Don's Pages and my Music

Saturday, October 30, 2010

OpenVPN Gateway Builder


A build system to create a minimalistic Linux system booting off a CD or USB stick for running OpenVPN VPN gateways or endpoints.

Introduction

OpenVPN is an open, operating-system-agnostic VPN solution that has become very popular in recent years, especially with the recently published 2.0 release.

With OpenVPN it is possible to create a secure VPN tunnel with as few as 5 lines in a configuration file, which makes it very easy and convenient to use VPN tunneling as a solution to various network and connectivity problems. One major drawback compared with hardware solutions like a Cisco PIX is, however, the need to run a full operating system beneath an OpenVPN gateway. Even with Linux as the OS, the administrative overhead of maintenance and patching remains high compared with a vendor hardware solution.

OpenVPN Gateway Builder (OGB) solves this problem by creating an embedded Linux system that does exactly one job: set up the network and run OpenVPN. There is no unnecessary software that needs to be maintained, there is no filesystem on disk that could be compromised by an intruder (OGB runs only in RAM), there are no unneeded services installed, etc. All binaries, the kernel and its modules for this Linux system are copied from the build machine, so the required software has to be installed on the build machine before it can be used in an OGB gateway.

Additionally, OGB is very useful for the centralized administration of many OpenVPN gateways, as all configuration files and cryptographic material are stored only on the build machine, which can easily be secured. The CDs used to boot the VPN gateways are needed only for booting; after that they can be safely stored in a secure location. That way the cryptographic material is safe from spying or tampering.

Maintenance of the VPN gateway machines is reduced to maintaining the build machine using normal Linux maintenance mechanisms, such as RPM or Debian updates. To distribute these updates to the VPN gateways one simply re-creates the boot media from the stored configuration, and the updated versions of the kernel, programs etc. will be used.
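The paragraphs above describe the mechanism but not what "copying the binaries from the build machine" involves in practice: a program like openvpn is useless on the boot medium without the shared libraries and dynamic loader it was linked against. The script below is an added example written for this page, not code from OGB itself. It parses ldd-style output, stages the binary and every library it needs under a target directory while preserving the absolute paths the gateway will see, and flags libraries ldd reports as missing. The ldd output and the build root are constructed samples (placeholder files instead of real ELF binaries) so the script runs without touching the host; on a real build machine you would feed it the output of `ldd /usr/sbin/openvpn` and an empty source root.

```shell
#!/bin/sh
# Added example (not OGB's own code): stage one binary plus its shared
# libraries from a build machine into a directory that becomes the
# RAM-only root filesystem of a single-purpose gateway.

# Constructed sample of what "ldd /usr/sbin/openvpn" prints on a build machine.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc1a3e9000)
    liblzo2.so.2 => /usr/lib/x86_64-linux-gnu/liblzo2.so.2 (0x00007f1b2c000000)
    libssl.so.3 => /usr/lib/x86_64-linux-gnu/libssl.so.3 (0x00007f1b2bf00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1b2bc00000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1b2c200000)'

# ldd_libs LDDOUTPUT: print the absolute path of every library named in
# ldd-style output, one per line. The vDSO has no file on disk and is skipped;
# the dynamic loader line ("/lib64/ld-... (addr)") has no "=>" but is required;
# a "=> not found" entry is reported on stderr so a broken build root is noticed.
ldd_libs() {
    printf '%s\n' "$1" | awk '
        /=> not found/     { print "missing library: " $1 > "/dev/stderr"; next }
        /=>/ && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//         { print $1 }
    '
}

# stage_file SRCROOT PATH STAGEDIR: copy SRCROOT/PATH to STAGEDIR/PATH,
# recreating the directory layout so the gateway finds the same absolute path.
# SRCROOT is "" when copying from the running build machine; the demo below
# points it at a throwaway directory.
stage_file() {
    srcroot=$1; path=$2; stage=$3
    mkdir -p "$stage$(dirname "$path")"
    cp -p "$srcroot$path" "$stage$path"
}

# stage_binary SRCROOT BIN STAGEDIR LDDOUTPUT: stage BIN and every library
# listed in LDDOUTPUT; prints the number of files copied.
stage_binary() {
    srcroot=$1; bin=$2; stage=$3; lddout=$4
    n=0
    for f in "$bin" $(ldd_libs "$lddout"); do
        stage_file "$srcroot" "$f" "$stage"
        n=$((n + 1))
    done
    echo "$n"
}

# make_fake_buildroot ROOT BIN LDDOUTPUT: create empty placeholder files for
# BIN and its libraries under ROOT (constructed stand-in for a build machine).
make_fake_buildroot() {
    root=$1; bin=$2; lddout=$3
    for f in "$bin" $(ldd_libs "$lddout"); do
        mkdir -p "$root$(dirname "$f")"
        : > "$root$f"
    done
}

# demo: run the whole staging step against the constructed build root and
# print how many files ended up on the (would-be) boot medium.
demo() {
    work=$(mktemp -d)
    make_fake_buildroot "$work/build" /usr/sbin/openvpn "$SAMPLE_LDD"
    stage_binary "$work/build" /usr/sbin/openvpn "$work/stage" "$SAMPLE_LDD"
    rm -rf "$work"
}

echo "files staged: $(demo)"
```

The binary itself plus four libraries gives five files for the sample above. The point for a defender is that the staged tree contains nothing but what the one program needs, which is exactly the "no unneeded software" property the text claims; a real build would additionally copy the kernel, its modules and the OpenVPN configuration and key material, and rebuilding the medium after a package update on the build machine picks up the patched libraries automatically.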

What is new?

2007-10-30
debug package logs to /var/log/messages.DayOfWeek and rotates these logs
2007-10-22
OGB 1.7 released with new template support; see the sample template included in the archive. The customer packages are not recommended any more, better switch to the much cleaner template mechanism (I wrote it because I didn't like the kludge of customer packages).
2007-10-12
OGB 1.6 released with some more fixes. New features include:
  • Support the creation of customer packages (custom-*) that are not part of the OGB distribution
  • Added serial-console package to monitor boot progress and syslog on a serial console
2007-08-17
OGB 1.4 released with minor fixes and improvements. I am still working on the new documentation, though.
2007-08-08
OGB 1.3 released with lots of serious improvements and bug fixes and new packages. Expect an update to the documentation here real soon.
2006-04-07
OGB wins an award of the "Innovationspreis 2006 der Initiative Mittelstand" in the category of IT security. The award comes with a marketing bonus that goes to probusiness Berlin AG, the company I work for.
2005-11-04
OGB 1.1 release with various smaller bugfixes and a new package for VMware.

License

OGB is licensed under the GNU General Public License

Copyright (C) 2005-2007 Schlomo Schapiro, probusiness Berlin AG

Go there...
http://www.schapiro.org/schlomo/projects/ogb/

Don
