Security
OpenVPN over TCP is BAD
I use OpenVPN in a road-warrior setup over often slow and unreliable wireless connections. That on its own makes using interactive applications pretty hard.
But if you additionally run OpenVPN in TCP mode over these links, things get worse. TCP is a reliable transport: the receiver acknowledges what it gets and the sender re-transmits whatever isn't acknowledged in time (the three-way handshake only sets the connection up; reliability comes from the ACKs and the retransmission timers). With OpenVPN over TCP your application's TCP session is encapsulated in the VPN's TCP session, so every lost packet is recovered twice: the tunnel re-transmits it, and because that recovery takes longer than the inner session expects, the inner TCP's timer fires as well and pushes a second copy through the tunnel. That doubles your ACKs and re-transmissions, and the two congestion controllers back off against each other.
I've now switched the VPN session to UDP. If the link starts to lose packets, the VPN loses them too, but the application's TCP session makes sure those packets are re-transmitted. All in all everything feels much faster, at least on a crappy 3G connection.
See this link for a more detailed explanation.
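To see where the extra packets come from, here is a small counting model, added here and not part of the post or of OpenVPN: a stop-and-wait application TCP sends ten segments, two of which lose their first transmission, once through a UDP tunnel and once through a TCP tunnel. The timer values and the loss pattern are assumptions; congestion control, which causes most of the real slowdown, is left out, so the model shows the wire load, not the latency.

```python
"""Toy accounting of one application TCP stream carried either by a UDP
tunnel or by a TCP tunnel over a link that drops packets.

Added for this page, not OpenVPN code.  Deliberately simplified: the inner
TCP is stop-and-wait, both layers use fixed retransmission timers, only
forward-direction packets are lost (and only on their first attempt), and
congestion control is ignored.  It counts what ends up on the wire."""

from dataclasses import dataclass


@dataclass
class WireStats:
    data_packets: int = 0    # forward-direction packets put on the wire
    ack_packets: int = 0     # reverse-direction packets put on the wire


def simulate(n_segments, lost_first_try, tunnel, one_way_delay=1,
             inner_rto=3, outer_rto=3):
    """tunnel is "udp" or "tcp".  Segments whose index is in lost_first_try
    lose their first transmission on the wire; later attempts get through."""
    st = WireStats()
    for seg in range(n_segments):
        lost = seg in lost_first_try
        st.data_packets += 1                    # first attempt, either way
        if tunnel == "udp":
            # A UDP tunnel hides nothing: the inner TCP sees the missing ACK,
            # waits inner_rto and resends.  One loss, one retransmission.
            if lost:
                st.data_packets += 1
            st.ack_packets += 1                 # the inner ACK
        else:
            # A TCP tunnel acknowledges every tunnel packet in both
            # directions and recovers losses with its own timer.
            if lost:
                st.data_packets += 1            # outer retransmission
                st.ack_packets += 1             # outer ACK for it
                recovery = outer_rto + 2 * one_way_delay
                if inner_rto < recovery:
                    # The inner TCP does not know the tunnel is still busy
                    # recovering; its own timer fires and it resends too.
                    # The tunnel dutifully carries the duplicate as well.
                    st.data_packets += 1        # duplicate in the tunnel
                    st.ack_packets += 1         # outer ACK for the duplicate
                    st.ack_packets += 2         # inner ACK of duplicate + outer ACK of that
            else:
                st.ack_packets += 1             # outer ACK for the data packet
            st.ack_packets += 2                 # inner ACK in the tunnel + outer ACK of it
    return st


def compare(n_segments=10, lost_first_try=(2, 5)):
    """Run both tunnel types over the same loss pattern (assumed values)."""
    return {mode: simulate(n_segments, set(lost_first_try), mode)
            for mode in ("udp", "tcp")}


if __name__ == "__main__":
    for mode, st in compare().items():
        print(f"{mode}: {st}")
```

With these numbers the UDP tunnel puts 12 data and 10 ACK packets on the wire, the TCP tunnel 14 and 36: every tunnel packet in either direction is acknowledged by the tunnel peer, and each loss costs an outer retransmission plus an inner one.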
Nginx or Apache?
I recently discovered nginx when I was thinking about replacing apache2 as the reverse proxy that adds SSL and authentication in front of my internal webserver. I finally chose nginx, and it's now running on my freshly installed OpenBSD 4.7 gateway. I chose nginx because of its straightforward configuration syntax and because it has a much smaller codebase, which means it should run faster and have fewer security flaws. The documentation is great, too. Plus, nginx seems to be the rising star on the horizon of webservers.
Many large sites are already running it as their reverse-proxies/loadbalancers according to this article.
For me nginx runs much faster than apache2: where apache2 gave about 14MBps for a single download session, nginx gives me 23MBps (it's a slow Intel Atom machine). Here's my configuration. But since the nginx docs are that good, you don't need any how-tos. Just RTFM.
user _nginx;
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    sendfile on;
    keepalive_timeout 65;
    gzip on;

    # Logging is switched off to keep the Atom's disk quiet. Note that
    # "error_log off;" does NOT do that: nginx takes "off" as a file name and
    # writes to a file called "off" in its prefix directory. Sending it to
    # /dev/null is the way to really silence it (and think twice before
    # running an authenticating gateway without any access log).
    access_log off;
    error_log /dev/null crit;

    server {
        listen 443;
        ssl on;
        server_name ext.example.org;
        ssl_certificate ext.example.org.crt;
        ssl_certificate_key ext.example.org.key;
        ssl_session_timeout 5m;
        # As written in 2010. SSLv3 has since been broken (POODLE) and
        # deprecated by RFC 7568; on a current nginx allow only TLSv1.2 and up.
        ssl_protocols SSLv3 TLSv1;

        location / {
            # Tell the internal server who the real client is; it only ever
            # sees the gateway's address otherwise.
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://int.example.org;
            # Basic auth at the edge: acceptable only because the client side
            # of this connection is TLS; the hop to int.example.org is plain http.
            auth_basic "int.example.org";
            auth_basic_user_file /etc/nginx/htpasswd;
        }
    }
}
I just love this thing. Maybe I’ll replace apache2 on my internal webserver, too.
2009’s Virtualization Techniques Compared
Hi folks, before we get started a small explanation of my setup and why I want to replace it.
My small home server runs Xen 3.3 with Ubuntu Intrepid, a Debian Xen kernel and the guests on LVM devices. Guest OSs range from Debian through Solaris to Windows. I built the server last year, but sadly I'm already running out of HDD space and want to upgrade soon. I also want to re-install the Dom0 because Intrepid doesn't run very well: USB doesn't work with all devices, there are some bugs in the start-up scripts, and I have trouble with the ttys.
A lot has changed since I last fiddled with virtualization, so I used this week's bad weather to compare the current status of all those virtualization systems.
Because there are so many different needs, there are many specialized solutions for desktop and server virtualization: open-source, free or commercial ones.
I use VirtualBox on my workstation because it's free, fast, easy to use and runs very, very well. I've used the VMware products earlier on Linux and Windows until they became too feature-rich, slow and sometimes even buggy for me. But this post is not about desktop virtualization, it's about open-source (or free) server virtualization.
VMware Server, VMware ESXi, Microsoft Hyper-V, VirtualBox, Xen and KVM are the ones I've tried. There are also Virtuozzo, OpenVZ, UML and so on, but these are more like chroots on steroids. Continue reading to see what I liked and what I didn't like about them.
How to: Windows Live Messenger and Webcam through OpenBSD and PF
Windows Live Messenger is cool! All the others just suck! At least that's what almost everyone I know tells me. I mean, it has nice features, but it uses such a complex protocol that I don't even want to think about security.
During the Christmas time I visited my family, and one evening I wanted to talk to a cousin using MSN and my Dell XPS M1530's webcam, but HELL, the crappy SoHo router I was connecting through made it impossible to get a picture of her on my screen or to send her mine. Back home we wanted to try again... I know it worked before, but it wasn't reliable. Sometimes it worked, sometimes not. Mhhh.... I set up my OpenBSD 4.2's PF "firewall" about a year ago:
# OpenBSD 4.2 rdr syntax (OpenBSD 4.7 and later write this as
# "match in on $ext_if ... rdr-to 10.1.16.11"). rdr requires the
# "-> target" part, which had been lost in formatting and is restored here.
rdr on $ext_if proto tcp from any to ($ext_if) port 5190 -> 10.1.16.11
rdr on $ext_if proto tcp from any to ($ext_if) port 1863 -> 10.1.16.11
rdr on $ext_if proto tcp from any to ($ext_if) port 6891:6901 -> 10.1.16.11
rdr on $ext_if proto udp from any to ($ext_if) port 5190 -> 10.1.16.11
rdr on $ext_if proto udp from any to ($ext_if) port 1863 -> 10.1.16.11
rdr on $ext_if proto udp from any to ($ext_if) port 6891:6901 -> 10.1.16.11
Actually I thought that was it (according to portforward.com), but it seems it isn't. I then googled around a bit, found a lot of outdated information, and then came across a few newer posts which stated that UPnP is important for the full Live Messenger "experience".
O.K., another short google: MiniUPnPd. It runs on most BSDs and even supports Linux's iptables. So I downloaded and installed it according to the INSTALL file included in the tarball. In short, just do: make, make install, add rdr-anchor "miniupnpd" and anchor "miniupnpd" to your pf.conf, reload pf.conf, set up miniupnpd.conf or start with miniupnpd -i <yourextif> -a <yourinternalip>. That's it.
To test whether it's working I found http://www.microsoft.com/windows/using/tools/igd/default.mspx (GRML! requires Windows, Internet Explorer and admin privileges) to be pretty useful. The UPnP test passed successfully. Aaaaand... et voilà, she could see me and I could see her.
BUT the price of this is decreased security. Any crappy program could now modify my firewall ruleset!!! I am not going to write about UPnP security (just because I am not very familiar with it), so if you're curious read this post. But on the other hand, if you already have malware on your computer that wants to open ports in your firewall... you have other problems.
P.S. I know that's the FreeBSD devil in the upper left, but I haven't found anything better.
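The security point above can be checked from any host on the LAN. The following script is an added example (not from the post and not part of MiniUPnPd): it finds the gateway with an SSDP M-SEARCH, reads its device description, and asks the WANIPConnection service to map TCP 6891 to the calling host and then removes the mapping again, all without any credentials. The gateway address 10.1.16.1, the rootDesc.xml path and the /ctl/IPConn control URL in the constructed samples are assumptions modelled on miniupnpd's defaults; only the __main__ part touches the network.

```python
"""Audit how little it takes to open a port on a UPnP IGD such as miniupnpd
from inside the LAN: an SSDP multicast, one GET, one SOAP POST, no
credentials.  Added for this page; not miniupnpd code.  Addresses, paths
and control URL in the constructed samples are assumptions."""

import socket
import sys
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
DEVICE_NS = "urn:schemas-upnp-org:device-1-0"

M_SEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\nMX: 2\r\n' f"ST: {IGD_ST}\r\n\r\n")

# Constructed sample of a gateway's answer to the M-SEARCH (not captured).
SAMPLE_SSDP_RESPONSE = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
                        b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                        b"LOCATION: http://10.1.16.1:5000/rootDesc.xml\r\n"
                        b"SERVER: OpenBSD/4.2 UPnP/1.0 miniupnpd/1.0\r\n\r\n")

# Constructed, trimmed device description (assumed miniupnpd-like layout).
SAMPLE_DESCRIPTION = f"""<?xml version="1.0"?>
<root xmlns="{DEVICE_NS}"><device><deviceType>{IGD_ST}</deviceType>
 <deviceList><device><deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
  <deviceList><device>
   <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
   <serviceList><service><serviceType>{WANIP}</serviceType>
    <controlURL>/ctl/IPConn</controlURL></service></serviceList>
  </device></deviceList></device></deviceList></device></root>"""


def parse_ssdp_location(response):
    """Return the LOCATION header of an SSDP reply (header names are
    case-insensitive), or None if there is none."""
    for line in response.decode("latin-1").split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def find_control_url(description_xml, base_url):
    """Walk the device tree for the WANIPConnection:1 service and return its
    absolute control URL, or None if the gateway does not offer one."""
    ns = {"d": DEVICE_NS}
    for svc in ET.fromstring(description_xml).iter(f"{{{DEVICE_NS}}}service"):
        if svc.findtext("d:serviceType", namespaces=ns) == WANIP:
            return urljoin(base_url, svc.findtext("d:controlURL", namespaces=ns))
    return None


def soap_envelope(action, args):
    """SOAP body for one WANIPConnection action; args keeps the argument
    order the service expects.  Nothing in here authenticates the caller."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return ('<?xml version="1.0"?><s:Envelope '
            'xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:{action} xmlns:u="{WANIP}">{body}</u:{action}>'
            "</s:Body></s:Envelope>")


def soap_headers(action):
    return {"Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": f'"{WANIP}#{action}"'}


def mapping_args(ext_port, proto, internal_client):
    """AddPortMapping arguments; the first three also serve DeletePortMapping."""
    return {"NewRemoteHost": "", "NewExternalPort": str(ext_port), "NewProtocol": proto,
            "NewInternalPort": str(ext_port), "NewInternalClient": internal_client,
            "NewEnabled": "1", "NewPortMappingDescription": "upnp-audit",
            "NewLeaseDuration": "0"}


def discover(timeout=2.0):
    """One M-SEARCH on the LAN; returns the first IGD's description URL."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(M_SEARCH.encode(), SSDP_ADDR)
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_ssdp_location(data)


if __name__ == "__main__":
    # usage: python upnp_audit.py <this host's LAN ip>
    # Maps TCP 6891 to this host on the gateway, then removes it again.
    location = discover() or sys.exit("no UPnP gateway answered")
    with urlopen(location) as resp:
        control = find_control_url(resp.read().decode(), location)
    args = mapping_args(6891, "TCP", sys.argv[1])
    for action, a in (("AddPortMapping", args),
                      ("DeletePortMapping", dict(list(args.items())[:3]))):
        req = Request(control, data=soap_envelope(action, a).encode(),
                      headers=soap_headers(action), method="POST")
        try:
            with urlopen(req) as resp:
                print(action, "returned HTTP", resp.status)
        except HTTPError as err:        # SOAP faults come back as HTTP 500
            print(action, "failed:", err.code, err.read().decode(errors="replace"))
```

If AddPortMapping comes back with HTTP 200, the ruleset is writable by anything that can send multicast on the LAN, which is exactly the trade-off the post describes. miniupnpd can at least be fenced in with allow/deny rules in miniupnpd.conf that limit which internal addresses and port ranges may be mapped.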
Hi, my name is Chris. I am a wannabe photog, traveler & geek that lives in Hesse, Germany. 