating a Database
      • Importing a CA Certificate
      • Creating and Signing a New Server/Client Certificate
      • Revoking Certificates with xca
    • Using TinyCA2 to Manage Certificates
      • Importing Our CA
      • Using TinyCA2 for CA Administration
      • Creating New Certificates and Keys
      • Exporting Keys and Certificates with TinyCA2
      • Revoking Certificates with TinyCA2
    • Summary
  • Chapter 10: Advanced OpenVPN Configuration
    • Tunneling a Proxy Server and Protecting the Proxy
    • Scripting OpenVPN—An Overview
    • Using Authentication Methods
    • Using a Client Configuration Directory with Per-Client Configurations
    • Individual Firewall Rules for Connecting Clients
    • Distributed Compilation through VPN Tunnels with distcc
    • Ethernet Bridging with OpenVPN
    • Automatic Installation for Windows Clients
    • Summary
  • Chapter 11: Troubleshooting and Monitoring
    • Testing the Network Connectivity
    • Checking Interfaces, Routing, and Connectivity on the VPN Servers
    • Debugging with tcpdump and IPTraf
    • Using OpenVPN Protocol and Status Files for Debugging
    • Scanning Servers with Nmap
    • Monitoring Tools
      • ntop
      • Munin
    • Hints to Other Tools
    • Summary

Ken Bantoft

Ken Bantoft started programming in 1988, and successfully avoided doing it as a full-time job until 2002. He opted instead to focus on Unix, networking, and Linux integration.

Beginning at OLS2002, he started working alongside the FreeS/WAN project, integrating various patches into his own fork of their code, Super FreeS/WAN, which is now known as Openswan.

He currently lives in Oakville, ON, Canada, with his wife Van, two cats and too many computers.

Ken started working for Xelerance in 2003, where he works mostly on IPsec, BGP/OSPF, Asterisk, LDAP and RADIUS.

Paul Wouters

Paul Wouters has been involved with Linux networking and security since he co-founded the Dutch ISP 'Xtended Internet' back in 1996, where he started working with FreeS/WAN IPsec in 1999 and with DNSSEC for the .nl domain in 2001.

He has been writing since 1997, when his first article about network security was published in Linux Journal. Since then, he has written mostly for the Dutch spin-off of the German 'c't magazine', focusing on Linux, networking and the impact of the digital world on society.

He has presented papers at SANS, OSA, CCC, HAL, Blackhat and Defcon, and several other smaller conferences.

He started working for Xelerance in 2003, focusing on IPsec, DNSSEC, RADIUS and delivering training.


What you will learn from this book

Chapter 1 presents some historical context of IPsec and Openswan, discusses the legal aspects of using and selling cryptographic software such as Openswan, and looks at how encryption-based privacy is weighed against the demands of law enforcement.

Chapter 2 explains in non-mathematical terms how the IPsec protocols work. It is written especially with the system administrator in mind, and should appeal to both experts and beginners in the world of cryptography.

Chapter 3 contains all you need to know to install Openswan on your Linux distribution. It covers installing available binary packages, as well as how to build Openswan from source. It also guides you through the options your kernel needs to support, and helps you choose between the two IPsec stacks that are currently available: KLIPS and NETKEY.

Read chapter 3: "Building and Installing Openswan" (PDF - 348KB)

Chapter 4 is a step-by-step tutorial on how to configure the most common types of VPN connection using Openswan. These include net-to-net, host-to-net, roaming users, and head office to branch offices; in other words, all the possible Openswan-to-Openswan connections. It also discusses commonly deployed third-party scenarios, including Cisco implementations using Aggressive Mode and XAUTH with Openswan as the IPsec client.

Chapter 5 introduces X.509 certificate-based authentication for IPsec. It explains how X.509 certificates work, how to generate them for Linux, Windows and MacOSX clients, and how to run your own Certificate Authority.

Chapter 6 explains the Openswan feature called Opportunistic Encryption ("OE"). This method allows one to automate host-to-host encryption for machines without any specific configuration by the end user. Using OE, anyone can use IPsec-protected connections to your servers without even realizing they are using IPsec. The goal of OE is to make IPsec the de-facto standard for all communication on the Internet.

