During three wee hours of the morning, I set up OpenVPN at home. This would have been simpler had I actually been at home.
Instead, I did this from two states away: a digital moon shot in which I remotely reconfigured my home server, router, and modem to create a new connection. While mundane by sysadmin standards (I do this all the time for work), the fact I did this entirely from a Chromebook and a Linux box at home is an accessible tale of late night ninjitsu that made me feel quite clever.
My kit for this setup:
- One SSH connection, previously set up on a box at home
- One Chromebook
- One iPhone with wireless tether
The recipe was something like this:
- Use ChromeOS’ Secure Shell plugin to connect remotely to my box at home.
- Set up a SOCKS proxy, which is now supported by the SSH plugin.
- Remotely touch my router’s and modem’s web interfaces to punch a new forwarding port.
- Set up OpenVPN server and its PKI on my home box.
- Set up OpenVPN Connect on my phone.
- Gmail myself my client configuration and certs (!), because this is one of the few ways OpenVPN Connect can configure itself.
- Fail to connect a dozen times because OpenVPN server has a zillion bugs in its certificate parser.
- Curse loudly.
- Enable OpenVPN server logging.
- Fix my client certificates to not break the parser (eg, specify an actual email address instead of “Rawr”).
- Send my key again.
- Bounce the server.
- Connect my shiny new OpenVPN client to my home server.
- Get the [VPN] indicator on my iPhone.
- Cheer loudly, because it finally fscking works.
Any of these steps could have failed, ending my run. This would have been bad, because most VPN service providers are dangerously terrible: I much prefer a connection with Comcast to any of the free VPN startups that do unspecified things with customer data. When any of these connections is “free”, chances are you are the product being sold.
It is incredible that we live in a world in which these shenanigans are not just possible, but commonplace. I’m especially pleased this worked, because it means I can connect to wifi at a convention I’ll be visiting without compromising my security.
Never doubt the tenacity of a network engineer with SSH and a singular need. We will surprise you, and I find that glorious.