Advertisements
Restore Zimbra, OSE, from backups
30 Mar

Restore Zimbra, OSE, from backups

This morning I thought to take advantage of the long weekend and update my Zimbra installation – this didn’t go as well as expected. Instead I ended up with a corrupted server. I was left spending the morning restoring from my latest zmback.sh backup.

The process was simple enough, but since I couldn’t find a clear step-by-step guide I thought having an easy to find reference guide would be of use in the future – as I’m sure I’ll be in a simliar possition again one day. Read more »

Raspberry Pi Powered OpenVPN – Server, Part 1
07 Feb

Raspberry Pi Powered OpenVPN – Server, Part 1

I mentioned in a previous post that I had a spare Raspberry Pi. It’s taken me a while to finish but I’ve managed to turn it into a portable OpenVPN server.

A VPN, or Virtual Private Network, is a way of extending your private network into the outside world all fully encrypted. Free and in most cases unencrypted WiFi is available almost everywhere from universities to coffee shops or hotels and even your dentists waiting room, but you have to be careful what you are doing on internet access points.

Most people are unaware but free WiFi from places like your local coffee shop or hotel are ot safe. Sending confidential email or even web browsing can be subject to interception, what is commonly known as a man-in-the-middle attack. Because of the way WiFi works its relatively easy for someone with the right tools to get between you and the internet. So however tempting it may be you really do not want to be logging into your bank and even something as simple as checking your GMail could leave your Google username and password out in the open.

The idea behind a VPN is to connect to the internet from a trusted source. Once VPN connection has been established all your communications to or from the VPN are encrypted and hidden from prying eyes. No one else at the coffee shop will have any idea what your doing online. All they will see is encrypted traffic to your VPN without being able to delve into that traffic to find out what your doing.

There is a multitude of online services which offer VPN access, in many cases allowing you to pick where you’d like access the internet from there by bypassing geographic restrictions on services like Netflix and BBC iPlayer, but these as in all things have upsides and downsides depending on the service and what charges they make. Since I really resent paying for something I can do myself I going to turn a inexpensive (£35) Raspberry Pi into my VPN server.

Doing it this way not only means I will save myself the ongoing payments of 3rd party VPN service, but I’ll also be able to access my home network as if I was there and still have full access to my Synology file storage.

What you’ll need

Hardware

Raspberry Pi: I’m using a model B but a B+ will work equally well.

SD Card: I would recommend an 8GB card. You shouldn’t need more if all your running on the Pi is OpenVPN.

Network cable: Cat5 or Cat6 depending on your network but you need something to connect the Pi to your router.

Software

OpenVPN: Which we will be installing onto your Raspberry Pi.

Some assumptions

  1. You already have installed Raspbian on your Raspberry Pi SD Card
  2. Your Raspberry Pi has a static IP address within your home network. You can ether do this from the Pi its self or like me setup your routers DHCP settings to issue the Raspberry Pi with static IP
  3. SSH is enabled. We need to access the Raspberry Pi to change settings and setup the OpenVPN server. Using SSH will make this simpler and means we don’t need to fuss with a keyboard or monitor attached to the Raspberry Pi
  4. You have forwarded both the UDP & TCP port 1194 to your Raspberry Pi’s static IP. Instructions for doing this will vary from router to router but if you search Google for your specific router you’ll find instructions

So if you’re ready I’ll get started on my how to guide.

House Cleaning

First thing we’ll do is setup the Raspberry Pi. Assuming your using a new Raspbian installation.

  1. Change your password: The default username and password for a clean Raspbian installation is pi and raspberry. Leaving this unchanged is generally a really bad idea, but not changing it on a Pi your connecting to the internet is begging for trouble. To change it first login over SSH and type sudo passwd this will change your root password then just use passwd to change the pi user password.
  2. Update: Always a good first step after a clean install. Updating the system will make sure you’re using the latest software and libraries, and any know bug or security flaws will have been patch. Raspbian OS being just a version of Debian system updates are handled by apt-get so to update the system run sudo apt-get update; sudo apt-get upgrade from the SSH terminal window.
  3. Install OpenVPN: OpenVPN is already in the repositories so installation is as easy as running sudo apt-get install openvpn

Now that our Raspberry Pi is ready we’ll move on to the setting up the installing and setting up OpenVPN on the Pi.

Raspberry Pi Powered OpenVPN – Server, Part 4
07 Feb

Raspberry Pi Powered OpenVPN – Server, Part 4

Time to put it all together

OpenVPN Configuration

So far we have setup and new Raspberry Pi, install OpenVPN, generated some server keys and at least one user/device key and created a Certificate Authority to sign them. We are still missing something though. OpenVPN doesn’t know any of the yet. We still have to tell it where to find these new files we’ve just create, what IP or port to listen for connections on, what type of connection to make or where to send the resulting traffic.

