Chromebooks with Openvpn on EC2

Chromebooks are perfect companions for travel. They are light, secure and one generally doesn't have to worry about data theft in case they loose the device.  But surfing from hotels and coffee shops is another story. While most sites are in SSL, there are enough websites which are not... and even the ones which support SSL sometimes forget to use SSL connectivity for sensitive data. Which is why extensions like "HTTPS everywhere" is highly recommended.


If I could, I'd pay a few cents for extra level of privacy when using these public wifi networks. In this post I'll document how you could quickly setup an openvpn server on EC2 instance to do exactly this for your chromebook.

Prerequisites 

1. A working EC2 account
2. A working key-pair (required to ssh into the EC2 instance)
3. Chromebook with R23 or later 

Step 1 - Launch Amazon Linux AMI ( I used 32 bit for my setup.. its the cheapest). Pick all the defaults options and pay attention to which "Security Group" you would be selecting. It would most probably be called "default"

Step 2 - Edit the security group used by the instance and make sure 1194 udp is added to "inbound" port list.

Step 3 - Ssh into the EC2 instance using your key ( you could also use this extension if you have the 'identity' file instead of the .pem)

ssh -i my_key.pem ec2-user@ec2-75-101-188-186.compute-1.amazonaws.com

Step 4 - Add a user, set password and update the server

sudo bash 

useradd temp 

echo 'my_password' | passwd temp --stdin 

yum -y update

Step 5 - Install/start openvpn server with basic options

# Install  

yum -y install openvpn

yum -y install mailx  

# Create fresh keys

mkdir -p /etc/openvpn/easy-rsa/

cp /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

cd /etc/openvpn/easy-rsa/

source vars

export KEY_COUNTRY="US"

export KEY_PROVINCE="CA"

export KEY_CITY="test-city"

export KEY_ORG="Example Company"

export KEY_EMAIL="royans@example.com"

export KEY_CN=changemenow

export KEY_NAME=changemenow

export KEY_OU=changemenow

./clean-all

./build-dh

./pkitool --initca

./pkitool --server server

./build-key-pkcs12 --pkcs12 hostname 

# Send a copy of ca cert by mail

mail -s ca.cert -a /etc/openvpn/easy-rsa/keys/ca.crt royans@example.com <<EOF

This is the cert file for this setup. Install this in the authorities tab in the chrome os device from where vpn needs to be initiated.

EOF 

# Create a server.conf file

cat > /etc/openvpn/server.conf <<EOF

port 1194

proto udp

dev tun

ca /etc/openvpn/easy-rsa/keys/ca.crt

cert /etc/openvpn/easy-rsa/keys/server.crt

key /etc/openvpn/easy-rsa/keys/server.key  

# This file should be kept secret

dh /etc/openvpn/easy-rsa/keys/dh1024.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

keepalive 10 120

persist-key

persist-tun

status openvpn-status.log/proc/sys/net/ipv4/ip_forward 

verb 6

plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so login

client-cert-not-required

push "dhcp-option DNS 8.8.8.8"

push "dhcp-option DNS 8.8.4.4"

EOF  

#Start the service

/etc/init.d/openvpn start

Step 6 - Setup basic source nat

echo 1 > /proc/sys/net/ipv4/ip_forward 

IP=`ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | cut -d':' -f2`  

iptables -F; iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to $IP

Step 7 - Install cert

• In step 5 we sent the ca.cert to the user's email address. The user should download that cert and install it under authorities tab of chromebook [ chrome://chrome/settings/certificates#cert ]
• There is a known issue that new certs of this type don't take effect until user logs out and logs in again
• After logging in again add the new vpn
• chrome://chrome/settings/
• Click on "Add connection"
• Click on "Add private network"
• In "Server hostname:" put in the external IP address or the name of your EC2 instance. For example ec2-54-245-135-132.compute-1.amazonaws.com
• in "Server CA certificate" you should see a new certificate called "chagemenow"
• For Username/Password use the credentials you setup in step 4

Step 8 - Done

• You should be able to test by pinging www.google.com from the crosh terminal

Certificate based authentication

• If your goal is to setup certificate based authentication you will have to do a few extra steps
• Along with installing ca.cert in authorities tab, you would also have to install  the hostname.p12 certificate you created in "Step 5" onto your chromebook ( look in the keys directory )
• In "server.conf" file comment out  both of the  lines below. The first one disables PAM based authentication, and second one enables certificate based authentication.
• plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so login
• client-cert-not-required
• When you specify client configuration make sure you specify both "Server CA certificate" and "User certificate".
• Type something into username to keep the UI satisfied... if you haven't enabled PAM based authentication it would have no effect in the login process.

Next steps

• Note that this is the simplest Openvpn setup. There are many different ways you can improve on this, which I highly recommend if you plan to keep this instance running for more than a few minutes or hours.
• You could use client certificates instead of just username/password
• You should consider tightening firewall rules on the server  
• If openvpn is running as root on the server, please switch it to something less privileged like 'nobody'.
• You should replace passwords and names I used as example above.
• It should be trivial for someone to write a script to do this... if you do, please let me know and I'll gladly link it from here
• While EC2 instances costs only a few cents per hour... please do remember to shutdown when you are done, else you will get an unexpected bill at the end of the month.

References

• How to setup an openvpn server ? 
• Setting up openvpn server on EC2
• Google: Setup virtual private networks