Blogger just isn't doing it for me anymore, so I'm moving everything over to an Octopress-based blog on Github pages.
Check out the new site here: johnchapin.boostrot.net
This will be the last post on this instance of my blog. All the individual posts will link to their new locations, and all comments have been disabled. Adios, Blogger!
This is part 4 in a series of posts detailing how I’m securing my Internet communications using open-source software.
In part 1, I set up an OpenBSD VPS with full-disk encryption and the minimum OS install necessary to run OpenVPN.
Part 2 covered the installation of OpenVPN and configuring the PKI system.
Part 3 was a walk-through of OpenVPN configuration and actually running the OpenVPN daemon.
It should be noted that even these measures are only securing part of my traffic. Everything that exits my VPN endpoint is protected only by whatever protocol-specific security measures are already in place (e.g. HTTPS for web traffic).
On Mac OS X, Tunnelblick can be used to connect to the VPN server. It’s an open-source application that offers simple, OpenVPN-specific configuration and a convenient graphical interface.
To install, simply download and run the installer.
Before configuring the VPN, transfer the CA certificate and the client certificate and key from the VPN server to your client computer:
$ scp user@vpn.example.com:~/easy-rsa/keys/ca.crt ~/Desktop/
$ scp user@vpn.example.com:~/easy-rsa/keys/client1.example.com.crt ~/Desktop/
$ scp user@vpn.example.com:~/easy-rsa/keys/client1.example.com.key ~/Desktop/Note that we could have generated the client certificate and key on the client machine, and gone through the certificate signing process without ever transmitting the client’s private key over the network.
Open the Tunnelblick application. On the Configurations tab, click on the + icon in the lower left to add a new configuration. When prompted, select “I DO NOT have configuration files”.
Next, select “Create sample configuration and edit it”.
This process will create a sample configuration and put it on the Desktop.
Move the downloaded certificates and key into the configuration folder:
$ cd Desktop
$ mv ca.crt Sample\ Tunnelblick\ VPN\ Configuration/
$ mv client1.example.com.* Sample\ Tunnelblick\ VPN\ Configuration/Edit the config.ovpn file. It may already be open in your default text editor. The only changes necessary are:
Here’s a diff of those changes:
42c42
< remote vpn.example.com 80
---
> remote my-server-1 1194
89,90c89,90
< cert client1.example.com.crt
< key client1.example.com.key
---
> cert client.crt
> key client.keyThe Tunnelblick configuration folder can be renamed (in this case, to “Example VPN”). To use this configuration in Tunnelblick, add the .tblk extension to the folder name, and then double-click the folder to install the configuration in Tunnelblick.
Click on the “Railroad Tunnel” icon in the Mac OS X menu bar, and select the “Connect Example VPN” option.
That’s it - you’re now using Tunnelblick to route your Internet communications through OpenVPN running on a VPS-hosted OpenBSD server.
This is part 3 in a series of posts detailing how I’m securing my Internet communications using open-source software. In part 1, I set up an OpenBSD VPS with full-disk encryption and the minimum OS install necessary to run OpenVPN. Part 2 covered the installation of OpenVPN and configuring the PKI system.
It should be noted that even these measures are only securing part of my traffic. Everything that exits my VPN endpoint is protected only by whatever protocol-specific security measures are already in place (e.g. HTTPS for web traffic).
With the OpenVPN package installed and the PKI components in place, configuring and running the actual server software is straightforward. The OpenVPN package includes a sample server configuration file that makes a good starting point.
Make an OpenVPN configuration directory in /etc, and add a copy of the sample configuration, the CA certificate, the VPN server certificate and private key, and the Diffie-Hellman parameters:
# As root...
$ mkdir /etc/openvpn
# Copy the sample configuration
$ cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /etc/openvpn/server.conf
# Copy PKI materials from the easy-rsa working directory
$ cp easy-rsa/keys/ca.crt /etc/openvpn/ca.crt
$ cp easy-rsa/keys/dh4096.pem /etc/openvpn/dh4096.pem
$ cp easy-rsa/keys/vpn.example.com.crt /etc/openvpn/vpn.example.com.crt
# Make a private directory for the server key
$ mkdir /etc/openvpn/private
$ chmod 500 /etc/openvpn/private
# Move the server key from the easy-rsa working directory
$ mv easy-rsa/keys/vpn.example.com.key /etc/openvpn/private/vpn.example.com.key
$ chmod 400 /etc/openvpn/private/vpn.example.com.keyI made the following changes to the default configuration:
Here’s the diff of the server.conf changes:
$ diff /etc/openvpn/server.conf /usr/local/share/examples/openvpn/sample-config-files/server.conf
32c32
< port 80
---
> port 1194
53c53
< dev tun0
---
> dev tun
78,80c78,80
< ca /etc/openvpn/ca.crt
< cert /etc/openvpn/vpn.example.com.crt
< key /etc/openvpn/private/vpn.example.com.key # This file should be kept secret
---
> ca ca.crt
> cert server.crt
> key server.key # This file should be kept secret
87c87
< dh /etc/openvpn/dh4096.pem
---
> dh dh1024.pem
187c187
< push "redirect-gateway def1 bypass-dhcp"
---
> ;push "redirect-gateway def1 bypass-dhcp"
195,196c195,196
< push "dhcp-option DNS 208.67.222.222"
< push "dhcp-option DNS 208.67.220.220"
---
> ;push "dhcp-option DNS 208.67.222.222"
> ;push "dhcp-option DNS 208.67.220.220"
255c255
< max-clients 2
---
> ;max-clients 100Note that in this configuration, the server doesn’t need to store individual client certificates. The server will only accept clients whose certificates were signed by the master CA certificate (the same one that signed the server certificate).