All these setting are held in OpenVPN’s configuration file, but non is installed with the OpenVPN package so we need to create a new one. Start by creating a file on the Pi nano /etc/openvpn/server.conf then fill it with this initial template:

I’ve marked some bits you will need to change yourself most importantly PI_IP_ADDRESS and YOUR_DNS_IP_ADDRESS but read thru the comments to make sure everything else is right for your setup. Once your done just control+x and save the file.

Port Forwarding

Now that OpenVPN knows what to do we need to tell the Pi to forward internet traffic. By default a Raspbian OS is designed to be a receiving client, internet traffic goes to or from it, but in this case we want it to forward traffic it receives on somewhere else – in this case your router.

To edit the system setting open up the system control file with nano /etc/sysctl.conf and find the line “#net.ipv4.ip_forward=1” and uncomment it by removing the # leaving “net.ipv4.ip_forward=1”. Once again use control+x to save the file. Lastly we have to tell the system we have changed the file. That’s done with the sysctl command, just type sysctl -p and your done.

Raspbian Firewall

We’re almost ready to restart the Raspberry Pi and have a functional server, but before we can there is one more thing we have to do. Raspbian comes with a built in firewall called iptables, found on most Linux systems, which is there to protect your computer from the dangers of the internet but we need to poke a hole through it while leaving the rest of it intact. This is done by issuing command directly to iptables, but we want these changes to still be in place next time we reboot the Raspberry Pi so we need to make the command something the Pi will run everything it connects to the router.

This is best done in two steps. First we’ll setup the script we want to run. Make a new file nano /etc/iptables-openvpn.sh and type in:

Make sure you change PI_IP_ADDRESS to your Raspberry Pi’s IP address. The hit control+x and save the file. We now need to make the file executable, but we also want normal users from changing it.

The first line means only the file owner can execute the file, no one else can even read it. The second line just makes sure the owner is root.

Now we have our supporting files we need to tell the Pi to run this file, and so poke the same hole, in our firewall every time a network connection is setup. Network setting for Linux are commonly stored in the /etc/network/interfaces file so we can start there.

nano /etc/network/interfaces

You can see a line that says “iface eth0 inet dhcp” that simply tells Linux to ask your router for an IP address for the ethernet plug. We can now inject out iptables-openvpn.sh file here by using the pre-up option.

…becomes…

Now before asking for an IP address from a connected router the Pi will run our iptables command and the firewall will be ready. control+x to save your work.

You can finally reboot your Raspberry Pi

Your Raspberry Pi is now a fully working OpenVPN server, in the next tutorial we’ll get started preparing our clients to connect to it.

Raspberry Pi Powered OpenVPN – Server, Part 3
07 Feb

Raspberry Pi Powered OpenVPN – Server, Part 3

Client Side

So we now have a working server, what we have to do now is create certificates for our users or our selves.

If you want to you can cheat here and create one certificate per user then they can use that everywhere, but as I talked about before, if they device is every lost or stolen you will have to setup all you other devices with the new key. So I have created a separate certificate for each device.

Since I am not the only person potentially going to use my VPiN service and I alone have four or five devices all needing access I’ve gone with a naming scheme USER.DEV. So for my Nexus 5 it’s be stuart.nexus5 and my laptop is stuart.redtop (If you’d ever seen my laptop you’d understand… o what the hell here it is)

To create a device key just type

./build-key-pass KEYNAME

… and more prompts

  • Enter PEM pass phrase – Make this something you will remember, depending on the client your running you may be asked to type this ever time you want to connect.
  • A challenge password? – You still have to leave this blank
  • Sign the certificate? [y/n] – The answer must be yes. You will be creating a ten year certificate

We now have an RSA key, but RSA keys have not been perfectly implemented everywhere and if you want to connect your Android or iOS device we need a Triple DES key. Triple DES is simple another encryption algorithm that applies its encryption three times for every block of data, making it harder for hackers to break by brute force. We can do this using the openssl command. All we need to do is input the old key and tell it what to produce:

openssl rsa -in keys/KEYNAME.key -des3 -out keys/KEYNAME.3des.key

OpenSSL will now prompt you for the password of the rsa/old key, which is just entered, and ask you for a new password for the 3des/new key. I just used the same password for both keys, there is no loss of security as long as it was a good password and no need for two separate password.

And that’s it. You’ve now created your first client side key. You will have to repeat these steps for each device but its simple enough just keep changing your KEYNAME as appropriate.

In the final part of this tutorial we need to put everything together and tell OpenVPN about our configuration.

