Thursday, August 19, 2010

Using OpenVPN to tunnel traffic on laptops and mobiles
Today, I want to talk about using OpenVPN as an alternative (or complement) to ssh for tunneling traffic from laptops and mobile phones on insecure (wireless?) networks. I guess you are a security aware person and that you're already familiar with ssh and its capabilities to tunnel traffic. I would mention the -D option, which is quite handy for tunneling browser and other network traffic. A simple example of such usage is:


ssh -D 1080 some.ssh.server.somewhere

and then configuring the browser or any other networking application to use a SOCKS5 proxy on localhost, port 1080. This is quite handy, but there are some drawbacks. It's quite uncomfortable to configure almost every service to use the SOCKS5 proxy, and some network applications do not support proxies at all, so you have to use a utility like tsocks to intercept their networking calls and push them through the SOCKS proxy. Another problem is the growing number of widgets, applets and cron/scheduler jobs which can start up at any time and send something (including sensitive data) over the insecure channel.

There is an easier way if you're able to set up an OpenVPN server somewhere, or if you already have an OpenVPN server configured. Newer OpenVPN versions introduced the --redirect-gateway option, which automatically configures routes on the OpenVPN client side so that all traffic is tunneled through OpenVPN (OpenVPN acts as the default gateway). A simple example of command line usage would be:


openvpn --config my-vpn-config.ovpn --redirect-gateway def1


This would use your already set up OpenVPN configuration file (my-vpn-config.ovpn) with one additional option that tunnels all traffic through OpenVPN (--redirect-gateway def1). When the OpenVPN connection terminates, the original gateway (and route) is restored. I would recommend reading the OpenVPN manual for a description of the options and of the flags you can pass to redirect-gateway (there are a few of them, and they let you choose how OpenVPN takes over the role of gateway).
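As an added illustration that is not part of the original post, here is a small Python model of what the def1 flag does to the client's routing table, plus a leak check over it. The addresses, the wlan0/tun0 interface names and the tunnel-side gateway 10.8.0.1 are constructed placeholders.

```python
import ipaddress

# Constructed sample routing table of a laptop on an untrusted hotspot,
# before the VPN comes up: (prefix, next hop or None, interface).
BASE_ROUTES = [
    ("0.0.0.0/0", "192.168.1.1", "wlan0"),  # hotspot's default gateway
    ("192.168.1.0/24", None, "wlan0"),      # the local wireless LAN
]
VPN_SERVER = "203.0.113.10"   # placeholder: public address of the OpenVPN server
VPN_GATEWAY = "10.8.0.1"      # assumed tunnel-side gateway pushed by the server
TUN_IF = "tun0"

def redirect_gateway_def1(routes):
    """def1 leaves the original default route in place and adds two /1 routes
    that cover all of IPv4, so they beat 0.0.0.0/0 on longest-prefix match. A /32
    host route keeps the encrypted packets to the VPN server itself on the
    original gateway; without it they would be routed into the tunnel."""
    default = next(r for r in routes if r[0] == "0.0.0.0/0")
    return routes + [
        (VPN_SERVER + "/32", default[1], default[2]),
        ("0.0.0.0/1", VPN_GATEWAY, TUN_IF),
        ("128.0.0.0/1", VPN_GATEWAY, TUN_IF),
    ]

def restore(routes):
    """What happens on disconnect: the added routes are removed and the
    untouched original default route is back in force immediately."""
    return [r for r in routes if r[2] != TUN_IF and r[0] != VPN_SERVER + "/32"]

def lookup(routes, dst):
    """Longest-prefix match: the interface a packet to dst leaves through."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, _hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def leaks(routes, destinations):
    """Internet destinations that would bypass the tunnel. Only the VPN
    server endpoint is allowed to leave via the physical interface."""
    return [d for d in destinations
            if d != VPN_SERVER and lookup(routes, d) != TUN_IF]

if __name__ == "__main__":
    hosts = ["8.8.8.8", "198.51.100.7", VPN_SERVER]
    print("before:", leaks(BASE_ROUTES, hosts))                        # everything leaks
    print("def1:  ", leaks(redirect_gateway_def1(BASE_ROUTES), hosts))  # []
```

On a real client the same check is `ip route get <destination>` after connecting: it should name the tun interface for every address except the VPN server and the local LAN.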


It's quite useful for laptops and especially for mobile phones (Android, to be specific) on insecure/untrusted networks, since Android has a lot of applications and services which send and synchronize data even when you turn off background synchronization (I don't even have to tell you how I "like" that notice saying that even when you turn off synchronization, applications can still send data!). Using OpenVPN as the VPN solution on an Android phone is pretty straightforward and very well documented (go here), so I will not go into details. But I have to tell you that I have tested it at both BlackHat and Defcon this year. The only problem I have noticed is that my G1 gets too hot after having the VPN up for a long time. Another thing is having static ARP entries, but that is a story for another time :)


Note that earlier versions of OpenVPN did not have the --redirect-gateway option; you had to write your own scripts to set up the routes and restore the original ones afterwards. That way is too clumsy if you ask me.


If you don't like OpenVPN, another way is to use ssh as the gateway for all traffic, which works fine but is harder to configure. I may cover it in a later post, but if you're interested, google for it! There are already a lot of nice instructions and scripts on how to do that.