Monday, September 16, 2013

Connecting to my home network securely with OpenVPN

I know you've all been anxiously awaiting another blog post about my nerdy projects. If I recall correctly I haven't posted anything since the RaspBMC post. You are in luck because today you get another nerdy post from me

Project Inspiration:
Seems like with rare exception I spend most of my time somewhere that has wireless internet access. This is one major reason I still have a "dumb" phone and don't pay for data service. Unfortunately, the problem with using free Wifi is you don't know who else is using it and potentially watching your activity. For the last several years I've always had some type of iOS device with me in the at work all the time. I know many people disregard this issue and just use the free wifi to do whatever they would do normally. I'm a little paranoid so because of the security issue I mentioned I've never checked my e-mail or even used it to connect to any online accounts unless I'm at home connected to my own secure wireless network.

Realizing that I will be spending the rest of my working life in an operating room, where I may or may not have cellular service, but will likely have wifi. I decided it was time to have a secure way to connect to the internet through the hospital wifi and also a secure means of connecting to my server at home.

Although there are different ways to do this I chose to create a virtual private network or VPN. I know corporations use them to create secure connections between offices. Hospitals use them to allow physicians to connect to the electronic medical record over the internet.

Equipment and software:  
I'm cheap (Remember I don't have a smart phone because I don't want to pay for the data service.). I'm sure I cold have paid someone to set this all up for me, or used some integrated software solution but I don't like to pay for things I don't have to and I like to figure things out myself.  To complete this project I used all free and/or open-source services

1. Server
This was an easy choice. Although I could have used the computer that is functioning as my file server as a VPN server also, that would mean that it would have to be on all the time. Right now it is setup to go to sleep every 45 minutes until someone tries to access files. I installed DD-WRT on my router several months ago. I have a version of DD-WRT which can function as a VPN server. Since my router is on all the time anyway and uses much less power than my computer, this seemed the logical choice.

2. VPN protocol
DD-WRT has PPTP and OpenVPN built in as well as IPSec, L2TP, and PPTP passthrough capabilities. We're already established that I'm paranoid and want the best security I can get so I went with OpenVPN. Plus, it is open source and free.

The Setup:

1. Download OpenVPN - from here and install

2. Use OpenVPN to create certificates - How to outline from

Essentially, I ran cmd.exe as an administrator under windows.
Once running I executed the following commands:
  cd C:\Program Files\OpenVPN\easy-rsa
Now I edited the vars.bat file using Notepad++ to set my country, state, city, and e-mail. I then continued with the following commands
  build-ca (You must define a common name during this process)
After this is complete I built the keys for my server and on client
  build-key server server
  build-key client1 (This step can be repeated to create more client certificates)
I then generated the Diffie-Hellman parameters

All of the keys and certificates I just created were saved in C:\Program Files\OpenVPN\easy-rsa\keys
We will access these later to copy these to the appropriate areas.

3. Setup a dynamic DNS.

I need a way for to locate my OpenVPN server on the world wide web. Because I don't pay for a static IP address, which is the case for most residential customers, my IP address changes periodically. There are several dynamic DNS services which circumvent the problem of the changing IP address by associating you IP address with a domain and then changing that association when your IP address changed by your ISP.  I chose

DD-WRT has the ability to connect to and update so I don't need to install the windows client.

Here's the setup in DD-WRT

4. DD-WRT OpenVPN configuration

In addition to generating keys and certificates with OpenVPN you need server and client configuration files. The DD-WRT web GUI will create most of the server configuration file automatically. You can then provided additional configuration in the box labeled as such.

Here is the setup I used

I chose a Router (TUN) configuration because I wanted to be able to connect using my iPad and the OpenVPN application for iOS does not support TAP interfaces

I have this working with the default port 1194. What I don't yet know is whether the hospital will block that port and prevent my connection. I may have to change it later to something that won't be blocked like 443.

I may change the Hash Algorithm to something more secure than SHA1 but didn't for the initial setup. Also for security I may adopt a TLS cipher later.

