Using your home network's ESXi or Hyper-V OpenVPN appliance to safely use public WiFi

Posted by Paul Braren on Dec 12 2013 (updated on Feb 16 2014) in
  • Appliances
  • ESXi
  • HowTo
  • Mobile
  • Network

    • Are you interested in being able to use public WiFi, with considerably less fear unscrupulous folks around you might be sniffing your packets, looking for tasty morsels of unencrypted goodness? You know, things like an email account that might be pulling IMAP messages over an unencrypted connection, giving your username and password out to anybody who knows just a little about WiFi packet sniffing. Or worse.

    If you have a corporate VPN, great, best to use it whenever you leave the house. But does it encrypt all traffic, or just corporate intranet traffic?

    If you have an always-on server on your home network, this article discussed an intermediate skill level project of setting up a VPN, for free, for up to 2 remote devices. Perfect for say one laptop (Windows or Mac) and one mobile device (iOS or Android), since the OpenVPN client software is widely available, or $6 more per year per additional client, with a minimum 10 client purchase required, explained here. Optionally, if you'd like for dynamic DNS to be handled, you may want to sign up for DDNS services from dyndns.org for $25 per year, so if your IP address for your home's broadband connection changes while you're away, you'll still be able to get in.

    Oh yeah, another very helpful thing about this? You can get to your home's network resources, even printing to networked printers back at home, for example, or checking on router settings.

    My primary focus was to do a proof of concept for myself, with the aim of achieving a one time setup that I could leave running. Ideally, a simple and secure VPN, that soon becomes largely set-it-and-forget it thing you take for granted.

    It's reasonable to expect to be able to tackle this project within an hour or two, from starting to read this article, read the background material, then trying it for yourself.

    Remember, your network security is entirely up to you, and I take not responsibility for what might happen to you, your data, or your home network. Yes, this is intended to politely try to steer less advanced users from attempting this, as you could make your network rather vulnerable to attacks from the outside, if you don't do this configuration correctly. Take the time to really harden the appliance, particularly if you plan to leave it running 24x7. It's also up to you to be sure you're precisely following all appropriate use guidelines from your ISP, or risk termination.

    So the objective of this post is to get you going with a "pilot" test of remote VPN, using a 14 day trial of dyndns.org services to avoid any sign-ups or monthly charges, before you decide if you want to pursue such a solution on a more permanent basis. Honestly, for most folks, going with a subscription to something like proXPN is probably a whole lot more sensible. This article is for those who really want to see if something (nearly) free can work for them, especially if they're already running a home lab machine 24x7 anyway, like my own beloved vZilla, running a datacenter that I built in about an hour, based on VMware's vCenter/ESXi 5.5.

    My focus is therefore on the ESXi version of the largely preconfigured Ubuntu appliance that OpenVPN provides. Even if you choose the Hyper-V (Ubuntu) appliance, or the installable Windows version, once that web/VPN server is up, configuration from there is largely the same. My client tests were with a Windows 8.1 64 bit laptop, and an iPhone 5 running iOS 7.0.4, and finally, a first-gen Nexus 7 with Android 4.3.

    When I went to try this for the first time in mid November, I encountered some issues with trying to get the iOS client to work at all, those have been resolved.

    Hurtles to clear (the secret sauce)

    1. Oct 24 2013's appliance 2.0.1 doesn't work with iOS clients, gets you nothing but a "Verification of the message MAC failed" error, explained in the OpenVPN support forum.
      My workaround involves manually tweaking the publicly listed download URL slightly, to get you to the the later 2.0.2 version that works just fine!
    2. Promiscuous mode must be set on the network port group (in ESXi 5.5), nowhere does OpenVPN's instructions warn you of this, but I'm familiar since I had to set that for Hamachi VPN as well.
    3. You really must tell your appliance that it's name isn't just an IP, give it the full name (configured in dyndns.org), so you're then good to go, with those autoconfig ovpn config bundles on those mobile clients now working just grand.

    Configuration

    1) Kick off the download of the appliance

    Virtual Appliance Downloads

    Current appliance version is: 2.0.2, the only version I tested**
    To download the virtual appliance, 2.0.2 or later required for Windows 8.1/iOS 7 compatibility, I've created a custom link for you:

    DOWNLOAD Virtual Appliance 2.0.2 for VMware ESXi

    Once you've installed the appliance, you're going to need to assign it to a virtual network that has promiscuous mode on.

    2) Read all about it

    Quick Start Guide for Using the OpenVPN Access Server Virtual Appliance for the VMWare ESXi Virtualization Platform

    3) Sign-up for DynDNS Pro services (optionally)

    account.dyn.com/dns/dyndns/add.html

    Add your hostname to your router's DDNS settings tab.

    , and port forwarding of 443 to the fixed IP of the appliance

    5) Download the OpenVPN Windows client to your PC

    The version I tested on Windows 8.1 was found at openvpn.net/index.php/open-source/downloads.html as
    openvpn-install-2.3.2-I003-x86_64.exe

    6) Visit your OpenVPN's web page from Windows browser or iOS browser (which also tests whether you have DDNS working)

    https://ovpnas20.dyndns.org/admin/server_network_settings

    The OpenVPN Connect iOS verification problem folks are having with 2.0.1 version of the appliance is a known issue.

    Admittedly, I'm only beginning to tinker with OpenVPN, and I'm sure there are suggestions for improvements to my process. Depending upon interest, I may go forward with trying to hardening the configuration, including trying alternative port numbers. For now, here's a 35 minute step by step video of the entire process, a first attempt at a working solution. I have a Nexus 7 shown at left, and an iPhone 5 at right. I'm not claiming this particular exact configuration has been properly vetted for good security practices. Any risk you decide to take is entirely your own responsibility.

    Feb 16 2014 Update:

    Interesting sound bite from Feb 11 2014's Security Now 442: Q&A 183, where Steve Gibson explains that he's using OpenVPN servers too, with keys that he generated, avoiding remote client's password prompts entirely. The video below is queued up to just the right spot (1h 42m), but the whole episode is a particularly worthwhile listen.

    TinkerTry - PCs, EVs, home tech, efficiency and more, including virtualization. My opinions here, not my employer's.

    Paul Braren, MCSE in 1998, VCP #2681 in 2005, vExpert 2014 to 2024, Veeam Vanguard Emeritus, 2015 to 2019.

    Support TinkerTry

    PayPal | Patreon | VMware Store

    After 6 successful years testing then shipping well over 1,000 Xeon D Bundles, Wiredzone had to stop selling them in mid-2021 due to cost, supply, and logistics challenges. So far, Xeon D-1700/2700 (Ice Lake D) was a minor refresh for 2023, with Xeon D-1800/2800 (Granite Rapids D) refresh looking a little better for 2024. More cores, but still just PCIe Gen4 and DDR4. Looking ahead, I'm glad it's Pat Gelsinger at Intel's helm. I'm also grateful to have had the honor of working at VMware when Pat was the CIO there. I'll leave it at that, given the whole Broadcom thing.

    Easily update VMware ESXi at TinkerTry.com/easy-update-to-latest-esxi