Synology OpenVPN connection from Android

Connecting securely to your home network has always been a bit of a challenge, since common home ADSL routers do not normally contain a VPN server (those that do generally offer PPTP, which I would hardly call secure these days). That is probably a good thing, as such servers would be horribly out of date considering the firmware release policies of retail router manufacturers. You could run and maintain your own dedicated server, but for most home networks that is overkill and beyond the technical depth of most hobbyists. However, NAS appliances are becoming more useful in home networks for storage and other common tasks. I have had good experiences with Synology NAS devices over a number of years, and the latest iteration also has a very useful VPN Server package available based on OpenVPN (as most Synology apps are built on common open source components).

Server Requirements

This is a very straightforward procedure via the Synology Web UI (http://www.synology.com/en-uk/support/tutorials/459#t3.2):

1. Install the VPN Server via the Synology Package Manager.
2. Enable the OpenVPN server.
3. Export the certificate using the "Export configuration" button (openvpn.zip) and extract the CA certificate file (ca.crt).
4. Forward UDP port 1194 from your modem/router to the Synology NAS.
5. Make sure your DiskStation user account has OpenVPN privileges.

Android Client Configuration

This part turned out a little more difficult than I expected. Initially I tried the "OpenVPN Connect" app by OpenVPN.net, the makers of OpenVPN. However, this seems to have no facility to edit the configuration and would not work at all…


OpenVPN – forward all client traffic through tunnel using UFW

By default OpenVPN only routes traffic to and from the OpenVPN server. If you need all traffic from a client to go through the OpenVPN tunnel, there are several options listed in the OpenVPN docs (http://openvpn.net/index.php/open-source/documentation/howto.html#redirect). Since in some cases I don't have any control over the server, I needed a client-side solution. As I already have ufw running on Ubuntu, I wanted to use the existing software. Here is how to configure ufw to route all traffic from your client machines through the OpenVPN server.

Forwarding policy

Change the default forward policy: edit /etc/sysctl.conf to permanently enable IPv4 packet forwarding. (Note: this takes effect at the next boot.)

    sudo vim /etc/sysctl.conf

    # Enable packet forwarding
    net.ipv4.ip_forward=1

UFW config

Then configure ufw in /etc/default/ufw:

    sudo vim /etc/default/ufw

    DEFAULT_FORWARD_POLICY="ACCEPT"

UFW before rules

Change /etc/ufw/before.rules to add the following block after the header and before the "*filter" line. Match the IP/subnet mask to the one in /etc/openvpn/server.conf.

    sudo vim /etc/ufw/before.rules

    # START OPENVPN RULES
    # NAT table rules
    *nat
    :POSTROUTING ACCEPT [0:0]
    # Allow traffic from OpenVPN clients out through eth0.
    # 10.8.0.0/24 matches "server 10.8.0.0 255.255.255.0" in server.conf;
    # a /8 here would masquerade the whole of 10.0.0.0/8, not just the VPN.
    -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    COMMIT
    # END OPENVPN RULES

Enable OpenVPN

Open the OpenVPN port 1194:

    sudo ufw allow 1194

Start UFW

    sudo service ufw start
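A small checker, added here as an example and not part of the original post, that reads the "server" directive from server.conf and the MASQUERADE rule from before.rules and reports whether the NAT source network exactly matches the VPN subnet or masquerades far more than it (as a /8 would). The server.conf and before.rules contents are constructed samples.

```python
import ipaddress
import re

# Constructed sample inputs (not from the original post).
SERVER_CONF = """\
dev tun
server 10.8.0.0 255.255.255.0   # VPN subnet handed out to clients
"""
BEFORE_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
"""
RULE_RE = re.compile(r"^-A POSTROUTING\s+-s\s+(\S+)\s+-o\s+(\S+)\s+-j\s+MASQUERADE")

def openvpn_subnet(conf):
    """Return the network declared by the 'server <net> <mask>' directive."""
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()  # strip trailing comments
        if len(parts) == 3 and parts[0] == "server":
            return ipaddress.ip_network((parts[1], parts[2]), strict=False)
    raise ValueError("no 'server' directive found")

def masquerade_sources(rules):
    """Return (source network, out interface) for each MASQUERADE rule.
    strict=False normalises 10.8.0.0/8 to the 10.0.0.0/8 iptables applies."""
    found = []
    for line in rules.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            found.append((ipaddress.ip_network(m.group(1), strict=False), m.group(2)))
    return found

def check_nat_scope(conf, rules):
    """Classify each MASQUERADE rule: 'exact' if its source equals the VPN
    subnet, 'too-broad' if it also masquerades addresses outside the VPN,
    'unrelated' if it does not cover the VPN subnet at all."""
    vpn = openvpn_subnet(conf)
    report = []
    for net, iface in masquerade_sources(rules):
        if net == vpn:
            verdict = "exact"
        elif vpn.subnet_of(net):
            verdict = "too-broad"
        else:
            verdict = "unrelated"
        report.append((str(net), iface, verdict))
    return report

if __name__ == "__main__":
    for net, iface, verdict in check_nat_scope(SERVER_CONF, BEFORE_RULES):
        print(f"MASQUERADE {net} via {iface}: {verdict}")
```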


OpenVPN Install on CentOS 6 Server

I recently had a need to install a VPN service in an OpenVZ container. Since I normally only use hardware-emulating VMs, I ran into quite a few issues in terms of low-level networking support on this container virtualisation system. It turns out that you are stuck with a TUN/TAP solution, as most providers won't enable PPP on their infrastructure. Ethernet bridging is also not available (at least on the service I used), so you're stuck with NAT IP masquerading. Considering the options, I thought I was best served by using OpenVPN server.

Install Server

    yum --enablerepo=epel -y install openvpn

Server configuration

    cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn/

These are the contents of /etc/openvpn/server.conf:

    local XXX.XXX.XXX.XXX   # server external IP
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert SERVER.crt
    key SERVER.key   # keep this file secret
    dh dh1024.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"   # using Google Public DNS
    push "dhcp-option DNS 8.8.4.4"   # using Google Public DNS
    keepalive 10 120
    comp-lzo
    max-clients 5
    user nobody
    group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    log /var/log/openvpn.log
    verb 3

Set up easy-rsa:

    mkdir -p /etc/openvpn/easy-rsa/keys
    cd /etc/openvpn/easy-rsa
    cp -rf /usr/share/openvpn/easy-rsa/2.0/* .
    vim vars

In vars, set the country (KEY_COUNTRY), state (KEY_PROVINCE), locality (KEY_CITY), organisation name (KEY_ORG) and support email (KEY_EMAIL).

Create certificate authority

    source ./vars   # vars must be sourced, not executed, so the KEY_* variables reach the scripts
    ./clean-all
    ./build-ca

The CA key and certificate should now be in the keys directory inside the easy-rsa directory.

Create certificate for the server

    ./build-key-server NAME_OF_SERVER

Answer the questions and commit the certificate into the database.

Create the Diffie Hellman files

These files are used for the actual…


Installing Poptop (pptpd) VPN Server on CentOS 6

For roaming mobile clients, PPTP (Point-to-Point Tunneling Protocol) is still the quickest way to get VPN connections to tunnel traffic over a secure link.

Installation

I always prefer installation via a yum repository, as this ensures patches are applied during regular system updates.

    sudo rpm --import http://poptop.sourceforge.net/yum/RPM-GPG-KEY-PPTP
    sudo rpm -Uvh http://poptop.sourceforge.net/yum/stable/rhel6/pptp-release-current.noarch.rpm
    sudo yum install ppp pptpd -y

Configuration

Note: replace $USERNAME and $PASSWORD with actual values.

IP configuration

    echo "localip 192.168.0.1" >> /etc/pptpd.conf
    echo "remoteip 192.168.0.100-199" >> /etc/pptpd.conf

DNS configuration

    echo "ms-dns 8.8.8.8" >> /etc/ppp/options.pptpd
    echo "ms-dns 4.2.2.1" >> /etc/ppp/options.pptpd

Authentication configuration

    echo "$USERNAME pptpd $PASSWORD *" >> /etc/ppp/chap-secrets

Firewall config

    service iptables start
    echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
    sysctl -p
    echo "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" >> /etc/rc.local
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # save before restarting: a restart reloads /etc/sysconfig/iptables and would drop the rule just added
    service iptables save
    service iptables restart
    chkconfig iptables on

Start pptpd

    chkconfig pptpd on
    service pptpd start
