Why have I preferred a VPN over direct access such as SSH, VNC, etc.? Because this way I can establish an encrypted tunnel between my laptop and my home network, and later set up other types of connections over that secure line. Furthermore, I will be able to connect from any kind of insecure network.
Why have I chosen OpenVPN? Because this application allows you to quickly build SSL/TLS channels, and this sort of VPN is really handy and straightforward to configure. OpenVPN is open source software which easily implements VPNs over a public network such as the Internet. One of its main advantages is that it needs only a single TCP or UDP port for transmissions and runs in userspace, rather than requiring IP stack operations as, for instance, IPsec or PPTP do.
Below you can see a detailed outline of my infrastructure. It is a point-to-point link between my laptop and a PC connected inside the local network. The PC acts as the server (it listens for incoming connection requests) and the laptop is the client (it initiates the connection). Once I am connected to the PC via OpenVPN, I will be able to jump safely to any device located in the network. Both computers run Ubuntu 11.10.
One of the first things I had to face was the dynamic IP address used by my ADSL service. Every time I turn on the router, a temporary public IP address is assigned by the ADSL provider. To overcome this, I have signed up for a free dynamic DNS service: DNSdynamic. The registration process is pretty simple.
In this manner, I have obtained a subdomain which points to my router. To keep it pointing there, I have installed ddclient on the PC, an address-updating utility which keeps the record in sync with the router's current public IP. To show you my configuration, I will use a fictitious subdomain called test.dnsdynamic.com.
root@javi-pc:~# aptitude install ddclient

root@javi-pc:~# cat /etc/ddclient.conf
# Log messages to syslog
syslog=yes
# Support SSL updates
ssl=yes
# Obtain the public IP address by checking the provider's IP page
use=web, web=myip.dnsdynamic.com
# Update DNS information on this server
server=www.dnsdynamic.org
# Login and password for the server
login=email@example.com
password='xxxxxx'
# Update protocol used
protocol=dyndns2
# Subdomain to update
test.dnsdynamic.com

root@javi-pc:~# cat /etc/default/ddclient
...
# ddclient runs in daemon mode
run_daemon="true"
# Time interval between the updates of the dynamic DNS name (in seconds)
daemon_interval="3600"

root@javi-pc:~# /etc/init.d/ddclient start
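Because ddclient.conf carries the dynamic DNS password in plaintext and the update itself carries that password to the provider, the two things worth checking before starting the daemon are that every required key is present with updates forced over TLS, and that no other local user can read the file. The following script is an added example, not part of the post and not ddclient's own tooling; the sample configs it writes are constructed placeholders (the credentials and the test.dnsdynamic.com hostname are not real), and the required-key list is my assumption about a minimal dyndns2 setup.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check a ddclient.conf before
# starting the daemon. Verifies required keys, ssl=yes, a hostname as the
# final entry, and a file mode that keeps the plaintext password private.
set -u

# Write a constructed sample config (placeholders, not real credentials)
# into a temp dir with mode 600, and print its path.
make_sample_conf() {
  d=$(mktemp -d)
  cat > "$d/ddclient.conf" <<'EOF'
# constructed sample, same layout as the post's file
syslog=yes
ssl=yes
use=web, web=myip.dnsdynamic.com
server=www.dnsdynamic.org
login=email@example.com
password='xxxxxx'
protocol=dyndns2
test.dnsdynamic.com
EOF
  chmod 600 "$d/ddclient.conf"
  printf '%s\n' "$d/ddclient.conf"
}

# A deliberately weak variant: no login=, ssl=no, world-readable (mode 644).
make_weak_conf() {
  d=$(mktemp -d)
  cat > "$d/ddclient.conf" <<'EOF'
syslog=yes
ssl=no
use=web, web=myip.dnsdynamic.com
server=www.dnsdynamic.org
password='xxxxxx'
protocol=dyndns2
test.dnsdynamic.com
EOF
  chmod 644 "$d/ddclient.conf"
  printf '%s\n' "$d/ddclient.conf"
}

# has_key FILE KEY -> 0 if an uncommented "KEY=" line exists
has_key() {
  grep -Eq "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# check_ddclient_conf FILE -> prints each finding, returns the number of
# findings (0 means the file passed every check)
check_ddclient_conf() {
  f=$1
  n=0
  for key in ssl server login password protocol; do
    if ! has_key "$f" "$key"; then
      echo "missing: $key="
      n=$((n + 1))
    fi
  done
  # updates must go over TLS, otherwise the credentials travel in the clear
  if has_key "$f" ssl && ! grep -Eq '^[[:space:]]*ssl[[:space:]]*=[[:space:]]*yes' "$f"; then
    echo "ssl is not set to yes"
    n=$((n + 1))
  fi
  # ddclient reads the last non-comment, non-empty line as the hostname
  last=$(grep -Ev '^[[:space:]]*#' "$f" | grep -Ev '^[[:space:]]*$' | tail -n 1)
  case "$last" in
    ''|*=*) echo "last entry is not a hostname"; n=$((n + 1)) ;;
  esac
  # the file holds a plaintext password: group/other must have no access
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    *00) ;;
    *) echo "mode $mode lets other users read the password"; n=$((n + 1)) ;;
  esac
  return "$n"
}

# stand-alone run: a clean report for the sample, three findings for the weak file
check_ddclient_conf "$(make_sample_conf)" && echo "sample: OK"
check_ddclient_conf "$(make_weak_conf)" || echo "weak file: $? problem(s)"
```

Point `check_ddclient_conf` at the real /etc/ddclient.conf (as root, since the file should be mode 600) to get the same report for a live installation; a non-zero return value is the number of findings, so it slots into a pre-start check of the init script.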
The SSL/TLS connection I have configured is authenticated through digital certificates, so I needed to create a pair of certificates, one for each end of the VPN tunnel. In addition, I have also had to create a CA (Certification Authority) in order to validate both certificates. OpenVPN allows peers to authenticate each other using a username/password, a pre-shared secret key or digital certificates. I have picked the last option because it is the most robust system.
To manage digital certificates, I usually work with easy-rsa, a small RSA key management package which contains a series of openssl scripts aimed at handling PKIs (Public Key Infrastructures). This tool is included within the OpenVPN source tarball.
javi@javi-pc:~/tmp$ wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz
javi@javi-pc:~/tmp$ tar xvzf openvpn-2.2.2.tar.gz
javi@javi-pc:~/tmp$ mv openvpn-2.2.2/easy-rsa/2.0/ . ; rm -rf openvpn-2.2.2*
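To make clear what the easy-rsa scripts do underneath, and what each end of the tunnel actually checks when the other side presents its certificate, here is an added example that is not part of the post and is not easy-rsa's own code: it builds the same three artefacts (a self-signed CA, a server certificate and a client certificate) with plain openssl, then verifies them the way a peer would. The CA name, the one-year lifetimes and the use of an extendedKeyUsage extension to mark the server and client roles are my choices for the example, not a copy of easy-rsa's configuration.

```shell
#!/bin/sh
# Added example (not the post's commands and not easy-rsa): the work that
# easy-rsa's build-ca, build-key-server and build-key wrap, done with plain
# openssl, followed by the verification a peer performs on the other side.
set -u

# issue_cert DIR NAME EKU: key + CSR for NAME, signed by DIR/ca.crt with the
# given extendedKeyUsage (serverAuth or clientAuth) and CA:FALSE.
issue_cert() {
  dir=$1; name=$2; eku=$3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$dir/$name.ext"
  openssl x509 -req -days 365 -in "$dir/$name.csr" \
      -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
      -extfile "$dir/$name.ext" -out "$dir/$name.crt" >/dev/null 2>&1
}

# build_pki DIR: self-signed CA (what build-ca does), then one server and
# one client certificate issued by it (build-key-server / build-key).
build_pki() {
  mkdir -p "$1" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=Example-VPN-CA' \
      -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1 || return 1
  issue_cert "$1" server serverAuth || return 1
  issue_cert "$1" client clientAuth || return 1
}

# verify_peer CADIR CERT PURPOSE -> 0 only if CERT chains to CADIR/ca.crt and
# is usable for PURPOSE (sslserver or sslclient). A certificate from another
# CA, or a client certificate presented in the server role, is rejected.
verify_peer() {
  openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$2" >/dev/null 2>&1
}

# stand-alone demo: build a PKI in a temp dir and run the three checks
d=$(mktemp -d)
build_pki "$d" || echo "PKI build failed (is openssl installed?)"
verify_peer "$d" "$d/server.crt" sslserver && echo "server cert: accepted"
verify_peer "$d" "$d/client.crt" sslclient && echo "client cert: accepted"
verify_peer "$d" "$d/client.crt" sslserver || echo "client cert in server role: rejected"
```

The role check is the part worth keeping in mind when you later copy the certificates around: the client trusts ca.crt, so any certificate that CA has signed will pass the chain check, and only the purpose (extendedKeyUsage) check tells a client certificate apart from the real server's. OpenVPN's `remote-cert-tls server` option performs that same role check on the client side.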