Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dutch Government Officially Trusts OpenVPN-NL

Posted by timothy on from the goot-to-goeh dept.

First time accepted submitter joost.bijl writes "Yesterday the Dutch government took a step to further improve the adoption of Open Source in its ranks. It has officialy approved a modified version of the open source VPN software OpenVPN for use on the governmental level 'Departementaal Vertrouwelijk' (Restricted). The release is called OpenVPN-NL and is fully open-source and available for use. The software has undergone a security evaluation by the Dutch government's national communications security agency (NLNCSA). The major change is the removal of OpenSSL as the cryptographic core of OpenVPN-NL. Instead, the Dutch government opted to include the smaller, better readable and documented open source library PolarSSL to provide the cryptographic and SSL/TLS functionality. The Dutch IT Security company Fox-IT worked together with both OpenVPN and PolarSSL communities and modified the stock software to support the government evaluation process. In total 8000 lines of code and 4000 lines of documentation were checked in to the OpenVPN trunk."

53 comments

  1. Awesome by MightyMartian · · Score: 5, Interesting

    This is very good news. OpenVPN is probably the easiest secure VPN software I've ever worked with. I've been running it as the link for our multi-site network for over two years now, and it's also the VPN software our road warriors are using. Simple to configure, and damnit but it just works. After years of trying to get all these weird implementations of IPSec to co-operate with each other, OpenVPN is just a marvel, fast and lightweight.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
    1. Re:Awesome by Capt.DrumkenBum · · Score: 5, Interesting

      OpenVPN rocks!
      I have a client site that needs to access some data in my local office. This client site network is locked down so tight that almost nothing goes through. Somehow OpenVPN manages to maintain several connections between here and there. Add to that the fact that they are fully cross platform and you just can't beat them.

      --
      If I were God, wouldn't I protect my churches from acts of me?
    2. Re:Awesome by impaledsunset · · Score: 3, Informative

      OpenVPN is amazing, the only downside is that it doesn't support IPv6 expect in tap mode. But you can always configure tap mode yourself, right?

    3. Re:Awesome by habalux · · Score: 5, Informative

      OpenVPN 2.3 does support IPv6 in tun mode, even point-to-multipoint. It still needs an IPv4 pool though but you can just ignore it and go IPv6 only.

      http://www.greenie.net/ipv6/openvpn.html

    4. Re:Awesome by heypete · · Score: 3, Insightful

      Hear, hear.

      Speaking of lightweight, I have it running on my WRT54GL wireless router (TomatoVPN firmware) and it works without a hitch. Even with the dinky 200MHz CPU in the router, the limiting factor is the upstream bandwidth of the network connection.

      I particularly like the fact that it uses widely-tested methods for the secure connection (TLS, certificate-based authentication, etc.), rather than depending on some proprietary system.

      Now, if only the Windows GUI client didn't need admin rights to open...

    5. Re:Awesome by MightyMartian · · Score: 4, Informative

      Yes, that is a pain. I thought they were supposed to be setting up the Windows service so that a non-admin client could control the VPN via the service to write the routing table, which seems to be the big stumbling block for OpenVPN under the UAC.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    6. Re:Awesome by mcvos · · Score: 4, Insightful

      It's great to see my government do something sensible related to IT. Most of the time they really truly suck at it (like almost every other government, I suspect). Surely you remember the Diginotar debacle? We've got tons more like that.

    7. Re:Awesome by plj · · Score: 2, Funny

      I was just thinking that, from Dutch govenment's point of view, OpenVPN must be extraordinary awesome while used in combination with Diginotar-signed certs!

      (Sorry, I just couldn't resist.)

      --
      “Wait for Hurd if you want something real” –Linus
    8. Re:Awesome by Anonymous Coward · · Score: 4, Interesting

      This is mainly going to be used to allow remote access to restricted infrastructure.
      The comments in Holland are that this is allowing unsecured & unchecked workstations (home pc's & laptops) that might be infected with general or specifically designed malways; & then via the vpn gaining access to restricted documents & information.

      The last word is not yet spoken about this.

