Deployment
How to use OpenVPN-NL
OpenVPN-NL is a software package with which one can build a virtual private network (VPN) on top of another untrusted network such as the internet. The package contains both the client and the server. The information sent between the client and the server is encrypted in a way that meets the evaluation criteria. The software does not protect the endpoints of the encrypted connection other than shielding the virtual network traffic.
OpenVPN-NL can be used to extend a trusted network to remote locations. OpenVPN-NL should never be used as a way to disclose classified information to a computer which is also directly connected to an untrusted network, because trusted and untrusted network traffic must never mix. Thus, a computer which offers the possibility to (e.g.) surf the web cannot safely disclose sensitive information from a trusted private network at the same time.
Typical use cases
- Remote working on employer-issued laptop computer: An employee accesses the office network from home, a hotel, a conference or a meeting location, on a well-protected, locked down computer. The computer has OpenVPN-NL installed to access the private office network.
- Remote working on employee-owned computer: The employer issues a bootable CD or USB stick. This medium is inserted into a computer, which boots into a secure state from which it can connect to the trusted private network via OpenVPN-NL. This concept is used in, among others, the Dutch Military "TeleStick" and in the US Military "Lightweight Portable Security" solutions.
  Note that because OpenVPN-NL cannot protect against hardware attacks, this concept does not permit the use of any arbitrary computer to securely access a trusted network. Rules must restrict the use of this concept to computers very likely not to have been tampered with.
- Connecting the trusted private networks of two or more office locations: Two or more office locations which have untrusted territory (e.g. public road) between them, connect over public network infrastructure, with a dedicated computer running OpenVPN-NL on the perimeters of their trusted environments, virtually joining the physically separate trusted private office networks.
Deployment advisory
OpenVPN-NL is not a silver bullet which solves all your security problems. Security of your infrastructure depends on the architecture of your network, the way OpenVPN-NL is deployed, and the hardening of the system on top of which OpenVPN-NL runs. The deployment advisory ("inzetadvies") explains and gives pointers to necessary hardening actions, which every system administrator must undertake.
System administrators who wish to use OpenVPN-NL are advised to:
- Download the latest OpenVPN-NL for their platform from one of the links on this site.
- Verify the fingerprint of the downloaded package
- Subscribe to the OpenVPN-NL mailing list
- Create a system which is in compliance with the requirements of the deployment advisory ("inzetadvies")
- Install OpenVPN-NL on this system in compliance with the deployment advisory ("inzetadvies")
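One way to carry out the "verify the fingerprint" step above, as an added example that is not part of the original page or of the OpenVPN-NL project. It assumes the published fingerprint is a SHA-256 digest in hex (the page does not name the algorithm); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare a downloaded package against a published fingerprint.
# Assumption: the fingerprint is a SHA-256 digest written in hex. If the site
# publishes a different algorithm, change the tool and the expected length.

# normalize_fp FINGERPRINT
# Strip colons and whitespace and lower-case the hex digits, so that
# "AB:CD:..." copied from a web page compares equal to "abcd...".
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# verify_fingerprint FILE PUBLISHED_FINGERPRINT
# Returns 0 only when FILE exists and its digest equals the full published value.
# Returns 1 on a mismatch and 2 on unusable input (missing file, malformed or
# truncated fingerprint). Any non-zero result means: do not install.
verify_fingerprint() {
    file=$1
    expected=$(normalize_fp "$2")

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Require exactly 64 hex digits so a shortened fingerprint can never pass.
    case $expected in
        *[!0-9a-f]*) echo "fingerprint contains non-hex characters" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "fingerprint is not 64 hex digits" >&2; return 2; }

    # Read the file on stdin so an unusual file name cannot alter the output format.
    actual=$(sha256sum < "$file" | cut -d ' ' -f 1)
    [ -n "$actual" ] || { echo "could not compute digest" >&2; return 2; }

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published fingerprint"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  published: $expected" >&2
    echo "  computed:  $actual" >&2
    return 1
}
```

The published fingerprint should be obtained over a channel independent of the download itself, otherwise whoever can alter the package can alter the fingerprint next to it.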