Recently in internet Category

I have long used an SSH tunnel (put simply: ssh -D 8000 server plus FoxyProxy) to browse the web securely from unencrypted wireless access points and other potentially hostile networks. While this is secure, it isn't all that convenient and has inherent problems: only the applications you point at the SOCKS proxy are protected, and everything else on the machine still talks to the network directly. What I really want is a proper VPN that will seamlessly encapsulate all traffic from my local machine and pass it through the tunnel to be emitted by the server. OpenVPN is one of those things that has a reputation for being difficult to set up, so I long avoided it. Once I decided to actually make with the go, it turned out to not be terribly difficult, though I did have to do a bit of searching to get exactly what I wanted.

There are a number of good tutorials for setting up OpenVPN, and the following instructions mostly mirror those. First, install the requisite package:

    caligula:~$ sudo aptitude install openvpn

Then, set up a place to generate the requisite keys:

    caligula:~$ mkdir -p tmp/vpn && cd tmp/vpn
    caligula:~/tmp/vpn$ cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* .

At this point, many tutorials (the above mentioned ones included) say that you should run ./init-config, which doesn't exist in recent versions of OpenVPN. With the scripts for generating keys in place, open up vars and edit the stuff at the bottom, which should be pretty straightforward:

    export KEY_COUNTRY="US"
    export KEY_PROVINCE="NY"
    export KEY_CITY="Rochester"
    export KEY_ORG="Dinomite-Net"
    export KEY_EMAIL="drew@dinomite.net"

The vars file just sets up a bunch of environment variables, so you'll want to source it and then build the certificate authority. One variable worth a look while you're in there is KEY_SIZE: it sets the length of every RSA key the scripts generate and also names the Diffie-Hellman parameter file that build-dh writes, which is why that file is called dh1024.pem below with the 2.0 default of 1024. 1024-bit keys are weak by current standards; if you raise it to 2048, expect dh2048.pem instead.

    caligula:~/tmp/vpn$ source vars
    caligula:~/tmp/vpn$ ./clean-all
    caligula:~/tmp/vpn$ ./build-ca

Building the certificate authority involves a few questions, for most of which the defaults taken from vars are all you need. Next, build the keys for the server and client (I name my computers after Roman emperors). The name you pass becomes the certificate's Common Name and the base name of the .crt and .key files that land in keys/:

    caligula:~/tmp/vpn$ ./build-key-server caligula
    caligula:~/tmp/vpn$ ./build-key vespasian
    caligula:~/tmp/vpn$ ./build-dh

With all that done, you can copy the appropriate key files over to the client, in my case vespasian. Only vespasian.key is secret; ca.crt and vespasian.crt are public. Since I already had Tunnelblick on that machine, I put the files directly where they needed to go (the path contains a space, so it has to be quoted so that both the local and the remote shell leave it alone):

    caligula:~/tmp/vpn$ cd keys
    caligula:~/tmp/vpn/keys$ scp vespasian.crt vespasian.key ca.crt \
        'vespasian:~/Library/Application\ Support/Tunnelblick/Configurations/'

Two steps left. First, make the client configuration file. For Tunnelblick, this goes in the same directory as above, and you can name it whatever you want:

    vespasian:~$ cat "Library/Application Support/Tunnelblick/Configurations/client.conf"
    client
    dev tun
    proto udp
    remote caligula.dinomite.net 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert vespasian.crt
    key vespasian.key
    comp-lzo
    verb 3

There are plenty of other sites that will explain what all of those options mean, so I won't go over it here. The important things to change from above are the remote and the names for the cert and key. One line worth adding is remote-cert-tls server: build-key-server marks the server's certificate with the server extended key usage, and that directive makes the client reject any peer whose certificate lacks it, so another client certificate signed by the same CA can't be used to impersonate the server. Now on to the server config and the files that it needs (the cert and key names must match what build-key-server produced, and ca.crt has to be copied along with them):

    caligula:~/tmp/vpn/keys$ sudo cp dh1024.pem ca.crt caligula.key caligula.crt /etc/openvpn/
    caligula:~/tmp/vpn/keys$ cat /etc/openvpn/server.conf
    server 10.7.7.0 255.255.255.0
    push "redirect-gateway"

    dev tun0
    proto udp
    keepalive 10 120
    comp-lzo
    dh /etc/openvpn/dh1024.pem
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/caligula.crt
    key /etc/openvpn/caligula.key

    status /var/log/openvpn-status.log
    verb 3

The secret sauce in that config is push "redirect-gateway", which tells the client to route all of its traffic through the tunnel to the server. The more robust form is push "redirect-gateway def1": rather than replacing the client's default route it overrides it with two more-specific routes (0.0.0.0/1 and 128.0.0.0/1), leaving the original default in place. Two caveats: the client keeps using whatever DNS server the local network handed it unless you also push one (push "dhcp-option DNS ..."), so DNS queries can still leave in the clear; and the two settings below are not persistent, so they need redoing after a reboot unless you put them in /etc/sysctl.conf and a firewall script. To make this work, the server needs to forward the clients' packets and NAT them behind its own address, which takes root:

    caligula:~/tmp/vpn/keys$ sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    caligula:~/tmp/vpn/keys$ sudo iptables -t nat -A POSTROUTING -s 10.7.7.0/24 -o eth0 -j MASQUERADE

That's all there is to it! Just restart the server (sudo /etc/init.d/openvpn restart), connect, and all your traffic is now encrypted between your machine and the server. Keep the scope of that in mind: the hostile network sees only UDP to port 1194 on caligula, but traffic leaves caligula exactly as the client sent it, so a plain HTTP page is still plain HTTP from the server onward.
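The two configuration files above are the minimum that works, not the minimum that is safe. The following script is an added example (not part of the original post and not something OpenVPN or easy-rsa ships): it lints a client or server config for the options I would add to this setup and runs over the post's own client and server configs, alongside a client config with the findings addressed. The checks are my recommendations; the directives named are real OpenVPN options, while ta.key and the temporary directory are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the post or from OpenVPN: lint a client or
# server config for hardening options this kind of setup usually omits.
# The checks are recommendations; the directive names are real OpenVPN
# options, ta.key and the temp dir are assumptions of this example.

# True if the config has an uncommented line starting with the directive.
has_opt() { grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"; }

# Print one finding per line for a config of the given role (client|server).
check_conf() {
    conf=$1 role=$2
    has_opt "$conf" tls-auth || echo "missing tls-auth: without the shared HMAC key anyone can open a TLS handshake with the server"
    ! has_opt "$conf" comp-lzo || echo "comp-lzo: compressing attacker-influenced plaintext leaks it; later OpenVPN releases deprecate the option"
    case $role in
    client)
        has_opt "$conf" 'remote-cert-tls server' || echo "missing remote-cert-tls server: any client cert from the same CA could pose as the server"
        ;;
    server)
        has_opt "$conf" user && has_opt "$conf" group || echo "missing user/group: the daemon keeps root after it has read its keys"
        ! grep -Eq '^[[:space:]]*dh .*dh1024' "$conf" || echo "dh1024.pem: 1024-bit DH is below current minimums; rebuild with KEY_SIZE=2048"
        ;;
    esac
    return 0
}

# Number of findings, for callers that want to gate on it.
finding_count() { check_conf "$1" "$2" | wc -l | tr -d ' '; }

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed samples: the client and server configs from the post.
cat > "$workdir/client.conf" <<'EOF'
client
dev tun
proto udp
remote caligula.dinomite.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert vespasian.crt
key vespasian.key
comp-lzo
verb 3
EOF
cat > "$workdir/server.conf" <<'EOF'
server 10.7.7.0 255.255.255.0
push "redirect-gateway"
dev tun0
proto udp
keepalive 10 120
comp-lzo
dh /etc/openvpn/dh1024.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/caligula.crt
key /etc/openvpn/caligula.key
status /var/log/openvpn-status.log
verb 3
EOF

# The client config with the findings addressed. ta.key is generated once
# on the server (openvpn --genkey --secret ta.key), copied to every client,
# and used with direction 0 on the server and 1 on clients.
cat > "$workdir/client-hardened.conf" <<'EOF'
client
dev tun
proto udp
remote caligula.dinomite.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert vespasian.crt
key vespasian.key
remote-cert-tls server
tls-auth ta.key 1
verb 3
EOF

for f in client.conf client-hardened.conf; do
    echo "== $f: $(finding_count "$workdir/$f" client) finding(s)"
    check_conf "$workdir/$f" client
done
echo "== server.conf: $(finding_count "$workdir/server.conf" server) finding(s)"
check_conf "$workdir/server.conf" server
```

The server side of the same fixes is tls-auth ta.key 0 next to the dh line, user nobody and group nogroup (persist-key and persist-tun are already needed so the daemon can survive restarts after dropping root), and dropping comp-lzo from both ends, since the option has to agree on both sides.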
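Doing the forwarding and NAT step as a script rather than two typed commands makes it repeatable, reviewable and checkable. This is an added example, not the post's own commands and nothing shipped with OpenVPN; it assumes the post's interface and addresses (tun0, eth0, 10.7.7.0/24, UDP 1194) and the Debian locations /etc/sysctl.d and /etc/iptables/rules.v4 for persistence. By default it only prints the rules; it applies them when run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the post: finish the server side of
# push "redirect-gateway" in a repeatable, checkable way.
# Assumed to match the post: tunnel tun0, clients 10.7.7.0/24,
# uplink eth0, OpenVPN on UDP 1194. Override with environment variables.
TUN_IF="${TUN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.7.7.0/24}"
WAN_IF="${WAN_IF:-eth0}"
VPN_PORT="${VPN_PORT:-1194}"

# Print the rules one per line so they can be reviewed before they run.
# Beyond the post's MASQUERADE rule, FORWARD is restricted so that only VPN
# clients are forwarded out of the uplink and only replies to their traffic
# come back in; with ip_forward on and an open FORWARD chain, the box would
# otherwise forward for anyone who can route packets through it.
nat_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
iptables -A FORWARD -i $TUN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $TUN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $TUN_IF -j DROP
iptables -A INPUT -i $WAN_IF -p udp --dport $VPN_PORT -j ACCEPT
EOF
}

# Append a rule only if it is not already present (-C checks, -A appends),
# so the script can be re-run without stacking duplicates.
apply_rule() {
    check=$(printf '%s' "$1" | sed 's/ -A / -C /')
    if ! $check 2>/dev/null; then
        $1
    fi
}

apply_nat() {
    # /proc is not persistent; a sysctl.d snippet survives reboots (assumed path).
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/60-openvpn-forward.conf
    nat_rules | while IFS= read -r rule; do apply_rule "$rule"; done
    # Persist the rules; /etc/iptables/rules.v4 is what the iptables-persistent
    # package restores at boot (assumed path).
    mkdir -p /etc/iptables
    iptables-save > /etc/iptables/rules.v4
}

# Sanity check after applying: forwarding on and the NAT rule really present.
verify_nat() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || return 1
    iptables -t nat -C POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

if [ "${DRY_RUN:-1}" = 1 ]; then
    echo "# dry run: set DRY_RUN=0 and run as root to apply"
    nat_rules
else
    apply_nat && verify_nat && echo "forwarding and NAT in place"
fi
```

The verify step is the part worth keeping even if you type the rules by hand: iptables -C exits non-zero when a rule is missing, so it is a one-line test that the server is actually in the state the client config assumes.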


Internet Birthday

My Internet Birthday recently passed. What is an Internet Birthday, you ask? Why, it's the arbitrary date that I've chosen to give when a website wants to know my birthday. You see, gentle reader, the vast majority of websites that ask for your birthday have no real reason to have it; most of the time it will simply be used for marketing. Whether or not you care about that relatively innocuous usage, the real danger is that a lot of legitimate organizations, such as financial institutions, hospitals, and governments, use your birthday as an identifying piece of information, as though knowing the date verified the identity of the person speaking or filling out a form.

Because of this abuse of a fairly public piece of information for the purpose of security, it is reasonable to want to keep your date of birth somewhat secret, or at least to refrain from giving it to everyone who asks. Unfortunately, many services require you to provide a date of birth when signing up, and some will give you a bonus if you do. So as not to miss out on these services, I simply came up with a date that I use as my birthday when asked on the internet, and I no longer hesitate to provide the information asked for. Why not use a random date every time you sign up? Because sometimes, particularly if you forget your password, a website will ask you to enter your birthday at a later time to verify who you are. By choosing one date and sticking to it, you can always give the "correct" answer.

Choosing an Internet Birthday

To come up with an internet birthday, simply choose a date! Afraid you won't remember? Understandable. Choose something that makes sense to you: the first or last day of the month you were born, the day of the month you were born modulo 12 (plus one) as a new month, or take Cheshire Catalyst's suggestion and use the start or end date of your astrological sign. As for the year, in most cases keeping your actual birth year is the easiest and effective enough for our purpose. If you're really paranoid, then just round to the nearest half-decade.

Internet Family

Cheshire has updated his essay to suggest that an internet "mother's maiden name" is also beneficial, and I agree. I have an entire family based upon characters from a movie that I use for my financial accounts. If you're serious about security, or you just can't remember the surnames of your recent ancestors, then an internet family based upon your favorite (or not so favorite) story is a great route to take.


About this Archive

This page is an archive of recent entries in the internet category.


Powered by Movable Type 5.1