      Dutch megan00b

    9. Re:Awesome by Fez · · Score: 3, Informative

      pfSense 2.1 has been including an IPv6 capable OpenVPN setup with tun for a few months now, though it's still in early development. The client on the firewall is capable, as is the windows client that the export package can generate with an included config.

      openvpn[32839]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011

    10. Re:Awesome by Anonymous Coward · · Score: 0

      I just looked at the configuration options for OpenVPN and no way is that simpler than IPSec. If you want simple VPN set-up use ssh based VPNs.

    11. Re:Awesome by Anonymous Coward · · Score: 2, Informative

      There's a newer version of the Windows client which uses the management interface to control the OpenVPN service.
      Can't check at the moment, but i think it's this one: http://sourceforge.net/projects/openvpn-gui/

    12. Re:Awesome by Anonymous Coward · · Score: 0

      It's been possible to do this literally for years -- it was two jobs ago when I wrote a .NET-based client for the OpenVPN management console... in Boo!

      Not linking to it here because I haven't been maintaining it in years and don't have the time to start now, but I'd be astonished if nobody else has done the same. The downside is that better authentication and access control for management clients would be a Good Thing... but again, years ago; such a thing might exist today, for all I know.

  2. Why should we trust openssl? by rkwasny · · Score: 2, Insightful

    Dutch government does not trust openssl?!
    Why should we trust it?

    1. Re:Why should we trust openssl? by MightyMartian · · Score: 2

      I think the issue is readability and documentation (and why, that's just what it says!) If there's a slight against openssl, it's probably that the source is a bit more complicated.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:Why should we trust openssl? by El_Muerte_TDS · · Score: 4, Informative

      OpenSSL only goes up to TLS1.0, which contains some vulnerabilities. (Note sure if these issue affect OpenVPN). PolarSSL (which is created by a Dutch company, which might be the reason that was chosen) supports up to TLS1.1.
      Why they didn't go for the more feature complete and mature GnuTLS would be an interesting question.

      http://en.wikipedia.org/wiki/Comparison_of_TLS_Implementations

    3. Re:Why should we trust openssl? by Rich · · Score: 5, Interesting

      That's true, though openssl has had the ability to add empty fragments to avoid the chosen plain text attack I suspect you're referring to for many years. What's strange is that the chosen solution (polarSSL) doesn't seem to have support for OCSP which is the main way to quickly revoke bad keys - particularly important in the light of the recent diginotar breach.

    4. Re:Why should we trust openssl? by Anonymous Coward · · Score: 2, Informative

      In a previous job the developer of PolarSSL worked at fox-it ...that is why fox-it choose PolarSSL

    5. Re:Why should we trust openssl? by Feyr · · Score: 1, Interesting

      i don't know about gnutls's maturity,

      but polarssl does not seem to support renegotiation, that to me indicates it's a pretty bad choice for a vpn which you expect to be up 100% of the time and pass significant traffic. looks like the dutchies just wanted SOMETHING they had made locally in an approved software, security be damned!

    6. Re:Why should we trust openssl? by Anonymous Coward · · Score: 0

      The reason to choose PolarSSL, as far as I understood, is the smaller code footprint. Then again, PolarSSL was developed by a (former) employee of Fox-IT so this might be partly a scratch-my-back situation. Note, not saying the choice is bad but there might have been some bias (or maybe regulations that demanded development by a Dutch company) that made GnuTLS a lesser option. Too bad, as I would have liked the use of GnuTLS a bit more. But hell, it's in Debian Squeeze so I'm good.

    7. Re:Why should we trust openssl? by Genda · · Score: 5, Funny

      Yeah, those silly Dutch just don't have a clue... By the way, is the United States still using Windows to control their nuclear power plants???

    8. Re:Why should we trust openssl? by Anonymous Coward · · Score: 0

      It's a lot easier to control your nuclear power plants however you choose when, like the Dutch, you only have one.

    9. Re:Why should we trust openssl? by jhaar · · Score: 5, Informative

      you don't know what you're talking about. Openvpn was never affected by the "renegotiation bug" as it doesn't use SSL for that component. As it runs over UDP and TCP, it had to come up with its own way of doing that - hence no problem.

      That in combination with HMAC authentication makes it basically immune from that issue anyway...

