I mentioned before that a VPN encrypts traffic to and from your device. In much the same way as connecting to a site over HTTPS. This is done by public-key-cryptography. If any of you have ever heard me talk at Dundee Tech Talks you’ll have heard me go on at length about encryption and public key encryption is by far the coolest method of encryption. I’ll probably talk about it more in another post but at its simplest level you have two keys. One encrypts and one decrypts, you then can make the encryption key public. OpenVPN comes with a collection of helper scripts and config files called Easy_RSA which produce keys use the RSA encryption algorithms.
The next few commands are going to be run a root. You can ether stick
sudo in-front of all the commands I’ll list bellow, or to save some time just type
sudo -s and become root.
Now before we start setting up our certificates we must copy the default EasyRSA in a folder that makes sense:
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
Now before we can start using EasyRSA we have to tell it where to find our new directory. So edit the vars files
nano /etc/openvpn/easy-rsa/vars find the line ‘export EASY_RSA’ and update the value, once your done it should look like
Before we leave the vars file we’ll also want to adjust the level of encryption 1024 to 2048. In most cases 1024 is all you would ever need, but why settle for less when its as easy as typing three numbers to exponentially increase your VPNs security.
To exit nano simple type control+x, nano will prompt you to save the file before exiting.
One thing that give OpenVPN its security is that it doesn’t use a username and password to authenticate its users. When asked for a password the majority of people will use a relatively simple password, or reuse a previous password and where someone picks a good/strong password it can easily be forgotten. Another risk to consider is where you’ll be using the VPN. Having the password stored on devices like phones and tablets which can be lost or stolen leading you to have to change your password then update all other devices with the new password – a pain if you happen to away from home.
Instead OpenVPN uses a OpenSSL keypair. Every device has its own private key signed by the OpenVPN server which is then used to authenticate each device separately. Now if a device is lost its as easy as revoking that devices key, no other device heeds changed or updated.
So we need to create a certificate authority on the Raspberry Pi to sign user keys – which we’ll do next. The following commands still need executed as root, so remember ether add
sudo infront of them or make sure you still have root from the
sudo -s command we used when setting up the keypair.
Move into the EasyRSA folder we created earlier:
Step 2 – A
source ./vars this will setup the all the environment variables we edited before.
Step 2 – B
As pointed out by Redrerick in the comments after the most recent update to OpenVPN available for the Raspbery Pi, openvpn armhf 2.2.1-8+deb7u3, you now have to run
./clean-all this will clear out any keys and certificates and give you a clean slate to start with.
./build-ca this is where the magic happens. The Raspberry Pi is now going to hit you with a load of questions about where you are and organisation names. You can ether fill them in accurately or just accept the defaults.
What you will need to pick a name for your server. I started by trying to use my normal naming scheme but, turns out its crap, settled for VPiN – clever right?
The same as in step 3 you are going to be hit by a series of questions.
- Common Name – This has to be the same as your server name, if it hasn’t already defaulted to that change it!
- A challenge password? – You have to leave this blank
- Sign the certificate? [y/n] – The answer must be yes, if you don’t sign the certificate then nothing else will work
You’re going to get a warning saying the certificate is valid for 3,650 days. So if you still using your Raspberry Pi VPN server in ten years you’ll need to come back and go through these steps again – so you’d better bookmark the page now.
Finally it’ll say “1 out of 1 certificate requests certified, commit? [y/n]” again type ‘y’
Now we’re going to create whats called a Diffie-Hellman key exchange. This is a fundamental element to creating a secure connection between two machine when all of the ‘handshaking’ is done before the encryption is setup, meaning any 3rd party can sit in and watch the full unencrypted ‘handshake’ conversation but still not know what the final encryption keys used are, so once the connection become encrypted that’s it – there out in the cold.
Make sure you are still in the
/etc/openvpn/easy-rsa director and run
Now best to get a coffee or something cause this can take a while, especially if you followed the instructions and increased the level of encryption from 1024 to 2048.
DoS (Denial of Service)
A DoS (Denial of Service) or DDoS (Distributed Denial of Service) attack is where an attacker gets the IP address of a service online and starts issuing so many connection requests, some times in the range or a several thousand per second, that the server can not handle them all and eventually dies under the load.
OpenVPN has built in protection against these attacks called a HMAC (hash-based message authentication code). Kind of like a pre-shared secret. If the server doesn’t receive this secret it want even try to authenticate a device instead just ignoring the request. Now, while you don’t want this secret out in the wild its not a huge security risk since even with the secret a device will need a valid certificate as well.
Generating the secret is as easy as typing:
openvpn --genkey --secret keys/ta.key
OpenVPN is finally installed on our Raspberry Pi, but its fairly useless unless our devices can connect to it. So next we’ll look start creating some key for our phones and laptops.