Small Network DiagramLast article I went over basic Home Network Security– let’s move on to something a bit more advanced- here’s how to set up an always on Home Virtual Private Network (VPN). What does a VPN do, and why do I need it? Simply put, a VPN creates a tunnel between two endpoints. The endpoints can be clients, such as your PC or even your smart phone. They can also be routers and servers. This tunnel creates a secure VPN connection that prevents interception of plain text and exploitation of the traffic. Also, to the outside world, you connection appears to be sourced at the VPN server, rather than your laptop. This allows you to do things like watch American shows on Hulu from outside the US- or access websites blocked by your normal internet access.

For example, let’s say you were in an coffee shop, or an airport with your laptop, and you connect to the free wireless hotspot. Many business travelers do this on a regular basis. Without a VPN, an unscrupulous person could intercept your email and passwords, provided you’re using the standard POP3/SMTP protocol (If you’re logging into webmail and using SSL/TLS (look for the lock in your browser) you’re fine). Recently there was a great deal of talk in the security community about Firesheep, a Firefox addon that allows a hacker to not only see your social networking credentials (ie Facebook, Twitter, etc.), but to also take over your profile. Anyway, if you’re using any wireless you didn’t set up yourself, consider it insecure. By installing using a VPN client, you create a tunnel between your laptop and the VPN server, and the communication is encrypted. Even if your traffic is intercepted, it cannot be read. Your passwords- your Facebook, remains your information. Corporate travelers usually have a company VPN. For folks who don’t, I recommend StrongVPN. They have a variety of plans, and VPN servers located all over the world, and I used them for this setup.

Strong VPN provides VPN From a Variety of Locations

Pick a Plan

Right now, check your IP address on the front page of StrongVPN. It’s in the top right corner. Or you can just click What is my ip? Write that down, we’ll call it your ISP IP. (This is how we can tell when we’re using the VPN or not- this number will change when we connect.) When you first look over the site, they have quite a few options. Don’t worry, it’s not nearly as complex as it looks. If you look at their packages you can see they range from $7 a month (two servers), all the way up to $30 a month for all their servers (133 in 14 countries as of this writing). Usually they have an annual special- which breaks down to $5 a month or so, depending on what you select. For our purpose, the 4 country PPTP plan will do, although I recommend the OpenVPN version.

PPTP versus OpenVPN

PPTP (Point to Point Tunneling Protocol) is a much older protocol, that allows up to 128bit encryption. Because it has been around for so long, it pretty much runs on a variety of clients (like mobile phones), and is easy to set up. In fact, you don’t need any special software to run PPTP- if you check out the setup instructions you can see you’re basically just adding a network connection. This is the fastest and easiest option. However PPTP is vulnerable to a number of attacks- you can read more on that at SANS. It’s certainly better than no protection at all, but OpenVPN is better still. OpenVPN allows encryption from 128 bits all the way to 2048 bits. It uses SSL/TLS encryption (you may have seen it referred to as an SSL VPN), and public key infrastructure, and it is more secure. Of course OpenVPN is a bit more expensive, so the choice is up to you.

Connect With Your Computer First

One time I had a speaker cutting out in and out in my car. Being a hands on engineer, I of course disassembled the stereo, and measured the output with a meter. There wasn’t a problem. Somewhat puzzled I put it back together- and as I was putting the toolbox back behind the seat, I noticed the speaker wire was loose. This taught me a lesson that’s as valuable in networking as it is in electronics. Start with the simplest item and work forward- not the most complex. Before we touch the router to set up that virtual private network, make sure you can connect with your computer. If you happen to have a laptop this is particularly useful, as you’ll have the configuration already in place for your next trip. Once you’ve signed up with StrongVPN, you’ll get a welcome email. If you picked the PPTP plan, you’re going to get your server username/login, if you’ve signed up for an Open plan you’ll also receive a zip file with the software. Normally I’d detail the steps with screenshots, but StrongVPN has step by step instructions with screenshots on their setup page. In addition, they also have live 24/7 support directly off the web page, via a custom instant messaging interface. It’s hard to go wrong, but if you do, help is literally a click away. Once your VPN connection is up and working, go to StrongVPN and write down your VPN IP address- that’s in the top right corner.