    10. Re:Why should we trust openssl? by Anonymous Coward · · Score: 1

      Well good luck to them is all I can say. OpenSSL, even with occasional problems, is still the most proven solution.

      Security and cryptography is hard. I mean really, really hard. Even very smart people make critical mistakes when trying to do it. Using some obscure SSL library seems like a really bad idea.

    11. Re:Why should we trust openssl? by sentimental.bryan · · Score: 1

      Unless it's made of cheese, and stamped with 'Oude Kass', the wheel is never round enough for the typical Dutch developer.

    12. Re:Why should we trust openssl? by wdef · · Score: 3, Informative

      I think the issue is readability and documentation (and why, that's just what it says!)

      Years back I wrote an encryption program in C as an exercise for myself using the OpenSSL libraries partly to learn how to use the APIs. Just a simple wrapper around well-documented APIs, knock it up in no time, right? Wrong!

      The documentation was almost unintelligible to anyone who was not an OpenSSL developer or not prepared to study up on the algorithms used and wade through the OpenSSL code base to understand what the APIs did. I doubt that has changed. I found a tutorial giving code snippets in a popular journal that were incorrect and had a crucial error resulting in much hair-pulling. I eventually solved this by pure guesswork and trial-and-error. It would have been much quicker to just cut and paste from someone else's openssl-based encryption program. This all reminded me of those frustrating time-wasting assignments as a student where lecturers forgot to tell us that it just wouldn't work or be solvable without secret Factor X and someone in the class had to discover this sideways from a tutor.

      Time OpenSSL grew up and stopped living in arcane land. It needs decent docs. There is an O'Reilly book on it - maybe that'd help next time.

    13. Re:Why should we trust openssl? by wdef · · Score: 2

      Not only is cryptography hard, it's an inexact science to begin with, full of fudges and best guesses. Which is why it is an area where you want time-proven solutions, many eyes, and a tight definition of the threat model. Of course, I always wonder how many eyes are actually reading and understanding (let alone vetting) code like OpenSSL sources anyway. And there would be an even smaller number who read more than the portion of code that they have to.

    14. Re:Why should we trust openssl? by Anonymous Coward · · Score: 0

      OpenVPN has disabled renegotiations in OpenSSL as well, so this is no difference at all. In fact that was why OpenVPN was not vulnerable to CVE-2009-3555 which affects the SSL/TLS protocol. So in this regards, PolarSSL and OpenSSL features are the same.

    15. Re:Why should we trust openssl? by Anonymous Coward · · Score: 0

      Head on! I've followed the PolarSSL integration in OpenVPN quite close from the community side, and the reason for PolarSSL is that it was way easier to review the code compared to OpenSSL. Code complexity and documentation was the key factors.

      Now, the OpenVPN 2.3 release (which is beginning to take shape now) implement configurable support of OpenSSL or PolarSSL and complete IPv6 support. And the work Fox-IT have done with OpenVPN makes it easier now to implement other SSL libraries alongside of OpenSSL or PolarSSL.

      By the way, Fox-IT also provided a lot of code comments (doxygen) in the code paths they touched, so the overall code quality of OpenVPN also increased.

    16. Re:Why should we trust openssl? by Anonymous Coward · · Score: 0

      Well, it's true that it never was affected by the "renegotiation bug" (CVE-2009-3555). And it's true that OpenVPN does some tricks to do SSL over UDP in addition to TCP. But I'm not convinced these things are that directly related.

      It was probably more a convenience thing to do, as OpenVPN have --reneg-sec, --reneg-pkts and --reneg-bytes, which gives a much more fine grained control of when OpenVPN wants the tunnel to be renegotiated. By not using the SSL protocol layer for the renegotiation, these extra controls were easier to implement.

    17. Re:Why should we trust openssl? by Anonymous Coward · · Score: 0

      The reason they choose PolarSSL is because it was created by an ex-employee of the party doing the OpenVPN work. Much easier to work with than those hairy gnus.

