An easy to use and portable Virtual Private Network (VPN) system built with Linux and a Raspberry Pi. https://iadgov.github.io/goSecure/
About goSecure
goSecure is an easy-to-use and portable Virtual Private Network (VPN) solution.
To get started or for more information see https://iadgov.github.io/goSecure/
from https://github.com/iadgov/goSecure
-----------
goSecure Documentation Current version 0.9.9
Introduction
goSecure is an easy to use and portable Virtual Private Network (VPN) solution.
The system consists of a single server and one or many clients. strongSwan is used to establish a Suite B IPsec tunnel with pre-shared keys between the server and client(s).
The server component is a multi-homed [laptop/server/cloud instance/Raspberry Pi] that runs strongSwan using the NSA Commercial Solutions for Classified (CSfC) guidelines for protecting classified data. It is built upon a minimal and hardened Linux instance per DISA Security Technical Implementation Guides (STIGs).
The client component is a Raspberry Pi that runs strongSwan using the NSA CSfC guidelines for protecting classified data and utilizes its hardware Random Number Generator (RNG). It is built upon a minimal and hardened Linux instance per DISA STIGs.
The client currently supports 3 modes of operation:
- Ethernet (eth0) LAN - Wifi (wlan0) WAN
- Ethernet (eth1) LAN - Ethernet (eth0) WAN
- Wifi LAN (wlan0) - Ethernet (eth0) WAN
Build Components
Step 0: Prerequisites
Decide on values for the following before starting:
Variable | Value |
---|---|
Client ID | e.g. client1.ix.mil |
Client Pre-Shared Key | e.g. "cxvljals@fj09q2jasdf#dsjvk(asdjf" Note: The PSK must be at least 16 characters. The PSK must also be surrounded by double quotes and cannot contain a double quote. |
Step 1: Build Server Side
Note: The server component build instructions are an example that can be used by affiliates that desire a complete solution, but the client component can interoperate with any VPN server that can be configured using the NSA CSfC guidelines.
Select a server side deployment option:
Step 2: Build Client Side
Select a client side deployment option:
Step 3: Client Setup
- Setup:
  - Plug in the Ethernet cable from the goSecure Client to the device (e.g. your laptop).
  - Plug in the USB cable from the goSecure Client to the device (e.g. your laptop).
  - Wait 60 seconds.
  - Open a web browser and navigate to "https://setup.gosecure"
  - Follow the instructions on the web page that appears. The default login username is "admin" and the password is "gosecure". You will be prompted to change them once you log in.
  - You can access your enterprise resources now.
- Normal use:
  - Plug in the Ethernet cable from the goSecure Client to the device (e.g. your laptop).
  - Plug in the USB cable from the goSecure Client to the device (e.g. your laptop).
  - Wait 60 seconds.
  - You can access your enterprise resources now.
Documentation
Client - User Instructions:
- Initial Setup:
  - Plug in the Ethernet cable from the goSecure Client to the device (e.g. your laptop).
  - Plug in the USB cable from the goSecure Client to the device (e.g. your laptop).
  - Wait 60 seconds.
  - Open a web browser and navigate to "https://setup.gosecure"
  - Follow the instructions on the web page that appears. The default login username is "admin" and the password is "gosecure". You will be prompted to change them once you log in.
  - You can access your enterprise resources now.
- Normal use:
  - Plug in the Ethernet cable from the goSecure Client to the device (e.g. your laptop).
  - Plug in the USB cable from the goSecure Client to the device (e.g. your laptop).
  - Wait 60 seconds.
  - You can access your enterprise resources now.
API
goSecure Client REST API examples using curl
Note: Add "--insecure" to the end of the curl command if your computer does not trust the goSecure client's self-signed certificate.
# | Action | curl command |
---|---|---|
1 | Set VPN credentials | curl --user admin:gosecure -H "Content-Type: application/json" -X POST https://192.168.50.1/v1.0/vpn/credentials -d '{"vpn_server":"server1@ix.mil", "user_id":"client1@ix.mil","user_psk":"mysecretpsk"}' |
2 | Reset (clear) VPN credentials | curl --user admin:gosecure -H "Content-Type: application/json" -X DELETE https://192.168.50.1/v1.0/vpn/credentials |
3 | Start VPN service and establish connection | curl --user admin:gosecure -H "Content-Type: application/json" -X POST https://192.168.50.1/v1.0/vpn/actions -d '{"action":"start_vpn"}' |
4 | Stop VPN service and close connection | curl --user admin:gosecure -H "Content-Type: application/json" -X POST https://192.168.50.1/v1.0/vpn/actions -d '{"action":"stop_vpn"}' |
5 | Restart VPN service and establish connection | curl --user admin:gosecure -H "Content-Type: application/json" -X POST https://192.168.50.1/v1.0/vpn/actions -d '{"action":"restart_vpn"}' |
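The following is an added example, not code from the goSecure project: a shell wrapper for row 1 of the table that enforces the Step 0 PSK rules before sending and verifies the client's self-signed certificate from a saved copy instead of using "--insecure". The function names and the certificate path are hypothetical, and it assumes the certificate was saved after being checked out of band and that it names the address used in the URL.

```shell
#!/bin/sh
# Added example, not goSecure project code. The URL, JSON field names and PSK
# rules come from this page; function names and the cert path are hypothetical.
GOSECURE_URL="https://192.168.50.1/v1.0/vpn/credentials"
GOSECURE_CERT="${GOSECURE_CERT:-./gosecure-client.pem}"  # saved client cert (assumed path)

# Step 0 rules: at least 16 characters and no double quote in the PSK.
# Rejecting control characters is an extra restriction added by this example.
psk_is_valid() {
    [ "${#1}" -ge 16 ] || return 1
    case "$1" in *'"'*) return 1 ;; esac
    [ "$(printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]')" = "$1" ]
}

# 32 random alphanumeric characters drawn from /dev/urandom.
psk_generate() {
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-32
}

# Escape backslashes for a JSON string (double quotes are rejected below).
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g'
}

# Build the body for "Set VPN credentials": server id, user id, PSK.
credentials_body() {
    psk_is_valid "$3" || { echo "PSK violates the Step 0 rules" >&2; return 1; }
    case "$1$2" in *'"'*) echo "ids must not contain a double quote" >&2; return 1 ;; esac
    printf '{"vpn_server":"%s","user_id":"%s","user_psk":"%s"}' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")"
}

# POST the body over TLS verified against the saved certificate. The body goes
# in on stdin and curl prompts for the admin password, so neither the PSK nor
# the password appears in curl's argument list.
set_credentials() {
    body=$(credentials_body "$1" "$2" "$3") || return 1
    printf '%s' "$body" | curl --cacert "$GOSECURE_CERT" --user admin \
        -H "Content-Type: application/json" -X POST --data-binary @- "$GOSECURE_URL"
}
```

The sample value "mysecretpsk" in row 1 is shorter than 16 characters, so `credentials_body` rejects it; the Step 0 sample PSK passes.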
FAQ
How do I add more clients to the system?
Refer to the comments in the "/etc/ipsec.conf" configuration file on the goSecure server. Also add a new line to the "/etc/ipsec.secrets" configuration file on the goSecure server that contains the new <unique_id_of_client> and a new unique password.