Transcript
Page 1: VPN

Serious VPN && !(Serious Cost)
a.k.a. don't pay to “go-to-your-pc”

Jeremy Willden, Open Source Enthusiast

Ad Hoc Electronics, http://www.adhocelectronics.com/

Page 2: VPN

Internet Security Issue: BGP spoof

● Border Gateway Protocol handles major routing
● Unencrypted traffic can be monitored or modified from anywhere in the world

http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html

Page 3: VPN

Networking Overview

● Firewalls and NAT

Page 4: VPN

Networking Overview

Page 5: VPN

Networking Overview

Page 6: VPN

Networking Overview

Page 7: VPN

Networking Overview

Page 8: VPN

Remote Access

● Problem: how to remote control your PC
● Partial Solution: VNC Server & Client

Page 9: VPN

Remote Access

Page 10: VPN

Remote Access

Page 11: VPN

Remote Access

● Problem: how to remote control your PC
● Partial Solution: VNC Server & Client
● Google VNC or check sourceforge.net
● Use password authentication
● Port forwarding (5900) remote - insecure!
● Solution isn't complete
– It's not secure, only allows one service (port)
– Separate port for each client

Page 12: VPN

Securely Connecting Networks

● Virtual Private Network (VPN)
● Data encrypted between networks
● Many closed and open-source alternatives
– Many get broken by NAT, or are limited by it
– Proprietary ones may only be obscure, not secure
● Ideal: open/free, well tested, reviewed
– Use the same code base as eCommerce, TLS/SSL
– Take it further: not just one service/port

Page 13: VPN

Why OpenVPN?

● Uses OpenSSL (TLS)
– Heavily tested, SSL is used for HTTPS
– Many ciphers (Blowfish, AES 128/256, many more)
– Free as in Freedom
– Available ready to deploy on many platforms
  ● Linux/Mac/Windows
  ● Router (embedded) firmware
– Public Key Infrastructure
  ● Certificate revocation without re-keying

Page 14: VPN

TLS (SSL) Handshake

● Random keys are exchanged using public key cryptography, which prevents man-in-the-middle attacks

Image Copyleft Christian Friedrich, licensed under GFDL, with spelling corrections. Source: Wikimedia

Page 15: VPN

TLS (SSL) Handshake

Image Copyleft Christian Friedrich, licensed under GFDL, with spelling corrections. Source: Wikimedia

Page 16: VPN

General Setup-Linux

● http://openvpn.net/index.php/documentation/howto.html
● Pull down the source from openvpn.net
– http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
– http://openvpn.net/release/openvpn-2.0.9.tar.gz
– Unzip/untar: tar -xzf ./lzo-2.03.tar.gz, tar -xzf ./openvpn-2.0.9.tar.gz
– “cd” into each folder, do ./configure, make, make install
● Use yum or apt-get (yum -y install openvpn)
● Download RPMs (including dependencies)
– rpm -ivh (path to each RPM, one at a time)
● chkconfig openvpn on (to auto-start)

Page 17: VPN

General Setup-Windows

● Install Windows package from openvpn.net

Screenshot callouts:
<<== All config files reside here
<<== You need at least one virtual adapter
<<== Logs are useful for troubleshooting

Page 18: VPN

Windows-OpenVPN GUI

● Roving computer (laptop)

Page 19: VPN

OpenVPN as a service

● Desktop at home, always connected

Page 20: VPN

OpenVPN as a service

● Desktop at home, always connected

Page 21: VPN

Bridged VPN

● Broadcast traffic is forwarded through the VPN
● Allows easy service discovery (virtual Ethernet connection): netBIOS, Bonjour, etc.
● DHCP server shouldn't send a default gateway to VPN clients
● VPN client IP addresses are in the same subnet as the private network

Page 22: VPN

Routed VPN

● Connect to other devices by IP address (because broadcast traffic is blocked)

● Or set up DNS on both ends to include all names

● VPN IP addresses are separate from both client and server IPs

● Either way, you use the private, internal addresses to connect to your private network
– All data encrypted through the tunnel

Page 23: VPN

Implementation 1

● Routed VPN with public key infrastructure
● Generate your own keys/certificates
● Private IP range for VPN addresses
● Use a server with Apache, install a status page
– http://pablohoffman.com/software/vpnstatus/vpnstatus.txt
– PHP script that connects to the management port

Page 24: VPN

server.conf (Implementation 1)

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.200.200.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.15.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
client-to-client
keepalive 30 120
# Generate with: openvpn --genkey --secret ta.key
# The second parameter should be '0' on the server and '1' on the clients.
tls-auth ta.key 0
;cipher AES-128-CBC # AES
comp-lzo
max-clients 30
user nobody
group nobody
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
log-append /etc/openvpn/openvpn.log
verb 4
;crl-verify keys/crl.pem
management localhost 7505

Also ensure that IP forwarding is enabled on the server. Either run this from a startup script somewhere:

echo 1 > /proc/sys/net/ipv4/ip_forward

or edit your /etc/sysctl.conf file and make sure this line is there (and not commented out; sysctl accepts the dotted form net.ipv4.ip_forward = 1 as well):

net/ipv4/ip_forward=1
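Whether a server.conf like the one above still carries the directives the deck treats as important (tls-auth, the user/group downgrade, an active crl-verify, an explicit cipher, a sensible dh size, a loopback-only management port) is easy to check by script. The following audit is an added example and is not from the deck or the OpenVPN project; the directive names are real OpenVPN options, and the two sample configs it writes are constructed: one is the slide's server.conf condensed, the other the same file with the two commented-out lines enabled and a 2048-bit dh file. The slide's version fails three checks by design (the ;cipher and ;crl-verify lines are disabled and dh1024.pem is named), which is exactly what a reviewer should see.

```shell
#!/bin/sh
# Added example, not from the deck: audit an OpenVPN 2.0-style server.conf for
# the hardening directives the slides rely on. Directive names are real
# OpenVPN options; the two sample configs below are constructed for the demo.

# Print the effective configuration of file $1: drop whole-line comments
# (leading '#' or ';') and trailing "# ..." comments, so ";crl-verify ..."
# counts as absent, exactly as OpenVPN treats it.
active_lines() {
    sed -e '/^[[:space:]]*[#;]/d' -e 's/[[:space:]]#.*$//' "$1"
}

# Succeed when directive $2 is active in config file $1.
has_directive() {
    active_lines "$1" | grep -Eq "^[[:space:]]*$2([[:space:]]|\$)"
}

# Print one finding per line; prints nothing when every check passes.
audit_server_conf() {
    conf="$1"
    has_directive "$conf" tls-auth ||
        echo "MISSING tls-auth: control-channel packets are not HMAC-checked before TLS"
    { has_directive "$conf" user && has_directive "$conf" group; } ||
        echo "MISSING user/group: daemon keeps root after initialization"
    has_directive "$conf" crl-verify ||
        echo "INACTIVE crl-verify: revoked client certificates are still accepted"
    has_directive "$conf" cipher ||
        echo "INACTIVE cipher: falls back to the OpenVPN 2.0 default (BF-CBC)"
    if active_lines "$conf" | grep -Eq '^[[:space:]]*dh[[:space:]].*1024'; then
        echo "WEAK dh: 1024-bit parameters named; generate 2048-bit or larger"
    fi
    mgmt=$(active_lines "$conf" | grep -E '^[[:space:]]*management[[:space:]]' || true)
    case "$mgmt" in
        "") ;;                          # no management interface configured
        *localhost*|*127.0.0.1*) ;;     # loopback only, as on the slide
        *) echo "EXPOSED management: $mgmt" ;;
    esac
    return 0
}

# Constructed sample 1: the slide's server.conf, condensed to the checked lines.
write_slide_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.200.200.0 255.255.255.0
tls-auth ta.key 0
;cipher AES-128-CBC # AES
user nobody
group nobody
persist-key
persist-tun
;crl-verify keys/crl.pem
management localhost 7505
EOF
}

# Constructed sample 2: the same file with the three findings fixed.
write_hardened_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
server 10.200.200.0 255.255.255.0
tls-auth ta.key 0
cipher AES-128-CBC
user nobody
group nobody
persist-key
persist-tun
crl-verify /etc/openvpn/keys/crl.pem
management localhost 7505
EOF
}

# Stand-alone run: audit both constructed samples from a scratch directory.
work=$(mktemp -d)
write_slide_conf "$work/server.conf"
write_hardened_conf "$work/server-hardened.conf"
echo "== slide server.conf =="; audit_server_conf "$work/server.conf"
echo "== hardened =="; audit_server_conf "$work/server-hardened.conf"
rm -rf "$work"
```

Point the audit at a real file with audit_server_conf /etc/openvpn/server.conf; an empty result means every check passed. The checks are deliberately textual (no OpenVPN binary needed), so they run fine on a dd-wrt router or a workstation that only holds a copy of the config.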

Page 25: VPN

client1.conf (Implementation 1)

client
dev tun
proto udp
remote my.dyndns.name 1194
resolv-retry infinite
nobind
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3

Debug tool: ngrep (packet sniffer)
ngrep -d eth0 -Wbyline port 1194

Page 26: VPN

Router Setup (Implementation 1)

Page 27: VPN

OpenVPN on dd-wrt

● dd-wrt
– Open-source Linux-based router firmware
– “vpn” version includes openvpn
– Operates in client or server mode
● http://www.dd-wrt.com
● http://www.dd-wrt.com/wiki/index.php/OpenVPN_-_Site-to-Site_routed_VPN_between_two_routers

Page 28: VPN

dd-wrt router client configuration

cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
./myvpn --mktun --dev tun0
ifconfig tun0 0.0.0.0 promisc up
sleep 5
echo "client
daemon
dev tun0
proto udp
remote my.server.name 1194
resolv-retry infinite
tls-auth ta.key 1
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3" > /tmp/client.conf
echo "****CERT CONTENTS****" > ca.crt
echo "****CERTIFICATE CONTENTS****" > client.crt
echo "****KEY CONTENTS***" > client.key
echo "***ta.key contents***" > ta.key
./myvpn --config client.conf

FIREWALL SCRIPT (REMOVE #COMMENTS):
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT #Allows VPN traffic out
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT #Allows VPN traffic in
iptables -I INPUT -i tun0 -j ACCEPT # Allows VPN to connect to GUI

Page 29: VPN

dd-wrt router server changes

Add a client config file directory:
mkdir /etc/openvpn/ccd

Create a client config file for each remote router (filename must match client name!):
nano -w /etc/openvpn/ccd/client2
iroute my.sub.net.addr 255.255.255.0

Modify the server.conf file and add these lines:
client-config-dir /etc/openvpn/ccd
route my.sub.net.addr 255.255.255.0

VITAL: make sure /etc/openvpn/ccd is world readable, along with all files inside! Otherwise, the downgraded daemon won't be able to read the files.

You can also make each remote router's subnets available to the other routers, but it's a bit more complicated – the ccd files may need to include a push-reset followed by a push of all relevant parameters except for its own route.
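The VITAL note above is the kind of thing that silently breaks a site-to-site setup: the iroute is correct, the server starts, and the route is never installed because the daemon, now running as nobody, cannot open the ccd file. As an added example (not from the deck or from OpenVPN), the following shell functions create a ccd entry with usable permissions, print the two server.conf lines that go with it, and check that nothing under the ccd directory is unreadable for the downgraded daemon. The client name and subnet used at the bottom are placeholders.

```shell
#!/bin/sh
# Added example, not from the deck: create the per-client ccd files used on
# the slide and verify the world-readability it calls VITAL. Directory, client
# name and subnet are parameters; the values at the bottom are placeholders.

# Write $1/$2 holding the iroute for client $2's LAN ($3 = subnet, $4 = mask),
# with permissions the downgraded daemon (user nobody) can use: 755 on the
# directory, 644 on the file.
write_ccd_entry() {
    mkdir -p "$1"
    printf 'iroute %s %s\n' "$3" "$4" > "$1/$2"
    chmod 755 "$1"
    chmod 644 "$1/$2"
}

# Print the two lines the slide adds to server.conf for ccd directory $1 and
# remote subnet $2/$3: "route" makes the kernel hand that subnet to the tun
# interface, "iroute" in the ccd file tells OpenVPN which client owns it.
server_ccd_lines() {
    printf 'client-config-dir %s\nroute %s %s\n' "$1" "$2" "$3"
}

# Return 0 when directory $1 and every file in it are readable by everyone
# (octal -005 = other r+x on directories, -004 = other r on files); otherwise
# list the offenders and return 1. Parent directories must be searchable as
# well; /etc/openvpn normally is.
check_ccd_readable() {
    offenders=$( { find "$1" -type d ! -perm -005; find "$1" -type f ! -perm -004; } 2>/dev/null )
    [ -z "$offenders" ] && return 0
    printf 'not readable by the downgraded daemon:\n%s\n' "$offenders"
    return 1
}

# Stand-alone run with placeholder values in a scratch directory.
work=$(mktemp -d)
write_ccd_entry "$work/ccd" client2 192.168.2.0 255.255.255.0   # placeholders
server_ccd_lines "$work/ccd" 192.168.2.0 255.255.255.0
check_ccd_readable "$work/ccd" && echo "ccd permissions OK"
rm -rf "$work"
```

On the real router, run check_ccd_readable /etc/openvpn/ccd after editing any ccd file (nano and a restrictive umask can easily leave a new file at 600), and before restarting the daemon.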

Page 30: VPN

Implementation 2

● Routed VPN with static keys
● Between two sites using dd-wrt routers

Page 31: VPN

dd-wrt router 1 client configuration

# STARTUP SCRIPT
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
echo "remote REMOTEADDRESS
proto udp
port 2000
dev tun0
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon" > SiteA-SiteB.conf
echo "YOUR STATIC KEY" > static.key
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.0.2 netmask 255.255.255.0 promisc up
route add -net OTHERSUBNET netmask 255.255.255.0 gw 10.0.0.1
sleep 5
/tmp/myvpn --config SiteA-SiteB.conf

#FIREWALL SCRIPT
iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Page 32: VPN

dd-wrt router 2 client configuration

# STARTUP SCRIPT
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
echo "proto udp
port 2000
dev tun0
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon" > SiteA-SiteB.conf
echo "YOUR STATIC KEY" > static.key
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.0.1 netmask 255.255.255.0 promisc up
route add -net OTHERSUBNET netmask 255.255.255.0 gw 10.0.0.2
sleep 5
/tmp/myvpn --config SiteA-SiteB.conf

#FIREWALL SCRIPT
iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
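Both Implementation 2 scripts paste the shared secret with echo "YOUR STATIC KEY" > static.key, and the Page 24 server.conf creates ta.key with openvpn --genkey --secret; both files use the same static key format (BEGIN/END markers around 2048 bits of key, written as 16 lines of 32 hex digits). A placeholder left in place, a paste cut short in the router's web form, or a key that stayed world-readable in /tmp will all fail later in ways that are tedious to debug on a router. The following checker is an added example, not from the deck or from OpenVPN; it verifies the markers, the 512 hex digits and the owner-only permissions before the tunnel is started. The sample key it writes is a fixed pattern constructed for the demo, not a real key.

```shell
#!/bin/sh
# Added example, not from the deck: sanity-check an OpenVPN static key file
# before a router uses it. "openvpn --genkey --secret" writes this format for
# both the tls-auth ta.key on the slides and the Implementation 2 "secret"
# file: BEGIN/END markers around 2048 bits of key, i.e. 512 hex digits.
# The sample key written below is constructed and must never be deployed.

# Return 0 when $1 holds a complete V1 static key that only its owner can read;
# otherwise print the first problem found and return 1.
check_static_key() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f"; return 1; }
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$f" ||
        { echo "missing BEGIN marker (placeholder text, or CRLF line endings?)"; return 1; }
    grep -q '^-----END OpenVPN Static key V1-----$' "$f" ||
        { echo "missing END marker (file truncated while pasting?)"; return 1; }
    # Collect the hex body between the markers, ignoring whitespace.
    hex=$(sed -n '/^-----BEGIN/,/^-----END/p' "$f" | grep -v '^-----' | tr -d '[:space:]' || true)
    case "$hex" in
        *[!0-9a-fA-F]*) echo "non-hex characters in key body"; return 1 ;;
    esac
    [ "${#hex}" -eq 512 ] ||
        { echo "key body has ${#hex} hex digits, expected 512 (2048 bits)"; return 1; }
    # Group/other permission bits (columns 5-10 of ls -l) must all be '-'.
    case "$(ls -l "$f" | cut -c5-10)" in
        *[rwx]*) echo "key is readable by other users; chmod 600 it"; return 1 ;;
    esac
    return 0
}

# Write a constructed 16 x 32 hex-digit body in the real file layout to $1.
# NOT a real key: the digits are a fixed pattern, purely for the demo.
write_sample_key() {
    {
        echo '#'
        echo '# 2048 bit OpenVPN static key (constructed sample)'
        echo '#'
        echo '-----BEGIN OpenVPN Static key V1-----'
        awk 'BEGIN { for (i = 0; i < 16; i++) { s = ""; for (j = 0; j < 32; j++) s = s sprintf("%x", (i * 7 + j) % 16); print s } }'
        echo '-----END OpenVPN Static key V1-----'
    } > "$1"
    chmod 600 "$1"
}

# Stand-alone run: write the constructed sample and check it.
work=$(mktemp -d)
write_sample_key "$work/static.key"
check_static_key "$work/static.key" && echo "static.key looks complete"
rm -rf "$work"
```

In the router startup scripts, a line such as check_static_key /tmp/static.key || exit 1 placed before /tmp/myvpn --config stops the daemon from being started with a bad secret; the same call works for ta.key on the Implementation 1 server and clients.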

Page 33: VPN

References

● http://www.openvpn.net
● http://openvpn.net/index.php/documentation/howto.html
● http://en.wikipedia.org/wiki/Secure_Sockets_Layer
● http://en.wikipedia.org/wiki/Transport_Layer_Security
● http://pbxinaflash.com/forum/showpost.php?p=12108&postcount=24

