DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 11th May 2014
gkbsd's Avatar
gkbsd gkbsd is offline
Port Guard
 
Join Date: Jun 2013
Posts: 19
Thanked 0 Times in 0 Posts
Post Defend your network and privacy : VPN gateway with OpenBSD

Hello,

People here helped me get started installing 5.5 current to have my NIC operational. Now I have published an article explaining how I set up my VPN gateway with OpenBSD :
http://networkfilter.blogspot.com/20...ivacy-vpn.html

In case it could be useful to someone

Regards,
Guillaume.
Reply With Quote
  #2   (View Single Post)  
Old 11th May 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,710
Thanked 214 Times in 189 Posts
Default

Interesting write up. I note you selected OpenVPN, which uses OpenSSL.

OpenBSD's implementation of OpenVPN may soon replace that with PolarSSL, but the work to do that is still in development. Here's an excerpt from $ cvs log ports/net/openvpn/Makefile:
Code:
----------------------------
revision 1.51
date: 2014/04/18 19:08:12;  author: espie;  state: Exp;  lines: +6 -6
*really* disable things properly.
----------------------------
revision 1.50
date: 2014/04/18 11:54:32;  author: sthen;  state: Exp;  lines: +10 -1
add makefile parts dealing with PolarSSL support; not enabled yet as current
OpenVPN versions are built against the 1.2 API
----------------------------
revision 1.49
date: 2014/01/09 22:42:43;  author: sthen;  state: Exp;  lines: +2 -3
bugfix update to OpenVPN 2.3.2
----------------------------
Reply With Quote
  #3   (View Single Post)  
Old 11th May 2014
gkbsd's Avatar
gkbsd gkbsd is offline
Port Guard
 
Join Date: Jun 2013
Posts: 19
Thanked 0 Times in 0 Posts
Default

I don't know about PolarSSL. I have read that OpenBSD 5.6 should use LibreSSL, bur I do not know if it will used in OpenVPN. Thanks for the changelog of the port
Reply With Quote
  #4   (View Single Post)  
Old 11th May 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,710
Thanked 214 Times in 189 Posts
Default

PolarSSL has already been integrated with OpenVPN and its options -- ciphers, key management -- may be more apropos to integration with non-OpenBSD platforms.

However, that is entirely conjecture. I have not seen any traffic regarding this on ports@ or misc@ or tech@, and I haven't used OpenVPN in more than 15 years.

For more than guesses, you might ask Stuart Henderson. He's the developer doing the work, according to the log.
Reply With Quote
  #5   (View Single Post)  
Old 13th May 2014
IdOp's Avatar
IdOp IdOp is offline
Too dumb for a smartphone
 
Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 566
Thanked 14 Times in 13 Posts
Default

Thanks for sharing the ideas, gkbsd.

I started playing around with DNSCrypt yesterday and have it running now at home (on Linux). Seems to be working. I guess you could run several of these, each proxying for a different DNSCrypt resolver, and then use each one as a forwarder for your normal caching nameserver, to get some redundancy (but so far I'm just using one).

I'm running it as an unprivileged user, dnscp, created for this purpose. When I do this there are two dsncrypt-proxy processes running, one as root and one as dnscp. Any idea if that's what's supposed to happen?

I was also wondering about using this at public access WiFi (the proverbial "coffee shop" mentioned in README.markdown). This would be a place it is most useful. I'm not sure how well it would mesh with the hotspot start-up procedures sometimes though. Has anyone had any problems with that?

Anyway, nice to try out something that may improve on the status quo.
Reply With Quote
  #6   (View Single Post)  
Old 13th May 2014
gkbsd's Avatar
gkbsd gkbsd is offline
Port Guard
 
Join Date: Jun 2013
Posts: 19
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by IdOp View Post
Thanks for sharing the ideas, gkbsd.
You are welcome

Quote:
Originally Posted by IdOp View Post
I'm running it as an unprivileged user, dnscp, created for this purpose. When I do this there are two dsncrypt-proxy processes running, one as root and one as dnscp. Any idea if that's what's supposed to happen?
On my OpenBSD router I only have one process, ran with "_dnsrypt-proxy" user. I have dnscrypt v1.4.0 installed. But may be Linux handles it differently I don't know.

About using a VPN + DNScrypt on a public place using Wifi, if it's to protect your laptop yes it would definitely be useful.

Regards,
Guillaume.
Reply With Quote
  #7   (View Single Post)  
Old 13th May 2014
IdOp's Avatar
IdOp IdOp is offline
Too dumb for a smartphone
 
Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 566
Thanked 14 Times in 13 Posts
Default

Quote:
Originally Posted by gkbsd View Post
On my OpenBSD router I only have one process, ran with "_dnsrypt-proxy" user. I have dnscrypt v1.4.0 installed. But may be Linux handles it differently I don't know.
Thanks, same version of DNSCrypt here, I'll have to investigate this a bit more.

Quote:
About using a VPN + DNScrypt on a public place using Wifi, if it's to protect your laptop yes it would definitely be useful.
Yes it would be very useful. I was just thinking that some places may only allow regular DNS to get through until you agree to their Terms&Conditions, and so on. Of course it will depend on the hotspot. Again something for future investigation as opportunity permits.
Reply With Quote
  #8   (View Single Post)  
Old 14th May 2014
Oko's Avatar
Oko Oko is offline
Fsck Surgeon
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 775
Thanked 36 Times in 32 Posts
Default

Quote:
Originally Posted by jggimi View Post
PolarSSL has already been integrated with OpenVPN and its options -- ciphers, key management -- may be more apropos to integration with non-OpenBSD platforms.

However, that is entirely conjecture. I have not seen any traffic regarding this on ports@ or misc@ or tech@, and I haven't used OpenVPN in more than 15 years.

For more than guesses, you might ask Stuart Henderson. He's the developer doing the work, according to the log.
We use at work OpenVPN. I run OpenVPN server on OpenBSD of course. I read OpenVPN documentation back and forth several times but this is the first time I hear about PolarSSL. OpenSSL sucks of course but it is so tightly integrated with many packages that even LibreSSL people concede that was the sole reason they forked OpenSSL instead using some other much better alternatives as a starting point.
Reply With Quote
  #9   (View Single Post)  
Old 14th May 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,710
Thanked 214 Times in 189 Posts
Default

Quote:
...this is the first time I hear about PolarSSL.
I'd only learned of the software through a response to one of the recent OpenSSL articles on the OpenBSD Journal, and once I saw the CVS log in the port I looked for and found a history and status of the OpenVPN integration work. As I mentioned, I haven't used OpenVPN in a very long time for VPNs and I know nothing about PolarSSL.

Last edited by jggimi; 14th May 2014 at 10:21 AM. Reason: typo
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Trouble after changing static IP to dynamic IP on OpenBSD gateway magrin OpenBSD General 5 5th April 2014 10:38 AM
Setting up OpenBSD as a ssh gateway dbach OpenBSD General 6 12th January 2012 05:30 PM
rtorrent on NAT-gateway slows down network. pieterverberne OpenBSD General 2 28th March 2010 02:33 PM
Network configuration issue (gateway(s)) amorphousone OpenBSD General 3 25th November 2009 04:53 AM
openBSD IPSEC gateway w/WINDOWS XP roadwarrior s2scott OpenBSD Security 7 13th January 2009 11:01 AM


All times are GMT. The time now is 08:38 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick