Monday, December 23, 2013

Building A Cheap Personal VPN

This year we've seen individual concerns regarding data privacy expand dramatically. While public interest in this topic has increased, day-to-day computing practices still haven't changed a great deal. Many old habits persist that put our personal information at risk. One prime example is the use of shared, untrusted wireless connections. Individuals often grow accustomed to indiscriminately connecting to available wireless networks with little foreknowledge of the identity, trustworthiness, or goals of the operators of these services. While it is no surprise that anyone would wish to take advantage of "free" connections, by placing our traffic on untrusted shared networks we open ourselves up to a number of privacy and security issues, including:
DefCon Wall of Sheep
  • Traffic Interception/Redirection - When joining an untrusted network, there is a real risk that malicious individuals may intercept your traffic or redirect your requests to mock-up sites meant to capture your credentials. Even if you join a wireless network secured with a static pre-shared key (e.g. at a conference), do not mistake this for a significant security measure: other individuals with access to that key can relatively easily sniff and decrypt your traffic.
  • Traffic Analysis / Privacy - When you join an untrusted network, you may not be aware of the privacy practices that apply to this connection. What kind of logging is going on via this network? Even when your web traffic is encrypted, are your DNS queries being logged for analysis? What information are you giving away about yourself without your awareness? (An interesting story from earlier this year revealed that even just leaving your mobile Wi-Fi turned on can be used to track your movements and shopping habits in stores.)
  • Traffic Filtering and Restrictions - Do you have unfettered access to information and sites from the location you are connecting from?  Are you restricted to particular kinds of Internet applications on this link? 
These types of concerns have spurred the growth and popularity of commercial personal VPN services. For less than $20 per month, these providers offer you the ability to encrypt and tunnel all your Internet traffic. The merit of these services is that they raise the bar significantly for prying eyes and give you greater control over your online "point of presence" -- the location where your traffic is decrypted and routed to the Internet at large (see diagram below). Whereas in the past VPN services were usually only employed by organizations to provide secure remote access to internal resources, it is now feasible for individuals to employ a personal VPN to enhance the security and privacy of their own network traffic.

Another factor driving the adoption of personal VPNs is the DIY community and low-cost methods for deploying services using cloud computing resources. It is possible, and often less expensive, to set up your own low-cost VPN using OpenVPN and Amazon EC2. For those with the time, interest, and inclination to test out their own personal VPN, the steps below provide an outline of a basic build.

*Important Note: These instructions are intended for personal usage on untrusted networks only.  For business or organizational systems, you should consult with your IT group to determine what VPN services may be available and approved for authorized use.  Using a non-approved VPN within certain networks may be considered a violation of policy as well as an organizational security issue.

Technical Instructions

Step #1: Creating An Amazon EC2 Instance 
For this build, I will use Ubuntu Server 12.04 LTS running on an Amazon EC2 micro instance that is eligible for the free usage tier.

If you've never used EC2 before you will definitely need to familiarize yourself with this platform.

Amazon has some good getting started guides here (highly recommended):

A good youtube video can also be found here:

The basic steps we need to take to bring this Ubuntu instance up are the following:
  • Select Ubuntu Server 12.04 LTS x64
  • Use Micro Tier (t1.micro, 613MB) for test setup. Eligible for free usage tier.
  • Save and back up your key pair (PEM file). Don't lose this file! You will need it to access your EC2 instance.
  • Create A Customized Security Group that allows inbound access to SSH (TCP 22) and our custom OpenVPN port (UDP 443).

After your instance has started, you will need to access it using SSH and the Key file you saved.
chmod 400 example.pem
ssh -i example.pem [email protected]

Patches and Software Installs
Once the instance has booted, we need to perform some software updates and installs.
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install openvpn -y
sudo apt-get install dnsmasq -y
sudo apt-get install easy-rsa -y

Step #2: Setting Up A Certificate Authority + Generating Keys
OpenVPN supports two secure modes of operation, one employs a pre-shared static key (PSK) and another is based on SSL/TLS using RSA certificates and keys.  The PSK method has the benefit of simplicity, however it is not the most secure method (if anyone intercepts this key then all traffic could potentially be decrypted). For this reason, we will use the SSL/TLS method.

Copying Configuration Files
First off, we will want to copy the OpenVPN example files to obtain the scripts we'll need to establish a local certificate authority.
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo ln -s /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

Setting Up Variables
Now we will want to set some initial variables that allow the easy-rsa key management scripts to function.
sudo vi /etc/openvpn/easy-rsa/vars

Some of the variables that you will want to set and change to establish the CA include the following:
export KEY_SIZE=2048
export KEY_PROVINCE="YourProvince"
export KEY_CITY="YourCity"
export KEY_ORG="YourORG"
export KEY_EMAIL="[email protected]"
export [email protected]
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export KEY_CONFIG=/etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Note that we are using a 2048-bit key for additional paranoia.

Generating the master CA and key (as root)
cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-ca

Generating Diffie-Hellman parameters for the OpenVPN server (as root)
./build-dh

Generating Server Certificate
./build-key-server myservername

Copying certificates and keys to /etc/openvpn/
cd /etc/openvpn/easy-rsa/keys/
cp ca.crt myservername.key myservername.crt dh2048.pem /etc/openvpn/

Generating Client Key-Pairs
./build-key client1
./build-key client2

At the end of this step you should have several files residing in /etc/openvpn. Here is a breakdown of what these files are.

Step #3: Creating OpenVPN Server Config
Here is a fairly standard server config. This would be stored in /etc/openvpn/server.conf.

port 443
proto udp
dev tun
ca ca.crt
cert myservername.crt
key myservername.key
dh dh2048.pem
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"
keepalive 10 120
status openvpn-status.log
verb 3
Note the push directives. These route all client traffic through our VPN server and also change the client's DNS settings upon connection (moving DNS handling to the VPN server).
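As an added check that is not part of the original post, the script below audits a server.conf against directives the stock OpenVPN sample server.conf recommends (run as an unprivileged user, HMAC on the control channel, a pinned cipher); the sample config embedded in it is a constructed copy of the one above, and the directive list is my own choice.

```shell
#!/bin/sh
# Added example: report directives a hardened OpenVPN server.conf should carry.
# key/server   - without these the daemon cannot start in TLS server mode.
# tls-auth     - HMAC-signs control packets, so unauthenticated UDP is dropped before TLS.
# user/group   - drop root after startup (user nobody / group nogroup).
# persist-*    - let a restart succeed after privileges have been dropped.
# cipher       - pin a modern cipher instead of the era's default BF-CBC.

# Prints "MISSING: <directive>" per absent directive, then the count on the last line.
audit_openvpn_conf() {
    conf="$1"
    missing=0
    for want in key server tls-auth user group persist-key persist-tun cipher; do
        if ! grep -Eq "^${want}([[:space:]]|$)" "$conf"; then
            echo "MISSING: ${want}"
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Constructed copy of the post's server.conf (address-bearing lines left out, as on the page).
write_sample_conf() {
    cat > "$1" <<'EOF'
port 443
proto udp
dev tun
ca ca.crt
cert myservername.crt
dh dh2048.pem
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
status openvpn-status.log
verb 3
EOF
}

# Usage: sh audit.sh [/etc/openvpn/server.conf]; defaults to the constructed sample.
if [ "${1:-}" != "" ]; then
    audit_openvpn_conf "$1"
else
    sample=$(mktemp)
    write_sample_conf "$sample"
    audit_openvpn_conf "$sample"
fi
```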

Step #4: Enabling NAT Forwarding
To route Internet traffic for connecting clients we'll need to set up a basic NAT firewall config. We'll do it manually first and then drop some rules in /etc/rc.local for quick/dirty persistence.

sudo sysctl -w net.ipv4.ip_forward=1

#OPENVPN Forwarding

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

Step #5: DNSMasq Setup
We will set up DNSMasq to localize DNS request handling and also provide some acceleration (via caching).


Step #6: Setting RC.LOCAL Boot Options
Some quick and dirty lines in /etc/rc.local to bring NAT up and make sure that dnsmasq is running.
#OPENVPN Forwarding
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE


/etc/init.d/dnsmasq start

Step #7: Client Setup 

Archiving + Downloading Client Key-Pairs
To set up our client, we will need the CA certificate, the client certificate and key, an OpenVPN client configuration, and an OpenVPN client. First we tarball the client files we need and then download them via SFTP.
cd /etc/openvpn/easy-rsa/keys/
tar cvzf ~ubuntu/client1.tgz ca.crt client1.crt client1.key

Basic Client Configuration
In addition to downloading this tar file, we will also need to set up a basic client config like the one below.
client
dev tun
proto udp
remote 443
resolv-retry infinite
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
verb 3

Configuring Client Software
In general, to configure a client you will want to extract all the files from the tarball you downloaded and then copy them, along with the client configuration (see above), into one common folder. The last step is to import or load the client configuration file. Note that some clients look for a file with an .ovpn extension for import. This is simply a flat text configuration file (the same as above).
OpenVPN Connect on Android
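Instead of shipping a folder of files, the certificates can be embedded in the .ovpn itself using OpenVPN's inline <ca>, <cert> and <key> blocks. The script below is an added example, not from the original post; the server name and the demo certificate files are constructed placeholders, and the real inputs are the files from easy-rsa/keys.

```shell
#!/bin/sh
# Added example: bundle ca.crt, <name>.crt and <name>.key into one self-contained .ovpn.
set -eu

make_inline_ovpn() {
    keydir="$1"   # directory holding ca.crt, <name>.crt, <name>.key
    name="$2"     # client name used with ./build-key (e.g. client1)
    server="$3"   # VPN server hostname or address (placeholder in the demo)
    out="$4"      # output .ovpn path
    {
        # Same settings as the post's client config, plus "client" (tls-client + pull)
        # and remote-cert-tls, which checks the serverAuth EKU that build-key-server sets.
        cat <<'EOF'
client
dev tun
proto udp
resolv-retry infinite
nobind
remote-cert-tls server
verb 3
EOF
        echo "remote ${server} 443"
        printf '<ca>\n';   cat "${keydir}/ca.crt";        printf '</ca>\n'
        printf '<cert>\n'; cat "${keydir}/${name}.crt";   printf '</cert>\n'
        printf '<key>\n';  cat "${keydir}/${name}.key";   printf '</key>\n'
    } > "$out"
    chmod 600 "$out"   # the bundle now carries the private key: owner-only access
}

# Demo run on constructed placeholder files; prints the path of the bundle it wrote.
demo_inline_ovpn() {
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nDEMO-CA\n-----END CERTIFICATE-----\n' > "$d/ca.crt"
    printf -- '-----BEGIN CERTIFICATE-----\nDEMO-CERT\n-----END CERTIFICATE-----\n' > "$d/client1.crt"
    printf -- '-----BEGIN PRIVATE KEY-----\nDEMO-KEY\n-----END PRIVATE KEY-----\n' > "$d/client1.key"
    make_inline_ovpn "$d" client1 vpn.example.invalid "$d/client1.ovpn"
    echo "$d/client1.ovpn"
}
```

The resulting client1.ovpn is the only file the client needs; treat it like the key file it contains when copying it to a phone or laptop.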

Keep in mind that if you are adding new clients, you will need to create new key pairs (see Step #2).

Some popular OpenVPN client software includes:

OpenVPN GUI for Windows

Tunnelblick OpenVPN GUI for OS X

OpenVPN Connect for Android

OpenVPN Connect for iOS

Troubleshooting: Most client software will give you a status indicator showing whether your VPN tunnel is established. However, you can also test this by pinging the remote tunnel interface on the OpenVPN server at
