1. Introduction

A VPN is a network made up of multiple private networks situated at different locations, linked together using secure tunnels over a public (insecure) network, typically the Internet. Traffic inside VPN tunnels is usually encrypted and authenticated to provide security equivalent to that provided by leased lines, but at a fraction of the cost. A tunnel is created by encapsulating a network protocol (e.g. IP) within another network protocol, operating at the same layer of the OSI model (e.g. IP, ICMP) or at a higher layer (e.g. ESP, TLS).

VPNs are becoming increasingly popular, as they allow companies to join the LANs of their branches or subsidiaries into a single private network (site-to-site VPNs) or to provide mobile employees, such as sales people, access to their corporate network from outside the premises (remote-access VPNs), thus making accessing and sharing internal information much easier.

Though most often associated with IPsec, VPNs are a rather broad concept and can be implemented using a number of different tunneling protocols (L2TP, MPLS, PPTP, TLS, among others). In particular, in this document, we will take a look at the three most popular VPN implementations supported by OpenBSD:

IPsec
a suite of standard protocols, defined in various RFCs (see Appendix), that operate at the network layer of the OSI model; OpenBSD natively supports IPsec protocols and provides specific tools and daemons to manage IPsec VPNs;
OpenVPN
an SSL-based VPN solution, operating at the application layer and probably the strongest competitor to IPsec, thanks to its robustness, ease of use and portability;
OpenSSH
since release 4.3, OpenSSH supports the tunneling of arbitrary network packets over a connection between an OpenSSH client and server, as a true VPN (see [OBSD39]).

Besides the inherent differences in cryptographic algorithms and authentication mechanisms, these three VPN implementations differ in several respects; each one has its own advantages and drawbacks, and the choice among them must consider not only the ease of installation and administration, but also factors like bandwidth, reliability and scalability. The following are the most relevant differences:

Despite the many differences, OpenVPN has some common ground with IPsec, since, as stated in [OVPN-SEC], OpenVPN's security model is heavily based on the IPSec ESP protocol for secure tunnel transport over UDP.

This document assumes that you are familiar with OpenBSD, since it won't cover topics like base system configuration, packages/ports installation or Packet Filter syntax.