Geekzone: technology news, blogs, forums


mdf



2035 posts

Uber Geek
+1 received by user: 604

Trusted
Subscriber

Topic # 203143 19-Sep-2016 17:06

I'm after some pointers on where to start with VPNs.

 

@sbiddle pointed out on this thread that:

 

 Slightly OT I hope you didn't have port forwards to your cameras and were using a VPN. Having port forwards to devices such as alarms, cameras etc is extremely insecure and should be avoided unless these are locked down to whitelisted IP's.

 

This has reminded me to actually start doing something about VPNs.

 

I've just had a Paradox alarm with an IP module installed and want to use the app (I opened the recommended Port 10000 for the duration of playing with the Paradox App to confirm it worked but then closed the port again). I'm also playing with a few other server-y bits and pieces that are all currently limited to the internal network but can see a day where it would be nice to access them from the outside. I will also very likely add IP cameras at some point too.

 

My router has OpenVPN Server built in, but I don't really understand the configuration options, so first looking for some pointers as to best practice. Googling the options is either way over my head or has at least two people arguing which is the right option. Can anyone point me at a decent guide?

 

Second, what's the best way of setting up a VPN client? I'd probably use this primarily on my (Android) phone to access the network, but also a notebook, although this would probably usually connect via tethering to the phone. Ideally, I'd like a simple toggle option for VPN on and off (I don't mind paying for an app if it offers benefits). 

 

Alternatively, is there a way to whitelist/filter by something like MAC address, rather than IP? I'll be happy limiting remote access to my phone.

 

As an aside, how does UPnP open ports safely? 


18 posts

Geek
+1 received by user: 1


  Reply # 1638092 21-Sep-2016 10:43

Hi mdf,

 

 

 

for OpenVPN you may find this useful ( https://openvpn.net/index.php/open-source/documentation/howto.html ).
Feel free to ask more specific questions if you still have them once you read that information.
I think for the sake of simplicity you may want to use "bridged" mode - in this mode, when a client is connected, they are put in kind of "the same network" so any protocols and applications should work.
But that depends on how OpenVPN is implemented in your router.

 

Also an OpenVPN client for your phone may be tricky to get - look in the store market which one works for you. Some may require your phone to be rooted. For a PC this is not a problem.

 

But generally OpenVPN is a good tool, stable and reliable.

 

 

 

In regards to MAC filtering - it is not possible for a remote connection. MAC is propagated only between two directly connected devices (roughly) so when you are connecting to your home from the Internet MAC filtering won't do you any good.
The same is true for IP filtering since you will most likely get a random IP every time (unless you are connecting from your work place which has a fixed IP).
But don't be bothered with that. OpenVPN with user certificate, password AND One Time Password (OTP) is very secure (but OTP may not be implemented in your router).

 

 


2096 posts

Uber Geek
+1 received by user: 358

Lifetime subscriber

  Reply # 1638098 21-Sep-2016 10:58

Or build a R Pi to use as an OpenVPN server (or client with server in the cloud).





Ross

 

Spark FibreMAX using Mikrotik CCR1009-8G-1S-1S+

 




 
 
 
 


2486 posts

Uber Geek
+1 received by user: 897

Trusted
Lifetime subscriber

  Reply # 1638206 21-Sep-2016 13:37

I use the Android OpenVPN Connect - https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en

 

And that works beautifully. You just need to create a "Server.ovpn" file which is a standard openvpn config file with the client and server certs all bundled in one. It's pretty easy to use.

 

If you are running OpenVPN server on a linux host then the Low End Spirit easy openvpn installer doesn't get any easier. http://forum.lowendspirit.com/viewtopic.php?id=235

 

 






1674 posts

Uber Geek
+1 received by user: 428


  Reply # 1638239 21-Sep-2016 14:34

Find what VPN clients your devices support and try to find a common ground.

If you're running the VPN service in your primary router you don't need to port forward. Just make sure there are no firewall rules blocking the relative ports/protocols.

mdf



2035 posts

Uber Geek
+1 received by user: 604

Trusted
Subscriber

  Reply # 1638254 21-Sep-2016 14:57

Thanks guys. I think I'm making some (slow) progress. I found this OpenVPN primer guide really helpful for background.

 

I've done some reading and think I've mostly narrowed down the options to use (it's a learning experience as much as anything else), but for some reason mucking around with my router and its (possible) connections to the outside world terrifies me. Probably due to forum threads like the one I linked to in my first post. So keen for a sanity check/any suggestions on improvements:

 

  • TUN vs TAP: Use TAP when bridging networks (and in certain other circumstances), but generally should be using TUN to avoid opening up anything on the client LAN to the home LAN (though there seem to be *wildly* differing opinions about this). TAP apparently also doesn't work on Android. I want to try and use TUN.
  • TCP vs UDP: TCP is more reliable; UDP is theoretically faster but YMMV. I will start with UDP.
  • Port: 1194 if you set Protocol to UDP or 443 if you chose TCP
  • Firewall: Automatic
  • Authorisation mode: TLS
  • Extra HMAC authorisation: As I understand it, the additional HMAC authorisation pre-authenticates with a shared key before doing the full authentication via asymmetric keys. Can speed things up, but for now just an added complication so I will leave off.

VPN subnet/netmask: This confused me the most (I think some of the terminology used has more than one meaning - I'm looking at you "bridge" but "gateway" and "routing" also have some things to answer for). All the instructions also give CLI examples and I'm not always sure how to read them (e.g. when there are two IP addresses, which is the source and which is the destination). Having done some reading I'm also now somewhat concerned that my TV and lightbulbs will shortly be conspiring to take over my notebook.

 

I _think_ what I want to do is have traffic arriving from the VPN client go to the TUN interface for decryption. The decrypted traffic should then go to the router for direction on to its destination within the LAN. Vice versa, when traffic from the LAN is destined for the VPN client it should go from the router to the TUN interface then on to the VPN client. However, given my OpenVPN server is my router, I can't quite get my head around how the rules work. I think this should be the same as routing between subnets or VLANs, but those instructions ain't straightforward either.

 

And I suspect I could probably avoid some of this difficulty using TAP but I'd like to figure out how it works rather than following instructions without really understanding what I'm doing.


1674 posts

Uber Geek
+1 received by user: 428


  Reply # 1638261 21-Sep-2016 15:08

For simplicity you generally have the VPN network landing on the same subnet as your lan with the same DHCP server so that the devices can easily communicate without creating more routes, so long as arp-proxy is supported. ...

As to your question about upnp and safety? It's not particularly safe if the device opening up ports to itself is vulnerable to brute force or other backdoors, let alone some routers accepting upnp requests from their wan interface. There are webpages that can test for this. I have upnp enabled on mine but any ports opened up are blocked until I manually make an exception.

18 posts

Geek
+1 received by user: 1


  Reply # 1638271 21-Sep-2016 15:36

mdf:

 

I _think_ what I want to do is have traffic arriving from the VPN client go to the TUN interface for decryption. The decrypted traffic should then go to the router for direction on to its destination within the LAN. Vice versa, when traffic from the LAN is destined for the VPN client it should go from the router to the TUN interface then on to the VPN client. However, given my OpenVPN server is my router, I can't quite get my head around how the rules work. I think this should be the same as routing between subnets or VLANs, but those instructions ain't straightforward either.

 

You pretty much got it right! :)
In regards to TAP vs TUN - think of TAP as just another RJ45 socket in your switch where you plug in a computer and it becomes a part of your internal network so everything that is there is available - getting addresses from your normal DHCP server, connecting to your home PCs or NAS or even printers.

 

TUN - well, as you already mentioned - it looks like another "subnet" from the router's perspective so it would be like routing between two different subnets.
In that case you need to take care of IP address assignment (OpenVPN normally does that for you) and all normal routing "restrictions" apply. Actually the fact that your router is your VPN "gateway" makes it a little bit easier.

 

However you need to change your client device in a way that it will use VPN tunnel to send packets to your home LAN addresses.
Assuming your home LAN has 192.168.1.0/24 addresses you need to tell your OpenVPN client to change routing so any packets destined for 192.168.1.0/24 will go via tun0 interface (or whatever it is called there).
OpenVPN can make this adjustment as well when VPN is established.

 

Are you able to get a console shell to your router so you could put in some commands to see the output, or are you limited to the GUI only?

Don't be afraid of playing with your router - it won't explode :)
Worst case - you lose connectivity to the internet.
BTW - if you try to do that being already connected to your home network - that won't work, you may need to switch off WiFi on your phone to trigger 3G access.


388 posts

Ultimate Geek
+1 received by user: 79


  Reply # 1638365 21-Sep-2016 20:06

For best security, you need to choose a good encryption method, such as:

 

cipher AES-256-CBC   # AES 256-bit

 

and it is best to enable Perfect Forward Security.  PFS ensures that new keys are used all the time, so that if someone (eg NSA) were to manage to break one of the session keys, all they would get would be the data that was transmitted with that session key (a few minutes of data).  Without PFS, they might be able to decrypt all your traffic on that OpenVPN server, including older sessions they had recorded, and anything transmitted after they broke the key.  To enable PFS, you need to generate a further key used for TLS authorisation:

 

openvpn --genkey --secret /path/to/store/ta.key

and in the server config add:

tls-auth ta.key 0 # This file is secret

and in the client config add:

tls-auth ta.key 1 # This file is secret

The ta.key file needs to be safely copied to each client - for the OpenVPN Android client, it can be included as a section in the .ovpn config file that is used to set the client up.

 

 

mdf



2035 posts

Uber Geek
+1 received by user: 604

Trusted
Subscriber

  Reply # 1644195 2-Oct-2016 15:44

Pfwoah. That just about killed me. But it seems to work and I've learned heaps about networking and VPNs.

 

Now I've got it going, a couple of potentially obvious (or stupid) queries:

 

First, OpenVPN says that by default (and I haven't changed it) only data directed at the "home" LAN goes via the VPN tunnel. Other data (e.g. browsing websites etc.) goes direct via the host connection (e.g. cafe wifi, mobile data). Are there any pros and cons in leaving the VPN on constantly, or should I just connect when I need to remote into my home LAN? I assume there are system overheads of running the client and server programs, plus the transit overheads of encrypting and decrypting data?

 

Second, my main reason for using a VPN was to remote access things like an IP alarm system, IP cameras and some IOT stuff on my home network. As I understand it, it's not a great idea to port forward to such devices, as there are potential vulnerabilities that can be exploited. I'm not really that concerned about encrypting the data in transit. And in any event, could use https if this was a concern. I think. So, I'm wondering if the following would be a viable alternative?

 

Sign up for a dynamic DNS service like DynDNS or no-ip, and run the clients for those on my phone and notebook (the only devices I am concerned about using for remote access). Port forward on my router, but IP filter the allowable port forwards to the dynamic DNS hostname.

 

I appreciate that the main purpose (as advertised) of dynamic DNS services is to allow remote access *to* the device, not *from* the device, but I'm wondering if it would work anyway?

 

While OpenVPN works fine, I'm not 100% sure I've set it up completely correctly (i.e. securely). And I have a feeling next time I wanted to add another device to the VPN network I would end up having to go through the whole process again to add a client properly. Simple is good for me, and so wondering about potential alternatives.


21632 posts

Uber Geek
+1 received by user: 4441

Trusted
Subscriber

  Reply # 1644244 2-Oct-2016 16:12

Phones on mobile data do not have a constant IP, they are behind NAT so the external IP is not constant.

 

Also IP filtering doesn't usually let you put host names, as it would be constantly looking names up which would slow a firewall down massively. You might be able to get something to re-write the firewalling periodically from the hostname, but that will mean no throughput when you change between 4G and wifi until the DNS updates, expires, and then the firewall gets updated - something I would find totally unacceptable.

 

VPN is the correct way to do it, and there are many low cost appliances that you can put on your LAN to take the VPN if your router can't do it. Lots of consumer NAS's will do it etc.





Richard rich.ms

mdf



2035 posts

Uber Geek
+1 received by user: 604

Trusted
Subscriber

  Reply # 1645360 4-Oct-2016 18:11

Thanks @richms, makes sense.

 

Turning back to my VPN then, is there any (easy) way of checking I've got it set up right / securely? Googling "is my VPN secure" just throws up results for "outward" connecting VPNs - when you're using it for privacy or geo-unblocking I guess?

 

I want to use mine for secure remote access to my home network. I think I've set everything up right (i.e. I followed reputable instructions), but I guess there is a chance I've left a gaping hole that anyone can log into using "Password123".


388 posts

Ultimate Geek
+1 received by user: 79


  Reply # 1645505 4-Oct-2016 23:02

You can post your server config file and see if anyone can see any problems.  As long as there are no private keys or certificates in the file, there should be no problem making it public.  Most of what is in that file is visible to a client attempting to connect anyway.  OpenVPN relies on the security of the encryption it uses, not on the obscurity of its configuration or operation.
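One way to prepare a server config for posting as suggested above, and to check it against the settings raised earlier in this thread (an added example, not part of the original post; the sample config, the `redact` and `audit` helpers and the finding texts are constructed for illustration):

```python
import re

# Inline blocks that can carry key or certificate material in an OpenVPN config.
SENSITIVE_TAGS = ("ca", "cert", "key", "pkcs12", "secret", "tls-auth", "tls-crypt")
BLOCK_RE = re.compile(r"(<(%s)>).*?(</\2>)" % "|".join(SENSITIVE_TAGS), re.DOTALL)


def redact(config_text):
    """Replace the body of every sensitive inline block with a placeholder."""
    return BLOCK_RE.sub(r"\1\n[REDACTED]\n\3", config_text)


def directives(config_text):
    """Map directive name -> arguments; an inline <tag> block counts as set."""
    found = {tag: [] for tag in re.findall(r"^<([\w-]+)>", config_text, re.M)}
    text = re.sub(r"<([\w-]+)>.*?</\1>", "", config_text, flags=re.DOTALL)
    for line in text.splitlines():
        words = re.split(r"[#;]", line, maxsplit=1)[0].split()  # drop comments
        if words:
            found[words[0]] = words[1:]
    return found


def audit(config_text):
    """Return findings for the settings discussed in this thread."""
    d = directives(config_text)
    findings = []
    if "cipher" not in d:
        findings.append("no explicit cipher directive")
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no tls-auth/tls-crypt HMAC key")
    if any(arg.startswith("tap") for arg in d.get("dev", [])[:1]):
        findings.append("dev tap: clients are bridged onto the LAN")
    if "client-cert-not-required" in d or d.get("verify-client-cert") == ["none"]:
        findings.append("client certificates not required: password-only login")
    return findings


# Constructed sample server config (not taken from the thread).
SAMPLE = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"  # home LAN reached through the tunnel
client-cert-not-required
<key>
CONSTRUCTED-NOT-A-REAL-KEY
</key>
"""

if __name__ == "__main__":
    print(redact(SAMPLE))
    for finding in audit(SAMPLE):
        print("CHECK:", finding)
```

Files referenced by path (for example `key server.key`) are not read by this script, so only the config text itself is sanitised.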


1674 posts

Uber Geek
+1 received by user: 428


  Reply # 1645877 5-Oct-2016 13:00

The first thing you'll want to do is compare your IP address that is shown by whatismyip.com when your VPN is turned on vs off then also ensure that your communications are using TLS.

 

When I'm overseas having to use hotel wireless I connect my devices to my home VPN and I have them set to send all communication via the VPN.  There's some traps here that you should be aware of such as ensuring that DNS lookups also go via the VPN.  Another is that your VPN will tunnel IPv4 traffic only, yet your devices may perform IPv6 lookups that don't go over the tunnel.  Seen a similar problem where iPhone tethered laptops perform all DNS lookups - both V4 and V6 - over IPv6 to the iPhone's gateway which then stops working when non IPv4 traffic becomes non-routable or blocked by the VPN client software.

 

Not to mention that the hotel wifi may see you as being inactive with no www traffic and kick you off.

