LEAP Encryption Access Project

Provider installation workshop

LEAP Provider installation workshop

If you want to use Vagrant during this session
please start right away with downloading the
“LEAP/jessie” vagrantbox:

vagrant box add LEAP/jessie

Introduction to LEAP

Goals

“Provider in a box”
Make encryption as easy to use as possible
Strict client encryption

Increase User experience

Protect the provider

https://mayfirst.org/en/2012/fbi-returns-server/

What we have

Bitmask client: A client that works smoothly with any LEAP provider.
LEAP Platform: A toolkit to make it easy for you to run a federated service provider.
New protocols: So that users don’t need to trust the provider.

Current Services: VPN

Route all your internet traffic through an encrypted channel.
Prevent eavesdropping (thiefs in the public network, police, …).
Circunvent censorship, surveillancec and geoblocking
Prevent leaks (DNS, IPv6, …).

Current Services: email

Transparent end-to-end encryption using OpenPGP.
Automatic key discovery and validation.
Service provider has no access to user data.
Strong protection for metadata, whenever possible.
Cloud synchronized for high availability on multiple devices.

Bitmask client

Currently available for Android (VPN) and Linux (VPN + Email)
Windows and MacOS coming soon (with your help even faster!)
Formerly Python 2, Twisted and QT
Rewritten with Python 2, Twisted and Javascript (React)

Bitmask client

VPN

Bitmask client

VPN

Bitmask client

VPN

Bitmask client

VPN

--- ~ » curl -s ipinfo.io
{
  "ip": "198.252.153.83",
  "hostname": "No Hostname",
  "city": "Seattle",
  "region": "Washington",
  "country": "US",
  "loc": "47.6062,-122.3321",
  "org": "AS16652 Riseup Networks",
  "postal": "98194"
}

Bitmask for Android

VPN

Key management

Automated keylookup and validation.

Keys, Keys, Keys

--- » gpg --search-keys snowden
gpg: data source: https://ntzwrk.org:443
(1)	Snowden
	  4096 bit RSA key 0xE941A4612E67D76A, created: 2017-03-24
(2)	This Is Snowden
	  4096 bit RSA key 0xBB44DF1AFC479844, created: 2017-03-20
(3)	Edward Snowden <trump2020buildawall@gmail.com>
	  4096 bit RSA key 0xA15DD46C59051BDB, created: 2017-03-12, expires: 2022-03-11
(4)	Edward Snowden <trump2020buildawall@gmail.com>
	  4096 bit RSA key 0xE64ECB1548116AEB, created: 2017-03-10, expires: 2022-03-09
(5)	Snowden <sfogert@gmail.com>
	  3072 bit RSA key 0xE643E968226937A1, created: 2017-03-10
(6)	Edward Snowden <joshing@protonmail.com>
	  4096 bit RSA key 0x2C3C1EFA83946932, created: 2017-01-20, expires: 2021-01-20
(7)	Edward Snowden (Very secret) <ed_snowden2016@outlook.com>
	  2048 bit RSA key 0xDC245D84A0F97A17, created: 2016-12-14
(8)	Edward Snowden
	  4096 bit RSA key 0xFAD43291D0951541, created: 2016-12-10
(9)	Edward Joseph Snowden <snowden@edwardsnowden>
	  4096 bit RSA key 0x34BD314D37015D55, created: 2016-11-02, expires: 2020-11-02
(10)	snowden <snowdenet@163.com>
	  3072 bit RSA key 0xFD764233079ACE40, created: 2016-10-11
(11)	Edvard Snowden <lordkott1987@gmail.com>
	  2048 bit RSA key 0xF5BE6495E2210CE1, created: 2016-10-07
Keys 1-11 of 146 for "snowden".  Enter number(s), N)ext, or Q)uit >

LEAP Platform

Configuration Management using puppet
Installs and configures the servers
leap_cli is the tool to deploy to the servers

LEAP Platform Example: Setup single node email provider

sudo gem install leap_cli
leap new example --domain workshop.bitmask.net
cd example
leap add-user --self
leap cert ca
leap cert csr
leap node add workshop \
  services:couchdb,webapp,soledad,mx ip_address:1.1.1.3
leap init node
leap deploy

LEAP Platform: Install and configure the server(s)

Email: Postfix, spamassassin, clamav
Database: couchdb, stunnel
Webserver: apache
Encrypting remailer: leap-mx
Synchronisation: soledad
Account management, issue tracking: leap-webapp
Firewall: shorewall
Monitoring: nagios, check_mk
…

System requirements

A remote sever/VM installed with fresh Debian jessie (!) OS
Physical or paravirtualized Server (KVM, Xen, OpenStack, Amazon, but not VirtualBox or OpenVZ)
Depending on the service 1-4 GB RAM, >3 GB disk space
Able to login as root with ssh key
Second public IPv4 (for VPN only)

Ruby

Debian / Ubuntu

$ apt install rubygems

Mac OS

$ brew install ruby

Create provider config

$ leap new --domain workshop.bitmask.net ./workshop
  Create directory /home/dev/workshop ? y
  = created /home/dev/workshop/

  The name of the provider: |Example| Workshop demo
  File path of the leap_platform directory: |/home/dev/leap_platform| 
  Default email address contacts: |root@workshop.bitmask.net| 

