DOCSLIB.ORG

Openvpn Guest Lecture OS3 System & Network Engineering

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Openvpn Guest Lecture OS3 System & Network Engineering OpenVPN Guest Lecture OS3 System & Network Engineering Jan Just Keijser Nikhef 4 December 2019 J.J. Keijser Nikhef Amsterdam A few words about me Working as grid system engineer since 2005 Working in IT industry since 1995 “discovered” OpenVPN in 2004 Used and supported OpenVPN since then Author of the “OpenVPN 2 Cookbook” (2011), “Mastering OpenVPN” (2015, met Eric Crist) en “OpenVPN Cookbook - 2nd Edition” (2017) IT interests include open source, networking, VPNs, security, J.J. Keijser Nikhef openssl, socat, HPC/GPU computing Amsterdam What is a VPN? Your TROL (Typical Remote Office Layout) Client Internet / WAN NAT&Firewall Firewall&NAT Without the use of a VPN… J.J. Keijser Nikhef Amsterdam Server What is a VPN? VPN Setup Client NAT&Firewall Firewall&NAT Internet / WAN Using a VPN… J.J. Keijser Nikhef Amsterdam Server Types of VPNs Web based: Proxies, SOCKS Solutions based on SSH PPTP based: Microsoft PPTP VPN client IPSec based: OpenS/WAN, FreeS/WAN, StrongSwan, raccoon IPSec+L2TP based: Microsoft L2TP VPN client New kid: wireguard SSL based: OpenVPN J.J. Keijser Nikhef Amsterdam Virtual network adapter Most VPNs use the concept of a Virtual Network Adapter. This allows for: ◦ Separate IP address; ◦ Control over the routing and protocols allowed over the VPN. The Virtual Network Adapter is the interface between the VPN client (or server) software and the Operating System. 1 Ethernet VPN client J.J. Keijser 3 2 Nikhef Amsterdam Virtual Network Adapter Web-based VPNs Also known as “clientless VPNs” Work only with web-based applications Basically, a souped-up Secure Proxy server or SOCKS server The VPN never leaves the “sandbox” of the webbrowser: HTTPS encrypted traffic Ethernet 1 Web browser J.J. Keijser Nikhef VPN applet Amsterdam SSH-based solutions Not a true VPN – tunnelling of specific TCP ports only Client and server software available for nearly every platform OpenSSH includes SOCKS server support, allowing more flexible tunnels hostA:80 SSH Tunnel 127.0.0.1:8080 127.0.0.1:1200 hostB:23 J.J. Keijser 127.0.0.1 port 8080 hostA port 80 (http) Nikhef Amsterdam 127.0.0.1 port 1200 hostB port 23 (telnet) SSH-based solutions (2) Newer versions of OpenSSH include “tun” support Available only on Linux/*BSD Is a fully functional VPN, but does not scale well hostA SSH Tunnel tun0: 10.10.10.1 tun0: 10.10.10.2 J.J. Keijser hostB Nikhef Amsterdam Web&SSH Pro's and con's Pro’s: ◦ Cient software for nearly all platforms; ◦ Uses standard TCP traffic so no NAT’ting issues; ◦ Easy to configure. Con’s: ◦ Web-based (TCP, HTTPS) only; ◦ Not easy to share local data with remote site/server; J.J. Keijser ◦ Not a true VPN solution. Nikhef Amsterdam PPTP: the Microsoft solution Developed by Microsoft and Ascend (RFC2637) Authentication using username/password OR X.509 certificates (EAP-TLS) Runs over single TCP port and GRE tunnels (protocol 47) Frequently used for ADSL ethernet modems Interface to OS through PPTP adapter: GRE encrypted traffic 1 Ethernet VPN client J.J. Keijser 3 2 Nikhef Amsterdam PPTP adapter PPTP: Pro's and con's Pro’s: ◦ Client built into Microsoft platform; ◦ Other platforms supported for both client and server: Linux; FreeBSD/OpenBSD/NetBSD; Macintosh OS X. Con’s: ◦ PPTP considered fundamentally insecure; J.J. Keijser Nikhef ◦ Secure version (EAP-TLS) supported fully only on Windows; Amsterdam ◦ GRE tunnelling does not work well with NAT’ting devices. IPsec Official IEEE/IETF standard voor IP security (RFC2411) Operates at Level2/Level3 of IP stack Part of IPv6 specification Introduces the concept of Security Policies Uses Encapsulated Security Payload (ESP, IP protocol 50) for payload security, Hash-based Message Authentication Code (HMAC) for integrity Authentication using X.509 certificates or pre-shared keys Two modes supported: J.J. Keijser Nikhef Amsterdam ◦ Transport mode; ◦ Tunnelling mode; IPsec+L2TP Developed by Microsoft and Cisco Systems (RFC3193) Utilizes IPSec Transport mode Authentication using X.509 certificates or pre-shared keys, in combination with a username/password Uses both UDP ports 500 and 4500 as well as ESP (protocol 50) Interface to OS through L2TP adapter: IPsec encrypted traffic IPSec 1 Ethernet L2TP client J.J. Keijser 3 2 Nikhef Amsterdam L2TP adapter IPsec: Pro's and con's Pro’s: ◦ Industry standard; ◦ Good platform support, including ADSL and Wifi routers; ◦ Security policies allow for a very modular approach. Con’s: ◦ Configuration and troubleshooting can be difficult; ◦ Notoriously difficult to configure, especially in combination with NAT-Traversal (NAT-T); ◦ Server-side cannot be NAT’ted, often forcing the use of a DMZ; J.J. Keijser Nikhef ◦ IPSec and NAT’ting devices do not go well together. Amsterdam Wireguard: new kid on the block New protocol: no TLS, no SSL, no IPSec, no X.509 “WireGuard uses state-of-the-art cryptography, like the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions. “ Currently implemented as a Linux kernel module Platform support for Windows, MacOS, Android, iOS, Linux Userspace programs still severely lacking Works over UDP only: makes it harder to operate in a “hostile” environment J.J. Keijser Nikhef Amsterdam OpenVPN: an SSL based VPN Uses TLS/SSL for payload security, HMAC for integrity Authentication using X.509 certificates or pre-shared keys UDP, TCP and SOCKS/HTTP Proxy support Supports tunnelling (TCP/IP) and bridging (Ethernet) mode Interface to OS through tun/tap device or TAP-Win32 adapter: UDP/TCP encrypted traffic 1 Ethernet OpenVPN J.J. Keijser 3 Nikhef 2 Amsterdam tun/tap device What is OpenVPN? With OpenVPN, you can: ◦ tunnel any IP subnetwork or virtual ethernet adapter over a single UDP or TCP port, ◦ configure a scalable, load-balanced VPN server farm using one or more machines which can handle thousands of dynamic connections from incoming VPN clients, ◦ use all of the encryption, authentication, and certification features of the OpenSSL library to protect your private network traffic as it transits the internet, ◦ use any cipher, key size, or HMAC digest (for datagram integrity checking) supported by the OpenSSL library, ◦ choose between static-key based conventional encryption or certificate-based public key encryption, ◦ use static, pre-shared keys or TLS-based dynamic key exchange, ◦ use real-time adaptive link compression and traffic-shaping to manage link bandwidth utilization, ◦ tunnel networks