Raspberry Pi Powered OpenVPN – Server, Part 2
07 Feb

Raspberry Pi Powered OpenVPN – Server, Part 2

Groundwork

Keypair

I mentioned before that a VPN encrypts traffic to and from your device. In much the same way as connecting to a site over HTTPS. This is done by public-key-cryptography. If any of you have ever heard me talk at Dundee Tech Talks you’ll have heard me go on at length about encryption and public key encryption is by far the coolest method of encryption. I’ll probably talk about it more in another post but at its simplest level you have two keys. One encrypts and one decrypts, you then can make the encryption key public. OpenVPN comes with a collection of helper scripts and config files called Easy_RSA which produce keys use the RSA encryption algorithms.

The next few commands are going to be run a root. You can ether stick sudo in-front of all the commands I’ll list bellow, or to save some time just type sudo -s and become root.

Now before we start setting up our certificates we must copy the default EasyRSA in a folder that makes sense:
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa

Now before we can start using EasyRSA we have to tell it where to find our new directory. So edit the vars files nano /etc/openvpn/easy-rsa/vars find the line ‘export EASY_RSA’ and update the value, once your done it should look like export EASY_RSA="/etc/openvpn/easy-rsa"

Before we leave the vars file we’ll also want to adjust the level of encryption 1024 to 2048. In most cases 1024 is all you would ever need, but why settle for less when its as easy as typing three numbers to exponentially increase your VPNs security.

To exit nano simple type control+x, nano will prompt you to save the file before exiting.

The Authority

One thing that give OpenVPN its security is that it doesn’t use a username and password to authenticate its users. When asked for a password the majority of people will use a relatively simple password, or reuse a previous password and where someone picks a good/strong password it can easily be forgotten. Another risk to consider is where you’ll be using the VPN. Having the password stored on devices like phones and tablets which can be lost or stolen leading you to have to change your password then update all other devices with the new password – a pain if you happen to away from home.

Instead OpenVPN uses a OpenSSL keypair. Every device has its own private key signed by the OpenVPN server which is then used to authenticate each device separately. Now if a device is lost its as easy as revoking that devices key, no other device heeds changed or updated.

So we need to create a certificate authority on the Raspberry Pi to sign user keys – which we’ll do next. The following commands still need executed as root, so remember ether add sudo infront of them or make sure you still have root from the sudo -s command we used when setting up the keypair.

Step 1

Move into the EasyRSA folder we created earlier: cd /etc/openvpn/easy-rsa

Step 2 – A

Run source ./vars this will setup the all the environment variables we edited before.

Step 2 – B

As pointed out by Redrerick in the comments after the most recent update to OpenVPN available for the Raspbery Pi, openvpn armhf 2.2.1-8+deb7u3, you now have to run ./clean-all this will clear out any keys and certificates and give you a clean slate to start with.

Step 3

./build-ca this is where the magic happens. The Raspberry Pi is now going to hit you with a load of questions about where you are and organisation names. You can ether fill them in accurately or just accept the defaults.

Step 4

What you will need to pick a name for your server. I started by trying to use my normal naming scheme but, turns out its crap, settled for VPiN – clever right?

./build-key-server VPiN

The same as in step 3 you are going to be hit by a series of questions.

  • Common Name – This has to be the same as your server name, if it hasn’t already defaulted to that change it!
  • A challenge password? – You have to leave this blank
  • Sign the certificate? [y/n] – The answer must be yes, if you don’t sign the certificate then nothing else will work

You’re going to get a warning saying the certificate is valid for 3,650 days. So if you still using your Raspberry Pi VPN server in ten years you’ll need to come back and go through these steps again – so you’d better bookmark the page now.

Finally it’ll say “1 out of 1 certificate requests certified, commit? [y/n]” again type ‘y’

Diffie-Hellman

Now we’re going to create whats called a Diffie-Hellman key exchange. This is a fundamental element to creating a secure connection between two machine when all of the ‘handshaking’ is done before the encryption is setup, meaning any 3rd party can sit in and watch the full unencrypted ‘handshake’ conversation but still not know what the final encryption keys used are, so once the connection become encrypted that’s it – there out in the cold.

Make sure you are still in the /etc/openvpn/easy-rsa director and run

./build-dh

Now best to get a coffee or something cause this can take a while, especially if you followed the instructions and increased the level of encryption from 1024 to 2048.

DoS (Denial of Service)

A DoS (Denial of Service) or DDoS (Distributed Denial of Service) attack is where an attacker gets the IP address of a service online and starts issuing so many connection requests, some times in the range or a several thousand per second, that the server can not handle them all and eventually dies under the load.

OpenVPN has built in protection against these attacks called a HMAC (hash-based message authentication code). Kind of like a pre-shared secret. If the server doesn’t receive this secret it want even try to authenticate a device instead just ignoring the request. Now, while you don’t want this secret out in the wild its not a huge security risk since even with the secret a device will need a valid certificate as well.

Generating the secret is as easy as typing:

openvpn --genkey --secret keys/ta.key

OpenVPN is finally installed on our Raspberry Pi, but its fairly useless unless our devices can connect to it. So next we’ll look start creating some key for our phones and laptops.