Sunday, December 15, 2013

Adios, Blogger!

Blogger just isn't doing it for me anymore, so I'm moving everything over to an Octopress-based blog on Github pages.

Check out the new site here: johnchapin.boostrot.net

This will be the last post on this instance of my blog. All the individual posts will link to their new locations, and all comments have been disabled. Adios, Blogger!

Friday, December 13, 2013

Secure comms with OpenBSD and OpenVPN, part 4

This blog entry has moved to: http://johnchapin.boostrot.net/blog/2013/12/14/secure-comms-with-openbsd-and-openvpn-part-4/



This is part 4 in a series of posts detailing how I’m securing my Internet communications using open-source software.

In part 1, I set up an OpenBSD VPS with full-disk encryption and the minimum OS install necessary to run OpenVPN.
Part 2 covered the installation of OpenVPN and configuring the PKI system.
Part 3 was a walk-through of OpenVPN configuration and actually running the OpenVPN daemon.

It should be noted that even these measures are only securing part of my traffic. Everything that exits my VPN endpoint is protected only by whatever protocol-specific security measures are already in place (e.g. HTTPS for web traffic).


Tunnelblick Installation

On Mac OS X, Tunnelblick can be used to connect to the VPN server. It’s an open-source application that offers simple, OpenVPN-specific configuration and a convenient graphical interface.

To install, simply download and run the installer.

Before configuring the VPN, transfer the CA certificate and the client certificate and key from the VPN server to your client computer:

$ scp user@vpn.example.com:~/easy-rsa/keys/ca.crt ~/Desktop/
$ scp user@vpn.example.com:~/easy-rsa/keys/client1.example.com.crt ~/Desktop/
$ scp user@vpn.example.com:~/easy-rsa/keys/client1.example.com.key ~/Desktop/

Note that we could have generated the client certificate and key on the client machine, and gone through the certificate signing process without ever transmitting the client’s private key over the network.

Tunnelblick Configuration

Open the Tunnelblick application. On the Configurations tab, click on the + icon in the lower left to add a new configuration. When prompted, select “I DO NOT have configuration files”.

Next, select “Create sample configuration and edit it”.

This process will create a sample configuration and put it on the Desktop.

Move the downloaded certificates and key into the configuration folder:

$ cd Desktop
$ mv ca.crt Sample\ Tunnelblick\ VPN\ Configuration/
$ mv client1.example.com.* Sample\ Tunnelblick\ VPN\ Configuration/

Edit the config.ovpn file. It may already be open in your default text editor. The only changes necessary are:

  • Use port 80 instead of 1194
  • Replace the dummy server name and PKI file names with valid ones.

Here’s a diff of those changes:

42c42
< remote vpn.example.com 80
---
> remote my-server-1 1194
89,90c89,90
< cert client1.example.com.crt
< key client1.example.com.key
---
> cert client.crt
> key client.key

The Tunnelblick configuration folder can be renamed (in this case, to “Example VPN”). To use this configuration in Tunnelblick, add the .tblk extension to the folder name, and then double-click the folder to install the configuration in Tunnelblick.

Running Tunnelblick

Click on the “Railroad Tunnel” icon in the Mac OS X menu bar, and select the “Connect Example VPN” option.

That’s it - you’re now using Tunnelblick to route your Internet communications through OpenVPN running on a VPS-hosted OpenBSD server.

Part 5 - Wrap-up, OpenBSD 5.4 notes, and more!

Wednesday, December 11, 2013

Secure comms with OpenBSD and OpenVPN, part 3

This blog entry has moved to: http://johnchapin.boostrot.net/blog/2013/12/11/secure-comms-with-openbsd-and-openvpn-part-3/



This is part 3 in a series of posts detailing how I’m securing my Internet communications using open-source software. In part 1, I set up an OpenBSD VPS with full-disk encryption and the minimum OS install necessary to run OpenVPN. Part 2 covered the installation of OpenVPN and configuring the PKI system.

