David Westerfield

Securing Traffic with OpenVPN on Your iPhone or iPad

I’ve been looking for a solution to this for quite some time. Until recently, the only way to make this work was to jailbreak your phone and use GuizmOVPN or some other app of that type, which of course voids your warranty. But then along came OpenVPN Connect, an app for the iPhone and the iPad that is extremely simple to use (well, relatively speaking, for OpenVPN). It works just like any other client-side OpenVPN setup, except that you move the certs and config files over through iTunes File Sharing (which is probably the more secure way to do this transfer). This is an absolutely amazing way to secure your traffic to and from an OpenVPN server, from wherever you are, over 3G/4G or Wi-Fi.

  1. Download the OpenVPN Connect app from iTunes on to your iPhone or iPad.
  2. Take a sample client.ovpn file and modify it with your particular settings to connect to your OpenVPN server. Make sure to set the cert and key names to exactly what you’ll be copying over; otherwise the config won’t reference the proper files.
  3. Get your client.crt, client.key, ca.crt, ta.key, and client.ovpn files ready for moving over to your phone. (These file names are just examples.)

  4. Open iTunes with your phone or device connected.
  5. Select the device on the left-hand side.

  6. Click the Apps tab at the top.

  7. Scroll down to the File Sharing section, select OpenVPN and drag n’ drop your five files (there should be at least five) into the OpenVPN Documents window. Once they are moved over, go ahead and do a sync just to make sure everything is good.

As long as everything was set up correctly in the client.ovpn file and your certs are all good, you should be able to open the app and add it as a new profile. Once the new profile is added in the app, you should be able to connect.

Note: As an aside, if you want to secure all your traffic to and from the OpenVPN server, make sure to set this parameter in client.ovpn before you upload the file:

redirect-gateway def1
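A small check for step 2 and the note above, added here as an example rather than code from the post: it reads the file names out of a client.ovpn, confirms each one is among the files you are about to copy over, and reports whether redirect-gateway def1 is set. The sample config, the host name and the function names are constructed for the example.

```python
"""Check a client.ovpn before dropping it into OpenVPN Connect.

Added example, not code from the original post. The app resolves the file
names given to ca/cert/key/tls-auth relative to its Documents folder, so
each must name a file you are copying over; it also reports whether
redirect-gateway def1 (the "all traffic" note) is set.
"""
import shlex

# Directives whose first argument names a file (tls-auth's 2nd arg is not).
FILE_DIRECTIVES = {"ca", "cert", "key", "tls-auth"}

# Constructed sample client.ovpn with the post's file names; host is a placeholder.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
redirect-gateway def1
"""

def referenced_files(ovpn_text):
    """Return {directive: filename} for each file-referencing directive."""
    refs = {}
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # OpenVPN comment lines
            continue
        parts = shlex.split(line)
        if parts[0] in FILE_DIRECTIVES and len(parts) >= 2:
            refs[parts[0]] = parts[1]
    return refs

def check_profile(ovpn_text, files_to_copy):
    """Return (missing, has_redirect): referenced files not in files_to_copy,
    and whether a 'redirect-gateway def1' line is present."""
    refs = referenced_files(ovpn_text)
    missing = sorted(f for f in set(refs.values()) if f not in files_to_copy)
    has_redirect = any(line.split()[:2] == ["redirect-gateway", "def1"]
                       for line in ovpn_text.splitlines())
    return missing, has_redirect

if __name__ == "__main__":
    copying = {"ca.crt", "client.crt", "client.key", "ta.key", "client.ovpn"}
    print(check_profile(SAMPLE_OVPN, copying))   # ([], True)
```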

The downside? It eats battery life like crazy. That all may depend on your encryption level and key size though. 😉 In addition, each time you want to edit the client.ovpn, you have to edit it locally on your computer and re-upload it. But considering the alternative (no VPN, PPTP, or jailbreaking your phone), this is an excellent app.

OpenVPN Sharing a TCP Port with SSL on NGINX and Apache?

I’m absolutely baffled there isn’t more information out there about this. It seems like web managers and techs would be all over it, yet there’s barely anything written on it. I had a hard time finding documentation on OpenVPN’s own site!

As one guy stated here (the post where I finally understood how this works), it’s not really “sharing” the port per se: OpenVPN distinguishes between HTTP/S traffic and OpenVPN traffic and forwards the web traffic on to another port, defined below. That’s crucial to understand.

Before I start, I want to note this doesn’t have to be done on an SSL port, as I understand it. I’m just using that as an example because it seems to be the most logical way to make it work if this is your configuration (you know, an SSL VPN going to an SSL port).

It should also be noted that in this configuration example OpenVPN, via the port-share parameter, is the one actually listening on TCP port 443 and acting as a proxy that forwards non-OpenVPN traffic to the NGINX SSL port we’ll lay out below. As far as I know, you cannot do this over UDP.
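To make that distinction concrete, here is an added illustration (not OpenVPN’s own code, and not from the original post) of the first-bytes check that, as I understand OpenVPN’s port-share logic, decides whether a new connection on 443 is an OpenVPN client or gets proxied to the web server. The packet samples, the 127.0.0.1:4443 target and the function names are constructed for the example.

```python
"""How port-share tells an OpenVPN client apart from a browser on port 443.

Added illustration, not OpenVPN's own code: it models the check I
understand OpenVPN applies to the first bytes of each new TCP connection.
An OpenVPN-over-TCP stream begins with a 2-byte big-endian packet length
followed by an opcode byte, and a fresh client always sends a
P_CONTROL_HARD_RESET_CLIENT (opcode 7, or 10 in newer versions, stored in
the top 5 bits). Anything else, e.g. a TLS ClientHello (starts 0x16) or
an HTTP request (ASCII), is proxied to the port-share target.
"""
import struct

P_OPCODE_SHIFT = 3
HARD_RESET_OPCODES = (7 << P_OPCODE_SHIFT, 10 << P_OPCODE_SHIFT)   # 0x38, 0x50
MIN_OPENVPN_LEN = 14                       # smallest plausible first packet
PORT_SHARE_TARGET = ("127.0.0.1", 4443)   # matches the server config in this post

def is_openvpn_protocol(first_bytes):
    """True if the bytes so far look like the start of an OpenVPN TCP session."""
    p = first_bytes
    if len(p) >= 3:
        return p[0] == 0 and p[1] >= MIN_OPENVPN_LEN and p[2] in HARD_RESET_OPCODES
    if len(p) >= 2:
        return p[0] == 0 and p[1] >= MIN_OPENVPN_LEN
    return True   # not enough data to rule OpenVPN out yet; keep reading

def route(first_bytes):
    """Decide whether OpenVPN keeps the connection or proxies it to the web server."""
    if is_openvpn_protocol(first_bytes):
        return "openvpn"
    return "proxy:%s:%d" % PORT_SHARE_TARGET

# Constructed samples of the first bytes seen on a new connection to port 443.
OPENVPN_HELLO = struct.pack("!H", 42) + bytes([0x38]) + b"\x00" * 41  # len 42, opcode 0x38
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xc8, 0x01])          # TLS record, handshake
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("OpenVPN", OPENVPN_HELLO), ("TLS", TLS_CLIENT_HELLO), ("HTTP", PLAIN_HTTP)]:
        print(name, "->", route(sample))
```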

So here’s what you do.

1) Set your NGINX or Apache listening ports. Leave the standard HTTP port 80 as it is, and set the SSL listening port to something OTHER than 443 … so, for argument’s sake, let’s set it to 4443.

So it would look like this for Apache and NGINX:

For Apache, in the main httpd.conf (Windows) or in ports.conf (Ubuntu/Linux):

# Move the SSL listener off 443; the matching SSL <VirtualHost> must use *:4443 as well
Listen 4443

For NGINX, in /etc/nginx/sites-available/defaults:

server {
        # Listen on 4443 with TLS: OpenVPN proxies the raw TLS bytes here,
        # so this server block must terminate SSL itself
        listen   4443 ssl;
        ssl_certificate     /path/to/server.crt;   # placeholder paths
        ssl_certificate_key /path/to/server.key;

        location / {
                root  /web/etc/blah;
        }
}

Once implemented, restart your respective service, Apache or NGINX.

2) Next, set your OpenVPN server parameters. Change the listening port from the standard 1194 to 443 and add the port-share parameter pointing at the Apache or NGINX port created above. The config should now look as follows:

# listen on 443 instead of the default 1194
port 443
# hand connections that are not OpenVPN traffic to the web server set up above
port-share 127.0.0.1 4443
# port-share only works over TCP
proto tcp

OpenVPN will now accept connections on 443 and route the HTTPS/SSL traffic on to Apache or NGINX.

3) Change your firewall settings. Leave your TCP port 80 rule pointing directly to Apache or NGINX. Then point your SSL rule to TCP port 443 on your OpenVPN server. OpenVPN will now catch the traffic directed at it and distinguish between OpenVPN traffic and HTTPS traffic.

4) Change the configuration in your OpenVPN clients. Point them at TCP port 443 instead of the port you were using before:

# the client must use TCP to match the server
proto tcp
remote domain.name.com 443

or

proto tcp
remote [IP ADDRESS] 443

Hope it works. Cheers!