TTLequals0

OpenVPN Endpoint In ~3 Minutes on AWS

Sun, 13 Mar 2016 21:06:14 +0000

This is an improvement on a previous post but this time it takes less time and is completely scripted. This process now only involves cloning a git repo and running a single script. The total time it takes to deploy an OpenVPN endpoint is roughly 3 minutes, although i have seen it take less.

The process is very simple but also assumes that you already have API keys in place and the boto python library installed. Also as a note this is my first attempt interacting with the AWS python API so the script might not be perfect and probably can be improved upon.

The script works by executing a bash script supplying AWS keypair name as argument that then runs a python script that creates the ec2 instance and needed security groups returning the IP address. The bash script then uses the returned IP address and uses it to establish an SSH connection to the instance and configures OpenVPN. When all is finished an OpenVPN config file will be located in current working directory.

Note: The openvpn-autoinstall.sh script in the autovpnn directory is what gets executed on the newly created ec2 instance to configure OpenVPN. Also this script is till a work in progress many changes will be made over time.

USAGE:

This script assumes that all AWS credentials and tools are already setup on system.

Clone rep to system.
Execute autovpn with -k options to deploy to your default AWS region. ./autovpn -k macbook
OpenVPN config files are downloaded to current working directory.
Import the OpenVPN config file into VPN client.
Connect to VPN.

DESCRIPTION:

autovpn - AWS OpenVPN Deployment Tool.
Project found at https://github.com/ttlequals0/autovpn

USAGE:
ACTION [OPTIONS]
-h Displays this message.
-i AWS Instance type (Optional, Default is t2.micro)
t2.nano t2.micro t2.small t2.medium t2.large *
-k Specify the name of AWS keypair (Required) **
-r Specify AWS Region (Optional, will use default region)
us-east-1 us-west-1 us-west-2 eu-west-1 eu-west-1
ap-southeast-1 ap-northeast-1 ap-northeast-2 ap-southeast-2
sa-east-1 cn-north-1 ***

NOTES:

* - In reality any instance size can be given but the t2.micro is more than
enough.
** - If you choose to deploy an endpoint in a different region make sure
you have a keypair setup in that region.
*** - Since all ami's aren't located in all regions the ami being used will
need to be changed to one that exists in that region. An option to do this
will be added soon for now this will need to be manually changed in python
script.

OpenVPN Endpoint on AWS in 10 Minutes

Sun, 16 Aug 2015 22:04:12 +0000

Note: This setup can be used on Red Hat or Debian based system on pretty much and VPS for example DigitalOcean. Skip to OpenVPN Server Setup to configure server on a non AWS instance. The script that is being used can be found on GitHub if you want to review it or fork it.

Overview

The purpose of this post is to show how to setup an OpenVPN endpoint on AWS for free in roughly 10 minutes. There are plenty of free VPN solutions that could be found on the internet but most have limitations. A few of the main issues with using a random VPN solution on the internet is they usually have low bandwidth limits unless you opt for paid version. Some of the solutions inject add into webpages you visit. The two major issues with using a random VPN solutions are security related. Issue one is that the endpoint can not be trusted the provider might be capturing all user traffic for a number of reasons. The second commonly seen issue is that the client that is provided gives the user access to the VPN but also uses there system as and endpoint or it install other software.

This solution uses a free AWS EC2 t2.micro instance all that is required is creating an AWS account. For the OpenVPN installation it is completely scripted only requiring a few questions to be answered. I have been using an AWS issue for some time now with no apparent issues. I am not going to show how to navigate through the AWS management console since it pretty self explanatory. Also before the creation of the EC2 instances make sure your public key is in AWS management console.

The limitations of using the AWS free tier.

750 hours of Amazon EC2 Linux t2.micro instance usage (1 GiB of memory and 32-bit and 64-bit platform support) – enough hours to run continuously each month
30 GB of Amazon Elastic Block Storage in any combination of General Purpose (SSD) or Magnetic, plus 2 million I/Os (with EBS Magnetic) and 1 GB of snapshot storage
15 GB of bandwidth out aggregated across all AWS services

AWS Setup

On the AWS management console in the EC2 we are going to want to launch a new instance. The OS can be Red Hat or Debian based, for this I chose to use an Ubuntu Server 14.04 LTS image. Since this is only a VPN endpoint CPU performance and Disk space isn't that big of a deal making the t2.micro instance the best choice plus its also in the free tier.

