Archive

Posts Tagged ‘VPN’

Setup your own VPN with OpenVPN

February 6th, 2017 No comments

Using the excellent Digital Ocean tutorial as my base I decided to setup an OpenVPN server on a Linux Mint 18 computer running on my home network so that I can have an extra layer of protection when connecting to those less than reputable WiFi hotspots at airports and hotels.

While this post is not meant to be an in-depth guide, you should use the original for that, it is meant to allow me to look back at this at some point in the future and easily re-create my setup.

1. Install everything you need

sudo apt-get update
sudo apt-get install openvpn easy-rsa

2. Setup Certificate Authority (CA)

make-cadir ~/openvpn-ca
cd ~/openvpn-ca
nano vars

3. Update CA vars

Set these to something that makes sense:

export KEY_COUNTRY=”US”
export KEY_PROVINCE=”CA”
export KEY_CITY=”SanFrancisco”
export KEY_ORG=”Fort-Funston”
export KEY_EMAIL=”me@myhost.mydomain”
export KEY_OU=”MyOrganizationalUnit”

Set the KEY_NAME to something that makes sense:

export KEY_NAME=”server”

4. Build the CA

source vars
./clean-all
./build-ca

5. Build server certificate and key

./build-key-server server
./build-dh
openvpn –genkey –secret keys/ta.key

6. Generate client certificate

source vars
./build-key-pass clientname

7. Configure OpenVPN

cd ~/openvpn-ca/keys
sudo cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf

Edit config file:

sudo nano /etc/openvpn/server.conf

Uncomment the following:

tls-auth ta.key 0
cipher AES-128-CBC
user nobody
group nogroup
push “redirect-gateway def1 bypass-dhcp”
push “route 192.168.10.0 255.255.255.0”
push “route 192.168.20.0 255.255.255.0”

Add the following:

key-direction 0
auth SHA256

Edit config file:

sudo nano /etc/sysctl.conf

Uncomment the following:

net.ipv4.ip_forward=1

Run:

sudo sysctl -p

8. Setup UFW rules

Run:

ip route | grep default

To find the name of the network adaptor. For example:

default via 192.168.x.x dev enp3s0  src 192.168.x.x  metric 202

Edit config file:

sudo nano /etc/ufw/before.rules

Add the following, replacing your network adaptor name, above the bit that says # Don’t delete these required lines…

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o enp3s0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

Edit config file:

sudo nano /etc/default/ufw

Change DEFAULT_FORWARD_POLICY to ACCEPT.

DEFAULT_FORWARD_POLICY=”ACCEPT”

Add port and OpenVPN to ufw, allow it and restart ufw to enable:

sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
sudo ufw disable
sudo ufw enable

9. Start OpenVPN Service and set it to enable at boot

sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

10. Setup client configuration

mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf

Edit config file:

nano ~/client-configs/base.conf

Replace remote server_IP_address port with the external IP address and port you are planning on using. The IP address can also be a hostname, such as a re-director.

Add the following:

cipher AES-128-CBC
auth SHA256
key-direction 1

Uncomment the following:

user nobody
group nogroup

Comment out the following:

#ca ca.crt
#cert client.crt
#key client.key

11. Make a client configuration generation script

Create the file:

nano ~/client-configs/make_config.sh

Add the following to it:

#!/bin/bash

# First argument: Client identifier

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

cat ${BASE_CONFIG} \
<(echo -e ‘<ca>’) \
${KEY_DIR}/ca.crt \
<(echo -e ‘</ca>\n<cert>’) \
${KEY_DIR}/${1}.crt \
<(echo -e ‘</cert>\n<key>’) \
${KEY_DIR}/${1}.key \
<(echo -e ‘</key>\n<tls-auth>’) \
${KEY_DIR}/ta.key \
<(echo -e ‘</tls-auth>’) \
> ${OUTPUT_DIR}/${1}.ovpn

And mark it executable:

chmod 700 ~/client-configs/make_config.sh

12. Generate the client config file

cd ~/client-configs
./make_config.sh clientname

13. Transfer client configuration to device

You can now transfer the client configuration file found in ~/client-configs/files to your device.


This post originally appeared on my personal website here.

