Hands-on: OpenVPN - Offerman Consulting

Private and Secure Computing
Hands-on: OpenVPN
Installing and configuring an OpenVPN server and gateway, and setting up OpenVPN clients on Linux and Android
Adrian Offerman

Page 1

Private and Secure Computing

This book takes a very different approach to the installation and configuration of (open source) software. We did not want to include dozens of pages on compiling and installing a package that is readily available and can be downloaded and installed directly from an online software repository with a single command, especially since we think that in a production environment using the packages provided with a (Linux) distribution is the best way to go. The same is true for extensive listings of all commands and their options, often a beautified dump of the man pages and already out of date when the book is printed. That’s just a waste of paper, shelf space, and your time.

Instead, we want to provide you with a hands-on book that’s concise, precise and complete. It guides you through the full installation and configuration of an OpenVPN server and gateway on Linux, followed by the set-up of clients on Linux and Android. Each section provides a quick introduction and overview of the software – basically a short description, its purpose and a list of features – followed by a task-driven manual to build a complete set-up. In addition to these instructions, screengrabs and configuration listings, we provide further options and variations, examples, tips and tricks, warnings, and security/privacy implications. Working your way through this book, each section provides you with a fully functional set-up.

We hope that you enjoy this approach – and even more important: that it works for you!

About the author

Adrian Offerman has an M.Sc. degree in Computer Engineering from Delft University of Technology and an M.Sc. degree in Psychology from Leiden University, both in the Netherlands. He has been working for over twenty years as an independent IT specialist journalist and as a consultant and engineer, focussing on technology, business and markets.

Currently, he works on projects involving internet and web technologies, building on Linux and Open Source Software. He is also involved in several technology communications projects on internet and networking technology, security, cryptography, Linux, and Open Source Software.

Hands-on: OpenVPN

Installing and configuring an OpenVPN server and gateway, and setting up OpenVPN clients on Linux and Android

Adrian Offerman


Offerman Consulting
Raaphorst 121
2352 KJ Leiderdorp
The Netherlands


Imprint

Hands-on: OpenVPN
Installing and configuring an OpenVPN server and gateway, and setting up OpenVPN clients on Linux and Android
by Adrian Offerman

Copyright

Copyright © 2014, Adrian Offerman. All rights reserved.

Offerman Consulting
Raaphorst 121
2352 KJ Leiderdorp
The Netherlands
http://www.offerman.com/

Version history
- version 0.1.0, November 2014: initial release; using OpenVPN 2.3.2 on CentOS 6.6 and Fedora 20, OpenVPN Connect 1.1.14 on CyanogenMod 10.2.0

ISBN: 978-1503048485 (NL: 978-9492162007)

Disclaimer

Although the author and publisher have made every effort to ensure that the information in this book was correct at press time, the author and publisher do not assume and hereby disclaim any liability to any party for any loss, damage, or disruption caused by errors or omissions, whether such errors or omissions result from negligence, accident, or any other cause. Solutions described in this book are meant for citizens, companies and public agents to protect their privacy and security. Make sure using these technologies is not forbidden in your country before deploying.


Contents

Preface 5
VPN 7
VPN service providers 9
OpenVPN 13
Installing OpenVPN server on Linux 17
Configuring OpenVPN server 19
  PKI 22
  HMAC firewall 32
  Server set-up 33
  Opening up the firewall 35
  Running the server 36
  Redundancy and scalability 37
Configuring an OpenVPN gateway 39
  IP forwarding 44
  Routing/masquerading 45
  DHCP options 46
  DNS resolving 48
  Verification 49
Installing an OpenVPN client on Linux 53
  daemon set-up 57
    Configuration 58
    Verification 62
  NetworkManager 65
    Configuration 66
    Verification 74
Installing an OpenVPN client on Android 79
  OpenVPN Connect 80
  Installation 81
  Configuration 82
  The Android Keychain credential store 89
  Preferences and options 93
  Using a proxy 94
What's next 97
About the author 99
Credits 99
Colophon 99


Preface

This book takes a very different approach to the installation and configuration of (open source) software. We did not want to include dozens of pages on compiling and installing a package that is readily available and can be downloaded and installed directly from an online software repository with a single command, especially since we think that in a production environment using the packages provided with a (Linux) distribution is the best way to go. The same is true for extensive listings of all commands and their options, often a beautified dump of the man pages and already out of date when the book is printed. That's just a waste of paper, shelf space, and your time.

Instead, we want to provide you with a hands-on book that's concise, precise and complete. It guides you through the full installation and configuration of an OpenVPN server and gateway on Linux, followed by the set-up of clients on Linux and Android. Each section provides a quick introduction and overview of the software – basically a short description, its purpose and a list of features – followed by a task-driven manual to build a complete set-up. In addition to these instructions, screengrabs and configuration listings, we provide further options and variations, examples, tips and tricks, warnings, and security/privacy implications. Working your way through this book, each section provides you with a fully functional set-up.

We hope that you enjoy this approach – and even more important: that it works for you!


- VPN
- OpenVPN
- Installing OpenVPN server on Linux
- Configuring an OpenVPN gateway
- Installing an OpenVPN client on Linux
  - daemon set-up
  - NetworkManager
- Installing an OpenVPN client on Android


Virtual Private Networking

Usage:
- to safely bridge The First Mile
  - that way preventing ISPs and access/network providers from logging the metadata of your connections, and so protecting your privacy
- to punch a hole in outbound firewalls
  - that way circumventing:
    - blockades, e.g. by ISPs or access/network providers
    - censorship, e.g. by governments
- to obfuscate your location
  - that way:
    - overcoming regional lockouts, e.g. by online media and service providers
    - protecting your privacy


VPN service providers

Security and privacy considerations

A VPN service provider offers only limited protection:
- connecting to the Internet through the gateway of a VPN service provider allows you to safely bridge The First Mile, where ISPs are required by law to log the metadata of all your connections
- your Internet traffic is hidden in the mass of other users' traffic when leaving from the gateway to the Internet
- however, incoming and outgoing connections can be statistically correlated with each other by someone listening in on the gateway's traffic, thereby breaking the anonymity of its users

The Tor network

When you need better protection of your identity, you are better off using the Tor network instead of a VPN gateway:
- it uses similar techniques, but in addition prevents the breaking of your anonymity by routing your traffic consecutively through three different distributed gateways.


Configuring OpenVPN server: PKI

Generate a key pair and certificate for each client:

[root keys]# cd /etc/openvpn/easy-rsa/
[root easy-rsa]# ./build-key client1
Generating a 2048 bit RSA private key
...............................................................+++
....................................................................+++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [OL]:
State or Province Name (full name) [Franklin]:
Locality Name (eg, city) [Emerald City]:
Organization Name (eg, company) [Acme Corp.]:
Organizational Unit Name (eg, section) [OpenVPN SSL key]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'OL'
stateOrProvinceName   :PRINTABLE:'Franklin'
localityName          :PRINTABLE:'Emerald City'
organizationName      :PRINTABLE:'Acme Corp.'
organizationalUnitName:PRINTABLE:'OpenVPN SSL key'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jul 10 12:17:44 2024 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root easy-rsa]#

Leave the default values as they are; they are taken from the ./vars file we edited before; but make sure you use a unique and descriptive name for 'Common Name'.


Configuring OpenVPN server: PKI

NOTE:
- the creation of key pairs and certificates can be performed on a separate system which is not even connected to a network; that way, the certificates and the private keys can be distributed to the VPN server and clients, without the master CA private key ever leaving this isolated system
- another option is to have the server and each client individually generate its own key pair locally and send a Certificate Signing Request (CSR) to the signing system, where a signed certificate is generated and sent back; that way, the signing system never sees any other private keys except its own master CA private key; the private keys never have to leave the server and clients they belong to
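The CSR workflow of the second note, carried out with plain openssl instead of the book's easy-rsa scripts, as an added example that is not part of the book. Two directories stand in for two machines: "ca" (the isolated signing system) and "client1" (the client). Only the CSR travels to the CA and only the signed certificate travels back, so client1.key never leaves the client side and ca.key never leaves the CA side. The last step packs the client's credentials into the PKCS#12 file that the Android chapter later imports into the Android Keychain. The subject names, validity and the PKCS#12 password are made up for this demonstration.

```shell
#!/bin/sh
# Added example, not the book's easy-rsa scripts: the CSR workflow done with
# plain openssl. Directory "ca" plays the isolated signing system, directory
# "client1" plays the client. Only the CSR goes to the CA and only the signed
# certificate (plus the CA certificate) comes back. All names, the validity
# and the password below are constructed for this demonstration.

DAYS=3650            # same 10-year validity as the book's easy-rsa set-up
P12_PASS='change-me' # the password Android asks for when importing the .p12

# CA side: create the master CA key pair and its self-signed certificate.
make_ca() { # $1 = CA directory
  mkdir -p "$1" && chmod 700 "$1"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days "$DAYS" \
    -subj "/O=Acme Corp./CN=Example CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  chmod 600 "$1/ca.key"
}

# Client side: generate the key pair locally and a CSR for it.
make_client_request() { # $1 = client directory, $2 = common name
  mkdir -p "$1" && chmod 700 "$1"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=Acme Corp./OU=OpenVPN SSL key/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  chmod 600 "$1/$2.key"
}

# CA side: sign a CSR; the CA reads only the request, never a client key.
sign_request() { # $1 = CA directory, $2 = CSR path, $3 = output certificate path
  openssl x509 -req -days "$DAYS" -in "$2" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial -out "$3" 2>/dev/null
}

# Client side: pack certificate, key and CA certificate into a PKCS#12 file.
make_pkcs12() { # $1 = client directory, $2 = common name, $3 = ca.crt path
  openssl pkcs12 -export -name "$2" -in "$1/$2.crt" -inkey "$1/$2.key" \
    -certfile "$3" -out "$1/$2.p12" -passout "pass:$P12_PASS"
  chmod 600 "$1/$2.p12"
}

# Run the whole exchange below a work directory. Returns 0 when the signed
# certificate verifies against the CA and the client key never reached the CA.
run_pki_demo() { # $1 = work directory
  ca="$1/ca"; cl="$1/client1"
  make_ca "$ca"
  make_client_request "$cl" client1
  cp "$cl/client1.csr" "$ca/client1.csr"          # the CSR goes to the CA ...
  sign_request "$ca" "$ca/client1.csr" "$ca/client1.crt"
  cp "$ca/client1.crt" "$ca/ca.crt" "$cl/"         # ... certificates come back
  make_pkcs12 "$cl" client1 "$cl/ca.crt"
  openssl verify -CAfile "$cl/ca.crt" "$cl/client1.crt" >/dev/null 2>&1 || return 1
  [ ! -e "$ca/client1.key" ]                       # private key stayed on the client
}

if command -v openssl >/dev/null 2>&1; then
  WORK=$(mktemp -d)
  run_pki_demo "$WORK" && echo "OK: client credentials in $WORK/client1"
fi
```

This flow produces a plain client certificate. A server certificate signed this way would not satisfy the `ns-cert-type server` check in the client configuration, because that check needs the nsCertType extension which easy-rsa's build-key-server adds; sign server requests with the appropriate extension section instead.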


Configuring an OpenVPN gateway

Routing/masquerading

To add routing/masquerading information to the firewall configuration, edit the file /etc/sysconfig/iptables:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# OpenVPN gateway
-A POSTROUTING -s 10.64.81.0/24 -o eth0 -j MASQUERADE
COMMIT
...
*filter
...
# OpenVPN gateway
-A FORWARD -i eth0 -d 10.64.81.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 10.64.81.0/24 -o eth0 -j ACCEPT

And restart the firewall:

service iptables restart

Now all traffic from the VPN which does not terminate at the server is forwarded using NAT, exactly like on a non-virtual local network.
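An added check for the rules above, not part of the book: it reads an `iptables-save` style dump and verifies that the MASQUERADE rule is scoped to the VPN subnet only, that both FORWARD accept rules are present, and that the FORWARD chain is closed by default (policy DROP or a terminal REJECT/DROP rule), since with an ACCEPT policy and no final reject the two accept rules do not restrict anything. The subnet and interface are the book's; the three dumps are constructed samples standing in for real `iptables-save` output.

```shell
#!/bin/sh
# Added example, not from the book: audit an iptables-save dump for the
# OpenVPN gateway rules. The dumps below are constructed samples.

VPN_NET="10.64.81.0/24"
WAN_IF="eth0"

NAT_TABLE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.64.81.0/24 -o eth0 -j MASQUERADE
COMMIT'
FILTER_HEAD='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -d 10.64.81.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 10.64.81.0/24 -o eth0 -j ACCEPT'

# Sample 1: the rules exactly as listed on this page, FORWARD policy ACCEPT.
DUMP_OPEN="$NAT_TABLE
$FILTER_HEAD
COMMIT"
# Sample 2: the same rules, ending in the distribution's usual reject rule.
DUMP_CLOSED="$NAT_TABLE
$FILTER_HEAD
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT"
# Sample 3: a common mistake, masquerading everything that leaves eth0.
DUMP_BROAD="$(printf '%s\n' "$DUMP_OPEN" |
  sed 's|^-A POSTROUTING -s 10.64.81.0/24 -o eth0|-A POSTROUTING -o eth0|')"

lines() { printf '%s\n' "$1"; }   # feed a dump variable line by line

# 0 if the masquerade rule is scoped to exactly VPN_NET leaving WAN_IF.
masquerade_scoped() {
  lines "$1" | grep -qxF -e "-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE"
}

# 0 if both forwarding accept rules from the page are present.
forward_rules_present() {
  lines "$1" | grep -qxF -e "-A FORWARD -i $WAN_IF -d $VPN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT" &&
  lines "$1" | grep -qxF -e "-A FORWARD -s $VPN_NET -o $WAN_IF -j ACCEPT"
}

# 0 if FORWARD drops by default: chain policy DROP, or a final REJECT/DROP rule.
forward_default_closed() {
  lines "$1" | grep -q '^:FORWARD DROP ' && return 0
  last=$(lines "$1" | grep '^-A FORWARD ' | tail -n 1)
  case $last in
    *' -j REJECT'*|*' -j DROP'*) return 0 ;;
  esac
  return 1
}

# Print one line per check; return the number of failed checks.
audit_gateway() { # $1 = dump text
  fails=0
  for check in masquerade_scoped forward_rules_present forward_default_closed; do
    if "$check" "$1"; then echo "PASS $check"; else echo "FAIL $check"; fails=$((fails + 1)); fi
  done
  return $fails
}

echo "== rules as listed on the page =="
audit_gateway "$DUMP_OPEN" || echo "  -> $? check(s) failed: add a terminal reject or set the FORWARD policy to DROP"
echo "== with a terminal reject rule =="
audit_gateway "$DUMP_CLOSED" || echo "  -> $? check(s) failed"
echo "== over-broad masquerade =="
audit_gateway "$DUMP_BROAD" || echo "  -> $? check(s) failed: restrict MASQUERADE to the VPN subnet"
```

On a live gateway, feed the functions the output of `iptables-save` (for instance `audit_gateway "$(iptables-save)"`); the third check flags the default CentOS layout only when the reject rule that normally ends the FORWARD chain has been dropped.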


Configuring an OpenVPN gateway

NOTE 1:
- do not enable the 'push' directives for OpenDNS, or for any other public DNS service
  - or information on the DNS queries of your clients might leak to these service providers
- better set up an additional DNS server for your clients yourself

NOTE 2:
- Unbound/dnssec-trigger, used to validate DNSSEC, randomly reshuffles the nameservers defined in the resolver configuration file /etc/resolv.conf to decrease the risk of DNS poisoning
- consequently, if you use OpenDNS, Google's Public DNS, or any other public DNS service as a backup, information on the DNS queries of your clients will leak to these service providers
- to prevent this, do not enable the 'push' directives for OpenDNS, or for any other public DNS service
- better set up an additional DNS server for your clients yourself
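An added check for the two notes above, not part of the book: it scans an OpenVPN server configuration for `push "dhcp-option DNS ..."` directives and flags every resolver outside private (RFC 1918) address space, which is where the VPN's own resolver would sit. Commented-out lines (starting with `;` or `#`) are ignored, as OpenVPN itself ignores them. Both configurations are constructed; 10.64.81.1 as the server's tunnel address in the book's 10.64.81.0/24 subnet is an assumption made for the sample.

```shell
#!/bin/sh
# Added example, not from the book: find pushed DNS servers that would leak
# client queries to a public resolver. Both configurations are constructed.

CONF_LEAKY='server 10.64.81.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.64.81.1"
;push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 208.67.222.222"'

CONF_CLEAN='server 10.64.81.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.64.81.1"
;push "dhcp-option DNS 208.67.222.222"'

# 0 if the IPv4 address lies in 10/8, 172.16/12 or 192.168/16.
is_private_ip() {
  case $1 in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# Print the resolvers pushed by active (uncommented) directives, one per line.
pushed_dns_servers() { # $1 = configuration text
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*push[[:space:]]*"dhcp-option[[:space:]]\{1,\}DNS[[:space:]]\{1,\}\([0-9.]*\)".*/\1/p'
}

# Report every pushed resolver; return 0 when none is public, 1 otherwise.
dns_push_audit() { # $1 = configuration text
  leak=0
  for ip in $(pushed_dns_servers "$1"); do
    if is_private_ip "$ip"; then
      echo "ok    pushes private resolver $ip"
    else
      echo "LEAK  pushes public resolver $ip (client queries become visible to its operator)"
      leak=1
    fi
  done
  return $leak
}

echo "== leaky configuration =="
dns_push_audit "$CONF_LEAKY" || echo "  -> remove the public push and run a resolver for the VPN yourself"
echo "== clean configuration =="
dns_push_audit "$CONF_CLEAN" && echo "  -> no public resolvers pushed"
```

Run it against the live file with `dns_push_audit "$(cat /etc/openvpn/server.conf)"`; a private address passing the check still has to point at a resolver you operate, which the script cannot tell from the configuration alone.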


Installing an OpenVPN client on Linux: daemon set-up

Create the OpenVPN client configuration:

cd /etc/openvpn/
cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/client.conf ./client1.conf

Edit the file client1.conf:

client
dev tun
proto udp
remote openvpn.example.net 1194
;remote-random
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
;mute-replay-warnings
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
verb 3
;mute 20

NOTE: enable the option mute-replay-warnings for clients that will be used on wireless networks.
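As an added example that is not part of the book: the configuration above references four separate files (ca.crt, client1.crt, client1.key, ta.key). The script turns it into one self-contained profile, client1.ovpn, with those four inlined in `<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks and the `tls-auth ta.key 1` direction carried over as `key-direction 1`, which is the form a phone or the NetworkManager import expects. Because the profile embeds the private key it is written with mode 600. The configuration is the book's listing; the PEM contents are constructed placeholders, not real credentials.

```shell
#!/bin/sh
# Added example, not from the book: bundle client1.conf and its four
# credential files into a single inline profile. The credential contents
# below are constructed placeholders standing in for real keys and certs.

# Build a directory that looks like /etc/openvpn/ after following the page.
make_sample_client_dir() { # $1 = directory to populate
  mkdir -p "$1"
  cat >"$1/client1.conf" <<'EOF'
client
dev tun
proto udp
remote openvpn.example.net 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
verb 3
EOF
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' >"$1/ca.crt"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CLIENT1' '-----END CERTIFICATE-----' >"$1/client1.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END PRIVATE KEY-----' >"$1/client1.key"
  printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'PLACEHOLDER-TA' '-----END OpenVPN Static key V1-----' >"$1/ta.key"
}

# Print the n-th argument of a directive in a config file (empty if absent).
directive_arg() { # $1 = config path, $2 = directive name, $3 = argument index (1-based)
  sed -n "s/^$2[[:space:]]\{1,\}//p" "$1" | awk -v n="$3" '{ print $n; exit }'
}

# Write client1.ovpn next to client1.conf (mode 600) and print its path.
make_inline_profile() { # $1 = client directory
  conf="$1/client1.conf"; out="$1/client1.ovpn"
  (
    umask 077
    {
      # Every directive except the four file references survives unchanged.
      grep -vE '^(ca|cert|key|tls-auth)[[:space:]]' "$conf"
      # "tls-auth ta.key 1" becomes an inline block plus "key-direction 1".
      dir=$(directive_arg "$conf" tls-auth 2)
      [ -n "$dir" ] && echo "key-direction $dir"
      for d in ca cert key tls-auth; do
        f=$(directive_arg "$conf" "$d" 1)
        [ -n "$f" ] || continue
        echo "<$d>"; cat "$1/$f"; echo "</$d>"
      done
    } >"$out"
  )
  echo "$out"
}

DEMO=$(mktemp -d)
make_sample_client_dir "$DEMO"
PROFILE=$(make_inline_profile "$DEMO")
echo "wrote $PROFILE:"; cat "$PROFILE"
rm -rf "$DEMO"
```

Treat the resulting file like the private key it contains: copy it to the device over a trusted channel and delete the copy on the SD card once the app has imported it.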


Installing an OpenVPN client on Linux: daemon set-up

Enable and start the OpenVPN daemon:

[root openvpn]# restorecon -Rv /etc/openvpn
[root system]# cd /lib/systemd/system/
[root system]# ln -s openvpn@.service openvpn@client1.service
[root system]# systemctl enable openvpn@client1.service
ln -s '/usr/lib/systemd/system/openvpn@client1.service' '/etc/systemd/system/multi-user.target.wants/openvpn@client1.service'
[root system]# systemctl start openvpn@client1.service
[root system]#

- NOTE 1: if the OpenVPN daemon can not be started due to SELinux blocking access to the configuration files in the /etc/openvpn/ directory, use the restorecon command
- NOTE 2: if you are certain that you do not need to adjust the service file, you can also directly link to it:

ln -s '/usr/lib/systemd/system/openvpn@.service' '/etc/systemd/system/multi-user.target.wants/openvpn@client1.service'
systemctl start openvpn@client1.service


Installing an OpenVPN client on Linux: NetworkManager

Configuring OpenVPN II
- open NetworkManager by right-clicking the icon in the status bar, then click 'Edit Connections' → 'Add'
- in the 'Choose a Connection Type' window, select the 'OpenVPN' option and click the 'Create' button
- alternatively, you can select the 'Import a saved VPN configuration' option, allowing you to load an OpenVPN profile from a client configuration file


Installing an OpenVPN client on Linux: NetworkManager

Running OpenVPN I
- after the client configuration has been completed, you can enable the VPN on top of your running network connections by clicking the NetworkManager icon and then 'VPN Connections', where you will find the newly created OpenVPN client
- the active VPN connection is indicated by the little yellow padlock added to the NetworkManager icon


Installing an OpenVPN client on Android

Using the Android Keychain credentials store II
- at the Android device, import these credentials by clicking 'Menu' → 'Import' → 'Import PKCS#12 from SD card'
- select the PKCS #12 file and click the 'Select' button
- Android now asks you for the password you used when creating the PKCS #12 file
- followed by the name you would like to use to identify these credentials
- after which the credentials are added to the Android Keychain


About the author

Adrian Offerman has an M.Sc. degree in Computer Engineering from Delft University of Technology and an M.Sc. degree in Psychology from Leiden University, both in the Netherlands. He has been working for over twenty years as an independent IT specialist journalist and as a consultant and engineer, focussing on technology, business and markets.

Currently, he works on projects involving internet and web technologies, building on Linux and Open Source Software. He is also involved in several technology communications projects on internet and networking technology, security, cryptography, Linux, and Open Source Software.

Credits
- Samsung Galaxy SIII: WilliamTheaker@Wikipedia

Colophon

This book was composed using a version of the LaTeX Beamer presentation package that was modified to mimic a book layout.
