[OT a bit] -- OpenVPN and mobile safety
All

This is a little bit OT but has some roots in Debian. More than anything 
I am looking for pointers to where I should be looking for tutorials or 
other help, as I am pretty sure there is info out there on what I want 
to do but am not sure what to search for. Most of my searches so far 
have turned up info about connecting two networks using a VPN, which 
seems more difficult / complicated than what I am trying to do.

I travel a lot for business and some time ago I set up OpenVPN so I can 
access my home network, and in particular my main PC, while 
travelling.

I run OpenVPN on my network's firewall, which is a miniITX PC running 
LFS. The OpenVPN server is running in multi-client mode. When I am going 
to be travelling I open the relevant port on my firewall, add rules for the 
tun device, fire up OpenVPN on the server and on my client PC. When I 
come home I shut it down, as I don't need the VPN normally.

There are 2 clients for this VPN -- one is my main home PC which is a 
Debian Stretch machine and is connected by wired ethernet to a Buffalo 
AirStation which also supplies my WiFi. The WAN port of the AirStation 
runs to my firewall. The other client is an Android tablet where I run 
OpenVPN for Android.

For months I have reliably been able to connect the Android tablet and 
thus have connectivity from the tablet to the Debian machine while 
travelling. My usual drill is connect via OpenVPN, ssh from the tablet 
into the box, fire up a tigervncserver session and then connect from the 
tablet using a VNC viewer, after which I can pretty much do anything as 
if I were sitting in front of my home machine. For example right now I 
am using that configuration to send this email using mutt running on my 
Debian PC, while I am using my tablet in a hotel room in Singapore.

What I'd like to do now is have the option to set things up so that the 
tablet has NO CHOICE but to do all its interaction with the internet 
over the VPN.

In other words, it should connect to local untrusted WiFi as normal, get 
an IP address from that network, and then when I fire up OpenVPN I want 
to arrange things such that all user / app attempts to access the 
internet are routed through the VPN, so they emerge onto the internet at 
large from my home network not from my tablet directly. And, crucially, 
any attempt to talk to the tablet that doesn't come through the VPN goes 
ignored.

Thus untrusted networks don't see my traffic, and my tablet is safe from 
attack from the local untrusted WiFi LAN.

I imagine I need to let some traffic go through the untrusted 
connection, eg DHCP etc to keep the local connection to the untrusted 
WiFi alive, but I want that to be the absolute minimum necessary.

Is this a matter of configuring OpenVPN right, and if so can anyone 
point me at a good tutorial? Or do I need other software, in which case 
can anyone give me any pointers?

Thanks

Mark
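The setup described in the post (every client packet leaves via the home network, and the firewall accepts nothing from the internet except the OpenVPN port) splits into two halves. The server-side half is shown below as an added example; it is not code from the post or from the OpenVPN project. Interface names (`eth0`, `tun0`), the VPN subnet `10.8.0.0/24`, port `1194/udp`, the home resolver `192.168.1.1` and the `nobody`/`nogroup` account names are all assumptions to be replaced with the firewall's real values. The functions only print the OpenVPN directives and iptables rules so they can be reviewed and merged into an existing rc script; `apply_firewall_rules` runs them for real.

```shell
#!/bin/sh
# Added example, not from the original post: server-side half of a
# "full tunnel" OpenVPN setup for a home firewall. Values below are
# assumptions, not the poster's real configuration.
WAN_IF="${WAN_IF:-eth0}"              # assumed: internet-facing interface
VPN_IF="${VPN_IF:-tun0}"              # assumed: OpenVPN tun device
VPN_NET="${VPN_NET:-10.8.0.0/24}"     # assumed: subnet handed to VPN clients
VPN_PORT="${VPN_PORT:-1194}"          # assumed: OpenVPN listening port
VPN_PROTO="${VPN_PROTO:-udp}"
HOME_DNS="${HOME_DNS:-192.168.1.1}"   # assumed: resolver reachable via the VPN

# Directives to add to the OpenVPN server config so every client sends
# all of its traffic through the tunnel and resolves names at home.
openvpn_fulltunnel_directives() {
    cat <<EOF
# def1 overrides the client's default route without deleting it, so the
# tunnel itself (and the DHCP lease on the untrusted WiFi) stays reachable
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS ${HOME_DNS}"
# drop privileges once the tunnel is up (internet-facing daemon)
user nobody
group nogroup
persist-key
persist-tun
EOF
}

# iptables rules (printed, not applied) so VPN clients can reach the
# internet through the firewall while the WAN side exposes only OpenVPN.
firewall_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# only the OpenVPN port is reachable from the internet
iptables -A INPUT -i ${WAN_IF} -p ${VPN_PROTO} --dport ${VPN_PORT} -j ACCEPT
iptables -A INPUT -i ${WAN_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ${WAN_IF} -j DROP
# VPN clients may go out; only replies to their connections come back in
iptables -A FORWARD -i ${VPN_IF} -o ${WAN_IF} -s ${VPN_NET} -j ACCEPT
iptables -A FORWARD -i ${WAN_IF} -o ${VPN_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${WAN_IF} -o ${VPN_IF} -j DROP
# client traffic leaves the house with the firewall's public address
iptables -t nat -A POSTROUTING -s ${VPN_NET} -o ${WAN_IF} -j MASQUERADE
EOF
}

# Apply the printed rules for real (run as root on the firewall).
apply_firewall_rules() { firewall_rules | grep -v '^#' | sh; }

# Dry run: ./fulltunnel.sh print
if [ "${1:-}" = "print" ]; then
    openvpn_fulltunnel_directives
    echo
    firewall_rules
fi
```

The other half, making the tablet ignore anything that does not arrive through the tunnel, cannot be enforced from the firewall at all: once the untrusted WiFi hands the tablet an address, only the tablet can refuse non-VPN traffic. On Android that is the system VPN setting for an always-on VPN with connections outside the VPN blocked, rather than anything in the OpenVPN config.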