Category: Network

Set Up Always On Home Virtual Private Network (VPN) Using DD-WRT and a Linksys Router

Small Network Diagram

In the last article I went over basic Home Network Security; let's move on to something a bit more advanced: here's how to set up an always-on Home Virtual Private Network (VPN). What does a VPN do, and why do I need it? Simply put, a VPN creates a tunnel between two endpoints. The endpoints can be clients, such as your PC or even your smart phone. They can also be routers and servers. This tunnel creates a secure VPN connection that prevents interception of plain text and exploitation of the traffic. Also, to the outside world, your connection appears to be sourced at the VPN server rather than your laptop. This allows you to do things like watch American shows on Hulu from outside the US, or access websites blocked by your normal internet access.

For example, let's say you were in a coffee shop or an airport with your laptop, and you connect to the free wireless hotspot. Many business travelers do this on a regular basis. Without a VPN, an unscrupulous person could intercept your email and passwords, provided you're using the standard POP3/SMTP protocols (if you're logging into webmail and using SSL/TLS (look for the lock in your browser) you're fine). Recently there was a great deal of talk in the security community about Firesheep, a Firefox addon that allows a hacker to not only see your social networking credentials (i.e. Facebook, Twitter, etc.), but to also take over your profile. Anyway, if you're using any wireless you didn't set up yourself, consider it insecure. By using a VPN client, you create a tunnel between your laptop and the VPN server, and the communication is encrypted. Even if your traffic is intercepted, it cannot be read. Your passwords and your Facebook account remain your information. Corporate travelers usually have a company VPN. For folks who don't, I recommend StrongVPN. They have a variety of plans and VPN servers located all over the world, and I used them for this setup.

Strong VPN provides VPN From a Variety of Locations

Pick a Plan

Right now, check your IP address on the front page of StrongVPN. It's in the top right corner. Or you can just click What is my ip? Write that down; we'll call it your ISP IP. (This is how we can tell whether we're using the VPN or not: this number will change when we connect.) When you first look over the site, they have quite a few options. Don't worry, it's not nearly as complex as it looks. If you look at their packages you can see they range from $7 a month (two servers) all the way up to $30 a month for all their servers (133 in 14 countries as of this writing). Usually they have an annual special, which breaks down to $5 a month or so, depending on what you select. For our purpose, the 4 country PPTP plan will do, although I recommend the OpenVPN version.

PPTP versus OpenVPN

PPTP (Point to Point Tunneling Protocol) is a much older protocol that allows up to 128-bit encryption. Because it has been around for so long, it pretty much runs on a variety of clients (like mobile phones), and is easy to set up. In fact, you don't need any special software to run PPTP; if you check out the setup instructions you can see you're basically just adding a network connection. This is the fastest and easiest option. However, PPTP is vulnerable to a number of attacks; you can read more on that at SANS. It's certainly better than no protection at all, but OpenVPN is better still. OpenVPN allows encryption from 128 bits all the way to 2048 bits. It uses SSL/TLS encryption (you may have seen it referred to as an SSL VPN) and public key infrastructure, and it is more secure. Of course, OpenVPN is a bit more expensive, so the choice is up to you.

Connect With Your Computer First

One time I had a speaker cutting in and out in my car. Being a hands-on engineer, I of course disassembled the stereo and measured the output with a meter. There wasn't a problem. Somewhat puzzled, I put it back together, and as I was putting the toolbox back behind the seat, I noticed the speaker wire was loose. This taught me a lesson that's as valuable in networking as it is in electronics: start with the simplest item and work forward, not the most complex. Before we touch the router to set up that virtual private network, make sure you can connect with your computer. If you happen to have a laptop this is particularly useful, as you'll have the configuration already in place for your next trip. Once you've signed up with StrongVPN, you'll get a welcome email. If you picked the PPTP plan, you're going to get your server username/login; if you've signed up for an OpenVPN plan you'll also receive a zip file with the software. Normally I'd detail the steps with screenshots, but StrongVPN has step by step instructions with screenshots on their setup page. In addition, they also have live 24/7 support directly off the web page, via a custom instant messaging interface. It's hard to go wrong, but if you do, help is literally a click away. Once your VPN connection is up and working, go to StrongVPN and write down your VPN IP address; that's in the top right corner.

Testing Connection Speed

Okay, once you have the VPN connection working, it's worth your time to do a speed test. Click the "Start Test" button and try a few of the servers in your plan. You want the closest one possible. They also have some speed suggestions to keep in mind. Now's a good time to mention that encryption comes with a price: speed. When you use your router as your VPN client, it's going to be even slower. If you don't have an acceptable speed with the client VPN, try a different server. To change servers, login to the customer area at StrongVPN and click the 'VPN Accounts Summary' link in the lefthand column. Next click 'change server' and then pick the new server. You'll get another email, but if you want the VPN connection information immediately you can go back to the 'VPN Accounts Summary' and click 'View Greeting'. You may consider not implementing the VPN (they have a 7 day no questions refund policy) if you've spoken with support and tried several servers. As a frame of reference, my VPN speed encrypted from the client PC is about 70% of the unencrypted speed. Using the router, it's about 45%. That's not insignificant, but in my case it is acceptable (having a fast connection to begin with helps quite a bit). Be sure to check your speed unencrypted, encrypted from your PC, and encrypted using the router.

Flashing Your Router with DD-WRT

DD-WRT is a free Linux-based operating system that runs on a variety of small home office routers. What you do is replace the firmware in your manufacturer's router (this most likely voids your warranty, but you can flash the original firmware back), which enables quite a bit of diverse functionality. You can see graphs of your network usage, adjust your wireless power settings, and of course connect to a VPN gateway, all without having to invest in additional VPN hardware. However, getting there can be tricky, so a warning is in order. If you fail to follow the instructions exactly, you may "brick your router", which is as bad as it sounds. You basically have an expensive paperweight. Now I've flashed probably a dozen or so routers with DD-WRT and never had a problem, but proceed at your own risk. Here's what you need to do:

  1. Locate your router in the database, and READ the entire entry. If you're not sure what you have, you can usually find the exact model on the bottom of the router. Might as well check it now; you're going to be handling it a bit during the flash. For this project I've got a Cisco/Linksys WRT-310N. I had it on hand, and it has the horsepower to do an adequate job as a VPN router. If you're buying a new router, you should consider the Cisco WRT 320 or the ASUS RT-N16. I'm basing that on CPU speed: a faster CPU will perform better under the load of a VPN. By way of comparison, the 310N I used is running at 300 MHz with 32 MB RAM. The 320N runs at 354 MHz with 32 MB, and the Asus runs at 480 MHz with 128 MB of RAM. Note: if you have a Linksys WRT54, your CPU speed varies by model. If you're on the slow side, it's worth a shot, but you may not be happy with performance. Here's my entry for the 310N. Notice there's a link for additional instructions.
    Linksys WRT-310N Entry in the Router Database
  2. Read and Save the Instructions. If you click File>Save in your browser you'll notice you can save an entire web page to your computer. Go ahead and do that; there's nothing worse than having no internet connection and not being able to connect to get instructions on how to proceed. Notice that my router has a recovery instructions link; if yours does as well, go ahead and save that page too (just in case).
  3. Save any ISP specific settings, or customizations you made to the configuration of your router. At the very least print them out.
  4. Download the appropriate VPN build of DD-WRT. StrongVPN doesn't specify, but you need the VPN build for OpenVPN to work.
  5. Read the entire flash procedure for your router, and follow it exactly. Here's a great article about the entire generic installation. The 30-30-30 hard reset is a pain to complete, but it can be the difference between success and failure; just complete it as directed. Go ahead and flash the router with DD-WRT.
  6. If things didn’t go as planned, plug your internet connection directly into your computer bypassing the router (you do have your firewall up, right?). Go to recovering from a bad flash.
  7. If everything went fine, you need to change your username and password, which DD-WRT prompts you to do (default user/pass is: root/admin). Now is a great time to go through each page of the admin and set up your wireless network security.
  8. Go to the administration page, backup subtab, and at the bottom click "backup". This stores your settings, so you can come back to the configuration if you need to.

Set Up Always On Home Virtual Private Network (VPN)

Okay, now the moment of truth: set up the VPN. Actually it's probably anticlimactic after all that preparation. Here's the configuration for your VPN tunnel, first PPTP and then OpenVPN. After you configure your version, jump to the Verifying Your VPN section.

Configure PPTP VPN Client with DD-WRT

  1. Log in to your DD-WRT router from the web interface.
  2. Open the Service>VPN subtab
  3. Under PPTP Client Options, select Enable
  4. For Server IP enter the IP address of your VPN server from your welcome email. If you haven't received that, login to the customer area at StrongVPN and click the 'VPN Accounts Summary' link in the lefthand column. Next click 'View Greeting', and you can copy the information from there. If the IP address of the server isn't listed, you can open a command prompt (start>programs>accessories>command prompt) and type the following, replacing the host name with your server name:
    ping vpn-sf1.reliablehosting.com

  5. For Remote Subnet enter your VPN IP address, the one you got from the StrongVPN homepage WHILE connected via VPN from your computer.
  6. Remote Subnet Mask is 255.255.255.0
  7. For MPPE Encryption enter:
    mppe required,stateless
  8. Leave MTU, MRU and NAT at their default values
  9. Username and password are the values from the greeting email.
  10. Click Apply Settings.
  11. Under the Setup>Basic Setup subtab, Network Address Server Settings (DHCP), set the DNS servers as follows.

    Set DNS 1 to:

    216.131.94.5

    Set DNS 2 to:

    216.131.95.20

    If you leave the last two addresses blank, your router MAY sometimes use your ISP DNS, which means your queries would be in their logs. If it is important that this not happen, you can load Google DNS servers as the last two entries.

    Set DNS 3 to:

    8.8.8.8

    Set DNS 4 to:

    8.8.4.4
  12. Click Save
  13. Open the Administration>Command subtab, and paste the following code in the window. It writes /tmp/firewall_script.sh, which waits 40 seconds for the tunnel, keeps a host route to the VPN server via your ISP gateway, moves the default route onto ppp0, source-NATs outbound traffic to the VPN address, and re-creates each enabled port forward from the router's forward_spec on ppp0:
    echo "sleep 40" > /tmp/firewall_script.sh ; echo "gw=\`ip route ls to 0/0|cut -d ' ' -f3\`" >> /tmp/firewall_script.sh ; echo "vpnsrv=\$(nvram get pptpd_client_srvip)" >> /tmp/firewall_script.sh ; echo "dynvpnip=\$(ifconfig ppp0 | grep 'inet addr' | grep -v '127.0.0.1'| awk '{print \$2}' | cut -d: -f2)" >> /tmp/firewall_script.sh ; echo "vpnip=\$(nvram get pptpd_client_srvsub)" >> /tmp/firewall_script.sh ; echo "route add -host \$vpnsrv gw \$gw" >> /tmp/firewall_script.sh ; echo "route del default" >> /tmp/firewall_script.sh ; echo "route add default dev ppp0" >> /tmp/firewall_script.sh ; echo "iptables -t nat -I POSTROUTING -o ppp0 -j SNAT --to-source \$dynvpnip" >> /tmp/firewall_script.sh ; echo "for i in \`echo \$(nvram get forward_spec)|sed 's=\ =\n=g'|grep on|grep tcp\` ; do" >> /tmp/firewall_script.sh ; echo "iptables -t nat -A PREROUTING -p tcp -i ppp0 -d \$dynvpnip --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j DNAT --to \`echo \$i|cut -d \> -f 2\`" >> /tmp/firewall_script.sh ; echo "iptables -A FORWARD -p tcp -i ppp0 -d \`echo \$i|cut -d \> -f 2|cut -d : -f 1\` --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j ACCEPT" >> /tmp/firewall_script.sh ; echo "done" >> /tmp/firewall_script.sh ; echo "for i in \`echo \$(nvram get forward_spec)|sed 's=\ =\n=g'|grep on|grep udp\` ; do" >> /tmp/firewall_script.sh ; echo "iptables -t nat -A PREROUTING -p udp -i ppp0 -d \$dynvpnip --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j DNAT --to \`echo \$i|cut -d \> -f 2\`" >> /tmp/firewall_script.sh ; echo "iptables -A FORWARD -p udp -i ppp0 -d \`echo \$i|cut -d \> -f 2|cut -d : -f 1\` --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j ACCEPT" >> /tmp/firewall_script.sh ; echo "done" >> /tmp/firewall_script.sh ; echo "for i in \`echo \$(nvram get forward_spec)|sed 's=\ =\n=g'|grep on|grep both\` ; do" >> /tmp/firewall_script.sh ; echo "iptables -t nat -A PREROUTING -p tcp -i ppp0 -d \$dynvpnip --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j DNAT --to \`echo \$i|cut -d \> -f 2\`" >> /tmp/firewall_script.sh ; echo "iptables -A FORWARD -p tcp -i ppp0 -d \`echo \$i|cut -d \> -f 2|cut -d : -f 1\` --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j ACCEPT" >> /tmp/firewall_script.sh ; echo "iptables -t nat -A PREROUTING -p udp -i ppp0 -d \$dynvpnip --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j DNAT --to \`echo \$i|cut -d \> -f 2\`" >> /tmp/firewall_script.sh ; echo "iptables -A FORWARD -p udp -i ppp0 -d \`echo \$i|cut -d \> -f 2|cut -d : -f 1\` --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j ACCEPT" >> /tmp/firewall_script.sh ; echo "done" >> /tmp/firewall_script.sh ; sh /tmp/firewall_script.sh &
  14. Click Save Firewall
  15. This bit of code comes from the dynamic IP forum thread, which was helpful in getting the router online. Will at Sabai Technology wrote the code, and also sells pre-configured routers. The original forum post is here; notice I specifically left the SPI firewall on. Dropping it leaves your network exposed. If you need to drop it to get the configuration working, do so briefly (with your computer's software firewall on), but DO NOT leave it off.

  16. Now login to the router via the web interface, go to the Administration>Management subtab, and click 'Reboot Router'. The router will reboot, and after about 5 minutes the VPN connection should come up.
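As an added example (not code from the original post or from Sabai Technology), here is the port-forward part of that firewall script written as a reviewable shell function: it prints the iptables rules it would apply on ppp0 instead of running them, and it matches whole fields rather than grepping for the substrings "on" and "tcp". The forward_spec layout it assumes is derived from the cut expressions in the one-liner above.

```shell
#!/bin/sh
# Added example, not from the original post or the Sabai Technology script:
# a readable re-implementation of the port-forward loops in the DD-WRT
# firewall script. It takes the dynamic VPN address and a DD-WRT forward_spec
# string and prints the iptables rules instead of executing them, so you can
# review exactly what will be reachable through the tunnel before saving it.
#
# Assumed forward_spec format (derived from the cut expressions in the script):
#   NAME:on|off:tcp|udp|both:EXTPORT>LANIP:LANPORT   entries separated by spaces
#
# Unlike the one-liner, which greps for "on" and "tcp" anywhere in the entry,
# this checks the state and protocol fields themselves, so a disabled forward
# whose name happens to contain "on" is not re-opened on the VPN interface.

# emit_rules VPNIP FORWARD_SPEC
# Prints a DNAT rule (nat/PREROUTING) and an ACCEPT rule (FORWARD) for each
# enabled entry; "both" entries yield one pair for tcp and one for udp.
emit_rules() {
    vpnip=$1
    spec=$2
    for entry in $spec; do
        state=$(printf '%s' "$entry" | cut -d : -f 2)
        [ "$state" = "on" ] || continue           # skip disabled forwards
        proto=$(printf '%s' "$entry" | cut -d : -f 3)
        extport=$(printf '%s' "$entry" | cut -d : -f 4 | cut -d '>' -f 1)
        dest=$(printf '%s' "$entry" | cut -d '>' -f 2)      # LANIP:LANPORT
        lanip=$(printf '%s' "$dest" | cut -d : -f 1)
        case $proto in
            tcp|udp) protos=$proto ;;
            both)    protos="tcp udp" ;;
            *)       continue ;;                  # unknown protocol field
        esac
        for p in $protos; do
            printf 'iptables -t nat -A PREROUTING -p %s -i ppp0 -d %s --dport %s -j DNAT --to %s\n' \
                "$p" "$vpnip" "$extport" "$dest"
            printf 'iptables -A FORWARD -p %s -i ppp0 -d %s --dport %s -j ACCEPT\n' \
                "$p" "$lanip" "$extport"
        done
    done
}

# count_rules VPNIP FORWARD_SPEC -> number of rule lines emit_rules would print
count_rules() {
    emit_rules "$1" "$2" | grep -c .
}

# Constructed sample: a web forward, a game server on both protocols, and a
# disabled entry whose name contains "on" (the substring-grep pitfall).
SAMPLE_SPEC="web:on:tcp:80>192.168.1.10:8080 game:on:both:27015>192.168.1.20:27015 connection:off:udp:53>192.168.1.30:53"

if [ "${1:-}" = "--demo" ]; then
    emit_rules 10.9.8.7 "$SAMPLE_SPEC"
fi
```

Run it with `--demo` to print the rules for the constructed sample; on a real router you would feed it `$(nvram get forward_spec)` and the ppp0 address instead.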

Configure OpenVPN Client with DD-WRT

  1. Enable the Secure Shell daemon (SSHd) on the Services>Services subtab. Leave it at the default port of 22. Click ‘Save’
  2. Enable SSH Remote Management, again on port 22 on the Administration>Management subtab.
  3. Extract ovpnNNN_ddwrt.sh (where NNN is your server) from the zip file they sent you with sign up. Didn’t get it? Login to the customer area, click the ‘VPN Accounts Summary’ link in the lefthand column. Next click ‘View Greeting’, and then there’s a link to download the configuration zip. You use it to install the client software, and the .sh file contains all the security information your router needs to connect.
  4. Connect to your router to do a secure copy (SCP). There is one gotcha here- your username is “root”- REGARDLESS of your web interface username. The password is the same as the web interface. Once you have a connection, copy ovpnNNN_ddwrt.sh to the /tmp directory. Hang in there, we’re almost done.
  5. Now we're going to run the script. To do that, connect with SSH and enter the following command:
    sh /tmp/ovpnNNN_ddwrt.sh
  6. Now login to the router via the web interface, go to the Administration>Management subtab, and click 'Reboot Router'. The router will reboot, and after about 5 minutes the VPN connection should come up. Here's the complete forum thread on how to accomplish that on StrongVPN if you need additional details. I changed a couple of minor details (left off logging, reboot from the web interface because the ssh command sometimes fails, etc.). If it's not working, work through their method, and then open a ticket; they're VERY good about responding quickly.

Verifying the Virtual Private Network is Working

There are a couple of ways you can check this. You can go to the StrongVPN homepage and check your IP, or you can visit What is my ip? and make sure you have a different IP address than your previous ISP address. There's also a Firefox addon called Show My IP that shows your externally visible IP at all times in the bottom right of the browser. Finally, I usually run a quick scan at GRC Shields Up, just to make sure I don't have any errant ports open.

Got it all working? Log in to the DD-WRT web interface, go to the administration page, backup subtab, and at the bottom click "backup". This stores your settings, so you can come back to the configuration if you need to. Congratulations on setting up a permanent virtual private network. Now every machine on your home network has an encrypted connection to the Internet.

Home Network Security 101

Home Network Security Introduction

We (justifiably) spend a great deal of time and effort on Corporate Network Security, but what gets very little attention is Home Network Security. Many of today's modern home routers, by companies such as Linksys (now Cisco) and D-Link, are a snap to connect, and now it is not uncommon to have multiple devices on a home network. Ten years ago a small office would have two or three computers and a T1 internet connection (1.54 Mbps down); now you can see that many devices in many of your neighbors' houses with ten times the bandwidth. Got an Xbox or a Tivo? You can put those on your home network too. Wireless throughput has increased more than 25 times from its introduction, and setting up a laptop so you can sit in the backyard and work on the internet is nothing more than a 20 minute project. Although this article is not a comprehensive guide to home network security, I should mention that home wireless security is a HUGE issue; more on that later.

Network security, and computer security in general, is always a compromise between convenience and security. Pull that wireless router out of the box, plug it in, and with the default settings you have a working, albeit insecure, network. The manufacturers have worked very hard to make it easy, but easy does not protect your personal information. If you work from home, or do your banking online, the threat is multiplied. Take a look at your entire infrastructure (in the trade this refers to servers and desktops, network components, and physical wiring; at home it's your computers and home router, possibly including switches and other network devices like Tivos, Playstations, wireless printers, etc.). Here's a brief look at what you should examine.

Home Network Security 101

  1. Latest Operating System Patches
    With corporate infrastructure, it really is amazing how many worms and intrusions can be prevented using good old patch management. I've heard all the excuses for why machines aren't patched; most don't hold water, with the exception of "It breaks the applications I need to do business." For home users it's MUCH simpler; I've never had an update break a commercial application on any friend's or family member's computer. That doesn't mean it can't happen, but it is certainly rare (I do, however, recommend you update your drivers from the manufacturer's website rather than Windows Update; driver updates are always optional on Windows Update). What I have seen time after time is a machine compromised by an exploit that is months and sometimes years old. With Microsoft Windows machines, you can easily update your machine automatically using Microsoft Update. It's fine to apply the updates automatically, although you may want to disable your startup and exit sounds; it's unsettling to have a computer in the next room reboot at 3am and wake you out of a sound sleep. You can read more on setting up Windows Update in my previous post, Travel Tips for Your Laptop. You can also check out Automatic Mac Updates if you have a Macintosh.

  2. Up to Date Anti-virus
    If you are running a computer on the internet, you need anti-virus (AV). I've seen lab computers that were not connected to the internet become infected with a virus from a USB flash drive, so anti-virus all the time is a good policy. We've found Eset to be the fastest and most reliable, and they also offer multiuser packages for a discount. Since I provide technical support for a number of friends and family members, I buy a multi-user license every year and install it on everyone's machine. The hours I don't spend fixing virus infections make this small investment more than worth it. As for free solutions, Grisoft puts out a solid product with AVG. If you have the means I recommend purchasing your AV; it's one piece of software that requires constant updates and the care of skilled developers.

  3. Good Malware Scanner
    So you have AV; why do you need anti-malware? Well, unfortunately most AV packages do not catch the variety of malware and adware out there. You can purchase consolidated products, but there is definitely value in having a multi-layered defense. I've had particularly good luck with Malwarebytes Anti-Malware (free, or you can purchase the full version, again well worth it), Spybot Search and Destroy, and Lavasoft Adaware. Bonus Tip: If you're using Firefox as your browser, Adblock Plus can get rid of ads on websites. Consider turning it off on websites you frequently visit/trust, as you may negatively affect the webmaster's revenue.

  4. Firewall, preferably Hardware
    One of the nice benefits of the home router is the included firewall. Be sure yours is enabled. A quick scan using GRC Shields Up can give you a quick baseline of your level of protection. If you do not have a hardware firewall, please ensure you have some type of software firewall in place, either the Windows Firewall or a third party product such as Zone Alarm, prior to connecting to the Internet.

  5. Lock Down Wireless
    If you're using wireless with the default SSID, the default password, and WEP or no security, please download this document and update your security. I'll wait. Really, lock down your wireless now. Just to put it in perspective, if someone manages to get on your wireless, YOU are liable for any civil tort or criminal activities they conduct; makes sharing that connection seem much less attractive, huh?

  6. Backups
    Backups and Disaster Recovery are an important part of security that many people overlook. For home users, you need a way to get back your data after a virus, or an emergency such as a fire or burglary. Without going into a ton of detail, a regularly scheduled imaging solution such as Acronis True Image can be a lifesaver. At the very least, use the free backup utilities that come with your operating system, such as Windows Backup. For extra protection, use external storage and don't keep the completed backup right next to the computer. Imagine if you had a fire: you'd lose the data and the backup at the same time, which can be doubly painful.

Home Network Security is important, and unfortunately often overlooked. Spend your free time on your computer doing what you love- not cleaning out viruses or trying to get back lost files.