I don’t know about you, but I can hardly resist an open WiFi hotspot. Sure, I have a data plan for my smartphone and I can even use it as a wireless router for my laptop, but WiFi is way faster than 3G and there are usually no bandwidth caps or extra costs associated with it. On the other hand, a WiFi hotspot is inherently insecure. That’s why I usually leave my iMac running when I’m out and about, so I can surf the web through an encrypted tunnel to the SSH server at home. That technique works quite well and is pretty secure. Heck, it even helped me stay off the Wall of Sheep during DEF CON 17!
A more robust and feature-rich solution than SSH tunneling is to make your laptop a member of a Virtual Private Network or VPN. Traditionally, a VPN is what a company would implement in order to provide its workers full yet secure access to the corporate network when they’re away from the office – or even at a remote branch of the same company.
But you don’t have to be a big boy to reap the benefits of VPN technology. Thanks to the free and Open Source OpenVPN you can actually set up your very own VPN server at home and then securely access resources inside your home LAN from wherever you happen to be, no matter how you got online. Plus, with a few minor tweaks in your OpenVPN configuration you can also use the server for secure surfing, meaning you can re-route all network traffic through an encrypted channel from your laptop to the remote OpenVPN server.
You may install the OpenVPN software practically on any OS under the sun. In reality, you’ll be better off with a Linux or *BSD box. For me, the Linux path was the obvious one. Although at first I thought I’d go with Ubuntu Server, the Amahi Home Server quickly won me over for its dead-easy installation and configuration.
A Linux distribution is all one really needs for the software part of a similar setup. For the hardware part, a pretty modest box with a Pentium 3 class processor, 512 megs of RAM and a 20 gig hard drive will do just fine. Alternatively, you can always prepare a virtual machine for Amahi and use that instead of a physical computer. Actually that’s *exactly* what I did.
For my virtualization platform I could’ve chosen the free VirtualBox software, which by the way is available for Windows, Mac OS X and Linux hosts. But VMware has long earned my trust and, truth be told, that’s what I’m most comfortable using. My old iMac running Mac OS X Snow Leopard is more than adequate for the role of a small-time virtualization host, so I began by building an Amahi VM with VMware Fusion. If your host computer runs Windows or Linux and you want to stick with VMware, then you’ll work with the Workstation edition or with the free VMware Player.
In the remainder of this post I will demonstrate how exactly you can build your very own OpenVPN home server using the Amahi distribution, in seven easy to follow steps.
For a VPN connection to be possible at all, the client must be on a different subnet from the server’s LAN; if the two overlap, the routes the server pushes clash with the client’s local network. You can’t choose the subnet you’re connecting from, but you can make sure your OpenVPN server lives on a not-so-common subnet such as 10.10.10.* or 10.20.30.*. All you have to do is set up your residential (ADSL) router accordingly and possibly reconfigure any PC within the LAN that uses a static IP address. Having said that, in some of the screenshots that follow you’ll see our OpenVPN server living on the extremely common 192.168.1.* subnet. That is only because we built *that* server for the purposes of this demonstration.
Step 1 – Configure a new VM for Amahi
It’s not necessary to take the virtualization route, especially if you happen to have a spare box lying around, doing nothing but gathering dust. As a pure virtualization junkie I rarely have spare hardware, so I happily set off for yet another enjoyable journey to virtua-land. In the following screenshots the main aspects of my Amahi VM are shown.
Step 2 – Create a profile for your HDA and download
Amahi is a Fedora-based distribution designed for home-grade file, media and application servers. The good folks over at Amahi like to refer to such servers as Home Digital Assistants or simply HDAs – and for a good reason. If you want to know more about Amahi and find out what it can do for your home network, you’re strongly encouraged to check it out starting from this page of the official web site. Before you even download Amahi you need to register for a free account and create a profile for your HDA. See the following screenshots for more details.
For our particular setup there’s really no reason to download the Install DVD. The Amahi Express CD is more than fine and you can get it from here, either via BitTorrent or via direct HTTP download. Between the 32bit and 64bit editions I suggest you choose the former, for there’s really no benefit in going with the 64bit one. After the download finishes you’ll have an ISO image named Amahi-6.1-Express-v1-i386.iso.
Step 3 – Install Amahi
The installation of Amahi is unlike the installation of any other Linux distribution you may have performed. What that means in our particular case is that the installation procedure is easy, fast and straightforward. See the screenshots below for all the details.
Step 4 – Initial configuration
After the successful installation of Amahi you need to log into the system via its web interface, change the default admin password and create one or more regular users.
Step 5 – Test the OpenVPN server
Your home OpenVPN (virtual) server should be up and running by now. In order to test it you need to be outside of your home LAN. But don’t rush out with that laptop just yet, for you can test the server right from the Amahi website!
Step 6 – Download, install and configure a VPN client for your OS
You may download a suitable OpenVPN client from this Wiki page of the Amahi project. No matter what OS your laptop runs, the configuration of the client is pretty easy.
In the Windows case, all you need to do is first download this client, then install and run it. See the following screenshots for the details.
The installation of a VPN client under Mac OS X is more involved. Between the two clients the Amahi guys suggest, I chose Tunnelblick, which is Open Source and has always worked fine for me. There are detailed installation and configuration instructions in this page of the Amahi wiki. Here’s exactly what I did on my MacBook, running Mac OS X Leopard.
First I fired up a Terminal window and downloaded the latest stable version of Tunnelblick on my desktop. At the time of this writing, that was version 3.1.7:
mblack:~ cvar$ cd ~/Desktop
mblack:Desktop cvar$ curl -O http://tunnelblick.googlecode.com/files/Tunnelblick_3.1.7.dmg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 3441k  100 3441k    0     0   706k      0  0:00:04  0:00:04 --:--:--  802k
mblack:Desktop cvar$
mblack:Desktop cvar$ ls -lh Tunnel*
-rw-r--r--  1 cvar  staff   3.4M Jul 10 08:43 Tunnelblick_3.1.7.dmg
mblack:Desktop cvar$
From the *.dmg file I got on my desktop I installed Tunnelblick as usual, i.e., I opened up the DMG and copied the Tunnelblick.app to the Applications folder. Back in the Terminal window, I created a folder named amahi.tblk on my desktop and changed to it:
mblack:Desktop cvar$ mkdir amahi.tblk
mblack:Desktop cvar$ cd amahi.tblk
mblack:amahi.tblk cvar$
Per the instructions in the Amahi wiki, I downloaded the following three files:
mblack:amahi.tblk cvar$ curl -O http://dl.amahi.org/vpn/AmahiHDAClient.crt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3809  100  3809    0     0   6291      0 --:--:-- --:--:-- --:--:-- 14373
mblack:amahi.tblk cvar$ curl -O http://dl.amahi.org/vpn/AmahiHDAClient.key
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   887  100   887    0     0   1364      0 --:--:-- --:--:-- --:--:--  2889
mblack:amahi.tblk cvar$ curl -O http://dl.amahi.org/vpn/ca-cert.crt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1257  100  1257    0     0   2072      0 --:--:-- --:--:-- --:--:--  4054
mblack:amahi.tblk cvar$
mblack:amahi.tblk cvar$ ls -lh
total 24
-rw-r--r--  1 cvar  staff   3.7K Jul 10 09:08 AmahiHDAClient.crt
-rw-r--r--  1 cvar  staff   887B Jul 10 09:08 AmahiHDAClient.key
-rw-r--r--  1 cvar  staff   1.2K Jul 10 09:08 ca-cert.crt
mblack:amahi.tblk cvar$
I created an empty file and named it openvpn.ovpn:
mblack:amahi.tblk cvar$ touch openvpn.ovpn
mblack:amahi.tblk cvar$ ls -lh
total 24
-rw-r--r--  1 cvar  staff   3.7K Jul 10 09:24 AmahiHDAClient.crt
-rw-r--r--  1 cvar  staff   887B Jul 10 09:24 AmahiHDAClient.key
-rw-r--r--  1 cvar  staff     0B Jul 10 09:27 openvpn.ovpn
-rw-r--r--  1 cvar  staff   1.2K Jul 10 09:24 ca-cert.crt
mblack:amahi.tblk cvar$
I opened openvpn.ovpn in TextEdit and pasted the following contents in it:
remote delta.yourhda.com 1194
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca-cert.crt
cert AmahiHDAClient.crt
key AmahiHDAClient.key
comp-lzo
verb 3
auth-user-pass
Of course, in your particular case you’ll replace ‘delta’ with the name you gave to your HDA. Note that the file name on the ca line must match the downloaded file exactly (ca-cert.crt, all lower case): the Mac OS X file system is case-insensitive by default and will forgive a mismatch, but Linux will not. I then saved openvpn.ovpn, exited TextEdit and ran Tunnelblick for the first time. See the following screenshots to find out what happened :)
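Before running Tunnelblick for the first time it is worth checking the bundle for the two mistakes that bite most often: a file name in openvpn.ovpn that only matches the file on disk when case is ignored, and a private key left world-readable by the download. The script below is an added example and is not part of the original post, of Tunnelblick or of Amahi; it parses the ca/cert/key lines, compares them against the real directory listing (so the check is case-exact even on a case-insensitive file system) and inspects the key file’s permissions. The demo() helper builds a throw-away bundle with placeholder files that mirror the layout above; the SAMPLE_OVPN text is the post’s client config.

```python
"""Sanity-check a Tunnelblick .tblk folder before the first connection.

Added example (not from the post, Tunnelblick or Amahi). It verifies that
every file referenced by openvpn.ovpn exists with exactly that spelling and
that the private key is not readable by other users on the laptop.
"""
import os
import shutil
import stat
import tempfile

# The client config from the post, with the 'ca' file name spelled exactly
# as the downloaded file is (the post's first draft had 'Ca-cert.crt').
SAMPLE_OVPN = """\
remote delta.yourhda.com 1194
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca-cert.crt
cert AmahiHDAClient.crt
key AmahiHDAClient.key
comp-lzo
verb 3
auth-user-pass
"""

# Directives whose argument names a file inside the bundle.
FILE_DIRECTIVES = ("ca", "cert", "key", "tls-auth", "dh")


def parse_file_refs(ovpn_text):
    """Return {directive: filename} for every file-referencing directive."""
    refs = {}
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # OpenVPN comment lines
            continue
        parts = line.split()
        if parts[0] in FILE_DIRECTIVES and len(parts) >= 2:
            refs[parts[0]] = parts[1]
    return refs


def check_bundle(bundle_dir, ovpn_name="openvpn.ovpn"):
    """Return a list of problem strings; an empty list means the bundle looks sane."""
    problems = []
    ovpn_path = os.path.join(bundle_dir, ovpn_name)
    if not os.path.isfile(ovpn_path):
        return [f"missing {ovpn_name}"]
    with open(ovpn_path) as fh:
        refs = parse_file_refs(fh.read())
    for directive in ("ca", "cert", "key"):
        if directive not in refs:
            problems.append(f"no '{directive}' directive in {ovpn_name}")
    # Compare against the real directory listing so the check is case-exact
    # even on a case-insensitive file system such as the Mac OS X default.
    present = set(os.listdir(bundle_dir))
    for directive, name in refs.items():
        if name in present:
            continue
        near = [f for f in present if f.lower() == name.lower()]
        if near:
            problems.append(f"'{directive} {name}': file is actually named "
                            f"{near[0]} (case mismatch)")
        else:
            problems.append(f"'{directive} {name}': file not found in bundle")
    key_name = refs.get("key")
    if key_name in present:
        mode = stat.S_IMODE(os.stat(os.path.join(bundle_dir, key_name)).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{key_name} is readable by group/others "
                            f"(mode {mode:o}); chmod 600 it")
    return problems


def demo(ca_name="Ca-cert.crt", key_mode=0o644):
    """Build a throw-away bundle with placeholder files and check it.

    ca_name is what the 'ca' line says; key_mode is the key file's permission
    bits (curl -O leaves a fresh download at 0644, as the ls output shows).
    The defaults reproduce the bundle with the case-mismatched ca line.
    """
    bundle = tempfile.mkdtemp(suffix=".tblk")
    try:
        for name in ("AmahiHDAClient.crt", "AmahiHDAClient.key", "ca-cert.crt"):
            with open(os.path.join(bundle, name), "w") as fh:
                fh.write(f"placeholder, not a real {name}\n")   # constructed content
        os.chmod(os.path.join(bundle, "AmahiHDAClient.key"), key_mode)
        with open(os.path.join(bundle, "openvpn.ovpn"), "w") as fh:
            fh.write(SAMPLE_OVPN.replace("ca ca-cert.crt", f"ca {ca_name}"))
        return check_bundle(bundle)
    finally:
        shutil.rmtree(bundle)


if __name__ == "__main__":
    for problem in demo() or ["bundle looks fine"]:
        print(problem)
```

To check a real bundle, call check_bundle("/Users/you/Desktop/amahi.tblk") instead of demo(); a chmod 600 on the key file and a corrected ca line are enough to make the list come back empty.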
Last but certainly not least, there’s the case of Linux. As you may have expected, there are detailed instructions on how you can connect to your OpenVPN server right here, in the Amahi wiki. I followed the simple, generic instructions, one time on an openSUSE box and another time on an Ubuntu box. In both cases I managed to connect to the remote OpenVPN server without the slightest problem.
Step 7 – Re-route all network traffic through the OpenVPN server
So far you can securely connect to your home network from wherever you are and access resources behind your (ADSL) router. That’s quite useful, but it would be even more so if you could also securely surf the web through the OpenVPN server. That’s 100% doable and all you have to do is make a couple of changes in the main OpenVPN configuration file.
From the text console of your Amahi VM, log into Fedora as root, change to the /etc/openvpn directory and open amahi.conf with a text editor (nano is a fine choice):
[root@localhost ~]# cd /etc/openvpn/
[root@localhost openvpn]# nano amahi.conf
Look for the line
push "route 192.168.1.0 255.255.255.0"
and comment it out:
#push "route 192.168.1.0 255.255.255.0"
Warning: your Amahi may live on a different subnet, so instead of 192.168.1.0 you may see something like 192.168.0.0 or 10.0.0.0. Right beneath the commented-out line, insert the following:
push "redirect-gateway def1"
Save the changes to amahi.conf and exit the editor. Restart the OpenVPN service and you’re all set:
[root@localhost openvpn]# /etc/init.d/openvpn restart
Shutting down openvpn:                                     [  OK  ]
Starting openvpn:                                          [  OK  ]
[root@localhost openvpn]#
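The same edit can be made without a text editor, which helps when the LAN subnet in the file is not 192.168.1.0 or when you want to be sure the change is applied exactly once. The script below is an added example, not Amahi’s own tooling: it comments out every pushed LAN route it finds, inserts push "redirect-gateway def1" right beneath the first one (as the post does by hand), and leaves the file alone on a second run. SAMPLE_CONF is a constructed stand-in for /etc/openvpn/amahi.conf; only the push line is taken from the post, the rest is ordinary OpenVPN server boilerplate and may differ from what Amahi generates. One point worth knowing about def1: instead of replacing the client’s default route it adds two more specific routes (0.0.0.0/1 and 128.0.0.0/1) through the tunnel, so the client keeps reaching the server’s public address via its original gateway while everything else goes through the VPN.

```python
"""Apply the Step 7 edit to an OpenVPN server config programmatically.

Added example (not from the post or from Amahi). Comments out the
'push "route <lan> <mask>"' line, whatever the LAN subnet is, and pushes
'redirect-gateway def1' right beneath it. Idempotent: running it on its
own output changes nothing.
"""
import re
import shutil
import sys

# Constructed stand-in for /etc/openvpn/amahi.conf; only the push line is
# from the post, the other directives are generic server boilerplate.
SAMPLE_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
comp-lzo
verb 3
"""

ROUTE_PUSH = re.compile(r'^\s*push\s+"route\s+(\S+)\s+(\S+)"\s*$')
REDIRECT_LINE = 'push "redirect-gateway def1"'


def enable_redirect_gateway(conf_text):
    """Return (new_text, commented_routes).

    commented_routes lists the '<lan> <mask>' pairs that were commented out;
    it is empty when the file already carries the change.
    """
    lines = conf_text.splitlines()
    have_redirect = any(l.strip() == REDIRECT_LINE for l in lines)
    out, commented = [], []
    for line in lines:
        m = ROUTE_PUSH.match(line)          # commented lines start with '#', no match
        if m:
            out.append("#" + line)          # keep the old route for reference
            commented.append(f"{m.group(1)} {m.group(2)}")
            if not have_redirect:           # right beneath, as in the post
                out.append(REDIRECT_LINE)
                have_redirect = True
        else:
            out.append(line)
    if not have_redirect:
        # No pushed route to anchor on: append so the directive is still applied.
        out.append(REDIRECT_LINE)
    return "\n".join(out) + "\n", commented


def rewrite_config(path):
    """Back up path to path.bak and apply the change in place; returns the routes commented out."""
    with open(path) as fh:
        original = fh.read()
    new_text, commented = enable_redirect_gateway(original)
    if new_text != original:
        shutil.copy2(path, path + ".bak")
        with open(path, "w") as fh:
            fh.write(new_text)
    return commented


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # e.g. python3 redirect_gateway.py /etc/openvpn/amahi.conf   (run as root)
        print("commented out:", rewrite_config(sys.argv[1]))
    else:
        print(enable_redirect_gateway(SAMPLE_CONF)[0], end="")
```

After rewrite_config() has run, restart the service exactly as above (/etc/init.d/openvpn restart); the .bak copy lets you revert with a single cp if a client stops behaving.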
Congratulations! From now on, whenever you connect to your OpenVPN server not only will you be accessing resources behind your home router, but you’ll also be able to securely surf the web through the remote home server!