[OT a bit] -- OpenVPN and mobile safety
- Date: Tue, 21 Nov 2017 22:35:24 +0900
- From: Mark Fletcher <mark27q1@xxxxxxxxx>
- Subject: [OT a bit] -- OpenVPN and mobile safety

This is a little bit OT but has some roots in Debian. More than anything
I am looking for pointers to where I should be looking for tutorials or
other help, as I am pretty sure there is info out there on what I want
to do but am not sure what to search for. Most of my searches so far
have turned up info about connecting two networks using a VPN, which
seems more difficult / complicated than what I am trying to do.

I travel a lot for business and some time ago I set up OpenVPN so I can
access my home network, and in particular my main PC, while

I run OpenVPN on my network's firewall, which is a mini-ITX PC running
LFS. The OpenVPN server is running in multi-client mode. When I will be
travelling I open the relevant port on my firewall, add rules for the
tun device, fire up OpenVPN on the server and on my client PC. When I
come home I shut it down, as I don't need the VPN normally.

There are 2 clients for this VPN -- one is my main home PC which is a
Debian Stretch machine and is connected by wired Ethernet to a Buffalo
Airstation which also supplies my WiFi. The WAN port of the AirStation
runs to my firewall. The other client is an Android tablet where I run
OpenVPN for Android.

For months I have reliably been able to connect the Android tablet and
thus have connectivity from the tablet to the Debian machine while
travelling. My usual drill is connect via OpenVPN, ssh from the tablet
into the box, fire up a tigervncserver session and then connect from the
tablet using a VNC viewer, after which I can pretty much do anything as
if I were sitting in front of my home machine. For example right now I
am using that configuration to send this email using mutt running on my
Debian PC, while I am using my tablet in a hotel room in Singapore.

What I'd like to do now is have the option to set things up so that the
tablet has NO CHOICE but to do all its interaction with the internet
over the VPN.

In other words, it should connect to local untrusted WiFi as normal, get
an IP address from that network, and then when I fire up OpenVPN I want
to arrange things such that all user / app attempts to access the
internet are routed through the VPN, so they emerge onto the internet at
large from my home network not from my tablet directly. And, crucially,
any attempt to talk to the tablet that doesn't come through the VPN goes
Thus untrusted networks don't see my traffic, and my tablet is safe from
attack from the local untrusted WiFi LAN.

I imagine I need to let some traffic go through the untrusted
connection, e.g. DHCP etc. to keep the local connection to the untrusted
WiFi alive, but I want that to be the absolute minimum necessary.

Is this a matter of configuring OpenVPN right, and if so can anyone
point me at a good tutorial? Or do I need other software, in which case
can anyone give me any pointers?