VPN Server with Raspberry Pi

In almost all airports, hotels, libraries, schools and restaurants, there is a proliferation of free unencrypted wireless access points, which are easily accessible to all. Additionally, with the spread of mobile devices, getting on the internet is no longer confined to the office or the home. Usually, a high number of users share the same open access point. Although this arrangement is very convenient for the users, it is also favorable for the snooper with the skills and intent to invade into others’ privacy and collect internet traffic for nefarious purposes.

Security professionals cry themselves hoarse while preaching restraint when it comes to using free/public wireless access points. However, for users wanting to access their office via the Internet, other than waiting to get back home, very few alternatives are available that are practical, free to use or at least almost free. However, the situation can be easily rectified with an inexpensive Single Board Computer, the Raspberry Pi (RBPi) in conjunction with the freely distributed OpenVPN software.

Offices/homes (SOHO) usually have a private network, which remote devices such as tablets and mobiles access through a typical Remote-Access Virtual Private Network (VPN) configuration. The mobile (the client) must authenticate itself successfully and the VPN server then establishes an encrypted tunnel. Now all traffic between the server and the client via the Internet will be securely routed to the private network through this tunnel, simply as if the mobile (client) had connected directly into the network itself. As the traffic is encrypted, anyone listening in will not be able to decipher the content, and the communication remains safe.

Such an arrangement as described above is very easily implemented with OpenVPN, which is an open source VPN implementation that was developed by James Yonan. OpenVPN is a highly customizable solution and supports a huge range of capabilities and options, including the most relevant five:

• Authentication and encryption ensures privacy
• Protection against Denial of Service and zero-day vulnerabilities
• Protection and privacy through proxy
• SOHO network access
• Broad device supports

OpenVPN was created for ensuring privacy, authentication and encryption, which it does via implementation of SSL/TLS concepts. Two encryption modes are used: Pre-Shared Key and TLS. Pre-shared key concept uses static keys that must be generated and shared with all devices for authentication, to establish and encrypt the secure VPN channel. This arrangement is more like a single lock with multiple users, each holding a key. TLS is a more secure arrangement with private/public key pairs.

To defend against Denial of Service or DoS attacks and Zero-day vulnerabilities, OpenVPN implements a variant of the HMAC key protection. Use of proxy disallows sites such as Amazon, Google or Facebook to establish the VPN client location since they are solely based on the IP address. This provides additional protection for the mobile device, since the Internet traffic is routed through the SOHO network. SOHO networks usually deploy additional boundary security, such as IPS, and this protection is extended to the mobile device when it connects through the VPN.

The OpenVPN service provides secure access to the resources available on the SOHO network without opening extra ports through the firewall. The device support is broad and covers Windows, Mac OSX, Linux and Android. For implementation on RBPi, more information is available here.