Secure your browsing using a home VPN


This is one of those posts that is meant to save time for myself in the future when I'll have to figure all of this out from scratch.

I spend a lot of time in coffee shops and public places with unsecure wifi. Unsecure wifi scares the bejeesus out of me so I wanted to figure out a way to secure any traffic going through. It would also be nice to access things on my home network. It turns out there are a million different ways to do this and I found one that worked for me. Here were the constraints that I imposed.

  • It should be secure (duh!) for coffee-shop, public wifi browsing. This is not designed to hold up to connecting to DefCon/Black Hat conference wifi.
  • It should work from anywhere in the world.
  • It shouldn't require me to have any computing devices booted up and running at home apart from my wifi router running a DD-WRT build.
  • It should work on all my computing devices, especially on iOS.
  • It shouldn't use any external VPN/SSH services. No good reason apart from the fact that I'm just masochistic about these things.

If you don't have these constraints, there are many different ways to do this. Here are some alternate options:

Alternate paths

  • If you are only using laptops, you should just use SSH using the excellent instructions here. I still use this when I'm using my MBP.
  • If you're ok with using an external service, you should use something like LogMeIn Hamachi, which is an excellent product and more secure than the setup I lay out below.
  • If you're ok with not being able to use this from non-jailbroken iOS devices, you should use OpenVPN instead of PPTP as I do so below. That is more secure but not supported by iOS out of the box.
  • If you're ok with having a machine apart from your DD-WRT router running, there are several options. For example, there are tons of VPN servers that will let you set up an OpenVPN or an L2TP/PPTP server (both protocols supported by iOS out of the box). See this comparison of the various protocols.

But if you happen to have the specific set of constraints I do and like DIY hacks, read on.

DO NOT SKIP - IMPORTANT - Security risks of using PPTP

VPNs can be created using a multitude of protocols and the one we are going to use, PPTP, is the most insecure of the lot. Wait, what? Why are we picking the most insecure one if the whole purpose of the exercise is to make internet usage more secure? Worse, by using something insecure, we could let somebody get into our home network and rampage around. If you're not going to use a long passphrase/password, you shouldn't be doing this.

Here's why I picked PPTP and why I believe using it with very long passwords/passphrases is acceptable.

  1. OpenVPN is arguably the most secure solution, but iOS doesn't support it out of the box. iOS does support L2TP, but DD-WRT doesn't. So we're stuck with PPTP. If you're willing to run a server at home, you should be using L2TP.
  2. PPTP's security increases when using long passwords. The security attacks are typically dictionary based. So make sure you use a long password.
  3. And finally, chances are low that an attacker at a public wifi station is going to put in the effort to go after you. If that isn't true, you're in trouble.

If you don't understand what I'm talking about or if you don't agree, you shouldn't be doing this.

END SECURITY SECTION

Setting up your DD-WRT wifi router as a VPN server

  • If you don't have DD-WRT installed on your wifi router, stop reading right now and go install it. It will not only give you all sorts of extra features you never knew wifi routers could do, it also boosts performance over most stock firmwares. In our case, we'll use the VPN service.
  • Get the right version of DD-WRT installed. I have v24-sp2 installed but I believe anything over v24 should be fine.
  • Read the instructions on the DD-WRT wiki. This saved me a lot of headache and when I didn't see bits (like the one on special characters in passwords, for example), I regretted it later.
  • Go to the Services -> VPN tab on your router's administration page (which is typically at http://192.168.1.1). DD-WRT moves this UI around from version to version, so you might need to hunt a little.
  • The wiki tells you what each of these settings means, but here's what I used to get it working.

    PPTP Server -> Enable
    Broadcast support -> Enable
    Force MPPE Encryption -> Enable
    Server IP -> 192.168.1.1 (you can pick anything here, just remember to use this when you forward traffic a bit later)
    Client IP -> 192.168.1.110-120 ( you can use any valid range here)
    DNS1/DNS2 -> 8.8.8.8/8.8.4.4 (not using Google's DNS also worked for me but others on the web have reported issues here)
    CHAP-Secrets -> * username * "password" *
    The format of the username/password line is critical. It is asterisk, space, username, space, asterisk, space, password enclosed in double quotes, space, asterisk. If you don't have special characters in your password, you can skip the quotes. If you have multiple usernames and passwords, put each one on a new line in the same format. REMEMBER - use a long password with special characters or you will be in trouble.

Hit 'Apply Settings'.

  • Now you need to do a couple of things to work around some iOS and OSX quirks. The first is around DNS. Add the script below as a startup command in the Administration->Commands tab.

    #!/bin/sh
    # Append the two options that work around the iOS/OSX quirk described above
    echo "nopcomp" >> /tmp/pptpd/options.pptpd
    echo "noaccomp" >> /tmp/pptpd/options.pptpd
    # Restart pptpd so it picks up the new options. pidof avoids the original
    # ps|grep|cut pipeline, which also matched the grep process itself and broke
    # on busybox's right-aligned PID column.
    kill $(pidof pptpd) 2>/dev/null
    pptpd -c /tmp/pptpd/pptpd.conf -o /tmp/pptpd/options.pptpd

  • Run this command using Administration->Commands to force encryption (the DD-WRT wiki explains this in detail if you want to understand what it does).

    sed -i -e 's/mppe .*/mppe required,stateless/' /tmp/pptpd/options.pptpd

  • Go to Security->VPN Passthrough and make sure PPTP passthrough is enabled.
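Two small helpers for the CHAP-Secrets format above and for the options file that the startup command and the sed edit are supposed to leave behind. This is an added example, not from the post or from DD-WRT; the MIN_LEN threshold is my own choice, and the line shape follows the post's description (leading asterisk, secret quoted when it has special characters).

```shell
#!/bin/sh
# Added example, not part of the original post or of DD-WRT.
# chap_line builds one CHAP-Secrets entry in the shape the post describes:
#   * user * "password" *
# quoting the secret only when it contains something other than letters,
# digits, '-' or '_', and refusing short secrets, since the post's whole
# argument for PPTP rests on long passphrases.
# options_enforced checks that a pptpd options file (on the router that is
# /tmp/pptpd/options.pptpd) really contains the three lines the startup
# command and the sed edit should leave, so you can verify rather than assume.
MIN_LEN=20   # constructed threshold, adjust to taste

chap_line() {
    user="$1"; secret="$2"
    if [ "${#secret}" -lt "$MIN_LEN" ]; then
        echo "secret for '$user' is shorter than $MIN_LEN characters" >&2
        return 1
    fi
    case "$secret" in
        *\"*)
            echo "double quotes inside a secret are not handled here" >&2
            return 1 ;;
        *[!A-Za-z0-9_-]*)
            # special characters present: quote the secret as the post says
            printf '* %s * "%s" *\n' "$user" "$secret" ;;
        *)
            printf '* %s * %s *\n' "$user" "$secret" ;;
    esac
}

# Returns 0 only if every required option is present as a whole line;
# prints each missing one to stderr.
options_enforced() {
    file="$1"; missing=0
    for opt in nopcomp noaccomp 'mppe required,stateless'; do
        if ! grep -qx "$opt" "$file"; then
            echo "missing: $opt" >&2
            missing=1
        fi
    done
    return $missing
}
```

Paste the line chap_line prints into the CHAP-Secrets field, and run options_enforced /tmp/pptpd/options.pptpd from Administration->Commands after a reboot to confirm the startup command actually ran.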

Setting up DynDNS

The next step is to get this accessible from anywhere in the world. DD-WRT has built-in support for DynDNS which makes this easy.

  • Create an account on DynDNS. You'll get a host-name, something of the form username.dyndyns-server.com.
  • In DD-WRT, go to Setup->DDNS. Select DynDNS.org as the DDNS service, enter your DynDNS username, password and hostname, and make sure the status textarea doesn't show any errors when you hit 'Apply Settings'. If you type dig username.dyndns-server.com in a terminal (or use nslookup on Windows), you should now see your public IP.
  • Now comes the scary step - forwarding traffic from the outside world. We're going to forward two ports only (one should be sufficient, but some users report errors here). Go to the NAT/QoS->Port Forwarding tab and add the following entries. If you didn't pick 192.168.1.1 as the server IP address earlier, change it here to match.

    Application - vpn, Port from - 1723, Protocol - Both, IP Address - 192.168.1.1, Port To - 1723, Enabled - Check
    Application - vpn, Port from - 1792, Protocol - Both, IP Address - 192.168.1.1, Port To - 1792, Enabled - Check

  • Hit 'Apply Settings'.

  • Reboot the router. I typically do this by pulling out the power cord and plugging it back in.

Setting up OSX as a VPN Client

At this point you should have a functional VPN server. Let's connect to it! I'm going to lay out the instructions for OSX; since Apple uses the same terminology, iOS setup is almost identical from inside the General Settings->Network UI. All other VPN clients should offer a similar configuration experience as well.

  • Open up the 'Network' preferences pane in System Preferences.
  • Use the '+' button at the left bottom of the pane.
  • Pick VPN as the interface, PPTP as VPN Type and name it anything you want (I used 'Home VPN').
  • You should now have a VPN interface. Enter your DynDNS hostname in 'Server Address' and the username you entered in the CHAP Secrets section as 'Account Name'. Press 'Advanced...' and check the option to send all traffic through this connection. Now, back in the main pane, press 'Connect'. Enter the password you typed out back in the CHAP Secrets section and...

  • Voila! You are now connected to your own VPN server. If this actually worked on your first attempt, congratulations! You can now browse securely from anywhere in the world by channeling all traffic through your home network.

If this didn't work

There are several things that could go wrong above. Here are some common debugging tasks:

  • Check the username/password format. This was the cause of much pain, especially around special characters.
  • Check the output at every step. For example, try connecting using 192.168.1.1 instead of the public hostname if you think DynDNS is the problem.
  • The DD-WRT forums are excellent. Search there and try posting there if you have an unresolved issue.
  • Of course, there's always your favorite search engine to fall back on :).

Happy VPNing!