encryption and protocol in openvpn

Protocol

SSL/TLS:
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), which is now deprecated by the Internet Engineering Task Force (IETF),[1] are the cryptographic protocols that secure the connection.

TLS and SSL do not fit neatly into any single layer of the OSI model or the TCP/IP model.[8][9] TLS runs “on top of some reliable transport protocol (e.g., TCP),” which would imply that it is above the transport layer. It serves encryption to higher layers, which is normally the function of the presentation layer. However, applications generally use TLS as if it were a transport layer,[8][9] even though applications using TLS must actively control initiating TLS handshakes and handling of exchanged authentication certificates.

Protocol   Published
SSL 1.0    Unpublished
SSL 2.0    1995
SSL 3.0    1996
TLS 1.0    1999
TLS 1.1    2006
TLS 1.2    2008
TLS 1.3    2018

TLS typically relies on a set of trusted third-party certificate authorities to establish the authenticity of certificates. Trust is usually anchored in a list of certificates distributed with user agent software,[35] and can be modified by the relying party.


encryption algorithm

RSA
RSA (Rivest–Shamir–Adleman) is one of the first public-key cryptosystems and is widely used for secure data transmission. In such a cryptosystem, the encryption key is public and it is different from the decryption key which is kept secret (private).
DHE-RSA (forward secrecy)
PSK-RSA
PSK
To build a key from a shared secret, a key derivation function is typically used. Such systems almost always use symmetric-key cryptographic algorithms. The term PSK is used in Wi-Fi encryption such as Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA), where the method is called WPA-PSK or WPA2-PSK, and also in the Extensible Authentication Protocol (EAP), where it is known as EAP-PSK. In all these cases, both the wireless access point (AP) and all clients share the same key.


cipher

AES-GCM, AES-CCM, AES-CBC, ChaCha20-Poly1305

AES-128 is a symmetric block cipher. SHA-256 is a hash function, used here as part of a message authentication code (HMAC). ECDHE is a key-exchange protocol, used during the handshake to establish the ephemeral keys that are then used with the cipher.


HTTPS

In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS), or formerly, its predecessor, Secure Sockets Layer (SSL). The protocol is therefore also often referred to as HTTP over TLS,[3] or HTTP over SSL.


openvpn-as configurations full tutorial

In this tutorial, we will cover all the OpenVPN configurations, from the OpenVPN client to the OpenVPN server. Clients include PC, phone and router; servers include Google Cloud, AWS and others. Then we will also learn a VPN connection test technique. For a visual overview, here is my YouTube video.

The whole tutorial is divided into 4 parts.
Part 1: The VPC, where our remote VPN server resides.
As a VPC example, let’s take Google.
Pricing for Google Cloud.
Static IP cost

Type                                                            Price/Hour
Static IP address (assigned but unused)                         $0.010
Static IP address (assigned and in use)                         No charge
Ephemeral IP address (attached to instance or forwarding rule)  No charge

Egress cost

Here is my actual GCP bill.

Product        | Resource                                                 | Usage                  | Amount
Compute Engine | Static Ip Charge in Japan                                | 296.62 Hour            | $4.43
Compute Engine | Network Internet Egress from Virginia to China           | 16.03 Gibibyte         | $3.69
Compute Engine | Network Internet Egress from Los Angeles to China        | 14.54 Gibibyte         | $3.34
Compute Engine | Network Internet Egress from Americas to China           | 8,878.51 Mebibyte      | $1.99
Compute Engine | Micro instance with burstable CPU running in Japan       | 9,460.08 Minute        | $1.45
Compute Engine | Micro instance with burstable CPU running in Virginia    | 7,801.22 Minute        | $1.12
Compute Engine | Micro Instance with burstable CPU running in Los Angeles | 6,201.73 Minute        | $0.94
Compute Engine | Network Internet Egress from Japan to China              | 2,591.20 Mebibyte      | $0.58
Compute Engine | Network Internet Egress from Japan to Americas           | 2,009.34 Mebibyte      | $0.27
Compute Engine | Network Internet Egress from Singapore to China          | 996.54 Mebibyte        | $0.22
Compute Engine | Storage PD Capacity in Japan                             | 2,884.21 Gibibyte-hour | $0.20
Compute Engine | Micro instance with burstable CPU running in Singapore   | 758.25 Minute          | $0.12
Compute Engine | Storage PD Capacity in Los Angeles                       | 1,415.42 Gibibyte-hour | $0.09
Compute Engine | Storage PD Capacity in Virginia                          | 1,300.55 Gibibyte-hour | $0.08
Compute Engine | Network Internet Egress from Virginia to Americas        | 103.90 Mebibyte        | $0.01

Machine type cost and disk cost:
Cost is based on the CPU cores, memory and GPUs you select. I am currently using 2 VPN clients, which doesn’t consume many resources; 1 vCPU and 0.6 GB RAM is enough.

Generally, the distance between your real location and your remote server has a big effect on your network speed. Actually, I found it’s a big deal. The connection between China and the east coast of America is fast enough for me to watch 4K video.

Part 2: The OpenVPN server
OpenVPN is an open-source VPN released under the GPL licence. But the OpenVPN-AS (Access Server) application from openvpn.net is not free. Anyway, you can build your own OpenVPN server from scratch, see this video. Or, you can use a script written by others to make things easier, see this video.

Part 3: The OpenVPN client.
We can find the private VPN client (not a free VPN service, offered officially by OpenVPN) on the openvpn.net main page, for Windows, Mac, Android and iPhone. Can this client use my own .ovpn file? Yes, it can! But you need to sign up for a private VPN account, which makes it annoying. Anyway, we can find the OpenVPN client for Windows on openvpn.net, and we can also find the OpenVPN client through Google easily.

Part 4: VPN connection test.
Have you ever seen that your IP address has changed, but you still can access the blocked internet? That’s why you should know how to test your VPN connection. I always set my router’s, phone’s and PC’s DNS address to OpenDNS, or another DNS, so I am sure my DNS traffic won’t go to my ISP. A DNS leak test will always help you out.


How to install and configure the OpenVPN client on an OpenWrt router

  1. SSH into your router (enter the command below in a terminal)
    • ssh root@192.168.1.1
  2. OpenWrt factory reset (this erases all existing settings)
    • mount_root
    • mtd -r erase rootfs_data
    • reboot -f
  3. install the OpenVPN client
    • opkg update
    • opkg install openvpn-openssl
  4. configure OpenVPN to start automatically at router startup
    • /etc/init.d/openvpn enable
  5. create and configure an OpenVPN instance (copy your .ovpn profile to the router as /etc/openvpn/client.conf first)
    • uci set openvpn.vpnInstance=openvpn
    • uci set openvpn.vpnInstance.enable='1'
    • uci set openvpn.vpnInstance.config='/etc/openvpn/client.conf'
  6. create and configure a network interface (tun, virtual)
    • uci set network.vpnInterface=interface
    • uci set network.vpnInterface.ifname='tun0'
    • uci set network.vpnInterface.proto='none'  # 'none' rather than 'dhcp': OpenVPN assigns the tunnel address itself
  7. create and configure a firewall zone
    • uci set firewall.vpnFW=zone
    • uci set firewall.vpnFW.name=vpn
    • uci set firewall.vpnFW.network=vpnInterface
    • uci set firewall.vpnFW.input=REJECT
    • uci set firewall.vpnFW.output=ACCEPT
    • uci set firewall.vpnFW.forward=REJECT
    • uci set firewall.vpnFW.masq=1
    • uci set firewall.vpnFW.mtu_fix=1
  8. enable forwarding (LAN to VPN)
    • uci set firewall.lanforward=forwarding
    • uci set firewall.lanforward.src=lan
    • uci set firewall.lanforward.dest=vpn
  9. enable forwarding (VPN to WAN)
    • uci set firewall.vpnforward=forwarding
    • uci set firewall.vpnforward.src=vpn
    • uci set firewall.vpnforward.dest=wan
  10. fix the DNS on the LAN interface, using OpenDNS (handed to LAN clients as DHCP option 6)
    • uci add_list dhcp.lan.dhcp_option='6,208.67.222.222,208.67.220.220'
  11. fix the DNS on the WAN interface, using OpenDNS
    • uci set network.wan.peerdns=0  # disables the DNS servers provided by the ISP's DHCP
    • uci del network.wan.dns  # deletes the previous list of DNS servers
    • uci add_list network.wan.dns='208.67.222.222'
    • uci add_list network.wan.dns='208.67.220.220'
  12. uci commit
  13. reboot
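Steps 3 to 12 above, collected into one re-runnable script for the router's shell, as an added example that is not from the original post. It assumes the post's own names and paths: the profile already copied to /etc/openvpn/client.conf, the default OpenWrt interface names lan and wan, and the OpenDNS resolvers. `show` prints the UCI batch for review before anything is changed, `apply` installs the package and applies the batch, and `verify` runs the Part 4 connection checks after the reboot: tunnel interface present, traffic to the resolver leaving via tun0, and LAN clients receiving the OpenDNS servers.

```shell
#!/bin/sh
# Added example, not from the original post: the OpenWrt client setup (steps 3-12)
# as one re-runnable script for the router's ash shell.
# Assumptions taken from the post: the .ovpn profile has been copied to
# /etc/openvpn/client.conf, the interfaces are named "lan" and "wan",
# and LAN clients should resolve through the OpenDNS servers.

OVPN_CONF="${OVPN_CONF:-/etc/openvpn/client.conf}"
DNS1=208.67.222.222   # OpenDNS resolvers, as in the post
DNS2=208.67.220.220

# Print the complete UCI batch on stdout. Kept separate from apply_config so the
# change set can be reviewed (./vpn-client.sh show) before the router is touched.
# Note: OpenWrt 21.02 and later use the option name "device" instead of "ifname".
uci_batch() {
	cat <<EOF
set openvpn.vpnInstance=openvpn
set openvpn.vpnInstance.enable='1'
set openvpn.vpnInstance.config='$OVPN_CONF'
set network.vpnInterface=interface
set network.vpnInterface.ifname='tun0'
set network.vpnInterface.proto='none'
set firewall.vpnFW=zone
set firewall.vpnFW.name='vpn'
set firewall.vpnFW.network='vpnInterface'
set firewall.vpnFW.input='REJECT'
set firewall.vpnFW.output='ACCEPT'
set firewall.vpnFW.forward='REJECT'
set firewall.vpnFW.masq='1'
set firewall.vpnFW.mtu_fix='1'
set firewall.lanforward=forwarding
set firewall.lanforward.src='lan'
set firewall.lanforward.dest='vpn'
set firewall.vpnforward=forwarding
set firewall.vpnforward.src='vpn'
set firewall.vpnforward.dest='wan'
add_list dhcp.lan.dhcp_option='6,$DNS1,$DNS2'
set network.wan.peerdns='0'
add_list network.wan.dns='$DNS1'
add_list network.wan.dns='$DNS2'
commit
EOF
}

# Install the client, enable it at boot and apply the batch. The two list
# options are cleared first so running the script twice does not duplicate them.
apply_config() {
	[ -f "$OVPN_CONF" ] || { echo "missing $OVPN_CONF: copy your .ovpn profile there first" >&2; return 1; }
	opkg update && opkg install openvpn-openssl || return 1
	/etc/init.d/openvpn enable
	uci -q delete network.wan.dns
	uci -q del_list dhcp.lan.dhcp_option="6,$DNS1,$DNS2"
	uci_batch | uci batch
}

# Post-reboot checks (the Part 4 connection test, done on the router itself).
verify_vpn() {
	ip link show tun0 >/dev/null 2>&1 \
		|| { echo "FAIL: tun0 is not present; check 'logread -e openvpn'" >&2; return 1; }
	# Traffic to the configured resolver must leave through the tunnel; otherwise
	# DNS queries are still going out over the ISP link (a DNS leak).
	ip -4 route get "$DNS1" | grep -q 'dev tun0' \
		|| { echo "FAIL: route to $DNS1 is not via tun0" >&2; return 1; }
	uci -q get dhcp.lan.dhcp_option | grep -q "6,$DNS1,$DNS2" \
		|| { echo "FAIL: LAN DHCP option 6 does not carry the OpenDNS servers" >&2; return 1; }
	echo "OK: tunnel up, resolver reached via tun0, LAN clients get OpenDNS"
}

# Any argument other than apply/verify just prints the batch for review.
case "${1:-}" in
	apply)  apply_config && echo "applied; reboot the router to bring up the tunnel" ;;
	verify) verify_vpn ;;
	*)      uci_batch ;;
esac
```

Run `./vpn-client.sh show` first and compare the printed batch with steps 5 to 11; `apply` then performs steps 3, 4 and 12, and `verify` replaces looking at the WAN IP alone with checks that fail if the resolver route bypasses the tunnel.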