whose public endpoints are dynamic such as DHCP or dial-in clients, ◦ tunnel networks through connection-oriented stateful firewalls without having to use explicit firewall rules, ◦ tunnel networks over NAT, J.J. Keijser ◦ create secure ethernet bridges using virtual tap devices, and Nikhef Amsterdam ◦ control OpenVPN using a GUI on Windows or Mac OS X. (from http://openvpn.net/index.php/open-source/333-what-is-openvpn.html) OpenVPN: some history Started in 2002 by James Yonan First version only supported preshared keys and site-to-site connectivity 2004: OpenVPN 2.0 which supported X509 certificates, and client/server mode 2009: OpenVPN 2.1 which added PKCS#11 and Windows Vista/7 support 2011: OpenVPN 2.2 released: first community-built version 2013: OpenVPN 2.3 released: IPv6 support, PolarSSL/mbedTLS 2017: OpenVPN 2.4 released: AEAD (AES-GCM) support, TLS-Crypt, Windows 10 J.J. Keijser st Nikhef Latest release: Oct 31 2019: version 2.4.8 Amsterdam OpenVPN protocol In SSL/TLS mode two channels are used: ◦ A reliable control channel for exchanging SSL/TLS information and keys ◦ A data channel for transporting actual payload. In UDP mode this channel is not reliable Each encrypted packet is formatted as follows: ◦ HMAC(explicit IV, encrypted envelope) ◦ Explicit IV ◦ Encrypted Envelope The content of the encrypted envelope is formatted as follows: J.J. Keijser Nikhef ◦ 64 bit seQuence number Amsterdam ◦ payload data, i.e. IP packet or Ethernet frame Modes of operation OpenVPN supports several modes of operation: Preshared static keys AuthN using X509 certificates AuthN using username+password Tunnelling mode (point-to-point, aka 'tun') Ethernet mode (aka 'tap') J.J. Keijser Ethernet bridging Nikhef Amsterdam Basic static key example First, generate a static key: $ openvpn --genkey --secret secret.key Transfer the key to the remote end using a secure channel (e.g. scp) Start the server/listener: $ openvpn --ifconfig 10.200.0.1 10.200.0.2 \ --dev tun --secret secret.key And connect to it using the client: J.J. Keijser $ openvpn --ifconfig 10.200.0.2 10.200.0.1 \ Nikhef Amsterdam --dev tun --secret secret.key \ --remote openvpnserver.example.com Setting up a PKI OpenVPN supplies 'easy-rsa' scripts, which are wrappers around 'openssl ca' commands Other PKI solutions can also be used, provided they can supply PEM-encoded certificates and keys or PKCS#12 formatted files Example usage of 'easy-rsa': $ <edit vars file> $ . ./vars $ ./clean-all $ ./build-ca J.J. Keijser Nikhef $ ./build-key-server <servername> Amsterdam $ ./build-key <clientname> Basic X509 example (server) proto udp port 1194 dev tun server 10.8.0.0 255.255.255.0 ca ca.crt cert server.crt key server.key dh dh1024.pem tls-auth ta.key 0 persist-key persist-tun J.J. Keijser keepalive 10 60 Nikhef Amsterdam user nobody group nobody Basic X509 example (client) client proto udp remote openvpnserver.example.com port 1194 dev tun nobind ca ca.crt cert client.crt key client.key tls-auth ta.key 1 J.J. Keijser Nikhef Amsterdam Network topologies OpenVPN 2.1 introduced a new keyword topology subnet Previously, each client was assigned a miniature /30 network: ◦ Server uses 10.8.0.0-10.8.0.3 ◦ First client is assigned 10.8.0.4-10.8.0.7 ◦ Second client is assigned 10.8.0.8-10.8.0.11, etc.
