[auton-users] New VPN server fully functional
predragp at andrew.cmu.edu
Thu Mar 13 22:08:50 EDT 2014
Dear Autonians,
If you are not using an Auton Lab Linux-based desktop you might stop reading
this info now. If you care about the security of our Lab you might want to
continue reading even if you are currently not using a Linux-based desktop.
I have good news. Our new OpenVPN server running on areas.autonlab.org
is now fully functional. I tested both the server and my own desktop machine
as a client. These are the highlights:
1. Client and server run on their machines as non-privileged users in a chroot.
2. Certificates have proper permissions. For example, private keys are
visible only to the openvpn user.
3. Diffie-Hellman parameters with 1024-bit keys (I can increase to 2048 if NSA-type
security is necessary)
4. Fully encrypted TLS connection
5. We use the AES-256-CBC cipher (until now we used Blowfish)
6. I enabled the HMAC firewall to help mitigate DoS attacks (ta.key)
7. Compression is enabled on all VPN links
and finally
8. I am filtering inbound and outbound traffic on the tun interface on
areas.autonlab.org just like I do with any other physical
interface.
A casual computer user should notice a change in the speed of DNS queries as
soon as I turn on the new VPNs on your machines. I have already generated
certificates for all desktops.
There is also one unpleasant discovery. Our NIS uses completely random
ports to provide Linux computers with the user credentials necessary for NFS
(NFS itself uses ports 1111, 2049, 4000, 4001, 4002). This is completely
unacceptable to me, as such a system cannot be properly firewalled, and this
is just an additional reason for me to speed up the LDAP server (NIS replacement).
Without LDAP I cannot properly mount NFS on your desktops.
Most Kind Regards,
Predrag
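As an added illustration (not part of the announcement above), the following script checks an OpenVPN server config for the hardening items the message lists: a modern cipher instead of Blowfish, the tls-auth HMAC key, dropping privileges, a chroot, and the DH parameter size. The two configs and every file path in them are constructed samples, not the Lab's actual configuration.

```python
import re

# Constructed sample configs: a pre-upgrade server config (Blowfish, root, no
# tls-auth) and one with the hardening described in the announcement.
OLD_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
cipher BF-CBC
"""

NEW_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem            ; 1024-bit DH, as in the announcement
cipher AES-256-CBC
tls-auth ta.key 0        ; HMAC firewall key
user openvpn
group openvpn
chroot /var/empty/openvpn
persist-key
persist-tun
comp-lzo
"""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "NONE"}

def parse_conf(text):
    """Return {directive: [args...]}; '#' and ';' start comments in OpenVPN configs."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            conf[parts[0]] = parts[1:]
    return conf

def hardening_gaps(text):
    """List the announcement's hardening items that this config does not meet."""
    conf = parse_conf(text)
    gaps = []
    cipher = conf.get("cipher", ["BF-CBC"])[0].upper()  # OpenVPN 2.3 default is BF-CBC
    if cipher in WEAK_CIPHERS:
        gaps.append("weak-cipher:" + cipher)
    if "tls-auth" not in conf:
        gaps.append("no-tls-auth")
    if "user" not in conf or "group" not in conf:
        gaps.append("runs-privileged")
    if "chroot" not in conf:
        gaps.append("no-chroot")
    # Heuristic: infer the DH size from the file name (e.g. dh1024.pem).
    m = re.search(r"(\d+)", conf.get("dh", [""])[0])
    if m and int(m.group(1)) < 2048:
        gaps.append("dh-below-2048")
    return gaps
```

Run against the two samples, the old config reports every gap, while the hardened one reports only the 1024-bit DH parameters the message itself says could be raised to 2048.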