The OS requires a few additional tweaks to run OpenVPN.
Turn on packet forwarding:
$ sysctl -n net.inet.ip.forwarding=1Add the following line to pf.conf to perform Network Address Translation on VPN connections (the 10.8.0.0/24 block is distributed via DHCP to OpenVPN clients):
pass out on em0 from 10.8.0.0/24 to any nat-to (em0)$ /usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf
# Verify that it's actually running:
$ ps -aux | grep openvpn
_openvpn 2900 0.0 0.3 1720 3424 ?? Ss Mon03PM 21:49.15 /usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.confLog output will appear in /var/log/daemon. At this point, there are no clients, so it’s enough that the daemon starts without errors.
This is part 2 in a series of posts detailing how I’m securing my Internet communications using open-source software. In part 1, I set up an OpenBSD VPS with full-disk encryption and the minimum OS install necessary to run OpenVPN.
It should be noted that even these measures are only securing part of my traffic. Everything that exits my VPN endpoint is protected only by whatever protocol-specific security measures are already in place (e.g. HTTPS for web traffic).
Installing and configuring the OpenVPN package can seem daunting at first, but given a relatively simple VPN architecture (many clients, one server), the setup is straightforward. Many of the steps below are cribbed from the OpenVPN section of “Building VPNs on OpenBSD”, which is 4 years old but still informative.
Install the OpenVPN package from the installation media or an official OpenBSD mirror site. The OpenBSD FAQ has instructions for setting up the package system.
# Dutch mirror site
$ export PKG_PATH="http://ftp.nluug.nl/pub/OpenBSD/5.3/packages/`machine -a`"
$ pkg_add openvpnNext, make a copy of the easy-rsa directory:
$ cp -R /usr/local/share/examples/openvpn/easy-rsa/2.0 easyrsa
$ cd easyrsaThe version of easy-rsa that’s included with OpenVPN on OpenBSD 5.3 is missing the whichopenssl script, so in the vars file, the KEY_CONFIG line must be edited in addition to the other KEY* lines. Here is a diff with my changes:
$ diff vars /usr/local/share/examples/openvpn/easy-rsa/2.0/vars
29c29
< export KEY_CONFIG="$EASY_RSA/openssl-1.0.0.cnf"
---
> export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
53c53
< export KEY_SIZE=4096
---
> export KEY_SIZE=1024
64,71c64,72
< export KEY_COUNTRY="ZZcountry"
< export KEY_PROVINCE="ZZprovince"
< export KEY_CITY="ZZcity"
< export KEY_ORG="example"
< export KEY_EMAIL=
< export KEY_CN=
< export KEY_NAME=
< export KEY_OU=
---
> export KEY_COUNTRY="US"
> export KEY_PROVINCE="CA"
> export KEY_CITY="SanFrancisco"
> export KEY_ORG="Fort-Funston"
> export KEY_EMAIL="me@myhost.mydomain"
> export KEY_EMAIL=mail@host.domain
> export KEY_CN=changeme
> export KEY_NAME=changeme
> export KEY_OU=changemeBecause they are likely to change for each certificate generated, the KEY_EMAIL, KEY_CN, KEY_NAME, and KEY_OU values can be removed from the file.
After editing the vars file, source it and run these scripts to setup the PKI system:
$ . vars
$ ./clean-all
$ ./build-dh
$ ./pkitool --initcaGenerate a certificate for the VPN server:
$ ./pkitool --server vpn.example.comAnd one or more client certificates:
# Can also supply KEY_CN, KEY_OU, and KEY_EMAIL
$ KEY_NAME=client1 ./pkitool client1.example.comThe keys directory should now be full of certificates, keys, and signing requests:
$ ls keys/
01.pem
02.pem
ca.crt
ca.key
dh4096.pem
serial
vpn.example.com.crt
vpn.example.com.csr
vpn.example.com.key
client1.example.com.crt
client1.example.com.csr
client1.example.com.key
...The weekday routine in Ciudad de Panama:
The good:
The bad:
We ended up at the NYBC almost every other day. It was so consistent that it almost became hard to take a chance on something else, knowing we could have a good experience at NYBC.
