Categories: Security, VPN

Some interesting and important configuration settings for OpenVPN

Yesterday, in the announcements blog, I mentioned the security levels at ALight Technology And Services Limited (U.K) and ALight Technologies USA Inc (U.S.A).

Over the past few months I have been writing about cybersecurity, VPNs etc. I am using two levels of encryption: the outer layer uses OpenVPN and the traffic is sent to an OpenVPN server; the second layer is based on WireGuard. I use Oracle VM VirtualBox with Ubuntu Linux for accessing sensitive servers. The Ubuntu virtual machine uses the WireGuard-based VPN, while the Windows-based laptop uses OpenVPN.

The reference manual for OpenVPN can be accessed from: https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/

--fast-io: Experimental (non-Windows) optimisation that uses non-blocking writes to the TUN/TAP device; it can improve throughput.

--mlock: Locks OpenVPN's memory so that key material and tunnel data are never swapped (paged) to disk. This is a hardening measure rather than a speed one.

--script-security: Controls which external programs OpenVPN may execute: 0 none, 1 built-in executables only (ifconfig, route), 2 also user-defined scripts, 3 also pass passwords to scripts via environment variables. Use 2 for hook scripts; avoid 3 unless a script really needs the password.

--allow-compression no: Refuse compression. Compressing data before encrypting it makes packet sizes depend on the plaintext, which is what the VORACLE-style attacks on VPN compression exploit, so compression stays off.

--auth: The HMAC digest used for tls-auth / tls-crypt and for the data channel when a non-AEAD cipher is used. The OpenVPN default is SHA1; use SHA-256 or stronger. I am using 512-bit (auth SHA512). With an AEAD data cipher such as AES-256-GCM the data channel ignores --auth, but it still protects the control channel.

--auth-user-pass: Client-side option that makes the client (or GUI) prompt for a username and password; the server checks them with --auth-user-pass-verify or an auth plugin.

--single-session: After the first connection is established, refuse any new connections. A peer that disconnects cannot reconnect without restarting the daemon, so this suits a single, long-lived point-to-point link rather than a multi-client server.

--max-clients: Maximum number of concurrent clients to allow.

--verify-client-cert require: Reject clients that do not present a valid certificate. This is the default on 2.4 and later, but pin it explicitly; the old client-cert-not-required option means the opposite.

--reneg-sec: How often (in seconds) the data-channel keys are renegotiated; the default is 3600.

--tls-cert-profile: Minimum acceptable certificate strength. Use at least preferred (SHA-2 signatures, RSA 2048-bit or larger, or an elliptic curve); suite-b if every certificate is ECDSA on P-256/P-384.

--tls-cipher: Restrict the control-channel cipher suites for TLS 1.2 and older to strong ones. Suggestion: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA. Note that the last entry uses a SHA-1 MAC, so drop it unless you have to support legacy clients; TLS 1.3 suites are configured separately with --tls-ciphersuites.

--tls-version-min: Use "1.2" (or 1.3 once every client supports it).

--hand-window: How long, in seconds, a TLS handshake may take before it is abandoned (default 60).

--tcp-queue-limit: Maximum number of queued TCP output packets (TCP mode only). I use 4096; the default (64) is very low and caused connection drops.

--sndbuf: Socket send buffer size in bytes; I use 512000, because the default values caused connection drops. It can also be pushed to clients (push "sndbuf 512000").

--rcvbuf: Socket receive buffer size in bytes; 512000 for the same reason, and pushable the same way.

The other interesting, useful options:

txqueuelen 15000 (transmit queue length of the TUN interface; Linux only)
tun-mtu 9000 (jumbo-frame MTU; only works when every hop on the path carries 9000-byte packets, otherwise expect fragmentation or drops)
mssfix 0 (disables TCP MSS clamping; only safe together with a path that really carries tun-mtu-sized packets)

auth-gen-token (after a successful password authentication the server issues a temporary token, so renegotiations do not re-prompt for the password)
reneg-sec (see above)
tran-window (transition window: how many seconds the old key stays valid after a renegotiation starts; default 3600)
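The points above turned into a check. The following is an added example written for this page, not code from the original post or from the OpenVPN project: it parses two constructed server.conf fragments (a typical weak one, and the same server with the options above applied) and reports which of the discussed settings are missing or weak. The option names and values are real OpenVPN 2.x options; the sample configs, the rule wording and the defaults assumed for absent options are the example's own.

```python
"""Added example for this page (not the post's or OpenVPN's own code): lint an
OpenVPN 2.x server config against the settings discussed above.
Sample configs are constructed; defaults assumed for absent options are noted."""
import re

# Constructed: a typical "works, but weak" server.conf
WEAK_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
cipher AES-256-CBC          ; CBC data channel, no AEAD
auth SHA1                   ; OpenVPN's default digest
comp-lzo                    # compression on
script-security 3           # passwords handed to scripts via env
client-cert-not-required    # old alias of verify-client-cert none
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
keepalive 10 120
"""

# Constructed: the same server with the options from the list above applied
HARDENED_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA512
allow-compression no
script-security 2
verify-client-cert require
tls-version-min 1.2
tls-cert-profile preferred
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
reneg-sec 1800
hand-window 30
max-clients 10
mlock
keepalive 10 120
"""

STRONG_AUTH = {"SHA256", "SHA384", "SHA512"}
LEGACY_TLS = ("RC4", "3DES", "NULL", "MD5")


def parse_conf(text):
    """Map option name -> list of argument lists (options such as push repeat).
    Blank lines and '#' / ';' comments are dropped."""
    opts = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        opts.setdefault(name, []).append(args)
    return opts


def first(opts, name, default):
    """Arguments of the first occurrence of an option, or the given default."""
    return opts[name][0] if name in opts else default


def audit(text):
    """Return sorted findings; an empty list means every check passed."""
    o = parse_conf(text)
    f = []
    if "comp-lzo" in o or "compress" in o or first(o, "allow-compression", ["no"])[:1] != ["no"]:
        f.append("compression enabled or not refused (set: allow-compression no)")
    if "client-cert-not-required" in o or first(o, "verify-client-cert", ["require"])[:1] != ["require"]:
        f.append("client certificate not mandatory (set: verify-client-cert require)")
    auth = first(o, "auth", ["SHA1"])[0].upper()            # OpenVPN's default digest is SHA1
    if auth not in STRONG_AUTH:
        f.append(f"auth {auth} is weak (use SHA256 or stronger)")
    if float(first(o, "tls-version-min", ["1.0"])[0]) < 1.2:
        f.append("tls-version-min not pinned to 1.2 or higher")
    if first(o, "tls-cert-profile", ["legacy"])[0] == "legacy":
        f.append("tls-cert-profile not raised above legacy (use preferred or suite-b)")
    if int(first(o, "script-security", ["1"])[0]) >= 3:
        f.append("script-security 3 passes passwords to scripts via the environment")
    data = first(o, "data-ciphers", first(o, "cipher", ["AES-256-GCM"]))[0].upper()
    if "CBC" in data:
        f.append("CBC data-channel cipher (prefer AES-256-GCM or CHACHA20-POLY1305)")
    for suite in first(o, "tls-cipher", [""])[0].split(":"):
        if suite and (suite.endswith("-SHA") or any(m in suite for m in LEGACY_TLS)):
            f.append(f"tls-cipher {suite} relies on SHA-1 or a legacy algorithm")
    if "max-clients" not in o:
        f.append("max-clients not set (concurrent connections unbounded)")
    return sorted(f)


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "OK")
```

Run it against a real server.conf by reading the file into audit(); the parser keeps repeated options (push, route) as separate argument lists, so the same function can be extended with checks on pushed settings.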

The following scripting options are useful (they need script-security 2):

--client-connect
--client-disconnect

--auth-user-pass-verify

I don’t have any fake aliases, nor any virtual aliases like some of the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (maybe they are part of a different Arumilli family – not my family).

Mr. Kanti Kalyan Arumilli (Arumilli Kanti Kalyan), Founder & CEO

B.Tech, M.B.A

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.

Categories: Security, Tailscale, VPN

A review and discussion of the free tier of Tailscale-2

This blog post is a continuation of: https://www.alightservices.com/2023/10/30/a-review-and-discussion-of-the-free-tier-of-tailscale/

In my own startups, ALight Technology And Services Limited (U.K) and ALight Technologies USA Inc (U.S.A), I do everything end-to-end: coming up with ideas, analysing the value proposition, deciding on features, feature prioritisation, cloud architecture, technical architecture, the actual development, some sanity checks, deployment with the help of some cloud-based CI/CD tools, and blog articles on the open internet. I have been evaluating and experimenting with various methods of securely accessing cloud workloads.

I have tried a few more things after writing the above-mentioned blog post:

MagicDNS and Serve: definitely useful features for quick demos or prototypes.

SSH: SSH via Tailscale did not trigger my alerts. I have configured and developed my own monitoring and alerting system based on the NIST Cybersecurity Framework. When I SSH’ed via Tailscale, after advertising the node with --ssh, these did not get triggered. The reason could be that Tailscale SSH does not use port 22, and that’s why the port does not need to be opened. This option did not even require the .pem file or a password, because the SSH is done directly inside Tailscale rather than over the normal port 22.

I have not yet tried SSH without the --ssh option, i.e. normal SSH while connected to the VPN overlay.

I have uninstalled Tailscale and I might make further trials later or tomorrow.


Categories: Security, Tailscale, VPN

A review and discussion of the free tier of Tailscale

Tailscale is a SaaS offering that makes it easy to build VPN networks at scale on top of WireGuard. I have been using Tailscale for 2 – 3 months now and I plan to use more Tailscale features soon. This article is not a hands-on guide, but more of a discussion of the features.

Someday I might upgrade to the paid plans.

Simple and straightforward installation and setup, with thorough documentation.

Tailscale machines are registered in the network, and removed, from the admin console. Node keys expire (after 180 days by default; the period can be shortened in the console) and an expired machine must re-authenticate before it can communicate again. Where that is acceptable, key expiry can be disabled per machine.

Registered machines join an overlay network and can communicate with each other. Communication and user access can be configured via policies (ACLs). I think it’s very important to use the --shields-up argument with tailscale up on client machines where we don’t want inbound connections. Considering the anonymous mafia equipment, I think there is a small loophole where a hacker might temporarily gain control of a server in some scenarios; I have reported it and suggested an alternative way: https://github.com/tailscale/tailscale/issues/8823

tailscale up --shields-up

VPN via exit node:

Although not the primary use case, a Tailscale node can be configured as an exit node and used as a VPN with very minimal configuration. This is one of the features I have been using. I have an exit node in AWS in the London region and I use it like a VPN. The reason I like this feature is that I don’t need to open any ports to the public internet, not even for my own IP.

SSH:

Another useful feature, for semi-secure environments such as Development / QA, is Tailscale SSH. Without opening any ports, SSH can be done through the Tailscale overlay, authenticated by the Tailscale identity. I have used this feature a few times.

Webhook alerts: webhook alerts can be used for notifications on tailnet events. I have configured Slack for alerts.

Some features I haven’t tried yet but plan to:

Lock (tailnet lock): new nodes must have their keys signed by trusted signing nodes before they are allowed on the tailnet, so the coordination server alone cannot add a machine.

MagicDNS: an internal DNS for the tailnet, giving every machine a name. Should be useful for Dev / QA environments, internal applications etc.

Cert: obtains a certificate for a node’s MagicDNS name (tailscale cert), so internal applications can be accessed securely over HTTPS.

Serve: spin up a web server from the command line for quick tests / validations without worrying about web-server configuration in Dev / QA environments. For the longer term, I think configuring NGINX / Apache / IIS would be more useful.

SSH session recording: this is a paid feature but definitely useful, i.e. SSH sessions via Tailscale SSH can be recorded.

Tailscale has extensive documentation and should be straightforward for most users.


Categories: AWS, Azure, Security, VPN

WireGuard, OpenVPN, Pro Custodibus, TailScale

In my startup, ALight Technology And Services Limited, I don’t have any employees; I do everything myself. I know .NET web development. These other activities are something new for me.

Most of you know I have been looking for a secure, efficient way of accessing the servers hosted in my AWS and Azure accounts. This effort is part of productionising WebVeta and securing the servers.

I have written some blog articles about OpenVPN in the past, including how to automate changing keys at random intervals using some C# code, for higher security.

This blog post is about a few other alternatives and some tips.

WireGuard is another free VPN. Its keys are 256-bit Curve25519 keys, and that number is not comparable with an RSA key length: a 256-bit elliptic-curve key is roughly as strong as a 3072-bit RSA key, so WireGuard is not weaker because of its key size, and it delivers high throughput. What WireGuard lacks is built-in key rotation, user authentication and MFA; the static keys stay valid until you change them. One way to handle that is to rotate keys on a schedule. Pro Custodibus is a management layer for WireGuard that helps with rotating and managing keys, plus MFA.

OpenVPN is very highly configurable and supports RSA certificate keys of 2048 bits and above (as well as ECDSA certificates).

How to easily install OpenVPN and some easy C# code snippets for Process class

The above blog post covers installing OpenVPN and some C# code for regenerating the server- and client-side keys. It combines keys with password protection of the .ovpn file, i.e. two layers of security.

OpenVPN has the following interesting options for further security / monitoring and alerting (all of them need script-security 2 to run user scripts):

--ipchange cmd: run when the remote peer’s address is first authenticated or changes
--route-up cmd: run after routes are added
--route-pre-down cmd: run before routes are removed
--ping-exit n: exit if nothing has been received from the peer for n seconds
--up cmd: run after the TUN/TAP device is opened
--down cmd: run after the TUN/TAP device is closed
--down-pre: run --down before the device is closed instead of after
--up-restart: also run --up / --down on restarts, not only at initial start
--client-connect cmd: server-side, run for every client that connects
--client-disconnect cmd: server-side, run for every client that disconnects
--auth-user-pass-verify cmd method: server-side username/password check (method via-file or via-env)
--auth-gen-token [lifetime]: issue a temporary token after a successful password authentication so renegotiations do not re-prompt
--single-session: accept only the first session and refuse further connections

Using some of these options and commands, alerts can be generated by scripts or programs. I would use C#, but any programming language or even shell scripts can be used.

Using --auth-user-pass-verify, a third level of security can be added, i.e. an additional username + password check on top of the client certificate and the password-protected key.

--single-session allows one and only one session: once the first connection is established no further connections are accepted, and a peer that disconnects cannot reconnect until the daemon restarts (key renegotiation within that session still happens per reneg-sec). Probably perfect for my scenario.
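One way to wire the hooks listed above (and the client-connect / client-disconnect / auth-user-pass-verify options in the earlier OpenVPN settings post) into alerting and a third authentication factor, as an added example: this is not the post’s own C# code and not part of OpenVPN. It assumes script-security 2, the via-file method, the hook path /etc/openvpn/hooks.py, a hypothetical expected source-address range and transfer threshold, and an in-memory credential store constructed for the demo. The environment variables it reads (script_type, common_name, trusted_ip, trusted_port, ifconfig_pool_remote_ip, time_unix, bytes_received, bytes_sent, time_duration) are the ones OpenVPN exports to scripts.

```python
"""Added example (not the post's or OpenVPN's own code): one Python file that
serves as OpenVPN's client-connect / client-disconnect hook (alerting) and as
its auth-user-pass-verify hook (via-file method).

Assumed server.conf lines:
    script-security 2
    auth-user-pass-verify /etc/openvpn/hooks.py via-file
    client-connect    /etc/openvpn/hooks.py
    client-disconnect /etc/openvpn/hooks.py
"""
import hashlib
import hmac
import json
import os
import sys
import time

# Constructed credential store: username -> (salt_hex, pbkdf2_sha256_hex, iterations).
# A real deployment loads this from a root-owned file; it is in memory only for the demo.
_USERS = {}
_ITERATIONS = 100_000


def register(username, password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    _USERS[username] = (salt.hex(), digest.hex(), _ITERATIONS)


def verify_credentials(username, password):
    """Constant-time comparison; an unknown user still costs one PBKDF2 so the
    response time does not reveal whether the username exists."""
    salt_hex, want_hex, iters = _USERS.get(username, ("00" * 16, "00" * 32, _ITERATIONS))
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iters)
    return username in _USERS and hmac.compare_digest(got.hex(), want_hex)


def verify_from_lines(lines):
    """via-file layout written by OpenVPN: username on line 1, password on line 2."""
    return len(lines) >= 2 and verify_credentials(lines[0], lines[1])


def verify_from_file(path):
    with open(path, encoding="utf-8") as fh:
        return verify_from_lines(fh.read().splitlines())


def alert_record(env, event):
    """One JSON-serialisable alert built from the variables OpenVPN exports to hooks."""
    return {
        "event": event,                                    # "connect" or "disconnect"
        "time": int(env.get("time_unix", time.time())),
        "common_name": env.get("common_name"),             # CN of the client certificate
        "src": f'{env.get("trusted_ip")}:{env.get("trusted_port")}',
        "vpn_ip": env.get("ifconfig_pool_remote_ip"),
        "bytes_in": int(env.get("bytes_received", 0)),     # disconnect only
        "bytes_out": int(env.get("bytes_sent", 0)),        # disconnect only
        "duration": int(env.get("time_duration", 0)),      # disconnect only
    }


def is_suspicious(rec, expected_prefix="203.0.113."):
    """Hypothetical policy for the demo: flag connections from outside the expected
    source range and sessions that moved more than 1 GiB."""
    reasons = []
    if not rec["src"].startswith(expected_prefix):
        reasons.append("unexpected source address")
    if rec["bytes_in"] + rec["bytes_out"] > 1 << 30:
        reasons.append("large transfer")
    return reasons


def main(argv, env):
    """Dispatch on script_type, which OpenVPN sets for every hook. Returns the exit status;
    a non-zero status from auth-user-pass-verify rejects the client."""
    kind = env.get("script_type", "")
    if kind == "auth-user-pass-verify":
        return 0 if verify_from_file(argv[1]) else 1
    if kind in ("client-connect", "client-disconnect"):
        rec = alert_record(env, kind.split("-")[1])
        rec["reasons"] = is_suspicious(rec)
        print(json.dumps(rec), file=sys.stderr)   # journald / syslog collects stderr
        return 0
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv, os.environ))
```

The file must be executable and owned by root, because OpenVPN runs it with the daemon’s privileges; ship the JSON lines to whatever SIEM or alerting pipeline is in use instead of reading them from the journal by hand.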

Tailscale is a very nice VPN management product and has a very generous free tier of up to 100 devices and 3 users. With a little custom programming on top of Tailscale, security can be increased and easily managed. However, one of the biggest problems I saw was registering servers. Tailscale displays a URL in plain text; the URL needs to be entered in a browser and authenticated to register the server. If anyone knows the URL and authenticates before you, they can try to take over the server, and of course you can immediately terminate the server etc. Tailscale’s pre-authentication keys (created in the admin console and passed as tailscale up --auth-key=...) are the supported way to register unattended servers without the interactive URL step.

I think registering servers should be two-way, i.e.

  1. In the website, allow copying a random GUID (don’t show the GUID in plain text).
  2. On the server, after tailscale up, prompt for the GUID; treat the GUID like a password, allow pasting but don’t echo it.
  3. Generate another unique GUID on the server and display it.
  4. The user copies the server-side GUID and pastes it into the website.
  5. Now pair the server.

Even if someone somehow steals the first GUID and pastes it into their server, the second GUID generated by their server would be different and can’t be paired.

If someone steals the second GUID, the browser-side first GUID associated with their account would be different and it can’t be paired.
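A small model of the two-way pairing proposed above, as an added example; it is not Tailscale’s code and not the LightKeysTransfer tool. The Coordinator and Server classes and their method names are this example’s own, and the report step (the server sending the GUID it was given together with the GUID it generated to the control plane) is an assumption about how step 5 would be implemented. The two failure functions model the two stolen-GUID cases described above.

```python
"""Added example: model of the proposed two-way server pairing (not Tailscale's
code). Names and the 'report' step are this example's own assumptions."""
import secrets


class Coordinator:
    """Control-plane side: per-account first GUIDs (step 1) and the
    second -> first bindings that enrolling servers report (step 3)."""

    def __init__(self):
        self._pending = {}    # account -> first GUID (offered via a copy button, never echoed)
        self._reported = {}   # second GUID -> first GUID that was typed into that server
        self.paired = {}      # account -> second GUID of the paired server

    def issue_first_guid(self, account):
        first = secrets.token_hex(16)
        self._pending[account] = first
        return first

    def report(self, first_guid, second_guid):
        # assumption: after step 3 the server sends both GUIDs to the control plane
        self._reported[second_guid] = first_guid

    def complete(self, account, second_guid_pasted):
        """Steps 4-5: succeed only if the pasted server GUID is bound to the first
        GUID this account was issued. Both values are consumed on success."""
        first = self._pending.get(account)
        bound = self._reported.get(second_guid_pasted)
        if first is None or bound is None or not secrets.compare_digest(first, bound):
            return False
        self.paired[account] = second_guid_pasted
        del self._pending[account]
        del self._reported[second_guid_pasted]
        return True


class Server:
    """Node side: the first GUID is typed like a password (not echoed), a second
    GUID is generated, the pair is reported, and only the second GUID is shown
    for the operator to copy (steps 2-4)."""

    def __init__(self, coordinator):
        self._coord = coordinator

    def enroll(self, first_guid_typed):
        second = secrets.token_hex(16)
        self._coord.report(first_guid_typed, second)
        return second


def happy_path():
    """Legitimate pairing; returns (paired?, pairing recorded?, replay accepted?)."""
    c = Coordinator()
    a = c.issue_first_guid("alice")
    b = Server(c).enroll(a)
    ok = c.complete("alice", b)
    return ok, c.paired.get("alice") == b, c.complete("alice", b)


def stolen_first_guid():
    """Mallory learns Alice's first GUID and enrolls Mallory's own server with it."""
    c = Coordinator()
    a = c.issue_first_guid("alice")
    c.issue_first_guid("mallory")
    b_evil = Server(c).enroll(a)          # bound to Alice's token, not Mallory's
    return c.complete("mallory", b_evil)


def stolen_second_guid():
    """Mallory reads the GUID shown on Alice's server and pastes it into Mallory's account."""
    c = Coordinator()
    a = c.issue_first_guid("alice")
    c.issue_first_guid("mallory")
    b = Server(c).enroll(a)
    return c.complete("mallory", b)


if __name__ == "__main__":
    print(happy_path(), stolen_first_guid(), stolen_second_guid())
```

The check that does the work is the last one in complete(): the GUID the user pastes must have been bound, by the server that generated it, to the token issued to that same account. A stolen first GUID yields a server GUID bound to the victim’s token, which no other account can redeem; a stolen second GUID is bound to a token the attacker’s account was never issued. Because both values are consumed on success, a completed pair cannot be replayed. The account itself is still identified by the browser session, so that session remains the thing to protect.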

Meanwhile, Tailscale pairing can be done a little more securely using my open-source tool: https://github.com/ALightTechnologyAndServicesLimited/LightKeysTransfer. This feature is yet to be implemented; I will make an announcement when it is.

The feature would be very simple: instead of displaying the URL, the URL would be encrypted; use the client-mode part of the tool to decrypt it, then copy and paste it into a small browser window and approve.

This feature request has been submitted: https://github.com/tailscale/tailscale/issues/8823