Load more

Recommended publications
  • Uila Supported Apps
    Uila Supported Applications and Protocols updated Oct 2020 Application/Protocol Name Full Description 01net.com 01net website, a French high-tech news site. 050 plus is a Japanese embedded smartphone application dedicated to 050 plus audio-conferencing. 0zz0.com 0zz0 is an online solution to store, send and share files 10050.net China Railcom group web portal. This protocol plug-in classifies the http traffic to the host 10086.cn. It also 10086.cn classifies the ssl traffic to the Common Name 10086.cn. 104.com Web site dedicated to job research. 1111.com.tw Website dedicated to job research in Taiwan. 114la.com Chinese web portal operated by YLMF Computer Technology Co. Chinese cloud storing system of the 115 website. It is operated by YLMF 115.com Computer Technology Co. 118114.cn Chinese booking and reservation portal. 11st.co.kr Korean shopping website 11st. It is operated by SK Planet Co. 1337x.org Bittorrent tracker search engine 139mail 139mail is a chinese webmail powered by China Mobile. 15min.lt Lithuanian news portal Chinese web portal 163. It is operated by NetEase, a company which 163.com pioneered the development of Internet in China. 17173.com Website distributing Chinese games. 17u.com Chinese online travel booking website. 20 minutes is a free, daily newspaper available in France, Spain and 20minutes Switzerland. This plugin classifies websites. 24h.com.vn Vietnamese news portal 24ora.com Aruban news portal 24sata.hr Croatian news portal 24SevenOffice 24SevenOffice is a web-based Enterprise resource planning (ERP) systems. 24ur.com Slovenian news portal 2ch.net Japanese adult videos web site 2Shared 2shared is an online space for sharing and storage.
    [Show full text]
  • Enabling TPM Based System Security Features
    Enabling TPM based system security features Andreas Fuchs <[email protected]> Who am I ? ● 13 year on/off TPMs ● Fraunhofer SIT: Trustworthy Platforms ● TCG-member: TPM Software Stack WG ● Maintainer – tpm2-tss: The libraries – tpm2-tss-engine: The openssl engine – tpm2-totp: Computer-to-user attestation (mjg’s tpm-totp reimplemented for 2.0) 2 The hardware stack ● Trusted Platform Module (TPM) 2.0 – Smartcard-like capabilities but soldered in – Remote Attestation capabilities – As separate chip (LPC, SPI, I²C) – In Southbridge / Firmware – Via TEEs/TrustZone, etc – Thanks to Windows-Logos in every PC ● CPU – OS, TSS 2.0, where the fun is... 3 The TPM Software Stack 2.0 ● Kernel exposes /dev/tpm0 with byte buffers ● tpm2-tss is like the mesa of TCG specs ● TCG specifications: – TPM spec for functionality – TSS spec for software API ● tpm2-tss implements the glue ● Then comes core module / application integration – Think GDK, but OpenSSL – Think godot, but pkcs11 – Think wayland, but cryptsetup 4 The TSS APIs System API (sys) Enhanced SYS (esys) Feature API (FAPI) • 1:1 to TPM2 cmds • Automate crypto for • Spec in draft form HMAC / encrypted • TBimplemented • Cmd / Rsp sessions • No custom typedefs U serialization • Dynamic TCTI • JSON interfaces s • No file I/O loading • Provides Policy e • No crypto • Memory allocations language r • No heap / malloc • No file I/O • Provides keystore S p TPM Command Transmission Interface (tss2-tcti) p a Abstract command / response mechanism, • No crypto, heap, file I/O a Decouple APIs
    [Show full text]