Categories: Open Source Software, Tyler B Tags: ,

10 Things You Must Know About Linux Security

December 29th, 2016 No comments

Millions of users that opt out for using Linux operating system for two decades now, all on the grounds that it is much safer than most others on the market. While it’s true that Linux is less susceptible to security breaches, it is not impenetrable (no system on the planet is), which is why users should get acquainted with some security precautions that can protect their devices even more. The main topic of this article are 10 things you must know about Linux security, and we’ll try to bring this topic closer to home and closer to everyday use of your OS.

1. It All Starts with Updates

Even if you were using the most secure operating system on Earth, it still wouldn’t do you much good unless you keep it up to date. Linux distributions are usually very easy to manage when it comes to the matter at hand and we wholeheartedly suggest you setting up automated updates so that you can rest assured that everything is under control. Also, remember to keep all your apps updated as well, because cybercriminals use them as the back entrance for installing malicious software.

2. Separate Disk Partitions

This is computer security 101 and Linux is not an exemption from the rule. The fact that Linux offers more safety doesn’t mean that you can’t downgrade it by being negligent when it comes to protecting your security. As soon as you’ve set up Linux, be sure to separate disk partitions, so that you have a few different ones for different purposes. This is a form of insurance in case anything goes wrong with a program or a virus starts running rampant. Chances are bigger that the threats will stay contained only on one partition, so you don’t have to eliminate all the data from your device, but just what’s on a particular partition.

3. Security Enhanced Linux

SELinux is one of the main reasons why this operating system is considered to be so bulletproof, but it can also prove to be a bit overbearing. This is a security mechanism that comes in the kernel and it will be extremely careful for you not to stumble on anything malicious on the internet and sometimes it will be too careful. However, shutting it down completely can result in complete security failure of the OS and you don’t want to do that. It would be wise to at least have SELinux in permissive mode, where it won’t enforce its security policy, but it will actively inform you if there’s something you should be worried about.

4. Make Use of the Firewall

Maybe you’re not familiar with the fact that Linux has a very efficient firewall, but now that you know, you should use it all the time. The component is called iptables and it grants you significant amount of control when it comes to keeping your network traffic in check. The firewall is usually disabled by default, but you can turn it on easily enough, depending on which distro of Linux you’ve got.

5. Old Passwords

Using old passwords is a recipe for potential disaster, because it makes it much easier on hackers to get into your device and wreak havoc. Linux has a solution for this problem – it restricts any account from using any of the past five passwords that have been used. If you do try to reuse one of your old passwords, it will simply show an error page and request a new one.

6. Security Software

Many people think that it’s an overkill to have security software on top of already very secure Linux, but it can bring no harm. Having an antivirus program can hardly be a bad thing and if all other system defenses fail, it will be there to save the day. Furthermore, if you’re concerned about your privacy when browsing the internet, consider getting a VPN service to encrypt activities on the web and prevent surveillance.

7. Manual Account Lock

If there are users of the device that don’t inspire trust or simply won’t be using their account for a while, you can lock down their account in the OS. If the user of the locked account tries to access it, he/she will only get an error page saying that the account isn’t available. Bear in mind that the lock account option is only available for root user.

8. Think about Browser Security

Browsers are always potential security weak links unless you tend to them. No matter what browser you use, hackers can find a way to slither between the cracks, which is why you should take full advantage of security plugins that abound for any browser there is.

9. Encrypting Your Hard-Disk

This is great prevention for any unfortunate event of your laptop getting stolen or lost. Choosing to encrypt all the essential data on your device prevents anyone from misusing it and you can rest assured that no unauthorized person can reach your confidential information, because they’ll need FDE password that only you know. The best thing is that this encryption won’t in any way slow down your computer’s performance.

10. You Need Strong Password

This is another security 101 tip, which many Linux users forget about because they believe that the OS’s security can’t be breached. If you use simple and weak passwords, then a simple brute force attack can have your security crumbling down. Don’t gamble with this aspect of your safety and have a strong password for your Linux OS.

If your computer’s security is one of your primary concerns, then using Linux will definitely give you some peace of mind. Just remember that you also have to put some effort into securing your device even more so that your OS becomes a fortress against cybercriminals.


