Posts Tagged ‘vpn’

OpenVPN Guide

June 27, 2008

I’ve finally finished my OpenVPN guide. It’s based on the guide I used from It’s a Tech World, but I’ve beefed up the security and added explanations and detail to some of the more complicated steps.

Here is the URL (it’s linked from the homepage as well): https://lockup.wordpress.com/configure-openvpn/

As I mentioned in a previous post, using this configuration of OpenVPN, you’ll be able to securely connect to your host network from anywhere and access files, services and the host internet connection, while your host network remains completely invisible to port scans.

This product is amazingly effective, simple to use (once setup) and, with the right configuration, secure. I think my guide is fairly comprehensive, but if you have any suggestions, feel free to comment.

Big thanks to Riley at It’s a Tech World for writing such a great guide.

OpenVPN: Really Good VPN

June 10, 2008

As the name suggests, OpenVPN is an open source VPN package. What isn’t immediately obvious is that, rather than using the more popular PPTP or L2TP/IPsec VPN protocols, OpenVPN uses SSL/TLS (using the OpenSSL toolkit). I’ve been playing with this free product for the last week and have been very impressed.

While PPTP and L2TP/IPsec are certainly the more popular VPN technologies, just by taking a look at their Wikipedia pages (here and here) it would seem that they are neither the most secure nor the most straightforward to set up.

While I can’t say that OpenVPN has the most user-friendly setup process, with good instructions it’s fairly straight-forward and, once it’s up and running, it’s mightily secure. In fact, from the outside world, it’s nearly impossible to detect it’s even there (but more on that later).

OpenVPN works in a client-server arrangement. On your host network, you install a copy and drop in a config file to designate it as the server. You then generate the client-server SSL/TLS certificate pairs and set up passwords, ports, etc. Once that’s done, you can port forward from your router to the OpenVPN server on your host network, allowing you to access it from remote networks.

On the client (e.g. your laptop), you run the same install file, but use a client config file. You then drop the certificate files you just created onto the client machine and boom, you have yourself a VPN.

While it’s not quite as easy as I’m making it out to be, as I’ll explain, it’s well worth the hour or two (plus the inevitable time for annoying mistakes).

The reason I’m so pro-OpenVPN is that it implements some very cool technologies. The first is SSL/TLS for the tunnel. Being so widely used on the web, this protocol has been proven to be secure. It is also very routable: you can change the inbound port number on your router to 80, 443, etc. if you think you’ll be working on restrictive networks.

Using SSL/TLS also means that you’re using certificates for authentication. OpenVPN lets you generate 2048-bit certificate pairs, so unless an attacker actually has a client certificate, they can forget it. Even if your laptop were stolen, your certificate can be password protected, giving you plenty of time to delete the certificate pair from the server to render it useless.

Another nice touch is the option to use UDP, which is much less susceptible to attack due to its connectionless nature. I also like the flexibility to choose any encryption cipher in the OpenSSL toolkit, including the speedy yet secure AES-128.

But, in my opinion, what seals the deal is a lesser-known feature called tls-auth. As I mentioned briefly, even with OpenVPN running and port forwarding on, it’s impossible for anyone but the client machines to solicit a response from your OpenVPN server. That’s because, with tls-auth turned on, the server requires that every handshake packet carry an HMAC signature computed with a pre-shared key. That key is stored in one of the files you copy to each client. Any packet arriving at the server without a valid signature is dropped cold, so to a would-be attacker it appears there is no machine there at all.
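To make the pieces above concrete, here is a matched pair of OpenVPN 2.x configuration files that I have put together as an added example (these are not the files from the guide or from the OpenVPN project). They show the server/client certificate setup, the tls-auth pre-shared key, UDP transport, AES-128 as the cipher and the port choice for restrictive networks. The hostname vpn.example.com, the file names and the 10.8.0.0/24 and 192.168.1.0/24 addresses are assumptions for the example.

```conf
# ---------------- server.conf (assumed file name) ----------------
# Listen on UDP; set this to 443 if remote networks only let HTTPS out.
port 1194
proto udp
dev tun

# Certificate material generated with easy-rsa (names assumed).
ca   ca.crt
cert server.crt
key  server.key
dh   dh2048.pem

# tls-auth: every control-channel packet must carry an HMAC made with
# ta.key. Packets without a valid HMAC are dropped before any TLS work,
# so scans and probes get no reply at all. "0" is the server key direction.
tls-auth ta.key 0

# Only accept clients whose certificate was issued for client use.
remote-cert-tls client

# Revoked client certificates (e.g. a stolen laptop) are listed here.
crl-verify crl.pem

# Data-channel cipher for the tunnel.
cipher AES-128-CBC

# Address pool for clients; push routes so they reach the host LAN
# and browse out through the host internet connection.
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"

keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3

# ---------------- client.ovpn (assumed file name) ----------------
client
dev tun
proto udp
# Must match the port forwarded on the host router (assumed hostname).
remote vpn.example.com 1194
nobind

ca   ca.crt
cert laptop.crt
# If laptop.key was generated with a passphrase, OpenVPN prompts for it
# at connect time; that is the password you type at the tray icon.
key  laptop.key

# Same ta.key copied from the server; "1" is the client key direction.
tls-auth ta.key 1

# Refuse to talk to anything that does not present a server certificate.
remote-cert-tls server

cipher AES-128-CBC
persist-key
persist-tun
verb 3
```

The two `tls-auth` lines reference the same static key file, generated once on the server and copied to each client alongside its certificate. The `crl-verify` line is my addition for the stolen-laptop case: rather than deleting a certificate from the server, revoking it with easy-rsa and regenerating crl.pem makes the server reject that client on its next handshake.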

On top of all this, initiating a VPN tunnel from your laptop couldn’t be easier. You double click a system tray icon, enter a password and it’s done. From then on it’s just like you are plugged into the host network. You can browse file shares, use network services (e.g. VoIP or Exchange) and browse out through the host internet connection. It’s nice when you can get this level of functionality for such a small sacrifice to security and I can certainly say that OpenVPN has the best functionality to security ratio that I’ve seen. In addition, it’s free.

In the next few days I’ll be posting a comprehensive guide to setting up OpenVPN. It will be based on a couple of guides I’ve used, official documentation and a lot of Googling. I hope it’ll prove useful.

In the meantime, if you’d like to read up on OpenVPN security, just Google it. There are a bunch of good articles.

http://openvpn.net/

EDIT: The guide is finished, you can view it here.

m0n0wall: DIY Firewall

March 29, 2008

If you have an old PC lying around that you were too lazy to throw out, don’t change your ways in a hurry. It may come in handy. If you have the need, you can turn it into a first-rate NAT firewall router.

Why? Well, sure, you can buy a router for $80 and, to be honest, a cheap D-Link or Linksys router is all you need most of the time. But if that kicks the bucket and you need a replacement, or if you take a look at the m0n0wall GUI and fall in love, you may find this great little firewall is the perfect way to get your Pentium II back in the game.

The reason old machines are perfect for DIY appliances (like m0n0wall) is that, while you won’t have much luck running XP on them (let alone Vista), they have ample grunt to run a stripped down Linux/BSD operating system.

m0n0wall is a FreeBSD-based system with a bit of a difference. Its entire boot-time command sequence is done in PHP and all system configuration is stored in an XML file, making it ridiculously resource efficient. Not only that, but the whole install image manages to squeeze in under 6MB. That said, every megabyte sure packs a punch. It does stateful packet filtering, NAT, DHCP, SNMP, IPsec and PPTP VPN, DynDNS, Wake-on-LAN, captive portal and traffic shaping. It also has a great SVG-based traffic grapher and one of the best web GUIs around.

So how do you get it up and running? If you just want to try it or you’re not bothered to do a hard drive install, you can download the CD-ROM image and run it straight from the CD. You can even do this on your primary machine (although not recommended) without it messing with Windows. Just pop a floppy or USB stick in to store the config file.

If you’re using it long term, grab the Generic-PC image. If you need a hand with setup, take a look here.

Bottom line, this product is amazing… and secure… and open source… and free. Give it a try.


http://m0n0.ch/wall/