Back in 2007 I wrote a script which was supposed to ease the building of multiple encapsulated VPN tunnels. With VPNEncap you can build as many tunnels as you like, each encapsulated inside the previous one, without having to care for the routing between them; that is handled by OpenVPN and the VPNEncap script. Depending on how the VPN providers' servers are configured, this adds anonymity and security to your connection, and VPNEncap makes it easy to build even complex cascade tunnel setups.

You may compare it to the way Tor or Proxychains chain three or more proxy servers into a cascade, but with (stronger) encryption possible between each node and with the tunnel ciphers layered by placing new tunnels inside already established ones: imagine a cable that contains further cables, each of which contains more cables, and so on. The same multi-encapsulation idea can be applied to wrap encrypted containers or packages for any kind of data storage or transaction. A conventional, unencrypted transfer always gives an attacker on the path the chance to read your data stream; use additional layers of encryption to protect your privacy and/or anonymity. The following example describes VPNEncap with three VPN connections.
Example with 3 servers: 3 VPN tunnels encapsulated in each other, each with its own key length (n bits) and its own authentication data.
CLIENT -> SERVER1 -> SERVER2 -> SERVER3 -> INTERNET
CLIENT -> (encrypted1 + (encrypted2 + (encrypted3))) -> SERVER1 ->
-> (encrypted2 + (encrypted3)) -> SERVER2 ->
-> (encrypted3) -> SERVER3 ---> INTERNET/Network/Server
This is what you see when you monitor each hop of the connection (the captures below show a DNS request):
Encrypted packets of the DNS request
CLIENT->SERVER1
Nobody between CLIENT and SERVER1 can read the cleartext request.
This tunnel holds the next tunnel.

Encrypted packets of the DNS request
SERVER1->SERVER2
Nobody between SERVER1 and SERVER2 can read the cleartext request either; SERVER1 has only stripped the outer layer.
This tunnel holds the innermost tunnel.

Encrypted packets of the DNS request
SERVER2->SERVER3
Still an encrypted connection; no content sniffing possible.

Finally, at the outbound server of the setup, we see the unencrypted
DNS request to Google's nameserver 8.8.8.8.
SERVER3->INTERNET
Anybody between SERVER3 and your target server (e.g. 8.8.8.8) can sniff
your packets and their content unless the application itself uses
encryption such as HTTPS; plain DNS, as in this example, is readable there.
The same goes for the operator of SERVER3, who sees your traffic in the clear just like a proxy exit node does.
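To make the routing behind the diagram concrete, here is an added example script that brings up such a chain by hand. It is not the vpnencap script itself (that one is on GitHub, see below); it assumes one OpenVPN client config per hop with a `remote <ip> <port>` line (an IP address, not a hostname), names hop k's device tun(k-1), and manages the routes itself with ip(8). The addresses, interface name and config files in the demo are constructed for a dry run.

```sh
#!/bin/sh
# Added example, not the vpnencap script: bring up a chain of OpenVPN tunnels
# so that each one is carried inside the previous one
# (CLIENT -> SERVER1 -> SERVER2 -> SERVER3 -> INTERNET).
#
# Assumptions (hypothetical, not from the page): one client config per hop
# with a "remote <ip> <port>" line, hop k uses device tun(k-1), and routing is
# done here with ip(8), so the configs must not contain redirect-gateway.
# Needs root unless DRY_RUN=1, which only prints the plan.

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Server address from the first "remote" directive of an OpenVPN config.
ovpn_remote() {
    awk '$1 == "remote" { print $2; exit }' "$1"
}

# Gateway and interface of the physical default route, e.g. "192.0.2.1 eth0".
phys_default() {
    ip -4 route show default | awk 'NR == 1 { print $3, $5 }'
}

# Wait until device $1 has an IPv4 address, at most $2 seconds.
wait_for_dev() {
    local i=0
    while ! ip -4 addr show dev "$1" 2>/dev/null | grep -q 'inet '; do
        i=$((i + 1))
        [ "$i" -lt "$2" ] || return 1
        sleep 1
    done
}

# Bring up hop number $1 from config $2, riding inside hop $1-1.
bring_up_hop() {
    local k=$1 conf=$2 host dev
    host=$(ovpn_remote "$conf")
    [ -n "$host" ] || { echo "no remote directive in $conf" >&2; return 1; }
    dev="tun$((k - 1))"
    if [ "$k" -eq 1 ]; then
        if [ -z "${PHYS_GW:-}" ]; then
            set -- $(phys_default); PHYS_GW=$1; PHYS_DEV=$2
        fi
        # Pin SERVER1 to the physical link so that the default-route change
        # below cannot pull the outer tunnel's own packets into the tunnel.
        run ip route replace "$host/32" via "$PHYS_GW" dev "$PHYS_DEV"
    else
        # SERVERk is reachable only through the tunnel of hop k-1: this is
        # what makes the tunnels nest instead of running side by side.
        run ip route replace "$host/32" dev "tun$((k - 2))"
    fi
    # --route-noexec: OpenVPN must neither add its own routes nor apply pushed
    # ones; otherwise it would route SERVERk via the physical gateway.
    run openvpn --config "$conf" --dev "$dev" --route-noexec --daemon "vpnencap-hop$k"
    if [ "${DRY_RUN:-0}" != 1 ]; then
        wait_for_dev "$dev" 30 || { echo "hop $k ($dev) did not come up" >&2; return 1; }
    fi
    # Everything not pinned above now leaves through the innermost tunnel.
    run ip route replace default dev "$dev"
}

# Bring up all hops in order: chain_up hop1.conf hop2.conf ...
chain_up() {
    local k=0 conf
    for conf in "$@"; do
        k=$((k + 1))
        bring_up_hop "$k" "$conf" || return 1
    done
}

# Constructed demo: three throwaway configs, dry run, prints the plan.
demo_plan() {
    local d i
    d=$(mktemp -d)
    for i in 1 2 3; do
        printf 'client\ndev tun\nproto tcp\nremote 198.51.100.%s 1194\n' "$i" > "$d/hop$i.conf"
    done
    DRY_RUN=1; PHYS_GW=192.0.2.1; PHYS_DEV=eth0
    chain_up "$d/hop1.conf" "$d/hop2.conf" "$d/hop3.conf"
    rm -rf "$d"
}

if [ "${VPNENCAP_RUN:-0}" = 1 ]; then
    chain_up "$@"
fi
```

Run `VPNENCAP_RUN=1 DRY_RUN=1 sh chain.sh hop1.conf hop2.conf hop3.conf` first to see the plan, then as root without DRY_RUN. The host route for hop k through tun(k-1) is the essential step: without it OpenVPN would reach SERVERk via the physical gateway and the tunnels would run side by side instead of nested. Tear down in reverse order, innermost daemon first, and restore the original default route afterwards.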

Which practical applications are possible this way?
- Encrypting your Internet connection
- Connecting to other networks
- Connecting to (file, mail, etc.) servers
What is the advantage of using encapsulated encrypted tunnels?
- Layered encryption: if an attacker manages to break capsule 1 (encrypted1), the payload is still encrypted2 wrapping encrypted3, so your data stream remains unreadable. With i tunnels the link to the first server carries i layers of encryption; each following server strips one layer. A broken outer layer exposes only more ciphertext, which in most cases the attacker will take for a failed attempt before continuing the attack.
- High anonymity: tracing a connection back to its source is hard, because each server only sees the previous and the next hop; a traceback needs logs from every provider in the chain.
Are there disadvantages?
- Too many VPN tunnels, or servers that are geographically far apart, cost connection speed: every hop adds latency and every layer adds encapsulation overhead. Choose cheap combinations with respect to the servers' geolocation and network topology.
- Your system may be compromised if it is badly secured and you use unsafe VPN servers; remember that a VPN server can push routes and options to your client and sits in the path of your traffic. A PaX kernel, SELinux, iptables and a correct configuration will make your day.
- Some web services use captchas to protect their APIs from bots; if your exit server was heavily used by a bot before, you will get to enjoy those captchas.
OpenVPN or PPTP?
PPTP is outdated: its MS-CHAPv2 authentication is broken, and a captured handshake can be cracked within roughly a day, so a PPTP connection under attack is safe for 24-48h at most. Better use OpenVPN; the examples here use OpenVPN over TCP. Keep in mind that nesting TCP tunnels inside TCP tunnels costs throughput, so use UDP where the provider offers it.
for example: openvpn -> openvpn -> openvpn
for example: pptp -> openvpn/pptp -> openvpn
Where to find the documentation?
Just open vpnencap-x.sh in the text editor of your choice. At the top you will find a documented section for setting up your VPN servers.
Is this compatible with operating systems other than Linux?
Yes, but this is not documented yet. There are several overlays for OS X that provide all the tools needed. Windows users may try a Linux virtual machine or Cygwin (not tested).
It is up to you! Configuring your VPNENCAP setup properly will improve your level of security and anonymity.
Have fun with testing.
Quickstart :
- git clone https://github.com/whussup/vpnencap.git
- cd vpnencap
- chmod +x ./install.sh && ./install.sh
- open the configuration file and set up vpnencap: vi /etc/vpnencap/vpn_config.sh
- openvpn config files have to use the following scheme with inline certificates and keys (if you have separate ca, cert and key files, paste their contents into your config file as follows):
# config section
# ... (your usual directives: client, dev, proto, remote, ...)
<ca>
-----BEGIN CERTIFICATE-----
CERTIFICATE STRING
-----END CERTIFICATE-----
</ca>
# if used:
<cert>
-----BEGIN CERTIFICATE-----
CERTIFICATE STRING
-----END CERTIFICATE-----
</cert>
# if used (the private key is not a certificate: keep the BEGIN/END lines of your key file, e.g. PRIVATE KEY or RSA PRIVATE KEY):
<key>
-----BEGIN PRIVATE KEY-----
KEY STRING
-----END PRIVATE KEY-----
</key>
# if used (an inline tls-auth key cannot carry the direction argument of "tls-auth ta.key 1", so add key-direction: 1 on the client, 0 on the server):
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
KEY STRING
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
- start vpnencap: /etc/init.d/vpnencap start && screen -r
- with Ctrl+A, D you detach the screen so the process keeps running in the background. To reattach vpnencap to your screen afterwards you need to give the screen id: screen -r <screen_id> (it is the lowest number listed when you run screen -r without an argument)
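Pasting certificates by hand is error-prone, so here is an added helper (not part of vpnencap) that produces the single-file form described in the quickstart from a config that still points at separate files. It assumes the base config carries `ca`, `cert`, `key` and `tls-auth <file> <direction>` directives with paths relative to the config; the demo input and the PEM placeholders are constructed and are not real key material.

```sh
#!/bin/sh
# Added example, not part of vpnencap: convert an OpenVPN client config that
# points at separate ca/cert/key/tls-auth files into the single-file form
# with inline <ca>...</ca> blocks that vpnencap expects.
# Usage: inline_ovpn_config base.conf > hop1.conf
# Paths in the ca/cert/key/tls-auth directives are taken relative to base.conf.

# Emit one inline block: <tag>, the file's contents, </tag>.
inline_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

inline_ovpn_config() {
    local conf=$1 dir tag file dirn
    dir=$(dirname "$conf")
    # 1. Copy every directive except the four file-based ones being replaced
    #    ("key " does not match key-direction, which is kept).
    grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$conf"
    # 2. Append an inline block for each file-based directive present.
    for tag in ca cert key tls-auth; do
        file=$(awk -v t="$tag" '$1 == t { print $2; exit }' "$conf")
        [ -n "$file" ] || continue
        case $file in /*) ;; *) file="$dir/$file" ;; esac
        [ -r "$file" ] || { echo "cannot read $file (for $tag)" >&2; return 1; }
        inline_block "$tag" "$file"
    done
    # 3. An inline <tls-auth> block cannot carry the direction argument of
    #    "tls-auth ta.key 1", so it moves to a key-direction directive.
    dirn=$(awk '$1 == "tls-auth" { print $3; exit }' "$conf")
    if [ -n "$dirn" ]; then printf 'key-direction %s\n' "$dirn"; fi
}

# Constructed demo input: a base config plus placeholder PEM files
# (not real key material). Prints the merged config.
demo_inline() {
    local d
    d=$(mktemp -d)
    printf '%s\n' client 'dev tun' 'proto tcp' 'remote 198.51.100.1 1194' \
        'ca ca.crt' 'cert client.crt' 'key client.key' 'tls-auth ta.key 1' > "$d/base.conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' CA-PLACEHOLDER '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' CERT-PLACEHOLDER '-----END CERTIFICATE-----' > "$d/client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' KEY-PLACEHOLDER '-----END PRIVATE KEY-----' > "$d/client.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' TA-PLACEHOLDER \
        '-----END OpenVPN Static key V1-----' > "$d/ta.key"
    inline_ovpn_config "$d/base.conf"
    rm -rf "$d"
}
```

Check the result with `openvpn --config hop1.conf --verb 3` before adding it to the chain; a missing key-direction line is the usual reason an inline tls-auth config fails the TLS handshake although the separate-file version worked.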
*UPDATES VPNENCAP-0.3.6 :
- various Bugfixes
- Iptables basic network security
*UPDATES VPNENCAP-0.3.5 :
- Bugfixes : (re)connecting - connection will now stay stable and reestablish properly
- Bugfixes : router device
- Error output cosmetics
- New options for launching vpnencap at boot/default
*UPDATES VPNENCAP-0.3.4 :
- Debian Bugfixes
- Router Mode
- Code Cleanup
- Tests with Debian like and Gentoo like systems.
- Pidora workaround.
*UPDATES VPNENCAP-0.3.3 :
- properly checking for last used server if public server check is turned off
- added option for checking connection health either by ips or ips + tunnel num
- checking server ports with netcat
*UPDATES VPNENCAP-0.3.1 :
- minor Bugfixes for openvpn connection setup
- new option for individual server timeout
*UPDATES VPNENCAP-0.3 :
- fixed some bugs for (auto)reconnect
- fixed PPTP setup
- improving connection setup speed
- splitting the script into functions
- added parent UI for controlling your VPN setup:
  - automatic reconnect on connection loss
  - live monitoring
*UPDATES VPNENCAP-0.2 :
- New global options:
  - Randomization: randomizes your server chain
  - Skip: skips a specific number of servers in your chain
  - Public_Server_Check: if activated, checks each server's status before it is added to the chain
- Server options:
  - enabled flag for activating or deactivating a server config
Github : https://github.com/whussup/vpnencap
Posted at 2014-10-17 12:45:52 ( updated at 2016-06-03 03:47:08 )in Security