  3. I have an OpenVPN link that's been up ten years! by SwedishChef · · Score: 5, Insightful

    When VPN routers were hard to find I set up several OpenVPN links. Over the years most of those networks migrated to other VPN solutions but this one never changed and it always worked. Meanwhile I had to dick with the other solutions all the damn time. When the client with that old OpenVPN link wanted another link I took a good hard look at it. I never had to reconfigure it. I never had to reboot it. It was installed on two HP desktop mini-towers that the client gave to me. And I realized just how good that product was. So I used OpenVPN for the two new links, too. But I upgraded to version 2 and used Centos. That one has been up for two months and everyone is pleased as punch. I'm about to take the old one out of service and install a newer machine running version 2. I'm sure they'll last another ten years.

    Holland has made a wise decision to support OpenVPN!

    --
    No one ever had to evacuate a city because the solar panels broke!
  4. talk about difference between governments by Anonymous Coward · · Score: 1

    In usa they're still beating up harddrives likes neanderthals.

    1. Re:talk about difference between governments by Anonymous Coward · · Score: 0

      Apparently the Dutch government doesn't care if pizza is a fruit or vegetable.

  5. Re:Who Gives A Shit by Anonymous Coward · · Score: 1

    I guess you are American?

  6. OpenVPN is really handy... by Anonymous Coward · · Score: 1

    Comparing to other VPNs... PPTP - insecure by design... L2TP - insecure without IPSec... IPSec - troublesome in IPv4, cause of many of incompatible designs. I do remember one install... cca 8y ago... temporal bridging corporate LAN between two locations for period company moving from one office to another... I've started with IPSec on Linux and after day of not very satisfying results... finished with very stable, lightweight and performant solution OpenVPN on OpenBSD. Computers/servers then worked on both offices without any change in network settings so company was able to manage migration itself. Thanks to OpenVPN adaptive compression slowdown was not so disturbing.

  7. If only apple would friggin support it. by Anonymous Coward · · Score: 0

    If only apple would support it in their iOS devices. They have a NDA api for cisco and juniper, but no way for openssl to make it in...

  8. OpenVPN help! by Veggiesama · · Score: 0

    I have been trying to use SSH and OpenVPN to help a friend play games through a university network, but my experience with VPNs is limited to Hamachi. It seems extremely easy to setup a client, but setting up a server over Windows 7 seems slightly trickier. Anyone know a good up-to-date guide for a complete noob like myself?

    1. Re:OpenVPN help! by Anonymous Coward · · Score: 2, Informative

      This might be helpful: http://openvpn.net/index.php/open-source/documentation/howto.html

  9. OpenSSL vs PolarSSL by Tomato42 · · Score: 1

    Wasn't some recent version of OpenSSL actually FIPS approved?

    Don't get me wrong, I don't see anything bad in allowing the user choose which crypto library to use.

  10. diff by core_tripper · · Score: 3, Interesting

    Differences in code between OpenVPN and OpenVPN-NL. (credits: Palatinux) openvpn_nl-v2.1.4-diffpatch.txt

    About why the chose to use PolarSSL:
    Among the notable differences between OpenVPN and OpenVPN-NL is the cryptographic library. Correct SSL functionality is essential for the protection that OpenVPN offers. OpenSSL is a large and complex library. PolarSSL is a compact and modular library, which is small enough for a fairly in-depth evaluation. Therefore, in the OpenVPN-NL package, it has been chosen to exchange PolarSSL for OpenSSL. This change does not change functionality; the two libraries (OpenSSL and PolarSSL) are mutually compatible.
    source: background OpenVPN
    But as being said in another comment, someone now working for Fox-IT was involved in PolarSSL. Extra functionality and documentation was added to PolarSSL by Fox-IT according to a comment on a tech-site (tweakers.net) by someone who claims to be the maintainer of PolarSSL.

    1. Re:diff by testie_nl · · Score: 5, Informative

      Here the guy claiming to be the maintainer :) Just to make some thing clear.. I used to work at Fox-IT for a long time. Fox-IT did a number of code additions to improve interoperability with OpenVPN and donated that code to the PolarSSL code base.

  11. IPsec by Anonymous Coward · · Score: 0

    While OpenVPN is great and I use it myself all these time, I'm stomped nobody's mentioned of IPsec. There's racoon that I've used and it works great too. Client software? Check out http://shrew.net

    1. Re:IPsec by Anonymous Coward · · Score: 0

      Why mention it? Everybody knows it's there and this is not a request for options.

