Insecure about using public WiFi? Connect to your home's OpenVPN appliance, for free.
Last year, I was pondering new ways to remotely surf the web securely and privately, from my home's IP address, even when far away from home. The concern wasn't so much about my internet provider, Cox Communications, knowing what I'm doing. It was more about securing in-the-clear communications when using WiFi in a hotel, for example, when sometimes no LTE is available.
So I constructed the path into my home lab's network, for remote administration in a pinch, for remote desktop, and for hitting web sites as if I was actually home, even when far from it. Yes, the US version of websites, not a localized version. Nice.
I've used Hamachi in the past. It handles wake-on-LAN magic packets from the one system I leave running, to other wired but asleep systems. Nice. But Hamachi VPN doesn't have an iOS client, and it now costs a monthly fee. By default, Hamachi VPN uses the remote network just for private IP traffic, only "VPNing" or encrypting some of your network traffic.
I quickly found the perfect match for my always-on vZilla system: a pre-built OpenVPN appliance, based on Ubuntu. It gives my iPhone 5 and my laptop a secure path for browsing through hotel or other open WiFi. Nice. It works well and is stable; I even blogged and created a YouTube video of the entire process back in December of 2013 here, including the handling of dynamic DNS on the router.
Read more about types of VPNs at Comparison chart - OpenVPN / PPTP / SSH Tunnel
Conclusion - OpenVPN is the protocol of choice for maximum security as well as for speed when connecting via OpenVPN.
Despite my success, I had a nagging concern that this posed some additional risk of home network penetration.
Along came April 2014, when Heartbleed arrived, shortly followed by a new OpenSSL-patched version of the OpenVPN appliance. April also brought the opportunity to present at BSides, for my second time. Of course, I said yes, without hesitating to offer a live presentation using OpenVPN, on blind faith that I'd get it working nicely again. This time, using a better method, so I'd be less fearful of presenting to a group of InfoSec professionals, and with the confidence gained from recent remote display testing for iOS and Android.
I set out to improve on the security and cost of my original method, which had a $20/year cost from dyn.com to handle dynamic DNS.
As April wore on, I began to wonder: what if I could construct an isolated VM on its own NIC port, connected directly to my cable modem? This would be a way to remotely surf the web from my home, when far away from my home. With a new home network with 30 ms of latency, and a fat pipe of 150 Mbps down and 30 Mbps up (that actually tests higher), the quest was on. It was the "aha" moment that occurs during downtime that made me eager to get this working. All without resorting to running 3rd-party firmware like OpenWRT on my EA6900 router, and without having to set up a dedicated watt-burning firewall or appliance, risking the scorn that any project that occasionally takes down the family's network would incur. I don't like having to do "change control" at home. I have enough of that at work.
There was still a list of little hurdles I'd have to clear to succeed here, to get this to work the way I envisioned:
- no-cost handling of dynamic DNS, including an easy-to-install Ubuntu DDNS updater client
- VT-d, to pass one of my Intel I-350 network ports directly through to Ubuntu, which also happens to be compatible with that modern NIC
- my cable company, Cox Communications, allows "Multiple Computer Access" with support for up to 3 IPs total directly attached to the cable modem. In my case, I only needed two IPs: one for my 802.11ac router, and the other for the NIC port going to the OpenVPN appliance, using a tiny and cool-running (2 watt) gigabit switch to connect both to my cable modem directly (pictured below)
- multi-day stability of this configuration, no memory leaks, free and stable OpenVPN clients
- automatic shutdown and power up after power outages
I'm happy to now present to you the results of that effort, which was a success. And which I presented, in a live demonstration:
Presented at Security BSides Boston on May 10 2014,
Insecure about using public WiFi? Connect to your home’s OpenVPN appliance, for free.
by Paul Braren on Sat May 10th, 2014
1) Download the appliance
Quick Start Guide for Using the OpenVPN Access Server Virtual Appliance for the VMWare ESXi Virtualization Platform
Current appliance version is: 2.0.7
Last updated: April 16, 2014
openvpn.net/index.php/access-server/download-openvpn-as-vm/469-deploying-openvpn-access-server-from-an-ovf-template-in-vmware-esxi-environment.html
2) Pass a NIC port through to the appliance (VT-d required)
- pass through an Ubuntu-compatible NIC port, in my case, one of my 2 Intel I-350 ports
- reboot ESXi
3) Deploy and configure OpenVPN Access Server Virtual Appliance
it's all explained nicely here:
OpenVPN Access Server Quick Start Guide
OpenVPN Access Server 2.0.2 Release Notes
openvpn.net/index.php/access-server/docs.html?id=229
using the 'vSphere Web Client':
- deploy from OVF
- don't power on
- remove network
- add PCI device (for passthrough) that is natively supported by Ubuntu (one of my Intel I350 ports works)
- run a CAT5e or CAT6 cable from this port to a network switch, such as this energy-sipping D-Link DGS-1005, which is also attached to the cable modem and to my EA6900 WiFi router's WAN port (pictured below)
- 'VM Options' tab, 'VMware Tools', Time, 'Synchronize guest time with host'
- power on VM
- one port on my Intel I350 worked!
- press Enter 5 times, then answer yes to "Use local authentication via internal DB?"
- the rest are defaults as well
- dpkg-reconfigure tzdata (choose America, New York)
- type date (verify it's the correct date/time)
- passwd (set root password)
- passwd openvpn (set openvpn password)
4) Get yourself a computer name at no-ip.com
This is where you'll create yourself a free account, then register one computer name of your choosing. There is no monthly bill, and no credit card required.
Go to noip.com/sign-up and create your account (username, password, email, and computer name), turn off the "Send me newsletters & special offers" checkbox, then click "Free Sign Up."
You're emailed a confirmation that you've successfully activated your account. Only one free account allowed, per email address.
5) Install No-IP Linux Dynamic Update Client (DUC) on your Ubuntu 12.04 LTS
There's a prerequisite: you'll need a C compiler and build tools, as described in Debian Linux: Install GNU GCC Compiler and Development Environment
cyberciti.biz/faq/debian-linux-install-gnu-gcc-compiler
Simple enough to do: simply PuTTY your way to the appliance's IP address, then issue the following 2 commands, one at a time:
# apt-get update && apt-get upgrade
# apt-get install build-essential
Answer 'Y' when prompted. You're done; proceed with the next step, but leave PuTTY open, you'll be needing it again.
The instructions are excellent:
noip.com/support/knowledgebase/installing-the-linux-dynamic-update-client-on-ubuntu
Here's the exact sequence of commands to paste one line at a time followed by enter (or typed carefully, one line at a time):
cd /usr/local/src
wget http://www.no-ip.com/client/linux/noip-duc-linux.tar.gz
tar xf noip-duc-linux.tar.gz
cd noip-2.1.9-1/
make install
- answer 0 for 'eth0'
- enter your no-ip.com login userid/password
- interval: accept the default of 30 by just hitting enter
- 'Do you wish to run something at successful update?[N] (y/N)': choose N
Now you can manually run it; type this command:
/usr/local/bin/noip2
6) Set No-IP DUC to autostart with the appliance
The README.FIRST inside the extracted noip-duc-linux.tar.gz describes the pieces needed to autostart the client. I did the work of grepping through it for you. Here's the sequence of commands you'll be needing to do.
sudo nano /etc/init.d/noip
Copy and paste all the following lines (in PuTTY, highlight the below code, use Ctrl+C to copy into the clipboard, then in the PuTTY window right-click to paste):
#!/bin/sh
# minimal init script for the No-IP dynamic update client (noip2)
case "$1" in
    start)
        echo "Starting noip2."
        /usr/local/bin/noip2
        ;;
    stop)
        echo -n "Shutting down noip2."
        # killproc (used in No-IP's README.FIRST) is a Red Hat helper that Ubuntu
        # does not ship; start-stop-daemon is the Debian/Ubuntu way to send SIGTERM
        start-stop-daemon --stop --name noip2 --signal TERM
        ;;
    *)
        echo "Usage: $0 {start|stop}"
        exit 1
esac
exit 0
Next, save and exit nano (Ctrl+X, then Y, then Enter). Now you're ready for another cut and paste of these 3 lines, which reference the /etc/init.d/noip file you just created:
sudo chmod +x /etc/init.d/noip
sudo update-rc.d noip defaults 98 02
reboot
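For anyone who wants the autostart script to behave like the other services on the appliance, here is an Ubuntu-native version of it. This is an added example, not code from No-IP's README or from the original post; it assumes noip2 is at /usr/local/bin/noip2 (the make install default) and uses start-stop-daemon, which Ubuntu ships in place of Red Hat's killproc.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          noip
# Required-Start:    $network $remote_fs
# Required-Stop:     $network $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: No-IP dynamic DNS update client (noip2)
### END INIT INFO
# Defaults match what 'make install' in noip-2.1.9-1 puts in place.
NOIP2_BIN="${NOIP2_BIN:-/usr/local/bin/noip2}"
NOIP2_NAME="${NOIP2_NAME:-noip2}"   # process name as seen by pgrep

# 0 if the updater is running, 1 otherwise.
noip_running() { pgrep -x "$NOIP2_NAME" >/dev/null 2>&1; }

# Refuse to start twice: two updaters would both poll no-ip.com.
noip_start() {
    if noip_running; then echo "noip2 is already running."; return 0; fi
    echo "Starting noip2."
    # noip2 daemonises itself, so no --background here.
    start-stop-daemon --start --quiet --exec "$NOIP2_BIN"
}

# killproc (from the README.FIRST script) is a Red Hat helper that Ubuntu
# lacks; start-stop-daemon is the Debian/Ubuntu equivalent.
noip_stop() {
    echo "Shutting down noip2."
    start-stop-daemon --stop --quiet --name "$NOIP2_NAME" --signal TERM --retry 5
}

# LSB status codes: 0 running, 3 not running.
noip_status() {
    if noip_running; then echo "noip2 is running."; return 0; fi
    echo "noip2 is not running."; return 3
}

# Dispatch; returns 1 on an unknown action rather than exiting the shell.
noip_ctl() {
    case "$1" in
        start)  noip_start ;;
        stop)   noip_stop ;;
        status) noip_status ;;
        *) echo "Usage: $0 {start|stop|status}" >&2; return 1 ;;
    esac
}

# init invokes this as '/etc/init.d/noip start'; with no action, do nothing.
[ $# -gt 0 ] && noip_ctl "$@"
```

Save it as /etc/init.d/noip, then the same chmod +x and update-rc.d noip defaults 98 02 lines above register it; service noip status then tells you whether the updater survived a reboot.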
7) Configure the appliance through the Web UI
To get started initially, you'll need to paste in this URL, where computername is replaced with the name you chose during No-IP setup:
https://computername.no-ip.biz/admin
- 'Agree' to EULA
- 'Server Network Settings', 'VPN Server'
- change the server's host name (using your no-ip FQDN)
- save, restart the daemon (service)
PC:
- do a speed test (on vzw 149ms/11u/4d) to Connecticut Education Network (189 d / 49 u)
- open http://whatismyipaddress.com (leave it running, just minimize when done)
- Chrome to https://computername.no-ip.biz
- Tray icon, choose "Import", "From server..."
- paste in computername.no-ip.biz
- type in credentials (openvpn/password)
- it'll say click here to continue to download the MSI installer for OpenVPN Connect for Windows; install it, and it'll confirm that the configuration has been saved
- Tray icon, choose [servername], "Go to" [servername]
- bring up the whatismyipaddress.com window again, hit Ctrl+F5 to force a network refresh
- do a speed test (on Verizon LTE, 189ms/6 Mbps down/1.5Mbps up)
iOS (iPhone 5):
- do a speed test (on vzw 178ms/23.7 d/3.0 u)
- Safari to https://computername.no-ip.biz
- ignore cert error (the appliance ships with a self-signed certificate, so this browser warning is expected)
- Username openvpn
- Password (password)
- choose User locked profile
- 'Open in "OpenVPN"'
- click green +
- type password
- click 'Save' slider
- show VPN in native iOS interface
- do a speed test (on vzw 193ms/1.3 d/2.4 u)
Android (Nexus 7):
- Chrome to https://computername.no-ip.biz
- Use link to Google Play Store, download, and install OpenVPN Connect client
- Launch
- Import Profile
- computername.no-ip.biz
- enter "Username" and "Password", and ensure checkbox for "Save"
- turn on checkbox for "Import Autologin Profile"
- verify with checkbox "I trust this application."
- visit whatismyipaddress.com to verify
Step-by-step Video Walk-through
[later this summer, will be inserted right here]
See also
A simpler configuration method, that allows convenient remote access to all your home network IP addresses/devices, at the expense of somewhat-increased security exposure:
Using your home network’s ESXi or Hyper-V OpenVPN appliance to safely use public WiFi
by Paul Braren on Dec 13 2013
Setting your (Windows) client to automatically connect to your VPN when your computer starts:
openvpn.net/index.php/access-server/docs/admin-guides/461-setting-your-client-to-automatically-connect-to-your-vpn-when-your-computer-starts.html
UbuntuBootupHowto:
help.ubuntu.com/community/UbuntuBootupHowto
Certificate generation and distribution:
community.openvpn.net/openvpn/wiki/Easy_Windows_Guide#BuildingCertificatesandKeys
Authy Open VPN Two-Factor Authentication:
github.com/authy/authy-openvpn
OpenVPN Access Server System Administrator Guide:
openvpn.net/images/pdf/OpenVPN_Access_Server_Sysadmin_Guide_Rev.pdf
Client connect script to email:
forums.openvpn.net/topic10024.html
Dynamic IP Address? Point it to a static hostname for easy remote access.
no-ip Remote Access with Enhanced Dynamic DNS
noip.com
Press release: No-IP Takes Stock of Toll on Customers from Microsoft's Service Takedown
noip.com/blog/2014/07/15/no-ip-takes-stock-of-toll-on-customers-from-microsofts-service-takedown
Security Now 463: Your Questions, Steve's Answers 191
At this spot in the podcast, recent no-ip issue explained.