On the "Configure Instance Details" page the only change that needs to be made is to check the box "Protect against accidental termination".

The "Add Storage" page no change need to be made unless for some reason you desire more disk space. Keep in mind the free tier can only use 30GB of storage total.

On the "Tag Instance" page in the "value" section is where you would name the instance.

The "Configure Security Group" page is the most important part of the setup since the instance is NATed the appropriate ports need to be opened and mapped correctly. Make sure "Create a new security group: is checked. the security group name and description can be set to whatever is desired. The following rules need to exits for this to work.

SSH TCP port 22 with source from anywhere
Custom UDP Rule UDP port 1194 source from Anywhere (Default OpenVPN port")
DNS (UDP) UDP port 53 source from anywhere (Used as alternate OpenVPN port")

On the "Review and Launch" page double check to make sure everything looks correct. Click "Launch" and make sure to chose the correct key pair.

Once the Instance is launched find the public ip of instance on the AWS management console in the EC2 section. Also the log on username can be found from this page in my case the default user is Ubuntu. SSH to the the instances ubuntu@ip.address.

OpenVPN Server Setup

Now its time for the actual OpenVPN configuration. Note from this point on these steps can be applied to any Red Hat or Debian based system on pretty much and VPS. My other got to VPS provider is DigitalOcean. The script that is being used can be found on GitHub if you want to review it or fork it.

Once you are connected to your instance you are going to want to switch to root since all of the following steps will be adding packages and making other system changes.

As root run the following one liner to start the setup process.


wget git.io/v35Kx --no-check-certificate -O openvpn-install.sh; bash openvpn-install.sh

Make sure the ip address is a private ip address on AWS or public ip address depending on you setup. If this looks good hit enter.
What port do you want OpenVPN to listen on? 1194 is chosen by default but can be set to anything. If you chose different port make sure to make the appropriate changes to the security group on AWS.
Do you want OpenVPN to be available at port 53 too? This is useful if the network your on is trying to block VPNs.
Do you want to enable internal networking for the VPN? This will allow VPN clients to communicate between each other over the VPN. the Default is "No".
What DNS servers do you want to use with the VPN? 1) Current system resolvers, 2) OpenDNS, 3) Level 3 4) Hurricane Electric or 5) Google.
Last give a name for the client cert no spaces, or special characters.
If everything looks good hit enter to continue the setup or ctrl+c and run script again to make changes.
On an AWS instance or NATed VPS the script will prompt for the public ip address of the instance. This is usually the same ip used for SSH.
At this point the server setup is complete all thats left is to download client config file and setup client.

Client Setup

Now that the Server is setup all that s left is to configure the client used to connect to the VPN. The config file can be used on Windows, Linux, OS X, iOS and Android.

First we need to download the client configuration file easiest way is to use SCP scp user@server-ip:~/client.ovpn Downloads/. or WinSCP on Windows
Install an OpenVPN client for your OS

Windows

The OpenVPN client for Windows can be found on OpenVPN's Downloads page. Choose the appropriate installer version for your version of Windows.
After installing OpenVPN, copy the unified *.ovpn profile to:
```
C:\Program Files\OpenVPN\config
```
When you launch OpenVPN, it will automatically see the profile and makes it available.
Another Client I like to use is Viscosity which cost $10
Note OpenVPN client need to be ran as Administrator

OS X

Use Ttunnelblick which is free or my favorite Viscosity which cost $10
To import move config file to ~ and within the client import the *.ovpn file.

Testing VPN

Once server is setup and client is installed lets check the current ip address of our client by simply typing "my ip" into google. This will return the ip address assigned by your ISP and as you appear on the Internet.

Now connect the OpenVPN client and connect to your VPN and go to google again and type "my ip" you should see a different ip address. If you also want to to see what DNS servers are being used go to DNSLeakTest and run "Extended Test" will check your DNS settings and confirm you are now using the DNS resolvers pushed by your VPN.

At this point you now have a full functioning VPN in a matter of minutes.

Windows 10 build 10122 Fun.

Mon, 25 May 2015 02:25:46 +0000

Throughout my testing of the windows 10 Tech Preview build I have experienced the good and the bad of testing new operating systems. I have recently installed build 10122 which is currently the latest build and everything seemed to be running well until it started to go down hill. When I was just sitting at the desktop explorer.exe went into a loop of crashes and restarts. After a few minutes of this I went with windows troubleshooting 101 reboot the system. After the reboot is when the fun started.

