By Nathaniel Beckstead –
Virtual Private Networks were first deployed in business settings for remote workers. They have the ability to provide secure access to a local network from a remote computer. Today, VPNs are useful even for common individuals. Masking an IP address, evading geolocation, and using a secure connection are just a few reasons any person may want to use a VPN.
Using a VPN can be as simple as installing a program and clicking a button to connect, but there is a lot more that goes on underneath. There are a few protocols VPNs use. Two different ones are PPTP and IPsec. PPTP or Point-to-Point Tunneling Protocol is an early less secure protocol. PPTP uses a tunnel and encapsulated packets as a means of security. The packets are sent with Point-to-Point Protocol (PPP). These packets are encapsulated by a GRE (Generic Routing Encapsulation) tunnel. Although it is a private connection, it is considered insecure and obsolete because there is no encryption involved.
IPsec stands for Internet Protocol Security. It works at the network layer of the OSI Model. IPsec is thought of as the standard VPN because it can work with any protocol that uses IP. IPsec traffic is secure in that it authenticates the connection and encrypts each packet. IPsec offers two modes, transport mode and tunneling mode. In transport mode, only the payload of the packet is encrypted. This leaves the originating information from the packet visible. The most common mode currently is tunneling mode. This encrypts the entire packet and attaches a new header to the encrypted packet.
I set up my VPN server using an Amazon AWS instance running Ubuntu 14.04 with OpenVPN and easy-rsa. The OpenVPN custom protocol works on layer 2 or 3 of the OSI model. OpenSSL is used to provide authentication and up to 256-bit encryption. It has the capability to authenticate with pre-shared keys, username and password, or certificates. Pre-shared keys are the simplest method when configuring a server and clients.
The initial authentication between a server and client has many checks. The client first initializes a connection to the server. The server then presents its own certificate for the client to authenticate. If the check fails or the certificate is listed as revoked in a CRL used by the client. The client then sends its own certificate to the server for authentication. Each certificate passed by the client or server contains several certificates and keys that are checked. This method is called bidirectional authentication since both sides must present certificates.
Part of a captured TLS handshake when connecting to the VPN.
Amazon AWS offers an operating system option specifically for OpenVPN, but I decided to start from stock Ubuntu 14.04 using this tutorial from Digital Ocean. The two packages that need to be installed are OpenVPN and easy-rsa. The first step is to add a rule telling the firewall to forward all traffic from clients. This will ensure that packets do not stop at the VPN server.
After the networking is configured, the Certificate Authority needs to be set up. This is what manages our keys. It’s as simple as entering a city, email, organization, and a few other fields. Running a build-key-server command will generate the certificates and keys for the server side. The build-key with a name argument will generate certificates and keys for one client. This makes it easy to generate different profiles for desktops, laptops, or phones. After generating all of the required files for a client, a single .ovpn profile makes the information easy to store. The tutorial for Ubuntu 16.04 provides a nice script to automate this process. The end format looks like this:
. . .
. . .
. . .
—–BEGIN PRIVATE KEY—–
. . .
—–END PRIVATE KEY—–
I use this VPN on my Windows laptop and Android phone. There is an easy installer for the OpenVPN GUI on Windows. It creates a small icon with a menu in the taskbar. The profile file created earlier goes in the config folder of the OpenVPN folder. The connect option in the GUI shows all profiles in this folder. After connecting, a popup pops up to display the logs as it attempts to authenticate and create a secure tunnel. On Android, the OpenVPN app allows the importing of a .ovpn file. Afterwards, connecting and disconnecting is just a button click away.
The logging popup shown while connecting.
The local IP address assigned to the PC after connecting to the VPN.
The product of visiting DNS Leak Test before and after connecting to the VPN.
A packet capture of normal traffic while using a VPN.
Encryption and routing do bring downsides to using a VPN. Bandwidth and location often limit speed and increase ping. Sending packets from Rochester to Brazil and back is not a sane thing to do for everyday traffic. In this case, the VPN server is running on an Amazon instance with limited bandwidth too.
Simple speed test without a VPN
Speed test when connected to the VPN
Finally, anyone with a tinfoil hat will tell you Amazon keeps their own logs and are not privacy oriented. For recreational use to secure communications, it shouldn’t be a concern. AWS also has the advantage of setting up an instance at any datacenter around the world, for example, Sao Paulo, Brazil.
There are several reasons an everyday person may want to use a secure VPN. When using public Wi-Fi networks, it keeps the connection private and encrypted. It also masks an IP address. Destination addresses only see the IP address of the VPN server, not the client. This can be helpful for mitigating DDOS attacks and hacking attempts. It can also help sidestep geolocation. If content is banned in the current country, connecting to a VPN can act as if the client computer is located in another country. Having an alternate IP address also enables programmers to use one while the other is blocked because of requesting from a website too much for example.
Setting up a VPN is fairly simple at first and has many advanced configurations if curious. It is definitely a quick but worthwhile project that teaches about routing, cryptography, and protocol use.