VPN or virtual private network is a set of technologies that allows a network to connect through a protected tunnel with other networks. VPNs are uses by an organization to provide remote access of their protected resource maybe access to some files, software access, or some client communication. A VPN Create private communication between two devices. Devices can be similar or different, I can be a mobile, router, or a computer, it allows remote access while protecting traffic/communication as well.

How a VPN works?

“Private” in VPN refers to network topology instead of privacy. VPN work based on routing, bridging, and encapsulation. Layer 3 VPN creates a new route for virtual network adopter while in bridging VPN method (or Layer 2) method like connected devices are on the same physical network.

Encapsulation means traveling information is wrapped inside packets, these encapsulated packets travel through a secure VPN tunnel between server and client. A VPN server will be only visible to clients. VPN or virtual private network is a set of technologies that allows a network to connect through a protected tunnel with other networks. VPNs are uses by an organization to provide remote access of their protected resource maybe access to some files, software access, or some client communication. A VPN Create private communication between two devices.

So, Devices can be similar or different, I can be a mobile, router, or a computer, it allows remote access while protecting traffic/communication as well.

Configure OpenVPN    

Pre requisites:

1. Ubuntu 20.04 LST
2. Internet connection
3. A mobile/remote device to test your OpenVPN services.

Install required packaged:

So, open a browser and go to the OpenVPN main site

Click on Get OpenVPN visible on upper left corner of the site.

Then, click on the Ubuntu icon.

After that, Install required packages are per instructions provided on website.

# apt update && apt -y install ca-certificates wget net-tools gnupg

wget -qO - https://as-repository.openvpn.net/as-repo-public.gpg | apt-key add -

# echo "deb http://as-repository.openvpn.net/as/debian focal main">/etc/apt/sources.list.d/openvpn-as-repo.list 

When installation process is over you will be able to see following message, where VPN server is accessible on port number 943.

Let’s access admin portal first, assign password to OpenVPN user.

# passwd OpenVPN

Then, open URL https://ip-addr:943/admin, provide user id and password created in previous step:

Then, Click on user management and go to user permissions

Create a new user (demouser in our example scenario), click on more settings, define password and save settings.

Here you have created a VPN client user which can be accessed via remote.

To check if creds are working properly or not, open https://ip-addr:943 in another browser. Provide user id and password created in above step (demouser).

After providing credential, a window something like below will appear. Here you can save your VPN profiles by click on user-locked profile.

To run a OpenVPN client on MS Windows®, download application and install.

When setup is done, open MS Windows VPN client application and provide credentials.

Enable OpenVPN connection, we can see successfully connected VPN connection on MS Windows® client.  

So, let’s try with android device as well. Download OpenVPN application on your mobile device.

Provide credentials and connect OpenVPN connection, steps are exactly as were for Desktop.  

Now both of the devices (Desktop and Android) are connected, lets see if connections are visible on OpenVPN server or not.

Open https://ip-addr:943/admin

We can see 02 active connections up and running.

Conclusion

OpenVPN is one of the most reputed VPN authentication services getting used globally. Also, OpenVPN is a standardized open-source protocol, where a maximum of the devices supports OpenVPN and can connect via that protocol.

So, the application is very easy to set up and robust platform which can be used for corporate, educational, or government organization for secure tunneled communications.

The post Setting up OpenVPN Server on Ubuntu 20.04 LTS appeared first on Linux Windows and android Tutorials.

Couple of my last documents followed up on how to setup

• OpenVPN server.
• freeRADIUS server.

Getting Started

Note that through out the document, I will stick to Ubuntu 18.04 OS version.

Step 01 — Required Package Installation

# apt-get update
# apt-get install libgcrypt11-dev build-essential

Step 02 — build radius plugin that helps to communicate from OpenVPN to freeRadius

Downloading and building

# wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz
# tar xvf radiusplugin_v2.1a_beta1.tar.gz

# cd radiusplugin_v2.1a_beta1
# make

Copy the built plugin to appropriate location

# mkdir /etc/openvpn/radius
# cp -r radiusplugin.so /etc/openvpn/radius

Step 03 — Configure built Plugin to work with freeRadius server

# vim /etc/openvpn/radius/radius.cnf

NAS-Identifier=anyName

# The service type which is sent to the RADIUS server
Service-Type=5

# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1

# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5

# The NAS IP address which is sent to the RADIUS server
NAS-IP-Address=172.17.0.56

# Path to the OpenVPN configfile. The plugin searches there for
# client-config-dir PATH   (searches for the path)
# status FILE     		   (searches for the file, version must be 1)
# client-cert-not-required (if the option is used or not)
# username-as-common-name  (if the option is used or not)

# Path to our OpenVPN configuration file. Each OpenVPN configuration file needs its own radiusplugin configuration file as well
OpenVPNConfig=/etc/openvpn/server.conf


