networking - Do I need to buy SSL when setting up my own OpenVPN Access Server?

2014-04-06
  • IMB

    I was able to quickly do the following:

    • Set up an OpenVPN Access Server using a low-end VPS
    • I was able to connect to it from my Windows PC using the OpenVPN Desktop Client
    • It was able to change my PC's IP address (i.e., when I go to whatismyip.com, I see my VPS's IP address instead of my PC's)

    My questions are:

    1. Is this setup good to go already for the concern of "anonymizing" my PC's internet activities?

    2. When I visit the admin page of my OpenVPN Access Server (i.e., https://vps-ip-address/admin), I get a browser warning: "The site's security certificate is not trusted!" Do I need to buy an SSL for this? And does this have an effect on anonymizing the VPN clients?

  • Answers
  • Paul

    1) It depends on the level of anonymity you are seeking. Certainly, your IP address is now that of the VPS. If all of your web traffic now comes from this IP address, your activities can be aggregated and monitored just as if they were coming from your local IP. Your browser (if not in private mode) will share lots of information, and will permit tracking via cookies and Flash LSOs unless you explicitly prevent it.

    And if you are paying for the VPS, then in various jurisdictions the VPS provider might be compelled to reveal your details if circumstances demand it.

    However, as you are encrypting your traffic between your network and the VPS, your ISP and any other party in the path cannot easily monitor your activity. The ISP of the VPS will, however, be able to monitor your activity.

    2) You are using a self-signed SSL certificate. This means that no external party has validated this certificate. From an encryption perspective, this is not important; your traffic is equally encrypted with a signed or unsigned certificate.

    The intent of signing is to provide assurance to others that the server they are accessing is indeed the one that it says it is. In your case, you are going direct to the VPS IP address, and so are less susceptible to man-in-the-middle attacks where DNS servers may be compromised.

    It is the SSL private key on your VPS that is the basis for your encryption, and if this falls into the wrong hands, they would be able to decrypt your traffic. If you are uncertain of where the current private key came from, I would recommend generating a new certificate/private key and password protecting the key. The OpenSSL docs will help you do this.
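
    Paul's two points, that a self-signed certificate encrypts just as well but nobody external vouches for it, and that a key of unknown origin should be replaced with a fresh, password-protected one, can be carried out with a few openssl commands. The script below is an added example, not part of Paul's answer or of OpenVPN's own tooling; the IP address 203.0.113.10, the output directory and the passphrase are placeholders, and it assumes openssl 1.1.1 or newer. It also prints the certificate's SHA-256 fingerprint so the browser warning can be checked against a value read over SSH, which is the alternative to buying a certificate for an admin page only you visit.

```shell
#!/bin/sh
# Added example: replace an OpenVPN AS self-signed certificate of unknown origin
# with a fresh one whose private key is passphrase-protected, then produce the
# SHA-256 fingerprint to compare by hand against the browser's warning dialog.
# Assumptions: openssl 1.1.1+ is installed; IP, directory and passphrase are
# placeholders chosen for this example.
set -eu

# gen_selfsigned OUTDIR IP PASSPHRASE
# Writes OUTDIR/server.key (AES-256 encrypted) and OUTDIR/server.crt, self-signed,
# with the VPS IP as subjectAltName so a browser can match it to the URL.
gen_selfsigned() {
  outdir="$1"; ip="$2"; pass="$3"
  mkdir -p "$outdir"
  # The private key is the real secret: encrypting it means a copied file alone
  # is not enough to decrypt traffic.
  openssl genrsa -aes256 -passout "pass:$pass" -out "$outdir/server.key" 2048 2>/dev/null
  # Self-signed: nobody external vouches for it, but the encryption is the same.
  openssl req -new -x509 -days 825 -key "$outdir/server.key" -passin "pass:$pass" \
    -subj "/CN=$ip" -addext "subjectAltName=IP:$ip" -out "$outdir/server.crt" 2>/dev/null
  chmod 600 "$outdir/server.key"
}

# cert_fingerprint CERTFILE -> prints the colon-separated SHA-256 fingerprint.
# Note it over the SSH session and compare with what the browser shows; a
# mismatch means a different certificate is being presented in the path.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# verify_pinned CERTFILE -> exit 0 only when the certificate validates against
# itself as the trust anchor, i.e. when explicitly pinned. Against the default
# trust store it fails, which is exactly the browser warning in the question.
verify_pinned() {
  if openssl verify "$1" >/dev/null 2>&1; then
    echo "unexpected: certificate trusted by the default store" >&2
    return 1
  fi
  openssl verify -CAfile "$1" "$1" >/dev/null
}

# Example usage (placeholder values):
#   gen_selfsigned /etc/openvpn-as-tls 203.0.113.10 'choose-a-strong-passphrase'
#   cert_fingerprint /etc/openvpn-as-tls/server.crt
#   verify_pinned /etc/openvpn-as-tls/server.crt
```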


  • Related Question

    networking - Tunnel Splitting with OpenVPN Access Server
  • sdc88

    I want to be able to use my VPN for all non-browsing applications that require the internet (e.g. Steam, SC2, etc.) and use my normal internet for browsing (Chrome, etc.). How can this be done? Can it be done with my current setup?

    My current setup: OpenVPN Access Server 1.8.3 on Ubuntu 11.10. The clients are all Windows 7. I have ProxyCap if that is useful at all. I have to have OpenVPN on port 443 because of a very restrictive firewall.


  • Related Answers
  • mgorven

    I don't think you can do this with a Windows client. It can be done using policy routing on a Linux OpenVPN client (which could be the router for the Windows machines).