After registration, Nodes establish an OpenVPN tunnel to Lighthouse. All communications between Lighthouse and a Node are tunneled inside this secure connection.
Lighthouse VPN is authenticated using X.509 certificates that are unique to each Node. These certificates are generated automatically during enrollment and signed by Lighthouse's built-in CA certificate. When a Node is unenrolled (deleted from Lighthouse), its certificate is revoked and added to Lighthouse's CRL.
Advanced users may inspect the underlying OpenVPN configurations from the CLI; on both Lighthouse and Nodes they are stored in the /etc/config/lhvpn/ directory.
By default, Lighthouse VPN uses an internal address pool of 192.168.128.0/19. Each Node is assigned an address from this pool upon enrollment.
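As an added example (not part of this documentation and not Lighthouse's own tooling), the following Python script shows what an advanced user inspecting the files under /etc/config/lhvpn/ would want to confirm: that the server configuration actually enforces the certificate-based authentication and CRL revocation described above, and that the address pool matches the documented 192.168.128.0/19. The sample configuration text, its file paths and directive values are constructed assumptions in the style of an OpenVPN server config; the shipped Lighthouse configuration may differ. The node-capacity estimate assumes OpenVPN's documented net30 and subnet topology semantics.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample in the style of an OpenVPN server config under
# /etc/config/lhvpn/. It is an assumption for illustration, not the real
# Lighthouse file; paths and directive values are invented.
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tun
topology subnet
ca /etc/config/lhvpn/ca.crt
cert /etc/config/lhvpn/server.crt
key /etc/config/lhvpn/server.key
dh /etc/config/lhvpn/dh.pem
crl-verify /etc/config/lhvpn/crl.pem
tls-crypt /etc/config/lhvpn/ta.key
remote-cert-tls client
server 192.168.128.0 255.255.224.0
keepalive 10 60
"""

# The address pool this page documents for Lighthouse VPN.
EXPECTED_POOL = ipaddress.ip_network("192.168.128.0/19")


def parse_openvpn_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive name to the list of argument lists it appears with.

    Blank lines and '#'/';' comments are skipped. Inline <ca>...</ca> style
    blocks are recorded as a directive with an empty argument list so that
    presence checks work whether material is inline or referenced by path.
    """
    directives: Dict[str, List[List[str]]] = {}
    in_block: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block is not None:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = line[1:-1]
            directives.setdefault(in_block, []).append([])
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def configured_pool(directives: Dict[str, List[List[str]]]) -> Optional[ipaddress.IPv4Network]:
    """Return the network given by 'server <network> <netmask>', or None."""
    entries = directives.get("server")
    if not entries or len(entries[0]) != 2:
        return None
    net, mask = entries[0]
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def max_nodes(pool: ipaddress.IPv4Network, topology: str = "net30") -> int:
    """Upper bound on Nodes the pool can hold (assumption: net30 topology gives
    each client its own /30, subnet topology one address each; the server's
    own address, network and broadcast addresses are excluded)."""
    if topology == "subnet":
        return pool.num_addresses - 3
    return pool.num_addresses // 4 - 1


def audit_server_conf(text: str, expected_pool=EXPECTED_POOL) -> List[str]:
    """Return findings for a server config; an empty list means all checks passed."""
    d = parse_openvpn_conf(text)
    findings: List[str] = []
    for required in ("ca", "cert", "key"):
        if required not in d:
            findings.append(f"missing '{required}': certificate authentication is not configured")
    if "crl-verify" not in d:
        findings.append("missing 'crl-verify': certificates of unenrolled Nodes would still be accepted")
    if "tls-crypt" not in d and "tls-auth" not in d:
        findings.append("neither 'tls-crypt' nor 'tls-auth': control channel lacks pre-shared-key protection")
    if d.get("remote-cert-tls", [[]])[0] != ["client"]:
        findings.append("missing 'remote-cert-tls client': peer certificates are not required to be client certificates")
    pool = configured_pool(d)
    if pool is None:
        findings.append("missing or malformed 'server' directive: no address pool defined")
    elif pool != expected_pool:
        findings.append(f"address pool {pool} differs from documented {expected_pool}")
    return findings


if __name__ == "__main__":
    for finding in audit_server_conf(SAMPLE_SERVER_CONF) or ["no findings"]:
        print(finding)
    topo = parse_openvpn_conf(SAMPLE_SERVER_CONF).get("topology", [["net30"]])[0][0]
    print(f"pool {EXPECTED_POOL} holds at most {max_nodes(EXPECTED_POOL, topo)} Nodes ({topo})")
```

Run it against a copy of the real server file (for example `python3 audit.py < server.conf` after changing the script to read stdin) rather than editing anything in place; the value of the check is confirming that `crl-verify` is present, since without it a revoked certificate from an unenrolled Node would still be accepted by the tunnel endpoint.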
While there are several common VPN protocols available, we have found OpenVPN the best fit for Lighthouse VPN now and for future development:
- Simple: OpenVPN can be configured to transport over either UDP or TCP connection using a single configurable port, for easy firewall, NAT and WAN traversal. OpenVPN has native support for both IP routing (tun) and Ethernet bridging (tap).
- Scalable: OpenVPN scales to many thousands of tunnels with minimal overhead, and provides tuning options for good performance over high latency and unreliable network uplinks such as a poor cellular connection.
- Open: OpenVPN is an open source project with a thriving community of developers. Open source security relies on the strength of public security algorithms rather than "security through obscurity"; a code base open to peer review thwarts hidden backdoors and security bugs.
- Popular: As well as being actively developed, OpenVPN is actively used – supported by most client devices including all major desktop operating systems, smartphones and tablets. OpenVPN is the popular choice for the vast majority of VPN service providers worldwide.