Although "Redirect default Gateway" is disabled, I enabled it again in the additional config. I had it disabled for testing and because I wasn't sure which commands that would add to the server configuration file created by the GUI.

The contents of the appropriate certificates and keys are pasted from the C:\Program Files\OpenVPN\easy-rsa\keys folder at this point.
server.crt is pasted in entirety in "Public Server Cert" box
ca.crt is pasted from begin to end certificate in the "CA Cert" box
server.key  is pasted from begin to end certificate in the "Private Serve Key" box
dh.pem is pasted from begin DH parameters to end in the DH PEM" box.

Since the config file is mostly created by GUI above you just add additional parameters below.
  push "route" - haven't tested if this is necessary as it may already be in the config file created by the GUI. The goal is to get the VPN network at to connect to my LAN at

As you can see the push "route-gateway" is commented out. This is because the GUI creates a push "route-gateway" command and I found I didn't need it.

Since I wanted to direct all my internet traffic through the VPN tunnel I included the line push "redirect-gateway def1." Unfortunately, this created a few problems. I discovered that the VPN connection was working but would not allow me to access the internet from my client when this line was included. This was resolved with 2 things. First, I had to provide a DNS server. It was not sufficient to provide the IP address of my router to then connect to a DNS server. I had to provide my Comcast DNS server IP address. I provided 2 just in case one stops working. Second, I let the router know what to do with the internet traffic sent over the VPN.  I was able to find an iptables firewall command in the OpenVPN how to which NATs the traffic to the internet. This was then modified based on some DD-WRT form posts to work with DD-WRT as follows

iptables -t nat -A POSTROUTING -s -j MASQUERADE

I wish I could say that I fully understand syntax of this command and why it fixes my problem, but I don't.

5. Client configuration

Although the DD-WRT GUI creates the server configuration file. I had to create my own client configuration file, but there are good examples all over the web including on OpenVPN. I've included it below

client #Defines the type of configuration file
dev tun #Defines the interface, either tun or tap
proto udp #Defines the protocol, either udp or tcp
remote 1194 #let the client know where to locate the server.
resolv-retry infinite
# Define security certificates and keys
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
ciper AES-256-CBC #This must match the server configuration
auth sha1 #This must match the server configuration
comp-lzo #Enable compression
verb 3 #Set log file verbosity

Further clarification on these commands is available in the OpenVPN manual.

6. Download and install OpenVPN connect for iOS

7. Transfer the appropriate certificates and keys (ca.crt, client1.key, and client1.crt in my case) to my iPad through iTunes. I chose iTunes because e-mail would be an insecure way to transfer a secure certificate.

8. Test connection

There are a few caveats with this one. First, you have to be connected to the internet through another network. That means my home wireless won't work. I used a wireless modem I purchased so we could have internet during our recent move. Second, the way windows uses system time and the way Linux based systems like DD-WRT use it are different. If you create your keys and certificates with Windows they may not be valid with DD-WRT for several hours. This will be noted in the server log in DD-WRT.

9. Accessing windows file shares.

Although I had shared files to all users on my network using Windows, the default firewall setting for this is limited to the local subnet. Since my VPN is on a different network, I had to allow sharing to that network in the windows firewall.

I was successfully able to connect to my network using my cellular modem. All of my internet traffic is routed through the VPN tunnel so that when I query my IP online it shows the same as my home address. I was also able to access my windows shares through this connection. Now I just have to test this through the hospital network to confirm functionality.

Update: I was unable to connect to my server when I tried through the hospital network. I'm guessing this is likely secondary to the UDP 1194 port being blocked to outbound traffic on their network. I will change my port and protocol to 443 and TCP respectively and test it again at the hospital. It is very unlikely that this port will be blocked; however, I'm not certain at this time if there are any other ramifications associated with this change. I do know from a bit of internet reading that this method is likely slower.

Update 2: I could not connect on UDP port 1194 at the hospital. Connecting through port 443 did work.  My major concern now is the security risk of having port 443 open for inbound traffic.

