Data Privacy Day: Day 6

Post » Sun May 13, 2012 7:05 am

Today is Data Privacy Day!!!! This is part 6 and will cover a robust method of protecting yourself while on foreign networks: OpenVPN (scroll down to the bottom for the wrap-up).

Sections:
Day 1: http://www.gamesas.com/topic/1337235-data-privacy-day-day-1/
Day 2: http://www.gamesas.com/topic/1337699-data-privacy-day-day-2/
Day 3: http://www.gamesas.com/topic/1338134-data-privacy-day-day-3/
Day 4: http://www.gamesas.com/topic/1338605-data-privacy-day-day-4/
Day 5: http://www.gamesas.com/topic/1339018-data-privacy-day-day-5/
Day 6: http://www.gamesas.com/topic/1339359-data-privacy-day-day-6/

The goal, as always, is to make you more informed about your data and your privacy. I hope you find some of this information useful and put it into action. Security and privacy are constantly evolving items, and what cuts it today may not in the future, but this should be a good springboard to boost your security and privacy for Data Privacy Day and the years to come. As always, the level of security you need will differ from others, so you need to figure out what level is good for your needs. Some things, though, are universally applicable to all, such as a good password system. Another thing to remember is that even if you follow the best of security practices, it may not be enough to stay safe if a company who has poor security practices gets hacked (and after this summer, I think we are all familiar with that).

Important definition for this section:
  • Man-in-the-Middle attack: Any attack wherein someone intercepts data you receive and send to someone else by acting as a relay ("in the middle"). This can be done in numerous ways (ARP and DNS poisoning being two common methods, though many other methods exist) but the end effect is the same: your information and communication are compromised. Your passwords can be stolen and your sessions hijacked. This threat is an increasingly common problem on wireless networks, and can even affect mobile telecommunication networks (around $500 plus enough know-how is the current going rate, FYI).

HOW-TO: Install OpenVPN Server on Windows with Windows clients & set as default Internet Gateway


NOTES:
1. Throughout this guide I will use two words over and over again: server and client1. Feel free to modify these, but be sure to modify them EVERYWHERE they are repeated. To help you out I bolded and italicized them everywhere you should change them (except in the config files; they need to be changed in those as well).

2. Everywhere you see quotation marks, it is to signify what you should type (which would be the stuff inside the quotation marks). DO NOT TYPE THE QUOTATION MARKS UNLESS OTHERWISE SPECIFIED!

3. I know this seems long, but it really isn't; I just broke everything down into as basic steps as I could and explain everything as thoroughly as I can. In the end it pays off: you have a secure multi-client VPN offering that definitely beats PPTP in terms of security and robustness.

4. A relatively common practice with OpenVPN is to configure it to use TCP port 443, as this is the port normally associated with HTTPS, so even the most draconian of firewalls won't block it. I don't cover this, and instead cover OpenVPN using the default port of 1194 UDP. Changing it is simple: just edit the server and client configuration files to use proto tcp and port 1294. Make sure to also change your forwarded port and firewall rules to match as well.

5. This guide uses the 192.168.137.0/24 block for the OpenVPN network. This is the default for Internet Connection Sharing (a needed utility to get Internet through OpenVPN on Windows) for Windows 7, which is why I chose it (it should also be the default for Windows Vista, though I cannot test this). On Windows XP, ICS uses 192.168.0.1 by default, which isn't very useful for a VPN (as it's a popular subnet and would lead to conflicts in various situations). If you wish to change the subnet for OpenVPN, you must change it in the config file for the server as well as for ICS. This can be done through a registry setting. In HKLM\System\CurrentControlSet\services\SharedAccess\Parameters you will need to change ScopeAddress and ScopeAddressBackup to the first IP address in the range you wish to use. I am not certain if Windows XP can change it or not, but it's worth a shot. http://www.mediafire.com/download.php?9ai9b7crzodog7m, change the network numbers and run it to change to a different subnet (or do it manually). http://pastebin.com/u9HSCnj9.

Pre-Install


This guide assumes two things: You've properly set up a static IP for the will-be server and you have configured any firewall on the will-be server correctly. I will do a quick run-down of how to do this on Windows Vista/7 with Windows Firewall (which are the same in this matter).

http://www.howtogeek.com/howto/19249/how-to-assign-a-static-ip-address-in-xp-vista-or-windows-7/

Windows Firewall setup:

1. Run wf.msc.

2. Click Inbound rules on the left panel, and on the right panel click "New Rule..."

3. Select Port for the rule type (http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/inboundrule1.jpg) and click next.

4. http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/inboundrule2.jpg

5. http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/inboundrule3.jpg

6. http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/inboundrule4.jpg

7. Name the rule "openvpn in" (without quotes) and click finish.
(the below isn't strictly necessary, but I've had windows firewall give me issues with it before, so I like to be explicit on outbound connections)
9. Click Outbound rules on the left panel, and on the right panel click "New Rule..."

10. Select Port for the rule type (http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/outboundrule1.jpg) and click next.

11. http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/outboundrule2.jpg

12. http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/outboundrule3.jpg

13. http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/outboundrule4.jpg

14. Name the rule "openvpn out" (without quotes) and click finish.

You will also need to know your public IP address or set up a Dynamic DNS service. This can be done by visiting http://www.whatismyip.com/ on your server. Better is to http://www.no-ip.com/ (as it'll work even if your home IP changes). no-ip is so simple, it hardly warrants directions, but http://www.no-ip.com/getting_started.php. You will need to do this for PPTP VPN servers and SSH servers. I will mention this again when we get to the client configuration file.

Install Process


1. http://openvpn.net/index.php/open-source/downloads.html onto the server

2. Run the installer (as administrator if you are using Windows Vista/7)

3. Agree to the license and install all components

4. When you get to the Install Location part of the setup, I HIGHLY recommend http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/installfolder.jpg. Especially on Vista/7 as this will save you headaches.

5. Finish the Install.

6. Navigate to the installation folder (C:\OpenVPN if you followed my advice), then enter the config folder (C:\OpenVPN\config).

7. Here, create a file server.ovpn. It should look like this: http://pastebin.com/wU0MeHKL

About the server.ovpn configuration file:

You can modify the port number to any number you want, just remember what you set it to. Same for proto (short for protocol): you can change that to tcp, just remember you did so (udp will give you better performance, but may be blocked on some draconian networks).

Line 5 is one I am uncertain about. First, you need to keep "server" as server (it's a configuration line dictating the VPN server IP range). Later on we'll enable Internet Connection Sharing and you may need to change 192.168.137.0 to match any IP address being forced on you by Internet Connection Sharing (for me this was 192.168.137.0/24 but it may be different for you). I'll remind you of this when we get to Server Configuration.

You need to specify the DNS servers. I chose OpenDNS as it makes it easy to test if the tunnel is being used without running something like Wireshark (which is nice), but any DNS server will do.

------------------------------

8. Open up the command line (AS ADMINISTRATOR ON VISTA/7)

9. type "cd C:\OpenVPN\easy-rsa" (without quotes, everywhere you see quotes from now on, it's to signify what you should type, DO NOT TYPE THE QUOTES) and hit enter

10. type "init-config" and hit enter

11. Navigate to C:\OpenVPN\easy-rsa in Explorer if you haven't already. Find the vars.bat file, right-click it and edit it.

12. Edits to make to vars.bat:

Mandatory: change HOME path from "%programfiles%\OpenVPN\easy-rsa" to "C:\OpenVPN\easy-rsa" (if you don't do this you will get an error complaining about unable to write random state)

Optional (found near the bottom of the file):

set KEY_COUNTRY=
set KEY_PROVINCE=
set KEY_CITY=
set KEY_ORG=
set KEY_EMAIL=

They can't be left blank, but any value will do, including the default ones.

really optional (but also cannot be left blank):

KEY_NAME
KEY_OU

I usually just set name to my name and OU to VPNers just because I can :shrug:

-------- DO NOT CHANGE KEY_CN, IT NEEDS TO BE CONFIGURED ON A PER-RUN BASIS ----------

------------------------------------------------

13. Save vars.bat and return to the command line (reopen it as administrator and navigate back to C:\OpenVPN\easy-rsa if you closed it)

14. type "vars" and hit enter

15. type "clean-all" and hit enter (it's normal for this to kick up an error, it just means the folder "keys" didn't exist before it was run)

16. type "build-ca" and hit enter. This will start the creation process for the ca.crt file. You will be prompted for various things. The default values are fine until you get to COMMON NAME

17. WHEN YOU GET TO Common Name enter in "server"

18. type "build-key-server server" and hit enter

19. Leave the password blank unless you want to read OpenVPN documentation. Same for company name.

20. answer "y" to signing and committing to the certificates.

21. type "build-dh" and hit enter

22. copy ca.crt, server.crt, server.key, and dh1024.pem from the keys folder in easy-rsa to c:\OpenVPN\config

23. type "build-key client1" and hit enter

24. WHEN YOU GET TO Common Name enter in "client1"

25. Leave the password blank unless you want to read OpenVPN documentation. Same for company name.

26. answer "y" to signing and committing to the certificates.

27. Install OpenVPN on the client computer EXACTLY the same as on the server (ok, it doesn't really need to be exactly the same, I'm just too lazy to tell you what you do and don't need)

28. copy ca.crt, client1.crt, and client1.key from the server's keys folder to the client computer's OpenVPN config folder (C:\OpenVPN\config if you installed it like I said)

29. in the config folder on the client, you will need to create a client1.ovpn file. It should look like this: http://pastebin.com/42ekkJtL

About the client configuration file:

You need to use the same protocol as you specified on the server configuration file.

On line 5, for remote, you need to specify the PUBLIC IP address of the server OR the DNS entry for it.

- You can get the public IP address for the server by going to http://www.whatismyip.com/ on the server. Better, though, is to set up a dynamic DNS service, because if your IP address changes (as it can for anyone with a dynamic IP -- which most people have) you won't be able to connect with the old IP address. You will, however, always be able to connect with a dynamic DNS service.
- Unfortunately dyn-dns no longer offers a free dynamic dns service, but http://www.no-ip.com/ so get one from there, they provide instructions on the setup.
- After the ip address or DNS listing, specify the port. This needs to be the same port as in the server configuration file.

Almost done! Just have some configuration left on the server to go.

Server Configuration


30. On the server open up services (run services.msc). Find OpenVPN, right-click it and go to properties. Set it to automatic and start it. http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/opvenvpnservice.jpg

31. Still on the server in services find Routing and Remote Access (shorthand: RRAS). Set it to automatic and start it. http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/RRAS.jpg -- NOTE: At least in a couple of my goes with this, enabling RRAS made my network indicator in the notifications tray signify I had no connection -- I still had a connection despite this fact. It only happened on a few of my computers, so it may or may not happen to you (if it does, see if you can load a random Wikipedia page; if you can then it's just falsely telling you the network is down when everything is fine).

32. You will need to modify a registry entry, so open up regedit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. In there change IPEnableRouter to 1 (default is 0). http://www.mediafire.com/?2xr1n2e6ymemz4a. http://pastebin.com/0XeTubQv

33. In my experience, a reboot here is good, but I'm not certain it is necessary. I'll suggest you reboot now.

34. Still on the server, go Control Panel->Network and Sharing Center and click on http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/adaptersettings.jpg

35. I'm not certain this is absolutely necessary (Maybe I have too many physical and virtual NICs), but if you use my config it is necessary (as the default name is random). http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/mytao.jpg. Rename it to "MyTap".

36. Right-click the newly-named MyTap and go to properties. Uncheck IPv6 if it's available (Vista/7 + some XP computers with it configured).

37. Now we go onto Internet Connection Sharing (ICS) configuration. You may wish to review Note #5 as it covers some details on how to use a different subnet, as well as the "Some Things Very Important To Note" section for possible issues. A reminder is my guide assumes you are using 192.168.137.0/24, which is not the case on Windows XP. Edit as appropriate.

38. This part is not necessary if you have checked the registry entry for ICS and made sure it is correct for your needs, but is a useful way to double-check as you'll get a warning popup. While still having the MyTap Properties open, Select IPv4 and click properties. http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/ipv4.jpg. Give it a static IP of 192.168.137.1 with a 255.255.255.0 subnet mask. The default gateway and DNS server fields can be left blank (doesn't matter), otherwise repeat the static IP in the default gateway and use the OpenDNS servers for DNS. http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/mytapstatic.jpg.

39. Right-click your LAN adapter (the one you gave a static IP in step zero) and go to Properties. Go to the sharing tab (advanced on Windows XP) and check "Allow other computers to connect through this computer's Internet Connection"

40. If there is a drop-down list you can select from, select MyTap. If not, don't worry: that just means you have no other adapters to share with other than MyTap. http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/ICSSharingSetup.jpg.

41. Uncheck the lower box titled "Allow other network users to control or disable the shared Internet Connection" if it is checked.

42. Click OK. If you did optional step 37, you'll get a popup that http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/ICSwarning.jpg. If yours said a different IP address, you will need to modify server.ovpn to use that subnet (same first 3 sets of numbers, last one a zero) and restart the OpenVPN service, alternatively you can set the ICS network range in your registry. http://www.mediafire.com/download.php?9ai9b7crzodog7m (http://pastebin.com/u9HSCnj9) or configure it manually using regedit and navigating to HKLM\System\CurrentControlSet\services\SharedAccess\Parameters and editing ScopeAddress and ScopeAddressBackup to use the desired IP address range (you specify the first IP address in the range). You can check to make sure that the IP address for MyTap is correct by running ipconfig /all in the command line and making sure it matches that in your server.ovpn config file.

43. Port forward OpenVPN's port to the server so you can access it outside your LAN (http://portforward.com/).

Client Configuration


44. On the client, go Control Panel->Network and Sharing Center and click on http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/adaptersettings.jpg

45. I'm not certain this is absolutely necessary (Maybe I have too many physical and virtual NICs), but if you use my config it is necessary (as the default name is random). http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/mytao.jpg. Rename it to MyTap.

46. You can try out OpenVPN now on your LAN to make sure all is working. Just change your client1.ovpn to connect to your server's LAN ip address (NOT the address you set for MyTAP on the server, but the static IP you set for the LAN adapter).

47. Launch OpenVPN GUI (AS ADMINISTRATOR on Vista/7). A tray Icon should appear for OpenVPN (a little red-monitored computer with a globe). http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/ovpnguiclient.jpg

48. http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/client1connecting.jpg. After a few seconds to a minute, http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/client1connect.jpg. To verify traffic is going through the tunnel, visit a site you know doesn't exist (http://i19.photobucket.com/albums/b195/DEFRON/OpenVPN/fakesite.jpg which we all know is not real as .fake is not a real TLD). Hopefully you will be greeted by the OpenDNS page, as that means you are using the VPN server and therefore the assigned OpenDNS servers for your DNS queries.

I know it's been a lot of work, but it's worth it. You now have a secure basic VPN setup, more robust than Microsoft's default PPTP offering as well as allowing multiple clients. You can improve the security by looking into ta.key, maxclients, client filtering, choosing the cipher, and password authentication (which I didn't cover; just getting OpenVPN server to work on Windows was a big enough headache for me, it's so much simpler to set up on Linux).

Some Things Very Important To Note


- If you have issues with resolving DNS, uncomment register-dns from the client file.

- On some networks with a short dhcp timeout, your client may have issues with getting a new address lease, due to OpenVPN sending the request through the VPN. Disconnecting from OpenVPN and running "ipconfig /release" followed by "ipconfig /renew" in the command prompt will solve the issue (until it times out again).

- Internet Connection Sharing (ICS) is a tricky one, but I've gotten it mostly figured out through the SharedAccess registry options. http://support.microsoft.com/kb/230148. On Windows XP it uses 192.168.0.1 by default and I've yet to verify if that can be changed.

- Strictly speaking, the subnetting you are giving your OpenVPN server may not be absolutely correct. This doesn't matter for a handful (3) of clients, but it may stop you from having too many clients. This appears to either be related to the version of Windows used, related to the NIC used, or related to whether the NIC used is a wireless NIC, and cannot be changed. You should get a subnet mask of 255.255.255.0, but may get less (the lowest I got was 255.255.255.252 -- 3 clients + the server would max that out). The OpenVPN client should pull the correct information when it connects, so as long as you don't exceed the limit, it's not an issue. Slightly related is the below:

- I don't know if this was because my virtual machine is crashy, but I noticed that the MyTap adapter would randomly change to using APIPA (Automatic Private IP Addressing) and therefore have an address in the 169.254.0.0/16 block. It's simple enough to fix. NOTE: This happens when RRAS runs into an issue and the DHCP server fails. To fix this issue, follow the below 3 steps:

First, disable sharing on the LAN adapter.

Second, reset the MyTap to use a static IPv4 address (IP and default gateway the same, in my case 192.168.137.1).

Third, re-enable sharing on the LAN adapter for MyTap.

- I suggest disabling sleep/hibernation on the server anyway (I mean, if the server isn't online when you need to connect, it's kinda useless). And whenever you reboot for updates, just check to make sure MyTap properly has the first IP address in the block your OpenVPN server gives.

- I've yet to find a way to get the OpenVPN network to be identified by anything less than a Public Network on Windows 7. It isn't much of a big deal unless you want to access network shares on the OpenVPN server (which may not be possible since Windows may block sharing since it's a public network). NOTE: This is due to OpenVPN's network not having a default gateway. Some steps on potential workarounds can be found on the Internet.

Final Remarks


As large as this is, it is only a fraction of what is out there. I hope you found at least some of this information useful, and will proceed to improve your data privacy/security. Just improving your privacy and security settings in a few places can dramatically increase your overall privacy and security. Also, please inform your family and friends on some methods to increase their own privacy and security to help everyone reach a more secure standing. Data Privacy Day remains greatly unknown, but it is an important holiday that should be more widely recognized.

Since this isn't nearly everything out there, feel free to share your own tips. Also: spread the word. Data Privacy Day does nothing if no one is aware of it.

If I were to make a hierarchy of what I'd like for people to take away from this it'd be:

1. Use a different password everywhere
2. Use special characters in your password
3. Secure your computer when on public wifi, and seriously consider a VPN solution.
4. Don't use insecure password managers
5. Fix back-doors to your password by using strong password reset questions/answers
6. Lock down your smart phone and set up a way to remote wipe it
7. Use secure connections whenever possible
8. Stop using WEP for your wifi network. Use WPA-AES ideally, and set the rest of your router settings properly
9. Delete at least your cookies when done browsing. Every browser can delete these on browser close.
10. Check your browser plugins and check them often. If not using a plug-in, then disable it. Try making all or at least some plugins on demand instead of always-running.
11. Don't go to short URLs, especially if randomly posted by someone you don't know/by anyone in an email/on Facebook. Use a URL unshortener
12. Consider using an ad-blocker/script-blocker
13. If using Facebook, check out all the settings mentioned and make sure they are correct AND DEFINITELY ENABLE SECURE CONNECTIONS FOR FACEBOOK ASAP
14. Take a look at your Google settings, and make a habit of becoming familiar with the Privacy Center
15. Especially if using a laptop, consider system encryption.
16. Keep your computer up-to-date and secure.
Elena Alina
 
Posts: 3415
Joined: Sun Apr 01, 2007 7:24 am
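As an added example (not part of the original post or its pastebin configs), here is a Python checker for the invariants the guide makes you verify by hand: the client must use the server's port and protocol, "remote" must be the public IP or dynamic DNS name rather than the MyTap address, the ICS ScopeAddress in the registry must be the first address of the "server" subnet, and MyTap must not have fallen back to APIPA. The minimal config contents and the ddns.example hostname are constructed assumptions; feed it the real files and the values from regedit and ipconfig /all.

```python
"""Checks the server.ovpn / client1.ovpn pair against the ICS and MyTap state the guide expects."""
import ipaddress

# Constructed minimal configs using the guide's defaults (1194/udp, 192.168.137.0/24, adapter
# renamed MyTap). They are assumptions for this example, not the guide's pastebin files.
SERVER_OVPN = """\
port 1194
proto udp
dev tap
dev-node MyTap
server 192.168.137.0 255.255.255.0
"""
CLIENT_OVPN = """\
client
dev tap
dev-node MyTap
proto udp
remote myserver.ddns.example 1194
;register-dns
"""
APIPA = ipaddress.IPv4Network("169.254.0.0/16")


def parse_ovpn(text):
    """Map each directive to its argument list (first occurrence wins); '#'/';' start comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            parts = line.split()
            conf.setdefault(parts[0], parts[1:])
    return conf


def vpn_network(server_conf):
    """Address pool from the 'server <net> <mask>' line (note 5 / step 42)."""
    net, mask = server_conf["server"][:2]
    return ipaddress.IPv4Network(f"{net}/{mask}")


def check_pair(server_text, client_text, ics_scope_address, mytap_address):
    """Return the violated invariants; an empty list means the setup is consistent."""
    srv, cli = parse_ovpn(server_text), parse_ovpn(client_text)
    net = vpn_network(srv)
    gateway = next(net.hosts())  # first host of the pool, 192.168.137.1 by default
    problems = []
    # Client must use the same protocol and port as the server (client config notes).
    proto, cproto = srv.get("proto", ["udp"])[0], cli.get("proto", ["udp"])[0]
    if proto != cproto:
        problems.append(f"proto mismatch: server {proto}, client {cproto}")
    remote = cli["remote"]
    port, rport = srv.get("port", ["1194"])[0], remote[1] if len(remote) > 1 else "1194"
    if port != rport:
        problems.append(f"port mismatch: server {port}, client remote {rport}")
    # 'remote' must be the public IP or DNS name, never the MyTap address (step 46).
    try:
        if ipaddress.IPv4Address(remote[0]) in net:
            problems.append(f"remote {remote[0]} is inside the VPN subnet {net}")
    except ValueError:
        pass  # a hostname (dynamic DNS) is what the guide recommends
    # ICS ScopeAddress must equal the first address of the server subnet (note 5).
    if ipaddress.IPv4Address(ics_scope_address) != gateway:
        problems.append(f"ICS ScopeAddress {ics_scope_address} != {gateway}: edit server.ovpn or the registry")
    # MyTap must hold that address; 169.254.x.x means RRAS/ICS fell back to APIPA.
    tap = ipaddress.IPv4Address(mytap_address)
    if tap in APIPA:
        problems.append(f"MyTap is on APIPA ({tap}): disable sharing, set it static, re-enable sharing")
    elif tap != gateway:
        problems.append(f"MyTap has {tap}, expected {gateway}")
    return problems
```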

Post » Sun May 13, 2012 1:26 pm

Awesome! Thank you for the guides and great job! (and happy Data Privacy day :wink:)

I am sure others will find this useful as well. If not, then they are the vulnerable ones :tongue:
Chantelle Walker
 
Posts: 3385
Joined: Mon Oct 16, 2006 5:56 am
