Configuring a basic Road Warrior OpenVPN Virtual Private Network Tunnel

If you’re a road warrior like me, you’re often accessing the internet from insecure hotspots. Everything that traverses an open wireless network can be inspected by anyone in radio range, and even on password-protected networks you don’t control, your activity is visible to whoever runs the hotspot (trusted or otherwise), to their upstream ISP, and so on.

To help keep what you’re doing private, I suggest always using a VPN tunnel for all of your roaming activity. This guide shows you how to set up your own on a Linode for only $5 per month. That’s cheaper than paying a third-party VPN company, and you get unlimited usage for yourself and for whoever else you decide to give access to.

To be clear up front: the purpose of this setup is to give you a protected tunnel when you’re on untrusted networks such as hotels or coffee shops. It moves your trust from the hotspot to your own server and its hosting provider; it does NOT give you general internet anonymity, which is another reason people use VPNs. It does let you appear to be connecting from wherever your server lives. Linode has 8 datacenters spanning the US, Europe, and Asia Pacific, so you can pick one and your traffic will appear to originate there rather than from where you actually are. Another benefit is a fixed WAN IP address: all of your roaming traffic exits from the server’s static address, so you can lock down your own services to accept remote connections only from that one IP. Allowing SSH or an admin interface from a single known address is much stronger than leaving remote access open to the whole internet, though it complements proper authentication on the service rather than replacing it.


Let’s get started with the configuration:

This post assumes you already have a basic Linode running. The install below uses a community script and works on any Ubuntu server, not just Linode. Leave a comment if you’d like a full Linode setup guide and I’ll put one together.

  1. Remotely connect to your server (for example over SSH).
  2. Log in as root (or as a user with sudo rights).
  3. Download the installer and run it from the command prompt. The URL is a redirect to a shell script that will run as root, so have a look at what openvpn-install.sh does before you execute it (split the command in two if you prefer):

     wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh

  4. When prompted I suggest the following configuration:
    1. UDP (default)
    2. Port 1194 (default)
    3. DNS of 1.1.1.1 (see this link for more info)
    4. A name for your first client. This must be unique for each client; for example, I’ll call my first one Laptop.
  5. The client profile is now in /root/ under a file name equal to the client name you specified in step 4.4; in our example /root/Laptop.ovpn. Treat this file like a private key, because it contains one: the client’s certificate and key are embedded in it.
  6. Download that file to your local computer using the transfer method that fits your system:
    1. Linux/macOS: scp
    2. Windows: WinSCP
  7. Download the OpenVPN client from https://openvpn.net/community-downloads/
  8. Import the Laptop.ovpn file into the OpenVPN client. On Windows, right-click the system tray icon and choose Import, then From file, and select the Laptop.ovpn you copied from the server. The import can take a minute or so, after which you should see a notice that the file was imported successfully. Check the tray icon again and you’ll now see the server’s WAN IP address listed; click that IP address, choose Connect, and you’re all set.
    1. The first time you connect you may be prompted to trust the connection because the server certificate is not from a public CA. The installer created its own private CA and signed the server certificate with it; that CA is embedded in your .ovpn, so the client does verify the server, just against your CA rather than a public one. For a basic road warrior this is sufficient. A corporate IT department may want to issue the certificates from its own enterprise PKI instead.

To add more devices, simply repeat steps 1 to 3 above; the script detects the existing install and offers to add a new client, so at step 4 you’ll only be prompted for the client name. Do this for every device and user that needs to reach this server. I use a separate certificate for my laptop, phone, and tablet. Devices that will be connected at the same time must have separate certificates, and even ones that won’t should, because the same script revokes certificates one client at a time and you want to be able to cut off a single lost device without disturbing the others. So name them something logical, such as myAndroid, kidsiPhone, wifesLaptop, etc.
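As an added example (not part of the original post), here is a small POSIX shell script to sanity-check a client profile before you hand it to a device. It assumes the layout the installer produces, with the CA, client certificate, client key and a tls-crypt (or tls-auth) key embedded inline in the .ovpn, and it exercises itself on a constructed sample profile in which the documentation address 203.0.113.10 stands in for your server’s WAN IP:

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the client
# profile the installer wrote before importing it on a device.
# Assumptions (not stated in the post): the CA, client cert, client key and a
# tls-crypt (or tls-auth) key are embedded inline in the .ovpn, and
# 203.0.113.10 is a constructed documentation address standing in for your
# server's WAN IP.
set -eu

# check_profile FILE
# Returns 0 when FILE carries every directive a road-warrior client needs:
#   client                     run as a client, not a server
#   remote HOST PORT [PROTO]   where to connect
#   <ca> <cert> <key>          inline CA and client identity
#   <tls-crypt> or <tls-auth>  control-channel key; drops unauthenticated probes
# Otherwise lists the missing pieces on stderr and returns 1.
check_profile() {
  f=$1
  missing=""
  grep -qE '^client[[:space:]]*$' "$f"  || missing="$missing client"
  grep -qE '^remote[[:space:]]+[^[:space:]]+[[:space:]]+[0-9]+' "$f" \
                                        || missing="$missing remote"
  grep -qE '^<ca>[[:space:]]*$' "$f"    || missing="$missing ca"
  grep -qE '^<cert>[[:space:]]*$' "$f"  || missing="$missing cert"
  grep -qE '^<key>[[:space:]]*$' "$f"   || missing="$missing key"
  grep -qE '^<(tls-crypt|tls-auth)>[[:space:]]*$' "$f" \
                                        || missing="$missing tls-crypt/tls-auth"
  if [ -n "$missing" ]; then
    printf '%s is missing:%s\n' "$f" "$missing" >&2
    return 1
  fi
  return 0
}

# profile_remote FILE: print "host port proto" from the first remote line.
profile_remote() {
  awk '$1 == "remote" { print $2, $3, $4; exit }' "$1"
}

# remote_matches FILE HOST PORT: fail if the profile points somewhere other
# than the server you actually built (a swapped profile would happily tunnel
# all of your traffic to someone else's box).
remote_matches() {
  got=$(profile_remote "$1")
  want="$2 $3"
  case "$got" in
    "$want"|"$want "*) return 0 ;;
  esac
  printf 'remote is "%s", expected "%s"\n' "$got" "$want" >&2
  return 1
}

# key_is_private FILE: the .ovpn embeds the device's private key, so it must
# not be group- or world-readable. Reads the mode bits from ls so it works on
# both GNU and BSD userlands.
key_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# write_sample_profile PATH: a constructed profile in the installer's layout.
# The PEM bodies are placeholders, not real certificates or keys.
write_sample_profile() {
  cat > "$1" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1194 udp
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
<ca>
-----BEGIN CERTIFICATE-----
placeholder-ca
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
placeholder-client-cert
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
placeholder-client-key
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
placeholder-tls-crypt-key
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
}

# Demo on the constructed sample. For a real download run, e.g.:
#   check_profile Laptop.ovpn && remote_matches Laptop.ovpn <server-ip> 1194 && key_is_private Laptop.ovpn
demo() {
  tmp=$(mktemp)
  write_sample_profile "$tmp"
  chmod 600 "$tmp"
  check_profile "$tmp"
  remote_matches "$tmp" 203.0.113.10 1194
  key_is_private "$tmp"
  printf 'profile OK, remote: %s\n' "$(profile_remote "$tmp")"
  rm -f "$tmp"
}
demo
```

Run check_profile, remote_matches and key_is_private against the file you downloaded, substituting your server’s real IP and port. The permission check matters because the .ovpn is the device’s identity: a copy left world-readable in Downloads is as good as handing out the key.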

Enjoy!


Smokeping

Here is a great tool that I’ve used over the years to troubleshoot ISP latency and QoS issues when working with VoIP lines, though it can be used to troubleshoot all sorts of problems: Smokeping

You can use this wonderful tool at DSL Reports: http://www.dslreports.com/smokeping

What does SmokePing do?

SmokePing generates flexible graphs that, within hours, contain actual information about the quality & reachability of your IP address from several distributed locations.


Cisco Smartports

While troubleshooting a network problem recently, I was reminded of a feature set that is turned on by default on Cisco’s Small Business and Catalyst Express switches: Smartports roles. (On the larger Catalyst switches and routers the equivalent is Smartport macros, which are applied from the CLI and are not enabled by default.) It is a love-it or hate-it feature of the Cisco SMB switches. When we think of managed switches, how much of the feature set do we actually use beyond VLANs, QoS and perhaps high throughput? The reality is that managed switches have far more functionality that usually goes unconfigured, and Cisco made some of it available as per-port templates for small businesses. That’s great, unless you don’t realize the templates are in place: if you don’t know about Smartport roles you can spend hours chasing your tail.

The biggest gotcha you need to know is that by default most ports are in the “Desktop” role, which enables port security with a limit of one MAC address per port and sets the port to PortFast, so it forwards immediately instead of going through the normal spanning-tree listening and learning states. If you plug a second switch into such a port you may notice that only the first node behind it actually works; every other device’s MAC address is a port-security violation and fails to connect.

In those cases you want the “Switch” role, which disables port security (so multiple MAC addresses are permitted) and enables Rapid Spanning Tree (RSTP) on the port.

Spanning Tree Protocol (STP)

Many of you have probably seen the news coverage surrounding the downtime of the WordPress.com website (link). Perhaps the biggest lesson learned here is how complex spanning tree (STP) really is, and more significantly, how much the technology is taken for granted. The question for the week: do you know exactly how spanning tree is operating within your organization? Which switch is your root bridge?

If you don’t design your switching network deliberately, you leave it up to fate which switch becomes your root. The election picks the lowest bridge ID, which is the bridge priority followed by the switch’s MAC address; since every switch ships with the same default priority (32768), the tie is broken by the lowest MAC, and the worst-connected or non-redundantly connected switch can easily win. Imagine a level 1 technician plugging a basic managed switch into their cubicle for a few extra ports: because its MAC address happens to be the smallest, it is elected root and every path in the building now converges on a desk. Probably not exactly what you want to have happen, but that is exactly what I’ve seen. The fix is to explicitly set a low priority on the switch you want as root (and the next lowest on its backup) rather than relying on the default.

Here is a quick refresher:
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/sw_ntman/cwsimain/cwsi2/cwsiug2/vlan2/stpapp.htm

Along with a great list of common problems:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800951ac.shtml
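To make the election concrete, here is an added example (not from the original post) that runs the root-bridge election over a constructed four-switch inventory, first with every switch at the default priority and then after lowering the core switch’s priority, the way a command such as spanning-tree vlan 1 priority 4096 would on a Cisco switch. The switch names and MAC addresses are made up for the illustration:

```shell
#!/bin/sh
# Added example, not from the original post: the root-bridge election over a
# constructed inventory. Every switch advertises a bridge ID made of its
# priority (default 32768) followed by its MAC address; the lowest priority
# wins and the lowest MAC only breaks ties. Names and MACs are made up.
set -eu

# Constructed inventory: "name priority mac", all at the default priority.
inventory_default() {
  cat <<'EOF'
core-1     32768 00:1a:2b:3c:4d:5e
core-2     32768 00:1a:2b:3c:4d:5f
idf-3      32768 00:1a:2b:3c:4e:10
cubicle-sw 32768 00:04:f2:11:22:33
EOF
}

# elect_root: read inventory lines on stdin, print the winner's name.
# Numeric sort on priority first, then plain byte order on the MAC, which
# equals numeric order as long as MACs are lower-case and zero-padded.
elect_root() {
  LC_ALL=C sort -b -k2,2n -k3,3 | awk 'NR == 1 { print $1 }'
}

# set_priority NAME PRIO: change one switch's priority in the inventory on
# stdin, the equivalent of 'spanning-tree vlan 1 priority PRIO' on that box.
set_priority() {
  awk -v n="$1" -v p="$2" '$1 == n { $2 = p } { print }'
}

# With defaults, the cubicle switch (lowest MAC) becomes root.
root_with_defaults() {
  inventory_default | elect_root
}

# After giving core-1 a low priority, it wins regardless of its MAC.
root_after_fix() {
  inventory_default | set_priority core-1 4096 | elect_root
}

printf 'root with default priorities: %s\n' "$(root_with_defaults)"
printf 'root after core-1 priority 4096: %s\n' "$(root_after_fix)"
```

Feed elect_root your own switch list (name, priority, MAC) to see who would win today; if the answer is not the switch you intended, the priority on the intended root is the knob to turn.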

70-290 Concepts: Networking/Terminal Services

·          Under Windows Server 2003, the default share permissions are Everyone: Allow Read (they were Everyone: Full Control in Windows 2000 Server).

·          Under Windows Server 2003, the default NTFS permissions are Administrators/System/Owner: Full Control; Users: Allow Modify.

·          NTFS permissions are cumulative, and an explicit Deny always overrides an Allow. When share permissions and NTFS permissions both apply (access over the network), the most restrictive of the two takes precedence.

·          Shared folders cannot be renamed while shared; a share name ending in $ is hidden from browsing in My Network Places.

·          Quotas: administrators are unlimited; quotas are assigned per user, per volume. They cannot be assigned to groups, and usage is charged by uncompressed file size regardless of disk compression.

·          Shadow Copies automatically keep point-in-time copies of shared folders at scheduled times. The volume must be NTFS, the feature is enabled per volume, clients need the Previous Versions client software installed, and the copies are reached through the UNC path (\\server\share).

·          Terminal Services (TS) licensing: Remote Administration mode allows 2 concurrent users max; Application Server mode needs a per-client license for every client.

·          Terminal Services Manager lets you view, connect, disconnect, log off, send a message to, and remote-control sessions.

·          Terminal Services Configuration controls Active Desktop, temporary folders, encryption level, local resource redirection, etc.

·          Use tsshutdn.exe instead of shutdown, since it notifies connected remote users before the restart.

·          Remote Desktop on the server is enabled via right-click My Computer > Properties > Remote.

·          The print spooler service loads print jobs into memory for printing; if printing misbehaves, restart the service.

·          Terminal Services Licensing server discovery:

o    Terminal Servers first check their registry for a pointer to a license server; then they query

o    an Enterprise License Server, which can run on a DC or a member server and registers its existence in AD for the local site only; then they query

o    a Domain License Server, which exists only on domain controllers.

 

Building Relationship

As we’ve gone through the years of building our small business, it has become abundantly clear that meeting and knowing the right people is the cause of many successes in business. You may have all of the knowledge, do the right thing, provide excellent service and be great at what you do. However, more often than not, it is meeting the right person at the right time, knowing it, and then leveraging it for all it’s worth! Look at Bill Gates, who happened upon the creator of DOS and brought it to new heights; it was a real win-win for both, and while Gates really made out in the end, the developer still made far more than he probably would have without Bill. So often it is the strategic relationship, or the introduction which opens up entirely new markets and customer bases. Knowing your stuff is critical, but it will not take you very far on its own. It is making the right relationships, taking the time to network and really building those partnerships. And it really helps to “network” by showing how you can help them, provide for them, and grow their network, business and impact, not how you can use them to sell your services or exploit them to grow your business. There is an old adage of givers gain, or paying it forward. See what you can bring to the table for the other person, and it can return huge dividends. Two of the greatest sources of business for our company have resulted from meeting key individuals after we went out of our way to help other people succeed.
