When working remotely one of the most important things about connecting to the internet is ensuring that your connection is secure. If you are using public wifi hotspots to reduce your mobile data bill, then it’s safe to say that your connection may often be far from secure.
The Risk of Public Wifi
Many locations offering have wifi don’t require a password, and while this is handy for people to quickly get online without bothering the staff, this means that all data sent from your device to the wifi access point is unencrypted, so anyone else listening in to what you are sending can see the details you are sending. Even if the Wifi hotspot does use a password – meaning that encryption is enabled on your connection – it is trivial for an attacker to impersonate the wifi access point, and you could be connecting to an attacker’s device rather than the legitimate access point without realizing. This type of man in the middle attack can then allow the hacker to view all your traffic being sent to the internet. Finally, with the recent release of details about the wifi KRACK attack, there are ways of defeating the encryption in the wifi standard. The history of Android device manufacturers not bothering to support software updates, even months after putting devices on the market, a number of devices may never be patched to fix this vulnerability.
How to Set Up OpenVPN on a VPS
So that all sounds somewhat doom and gloom for using a mobile hotspot when working on the go. Fortunately the technology exists to resolve this in the use of a Virtual Private Network (VPN). This creates a secure connection between your device and a server on the internet, and can then send all of your internet traffic from your device to the internet via this server. The data sent to the server is encrypted so many of these attacks will no longer be of use against you. Here we’ll look at getting the OpenVPN server up and running on a VPS running either Debian or Ubuntu Linux.
The first step is to get the software installed. This is relatively easy as the default repositories already contain the relevant information:
sudo apt-get update
sudo apt-get install openvpn easy-rsa
This creates a directory for the OpenVPN configuration, but not a basic configuration file, so we’ll need to copy one over from the documentation to get configured:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf > /etc/openvpn/server.conf
Next we’ll need to make some changes to the default configuration that will improve the security provided by the VPN.
sudo nano /etc/openvpn/server.conf
The first one is to change the Diffie hellman parameters to use a 2048 bit key. Therefore, search in the file for a line that says “# Diffie hellman parameters.”, and a little way beneath that change the line that reads “dh dh1024.pem” to the following:
Next we want to ensure that the VPN forwards all your internet traffic onward to its destination, so now look for the following line in the configuration file:
;push “redirect-gateway def1 bypass-dhcp”
Remove the semicolon at the start of the line to enable it, at which point it should look like this:
push “redirect-gateway def1 bypass-dhcp”
The next comment block after this references using DHCP to push DNS settings to users connected to the VPN, this means that all DNS requests will be sent to the VPN server and not your normal DNS server. So we’ll uncomment both lines starting with ‘;push “dhcp-option DNS’ which will have the VPN server use the OpenDNS servers for resolving DNS requests. Once that’s done it should look like this:
push “dhcp-option DNS 184.108.40.206”
push “dhcp-option DNS 220.127.116.11”
Finally, for the security of the server we need to lower the permissions of the user that the VPN server runs as. By default it will use the root user, but it can be configured to run as any user. Search for a line containing “;user nobody”, then uncomment the line and the line beneath so that they look like this:
With these changes made you can save and exit the file with OpenVPN configured and ready to go. However we’re not quite there yet – there’s some more configuration needed on the server before it can be used, and we’ll be looking at that further next time.
This article was brought to you by VPS.net, for dedicated server hosting, cloud servers and 24/7 support visit our site here vps.net