Chapter 7 goes right down to the packet level and discusses common problems that you might face on your IPsec gateway. These include special firewalling rules, handling broken IPsec implementations, and the various MTU-related issues that can come up.

Chapter 8 discusses IPsec from the perspective of the two most popular end-user operating systems: Microsoft Windows and Apple MacOSX. It helps you decide whether you would prefer X.509 certificate-based IPsec or the less complex L2TP/IPsec. It has a step-by-step guide on how to set up L2TP on your Openswan VPN server. It also explains how to configure X.509 or L2TP on your Microsoft Windows or Apple MacOSX clients, and includes all the screenshots to guide your way. It closes with a description of how to configure commonly used third-party software packages for Openswan.

Chapter 9 deals with getting Openswan to interoperate properly with third-party IPsec VPN servers such as Cisco, Checkpoint, Netscreen, Watchguard, and the various DSL-based modem/router appliances commonly used by end users.

Chapter 10 explores how to use IPsec to encrypt all traffic between local machines. It specifically focuses on 802.11-type wireless connections, but it applies in general to all LAN-based computers. It discusses the Xelerance-designed IPsec deployment scenario called WaveSEC: the implementation used at IETF, BlackHat and DefCon to encrypt their wireless networks.

Chapter 11 discusses the advanced use of Openswan. It explains how to set up a proper fail-over VPN server with Openswan, discusses the bottlenecks of large enterprise deployments, and covers how to deal with BGP and OSPF over IPsec with Openswan.

Chapter 12 is the culmination of two years of end-user support on the public mailing lists. It discusses the common mistakes and issues that people who do not work with IPsec on a daily basis tend to run into. Unless you are doing something extremely specific to your particular setup, your problem will be covered in this chapter, along with an explanation of what went wrong and how to remedy your situation.

Appendix A is our last-minute update on the current state of Openswan. It discusses bleeding-edge Linux kernel issues, the latest security vulnerabilities, and upcoming features for end users and developers that did not exist when the authors were writing the bulk of this book. It also discusses known but unsolved bugs existing at the time this book went to the printer.


In Detail

With the widespread use of wireless and the integration of VPN capabilities in most modern laptops, PDAs and mobile phones, there is a growing desire to encrypt more and more communications to prevent eavesdropping. Can you trust the coffee shop's wireless network? Is your neighbor watching your wireless? Or are your competitors perhaps engaged in industrial espionage? Do you need to send information back to your office while on the road or on board a ship? Or do you just want to securely access your MP3s at home? IPsec is the industry standard for encrypted communication, and Openswan is the de-facto implementation of IPsec for Linux.

Whether you are just connecting your laptop to your home DSL connection to access your files while on the road, or you are building an industry-size, military-strength VPN infrastructure for a medium to very large organization, this book will assist you in setting up Openswan to suit those needs.

The topics discussed range from designing, to building, to configuring Openswan as the VPN gateway for deploying IPsec. It covers not only Linux clients, but also the more commonly used operating systems such as Microsoft Windows and MacOSX. Furthermore, it discusses common interoperability examples for third-party vendors, such as Cisco, Checkpoint, Netscreen and other common IPsec vendors.

The authors bring you first-hand information, as they are the official developers of the Openswan code. They have included the latest developments and upcoming issues. With experience in answering questions on the mailing lists on a daily basis since the creation of Openswan, the authors are by far the most experienced in a wide range of successful and not-so-successful uses of Openswan by people worldwide.


Building and Integrating Virtual Private Networks with Openswan is written by the Openswan development team.


This book is a comprehensive guide to using Openswan to build both basic VPNs and industry-size, military-strength VPNs for medium to very large organizations. Written by the core developers, this practical book is all you need to use Openswan to build any VPN infrastructure you may require. The authors have covered the latest developments and upcoming issues. This book will not only help you build the VPN you need, but also save you a lot of time.


Who this book is for

Network administrators and anyone who is interested in building secure VPNs using Openswan. It presumes basic knowledge of Linux, but no knowledge of VPNs is required.
