OpenVPN like a boss

So tomorrow, I fly off to DefCON 🙂 I always have a blast when I go there! However, I always like to take a few precautions – all electronic shit that goes with me has to go completely reghosted and anonymized. And when I get back, you better believe that I wipe the hell out of it.

Each year, I try to top my last year’s config. Last year, I made do with TOR; and frankly, it’s just not secure enough. I think I can do better. So this year, I’m setting myself up with my own OpenVPN server and I’m routing all my traffic through that.

There are so many tutorials on setting up OpenVPN already, I feel a bit dumb rolling out my own. However, I did have to combine three different tutorials to get the results I wanted… What the hell, might as well put out my own methodology.


The Server

The first thing you’re going to need is the server, of course. If you’ve got a bit of dosh, or extra hardware, you can just build your own and open it up to the world. You’ll just need to set up NAT on your router. If you don’t know what that is… Well, maybe setting up OpenVPN just isn’t for you.

If you don’t have hardware lying around, consider getting yourself a VPS. They’re inexpensive: a regular linux box will set you back $20 a month and if you don’t like the service, you can get rid of it at the end of the month lickety split, no strings attached.

Go for a *nix distro that you like and are comfortable with. No use struggling with your VPN config and your O/S. I use Ubuntu. I’m sure a lot of you out there have something to say about that – wonderful; go write your own blog post then, you trolls! 😀

OpenVPN setup

Not very complicated with Ubuntu: apt-get install openvpn. This gets you set up with the basic structure. You can’t run it right out of the box, though: you first need to set up a few things. Not complicated though, I promise.

OpenVPN provides all the sample config files you need. You start by copying /usr/share/doc/openvpn/examples/easy-rsa/2.0/vars to /etc/openvpn/easy-rsa. You then edit the file – all you really need to change are the settings for your cert, i.e.:

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="<your ip address>"
export KEY_EMAIL="<some email addy you don't care too much about>"

You then clean up that directory and generate new certs; check out the second tutorial referenced below, the code I have here is copied from there. I would clarify, though, that this code is to be executed from your /etc/openvpn/easy-rsa directory:

# source ./vars
# ./clean-all
# ./build-dh
# ./pkitool --initca
# ./pkitool --server <server IP>

# ./pkitool <put your workstation's host name here>

Do yourself a favor: don’t be lazy and actually use server names and workstation names that mean something to you. “server” and “client” don’t really cut it. Makes it easy for you to recognize your work from somebody else’s, if you know what I mean.

Copy the resulting files (which are in the /etc/openvpn/easy-rsa/keys folder) to /etc/openvpn. Also, you'll need a copy of the workstation's cert and key plus the ca.crt certificate in your workstation's /etc/openvpn directory – you can use scp for the transfer.

Next, you’ll need to create a server.conf file. Copy the sample file from /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz to /etc/openvpn (you can do this directly using zcat: zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf)

Modify server.conf:

ca ca.crt
cert <my server's name>.crt
key <my server's name>.key
client-config-dir ccd
route 10.8.0.0 255.255.255.0 # Chg this to whatever addy suits you
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS x.x.x.x" # Use a DNS of your choice, i.e. Google DNS

The client-config-dir directive allows you to create custom config settings for each of your clients — so create a ccd directory in /etc/openvpn, create a new file in it with the name of your workstation (the common name on its cert), and insert this line:

ifconfig-push 10.8.0.10 10.8.0.11

This will give your workstation a fixed IP address of 10.8.0.10.

Finally, start openvpn with sudo /etc/init.d/openvpn start.

Firewall

For traffic to go through the VPN, you'll need to enable IP forwarding and set up your IP tables. This is how you do it:
run sudo apt-get install iptables-persistent
edit /etc/sysctl.conf and uncomment net.ipv4.ip_forward=1 (it takes effect after sysctl -p or a reboot)
run iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
run iptables-save > /etc/iptables/rules. IMPORTANT: this will crush your existing rules file. Only do this if you know what you're doing!
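The server.conf, ccd and iptables steps above are easy to get subtly wrong, and OpenVPN does not always complain loudly when you do. The script below is an added example, not code from the post or from the OpenVPN project: it lints a server.conf, a ccd file and the output of iptables-save -t nat (all three constructed inline, with a placeholder host name vpnbox and a laptop workstation) and reports the mistakes that break a full-tunnel setup: a key directive pointing at a .crt, a misspelled client-config-dir, a missing redirect-gateway or DNS push, an ifconfig-push pair outside the VPN subnet or not a valid net30 /30 pair (the OpenVPN manual requires last octets like 1/2, 5/6, 9/10 for Windows TAP clients; a Linux tun client still works), and a MASQUERADE rule that does not cover the tunnel subnet.

```python
"""Lint an OpenVPN full-tunnel server setup (added example; not the post's own code)."""
import ipaddress
import re

# Constructed sample inputs; "vpnbox" and "laptop" are placeholder names.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert vpnbox.crt
key vpnbox.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-config-dir ccd
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
"""

# Same file with the slips the post's first draft had: key -> .crt, "client-config dir", no DNS push.
BAD_SERVER_CONF = """\
ca ca.crt
cert vpnbox.crt
key laptop.crt
server 10.8.0.0 255.255.255.0
client-config dir ccd
route 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
"""

CCD_LAPTOP = "ifconfig-push 10.8.0.10 10.8.0.11\n"   # constructed ccd/laptop file

NAT_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

MASQ_RE = re.compile(r"-A POSTROUTING\s+.*-s\s+(\S+).*-j\s+MASQUERADE")


def parse_conf(text):
    """Return (directive, args) pairs; '#' comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            head, _, rest = line.partition(" ")
            entries.append((head, rest.strip()))
    return entries


def vpn_subnet(entries):
    """The tunnel subnet from 'server <network> <netmask>', or None if absent."""
    for directive, args in entries:
        if directive == "server":
            network, netmask = args.split()[:2]
            return ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    return None


def check_server_conf(text):
    entries = parse_conf(text)
    directives = {d for d, _ in entries}
    problems = []
    if "server" not in directives:
        problems.append("server.conf: missing 'server <network> <netmask>'")
    for directive, args in entries:
        if directive == "cert" and not args.endswith(".crt"):
            problems.append(f"server.conf: cert should name a .crt file, got {args}")
        if directive == "key" and not args.endswith(".key"):
            problems.append(f"server.conf: key should point at the server's .key file, got {args}")
    if "client-config-dir" not in directives:
        hint = " (found 'client-config'; the directive is client-config-dir)" if "client-config" in directives else ""
        problems.append("server.conf: no client-config-dir, so ccd files are ignored" + hint)
    pushes = " ".join(a for d, a in entries if d == "push")
    if "redirect-gateway" not in pushes:
        problems.append("server.conf: no push \"redirect-gateway\": client traffic stays outside the tunnel")
    if "dhcp-option DNS" not in pushes:
        problems.append("server.conf: no push \"dhcp-option DNS\": clients keep using the resolver their LAN handed out")
    return problems


def check_ccd(text, subnet):
    problems = []
    for directive, args in parse_conf(text):
        if directive != "ifconfig-push":
            continue
        local, remote = (ipaddress.ip_address(a) for a in args.split()[:2])
        for addr in (local, remote):
            if subnet is not None and addr not in subnet:
                problems.append(f"ccd: {addr} is outside the VPN subnet {subnet}")
        a, b = int(local), int(remote)
        # net30 rule: both ends in the same /30 and using that block's .1/.2 host slots
        if a // 4 != b // 4 or {a % 4, b % 4} != {1, 2}:
            problems.append(f"ccd: {local}/{remote} is not a net30 /30 endpoint pair "
                            "(last octets like 1/2, 5/6, 9/10; required for Windows TAP clients)")
    return problems


def check_nat(text, subnet):
    covered = False
    for line in text.splitlines():
        m = MASQ_RE.search(line)
        if m and subnet is not None and subnet.subnet_of(ipaddress.ip_network(m.group(1), strict=False)):
            covered = True
    if covered:
        return []
    return [f"nat: no POSTROUTING MASQUERADE rule covering {subnet}; replies to VPN clients never come back"]


def audit(server_conf, ccd, nat_rules):
    """All problems found across the three inputs; an empty list means the setup looks sane."""
    subnet = vpn_subnet(parse_conf(server_conf))
    return check_server_conf(server_conf) + check_ccd(ccd, subnet) + check_nat(nat_rules, subnet)


if __name__ == "__main__":
    for name, conf in (("good", SERVER_CONF), ("as-posted", BAD_SERVER_CONF)):
        print(f"--- {name} ---")
        for problem in audit(conf, CCD_LAPTOP, NAT_RULES) or ["no problems found"]:
            print(problem)
```

Run it on the real files (server.conf, the ccd file for your workstation, and iptables-save -t nat piped into it) after each change. One caveat the checks cannot see: on a Linux workstation the pushed dhcp-option DNS is only applied if the client config runs an up/down script such as the update-resolv-conf script shipped with Ubuntu's openvpn package (with script-security 2); without it the tunnel carries your traffic but DNS still goes wherever it went before.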

Your workstation

As a quick reminder, a copy of your workstation cert, workstation key and the CA's cert must be in your /etc/openvpn directory. Copy the sample client file from /usr/share/doc/openvpn/examples/sample-config-files/ to /etc/openvpn, then make sure that your cert and key directives have been modified to use <my workstation>.crt and <my workstation>.key (ca.crt remains unchanged). Then start up openvpn — the first few times, you may wish to tail your /var/log/syslog file to double-check that OpenVPN didn't generate any errors! It takes a while for tun0 to come up but once it does, you should be A-OK!

I would recommend tightening up your firewall configuration!

Last but not least, here are the great tutorials I used as a reference:
Ubuntu’s community page on OpenVPN (helped me understand configuration of the certs but the bridging setup looked like a pain in the ass)
Secure Proxy using OpenVPN and Squid (great tut but I wanted to route ALL traffic)
Sébastien Wains’ post on the subject (was the third of a three-part post. I was interested in the forwarding, the iptables settings and the bit about redirect-gateway)

Thanks for reading 🙂