OpenVPN Access Server


SafeOnline Image by Gerd Altmann from Pixabay

Cafes, malls, train stations, airports, universities, a party at a friend’s house: everywhere, without any hesitation, we automatically connect to the available public WiFi when we feel the need for the internet.

Sometimes this even happens automatically, since some smart devices have this feature turned on by default, reconnecting to saved networks or looking for new ones. For example, if you once connected to the public network at one branch of a popular coffee shop chain, the device will remember that network and keep looking for it in the future.

Attackers take advantage of this. They create fake hotspots imitating the same network nearby, which can trick the device into treating the fake as the network it connected to before and mistakenly joining the trap network. The attackers' goal is to listen to your unencrypted traffic, such as logins, passwords, and bank details. And if you think that is all, and that you are safe as long as you use HTTPS, it can get more complicated: HTTPS can also be sidestepped with a fake page that tricks you into entering your credentials, which are then automatically saved by the hacker.

How easily are spoofing attacks done?

The fake network can be created with a $3 device that is even capable of a “deauth” attack (deauthenticating the client from the original WiFi), so that the device looks for another network, which opens an excellent opportunity to trick it into using a malicious trap network. Smarter tools that can spoof networks, trick users, listen to traffic, and host fake versions of websites are available online as pre-made small routing devices like the WiFi Pineapple. Put simply, it is a little device that sits between an unsuspecting user’s device and the resource they are attempting to access. This means that an attacker can launch a MiTM (“Man in the Middle”) attack by inspecting the data that flows between the victim and any resources they are accessing on the web. Funnily enough, most of the material on how to achieve that is available in easy-to-follow guides, so it is achievable even without in-depth knowledge.

Benefits of Access Server

OpenVPN provides Virtual Private Network solutions to secure data while accessing the internet: protecting communications, securing IoT resources, and providing encrypted remote access to on-premise, hybrid, and public cloud resources. One of the main benefits of the Access Server is its powerful and easy-to-use web-based admin panel. That makes VPN management and configuration simple enough for anybody to use (without in-depth knowledge of tunneling, encryption, and Linux), and installation can be done even on a small single-board computer such as a Raspberry Pi. The server provides packages that accommodate Windows, Mac OS, Linux, and mobile environments.

Simple - from installation to connection

First, let us cover the basics: identify which OS we are running in order to select the correct installation path, install the updates, install the requirements, and install the openvpn-as package via the repository for better version management in the future. Note: Most of the commands have to be executed with root privileges.

Getting Updates

In this example, Ubuntu 18.04 LTS with the codename bionic is used. Begin by logging on to the Linux system on the console or via SSH with root privileges.

Update the cached package list and upgrade any packages that have updates:

sudo apt-get update && sudo apt-get upgrade

Installation via repository

OpenVPN provides different ways of installation, but I have chosen the repository one since it makes the update process much simpler and more error-proof in the future.

To begin with, we have to install the prerequisite packages ca-certificates, wget and net-tools.

sudo apt-get -y install ca-certificates wget net-tools

Then we add the repository key and the repository itself to the apt sources list:

wget -qO - https://as-repository.openvpn.net/as-repo-public.gpg | sudo apt-key add -
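# tee runs under sudo; with "sudo echo ... >file" the redirect is opened by the unprivileged shell and fails
echo "deb http://as-repository.openvpn.net/as/debian bionic main" | sudo tee /etc/apt/sources.list.d/openvpn-as-repo.list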

And now we can simply update the package list with the new repository and install the openvpn-as package.

sudo apt-get update && sudo apt-get -y install openvpn-as

Setting up the admin account

Now that openvpn-as is installed, we have to set the password for the admin account; by default, the admin user is openvpn.

sudo passwd openvpn

Configure settings if needed

The Access Server Admin Web Interface (which is accessible via https://server-ip-or-domain:943/admin/ - replace the server-ip-or-domain with your own server’s address) is an intuitive tool to manage settings for OpenVPN Access Server. It can be used to manage licenses, TLS settings, network settings, advanced VPN settings, web server, client settings, and failover.

Helpful tips for configuration settings:
  • To achieve better reachability, set the Hostname or IP address to one facing the public internet.
  • Change the default subnet and internal DHCP system to better fit your network (the default is 172.27.224.0/20).
  • The routing section provides the option to push specific routes to networks accessed via the server to remote clients.
  • Forwarding client internet traffic through the OpenVPN Access Server is a toggleable option.
  • Set specific per-client settings/permissions.

Establishing Connection

To connect, a client needs a profile, which can be downloaded from the client web interface accessible at: https://server-ip-or-domain:943/

After logging in with the credentials, the user will be able to download their user configuration file and use this with their VPN client to establish the connection.

It is also possible for the user to connect directly to the VPN through their web browser.
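The downloaded profile is what tells the client how to recognise the real server, so it is worth auditing before it is used on an untrusted network. The script below is an added example, not part of the original article or of OpenVPN; the function names audit_profile and write_sample and the sample profile are constructed for illustration, and the checks cover only the directives named in the comments.

```shell
#!/bin/sh
# Added example: audit a downloaded .ovpn profile before using it.
# audit_profile FILE prints one line per finding and returns their count.
audit_profile() {
    f=$1; n=0
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }
    # Ignore comments (# or ;) and blank lines so disabled directives don't count.
    body=$(grep -Ev '^[[:space:]]*([#;]|$)' "$f")
    has() { printf '%s\n' "$body" | grep -Eq "$1"; }

    # An embedded private key must not be readable by group or other.
    if has '^<key>' && [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "permissions: embedded private key readable by group/other"; n=$((n + 1))
    fi
    # With only a CA check, any certificate from that CA can pose as the server.
    has '^[[:space:]]*(remote-cert-tls[[:space:]]+server|verify-x509-name[[:space:]])' || {
        echo "identity: no remote-cert-tls server or verify-x509-name"; n=$((n + 1)); }
    has '^(<ca>|[[:space:]]*ca[[:space:]])' || {
        echo "trust: no CA certificate configured"; n=$((n + 1)); }
    has '^(<tls-(auth|crypt)>|[[:space:]]*tls-(auth|crypt)[[:space:]])' || {
        echo "hardening: no tls-auth/tls-crypt key"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample profile; certificate and key bodies are elided.
write_sample() {
    cat > "$1" <<'EOF'
client
dev tun
remote vpn.example.com 1194 udp
# remote-cert-tls server
<ca>
(certificate elided)
</ca>
<key>
(key elided)
</key>
EOF
}

demo=$(mktemp)
write_sample "$demo"
chmod 644 "$demo"   # deliberately too permissive for the demonstration
audit_profile "$demo" || echo "findings: $?"
rm -f "$demo"
```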

Connect from Desktop via downloaded profile

Probably the most natural way is to install the openvpn client on the device.

sudo apt-get update
sudo apt-get install openvpn

Once the application is installed, run it with the user configuration file specified via --config /path/to/client.ovpn

Note: openvpn requires sudo privileges since it modifies the network configuration, adding a new interface to route the traffic.

sudo openvpn --config /path/to/client.ovpn
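Because forwarding client internet traffic through the server is a toggleable option, a connected tunnel does not by itself mean that traffic on a public WiFi is protected. The check below is an added example, not from the original article: it reads `ip -4 route` output and reports whether all IPv4 traffic is routed into the tunnel. The function name full_tunnel_active, the tunN interface naming and the sample routing tables are assumptions constructed for illustration, and IPv6 routes are not examined.

```shell
#!/bin/sh
# Added example: decide from `ip -4 route` output whether all IPv4 traffic
# is sent into the VPN tunnel (full tunnel) or only some subnets (split tunnel).

# full_tunnel_active ROUTES
# Returns 0 when either
#   - the only default route points at a tunN interface, or
#   - both 0.0.0.0/1 and 128.0.0.0/1 point at tunN (the pair of routes that
#     OpenVPN's "redirect-gateway def1" installs to override the default).
full_tunnel_active() {
    printf '%s\n' "$1" | awk '
        { dev = ""; for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1) }
        dev !~ /^tun[0-9]+$/ { if ($1 == "default") other = 1; next }
        $1 == "default"     { def = 1 }
        $1 == "0.0.0.0/1"   { low = 1 }
        $1 == "128.0.0.0/1" { high = 1 }
        END { exit !((def && !other) || (low && high)) }'
}

# Constructed sample: VPN connected, but only the VPN subnet is routed to tun0.
SPLIT_SAMPLE='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
172.27.224.0/20 dev tun0 proto kernel scope link src 172.27.224.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600'

# Constructed sample: same table plus the two half-default routes via tun0.
FULL_SAMPLE="0.0.0.0/1 via 172.27.224.1 dev tun0
128.0.0.0/1 via 172.27.224.1 dev tun0
$SPLIT_SAMPLE"

for name in SPLIT_SAMPLE FULL_SAMPLE; do
    eval "routes=\$$name"
    if full_tunnel_active "$routes"; then
        echo "$name: all IPv4 traffic goes through the tunnel"
    else
        echo "$name: traffic can still leave via the local network"
    fi
done
```

On a connected client, pass the live table instead of a sample: `full_tunnel_active "$(ip -4 route show)"`.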

Conclusion

Anonymity and privacy are becoming a problem nowadays, with lots of hackers trying to steal others’ identities. By simplifying our life with easier internet access, we also make it harder to protect our data, and it is essential to use some safety features to improve security and privacy.

Having your own VPN provides many advantages (from an encrypted connection with data that is managed by you to establishing a LAN between devices on different continents).

Today, we looked at an example of OpenVPN Access Server: it is simple to install and manage and requires neither in-depth knowledge nor a powerful system to operate.

If you are interested in the custom configuration of OpenVPN Access Server, make sure to check out their Admin Manual. Good Luck!

Artur Ovtsinnikov