This is the second in a series of projects you can use to improve your security skills. The idea of these projects is something relatively simple, not too expensive and impactful to your skill set. The first project was on intrusion detection.
Today’s project is VPN.
Why This Project is Impactful
The reason I picked VPN and in particular this setup is that you’ll learn a bunch of foundational skills:
- Unix/Linux: We’re installing our system on Linux so if you’re not familiar with the operating system, you’ll get some exposure.
- Open Source: Our toolset today is completely open source so you’ll get experience with all open tools.
- Encryption: Getting a VPN to work is actually far more complicated than you’d imagine. The key (no pun intended) is that you’ve matched up the same encryption algorithms on each side. All of a sudden, you’ll start learning the multiple different encryption methods that make up a single VPN connection.
- Networking: Also complicated. Getting the traffic to route through your computer to the remote VPN. Then getting the VPN server to route traffic to the right location. It’s a good lesson in networking.
- Privacy: When you’ve got your VPN connected, I encourage you to fire up Wireshark (or another packet capture tool) so you can see what packets still escape the VPN. This is important in thinking through how VPNs keep data private.
Install in the Cloud
I have mine installed on my home network. It allows me to VPN into my home network to access things that aren’t available otherwise. But if you’re at home trying to do this experiment it kinda doesn’t work. So to make life easy, put your VPN in the cloud.
For these types of experiments, I recommend DigitalOcean. It’s the $5 cloud. Their lowest cost server is $5 a month and you get root access to the server. If you sign up here, you’ll actually get a $10 credit. So you can play around for two months. (Or run another experiment next month.) If you end up being a paying customer, I get a few bucks too.
Setup DigitalOcean
Each server is called a droplet. So we’ll need to set up a droplet to get started. Click on Droplets, Create Droplet and you’ll see a screen something like this:
Give your droplet a name and select the $10 size. You can try to get it to run for $5 but you need more memory. You’re also welcome to use a bigger server. But my goal here is not to give you a lightning fast experience but to give you an educational experience for a few bucks.
Next you’ll need to select the image and location.
Choose any location. For our experiment, I would pick the location closest to you. The only long term use of this VPN in the cloud is to tunnel all of your traffic through it when you’re using a WiFi hotspot. Unless you travel a ton, you’ll want something close to you.
Next select our image. If you’re a Linux guru, pick anything you’d like. If not, the examples below will assume you’re running Ubuntu. There are a few checkboxes at the end.
Finally complete your setup. You’ll be provided with your IP address and password in an e-mail and you’ll need to change it when you log in. Your first step is to log in using a terminal program. The most used and most boring program is PuTTY.
Update and Upgrade
All of the commands will assume you’re logged in as root. Which is a really bad idea. But this is an experiment and not the real world so such is life. In most trusted environments, you’d want to log in as a user and sudo to root. You won’t see that here.
I trust Ubuntu’s repositories but I don’t always trust that the version I got is updated. So the following commands will update our server to the latest versions of all of the software running on it:
> apt-get update
> apt-get upgrade
OpenVPN
OpenVPN is the de facto open source VPN software. Is it easy to use? Nope. But it is extremely powerful and worth understanding how it works. Additionally, it’s fully supported on just about every platform. Just about any client you want to connect to it, there is software that will make it happen. Let’s get it installed:
> apt-get install openvpn easy-rsa
easy-rsa makes it easy to generate some of the keys needed to configure the VPN.
Let’s run some commands to set everything up:
> make-cadir /etc/ca
> cd /etc/ca
> vi vars
First, I’m a big fan of vi. Sorry if it’s not your thing. Use a text editor you’re comfortable with. We’re creating a directory for our files. We run a program called make-cadir which builds all of the files you need in that directory and then we open up the configuration file.
In the configuration file you’ll see the key length and the lifetime of the certificate. Set them to what you’d like. I suggest 4096 bits for the key length and a year for the certificate, but since this is an experiment, whatever you’d like will work.
> source ./vars → This “sources” or loads the vars document you edited above.
> ./clean-all → This will remove any previous keys, if there are any.
> ./build-ca → This final line builds your certificate authority.
This is how I filled out the build-ca questions:
Next run:
> ./build-key-server [common name from above, mine was vpn.jayschulman.com]
Here are my answers to the build-key-server:
Create Users
That sets up the server side certificates. Next we need to set up the client side certificates. For each user you want to access your VPN, you need to create a client side certificate. You do this here:
> ./build-key-pass UserName
Set a password for the certificate.
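Before you source vars and build the CA, it’s worth checking that the key length and lifetime you edited are actually what you think they are, since every certificate built afterwards inherits them. The script below is an added example, not part of the original post: it lints an easy-rsa 2.x vars file against the settings suggested above (4096-bit keys, one-year certificates). KEY_SIZE and KEY_EXPIRE are the names easy-rsa 2’s vars file exports; the thresholds are this post’s suggestions, and the sample vars file it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): lint an easy-rsa 2.x "vars" file
# against the settings suggested above (4096-bit keys, one-year certificates)
# before running "source ./vars", "./clean-all" and "./build-ca".
# KEY_SIZE and KEY_EXPIRE are the variables easy-rsa 2's vars file exports;
# the thresholds are this post's suggestions.

# vars_get FILE NAME: print the numeric value of "export NAME=value" in FILE.
# The last occurrence wins, as it would when the shell sources the file.
vars_get() {
    sed -n "s/^[[:space:]]*export[[:space:]]*$2=\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1
}

# check_vars FILE: return 0 if FILE meets the suggested settings, 1 otherwise.
# Each failing setting is printed so you know which line of vars to fix.
check_vars() {
    status=0
    size=$(vars_get "$1" KEY_SIZE)
    days=$(vars_get "$1" KEY_EXPIRE)
    if [ -z "$size" ] || [ "$size" -lt 4096 ]; then
        echo "KEY_SIZE=${size:-unset}: set it to 4096 (RSA keys are generated at this size)"
        status=1
    fi
    if [ -z "$days" ] || [ "$days" -gt 365 ]; then
        echo "KEY_EXPIRE=${days:-unset}: set it to 365 (certificates stay valid this many days)"
        status=1
    fi
    return $status
}

# write_sample_vars FILE SIZE DAYS: write a constructed, cut-down vars file
# (only the three numeric exports) so the check can be demonstrated offline.
write_sample_vars() {
    printf 'export KEY_SIZE=%s\nexport CA_EXPIRE=3650\nexport KEY_EXPIRE=%s\n' "$2" "$3" > "$1"
}

# Demo on a constructed sample with weaker values (2048-bit keys, ten-year certs).
sample=$(mktemp)
write_sample_vars "$sample" 2048 3650
check_vars "$sample" || echo "-> edit vars before running ./clean-all and ./build-ca"
rm -f "$sample"
```

Point it at your real file with `check_vars /etc/ca/vars` once you have edited it; a clean run prints nothing and exits 0.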