ALL ABOUT VPNs in OPNsense! Wireguard, OpenVPN, and IPSec Setup and Configuration

Captions
today I'm talking about vpns not the kind of vpns that get shilled on YouTube I'm talking about VPN tunnels as a technology what are some protocols we can use for vpns what use case might we have for each of these common protocols and how can you set them all up in open sense so if you like VPN tunnels Come Along on this adventure so before we get too far along there's a lot of different software pieces that Implement VPN tunnels I'm going to stick to the basics here I'm not going to get into some of the more advanced mesh topologies so I'm going to talk about IPC wire guard and openvpn these are the three relatively open protocols that are commonly implemented all across the world and across operating systems I know you guys like modern mesh systems nebula is one that I use a lot tail scale 02 they're also popular but they're built on these same Technologies as their underlay and they add some more features on top so I'm going to stick to the basics for this video it's already long enough so to get started let's try to understand what problem vpns solve so let's look at routing packets across the internet so over here we have a computer and we have a server and we want to send some data between them so we bring in a packet here we want to send a packet asking this to do a DNS query 2601 fe9 that's a DNS server so we send a packet to 2601 fe9 now where does it go well we probably think we have our own router so this would be our router so if I'm 20 1 db8 69 my router might be 2001 db8 or maybe1 db81 so this is my router at the edge of my network but now I got to get from my network over to quad 9's Network so you might think well we just go over the Internet so I send my packet I send it off to the internet and it magically appears at quad 9 and that's not exactly what happens so the internet looks more like this so it's a network of routers all connected to each other so in this case this is my router here at my house I'm connected to my internet service provider 
which in this case is 21400 they're connected to three other service providers so let's say one in Europe because that's 2A and two in North America and then they're all connected to 2601 which is the service provider of quad 9 in this case so I've set my packet to 2601 fe9 I send it to my router I don't have a routing table that says anything but default so I'm going to let my router handle it my router also doesn't have a complex routing table so it sends it on to 21400 and this is the first step where we see routing in action so this router has three links that could potentially get this packet to its destination we could go to 2 a1600 we could go to 26100 or we could go to 261200 so looking at this you might say well we have two different choices it's obvious but imagine that this router is connected to 300 other routers or it's an appearing facility with hundreds of other isps that's going to be a much more complicated Choice especially if there's not just one router in between there might be 10 2601 Fe might be on the other side of the Atlantic we might have to take some unde cables so we need to decide which outgoing interface to send our packet on and specifically which router to send it to next it's called the next hop so fundamentally what router do is they read the destination address that's my two and they decide which one one of their peered routers that they're directly connected to is the best place to send this packet next so it will get closer to its destination so this is called a Looking Glass major isps provided Hurricane Electric is one of the largest in the world but not the largest so let's pick one of the quick selects let's say LAX and let's look at the BG R to 2601 fe9 so here's an example of what this shows so 26120 that's the parent route so in this case this router has 1 two three four five six seven eight nine 10 11 different ways that could get there so learned these are the bgpp peers so these are all different routers and it has a 
session with all 11 of them and it decided that this one is the best beted so it receives a packet to 2601 fe9 it's going to send it to 21559 1279 but if this this router were to drop for some reason it would fall back on the next metric which would be this guy here 21470 6692 so now this router has the routing cable it knows where to forward this packet so it forwards it makes it a destination so now the problem is the destination doesn't know how to reply so unless the packet contains some additional information on how to get responses back it doesn't magically know how to get it back so back when we send the packet we should add a from too so that's our own address so now we send it here it uses the two field route it and each router on the path looks at the two field of the destination and it makes to the server so now the server is going to generator's response and it's going to flip these so it's going to flip the source and destination so really The Source was only used by the destination so that it could send a response back and so now it's going to send a response to 2001 db-8 69 this router has to look at its routing table for 2001 DBA 69 etc etc we end up here so as we start talking about modifying routing tables for VPN it's very important to remember that we always need a route back so just because we can send a packet to the destination all of those routes work doesn't mean the destination can route packets back it's two-way street so when we're adding VPN routes we need to add them on both sides so why would we add VPN routes well let's take a look at how a VPN tunnel Works fundamentally so now say we want to protect this packet in transit so there's a few reasons you might want to do this you might not want to expose this server open ports directly to the Internet so if this is a DNS server for example having an open DNS server can mean tons of people will hammer it trying to do DNS amplification attacks you're not necessarily the victim but you're 
a part of their scheme so maybe we don't want this connection to be open maybe also we feel like the contents of this packet are sensitive if we're using TLS to encrypt our traffic the uh the contents shouldn't be sensitive but maybe just the headers are sensitive or maybe the Sni or something like that that's further down in the packet from the two in the from maybe those are sensitive so whatever reason we want to create a tunnel so there's a few pieces we can do it so I have now created a VPN tunnel so where is the tunnel going to end so if I connect to it directly from my computer then one end point will be the computer and if the other end is the server I'm connecting to the other endpoint will be the server so to the application traffic is passing straight through the tunnel but underneath that tunnel has to take this packet and it has to encapsulate it inside of a VPN header so now I've got a VPN packet that's blue and we're going to put our secure packet inside of it and we're going to take that whole thing we're going to transport that across the internet and then at the other end pop out the packet that was inside and now we can process it so now we have two levels of twos and froms so we have the inside packet still has a tuna from and the outside packet needs a tuna from too and so this address of the inside packet would be the address within the tunnel or the overlay and the address here is the address on the real internet or the underl so these twos and froms these sources and destinations these are going to be address of the tunnel end points these are the nodes on our Network that are encapsulating and decapsulating Tunnel traffic and in the pink we have our internal packets the overlay and these are going to be host to host so for example if we have our routers do VPN so say we have this guy do VPN we have that guy do VPN so now our outer packet is going to go to feon colon and it's going to be from db81 so it's router to router but this guy is 
still going to be end to end because he's the inner packet so now we've just got to figure out what sort of protocols we have available and what architectures we have to set up our VPN tunnels make sense so the first topology I'm going to look at is called site to site so hypothetically we have some location we'll call it our headquarters and at our headquarters we have some application server that we want people to be able to access whatever it is and we have our firewall router at our headquarters and it has has its Subnet in this case it's 2 A1 db8 and it's got a /48 it's got a pretty big subnet and so this is like our headquarters office it's a completely normal Network as is and then somewhere else we have another router and some desktops this could be a branch office this could be a home office these two could be two different friends who want to game together whatever it is this is a different location and so this has a different subnet 2001 db8 so that's 2 a and that's 2000 and we want to be able for this branch office desktop to connect to this application server without exposing this application server directly to the Internet so we create a VPN tunnel where the tunnel endpoint is the router for each Network so now if we bring in a packet so this guy can send his packet he's going to send this packet up to the router the router is going to encapsulate it now we have our encapsulated tunnel packet we send it across the internet and it comes over here to the destination router where it gets capsulated and the destination router can send to the application server so when this guy is sending his packet he doesn't care that there's a tunnel involved he just needs to know the IP address of the application server so he says 2 2 A1 db8 feed and the router needs to know that when it Encounters this subnet 2 A1 db8 48 it actually needs to go across the sight to site tunnel instead of directly across the internet and likewise on this side when he encounters is a 
packet that goes to 2001 db8 he needs to know that that prefix goes via the the tunnel and not via the Internet of course it works the same way on ipv4 if we do Legacy we'd have this guy [Applause] 10.0.1 say 10 12 we could have [Applause] him so say he's got a 16 so now he needs to not overlap so we'll give him 10.1 do oops so we'll give this guy a different subnet so the subnets can't overlap and we'll give this guy an address in that subnet so if your subnets overlap side to side like if both sides use 192.168.1 then you'll have to do n and we're not going to talk about that in this video so in general for site to site connections we are connecting between two routers that we control so we're managing both ends or Our IT department or whatever we know what Hardware routers we're using in general they're probably all going to be the same brand maybe the all the open sense microt Tech whatever we know all of the subnets involved because we're setting it up we're setting up most of them and we're going to use largely static routing or dynamic routing to get these large routes across so we can route across all the different sites from the end users perspective they're just connected to a network and it's the router's job to deal with the sight to sight encapsulation decapsulation so we have a lot of flexibility in protocols here because we're in control of both ends we can choose uh protocols that run well on our Hardware we can choose cryptography that's fast on our Hardware up to our security level that we desire we don't have to worry about large numbers of users and passwords because we're again controlling both ends both sites so we can add certificates to both sites and automatically regenerate them with our business automation we don't have to deal with users and let users deal with configuration so in general sight to sight tunnels are the simplest to construct and we have the most protocols available to us so next typology I have we're going to call client 
access so we have a client and we've installed the VPN software directly on the client so our tunnel is going to go directly from the client to in this case our headquarters so some software on the phone is directly establishing this tunnel for applications to use that way our phone can access the application server can access all the stuff at headquarters so to do this we have to give our client an IP address on our tunnel Network so in this case we might take one subnet out of our 48 and use that for the tunnel so in this case the tunnel Network would be 2a1 so in this case we took the Fe subnet out of our headquarter subnet and we took a single address out of that to give the phone and for all packets going to 2801 db8 48 it needs to Route them via the tunnel which will get it to the application server now as for the return path this one address ends up in the routing table on this router via a specific VPN pier and the phone needs to know that when it's going to send stuff to 21 db8 it has to use its tunnel address as the source address it can't use its public address because that would go over the public internet of course all of this works with ipv4 as well you end up with the tunnel subnet you end up with the routed subnet over here Etc with V4 though you have the possible concern that if I use the tunnel submit of say 192.168.1.1 that the mobile phone's public address could also be 192.168.1 something and these would overlap in community a wouldn't work so that's one of the reasons to choose V6 so with client access we're dealing with hundreds or thousands of devices connecting to our network if you watch my channel you're probably not at the hundreds of thousands scale I would guess so these devices could be company devices that could be company laptops company phones then we're setting them up with a mobile device manager and we can push configs out to them pretty easily but they could also be personal devices especially if you're doing this as a home lab 
and so if these are all of your family's devices do you want to be going in and installing ing a VPN software on all of them do you want to be configuring that VPN software and do you want them to have to bring it to you every time it breaks so these are some considerations we have in choosing the protocol we're going to use for client access vpns on the server side we also have to deal with a large number of tunnel sessions to all of our different client endpoints because every single client is a separate tunnel endpoint instead of just the router on the other side we're going have a large routing table to deal with this and we're have to deal with user authentication for all of these users whether that's usernames and passwords or certificates or something like that and so this means when we're choosing software for client access it's more than just does the protocol work we also have to consider all of these other features the protocol might provide does it have apps for all the platform does it have the authentication types we want does it work with active directory does it work with the certificates we're using and so it's much more complicated choice for client access so last typology I've got for you we're going to call a server Access VPN this is the type you see getting shied on YouTube all the time so in this example I want to send a packet to some server on the public internet but I don't want it to look like it came from me so I call up a VPN company and they give me a tunnel address on one of their servers and then we create a tunnel so now I have a tunnel from my phone to the VPN server and I have an address on the VPN server this might be a nated address on ipv4 or it might be a nated address in V6 or part of their V6 subnet depends on the provider so now I send my packet through the tunnel so it actually goes out to the internet to the VPN server then the VPN server is going to do Network address translation to make it seem like it came from the VPN 
server itself then it's going to send it on to the public server and the reason we do this is because here we get the address of the VPN server as the from so it doesn't know that we actually connected from all the way over here now there's some legitimate use cases for this so in this example 2 A1 that's a prefix out of the EU so this would be somewhere in Europe and the phone is at 2601 that's a North American prefix so the public server here is going to think I'm in Europe because of my prefix there are other there are other reasons you might want to do this but this is a one of the legitimate reasons to do this so for a server Access VPN we could either run the client on our device directly phone laptop whatever or we could run it on our router and choose clients to network address translate or assign addresses on the tunnel Network to send over to the VPN provider this can get to be a quite complicated setup but I'll go over some basic examples in this video in this case we're stuck with whatever ciphers and software our providers have chosen most of them support openvpn and wire guard those are very common so now that we understand our topologies let's look at the choice of software we have that I'm going to cover in this video so our first Challenger today is wire guard you've probably heard of it it's a very common protocol in the home lab space now so now I'm going to set up three different types of tunnels using wire guard the first is going to be a sight to site between my home and a remote server the second is going to be a client Access VPN home and the third is going to be a server Access VPN to a VPN Provider from my home so let's jump into the side to site so here I have two open sense systems and for your benefit one is white and one is black so the white system this is my actual system at home that I'm actually using and the black system is a remote site that I have set up in hner cloud and Helsinki so we are going to try to connect this remote 
site back to my home site and Route subnets across them so with the latest version of open sense 24.1 wire guard is installed Now by default so you no longer have to install it and so on each side we need to set up an instance and we need to set up peers so in wire guard terminology instance is an interface this is the tunnel end point and a pier is a remote connection so my instance has its own public and private key pair and then I take all of the public keys of all of my peers and allow them to connect to this instance so we're going to connect to instance so site to site we need to generate a new key pair here's a public and private key we're going to listen on a recommended Port 51820 if if we come back to our diagram like this the tunnel itself is creating a network interface at each end so on this router it has an interface and we need to give those interfaces IP addresses so we could give them something out of our subnet or we could give them something like fe80 col one on this side and we could do the same on the other side f80 colon colon 2 and so that's part of a 64 so then this particular fe80 con 2/64 would be the tunnels interface could also use a Ula instead so like FC one we do fc0 2 doesn't really matter these interfaces are only used to address each end of the tunnel directly we're going to end up using them as our gateways so for this example I'm going to use fc001 64 so this is my address and the tunnel submit is a sl64 we'll add peers later and we'll save that enable wi guard and apply so now on the other side we do the same thing wire guard instances new instance generate a new key so now we need to exchange our peers across so if I go and edit this I can copy my public key here cuz I'm going to need it and then we'll close that come back over to the other system and let's add a pier and I need to copy and paste in the public key so allowed IPS so these are going to be the remote IPS of the pier so in this case it's using so that's the remote 
subnet we're routing going be side to side instance if we know the IP of the other side we can put it here uh we know the port is 51820 and so in this case it has a domain main name it's a VPN L1 if you don't have a static endpoint address then only the other side can initiate a connection I missed the equals on the end there we go so now we have a here now we need to do the same for the other side so we need to copy our public key here the whole thing we go here so next up we need to create a firewall rule to allow this traffic to come through on both the wire grid interface and on the WAN interface so we got a rules Wan and we'll add a rule and so we'll say anything can come in on V6 that's using UDP and destination Port is going to be 51820 and make sure you do that on the other side as well so now we've created a r on W but now we need to allow traffic on wire guard so our options here are to create wire guard as a group so this will affect wire guard um packets the other option is to go to interfaces assignments and create a new interface on wire guard but that's not necessarily required if you want to do policy routing it is if you just want to do route based routing it's not I'll explain what that means a little bit later but we're going to not create an interface today and so we're going to go to firewall rules wi guard group and we'll add a rule that for now I'm just going to say pass all V6 and I'm going to do that on the other firewall as well so now let's try to Ping across yes so we're getting pings we do a trace route here we go so we hopped across the tunnel so my address is fc2 so fc001 is the other side of the tunnel and then this is on the remote subnet at home so we took the tunnel and that was pretty easy so that was a pretty simple sight to site setup so in this case we're relying on routes when we configure a pier we specify what routes are available via that Pier so that's going to be the tunnel address of the pier so in this case the fc001 
64 but also all the other subnets we can get to Via that Pier when wire guard starts the tunnel it installs these routes into the system routing table that say when you have this specific subnet route it via wire guard so this is a route based system you come over here and look at System Route status so you can see 26014 this guy sl60 he's going via wire guard zero and so this means we're not using firewall policies to deide what goes over the tunnel we're just saying all traffic for that destination goes over the tunnel and the firewall policy will have to allow or deny just based on those address ranges and for Sight to sight riding this is usually what you want you're going to just have the VPN tunnel responsible for the entire subnet use your firewalling to limit who can get to the tunnel who can come out of the tunnel as you normally would next up we're going to do user access I got my phone here to be my remote side I'm going to use my phone over cellular so we're not using the same internet connection and uh yeah let's get that started so coming back to our client access drawing we again need to give addresses to both sides so this side we were going to give them out of our prefix so this is going to be part of the prefix for the mobile phone and the other side also needs an address so we need to define a subnet for this tunnel and for this example I'm going to use 26014 4 e 8102 CCC okay I'm not using one so this is going to be my Subnet on the link this is globally rounded able so if my clients get a wire guard address they're allowed to Route all the way out to the internet if they want to if I wanted to make this local only I could use a Ula address for this so like [Applause] FD I could randomly generate a Ula using a Ula random generator that would restrict me to only routing within my own networks or I could use a global address if I want to give these guys internet access via my route so I'm use this and then my tunnel endpoint on the server side is 
going to be col col one and my other sides are going to get randomly generated so again we come back to instances we can have more than one instance of course so just going to create another instance here this is going to be my client access instance we'll generate a key pair we're going to listen on Port 51821 because we're already listening on 51820 and my tunnel address is going to be 2601 currently have no peers and let's go so now to create our Pier instead of going to peers and adding each other we're going to use the peer generator so this is a feature that will generate the configuration file for client based on the information we specify so I come here and I type in my endpoint so this is how the client is going to address the server so it's my DNS name and my port this is the name of the client and then we have a public key and a private key this is automatic randomly generated we have to give it an address so it already filled in the subnet and we just have to fill in the next part so we just say two and now allowed IPS so allowed IPS are what traffic will Traverse the tunnel from the client side so these essentially get added as routes over the tunnel on the client so if we say 0.0.0.0 and colon col0 that is a default route so all traffic on the client is going to come over this tunnel that'll be a full tunnel if you want to send all of your internet traffic home this is what you would use if you don't you would put in the subnets you want to come across the tunnel if you want to be able to have both a full tunnel and a split tunnel and choose between them you'll have to create two peers add them as two Pier configurations on your phone and switch between them on your phone wi G doesn't have other way to uh configure this let goinging back here in this case I'm only going to send this subnet so slash 60 so that encompasses all of my networks here's my DNS server and there's the config and now we have to QR code and we have to add it and before we're 
done we have to make sure we say store and generate next because if we don't store it it's not going to store it and that's going to be frustrating so now from the app I say add tunnel from QR code hold up the QR code name it home allow wire guard to add configurations and there we go we can add it so now I'm going to click store and generate next at this point so it's going to store this configuration there we go so now generated a new one randomly if we go back to peers you can see my phone got added and it got added to client access instance so now that it's actually here we can apply and it'll actually work so now let's generate a full tunnel Pier so let say full tunnel we're going to say colon colon zero and also V4 um V4 traffic might not like that but uh we'll see we're going to give this guy the address three so I already have home so we'll turn off the home VPN and let's do a QR code again and this will be home ft full tunnel to enable that one so now you can see we got pushed route that's everything so all of our traffic should go over this tunnel DNS we're going to look for google.com Trace that a V6 address let's go so my first top is my home router and then from there I'm leaving and I'm coming as if I was at home so now if I turn off the tunnel what would my normal trace route be like so it looks like my service provider is using Ula addresses internally which is not great but then we end up in AT&T so that's the second mode of wire guard wire guard is also capable of the third mode server access so let's set that up next so here again is our reference for Server access so this is going to be our VPN provider or could be us if we set it up oursel for this example I've used a VPN provider that does not shill on YouTube so maybe you've never heard of it but they have V6 support for my mobile phone I'm going to be using my own router and for the public server I don't know I'll try to find some site that's blocked in the US we're just going to set up my 
home router to connect out to VPN provider so with whatever provider you use you have to get a wire guard config file from them then we're going have to pull that information out and type it in over here where do we want to exit let's exit from Stockholm in case you didn't know Stockholm was in Switzerland so here is what they sent they called it immune python they just generate a random name they generated a private key for me they gave me the public key of their server they gave me an address in the 10 range so this is going to be a carrier grade n address they gave me a V6 address in the FC range this is a Ula so they're also going to be doing v6n and they gave me net server and then their public server is at this location at 23 dohol on the standard Port 51 a20 so make a new instance for this call [Applause] this you can have more than one of these set up at a time if you want to so now I need the public key and the private key let's copy and paste in the private key so next up I need my tunnel address that's going to be these two guys here we'll copy and paste that in and we have no peers yet so in this case I'm going to say disable routes because we're going to use policy based routing to decide who goes over this tunnel so now let's add our Pier so this is going to [Applause] be Stockholm we need the public key from Stockholm and and we're going to allow all IPS in the tunnel so endpoint address is the IP address and endpoint Port is 51820 this is going to be for the server Access VPN and let's save that so now we have the tunnel established and it's wg2 because they're sequential so now I'm going to make an interface for this so I'm going to go to interfaces assignments I'm pick on wg2 and we're call This Server access dool so I'm just going to enable this interface it's on W wg2 and we're not going to select anything else so next up I'm going to create a Gateway so this will be a Gateway configuration so I have my existing Upstream gateways and we'll add 
two more that's going to go out on Stockholm and we're going to take our own IP address and just go off by one so it's a far Gateway we're not going to monitor it and it is not a default gateway candidate then we're going to do the same for before one last thing is because our vpm provider only gave us a single address that it routs 32 and 128 we have to do Network address translation and everything that's leaving to mate as these two addresses V4 and V6 on to firewall n outbound so I have set to hybrid that's what I usually use so let's create some rules so interface is going to be the server access if we're on V4 so targets going to be the interface address and it should be good I'm going to do one more for V6 as well I know V6 is not often added but it's kind of required in this case and then we will apply these guys so at this point we've created the wire guard tunnel now we need to tell traffic to go over this tunnel in past examples we use subnet based routing where we would have a specific subnet that would go over the tunnel so for client to access the client would have our land subnets it would send all of that traffic over the tunnel or it could do all traffic in a full tunnel for a sight to site we would put the subnets of each site in the config it would route this is route based for this type of VN I'm going to set up policy based this means that by fault no traffic will take the tunnel and in order to have traffic take the tunnel we have to have some rule in the firewall that tells it that traffic should take a different path than normal so let's set that up now so I have a virtual machine here this is going to be our victim I guess we'll call it so we're going to try to Route this over the tunnel so we're going to do by Mac address I'm going to take this Mac address and to make an alias for [Applause] it it's going to be a host Mac address so now we found all the IPS of the test server so we can write rules with this Alias so going to say rule On LAN 
We'll add a new rule. We're going to say when traffic comes in on LAN that is either v4 or v6 and the source is the test server, so if the traffic came from the test server's IP addresses, then we're going to go down and we're going to set the gateway to VPN v4. And actually I'm going to need two of these rules, for v4 and v6. So remember, rules are processed in order, so we want to put these rules somewhere in the middle, probably. I would probably put the rules that allow access to other things on my network first, then after that my redirect rules, and then after that my blanket allow/deny-all rules. So it looks like we got v4; we do not get v6. That's a little bit unfortunate. So now you do policy routing in OPNsense. It's a pretty powerful tool aside from just this, because you can send individual clients to different places over different gateways, but this is a pretty big use case for policy routing.

So for most people in the home lab and small business space, WireGuard is probably the solution you want to get started with. It's very easy to pick up, simple to set up, things like that, but it does have some downsides. So let's take a look at a hypothetical scenario where WireGuard would have a lot of problems. So I, apalrd's adventures, in this example do business in Europe and the US. So I have two VPN servers, one in North America, one in Europe, and I want my phone to be able to connect to whichever one it's physically closer to. Makes sense? So in the US, say I have 2601:db8::, that's my prefix, so I break that down for all my business sites, and in Europe I get one from RIPE and it's in 2a01:db8::, so that's my European prefix. Then I have an anycast prefix, in this case 2001:db8::, and that's the address of the VPN endpoint itself; all my public websites and stuff, those can anycast in the third prefix. So when my phone is connected to North America, I need to have an address that starts with this VPN prefix out of the North American server, so 2601:db8:: something like that, but then when I
travel over to Europe, I need an address out of the European prefix, so 2a01. So notice how this is different. So with WireGuard there is no way to push configuration to the client; you have to do that on your own, either manually or using some other service that manages WireGuard for you. So in this case I have my two VPN endpoints and they need to have a separate IP address depending on which continent I'm connecting to, so I'm in the right prefix. If I just gave every single client a unique address, I could do that, then I have to have my interior gateway protocol route to the correct VPN server based on where the client's connected, and that becomes a nightmare. So the clients should have IP addresses out of the prefix of their server, and with WireGuard that doesn't happen. But there's more to it than just that. So let's say I somehow solve that IP address problem, probably using NAT, network address translation, which is a nightmare on its own. But now what happens when I have a thousand of these phones? So now I have a thousand sets of WireGuard public keys that need to go into both of these servers, and if both of these servers are pretending to be the same server, then I have to put the same private key on both of these servers, and that means that compromising either of these VPN servers compromises the configuration I've already established on all my clients. So remember, WireGuard does not use certificates when it authenticates; it uses bare elliptic curve Diffie-Hellman. So it uses Curve25519, which is cryptographically very secure, but there's no additional information, there's no expiration date, and so if we put this server public key in all of our thousand clients and our server was compromised, those clients are essentially compromised forever until we can rotate that configuration file out, because there's no way to automatically deprecate that certificate. So if we were to use certificates to authenticate the servers, we could rekey the servers every night with a new
cert. Each server could have its own cert, and if one of the servers were to be compromised, we rekey the server, the cert will expire, say, the next day, and because the clients trust the authority and not the individual cert, the cert will time out and it'll be safe again. And likewise it'd be nice if we could do that same cert dance with a client. So if the client had a cert, then these guys wouldn't need a complete list of every client's public key; they would just need the cert that issues client certs to trust, and then they'd be all set. So really we need a VPN solution for users that solves these problems instead of just pushing them onto us in our business automation. WireGuard is great at cryptographic security, but it essentially does nothing else; it's pushing all of that work onto us. And OpenVPN takes a very different approach; it solves a lot of these problems internally. So let's take a look at setting up an OpenVPN solution for client access.

So we're back at my test system in Helsinki, and let's set up OpenVPN. So there used to be clients and servers, but now there's just instances, so eventually these two legacy ones will go away. So let's take a look at what we have in here for configuration options. So despite the lack of client and server terminology, OpenVPN actually does have server mode and client mode in its configuration, so we will have to choose server or client for this. That's different from WireGuard, where everyone is just a peer. So we're going to set up a server. So our role here is a server, a client access server. Here we have the ability to choose UDP or TCP, and we can further specify that we're only going to support v4 or v6 on the underlay. So we're using UDP; there is a common port number, and it is 1194. So server v4 and server v6, these are the subnets we're going to use. So we're just going to leave v4 empty, because I'm not using v4 in this example, and for v6 I'm going to use fd69:... So the server itself is going to take the first address here, so it's going to take
::1 and then it's going to give out the rest to clients. So next up we have the certificate and the authentication section. So OpenVPN supports one type of authentication for the clients to verify the server, and that is using an X.509 certificate. This is the same type you'd use for TLS, so you can use the same sort of mechanisms you use to distribute your TLS cert to distribute an OpenVPN server cert. For clients we have two options: either we can use a client-side certificate, which is very similar to a server certificate, or we can use username and password, or we can use both. So those are the options for authentication here. So we need a cert for the server to present to the client, and the only one we have is the web TLS cert. So if we go on a little detour, we can go to System > Trust > Authorities. We can make a new authority here, and so we'll call this our client VPN authority, and we're going to create an internal one, and we're going to use elliptic curve 384, and lifetime... that's pretty long. I mean, you can pick whatever you want for a country here, but this particular server is in Finland. So then we can create a new cert based on that new authority. We're going to sign it with our VPN authority; it's going to be a server certificate; we're going to again use 384. So common name here, this is the name we sign the cert with; you can add more alternate names if you want. Let's go. So now I have my VPN server cert. So that brings us back here, so we can now pick the server cert. I'm not doing revocation lists here, but it does support them. So next, verify client certificate. So we can either require it here, which means that we're going to use client certificate authentication, or we can say none, which means we're going to use password authentication. We can do both, in which case we have to do require and authentication, but we can't do neither. So we either have to verify client certificate or we have to set up the authentication section for usernames and passwords. So I'm going to say none for this example. Now we get down to
authentication. So here we can choose to either use a local database or a RADIUS server, but I don't have any RADIUS servers configured. Taking another detour, we can come over here to System > Access > Users and Groups. So I'll create a group for VPN users, and we'll just save that. So currently no one's a VPN user. Then I'll come over here and create a new user for apalrd and a password. So we're going to say no login, and we will be a member of the VPN group. So now we have a user apalrd; it's a member of the VPN group. So back from the detour, we're going to say local database and we're going to say VPN group. And so strict user CN matching, this means that if we use certificates and authentication, the user's cert has to match the username. So if the user has a cert that has a name of apalrd, they have to log in for authentication with the username apalrd as well. In this case I'm not using client certs, so I'm going to turn that off. So here we can put the list of our subnets that we want to push to the client. So remember back in WireGuard we had to specify in the client configuration what the subnets were that we could access via the server, so whether this was all of our subnets or just our local subnets. With OpenVPN this is configured by the server and it's pushed to the client when the client configures, so we can change this later if our network topology changes without messing up all of our client configs all over the world. So we'll say we're going to use that prefix; you could also do something like that if you wanted. We have some additional options here if you need them; the descriptions of all of these are in the OpenVPN docs, and you can also push DNS servers to clients if you want to. So now before we connect our client, we need to go to the firewall rules and make sure we allow OpenVPN traffic into the firewall and also that we allow our clients to go places. So Firewall > Rules > WAN. So we need a rule that will allow traffic to come in on port 1194. So we're going to pass traffic that
came in on the WAN, IPv6. It's going to be UDP, any source, destination is going to be the WAN address, and port is going to be 1194. We'll save that. And now in OpenVPN we need to allow the traffic to go somewhere, so once it comes in from the client we have these rules. So in this case I'm just going to say allow v6 any for testing, but we could be more restrictive if we wanted to be. So I'm going again to use my phone as the client. Let's get the client configured and see how that works. Go down here to Client Export. So we're going to choose our server; here's our export type, usually file only is what you want. So next up we need the name and the port that it should access us by. So in this case this is my Helsinki VPN and we're on port 1194. So we're going to validate server subject; that means that the client is going to validate the server certificate. So down here we can choose which certificate we want to use as the client cert. So in this case OpenVPN server is actually our server cert, so we really don't want to export this one. If we had any users that had a linked cert, it would tell us here and we could download that, but since I'm not using user cert auth, I'm going to exclude the certificate. So we'll download that. So here's what the file looks like. So it starts with a configuration section, and so the remote is the server side, and then it has the certificate of the certificate authority that issued the cert for the server, so we can validate that. So now I've got to send this .ovpn file over to my phone; we can get started from there. So over here on the phone we need the .ovpn file. You can either email it, which is less secure, because if your email is compromised then they have the file, or you can share it over, I don't know, whatever methods you have of sharing files. Okay, so I added the file. We're going to add it. So profile name, it's fine; username, I'll remember my username but not my password; we have no certificate, and we can say connect. So now it asked me for my password and we're up. So it gave me
the address fd69:beef:cafe:1::1000 and the server public IP; that's the IP of my VPN server in Helsinki. Yeah, so I'm able to ping across the tunnel now to the other side.

So unless you've been living under a security rock for the past few years, like probably most businesses in your area, you probably know that it's best practice to use multi-factor authentication for anything that users touch. Now if you've been following along, I've done four setups so far, three with WireGuard, one with OpenVPN; none of these use more than one factor. So in general we pick two out of three from the following factors: something that you know, something that you have, and something that you are. So something you know would be a password, something that you have would be a file on your computer, something that you are would be biometric. So in all of the WireGuard examples we only have one factor, something that you have; that's your private key on your computer. WireGuard does not provide any other way of doing this, just with private keys, so we can't really add any other factors with WireGuard itself. We could use some other solution that hacks it together, but WireGuard was not designed for this. In OpenVPN, though, we could have two. So currently we just have one, and that's our username and password, so something you know, but we can add a second one pretty easily by adding a user certificate. So I mentioned before that you can use either certificates or username and password or both, and if we have both we get our two factors. So then you have the certificate file on your computer and something you know, your password. So let's set that up. So this one's pretty simple; I just have to go into my user account and give my user a certificate. So we'll add a cert for him. If you already have a hardware security module or something like a YubiKey, you could generate a CSR from that, but we're going to create one from our VPN authority. We're going to use elliptic curve 384, common name is our username, apalrd. So now
our user has a key, the firewall has stored it, and we can use it in OpenVPN. So I come back here, Client Export; I have all the same information I had earlier, but now instead of saying excluded certificate I say apalrd. It'll generate an .ovpn file with apalrd's certificate in it. Now this provides a new challenge, and that is how do we get this file securely to our end user. We could email it, but then if we have an email breach, the breaching person would have the certificate; they could potentially put that together with a password and get in. When we exported before, all we had was the public certificate of the server's root, so there's nothing special about that generic file I used last time. It just contains the address and the port number of the server, which is probably already on Shodan anyway, and the root certificate from the certificate authority, which is already public as well. So you could post that file on your website and tell your users, download this file, log in with username and password; it would work. But then we're still at one factor, the username and password. So we could go to certificate authentication, which is really good, by the way; you really should be using certificates, and that's another option. But a third option that's also popular these days is time-based one-time passwords, or TOTP, and that's also supported in OPNsense. So let's set that up as well. So we're going to create a new server here for access. So you might remember we have local database that we've already used. So we're going to make a new one, and these are all the different authentication providers that OPNsense supports. So you could use LDAP if you want to link to Microsoft Active Directory, you could use RADIUS if you want to use a RADIUS back end, and you can merge these with time-based one-time passwords. We're going to do local plus TOTP. So token length, this is how long your TOTP token is; usually it's going to be six. So essentially, with the way OPNsense does TOTP passwords, you're going to type in
your TOTP six-digit code and your password together in the password box, so you can either put it before or after, whichever one you want. So I'm going to leave it as the default, which is before, and we'll save that. So now to give my user a time-based one-time password, I can come here and edit him, and down at the bottom we can generate an OTP seed. So this is a 160-bit secret that's used to generate the OTP key. So we'll save that, say generate a new secret; once we save it'll generate this secret. Now this secret is secret, so don't let it out in the wild. So we'll save that. Now I can come down here, and if I unhide it, I've got a QR code, and this will let me provision my TOTP app for this user. So once you've done this, the person can scan their QR code here to set up their phone with their authenticator app. Now every time they log in with a username and password, they stick their TOTP at the beginning, then their password. So now they have two factors: something that they have, which is the authenticator app on their phone, and something that they know, which is their password.

So now we understand everything there is to know about picking a VPN protocol, right? Basically we use WireGuard when we can and we use OpenVPN when we must. But it is not nearly that simple; there's a big elephant in the room hanging over WireGuard, and that is crypto. WireGuard, in its infinite simplicity, is built on the Noise protocol framework, and one of the key tenets of Noise is that you decide your cipher suite ahead of time; there's no negotiation of ciphers. Now the Noise protocol supports a lot of different ciphers, but the designer of the application based on Noise has to choose one of them, because it doesn't negotiate, and for WireGuard those designers chose ChaCha20-Poly1305. That's an AEAD, or authenticated encryption, cipher. Now these choices on their own make a lot of sense. ChaCha20-Poly1305 was proposed by Google primarily to secure TLS connections on mobile devices which did not have hardware AES support;
because of the nature of ChaCha it can be accelerated very quickly with vector and matrix multiply units in modern CPUs, and so that means it's about 10 times faster than AES, everyone else's favorite encryption algorithm. But it's only 10 times faster if you don't have AES hardware instructions. So pretty much every x86 device made in the last 10 years or so has the AES-NI instruction set, and a lot of ARMv8 devices, especially mobile devices, have the AES crypto extensions as well. So if you have hardware AES support, compared to software matrix ChaCha support, you're looking at the opposite: AES is about 10 times faster than ChaCha. Now if you're just pushing gigabit through your home lab, that probably doesn't matter to you, but if you want 10 gig, 25 gig or higher, you're going to have to start looking really hard at how much CPU it takes to do all of this crypto work, especially if you're doing something like data center scale or business scale at that kind of bandwidth. The crypto work to do ChaCha just gets really, really high, and so we have other options: the old favorite, IPsec. So in case you want to know how to set up an IPsec tunnel site-to-site using AES for blazing fast encryption, let's get that set up over here.

So I've got my two systems again, and again I'm going to start over here on the Helsinki server, and VPN > IPsec. And now we need to generate key pairs. So IPsec, unlike WireGuard, supports a lot of different encryption algorithms, but it also supports bare public and private keys just like WireGuard. That's the simplest to set up, so that's what I'm going to use for my site-to-site tunnel here. It does also support certificates, usernames and passwords and a whole bunch of other things, but this is the simplest; that's what I'm going with. So I'm just going to come over here and generate a key pair. So I need to make a new one. I have some options to choose; I could choose RSA or elliptic curve, and I'm going to use P-384, that's a pretty common NIST-approved key, and we'll say generate. Now I'm
going to copy the public key, so we'll save that. I'm going to come over here and paste it in. So again that's an ECDSA 384-bit key; I'm just going to paste in the public key and save. So now over here we have the private key and over here we have the public key. So from here on out the setup is completely identical on both sides, so I'm only going to walk through it on one system, but where it says local and remote, just flip those on the other side. So we're going to set up the connection here. So we need to create a new connection. So here in proposals we get to choose our cipher, and there are a lot of choices here, and the one that I like is AES128-GCM16, SHA256, Curve25519. So local address and remote address, this is the public address of our tunnel on the global internet. Also, fun fact, because of a bug in FreeBSD we can't put IPv6 addresses here, so that's fun. So once we hit save we get these boxes down here: local auth, remote auth, and children. In its infinite flexibility, IPsec and the key exchange protocol IKE let us choose a different key exchange algorithm for each side of the connection. So essentially the two peers initially do a Diffie-Hellman key exchange just to open a secure tunnel, so then they can exchange their real keys, then they can authenticate each other, and then they can generate their session keys. It's very complicated, and we can choose a completely different algorithm to identify each side of the connection. Local is the authentication method that our system proposes to the other side, and remote is the authentication method that we use to authenticate remote peers. In this case I'm just going to use the public/private key pair I already generated, so let's set that up. So I am local; I am going to use a public key and I'm going to use the Helsinki key. And for the remote side I'm going to also use public key, and I am going to select the home key; that's my other side of the tunnel. And finally we can add children. So the big things to set up here, these are the networks
that we have on our local side and our remote side. So in this case I'm going to use the fd69:beef:cafe subnet, and on the remote side I have 2601, that's my remote subnet. These essentially get created as routes once the peer comes up. Now it's important to stress here that it's once the peer comes up, so if the IPsec tunnel is not established, these routes won't be in the kernel and the traffic will just go off onto the internet, probably using the default route. So if you're having problems, the traffic isn't going the right way, check and make sure that the connection is actually established. Look at the logs for charon, that thing; the strongSwan people thought they were funny, I guess, IPsec is the, uh, [...] of the dead, I guess, the dead protocol. So then we can save here, then we can enable IPsec and save again. Now IPsec needs a couple of different open ports; it's not as simple as just one UDP or one TCP port. In particular it needs UDP port 500, which is ISAKMP. It probably will also need UDP port 4500, which is for NAT traversal tunneling, and it will probably also need ESP. Now ESP doesn't have a port number; it's kind of like, it's a layer four protocol like TCP or UDP. So in the dropdown where you see TCP, UDP, there's another one for ESP; you just allow that. And of course an IPsec section also appeared, so we need to create rules for where the IPsec clients can connect. I just have an allow all for now. So eventually you come to VPN > IPsec > Status Overview, so phase one and phase two should both come up. So essentially phase one means that the other side of the connection has established an IKE tunnel; that means that the two are talking to each other to negotiate connections. Doesn't mean the connection's up; it means that the IKE connection is established, not the whole IPsec. Phase two means they've successfully negotiated and they've connected and the routes are installed. So you need both phase one and phase two to be up, and if you're having problems you can come here to the log file,
set it to a relatively low level like informational, and you can see data from charon. So a few other positive things to say about IPsec: it uses AES, which is FIPS certified if you need to be in all that government compliance stuff. It's a bit of a lowest common denominator protocol; pretty much all IT vendors should support IPsec if they support any sort of VPN. It's been around for a long time, and there are implementations in most operating systems built in: Windows, macOS, iOS, they all have IPsec built in. So with OpenVPN or WireGuard you have to download an app. It's also capable of pretty much everything OpenVPN is for client access: you can do certs, you can do username and password, you can push IP addresses and routes to clients, all that kind of good stuff. That said, I still think OpenVPN is a better choice because it's easier to manage.

And so that leads us on to our last protocol today. What if you want to create a tunnel between two locations but you don't actually need encryption, you just need the tunneling bit of it? That's where IP-in-IP, GRE, VXLAN, that's where those come in. So you'll notice here under the VPNs we have IPsec, OpenVPN, WireGuard; I've talked about these, and these other ones I'm mentioning now aren't VPNs, they're under Interfaces > Other Types. So the other types we have here are VXLAN, GRE and GIF. So each of these is a little bit different. So first VXLAN. VXLAN is a tunneling protocol that tunnels layer 2 MAC frames, so it emulates a VLAN over IP. So if you need to span a layer 2 subnet across multiple sites, you can use VXLAN to do that. You can run it over a WireGuard tunnel or an OpenVPN tunnel or whatever, but it's basically tunneling layer 2 MAC frames in layer 3 IP. Next on the list we have GRE. Cisco is a big fan of this, so if you integrate with Cisco, GRE. It's basically going to, again, encapsulate layer three or layer two frames within a GRE header within an IP frame. And the last one is GIF, which actually implements the IP-in-IP protocol. So in this
protocol we take an IP header and then we just add another IP header right on the end of it, so we don't even have a tunnel header; we just have the two IP headers nested. And so this tunneling protocol is used in, like, 6to4; if you're doing like a Hurricane Electric tunnel, they'll use this protocol. It's a very simple protocol. So I'm going to set that up between my two sides. So GIF, great, tunnel. So for the, uh, so for the IP-in-IP tunnel or GIF we need the parent interface; this is what we are going to use to tunnel traffic on the local side, so in my case that's WAN. We need the address of the remote side, our local IP and the remote IP, and this is just for the tunnel network; this isn't the traffic that's actually going over it. Coming back to my site-to-site drawing, these are just addresses on the tunnel network; they're not subnets we have to route; we have to do the routing separately. Also, if you need IPv4 and IPv6, you can just create two tunnels. So now we can assign this interface as well if we need to. So gif0 is now an assignable interface, so let's go ahead and set that up. Then we can enable it, and the IP configuration's already done, so it's automatically created a gateway for me on the site-to-site interface. So that's nice. So now we can just create a route. So routes configuration, we're going to add a new route and we're going to go via the site-to-site tunnel, and then we just do the same on the other side. Of course we need a firewall rule as well, so in this case it's going to be IPv6 as the protocol, which is kind of odd, but it's IPv6 inside IPv6. So if you're using IPv4, ipencap.

So I hope you guys stuck with me on this long video. This is the next video in my OPNsense series, so I've done one on Zenarmor, I did one setting up OPNsense itself, now I've done OPNsense VPNs. So feel free to let me know in the comments what you want to see next on OPNsense, whether that's routing or DNS or something like that; all of those are up on the table. If you have
any questions about these setups, feel free to message me down in the comments. You can also message me on Discord; there's a link down below for the Discord as well. This video was not sponsored, so if you want to donate anything on Ko-fi I would greatly appreciate that; it obviously takes time to make videos that are an hour long. So hopefully you've enjoyed this content and found it useful; feel free to scrub through and reference it if you want. And, uh, yeah, I guess thanks for coming, and I'll see you guys in the next adventure.
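The "local database + time-based one-time password" login described earlier, where the six-digit code and the password are typed together in one box, as an added example that is not code from the video or from OPNsense. The block implements RFC 4226/6238 (HMAC-SHA1, 30-second step), builds the otpauth:// URI that an authenticator app reads from a QR code, and shows a verifier that splits the combined field, checks the password, accepts one step of clock drift and refuses to accept the same code twice. The user name, password, PBKDF2 storage, drift window and replay guard are my own choices for illustration, not OPNsense's internals; the seed is the RFC 6238 reference secret so the codes can be checked against the published vectors.

```python
# Added example (not from the video or from OPNsense): verifying a combined
# "<TOTP code><password>" login. Users, password and seed are constructed test
# data; the seed is RFC 6238's reference secret "12345678901234567890".
import base64
import hashlib
import hmac
import os
import struct
import time

STEP = 30    # seconds per TOTP step (RFC 6238 default; what authenticator apps assume)
DIGITS = 6   # the "token length" chosen in the authenticator settings
WINDOW = 1   # accept +/- this many steps of clock drift between firewall and phone


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(seed, int(unix_time) // step, digits)


def provisioning_uri(issuer: str, username: str, seed: bytes) -> str:
    """The otpauth:// URI an authenticator app reads from the QR code (seed as base32)."""
    secret = base64.b32encode(seed).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{username}?secret={secret}"
            f"&issuer={issuer}&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def make_user(password: str, seed: bytes) -> dict:
    """Store a salted, stretched password hash plus the raw 160-bit OTP seed."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "seed": seed,
        "last_counter": -1,   # highest TOTP counter already accepted (replay guard)
    }


def verify_login(users: dict, username: str, typed: str, now=None,
                 token_first: bool = True) -> bool:
    """Split the combined field, check the password, then check the code in the window.

    A code whose counter was already accepted is rejected, so a captured
    code+password pair cannot be replayed within the same 30-second step.
    """
    now = int(time.time()) if now is None else int(now)
    rec = users.get(username)
    if rec is None or len(typed) <= DIGITS:
        return False
    if token_first:
        code, password = typed[:DIGITS], typed[DIGITS:]
    else:
        password, code = typed[:-DIGITS], typed[-DIGITS:]
    if not (code.isascii() and code.isdigit()):
        return False

    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 200_000)
    pw_ok = hmac.compare_digest(candidate, rec["pw_hash"])

    matched = None
    for k in range(-WINDOW, WINDOW + 1):
        counter = max(0, now + k * STEP) // STEP
        if hmac.compare_digest(hotp(rec["seed"], counter), code):
            matched = counter
    if not pw_ok or matched is None or matched <= rec["last_counter"]:
        return False
    rec["last_counter"] = matched
    return True


# Constructed test data: RFC 6238's reference seed and a made-up user/password.
SEED = b"12345678901234567890"
USERS = {"apalrd": make_user("correct horse battery", SEED)}

if __name__ == "__main__":
    print(provisioning_uri("OPNsense", "apalrd", SEED))
    code = totp(SEED, int(time.time()))
    print("login ok:", verify_login(USERS, "apalrd", code + "correct horse battery"))
```

With the reference seed, the RFC 6238 vectors come out as expected (time 59 gives 287082, time 1111111109 gives 081804), and the base32 secret in the URI is the 32-character string that a 160-bit seed always produces. The replay guard is the part a practitioner should not skip: without it, anyone who captures the combined field once can log in again for the rest of the 30-second step.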
Info
Channel: apalrd's adventures
Views: 9,372
Id: Id-ztbnFmkU
Length: 64min 14sec (3854 seconds)
Published: Thu May 09 2024