Serious VPN && !(Serious Cost)Serious VPN && !(Serious Cost)a.k.a. don't pay to “go-to-your-pc”a.k.a. don't pay to “go-to-your-pc”
Jeremy WilldenJeremy WilldenOpen Source EnthusiastOpen Source Enthusiast
Ad Hoc ElectronicsAd Hoc Electronicshttp://www.adhocelectronics.com/http://www.adhocelectronics.com/
Internet Security Issue: BGP spoof
● Border Gateway Protocol handles major routing● Unencrypted traffic can be monitored or
modified from anywhere in the world
http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html
Networking Overview
● Firewalls and NAT
Networking Overview
Networking Overview
Networking Overview
Networking Overview
Remote Access
● Problem: how to remote control your PC● Partial Solution: VNC Server & Client
Remote Access
Remote Access
Remote Access
● Problem: how to remote control your PC● Partial Solution: VNC Server & Client● Google VNC or check sourceforge.net● Use password authentication● Port forwarding (5900) remote - insecure!● Solution isn't complete
– It's not secure, only allows one service (port)
– Separate port for each client
Securely Connecting Networks
● Virtual Private Network (VPN)● Data encrypted between networks● Many closed and open-source alternatives
– Many get broken by NAT, or are limited by it
– Proprietary ones may only be obscure, not secure
● Ideal: open/free, well tested, reviewed– Use the same code base as eCommerce, TLS/SSL
– Take it further: not just one service/port
Why OpenVPN?
● Uses OpenSSL (TLS)– Heavily tested, SSL is used for HTTPS
– Many ciphers (Blowfish, AES 128/256, many more)
– Free as in Freedom
– Available ready to deploy on many platforms● Linux/Mac/Windows● Router (embedded) firmware
– Public Key Infrastructure● Certificate revocation without re-keying
TLS (SSL) Handshake
● Random keys exchanged using public key cryptography, prevents man-in-middle attacks
Image Copyleft Christian Friedrich, licensed under GFDL, with spelling corrections. Source: Wikimedia
TLS (SSL) Handshake
Image Copyleft Christian Friedrich, licensed under GFDL, with spelling corrections. Source: Wikimedia
General Setup-Linux
● http://openvpn.net/index.php/documentation/howto.html
● Pull down the source from openvpn.net– http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
– http://openvpn.net/release/openvpn-2.0.9.tar.gz
– Unzip/untar: tar -xzf ./lzo-2.03.tar.gz, tar -xzf ./openvpn-2.0.9.tar.gz
– “cd” into each folder, do ./configure, make, make install
● Use yum or apt-get (yum -y install openvpn)● Download RPMs (including dependencies)
– rpm -ivh (path to each RPM, one at a time)
● chkconfig openvpn on (to auto-start)
General Setup-Windows
● Install Windows package from openvpn.net
<<== All config files reside here
<<== You need at least one virtual adapter
<<== Logs are useful for troubleshooting
Windows-OpenVPN GUI
● Roving computer (laptop)
OpenVPN as a service
● Desktop at home, always connected
OpenVPN as a service
● Desktop at home, always connected
Bridged VPN
● Broadcast traffic is forwarded through the VPN● Allows service easy service discovery (virtual
Ethernet connection) netBIOS, Bonjour, etc.● DHCP server shouldn't send a default gateway
to VPN clients● VPN client IP addresses are in the same subnet
as the private network
Routed VPN
● Connect to other devices by IP address (because broadcast traffic is blocked)
● Or set up DNS on both ends to include all names
● VPN IP addresses are separate from both client and server IPs
● Either way, you use the private, internal addresses to connect to your private network– All data encrypted through the tunnel
Implementation 1
● Routed VPN with public key infrastructure● Generate your own keys/certificates● Private IP range for VPN addresses● Use a server with Apache, install a status page
– http://pablohoffman.com/software/vpnstatus/vpnstatus.txt
– PHP script that connects to the management port
server.conf (Implementation 1)Port 1194proto udpdev tunca /etc/openvpn/keys/ca.crtcert /etc/openvpn/keys/server.crtkey /etc/openvpn/keys/server.key # This file should be kept secretdh /etc/openvpn/keys/dh1024.pemserver 10.200.200.0 255.255.255.0ifconfig-pool-persist ipp.txtpush "route 192.168.15.0 255.255.255.0"push "route 192.168.0.0 255.255.255.0"client-to-clientkeepalive 30 120# Generate with: openvpn --genkey --secret ta.key# The second parameter should be '0' on the server and '1' on the clients.tls-auth ta.key 0;cipher AES-128-CBC # AEScomp-lzomax-clients 30user nobodygroup nobodypersist-keypersist-tunstatus /etc/openvpn/openvpn-status.loglog-append /etc/openvpn/openvpn.logverb 4;crl-verify keys/crl.pemmanagement localhost 7505
Also ensure that IP forwarding is enabled on the server, so either run this in a startup script somewhere:
cat > 1 /proc/sys/net/ipv4/ip_forward
or edit your /etc/sysctl.conf file and make sure this line is there (and not commented out)
net/ipv4/ip_forward=1
client1.conf (Implementation 1)clientdev tunproto udpremote my.dyndns.name 1194resolv-retry infinitenobind# Downgrade privileges after initialization (non-Windows only)user nobodygroup nobodypersist-keypersist-tunca ca.crtcert client.crtkey client.keyns-cert-type servertls-auth ta.key 1comp-lzoverb 3
Debug tool: ngrep (packet sniffer)ngrep -d eth0 -Wbyline port 1194
Router Setup (Implementation 1)
OpenVPN on dd-wrt
● dd-wrt– Open-source Linux-based router firmware
– “vpn” version includes openvpn
– Operates in client or server mode
● http://www.dd-wrt.com● http://www.dd-wrt.com/wiki/index.php/OpenVPN_-_Site-to-
Site_routed_VPN_between_two_routers
dd-wrt router client configurationcd /tmpln -s /usr/sbin/openvpn /tmp/myvpn./myvpn --mktun --dev tun0ifconfig tun0 0.0.0.0 promisc upsleep 5echo "clientdaemondev tun0proto udpremote my.server.name 1194resolv-retry infinitetls-auth ta.key 1nobindpersist-keypersist-tunca ca.crtcert client.crtkey client.keyns-cert-type servercomp-lzoverb 3" > /tmp/client.conf#CONTINUED NEXT COLUMN
echo "****CERT CONTENTS****" > ca.crt
echo "****CERTIFICATE CONTENTS****" > client.crt
echo "****KEY CONTENTS***" > client.key
echo “***ta.key contents***” > ta.key
./myvpn --config client.conf
FIREWALL SCRIPT (REMOVE #COMMENTS):iptables -I FORWARD -i br0 -o tun0 -j ACCEPT#Allows VPN traffic outiptables -I FORWARD -i tun0 -o br0 -j ACCEPT#Allows VPN traffic iniptables -I INPUT -i tun0 -j ACCEPT# Allows VPN to connect to GUI
dd-wrt router server changesAdd a client config file directorymkdir /etc/openvpn/ccd
Create a client config file for each remote router (filename must match client name!)nano -w /etc/openvpn/ccd/client2iroute my.sub.net.addr 255.255.255.0
Modify the server.conf file and add these lines:client-config-dir /etc/openvpn/ccdroute my.sub.net.addr 255.255.255.0
VITAL: make sure /etc/openvpn/ccd is world readable, along with all files inside! Otherwise, the downgraded daemon won't be able to read the files.
You can also make each remote router's subnets available to the other routers, but it's a bit more complicated – the ccd files may need to include a push-reset followed by a push off all relevant parameters except for it's own route
Implementation 2
● Routed VPN with static keys● Between two sites using dd-wrt routers
dd-wrt router 1 client configuration# STARTUP SCRIPTcd /tmpln -s /usr/sbin/openvpn /tmp/myvpnecho "remote REMOTEADDRESSproto udp port 2000dev tun0secret /tmp/static.keyverb 3comp-lzokeepalive 15 60daemon" > SiteA-SiteB.confecho "YOUR STATIC KEY" > static.key/tmp/myvpn --mktun --dev tun0ifconfig tun0 10.0.0.2 netmask 255.255.255.0 promisc uproute add -net OTHERSUBNET netmask 255.255.255.0 gw 10.0.0.1sleep 5/tmp/myvpn --config SiteA-SiteB.conf
#FIREWALL SCRIPTiptables -I INPUT 2 -p udp --dport 2000 -j ACCEPTiptables -I FORWARD -i br0 -o tun0 -j ACCEPTiptables -I FORWARD -i tun0 -o br0 -j ACCEPT
dd-wrt router 2 client configuration# STARTUP SCRIPTcd /tmpln -s /usr/sbin/openvpn /tmp/myvpnecho "proto udp port 2000dev tun0secret /tmp/static.keyverb 3comp-lzokeepalive 15 60daemon" > SiteA-SiteB.confecho "YOUR STATIC KEY" > static.key/tmp/myvpn --mktun --dev tun0ifconfig tun0 10.0.0.1 netmask 255.255.255.0 promisc uproute add -net OTHERSUBNET netmask 255.255.255.0 gw 10.0.0.2sleep 5/tmp/myvpn --config SiteA-SiteB.conf
#FIREWALL SCRIPTiptables -I INPUT 2 -p udp --dport 2000 -j ACCEPTiptables -I FORWARD -i br0 -o tun0 -j ACCEPTiptables -I FORWARD -i tun0 -o br0 -j ACCEPT
References
● http://www.openvpn.net● http://openvpn.net/index.php/documentation/howto.html
● http://en.wikipedia.org/wiki/Secure_Sockets_Layer
● http://en.wikipedia.org/wiki/Transport_Layer_Security● http://pbxinaflash.com/forum/showpost.php?p=12108&postcount=24