Testing Connection Speed

Okay, once you have the VPN connection working, it’s worth your time to do a speed test. Click the “Start Test” button and try a few of the servers in your plan. You want the closest one possible. They also have some speed suggestions to keep in mind. Now’s a good time to mention that encryption comes with a price- speed. When you use your router as your VPN client, it’s going to be even slower. If you don’t have an acceptable speed with the client VPN, try a different server. To change servers, login to the customer area at StrongVPN, click the ‘VPN Accounts Summary’ link in the lefthand column. Next click ‘change server’ and then pick the new server. You’ll get another email, but if you want the VPN connection information immediately you can go back the ‘VPN Accounts Summary’ and click ‘View Greeting’. You may consider not implementing the VPN (they have a 7 day no questions refund policy) if you’ve spoken with support and tried several servers. As a frame of reference, my VPN speed encrypted from the client PC is about 70% of the unencrypted speed. Using the router, it’s about 45%. That’s not insignificant, but in my case it is acceptable (having a fast connection to begin helps quite a bit.) Be sure to check your speed unencrypted, encrypted from your PC, and encrypted using the router.

Flashing Your Router with DD-WRT

DD-WRT is a free Linux based operating system that runs on a variety of small home office routers. What you do is replace the firmware in your manufacturer’s router (this most likely voids your warranty, but you can flash the original firmware back), which enables quite a bit of diverse functionality. You can see graphs of your network usage- adjust your wireless power settings, and of course connect to a VPN gateway, all without having to invest in additional VPN hardware. However, getting there can be tricky, so a warning is in order. If you fail to follow the instructions exactly- you may “brick your router”- which is as bad as it sounds. You basically have an expensive paperweight. Now I’ve flashed probably a dozen or so routers with DD-WRT and never had a problem, but proceed at your own risk- here’s what you need to do:

  1. Locate your router in the database, and READ the entire entry. If you’re not sure what you have, you can usually find the exact model on the bottom of the router. Might as well check it now, you’re going to be handling it a bit during the flash. For this project I’ve got a Cisco/Linksys WRT-310N. I had it on hand, and it has the horsepower to do an adequate job as a VPN router. If you’re buying a new router, you should consider the Cisco WRT 320, or the ASUS RT-N16. I’m basing that on CPU speed, a faster CPU will perform better under the load of a VPN. By way of comparison, the 310N I used is running at 300Mhz with 32M RAM. The 320N runs at 354Mhz with 32M, and the Asus runs at 480Mhz with 128M of RAM. Note: if you have a Linksys W54, your CPU speed varies by model. If you’re on the slow side, it’s worth a shot, but you may not be happy with performance. Here’s my entry from the 310N. Notice there’s a link for additional instructions.
    Linksys WRT-310N Entry in the Router Database
  2. Read and Save the Instructions- If you click File>Save on your browser you’ll notice you can save and entire web page to your computer. Go ahead and do that- there’s nothing worse than having no internet connection and not being able to connect to get instructions on how to proceed. Notice that my router has a recovery instructions link- if yours does as well, go ahead and save that page too (just in case.)
  3. Save any ISP specific settings, or customizations you made to the configuration of your router. At the very least print them out.
  4. Download the appropriate VPN build of DD-WRT. StrongVPN doesn’t specify, but you need VPN for the OpenVPN to work.
  5. Read the entire flash procedure for your router, and follow it exactly. Here’s a great article about the entire generic installation. The 30-30-30 Hard reset is a pain to complete- but it can be the difference between success and failure- just complete it as directed. Go ahead and Flash the router with DD-WRT.
  6. If things didn’t go as planned, plug your internet connection directly into your computer bypassing the router (you do have your firewall up, right?). Go to recovering from a bad flash.
  7. If everything went fine, you need to change your username and password, which DD-WRT prompts you to do (default user/pass is: root/admin). Now is a great time to go through each page of the admin and set up your wireless network security.
  8. Go to the administration page, backup subtab, and at the bottom and click “backup”. This stores your settings, so you can come back to the configuration if you need to.

