Setting Up an XSCE VPN: Difference between revisions

From OLPC
Jump to navigation Jump to search
Line 69: Line 69:
George Hunt's answer:
George Hunt's answer:


There are no guarantees. I guess I could say that it's highly unlikely that an intruder will break into a school server via SSH if passwords are turned off, and if the ports used by SSH and openvpn are the only ports open to the outside world, and if the software keys used by the school server have been generated locally, and stored on the computers that use them, and worst case, a USB key is used to keep a backup copy of these keys, and this USB key is physically locked up, and it is the only copy.
There are no guarantees. I guess I could say that it's pretty unlikely that an intruder will break into a school server via SSH if passwords are turned off, and if the ports used by SSH and openvpn are the only ports open to the outside world, and if the software keys used by the school server have been generated locally, and stored on the computers that use them, and worst case, a USB key is used to keep a backup copy of these keys, and this USB key is physically locked up, and it is the only copy.

Revision as of 21:27, 18 August 2013

How does a VPN work?

The "privacy" of virtual private networks is based upon 2 software keys, one private, and the other public. In most instances, the private key is generated by a user and never shared with anyone. The public key can be used as entrance certificate. If this public key is placed in a list of "authorized_keys", the person who has the corresponding private key is given access to the resource. The ssh (secure shell) conversation is encrypted, and evesdroppers are not able to mimic the legitimate client.

The "XSCE VPN" perhaps should be called a "public connectivity network", and not really a "private network". "XSCE VPN" jumps a number of connectivity hurdles. These hurdles include firewalls specifically designed to prevent communications that start from the outside internet. Firewalls let the user ask questions, and get responses from anywhere on the internet. But when the questions come from anywhere on the internet and go to a local machine, they are blocked.

The internet uses names (technically called url's -- universal resource locators) to create connections. But there is a system for changing names to numbers (called DNS - domain name service). And the numbers are the way communications are routed to the correct destinations. But many Internet Service Providers (ISP's) do not have enough numbers to give out to their many clients. So on different days, a school might have a different number. This makes it hard to find a school from day to day, among all the numbers on the internet.

The vpn jumps these hurdles by starting the conversation, (asking the question), from the inside every day, or even every hour. The schoolserver, running openvpn, starts the conversation with the XSCE mothership that has been made available by activitycentral.com. When people want to connect to a school behind a firewall, they can connect to xsce.activitycentral.com (which always has the same number), and the communication gets routed to the correct destination, even when the number keeps changing, or when the immediate question is coming from a random person on the internet.

How can OPENVPN be Secure and Private when the Keys are Public?

For many years, the unix Secure Shell, SSH, has been the secure way to talk to remote computers. A computer is considered secure if the only way to talk to it is via SSH. Then the conversation usually moves to how SSH is configured. Are passwords enabled? If so, is there any configuration restriction which would make the passwords hard to guess?

It is recommended that for machines connected the the "XSCE virtual PUBLIC network", users just turn off passwords in the configuration of SSH -- in /etc/ssh/sshd_config change the line to "PasswordAuthentication no". Follow the instructions at http://www.eng.cam.ac.uk/help/jpmg/ssh/authorized_keys_howto.html to generate software keys, and configure the client and server to use them.

CAUTION -- if you do not choose to disable passwords for SSH: Since the XSCE has enabled passwords for ssh conversations, and has created the "admin" user, and a standardized, and publicly known, password, It is vitally important to change the password for user: "admin". This can be done by becoming "root", and setting a new password by the terminal command "passwd admin".

How to Configure XSCE VPN

To start the openvpn tunnel automatically at every boot, you can add the following line to /etc/rc.d/rc.local: "/xs-vpn on".

To verify that the connection has been established, issue the terminal command "ifconfig", and look for the inet address of the "tun" device (wait for 30 seconds before you decide that openvpn is not working). Note the ip address that the openvpn server has assigned you. It will be 10.8.0.<some number>. The xsce.activitycentral.com server will have the address 10.8.0.1. You can verify that you are connected with the command "ping 10.8.0.1". If you get a ping response to this command, half of the connectivity is achieved.

The other half of the job is similar. If you are building more than one XSCE server, you can complete the install of XSCE on the second computer, and then verify that the two machines can ping one another.

If you want to connect to the XSCE via a personal desktop or laptop, you will need to obtain the correct openvpn application for your OS and hardware. Downloads are available at:https://openvpn.net/index.php?option=com_content&id=357

To make a second connection to xsce.activitycentral.com, you need to download openvpn client for the operating system your are using, and copy the ca.crt, client1.key, and client1.crt files from the schoolserver/etc/openvpn/keys folder to the correct location (follow downloaded instructions) .

In order to insure that the vpn tunnel remains open, after network or power outages, you can edit your /etc/crontab file to include the last line in the following listing:

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
1 * * * * root /usr/bin/xs-vpn on

This will cause the computer to check that the tunnel is open at 1 minute past the hour.

How can I increase the Privacy of my VPN?

Turn off Passwords

  1. Use a text editor to search /etc/ssh/sshd_conf for "PasswordAuthentication yes" and change it to "PasswordAuthentication no"
  2. Follow the instructions at http://www.eng.cam.ac.uk/help/jpmg/ssh/authorized_keys_howto.html to generate you own key pair. Put the private key in your home .ssh directory, and the public key in the XSCE .ssh/authorized_keys/ folder.


As indicated above, the XSCE openvpn is really an access pathway that is almost PUBLIC -- not at all very PRIVATE.

Recent headlines showing military operations to break into the computers of another country demonstrate that computers, large or small, are vulnerable to break in. But there are things you can do to decrease this vulnerability, and keep the bad guys further away:

  • Get your own computer to act as the central openvpn presence and a fixed ip address from your Internet Service Provider (you might want to rent an instance from amazon EC2 rather than set up UPS, software backups, and Uninterruptible Power Supply (UPS) etc -- all the things required to have a reliable presence on the internet).
  • Make a contract with computer experts (perhaps activitycentral.com) and pay money to have them set up a secure server for your private use (setting up secure servers requires knowledge and attention to detail).
  • Do not advertise its address
  • Configure it to ignore pings.
  • Do not run any popular services on that machine that may advertise its presence -- no web server, mail server, etc
  • Create your own software keys which you share by hand carrying a USB stick to the computers you want to connect to the VPN tunnel. Turn off ssh passwords.
  • Do not store any private data on this central computer. Assume that it will be compromised.

As in many things, what you gain in security, you may have to give up in usefulness and convenience.

what Privacy/Confidentiality can be "guaranteed" using the OpenVPN server?

George Hunt's answer:

There are no guarantees. I guess I could say that it's pretty unlikely that an intruder will break into a school server via SSH if passwords are turned off, and if the ports used by SSH and openvpn are the only ports open to the outside world, and if the software keys used by the school server have been generated locally, and stored on the computers that use them, and worst case, a USB key is used to keep a backup copy of these keys, and this USB key is physically locked up, and it is the only copy.