Thomas Milva is 28 and has been in an Information Security Analyst for over four years. He loves his job, but he also loves spending his time in nature, because he’s working from home, which sometimes means not getting enough fresh air. He also regularly writes for wefollowtech.com, where he often comments on the latest web trends in his articles. Thomas currently lives in Baton Rouge with his dog, two fish and his girlfriend.

How To Set Up An OpenVPN Client On Linux

September 28th, 2016 No comments

Getting a VPN set up right on your Linux machine has a number of advantages, especially today when online privacy is a must and files are being shared remotely more extensively than ever. First off, securing your connection with a virtual private network will keep your online traffic encrypted and safe from hackers and other people with malicious intents. But originally, VPNs weren’t used for that reason at all; rather, they were exactly what the name suggests: virtual private networks. By connecting to a VPN, your computer and, for example, your colleague’s remote computer (that’s not physically connected to it via a LAN cable), can “see” each other as if they were part of a local area network and share files via the Internet. VPNs can also be utilized for remotely accessing a computer to offer assistance, or for whatever other reason you’d need to.

OpenVPN is regarded as one of the most secure and most efficient tunneling protocols for VPNs, and fortunately enough it’s quite simple to set up an OpenVPN client on a Linux computer if you know your way around the terminal.

Installing and Configuring The Client

First of all, you have to install the OpenVPN package, which you can easily do via the terminal command sudo apt-get install openvpn. Enter your sudo password (the password of your account) and press Enter. A few dependencies ask for permission to be installed, so just accept all of them for the installation to finish.

Then you’ll have to grab a few certificates off the server that the client side needs in order for OpenVPN to work. Locate the following files on your server PC and put them on a flash drive, so that you can copy them to your client PC:

  • /etc/openvpn/easy-rsa/keys/hostname.crt

  • /etc/openvpn/easy-rsa/keys/hostname.key

  • /etc/openvpn/ca.crt

  • /etc/openvpn/ta.key

Copy all of the files to the /etc/openvpn directory of your client PC (note that instead of “hostname”, in the first two files, it will be the hostname of your client). To further configure the client you have to use the command sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn, which copies a sample configuration file to the right directory.

Editing The Configuration File

Use a text editor such as gpedit to open the client.conf file and locate the following text:

dev tap
remote vpn.example.com 1181
cert hostname.crt
key hostname.key
tls-auth ta.key 1

You need to make a few changes here. Instead of “vpn.example.com”, put your server’s address. “1181” should be the port of your OpenVPN server, and “hostname” should, once again, be the actual name of the certificates that you copied to etc/openvpn/easy-rsa/keys a moment ago.

Now that you’ve set all of this up, you need to restart OpenVPN with the following command: sudo /etc/init.d/openvpn restart. Your remote local area network should be accessible now, which you can check by pinging the server’s VPN IP address.

Setting Up A Graphic UI Tool for OpenVPN

Unless you feel like using the terminal to navigate to every file and folder on your virtual network, it’s a good idea to set up some kind of a GUI. The Gadmin OpenVPN client does a fantastic job at this, and it’s real simple to set up, either via the Ubuntu Software Center, Synaptic or PackageKit. No matter what you choose, once it’s installed simply run the command sudo gadmin-openvpn-client and a neat graphic user interface will appear on the screen.

Now all you have to do is input some information about the server, and you’re set. Fill in the Connection name (what you’d like the connection to your VPN to be called), the Server address (the IP address of your OpenVPN server), the Server port, and the location of the certificates (the ca.crt and ta.key files mentioned earlier). Once you’re done with that, click the Add button, select the connection that you’ve just created and click Activate. Your VPN network will now be accessible.

That’s it, you’re done! You now have your own OpenVPN server that you can use to share data. Note that there are plenty other GUI tools for VPNs to be found in the Software store, so if you don’t like Gadmin, you can always use something else and still have access to OpenVPN, just through a different interface.

Summary

As you can see, it’s pretty simple to set up an OpenVPN client and connect to an existing VPN server. Setting up an OpenVPN server on Linux is a bit more of a challenge, though it’s perfectly possible. For a better and smoother experience, though, you might want to think about subscribing to a dedicated VPN provider, such as ExpressVPN. It’s not free, but it’ll give you greater security and stability, and save you the hassle of maintaining an OpenVPN server by yourself. If you’re interested, you should check out some ExpressVPN reviews before you make your choice.