Set Up Always On Home Virtual Private Network (VPN)

linksys-310n-router Okay, now the moment of truth and set up a VPN. Actually it’s probably anti-climatic after all that preparation- here’s the configuration for your VPN tunnel, first PPTP and then OpenVPN. After you configure your version jump to the Verifying Your VPN section.

Configure PPTP VPN Client with DD-WRT

  1. Log in to your DD-WRT router from the web interface.
  2. Open the Service>VPN subtab
  3. Select PPTP Client Options Enable
  4. For Server IP enter the IP address of your VPN server from your welcome email. If you haven’t received that, login to the customer area at StrongVPN, click the ‘VPN Accounts Summary’ link in the lefthand column. Next click ‘View Greeting’, and you can copy the information from there. If the IP address of the server isn’t listed, you can open a command prompt (start>programs>accessories>command prompt), and type (everything after the green bar):
    ping vpn-sf1.reliablehosting.com

    replacing that first part with your server name.

  5. For Remote Subnet enter your VPN IP address, the one you got from the StrongVPN homepage WHILE connected via VPN from your computer.
  6. Remote Subnet Mask is 255.255.255.0
  7. For MPPE Encryption enter (everything after the green bar):
    mppe required,stateless
  8. Leave MTU, MRU and NAT at their default values
  9. Username and password are the values from the greeting email.
  10. Click Apply Settings.
  11. Under the Setup>Basic Setup subtab, Network Address Server Settings (DHCP)
    Set DNS 1 to (everything after the green bar):

    216.131.94.5

    Set DNS 2 to(everything after the green bar):

    216.131.95.20

    If you leave the last two addresses blank, your router MAY sometimes use your ISP DNS- which means your queries would be in their logs. If it is important that this not happen, you can load Google DNS servers as the last two entries.

    Set DNS 3 to(everything after the green bar):

    8.8.8.8

    Set DNS 4 to(everything after the green bar):

    8.8.4.4
  12. Click Save
  13. Open the Administration>Command subtab, and paste the following code (after the green bar) in the window:
  14. echo "sleep 40" > /tmp/firewall_script.sh ; echo "gw=\`ip route ls to 0/0|cut -d ' ' -f3\`" >> /tmp/firewall_script.sh ; echo "vpnsrv=\$(nvram get pptpd_client_srvip)" >> /tmp/firewall_script.sh ;echo "dynvpnip=\$(ifconfig ppp0 | grep 'inet addr' | grep -v '127.0.0.1'| awk '{print $2}' | cut -d: -f2)" >> /tmp/firewall_script.sh ; echo "vpnip=\$(nvram get pptpd_client_srvsub)" >> /tmp/firewall_script.sh ; echo "route add -host \$vpnsrv gw \$gw" >> /tmp/firewall_script.sh ; echo "route del default" >> /tmp/firewall_script.sh ; echo "route add default dev ppp0" >> /tmp/firewall_script.sh ; echo "iptables -t nat -I POSTROUTING -o ppp0 -j SNAT --to-source \$dynvpnip" >> /tmp/firewall_script.sh ; echo "for i in \`echo \$(nvram get forward_spec)|sed 's=\ =\n=g'|grep on|grep tcp\` ; do" >> /tmp/firewall_script.sh ; echo "iptables -t nat -A PREROUTING -p tcp -i ppp0 -d \$dynvpnip --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j DNAT --to \`echo \$i|cut -d \> -f 2\`" >> /tmp/firewall_script.sh ; echo "iptables -A FORWARD -p tcp -i ppp0 -d \`echo \$i|cut -d \> -f 2|cut -d : -f 1\` --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j ACCEPT" >> /tmp/firewall_script.sh ; echo "done" >> /tmp/firewall_script.sh ; echo "for i in \`echo \$(nvram get forward_spec)|sed 's=\ =\n=g'|grep on|grep udp\` ; do" >> /tmp/firewall_script.sh ; echo "iptables -t nat -A PREROUTING -p udp -i ppp0 -d \$dynvpnip --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j DNAT --to \`echo \$i|cut -d \> -f 2\`" >> /tmp/firewall_script.sh ; echo "iptables -A FORWARD -p udp -i ppp0 -d \`echo \$i|cut -d \> -f 2|cut -d : -f 1\` --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j ACCEPT" >> /tmp/firewall_script.sh ; echo "done" >> /tmp/firewall_script.sh ; echo "for i in \`echo \$(nvram get forward_spec)|sed 's=\ =\n=g'|grep on|grep both\` ; do" >> /tmp/firewall_script.sh ; echo "iptables -t nat -A PREROUTING -p tcp -i ppp0 -d \$dynvpnip --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j DNAT --to \`echo \$i|cut -d \> -f 2\`" >> /tmp/firewall_script.sh ; echo "iptables -A FORWARD -p tcp -i ppp0 -d \`echo \$i|cut -d \> -f 2|cut -d : -f 1\` --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j ACCEPT" >> /tmp/firewall_script.sh ; echo "iptables -t nat -A PREROUTING -p udp -i ppp0 -d \$dynvpnip --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j DNAT --to \`echo \$i|cut -d \> -f 2\`" >> /tmp/firewall_script.sh ; echo "iptables -A FORWARD -p udp -i ppp0 -d \`echo \$i|cut -d \> -f 2|cut -d : -f 1\` --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j ACCEPT" >> /tmp/firewall_script.sh ; echo "done" >> /tmp/firewall_script.sh ; sh /tmp/firewall_script.sh &
  15. Click Save Firewall
  16. This bit of code comes from the dynamic IP forum thread, which was helpful in getting the router online. Will at Sabai Technology wrote the code, and also sells pre-configured routers. The original forum post is here- notice I specifically left the SPI firewall on. Dropping it leaves your network exposed. If you need to drop it to get the configuration working, do so briefly (with your computer software firewall on)- but DO NOT leave it off.