It should be noted that even these measures are only securing part of my traffic. Everything that exits my VPN endpoint is protected only by whatever protocol-specific security measures are already in place (e.g. HTTPS for web traffic).


Configuring OpenVPN

With the OpenVPN package installed and the PKI components in place, configuring and running the actual server software is straightforward. The OpenVPN package includes a sample server configuration file that makes a good starting point.

Make an OpenVPN configuration directory in /etc, and add a copy of the sample configuration, the CA certificate, the VPN server certificate and private key, and the Diffie-Hellman parameters:

# As root...
$ mkdir /etc/openvpn

# Copy the sample configuration
$ cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /etc/openvpn/server.conf

# Copy PKI materials from the easy-rsa working directory
$ cp easy-rsa/keys/ca.crt /etc/openvpn/ca.crt
$ cp easy-rsa/keys/dh4096.pem /etc/openvpn/dh4096.pem
$ cp easy-rsa/keys/vpn.example.com.crt /etc/openvpn/vpn.example.com.crt

# Make a private directory for the server key
$ mkdir /etc/openvpn/private
$ chmod 500 /etc/openvpn/private

# Move the server key from the easy-rsa working directory
$ mv easy-rsa/keys/vpn.example.com.key /etc/openvpn/private/vpn.example.com.key
$ chmod 400 /etc/openvpn/private/vpn.example.com.key

I made the following changes to the default configuration:

  • Run the server on port 80, so it can be reached from networks that might restrict or firewall outbound traffic to other ports.
  • Use the tun0 device.
  • Enable redirect-gateway, to force all client traffic through the VPN.
  • Push DNS server information addresses to clients (OpenDNS, in this case).
  • Only allow 2 clients at a time (a laptop and a mobile device).

Here’s the diff of the server.conf changes:

$ diff /etc/openvpn/server.conf  /usr/local/share/examples/openvpn/sample-config-files/server.conf           
32c32
< port 80
---
> port 1194
53c53
< dev tun0
---
> dev tun
78,80c78,80
< ca /etc/openvpn/ca.crt
< cert /etc/openvpn/vpn.example.com.crt
< key /etc/openvpn/private/vpn.example.com.key  # This file should be kept secret
---
> ca ca.crt
> cert server.crt
> key server.key  # This file should be kept secret
87c87
< dh /etc/openvpn/dh4096.pem
---
> dh dh1024.pem
187c187
< push "redirect-gateway def1 bypass-dhcp"
---
> ;push "redirect-gateway def1 bypass-dhcp"
195,196c195,196
< push "dhcp-option DNS 208.67.222.222"
< push "dhcp-option DNS 208.67.220.220"
---
> ;push "dhcp-option DNS 208.67.222.222"
> ;push "dhcp-option DNS 208.67.220.220"
255c255
< max-clients 2
---
> ;max-clients 100

Note that in this configuration, the server doesn’t need to store individual client certificates. The server will only accept clients whose certificates were signed by the master CA certificate (the same one that signed the server certificate).

Configuring OpenBSD for OpenVPN

The OS requires a few additional tweaks to run OpenVPN.

Turn on packet forwarding:

$ sysctl -n net.inet.ip.forwarding=1

Add the following line to pf.conf to perform Network Address Translation on VPN connections (the 10.8.0.0/24 block is distributed via DHCP to OpenVPN clients):

pass out on em0 from 10.8.0.0/24 to any nat-to (em0)

Running the OpenVPN daemon

$ /usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf

# Verify that it's actually running:
$ ps -aux | grep openvpn
_openvpn  2900  0.0  0.3  1720  3424 ??  Ss    Mon03PM   21:49.15 /usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf

Log output will appear in /var/log/daemon. At this point, there are no clients, so it’s enough that the daemon starts without errors.

Part 4 - Client configuration

Monday, December 9, 2013

Secure comms with OpenBSD and OpenVPN, part 2

This blog entry has moved to: http://johnchapin.boostrot.net/blog/2013/12/09/secure-comms-with-openbsd-and-openvpn-part-2/



This is part 2 in a series of posts detailing how I’m securing my Internet communications using open-source software. In part 1, I set up an OpenBSD VPS with full-disk encryption and the minimum OS install necessary to run OpenVPN.