Einstein’s head, carefully enlarged, preserved, and mounted outside of the NYBC in El Cangrejo.
The good:
The bad:
Bon Vivant was recommended via a response to my inquiry on the “Americans in Panama” Yahoo group. We ended up going there twice - might have been back more often, but it was a bit of a hike to get to from our house in Parque Lefevre. Cutting through Parque Omar Torrijos got us away from the traffic and trash (and uncovered manholes), but a 3+ mile roundtrip in CdP is a lot, especially if you don’t want to be a puddle of sweat at your destination.
The good:
The bad:
Another recommendation, this time from /r/panama. We went to the Obarrio location in the evening, after a day of walking around and trying to find wifi in one of the big malls downtown. It’s tucked off of Calle 50, and was extremely quiet. IIRC, we were one of only a few patrons, and definitely the only ones with laptops out.
The El Cangrejo location had a better overall vibe, with more customers and a livelier setting in general, although we probably wouldn’t have gone had NYBC not been closed for Carnavales. Which might explain why the waitstaff were a little grumpy - they had to work instead of partying!
Petit Paris in Marbella. Delicious food…
PSA: Google Maps is just dead wrong about the location of this place. It’s just north of Cinta Costera, in the Marbella neighborhood. The map on their website is accurate.
Café Sucre and Bajareque in Casco Viejo.
Me, according to Jeca…
Several people have asked me, “John, you handsome devil, how exactly did you manage to arrange your life to be able to pick up and go out into the world with no plans and no return ticket?”
The answer, for me at least, was and is “persistence”. I have persistently and obsessively, over the course of several months, poured over the details of my life and made sure that every action I took moved me closer to location independence. Not all of those decisions have been easy or straightforward.
In no particular order, here’s what I had to do.
A wonderful friend made this very easy. Gerald and his lovely fiance Piali (now lovely wife!) decided to have a destination wedding at Playa Bonita resort, just west of Panama City, Panama. With plane tickets purchased and a resort booked, we were definitely getting on a plane to Panama in mid-January.
Having a date on the calendar made it a lot easier to work backwards and start sorting out everything else.
She was my rock during a rough patch in my life, and saying goodbye wasn’t easy. Fortunately, my good friend Chris was interested in taking her. A three-day, cross-country road trip ensued, and now she’s living it up in Boise, Idaho.
With a cool climate, an awesome owner, and some new canine friends, Maggie is a very happy dog :-)
Looking for tenants is never fun. Looking for tenants in a college town in the middle of November seemed like a terrible idea. Fortune smiled again, as I quickly found two sets of tenants to rent my house over the next 18 months, with no gaps in occupancy and at reasonable rents.
What a pain. After countless trips to Goodwill, the Salvation Army, and the local dump, I ended up with 1/2 a shed of mostly tools, some kitchen equipment, a few mementos, and lots of specialty running and biking gear. That still seems like 1/2 a shed too much, but I ran out of time before I ran out of inventory!
I’m jealous of Jeca, who managed to get everything she didn’t bring to Panama into 4 bins!
I needed the car until almost the last minute, so I didn’t post a for sale ad until about 3 weeks before we left the country. With time running out, I advertised a good price, and accepted an offer for a quick sale with a week to go.
This kept me up at night. I was very happy and gainfully employed, but also ready to leave a job that I loved so that I could travel. I had a very vague backup plan in place (consulting, or something).
However, my current employer (Roomkey - we’re hiring!) was extremely supportive of my plans, and agreed to let me work 100% remotely. I’m looking forward to writing more about this arrangement, and its positives and negatives as it becomes a part of my day-to-day life.
Despite no longer being physically present in the US, I need to receive tax documents, rent checks, and a few other odd and ends via the USPS. I set up an account with a mail forwarding service that will allow me to receive physical mail at a US address. Through a web interface, I can direct that mail to be shredded, scanned, or forwarded. They’ll even forward checks to my bank!
The downside is that the difference between a mailing address and a physical address still eludes some people and institutions (like my city government in Virginia). This topic deserves its own article, so stay tuned for more.
So…
That’s it in a nutshell. This kind of lifestyle change is possible for almost anyone, given sufficient motivation.
If you want to do it, do it.
And, if you’re read this far, go check out my girlfriend and traveling companion’s far more interesting blog here: Calle 90