' and others, please forgive the wall of text. It is that kind of a question. This is a description of what I did. Others can add to the discussion or ask for more details on particular issues.
* Why I did it. 1) I use my laptop while traveling and use either hotel/motel wireless or coffee shop wireless. 2) I don't trust "smart phones" and didn't get a G4 Internet plan for the few times I'd dare to connect my phone to Internet. I only connect over Wi-Fi hotspots. I wanted a way to tunnel past all the hotspot threats before hitting the 'net.
* Overview: VM running Linux with an OpenVPN server and 'tinyproxy' proxy. Laptop and Android phone run the OpenVPN client.
The VPN/proxy virtual machine (VM): Runs a 64-bit RHEL6 clone with 512MB RAM and one virtual CPU. Any Linux distribution should work. One virtual NIC is bridged to the host physical NIC that routes traffic to the Internet.
I kept the installation to a minimum, but did a custom installation to make sure I had all the services I needed. Mainly looked for programs to support 'libvirt' since I use KVM on the host as the hypervisor. Also wanted development tools so I could compile source code as needed.
I did not install the X Window System or a GUI. I either SSH in directly or connect through a serial console from the host to configure/maintain the VM. The final VM file is about 3.6GB in size. The disk size is not fixed and will grow as needed. But I don't expect it to grow since I didn't install a caching proxy.
One could use VirtualBox instead of KVM to build the VM host and machine. Probably easier. Runs on Windows as well. I didn't because my use is business/personal and did not want to worry about Oracle's license for the extension pack.
Another option is VMware. We've built VMs on that for clients, but there was no need for me to spend money when KVM is around.
I decided to install 'OpenVPN' and 'tinyproxy' on the VM. I chose OpenVPN because there's an OpenVPN client app available for my Android phone. I trust that app more than the native VPN app that comes with Android. Plus, it's more secure than M.S. PPTP. L2TP is a bear to set up under an OpenSwan VPN server and I would have wanted to go that way to use RSA instead of shared secrets.
'tinyproxy' is a straightforward non-caching proxy, all I need.
The VPN server is secured in several ways: SELinux, OSSEC, iptables configured to block out entire continents or countries and to drop malformed packets, etc. The firewall also forwards local traffic to/from the virtual 'tun' network that OpenVPN creates. The proxy runs as 'nobody'. Multiple partitions that are either immutable or mounted as 'noexec,nosuid,nodev'. Swap, /tmp and /var/tmp are set up with 'cryptsetup' and a random key. The proxy only allows connections from the non-routable virtual network established by OpenVPN. So no direct outside access to the proxy.
The client programs use the DNS I assigned on the VPN/proxy, OpenDNS. So, a hacker/cracker at a Wi-Fi hotspot attempting to spoof DNS won't succeed. Also, I did not register the IP to associate it with a URL, so clients don't need DNS to find the VPN, just its IP address. As I mentioned before, sites in the business of tracking are mapped to '127.0.0.1' by the /etc/hosts file on the VPN/proxy. So, they don't see my traffic at all.
My main concern is security over autonomy, but I may add the 'polipo' proxy to the VPN. It can easily chain to 'Tor', i.e., the proxy on the VPN would direct traffic to 'Tor'. 'polipo' would listen on a separate port on the same virtual network OpenVPN creates. So, if I wanted more autonomy, I would simply change the port number in my web browser proxy setting.
'tinyproxy' allows you to enable "anonymous proxying" and to specify which fields to pass in the connection packet header. You can even block the 'User-Agent' to make it harder for sites to characterize you by the OS and browser that you use. But, some sites will brand you a threat and block you. GlockTalk doesn't care. I generally allow it along with 'Host', 'Authorization' and 'Cookie'. Cookies are useful to websites and are less of a concern if they are deleted when the browser closes. All the packet header fields are described here: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
* Authentication: I used a separate VM with no Internet access as a certificate authority (CA) to sign the public and private keys for all parties. I did it all using 'openssl'. But, OpenVPN offers something called "easy-rsa" that's supposed to make this task easier.
The private key for the phone should be password protected. You will be asked for it when you configure the client.
The Android OpenVPN client (and apparently the Windows client) needs a PKCS12 formatted cert/privatekey combination file. A Linux client wants the public certificate and private key in separate files. I used 'openssl', but 'easy-rsa' might do that for you.
You will need four or five files on clients and six on the Linux server:
- server.conf on the server
- client.conf on a Linux client or nearly the same file with name changed to client.ovpn on Android or Windows.
- dh2048.pem Diffie-Hellman signing certificate. (on server only, not clients)
- public certificate of the CA (never the CA private key)
- CA-signed public certificate for the phone (or laptop), CA-signed private key for the phone (or laptop). These two are adjoined as a single file on Android (or Windows).
- OpenVPN's ta.key (OpenVPN's HMAC to strengthen safety of TLS handshaking. Thwarts Wi-Fi spoofing. 'OpenVPN' provides a simple command to create it.)
I placed the five files on a microSD and plugged it into my Android phone. The OpenVPN client setup picked up the files off of 'external_sd'.
* The phone: I installed 'OpenVPN Connect' from https://play.google.com/store/apps/d...penvpn.openvpn and 'Firefox Beta' from https://play.google.com/store/apps/d...fox_beta&hl=en
'OpenVPN Connect' is also available for iOS from https://itunes.apple.com/us/app/open...590379981?mt=8
The native web browser on Android has no way to change how to connect to the Internet. Fortunately, Firefox-beta provides a way. No GUI for that, one must use 'about
* Laptop: Easier. Used the same tar.gz source I compiled on the server to compile/install on my laptop. Used a .conf for clients instead of a server. Web browsers have a GUI dialog for setting up proxies.
In both cases, I went to a site that shows the IP address I'm using to confirm I'm using the proxy. Then from my phone, I entered a nonexistent site name to make sure the 'OpenDNS' page showed up for such sites (proving the phone is using DNS configured on the VPN).
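The step above where the phone's CA-signed certificate and private key are adjoined into one PKCS12 file, written out as an added example (not the poster's own script), with two checks a careless bundling would skip: that the client cert really chains to the CA, and that the key really belongs to that cert. It assumes PEM files named ca.crt, phone.crt and phone.key, the openssl CLI on PATH, and hypothetical function names.

```shell
#!/bin/sh
# Added example: build the client bundle the Android/Windows OpenVPN clients
# expect (client cert + client key + CA certificate, password protected).
# Assumes ca.crt, phone.crt, phone.key in PEM form; function names are ours.
set -eu

# Return 0 only if the client certificate chains to the given CA certificate.
cert_signed_by_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 only if the public key embedded in the cert equals the public
# half of the private key (catches a key/cert mix-up across devices).
key_matches_cert() {
  a=$(openssl x509 -in "$1" -noout -pubkey)
  b=$(openssl pkey -in "$2" -pubout)
  [ "$a" = "$b" ]
}

# build_p12 CA CERT KEY OUT PASSWORD
# The password protects the private key, as the post recommends for the phone.
build_p12() {
  ca=$1 cert=$2 key=$3 out=$4 pw=$5
  cert_signed_by_ca "$ca" "$cert" || { echo "cert not signed by CA" >&2; return 1; }
  key_matches_cert "$cert" "$key" || { echo "key does not match cert" >&2; return 1; }
  # -certfile adds the CA *certificate* only; the CA private key stays on the CA VM.
  openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$ca" \
    -name phone -out "$out" -passout "pass:$pw"
}

# p12_cert_count FILE PASSWORD: certificates inside the bundle; expect 2
# (client cert + CA cert), so a mis-built file is noticed before it ships.
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
```

Copy only the resulting .p12 plus ta.key and the .ovpn to the microSD; the PEM private key itself need not leave the machine that built the bundle.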