As the system was booting I got the good old BSOD and the system continued to boot loop.

So I got the flash drive that had the windows install media on it to use some of the troubleshooting tools. The first thing was run the startup repair utility hoping it would be a quick easy fix. Turns out I would not be that lucky startup repair was unable to fix issue.

Next I tried system restore since I have recently installed graphics drivers but system restore was a no go as well. The utility claimed it could not perform system restore due to filesystem corruption and to check the disk. So of course iI ran the utility and it found no errors on the disk. I decided to give this another shot and the same error compelling about filesystem corruption.

Since this PC didn't have much software installed I went the Refresh your PC option. This also ended in failure.

I could not use the Roll-Back to previous version option since this was a clean install. Leaving me with the Reinstall using Installation Media option which also did not go well. The installation process failed at first reboot.

Booted up using installation media and decided to give this another try since I had nothing to lose and was immediately presented with this.

Then after that I got a really descriptive dialogue box.

I eventually ended up wiping the drive and reinstalling Windows 10 instead of wasting more time troubleshooting this. Overall I do think Microsoft is doing a good job with Windows 10 and I look forward to continue testing new builds.

The Real Way to Lock Mac with Keyboard Shortcut.

Sat, 09 May 2015 21:37:05 +0000

There has been a number of times that I just simply want to lock my Mac at work or at home with a simple keyboard shortcut. To my surprise there really was no shortcut for example win key + L on windows or ctrl + alt + L on systems using Gnome. When I did a few quick Google searches on how to do this many sites suggested using control+Shift+Eject or Control+Shift+Power after enabling "require password immediately after sleep or screen saver begins.". There are some problems with these suggestions. the first issue is this not only locks the computer it also put it to sleep which means the computer has to wake up first before the lock screen appears. The second issue is many keyboard i use do not have an "Eject" or "Power" key on them.

Over some time I discovered a partial solution for locking the screen. The only slight issue was it needed to be done from a terminal window. This was fine for me since I spend most of my time at a terminal window anyways. This was accomplished by creating an alias with the command and perimeter to signal the computer to lock screen.

alias lock='/System/Library/CoreServices/Menu\ Extras/User.menu/Contents/Resources/CGSession -suspend'

Finally I have found a way to lock screen using a keyboard shortcut that didn't put the computer to sleep first. I accomplished this by using a built in tool on the Mac called "Automator" by creating a custom system service.

First launch Automator by using Spotlight search and select Service for the type of document.

Set the service receives "no input" from the dropdown box.

Search for "shell" in the search box and double click "Run Shell Script" and paste the following into the box.

/System/Library/CoreServices/Menu\ Extras/User.menu/Contents/Resources/CGSession -suspend

Save the service and call it "LockMac" or whatever is desired and close Automator.

Now got to System Preferences > Keyboard > Shortcuts and select "Services". Scroll down until the service that was just created using Automator is seen it should be toward the bottom. Make sure the the box to the left is checked to enable it. Then click on the word "none" to assign the desired shortcut keys.

At this point try out the keyboard shortcut, if everything works properly the lock screen will appear.

Adding / Removing Users to Mailing Lists via Powershell

Wed, 15 Apr 2015 01:12:36 +0000

This is a quick post for adding and removing users to mailing lists via Powershell.

1. Open a powershell window. Open start menu and type "powershell". Roght click on it and click "Run as Administrator"

2. Set Office365 login credential, in dialogue box use full email address ex: sample.user@domain.com

$UserCredential = Get-Credential

3. Connect to Office365

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

4. Import powershell session

Import-PSSession $Session

5. Add or move users to group. Users must be specified using full email address. ex. sample.user@domain.com. Note: It is possible to use "for loop" if adding a bunch of users.

Add User

Add-DistributionGroupMember -Identity "mailing-list" -Member "sample.user@domain.com"

Remove User

Remove-DistributionGroupMember -Identity "mailing-list" -Member "sample.user@domain.com"

6. Be sure to disconnect the remote PowerShell session when you're finished. Failing to disconnect session may result in using up all available connections and will have to wait for them to expire.

Remove-PSSession $Session

Home Network (Personal Cloud)

Mon, 13 Apr 2015 21:03:05 +0000

This post is to show off my home network. Although I call it a home network all of my infrastructure is not located in my apartment but it's all managed remotely. I have setup a site to site VPN between my apartment and the location where all my servers are located. All servers are virtualized using fully licensed vSphere 5.5.