Thomas Milva is an IT Security Analyst, Web entrepreneur and Tech enthusiast. He is the co-editor of http://wefollowtech.com

vpnc and me

September 17th, 2009 4 comments

After a brief hiatus of making posts (I document my daily trials all day at work, so it’s not usually the first thing I want to do when I get home) I’ve decided to make a beneficial post about how I can now do WORK (from home) on my Fedora 11-based laptop.  Hooray!

At the corporation where I work, our network and firewall infrastructure is – of course – Cisco-based.  Naturally, in order to connect to our corporate network from home, we use Cisco’s own VPN Client.  For distribution to various users across the company, my workplace has provided discs with pre-configured installations of this client, all set and ready to go to connect to our corporate network.  This prevents the dissemination of unnecessary information (VPN IP addresses, etc.) across the ranks, and makes it much easier for the non-savvy user to get connected.

I’ve all ready had a bit of experience using this client on my Windows Vista and Windows 7-based computers.  Unfortunately for me, the Cisco VPN Client we use at work only operates in a 32-bit Windows environment… meaning that on Windows Vista, I had to run a full-fledged copy of Virtual PC with a Windows XP installation.  In Windows 7, I was fortunate enough to be able to use its own built-in Windows XP Mode.

Trial and Error

My first thought to get this software working under Fedora 11 was probably the most simple – run it in Wine!  I’ve had limited experience with Wine in the past, but figured that it was probably my best bet to get the Windows-only Cisco client functioning.  Unfortunately for me, attempting to install the program in Wine only results in a TCP/IP stack error, so that was out of the question.

My next thought – slightly better than the first – came when it was announced that I could nab a copy of the Linux version of the Cisco VPN Client from work.  As luck might have it, it’s a bitch of a program to compile and install, and I had to stop myself short of throwing my laptop into the middle of our busy street before I just gave up.

Better Ideas

At this point, I was just about ready to try anything that could possibly get VPN connectivity working for me on my laptop.  Luckily, a quick search of ‘Cisco VPN Linux’ in Google shot back the wondrous program that is vpnc.  After seeing various peoples’ success with vpnc – a fully Linux-compatible Cisco VPN equivalent – I did a bit of reading up on the documentation and quickly installed it using yum:

$ yum install vpnc.x86_64

There, easy enough.  Further reading on vpnc indicated that I needed to edit a file known as default.conf – located in the /etc/vpnc directory – to store my VPN settings for work, if desired.  Opening up the config file included with the Windows version of the client, I pretty much copied everything over verbatim:

$ cd /etc/vpnc

$ nano default.conf

IPSec gateway [corporate VPN address]

Xauth username [domain ID]

Xauth password [domain password]

Domain [corporate domain]

From there, I performed a write out to the default.conf and saved my information.  The only complaint I might have about this step is that everything in this file is stored as plain-text, and does not appear encrypted whatsoever.  Since we are using a WPA2-encrypted wireless network and the VPN tunnel is secured, I wasn’t too concerned – but still.

At this point, I was now ready to test vpnc connectivity.  Typing in at the terminal

$ vpnc default.conf

I was rewarded with a triumphant ‘vpnc started in background’.  Hooray!  But what to do from here – how to connect to my work computer?  On Windows, I just use Remote Desktop… so logic following through as it does, I typed:

$ rdesktop [computername].[domain]

Instantly, I was showered in the beauty that was a full-screen representation of my Windows XP Professional-based work computer.

A shot of vpnc running in terminal, and my desktop running in rdesktop.

A shot of vpnc running in terminal, and my desktop running in rdesktop.

It certainly was not as easy a process as I’m making it out to be here – indeed, I did have to figure out to add .[domain] to the end of my computer name, as well as allow vpnc’s ports to flow through by performing a terminal netstat command and then opening them accordingly in the Fedora firewall – but I am now connected to work flawlessly, using open-source software.

Categories: Dana H, Fedora, Linux Tags: , , , ,