OpenVPN Community Tunnel
An OpenVPN tunnel exists for the community to securely communicate with hosts through potentially compromised networks when SSL is not available or not secure enough. An example use case are events and congresses where public WiFi or even worse a network full of potentially evil users is used.
- OpenVPN server: community-vpn.cacert.org
- Port: 443/tcp or 1194/tcp
- LZO Compression: yes
- Device Type: tap
- Subnet: 10.67.65.0/24
- Gateway address: 10.67.65.1
- DNS recursor: 10.67.65.1
You have to use a valid and non-revoked CAcert client certificate to authenticate.
dev tap client remote community-vpn.cacert.org 443 resolv-retry infinite nobind proto tcp-client persist-key persist-tun comp-lzo pkcs12 /etc/openvpn/cacert/client.p12 # This is the file exported from Firefox after generating your client certificate tls-remote "/CN=community-vpn.cacert.org"
The tunnel allows you to route any traffic outside, securely encrypted and authenticated using CAcert certificates and masqueraded. Client-to-client communication is prohibited. Furthermore, the gateway provides a DNS recursor probably not spoofed by Mallory at the booth next door.
Obviously, you should make your firewall restrict critical traffic to the tunnel. Even more obviously, noone can overtake responsibility for your traffic ones it leaves the VPN gateway. The VPN only seperates you from the global conference mess.
The tunnel and gateway are provided by community member DominikGeorge as a donation to CAcert. CAcert Inc. has neither explicitly approved of it nor are they responsible.