Linked by Igor Ljubuncic on Mon 2nd Apr 2012 15:41 UTC
Features, Office

You have just bought tickets to an exotic vacation spot. You board the flight, you land safely, you pull your netbook from your backpack, fire it up, and then check if there are any available wireless networks. Indeed there are, unencrypted, passwordless, waiting for you. So you connect to the most convenient hotspot and start surfing. Being addicted as you are, you want to log in to your email or social network just to check if something cardinal happened in the world during your four-hour flight. You're about to hit the sign in button. Stop. What you're about to do might not be safe.
Permalink for comment 512731
Security on the road
by chandler on Mon 2nd Apr 2012 16:38 UTC
Member since: 2006-08-29

As the author suggests, using a VPN provides the best available security while travelling and on others' networks, whether open or secured. Unfortunately most OSes these days tend to do a lot of phoning home before they even allow you to establish a VPN connection, and on most open hotspots you'll have to go through a captive portal before being able to establish your VPN tunnel.

What I've done on my personal Linux systems is to set up HTTP and SOCKS proxies on the VPN server and point everything on the local machine at those proxies. Be sure to use the system firewall to prevent traffic to those proxies from escaping unencrypted when the VPN link is not up! When I encounter a hotspot with a captive portal, I run a separate instance of Firefox with a different profile that is configured to always use private browsing, has plugins disabled, and has no proxy set. Once I log in, the OpenVPN tunnel establishes automatically. I do not have the tunnel take over the default route, since almost everything is configured to use the proxies; however, you can set that up easily enough too.

This configuration has the advantage that it is fail safe; that is, if I happen to leave a program running and connect to an untrusted network, the program won't automatically start communicating on that network until the VPN link is up. I could imagine other ways to obtain this fail-safe configuration, but any of them would be much more difficult to implement.

Here's how I accomplished this on Ubuntu; these instructions should work on Debian too, and will be very similar on other distributions.

To prevent VPN traffic from escaping on the wireless interface when the VPN is not up using the "ufw" firewall management script:

ufw deny out on wlan0 from any to 192.168.202.0/24

Adjust as appropriate for your VPN address range and network interface.

Place your OpenVPN configuration in /etc/openvpn/myvpn.conf, then edit /etc/default/openvpn and set AUTOSTART="myvpn". Be sure to use proto udp in your OpenVPN configuration if possible.

I use squid and dante on my VPN host to provide HTTP and SOCKS proxies, respectively. On the client side, these proxies are configured as the default through the desktop environment's controls. To make Thunderbird use a SOCKS proxy, go to Edit -> Preferences -> Advanced -> General and choose Config Editor. In the config editor, set network.proxy.socks and network.proxy.socks_port as appropriate, then enable network.proxy.socks_remote_dns and set network.proxy.type to 1. All other proxy settings should be the default.

For SSH, I use a program called connect-proxy which is available in the Debian and Ubuntu repositories. Instructions on configuring it are available in the man page.

I've added the proxy to /etc/environment so that programs like curl automatically use it on all user accounts:

http_proxy="http://192.168.202.1:8080"
HTTPS_PROXY="http://192.168.202.1:8080"
FTP_PROXY="http://192.168.202.1:8080"
ALL_PROXY="http://192.168.202.1:8080"
NO_PROXY="localhost,.local"

In addition, I've configured sudo to use a separate environment file /etc/environment.sudo so that commands like sudo apt-get update use the proxy as well. The contents of /etc/environment.sudo are the same as what I added to /etc/environment. To configure sudo, run visudo and add the following line near the beginning of the file:

Defaults env_file=/etc/environment.sudo

Be careful when editing the sudo configuration, since one mis-edit can ruin your day.

Reply Score: 7
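
A way to verify the fail-safe property described in the comment above, as an added example that is not part of the original post: it classifies where traffic to the proxy address would go, given the text of `ip route get 192.168.202.1` and `ufw status`. The tunnel interface name tun0, the sample addresses other than 192.168.202.x, and the exact `ufw status` column layout are assumptions; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: does traffic to the VPN-side proxy use the tunnel, get
# dropped by the firewall, or leak in the clear onto the hotspot network?

# Print the interface named after "dev" in `ip route get` output.
egress_dev() {
    printf '%s\n' "$1" |
        awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i + 1); exit}}'
}

# Succeed if the `ufw status` text ($1) has a DENY OUT rule for
# subnet $2 that is bound to interface $3.
has_deny_out() {
    printf '%s\n' "$1" | awk -v net="$2" -v ifc="$3" '
        $1 == net && /DENY OUT/ && $(NF - 1) == "on" && $NF == ifc {found = 1}
        END {exit !found}'
}

# classify ROUTE_TEXT UFW_TEXT VPN_SUBNET TUN_IFACE
# prints: tunnel | blocked | LEAK | unreachable
classify() {
    dev=$(egress_dev "$1")
    if [ -z "$dev" ]; then
        echo "unreachable"      # no route at all: nothing can leave
    elif [ "$dev" = "$4" ]; then
        echo "tunnel"           # VPN is up, proxy reached through it
    elif has_deny_out "$2" "$3" "$dev"; then
        echo "blocked"          # VPN down, firewall drops the traffic
    else
        echo "LEAK"             # VPN down and nothing stops cleartext
    fi
}

# Constructed sample inputs (not captured from a real system).
ROUTE_UP='192.168.202.1 dev tun0 src 192.168.202.6 uid 1000'
ROUTE_DOWN='192.168.202.1 via 10.0.0.1 dev wlan0 src 10.0.0.57 uid 1000'
UFW_OK='Status: active

To                         Action      From
--                         ------      ----
192.168.202.0/24           DENY OUT    Anywhere on wlan0'
UFW_MISSING='Status: active'

# Live use (needs root for ufw):
# classify "$(ip route get 192.168.202.1)" "$(ufw status)" 192.168.202.0/24 tun0
```

Run it once with the tunnel up and once with OpenVPN stopped; anything other than "tunnel" in the first case or "blocked" in the second means the setup is not fail-safe.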