Professional Documents
Culture Documents
(Serious Cost)
a.k.a. don't pay to “go-to-your-pc”
Jeremy Willden
Open Source Enthusiast
Ad Hoc Electronics
http://www.adhocelectronics.com/
Internet Security Issue: BGP spoof
● Border Gateway Protocol handles major routing
● Unencrypted traffic can be monitored or
modified from anywhere in the world
http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html
Networking Overview
● Firewalls and NAT
Networking Overview
Networking Overview
Networking Overview
Networking Overview
Remote Access
● Problem: how to remote control your PC
● Partial Solution: VNC Server & Client
Remote Access
Remote Access
Remote Access
● Problem: how to remote control your PC
● Partial Solution: VNC Server & Client
● Google VNC or check sourceforge.net
● Use password authentication
● Port forwarding (5900) remote - insecure!
● Solution isn't complete
– It's not secure, only allows one service (port)
– Separate port for each client
Securely Connecting Networks
● Virtual Private Network (VPN)
● Data encrypted between networks
● Many closed and open-source alternatives
– Many get broken by NAT, or are limited by it
– Proprietary ones may only be obscure, not secure
● Ideal: open/free, well tested, reviewed
– Use the same code base as eCommerce, TLS/SSL
– Take it further: not just one service/port
Why OpenVPN?
● Uses OpenSSL (TLS)
– Heavily tested, SSL is used for HTTPS
– Many ciphers (Blowfish, AES 128/256, many more)
– Free as in Freedom
– Available ready to deploy on many platforms
● Linux/Mac/Windows
● Router (embedded) firmware
– Public Key Infrastructure
● Certificate revocation without re-keying
TLS (SSL) Handshake
● Random keys exchanged using public key
cryptography, prevents man-in-middle attacks
Image Copyleft Christian Friedrich, licensed under GFDL, with spelling corrections. Source: Wikimedia
TLS (SSL) Handshake
Image Copyleft Christian Friedrich, licensed under GFDL, with spelling corrections. Source: Wikimedia
General Setup-Linux
● http://openvpn.net/index.php/documentation/howto.html
● Pull down the source from openvpn.net
– http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
– http://openvpn.net/release/openvpn-2.0.9.tar.gz
– Unzip/untar: tar -xzf ./lzo-2.03.tar.gz, tar -xzf ./openvpn-2.0.9.tar.gz
– “cd” into each folder, do ./configure, make, make install
Create a client config file for each remote router (filename must match client name!)
nano -w /etc/openvpn/ccd/client2
iroute my.sub.net.addr 255.255.255.0
VITAL: make sure /etc/openvpn/ccd is world readable, along with all files inside!
Otherwise, the downgraded daemon won't be able to read the files.
You can also make each remote router's subnets available to the other routers, but it's a
bit more complicated – the ccd files may need to include a push-reset followed by a
push off all relevant parameters except for it's own route
Implementation 2
● Routed VPN with static keys
● Between two sites using dd-wrt routers
dd-wrt router 1 client configuration
# STARTUP SCRIPT
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
echo "remote REMOTEADDRESS
proto udp
port 2000
dev tun0 #FIREWALL SCRIPT
secret /tmp/static.key iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
verb 3 iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
comp-lzo iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
keepalive 15 60
daemon
" > SiteA-SiteB.conf
echo "
YOUR STATIC KEY
" > static.key
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.0.2 netmask 255.255.255.0 promisc up
route add -net OTHERSUBNET netmask 255.255.255.0 gw 10.0.0.1
sleep 5
/tmp/myvpn --config SiteA-SiteB.conf
dd-wrt router 2 client configuration
# STARTUP SCRIPT
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
echo "proto udp
port 2000
dev tun0
secret /tmp/static.key #FIREWALL SCRIPT
verb 3 iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
comp-lzo iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
keepalive 15 60 iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
daemon
" > SiteA-SiteB.conf
echo "
YOUR STATIC KEY
" > static.key
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.0.1 netmask 255.255.255.0 promisc up
route add -net OTHERSUBNET netmask 255.255.255.0 gw 10.0.0.2
sleep 5
/tmp/myvpn --config SiteA-SiteB.conf
References
● http://www.openvpn.net
● http://openvpn.net/index.php/documentation/howto.html
● http://en.wikipedia.org/wiki/Secure_Sockets_Layer
● http://en.wikipedia.org/wiki/Transport_Layer_Security
● http://pbxinaflash.com/forum/showpost.php?p=12108&postcount=24