Insecure about using public WiFi? Connect to your home's OpenVPN appliance, for free.

Posted by Paul Braren on Jul 5 2014 in

Last year, I was pondering new ways to remotely surf the web securely, privately, from my home's IP address, even when far away from my home. The concern wasn't so much about my internet provider, Cox Communications, from knowing what I'm doing. It was more about securing in-the-clear communications when using WiFi in a hotel, for example, when sometimes no LTE is available.

So I constructed the path into my home lab's network, for remote administration in a pinch, for remote desktop, and for hitting web sites as if I was actually home, even when far from it. Yes, the US version of websites, not a localized version. Nice.

I've used Hamachi in the past. It handles wake on LAN magic packets from the one system I leave running, to other wired but asleep systems. Nice. But Hamachi VPN doesn't have an iOS client. And now costs some monthly fees. By default, Hamachi VPN uses the remote network just for private IP traffic, only "VPNing" or encrypting some network traffic.

I quickly found the perfect match for my always-ON vZilla system. It's a pre-build OpenVPN appliance, based on Ubuntu. Allows my iPhone 5 and my laptop a secure path to browsing through hotel or other open WiFi, nice. Works well, stable, even blogged and created a YouTube video of the entire process back in December of 2013 here, including the handling of dynamic DNS on a router basis.

Read more about types of VPNs at Comparison chart - OpenVPN / PPTP / SSH Tunnel

Conclusion - OpenVPN is the protocol of choice for max. security as well as for speed when connecting via OpenVPN.

Despite my success, I had a nagging concern that this posed some additional risk of home network penetration.

Along came April 2014, when Heartbleed arrived, shortly followed by a new OpenSSL patched version of the OpenVPN appliance. April also brought the opportunity to present at BSides, for my second time. Of course, I said yes, without hesitating to offer a live presentation using OpenVPN, on blind faith that I'd get it working nicely again. This time, using a better manner, so I'd be less fearful of presenting to a group of InfoSEC professionals. And with the confidence gained from recent remote display testing for iOS and Android.

I set out improve on the security and cost of my original method, which had a $20/year cost from dyn.com, to handle dynamic DNS.

As April wore on, I began to wonder, what if I could construct an isolated VM on its own NIC port, connected directly to my cable modem? This would be a way to remotely surf the web, from my home, when far away from my home. With a new home network with 30ms of latency, and a fat pipe of 150 Mbps down and 30Mbps up (that actually tests higher), the quest was on. It was the ah hah moment that occurs during downtime, that made me eager to get this working. All without resorting to running a 3rd party firmware like OpenWRT on my EA6900 router, and without having to set up a dedicated watt burning firewall or appliance, risking the scorn that any project that occasionally takes down family's network would incur. I don't like having to do "change control" at home. I have enough of that at work.

There was still that list of little hurtles I'd have to clear to succeed here, to get this to work the way I envisioned:

no cost handling of dynamic DNS, including easy to install Ubuntu client DDNS updater
VT-d, which passes through one of my Intel I-350 network ports directly to Ubuntu, which also happens to be compatible with that modern NIC
my cable company Cox Communications allows "Multiple Computer Access" with support for up to 3 IPs total directly attached to the cable modem, in my case, I only needed two IPs, one for my 802.11AC router, and the other to the NIC port going to the OpenVPN appliance, using a tiny and cool running (2 watt) gigabit switch to connect both to my cable modem, directly (pictured below).
multi-day stability of this configuration, no memory leaks, free and stable OpenVPN clients
automatic shutdown and power up after power outages

I'm happy to now present to you the results of that effort, which was a success. And which I presented, in a live demonstration:

Presented at Security BSides Boston on May 10 2014,

Insecure about using public WiFi? Connect to your home’s OpenVPN appliance, for free.
by Paul Braren on Sat May 10th, 2014

1) Download the appliance

Quick Start Guide for Using the OpenVPN Access Server Virtual Appliance for the VMWare ESXi Virtualization Platform
Current appliance version is: 2.0.7
Last updated: April 16, 2014
openvpn.net/index.php/access-server/download-openvpn-as-vm/469-deploying-openvpn-access-server-from-an-ovf-template-in-vmware-esxi-environment.html

required)

pass through an Ubuntu compatible NIC port, in my case, one of my 2 Intel I-350 ports.
reboot ESXi

3) Deploy and configure OpenVPN Access Server Virtual Appliance

it's all explained nicely here

OpenVPN Access Server Quick Start Guide
Click HERE for OpenVPN Access Server 2.0.2 Release Notes
openvpn.net/index.php/access-server/docs.html?id=229

using the 'vSphere Web Client'

deploy from OVF
don't power on
remove network
add PCI device (for passthrough) that is natively supported by Ubuntu (one of my Intel I350 ports works)
ran a CAT5e or CAT6 cable from this port, to a network switch, such as this energy sipping D-Link DGS-1005, which is also attached to the cable modem, and my EA6900 WiFi router WAN port (pictured below)
'VM Options' tab, 'VMware Tools', Time, 'Synchronize guest time with host'
power on VM
one port on my Intel I350 worked!
Enter 5x, then "Use local authentication via internal DB?" say yes
the rest are defaults as well
dpkg-reconfigure tzdata
(choose America, New York)
type date (verify it's correct date/time)
passwd
(set root password)
passwd openvpn
(set openvpn password)

4) Get yourself a computer name at no-ip.com

This is where you'll create yourself a free account, then register one computer name of your choosing. There is no monthly bill, and no credit card required.