  • Test-Beds and Guidelines for Securing Iot Products and for Secure Set-Up Production Environments
    IoT4CPS – Trustworthy IoT for CPS FFG - ICT of the Future Project No. 863129 Deliverable D7.4 Test-beds and guidelines for securing IoT products and for secure set-up production environments The IoT4CPS Consortium: AIT – Austrian Institute of Technology GmbH AVL – AVL List GmbH DUK – Donau-Universit t Krems I!AT – In"neon Technologies Austria AG #KU – JK Universit t Lin$ / Institute for &ervasive 'om(uting #) – Joanneum )esearch !orschungsgesellschaft mbH *+KIA – No,ia -olutions an. Net/or,s 0sterreich GmbH *1& – *1& -emicon.uctors Austria GmbH -2A – -2A )esearch GmbH -)!G – -al$burg )esearch !orschungsgesellschaft -''H – -oft/are 'om(etence 'enter Hagenberg GmbH -AG0 – -iemens AG 0sterreich TTTech – TTTech 'om(utertechni, AG IAIK – TU Gra$ / Institute for A((lie. Information &rocessing an. 'ommunications ITI – TU Gra$ / Institute for Technical Informatics TU3 – TU 3ien / Institute of 'om(uter 4ngineering 1*4T – 1-Net -ervices GmbH © Copyright 2020, the Members of the IoT4CPS Consortium !or more information on this .ocument or the IoT5'&- (ro6ect, (lease contact8 9ario Drobics7 AIT Austrian Institute of Technology7 mario:.robics@ait:ac:at IoT4C&- – <=>?@A Test-be.s an. guidelines for securing IoT (ro.ucts an. for secure set-up (ro.uction environments Dissemination level8 &U2LI' Document Control Title8 Test-be.s an. gui.elines for securing IoT (ro.ucts an. for secure set-u( (ro.uction environments Ty(e8 &ublic 4.itorBsC8 Katharina Kloiber 4-mail8 ,,;D-net:at AuthorBsC8 Katharina Kloiber, Ni,olaus DEr,, -ilvio -tern )evie/erBsC8 -te(hanie von )E.en, Violeta Dam6anovic, Leo Ha((-2otler Doc ID8 DF:5 Amendment History Version Date Author Description/Comments VG:? ?>:G?:@G@G -ilvio -tern Technology Analysis VG:@ ?G:G>:@G@G -ilvio -tern &ossible )esearch !iel.s for the -2I--ystem VG:> >?:G<:@G@G Katharina Kloiber Initial version (re(are.
    [Show full text]
  • Xmind ZEN 9.1.3 Crack FREE Download
    1 / 4 XMind ZEN 9.1.3 Crack FREE Download Download XMind ZEN 9.2.1 Build Windows / 9.1.3 macOS for free at ... Version 9.2.1 is cracked, then install the program and click Skip in the Login window.. Adobe Premiere Pro CC 2019 13.1.2 – For macOS Cracked With Serial Number.. Free Download XMind ZEN 9.1.3 Build. 201812101752 Win / macOS Cracked .... 3 Crack + Serial Key Free Download. Malwarebytes 4.2.3 Crack Real-time safety of all threats very effectively. This is a .... ZW3D 2019 SP2 Download 32-64 Bit For Windows. The Powerful engineering ... XMind ZEN 9.1.3 Download. Free Download Keysight .... With this app, you can download online maps, digital maps and even ... Tableau Desktop Pro 2019.4.0 Win + Crack · XMind ZEN 9.2.0 Build .... Download Free XMind: ZEN 9.1.3 Build 201812101752 for Mac on Mac Torrent Download. XMind: ZEN 9.1.3 Build 201812101752 is a .... XMind 8 Pro 3 7 6 Mac Crack Full version free download is the latest version of the most advanced and Popular Mind ... XMind ZEN for Mac 9.1.3 Serial Key ... Download Nero KnowHow for PC - free download Nero KnowHow for ... The full version comes in single user and a family variant with the former costing ... Download XMind ZEN 9.2.1 Build Windows / 9.1.3 macOS for free at .... XMind ZEN Crack 10.3.0 With Keygen Full Torrent Download 2021 For PC · XMind Crack 9.1.3 With Keygen Full Torrent Download 2019 For PC.