The main use for all of my infrastructure is what I call a whole home / cloud DVR. All my tv shows are recorded, processed removing all commercials, converted for optimal streaming and posted to my media server. All of this is done automatically and has been working for years. I have tweaked the process a few times for more efficiency.

The other purpose is used for a lab environment. This allows me to practice system administration and test new technologies.

Home infrastructure broken down:

Mac Mini
- Runs vSphere 5.5
- Main purpose is Veeam Backup Server.
- 16 GB RAM
- 2x 250 GB Samsung EVO 840 SSDs
- 2x 1GB NICs
Qnapp TS-669L
- Used mainly for backups.
- 6x 3TB WD Reds. (RAID 5)
FringeBox 1100
- pfSense Firewall / Router
- Used for remote VPN and site to site VPN.
Cisco SG200-26 Gigabit Ethernet Switch
ASUS RS720-E7/RS12-E 2U
- Runs vSphere 5.5
- 2x Intel Xeon E5-2640 v2
- 64 GB RAM (4x 16 GB) Kingston Technology
- 2x 120 GB Samsung EVO 840 SSDs (RAID 1)
- 11x 2TB HGST 7200 SAS Drives (RAID 6)
- Current VMs
  - Graphite in Docker (CentOS 6.5)
  - Plex Main Server (win 7)
  - Plex Test server (Win 7)
  - Recording server (Win 7)
  - FreeRADIUS server (Ubuntu 14.04)
  - FTP (Server 2012 R2)
  - File Server (Server 2012)
  - DNS (CentOS 6.5)
  - Internal stikked sever (CentOS 6.5)
Test Server (old media server)
- Runs vSphere 5.5
- Core i7 3770K
- 16 GB RAM
- 4x 2TB WD Greens
- 4x 1GB NICs
- currently running VMs
  - Nested CloudStack Environment.
  - Nested VSAN
  - A couple of Windows and Linux systems
  - CHEF server 12
APC Smart-UPS RM SMT1500RM2U

Recently all equipment was moved from homemade rack to a proper rack.

Before:

After:

Note: Wasn't completely finished re-racking equipment when pictures were taken.

OpenVPN with 2FA using FreeRADIUS and Google Authenticator

Tue, 07 Apr 2015 21:54:49 +0000

This implementation of OpenVPN is using pfSense with FreeRADIUS and Google Authenticator PAM (pluggable authentication module) to generate One-time passcodes. The end result is the user is prompted for credentials, they use their username and password + One-time passcode to authenticate.

For the server that will run FreeRADIUS I choose to to use Ubuntu server 14.04 LTS in a VM.

The first thing is to install NTP there are two main reasons for this. The first is since Google Authenticator uses TOTP algorithm (time-based one-time password) having an out of sync system clock will lead to the passcodes that are generated being invalid. The second reason is since I decided to run the server in a VM there is a higher risk of time drift which would also result in invalid passcodes.

 sudo apt-get update
sudo apt-get install ntp

Up next install the FreeRADIUS package and all of the necessary dependencies.

 sudo apt-get install build-essential libpam0g-dev freeradius libqrencode3 git

Download the Google Authenticator source from Github. Since it has been moved there from Google Code.

 git clone https://github.com/google/google-authenticator/
cd ~
cd google-authenticator/libpam/
make
make install

Since we will be using local accounts on the server its a good idea to make a group to put users in if they no longer need access instead of removing them.

addgroup disabled-radius

FreeRADIUS Configuration.

FreeRadius configuration. With this configuration there is one aspect im not thrilled about but unfortunately as of now it has to be done. The problem is since FreeRadius needs to be able to read each users .google_authenticator token in their home directory FreeRadius needs to run as root. Since this isn't the best security practice I suggest to limit access to this machine and only use it for FreeRADIUS.

The first file that needs to be modified is /etc/freeradius/radiusd.conf we need to configure FreeRadius to use the root user and group.

change from this:

user = freerad
group = freerad

To this:

user = root
group = root

The next file that needs to be edited is /etc/freeradius/users. We need to add the disabled-radius group to the "Deny access for a group of users." section.

Add this to the end of the commented out section.

 DEFAULT Group == "disabled-radius", Auth-Type := Reject
Reply-Message = "Your account has been disabled."