Go to noip.com/sign-up and create your account (username, password, email, and computername), turn off "Send me newsletters & special offers" checkbox, then click click "Free Sign Up."

You're emailed a confirmation that you've successfully activated your account. Only one free account allowed, per email address.

5) Install No-IP Linux Dynamic Update Client (DUC) on your Ubuntu 12.04 LTS

There's a prerequisite. You'll need the Debian Linux Install GNU GCC Compiler and Development Environment
cyberciti.biz/faq/debian-linux-install-gnu-gcc-compiler

Simple enough to do, simply PuTTY your way to the appliance's IP address, then issue the following 2 lines of commands, one at a time:

# apt-get update && apt-get upgrade
# apt-get install build-essential

Answer 'Y' when prompted, you're done, proceed with next step, but leave PuTTY opened, you'll be needing it again.

The instructions are excellent:
noip.com/support/knowledgebase/installing-the-linux-dynamic-update-client-on-ubuntu

Here's the exact sequence of commands to paste one line at a time followed by enter (or typed carefully, one line at a time):

cd /usr/local/src
wget http://www.no-ip.com/client/linux/noip-duc-linux.tar.gz
tar xf noip-duc-linux.tar.gz
cd noip-2.1.9-1/
make install

Answer 0 for 'eth0'
no-ip.com login userid/password
interval (accept default of 30 by just hitting enter)
'Do you wish to run something at successful update?[N] (y/N)' choose N
now you can manually run it, type this command
/usr/local/bin/noip2

6) Set No-IP DUC to autostart with appliance

From
howtoforge.com/how-to-install-no-ip2-on-ubuntu-12.04-lts-in-order-to-host-servers-on-a-dynamic-ip-address

we get a description of the parts of the extracted noip-duc-linux.tar.gz file's README.FIRST. I did the work of grepping for the process for you. Here's the sequence of commands you''ll be needing to do.

sudo nano /etc/init.d/noip

Next, from howtoforge.com/how-to-install-no-ip2-on-ubuntu-12.04-lts-in-order-to-host-servers-on-a-dynamic-ip-address

Copy and paste all the following lines (in PuTTY, highlight the below code, use Ctrl+C to copy into the clipboard, then in the PuTTY window right-click to paste):

case "$1" in
start)
echo "Starting noip2."
/usr/local/bin/noip2
;;
stop)
echo -n "Shutting down noip2."
killproc -TERM /usr/local/bin/noip2
;;
*)
echo "Usage: $0 {start|stop}"
exit 1
esac
exit 0

Next, you type exit again. Now you're ready for another cut and paste of these 3 lines

sudo chmod +x /etc/init.d/myscript.sh
sudo update-rc.d myscript.sh defaults 98 02
reboot

7) Configure the appliance through the Web UI

To get started initially, you'll need to paste in this URL, where computername is replaced with the name you chose duringn No-IP setup.

https://computername.no-ip.biz/admin

'Agree' to EULA

'Server Network Settings', 'VPN Server'

change computer name (using no-ip FQDN)

save, restart the daemon (service)

PC:

do a speed test (on vzw 149ms/11u/4d) to Connecticut Education Network (189 d / 49 u)

http://whatismyipaddress.com
(leave it running, just minimize when done)

Chrome to https://computername.no-ip.biz

Tray icon, choose "Import", "From server..."
paste in computername.no-ip.biz
type in credentials (openvpn/password)
It'll say click here to continue to download the MSI installer
OpenVPN Connect for Windows, then install it
it'll confirm configuration has been saved
Tray icon, choose [servername], "Go to" [servername]
bring up
whatismyipaddress.com
window again, hit Ctrl+F5 to force network refresh

do a speed test (on Verizon LTE, 189ms/6 Mbps down/1.5Mbps up)

iOS (iPhone 5):

do a speed test (on vzw 178ms/23.7 d/3.0 u)
Safari to https://computername.no-ip.biz
ignore cert error
Username openvpn
Password (password)
choose User locked profile
'Open in "OpenVPN"'
click green +
type password
click 'Save' slider
show VPN in native iOS interface
do a speed test (on vzw 193ms/1.3 d/2.4 u)

Android (Nexus 7):

Chrome to https://computername.no-ip.biz
Use link to Google Play Store, download, and install OpenVPN Connect client
Launch
Import Profile
computername.no-ip.biz
enter "Username" and "Password", and ensure checkbox for "Save"
turn on checkbox for "Import Autologin Profile"
verify with checkbox "I trust this application."
visit whatismyipaddress.com to verify

Step-by-step Video Walk-through

[later this summer, will be inserted right here]