Académique Documents
Professionnel Documents
Culture Documents
u
b
m
it
1. Introduction
Ubiquitous Wi-Fi and mobile data that is on offer has made internet an integral part
of our daily lives. With so much free public Wi-Fi that is available from different
sources like airports, restaurants, libraries etc. the insatiable thirst for data is met.
Right? Yes, the Wi-Fi is free of course, but it is also generally unencrypted. This
means the users privacy is at risk. An eavesdropper can easily access the personal
data of the user when connected to such a network. Some of the other issues we
faced is that the websites continuously track our browsing patterns to rake in some
profits at the expense of our privacy. Courtesy Edward Snowden, we now know how
the Government monitors our online activities all the time. Apart from these privacy
invasions, there are also geographic restrictions. This is a scenario where the
Government of a certain country denies its general public from accessing certain
websites. Isnt there a fix to all these issues? Isnt there anyway to can keep our
privacy intact?
Well, of course there is the TOR browser that enables anonymous communication
thus fixing the issues discussed previously. The next question that immediately
arises is that if TOR is for an average internet surfer? On the downside a TOR
connection can be extremely slow - even slower than the most sluggish internet
speeds at times. Since, TOR offers such high levels of anonymity its a haven for
many crude, illegal activities. An average Joe can stumble upon some raw,
uncensored stuff on the internet that might keep him away from TOR for good.
Another silly fix to the issue would be avoid connecting on the public Wi-Fi
altogether. However, due to the impracticality of this fix we could as well use a
Virtual Private Network (VPN) to provide an anonymous, encrypted network.
Generally this paid for VPN service routes the internet traffic through a server that is
not our point of origin.
In this project we set up a free OpenVPN server on a relatively inexpensive piece of
hardware called the raspberry pi. This approach tunnels all the local traffic through
the raspberry pi which in turn routes it to the internet. Other than fixing all the
security issues, VPNs also allow users to connect on the public network as if they
were connected on the private one.
VPN allows corporate employees to securely access the corporate intranet while
travelling outside their office. Using VPN, we can connect to proxy servers so that
one can protect their personal identity. We can deploy VPN connectivity on routers
for additional security and encryption of data transmission by using various
cryptographic techniques.
2.2 OpenVPN
OpenVPN is an open-source software application that implements virtual private
network (VPN) techniques for creating secure point-to-point or site-to-site
connections in routed or bridged configurations and remote access facilities. For Key
Exchange VPN uses custom security protocol that utilizes SSL/TLS. VPN is capable of
traversing firewalls and network address translators. For authentication between
users OpenVPN uses certificates, pre-shared secret keys or username/passwords.
OpenVPN uses for encryption and authentication. It uses HMAC for additional
security. OpenVPN provides 256-bit encryption using OpenSSL. OpenVPN not only
supports IPv4 but also it fully supports IPv6. OpenVPN can run over TCP and UDP
transports.
OpenVPN is available on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX, Mac OS X,
and Windows XP and later. It also works on mobile phones running on IOS, Windows,
Android.
3. Hardware required
Raspberry pi (Model 2B) This model of the raspberry pi comes with a quad core
Broadcom BCM2836 CPU with 1GB RAM, 40 pin extended GPIO, micro SD slot, micro
USB power source, an Ethernet port, 4 USB ports and a full size HDMI port.
8 GB class 10 micro SD with Raspbian (Debian-based computer operating system)
written on it.
Wireless adapter To connect the raspberry pi to the internet wirelessly.
HDMI display
A keyboard
4.2.
This step is optional, but can be done to remotely connect to the raspberry pi by
typing in the following command sudo raspi-config and enabling ssh on the
advanced options dialogue box.
4.3.
Updating the Pi
Update system packages and upgrade the installed packages to their latest version
on the pi by using sudo apt-get update and sudo apt-get upgrade
4.4.
The outbound traffic has to be routed out to the internet via the server. For, this
reason the server (raspberry pi) needs to have an address that doesnt change each
time we connect to the network. Type the command ifconfig to get the current IP
address on the raspberry pi. We set our router up to assign the pi the IP that it
showed up on running the ifconfig command. An alternative approach would be
hardcoding the static IP address to the pi by running sudo nano
/etc/network/interfaces command. We now reboot the pi by running sudo reboot
command for the changes to take effect.
4.5.
The Raspbian OS comes with the OpenVPN package preinstalled which can be
unpacked by typing in sudo apt-get install openvpn command. Now type in command
sudo apt-get install openvpn in the terminal to install the package that produces the
server client key pair (using RSA). A copy of the
Easy-RSA has to be made in
/etc/openvpn/easy-rsa/ by using the command cp r /usr/share/easy-rsa/*
/etc/openvpn/easy-rsa/ as a root user. Now, type cd/etc/openvpn/easy-rsa to change
directory. Type nano /etc/openvpn/easy-rsa/vars and make changes as shown in the
terminal screenshot
4.6.
