Introduction
This year we've seen individual concerns regarding data privacy expand dramatically. While public interest in this topic has increased, day-to-day computing practices still haven't changed a great deal. Many old habits still persist that often put our personal information at risk. One prime example of this is the use of shared untrusted wireless connections. Individuals often grow accustomed to indiscriminately connecting to available wireless networks with little foreknowledge of the identity, trustworthiness, or goals of the operators of these services. While it is no surprise that anyone would wish to take advantage of "free"connections, by placing our traffic on untrusted shared networks, we open ourselves up to a number of privacy and security issues including:
DefCon Wall of Sheep |
- Traffic Interception/Redirection - When joining an untrusted network, there is a real risk that malicious individuals may intercept your traffic or redirect your requests to mock-up sites meant to capture your credentials. Even if you join a wireless networks secured with a static preshared-key (i.e. at a conference), you should importantly not misperceive this as a significant security measure. Other individuals with access to this key can relatively easily sniff and decrypt traffic.
- Traffic Analysis / Privacy - When you join an untrusted network, you may not be aware of the privacy practices relevant to this connection. What kind of logging is going via this network? Even when your web-traffic is encrypted, are your DNS queries being logged for analysis? What information are you giving away about yourself without your awareness? ( An interesting story from earlier this year, revealed that that even just leaving your mobile WIFI turned on can be used to track your movements and shopping habits in stores. )
- Traffic Filtering and Restrictions - Do you have unfettered access to information and sites from the location you are connecting from? Are you restricted to particular kinds of Internet applications on this link?
*Important Note: These instructions are intended for personal usage on untrusted networks only. For business or organizational systems, you should consult with your IT group to determine what VPN services may be available and approved for authorized use. Using a non-approved VPN within certain networks may be considered a violation of policy as well as an organizational security issue.
Technical Instructions
Step #1: Creating An Amazon EC2 Instance For this build, I will use Ubuntu Server 12.04 LTS running on an Amazon EC2 micro instances that is eligible for free utilization.
If you've never used EC2 before you will definitely need to familiarize yourself with this platform.
Amazon has some good getting started guides here (high recommended):
http://docs.amazonwebservices.com/AWSEC2/latest/GettingStartedGuide/GetStartedLinux.html
A good youtube video can also be found here:
The basic steps that we need to take with bring this Ubuntu Instance up is the following:
- Select Ubuntu Server 12.04 LTS x64
- Use Micro Tier (t1.micro, 613MB) for test setup. Eligible for free usage tier.
- Save and Backup Your Key Pair (PEM file). Don't lose this file! You will need to access your EC2 instance.
- Create A Customized Security Group that allows inbound access to SSH (TCP 22) and our custom OpenVPN port (UDP 443).
After your instance has started, you will need to access it using SSH and the Key file you saved.
Patches and Software Installs
Once the instance has booted, we need to perform some software updates and installs.
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install openvpn -y
sudo apt-get install dnsmasq -y sudo aptget install easy-rsa -y |
Step #2: Setting Up A Certificate Authority + Generating Keys
OpenVPN supports two secure modes of operation, one employs a pre-shared static key (PSK) and another is based on SSL/TLS using RSA certificates and keys. The PSK method has the benefit of simplicity, however it is not the most secure method (if anyone intercepts this key then all traffic could potentially be decrypted). For this reason, we will use the SSL/TLS method.First off, we will want to copy the OpenVPN example files to obtain the scripts we'll need to establish a local certificate authority.
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo ln -s /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
|
Setting Up Variables.
