eduvpn François Kooman

Similar documents
Configuring OpenVPN on pfsense

ESP Egocentric Social Platform

Security Guide Zoom Video Communications Inc.

Network Security. Thierry Sans

Single Sign-On. Introduction

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Securing MQTT. #javaland

CS November 2018

Accessing CharityMaster data from another location

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide

Cirius Secure Messaging Single Sign-On

NGFW Security Management Center

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Personal Internet Security Basics. Dan Ficker Twin Cities DrupalCamp 2018

NetScaler for Apps and Desktops CNS-222; 5 Days; Instructor-led

BYOD Success Kit. Table of Contents. Current state of BYOD in enterprise Checklist for BYOD Success Helpful Pilot Tips

Network Administrator s Guide

Single Sign-On. Introduction. Feature Sheet

DreamFactory Security Guide

Openvpn Client Do Not Change Default Gateway

Why do we really want an ID/locator split anyway?

BEST PRACTICES FOR PERSONAL Security

Grandstream Networks, Inc. GWN7000 OpenVPN Site-to-Site VPN Guide

CloudFleet Documentation

Wireless Terminal Emulation Advanced Terminal Session Management (ATSM) Device Management Stay-Linked

Secure Container DME. SecureContainer - DME is available for ios and Android.

For those who might be worried about the down time during Lync Mobility deployment, No there is no down time required

This paper introduces the security policies, practices, and procedures of Lucidchart.

G/On. G/On is available for Windows, MacOS and Linux (selected distributions).

Administering Jive Mobile Apps

The Current State of OAuth 2. Aaron Open Source Bridge Portland, June 2011

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

openid connect all the things

Providing Secure, Fast and Available

The specifications and information in this document are subject to change without notice. Companies, names, and data used

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway

Federated login to native applications

Tutorial: Building the Services Ecosystem

Unlocking Office 365 without a password. How to Secure Access to Your Business Information in the Cloud without needing to remember another password.

Cloud Native Security. OpenShift Commons Briefing

Qualys SAML & Microsoft Active Directory Federation Services Integration

TLS 1.1 Security fixes and TLS extensions RFC4346

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1

Where s my DNS? Sara Dickinson IDS 2. Where s my DNS?

/****************************************************************************\ DAS Release for Solaris, Linux, and Windows

Campus Wi-Fi. Set up access to eduroam: the University Wi-Fi network

AC750 Dual Band WiFi Router

Authentication Technology for a Smart eid Infrastructure.

edusafe Network Func2on Virtualiza2on lite Lightning

InterCall Virtual Environments and Webcasting

Setup PureVPN Windows Software

Radius, LDAP, Radius, Kerberos used in Authenticating Users

Securing ArcGIS Services

How to Secure SSH with Google Two-Factor Authentication

New methods to protect the network. Deeper visibility with Cisco NGFW Next Generation Firewall

FIVE REASONS YOU SHOULD RUN CONTAINERS ON BARE METAL, NOT VMS

PureVPN's OpenVPN Setup Guide for pfsense (2.3.2)

RKN 2015 Application Layer Short Summary

About DPI-SSL. About DPI-SSL. Functionality. Deployment Scenarios

Google Identity Services for work

Operating system hardening

USER MANUAL. VIA IT Deployment Guide for Firmware 2.3 MODEL: P/N: Rev 7.

HTTPS is Fast and Hassle-free with Cloudflare

NSG100 Nebula Cloud Managed Security Gateway

LECTURE WK4 NETWORKING

All-in one security for large and medium-sized businesses.

Contents. Configuring SSH 1

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

HySecure Quick Start Guide. HySecure 5.0

Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

Delivering Large Scale WebRTC. Richard Tworek Principal WebRTC Strategies Twitter: rmtworek. WebRTC STRATEGIES 11/25/2013

NSG50/100/200 Nebula Cloud Managed Security Gateway

VMware AirWatch Content Gateway Guide for Linux For Linux

System Requirements. Network Administrator Guide

VMware Identity Manager vidm 2.7

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

If you re a Facebook marketer, you re likely always looking for ways to

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

CYBER RISK CONSULTING. Smartphone Security Issues

This release of the product includes these new features that have been added since NGFW 5.5.

