Shearing FireSheep with the Cloud December 3, 2010

If your laptop ever connects to a network behind enemy lines (e.g. hhonors, attwifi, panera), this post is for you. The step-by-step directions below allow you to stand up a portable, cloud-based private VPN that you can use from anywhere, for free under Amazon’s EC2 Free Tier (or around $0.50 a month if you use a larger disk; see the note below). Once you get everything set up, you can feel good connecting to a hotspot and laugh at the guy running Firesheep.

Speaking of Firesheep, I’ve actually had some people close to me (including my wife) ask how they can prevent these types of attacks from happening. There are some nice “off-the-shelf” solutions like HTTPS Everywhere and BlackSheep, but both are partial: HTTPS Everywhere only helps on sites that offer HTTPS at all, and BlackSheep only detects someone running Firesheep rather than protecting your traffic. As a security professional I wanted to give a recommendation that would provide broader coverage: encrypt everything that leaves the laptop, regardless of site or protocol.

Enter Amazon’s recently introduced Free Tier for EC2. I’ll save my thoughts and comments on “The Cloud” and security for a later date (and after a couple of beers), but for the purposes of this solution, it works great to help you increase your security while using open wireless networks. Quite simply, the solution I came up with was to create an EC2 instance with Ubuntu 10.04 LTS Server and set up OpenVPN and SideStep. This lets me route all of my traffic over a TLS (SSL) VPN with OpenVPN, or my browser traffic over an SSH tunnel with SideStep, to my EC2 instance and then out to the Internet. The hotspot, and the guy running Firesheep on it, sees only encrypted traffic to a single IP address; the clear-text sessions only appear on the far side of the tunnel.

To graphically represent what this solution offers, below is a picture of your laptop while surfing on an Open Wi-Fi network such as those at Starbucks.

Your Laptop @ Starbucks

The second image is the guy running Firesheep at Starbucks.

The Guy @ Starbucks Running FireSheep

The last image depicts your laptop running OpenVPN or SideStep at Starbucks.

Your Laptop Armed with OpenVPN or SideStep @ Starbucks

Enough with the ‘Behind Enemy Lines’ comparisons…I swear. I installed other services on my EC2 instance, like Privoxy and iodine (see my post on tunneling traffic via iodine), but for the purpose of this post, I will limit the scope to creating an EC2 instance, installing and configuring OpenVPN, and installing and configuring SideStep.

A couple of notes before we get started. When this post was first written it used a 15GB Ubuntu AMI, and since the Free Tier only includes 10GB of EBS storage, that setup cost roughly $0.50 per month. Thanks to Martin’s post in the comments below, I have updated this post to use an 8GB AMI, which fits within the 10GB allotted in the Free Tier for EBS storage. Bandwidth is the other variable: everything you do through the VPN goes out of the instance to the Internet, so heavy streaming or large downloads will add to your bill.

So let’s get started…

1. If you haven’t already, head over to Amazon EC2 and create an Amazon EC2 account.

2. Once you have created an account, visit the AWS Management Console and click on the ‘Key Pairs’ link on the left side of the screen. Here you will create a Key Pair that will allow you to log in to your EC2 instances. Click on the ‘Create Key Pair’ button and name the Key Pair something unique. I chose ‘JustinsAllEC2Key’. The .pem file your browser downloads is the private half of the key pair and is the only credential for the instance, so treat it like a password: keep it out of shared folders and back it up somewhere safe. Save the file in your ~/Downloads folder and move it to your ~/.ssh/ folder by issuing the following commands (the chmod 400 is required; ssh refuses to use a private key that other users can read):

Your Mac
jmorehouse@Old-Trafford:~$ cd Downloads
jmorehouse@Old-Trafford:Downloads$ mv JustinsAllEC2Key.pem ~/.ssh/
jmorehouse@Old-Trafford:Downloads$ chmod 400 ~/.ssh/JustinsAllEC2Key.pem

3. Now that you have a key pair, it is time to create and launch an instance. Click on the ‘AMIs’ link on the left side. Then select All Images from the ‘Viewing’ drop-down (it takes a minute to load all of the available images), and search for ‘ami-3e02f257’. This is the Ubuntu 10.04 LTS Server 32-bit EBS image from Alestic with an 8GB root volume (the original version of this post used ami-4a0df923, the 64-bit image with a 15GB root volume; the ssh banner shown later in this post, with x86_64 and a 14.76GB filesystem, is from that original image). AMI IDs are specific to a region, and these are in US East, so make sure that region is selected in the console or the search will return nothing. EBS allows for persistent storage, so your settings will remain even when you power-cycle your instance.

4. Select the AMI and then click the ‘Launch’ button at the top. You will be prompted with a number of options, and I recommend using the following:
  • Number of Instances: 1
  • Availability Zone: No Preference
  • Instance Type: Micro
  • Launch Instances
  • Click ‘Continue’

  • Kernel ID: Default
  • RAM Disk ID: Default
  • No Monitoring
  • No User Data
  • Click ‘Continue’

  • Key = ‘Name’
  • Value = ‘Free Tier EC2 Ubuntu 10.04 Instance’
  • Click ‘Continue’

  • Choose from your existing Key Pairs – ‘JustinsAllEC2Key’ -> This is the key you previously created in Step 2 and moved to your ~/.ssh/ folder.
  • Create a new Security Group – ‘InternetAccessible’ -> This is akin to a firewall ruleset. I created a new one called ‘InternetAccessible’, but you can just as simply use and edit the ‘Default’ group.
  • Describe your security group – ‘Services allowed from the Internet’
  • Select ‘SSH’ from the drop-down ‘Applications’ menu -> I left ‘All Internet’ as we want to access this instance from wherever we are on the Internet. (If you only ever connect from a few known networks, narrow the source to those addresses instead. Leaving it open to the world is acceptable only because the AMI allows key-based SSH logins and nothing else; keep it that way.)
  • Click ‘Add Rule’
  • Select ‘HTTPS’ from the drop-down ‘Applications’ menu -> This will give us access to our OpenVPN server. I also left this open to ‘All Internet’ for the same reason we configured SSH this way.
  • Click ‘Add Rule’
  • Click ‘Continue’

5. You will then be presented with a confirmation page where you should review your settings and make any necessary changes. If everything looks good, go ahead and launch your instance.

6. Your instance is now launching. Click on the ‘View your instances on the Instances page’ link to access information about your instance.

7. Now we will assign a static IP address to your instance, as Amazon makes this feature available for free (what IPv4 shortage?). Click on the ‘Elastic IPs’ link on the left side. Then click on the ‘Allocate New Address’ button in the center of the page. Click the ‘Yes, Allocate’ button, and then click the checkbox in front of the newly added IP address. We want to associate this IP with your newly created instance. You can do this by now clicking on the ‘Associate’ button at the top. Select the ‘Instance ID’ for the instance you just created (there should be only one Instance ID in the drop-down) and click ‘Associate’. Copy the IP address somewhere handy as we will need it in a couple of minutes. (An Elastic IP is free only while it is attached to a running instance; Amazon bills a small hourly charge for one that is allocated but not associated, so release it if you ever terminate the instance.)

8. Once you have done this, it’s time to log in to your EC2 instance! You can perform this from Terminal using the following:

Your Mac
jmorehouse@Old-Trafford:Downloads$ cd ~
jmorehouse@Old-Trafford:~$ ssh -i ~/.ssh/<filename>.pem ubuntu@IPAddress

9. You will be asked to accept the host’s RSA key fingerprint. Don’t just type ‘yes’ if you are doing this from a network you don’t trust: compare the fingerprint with the one in the instance’s system log in the AWS Management Console (the Ubuntu image prints its SSH host key fingerprints there on first boot). Once they match, type ‘yes’ and you should see something akin to the following:

Linux ec2 2.6.32-309-ec2 #18-Ubuntu SMP Mon Oct 18 21:00:50 UTC 2010 x86_64 GNU/Linux
Ubuntu 10.04.1 LTS

Welcome to Ubuntu!
* Documentation: https://help.ubuntu.com/

System information as of Fri Dec 3 00:40:20 UTC 2010

System load: 0.0 Processes: 60
Usage of /: 6.2% of 14.76GB Users logged in: 1
Memory usage: 6% IP address for eth0: 10.XX.XX.XX
Swap usage: 0% IP address for tun0: 10.X.XX.X

Graph this data and manage this system at https://landscape.canonical.com/
———————————————————————
At the moment, only the core of the system is installed. To tune the
system to your needs, you can choose to install one or more
predefined collections of software by running the following
command:

sudo tasksel --section server
———————————————————————

14 packages can be updated.
4 updates are security updates.

Last login: Thu Dec 2 23:22:38 2010 from pool-XX-XX-XX-X.domain.net

10. At this point you want to perform some hardening and maintenance on the box.

Update passwords
EC2 Instance
ubuntu@ec2:~$ sudo su -
root@ec2:~# passwd ubuntu (Enter a new password for the ‘ubuntu’ account. This is the default account on your EC2 instance. I recommend storing these passwords in KeePassX.)
root@ec2:~# passwd (Enter a new password for the ‘root’ account. This account should need no explanation.)

Setting a password on ‘ubuntu’ is only safe because the AMI does not accept password logins over SSH. Before you move on, confirm that /etc/ssh/sshd_config says PasswordAuthentication no (and set PermitRootLogin no while you are there, since you just gave root a password too). If password authentication is on, the account you just gave a password to becomes a target for every SSH brute-forcer on the Internet, because the security group allows port 22 from anywhere.

Update packages
EC2 Instance
root@ec2:~# exit
ubuntu@ec2:~$ sudo apt-get update (This updates the list of known packages.)
ubuntu@ec2:~$ sudo apt-get upgrade -y (This upgrades the installed packages to their latest version.)

If you are prompted for a grub-pc config update, just hit enter. Also select ‘Yes’ at the next Grub message window.

Time Zone
EC2 Instance
ubuntu@ec2:~$ sudo dpkg-reconfigure tzdata

Follow the instructions to set up the proper timezone information for your EC2 instance.

ubuntu@ec2:~$ sudo reboot now (This will reboot the system. Wait about 2 minutes before you try to reconnect to the EC2 instance via Terminal using the above ssh command.)

11. At this point I set up a host record for my EC2 instance so that I could use DNS to access it. I also configured the hostname on the system to match the DNS record. This is an optional step, and if you aren’t sure what I am talking about or aren’t sure how to do it, don’t worry about it.
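One way to make the sshd check from Step 10 repeatable, as an added example that is not part of the original post: a small POSIX shell script that reads sshd_config the way sshd does (the first uncommented occurrence of a directive wins; later duplicates are ignored) and reports every setting this setup cannot afford to have wrong. It assumes OpenSSH 5.x defaults for directives that are absent and does not evaluate Match blocks; both are assumptions about the 10.04 image. Run it on the instance with the path to /etc/ssh/sshd_config, and again after any upgrade that touches that file.

```sh
#!/bin/sh
# Added example, not from the original post: audit /etc/ssh/sshd_config for the
# settings an Internet-facing EC2 instance must have.
# Usage:  sh sshd_audit.sh /etc/ssh/sshd_config   (exit status 1 if anything is weak)

# Effective value of one directive. sshd uses the FIRST uncommented occurrence of
# a keyword, so take the first match; if the directive is absent, return the
# supplied default. Assumption: defaults as in OpenSSH 5.x; Match blocks ignored.
sshd_effective() {   # $1 = config file, $2 = directive, $3 = default if unset
    val=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print tolower($2)}')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Print one line per weak setting; return 1 if any were found, 0 if clean.
audit_sshd_config() {   # $1 = config file
    rc=0
    pa=$(sshd_effective "$1" PasswordAuthentication yes)
    prl=$(sshd_effective "$1" PermitRootLogin yes)
    pea=$(sshd_effective "$1" PermitEmptyPasswords no)
    proto=$(sshd_effective "$1" Protocol 2)
    # Key-only logins: with a password now set on 'ubuntu', this is what keeps
    # the instance from being brute-forced over the open SSH port.
    [ "$pa" = "no" ] || { echo "WEAK: PasswordAuthentication $pa (want no)"; rc=1; }
    case "$prl" in
        no|without-password|forced-commands-only) ;;
        *) echo "WEAK: PermitRootLogin $prl (want no)"; rc=1 ;;
    esac
    [ "$pea" = "no" ] || { echo "WEAK: PermitEmptyPasswords $pea (want no)"; rc=1; }
    case "$proto" in
        *1*) echo "WEAK: Protocol $proto allows SSH protocol 1"; rc=1 ;;
    esac
    return $rc
}

if [ "$#" -ge 1 ]; then
    audit_sshd_config "$1"
fi
```

A commented-out line such as ‘#PasswordAuthentication no’ does not count, which is the usual way this check is fooled by eye: the script only honours uncommented directives, so it reports the OpenSSH default (password logins allowed) in that case.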

12. Now that we have our EC2 instance configured and ready to go, it is time to install and configure OpenVPN. To install OpenVPN on your EC2 instance, simply type the following from within your SSH session:

EC2 Instance
ubuntu@ec2:~$ sudo apt-get -y install openvpn libssl-dev openssl

13. Now we need to create the certificates to use with OpenVPN. First let’s copy the easy-rsa tool to the OpenVPN folder.

EC2 Instance
ubuntu@ec2:~$ cd /etc/openvpn/
ubuntu@ec2:/etc/openvpn$ sudo mkdir easy-rsa
ubuntu@ec2:/etc/openvpn$ sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
ubuntu@ec2:/etc/openvpn$ sudo chown -R $USER /etc/openvpn/easy-rsa/
ubuntu@ec2:/etc/openvpn$ cd /etc/openvpn/easy-rsa/

14. We now need to edit the ‘vars’ file to provide some information for our SSL certificates. You will need to know how to use the ‘vi’ text editor. If you don’t know how to use it, I recommend this tutorial.

EC2 Instance
ubuntu@ec2:/etc/openvpn/easy-rsa$ sudo vi vars

Change export KEY_SIZE=1024 to export KEY_SIZE=2048. This sets the RSA key length for the CA, server and client keys and the size of the Diffie-Hellman parameters; 1024-bit keys are too short for something you intend to keep using.
Change export KEY_COUNTRY="US" to your country.
Change export KEY_PROVINCE="CA" to your state, e.g. KEY_PROVINCE="FL".
Change export KEY_CITY="SanFrancisco" to your city, e.g. KEY_CITY="Tampa".
Change export KEY_ORG="Fort-Funston" to your organization or something else. I used my family (KEY_ORG="Morehouse-Family").
Change export KEY_EMAIL="me@myhost.mydomain" to your email address.

Save the file by hitting the ‘ESC’ key and then typing ‘:wq’ and pressing enter.

ubuntu@ec2:/etc/openvpn/easy-rsa$ source vars
ubuntu@ec2:/etc/openvpn/easy-rsa$ ./clean-all
ubuntu@ec2:/etc/openvpn/easy-rsa$ source vars
ubuntu@ec2:/etc/openvpn/easy-rsa$ ./build-ca

You should be prompted for the following. You can hit ‘enter’ to keep the default value you already set up by editing the ‘vars’ file.

Country Name (2 letter code) [US]:
State or Province Name (full name) [FL]:
Locality Name (eg, city) [Tampa]:
Organization Name (eg, company) [Morehouse-Family]:
Organizational Unit Name (eg, section) []:Personal
Common Name (eg, your name or your server’s hostname) [justin.domain.org]: -> Enter your hostname here if you created a DNS record. Otherwise enter your EC2′s Elastic IP address from Step 7.
Name []:Justin Morehouse
Email Address [justin@mydomain.com]:

Now execute the following commands:

ubuntu@ec2:/etc/openvpn/easy-rsa$ ./build-dh (This takes some time: a couple of minutes at 1024 bits, and noticeably longer for the 2048-bit parameters we chose on a Micro instance. Let it finish.)
ubuntu@ec2:/etc/openvpn/easy-rsa$ source vars
ubuntu@ec2:/etc/openvpn/easy-rsa$ ./pkitool --server server
ubuntu@ec2:/etc/openvpn/easy-rsa$ cd keys
ubuntu@ec2:/etc/openvpn/easy-rsa/keys$ openvpn --genkey --secret ta.key
ubuntu@ec2:/etc/openvpn/easy-rsa/keys$ sudo cp server.crt server.key ca.crt dh2048.pem ta.key /etc/openvpn/

15. We have now created the CA and server certificates. Next we need to create keys for our users. For the purpose of this blog, we will create one key for one user. You can repeat this step for each additional user you wish to allow to access your OpenVPN server. Be aware of where everything lives: ca.key, the CA’s private key, stays in /etc/openvpn/easy-rsa/keys on the VPN server itself, which is convenient but means anyone who compromises the instance can issue themselves a client certificate. For a personal VPN that is an acceptable trade-off; just never copy ca.key anywhere else, and if a laptop is lost, revoke its certificate (easy-rsa includes a revoke-full script for this, and OpenVPN’s crl-verify option makes the server honor the resulting CRL) rather than simply deleting the files.

EC2 Instance
ubuntu@ec2:/etc/openvpn/easy-rsa/keys$ cd ..
ubuntu@ec2:/etc/openvpn/easy-rsa$ source vars
ubuntu@ec2:/etc/openvpn/easy-rsa$ ./pkitool <yourname> (I typed ‘./pkitool justin’)
ubuntu@ec2:/etc/openvpn/easy-rsa$ cd ..

16. Now we need to create an archive to download all of the necessary files from the server to the system you want to configure to use OpenVPN (your laptop). I recommend using Cyberduck (over SFTP) to fetch the archive we create, or scp with the same key from Terminal. Remember to use your EC2 key to log in: the key we created in Step 2 and stored in your ~/.ssh/ folder (JustinsAllEC2Key.pem). The keys.tgz file will be located in the /etc/openvpn/ directory. Download keys.tgz to your Downloads directory, and then delete it from the server: it contains your client’s private key, and as created by root it is readable by every account on the instance. Only ca.crt, ta.key and your own .crt and .key go to the laptop; ca.key and server.key never leave the server.

EC2 Instance
ubuntu@ec2:/etc/openvpn$ sudo tar czf keys.tgz ca.crt ta.key easy-rsa/keys/<yourname>.crt easy-rsa/keys/<yourname>.key

17. Now it’s time to configure your OpenVPN server. You can most likely use the pre-configured template I posted online. It uses the IP address scheme of 10.8.80.0/24 for VPN clients, so unless you are using that network somewhere else, you don’t need to change a thing in the configuration. If you do need to edit the network, you can download the server.conf file here or issue the command below and use vi to edit it as you would like. Use the command below to download the server.conf file to the /etc/openvpn folder on your EC2 instance. The download is over plain HTTP and the file is read by a daemon that starts as root, so read through it before you start OpenVPN and make sure it says what you expect: port 443 over TCP (that is what the security group opened), tls-auth ta.key 0 on the server side, and the 10.8.80.0/24 subnet.

EC2 Instance
ubuntu@ec2:/etc/openvpn$ sudo wget http://www.stratumsecurity.com/sites/default/files/server.conf

18. Now we have to set up IP forwarding and NAT on your EC2 instance, so that traffic from VPN clients (10.8.80.0/24) is forwarded out of eth0 with the instance’s own address as its source. These commands need root, so we start with sudo su -.

EC2 Instance
ubuntu@ec2:~$ sudo su -
root@ec2:~# modprobe iptable_nat
root@ec2:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@ec2:~# iptables -t nat -A POSTROUTING -s 10.8.80.0/24 -o eth0 -j MASQUERADE
root@ec2:~# iptables-save > /etc/iptables.conf
root@ec2:~# echo '#!/bin/sh' > /etc/network/if-up.d/iptables
root@ec2:~# echo "iptables-restore < /etc/iptables.conf" >> /etc/network/if-up.d/iptables
root@ec2:~# chmod +x /etc/network/if-up.d/iptables
root@ec2:~# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
root@ec2:~# reboot now

Note that /etc/iptables.conf is written in iptables-save’s own format, so the rule line in it reads ‘-A POSTROUTING -s 10.8.80.0/24 -o eth0 -j MASQUERADE’ with no ‘iptables -t nat’ in front. That is exactly what iptables-restore expects; putting the full command in the file breaks the restore and the instance silently stops forwarding after the next reboot.
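The commands above do work, but they leave two things a practitioner would want closed. First, the persisted ruleset is never checked before being loaded, and a malformed /etc/iptables.conf (for example a shell command pasted into it) fails in iptables-restore and leaves the gateway dead after a reboot. Second, the kernel now forwards for everyone: only the VPN subnet gets NAT, but nothing stops other forwarded traffic, so the filter table should drop anything that is not a VPN client going out or a reply coming back. The following POSIX shell script, an added example rather than the post’s own commands, generates a complete ruleset that does both, validates it, and refuses to install one that would not load. It assumes the post’s 10.8.80.0/24 subnet, tun0 as OpenVPN’s interface, and eth0 as the instance’s only network interface.

```sh
#!/bin/sh
# Added example, not from the original post: build, validate and persist the NAT +
# forwarding rules for the VPN gateway. Assumes OpenVPN on tun0, clients in
# 10.8.80.0/24 and eth0 as the outside interface.
# Usage on the instance:  sudo sh vpn_nat.sh --apply

# Emit the ruleset in the format iptables-save writes and iptables-restore reads.
render_vpn_rules() {   # $1 = VPN client subnet, $2 = outside interface
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $1 -o $2 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# forwarding is limited to VPN clients going out and the replies coming back
-A FORWARD -i tun0 -o $2 -s $1 -j ACCEPT
-A FORWARD -i $2 -o tun0 -d $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Reject anything that is not a well-formed save file: each table opens with
# "*name", contains only ":chain" and "-A" lines (plus comments), and closes with
# COMMIT. A shell command such as "iptables -t nat -A ..." in the file fails here.
valid_restore_file() {   # $1 = file; returns 0 if valid
    awk '
        /^#/ || /^[[:space:]]*$/ { next }
        /^\*/                    { if (open) bad = 1; open = 1; next }
        /^COMMIT$/               { if (!open) bad = 1; open = 0; next }
        /^:/ || /^-A /           { if (!open) bad = 1; next }
                                 { bad = 1 }
        END { if (bad || open) exit 1; exit 0 }
    ' "$1"
}

# Install on the gateway: write the file, load it, and reload it whenever eth0
# comes up (including after a reboot). iptables-restore replaces each table
# instead of appending, so running this twice does not duplicate rules.
apply_on_gateway() {
    render_vpn_rules 10.8.80.0/24 eth0 > /etc/iptables.conf
    valid_restore_file /etc/iptables.conf || { echo "refusing to load malformed ruleset" >&2; return 1; }
    iptables-restore < /etc/iptables.conf
    printf '#!/bin/sh\niptables-restore < /etc/iptables.conf\n' > /etc/network/if-up.d/iptables
    chmod +x /etc/network/if-up.d/iptables
    sysctl -w net.ipv4.ip_forward=1 > /dev/null
    grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
}

if [ "$1" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    apply_on_gateway
fi
```

The INPUT chain is left at ACCEPT on purpose: the EC2 security group is already the inbound filter for the instance, and duplicating it here only gives you two places to get out of sync. The FORWARD policy is what changes: with it at DROP, a second VPN client cannot reach a first one through the gateway, and nothing that is not a VPN client is ever forwarded.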

19. Back on your Mac, download and install Tunnelblick. It is a free, open source Graphical User Interface (GUI) for OpenVPN on Mac OS X. You can download the latest stable version from here.

20. Once you have installed Tunnelblick, go to your ‘Downloads’ folder and extract your keys.tgz file. Copy the ca.crt, ta.key, <yourname>.crt, and <yourname>.key files from the extracted archive to the Tunnelblick directory located at ‘~/Library/Application Support/Tunnelblick/Configurations/’. (<yourname>.crt and <yourname>.key will be in the ‘easy-rsa/keys’ folder. Make sure all four extracted files are in the ‘~/Library/Application Support/Tunnelblick/Configurations/’ folder. <yourname>.key and ta.key are secrets; keep them readable only by your own account, the same way you did with the .pem file in Step 2.)

21. You will now need to edit the client template that I have posted here. Download the file to ‘~/Library/Application Support/Tunnelblick/Configurations/’ and edit the following two items:
  • Line 42: Change ‘<IP or hostname>’ to your EC2 instance’s IP address, from Step 7, or the DNS name you gave it.
  • Lines 89 & 90: Change cert <yourname>.crt & key <yourname>.key to the names of the .crt and .key files you extracted from the keys.tgz file. This is the client certificate you created for yourself in Step 15.
Leave the tls-auth line alone: the client must use key direction 1 while the server uses 0, and if both ends use the same direction the tunnel never gets past the handshake and Tunnelblick’s log just shows it retrying.
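Steps 17 and 21 hand you a server.conf and a client template as downloads, so the values that have to agree between the two ends never appear on this page. As an added example (not the post’s own templates), the following POSIX shell script renders a server and a client configuration that match each other and this tutorial’s choices, and checks the one mismatch that produces no useful error message: the tls-auth key direction. Assumed values, none of them taken from the post’s files: TCP on port 443 (the port the security group opened; UDP on 1194 is faster because it avoids TCP-over-TCP, but 443/tcp gets through more hotspot firewalls), the 10.8.80.0/24 client subnet, 8.8.8.8 as the DNS server pushed to clients, and the file names easy-rsa produced.

```sh
#!/bin/sh
# Added example, not the post's own server.conf or client template: render a
# matching OpenVPN server and client config for this setup and check that the
# tls-auth directions are paired. Assumptions: TCP/443, clients in 10.8.80.0/24,
# cert/key names as easy-rsa created them, DNS pushed as 8.8.8.8.
# Usage:  sh render_ovpn.sh <elastic-ip-or-hostname> <clientname>

render_server_conf() {   # $1 = VPN subnet network address (e.g. 10.8.80.0)
    cat <<EOF
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
server $1 255.255.255.0
ifconfig-pool-persist ipp.txt
# send all client traffic through the tunnel; the pushed DNS keeps lookups in it too
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
}

render_client_conf() {   # $1 = server address, $2 = client name (basename of .crt/.key)
    cat <<EOF
client
dev tun
proto tcp
remote $1 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert $2.crt
key $2.key
tls-auth ta.key 1
# refuse a peer whose certificate lacks the server extension pkitool --server added,
# so a stolen client cert cannot be used to impersonate the server
ns-cert-type server
comp-lzo
verb 3
EOF
}

# The direction argument of "tls-auth <file> <dir>" in a config file, or nothing.
tls_auth_direction() {   # $1 = config file
    awk '$1 == "tls-auth" { print $3 }' "$1"
}

# 0 on the server and 1 on the client. If both ends use the same direction the
# HMAC on the control channel never verifies and the client just keeps retrying.
tls_auth_paired() {   # $1 = server config, $2 = client config
    [ "$(tls_auth_direction "$1")" = "0" ] && [ "$(tls_auth_direction "$2")" = "1" ]
}

if [ "$#" -eq 2 ]; then
    render_server_conf 10.8.80.0 > server.conf
    render_client_conf "$1" "$2" > ec2.conf
    if tls_auth_paired server.conf ec2.conf; then
        echo "wrote server.conf (for /etc/openvpn) and ec2.conf (for Tunnelblick)"
    fi
fi
```

server.conf goes in /etc/openvpn on the instance (the Ubuntu init script starts one OpenVPN process per .conf file in that directory), and ec2.conf goes in Tunnelblick’s Configurations folder next to the four key files. Tunnelblick applies the pushed DNS server only when its ‘Set nameserver’ option is on; without it the redirect-gateway still carries your packets, but your DNS lookups keep going to the hotspot’s resolver.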
22. Once this is done, open up a web browser and go to IP Chicken. Observe your current source IP address. Then open Tunnelblick and from the menu bar at the top, select Connect ‘ec2’. Reload your browser and notice that you now have the source IP address of your EC2 instance! Check DNS too: redirect-gateway sends everything through the tunnel except traffic to the hotspot’s own subnet, and the hotspot’s DNS resolver usually lives there, so unless the server pushes a DNS server and Tunnelblick is set to apply it (the ‘Set nameserver’ option), every hostname you look up still goes out in the clear. Congratulations on getting OpenVPN on an EC2 instance set up. Now let’s set up SideStep.

23. While Tunnelblick allows you to create an on-demand TLS tunnel that carries all of your network traffic through your EC2 instance (on both wired and wireless networks), SideStep takes the guesswork out of when to use a proxy: it notices when you are on an open wireless network and brings up an SSH tunnel for you automatically (it currently only works on wireless networks, but Chetan is going to add the capability to use it on a wired network as well). First download and install SideStep.

24. SideStep uses passwords or keys to create an on-demand SSH tunnel that proxies your traffic. As our EC2 instance doesn’t allow for password logins via SSH, we need to create a new keypair to use with SideStep. Using Terminal on your Mac, issue the following commands:

Your Mac
jmorehouse@Old-Trafford:~$ cd ~
jmorehouse@Old-Trafford:~$ ssh-keygen -t rsa -f ~/.ssh/id_ec2

Enter a passphrase twice, and store it some place safe (KeePassX) because you will need it later.

jmorehouse@Old-Trafford:~$ scp -i .ssh/JustinsAllEC2Key.pem .ssh/id_ec2.pub ubuntu@IP:~/.ssh/ (Key created in Step 2 and IP address from Step 7.)

25. Still within Terminal, log back into your EC2 instance and append the public key to your authorized_keys file.

Your Mac
jmorehouse@Old-Trafford:~$ cd ~
jmorehouse@Old-Trafford:~$ ssh -i ~/.ssh/<filename>.pem ubuntu@IPAddress (Key created in Step 2 and IP address from Step 7.)

EC2 Instance
ubuntu@ec2:~$ cd .ssh/
ubuntu@ec2:~/.ssh$ cat id_ec2.pub >> authorized_keys
ubuntu@ec2:~/.ssh$ chmod 600 authorized_keys
ubuntu@ec2:~/.ssh$ exit

authorized_keys should be mode 600: sshd ignores the file (and with it your new key) if anyone other than the owner can write to it, and there is no reason for it to be group-readable.

26. Now we need OSX to prompt us for the passphrase for the id_ec2 key, so from Terminal, enter the following:

Your Mac
jmorehouse@Old-Trafford:~$ cd ~
jmorehouse@Old-Trafford:~$ ssh -i .ssh/id_ec2 ubuntu@IP

You should be prompted for the key’s passphrase. Check the box to save it to your Keychain and hit OK. You should now have an SSH session to your EC2 box using your new key (a ‘Permission denied (publickey)’ error means the key was not appended correctly; go back to Step 25). You can go ahead and exit from your SSH session, close out all of your Terminal sessions, and quit the Terminal application.

27. Now fire up SideStep and click the ‘Next’ button. Under ‘I already have one’ enter ‘ubuntu’ as the Username, your IP address from Step 7 as the hostname, and press ‘Test Connection to Server.’ You should receive a ‘Connection to server succeeded!’ message. Now click the ‘Next’ button. Read the notes and check the box that reads ‘Run SideStep on login.’ Click ‘Finish.’

28. SideStep is now on the menu bar next to Tunnelblick. I added Tunnelblick to my login items so that it is launched when I boot. Understand the differences between these two tools and when to use each. Tunnelblick gives you a real VPN: every packet the laptop sends, from any application, TCP or UDP, goes through the tunnel. SideStep gives you an SSH SOCKS proxy: only applications configured to use it (mostly your browser) are protected, and anything that ignores the proxy, including DNS lookups and most non-browser programs, still goes out over the open network. They are an either/or, not something to run together; use SideStep for someone who just wants it to happen, and Tunnelblick when you want everything covered.

Congratulations! If you made it this far, pat yourself on the back. This was a long tutorial, but it should work if you followed each step. If you have any problems, hit me up on Twitter (@Mascasa).

Enjoy surfing open wireless networks or hostile wired networks securely!

129 Comments
trueluk December 3rd, 2010

For anyone having trouble with step 16, it looks like the browser is interpreting ‘yourname’ as a tag and preventing us from seeing it.

It should read:

ubuntu@ec2:/etc/openvpn$ sudo tar czf keys.tgz ca.crt ta.key easy-rsa/keys/justin.crt easy-rsa/keys/justin.key

Where ‘justin’ is replaced with the name you chose in step 15.

Justin December 3rd, 2010

trueluk,
Good catch…must have missed that in my late night review. I updated the post to show the in italics.

Thanks!

trueluk December 3rd, 2010

Cool. I wasn’t sure how fast you’d respond on here so I posted this question in Hacker News thread as well, but figured I should ask it here too.

I normally just do my tunneling with ssh -D. Is there an advantage of using SSH VPN instead of SSH as a SOCKS proxy? Is an ssh tunnel with -D not secure?

Mat December 3rd, 2010

It might also be easier to use the commercial offering from OpenVPN since it offers two free concurrent connections:
http://www.openvpn.net/index.php/access-server/download-openvpn-as.html

I’ve deployed it a couple of times for people and it is by far the easiest method of rolling out OpenVPN. It takes care of the certificate generation and can be configured to authenticate off of LDAP (Active Directory), RADIUS, or local user accounts (PAM). The included windows client bundles the certificates and configuration into the installer which makes client deployment easy as well. The client.ovpn file also works with Tunnelbrick (even though I’ve found Viscosity to be a better client).

Justin December 3rd, 2010

SideStep basically automates ssh -D for you and sets up a local SOCKS proxy. However SOCKS proxies (and thus the current version of Sidestep) can only protect TCP traffic that supports SOCKS proxies. For example, you can’t tunnel your DNS requests over a proxy (without tinkering with Firefox’s about:config).

Also, since ssh -D is not a true VPN tunnel, your machine is exposed to the hostile network (if you don’t have a firewall).

If you want complete privacy where ALL of your IP traffic is tunneled out, OpenVPN (or other tunneling layer 3 solution) is the way to go.

Juanjo December 3rd, 2010

Justin, AFAIK ssh supports SOCKS5 that includes UDP support for DNS lookups.

I guess it may depend on the SOCKS client, but Firefox 3.6 deals with SOCKS5 perfectly.

Different Justin December 3rd, 2010

@Mat – > Can you point me in the right direction to how to setup a similar setup as you described using open vpn in conjunction with EC2?

trueluk December 3rd, 2010

Re: step 22

I’m connected to my EC2 instance using Tunnelblick. The log messages are not indicating any problem, but I’m unable to connect to anything. The browser just hangs on ‘sending request…’ I try to ping an IP address that I know is up and it’s 100% packet loss.

Any idea what could be going wrong?

Justin December 3rd, 2010

Go back and check Step 18 was setup properly. View each of these files and make sure they contain what they are supposed to:

/proc/sys/net/ipv4/ip_forward has ’1′ in it
/etc/network/if-up.d/iptables has ‘#!/bin/sh’ in it
/etc/iptables.conf has ‘iptables -t nat -A POSTROUTING -s 10.8.80.0/24 -o eth0 -j MASQUERADE’ in it
/etc/sysctl.conf has ‘net.ipv4.ip_forward=1′ in it.

Don’t include the ‘.

trueluk December 3rd, 2010

I went through the steps again and reboot. When I check the files after reboot /proc/sys/net/ipv4/ip_forward is 0 instead of 1. It was 1 before the reboot. I went through the steps again and noticed that /etc/iptables.conf has: -A POSTROUTING -s 10.8.80.0/24 -o eth0 -j MASQUERADE

I changed that to: iptables -t nat -A POSTROUTING -s 10.8.80.0/24 -o eth0 -j MASQUERADE

I rebooted again and this time when I come in /proc/sys/net/ipv4/ip_forward has kept the 1 and all of the other files look good. It still wasn’t working so I ran only:

root@ec2:~$ iptables -t nat -A POSTROUTING -s 10.8.80.0/24 -o eth0 -j MASQUERADE
root@ec2:~$ iptables-save > /etc/iptables.conf

After that it started to work. Not sure what fixed it but I can say that /etc/iptables.conf had 3 generated blocks before while it wasn’t working and now it only has 2 blocks in it.

Thanks so much.

Justin December 3rd, 2010

With SideStep running I ran a tcpdump and saw my DNS traffic going to my local DNS servers and not being tunneled through SSH. If you know of a way to tunnel that w/ ssh, let me know and I will add it! Thanks!

ammmm December 3rd, 2010

amazon and privacy.. see what happened to wikileaks

Brian December 3rd, 2010

Is there a way to do this using the native Mac OS X L2TP VPN client? That way you could use the OS X location manager to determine when you use the VPN.

Trevor December 3rd, 2010

Amazon didn’t violate Wikileaks’ privacy. For right or wrong they leveraged their acceptable use policy to kick them off. Not sure the Wikileaks-Amazon situation is relevant here.

Winter December 3rd, 2010

A quicker and maybe cheaper way to do this would be just using the instance as a SSH tunnel. That way you don’t have to install anything on the instance and all you have to do is have a ssh client on your local computer.

Trevor December 3rd, 2010

@Winter That’s what Justin and trueluk were discussing above.

Justin December 3rd, 2010

@Winter SideStep does the SSH tunnel for you. You can forgo the whole OpenVPN section (Steps 12 through 22) if you just want to use SideStep.

trueluk December 3rd, 2010

One last question Justin.

I’m still a little unclear on the VPN/SSH thing. The way I’m understanding it right now is that there is no reason to use ssh -D (Sidestep) if I’m already using VPN (Tunnelblick). With Tunnelblick all of my connections go through my EC2 instance so there’s no reason to also use an ssh tunnel. Is that correct? If I’m understanding it right, then using them in conjunction seems like overkill.

When would I ever use Sidestep?

Justin December 3rd, 2010

@trueluk you are correct. They are an either or. SideStep is when you want to set this up on someone’s computer that doesn’t know a lot about tech and it will automatically secure their network connection with SSH while on an unencrypted network.


Justin December 3rd, 2010

@Brian I haven’t done it, but that seems like a great idea. This tutorial seems like a good start. http://riobard.com/blog/2010-04-30-l2tp-over-ipsec-ubuntu/

Mat December 3rd, 2010

@Different Justin
Doing OpenVPN-AS on EC2 I would deploy CentOS5 since the OpenVPN-AS packages haven’t been updated for Ubuntu 10.x (at least not released).

I’ve used the CentOS 5.5 64bit AMI ami-92dd2afb before with great success and it fits within the 10GB free limit. After you have that up and running you would just go download the Red Hat 5 amd/x86 64bit package from here:
wget http://swupdate.openvpn.net/as/openvpn-as-1.5.6-RHEL5.x86_64.rpm

On the new CentOS instance you would then add a new non-root user account:
adduser <>
Then set a password:
passwd <>

After that is complete you would then just install the RPM package of OpenVPN-AS
rpm -ivh openvpn-as-1.5.6-RHEL5.x86_64.rpm

Then you need to run the ovpn-init script:
/usr/local/openvpn_as/bin/ovpn-init

You can find more details on installing OpenVPN-AS here:
http://www.openvpn.net/index.php/access-server/installation-overview.html

analogue December 3rd, 2010

Instructions for those of you who are using Ubuntu 10.x clients:


sudo apt-get install network-manager-openvpn network-manager-openvpn-gnome

Network Manager > VPN Connections > Configure VPN...

Click on Add button

Choose OpenVPN and click Create...

Gateway: IP address of your EC2 instance
Type: Certificates (TLS)
User Certificate: .crt
CA Certificate: ca.crt
Private Key: .key
Private Key Password: leave empty

Click on Advanced button

General Tab >
Use custom gateway port: 443
Use LZO data compression: checked
Use TCP connection: checked

TLS Authentication Tab >

Use additional TLS authentication: Checked
Key File: ta.key
Key Direction: 1

Save everything

sudo service network-manager restart

Network Manager > VPN Connections > Select your newly created VPN

tail -f /var/log/messages for troubleshooting

Enjoy!

John December 3rd, 2010

Just a quick question that probably demonstrates my lack of knowledge about VPN – does the amount of bandwidth that goes through the VPN affect the Amazon charges? So, for instances where you may be streaming music from one device to another using the VPN, would charges be higher?

Justin December 3rd, 2010

@analogue awesome post! Thanks!

Justin December 3rd, 2010

@John Yes. Since all of your traffic will be routed through the VPN to your Amazon EC2 instance and then out to the Internet, your charges would be higher. This setup is good for casual browsing and the occasional download.

m00p December 3rd, 2010

Is amazon then able to view what you’re browsing?

Trevor December 3rd, 2010

@m00p Sure. But short of end-to-end encryption to your destination, this would be the case for any Internet access.

Andrew Darnell December 4th, 2010

Thanks,

Great post…

MiNo December 4th, 2010

Works like charm! PERFECT TUTORIAL ! :)

Thank you so much!! :)

PS: the “ami-4a0df923″ is only available if you select the region “US East”! Maybe you should write this in the TUT.

Derik December 4th, 2010

Didn’t you twitter that your clients are trying to figure out how to move to the cloud?

With your great (yes, it is great) EC2 writeup, they certainly will move as we speak. Obviously, the biz people will run with the wind when they see how sausages are made and SaaS their own.

Joshbaptiste December 4th, 2010

As mentioned before OpenSSH supports Socks5 proxying!
Far too much work for just thwarting firesheep or any other http snooping mechanism.

1) get firefox,
2) install Foxyproxy (optional: but less hassle to switch proxy)
3) ssh -D 5555 user@ec2node (or any -D port you prefer)
4) configure foxyproxy to use Socks5 127.0.0.1 port 5555
5) browse through secure ssh connection!

Notes:
1: Any browser can be used but the firefox/foxyproxy combo allows you to quickly disable/re-enable proxy with one click.

2: Windows users can use Putty (Google, Putty socks proxy)

3. Most people just want to secure their http connections; creating a full-fledged VPN is usually overkill since everything these days is usually done via browser.

Trevor December 4th, 2010

If the ONLY thing you care about is protecting the confidentiality of your HTTP traffic, then yes, SOCKS via ssh is a great simple solution. Then again if HTTP was the only thing worth protecting no one would have VPNs. Too bad ssh SOCKS proxies won’t protect non-proxy aware apps, UDP traffic (e.g. your DNS lookups), etc. Also, it’s common for 3rd party browser plugins to ignore proxy settings exposing their traffic to the unsecured network. Tunnelblick also makes this solution pretty much point and click.

brunoqc December 4th, 2010

Nice guide!

I use “sudo -s” instead of “sudo su -”

Advait December 4th, 2010

@analogue Thank you so much!

Patrick December 5th, 2010

Fantastic! It worked for me without a hitch.

“Awesome” is such an overused word these days, but your instructions really ARE awesome. :-)

I’m attending a conference in a couple of days with all-day open wireless, so this is very timely. Thank you!!

Todd December 5th, 2010

Hello there. Very interesting tutorial. I’m trying to do this with a Windows client and the OpenVPN Windows GUI. All seemingly went well, but I seem to be stuck. My log shows the following.


Sun Dec 05 15:46:44 2010 OpenVPN 2.2-beta5 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 30 2010
Sun Dec 05 15:46:44 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Dec 05 15:46:44 2010 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Sun Dec 05 15:46:44 2010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 05 15:46:44 2010 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 05 15:46:44 2010 LZO compression initialized
Sun Dec 05 15:46:44 2010 Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
Sun Dec 05 15:46:44 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Dec 05 15:46:44 2010 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Dec 05 15:46:44 2010 Local Options hash (VER=V4): 'ee93268d'
Sun Dec 05 15:46:44 2010 Expected Remote Options hash (VER=V4): 'bd577cd1'
Sun Dec 05 15:46:44 2010 Attempting to establish TCP connection with 50.16.236.144:443
Sun Dec 05 15:46:44 2010 TCP connection established with 50.16.236.144:443
Sun Dec 05 15:46:44 2010 TCPv4_CLIENT link local: [undef]
Sun Dec 05 15:46:44 2010 TCPv4_CLIENT link remote: 50.16.236.144:443
Sun Dec 05 15:46:44 2010 Connection reset, restarting [0]

Any advice?

Thank you.

Robert Massa December 6th, 2010

And that’s the recommendation you gave *your wife*, seriously?

Bill December 7th, 2010

Everything is working flawlessly with the exception of connection speed. When I’m VPNed into my EC2 instance via TunnelBlick it is *significantly* slower – 2Mbps on VPN vs. 20Mbps on the same connection running without VPN.

Any ideas on how to improve performance?

Trevor December 7th, 2010

@Bill, I have a theory that TCP tunneled over TCP is not as efficient as UDP. Maybe try to use UDP? You’ll need to update your instance’s security policy and the openvpn configs on both sides. Let us know your results if you give this a try!

Trevor

Bill December 7th, 2010

@Trevor -

Sounds promising, but unfortunately I don’t have the server config chops to give this a try.

If there is a tutorial somewhere you can point to, I might be able to follow along well enough to test this theory out.

Justin – any thoughts?

/Bill

Andre December 7th, 2010

@trueluk and @justin I went through all the steps (twice actually) and noticed the same problem trueluk did… plus a typo on my part… is there any way to simply delete the erroneous line, as the file is read-only?

Justin December 7th, 2010

@Robert

No, I set this up and have her click on the Tunnelblick icon when she is on an open WiFi network. Single click. Simple enough!

Justin December 7th, 2010

@Andre

What specific file are you talking about and what erroneous line?

Justin December 7th, 2010

@Todd

Try changing ‘dev tun’ to ‘dev tap’ on both the server.conf and ec2.conf. Make sure you restart openvpn on your ec2 instance and that ‘dev tun’ is commented out in both config files.

Trevor December 7th, 2010

@Todd, The last line, “Connection reset” indicates that the remote side closed the connection via a RST, but after connecting. Do you have a web server listening on port 443? Maybe run “sudo lsof | grep 443 | grep -i tcp” and see what process is using 443. If it’s openvpn, tail the openvpn log to see why it’s giving you the boot.

Matt December 8th, 2010

Justin, loved the how-to. Worked like a charm and gave me an excuse to experiment with EC2.

I also succeeded in connecting my Windows laptop and wrote up some short instructions:
http://mattkaar.com/addendum-amazon-ec2-vpn-using-a-windows-clien

Ben December 9th, 2010

Thanks for the writeup, it works very well.

A few notes for others:

I’m on US-West and used image ami-880c5ccd

Using Viscosity I had some troubles connecting and it was due to not having ‘Direction: 1’ selected under Authentication->Extra

Tourshi December 19th, 2010

Okay this is confusing. On the AWS website, the free tier is free for ‘Amazon EC2 Linux Micro Instance’:

750 hours of Amazon EC2 Linux Micro Instance usage (613 MB of memory and 32-bit and 64-bit platform support) – enough hours to run continuously each month*

Anything other than this AMI would, as can be deduced, incur its own charges and is not included in the 750 hours. So which part of this whole deal is free?

It will be quite costly to run the Ubuntu or some other non-amazon ami.

Please help, I’m confused.

Richard December 20th, 2010

Why not try this:

1. Ask Wi-Fi provider to enable WPA2 on their router and provide all customers with the password.

2. Enjoy browsing unaffected by FireSheep, as all data sent to and from the router is now encrypted and FireSheep is only effective at mining data sent in the clear.

If your local hotspot can’t swing this, offer to do it yourself. It’ll take far less time than following these steps, and if you have the expertise needed to follow these steps, you’re more than qualified to set up WiFi security on a router. Added bonus: you’ll be protecting everyone who uses that public wifi, not just yourself. Just a thought.

Trevor December 20th, 2010

@Richard Few things:

1. That may work in very small wireless setups (like the basement of the CS building heh) but key distribution at say Starbucks, Panera, Virgin Inflight Wifi, any hotel, conferences, etc. would be unfeasible. Just not an option in practice.

2. This is incorrect. WPA/WEP does not protect you against eavesdropping within the same encrypted network. If you and I are both on a WPA encrypted network I can still intercept your session ID via FireSheep.

3. My local hotspot is Starbucks, which is really AT&T. I’m not sure that offering AT&T (via the Starbucks barista) would really work.

Philip Thomas December 27th, 2010

Awesome. Any tips on adding iPhone to the VPN?

Andre December 27th, 2010

@Justin Thank you for your great post. It took a while for me to get back to this. I did get it all to work and learned a lot about Unix in the process. Sometimes the best course of action is to start over rather than trying to find the needle in the haystack. You can edit a read-only file with Vi as a super user – one of those ‘duh’ moments ;-)

Ian Chilton January 25th, 2011

@Trevor
Re your point 2 – I believe WPA provides inter-client isolation – so using WPA should render Firesheep useless if both parties are on the wireless (in a cafe), for instance.

That said, it’s no substitute for a full VPN Solution.

Thanks Justin for providing such a great guide – this is pretty much identical to how I’ve been setting OpenVPN up for a while so it’s good to know I’m doing it correctly.

Ian Chilton January 25th, 2011

@Philip Thomas
AFAIK there is no way to connect to OpenVPN from an iPhone – you would need an IPSec or PPTP vpn server for that.

Kat January 26th, 2011

Thanks for this – you explain things really well for non-tech n00bs like me. I got as far as step 16, and I’m a bit stuck:

“Remember to use your EC2 key to login with Cyberduck. It is the key we created in Step 2 and stored in your ~/.ssh/ folder (JustinsAllEC2Key.pem). Remember, the keys.tar file will be located in the /etc/openvpn/ directory. Download the keys.tar file to your Downloads directory.”

I installed Cyberduck, but I’m a bit stuck on the part where I log in to my EC2 account. How do I access my key?

Roger January 30th, 2011

Great solution. One question though: when selecting the fixed IP address, does Amazon make it possible to get UK allocated IP addresses? This would help me solve the problem of the wireless security, and also accessing “UK only” services.

Thanks

Martin February 7th, 2011

Two things I’d like to point out in order to keep $ charges to a minimum, from my own experience:

1) Use a CNAME record instead of an A record to point to your Amazon EC2 Instance. If you use an A record, the EC2 instance will talk to itself using the external IP and get charged “$0.010 per GB – regional data transfer – in/out/between EC2 Avail Zones or when using public/elastic IP addresses or ELB”. Point your CNAME record to your ec2-xx-xx-xx-xx.compute-1.amazonaws.com address. More info: http://www.stevenringo.com/elastic-ip-on-amazon-ec2-why-using-a-cname-is-better-than-an-a-record/

2) Keep only 1 attached Elastic IP and 0 non-attached Elastic IPs. Non-attached Elastic IPs will be billed “$0.01 per non-attached Elastic IP address per complete hour”. In my attempt to capture a memorable Elastic IP address, I allocated the maximum number of IPs (5 I believe) to decide between them. I associated my favorite IP to my instance but forgot to release the remaining 4 non-attached IPs and was billed by the hour for each of them I left overnight.

Although these $ charges are just pennies, and not a big deal, I thought it worthwhile to leave a warning here for those who truly want to keep a $0.00 balance.

Martin February 7th, 2011

I forgot one more thing.

3) Use an AMI that is under 10GB as you only get “10 GB of Amazon Elastic Block Storage, plus 1 million I/Os, 1 GB of snapshot storage, 10,000 snapshot Get Requests and 1,000 snapshot Put Requests” in the Free Tier for Amazon’s AWS.

The AMI used in this tutorial is ami-4a0df923 and uses 15GB. Amazon has recently updated their AMIs to include ones under 10GB. I personally used ami-3e02f257, which clocks in at 8GB.

Martin February 7th, 2011

OK I keep remembering more things to write. Sorry about that…

If you’re accessing your EC2 Instance via ssh from a Windows machine using an SSH client such as PuTTY, then you have to convert the *.pem key into a format that PuTTY can use with PuTTYgen.

Open up PuTTYgen, hit the Load button, browse to your *.pem key saved earlier (select All Files if you have to, to see it), and a message will pop up confirming what was imported and giving you further instructions. Click OK on that message, and hit “Save private key” as instructed.

Use the saved ppk file with “putty -i -l ubuntu” to login to your EC2 Instance.

Riaan February 13th, 2011

Hi Justin,

Great tutorial, thanks very much for sharing it. I appreciate you’ve written this from a Mac user’s perspective, and on my Mac it works a treat. However I’ve tried to make it work on my Vista machine and have hit a slight snag.

The OpenVPN GUI connects without a problem and picks up a 10.8.80.x IP address. However traffic still routes over my wired connection, confirmed by IPChicken.

So I turned the firewall off for all connections (Windows Firewall), but this made no difference. IPconfig revealed the following for the OpenVPN (TAP) connection:

IPv4: 10.8.80.6
Subnet: 255.255.255.252
Gateway: MISSING
DHCP server: 10.8.80.5
DNS: 208.67.222.222 and 208.67.220.220

So I figured the missing gateway must be the issue, and manually configured it as 10.8.80.1 up to 5, none of which helped.

Ping tests reveal that the only 10.8.80.x IP address I’m able to ping is myself (.6).

Any suggestions on what these IP settings should be, or if there are some amendments to make in order to make it work on Vista?

Much appreciated,
Riaan

Riaan February 13th, 2011

PS re the previous post: OpenVPN works fine on my XP machine, only Vista has issues.

Riaan

Sebastian February 18th, 2011

Hi,

I followed your great tutorial in December and everything was working fine. Today I want to log in with ssh ubuntu@ipadress and get a Permission denied (public key) error message.

I am not sure what to do now, hopefully you can help me out?!

Regards,
Sebastian

Sebastian February 18th, 2011

Ok. Problem solved. I have used the wrong *.pem file. Everything works fine.

Regards,
Sebastian

Martin February 18th, 2011

Riaan, I think this may help your situation, 1) try running OpenVPN GUI as an administrator and 2) add these two lines to your ovpn file:

route-method exe
route-delay 2

I was connected via OpenVPN GUI as well but my traffic wasn’t routing over the VPN connection for some reason as well. If you look in the log, you might see the following:

“ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [if_index=18]”
and/or
“Route addition via IPAPI failed”

if that is the case, then those two lines should help you out. Just make sure to run OpenVPN GUI as an admin to mitigate any permissions problems in establishing the route.

That was the last problem I encountered in setting up everything, and forgot to post about it here. Hopefully the entirety of this article and our comments will help some strangers get on the internet, whether they are evading firesheep or circumventing censorship.

mrevil February 21st, 2011

Thanks for the awesome tutorial, it was exactly what I was looking for.

Justin February 22nd, 2011

@Martin
Thanks! I just switched my personal ami to this image and will update the blog now!

David Beegle March 1st, 2011

I am completely ignorant when it comes to Linux, SSH and using keyfiles so I am having trouble with step 16. I am supposed to download the tar file I created using CyberDuck (I have Transmit and have tried that as well) and can’t figure out how to use either CyberDuck or Transmit to get into the instance and download the tar file. Are there instructions for this anywhere?

David Beegle March 1st, 2011

Never mind. Got my problem figured out with using Transmit. Thanks.

David Beegle March 1st, 2011

Awesome! Got it working. This will be great. Thanks much for the walkthrough.

Alex March 11th, 2011

Can anyone explain why I’m getting a permission denied. Followed the instructions, and on the first time trying to ssh in, I get this

The authenticity of host ‘xx.xx.xxx.xxx (xx.xx.xxx.xxx)’ can’t be established.
RSA key fingerprint is [fingerprint id].
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘xx.xx.xxx.xxx’ (RSA) to the list of known hosts.
Permission denied (publickey).

? I’m on OS X 10.6.6

Alex March 11th, 2011

Ok, solved my problem. I has poor spelins :(

it’s ubuntu, not ubantu

Matthew Aaron McVickar March 14th, 2011

I’m a little confused about how the bandwidth usage charges work. I regularly work long hours at a coffee shop, and would love to set this up for usage there, but if all of my outgoing bandwidth is routed through this EC2 instance, won’t I exceed the free limits very quickly?

Andrew March 14th, 2011

Hi, I followed the tutorial above with no difficulties and my connection is now secured! However, I’ve already been charged 60 cents in the last 2 days by Amazon. Is this expected?

I’m not sure that I am eligible for the ‘free tier’ since I previously used Amazon S3 on my account about 2 years ago.

Justin March 14th, 2011

@Matthew

For high bandwidth users, I would not recommend using EC2. It will cost you. You might want to look at Linode.com or even setting up an SSH tunnel to your house using SideStep.

Justin

Justin March 14th, 2011

@Andrew,

What was the $.60 charged for?

Justin

Andrew March 14th, 2011

So far, I’ve been charged $0.66 for 33 hours of $0.02 per Micro Instance (t1.micro) instance-hour (or partial hour).

(plus 5 cents for $0.10 per GB-month of provisioned storage 0.452 GB-Mo)

This has only been running since Saturday afternoon.

Justin March 14th, 2011

@Andrew

I would contact Amazon and see if you are not signed up for the free tier.

Let me know.

Andrew March 14th, 2011

Thanks.. I’ll try to get in touch with Amazon.

I think the problem might be that the free tier is limited to people who never used Amazon Web Services before the free-tier was announced. (unfortunately I played around with S3 about a year prior as an off-site backup solution.)

Paul March 15th, 2011

@Andrew

I am in the same boat. I activated an S3 account for offsite backups like two years ago and I don’t think I used it once. Here is my response from AWS:

“Hello,

I’ve researched your account and see that your AWS account was created before October 21, 2010. Unfortunately, your account isn’t eligible for the AWS Free Usage Tier.

Please note that the definition of new customer as related to this offer is based on the creation date of your AWS account, and is not related to your current or previous use of AWS services.

Please review the full terms of this offer for more information:

http://aws.amazon.com/free/terms/

I’m sorry if this causes any disappointment. We hope to see you again soon.”

I suppose I could create a new account but if you read closely, it’s only free for the first year. They credit you 750 instance-hrs/mo (24 hrs/day) and 15 GB/mo, which is virtually unlimited data.

You have to remember to shut down the EC2 instance if you decide to keep it. As a frequent traveler with no desktop at home on which to host my own SSH setup, EC2 is still cheaper than most of the commercial solutions I’ve seen.

Percy March 16th, 2011

I followed up to step 18 but can’t get Transmit or Cyberduck to connect to my EC2.

How else can I download the .tar file mentioned in step 20?
I even followed these steps (http://jeffreysambells.com/posts/2010/08/04/connecting-to-amazon-ec2-using-transmit/) to get it to work in Transmit.
No luck.

Could anyone help?

Thanks.

Justin March 17th, 2011

@Percy

Do you have an outbound firewall? Perhaps on your mac or network?

Email me your IP and I will see if I can reach it -> http://scr.im/mascasa

bw March 17th, 2011

I am completely stuck on step 16! Please help!!!

I can’t figure out how to use my EC2 key to log in with Cyberduck – I’m sure it’s simple, but what am I missing?

Justin March 17th, 2011

Check “Public Key Authentication” and then select your .pem EC2 key.

Percy March 17th, 2011

@justin

I finished the tutorial. I was able to select the .pem in Transmit by copying it to the Desktop.
Thanks for your help!

PiersG March 20th, 2011

Thanks for the guide, as others have said, a great introduction to AWS as well as a useful network facility to be able to access. During this week I’ll be changing all my machines over from SSH to OpenVPN.

As I’m in the UK I used the “EU West (Ireland)” AWS region and the “ami-fb9ca98f” image (8GiB ubuntu maverick 10.10) which worked flawlessly. I’ve changed the server.conf and OpenVPN client conf files to use UDP on port 1194.

Thanks again to Justin and all those submitting comments (eg use of PuTTY, CNAME etc). Very helpful!

Lorin Rivers May 20th, 2011

Thanks for the awesome guide. Might want to point out that in step 4, the default values for a given app (0.0.0.0/0) are, in fact, any IP. Don’t know if the UI has changed since you initially wrote this or what, but I was mildly confused.

Hormoz May 27th, 2011

The tutorial is really helpful, thank you.
Although I encountered an error at the end when Tunnelblick tries to connect – well, it cannot connect. I posted its log here:
https://gist.github.com/991052
Can someone help me on this?

Justin May 27th, 2011

@Hormoz it cannot find your hormoz.crt certificate file. Where did you place this file and what does your config file say for its path? Check them both.

Hormoz May 27th, 2011

“hormoz.crt” is in “/etc/openvpn/easy-rsa/keys”; and in the .conf file I first just changed the name, and seeing it’s not working I wrote the whole address in there, but that didn’t work either!

Shahid June 5th, 2011

This was a fantastic tutorial. I managed to get everything working, which given the complexity of what is being described here, is a great testament to your clarity and quality of writing.

I couldn’t find the instance you were referring to, so I picked one that was reasonably close from the Alestic site – ami-2cc83145

I didn’t qualify for the free tier, so I’ve paid the extortionate (hehe) price of $0.44 for a day so far. :-) I don’t mind paying a few cents to protect each open session, but I probably wouldn’t spend around $10 a month for the privilege, given all the other hosting I’m paying for (Media Temple, BlueHost, NearlyFreeSpeech.net etc. etc.)

The cost of a micro instance is 2c an hour, and if you stop the instance, but keep the elastic IP, you still pay 1c an hour for the privilege, so that isn’t a fix either.

Is there a way around this? What would your advice be?

Once again, thanks – it was great to feel like a Unix guru for a few hours. :-)

Shahid June 5th, 2011

A quick update – I am now using Sidestep to connect via my MediaTemple server through SSH.

Is there any reason to keep my EC2 now? (I’ve also unloaded Tunnelblick, presumably I don’t need that any more as it was just a GUI for OpenVPN, which presumably I don’t need any more either?)

Finally – as a programmer, but not an Internet security or server expert (or even amateur), where should I go to learn the basics of some of the skills you’re illustrating in this article?

Many thanks for such an educational and well-written piece. You have a great teaching style.

Justin June 5th, 2011

@Shahid

If you are using SideStep with MediaTemple, and you are ok with your DNS queries being sniffed on open networks, then you should be fine. I still keep my EC2 around if I need to try random things out, but I myself am using SideStep to my house for SSH-Proxy on open networks.

As for the blogs, LifeHacker.com is decent.

Shahid June 7th, 2011

@Justin

Many thanks.

You see, when you talk about my DNS queries being sniffed on open networks, that’s the kind of thing I’d never have realised. That’s the kind of thing it’d be great to learn. lifehacker doesn’t teach those things in general, but there might be other sites?

On another note, I’ve stopped (not terminated) my EC2 instance, but the Elastic IP I’ve got stays active at 1c an hour. Is there anything else worth keeping it around for? Otherwise the elastic IP on its own costs me $87 a year!

Thanks again.

Jason Bourne October 18th, 2011

Can someone confirm that this still works if I create an account and do this /today/? I need to enter credit card info to create an Amazon AWS account and I don’t want to be accidentally charged. I’m just in Europe for a few months and would love to be able to keep using Spotify and Netflix and Hulu.

Craig Patik October 22nd, 2011

I found a way past Step 16 (Cyberduck). I downloaded Transmit (free trial from Panic) and instead of setting up an S3 connection I chose SFTP.
Server name: the IP address of my EC2 instance
User name: ubuntu
Password: click the key icon and browse to the .pem file you made earlier

When you connect you’ll be in the folder called ‘ubuntu’ above an empty file list. This is actually /home/ubuntu, so to find your .tar file go up two directories to /, then find /etc/openvpn.

NP October 26th, 2011

So… I know a bit about computers, but some of this stuff is a bit over my head. From the very start I’m having trouble… When trying to move the key from the downloads folder to the ssh folder, it says it doesn’t exist. What am I missing? Is this a folder that my computer should already have, or is it one I need to make?

Steve October 27th, 2011

So should we turn off the Instance when we’re not using it? Does it rack up any charges if it’s just running and waiting for an OpenVPN connection?

Justin October 27th, 2011

It does incur charges while running and not being used, but it isn’t that much $. You could turn it off until you know you will need it and then turn it on.

Justin October 27th, 2011

Which folder are you talking about? .ssh? You may need to create it. Are you on OSX?

Justin October 27th, 2011

It still works, but you will be charged a nominal fee each month. The credit card is needed to pay this fee. Your fee will be higher if you stream video through it.

GLD October 27th, 2011

Great tutorial, thanks – I am completely new to unix and was able to follow it without a hitch UNTIL… I was unable to connect to my ec2 with tunnelblick – it says that it is unable to resolve host in the details, no problems connecting via the terminal.

Any ideas what might be causing this error?

Justin October 27th, 2011

What is your external DNS or IP for the instance you are trying to connect to?

GLD October 27th, 2011

107.22.219.190

connects fine in terminal with the ssh key pair.

If I ping it I get a timeout too.

Is it to do with port 443 which tunnelblick connects to being closed?

Justin October 27th, 2011

Did you do the HTTPS part of #4?

GLD October 27th, 2011

Yes I have just checked and only SSH and HTTPS ports are on the security group InternetAccesible which is associated with the instance.

Justin October 27th, 2011

Send me your client and server configs

http://scr.im/mascasa

Do you have any errors in /var/log/syslog on the server or via tunnelblick?

GLD October 27th, 2011

I can now connect to the ec2 instance but then cannot connect to the internet!

Pinging google from ec2 works fine.

NP October 27th, 2011

Yes, it’s the .ssh folder, and I am running OSX. It says “no such file or directory”

Chris Parker November 2nd, 2011

The instance no longer exists within Amazon’s list, so I chose ami-83b587f7. I presume this should be OK?

I now have issues connecting via Tunnelblick, with a connection refused error. Any ideas?

2011-11-02 11:29:35 *Tunnelblick: OS X 10.6.8; Tunnelblick 3.1.7 (build 2190.2413); OpenVPN 2.1.4
2011-11-02 11:29:39 *Tunnelblick: Attempting connection with ec2; Set nameserver = 1; monitoring connection
2011-11-02 11:29:39 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start ec2.conf 1337 1 0 0 0 49
2011-11-02 11:29:39 OpenVPN 2.1.4 i386-apple-darwin10.7.1 [SSL] [LZO2] [PKCS11] built on Mar 1 2011
2011-11-02 11:29:39 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2011-11-02 11:29:39 Need hold release from management interface, waiting…
2011-11-02 11:29:39 MANAGEMENT: Client connected from 127.0.0.1:1337
2011-11-02 11:29:39 MANAGEMENT: CMD 'pid'
2011-11-02 11:29:39 MANAGEMENT: CMD 'state on'
2011-11-02 11:29:39 MANAGEMENT: CMD 'state'
2011-11-02 11:29:39 MANAGEMENT: CMD 'hold release'
2011-11-02 11:29:39 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2011-11-02 11:29:39 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2011-11-02 11:29:39 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
2011-11-02 11:29:39 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-11-02 11:29:39 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-11-02 11:29:39 LZO compression initialized
2011-11-02 11:29:39 Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
2011-11-02 11:29:39 Socket Buffers: R=[262140->65536] S=[131070->65536]
2011-11-02 11:29:39 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
2011-11-02 11:29:39 Local Options hash (VER=V4): 'ee93268d'
2011-11-02 11:29:39 Expected Remote Options hash (VER=V4): 'bd577cd1'
2011-11-02 11:29:39 Attempting to establish TCP connection with 176.34.250.77:443 [nonblock]
2011-11-02 11:29:39 MANAGEMENT: >STATE:1320233379,TCP_CONNECT,,,
2011-11-02 11:29:39 *Tunnelblick: openvpnstart: /Applications/Tunnelblick.app/Contents/Resources/openvpn --cd /Users/ecrime2/Library/Application Support/Tunnelblick/Configurations --daemon --management 127.0.0.1 1337 --config /Users/ecrime2/Library/Application Support/Tunnelblick/Configurations/ec2.conf --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Secrime2-SLibrary-SApplication Support-STunnelblick-SConfigurations-Sec2.conf.1_0_0_0_49.1337.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d --up-restart
2011-11-02 11:29:40 TCP: connect to 176.34.250.77:443 failed, will try again in 5 seconds: Connection refused
2011-11-02 11:29:45 MANAGEMENT: >STATE:1320233385,TCP_CONNECT,,,
2011-11-02 11:29:46 TCP: connect to 176.34.250.77:443 failed, will try again in 5 seconds: Connection refused
2011-11-02 11:29:51 MANAGEMENT: >STATE:1320233391,TCP_CONNECT,,,
2011-11-02 11:29:52 TCP: connect to 176.34.250.77:443 failed, will try again in 5 seconds: Connection refused
2011-11-02 11:29:53 SIGTERM[hard,init_instance] received, process exiting
2011-11-02 11:29:53 MANAGEMENT: >STATE:1320233393,EXITING,init_instance,,
2011-11-02 11:29:54 *Tunnelblick: Flushed the DNS cache
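
A small triage helper for the two client logs posted in this thread (Todd’s “Connection reset” after the TCP session was established, and Chris Parker’s “Connection refused”), written here as an added example and not code from the post, OpenVPN or Tunnelblick. The sample logs are constructed (documentation IP 198.51.100.10) to mirror the posted ones, and the hints are the checks the replies suggested plus OpenVPN’s own MITM warning that appears in Chris’s log:

```python
"""Triage an OpenVPN client log for the connection failures discussed in this thread.

Added example, not code from the post, OpenVPN or Tunnelblick. The two sample
logs are constructed (documentation IP 198.51.100.10) to mirror the ones posted
by Todd ("Connection reset") and Chris Parker ("Connection refused").
"""
import re

# Matches e.g. "Attempting to establish TCP connection with 1.2.3.4:443 [nonblock]"
ENDPOINT_RE = re.compile(
    r"Attempting to establish (?P<proto>TCP|UDP) connection with "
    r"(?P<host>[\d.]+):(?P<port>\d+)"
)

# Constructed sample, modelled on the Windows OpenVPN GUI log posted above.
RESET_LOG = """\
Sun Dec 05 15:46:44 2010 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Sun Dec 05 15:46:44 2010 Attempting to establish TCP connection with 198.51.100.10:443
Sun Dec 05 15:46:44 2010 TCP connection established with 198.51.100.10:443
Sun Dec 05 15:46:44 2010 Connection reset, restarting [0]
"""

# Constructed sample, modelled on the Tunnelblick log posted above.
REFUSED_LOG = """\
2011-11-02 11:29:39 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2011-11-02 11:29:39 Attempting to establish TCP connection with 198.51.100.10:443 [nonblock]
2011-11-02 11:29:40 TCP: connect to 198.51.100.10:443 failed, will try again in 5 seconds: Connection refused
"""


def parse_events(log_text):
    """Return (endpoint, events): the server the client dialled, as a
    (proto, host, port) tuple, and the ordered connection events the log records."""
    endpoint = None
    events = []
    for line in log_text.splitlines():
        m = ENDPOINT_RE.search(line)
        if m:
            endpoint = (m.group("proto"), m.group("host"), int(m.group("port")))
        elif "No server certificate verification method" in line:
            events.append("no_server_cert_check")
        elif "TCP connection established with" in line:
            events.append("established")
        elif "Connection reset" in line:
            events.append("reset")
        elif "Connection refused" in line:
            events.append("refused")
        elif "Initialization Sequence Completed" in line:
            events.append("completed")
    return endpoint, events


def triage(log_text):
    """Map the events onto finding codes plus the next check to run, following the
    diagnoses offered in the thread."""
    endpoint, events = parse_events(log_text)
    where = f"{endpoint[1]}:{endpoint[2]}/{endpoint[0].lower()}" if endpoint else "the server"
    findings, hints = [], []

    if "completed" in events:
        hints.append("Tunnel came up; if traffic still leaves the local interface, check routes.")
    elif "refused" in events:
        # Chris's case: the host answered with a RST during the handshake, so it is
        # reachable but nothing listens on that port/proto. A security-group block
        # would show as a timeout, not a refusal.
        findings.append("connection_refused")
        hints.append(
            f"{where} refused the connection: check on the instance that openvpn is "
            "running and bound to that port and proto (sudo lsof -i TCP:443)."
        )
    elif "reset" in events:
        # Todd's case: the server accepted the TCP session and then dropped it.
        accepted = "established" in events[: events.index("reset")]
        findings.append("reset_after_connect" if accepted else "connection_reset")
        hints.append(
            f"{where} accepted the connection and then closed it: read the server side "
            "(/var/log/syslog on the instance), confirm port 443 belongs to openvpn and "
            "not a web server (sudo lsof -i TCP:443), and confirm proto, port and dev "
            "(tun/tap) match in server.conf and the client .conf."
        )

    if "no_server_cert_check" in events:
        # Hardening, independent of whether the tunnel came up: without a server
        # check the client accepts any certificate issued by the same CA as the server.
        findings.append("no_server_cert_check")
        hints.append(
            "Add 'remote-cert-tls server' to the client config so it verifies the "
            "server certificate's role (the MITM note in the OpenVPN howto)."
        )
    return {"endpoint": endpoint, "findings": findings, "hints": hints}


if __name__ == "__main__":
    for name, log in (("reset", RESET_LOG), ("refused", REFUSED_LOG)):
        result = triage(log)
        print(name, result["endpoint"], result["findings"])
        for hint in result["hints"]:
            print("  -", hint)
```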

Chris Parker November 7th, 2011

Sorted it now. Ta.

Edward December 6th, 2011

Love this post. I’ve translated it to Chinese and posted here: http://edwwang.com/blog/2011/12/07/shearing-firesheep-with-the-cloud/

Patrick December 18th, 2011

I have been happily using my EC2 instance, built from your excellent instructions, for over a year. All that time, I’ve never understood what steps I need to take to make the instance survive a reboot. Now I’ve received the following warning from Amazon:

“One or more of your Amazon EC2 instances have been scheduled for a reboot in order to receive some patch updates.”

What do I need to do in order to survive reboot and get back up again?

Thanks for any help you can provide.

Patrick December 18th, 2011

Hi,

Ignore my previous message. I found the documentation I needed for an instance reboot. Thanks. :)

Now, if AWS ever schedules a *system* reboot, I’m still unclear about what steps will be necessary to preserve this functionality …