« Self service at local grocery store | Main | Oral-B Braun 9500 Triumph DLX Electric Toothbrush review »

HOWTO: Free Secure web browsing and access to home network using OpenVPN

February 03, 2007
Keywords:

Public WiFi access points are getting more and more common making it easier to browse the Internet and read your emails on the run. Unfortunately tools to capture or manipulate such open traffic are getting very mature and easy to use.

Windows Remote Desktop and VNC/RealVNC are two very convenient ways of connecting to your home desktop from anywhere in the world. Unfortunately once you enable public remote connections then any person or hacker can also try and connect.

I'll admit that I am a bit late to the game but I have finally found a solution and managed to implement it.

It is called OpenVPN and has all the benefits of open source software: supported by a large community, you can inspect or improve the code, it is free, you can audit the security and much more. As a bonus it is also supported on many different operating systems.

In a nutshell OpenVPN consists of a server part which runs on a computer (or compatible router) on your home network and a client part which runs on remote machines. You use the same software for both parts; it is just the configuration that distinguishes a server from clients.

Once the remote machine has connected to your machine at home, all Internet traffic is tunneled (sent) securely to the machine and then out on the public Internet.

Instant messaging, emails, web browsing, document transfers, video conferencing, VOIP, anything and everything will be transparently encrypted and forwarded to your machine at home.

Any hacker listening to your traffic on the public WiFi will from then on just see 2048 bit encrypted traffic and any hacker wanting to connect to your home computer will require a signed certificate resigning on your home computer (unlikely).

Download
I'll assume you are using Windows in which case the OpenVPN GUI is a great addition to the OpenVPN and you should download both at the same time (choose openvpn-2.0.9-gui-1.0.3-install.exe).

Install
Run the installers (with admin privileges) and choose the default installation locations.

Configure network settings (bridge)
OpenVPN will install a new network device (TAP-Win32 Adapter V8) which is used for the encrypted traffic.

On the server machine you will have to bridge the TAP-Win32 Adapter V8 with whatever network adapter you are using to connect to the network (most likely LAN).

Select the two network adapters in Network Connections, right click and choose bridge connection. This could take up to 45s but after that your Internet connection should function normally. If it doesn't, you may have to modify the bridged connection with whatever settings your LAN connection had previously.

The good news is that you don't need to bridge adapters on the client machines.

Create keys and certificates
OpenVPN is based on PKI (public key infrastructure) for session authentication and you will need to create several certificates and private keys for connecting to the OpenVPN server.

First you will create your own CA (Certificate Authority) certificate and use it to sign your (one) server and (many) client certificates. You will also need to generate a file with Diffie hellman parameters.

The README file in the easy-rsa folder explains this very well and provides several batch (.bat) files to automate this.

One advice would be to create private keys WITHOUT a password. You do this by selecting a blank (none) password when the script asks for one.

Configure server
OpenVPN comes with sample server and client configuration scripts in the sample-config directory. Copy the server script over to the config directory and customise it for your environment. Below are some of the most important settings:

port 1194 # The default OpenVPN port
proto udp # more efficient than TCP but not always available for clients
;dev tun # you will not be using this
dev tap
dev-node OpenVPN # or whatever you renamed it to in Windows Network Connections
ca ca.crt
cert <server machine name>.crt
key <server machine name>.key
dh dh1024.pem
;server 10.8.0.0 255.255.255.0 # you will not be using this
server-bridge <gateway ip> 255.255.255.0 <start client ip> <end client ip> # Eg 192.168.0.1 255.255.255.0 192.168.0.60 192.168.0.70
push "redirect-gateway" # This will forward ALL client internet traffic over the encrypted channel to your home
client-to-client # if you want the different connected remote machines to see each other and be able to exchange files
keepalive 10 120
cipher BF-CBC # Blowfish encryption. Use DES-EDE3-CBC for ultimate security
comp-lzo # compression on
persist-key
persist-tun
status openvpn-status.log # Monitor this log file for any problems
verb 3 # use verb 6 for diagnostics

Configure clients
client
;dev tun # you will not be using this
dev tap
dev-node OpenVPN # or whatever you renamed it to in Windows Network Connections
proto udp
remote <server IP or host name> <port number> # The public IP of your
OpenVPN server
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert <client machine name>.crt
key <client machine name>.key
cipher BF-CBC # Must be same as on the server
comp-lzo
verb 3

Improve security
On server:
port 51002 # Use a high number (>10,000 for higher security)
max-clients 1 # Limit this to how many remote machines you expect to connect
cipher DES-EDE3-CBC # Triple-DES for ultimate encryption
tls-auth ta.key 0 # An additional layer of protection, the effect is a bit like using a firewall. Generate it with openvpn --genkey --secret ta.key. Use 1 in client configurations
;client-to-client # Do no allow client to client connections

On client:
ns-cert-type server # Easy-rsa automatically creates server certificates with this flag
tls-auth ta.key 1

If you have any questions feel free to leave a comment and I'll see if I can help you out!



Comments

  1. Mark H Says:

    no gravatar

    Interesting... though triple-DES does not qualify as "Ultimate security". Good security should require at least AES with 256 bit keys.

    I'm not a security expert, but suggest you check with one before entrusting important data to triple-DES.

Post a Comment

 *

 *

 
Remember Me?

* (you may use HTML tags for style)