# Support for topology option in OpenVPN 2.1
# If you don't specify anything, option "net30" (default in OpenVPN) is used. 
# You can only use one of the options at the same time.
# If you use topology option "subnet", fill in the right netmask, e.g. from OpenVPN option "--server NETWORK NETMASK"  
subnet=255.255.255.0
# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN option "--server NETWORK NETMASK"
# p2p=10.8.0.1


# Allows the plugin to overwrite the client config in client config file directory,
# default is true
overwriteccfiles=true

# Allows the plugin to use auth control files if OpenVPN (>= 2.1 rc8) provides them.
# default is false
# useauthcontrolfile=false

# Only the accouting functionality is used, if no user name to forwarded to the plugin, the common name of certificate is used
# as user name for radius accounting.
# default is false
# accountingonly=false


# If the accounting is non essential, nonfatalaccounting can be set to true. 
# If set to true all errors during the accounting procedure are ignored, which can be
# - radius accounting can fail
# - FramedRouted (if configured) maybe not configured correctly
# - errors during vendor specific attributes script execution are ignored
# But if set to true the performance is increased because OpenVPN does not block during the accounting procedure.
# default is false
nonfatalaccounting=false

# Path to a script for vendor specific attributes.
# Leave it out if you don't use an own script.
# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl

# Path to the pipe for communication with the vsascript.
# Leave it out if you don't use an own script.
# vsanamedpipe=/tmp/vsapipe

# A radius server definition, there could be more than one.
# The priority of the server depends on the order in this file. The first one has the highest priority.
server
{
	# The UDP port for radius accounting.
	acctport=1813
	# The UDP port for radius authentication.
	authport=1812
	# The name or ip address of the radius server.
	name=172.17.0.55
	# How many times should the plugin send the if there is no response?
	retry=1
	# How long should the plugin wait for a response?
	wait=1
	# The shared secret.
	sharedsecret=mysecret
}

Step 04 — Template OpenVPN server configuration file

# vim /etc/openvpn/server.conf

port 443 
proto tcp 
dev tun 
server 10.11.0.0 255.255.255.0 
ca /etc/openvpn/easy-rsa/keys/ca.crt 
cert /etc/openvpn/easy-rsa/keys/server.crt 
key /etc/openvpn/easy-rsa/keys/server.key 
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf ifconfig-pool-persist ipp.txt persist-key 
persist-tun 
keepalive 10 60 
reneg-sec 0 
comp-lzo 
tun-mtu 1468 
tun-mtu-extra 32 
mssfix 1400 
push "persist-key" 
push "persist-tun" 
push "redirect-gateway def1" 
push "dhcp-option DNS 8.8.8.8" 
push "dhcp-option DNS 8.8.4.4" 
status /etc/openvpn/443.log 
verb 3
client-cert-not-required

Step 05 — Service start up

# systemctl start openvpn@server

Client Work-Station End

Step 06 — Required Package Installation

# apt-get update && apt-get install -y network-manager-openvpn

Step 07 — Launch `nm-connection-editor` & create new VPN profile

# nm-connection-editor

Next, Click (+) sign & Select “OpenVPN” from the drop-down menu

Check my previous post on getting required certificate. Also, once the new VPN profile is saved, start the launch by clicking the configured Profile name. Note that prior to VPN establishment, your credentials are being passed to OpenVPN server which in turn redirect them to freeRadius. However, actual process of credential verification is being performed at mysql database where we setup user details.

“I hope this has been informative”

The post OpenVPN authentication with freeRADIUS appeared first on Linux Windows and android Tutorials.

• Encrypt outgoing traffic
• Possible of traffic routing other than your local ISP

Getting Started

01. Installing the required packages

# apt-get update && apt-get install -y openvpn easy-rsa

02. Creating additional directory for hosting certificate which we later introduce

# mkdir -p /etc/openvpn/server/certs

# cd /etc/openvpn/server/certs

03. Build a CA & its Keys

# openssl genrsa -out ca.key 2048

# openssl req -new -x509 -days 3650 -key ca.key -out ca.crt


Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:la 
Locality Name (eg, city) []:la
Organization Name (eg, company) [Internet Widgits Pty Ltd]:osradar
Organizational Unit Name (eg, section) []:it
Common Name (e.g. server FQDN or YOUR name) []:vpn-server.osradar.com
Email Address []:

04. Lets generate our VPN service own certificates & Keys

# openssl genrsa -out vpn.key 2048

# openssl req -new -key vpn.key -out vpn.csr

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:la
Locality Name (eg, city) []:la
Organization Name (eg, company) [Internet Widgits Pty Ltd]:osradar
Organizational Unit Name (eg, section) []:it
Common Name (e.g. server FQDN or YOUR name) []:vpn-server.osradar.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# openssl x509 -req -in vpn.csr -out vpn.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365

Signature ok
subject=C = US, ST = la, L = la, O = osradar, OU = it, CN = vpn-server.osradar.com

