goSecure Documentation Current version 0.9.9

goSecure is an easy-to-use and portable Virtual Private Network (VPN) solution.

The system consists of a single server and one or many clients. strongSwan is used to establish a Suite B IPsec tunnel, authenticated with pre-shared keys, between the server and the client(s). The core cryptographic implementation has been verified with NSA's Cryptol tool.


The server component is a multi-homed [laptop/server/cloud instance/Raspberry Pi] that runs strongSwan using the NSA Commercial Solutions for Classified (CSfC) guidelines for protecting classified data. It is built upon a minimal and hardened Linux instance per DISA Security Technical Implementation Guides (STIGs).


The client component is a Raspberry Pi that runs strongSwan using the NSA CSfC guidelines for protecting classified data, and it uses the Pi's hardware random number generator (RNG). It is built upon a minimal and hardened Linux instance per DISA STIGs.

The client currently supports 3 modes of operation:

  1. Ethernet (eth0) LAN - Wi-Fi (wlan0) WAN
  2. Ethernet (eth1) LAN - Ethernet (eth0) WAN
  3. Wi-Fi (wlan0) LAN - Ethernet (eth0) WAN



Step 0: Prerequisites

Decide on values for the following before starting:

  Variable                Value
  Client ID               e.g. client1.ix.mil
  Client Pre-Shared Key   e.g. "cxvljals@fj09q2jasdf#dsjvk(asdjf"

Note: The PSK must be at least 16 characters. The PSK must also be surrounded by double quotes and cannot contain a double quote within. The same PSK is entered on the server (in "/etc/ipsec.secrets") and on the client (via the setup page or the REST API), so keep it in a secure place until both sides are configured.

Step 1: Build Server Side

Note: The server component build instructions are an example that can be used by affiliates that desire a complete solution, but the client component can interoperate with any VPN server that can be configured using the NSA CSfC guidelines.


Select a server side deployment option:


Step 2: Build Client Side

Select a client side deployment option:


Step 3: Client Setup

    Setup:
    1. Plug the Ethernet cable from the goSecure Client into the device (e.g. your laptop).
    2. Plug the USB cable from the goSecure Client into the device (e.g. your laptop).
    3. Wait 60 seconds.
    4. Open a web browser and navigate to "https://setup.gosecure".
    5. Follow the instructions on the web page that appears. The default login username is "admin" and the password is "gosecure". You will be prompted to change them once you log in; do so before the client is put into use, since the same credentials also grant access to the REST API.
    6. You can access your enterprise resources now.

    Normal use:
    1. Plug the Ethernet cable from the goSecure Client into the device (e.g. your laptop).
    2. Plug the USB cable from the goSecure Client into the device (e.g. your laptop).
    3. Wait 60 seconds.
    4. You can access your enterprise resources now.


Network:

Network flow diagram:



API

goSecure Client REST API examples using curl


Note: Add "--insecure" to the end of the curl command if your computer does not trust the goSecure client's self-signed certificate. This disables certificate verification entirely, so the admin credentials and the PSK in the request could be read by anything able to intercept the connection; importing the client's certificate into your trust store avoids that. Replace "admin:gosecure" with the credentials you set at first login, and "mysecretpsk" with a real PSK that meets the Step 0 rules (at least 16 characters, no double quote).

  1. Set VPN credentials:
     curl --user admin:gosecure -H "Content-Type: application/json" -X POST https://192.168.50.1/v1.0/vpn/credentials -d '{"vpn_server":"server1@ix.mil", "user_id":"client1@ix.mil","user_psk":"mysecretpsk"}'

  2. Reset (clear) VPN credentials:
     curl --user admin:gosecure -H "Content-Type: application/json" -X DELETE https://192.168.50.1/v1.0/vpn/credentials

  3. Start VPN service and establish connection:
     curl --user admin:gosecure -H "Content-Type: application/json" -X POST https://192.168.50.1/v1.0/vpn/actions -d '{"action":"start_vpn"}'

  4. Stop VPN service and close connection:
     curl --user admin:gosecure -H "Content-Type: application/json" -X POST https://192.168.50.1/v1.0/vpn/actions -d '{"action":"stop_vpn"}'

  5. Restart VPN service and establish connection:
     curl --user admin:gosecure -H "Content-Type: application/json" -X POST https://192.168.50.1/v1.0/vpn/actions -d '{"action":"restart_vpn"}'

How do I add more clients to the system?

Refer to the comments in the "/etc/ipsec.conf" configuration file on the goSecure server. Also add a new line to the "/etc/ipsec.secrets" configuration file on the goSecure server that contains the new <unique_id_of_client> and a new, unique PSK (the Step 0 rules apply: at least 16 characters, surrounded by double quotes, no double quote inside). Every client must get its own PSK; reusing one lets any client impersonate another. After editing, run "ipsec rereadsecrets" on the server so the running strongSwan daemon picks up the new entry.
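The following Python script is an added example and is not goSecure project code. It brings together the Step 0 PSK rules, the "/etc/ipsec.secrets" entry used when adding a client, and the five REST calls from the API table, using only Python's standard library in place of curl. The device address https://192.168.50.1, the "admin:gosecure" login, the IDs server1@ix.mil and client2.ix.mil/client2@ix.mil, and the PEM file name gosecure-client.pem are assumptions modelled on the page's own examples; the page does not document the API's response format, so the client returns the raw response body. The secrets line uses strongSwan's standard '<id> : PSK "secret"' form; which ID form to use is governed by the comments in the server's ipsec.conf.

```python
"""Added example (not goSecure project code): PSK generation/validation for
Step 0, the ipsec.secrets entry for a new client, and the goSecure client
REST API calls from Python's standard library instead of curl."""
import base64
import json
import secrets
import ssl
import string
import urllib.request

PSK_MIN_LEN = 16
# Printable ASCII minus the double quote (forbidden in a PSK) and the
# characters that are awkward to quote in ipsec.secrets, JSON and a
# single-quoted shell argument (backslash, single quote).
PSK_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in "\"\\'"
)


def psk_problems(psk: str) -> list:
    """Return the Step 0 rules that psk violates (empty list if it is valid)."""
    problems = []
    if len(psk) < PSK_MIN_LEN:
        problems.append(f"PSK must be at least {PSK_MIN_LEN} characters")
    if '"' in psk:
        problems.append("PSK must not contain a double quote")
    return problems


def generate_psk(length: int = 32) -> str:
    """Draw a PSK from the OS CSPRNG that satisfies the Step 0 rules."""
    if length < PSK_MIN_LEN:
        raise ValueError(f"length must be >= {PSK_MIN_LEN}")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def ipsec_secrets_line(client_id: str, psk: str) -> str:
    """Render the strongSwan ipsec.secrets entry for one client:
    <unique_id_of_client> : PSK "<psk>"
    The ID form is dictated by the server's ipsec.conf (assumed: client2.ix.mil)."""
    if not client_id or any(ch.isspace() for ch in client_id):
        raise ValueError("client id must be one non-empty token")
    problems = psk_problems(psk)
    if problems:
        raise ValueError("; ".join(problems))
    return f'{client_id} : PSK "{psk}"'


def credentials_payload(vpn_server: str, user_id: str, user_psk: str) -> dict:
    """Body for POST /v1.0/vpn/credentials, validated before it is sent."""
    problems = psk_problems(user_psk)
    if problems:
        raise ValueError("; ".join(problems))
    return {"vpn_server": vpn_server, "user_id": user_id, "user_psk": user_psk}


class GoSecureClient:
    """Thin wrapper over the goSecure client REST API (v1.0), authenticating
    with HTTP basic auth exactly as the curl examples do."""

    ACTIONS = ("start_vpn", "stop_vpn", "restart_vpn")

    def __init__(self, base_url: str, username: str, password: str,
                 cafile: str = None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self._auth = "Basic " + token
        # Pin the client's self-signed certificate (PEM exported from the
        # device; path assumed) instead of disabling verification, which is
        # what curl --insecure does. cafile=None falls back to the system store.
        self._ctx = ssl.create_default_context(cafile=cafile)

    def _request(self, method: str, path: str, body: dict = None) -> str:
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Authorization", self._auth)
        req.add_header("Content-Type", "application/json")
        # The page does not document the response format: return the body as text.
        with urllib.request.urlopen(req, context=self._ctx, timeout=15) as resp:
            return resp.read().decode(errors="replace")

    def set_credentials(self, vpn_server, user_id, user_psk):  # API row 1
        return self._request("POST", "/v1.0/vpn/credentials",
                             credentials_payload(vpn_server, user_id, user_psk))

    def clear_credentials(self):  # API row 2
        return self._request("DELETE", "/v1.0/vpn/credentials")

    def vpn_action(self, action: str):  # API rows 3-5
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        return self._request("POST", "/v1.0/vpn/actions", {"action": action})


if __name__ == "__main__":
    psk = generate_psk()
    # Server side: append this line to /etc/ipsec.secrets, then "ipsec rereadsecrets".
    print(ipsec_secrets_line("client2.ix.mil", psk))
    # Client side: 192.168.50.1 is the address used in the page's curl examples;
    # the login is the one chosen at first setup (defaults assumed here).
    dev = GoSecureClient("https://192.168.50.1", "admin", "gosecure",
                         cafile="gosecure-client.pem")
    dev.set_credentials("server1@ix.mil", "client2@ix.mil", psk)
    print(dev.vpn_action("start_vpn"))
```

Running the script prints the secrets line for the server and then pushes the same PSK to the client and starts the tunnel, so the two sides cannot drift apart. Validation is done before anything leaves the machine, because a PSK that breaks the Step 0 rules would otherwise only surface as an IKE authentication failure.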

This work was prepared by a U.S. Government employee and, therefore, is excluded from copyright by Section 105 of the Copyright Act of 1976. Copyright and Related Rights in the Work worldwide are waived through the CC0 1.0 Universal license.

Disclaimer of Warranty


This Work is provided "as is." Any express or implied warranties, including but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the United States Government be liable for any direct, indirect, incidental, special, exemplary or consequential damages (including, but not limited to, procurement of substitute goods or services, loss of use, data or profits, or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this Guidance, even if advised of the possibility of such damage.

The User of this Work agrees to hold harmless and indemnify the United States Government, its agents and employees from every claim or liability (whether in tort or in contract), including attorneys' fees, court costs, and expenses, arising in direct consequence of Recipient's use of the item, including, but not limited to, claims or liabilities made for injury to or death of personnel of User or third parties, damage to or destruction of property of User or third parties, and infringement or other violations of intellectual property or technical data rights.

Nothing in this Work is intended to constitute an endorsement, explicit or implied, by the U.S. Government of any particular manufacturer's product or service.

Disclaimer of Endorsement


Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, in this Work does not constitute an endorsement, recommendation, or favoring by the United States Government and shall not be used for advertising or product endorsement purposes.