  The platform directory "/home/varac/dev/projects/leap/leap_platform" does not exist.
  Do you want me to create it by cloning from the
  git repository https://leap.se/git/leap_platform.git? y
  …

leap_platform master branch build status

Leap Platform Build Status:

see https://0xacab.org/leap/platform/

Optional: Use latest release tag for stable version

If the build status of current leap_platform:master failed we need to checkout the last stable version of the leap_platform:

git clone -b version/0.10.0 https://leap.se/git/leap_platform \
  ../leap_platform

SSL certificates

Create a SSL certificate authority and a certificate signining request:

$ leap cert ca
$ leap cert csr

Single node VPN provider

Tutorial: https://leap.se/en/docs/platform/tutorials/single-node-vpn

$ export OPTS=(services:webapp,couchdb,openvpn openvpn.gateway_address:37.218.245.4)

Single node email provider

Tutorial: https://leap.se/en/docs/platform/tutorials/single-node-email

$ export OPTS=(services:webapp,couchdb,soledad,mx)

Add an existing remote server

$ leap node add blackbox ip_address:37.218.245.94 $OPTS

Option B: Create a new server in the cloud

Currently works only with AWS ec2
cloud.json needed for AWS config and credentials
https://leap.se/en/docs/platform/guide/virtual-machines for details

$ leap vm add blackbox services:webapp,couchdb,soledad,mx
$ leap vm status

Time to deploy !

$ leap list

$ leap node init blackbox

$ leap deploy blackbox

unbuffer leap node init blackbox | ts
unbuffer leap deploy blackbox | ts

Email deploy: ~10 min on AWS, 15 min on Greenhost
VPN deploy: ~8 min on AWS, 13 min on Greenhost
We’ll setup DNS meanwhile

DNS

leap compile zone

Use the listed entries in our DNS provider.

These are for workshop.bitmask.net (in this workshop’s case):

@                     IN A      37.218.245.94
blackbox              IN A      37.218.245.94
api                   IN A      37.218.245.94
nicknym               IN A      37.218.245.94
@                     IN MX 10  blackbox
@                     IN TXT    "v=spf1 MX ip4:37.218.245.94 -all"
234072283e._domainkey IN TXT    "v=DKIM1;h=sha256;k=rsa;s=email;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApdCDTAuRJJa0yx8T3Z7d" "f2NLE0oOvKysLqHqtvJk92Zf8RHYO6/RzpvJ5s51fPfOfyLnAjEzGs3gBL5GkWNV" "hLyMB9TzYnuQ9lmnz3ep3Hyh8U9yPVmNu1YZDrMYGaeoHE6FZXkmvrtBUOv3XAZw" "4BNQwdcHCa/Z9iWgMDtBx0h+56DRDTOrJvr7M/7qGxknBo0FnnQ/Qhw9GQjkTg0h" "UmFZjuvx3BmgN/9lCMkrjxC7qfADvGYMIYer3iPt0wI7cqAvgWN0a+7iqm2PU+aB" "wLPWOSmWsl3e6wzHW4jFS7EchilGXjHiGQ5WC9anRC6WWr3SomL/cxKZNCjTCfBy" "dwIDAQAB"

DNS

Option A: Fake DNS for new provider

We are using a domain here without proper DNS, so we need to override our DNS resolution.

Open another terminal and:
```
cd ~/workshop
leap compile hosts
```

You need to edit your hosts file with admin privileges and add the output of above command to it.

Linux: sudo editor /etc/hosts
MacOS: sudo nano /etc/hosts

see Quick start tutorial/Setup DNS for details.

Let’s encrypt certificates

For proper, free-of-cost TLS certificates issued
by https://letsencrypt.org/:

$ leap cert register
$ leap cert renew workshop.bitmask.net
$ leap deploy --tags x509 --fast

Check https://workshop.bitmask.net in browser afterwards.

Use Bitmask

Extract downloaded Bitmask archive, and run ./bitmask-0.10.2/bitmask
Add workshop.bitmask.net as a new provider
Register a new user

LEAP Encryption Access Project

Provider installation workshop

LEAP Provider installation workshop

LEAP Encryption Access Project

What to expect

Introduction to LEAP

Goals

Increase User experience

Protect the provider

What we have

Current Services: VPN

Current Services: email

Bitmask client

Bitmask client

VPN

Bitmask client

VPN

Bitmask client

VPN

Bitmask client

VPN

Bitmask for Android

VPN

Bitmask client

Encrypted Mail

Bitmask Mail

Bitmask Mail

Bitmask Mail

Composing

Key management

Keys, Keys, Keys

LEAP Platform

LEAP Platform Example: Setup single node email provider

LEAP Platform: Install and configure the server(s)

Server-side techstack

Client-side techstack

Soledad

LEAP Webapp

LEAP Webapp Main Page

LEAP Webapp Account Management

LEAP Encryption Access Project

Platform Workshop

System requirements

Tutorials

Install prerequisites

Ruby

Debian / Ubuntu

Mac OS

Install the LEAP command-line utility

Create provider config

leap_platform master branch build status

Optional: Use latest release tag for stable version

Add your ssh key

SSL certificates

Single node VPN provider

Single node email provider

Generate diffie-hellman parameters for openvpn

Add an existing remote server

Option B: Create a new server in the cloud

Time to deploy !

DNS

DNS

Option A: Fake DNS for new provider

Download Bitmask client

Questions ?

Let’s encrypt certificates

Test if things work correctly

Use Bitmask

Try more

Contribute

Thanks!

Etc

Bitmask Schema