Now we will want to set some initial variables that will allow easy-rsa key management scripts to function.
sudo vi /etc/openvpn/easy-rsa/vars
|
Some of the variables that you will want to set and change to establish the CA include include the following:
export KEY_SIZE=2048
export KEY_COUNTRY="US"
export KEY_PROVINCE="YourProvince" export KEY_CITY="YourCity" export KEY_ORG="YourORG" export KEY_EMAIL="[email protected]" export [email protected] export KEY_CN=changeme export KEY_NAME=changeme export KEY_OU=changeme export PKCS11_MODULE_PATH=changeme
export KEY_CONFIG=/etc/openvpn/easy-rsa/openssl-1.0.0.cnf
|
Generating the master CA and key (as root)
cd /etc/openvpn/easy-rsa/
source vars ./clean-all ./build-ca |
Diffie Hellman parameters generated for the OpenVPN server (as root)
build-dh
|
Generating Server Certificate
build-key-server myservername
|
Copying certificates and keys to /etc/openvpn/
cd /etc/openvpn/easy-rsa/keys/
cp ca.crt myservername.key myservername.crt dh2048.pem /etc/openvpn/
|
Generating Client Key-Pairs
./build-key client1
./build-key client2
|
At the end of this step you should now have several files residing in /etc/openvpn. Here is a break-down on what these files are.
Step #3: Creating OpenVPN Server Config
Here is a somewhat standard server config. This would be stored in /etc/openvpn/server.conf
Here is a somewhat standard server config. This would be stored in /etc/openvpn/server.conf
port 443
proto udp dev tun ca ca.crt cert myservername.crt dh dh2048.pem server 10.8.0.0 255.255.255.0ls ifconfig-pool-persist ipp.txt push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 10.8.0.1" keepalive 10 120 comp-lzo persist-key persist-tun status openvpn-status.log verb 3 |
Step #4: Enabling NAT Forwarding
To route Internet traffic for connecting clients we'll need to set up a basic NAT firewall config. We'll do it manually first and then drop some rules in /etc/rc.local for quick/dirty persistence.
sudo sysctl -w net.ipv4.ip_forward=1
#OPENVPN Forwarding iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -A FORWARD -j REJECT iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE |
Step #5: DNSMasq Setup
We will set up DNSMasq to localize DNS request handling and also provide some acceleration (via caching).
/etc/dnsmasq.conf
listen-address=127.0.0.1,10.8.0.1
bind-interfaces |
Step #6: Setting RC.LOCAL Boot Options
Some quick and dirty lines in /etc/rc.local to bring NAT up and make sure that dnsmasq is running.
#OPENVPN Forwarding
sysctl -w net.ipv4.ip_forward=1 iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -A FORWARD -j REJECT iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE #START DNSMASQ /etc/init.d/dnsmasq start |
Step #7: Client Setup
Archiving + Downloading Client Key-Pairs
To setup our client, we will need the CA certificate, client certificate, client public key, a openvpn client configuration, and an openvpn client. First we can tarball the client information we need and then download this via sftp.
To setup our client, we will need the CA certificate, client certificate, client public key, a openvpn client configuration, and an openvpn client. First we can tarball the client information we need and then download this via sftp.
cd /etc/openvpn/easy-rsa/keys/
tar cvzf ~ubuntu/client1.tgz ca.crt client1.crt client1.key |
Basic Client Configuration
In addition to download this tar file, we will also need to set up a basic client config like the one below.
client
dev tun
proto udp
remote ec2-example.compute-1.amazonaws.com 443
resolv-retry infinite
nobind
persist-key persist-tun
ca ca.crt
cert client1.crt key client1.key
ns-cert-type server
comp-lzo
verb 3
|
Configuring Client Software
In general to configure a client, you will want to extract all the files from the tarball you downloaded and then copy all of these files along with the client configuration (see above) into one common folder. The last step is to import or load the client configuration file. Note that occasionally some clients will look for a file with a ovpn extension for import. This is simply a flat text configuration file (same as above).
OpenVPN Connect on Android |
Keep in mind if you are adding new clients, that you will need to create new keypairs (see step #7).
Some popular OpenVPN client software includes:
OpenVPN GUI for Windows
TunnelBlick OpenVPNGUI for OSX
OpenVPN Connect for Android
OpenVPN Connect for IOS
Troubleshooting: Most client software will give you a status indicator concerning whether your VPN tunnel is established. However you can also test this by pinging the remote tunnel interface on the OpenVPN server at 10.8.0.1.
No comments:
Post a Comment