Secure Public WiFi
It’s no secret that public WiFi is just that, “PUBLIC”, yet people use it all the time with little thought for security. People check their email, Facebook, Twitter, Skype and even do online banking from public access points and hotspots. Crazy? … perhaps, but the problem isn’t that WiFi is open, rather that users don’t know any better. And vendors haven’t done much to improve the situation. No one has taken the time to teach users good security or, at the very least, how to spot attacks like “Man-in-the-middle”. Software vendors are not always the best at teaching proper etiquette; they typically rely on pop-up messages filled with technical security information. The problem with this approach is that most users will happily ignore or cancel any dialog box without understanding why it popped up in the first place. At that point a Man-in-the-middle attacker connected to the same WAP can easily sniff their target’s private and confidential information, including login user names and passwords.
Man-in-the-middle type attacks are possible because of inherent flaws in the way most operating system vendors implemented ARP (ARP replies carry no authentication, so a host will believe whoever answers first). Unfortunately users can’t do much about fixing the ARP implementation in their operating system. However, they do have control over what packets their operating system puts on the wire or transmits through the air.
Most of us know encryption is the best way to implement security on the Internet. Why should this be any different for public WiFi? A simple VPN connection thwarts man-in-the-middle type attacks and is simple to implement. In fact I’ll show you how easily you can turn Public WiFi from a scary place to a happy place. And best of all it’s all done with Open Source.
1. VPN Server
2. Internet connection
3. Dynamic DNS
4. VPN client software
5. Public WiFi
Here is the plan:
Sign up for a free Dynamic DNS update service. Configure your Internet router/firewall to update DNS whenever its public IP address changes. Install a VPN Server on a computer or virtual machine; punch a hole through the firewall and forward VPN traffic to that computer or virtual machine. Whenever using public wired connections or Public WiFi, secure your connection through your VPN Server.
In three words, “Secure Public Internet”; this includes both WiFi and wired. Call me paranoid, but I want a secure connection from hotels, airports, Starbucks, libraries and any other publicly offered Internet access points.
Most of us have Broadband Internet, which means we have lots of bandwidth (in most cases); however, our IP addresses are not static. Most if not all ISPs these days assign dynamic IPs. Therefore, for this to work we need a DNS update service. I’m not promoting one over another, I think they all do a great job. The one I use most often is DynDNS because it’s free. Most routers support the DynDNS update service. Simply create a login account with your service of choice and create a host record for your connection; it can be whatever you wish as long as no one else is already using it. Once you have one created, go into your router’s Dynamic DNS configuration and enter all the appropriate login information. From this point on, any time your router’s external IP address changes it should be updated with your DNS update provider of choice. The last piece of information you have to remember is the domain name associated with your host record. For example, with DynDNS it could be dyndns.org, in which case the full DNS name for my connection is hostname.dyndns.org.
If you have an old computer lying around, grab a copy of Ubuntu Server (Vanilla) and install OpenVPN Server. Reference my OpenVPN blog entries found at http://www.digitalboundary.net/wp/?m=201104 and http://www.digitalboundary.net/wp/?m=201105 (these should help you configure both the OpenVPN Server and Client).
Download the OpenVPN client software: OpenVPN GUI for Windows, Tunnelblick for Mac or the OpenVPN command line client for Linux. Alternatively, there is one commercial OpenVPN client I really like called Viscosity. It’s available for Mac and Windows. Configure your client software with the appropriate certificates, but most importantly ensure you ENABLE the option where OpenVPN tunnels ALL traffic through your VPN connection (the redirect-gateway directive in OpenVPN configuration terms). Without this setting your browser, Skype or other traffic will not flow through the VPN tunnel and your connection will not be secure.
Don’t forget to open a UDP port (OpenVPN uses UDP 1194 by default) through your firewall and forward incoming packets to your internal OpenVPN Server.
Lastly, take your laptop, drive down to your local Starbucks, grab a Latte and test your VPN connection. If you’ve done everything properly, ALL Internet bound traffic should be directed through your home VPN connection. If not, well, at least you got a Latte out of it. Back to the drawing board :-( Retrace your steps.
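Before the Starbucks run, a desk-side check of the client profile catches the most common mistake. The following is an added example, not code from the original post: it parses a .ovpn file and flags a missing redirect-gateway (the ALL-traffic option above) and a missing remote-cert-tls server, which makes the client reject a certificate that is not marked as a server certificate, so another client’s certificate from the same CA cannot pose as your server. hostname.dyndns.org is the post’s placeholder hostname and the certificate file names are made up.

```python
"""Desk-side audit of an OpenVPN client profile (.ovpn); added example, not
code from the original post. hostname.dyndns.org is the post's placeholder;
the certificate file names are made up for this example."""
import shlex
# Constructed sample: it connects, but nothing routes the default gateway into
# the tunnel, so browser and mail traffic still cross the hotspot in the clear.
LEAKY_PROFILE = """\
client
dev tun
proto udp
remote hostname.dyndns.org 1194
ca ca.crt
cert laptop.crt
key laptop.key
"""

# Constructed sample: the same profile with the directives the post calls for,
# plus remote-cert-tls so the client insists on a real server certificate.
HARDENED_PROFILE = LEAKY_PROFILE + """\
redirect-gateway def1
remote-cert-tls server
"""


def parse_directives(text):
    """Map each directive name to the list of argument lists it appears with."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        parts = shlex.split(line)
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def audit_profile(text):
    """Return a list of findings; an empty list means the profile passes."""
    d = parse_directives(text)
    findings = []
    if "redirect-gateway" not in d:
        findings.append("missing 'redirect-gateway def1': only the VPN subnet is "
                        "tunnelled; all other traffic still leaves via the hotspot")
    if ["server"] not in d.get("remote-cert-tls", []):
        findings.append("missing 'remote-cert-tls server': any certificate from "
                        "your CA, even another client's, would be accepted as the server")
    if d.get("proto", [["udp"]])[0] != ["udp"]:  # OpenVPN defaults to udp
        findings.append("proto is not udp: the firewall hole in this post is UDP 1194")
    return findings
```

Run audit_profile on the text of your own .ovpn; a profile that passes here still needs the live test, since the firewall forward and DynDNS record can only be verified from outside.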
With OpenVPN and Dynamic DNS, your browsing and email should be secure from any publicly offered Internet connection. If anyone has any questions or comments please drop me a line.