It should be noted that even these measures are only securing part of my traffic. Everything that exits my VPN endpoint is protected only by whatever protocol-specific security measures are already in place (e.g. HTTPS for web traffic).


OpenVPN Installation

Installing and configuring the OpenVPN package can seem daunting at first, but given a relatively simple VPN architecture (many clients, one server), the setup is straightforward. Many of the steps below are cribbed from the OpenVPN section of “Building VPNs on OpenBSD”, which is 4 years old but still informative.

Install the OpenVPN package from the installation media or an official OpenBSD mirror site. The OpenBSD FAQ has instructions for setting up the package system.

# Dutch mirror site
$ export PKG_PATH="http://ftp.nluug.nl/pub/OpenBSD/5.3/packages/`machine -a`"
$ pkg_add openvpn

Next, make a copy of the easy-rsa directory:

$ cp -R /usr/local/share/examples/openvpn/easy-rsa/2.0 easyrsa
$ cd easyrsa

Public Key Infrastructure (PKI) Configuration

The version of easy-rsa that’s included with OpenVPN on OpenBSD 5.3 is missing the whichopenssl script, so in the vars file, the KEY_CONFIG line must be edited in addition to the other KEY* lines. Here is a diff with my changes:

$ diff vars /usr/local/share/examples/openvpn/easy-rsa/2.0/vars     
29c29
< export KEY_CONFIG="$EASY_RSA/openssl-1.0.0.cnf"
---
> export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
53c53
< export KEY_SIZE=4096
---
> export KEY_SIZE=1024
64,71c64,72
< export KEY_COUNTRY="ZZcountry"
< export KEY_PROVINCE="ZZprovince"
< export KEY_CITY="ZZcity"
< export KEY_ORG="example"
< export KEY_EMAIL=
< export KEY_CN=
< export KEY_NAME=
< export KEY_OU=
---
> export KEY_COUNTRY="US"
> export KEY_PROVINCE="CA"
> export KEY_CITY="SanFrancisco"
> export KEY_ORG="Fort-Funston"
> export KEY_EMAIL="me@myhost.mydomain"
> export KEY_EMAIL=mail@host.domain
> export KEY_CN=changeme
> export KEY_NAME=changeme
> export KEY_OU=changeme

Because they are likely to change for each certificate generated, the KEY_EMAIL, KEY_CN, KEY_NAME, and KEY_OU values can be removed from the file.

After editing the vars file, source it and run these scripts to setup the PKI system:

$ . vars
$ ./clean-all
$ ./build-dh
$ ./pkitool --initca

Generate a certificate for the VPN server:

$ ./pkitool --server vpn.example.com

And one or more client certificates:

# Can also supply KEY_CN, KEY_OU, and KEY_EMAIL
$ KEY_NAME=client1 ./pkitool client1.example.com

The keys directory should now be full of certificates, keys, and signing requests:

$ ls keys/
01.pem
02.pem
ca.crt
ca.key
dh4096.pem
serial
vpn.example.com.crt
vpn.example.com.csr
vpn.example.com.key
client1.example.com.crt
client1.example.com.csr
client1.example.com.key
...

Part 3 - Running OpenVPN on OpenBSD

Saturday, December 7, 2013

Secure comms with OpenBSD and OpenVPN, part 1

This blog entry has moved to: http://johnchapin.boostrot.net/blog/2013/12/07/secure-comms-with-openbsd-and-openvpn-part-1/



This is part 1 in a series of posts detailing how I secure my Internet communications using OpenBSD, OpenVPN, and other open-source software.
It should be noted that even these measures are only securing part of my traffic. Everything that exits my VPN endpoint is protected only by whatever protocol-specific security measures are already in place (e.g. HTTPS for web traffic).

