
Securing Your Network with OpenVPN and Raspberry Pi 3


Page 1: Securing Your Network with OpenVPN and Raspberry Pi 3

Mercy College

Securing Your Network with OpenVPN and

Raspberry Pi 3

A Thesis

By

James Pak

Department of Math/Computer Sciences

Submitted in partial fulfillment of the requirements

For the degree of

Master of Science, Cybersecurity

Date

5/3/2018

Accepted by the Cybersecurity Program

____________ ________________________

Date Dean of the Graduate School

Page 2: Securing Your Network with OpenVPN and Raspberry Pi 3

The undersigned have examined the thesis entitled 'Securing Your Network with OpenVPN and Raspberry Pi 3' presented by James Pak, a candidate for the degree of Master of Science, Cybersecurity, and hereby certify that it is worthy of acceptance.

_______________ _______________________________

Date Advisor's name

_______________ _______________________________

Date Committee member name


Table of Contents

ABSTRACT 3
CHAPTER I: INTRODUCTION 4
CHAPTER II: BACKGROUND AND LITERATURE 7
CHAPTER III: METHODOLOGY 13
    Router Configuration 19
    Security Script Implementation 20
CHAPTER IV: RESULTS 21
CHAPTER V: CONCLUSION 22
    Python Code 23


ABSTRACT

The internet is a valuable resource that almost everyone uses every day. In today's society you can gain access to the internet almost anywhere: most shops give their customers internet access for leisure use, and cable providers also offer access over their own networks using their towers. There are many different uses for such a network. For example, a user might need to go online to look up information such as a balance inquiry or to make a payment, and has to use the public internet to complete the task. But how secure are you when you connect to the internet? This is something every user should be thinking about when connecting to a network. There are products that help you secure your internet connection: a VPN service lets users create a secure tunnel to any network they want to connect to. With a VPN, users can send and receive data on a shared or public network as if they were connected to a private network, because the VPN creates an encrypted connection that carries the data. However, these services can be expensive. Many VPN services charge according to how much data the user wants to use on a monthly basis, which becomes costly over time if the service is used constantly. There is a different solution for users: a small, low-power device called the Raspberry Pi can be used to create your own VPN service on your own network. This can replace the VPN service you may be paying for, giving you a secure connection straight to your home network.


CHAPTER I: INTRODUCTION

"Tempted to connect to that elusive 'Free Wifi' hotspot?" asks an article by Lexy Savvides [1]. This one comment can lead to many different thoughts, one of them being "is that network secure?" Many shops offer free internet access so that customers can relax or do some work while they are in the shop, and many people rely on the internet to do their work or other tasks. Public wifi is a convenient way to get online, but it can lead to all sorts of trouble. Many people see the word "Free" and are tempted to try it; a customer may think, why should I use up my data when I can use the shop's internet for free? This temptation is dangerous for many users. The article "Staying safe on public wi-fi" states that it is easy for a hacker to intercept your data by setting up a network called "Free Wi-fi", or some variation that includes the name of a nearby venue. For example, if you walked into Wendy's, there is a sign showing the name and password of Wendy's free wifi. A hacker can set up an access point with the same wifi name and password, and some users would be tempted to connect to it. Once the user connects to the rogue access point, the hacker has access to the user's device, making the connection insecure. Figure 1.1 is an image that many people have seen: when they try to connect to the access point, a portal page is shown with the user agreement. There was not enough security to protect users from a hacker gaining access to the network, and many locations have since changed their methods to require a password to get on the network.


Figure 1.1: Portal page from Wendy’s wi-fi

Public wi-fi is an easy way for a hacker to gain access to a user's device. If a user has left on the option to automatically reconnect to networks they have joined before, such as Wendy's wifi, the user's computer will connect to the look-alike network on its own because of that setting. This is known as a man-in-the-middle attack: the hacker sits in the middle, attempting to collect any information that is sent over the network. Hackers know which types of location they want to attack so that they can collect valuable information. Figure 1.2 is an illustration of a man-in-the-middle attack.


Figure 1.2: Attack on user network.

This is one of the most common types of attack. These attacks occur on a daily basis because users are unaware of them. Public wifi has little to no security because of how users want to use the internet, and this is a big risk that users take when they connect. The evildoer has used one such method to gain access to the network and is able to listen in on what the web surfer is doing. If any financial transaction went through while the evildoer was connected to the network, the hacker would have obtained all the information from that session.


CHAPTER II: BACKGROUND AND LITERATURE

When it comes to securing your network connections, there are multiple ways to secure the connection. One way to avoid falling victim to an attack is for the user to know how to stay safe. First, the user can turn off the settings on the device that share resources over the network; this limits the intruder's avenues of access. Printer and file sharing is a common setting that is left on, because many places use file sharing for easy file transfer and to print from any location.

Figure 2.1: Option to turn on or off the sharing feature within windows.


Figure 2.1 shows the file sharing setting on a Windows 10 machine. It is best practice to always check which settings are set, because a user may change a setting for a specific purpose and forget to revert it to its previous state. It only takes one small mistake for a user to fall victim to a hacker.

Hackers Method of Attack

Most attacks are network based, so hackers look for crowded areas with network access. Most hackers have a great deal of knowledge on how to get onto a network: they know ways of exploiting vulnerabilities and use them to gain access to valuable information. As stated on Norton's website, "Attackers exploits security flaw in router" [3]. There are many security flaws in networks around the world, and one of the most common is the physical devices themselves. Figure 2.2 is a man-in-the-middle attack in which the hacker is able to exploit a flaw within the router. This type of attack is common in small shops. Shops are not able to keep up with the cybersecurity world because they know nothing about it; the shop owner may have hired a technician to install the device, and it may have been a device with a flaw. Most of the time the shop owner does not even know that they are using a flawed device. If a hacker found this device, the hacker would exploit the vulnerability without the shop owner knowing about it, and if no one told the shop owner, the flaw could put many customers using the device at risk.


Figure 2.2: Man-In-The-Middle Attack one method of attack.

Setting Up Security on Access Point

Wi-fi hotspots and public wifi can be secured. Generally the first step is to configure the router with strong encryption for the connection and then set a strong password using a varied combination of characters. Many people use simple words such as their favorite color or names; these kinds of password should never be used, as they can be guessed. A combination of letters, numbers, and symbols is recommended for a strong password. Having a separate guest network with minimal privileges is also recommended, since this blocks the potential threat of a hacker getting into the main network. To secure the connection even further, there are services that can be purchased to create an encrypted network connection. A virtual private network is a service that provides an encrypted tunnel to a network for the user to use safely. With this service, a user can connect to any public wifi and then connect to any network through the VPN service.


Figure 2.3: Illustration of VPN connection with devices connecting to the internet.

VPNs are now becoming more popular as users hear about people becoming victims of attacks by hackers. More companies are developing additional layers of security for their VPN services, and as data becomes more important, VPN services are becoming widely used by almost everyone who deals with sensitive data. A VPN, or virtual private network, service allows a user to connect to a private network over the internet securely and privately. Each VPN service uses a different type of protocol to create its encrypted tunnels. Figure 2.3 is a visual concept of how a VPN tunnel is set up: the devices connect to the router, and the router creates a tunnel to the VPN server. However, there are multiple types of VPN tunnel. The two most widely used are Remote Access VPN and Site-to-Site VPN.

Types of VPN

Remote Access VPN is very common within businesses and organizations. It is used to allow a user to connect to a private network and access its services and resources remotely [4]. This method of security allows users to mask their data for privacy. The service also helps users bypass regional restrictions on internet access and blocked websites, and many users purchase this type of VPN because of that feature. Employees who are constantly traveling are given Remote Access VPN so that they can use any internet service to remote into their workstation, giving them access to its resources.

Site-to-site VPN, or router-to-router VPN, is mostly used by corporations, because corporations tend to have different geographic locations and need to be able to send secure data between them. This VPN works by having the routers connect to each other and create a secure tunnel between them. Offices are constantly requesting or receiving sensitive data, and the sensitive data can be stored at a different site so that other users who need it can access it.

Depending on the VPN service the user is using, there are multiple layers of security the VPN may use. There are currently six types of VPN security protocol:

● Internet Protocol Security (IPSec)
● Layer 2 Tunneling Protocol (L2TP)
● Point-to-Point Tunneling Protocol (PPTP)
● Secure Socket Layer (SSL) and Transport Layer Security (TLS)
● OpenVPN
● Secure Shell (SSH)


Each of these protocols works differently from the others. Each protocol has a different encryption method for the data that is sent over it: one protocol encrypts the data itself so that it can be sent securely over the network, while others encrypt the connection that the data flows through to its destination.

The focus of this project is to create an OpenVPN network using a small device. If configured properly, a user can access their home network or a private network from any public wi-fi. OpenVPN is open source software that anyone can use to create their own VPN, and it gives users the flexibility to implement the different kinds of programs they want to use with their OpenVPN software. Creating your own VPN is more efficient for home users who do not require special features. Purchasing a top quality VPN service does come with a lot of features that users can use, but many VPN users would like to use the service just for secure browsing, and it becomes expensive over time as the users have to keep paying for the service. According to the CNET article "The Best VPN services for 2018", the most liked VPN service costs the user $69.99 annually or $10 per month on a monthly basis [5], and other VPN service providers charge around that price range. Creating your own VPN server would be beneficial in cost and reduce the resources needed.


CHAPTER III: METHODOLOGY

Creating a secure VPN server requires a lot of proper configuration, and there also need to be proper security measures. The main software needed for this project is the OpenVPN software from the OpenVPN website. Along with this main software, the Raspbian operating system on an SD card and a Raspberry Pi 3 will be needed. There are many imaging programs that can be used to write the Raspbian image to the SD card; Etcher by resin.io and Win32 by Microsoft are the most commonly used imaging tools for Raspberry Pi projects. Figure 3.1 is the Etcher imaging tool. There are only a few steps involved in writing an image to a storage device:

● Select an image (example: Raspbian_Jesse.iso)
● Select a storage device (flash drive, SD card, or hard drive)
● Select Flash for the software to flash the device.

Figure 3.1: Etcher imaging tool.


For this project, an SD card was imaged with the Raspbian Stretch image. Once the image was flashed, the SD card was loaded into the SD card slot and the device was booted up. Using an HDMI cable, the Raspberry Pi 3 was plugged into an HDMI display. The image was then updated using the command "apt-get update && apt-get upgrade". This looks for all the correct drivers for the device and may take some time depending on what is being installed.

Figure 3.2: Update of Raspberry pi 3.

Once all the updates are complete, the next step is to install the RSA software for the encryption, which generates the keys for the connection sessions. The command to get the RSA software for OpenVPN is "sudo apt-get install openvpn easy-rsa" (the package names are lowercase). Once that is set up, the next step is to set up the certificate authority.


Certificate Authority Configuration

The Certificate Authority holds the signing key that ensures that only a specified device with a key signed by it is able to connect to your network. To create the CA, a folder needs to be created with the "make-cadir" command and the path to the openvpn folder; this command creates a folder just for the CA files. After that, there is an old openssl.cnf file that needs to be replaced with the latest version. The file is located within the openvpn folder; if it cannot be found, a "grep" command can be used to search for it. This ensures that the configuration is up to date.

After the configuration file is placed, a file called vars, which helps a user create a key, needs to be reconfigured. The "vars" file can be opened with vim or nano, and a few options need to be changed. There are many other editors that can be used, as the user is not limited to these. First, the "export KEY_SIZE=" line needs to be changed. 4096 is recommended as it offers the highest level of encryption, but the default of 2048 can be used. Then the other export variables can be changed to the user's preference. Once the file is configured, the user needs to source the file so that it can be used with openvpn. The command to load the vars file is "source ./vars".

Building Keys

The keys are necessary for any device to be able to connect to the VPN. To create a key, the following command is used: "./build-key-server server". This sets up the server's stored keys, which are checked against the devices connecting to the VPN service. Figure 3.3 is an illustration of building a key. The key needs information that matches the data on the server side so that the server knows who is connecting to the VPN. A password is also required to connect to the server; this is the first factor of authentication.

Figure 3.3: Building key for client.

Note: 1024 bit encryption was used for demonstration purposes.

Then a Diffie-Hellman PEM file needs to be created to secure the connection to the server. The parameter size should be set to 4096 bits for the highest security level. The command for this operation is "openssl dhparam 4096 > /etc/openvpn/dh4096.pem". This writes the parameter file into the openvpn folder for devices to use for a secure connection. Depending on the bit size used, it can take a while to create the .pem file. Even though this is secure, another key, an HMAC key, can be used to give packets sent over the network a signature, so that certain types of attack on the connection can be prevented. To create this key, the following command needs to be run: "openvpn --genkey --secret /etc/openvpn/certs/keys/ta.key". The key is then generated in the keys folder. This is the last step in generating the proper keys.

Next is to configure the server with the correct paths for the certificates and keys. In order to configure the server, the server.conf file needs to be altered to point at the correct file paths. Then certain options need to be enabled so that the gateway and DNS options work correctly. Users and groups also need to be enabled within the configuration file in order for users to be able to access the openvpn. At the end of the configuration file, the following needs to be added at the bottom (the tls-cipher directive is a single line; it is only wrapped here for display):

    #Auth Digest
    auth SHA512
    #Limit Ciphers
    tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

The last two added lines make sure that the server uses the correct packet authentication digest and restrict which TLS cipher suites are allowed. Figure 3.4 is an example of the configuration of the paths for the keys and certificate.
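The steps above (CA and key paths, the dh4096.pem file, the ta.key HMAC key, user/group, and the auth and tls-cipher lines) are the points where a misconfigured server.conf silently weakens the VPN. The following audit script is an added example and is not part of the thesis or of OpenVPN itself: it parses a server.conf and reports which of those directives are missing or weaker than the thesis recommends. The two sample configurations are constructed for illustration; the file paths follow the thesis, while the 10.8.0.0/24 tunnel subnet and the 192.168.1.1 resolver are assumed values.

```python
"""Audit an OpenVPN server.conf for the hardening directives the thesis adds.

Added example, not the thesis's code. Paths follow the thesis; the tunnel
subnet and resolver address in the samples are constructed.
"""
import re

# The tls-cipher allow-list from the thesis, as one colon-separated string.
EXPECTED_TLS_CIPHERS = (
    "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:"
    "TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:"
    "TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"
)

# Constructed: a server.conf before hardening (user/group left commented out).
WEAK_CONF = """\
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/keys/ca.crt
cert /etc/openvpn/certs/keys/server.crt
key /etc/openvpn/certs/keys/server.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
;user nobody
;group nogroup
"""

# Constructed: the same file after the changes described in the thesis.
HARDENED_CONF = """\
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/keys/ca.crt
cert /etc/openvpn/certs/keys/server.crt
key /etc/openvpn/certs/keys/server.key
dh /etc/openvpn/dh4096.pem
tls-auth /etc/openvpn/certs/keys/ta.key 0
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"  # send all client traffic through the tunnel
push "dhcp-option DNS 192.168.1.1"        # constructed: home router as resolver
user nobody
group nogroup
persist-key
persist-tun
#Auth Digest
auth SHA512
#Limit Ciphers
tls-cipher """ + EXPECTED_TLS_CIPHERS + "\n"


def parse_openvpn_conf(text):
    """Map each directive name to the list of argument strings it was given.

    Lines starting with ';' and everything after '#' are comments; inline
    <ca>...</ca> style blocks are skipped.
    """
    directives = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            in_block = not line.startswith("</")
            continue
        if line.startswith("<") and not line.startswith("</"):
            in_block = True
            continue
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 1)
        args = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(parts[0].lower(), []).append(args)
    return directives


def audit_server_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_openvpn_conf(text)
    findings = []
    last = lambda name: conf.get(name, [""])[-1]  # last occurrence wins, as in OpenVPN

    if last("auth").upper() != "SHA512":
        findings.append("auth: packet authentication digest is not SHA512")
    suites = last("tls-cipher")
    if not suites:
        findings.append("tls-cipher: no allow-list, OpenVPN falls back to its default suite list")
    else:
        extra = [s for s in suites.split(":") if s not in EXPECTED_TLS_CIPHERS.split(":")]
        if extra:
            findings.append("tls-cipher: suites outside the allow-list: " + ", ".join(extra))
    if "tls-auth" not in conf:
        findings.append("tls-auth: missing, control-channel packets carry no HMAC signature (ta.key)")
    if "user" not in conf or "group" not in conf:
        findings.append("user/group: daemon keeps root after start-up; set 'user nobody' and 'group nogroup'")
    for name in ("ca", "cert", "key", "dh"):
        if name not in conf:
            findings.append(name + ": no path configured")
    match = re.search(r"dh(\d+)\.pem$", last("dh"))
    if match and int(match.group(1)) < 2048:
        findings.append("dh: parameter file name indicates fewer than 2048 bits")
    return findings
```

Run audit_server_conf on the text of /etc/openvpn/server.conf before starting the service; the weak sample yields five findings and the hardened sample none. The DH check only reads the bit size from the file name, which is how the thesis names the file; a file named differently is not flagged.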


Figure 3.4: Server file configuration.

The final step is to test the server to check that it is online. Running the command "sudo systemctl start openvpn@server" starts the server. Then the command "sudo systemctl status openvpn*.service" will list the openvpn services that are running and show whether the server is active or offline. Figure 3.5 is an example of the server up and running: there is a green indicator showing that it is active. If another color is shown, there could be an issue with the software itself, or the operating system does not recognize that the server is trying to run, and troubleshooting will be required.


Figure 3.5: Green light showing the server and service is up and running.

Router Configuration

With a VPN server, the Raspberry Pi needs to be port forwarded via the main router. Every router's configuration is set up differently; for this project, a Linksys router was used for the VPN service. The first step is to find the default gateway of the router. This can be done by opening a command prompt and typing the command "ipconfig", which will display the network information along with the default gateway IP address used to access the router. Figure 3.6 is an example of looking up the IP address on the Raspberry Pi.

Figure 3.6: The Linux command "ifconfig" is the equivalent of "ipconfig" on Windows.


Next, open a web browser and type in the IP address. This will open the router's web portal. Most routers have an account login, and the user will need to log in to gain access to the router configuration page. Once logged in, search for the port forwarding section. Figure 3.7 shows the user opening the port forwarding section by selecting the Applications and Gaming tab. Then, in the empty row, enter the external and internal port, select TCP, and type in the IP address of the Raspberry Pi.

Figure 3.7: Linksys port forwarding

Security Script Implementation

A security script can help decrease the risk of unwanted intruders. A Python script was created to send a random security code to the user, so that only the user receives a code to enter into the designated prompt. First the script asks the user for a password, then for a 10 digit phone number. An option is then displayed for the user to select the proper carrier for the phone number. Once the user receives the four digit code, the user can enter it at the prompt. Figure 3.6 is an example of the script running for the VPN server.

Figure 3.6: Running python script.

CHAPTER IV: RESULTS

The project did not succeed as planned. OpenVPN takes a lot of effort to set up for an average user, and it is not consistent. When configuring the VPN server, all the configuration needs to be set to the specified location and IP address. Afterwards, when creating the server key, the user needs to make sure that all the configuration is exactly the same as on the server, since the key on the device is checked against the server key to see if it is an exact match.

The Python script implementation did not go as planned. The goal was to change one of the key files to run the script, asking the user for a 4 digit code along with the password to gain access to the VPN, but this did not work. When the configuration files were changed to include the script, OpenVPN shut down, and the configuration files were rejected when the device tried to connect to the VPN server. As far as this project is concerned, it was not successful.

CHAPTER V: CONCLUSION

Wi-fi can be found at almost every location. Many wi-fi connections are not secured, and the security offered by the access point is not enough for a user to use the web securely. VPN services provide security for users when connecting to different networks. These services encrypt the connection or the data being sent over any network, and they are almost impossible to decrypt. If someone were to listen in on the connection, all they would get is encrypted data, and it would require a vast amount of time for that person to decrypt it.

VPN services are reliable, but they are costly. Free VPN services are not as safe, because very little maintenance is done on them and they provide very little service. It would be more efficient to have a personal VPN server at home so that the user can connect to their own network over any public wi-fi. Having a personal VPN means that it needs more security, and applying a personal security measure can be effective.


The script for this project was able to generate a random four digit code for the user to enter and allow them access to the server. This security measure adds another authentication factor to the VPN service. Adding more security to a service is always the best practice.

Python Code

import smtplib
import getpass
import random

# Gmail account used to send the code. The address was redacted in the
# published copy of the thesis, so a placeholder is kept here.
uname = '[email protected]'
pword = getpass.getpass('Password: ')
receiver = raw_input("Phone#: ")
print("1.Verizon")
print("2.T-mobile")
opt = raw_input("Enter option: ")
if opt == '1':
    receiver = receiver + "@vtext.com"      # Verizon e-mail-to-SMS gateway
elif opt == '2':
    receiver = receiver + "@tmomail.net"    # T-Mobile e-mail-to-SMS gateway
else:
    print("Invalid")
    raise SystemExit(1)                     # do not mail a bare phone number
print(receiver)
# randrange excludes its upper bound, so 1000-9999 covers every four digit code
newcode = str(random.randrange(1000, 10000))
server = smtplib.SMTP("smtp.gmail.com", 587)  # ports 25, 465, 587 are SMTP ports
server.starttls()
server.login(uname, pword)
server.sendmail(uname, receiver, newcode)
server.quit()
print("waiting...")
pcode = raw_input("Enter code received: ")
if pcode == newcode:
    print("Granted Access")
else:
    print("Permission Denied.")
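The script above and the description in the Security Script Implementation section accept a code for as long as the process runs, allow unlimited guesses, keep the code in plaintext, and draw it from random, which is not a cryptographic generator. The following rewrite is an added example, not the thesis's script: it keeps the carrier gateway idea but issues the code with the secrets module, stores only a salted hash, expires it after five minutes, allows three guesses, compares in constant time, and makes delivery a pluggable callable so the flow can be exercised without an SMTP server. The SMTP host and port are those used by the original script; the TTL and guess limit are assumed values.

```python
"""Hardened version of the thesis's one-time-code check (added example).

Delivery is injected, so the flow runs offline; smtp_transport() reproduces
the original STARTTLS delivery for real use. TTL and attempt limit are assumed.
"""
import hashlib
import hmac
import secrets
import smtplib

# E-mail-to-SMS gateways used by the thesis script.
CARRIER_GATEWAYS = {"1": "vtext.com", "2": "tmomail.net"}


def carrier_address(phone, option):
    """Build the gateway address, rejecting bad input instead of mailing it."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    if len(digits) != 10:
        raise ValueError("phone number must contain exactly 10 digits")
    if option not in CARRIER_GATEWAYS:
        raise ValueError("unknown carrier option")
    return digits + "@" + CARRIER_GATEWAYS[option]


class OneTimeCode:
    """A single-use four digit code with a lifetime and a guess limit."""
    TTL_SECONDS = 300   # assumed lifetime of a code
    MAX_ATTEMPTS = 3    # assumed guess budget per code

    def __init__(self):
        self._invalidate()

    def _invalidate(self):
        self._salt = self._digest = self._issued_at = None
        self._attempts = 0

    def issue(self, now):
        """Create a fresh code and return it for delivery; only its hash is kept."""
        code = "%04d" % secrets.randbelow(10000)  # 0000-9999, uniform, CSPRNG
        self._salt = secrets.token_bytes(16)
        self._digest = hashlib.sha256(self._salt + code.encode()).digest()
        self._issued_at = now
        self._attempts = 0
        return code

    def verify(self, candidate, now):
        """Return True once for the right code inside the window, else False."""
        if self._digest is None:
            return False
        if now - self._issued_at > self.TTL_SECONDS:
            self._invalidate()          # expired: burn it, do not check it
            return False
        self._attempts += 1
        if self._attempts > self.MAX_ATTEMPTS:
            self._invalidate()          # guess budget exhausted
            return False
        guess = hashlib.sha256(self._salt + str(candidate).encode()).digest()
        if hmac.compare_digest(guess, self._digest):
            self._invalidate()          # single use
            return True
        return False


def smtp_transport(username, password, host="smtp.gmail.com", port=587):
    """Return a sender that delivers the code over STARTTLS like the original script."""
    def send(to_addr, code):
        with smtplib.SMTP(host, port) as server:
            server.starttls()
            server.login(username, password)
            server.sendmail(username, to_addr, code)
    return send


def run_challenge(phone, option, transport, ask, now):
    """Deliver a code via transport(addr, code) and check the answer from ask()."""
    otc = OneTimeCode()
    transport(carrier_address(phone, option), otc.issue(now()))
    return otc.verify(ask(), now())
```

For a four digit code the salted hash is only defence in depth; what actually stops an intruder is the three-guess budget and the five minute window, since 10,000 possibilities fall in minutes without them. Call run_challenge with smtp_transport(uname, pword), input as ask and time.time as now to reproduce the interactive flow of the original script.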


Works Cited:

[1] Savvides, L. (2015, June 03). Staying safe on public Wi-Fi. Retrieved from https://www.cnet.com/how-to/tips-to-stay-safe-on-public-wi-fi/

[2] Judge, K. (2017, August 07). Comodo EV SSL provides protection against Man in the Middle Attacks. Retrieved from https://blog.comodo.com/e-commerce/stay-away-from-the-man-in-the-middle/

[3] Wi-Fi. (n.d.). Retrieved from https://us.norton.com/internetsecurity-wifi-why-hackers-love-public-wifi.html

[4] Types of VPN and types of VPN Protocols. (n.d.). Retrieved from https://www.vpnoneclick.com/types-of-vpn-and-types-of-vpn-protocols/

[5] Gewirtz, D. (2017, July 11). The Best VPN Services for 2018. CNET. Retrieved from www.cnet.com/best-vpn-services-directory/

[6] Turn A Raspberry Pi Into A VPN To Access Your Network From Anywhere. (2018, March 31). PCMech. Retrieved from www.pcmech.com/article/raspberry-pi-vpn-access-network/

[7] Crawford, D. (2018, April 20). VPN Encryption: The Complete Guide. BestVPN.com. Retrieved from https://www.bestvpn.com/vpn-encryption-the-complete-guide/

[8] Turn A Raspberry Pi Into A VPN To Access Your Network From Anywhere. (2018, March 31). PCMech. Retrieved from www.pcmech.com/article/raspberry-pi-vpn-access-network/

[9] 20.12. smtplib - SMTP Protocol Client. Python 2.7.15 Documentation. Retrieved from docs.python.org/2/library/smtplib.html