    [Show full text]
  • Wireguard in Eduvpn Report
    WireGuard in eduVPN Report Nick Aquina SURF, Utrecht Fontys University of Applied Sciences, Eindhoven INTERNSHIP REPORT FONTYS UNIVERSITY OF APPLIED SCIENCES HBO-ICT Data student: Family name, initials: Aquina, N Student number: project period: (from – till) 31 August 2020 – 22 January 2021 Data company: Name company/institution: SURF Department: Team Security Address: Kantoren Hoog Overborch, 3511 EP Utrecht, Moreelsepark 48 Company tutor: Family name, initials: Spoor, R Position: (Tech) Product Manager University tutor: Family name, initials: Vos, A Final report: Title: WireGuard in eduVPN Date: 12 January 2021 Approved and signed by the company tutor: Date: 12 January 2021 Signature: Preface This report is written for my internship for Fontys. The internship was done at SURF for the eduVPN project. My task was to build a proof of concept in which WireGuard is integrated into eduVPN. This internship took place from September 2020 until January 2021. I would like to thank Arno Vos for his guidance and feedback throughout this internship. I would also like to thank Rogier Spoor for guiding me throughout this internship and inviting me to meetings which gave me a valuable insight into cyber security and technological issues facing members of SURF. And last, but not least, I would like to thank François Kooman for all technical support, advice and code reviews which helped improve the project. All blue text can be clicked to open a hyperlink. 1 Contents Preface . .1 Summary 4 Introduction 5 Free software . .5 The company (SURF) 6 Project 7 Context / Initial situation . .7 Project goal . .7 Assignment . .7 Constraints . .8 Development strategy .
    [Show full text]
  • Nist Sp 800-77 Rev. 1 Guide to Ipsec Vpns
    NIST Special Publication 800-77 Revision 1 Guide to IPsec VPNs Elaine Barker Quynh Dang Sheila Frankel Karen Scarfone Paul Wouters This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-77r1 C O M P U T E R S E C U R I T Y NIST Special Publication 800-77 Revision 1 Guide to IPsec VPNs Elaine Barker Quynh Dang Sheila Frankel* Computer Security Division Information Technology Laboratory Karen Scarfone Scarfone Cybersecurity Clifton, VA Paul Wouters Red Hat Toronto, ON, Canada *Former employee; all work for this publication was done while at NIST This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-77r1 June 2020 U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology Authority This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority.
    [Show full text]
  • Vyos Documentation Release Current
    VyOS Documentation Release current VyOS maintainers and contributors Jun 04, 2019 Contents: 1 Installation 3 1.1 Verify digital signatures.........................................5 2 Command-Line Interface 7 3 Quick Start Guide 9 3.1 Basic QoS................................................ 11 4 Configuration Overview 13 5 Network Interfaces 17 5.1 Interface Addresses........................................... 18 5.2 Dummy Interfaces............................................ 20 5.3 Ethernet Interfaces............................................ 20 5.4 L2TPv3 Interfaces............................................ 21 5.5 PPPoE.................................................. 23 5.6 Wireless Interfaces............................................ 25 5.7 Bridging................................................. 26 5.8 Bonding................................................. 27 5.9 Tunnel Interfaces............................................. 28 5.10 VLAN Sub-Interfaces (802.1Q)..................................... 31 5.11 QinQ................................................... 32 5.12 VXLAN................................................. 33 5.13 WireGuard VPN Interface........................................ 37 6 Routing 41 6.1 Static................................................... 41 6.2 RIP.................................................... 41 6.3 OSPF................................................... 42 6.4 BGP................................................... 43 6.5 ARP................................................... 45 7
    [Show full text]
  • Wireguard Port 53
    Wireguard Port 53 IKEv2: UDP 500 et 4500. alias_neo on Feb 20, 2019 I ran some tests with the guys in WireGuard IRC which seemed to confirm that the issue is specifically EE limiting UDP whether by QoS or otherwise. 254/24' set interfaces ethernet eth1 policy route 'PBR' set interfaces wireguard wg0 address '10. Mullvad är en VPN-tjänst som hjälper till att hålla dina onlineaktiviteter, din identitet och plats privat. Filter by Port Number. 53 страницы « wg. com It is a relatively new VPN. 10 security =0 1. ListenPort = 55000: The port on which the VPN will listen for incoming traffic. Port details: tailscale Mesh VPN that makes it easy to connect your devices 1. By using a raw socket the client is able to spoof the source port used by WireGuard when communicating with the server. 2 port 5201 [ 9] local 10. 10/32' set interfaces wireguard wg0 description 'VPN-to-wg-PEER01-172. I can't say for sure though since I don't have a S8 FD variant amongst my testers yet, but it should. conf(5) file for glibc resolver(3) generated by resolvconf(8) # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN nameserver 127. Go to Network > Interfaces and Click the Edit button next to WIREGUARD 59. Step 4 – Configuring Nginx HTTPS. WireGuard is super awesome and easy to setup. Support for other platforms (macOS, Android, iOS, BSD, and Windows) is provided by a cross-platform wireguard-go implementation. IP address Port Country Type Checked (ago) Check; 103. Why are the three responses in this downvoted, using port 53 and tunneling UDP thru TCP would have helped this situation.
