OpenVPN / openvpn3-linux

OpenVPN 3 Linux client
GNU Affero General Public License v3.0
573 stars 152 forks source link
dbus linux openvpn security vpn vpn-client vpn-tunnel

OpenVPN 3 Linux

OpenVPN 3 Linux is an OpenVPN platform which builds on capabilities available on newer Linux distributions. Compared to the more classic OpenVPN 2.x generation, OpenVPN 3 Linux covers many more aspects of the VPN configuration and session life-cycle than prior OpenVPN generations did.

To quickly compare them, OpenVPN 2.x provides a single executable which is responsible for a single VPN session. There are no configuration or session management in OpenVPN 2.x itself, it depends on the systemd openvpn-client@.service and openvpn-server@.service unit files, the Network Manager OpenVPN plug-in or other third-party management tools.

OpenVPN 3 Linux provides full configuration and session management in addition to providing the VPN tunnel itself. For example, it has built in privilege separation and execution models, for improved process security. This allows unprivileged users to start their own VPN sessions and manage them themselves. VPN configuration profiles can be shared with other users on the system or kept private. All without installing anything additionally.

Through this privilege separation model, the network configuration aspect of the VPN tunnel is split out into its own process which runs with as few privileges as possible. In practice that means it can only do network configuration changes. This process knows nothing about the connection to the VPN server, it just facilitates creating the virtual network adapter and configuring it with network routes. This network configuration service is also capable of setting up the DNS resolver out-of-the-box. For OpenVPN 2.x to do that, it would need to run additional scripts or use specific plug-ins to trigger such updates on the system.

The same OpenVPN 3 Core library which is used in the OpenVPN Connect clients is also used in this project. This implementation does not support all options OpenVPN 2.x does, but if you have a functional configuration with OpenVPN Connect (typically on Android or iOS devices) it should work with this client. In general OpenVPN 3 supports routed TUN configurations; TAP and bridged setups are not supported and will not work.

The OpenVPN 3 Linux architecture is based on splitting up the functionality into several independently running services. They are referred to as backend services. The interaction with these services happens through what is referred to as a user front-end. This project also ships with a Python 3 module which can be used to implement your own OpenVPN front-ends.

On a more technical level, the integration between the user front-end and the backend services is built on top of D-Bus. Any programming language supporting D-Bus can also be used to extend and implement a richer functionality.

Pre-built binaries

See the instructions on https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux how to install pre-built OpenVPN 3 Linux packages on Debian, Ubuntu, Fedora and Red Hat Enterprise Linux.

Getting started using OpenVPN 3 Linux

See the QUICK-START document to get started using OpenVPN 3 Linux.

Introduction to the OpenVPN 3 Linux architecture

To interact with the various OpenVPN 3 services running in the background, three different utilities are provided.

As mentioned earlier, the OpenVPN 3 Linux project is built on top of D-Bus. This provides an API which can be used to further interact with the OpenVPN 3 Linux stack. It can be used to create a new user front-end or it can be used to trigger other operations on the host when certain events happens.

The OpenVPN 3 Linux stack consists of several D-Bus services running in the background. There are six services which is good to beware of. All of these services will normally start automatically. And when they are idle for a while with no data to maintain, they will shut-down automatically.

More information can be found in the openvpn3-linux(7) man page and OpenVPN 3 D-Bus overview.

Kernel based Data Channel Offload (DCO) support

The Data Channel Offload support moves the processing of the OpenVPN data channel operations from the client process to the kernel, via the ovpn-dco-v2 kernel module. This means the encryption and decryption of the tunnelled network traffic is kept entirely in kernel space instead of being send back and forth between the kernel and the OpenVPN client process. This has the potential to improve the overall VPN throughput. This module must be installed before OpenVPN 3 Linux can make use of this feature. This is shipped in the OpenVPN 3 Linux package repositories or can be built from the source code.

The ovpn-dco kernel module currently only support Linux kernel 5.4 and newer. Currently supported distributions with DCO support:

SELinux support

The openvpn3-service-netcfg service depends on being able to pass a file descriptor to the tun device it has created on behalf of the openvpn3-service-client service (where each of these processes represents a single VPN session). This is done via D-Bus. But on systems with SELinux, the D-Bus daemon is not allowed to pass file descriptors related to /dev/net/tun.

The OpenVPN 3 Linux project ships two SELinux policy modules, which will be installed in /usr/share/selinux/packages.

The openvpn3.pp policy package adds a SELinux boolean, dbus_access_tuntap_device, which grants processes, such as dbus-daemon or dbus-broker daemon (running under the system_dbusd_t process context) access to files labelled as tun_tap_device_t; which matches the label of /dev/net/tun. Without this policy enabled, the openvpn3-service-netcfg service will not be able to create or manage TUN devices.

To install and activate this SELinux security module, as root run:

     # semodule -i /etc/openvpn3/selinux/openvpn3.pp
     # semanage boolean --m --on dbus_access_tuntap_device

For users installing the pre-built RPM binaries, this is handled by the RPM scriptlet during package install.

The second policy module, openvpn3_service.pp, will confine both the openvpn3-service-netcfg and openvpn3-service-client processes into their own SELinux process contexts (openvpn3_netcfg_t and openvpn3_client_t). See the src/selinux/openvpn3_service.te source for more details.

For the RPM builds, both SELinux policies are provided in the openvpn3-selinux package.

Logging

Logging happens via openvpn3-service-logger. If not started manually, it will automatically be started by the backend processes needing it. The default configuration sends log data to syslog or systemd-journald, depending on the Linux distribution. Unless --syslog, --journald or --log-file is provided, it will log to the console (stdout).

Real-time log events can be received on a per-session level, by using the openvpn3 log command.

This log service is managed via openvpn3-admin log-service. For systems using systemd-journald, the openvpn3-admin journal command provides a convenient approach to retrive only OpenVPN 3 Linux related log entries from the systemd journal.

For more information about logging, see the openvpn3-service-logger(8), man page, D-Bus Logging and net.openvpn.v3.log D-Bus service documentation.

Debugging

For information about debugging, please see docs/debugging.md

Building from source

For information about building OpenVPN 3 Linux from source, please see BUILD.md.

Contribution