How to install & configure OpenVPN on Centos 6 for use in a typical home environment

Rocksockdoc
Posts: 414
Joined: 2012/03/29 20:12:28

How to install & configure OpenVPN on Centos 6 for use in a typical home environment

Post by Rocksockdoc » 2012/12/06 06:01:27

Having never used a VPN solution, and knowing next to nothing about them, other than the fact that what I want is to test VPN out, hoping to achieve the most basic of security and anonymity in a typical home environment, I ran a search in this Centos.org forum but I didn't find any step-by-step tutorials for installing & configuring OpenVPN on Centos 6.

Searching for "openvpn", I did find a short thread on this forum about a network plugin ([url=https://www.centos.org/modules/newbb/viewtopic.php?topic_id=39951&forum=55&post_id=173261#forumpost173261]No VPN Plugin Available[/url]), but nothing on a typical openvpn setup. Also there was a short thread on [url=https://www.centos.org/modules/newbb/viewtopic.php?topic_id=37124&forum=56&post_id=161630#forumpost161630]"selinux and openvpn"[/url], but it too didn't show how to install openvpn on Centos6 to achieve basic personal security & anonymity for a first-time user.

Using yum, I can find multiple repositories containing the openvpn package:
[code]
$ yum --noplugins --showduplicates --enablerepo \* --disablerepo c6-media,\*-source,\*debug\* provides "*/openvpn"
REPORTED:
...
openvpn-2.2.2-1.el6.rf.x86_64 : Robust and highly flexible VPN daemon
Repo : rpmforge
...
openvpn-2.2.1-1.el6.x86_64 : A full-featured SSL VPN solution
Repo : naulinux-school
...
openvpn-2.2.2-1.el6.x86_64 : A full-featured SSL VPN solution
Repo : epel
...
[/code]

Given the information above, I installed openvpn using the command:
[code]
$ sudo yum --enablerepo rpmforge install openvpn
$ sudo cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn/.
$ sudo cp -r /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/.
[/code]

Now it's time to set it up for a simple test, which would be whatever any basic home user would want to set up for their very first VPN task.

I started to read the man page hoping to figure out how to set up the most basic of configurations; however, it should be noted that the [url=http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html]openvpn manpage[/url] is horrifically detailed - so it might not be the best way for a beginner to just get going to test it out in a basic home environment.

Googling for basic Centos 6 openvpn setup examples, I found this site appears to contain the canonical openvpn installation instructions:
- [url=http://openvpn.net/index.php/open-source/documentation/install.html]OpenVPN installation notes[/url]

But, before I choose the actual route to take to set it up for a basic home user test - may I ask if there is an existing tutorial for installing & configuring openvpn on Centos 6 for basic home use that I've missed? [i] (If not, any hints for making this thread that tutorial would be welcome.)[/i]

Note: Non centos.org forum references I am currently reading to find a typical home user setup procedure are the following:
1. [url=http://www.wjunction.com/13-tutorials-guides/152274-openvpn-centos-installer.html]OpenVPN Installer for Centos 5 & 6[/url]
2. [url=http://www.server-world.info/en/note?os=CentOS_6&p=openvpn]Install OpenVPN to Configure Virtual Private Network on Centos 6[/url]
3. [url=http://www.gaggl.com/2012/06/openvpn-install-on-centos-6-server/]OpenVPN Install on CentOS 6 Server[/url]
4. [url=http://freevps.us/thread-4087.html]How to install VPN Server (OpenVPN) on CentOS 6 32bit[/url]
5. [url=http://www.bentasker.co.uk/documentation/linux/152-openvpn-on-centos-6]OpenVPN on CentOS 6[/url]
6. [url=http://servertutz.wordpress.com/2011/08/14/installing-openvpn-on-centos/]Installing OPENVPN 2.1.3 Server on CentOS 6[/url]
etc.

Rocksockdoc
Posts: 414
Joined: 2012/03/29 20:12:28

Re: How to install & configure OpenVPN on Centos 6 for use in a typical home environment

Post by Rocksockdoc » 2012/12/06 22:21:44

Unfortunately, nobody provided better guidance, so, here's where I am moving forward on my own (so that my saga will help the next newbie who tries to install & run OpenVPN on Centos 6).

[b]It turns out to be extremely complicated to install OpenVPN on a standard Centos 6 computer.[/b]

The main problem isn't the Centos 6 bug that needs to be worked around (this, at least, appears to be a known bug with a known workaround).
The main problem (for me anyway) seems to be the vast prior knowledge you need, just to properly follow what the basic installation steps seem to be.
A basic user has to guess too many times what the commands & settings should be. Once or thrice is ok, but dozens of times is why the installation will fail.

Unfortunately, the best openvpn installation instructions, so far, that I can find, still leave out (very) many gotchas that I ran into:
1. [url=https://safesrv.net/install-openvpn-on-centos/]https://safesrv.net/install-openvpn-on-centos/[/url]
2. [url=http://www.wjunction.com/13-tutorials-guides/152274-openvpn-centos-installer.html]OpenVPN Installer for Centos 5 & 6[/url]

For example, you need to know about [b]"iptables"[/b] (which I had never even heard of before); you have to know if you're running something called [b]"tun" or "tap"[/b] (again, something I have never heard of before); you have to learn how to '[b]create a certificate[/b]' (whatever that means); and you need to "[b]build a CA[/b]" (again, whatever that means); you have to '[b]build a key server[/b]'; you need to know what port you wish to use ([b]port 1194?[/b]); and you need to know what you want your "[b]tun-mtu[/b]" to be (whatever that means); and you need to know which protocol to use ([b]udp versus tcp[/b]); and then when the openvpn service fails, the instructions provide absolutely no guidance for figuring out why it failed; you have to change your "[b]sysctl.conf[/b]" file (whatever that is); and you have to modify your [b]CSF or ASF but not SCF[/b] firewall (if that makes any sense).

Needless to say, there is a definite need for a basic explanation of what the process is to install and test your very first most basic of OpenVPN setups - [i]but - given the huge complexity of the process - unfortunately, I won't be able to write it just yet.[/i]

All I can do is document where I am and what I've been doing to get going forward, and let others assume that I'm your basic first-time Centos 6 user who simply wishes to install and test the OpenVPN package in order to gain a bit of security and/or anonymity on the net.

Here, for example, is my installation log file to date:
Note: I would think I'm a 'classic' user who simply wants the bare minimum OpenVPN installation setup, so that I can simply install it to see 'how' it works in practice on a home Centos 6 laptop in a very typical home environment.
[code]
Thu Dec 6 12:57:35 PST 2012
Attempting to install openvpn on Centos 6 as per:
1. https://safesrv.net/install-openvpn-on-centos/
2. http://www.wjunction.com/13-tutorials-guides/152274-openvpn-centos-installer.html

Check if tun/tap are active (whatever they are):
$ sudo cat /dev/net/tun
You should see this message if tun is active (note that I saw this message, so, apparently tun, whatever it is, is active):
cat: /dev/net/tun: File descriptor in bad state

Locate a decent Centos 6 repository for openvpn:
$ yum --noplugins --showduplicates --enablerepo \* --disablerepo c6-media,\*-source,\*debug\* provides "*/openvpn"
REPORTS:
rpmforge: openvpn-2.2.2-1.el6.rf.x86_64 : Robust and highly flexible VPN daemon
naulinux-school: openvpn-2.2.1-1.el6.x86_64 : A full-featured SSL VPN solution
epel: openvpn-2.2.2-1.el6.x86_64 : A full-featured SSL VPN solution

Install openvpn using yum:
$ sudo yum --enablerepo rpmforge install openvpn -y
Locate where openvpn installed:

Find where it was installed:
$ which openvpn
REPORTS:
/usr/sbin/openvpn

Determine the version of openvpn installed (looks like the version is 2.2.2):
$ openvpn --version
REPORTS:
OpenVPN 2.2.2 x86_64-unknown-linux-gnu

Copy the easy-rsa folder to the /etc/openvpn directory:
$ sudo cp -r /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/.

Due to a reputed CentOS 6 bug, you must patch /etc/openvpn/easy-rsa/2.0/vars
$ sudo vi /etc/openvpn/easy-rsa/2.0/vars
CHANGE LINE #29 of 74 FROM:
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
CHANGE LINE #29 of 74 TO:
export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

Create a certificate (I wish they'd just say "why" we want to do this):
$ sudo chmod 755 /etc/openvpn/easy-rsa/2.0/*
$ su root
# source /etc/openvpn/easy-rsa/2.0/vars
# /etc/openvpn/easy-rsa/2.0/vars
# /etc/openvpn/easy-rsa/2.0/clean-all

Build CA (I wish they'd state why we'd want to do this):
# /etc/openvpn/easy-rsa/2.0/build-ca
I received the error:
[root@machine]# /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/pkitool
bash: /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/pkitool: Permission denied

So I changed the permissions (you'd think they'd have noticed this):
# chmod 755 /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/pkitool

And re-ran the build-ca command:
# /etc/openvpn/easy-rsa/2.0/build-ca

At this point I received the instructions below (you'd think they'd give better advice on how to answer the questions!):
NOTE: It would be nice to know what the bare minimum answers would be. For me, I guessed at that being just my machine name.
Generating a 1024 bit RSA private key
.......++++++
...............................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: <enter>
State or Province Name (full name) [CA]: <enter>
Locality Name (eg, city) [SanFrancisco]: <enter>
Organization Name (eg, company) [Fort-Funston]: <enter>
Organizational Unit Name (eg, section) [changeme]: <enter>
Common Name (eg, your name or your server's hostname) [changeme]:MACHINE-NAME <enter>
Name [changeme]: <enter>
Email Address [mail@host.domain]: <enter>

Build key server (again, you'd think they'd provide advice for how to answer these questions!):
NOTE: It would be nice to know what the bare minimum answers would be. For me, I guessed at that being just my machine name.

# /etc/openvpn/easy-rsa/2.0/build-key-server server

Generating a 1024 bit RSA private key
......++++++
...............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: <enter>
State or Province Name (full name) [CA]: <enter>
Locality Name (eg, city) [SanFrancisco]: <enter>
Organization Name (eg, company) [Fort-Funston]: <enter>
Organizational Unit Name (eg, section) [changeme]: <enter>
Common Name (eg, your name or your server's hostname) [server]:MACHINE-NAME <enter>
Name [changeme]: <enter>
Email Address [mail@host.domain]: <enter>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <enter>
An optional company name []: <enter>
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'MACHINE-NAME'
name :PRINTABLE:'changeme'
emailAddress :IA5STRING:'mail@host.domain'
Certificate is to be certified until Dec 4 20:12:00 2022 GMT (3650 days)
Sign the certificate? [y/n]: <enter>
CERTIFICATE WILL NOT BE CERTIFIED

Build Diffie Hellman (again, you'd think they'd mention what this step is and does):
# /etc/openvpn/easy-rsa/2.0/build-dh

Make a note of which of these files exist (because they're gonna bite you in a moment):
# ls -l /etc/openvpn/easy-rsa/2.0/keys/ca.crt (not found on my machine)
# ls -l /etc/openvpn/easy-rsa/2.0/keys/server.crt (not found on my machine)
# ls -l /etc/openvpn/easy-rsa/2.0/keys/server.key (not found on my machine)
# ls -l /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem (not found on my machine)

Copy the sample openvpn configuration file to the /etc/openvpn directory:
# cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn/.

Make sure you have the following set (you'd think they'd provide better advice):
# vi /etc/openvpn/server.conf
Note: Since I started by copying the example, I simply added the settings below that were NOT in the example
and I changed those that were, but which were different in the example:

local 123.123.123.123 #- your_server_ip goes here
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3


Start OpenVPN (here you'd think they'd provide some kind of debugging hints):
# service openvpn start
REPORTED:
Starting openvpn: [FAILED]

Enable IP forwarding by editing /etc/sysctl.conf to set 'net.ipv4.ip_forward' to 1 (why?):
# cp /etc/sysctl.conf /etc/sysctl.conf.orig
# vi /etc/sysctl.conf
CHANGE line #7 of 40 FROM:
net.ipv4.ip_forward = 0
CHANGE line #7 of 40 TO:
net.ipv4.ip_forward = 1

Make the changes to sysctl.conf take effect (you'd think they'd mention why we're doing this):
# /sbin/sysctl -p
REPORTS:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

Route Iptables (how are we to even know what an iptable is?):
# /sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Check if you're using config service firewall csf (this isn't as obvious as it would seem):
(http://vps2.me/secure-harden-centos-vps-server-install-csf-firewall/)
# ls /etc/csf/csf.conf
REPORTED: nothing found (so I guess I'm not using csf)
I'm not sure 'what' firewall I'm using since the only one I know of that I have is
System->Administration->Firewall, which points to "system-config-firewall 1.2.27"

At this point, you've made so many guesses (e.g., iptables, firewall, etc.) and you've had so many failures
(e.g., permissions, services, etc.) that there's really no chance it will be working. So what I will do is document
where I am, and then go back to the beginning, and do some more research so as to not branch too far off the
instructions. However, it is disconcerting that I would think I'm the most basic user out there and yet, the instructions
fail for me (where all the defaults should suffice). I'll keep trying - but - allow me to document the steps should someone
else have a better tutorial to follow for a beginner.
[/code]

At this point, I think I've made far too many guesses to move on successfully - but I'll try and report back.
It seems to me what we need are (better) instructions which explain the basic reason for each of the steps.
If I already knew the answers, I'd write that - but I find it hard to believe that it isn't already written as I can't be the first person to want to set up VPN on Centos 6.
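A pre-flight check for the failure recorded in the log above (added here, not code from the thread or from the OpenVPN project): it reads the ca/cert/key/dh directives out of server.conf and reports which of the referenced files do not exist, which is exactly what "Starting openvpn: [FAILED]" was hiding, and flags client-cert-not-required, which turns off certificate authentication of clients. The script name and function names are hypothetical; it assumes relative paths in the config resolve against the config's own directory (the CentOS 6 init script starts openvpn with --cd /etc/openvpn).

```shell
#!/bin/sh
# openvpn_preflight.sh (hypothetical name): pre-flight checks for an OpenVPN 2.2-era
# server.conf, written for the case in the log above where "service openvpn start"
# only printed [FAILED]. Assumption: relative paths in the config are resolved
# against the config's own directory.

# check_conf CONF [ROOT]
# Verifies that the files named by the ca/cert/key/dh directives exist and are
# non-empty, and flags client-cert-not-required. ROOT is prepended to absolute
# paths so a staging tree can be checked. Returns the number of hard failures.
check_conf() {
    local conf="$1" root="${2:-}" fails=0 confdir directive path full
    if [ ! -r "$conf" ]; then
        echo "FAIL: cannot read config $conf"
        return 1
    fi
    confdir=$(dirname "$conf")
    for directive in ca cert key dh; do
        # first occurrence of "<directive> <value>", with any trailing "# comment" stripped
        path=$(sed -n "s/^[[:space:]]*$directive[[:space:]]\{1,\}\([^#]*\).*/\1/p" "$conf" \
               | head -n 1 | sed 's/[[:space:]]*$//')
        if [ -z "$path" ]; then
            echo "FAIL: no '$directive' directive in $conf"
            fails=$((fails + 1))
            continue
        fi
        case "$path" in
            /*) full="$root$path" ;;
            *)  full="$confdir/$path" ;;
        esac
        if [ -s "$full" ]; then
            echo "ok:   $directive -> $path"
        else
            # easy-rsa only writes server.crt/server.key once the CA signs the request
            # (answering 'y' to "Sign the certificate?"); an unsigned request leaves them missing
            echo "FAIL: $directive -> $path missing or empty"
            fails=$((fails + 1))
        fi
    done
    if grep -q '^[[:space:]]*client-cert-not-required' "$conf"; then
        echo "WARN: client-cert-not-required: clients are not authenticated by certificate, only by the auth plugin"
    fi
    return "$fails"
}

# check_host: the two host-side prerequisites from the log (tun device, IP forwarding).
check_host() {
    local fails=0
    if [ -c /dev/net/tun ]; then
        echo "ok:   /dev/net/tun present"
    else
        echo "FAIL: /dev/net/tun missing, 'dev tun' cannot be created"
        fails=1
    fi
    if [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]; then
        echo "ok:   net.ipv4.ip_forward = 1"
    else
        echo "WARN: net.ipv4.ip_forward is not 1; clients will connect but cannot be routed onward"
    fi
    return "$fails"
}

# make_sample_tree DIR: constructed staging tree mirroring the log above: the config
# points at the easy-rsa key files, ca.crt and dh1024.pem exist, but the server
# certificate request was never signed, so server.crt and server.key are absent.
make_sample_tree() {
    local d="$1"
    mkdir -p "$d/etc/openvpn/easy-rsa/2.0/keys"
    cat > "$d/etc/openvpn/server.conf" <<'EOF'
port 1194 #- port
proto udp #- protocol
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
client-cert-not-required
server 10.8.0.0 255.255.255.0
EOF
    echo "constructed placeholder, not a real certificate" > "$d/etc/openvpn/easy-rsa/2.0/keys/ca.crt"
    echo "constructed placeholder, not real DH parameters" > "$d/etc/openvpn/easy-rsa/2.0/keys/dh1024.pem"
}

# Usage on a real host: sh openvpn_preflight.sh /etc/openvpn/server.conf
if [ "$#" -gt 0 ]; then
    check_host
    check_conf "$@"
fi
```

Run against the constructed tree, it reports ca and dh as ok, cert and key as FAIL, and the client-cert-not-required warning; on a real host the exit status is the number of missing files.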

AlanBartlett
Forum Moderator
Posts: 9320
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: How to install & configure OpenVPN on Centos 6 for use in a typical home environment

Post by AlanBartlett » 2012/12/07 03:02:38

The person who may be able to assist you is [url=http://wiki.centos.org/EdHeron]Ed Heron[/url], as he started to draft out a guide for [i]CentOS 5[/i] ([url=http://wiki.centos.org/EdHeron/CentOS5OpenVPN]Install OpenVPN on CentOS 5[/url]), which appears to have not been finished. :-(

Perhaps the pair of you could collaborate on a suitable [i]HowTo[/i] for [i]CentOS 6[/i]?

vonskippy
Posts: 839
Joined: 2006/12/30 03:00:04
Location: Western Slope Colorado

Re: How to install & configure OpenVPN on Centos 6 for use in a typical home environment

Post by vonskippy » 2012/12/07 06:39:58

I'm curious why you would take this approach, especially for "a typical home user".

VPN tunnels (including OpenVPN) are best setup on the EDGE of the network, not on an internal server.

Nor is "rolling your own firewall" a good idea (as in making a dual-nic CentOS box both your edge firewall and your network server).

Most Edge Firewalls (like IPCOP or PFSENSE) have both IPSEC and OpenVPN built in, so it's a relatively simple matter of setting up a net-to-net or roadwarrior-to-net VPN to the edge of your network, and then using Firewall rules to control access further inside your network (or DMZ).

If you put your VPN server BEHIND your firewall, then you no longer have access control via the VPN cert, as you have to open a tunnel thru the edge firewall to get to the VPN server. So you're either punching a hole in your edge firewall for everyone, or you're duplicating the effort of limiting access to valid VPN Cert holders.

Also once you're at the internal VPN server, you no longer can control access to internal assets via the firewall, but would need to duplicate that type of access control on the VPN Server itself.

Overall, at best you're duplicating several access control setups, at worse you're allowing untrusted sources inside your firewall and possibly inside your network.

Best to leave VPN access and control on the edge.

Rocksockdoc
Posts: 414
Joined: 2012/03/29 20:12:28

Re: How to install & configure OpenVPN on Centos 6 for use in a typical home environment

Post by Rocksockdoc » 2012/12/07 18:35:14

[quote]
AlanBartlett wrote:
Perhaps the pair of you could collaborate on a suitable [i]HowTo[/i] for [i]CentOS 6[/i]?[/quote]

I'd love that. I am not sure I'm the best to collaborate, simply because I know nothing and simply want to install - and use - applications that change my IP address and encrypt my traffic - but I can review anything and try it to see if it works and makes sense to me. In general, if it makes sense to me, it should make sense to anyone! :-)

[quote]
vonskippy wrote:
I'm curious why you would take this approach, especially for "a typical home user".[/quote]

Good question.

All I really want is free & usable anonymity & security on Centos 6 for typical home applications (i.e., for torrent, nntp, email, & web).
I think that all boils down to changing my IP address at will, and, encrypting my traffic (both TCP & UDP).
If someone would tell me how to accomplish that, I'd be happy to follow suit.

I first googled and found individual and payware solutions (such as BTGuard, HushMail, SSH, MuteMail, PGP, Private Internet Access, Ipredator, Faceless, AirVPN, PRQ, BlackVPN, CryptoCloud, SwissVPN, StrongVPN, VyprVPN, MullVad, IPVanish, VyprVPN, Privacy.io, PrivatVPN, VPNReactor, BlackVPNetc, etc.), and found the sheer amount of information overwhelming, even for an OCD person such as myself.

[b]However, I still want anonymity (e.g., IP address changes) & security (e.g., traffic encryption) for the four basic home user applications (i.e., email, web, torrent, and nntp).[/b]

I'm a strong believer in first trying the freeware - before ever buying the payware, if for no other reason that you learn what you really need by the flaws found when using the freeware - so that makes your payware decision a more informed one. Most of the time, the freeware works fine for typical home use. Given that, I then tried tor/vidalia/privoxy/polipo/torcat/socat as described below - and - while the Tor Browser Bundle worked, albeit slowly, I soon got hung up trying to torrify/socatify each non-http application as described separately here:
- [url=https://www.centos.org/modules/newbb/viewtopic.php?topic_id=40283&forum=59&post_id=174669#forumpost174669]How to install & configure tor, vidalia, privoxy, & polipo privacy software on Centos 6[/url]

When I ran into roadblocks torifying applications on Centos 6, I asked about and found out that torifying and socatifying each individual application is not really the right way to go for a basic home user who simply wants anonymity and privacy in email, usenet, web, and torrent applications.

[b]I was told the right way to go was to use VPN[/b], and, given my proclivity to find and use the canonical freeware solution first, I hit upon OpenVPN.

I then looked for a Centos 6 OpenVPN tutorial on this forum (and found none) and then looked for tutorials on the web (and found only installation guides).

I would think all basic home users would want to know the same things I want to know, namely:
1. What is the canonical anonymity/privacy freeware solution on Centos 6 for email, torrent, nntp, and the web?
2. Where are the installation and setup instructions for that canonical solution?
3. What's the general use model for that canonical solution (e.g., what servers are needed, what is the setup, what is the use model, etc.)?

[quote]
vonskippy wrote:
VPN tunnels (including OpenVPN) are best setup on the EDGE of the network, not on an internal server.[/quote]

You've hit upon a problem I have, as a basic home user.

First off, I don't even know what you mean by the 'edge' of the network or an internal server.
All I want is privacy and anonymity on the Internet for email, web, nntp, and torrent use.

So, I guess the belated question is:
Q: [b]What is the canonical free Centos 6 method which enables basic anonymity & privacy for typical home nntp, torrent, web, and email use?[/b]

vonskippy
Posts: 839
Joined: 2006/12/30 03:00:04
Location: Western Slope Colorado

Re: How to install & configure OpenVPN on Centos 6 for use in a typical home environment

Post by vonskippy » 2012/12/07 21:44:01

I think you're confusing encryption (via VPN's) with anonymity.

Only (ONLY) the traffic is encrypted in a VPN tunnel, but the end points of the tunnel are visible to any trying to find them.

Encrypting email only works if you're sending it to someone that has the same method of encryption so that they can decrypt it - if not, then it's not a message, it's gibberish. Even if the email is encrypted, it's not anonymous, since the email header will have where (via IP) the email originated from and where (via IP) it was sent.

Anonymous on the web is almost an oxymoron, since at some point you need to interface with the rest of the world and at that point, your public ip will be visible and tracked.

The standard way to have some sense of anonymity on the internet is to use a service that provides you with a VPN tunnel to their service (so all your traffic is encrypted from you to them) and then they use some type of TOR (which is a random hop utility that masks the start and end point of the traffic) to obfuscate your traffic pattern.

Even with such a service, it's not 100% guaranteed anonymity - since you have no clue what the service provider is doing with their traffic logs, nor how willing they are to stand up to any subpoena (plus how do you pay for their service and still remain anonymous, etc).

The only guaranteed way to be anonymous on the internet is to NOT use the internet - otherwise your footprint is left in hundreds (thousands) of boxes you have no control over.

You could look into the TOR project, but it's so incredibly slow you have to have a triple layer tinfoil hat on in order to even think about enduring that snail fest.

http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29

As they said at the last security conference I went to - "the Internet is just one big Postcard, assume anyone and everyone is reading it".

Rocksockdoc
Posts: 414
Joined: 2012/03/29 20:12:28

Re: How to install & configure OpenVPN on Centos 6 for use in a typical home environment

Post by Rocksockdoc » 2012/12/08 06:06:10

[quote]
vonskippy wrote:
I think you're confusing encryption (via VPN's) with anonymity.[/quote]

I probably am confused.
When I think hard about what I want - mostly - I think - I just want to simply change my IP address at will.

For these four typical home applications:
1. Torrent (I would want anyone on the swarm to 'think' the torrent files are going to that changed IP address, not mine)
2. NNTP (I would want the NNTP-Posting-Host to be that changed IP address, not mine)
3. SMTP (I would want the originating IP address to be that changed IP address, not mine)
4. HTTP (I would want the originating IP address to be that of the changed IP address, not mine).

What program will allow me to (appear to) change my IP address on Centos 6 for those four applications?

jlehtone
Posts: 2127
Joined: 2007/12/11 08:17:33
Location: Finland

Re: How to install & configure OpenVPN on Centos 6 for use in a typical home environment

Post by jlehtone » 2012/12/08 21:56:53

That does sound like network address translation (NAT).

However, you have to understand that you have to have a public IP that you can use. Your traffic originates from that IP and the replies come back to that IP.

Since you don't want your public IP to be that IP, you do need a collaborator X. You will send packets to X with your own public IP, X will forward them onwards, but with IP of X as "source". Replies return to X, which knows to forward them to "real" source, i.e. your public IP. X will be essentially a router with NAT.

VPN is one way to direct traffic via external "router", but VPN includes the encryption of the traffic too, so others cannot see what passes between you and X.

When somebody sends new, incoming packets to X/http, X could redirect them to your IP/http. However, if X does that for you, it cannot self receive http nor redirect http for someone else too. Not trivially.


Summary: [b]vonskippy[/b] did mention service providers that could be the X for you. Otherwise, forget anonymity.

Rocksockdoc
Posts: 414
Joined: 2012/03/29 20:12:28

Re: How to install & configure OpenVPN on Centos 6 for use in a typical home environment

Post by Rocksockdoc » 2012/12/10 19:03:55

[quote]
jlehtone wrote:
... you do need a collaborator X. ...
X will be essentially a router with NAT.
VPN is one way ...VPN includes the encryption ...
[/quote]

You explained the problem the best I've ever seen it (better than I did!).

If I may then reflect upon what you said, in order to make sure I understood - it is this:
a) I have a static public IP which I want to hide from destination nntp/smtp/torrent/http servers
b) An outside collaborator NAT can hide my IP from those destination servers
c) A VPN server can act as that collaborator NAT (with traffic encryption as an added bonus)

If that summary is correct, then I simply need to select the right VPN solution. Right?

[quote]
jlehtone wrote:
When somebody sends new, incoming packets to X/http, X could redirect them to your IP/http.
However, if X does that for you, it cannot self receive http nor redirect http for someone else too. Not trivially.
[/quote]

I read that a few times and I don't quite understand.
1. HTTP, via Firefox, seems the easiest protocol to protect (e.g., the Tor Browser Bundle, aka TBB, works just fine, albeit slowly).
2. SMTP, via Thunderbird is harder to protect - but - there is always the TBB option for web-based email (e.g., gmail, hotmail, ymail, etc.).
3. NNTP, via tin, is even harder to protect - but - again - in emergencies - the TBB 'can' be used (albeit the web handles USENET horribly).
4. Torrent, via Transmission seems the hardest of all to protect - as there is no usable web-based alternative.

[quote]
jlehtone wrote:
Summary: [b]vonskippy[/b] did mention service providers that could be the X for you. [/quote]

It's embarrassing to admit I was thoroughly confused by vonskippy's well-intentioned response, mainly, I think, because his explanation hinged on the "edge of the network" and I have never heard of that concept before.

[quote]VPN tunnels (including OpenVPN) are best setup on the EDGE of the network, not on an internal server.[/quote]

I googled "[url=http://edgeof.net/explained.htm]edge of the network[/url]" and he seems to be talking about the edge as being my home broadband router or the rooftop radio & antenna it is connected to, as my Internet service is WISP based (so my "modem" is a radio "transceiver").

Vonskippy then said:
[quote]
Most Edge Firewalls (like IPCOP or PFSENSE) have both IPSEC and OpenVPN built in, so it's a relatively simple matter of setting up a net-to-net or roadwarrior-to-net VPN to the edge of your network, and then using Firewall rules to control access further inside your network (or DMZ).[/quote]

Pretty much I think Vonskippy was trying to tell me what to set up, and where - but I wasn't sure what/where he was telling me to set up.
I did see OpenVPN in his list above - so I just want to figure out how his advice applies to me setting up OpenVPN on 'my' edge of my network (presumably that's my rooftop radio or my home broadband router that the radio is connected to?).

jlehtone
Posts: 2127
Joined: 2007/12/11 08:17:33
Location: Finland

Re: How to install & configure OpenVPN on Centos 6 for use in a typical home environment

Post by jlehtone » 2012/12/10 21:54:08

[quote]
Rocksockdoc wrote:
If I may then reflect upon what you said, in order to make sure I understood - it is this:
a) I have a static public IP which I want to hide from destination nntp/smtp/torrent/http servers
b) An outside collaborator NAT can hide my IP from those destination servers
c) A VPN server can act as that collaborator NAT (with traffic encryption as an added bonus)

If that summary is correct, then I simply need to select the right VPN solution. Right?[/quote]
Summary is correct. But VPN solution is determined by which service provider you do choose.
[quote][b]What is the Tor Browser Bundle (TBB)?[/b]
The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world[/quote]
Tor is clearly a Service Provider. It does not have just one VPN server "relay", but multiple. Suppose there were multiple VPN servers that route and NAT traffic to public internet, and that you establish VPN connections to all of them. Then you could yourself -- via elaborate routing configuration -- send each new connection via different VPN tunnel. That is almost like TBB.

[quote][quote]
jlehtone wrote:
When somebody sends new, incoming packets to X/http, X could redirect them to your IP/http.
However, if X does that for you, it cannot self receive http nor redirect http for someone else too. Not trivially.
[/quote]
I read that a few times and I don't quite understand.[/quote]
I was not sure what you were intending, so I did describe [i]inbound[/i] connection.

You do have a public IP. You do have your computers on home network (aka private LAN). You do have a router. I do guess that the router has on "outside" the public IP and "inside" a private IP. When your computer connects to www.centos.org, it sends packets to the router and the router sends them forward. Not only that, the router claims that the packets originate from its public IP (this is NAT). That starts an [i]outbound[/i] connection. When www.centos.org does reply, the replies come to the router. The router remembers that it did NAT and forwards the replies back to your computer via your LAN. You do get the page that you did ask for.

Now, replace from the above paragraph "home LAN" with "via VPN tunnel", and "your router" with "VPN service provider".

If someone with authority gets interested in the traffic that the VPN service provider sends from its public IP, then they will interrogate the provider to reveal its clients, i.e. your public IP, etc.

The [i]inbound[/i] connection is when someone outside attempts to establish a new connection to some port of the public IP of the router. At this point the router should show its firewall capabilities and refuse the connection.

[i]Internet[/i] is the multitude of connections between subnets. Your home LAN has only one connection to other subnets. It is thus on an "edge" of internet. Your router is the border control -- the Edge -- between internet, where everyone has a public IP, and your home LAN, where IP's are not public. Nobody should know that you have private LAN. They can see a public IP that connects out, but that is all.

Your router more than likely has the routing, NAT, firewall, DHCP for your computers, DNS relay, VPN, etc. It might have both VPN client and server. You could be on the road with laptop and establish (incoming) VPN connection to the VPN server in your router. In this case the router [i]does[/i] listen for and accept a specific connection: VPN. Via the VPN you can reach your home computers.

[b]vonskippy[/b] did refer to using the VPN client of the router to establish a VPN connection to some VPN server. Your router would forward (some) traffic from your home LAN via the VPN tunnel to the internet (or another private LAN).

[quote]
1. HTTP, via Firefox, seems the easiest protocol to protect (e.g., the Tor Browser Bundle, aka TBB, works just fine, albeit slowly).
2. SMTP, via Thunderbird is harder to protect - but - there is always the TBB option for web-based email (e.g., gmail, hotmail, ymail, etc.).
3. NNTP, via tin, is even harder to protect - but - again - in emergencies - the TBB 'can' be used (albeit the web handles USENET horribly).
4. Torrent, via Transmission seems the hardest of all to protect - as there is no usable web-based alternative.
[/quote]
1-3 are all outgoing connections. You connect to something.

Torrent (and multi-player games) are different. There is some server "out there" that your client program does connect to, but the client tells the server where (which public IP) you are at. The server has thus a list of clients. When you are downloading, you naturally reach out to the other clients. Similarly, they may reach out to you. Even without VPN, at the firewall of your router you have to set it to accept incoming traffic that is trying to contact the Torrent client running in your computer. Or something like that ... not my cup of tea.


PS. I don't see much CentOS in this networking 101 part of the discussion, but it is always case-dependent whether to solve a specific problem in code or to use entirely different, better algorithm. :hammer:
