OpenVPN Community Tunnel

An OpenVPN tunnel is available to the community for communicating securely with hosts across potentially compromised networks when SSL/TLS is not available or not considered secure enough. A typical use case is events and congresses, where you are on public WiFi or, even worse, on a network full of potentially hostile users.

Basic Data

You have to use a valid and non-revoked CAcert client certificate to authenticate.

Example config

# Client side of the community tunnel; routes and DNS are pushed by the gateway
dev tap
client
remote community-vpn.cacert.org 443
resolv-retry infinite
nobind
proto tcp-client
persist-key
persist-tun
# Compression is deprecated in current OpenVPN (see the VORACLE attack); keep it only because the gateway expects it
comp-lzo
# The .p12 file exported from Firefox after generating your client certificate.
# The export must also contain the CAcert chain; otherwise add a "ca" line pointing at the CAcert root certificate.
pkcs12 /etc/openvpn/cacert/client.p12
# Accept only a gateway certificate whose CN is exactly this name (OpenVPN 2.4 and later;
# on 2.3 and older use the since-removed equivalent: tls-remote "/CN=community-vpn.cacert.org")
verify-x509-name community-vpn.cacert.org name

Usage

The tunnel lets you route any traffic out through the gateway: it is encrypted and authenticated in both directions with CAcert certificates, and masqueraded behind the gateway's address. Client-to-client communication over the tunnel is prohibited. Furthermore, the gateway provides a DNS recursor which, unlike the one handed out by the conference network, is probably not being spoofed by Mallory at the booth next door.

Caveats

Obviously, you should make your firewall restrict critical traffic to the tunnel interface, so that it cannot silently fall back to the local network while the tunnel is down. Even more obviously, nobody can take over responsibility for your traffic once it leaves the VPN gateway: the VPN only separates you from the global conference mess, it does not protect you from the rest of the Internet.
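As an added example of the firewall restriction above (this is not part of the wiki page nor of the gateway operator's setup), the following nftables ruleset is a client-side "kill switch": the only cleartext traffic allowed out of the physical uplink is the TCP/443 control connection to the gateway, plus what is needed to join the LAN at all; everything else, DNS included, must leave through the tunnel interface or is dropped. It assumes the uplink is wlan0, the tap device OpenVPN creates is tap0, and 192.0.2.1 is a placeholder for the resolved IPv4 address of community-vpn.cacert.org; adjust all three to your host.

```nft
#!/usr/sbin/nft -f
# Added example, not from the CAcert wiki page: client-side kill switch for the
# community tunnel. Assumptions (change them): uplink wlan0, tunnel tap0, and
# 192.0.2.1 standing in for the resolved address of community-vpn.cacert.org.
define uplink = "wlan0"
define tun    = "tap0"
define vpn_gw = 192.0.2.1

# Replaces whatever ruleset is currently loaded.
flush ruleset

table inet killswitch {
    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept

        # Bootstrap on the hostile LAN: DHCP and IPv6 neighbour discovery only.
        oifname $uplink udp sport 68 udp dport 67 accept
        oifname $uplink icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept

        # The single thing allowed out of the uplink in the clear: the TCP/443
        # control channel to the gateway (proto tcp-client, remote ... 443).
        oifname $uplink ip daddr $vpn_gw tcp dport 443 accept

        # Everything else, including DNS to the gateway's recursor, only via the tunnel.
        oifname $tun accept

        log prefix "killswitch drop: " drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        iifname $uplink udp sport 67 udp dport 68 accept
        iifname $uplink icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # The gateway blocks client-to-client traffic, so nothing unsolicited is
        # expected on the tunnel either; drop it along with anything malformed.
        ct state invalid drop
    }
}
```

Load it with `nft -f killswitch.nft` before starting OpenVPN. Because cleartext DNS on the uplink is blocked, OpenVPN cannot resolve the `remote` name through the conference resolver: resolve it once beforehand and put the address into the `vpn_gw` define (and, if you prefer, into the `remote` line), or temporarily allow UDP/53 on the uplink until the tunnel is up. The ruleset only covers IPv4 for the gateway address; if you reach it over IPv6, add a matching `ip6 daddr` rule.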

Administration

The tunnel and gateway are provided by community member DominikGeorge as a donation to CAcert. CAcert Inc. has neither explicitly approved it nor is it responsible for it.

openVPN/CommunityTunnel (last edited 2022-05-15 12:41:02 by AlesKastner)