Virtual Private Server

I prefer a virtual private server (VPS) over buying, configuring, shipping, upgrading, and disposing of a Real Machine™. Using QEMU/KVM, the hosting company TransIP supports VPSs running OpenBSD 5.3. I’m currently using their “Blade VPS X1” product, which costs €10/month and provides 1GB memory, 50GB storage, 1TB transfer, and importantly, a static IPv4 address.

Why OpenBSD?

I trust OpenBSD to be the most secure operating system available, and I have several years of experience installing and using it. The OpenBSD development team is world-renowned for their commitment to security, and I truly believe that there is no better general-purpose operating system to use as a basis for this project.
TransIP supplies installation files for OpenBSD 5.3. Unfortunately, the OpenBSD project does not digitally sign their releases, instead choosing only to provide SHA256 hashes of the installation set files to protect against corruption or tampering. In their own words, “If the men in black suits are out to get you, they’re going to get you.”
With that in mind, when using a VPS, we have no choice but to trust that the provider hasn’t tampered with the installation process or tapped the VNC console (before SSH can be enabled) to capture our disk encryption or system passwords.

OpenBSD Installation with Full Disk Encryption

OpenBSD 5.3 supports full disk encryption, so I followed the steps in Ryan Kavanagh’s blog post, “Setting up full disk encryption in OpenBSD 5.3”. His instructions are comprehensive, but I found it useful to re-familiarize myself with both the OpenBSD installation process, and the usage of fdisk in particular.
After setting up the encrypted disk, I proceeded with the standard OpenBSD installation, using sd0 as the installation target, and selecting “whole” when prompted, to use the entire device. I chose to use a custom partition layout, forgoing multiple data partitions in favor of a single large “/” partition.
When given the opportunity to select OpenBSD install packages, I chose only:
  • bsd - The Kernel
  • base53 - Contains the base OpenBSD system
  • etc53 - Contains all the files in /etc
This represents the bare minimum OpenBSD system necessary to support an OpenVPN server. Any additional software or services represent additional, unnecessary security risk.

Part 2 - OpenVPN Installation and PKI Configuration

Tuesday, March 5, 2013

Oases of the Digital Nomad, Ciudad de Panama

The weekday routine in Ciudad de Panama:

  1. Wake up, get out of bed, drag a comb across my head.
  2. Eat breakfast.
  3. GTFO before it gets too hot.
  4. Find an oasis.

Oasis #1: New York Bagel Café, El Cangrejo

The good:

  • Consistent wifi, several accessible power outlets.
  • Tasty, relatively inexpensive food and bottomless coffee.
  • Easy access via the Via España bus line.
  • Loads of expats.

The bad:

  • Loads of expats.
  • Generally terrible music, increasing in volume throughout the day.
  • Impressively unpleasant chairs.

We ended up at the NYBC almost every other day. It was so consistent that it almost became hard to take a chance on something else, knowing we could have a good experience at NYBC.


Einstein’s head, carefully enlarged, preserved, and mounted outside of the NYBC in El Cangrejo.

Oasis #2: Bon Vivant, San Francisco

The good:

  • Reasonable wifi
  • Uncrowded (except during lunch)
  • Excellent food, especially the croissants

The bad:

  • Hard to get to via bus from Parque Lefevre. We ended up walking 3+ miles roundtrip.
  • Packed during lunch. Great for business, but not conducive to tele-working.
  • Relatively expensive food, few vegetarian options.

Bon Vivant was recommended via a response to my inquiry on the “Americans in Panama” Yahoo group. We ended up going there twice - might have been back more often, but it was a bit of a hike to get to from our house in Parque Lefevre. Cutting through Parque Omar Torrijos got us away from the traffic and trash (and uncovered manholes), but a 3+ mile roundtrip in CdP is a lot, especially if you don’t want to be a puddle of sweat at your destination.

Oasis #3: Churreria Manolo, El Cangrejo and Obarrio

The good:

  • Good wifi
  • Extensive menu
  • Uncrowded

The bad:

  • No power outlets (in the El Cangrejo location)
  • Mediocre food
  • Grumpy waitstaff (even for Panama!)