# openssl dhparam -out dh2048.pem 2048

05. Configuring the Open VPN server

# vim /etc/openvpn/server/server.conf

port 443    
proto tcp    
dev tun    
server 10.11.0.0 255.255.255.0    
ca /etc/openvpn/server/keys/ca.crt    
cert /etc/openvpn/server/certs/vpn.crt    
key /etc/openvpn/server/certs/vpn.key    
dh /etc/openvpn/server/certs/dh2048.pem  
persist-key    
persist-tun    
keepalive 10 60    
reneg-sec 0    
comp-lzo    
tun-mtu 1468    
tun-mtu-extra 32    
mssfix 1400    
push "persist-key"    
push "persist-tun"    
push "redirect-gateway def1"    
push "dhcp-option DNS 8.8.8.8"    
push "dhcp-option DNS 8.8.4.4"    
status /etc/openvpn/443.log    
verb 3

06. Starting up the service

# systemctl start openvpn@server

07. Enable IPV4 routing between interfaces

# vim /etc/sysctl.d/60-ipv4-forward.conf

net.ipv4.ip_forward=1

# sysctl -p /etc/sysctl.d/60-ipv4-forward.conf

08. Changing the firewall rules

# vim /etc/ufw/before.rules

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/16 -o main_nic -j MASQUERADE
COMMIT
# END OPENVPN RULES

main_nic => replace this with your outgoing NIC device name

Allow 443/tcp which we setup our VPN service

# ufw allow 443/tcp
# ufw disable
# ufw enable

09. Prepare user certificate. In the example below, I assume the username is bob.

# openssl genrsa -out bob.key 2048

# openssl req -new -key bob.key -out bob.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:LK
State or Province Name (full name) [Some-State]:CMB
Locality Name (eg, city) []:colombo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:private
Organizational Unit Name (eg, section) []:it
Common Name (e.g. server FQDN or YOUR name) []:bob
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

10. Sign the user certificate using the CA certificate which we generated at step 03.

# openssl x509 -req -in bob.csr -out bob.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365

bob.crt should be shared with the user in order to them to launch OpenVPN client from their work-station.

Client Work-Station End.

11. Open the terminal and install the the required packages and then launch “nm-connection-editor”

# apt-get update && apt-get install -y network-manager-openvpn

$ nm-connection-editor

12. Setting up the VPN client profile

Click (+) Sign and then Select the OpenVPN option under the drop-down menu

That’s it. Now you can start newly created VPN connection which then initiate a encrypted tunnel between local station to the destination VPN server.

You can verify the result by looking at the IP address space

# ip addr show

“I hope this has been informative”

The post Setup VPN access provisioning server on top of Ubuntu 18.04 appeared first on Linux Windows and android Tutorials.

The name of the attack is quite charming – VORACLE. The attack was discovered by security researcher Ahamed Nafeez. The finding about the attack was presented at the Black Hat and DEF CON security conferences.

What is VORACLE?

To be honest, VORACLE isn’t a brand new attack method. Instead, it’s a combo and variation of some already-existing older cryptographic attacks like BREACH, TIME and CRIME.

In the previous attacks, researchers discovered that data was recoverable from TLS-encrypted connections if the compression of data happened before encrypting. Fixes for those attacks were out in 2012 and 2013 and since then, HTTP connection was safe.

What Nafeez discovered that the theoretical points of those attacks are still valid in the case of some VPN traffic types. He pointed out that the VPN clients/services that compress the HTTP web traffic before the encryption as a part of the connection are still vulnerable to those older attacks.

VORACLE can decrypt HTTP traffic sent via VPNs

According to Nafeez, VORACLE still allows an attacker to decrypt the original content of the HTTP traffic that’s going through the VPN connection. He explains that the aim of this attack is to leak secrets like cookies, page with sensitive info etc.

Nafeez also pointed out that VORACLE only works against the VPN services/clients that use the OpenVPN protocol as their core. OpenVPN is open-source and uses a default setting – compressing all the data before encryption via TLS and later, sending it via the VPN tunnel. Thus, it satisfies the conditions of the old attacks – BREACH, TIME and CRIME.

VORACLE is preventable

Despite VORACLE is so dangerous, it is still preventable in a very simple way. For example, some VPN services/clients allow modifying this setting to switch to a non-OpenVPN protocol.

Second, when surfing the net, users can decide not to surf websites that only offer HTTP. Thus, by only browsing the HTTPS sites, even if the attacker gets their hand on the traffic, it won’t be understandable to them.

Third, the attack doesn’t seem to be working in the case of Chromium-based browsers that split the HTTP requests in multiple parts like header and body. It means that even if you access HTTP sites using Chrome and other Chrome-based browsers, you won’t be susceptible to VORACLE.

TunnelBear removed the compression support for its OpenVPN-based servers. Private Internet Access also confirmed that they disabled the pre-compression back in 2014.

Stay safe on the internet!

The post VORCLE – Recovering HTTP Data from VPN Connections Made Easy appeared first on Linux Windows and android Tutorials.