Force all traffic through openvpn tunnel

From Cryptolife



Scenario: Connecting to the internet from public wireless hotspots or insecure networks using openvpn.

(my laptop)----->(wireless hotspots or insecure network)----->(My openvpn server)


Without the OpenVPN tunnel all my traffic crosses the hotspot in clear text, so an attacker on the same network can intercept it and steal passwords, files and so on, as shown below.

(my laptop)-----> google.com mybank slashdot.com (wireless hotspots or insecure network) google.com mybank slashdot.com ----->(Internet)


With the OpenVPN tunnel all my internet traffic is encrypted and routed to my VPN server before it reaches the internet, so the attacker on the hotspot only sees encrypted, unreadable traffic between the laptop and the VPN server, as shown below. Note that the tunnel only protects the hop over the hostile network: between the VPN server and the destination the traffic is as clear or as protected as the application itself makes it (HTTPS, SSH, ...).

(my laptop)-----> 8jf9dcjw (wireless hotspots or insecure network) 8f8jf9dcjw ----->(My openvpn server)----->(Internet)----->google.com mybank slashdot.com

Comments and suggestions are welcome by email or Twitter.

Tested on Ubuntu server 9.04 and Ubuntu desktop 9.04


Certificate and key generation

It is a good idea to generate and store the OpenVPN keys and the CA certificate on a third, secure and trusted machine: the certificate authority key and the users' private keys should never live on a machine directly exposed to the internet, because whoever obtains the CA key can issue certificates for new clients (or for a rogue server).
I use a virtual machine for this purpose; your laptop works as well.


Install openvpn and openssl:

apt-get install openvpn openssl


Copy the easy-rsa scripts to the OpenVPN directory:

cp -a /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn/


Go to /etc/openvpn/easy-rsa/2.0/ and open the file called vars. Edit the last five lines to match your own details: replace "US" with your country code and with your province (state), and set the city, organisation and e-mail address. In the same file consider raising KEY_SIZE from its default of 1024 to 2048: the RSA keys and the Diffie-Hellman parameters generated below inherit this size, 1024-bit keys are no longer considered strong, and the DH file is named after it (dh1024.pem or dh2048.pem), so adjust the scp command and server.conf below accordingly.


export KEY_COUNTRY="US"
export KEY_PROVINCE="US"
export KEY_CITY="mycity"
export KEY_ORG="vpn"
export KEY_EMAIL="myname@myemail.org"

Then run the following commands; creating the certification authority is very straightforward (you are prompted for the certificate fields, with the values from vars offered as defaults):

. ./vars
./clean-all
./build-ca


Now create the server certificate and key. build-key-server marks the certificate with the server role (nsCertType/extendedKeyUsage server), which lets the client later verify that it is really talking to the server and not to another client certificate signed by the same CA:

./build-key-server server


Now generate a certificate and key for each user; user1 can be the username as well. Give every user their own certificate rather than sharing one, so that a single lost laptop can be revoked without touching the others:


./build-key user1


The last step is to generate the Diffie-Hellman parameters (this takes a while; the output file is named after KEY_SIZE, dh1024.pem by default):


./build-dh
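As an added example, not part of the original page (which uses the easy-rsa scripts), the script below does with plain openssl what build-ca, build-key-server and build-key do, and then checks the one property that separates the server certificate from a user certificate: the server role extension. The client's "remote-cert-tls server" (or "ns-cert-type server") directive relies on exactly this; with only ca, cert and key configured, a client accepts any certificate the CA ever signed, user1's included. The CA name demo_ca, the scratch directory layout and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not the page's easy-rsa code): throw-away CA, one server
# certificate with the server role, one user certificate without it, and the
# check an OpenVPN client performs with "remote-cert-tls server".
set -e

# issue_cert DIR NAME EXTFILE: key + CSR + certificate signed by the demo CA
issue_cert() {
    dir="$1"; name="$2"; ext="$3"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days 1 -sha256 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$ext" -out "$dir/$name.crt" 2>/dev/null
}

# build_demo_pki DIR: creates ca.crt, server.crt and user1.crt in DIR
build_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    # CA key and self-signed CA certificate (what build-ca produces)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=demo_ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # The "server" extension section of easy-rsa's openssl.cnf adds these two
    # extensions; build-key-server uses it, build-key does not.
    printf 'nsCertType=server\nextendedKeyUsage=serverAuth\n' > "$dir/server.ext"
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    issue_cert "$dir" server "$dir/server.ext"
    issue_cert "$dir" user1 "$dir/client.ext"
}

# signed_by_ca CERT CA: succeeds if the chain verifies. This is the only check
# a client with just ca/cert/key performs, and it passes for user1.crt as well.
signed_by_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# is_server_cert CERT: succeeds if CERT carries the server role, i.e. what
# "remote-cert-tls server" (EKU serverAuth) or "ns-cert-type server"
# (Netscape cert type SSL Server) require of the peer.
is_server_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    case "$text" in
        *"TLS Web Server Authentication"*|*"SSL Server"*) return 0 ;;
    esac
    return 1
}

# demo DIR: build the PKI and report which certificates a client would accept as the server
demo() {
    build_demo_pki "$1"
    for c in server user1; do
        signed_by_ca "$1/$c.crt" "$1/ca.crt" || { echo "$c.crt: NOT signed by the CA"; continue; }
        if is_server_cert "$1/$c.crt"; then
            echo "$c.crt: signed by the CA and carries the server role"
        else
            echo "$c.crt: signed by the CA but NOT a server certificate (rejected with remote-cert-tls server)"
        fi
    done
}

# Usage: sh demo_pki.sh /tmp/demo_pki
if [ $# -gt 0 ]; then demo "$1"; fi
```

The two checks together are what makes a client immune to another VPN user who sits on the same hotspot and replays a valid user certificate as the "server": signed_by_ca passes for both files, is_server_cert only for server.crt.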


Server side

Install openvpn on the server:

apt-get install openvpn


Create a directory called /etc/openvpn/keys:


mkdir /etc/openvpn/keys


Copy the server's certificate and key, the CA certificate and the DH parameters from the laptop or the virtual machine to the server with scp. Only these four files go to the server: the CA key (ca.key) and the user keys stay on the trusted machine. Afterwards make server.key readable by root only (chmod 600).

scp ca.crt  server.crt server.key dh1024.pem   root@server:/etc/openvpn/keys


In /etc/openvpn/ create a file called server.conf. The certificate paths point at /etc/openvpn/keys, the directory the files were just copied to:


#server.conf
port 1194
proto udp
dev tun
#comp-lzo must match the client. Compressing plaintext before encryption has
#since been shown to leak data (VORACLE); leave it off unless you need it.
comp-lzo

#the files copied to /etc/openvpn/keys above
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
#duplicate-cn lets several clients connect with the same certificate at once.
#Remove it if every user has their own certificate, so that a copied key
#cannot be used next to its legitimate owner without anyone noticing.
duplicate-cn
server 10.10.5.0 255.255.255.0
#client-to-client lets VPN clients reach each other. Not needed for the
#single-laptop scenario; leave it out unless the clients trust each other.
client-to-client
#adjust the dhcp-option DNS according to your network parameters
push "dhcp-option DNS 208.67.222.222 208.67.220.220"
#make the tunnel the client's default route. "def1" adds 0.0.0.0/1 and
#128.0.0.0/1 routes over the existing default route instead of replacing it,
#which is more robust than a bare "redirect-gateway".
push "redirect-gateway def1"
#keep key and tun device open across restarts so the daemon can drop
#privileges to nobody/nogroup right after start-up
persist-key
persist-tun
user nobody
group nogroup
#relative to /etc/openvpn (the init script changes into that directory)
log openvpn.log
verb 5
ping 10
ping-restart 120



Server firewall issues
This script accepts remote connections on UDP port 1194 (OpenVPN) and TCP port 22 (ssh), and forwards and NATs the traffic from the tun0 interface out through the eth0 interface. Run it as root. It is not persistent: hook it into your boot sequence (and set net.ipv4.ip_forward=1 in /etc/sysctl.conf), otherwise the rules are gone after the next reboot.


#!/bin/sh
ext_int="eth0" #where eth0 is the interface connected to the internet
vpn_net="10.10.5.0/24"
tun_int="tun0"
IPT="/sbin/iptables"
# Allow from the internet
TCP="22"
UDP="1194"
echo 1  > /proc/sys/net/ipv4/ip_forward
# Start from empty tables so re-running the script does not append duplicate rules
$IPT -F
$IPT -t nat -F
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Replies to connections the server itself opened, on any interface (tun included)
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# VPN clients may talk to the server itself (dns, ssh, ...)
$IPT -A INPUT -i tun+ -m state --state NEW -j ACCEPT
# ssh and OpenVPN from the internet
$IPT -A INPUT -i $ext_int -p tcp -m multiport --dports $TCP -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $ext_int -p udp -m multiport --dports $UDP -m state --state NEW -j ACCEPT
# VPN clients may open connections to the internet; only the replies come back
# into the VPN subnet. Without the state match, anyone able to route packets
# for 10.10.5.0/24 to eth0 would be forwarded straight into the tunnel.
$IPT -A FORWARD -i tun+ -o $ext_int -s $vpn_net -j ACCEPT
$IPT -A FORWARD -i $ext_int -o tun+ -d $vpn_net -m state --state ESTABLISHED,RELATED -j ACCEPT
# Hide the VPN clients behind the server's public address (use $ext_int, not a hard-coded eth0)
$IPT -t nat -A POSTROUTING -s $vpn_net -o $ext_int -j MASQUERADE
$IPT -L -v -n
$IPT -t nat -L -v -n


Starting the openvpn server

/etc/init.d/openvpn start
Starting virtual private network daemon: server.



On the client side

Install openvpn.


apt-get install openvpn


Create the keys directory

mkdir  /etc/openvpn/keys

Copy the files ca.crt, user1.crt and user1.key into /etc/openvpn/keys. The user key must travel over a secure channel (scp from the trusted machine, not e-mail) and should be readable by root only (chmod 600).

In /etc/openvpn create a file called client1.conf with this configuration:

#client1.conf
client
dev tun
proto udp
remote server-ip-address
port 1194
nobind
persist-key
persist-tun
#must match the server
comp-lzo
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/user1.crt
key /etc/openvpn/keys/user1.key
#only accept a peer whose certificate carries the server role set by
#build-key-server. Without this any client certificate signed by the same CA
#could impersonate the server on the hostile network.
#On OpenVPN older than 2.1 use "ns-cert-type server" instead.
remote-cert-tls server
#apply the DNS servers pushed by the server. A Linux client ignores the pushed
#dhcp-option otherwise and keeps resolving names through the hotspot's DNS
#in clear text. The script ships with the Ubuntu openvpn package and needs
#the resolvconf package.
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
#log openvpn.log
#enable the log line above only for debugging
verb 5
ping 10
ping-restart 60


Start the OpenVPN client (as root):

openvpn --config /etc/openvpn/client1.conf


Debugging


On the client side enable the log line in client1.conf and follow it:

tail -f openvpn.log

Use tcpdump on the client and on the server. Once the tunnel is up, the only traffic leaving the client's wireless interface should be UDP port 1194 towards the VPN server:

tcpdump -n udp port 1194


To check that the NAT is working on the server (the packet counters on the MASQUERADE rule must increase while you browse from the client):

iptables -t nat -L -v -n


To check that the redirect really took effect on the client, look at the routing table: with "redirect-gateway" the default route must point at tun0 (with "redirect-gateway def1" it is the 0.0.0.0/1 and 128.0.0.0/1 routes that do), and the only route over the wireless interface should be the host route to the VPN server itself. Also confirm that /etc/resolv.conf lists the pushed DNS servers, otherwise name lookups still leak to the hotspot's resolver in clear text:

ip route show
cat /etc/resolv.conf
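As an added example, not part of the original page, the script below turns the two client-side checks into shell functions fed with the output of "ip route show" and the contents of /etc/resolv.conf. The route test encodes what "push redirect-gateway" (plain or def1) does to the client's routing table; the DNS test encodes what the pushed dhcp-option should have produced. The sample routing tables and resolv.conf contents are constructed for this example: the tun0 name and the 10.10.5.0/24 subnet follow the page's server.conf, the DNS addresses are the ones it pushes, and the hotspot interface wlan0, the gateway 192.168.1.1 and the server address 203.0.113.10 are assumptions.

```shell
#!/bin/sh
# Added example (not the page's code): checks that the tunnel really carries
# all traffic, run against "ip route show" and /etc/resolv.conf output.

# tunnel_is_default ROUTES: succeeds if every IPv4 destination is routed via tun0.
# Plain "redirect-gateway" replaces the default route with one over tun0;
# "redirect-gateway def1" leaves it alone and adds 0.0.0.0/1 and 128.0.0.0/1
# via tun0, which together cover all of IPv4 and win over /0 by prefix length.
tunnel_is_default() {
    routes="$1"
    if printf '%s\n' "$routes" | grep -q '^default .* dev tun0'; then
        return 0
    fi
    if printf '%s\n' "$routes" | grep -q '^0\.0\.0\.0/1 .* dev tun0' &&
       printf '%s\n' "$routes" | grep -q '^128\.0\.0\.0/1 .* dev tun0'; then
        return 0
    fi
    return 1
}

# server_route_ok ROUTES SERVER_IP IFACE: the VPN server itself must stay
# reachable through the hotspot interface, otherwise the tunnel's own UDP
# packets would be routed into the tunnel and the connection would collapse.
server_route_ok() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -q "^$ip_re via .* dev $3"
}

# dns_leaks RESOLV_CONF ALLOWED: succeeds (i.e. reports a leak) if any
# nameserver line names a server outside the space-separated ALLOWED list.
dns_leaks() {
    leak=1
    for ns in $(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'); do
        case " $2 " in
            *" $ns "*) ;;
            *) leak=0 ;;
        esac
    done
    return $leak
}

# --- constructed sample data ---------------------------------------------
# Routing table on the laptop before connecting (hotspot on wlan0, assumed)
ROUTES_BEFORE='default via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23'

# After connecting to an assumed server at 203.0.113.10 that pushes
# "redirect-gateway def1" (net30 topology: client 10.10.5.6, peer 10.10.5.5)
ROUTES_AFTER='0.0.0.0/1 via 10.10.5.5 dev tun0
default via 192.168.1.1 dev wlan0
10.10.5.1 via 10.10.5.5 dev tun0
10.10.5.5 dev tun0 proto kernel scope link src 10.10.5.6
128.0.0.0/1 via 10.10.5.5 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0'

PUSHED_DNS="208.67.222.222 208.67.220.220"
# resolv.conf when the pushed dhcp-option was ignored (still the hotspot's DNS)
RESOLV_LEAKING='nameserver 192.168.1.1'
# resolv.conf after update-resolv-conf applied the pushed servers
RESOLV_OK='nameserver 208.67.222.222
nameserver 208.67.220.220'

# check_live SERVER_IP IFACE: the same checks against the running laptop
check_live() {
    routes=$(ip route show)
    if tunnel_is_default "$routes"; then echo "routes: all traffic via tun0"; else echo "routes: tunnel is NOT the default route"; fi
    if server_route_ok "$routes" "$1" "$2"; then echo "routes: host route to $1 via $2 present"; else echo "routes: no host route to $1 via $2"; fi
    if dns_leaks "$(cat /etc/resolv.conf)" "$PUSHED_DNS"; then echo "dns: LEAK, resolver outside the pushed list"; else echo "dns: only pushed resolvers in use"; fi
}

# Usage on the laptop: sh check_tunnel.sh 203.0.113.10 wlan0
if [ $# -eq 2 ]; then check_live "$1" "$2"; fi
```

Run the live check before and after starting the client: before, the default route is on the wireless interface and the hotspot's resolver is in use; after, both checks must flip, or the hotspot is still seeing part of your traffic.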


Creative Commons License