Another recommendation, this time from /r/panama. We went to the Obarrio location in the evening, after a day of walking around and trying to find wifi in one of the big malls downtown. It’s tucked off of Calle 50, and was extremely quiet. IIRC, we were one of only a few patrons, and definitely the only ones with laptops out.

The El Cangrejo location had a better overall vibe, with more customers and a livelier setting in general, although we probably wouldn’t have gone had NYBC not been closed for Carnavales. Which might explain why the waitstaff were a little grumpy - they had to work instead of partying!

Never worked in:

Petit Paris in Marbella. Delicious food…

PSA: Google Maps is just dead wrong about the location of this place. It’s just north of Cinta Costera, in the Marbella neighborhood. The map on their website is accurate.

Never made it to:

Café Sucre and Bajareque in Casco Viejo.

Thursday, January 17, 2013

Out into the world.


Me, according to Jeca…

Several people have asked me, “John, you handsome devil, how exactly did you manage to arrange your life to be able to pick up and go out into the world with no plans and no return ticket?”

The answer, for me at least, was and is “persistence”. I have persistently and obsessively, over the course of several months, poured over the details of my life and made sure that every action I took moved me closer to location independence. Not all of those decisions have been easy or straightforward.

In no particular order, here’s what I had to do.

Set the date and first location.

A wonderful friend made this very easy. Gerald and his lovely fiance Piali (now lovely wife!) decided to have a destination wedding at Playa Bonita resort, just west of Panama City, Panama. With plane tickets purchased and a resort booked, we were definitely getting on a plane to Panama in mid-January.

Having a date on the calendar made it a lot easier to work backwards and start sorting out everything else.

Give up my beloved dog, Maggie.

She was my rock during a rough patch in my life, and saying goodbye wasn’t easy. Fortunately, my good friend Chris was interested in taking her. A three-day, cross-country road trip ensued, and now she’s living it up in Boise, Idaho.

With a cool climate, an awesome owner, and some new canine friends, Maggie is a very happy dog :-)

Find tenants for my house.

Looking for tenants is never fun. Looking for tenants in a college town in the middle of November seemed like a terrible idea. Fortune smiled again, as I quickly found two sets of tenants to rent my house over the next 18 months, with no gaps in occupancy and at reasonable rents.

Get rid of almost everything.

What a pain. After countless trips to Goodwill, the Salvation Army, and the local dump, I ended up with 1/2 a shed of mostly tools, some kitchen equipment, a few mementos, and lots of specialty running and biking gear. That still seems like 1/2 a shed too much, but I ran out of time before I ran out of inventory!

I’m jealous of Jeca, who managed to get everything she didn’t bring to Panama into 4 bins!

Sell my car.

I needed the car until almost the last minute, so I didn’t post a for sale ad until about 3 weeks before we left the country. With time running out, I advertised a good price, and accepted an offer for a quick sale with a week to go.

Adjust my employment situation.

This kept me up at night. I was very happy and gainfully employed, but also ready to leave a job that I loved so that I could travel. I had a very vague backup plan in place (consulting, or something).

However, my current employer (Roomkey - we’re hiring!) was extremely supportive of my plans, and agreed to let me work 100% remotely. I’m looking forward to writing more about this arrangement, and its positives and negatives as it becomes a part of my day-to-day life.

Hoodwink the man.

Despite no longer being physically present in the US, I need to receive tax documents, rent checks, and a few other odd and ends via the USPS. I set up an account with a mail forwarding service that will allow me to receive physical mail at a US address. Through a web interface, I can direct that mail to be shredded, scanned, or forwarded. They’ll even forward checks to my bank!

The downside is that the difference between a mailing address and a physical address still eludes some people and institutions (like my city government in Virginia). This topic deserves its own article, so stay tuned for more.

So…

That’s it in a nutshell. This kind of lifestyle change is possible for almost anyone, given sufficient motivation.

If you want to do it, do it.

And, if you’re read this far, go check out my girlfriend and traveling companion’s far more interesting blog here: Calle 90