First and foremost, this post is not a guide to shielding your online identity so that you can engage in illegal activity.
The dictionary definition of privacy is:
the state or condition of being free from being observed or disturbed by other people. E.g. "she returned to the privacy of her own home."
When people think about privacy, they think of things such as:
- Closing the blinds in their home at night
- The right to enjoy time alone without intrusion
- Whispering when talking about something sensitive
The examples above relate only to your personal space. We live in a digital age, where we increasingly share our lives on the internet. If you protect your personal space with measures like these, why wouldn't you manage your online presence with the same effort? No one knows you better than you and your smartphone. In some cases, it's easier for someone to intrude on your privacy online than it is physically.
As a software engineer, I like to think that I have a firm grasp of the reach the internet has into my privacy. To protect against that, I put specific practices in place to safeguard and maintain my privacy. The problem is, not everyone is tech-savvy enough to put the same measures in place with ease.
There are many services where anyone can sign up and download an application that masks their internet traffic. The problem is that some of those services don't have the best track records, and their implementation is often private (go figure). The technology I'm referring to is a VPN, or Virtual Private Network. In short, a VPN creates a tunnel from your device to a server on the internet. When configured correctly, nobody between you and the server can see your internet traffic.
A VPN is useful when you want to protect yourself from:
- Public WiFi hotspots
- Internet Service Providers
A VPN doesn't (and shouldn't):
- Safeguard you when engaging in illegal activity
- Natively block access to trackers or analytics services
Now that you know what this post is centered around (VPNs), let's see how easy it is to set one up. The most popular VPN software is OpenVPN. It's open-source, which allows the code to be tested and verified to work correctly.
The easiest and most straightforward way to set up your own OpenVPN server on AWS is by launching a preconfigured solution from the AWS Marketplace. Preconfigured solutions are also available for Azure, DigitalOcean, and Google Cloud and, while easy to set up, they fall short on default security settings and customizability. A lot of magic happens to spin these solutions up, and when it comes to security, that is rarely a best practice.
The most difficult and least straightforward way to set up your own OpenVPN server on AWS is by provisioning a fresh flavor of Linux on an EC2 instance of your choice. We haven't even begun the OpenVPN installation process, and we already have to think about things such as OS and hardware requirements. Once you settle on a desired EC2 configuration, you can install OpenVPN using the usual Linux packages. In the case of Ubuntu, something as simple as apt -y install openvpn would work. The OpenVPN Community provides full step-by-step instructions.
Once you've completed either way of getting OpenVPN up and running, you can enjoy many of the benefits that a VPN provides, such as the ones listed earlier. There's one issue: while you're more protected on public WiFi networks and ISPs can't see your traffic anymore, trackers and analytics services are still using your new VPN IP address to target you. Wouldn't it be great if there were an open-source solution for this too? Luckily for you, there is, and it's called Pi-hole.
Pi-hole describes itself as a black hole for advertisements and trackers. Its goal is to act as your primary DNS server and filter every query, letting only the good ones through to real DNS servers. The bad queries are DNS lookups for advertising or tracking services such as Google or Facebook. Pi-hole was initially developed to run on a Raspberry Pi, since that lets you attach it to your local network and have your modem route all DNS traffic through it. Then your Kindle, Apple Watch, FireTV, and even your WiFi-connected coffee maker pass through Pi-hole without ever knowing it. Once a DNS request for an advertiser such as Google comes into Pi-hole, Pi-hole recognizes it based on its whitelists or blacklists and either allows it through to the upstream DNS servers or blocks it. If Pi-hole blocks it, the requesting device thinks Google is offline and doesn't track you or show you the advertisement.
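The decision described above, as an added example that models Pi-hole's behaviour rather than using Pi-hole's own code: exact-match blocklist ("gravity") entries, regex entries, a whitelist that wins over both, and a 0.0.0.0 answer for blocked names (Pi-hole's default reply) so the client believes the host is unreachable. The domains, the upstream resolver and the client address are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Simplified model of Pi-hole's per-query decision (added example, not
# Pi-hole's own code). Blocklist ("gravity") entries match the queried
# name exactly, regex entries match a pattern, and the whitelist wins over
# both. A blocked name is answered with 0.0.0.0; anything else goes to the
# upstream resolver, exactly as the post describes.
@dataclass
class PiHoleModel:
    upstream: str
    gravity: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)
    regex_block: list = field(default_factory=list)
    query_log: list = field(default_factory=list)

    def resolve(self, client: str, name: str) -> str:
        """Return the answer `client` would get for `name`."""
        name = name.lower().rstrip(".")          # DNS names are case-insensitive
        if name in self.whitelist:
            verdict = "forwarded"
        elif name in self.gravity or any(re.search(p, name) for p in self.regex_block):
            verdict = "blocked"
        else:
            verdict = "forwarded"
        self.query_log.append((client, name, verdict))
        return "0.0.0.0" if verdict == "blocked" else f"upstream:{self.upstream}"

    def stats(self) -> dict:
        """Per-client blocked/forwarded counts, like the Pi-hole dashboard."""
        out = {}
        for client, _, verdict in self.query_log:
            out.setdefault(client, {"blocked": 0, "forwarded": 0})[verdict] += 1
        return out

# Constructed lists and queries; the domains are placeholders, not real trackers.
pihole = PiHoleModel(
    upstream="1.1.1.1",
    gravity={"ads.example.com", "cdn.example.com"},
    whitelist={"cdn.example.com"},                  # whitelist overrides gravity
    regex_block=[r"(^|\.)tracker\.example\.net$"],  # also catches subdomains
)
for q in ("ads.example.com", "www.example.com", "api.tracker.example.net", "cdn.example.com"):
    print(q, "->", pihole.resolve("10.8.0.6", q))
```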
I know what you're thinking: this is so cool, but can I use OpenVPN to secure my traffic and Pi-hole to filter it? You're in luck again. Although the two projects are entirely separate, they can be used in tandem. You can spin up another EC2 instance alongside OpenVPN and install Pi-hole on it. Once that's done, update your OpenVPN config to tell all of its clients to use the new Pi-hole server as their default DNS server. It just so happens that Pi-hole has some documentation on how to go about this. Though the documentation is a great start, it leaves some questions unanswered and assumes your configuration matches theirs.
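A check for the config change described above, as an added example that is not SkyHole's or Pi-hole's code: it parses the push directives of an OpenVPN server.conf and reports anything that would let client DNS queries bypass Pi-hole. The config fragment is constructed; 10.0.1.10 is an assumed private address for the Pi-hole instance and 192.0.2.53 is a placeholder for a stray public resolver.

```python
import shlex

# Constructed OpenVPN server.conf fragment (added example, not SkyHole's
# config). PIHOLE_IP is an assumed private address of the Pi-hole instance;
# 192.0.2.53 stands in for a leftover public resolver that should not be there.
PIHOLE_IP = "10.0.1.10"
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
# send all client traffic through the tunnel
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.0.1.10"
push "dhcp-option DNS 192.0.2.53"
"""

def pushed_options(conf: str) -> list:
    """Tokenise the payload of every `push "..."` directive, skipping comments."""
    pushes = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # OpenVPN comment markers
            continue
        parts = shlex.split(line)              # honours the quoted push payload
        if parts and parts[0] == "push" and len(parts) == 2:
            pushes.append(parts[1].split())
    return pushes

def dns_findings(conf: str, pihole_ip: str) -> list:
    """Report anything that would let client DNS queries bypass Pi-hole."""
    pushes = pushed_options(conf)
    dns = [p[2] for p in pushes if len(p) == 3 and p[0] == "dhcp-option" and p[1] == "DNS"]
    findings = []
    if pihole_ip not in dns:
        findings.append(f"Pi-hole {pihole_ip} is not pushed as a DNS server")
    for ip in dns:
        if ip != pihole_ip:
            findings.append(f"extra DNS server {ip} pushed: queries can bypass Pi-hole")
    if not any(p and p[0] == "redirect-gateway" for p in pushes):
        findings.append("no redirect-gateway push: client traffic is not forced through the tunnel")
    return findings

if __name__ == "__main__":
    for line in dns_findings(SERVER_CONF, PIHOLE_IP) or ["ok: clients resolve only through Pi-hole"]:
        print(line)
```

On Windows clients, OpenVPN's block-outside-dns push option additionally stops the OS from querying resolvers outside the tunnel; this check does not cover it.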
If only there were an open-source configuration that sets up OpenVPN and Pi-hole on AWS. It would be even better if it also set up the networking components required for OpenVPN and Pi-hole to work together seamlessly. Well, you're in luck. I felt that security and privacy online should be easy to obtain, yet there are so many guides and methods for achieving them that most people get lost and either make mistakes or give up in frustration.
SkyHole is an open-source Terraform configuration that installs and configures OpenVPN, Pi-hole, and all networking components, and leaves you with a client.ovpn file. This file can be imported into any compatible OpenVPN client and used to connect to the VPN instantly. The configuration also contains the required setup for OpenVPN to use Pi-hole.
SkyHole is very opinionated. It's in the early stages of development and has a long way to go, but it works, and it works pretty well. Most of the default OpenVPN settings are replaced with hardened choices. I would greatly appreciate any contributions to the project: suggesting or adding new features; writing, clarifying, or fixing documentation; and reporting or fixing bugs. The best part of open source is that anyone can learn from everyone. I hope this project serves as an excellent resource for anyone wanting to take their security and privacy into their own hands.
Lastly, you might think this sounds expensive, but SkyHole uses two of the smallest EC2 instances, which comes out to about $8 a month. That's roughly what other third-party VPN services cost, but now you are in full control of the entire VPN implementation.
Stay tuned for other posts involving device security and simple things you can do to shield yourself in this digital age.