Dec 31, 2011

Secure remote access to home through OpenVPN (I)

I have prepared secure access so that, when I am living in London, I can connect to my home network safely. I have set up a VPN (Virtual Private Network) by means of OpenVPN.

Why have I preferred a VPN instead of a typical access method such as SSH, VNC, etc.? Because in this way I will be able to establish an encrypted tunnel between my laptop and the home network and, over that secure line, set up other types of connections later. Furthermore, I will be able to connect from any kind of insecure network.

Why have I chosen OpenVPN? Because this application allows you to quickly build SSL/TLS channels, and this sort of VPN is really handy and straightforward to configure. OpenVPN is open source software which easily implements VPNs over a public network such as the Internet. One of its main advantages is that it needs just a single TCP or UDP port for transmissions and runs in userspace, rather than requiring IP stack operations as, for instance, IPsec or PPTP do.

Below you can see a detailed outline of my infrastructure. It is a point-to-point link between my laptop and a PC connected inside the local network. The PC plays the server role (it listens for incoming connection requests) and the laptop is the client (it initiates the connection). Once I am connected to the PC via OpenVPN, I will be able to jump safely to any device located in the network. Both computers run Ubuntu 11.10.




One of the first things that I had to deal with is the dynamic IP address used by my ADSL service. Every time I turn on the router, a temporary public IP address is assigned by the ADSL provider. To get around this, I have signed up for a free dynamic DNS service: DNSdynamic. The registration process is pretty simple.

In this manner, I have obtained a subdomain which points to my router. To keep it pointing there, I have installed ddclient on the PC, an address-updating utility which keeps the router's current public IP up to date in the DNS record. In order to show you my configuration, I will use a fictitious subdomain called test.dnsdynamic.com.

root@javi-pc:~# aptitude install ddclient

root@javi-pc:~# cat /etc/ddclient.conf
# Log messages to syslog
syslog=yes

# Support SSL updates
ssl=yes

# Obtain IP address from provider's IP by checking page
use=web, web=myip.dnsdynamic.com

# Update DNS information from server
server=www.dnsdynamic.org

# Login and password for server
login=test@gmail.com
password='xxxxxx'

# Update protocol used
protocol=dyndns2

# Subdomain
test.dnsdynamic.com

root@javi-pc:~# cat /etc/default/ddclient 
...
# ddclient runs in daemon mode
run_daemon="true"

# Time interval between the updates of the dynamic DNS name (in seconds)
daemon_interval="3600"

root@javi-pc:~# /etc/init.d/ddclient start

The SSL/TLS connection I have configured is authenticated through digital certificates, so I have needed to make a couple of certificates, one for each end of the VPN tunnel. In addition, I have also had to create a CA (Certification Authority) in order to validate both certificates. OpenVPN allows peers to authenticate each other by using a username/password, a pre-shared secret key or digital certificates. I have picked the last option because it is the most robust system.

To manage digital certificates, I usually work with easy-rsa, a small RSA key management package which contains a series of openssl scripts aimed at handling PKIs (Public Key Infrastructures). This tool is included within the OpenVPN source tarball.

javi@javi-pc:~/tmp$ wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz

javi@javi-pc:~/tmp$ tar xvzf openvpn-2.2.2.tar.gz

javi@javi-pc:~/tmp$ mv openvpn-2.2.2/easy-rsa/2.0/ . ; rm -rf openvpn-2.2.2*
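To show what the easy-rsa scripts (build-ca, build-key-server and build-key in the 2.0 package) do under the hood, here is an added example that is not part of the original post and is not easy-rsa's own code: a POSIX shell script that builds the same three pieces with plain openssl commands (a self-signed CA, a server certificate and a client certificate, both signed by that CA) and then checks that each certificate chains to the CA and carries the extended key usage that separates the server end from the client end. The subject names Example-CA, javi-pc and javi-laptop, the 2048-bit key size and the scratch directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example: a minimal PKI built with plain openssl to illustrate what the
# easy-rsa scripts do (build-ca, build-key-server, build-key). These are not
# the blog's commands and not easy-rsa itself; subject names, key size and
# directories are constructed for the example.
set -e

# Issue a certificate signed by the CA stored in $dir.
#   $1 = directory, $2 = file prefix, $3 = CN, $4 = extendedKeyUsage value
issue_cert() {
    dir="$1"; name="$2"; cn="$3"; eku="$4"
    # Private key plus certificate signing request. -nodes leaves the key
    # unencrypted, which is what easy-rsa does for OpenVPN keys by default.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    # X.509 v3 extensions: not a CA, and the EKU that tells the server end
    # from the client end (the attribute OpenVPN's remote-cert-tls checks).
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$eku" > "$dir/$name.ext"
    # Sign the request with the CA key; the unnamed section of the extfile
    # supplies the extensions.
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 3650 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
}

# Build the whole PKI (CA, server cert, client cert) under $1.
build_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Self-signed CA certificate; its private key is the root of trust of the
    # VPN and should never leave the machine that signs certificates.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example-CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    issue_cert "$dir" server javi-pc     serverAuth
    issue_cert "$dir" client javi-laptop clientAuth
}

# Return 0 only if certificate $2 chains to CA $1 and its EKU text
# (as printed by openssl x509 -text) contains $3.
check_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text | grep -q "$3"
}

# Demo run in a scratch directory.
demo=$(mktemp -d)
build_pki "$demo"
check_cert "$demo/ca.crt" "$demo/server.crt" "TLS Web Server Authentication" \
    && echo "server.crt chains to the CA and is a server certificate"
check_cert "$demo/ca.crt" "$demo/client.crt" "TLS Web Client Authentication" \
    && echo "client.crt chains to the CA and is a client certificate"
rm -rf "$demo"
```

The point of the last function is the one that matters for the VPN: a peer is only accepted if its certificate was signed by this CA, so a certificate issued by anyone else's CA, however well formed, fails the chain check. Keeping the server and client EKUs distinct additionally stops a stolen client certificate from being presented as the server.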


3 comments:

  1. Could you please use a more legible font....?

    Thanks

  2. Thank You for Sharing this wonderful and much required information in this post.
    Secure Remote Access Solution
    Remote Access Solution

  3. A very awesome blog post. We are really grateful for your blog post. You will find a lot of approaches after visiting your post.

    Remote Access Solution London
    Secure Remote Working Network Solution
