Over the last few weeks we’ve looked at using symmetric key encryption to protect stored computer data using TrueCrypt, and using asymmetric (public key) encryption to protect data being sent by email over the Internet using OpenPGP. But what if, while traveling, you want to create a secure link from your laptop back to an office computer—or perhaps your home office network—over the Internet?
The problem is that data sent over the Internet is not secure since it can be sniffed (intercepted and analyzed) relatively easily. In fact it is particularly vulnerable to sniffing when you are connected to the Internet using a public wireless hotspot, or using a wired connection at a hotel or conference center on a local network that uses hubs instead of switches.
The solution is to use a virtual private network, or VPN. Put in simple terms a VPN secures your data by encrypting each packet and wrapping it in an envelope which has its destination printed on it. Anyone intercepting this envelope could see its intended destination, but not the contents (because the contents is encrypted.) Once the packet arrives at its destination it is removed from the VPN envelope, decrypted, and then handled in the normal way.
There are a number or ways to implement a VPN, and larger organizations often have dedicated hardware to handle encryption and decryption at the corporate network gateway. But for smaller companies and individuals one excellent solution is to use an open-source VPN system called OpenVPN.
OpenVPN runs on Windows, OS X, Linux and UNIX over a single TCP or UDP connection, it can work through firewalls and routers (once port forwarding has been set up) and needs no dedicated hardware to run. And, importantly, it is completely free to use. The only downside is that perhaps because of its power and flexibility OpenVPN can be extremely hard for a beginner to get going. This need not be the case though, and in the second part of this article I’ll explain how to set up a simple OpenVPN system in about 15 minutes.
But first let’s take a closer look at OpenVPN. It’s an SSL VPN, which means it uses Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS) for encryption. It uses open-source and proven routines such as OpenSSL to achieve this. Since it’s an SSL VPN no dedicated VPN clients are required to use it (unlike VPNs based on IPSec), but having said that every client must have OpenVPN software installed and running, as well as suitable authentication credentials to connect to the OpenVPN server. More of that in a moment.
OpenVPN can be implemented in a number of ways, including as a secure bridge between two networks, or a secure tunnel between a client machine and a server. For the purposes of this article we’ll be looking setting up a simple client to server Ethernet tunnel VPN. This is ideal for connecting a laptop (the client machine) to a desktop machine running in an office or at home (the server) and from there to other devices including computers and printers connected to the office or home LAN. It will also route all Internet traffic from the laptop through the VPN to the Internet router at the home or office, and from there out onto the Internet.
Why would you want to do this? It’s not hard to imagine a situation in which you might be traveling with your laptop and want to access files stored on your desktop computer or other computers such as a file server on your network. Since your laptop is effectively connected to your LAN when the VPN is active you can also use any software on your laptop that relies on a connection to a local server on your LAN just as if you were at your desktop computer and connected to the LAN directly. Shared printers on the LAN can also be used (although obviously you wouldn’t be able to see the printouts while traveling.)
You can also access computers on your network remotely using their local IP addresses, and operate them using RDP or remote access software such as VNC. The VPN takes care of security worries, as access passwords and other data is encrypted by the VPN.
The ability to route all Internet traffic through your office or home Internet gateway is an important security bonus. This means that any Internet traffic to and from your laptop can be secured by the VPN when it is most vulnerable—at a public wireless hotspot or wired access point—and only released onto the Internet in an unencrypted form when it leaves your office or home router.
For the VPN to be secure it’s obviously critical that some effective authentication system exists, to ensure that only authorized users are given VPN access on to the network. To do this it’s possible to use a simple password or passphrase, but its more secure to take advantage of public key cryptography. OpenVPN provides a suite of utilities called Easy RSA which makes it very easy to create certificates and key pairs for your own certification authority (CA) and for your server and client machines, and the client keys can optionally be secured with passwords as well.
In the concluding part of this article I’ll go through the process of installing OpenVPN, using Easy RSA to create certificates and keys for a server and one or more clients, and creating the all important configuration files you’ll need to get OpenVPN up and running whenever you need it in a couple of seconds.