BeBanjo Infrastructure and Security Overview

tcpcrypt: real transport-level encryption Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh. UCL and Stanford.

PrinterOn Security Discussion Paper Enterprise Edition. PrinterOn Enterprise security framework-in depth

Alcatel OmniAccess 200 Series

IPv6 at Google. Lorenzo Colitti

REMOTE ACCESS SSL BROWSER & CLIENT

Etanova Enterprise Solutions

Securing VMware NSX-T J U N E 2018

VPN Solutions for Zerto Virtual Replication to Azure. IPSec Configuration Guide

PULSE CONNECT SECURE APPCONNECT

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

SAP Security in a Hybrid World. Kiran Kola

On the Internet, nobody knows you re a dog.

Making life simpler for remote and mobile workers

ADFS integration with Ibistic Commerce Platform A walkthrough of the feature and basic configuration

Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy

Cisco Wide Area Application Services (WAAS) Mobile

Technical Overview. Version March 2018 Author: Vittorio Bertola

Transcription:

eduvpn François Kooman <fkooman@tuxed.net> @fkooman Enschede, 2018-02-09

Me Software Developer (PHP, C) Freelancer traveling around Europe Used to work for SURFnet Now: lead developer eduvpn / Let s Connect!

eduvpn vs Let s Connect Let s Connect is the software project eduvpn is a branded Let s Connect for higher education and research

Outline Screenshot Parade Let s Connect! Technology Campus Integration Application Integration Distribution / Federation Future

Screenshot Parade

Let s Connect for Windows

eduvpn for Windows

Let s Connect!

What A free software, easy to use VPN service you can host yourself!

Let s Connect! Project started 3.5 years ago as eduvpn Initially funded by SURFnet (NL) Now many (international) partners involved: GÉANT, NORDUnet, Vietsch Foundation, DeiC, AARnet, RIPE Community Fund, SIDN Fonds, NLnet, Commons Conservancy Won ISOC Internet Innovation Award 2018!

Use Cases Protect against attackers on (insecure) WiFi networks Access (private) networks at your organization or at home

Who is this for? NRENs / ISPs Organizations (self hosting) Hacker spaces Individuals Cheaper than buying a VPN subscription! Easy to share with your friends!

Let s Connect! FLOSS (Free/Libre Open Source Software) AGPLv3+ Easy to install on everything from 3/month VPS, Raspberry Pi to 128 core bare metal with 10+GBit network Runs on Debian >= 9, Red Hat Enterprise Linux/CentOS >= 7, Fedora >= 25 Web interface for users and administrators Guest Usage Native Applications (also FLOSS) Privacy by Design & Default! Survived two source code security audits to date

Audits 2017 Radically Open Security (ROS) 2018 Radboud University, Nijmegen, The Netherlands

Privacy Does not log originating IP address (default) Does log VPN IP + connection time, removed after 30 days (default) You can find a user using the IP that was reported (abuse) together with the time of the incident With eduvpn we only know a persistent identifier of the user, have to ask SURFconext for actual user identity Can block the user without knowing the identity of the user

Trust (I/II) You need to trust 1) Your device (laptop, smartphone) 2) WiFi network / ethernet 3) ISP 4) The service you are using

Trust (II/II) VPN helps if you don t trust 2 and/or 3 ISP provides insecure crappy modem ISP is recording metadata/monitoring everything, for fun and profit! Sometimes you trust 2 and/or 3 more than your VPN provider! Too many stories of untrustworthy VPN providers... If you don t trust 1 and/or 4, it is game over Your Android phone last received a security update in March 2016 Tinder doesn t encrypt pictures, leaks swiping behavior If you use Facebook or Google, oh well...

