Serious VPN && !(Serious Cost)
a.k.a. don't pay to “go-to-your-pc”
Jeremy Willden
Open Source Enthusiast
Ad Hoc Electronics
http://www.adhocelectronics.com/
Remote Access
● Problem: how to remote control your PC
● Partial Solution: VNC Server & Client
● Google VNC or check sourceforge.net
● Use password authentication
● Port forwarding (5900) remote - insecure!
● Solution isn't complete
– It's not secure, only allows one service (port)
– Separate port for each client
Securely Connecting Networks
● Virtual Private Network (VPN)
● Data encrypted between networks
● Many closed and open-source alternatives
– Many get broken by NAT, or are limited by it
– Proprietary ones may only be obscure, not secure
● Ideal: open/free, well tested, reviewed
– Use the same code base as eCommerce, TLS/SSL
– Take it further: not just one service/port
Why OpenVPN?
● Uses OpenSSL (TLS)
– Heavily tested, SSL is used for HTTPS
– Many ciphers (Blowfish, AES 128/256, many more)
– Free as in Freedom
– Available ready to deploy on many platforms
● Linux/Mac/Windows
● Router (embedded) firmware
– Public Key Infrastructure
● Certificate revocation without re-keying
TLS (SSL) Handshake
● Random keys exchanged using public key cryptography, prevents man-in-the-middle attacks
Image Copyleft Christian Friedrich, licensed under GFDL, with spelling corrections. Source: Wikimedia
● Broadcast traffic is forwarded through the VPN
● Allows easy service discovery (virtual Ethernet connection): NetBIOS, Bonjour, etc.
● DHCP server shouldn't send a default gateway to VPN clients
● VPN client IP addresses are in the same subnet as the private network
Routed VPN
● Connect to other devices by IP address (because broadcast traffic is blocked)
● Or set up DNS on both ends to include all names
● VPN IP addresses are separate from both client and server IPs
● Either way, you use the private, internal addresses to connect to your private network
– All data encrypted through the tunnel
Implementation 1
● Routed VPN with public key infrastructure
● Generate your own keys/certificates
● Private IP range for VPN addresses
● Use a server with Apache, install a status page
server.conf (Implementation 1)
# Lines starting with ';' are commented out
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem # 1024-bit parameters; 2048-bit is the usual minimum today
server 10.200.200.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.15.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
client-to-client
keepalive 30 120
# Generate with: openvpn --genkey --secret ta.key
# The second parameter should be '0' on the server and '1' on the clients.
tls-auth ta.key 0
;cipher AES-128-CBC # AES
comp-lzo
max-clients 30
user nobody
group nobody
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
log-append /etc/openvpn/openvpn.log
verb 4
;crl-verify keys/crl.pem
management localhost 7505 # no password file given, so anything on localhost can use it
Also ensure that IP forwarding is enabled on the server, so either run this in a startup script somewhere:
echo 1 > /proc/sys/net/ipv4/ip_forward
or edit your /etc/sysctl.conf file and make sure this line is there (and not commented out):
net.ipv4.ip_forward = 1
dd-wrt router server changes
Add a client config file directory:
mkdir /etc/openvpn/ccd
Create a client config file for each remote router (filename must match client name!):
nano -w /etc/openvpn/ccd/client2
containing:
iroute my.sub.net.addr 255.255.255.0
Modify the server.conf file and add these lines:
client-config-dir /etc/openvpn/ccd
route my.sub.net.addr 255.255.255.0
VITAL: make sure /etc/openvpn/ccd is world readable, along with all files inside! Otherwise, the downgraded daemon won't be able to read the files.
You can also make each remote router's subnets available to the other routers, but it's a bit more complicated – the ccd files may need to include a push-reset followed by a push of all relevant parameters except for its own route.
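As an added example (not from the talk), a small Python audit that reads an OpenVPN server.conf the way the daemon does (';' and '#' comments) and flags the points these slides raise: the tls-auth direction, the commented-out crl-verify, the passwordless management port, and the ccd directory that must stay readable after the daemon drops to 'nobody'. The sample config is constructed from the slide's lines; the 2048-bit DH threshold is the example's own assumption.

```python
import re
import shlex

# Constructed sample: key lines from the talk's server.conf plus the
# client-config-dir line from the dd-wrt section (assumed combined file).
SAMPLE_CONF = """\
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
tls-auth ta.key 0
;cipher AES-128-CBC # AES
user nobody
;crl-verify keys/crl.pem
management localhost 7505
client-config-dir /etc/openvpn/ccd
"""

def parse_openvpn(text):
    """Map option -> list of argument lists for active lines.
    A line starting with ';' or '#' is a comment; a trailing '# ...' is
    stripped too (this assumes '#' never appears inside a quoted argument)."""
    opts = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line or line.startswith(';'):
            continue
        parts = shlex.split(line)
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts

def audit(opts):
    """Return the findings a defender would check before deploying this config."""
    findings = []
    if 'tls-auth' not in opts:
        findings.append('no tls-auth: unauthenticated peers can start handshakes')
    elif opts['tls-auth'][0][1:2] != ['0']:
        findings.append('tls-auth direction should be 0 on the server')
    if 'crl-verify' not in opts:
        findings.append('crl-verify disabled: revoked client certificates still accepted')
    for args in opts.get('management', []):
        if len(args) < 3:  # third argument would be the password file
            findings.append(f'management {args[0]}:{args[1]} has no password file')
    for args in opts.get('dh', []):
        bits = re.search(r'dh(\d+)', args[0])
        if bits and int(bits.group(1)) < 2048:  # assumed floor
            findings.append(f'{args[0]}: {bits.group(1)}-bit DH parameters are too small')
    if 'user' in opts and 'client-config-dir' in opts:
        findings.append(f"daemon drops to '{opts['user'][0][0]}': "
                        f"{opts['client-config-dir'][0][0]} and its files must be readable by it")
    return findings
```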
Implementation 2
● Routed VPN with static keys
● Between two sites using dd-wrt routers