Run Your Own VPN using Google Cloud & OpenVPN

Securing your connection to the internet is no longer something that is reserved for hobbyists who fit the paranoid, tin-foil hatted stereotype. Today, with the majority of our interactions involving some form of digital support, the opportunities for simple, pick-pocket level hacks that take advantage of unsuspecting victims are immeasurable.

While most services that individuals use are natively encrypted, it's no longer necessary to see a user's traffic in order to know what they're doing. Simply knowing the destination of the traffic is enough to profile a target and widen the attack surface. If you know the target is going to Facebook or Twitter or similar platforms, it's easy to find even more information.

On top of that, the websites we all visit today are selling our information to whoever asks for it. There are entire organizations dedicated to modeling our behavior online and identifying us as targets for all sorts of reasons. Those models could also be available to the highest bidder.

The reality is such that a number of companies are making a lot of money selling VPN services, currently for ~$100 per year. The value goes beyond security. Users are capable of masking or changing their geolocation, essentially deciding to enter the Internet from any location where the VPN service has a server.

I'm here to argue that VPN services are simple enough to set up nowadays, especially with the advent of cloud computing, that almost any level of hobbyist can do it, especially if the hobbyist already has a presence on the internet.

Setting Up the Server

I chose Google Cloud to host my VPN server, since I have other things set up there that make this overall process easier (like DNS and SSH), and there are a ton of articles that explain how to do this. The most important callout on Google Cloud is that the VM must be created with Port Forwarding enabled on the network interface. This option can't be changed after the VM has been built. This took me a while to figure out and I owe my knowledge to the following article: https://medium.com/teendevs/setting-up-an-openvpn-server-on-google-compute-engine-9ff760d775d9

I used Ubuntu on my VM and followed this guide to set up OpenVPN as a server. https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04

By the end of that article you should understand how OpenVPN authenticates its clients, how to generate a Certificate Authority, and how to sign certificate requests to create new client keys.

My server.conf ended up looking like the following:

port 1194
proto udp
dev tun

ca skylaski/ca.crt
cert skylaski/skylaski.crt
key skylaski/skylaski.key  # This file should be kept secret
dh skylaski/dh.pem

topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt

client-config-dir ccd
route 192.168.1.0 255.255.255.0

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

client-to-client
keepalive 10 120

tls-auth skylaski/ta.key 0 # This file is secret
max-clients 10

user nobody
group nogroup

persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 4

explicit-exit-notify 1

Setting Up the Client

The client will be unique to the device connecting to the VPN. Most of the value-add for VPN providers is their client. However, basic networking knowledge is all that's needed to get an OpenVPN client working. One thing that helps is to create a single '.ovpn' file with all the authentication information inside that file.

On Android I used the official OpenVPN client and created my ‘.ovpn’ to look like the following…

client
dev tun
remote YOURVPNIPORDOMAIN
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
verb 1
keepalive 10 120
port 1194
proto udp
remote-cert-tls server

<ca>
----INSERT YOUR CA HERE----
</ca>

<key>
----INSERT YOUR CLIENT KEY HERE----
</key>

<cert>
----INSERT YOUR CLIENT CERT HERE----
</cert>

<tls-auth>
----INSERT YOUR TLS AUTH KEY HERE----
</tls-auth>

These are some of the simplest configuration files I’ve ever seen in my life. I’ve tested this client configuration on the OpenVPN Client for Android AND Windows 10.
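Building that single-file profile by hand means pasting four PEM blocks into the right tags, and a missing or empty block fails in unhelpful ways (for example, a profile without the tls-auth block simply never completes the handshake against the server above). The script below is an added example, not part of the original post: it assembles the inline '.ovpn' from the CA certificate, the signed client certificate and key, and the shared ta.key, refusing to emit a profile if any of them is missing, empty or not PEM, and refusing to inline a file named ca.key, which must never leave the server. The hostname, file names and client name are assumptions.

```shell
#!/bin/sh
# Assemble an inline OpenVPN client profile (example, not from the post).
# Usage: build_ovpn <remote-host-or-ip> <ca.crt> <client.crt> <client.key> <ta.key>
# Mirrors the post's client config: tls-auth direction 0 on the server
# means key-direction 1 on every client.
inline_block() {
    # Wrap one PEM file in the <tag> ... </tag> OpenVPN expects.
    printf '<%s>\n' "$1"; cat "$2"; printf '</%s>\n' "$1"
}

build_ovpn() {
    remote="$1"; ca="$2"; cert="$3"; key="$4"; ta="$5"
    # Every credential file must exist, be non-empty and look like PEM.
    for f in "$ca" "$cert" "$key" "$ta"; do
        if ! [ -s "$f" ] || ! grep -q -e '-----BEGIN' "$f"; then
            echo "build_ovpn: missing, empty or not PEM: $f" >&2
            return 1
        fi
    done
    # The CA private key signs client requests on the server; it never
    # belongs in a client profile.
    case "$key" in
        *ca.key) echo "build_ovpn: refusing to inline the CA private key" >&2; return 1 ;;
    esac
    cat <<EOF
client
dev tun
remote $remote
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
verb 1
keepalive 10 120
port 1194
proto udp
remote-cert-tls server

EOF
    inline_block ca "$ca"
    inline_block cert "$cert"
    inline_block key "$key"
    inline_block tls-auth "$ta"
}
```

Run it as `build_ovpn vpn.example.com ca.crt phone.crt phone.key ta.key > phone.ovpn` (assumed names) and copy only the resulting file to the device; the client key it contains is as sensitive as a password.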

This is just one example. There are a number of ways to do this today and hosting in general is relatively inexpensive. DigitalOcean also offers a relatively cheap 1-click deploy of an OpenVPN Access Server: https://marketplace.digitalocean.com/apps/openvpn-access-server