Advice on VPN

Please let me know your thoughts on my plan for a home VPN

  • Install Ubuntu Server 14.04-2 on a Virtualbox as a Virtual Machine.
  • Allocate 256mb RAM and 15gb storage.
  • Change Virtual Machine’s network setting from NAT to bridge.
  • Install OpenVPN.
  • Forward proper port from gateway to VM’s IP.
  • Modify UFW to allow all on proper port.
  • Generate security keys
  • ???
  • Profit

Thoughts???

This is to connect to your home network from outside? Yeah that'll work. Although if I were you I'd go with a non LTS version of ubuntu so you get the later versions of openvpn.

You might find this helpful https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04

1 Like

As @Dexter_Kane said if this is to connect to your home network from the outside this is good.

But if you're trying to use this from internally to the outside there's very little reason as your traffic will only be encrypted from your PC to this Ubuntu server, decrypted, and forwarded out to wherever you were originally trying to reach. I suppose it'd be useful if you want to obfuscate which device on your network is making outside connections it'd be alright.

1 Like

Thanks for the responses.

I'm trying to make it so I can remotely connect to my LAN outside of my house. Firstly, my plan is VPN into the network and then SSH into my servers (also other VMs) from somewhere else. Also, I guess it would be nice to have a secure connection when using public networks. Lastly, it's a feather in my hat project.

@100557662
@Dexter_Kane

If I understand correctly, all traffic going to the LAN will be encrypted but outbound traffic won't.

Does this mean that if I use my VPN to connect to my LAN, and then SSH into one of my servers that all traffic from the server back to my outside computer will be vulnerable? Or, if I pull a file off my file server to my remote laptop, will that traffic be vulnerable? Or is the connection between my remote computer and the server secure, but all other outbound connections (i.e. to a website) not airtight?

Ah I see that makes more sense, especially if you make some firewall rules to only allow LAN SSH as that'd be nice and secure

Correct, so say you are at a coffee shop and you connect to your home Ubuntu VPN server: your traffic TO the server from your PC will be encrypted, which is excellent, then once going FROM your server outward to the traffic destination, depending on what it is (say HTTP), it will be unencrypted traffic.

The final example you gave, with the remote connection and server being secure but outbound traffic to a website not being secure, is true. VPN to your network, then SSH to the server is secure; there are no leaks in that example, so don't worry about an insecure connection leaking your files.

I hope I explained that in an understandable way, please ask for clarification if not

1 Like

All of the traffic between your remote computer and the server will be secure because of SSH no matter what you do. But to answer your question a little better, all the traffic between your remote computer and the VPN server will go through the VPN tunnel, not just the inbound traffic. So traffic from your remote computer to the LAN goes over the tunnel and traffic from the LAN to the remote computer also goes over the tunnel. But any traffic from your remote computer to the internet will only be encrypted between you and the server, from there it goes out your gateway like normal. So yeah, that will protect you on public networks.

1 Like
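Added example, not part of any post above: whether internet-bound traffic from the remote computer actually enters the tunnel depends on OpenVPN's `redirect-gateway` option, which the stock sample server.conf ships commented out with `;`. The script below classifies a server.conf as full or split tunnel; the config text and the 192.168.1.0 LAN are constructed sample values.

```shell
#!/bin/sh
# Added example: classify an OpenVPN server config as full- or split-tunnel.
# The config text in sample_conf is constructed, not taken from the thread.

# Print only active directives: strip indentation, drop blank lines and
# lines commented out with '#' or ';' (both are OpenVPN comment markers).
active_directives() {
    sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' -e '/^$/d' "$1"
}

# full  = server pushes redirect-gateway: client internet traffic uses the tunnel
# split = only the pushed routes (e.g. the home LAN) use the tunnel
tunnel_mode() {
    if active_directives "$1" | grep -Eq '^push[[:space:]]+"redirect-gateway'; then
        echo full
    else
        echo split
    fi
}

# List the networks the server tells clients to reach through the tunnel.
pushed_routes() {
    active_directives "$1" |
        sed -n 's/^push[[:space:]]*"route[[:space:]]\{1,\}\([^"]*\)".*/\1/p'
}

sample_conf() {   # constructed server.conf fragment
    cat <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
;push "redirect-gateway def1 bypass-dhcp"
EOF
}

demo() {
    conf=$(mktemp)
    sample_conf > "$conf"
    echo "mode:   $(tunnel_mode "$conf")"
    echo "routes: $(pushed_routes "$conf")"
    rm -f "$conf"
}
demo
```

With the sample as written, only LAN traffic is tunnelled; web traffic from the coffee shop still leaves through the local network until the `redirect-gateway` line is active.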

Alright, so far so good. So in addition to the VPN set up as listed above:

Say there is a separate file server VM on the network. On that FS I can install openssh server. I can configure the FS UFW to allow SSH connections on port whatever from the LAN. In turn, the VPN server (an independent VM) allows me to connect from a remote computer at the coffee shop to my LAN. Now I have a local IP address on my LAN. Since I'll have Ubuntu Desktop on my laptop and a local IP I can just use the SSH command to access the VM FS?

Yes, that should work well.

Just make sure to have the ports open for machines in your ufw, and then first test SSH while you're on your LAN (no VPN), see how that works and if successful try connecting to your VPN to see if traffic is still routing properly and you have access. That's what I'd do anyway

Edit: corrected typo

Making some progress with this. Got the keys generated and setting up the server.conf files now. Lastly, I'll port forward default gateway. @100557662 tested the SSH while on the LAN... it's working. Hurrah!

Only thing is I need to copy the ca.crt, the client.crt, and client.key files from my VPN to my client computer. Problem is I'm using Ubuntu Server, so I can't simply copy them to usb, so I'm not really sure how to copy those files off the VPN server and onto my laptop. I do have a SSH set up on the VPN server. Is there a way I can do a FTP via SSH?

From my experience with Ubuntu 14.04.2 LTS on VirtualBox, 256mb of RAM will not be enough; you will get memory leak errors. 384mb is the least I was ever comfortable with but all my servers run on 512mb with no issues.

Very nice! Good work

Yep, you can do SFTP which should be supported by your SSH so here is a useful link for you that should get this transfer sorted out

Another option is to mount a network share then copy or move the certs.

sudo nano /etc/fstab
--copy and paste at end--
//"ip of server"/"share name" /media/"folder name" cifs credentials=/root/.smbcredentials,iocharset=utf8,file_mode=0777,dir_mode=0777 0 0
Ctrl-X
Y
Enter

sudo mkdir /media/"folder name"

sudo mount -a

--if you have permission issues--

sudo chmod -R 0777 /media/"folder name"

sudo apt-get update
sudo apt-get install cifs-utils

sudo nano /root/.smbcredentials

username="username"
password="Password"

Ctrl-X
Y
Enter

1 Like

Or use rsync :

(run on computer you want to copy the keys to)

rsync user@server:/path/to/ca.crt /path/to/cert/location

So the first part is like an SSH command with the absolute path to the crt and key files and the second part is wherever you want to copy those files to. You may have to run this command as root depending on your permissions.

I'm a little confused on permissions.

I get an error when using scp:

-bash: cd: keys -permission denied.

I get this same error if I SSH into my server and try to cd into the keys directory using my username. However, I can access it as root.

So, it appears the keys directory can only be accessed by root right now. When I ls -l /keys, the directory with the keys, it returns they are all owned by root. So, I think if I change the permissions (or ownership) of the file I should be able to scp the directory over to my laptop.

Can I use chown username /keys, and then when I scp the directory as my username on the server, have access to the keys?

You could do that, but could you just run the command as root or use sudo?

When I do (from Laptop to VPN server):

  • sudo scp username@ip_address /directory/address/keys /Downloads
    I get the -permission error

  • scp root@ip_address /directory/address/keys /Downloads

  • sudo root@ip_address /directory/address/keys /Downloads
    Both prompt me for root's password, which I enter. Response Permission denied, try again (x3)
    Error thrown: Permission denied (public key, password).

Alright then. Well, if you run chown -R user:user /key/directory that will change the owner for the keys, then you can copy them but you should change it back to root afterwards.

1 Like

So in order to do that should I do the following:

  • SSH into server as username
  • sudo su
  • chown -R username:username /directory/for/keys
    //I'm a little confused on the syntax... does username:username mean change owner from username to username?
    //Should it be root:username - like change ownership from root to username?

From Laptop to VPN Server:

  • scp -r username@ip_address:/directory/for/keys /Downloads

and then once transferred--- using username on VPN server:
sudo chown -R root:root /directory/for/keys

That should work. If not you could log in to the server and copy the keys as root somewhere else, change the permissions, and copy them to your client.

The syntax is owner:group so if you use user:user it changes the owner to the user and the group to the user's group. I'm not sure if it works with just user and no group but that's how I've always used it.

1 Like
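Added example, not part of any post above: one way to do the "copy the keys as root somewhere else, change the permissions, and copy them to your client" variant, so that only the three client files are handed to the login user and the key directory itself stays root-owned. The function names and the /home/username/vpn-client staging path are assumptions; the demo runs on constructed files in a temp directory.

```shell
#!/bin/sh
# Added example, not from the thread. All paths and names are placeholders.

# stage_client_bundle KEY_DIR CLIENT STAGE_DIR
# Copy ca.crt, CLIENT.crt and CLIENT.key into STAGE_DIR (dir 700, files 600),
# leaving KEY_DIR and everything else in it owned by root and untouched.
stage_client_bundle() {
    key_dir=$1; client=$2; stage=$3
    for f in ca.crt "$client.crt" "$client.key"; do
        [ -f "$key_dir/$f" ] || { echo "missing: $key_dir/$f" >&2; return 1; }
    done
    (
        umask 077    # copies are never group- or world-readable, even briefly
        mkdir -p "$stage" && chmod 700 "$stage" &&
        cp "$key_dir/ca.crt" "$key_dir/$client.crt" "$key_dir/$client.key" "$stage/" &&
        chmod 600 "$stage"/*
    )
}

# hand_over STAGE_DIR USER: give only the staged copy to the login user (needs root)
hand_over() { chown -R "$2" "$1"; }

# loose_files DIR: list files that group or others can read, write or execute
loose_files() { find "$1" -type f -perm /077; }

# Demo on constructed files in a temp directory (no real keys involved)
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/keys"
    for f in ca.crt client.crt client.key server.key; do
        echo "constructed sample" > "$tmp/keys/$f"
    done
    stage_client_bundle "$tmp/keys" client "$tmp/stage"
    echo "staged: $(ls "$tmp/stage" | tr '\n' ' ')"
    echo "loose files in stage: $(loose_files "$tmp/stage" | wc -l)"
    rm -rf "$tmp"
}
demo

# Real use, with the thread's placeholder paths (staging path is an assumption):
#   server (root): stage_client_bundle /directory/for/keys client /home/username/vpn-client
#                  hand_over /home/username/vpn-client username
#   laptop:        scp -r username@ip_address:vpn-client /Downloads
#   server:        rm -rf /home/username/vpn-client
```

The server's own private key and the CA key never leave root's ownership this way, and there is no ownership change to remember to revert.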