Build root certificate and root certificate authority on the server to prove itself to the
client that its authentic (it is actually who it claims to be). This is done by changing
directory to easy-rsa by typing
cd /etc/openvpn/easy-rsa and then running the
following commands source ./vars to run the vars document that was modified in the
4.7.
Now that we have created a certificate and generated a key for the server, we need
to create keys for each of the clients so that the server client pair would share a
unique pair of keys. For, demonstration and simplicity we have just created one
client and called it pc. The servers name raspi. This is done by using the following
command ./build-key-pass pc
This ensures that we have both server client certificates and key pairs. After
changing directory to keys by typing cd keys and to ensure that the keys would
work for all clients and for encryption, we type in openssl rsa in pc.key -des3 -out
pc.3des.key
In the process on creating the client keys and certificates we would be asked for a
passphrase. We need to remember this in case it is asked for in the future.
4.8.
Building Diffie-Hellman
Now that the server client pair has established a unique key pair, to establish an
end-to-end data encryption we need to generate an identical key that is used for
both encryption and decryption. This is done by using Diffie-Hellman Key exchange.
After typing in cd.. and ./build-dh we can see a recurring pattern of . and +
To provide our server additional security against certain attacks like the Denial of
Service attack we use hash based message authentication code (HMAC) so that the
server wouldnt authenticate any client without the pre-shared key. This is
implemented using the command openvpn --genkey --secret keys/ta.key
4.9.
Server configuration
Now, we would require our server (Raspi) to do a bunch of things like tunneling the
traffic through port 1194 and looking for the server client keys and certificate in a
specific folder. Setting the router as DNS and encrypting the data with AES 128 in
CBC mode. We edit the configuration of the server by using the command nano
/etc/openvpn/server.conf where we type in the following (an open-source code found
on GitHub modified according to server name and pi IP)
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/raspi.crt
key /etc/openvpn/easy-rsa/keys/raspi.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.0.20 255.255.255.0"
push "dhcp-option DNS 10.8.0.1"
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
After saving this server configuration, we have to let all the traffic flow through the
server. So, type nano/etc/sysctl.conf and make the following changes.
4.10.
Due to the server configuration the client that connects to the server would get an
IP in the 10.8.0.0/24 for the tunnel. Since our subnet is at 192.168.0.0/24 we need
to make use of NAT in the following format. First we type nano /etc/firewall-openvpnrules.sh and editing the openvpn-rules as
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.20
Like windows OS having an inbuilt firewall the Raspbian OS has a firewall inbuilt too.
This firewall doesnt allow all the traffic to flow through it. In order to get the traffic
flowing through the server, we should breach the firewall using the following set of
commands
chmod 700 /etc/firewall-openvpn-rules.sh
chown root /etc/firewall-openvpn-rules.sh
nano /etc/network/interfaces
4.11.
Automate the client side of things to save us a lot of work by running the
following script after typing sudo nano /etc/openvpn/easy-rsa/keys/Default.txt in the
terminal window.
Up next is the script that automates the whole process. This was a code written
by Eric Jodoin that sets up the client profiles. After typing nano /etc/openvpn/easyrsa/keys/MakeOVPN.sh enter
#!/bin/bash
# Default Variable Declarations
DEFAULT="Default.txt"
FILEEXT=".ovpn"
CRT=".crt"
KEY=".3des.key"
CA="ca.crt"
TA="ta.key"
#Ask for a Client name
echo "Please enter an existing Client Name:"
read NAME
#1st Verify that client's Public Key Exists
if [! -f $NAME$CRT]; then
echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT"
exit
fi
echo "Client's cert found: $NAME$CR"
#Then, verify that there is a private key for that client
if [! -f $NAME$KEY]; then
echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY"
exit
fi
echo "Client's Private Key found: $NAME$KEY"
#Confirm the CA public key exists
if [! -f $CA]; then
echo "[ERROR]: CA Public Key not found: $CA"
exit
fi
echo "CA public Key found: $CA"
#Confirm the tls-auth ta key file exists
if [! -f $TA]; then
4.12.
chmod 777 to copy the required files on the client device. These privileges are
undone by using chmod 600 to prevent any unauthorized access to the files on
the server. The script executes to give the following output
7. Conclusion
The ever growing concern of keeping the privacy and online anonymity intact is kind
of addressed in this project. We now have an anonymous end to end encrypted
connection set up for a particular client that changes its IP address and has all the
data encrypted using the AES-128 standard(We could set up any number of clients
for this server since OpenVPN is compatible across all OS Platforms). This is a good
measure to keep the intruders and eavesdroppers at bay. Government online
8. References
1) http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-webbrowsing/
2) https://github.com/rmurray2/RPI-TLS-VPN/blob/master/server.conf
3) https://gist.github.com/laurenorsini/10013430
4) https://openvpn.net/index.php/open-source/documentation/howto.html
5) http://pclosmag.com/html/Issues/201309/links.html
6) http://www.bbc.com/news/technology-33548728
7) http://elinux.org/RPi_Hardware