Technology

Technology OpenVPN OpenVPN >= 2.4 Most secure configuration OAuth 2.0 Bearer tokens with Public Key Cryptography

OpenVPN Why? Audited (openvpn-nl) Works over TCP (port 443) Easy to setup Turns out not so easy to set up correctly Available everywhere ( ) Easy integration with ACLs, 2FA,

OpenVPN Configuration disasters SELinux Network (Adaptive) Compression Verifying 2FA / ACL MTU ios

OpenVPN We want unmodified OpenVPN clients to work with Let s Connect! We want unmodified OpenVPN server to work with Let s Connect!

OpenVPN We want to use normal way of running OpenVPN on Linux Use systemd for init scripts Work without hard dependency on Let s Connect! Except of course when 2FA/ACL is enabled, we need to verify it somehow!

OpenVPN Take care of generating Server configuration CA / certificates Let the OS take care of process management KISS This turned out to be very reliable!

Cryptography AES-256-GCM SHA256 TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 TLS >= 1.2 TLS Auth / TLS Crypt

Network Full IPv6 support Connecting to VPN (and inside VPN) (IPv6) NAT or Public IP addresses

Scaling #OpenVPN processes ~= #CPU cores Can quickly become very expensive AES-NI helps a lot not for connection setup, but during active connection Maximum 64 clients per OpenVPN process Bigger Deployments 8 Profiles ~ 4096 IP addresses (concurrent users) 4096 / 64 = 64 OpenVPN processes Start with 8 cores, can easily grow!

Architecture Host eduvpn instances for institutes but allow self hosting as well! Easy to scale instances Start with one VM for all instances Allow moving instances without breaking VPNs Dedicated VM Bare metal Raspberry Pi

Campus Integration

Lightpaths Guaranteed bandwidth to campus from eduvpn server(s) Use organizations (public) IP addresses Use organization packet filter / firewall

Authorization ACL on VPN usage Only allow members of (LDAP) group to access certain VPN profiles Supports SURFteams / VOOT as well

Application Integration

OAuth Protocol (framework) to authorize (native) applications to act on your behalf

OAuth 1) Client opens browser with URL of authorization server (AS) 2) AS makes sure user is authenticated, and then prompt for authorization 3) Browser redirects back to client Special URL scheme, localhost, claimed HTTPS URL 4) Client exchanges authorization code for access token 5) Client uses access token to talk to API

Distribution / Federation

Trust Allow establishing trust between multiple Let s Connect! deployments SURFnet runs their server in Amsterdam AARnet runs their server in Perth Users of the server provided by SURFnet can use the VPN provided by AARnet

Why? Load balancing Sharing costs for creating a federated/distributed VPN provider network Route around errors on the network when reaching certain destinations Leveraging existing trust networks, e.g. Hacker spaces/communities to create a trusted VPN provider network Allow users choice of VPN server to use (latency, jurisdiction,...)

How? Leverage OAuth 2.0 Bearer tokens used for Native Application integration Public Key Signatures over Bearer tokens

Flow 1) Application loads list of VPN services part of the federation, i.e. Discovery file 2) Application obtains OAuth Bearer token at their home VPN service 3) Obtained token can be used at all providers part of the federation

Discovery

Future Target PHP 7.2 Red Hat Enterprise Linux/CentOS 8 Debian 10 (probably Debian 11...) Setup a (distributed) not for profit friends of friends VPN service with Let s Connect as testing ground Look into using WireGuard as a replacement for OpenVPN High(er) level implementation OpenVPN for all platforms (using native VPN APIs) Use better protocol than HTTP(S) between nodes

Questions / Discussion https://app.eduvpn.nl/ https://letsconnect-vpn.org/ https://eduvpn.nl/ https://eduvpn.org/ @eduvpn_nl François Kooman <fkooman@tuxed.net> @fkooman

eva eduvpn Visitor Access SMS eduvpn to 06-35 777 876 https://eva.eduvpn.nl/ or use the apps! Account valid for 2 days (48h)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback