September 9, 2014

OwnCloud + OpenVPN + Duo Security

I love the cloud, but with the insane number of data breaches recently I decided to bring my data in-house. I’m not claiming that this setup is any more secure; however, it’s much less of an attractive target. I’m just one guy. From the attacker’s perspective, the return on investment for taking the time to break into my system is significantly lower than for Google, Facebook, or any of the other cloud data behemoths.

My email is still in the cloud. I made the decision that email is too important to me to deal with spam filtering or downtime. I did migrate my hosted email from Google Apps to Zoho Mail, coming in at just under half the cost of Google. They offer free hosting for a single domain, which is fantastic, but I had to upgrade because of using multiple domains. It’s only been ~24 hours, but so far so good. A bit of retraining of the spam filters but not bad at all.

Then there’s the data that’s (more) important to protect. I just wanted an alternative to Dropbox and Google Apps that didn’t suck. OwnCloud + OpenVPN + Duo Security FTW. OwnCloud is a FOSS solution providing similar functionality to Dropbox & Google Apps (minus the mail). Unfortunately, I couldn’t get any 2-Factor authentication “apps” to work after hours of monkeying around and reading blogs. I decided that putting all this data behind OpenVPN is probably a better option than depending on OwnCloud on its own.

OpenVPN surprisingly turned out to be a PITA to get going quite right. In the end I found a great script intended for “road warriors” to get OpenVPN up and running in a few minutes. True to its claim, it was epic!

After getting OpenVPN up and running the way I wanted, I still had to address 2-Factor Authentication. Duo Security is my go-to for this. I find it incredibly easy with their “push” approach to 2FA (done right imho, thanks!).

In the end, I have an in-house version of Dropbox, Google Apps, and secure external access to my home network all protected by a trusted VPN with 2FA.  Perfect!  Here’s how I got here from a vanilla Ubuntu 14.04 build running on a little ZBOX from Amazon.

OwnCloud 7

This is a painless install. Just run the installation package and you’re all set.  Please note that SSL is not installed or available by default. I recommend installing and enabling it with the instructions below.

Installation:

 wget http://download.opensuse.org/repositories/isv:ownCloud:community/xUbuntu_14.04/Release.key
 sudo apt-key add - < Release.key
 sudo sh -c "echo 'deb http://download.opensuse.org/repositories/isv:/ownCloud:/community/xUbuntu_14.04/ /' >> /etc/apt/sources.list.d/owncloud.list"
 sudo apt-get update
 sudo apt-get install owncloud

Source: http://software.opensuse.org/download/package?project=isv:ownCloud:community&package=owncloud

Enable HTTPS:

 sudo apt-get install openssl
 sudo a2enmod ssl
 sudo a2enmod rewrite
 sudo mkdir -p /etc/apache2/ssl
 sudo openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/owncloud.pem -keyout /etc/apache2/ssl/owncloud.key
 sudo vi /etc/apache2/apache2.conf

### Paste the line below at the end of apache2.conf ###

IncludeOptional conf.d/*.conf

Then restart Apache and edit the OwnCloud configuration manually:

sudo /etc/init.d/apache2 restart
sudo vi /etc/apache2/conf.d/owncloud.conf

Remember to swap out the “XXX.XXX” for your server’s IP address (I chose IP over name-based virtual hosts because I just use IPs on my internal network. I don’t run a DNS server internally).

Alias /owncloud /var/www/owncloud
<Directory /var/www/owncloud/>
AllowOverride All
</Directory>

<VirtualHost 192.168.xxx.xxx:80>
#### Redirect to port 443 ###
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
#### End of Redirection configuration ###
DocumentRoot /var/www/owncloud/
<Directory /var/www/owncloud>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require all granted
</Directory>
</VirtualHost>

<VirtualHost 192.168.xxx.xxx:443>
#### Configuration for SSL #####
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/owncloud.pem
SSLCertificateKeyFile /etc/apache2/ssl/owncloud.key
#### End of SSL Configuration ####
DocumentRoot /var/www/owncloud/
<Directory /var/www/owncloud>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require all granted
</Directory>
</VirtualHost>

Restart Apache and Test

sudo /etc/init.d/apache2 restart

 

Test out the install by going to http://192.168.XXX.XXX/

Source: http://sharadchhetri.com/2014/03/09/setup-owncloud-6-self-signed-ssl-certificate-ubuntu-13-10/

OpenVPN

Another painless install thanks to this awesome script. The only modification we’ll need to make is to accommodate the addition of Duo Security for 2FA. Just make sure you have the selected port/protocol open on your firewall.

wget https://git.io/vpn -O openvpn-install.sh && chmod +x openvpn-install.sh && ./openvpn-install.sh

You can create additional client certificates by re-running the installation script.  Keep it around.

Pro Tip:  When prompted for your “Client Name” use the same name that you have in Duo (ie: brian).

Source: https://github.com/Nyr/openvpn-install

Duo Security

Here’s where our 2FA comes into play. I use Duo for all sorts of things so I didn’t need to make an account, but if you do, it should follow a similar process. You just need to get 3 things once you’re set up at Duo to make 2FA run: integration key, secret key, and API hostname.

The instructions for the OpenVPN integration are again quick and painless. I discovered that I needed to put something into the username field and just used the character “1” without issue, then used “push” in accordance with the Duo instructions for pushing 2FA to the app on my phone. You could just as easily use text or voice (phone, sms) as the password if that’s what you prefer.

sudo apt-get install build-essential checkinstall make
wget https://github.com/duosecurity/duo_openvpn/tarball/master
tar zxf master
cd duosecurity-duo_openvpn-4d3727c/
make && sudo make install
sudo service openvpn restart

NOTE:  Duo requires tcp/443 outbound to be available from the OwnCloud server.  Do not enable inbound – your OwnCloud will then be internet accessible without 2FA.

Source: https://www.duosecurity.com/docs/openvpn

Post Installation

OpenVPN Client Template

Edit the OpenVPN client template file to include the Duo Security 2FA requirements, so that configs generated for future users (or to replace your own lost certificates) work without painful troubleshooting long down the road 🙂

Add this text to the bottom of  /usr/share/doc/openvpn/examples/sample-config-files/client.conf

# Duo Security Requirements
auth-user-pass
reneg-sec 3600  #will require reauthentication after 1hr, set to whatever you deem appropriate for your environment.
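An added example (not from the original post or from Duo's code) that audits the two places this setup depends on for 2FA: the server-side `plugin` line, where Duo's OpenVPN instructions put the integration key, secret key and API hostname, and the client-side `auth-user-pass` / `reneg-sec` lines above. The function names, the `/opt/duo/duo_openvpn.so` install path and the sample configs with placeholder values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit OpenVPN configs for the Duo 2FA settings in this guide.

# Succeeds if FILE ($2) contains directive NAME ($1) outside of comments.
has_directive() {
    sed 's/[#;].*//' "$2" | awk -v d="$1" '$1 == d { f = 1 } END { exit !f }'
}

# Server: the duo_openvpn.so plugin line must exist, carry IKEY SKEY HOST,
# and sit in a file other local users cannot read (it holds the secret key).
audit_server() {
    fails=0
    nargs=$(sed 's/[#;].*//' "$1" |
        awk '$1 == "plugin" && $2 ~ /duo_openvpn\.so$/ { print NF - 2; exit }')
    if [ -z "$nargs" ]; then
        echo "FAIL: no duo_openvpn.so plugin line, logins are certificate-only"
        return 1
    fi
    if [ "$nargs" -ne 3 ]; then
        echo "FAIL: plugin line needs IKEY SKEY HOST, found $nargs argument(s)"
        fails=$((fails + 1))
    fi
    if [ -n "$(find "$1" -perm -004)" ]; then
        echo "FAIL: $1 is world-readable and holds the Duo secret key"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Client: auth-user-pass is what prompts for the Duo factor ("push", etc.).
audit_client() {
    if ! has_directive auth-user-pass "$1"; then
        echo "FAIL: auth-user-pass missing, client cannot send the Duo factor"
        return 1
    fi
    has_directive reneg-sec "$1" ||
        echo "WARN: reneg-sec unset, OpenVPN's 3600s default applies"
}

# Constructed sample configs with placeholder Duo values (not real keys).
demo=$(mktemp -d)
printf '%s\n' 'port 1194' \
    'plugin /opt/duo/duo_openvpn.so IKEY_PLACEHOLDER SKEY_PLACEHOLDER api-XXXXXXXX.duosecurity.com' \
    > "$demo/server.conf"
chmod 600 "$demo/server.conf"
printf '%s\n' 'client' '# Duo Security Requirements' 'auth-user-pass' \
    'reneg-sec 3600  #reauthenticate after 1hr' > "$demo/client.conf"
audit_server "$demo/server.conf" && audit_client "$demo/client.conf" &&
    echo "PASS: Duo settings present"
```

Point `audit_server` at your real server config and `audit_client` at each generated client config; a non-zero exit status means at least one FAIL line was printed.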

Enable Server-Side Encryption

OwnCloud comes with server-side encryption out of the box. You just need to turn it on via the +Apps in the upper-left corner. Once enabled, log out and back in again to initiate encryption of all your data.

If you find any inaccuracies or come across any issues, feel free to reach out.
