OpenVPN counters censorship
Journalists at the 2008 Olympic Games in Beijing will not have unfettered access to the Internet. However, GPL software OpenVPN can be used to easily circumvent such censorship.
IOC President, Jacques Rogge, was recently forced to back-pedal under a barrage of criticism when it became clear that assurances that the press corps would have "unrestricted" Internet access were no more than piecrust promises. Nevertheless, the technology behind the "Golden Shield Project", which is apparently a means of protecting the Chinese from criminal content and has earned the nickname "Great Firewall of China", is relatively simple. Journalists in the Olympic village, as well as western corporations and even private individuals have a range of tools at their disposal to ensure their Internet access is both full and unmonitored. However, most of these are based on anonymizing services, such as gateways, proxies or web services, that massage the content and smuggle it in under the censor's nose. In the past, the Chinese authorities have regularly blocked web sites that offer such services. Furthermore, mass anonymizer services such as gateways have a bad reputation, since they also provide a safe haven for users wishing to conduct other, potentially illegal or criminal dealings. Courts in Europe have already revealed the darker side of these services.
There is, though, a solution that is available for those running Windows, Linux and Mac systems, which can be implemented in many different ways and which Chinese authorities have a real problem in counteracting - OpenVPN. Since this free (as in beer and as in speech) GPL software uses technologies that are vitally important for many Chinese companies, simply closing down this solution is not really an option to the Chinese government. Users can work on their own servers, without needing to tell any other users about them, in complete security.
At the same time, OpenVPN helps users to surf the web, send and receive e-mail, and use all the usual web services at all times, quickly and with full access to the Internet, away from the eyes of the snoops. Since this is all done under the protection of secure, military-grade encryption, unwanted eavesdroppers such as the Chinese state apparatus, security services, hackers or restrictive local network administrators must stand aside, relatively powerless. Most of the time, they won't even know there is an OpenVPN tunnel on their network.
According to the opinions of many experts, encrypted HTTPS connections are not affected by the censors. Research into the "Golden Shield" (see box) advises, therefore, that HTTPS can provide free, unrestricted access to the Internet.
OpenVPN - a solution
Normally, Virtual Private Networks (VPNs) provide field workers and telecommuters with secure access to corporate networks, or use the Internet to connect several branches of the same company. Computers that connect to the VPN then form part of a single, virtual network, on which staff can work as though they were sitting in an office at the company's headquarters. The classic examples of VPN are the many variants of IPSEC, or the PPTP protocol which is often used by Microsoft. However, since these solutions are either unsecure (PPTP) or complex (IPSEC) they do not always live up to expectations. James Yonan, the man behind OpenVPN, experienced this at first hand as he traveled around the countries of the former Soviet Union at the time of the millennium, trying to keep in touch with his employers as he went.
Out of necessity, he initiated Openvp, a software solution that had to be both flexible and simple, yet meet the ultimate demands in terms of security. The project gained momentum rapidly, and now Openvp is the coolest VPN solution there is - and represents the third generation of VPN system. Thanks to the numerous encryption methods that it supports, and the comprehensive program options, users can enjoy fast, secure connections with military-grade encryption almost anywhere.
Since the tool uses the same common mechanisms as are used by HTTPS connections, access to private networks is available from any location at which clients have unrestricted access to URLs that start with the https:// prefix. The broad use of the SSL/TLS libraries in many different fields ensures that programming errors, exploits and bugs are found and fixed immediately by those operating the numerous electronic banking and e-commerce portals that also use the technology.
OpenVPN - as easy as 1-2-3
The way OpenVPN works is extremely simple: The software creates its own virtual network interface on the client system, and establishes an encrypted connection to the server. Any network packets that are sent through the virtual interface (which uses standardized TUN/TAP devices) are sent by the software in encrypted form to the OpenVPN server. If the "redirect-gateway" option is set, then the client routes all traffic via this tunnel, rather than just the packets that are intended for the local network.
A local firewall on the client device (such as a notebook) and a central, corporate firewall on the server provide almost perfect protection for remote employees. Full Internet access can be granted and encrypted through the VPN tunnel. Malicious eavesdroppers in the local network and at all points in between will merely see encrypted packets, while the firewalls prevent undesired connections. In ideal situations, the central firewall will also allow the remote notebook to access the Internet through the tunnel, at best using the technique of IP masquerading.
OpenVPN has also proven itself to be very flexible, especially in comparison with other VPN solutions. It requires just one port and one protocol (either UDP or TCP) to establish a connection - both are freely definable. Users that find themselves on networks on which connections are severely restricted should use port 21 (FTP) or 443 (HTTPS), for example. Whether administrators want to use UDP or TCP is of lesser importance. UDP provides significantly greater performance, but also supports fewer options than TCP.
When it comes to the most demanding requirements, OpenVPN can even offer a simple cluster solution. The client configuration then contains several servers that the software addresses in turn. Any IP address blacklists imposed by suspicious network operators can then be circumvented easily, but if even that is not enough, how about port sharing? Since version 2.1, OpenVPN has supported the option of sharing a port with other software, for example an Apache web server. Users or attackers that access the port with non-OpenVPN packets simply see the web server, while authenticated users end up in the VPN. Anyone snooping on this traffic could only begin to guess what web sites are being visited on the basis of the quantity of data being sent and the traffic profile.
In order for this solution to work, the client software requires direct access to the port of a specific server (for example, port 443). In China's case, this is obviously permitted, so that any sports journalist who can access his newspaper's content management system (CMS) via HTTPS from Beijing can also obtain full and uncensored Internet access through an OpenVPN tunnel.
Since OpenVPN uses the standardized TUN/TAP devices, both the VPN server and clients work on Linux, Windows and also Mac systems. Connections are stable, very tolerant of errors and thanks to adaptive compression and freely definable encryption key lengths, both fast and secure. The author has used the software on his laptop for almost five years to surf secretly, without problems and independent of the bandwidth available, using connections as diverse as GPRS, UMTS, Wireless LAN, dial-up or Ethernet.
Occasionally it is necessary to provide OpenVPN with the IP address of a proxy server, for example using the "http-proxy" option in the configuration file. The software is then able to disguise itself, and appear to the proxy as a Mozilla or Internet Explorer web browser of whatever generation you choose. Authenticating proxies that use NTLM, for example, are also supported. As long as the proxy permits direct connection to HTTPS pages, as is required by the operators of secure banking portals, online shops or intranets, then the OpenVPN connection can be established and uncensored surfing is possible.
An impressive number of GUI tools is available for OpenVPN. The software comes in Windows, Mac and Linux versions, and it has been a standard part of the major Linux distributions for years. Users of Debian, Ubuntu, Red Hat and openSUSE can install the software comfortably using their distribution's package management systems, while more and more appliances are also integrating OpenVPN. Over the course of its development, the VPN software has won over many fans, thanks to its comprehensive functionality and high degree of flexibility. Ease of configuration and great performance and security mean it is a practical tool that can solve a wide range of networking problems with ease. With OpenVPN even able to speed up typical setups considerably, the software is also very popular among those who like to play games online. Perhaps they will soon be joined by the journalists in their fervor for the solution.
See article on configuring openVPN here.