We also going to add the rule to use PAM libraries for authentication.

DEFAULT Auth-Type := PAM

Next up to edit is /etc/freeradius/sites-enabled/default. This will enable the use of PAM for the FreeRADIUS server. To do this uncomment "pam" after the line "# Pluggable Authentication Modules."

Now we need to edit/etc/pam.d/radiusd to tell FreeRADIUS to use local unix password plus the Google Authenticator passcode.

Comment out all of the lines that begin with "@" and add the following to the end.

 auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

To change the shared secret or to specify which clients will be connecting to the server this file needs to be edited. /etc/freeradius/clients.conf There many ways to specify the hosts that communicate with this server for authentication.

User Configuration.

Once FreeRADIUS is configured we are going to create a test user to see if it all works. The password can be simple since this is for testing and this user can be disabled or removed from system later. I used "test123" as password.

adduser test-user

After the user is created go ahead and login as that user.

su test
google-authenticator

If all goes this will be the output. Now that we have the QR code import it into the Google Authenticator app (or whatever is being used for OTP tokens).

Test Configuration.

Time to test the configuration. First restart the FreeRADIUS service so the new configuration gets loaded.

sudo service freeradius restart

Use the following command to see if user can authenticate with the localhost.

radtest username unix_password+google_auth localhost 18120 testing123

example:

radtest test-user test123708169 localhost 18120 testing123

If everything is configured properly and the authentication the output should look like this.

OpenVPN Configuration.

Now its time to tell OpenVPN to use RADIUS for authentication. Log into pfSense web interface and navigate to System > User Manager and click on the servers tab and then the "+" to add a new one.

After the RADIUS server navigate to VPN> OpenVPN then edit server and select the newly added server in the "Backend for Authentication" box.

Test to see if router can communicate with RADIUS server by going to Diagnostics > Authentication. Select the RADIUS server from dropdown and enter username and unix password + one-time passcode.

Troubleshooting.

If for some reason the FreeRADIUS fails to start or cant communicate with host try this to see if there are any errors when starting service.

sudo service freeradius stop
sudo freeradius -X

If the service starts correctly the expected output is this:

Another good tool for testing radius server is NTRadPing.

Output for bad credentials:

Output for unable to communicate with server:

Output for successful authentication:

If there is issues communicating with the server it may be necessary to add allow rules for the device that will be using the server. In my case my router is accessing the server.

sudo iptables -A INPUT -p udp -s 192.168.9.1 --dport 1812 -i eth0 -j ACCEPT
sudo iptables -A INPUT -p udp -s 192.168.9.1 --dport 1813 -i eth0 -j ACCEPT
sudo iptables -A INPUT -p udp -s 192.168.9.1 --dport 1814 -i eth0 -j ACCEPT

save firewall settings:

sudo sh -c "iptables-save > /etc/iptables.rules"

Invoke these rules at boot i added this line at the eth0 interface configuration in /etc/network/interfaces.

pre-up iptables-restore < /etc/iptables.rules

Google Domains Dynamic DNS on pfSense

Tue, 24 Mar 2015 00:26:00 +0000

This is a quick write up on how to configure Google Domains Dynamic DNS on pfSense. Since Google Domains is fairly new it is not officially supported in pfSense nor is there any good documentation on how to do accomplish this

Lets start by setting up the Dynamic DNS in Google Domains. This part is pretty straight forward.

On the DNS tab in Google Domains scroll down to the "Synthetic records" portion. Select Dynamic DNS from the dropdown, fill in the subdomain name and select add.

Once the record is added expand the entry to reveal the record information. It show just an "A" record with an IP of 0.0.0.0 since nothing is configure yet. Click on the "View credentials" link to unmask the Username and Password.

On the pfSense router navigate to Services > Dynamic DNS. On the DynDNS tab click the + sign to add new entry. From the "Service type" dropdown select "custom" since Google Domains is not an option and needs to be configured manually. Set the "Interface to monitor" and "Interface to send update from" to WAN. Fill in the Username and password with the information provided from Google Domains. For the "Update URL" copy the link below and change the hostname to the subdomain that was set in Google Domains. Also update "Result Match" with the information below.

Update Url:

https://domains.google.com/nic/update?hostname=test.ttlequals0.com

Result Match:

good %IP%|nochg %IP%

Once this is done click "Save & Force Update". If all goes well within about a minute the Dynamic DNS "A" record should have the current IP of the router.