Secure Vpn On Linux


SMS

Hello,

I have been searching on the net for some time now, but have only found tons of information which seems a little confusing to a Linux newbie.

The thing is, I travel a lot and use public networks a lot, e.g. any available unencrypted WiFi.

Now I realise using other networks (even a Thai ISP :o ) is a major security risk.

I have a virtual server running on CentOS 4.3 with complete root access; I can do anything there except for kernel-related modifications.

This box has a static external IP assigned to it.

I want to set up a VPN server on the Linux box, so when I surf the net from my Windoze PC (or Linux in the near future) all connections to non-LAN IPs go through the encrypted VPN. And I will be sniff-proof unless the IDC people get corrupt.

Any idea on how to go about it?

Has anyone already accomplished such a setup?

Any proper how-to for this specific setup?

I was keen on doing this before... but now very keen on setting this up after reading a scary comment in the Bangkok Post today.

Talking to a number of sources scattered around ISPs and government, it seems that the Cyber Inspector team uses a "session hijacking" system that effectively takes over a user's browsing session in the middle and shows the inspectors everything the user is looking at. Then, they can just click and ban.

Full Article

On shell access, uname -r returns

2.6.12.6-xen3_12.1_rhel4.1

Is this kernel 2.6?

It seems FreeS/WAN requires modifying the kernel, which is not allowed on my system. Any easier solution?

I am doing the same thing and this is what I did.

I am using Debian Sarge with Webmin control panel so it was very easy to configure.

First, I installed the Squid Proxy Cache Server. Simple with Debian through apt-get.

Next, I configured the listen port with my server IP address and used an obscure port number. I configured it in Webmin to use authentication. Most hosting plans do not allow an open proxy, and it isn't a good idea to get charged bandwidth for others using it. I created a special proxy user and gave it an easy-to-remember password.

Lastly, I configured the Squid configuration file itself to not pass the X-Forwarded-For header. That way it is difficult to know that I am in Thailand.

I wish I could be a little bit more in depth, but if you PM me, I can give more details IF you are technical in nature.

Basically, for my ISP, it appears only that I am sending requests to a proxy server; they could probably see what I am doing. If secrecy is what you desire, you can easily add an SSH tunnel to the setup. Basically, the SSH tunnel encrypts all the packets between your computer and your server running Squid. About all they could find examining your traffic is that you are sending encrypted packets to a US server.

Setting up an SSH tunnel to use along with Squid is easy. Make sure you configure Squid to listen on localhost, 127.0.0.1. Next, download PuTTY. If you have a server, you are probably already using PuTTY. In PuTTY, there is an option to set up an SSH tunnel. Easy: add this port, localhost:XXXX (XXXX is the port your Squid is listening on), and for the local port use anything; 4444 is an easy choice.

In order to start surfing, fire up Firefox and add this proxy setting: 127.0.0.1 port 4444. You are set, all is satisfied.

I know this is over the heads of some and sounds mundane to others. Like I said above, PM me if you are technically inclined and I can give some more in-depth instructions. I post this to show how easily it can be done. It took me about a day to get everything working with a lot of trial and error. I can help eliminate that trial and error.

One side note: I surf using GPRS. I have found that my pages load up faster and my surfing experience is a lot better when I use the proxy server, and especially when I use the SSH tunnel to compress my traffic.

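The setup described in the post above (Squid bound to loopback, authentication required, X-Forwarded-For suppressed, and a local SSH port forward in front of it) is easier to reason about when written down as configuration. The following is an added example for this thread, not the poster's actual config or a Squid project file. It assumes constructed values: Squid on port 3128, a placeholder server name vpn.example.com, an SSH account proxyuser, and the Debian-era path /usr/lib/squid/ncsa_auth for the basic-auth helper. It emits the squid.conf fragment, checks a fragment for the three properties the post relies on, and prints the OpenSSH equivalent of the PuTTY tunnel.

```shell
#!/bin/sh
# Added example, not from the forum thread or the Squid project.
# Constructed values (assumptions for the example):
SQUID_PORT=3128            # the "obscure" port Squid listens on (XXXX in the post)
LOCAL_PORT=4444            # the local end of the tunnel, as in the post
SERVER=vpn.example.com     # placeholder hostname for the rented server
SSH_USER=proxyuser         # placeholder SSH account on that server

# Emit a squid.conf fragment with the hardening the post describes.
squid_conf_fragment() {
    cat <<EOF
# Listen only on the loopback interface: the proxy is reachable solely
# through the SSH tunnel and never appears as an open proxy on the Internet.
http_port 127.0.0.1:${SQUID_PORT}

# Require a username/password for every request (htpasswd-style file).
# Helper path is an assumption; adjust for your distribution.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

# Do not tell origin servers where the request really came from.
forwarded_for off
via off
EOF
}

# Read a squid.conf on stdin and verify the three properties the post
# relies on. Returns 0 when all hold, 1 otherwise, naming the first
# failure on stderr. Useful as a quick check after editing the file.
check_squid_conf() {
    conf=$(cat)
    printf '%s\n' "$conf" | grep -Eq '^http_port[[:space:]]+127\.0\.0\.1:' \
        || { echo "squid is not bound to loopback" >&2; return 1; }
    printf '%s\n' "$conf" | grep -Eq '^http_access[[:space:]]+deny[[:space:]]+all' \
        || { echo "no final deny rule: this would be an open proxy" >&2; return 1; }
    printf '%s\n' "$conf" | grep -Eq '^forwarded_for[[:space:]]+off' \
        || { echo "X-Forwarded-For is still sent to origin servers" >&2; return 1; }
    return 0
}

# The PuTTY tunnel from the post as an OpenSSH command: connections to
# 127.0.0.1:4444 on the laptop travel inside the encrypted session and
# come out at Squid on the server's own loopback. -N runs no remote
# command, -C compresses (the speed-up the post mentions over GPRS).
ssh_tunnel_command() {
    printf 'ssh -N -C -L %s:127.0.0.1:%s %s@%s\n' \
        "$LOCAL_PORT" "$SQUID_PORT" "$SSH_USER" "$SERVER"
}

# When run directly: show the fragment, verify it, and print the tunnel
# command. Firefox then gets the manual proxy 127.0.0.1 port 4444.
squid_conf_fragment
squid_conf_fragment | check_squid_conf && echo "squid.conf fragment: OK"
ssh_tunnel_command
```

Run `check_squid_conf < /etc/squid/squid.conf` after editing the real file; the check fails, for instance, on a default `http_port 3128` line, because that binds every interface and exposes the proxy to the network rather than only to the tunnel.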
A better option to do what you want would be to google for "tor network".

Curiously, it seems that the main #t#o#r# website is also blocked by the mentioned inspector, and so are various other online proxy websites mentioned on this forum. It seems to me that exchange of info on these subjects is better done by less public means than posting...

(but thanks for the hint)

Edited by rishi
Hi Whitey, and thanks a lot for the detailed post; however, my intention is not to hide my identity from the websites I am visiting.

My main intention is to block people from sniffing packets in transit to get my passwords and other details.

I need a complete solution where all internet connections from my PC are routed through the server.

I mean not only HTTP, but also POP, chats, software updates, etc.

After struggling a bit, I finally managed to install FreeS/WAN. If anyone has experience with FreeS/WAN, please inform... I have dozens of questions on how to get it to work... I couldn't find a tutorial targeted towards a Linux newbie.

Hiding your identity? You are hardly hiding your identity, since you are paying for the server. You are merely surfing with a different IP address, but if you didn't want to hide yourself, you just wouldn't edit the Squid config files to do that. You have that choice.

This is a complete solution. I can and do send everything through my encrypted SSH tunnel to my server. It is easy to do. There are tons of sites to tell you how to do this.

Check this site out:

http://www.howtoforge.com/linux_secure_browsing_squid

If I had a new Debian-based Linux box, I could have this up and going in less than an hour. It is easy if you just follow the directions. I don't know about FreeS/WAN, but it sounds a lot more difficult and doesn't do anything that my current setup doesn't do.

I would also suggest an SSH tunnel. I use Privoxy with my Fedora systems... I assume that is also on RHEL, but I have no reason to advocate it more or less than Squid. It's just what I happened to start using.

It is true that a VPN can route "all" traffic while these ssh solutions do less. But only you can really judge which traffic is a concern. Are you using Linux on both ends? There really shouldn't be that much surprising traffic unless you are running dodgy applications.

I forward web browsing and instant messenger over SSH through my remote Privoxy. You just need to enable the right relay ports (Privoxy defaults to just 443 for relay connections). I do this for MSN and AIM connections using gaim.

I also forward SMTP and IMAP. This is not strictly necessary, because I use SSL-protection on both already. But it makes it a lot easier when on the road. Because it is forwarding, I only have to find a way to get my ssh connection punched through to the other side. I do not have to deal with firewalls or bad proxies trying to intercept SMTP or IMAP, nor do I have to try to find out why VPN isn't working through someone's router or NAT box.

On occasion, I do use "vpnc" to connect to dedicated Cisco VPN hardware. But in general I just work with the SSH tunnels. Another benefit of using a proxy with filtering is that you can actually "accelerate" your international browsing, because it strips out many junk advertisements so they do not clog up your WAN link from Thailand.
