eduvpn François Kooman

Transcription

1 eduvpn François Enschede,

2 Me Software Developer (PHP, C) Freelancer traveling around Europe Used to work for SURFnet Now: lead developer eduvpn / Let s Connect!

3 eduvpn vs Let s Connect Let s Connect is the software project eduvpn is a branded Let s Connect for higher education and research

4 Outline Screenshot Parade Let s Connect! Technology Campus Integration Application Integration Distribution / Federation Future

5 Screenshot Parade

6

7

8

9

10

11 Let s Connect for Windows

12 eduvpn for Windows

13 Let s Connect!

14 What A free software, easy to use VPN service you can host yourself!

15 Let s Connect! Project started 3.5 years ago as eduvpn Initially funded by SURFnet (NL) Now many (international) partners involved: GÉANT, NORDUnet, Vietsch Foundation, DeiC, AARnet, RIPE Community Fund, SIDN Fonds, NLnet, Commons Conservancy Won ISOC Internet Innovation Award 2018!

16 Use Cases Protect against attackers on (insecure) WiFi networks Access (private) networks at your organization or at home

17 Who is this for? NRENs / ISPs Organizations (self hosting) Hacker spaces Individuals Cheaper than buying a VPN subscription! Easy to share with your friends!

18 Let s Connect! FLOSS (Free/Libre Open Source Software) AGPLv3+ Easy to install on everything from 3/month VPS, Raspberry Pi to 128 core bare metal with 10+GBit network Runs on Debian >= 9, Red Hat Enterprise Linux/CentOS >= 7, Fedora >= 25 Web interface for users and administrators Guest Usage Native Applications (also FLOSS) Privacy by Design & Default! Survived two source code security audits to date

19 Audits 2017 Radically Open Security (ROS) 2018 Radboud University, Nijmegen, The Netherlands

20 Privacy Does not log originating IP address (default) Does log VPN IP + connection time, removed after 30 days (default) You can find a user using the IP that was reported (abuse) together with the time of the incident With eduvpn we only know a persistent identifier of the user, have to ask SURFconext for actual user identity Can block the user without knowing the identity of the user

21 Trust (I/II) You need to trust 1) Your device (laptop, smartphone) 2) WiFi network / ethernet 3) ISP 4) The service you are using

22 Trust (II/II) VPN helps if you don t trust 2 and/or 3 ISP provides insecure crappy modem ISP is recording metadata/monitoring everything, for fun and profit! Sometimes you trust 2 and/or 3 more than your VPN provider! Too many stories of untrustworthy VPN providers... If you don t trust 1 and/or 4, it is game over Your Android phone last received a security update in March 2016 Tinder doesn t encrypt pictures, leaks swiping behavior If you use Facebook or Google, oh well...

23 Technology

24 Technology OpenVPN OpenVPN >= 2.4 Most secure configuration OAuth 2.0 Bearer tokens with Public Key Cryptography

25 OpenVPN Why? Audited (openvpn-nl) Works over TCP (port 443) Easy to setup Turns out not so easy to set up correctly Available everywhere ( ) Easy integration with ACLs, 2FA,

26 OpenVPN Configuration disasters SELinux Network (Adaptive) Compression Verifying 2FA / ACL MTU ios

27 OpenVPN We want unmodified OpenVPN clients to work with Let s Connect! We want unmodified OpenVPN server to work with Let s Connect!

28 OpenVPN We want to use normal way of running OpenVPN on Linux Use systemd for init scripts Work without hard dependency on Let s Connect! Except of course when 2FA/ACL is enabled, we need to verify it somehow!

29 OpenVPN Take care of generating Server configuration CA / certificates Let the OS take care of process management KISS This turned out to be very reliable!

30 Cryptography AES-256-GCM SHA256 TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 TLS >= 1.2 TLS Auth / TLS Crypt

31 Network Full IPv6 support Connecting to VPN (and inside VPN) (IPv6) NAT or Public IP addresses

32 Scaling #OpenVPN processes ~= #CPU cores Can quickly become very expensive AES-NI helps a lot not for connection setup, but during active connection Maximum 64 clients per OpenVPN process Bigger Deployments 8 Profiles ~ 4096 IP addresses (concurrent users) 4096 / 64 = 64 OpenVPN processes Start with 8 cores, can easily grow!

33 Architecture Host eduvpn instances for institutes but allow self hosting as well! Easy to scale instances Start with one VM for all instances Allow moving instances without breaking VPNs Dedicated VM Bare metal Raspberry Pi

34 Campus Integration

35 Lightpaths Guaranteed bandwidth to campus from eduvpn server(s) Use organizations (public) IP addresses Use organization packet filter / firewall

36 Authorization ACL on VPN usage Only allow members of (LDAP) group to access certain VPN profiles Supports SURFteams / VOOT as well

37 Application Integration

38 OAuth Protocol (framework) to authorize (native) applications to act on your behalf

39 OAuth 1) Client opens browser with URL of authorization server (AS) 2) AS makes sure user is authenticated, and then prompt for authorization 3) Browser redirects back to client Special URL scheme, localhost, claimed HTTPS URL 4) Client exchanges authorization code for access token 5) Client uses access token to talk to API

40

41

42

43

44 Distribution / Federation

45 Trust Allow establishing trust between multiple Let s Connect! deployments SURFnet runs their server in Amsterdam AARnet runs their server in Perth Users of the server provided by SURFnet can use the VPN provided by AARnet

46 Why? Load balancing Sharing costs for creating a federated/distributed VPN provider network Route around errors on the network when reaching certain destinations Leveraging existing trust networks, e.g. Hacker spaces/communities to create a trusted VPN provider network Allow users choice of VPN server to use (latency, jurisdiction,...)

47 How? Leverage OAuth 2.0 Bearer tokens used for Native Application integration Public Key Signatures over Bearer tokens

48 Flow 1) Application loads list of VPN services part of the federation, i.e. Discovery file 2) Application obtains OAuth Bearer token at their home VPN service 3) Obtained token can be used at all providers part of the federation

49 Discovery

50 Future Target PHP 7.2 Red Hat Enterprise Linux/CentOS 8 Debian 10 (probably Debian 11...) Setup a (distributed) not for profit friends of friends VPN service with Let s Connect as testing ground Look into using WireGuard as a replacement for OpenVPN High(er) level implementation OpenVPN for all platforms (using native VPN APIs) Use better protocol than HTTP(S) between nodes

51 Questions / Discussion François Kooman

52 eva eduvpn Visitor Access SMS eduvpn to or use the apps! Account valid for 2 days (48h)