Hi,
I have my VPN setup using DD-WRT. I am able to RDP, get to network drives, & everything works great. I have two questions:
1. I thought that when VPN'ing into my network, that my external IP would change to the SOHO network's external IP. That is not the case, I still have the external IP of my current ISP. This makes me wonder if my SOHO traffic might be at risk.
2. Is there a way to test that the VPN traffic is secure?
3. I notice when launching the VPN from a client, that no password is asked. While I don't expect to lose a laptop, I do wonder if it makes sense to have a password that I can change.
Thanks,
Rich
How can I check that the VPN is secure?
- OpenVpn Newbie
- Posts: 6
- Joined: Wed May 11, 2011 3:11 pm
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Re: How can I check that the VPN is secure?
> 1. I thought that when VPN'ing into my network, that my external IP would change to the SOHO network's external IP. That is not the case, I still have the external IP of my current ISP. This makes me wonder if my SOHO traffic might be at risk.
that depends on your setup; if you are using
Code:
push "redirect-gateway def1"
on the server then your IP address should change to the address of the VPN server, provided that you've got routing right.
> 2. Is there a way to test that the VPN traffic is secure?
run wireshark on the external interface (i.e. eth0) and browse to a website - you should not see HTML text fly by, just garbled data
> 3. I notice when launching the VPN from a client, that no password is asked. While I don't expect to lose a laptop, I do wonder if it makes sense to have a password that I can change.
you can set a password on the client certificate, or you can add username/password authentication. If you lose a laptop you can always revoke the certificate that was stored on the laptop; this does show that proper key management is necessary!
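
The Wireshark check described above, automated over a saved capture, as an added example that is not part of the original thread: it parses a classic pcap taken on the external interface and lists every packet from the client that is not addressed to the VPN server. The addresses, UDP port 1194 and the sample captures are constructed for illustration.

```python
import struct

CLIENT = "192.168.1.50"                 # constructed: laptop's address on eth0
VPN_SERVER = ("203.0.113.10", 1194)     # constructed: SOHO WAN IP; UDP 1194 assumed
MARKERS = (b"GET ", b"POST ", b"HTTP/1.", b"<html")

def frames(pcap):
    """Yield Ethernet frames from a classic little-endian pcap byte string."""
    if struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4:
        raise ValueError("not a classic little-endian pcap")
    off = 24                                              # skip the global header
    while off + 16 <= len(pcap):
        n = struct.unpack_from("<I", pcap, off + 8)[0]    # incl_len of this record
        yield pcap[off + 16:off + 16 + n]
        off += 16 + n

def audit(pcap, client=CLIENT, server=VPN_SERVER):
    """List (dst, dport, kind) for client packets that did not go to the VPN server."""
    found = []
    for f in frames(pcap):
        ip = f[14:]
        if f[12:14] != b"\x08\x00" or ip[9] not in (6, 17):   # IPv4 TCP/UDP only
            continue
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        l4 = ip[(ip[0] & 0x0F) * 4:]
        dport = struct.unpack_from("!H", l4, 2)[0]
        if src != client or (ip[9] == 17 and (dst, dport) == server):
            continue                                  # inbound, or expected tunnel packet
        payload = l4[8 if ip[9] == 17 else (l4[12] >> 4) * 4:]
        kind = "cleartext" if any(m in payload for m in MARKERS) else "outside-tunnel"
        found.append((dst, dport, kind))
    return found

def frame(dst, proto, dport, payload):
    """Build one constructed Ethernet/IPv4/TCP-or-UDP frame sent by CLIENT."""
    a = lambda s: bytes(map(int, s.split(".")))
    l4 = (struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) if proto == 17 else
          struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, a(CLIENT), a(dst))
    return bytes(12) + b"\x08\x00" + ip + l4

def pcap(*fs):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # Ethernet link type
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in fs)

TUNNEL = frame("203.0.113.10", 17, 1194, bytes.fromhex("38a1f09c3e7d52b0e4c6"))
SPLIT = pcap(TUNNEL, frame("198.51.100.7", 6, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
             frame("192.0.2.53", 17, 53, b"\x12\x34\x01\x00"))
FULL = pcap(TUNNEL, TUNNEL)
```

An empty result from `audit` means everything the client sent went to the VPN server; an "outside-tunnel" entry on port 53 is a DNS query that left the machine unencrypted.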
- OpenVpn Newbie
- Posts: 6
- Joined: Wed May 11, 2011 3:11 pm
Re: How can I check that the VPN is secure?
JJK,
Thanks for getting back to me! I appreciate it! I am really finding this fun to play with.
1. How do I check to see if I have the routing right (not exactly sure what you mean)? I log in, it does give me the same IP on the VPN as the SOHO, so I guess that's good.
2. Actually, I ended up remoting into one of my client PCs, installing openvpn, & testing it that way. The source & destination using wireshark showed no HTTP traffic. The only source/destination was the local IP on the client end and my SOHO WAN IP. I guess that's secure then!
3. I agree that key management is important for just this type of situation. I didn't see where I can add a password to the certificate or where I could add another password when connecting. Is one method more secure than another?
Thanks,
Rich
janjust wrote:
> > 1. I thought that when VPN'ing into my network, that my external IP would change to the SOHO network's external IP. That is not the case, I still have the external IP of my current ISP. This makes me wonder if my SOHO traffic might be at risk.
> that depends on your setup; if you are using
> Code:
> push "redirect-gateway def1"
> on the server then your IP address should change to the address of the VPN server, provided that you've got routing right.
> > 2. Is there a way to test that the VPN traffic is secure?
> run wireshark on the external interface (i.e. eth0) and browse to a website - you should not see HTML text fly by, just garbled data
> > 3. I notice when launching the VPN from a client, that no password is asked. While I don't expect to lose a laptop, I do wonder if it makes sense to have a password that I can change.
> you can set a password on the client certificate, or you can add username/password authentication. If you lose a laptop you can always revoke the certificate that was stored on the laptop; this does show that proper key management is necessary!
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Re: How can I check that the VPN is secure?
> 1. How do I check to see if I have the routing right (not exactly sure what you mean)? I log in, it does give me the same IP on the VPN as the SOHO, so I guess that's good.
if you're redirecting all traffic via the VPN then you also need to make sure routing on the server end is set up correctly, or you won't browse the internet at all; if a site like http://www.whatismyip.com shows your VPN server address then you're all set
> 3. I agree that key management is important for just this type of situation. I didn't see where I can add a password to the certificate or where I could add another password when connecting. Is one method more secure than another?
when building a certificate you can use
Code:
build-key-pass
Code:
openssl rsa -des3 -in client1.key -out newclient.key
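
What `redirect-gateway def1` does to the client's routing table, as an added example that is not part of the original thread: it installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel plus a host route to the VPN server via the original gateway, and longest-prefix match then decides where each destination goes. The routing tables, addresses, the 10.8.0.0/24 tunnel subnet and the `eth0`/`tun0` names are constructed for illustration; server-side forwarding is not modelled.

```python
import ipaddress

SERVER = "203.0.113.10"                      # constructed: VPN server's public IP
PROBES = ["8.8.8.8", "198.51.100.7"]         # constructed internet destinations

def lookup(table, dst):
    """Return the (prefix, via, dev) route chosen for dst by longest-prefix match."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in table if ip in ipaddress.ip_network(r[0])]
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)

def apply_def1(table, vpn_server, vpn_gw, dev="tun0"):
    """Add the routes def1 installs; the original default route is left in place."""
    default = next(r for r in table if r[0] == "0.0.0.0/0")
    return table + [
        (f"{vpn_server}/32", default[1], default[2]),  # tunnel packets stay on the ISP path
        ("0.0.0.0/1", vpn_gw, dev),                    # lower half of IPv4 space
        ("128.0.0.0/1", vpn_gw, dev),                  # upper half of IPv4 space
    ]

def check(table, vpn_server, probes, dev="tun0"):
    """Return problems: probes that bypass the tunnel, or a server route inside it."""
    problems = [p for p in probes if lookup(table, p)[2] != dev]
    if lookup(table, vpn_server)[2] == dev:
        problems.append(f"{vpn_server} routed into {dev} (routing loop)")
    return problems

# Constructed client table while connected WITHOUT redirect-gateway (split tunnel):
BEFORE = [
    ("0.0.0.0/0", "192.168.1.1", "eth0"),
    ("192.168.1.0/24", "on-link", "eth0"),
    ("10.8.0.0/24", "on-link", "tun0"),
]
AFTER = apply_def1(BEFORE, SERVER, "10.8.0.1")
# Constructed failure case: the /1 routes are present but the host route is missing.
BROKEN = [r for r in AFTER if r[0] != f"{SERVER}/32"]

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER), ("broken", BROKEN)):
        print(name, check(table, SERVER, PROBES))
```

The `BEFORE` table is the situation in the first post: LAN resources are reachable through the tunnel, but internet traffic still leaves via the ISP, so the external IP does not change.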
- OpenVpn Newbie
- Posts: 6
- Joined: Wed May 11, 2011 3:11 pm
Re: How can I check that the VPN is secure?
I was also curious, using a client PC connecting remotely to the VPN, I am able to ping a computer on the local SOHO. If I am on the SOHO & try to ping a computer connecting via VPN, I am unable to ping it (weird)?
Ok, in terms of keys with passwords.
Would this is the order I did it without a password:
Code:
vars
clean-all
build-ca
build-key-server server
build-key client1
build-dh
You mentioned using "build-key-pass" but I don't see that batch file but I do see it mentioned in the how to. I like the idea of making a new password client.
Where would I use this?
Code:
openssl rsa -des3 -in client1.key -out newclient.key
Do I add that to the client.conf file? For the newclient.key, do I just make a text file with the password, then change the extension to .key?
Thanks,
Rich
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Re: How can I check that the VPN is secure?
> Posted: 13 May 2011 19:40
> I was also curious, using a client PC connecting remotely to the VPN, I am able to ping a computer on the local SOHO. If I am on the SOHO & try to ping a computer connecting via VPN, I am unable to ping it (weird)?
> Ok, in terms of keys with passwords.
> Would this is the order I did it without a password:
> Code:
> vars
> clean-all
> build-ca
> build-key-server server
> build-key client1
> build-dh
> You mentioned using "build-key-pass" but I don't see that batch file but I do see it mentioned in the how to. I like the idea of making a new password client.
oh crap, I forgot, the windows batch files don't include 'build-key-pass' ....
> Where would I use this?
> Code:
> openssl rsa -des3 -in client1.key -out newclient.key
this is actually a command you would run in a Windows CMD shell; go to the directories where your keys and certs are located and type in this command; if openssl.exe is not in your PATH then prepend
Code:
"c:\program files\openvpn\bin\