    [Show full text]
  • Connecting to a Censored Region
    Knowledgebase > Technical > Troubleshooting > Connection > Connecting to a Censored Region Connecting to a Censored Region Kaneesha D. - 2021-05-14 - Connection While Our VPN service is available for nearly all regions worldwide. There are a few regions that are known to aggressively block or restrict VPN activity making it difficult to connect. These known regions are: Turkey China Egypt UAE Turkmenistan Kazakhstan Sri Lanka Russia While we are aware that these blocks and restrictions make it difficult to connect, we are able to provide possible workarounds, for users, that allows you to connect to specific regions using our newly implemented Geo-location Regions or with the options to connect via configuration files that connect through an IP address instead of the hostname via OpenVPN. Additionally, it may be possible to establish a connection using other VPN Protocols. For users that are experiencing issues with connecting to the above-listed regions through our newly implemented Geo-located regions please review the following possible workarounds. WireGuard: The First option that users can try, is to change the connection protocol that your application is connecting over to WireGuard. In order to change your application connection protocol please access your applications Settings and navigate to the connection tab within your Desktop application and select the protocol WireGuard. From there you will be able to connect to your desired server location. OpenVPN Connect: The second option that users can try is, setting up an OpenVPN Connection through the OpenVPN Application. The OpenVPN application is a free, open-source application developed by the OpenVPN project. The OpenVPN Project is the same team that develops the OpenVPN protocol, the encryption protocol used at the core of most modern commercial VPN services.
    [Show full text]
  • Eduvpn Safe and Trusted
    eduVPN Safe and Trusted Rogier Spoor, SURFnet François Kooman, DeiC Tangui Coulouarn, DeiC NTW19, Kastrup, 24 September 2019 www.geant.org Agenda • Short on eduVPN • What has been done in the last few months • eduVPN service aspects • Policy questions • eduVPN in production: the example of SURFnet • eduVPN technical aspects • Setting up eduVPN in 7 minutes • SAML www.geant.org Why do we need eduVPN? Working away from the office is the norm - Hotels, Cafés, Airports and Train Stations are the new offices “How can I get WiFi?” is often the first question when attending meetings outside the office BUT not all WiFi is born equal…. • While eduroam is a secure environment with authenticated access and local encryption many public WiFi services are not • Unsecured hotspots • Shared access passwords • “Free” WiFi with web login screens Are our users (and their data) safe? www.geant.org The Risks of public WiFi For Users For IT Support Unprotected WiFi can expose usernames Managed devices can insecurely connect and passwords to unknown networks Content filtering on public WiFi may deny Risk of data loss access to sites Ad-hoc, unmanaged VPN solutions may Possibility of malware injection proliferate Unknown and untrusted proxies could redirect users to fraudulent sites www.geant.org eduVPN - securing access for remote users eduVPN provides easy-to-use client software and a secure gateway to authenticate users and encrypt data. Private Connectivity Public Internet R&E Backbone User authentication via eduGAIN Secure VLAN Insecure public Wi-Fi Authenticated & Connection Encrypted Connection eduVPN Gateway Institution Network www.geant.org The 2 uses of eduVPN • Secure Internet: eduVPN instance gives access to the public Internet.