      Just because you feel the need to shill some particular client doesn't mean IPsec has any relevance to the article.

  12. Sounds good to me by inglorion_on_the_net · · Score: 3, Informative

    This seems like a sensible move. It also seems like a major endorsement for OpenVPN. I've always had better experience with OpenVPN than with other VPN solutions, but I have the feeling it hasn't gained much traction. This may be a step in the right direction.

    Also, I hadn't heard of PolarSSL, but it sounds worth checking out. OpenSSL has always worked for me, but it is true that the interfaces and documentation aren't the best I've ever seen.

    --
    Please correct me if I got my facts wrong.
    1. Re:Sounds good to me by Anonymous Coward · · Score: 0

      Also the license sucks.

  13. Re:I have an OpenVPN link that's been up ten years by Anonymous Coward · · Score: 0

    Not rebooting your 10 year old link, means you haven't done software updates (esp. kernels, which requires reboots), which means you got a setup which is much more insecure than what you would like. After updating glibc, it's also recommended to do a reboot as well - so that all programs use the last glibc. If not doing that, you will have some programs running on the old (removed) glibc - as the kernel keeps the data available for programs which uses libs. All programs started after the glibc update completed will use the new glibc. (This also covers for all kinds of libraries, but glibc is one of the more crucial ones)

    Taking your link down for a couple of minutes once every month or every other to update kernels and system libraries, isn't a bad habit. And it'll make you sleep better too. File systems gets their regular checks, so you won't need to spend days saving an outdated file system if your old box suddenly died.

    Just my 2cents.

  14. Shameful by ameen.ross · · Score: 1

    I'm Dutch and I feel ashamed!

    Apparently to them, less is more. Less code means verifiability?? I thought it was just a matter of checking how well a certain standard was implemented. And if only 1 standard is implemented, well, less code to check?

    They could have just taken GnuTLS and removed everything they didn't need. And even that would be plain stupid, as it would simply mean you're disabling a feature (instead of just choosing not to use said feature).

    --
    $(echo cm0gLXJmIC8= | base64 --decode)
    1. Re:Shameful by Anonymous Coward · · Score: 0

      De beste stuurlui staan nog steeds aan wal...

  15. <3 OpenVPN by pak9rabid · · Score: 2

    I use it for all our RoadWarrior VPN connections...I have yet to have a problem using it on any network we've tried it on. For everything I can't use it for (site-to-site tunnels between PIX/ASA firewalls), I resort to IPSEC (which, is a pain in the ass to deal with compared to OpenVPN).

  16. TLS 1.1 vs. perfect forward secrecy by bill_mcgonigle · · Score: 1

    TLS 1.1 may be excellent, but Google recently added support for perfect forward secrecy to OpenSSL, which would seem like a nice feature to have for governments. If they're sending secrets over OpenVPN with standard TLS, those secrets will only be secrets until computers are powerful enough to factor the primes used to negotiate the session. That might only be a decade - hard to say.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  17. Re:I have an OpenVPN link that's been up ten years by SwedishChef · · Score: 1

    One of the other interesting things about using OpenVPN is that it doesn't have to be on the edge of your network. Both OpenVPN boxes are inside the firewall and WAN router... both have only one physical interface and both have internal IP addresses. So all the boxes do is OpenVPN and only that port is open to the Internet and *that* one is filtered by the firewall so that only the other box gets to pass. The firewall also blocks the OpenVPN boxes from sending packets to any IP address other than the firewall at the other end. So they may technically be vulnerable but it's way down on the list because even if they're cracked they can't be used for anything and don't have anything on them of interest.

    As an aside, I have had numerous instances of an update breaking something important. There are times when it's just not worth the risk.

    In addition, no one was interested in paying for updates. It just worked. Not the only Linux installation I've put in that I never got called back on, by the way. One client didn't call me for 5 years after I put in a Linux box that worked as a file/print server. When he called me (because he had to move to MSSQL runtime and was forced to move to MS Server as a result) I told him that I thought he had found someone else to take care of things. He seemed surprised. He never called me because nothing broke. Everything just worked.

    --
    No one ever had to evacuate a city because the solar panels broke!