  17. Now login to the router via the web interface, go to the Administration>Management subtab, and click ‘Reboot Router’. The router will reboot, and after about 5 minutes the VPN connection should come up.

Configure OpenVPN Client with DD-WRT

  1. Enable the Secure Shell daemon (SSHd) on the Services>Services subtab. Leave it at the default port of 22. Click ‘Save’
  2. Enable SSH Remote Management, again on port 22 on the Administration>Management subtab.
  3. Extract ovpnNNN_ddwrt.sh (where NNN is your server) from the zip file they sent you with sign up. Didn’t get it? Login to the customer area, click the ‘VPN Accounts Summary’ link in the lefthand column. Next click ‘View Greeting’, and then there’s a link to download the configuration zip. You use it to install the client software, and the .sh file contains all the security information your router needs to connect.
  4. Connect to your router to do a secure copy (SCP). There is one gotcha here- your username is “root”- REGARDLESS of your web interface username. The password is the same as the web interface. Once you have a connection, copy ovpnNNN_ddwrt.sh to the /tmp directory. Hang in there, we’re almost done.
  5. Now we’re going to run the script. To do that, connect with SSH, and enter the following command (everything after the green bar):
    sh /tmp/ovpnNNN_ddwrt.sh
  6. Now login to the router via the web interface, go to the Administration>Management subtab, and click ‘Reboot Router’. The router will reboot, and after about 5 minutes the VPN connection should come up. Here’s the complete forum thread on how to accomplish that on StrongVPN if you need additional details. I changed a couple of minor details (left off logging, reboot from the web interface because the ssh command sometimes fails, etc.) If it’s not working work through their method, and then open a ticket- they’re VERY good about responding quickly.

Verifying the Virtual Private Network is Working

There’s a couple of ways you can check this. You can go the the StrongVPN homepage and check your IP- or you can visit What is my ip? and make sure you have a different IP address than your previous ISP address. There’s also a Firefox addon called Show My IP that shows your externally visible IP at all times in the bottom right of the browser. Finally, I usually run a quick scan at GRC Shields Up, just to make sure I don’t have any errant ports open.

Got it all working? Log in to the DD-WRT web interface, go to the administration page, backup subtab, and at the bottom and click “backup”. This stores your settings, so you can come back to the configuration if you need to. Congratulations, on setting up a permanent virtual private network. Now every machine on you home network has an encrypted connection to the Internet.

{ 4 comments }