    [Show full text]
  • Shigeru KAWAGUCHI
    Shigeru KAWAGUCHI Germantown, MD 20874 +1.202.250.3811 [email protected] PROFILE Over twenty years of leading full-custom software development and system migration projects. Familiar with wide range of technology options and their pros and cons through experiences. A US citizen, fluent in English and Japanese. PROFESSIONAL EXPERIENCE • Owner, Lamb Informatics Limited, Germantown, MD — 2005–Present • CTO, DigiFlight, Inc., Washington, DC — 2000–2005 • Chief Scientist, Valtech, Inc., Bethesda, MD — 1997–2000 ACCOMPLISHMENTS • Designed and developed half a dozen full-custom enterprise mission-critical web/ desktop/mobile application systems from scratch fitted to customers’ particular business practices and requirements. • Maintained and supported custom system operations, continuously modified and enhanced to match changes and expansions of customers’ business practices and requirements as well as technological transitions. • Recovered mission-critical data from failing hardware and obsoleted legacy systems, then were migrated to new systems. SKILLS Translation of business requirements to technical solutions, full software development lifecycle and CI/CD. Object oriented design process with UML and CRC cards, multi- tier and distributed computing design. Network and systems administration. TECHNOLOGY SUMMARY IAx86/AMD64, Apple Mac, Raspberry Pi, ARMv8, Arduino, MS Windows, Linux, BSD, macOS, Solaris, LDAP, Oracle RDBMS, FileMaker, MySQL, SQLite, MS SQL Server, MS Access, Informix, Sybase, Cloud, Docker Swarm, Portainer, Azure, VirtualBox, VMWare, AWS, BASIC, Xojo, C/C++, Java, PHP, Python, GRE/IPsec, OpenVPN, WireGuard, VyOS, VoIP, QoS, UniFi, Backblaze, rSync, IoT EDUCATION • Worcester Polytechnic Institute, Worcester, MA — BSc in Biology 1997 GnuPG fingerprint: 6A28 3807 A60B FDB9 C67A FCDC 8B50 753B 28C6 4719.
    [Show full text]
  • A Cryptographic Analysis of the Wireguard Protocol
    A Cryptographic Analysis of the WireGuard Protocol Benjamin Dowling and Kenneth G. Paterson Information Security Group, Royal Holloway, University of London fbenjamin.dowling, [email protected] Abstract. WireGuard (Donenfeld, NDSS 2017) is a recently proposed secure network tunnel operating at layer 3. WireGuard aims to replace existing tunnelling solutions like IPsec and OpenVPN, while requiring less code, being more secure, more performant, and easier to use. The cryptographic design of WireGuard is based on the Noise framework. It makes use of a key exchange component which combines long-term and ephemeral Diffie-Hellman values (along with optional preshared keys). This is followed by the use of the established keys in an AEAD construc- tion to encapsulate IP packets in UDP. To date, WireGuard has received no rigorous security analysis. In this paper, we, rectify this. We first ob- serve that, in order to prevent Key Compromise Impersonation (KCI) attacks, any analysis of WireGuard's key exchange component must take into account the first AEAD ciphertext from initiator to responder. This message effectively acts as a key confirmation and makes the key ex- change component of WireGuard a 1.5 RTT protocol. However, the fact that this ciphertext is computed using the established session key rules out a proof of session key indistinguishability for WireGuard's key ex- change component, limiting the degree of modularity that is achievable when analysing the protocol's security. To overcome this proof barrier, and as an alternative to performing a monolithic analysis of the entire WireGuard protocol, we add an extra message to the protocol.
    [Show full text]