Slashdot Mirror


Dutch Government Officially Trusts OpenVPN-NL

First time accepted submitter joost.bijl writes "Yesterday the Dutch government took a step to further improve the adoption of Open Source in its ranks. It has officially approved a modified version of the open source VPN software OpenVPN for use on the governmental level 'Departementaal Vertrouwelijk' (Restricted). The release is called OpenVPN-NL and is fully open-source and available for use. The software has undergone a security evaluation by the Dutch government's national communications security agency (NLNCSA). The major change is the removal of OpenSSL as the cryptographic core of OpenVPN-NL. Instead, the Dutch government opted to include the smaller, more readable and better documented open source library PolarSSL to provide the cryptographic and SSL/TLS functionality. The Dutch IT Security company Fox-IT worked together with both OpenVPN and PolarSSL communities and modified the stock software to support the government evaluation process. In total 8000 lines of code and 4000 lines of documentation were checked in to the OpenVPN trunk."

12 of 53 comments

  1. Re:Awesome by impaledsunset · · Score: 3, Informative

    OpenVPN is amazing, the only downside is that it doesn't support IPv6 except in tap mode. But you can always configure tap mode yourself, right?

  2. Re:Why should we trust openssl? by El_Muerte_TDS · · Score: 4, Informative

    OpenSSL only goes up to TLS1.0, which contains some vulnerabilities. (Not sure if these issues affect OpenVPN.) PolarSSL (which is created by a Dutch company, which might be the reason it was chosen) supports up to TLS1.1.
    Why they didn't go for the more feature complete and mature GnuTLS would be an interesting question.

    http://en.wikipedia.org/wiki/Comparison_of_TLS_Implementations

  3. Re:Why should we trust openssl? by Anonymous Coward · · Score: 2, Informative

    In a previous job the developer of PolarSSL worked at Fox-IT ... that is why Fox-IT chose PolarSSL.

  4. Re:Awesome by habalux · · Score: 5, Informative

    OpenVPN 2.3 does support IPv6 in tun mode, even point-to-multipoint. It still needs an IPv4 pool though but you can just ignore it and go IPv6 only.

    http://www.greenie.net/ipv6/openvpn.html
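    As an added example (not part of habalux's post or the linked page), here is a minimal OpenVPN 2.3 server and client configuration pair that does exactly what the comment describes: IPv6 inside a tun tunnel, with the mandatory IPv4 pool left unused. The addresses and hostname are documentation placeholders; `tun-ipv6`, `server-ipv6` and `route-ipv6` are directives from the 2.3 option set.

```conf
### server.conf (OpenVPN 2.3) -- added example, not from the post
dev tun
tun-ipv6                         # 2.3 needs this to carry IPv6 payload over a tun device
proto udp6                       # tunnel transport over IPv6; use "udp" if the outside is v4-only
port 1194

# The IPv4 pool is still mandatory in 2.3. For an IPv6-only deployment it can
# simply sit unused: nothing is pushed for it and nothing routes to it.
server 10.8.0.0 255.255.255.0

# IPv6 pool for clients (point-to-multipoint); the server takes the ::1 address
server-ipv6 2001:db8:1::/64

# Send all global-unicast IPv6 traffic through the tunnel
push "route-ipv6 2000::/3"

ca   ca.crt
cert server.crt
key  server.key
dh   dh2048.pem
keepalive 10 60
persist-key
persist-tun
verb 3

### client.conf -- added example, not from the post
client
dev tun
tun-ipv6
proto udp6
remote vpn.example.org 1194      # placeholder hostname
remote-cert-tls server           # refuse a peer that presents a client certificate as the server
ca   ca.crt
cert client.crt
key  client.key
persist-key
persist-tun
verb 3
```

    The only IPv4 the client ever sees is its unused pool address; on the server nothing is forwarded from 10.8.0.0/24, so the tunnel is effectively IPv6-only while satisfying the 2.3 requirement for an IPv4 `server` line.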

  5. Re:Awesome by MightyMartian · · Score: 4, Informative

    Yes, that is a pain. I thought they were supposed to be setting up the Windows service so that a non-admin client could control the VPN via the service to write the routing table, which seems to be the big stumbling block for OpenVPN under the UAC.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.

  6. Re:Why should we trust openssl? by jhaar · · Score: 5, Informative

    You don't know what you're talking about. OpenVPN was never affected by the "renegotiation bug" as it doesn't use SSL for that component. As it runs over UDP and TCP, it had to come up with its own way of doing that - hence no problem.

    That in combination with HMAC authentication makes it basically immune from that issue anyway...
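    The HMAC layer jhaar refers to is OpenVPN's `tls-auth` option. As an added example (not from the post), these are the directives a server/client pair needs; the static key is generated once with `openvpn --genkey --secret ta.key` (2.3 syntax) and copied to clients out of band together with their certificates. The log line and address at the end are a constructed illustration.

```conf
### shared step (run once, on the server) -- added example, not from the post
#   openvpn --genkey --secret ta.key
# ta.key holds a 2048-bit static key; distribute it with the client certificates.

### server side
tls-auth ta.key 0          # key direction 0; the peer uses 1. Each side signs with
                           # one half of the key and verifies with the other half.
auth SHA256                # HMAC digest for the data channel and the tls-auth wrapper
cipher AES-256-CBC

### client side
tls-auth ta.key 1          # the mirror of the server's direction
auth SHA256                # must match the server
cipher AES-256-CBC         # must match the server
remote-cert-tls server     # also reject a peer presenting a client certificate as the server

# Effect: every control-channel packet (TLS handshake, OpenVPN's own
# renegotiation, key exchange) carries an HMAC under ta.key. Packets that
# fail the check are dropped before the TLS library ever parses them, so an
# unauthenticated peer never reaches the TLS stack. A rejected packet shows
# up in the log as (constructed address):
#   TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:51234
```

    Because `tls-auth` is checked before any TLS state is touched, bugs in the TLS implementation's handshake parsing are only reachable by a peer that already holds ta.key, which is the "basically immune" property the comment describes.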

  7. Re:Awesome by Fez · · Score: 3, Informative

    pfSense 2.1 has been including an IPv6-capable OpenVPN setup with tun for a few months now, though it's still in early development. The client on the firewall is capable, as is the Windows client that the export package can generate with an included config.

    openvpn[32839]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011

  8. Re:OpenVPN help! by Anonymous Coward · · Score: 2, Informative

    This might be helpful: http://openvpn.net/index.php/open-source/documentation/howto.html

  9. Re:diff by testie_nl · · Score: 5, Informative

    Here's the guy claiming to be the maintainer :) Just to make something clear: I used to work at Fox-IT for a long time. Fox-IT did a number of code additions to improve interoperability with OpenVPN and donated that code to the PolarSSL code base.

  10. Sounds good to me by inglorion_on_the_net · · Score: 3, Informative

    This seems like a sensible move. It also seems like a major endorsement for OpenVPN. I've always had better experience with OpenVPN than with other VPN solutions, but I have the feeling it hasn't gained much traction. This may be a step in the right direction.

    Also, I hadn't heard of PolarSSL, but it sounds worth checking out. OpenSSL has always worked for me, but it is true that the interfaces and documentation aren't the best I've ever seen.

    --
    Please correct me if I got my facts wrong.

  11. Re:Awesome by Anonymous Coward · · Score: 2, Informative

    There's a newer version of the Windows client which uses the management interface to control the OpenVPN service.
    Can't check at the moment, but I think it's this one: http://sourceforge.net/projects/openvpn-gui/
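    The management interface mentioned in this thread (posts 5 and 11) is what such a GUI uses to drive the OpenVPN process without the GUI itself needing the rights to write the routing table. As an added example (not from either post), here are the daemon-side directives for exposing it on loopback only, followed by a constructed session showing the two commands a GUI issues most, `hold release` and `state`. The port, password file name and addresses are placeholders; the directive names are OpenVPN's.

```conf
### openvpn config fragment -- added example, not from the post
# Bind to loopback only: anything that can reach this TCP port can stop,
# restart, and (with management-query-passwords) feed secrets to the daemon.
management 127.0.0.1 7505 management.pw   # management.pw: a single line holding the password
management-hold                           # start paused until a client sends "hold release"
management-query-passwords                # private-key / auth passwords arrive over this socket, not the console
management-signal                         # if the GUI disconnects, SIGUSR1 the daemon instead of running unattended

# Constructed session from the GUI side (e.g. telnet 127.0.0.1 7505); values are illustrative:
#   ENTER PASSWORD:
#   SUCCESS: password is correct
#   >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
#   >HOLD:Waiting for hold release
#   hold release
#   SUCCESS: hold release succeeded
#   state
#   1354272000,CONNECTED,SUCCESS,10.8.0.6,203.0.113.10
#   END
#   signal SIGTERM
#   SUCCESS: signal SIGTERM thrown
```

    The privilege split is the point: the service runs as an administrator and owns the tun adapter and routes, while the user-level GUI only ever talks to the password-protected loopback socket, so a non-admin user can start, inspect and stop the tunnel without any rights over the routing table.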

  12. Re:Why should we trust openssl? by wdef · · Score: 3, Informative

    I think the issue is readability and documentation (and why, that's just what it says!)

    Years back I wrote an encryption program in C as an exercise for myself using the OpenSSL libraries partly to learn how to use the APIs. Just a simple wrapper around well-documented APIs, knock it up in no time, right? Wrong!

    The documentation was almost unintelligible to anyone who was not an OpenSSL developer or not prepared to study up on the algorithms used and wade through the OpenSSL code base to understand what the APIs did. I doubt that has changed. I found a tutorial giving code snippets in a popular journal that were incorrect and had a crucial error resulting in much hair-pulling. I eventually solved this by pure guesswork and trial-and-error. It would have been much quicker to just cut and paste from someone else's openssl-based encryption program. This all reminded me of those frustrating time-wasting assignments as a student where lecturers forgot to tell us that it just wouldn't work or be solvable without secret Factor X and someone in the class had to discover this sideways from a tutor.

    Time OpenSSL grew up and stopped living in arcane land. It needs decent docs. There is an O'Reilly book on it - maybe that'd help next time.