Title: SNC Delivest User Guide
Description: Debian 11.6
secure remote Office Works Suite
Encrypted Communications
In this chapter - network (VPN) setup, browsing the web, sending and receiving encrypted mail,
encrypted chat to email users, GnuPG cryptosystem management, remote desktop connections, remote file
editing and sharing over SSHFS.
Network and VPN client setup
- The easiest way to configure the network is to use Network Manager, which is installed by default.
The point of NetworkManager is to make networking configuration and setup as painless and automatic
as possible. If using DHCP, Network Manager is intended to replace default routes, obtain IP addresses
from a DHCP server and change nameservers whenever it sees fit. In effect, the goal of Network Manager
is to make networking Just Work. Network Manager will only handle interfaces not declared in
/etc/network/interfaces. It keeps connection information on known individual networks in configuration
files called profiles. Those are stored at /etc/NetworkManager/system-connections/ and can be added or edited
by calling Network Manager Connection Editor via main menu entry "SNC Delivest - Settings - Advanced Network Configuration".
Once a network connection is configured, further user actions (like choosing a Wi-Fi access point or connecting to a VPN)
are performed via top panel Status Trail Plug in, which includes Network Manager Applet.
- Status Trail Plug in also runs Bluetooth Manager Applet, which is used to configure and connect Bluetooth devices.
Bluetooth configuration alternatively can be performed via main menu entry "SNC Delivest - Settings - Bluetooth Manager".
- VPN connections to secure office network are configured using the same Network Manager Connection Editor.
A virtual private network (VPN) is a way of connecting to a local network over the Internet. Several different methods of
VPN network traffic encryption can be configured and used via main menu entry "SNC Delivest - Settings - Advanced Network
Configuration - VPN".
- To add a new connection for Cisco Compatible VPN (vpnc), click main menu entry "SNC Delivest - Settings -
Advanced Network Configuration" + Add New connection (choose a Connection Type). Select the Cisco Compatible VPN (vpnc)
option and then click Create. You can now fill in the entries for your particular VPN connection. You will need to provide
the VPN gateway address, group name, and group password. Select NAT-T for the traversal method and ensure that the
encryption method is set to Secure. Click Apply and exit the configuration screen. Now you can click on the Network Manager
applet again and go down to VPN Connections and select the VPN that you just created. Click the name of the connection and
you should be prompted for a password shortly. Once you provide it, the VPN connection will be established, and the Network
Manager icon will change to have a little golden lock on it, indicating the VPN session is active.
- OpenVPN can be configured via Network Manager GUI by selecting the VPN tab and then the "Add" button. Select OpenVPN as
the VPN type in the opening requester and press "Create". In the next window add the OpenVPN’s server name as the "Gateway",
set "Type" to "Certificates (TLS)", point "User Certificate" to your User certificate, "CA Certificate" to your CA certificate
and "Private Key" to your private key file. Use the advanced button to enable compression (e.g. comp-lzo), dev tap, or other
special settings you set on the server. Now try to establish your VPN. You can also configure OpenVPN much more easily if you
have a configuration file exported by the OpenVPN Server Gateway (router). Click main menu entry "SNC Delivest - Settings -
Advanced Network Configuration" + Add New connection (choose a Connection Type) - import a saved VPN configuration.
- IPsec provided by Libreswan is the preferred method by Red Hat Linux for creating VPN connections. Libreswan is a user space
IPsec implementation for VPN. A VPN enables the communication between your LAN and another, remote LAN by setting up a
tunnel across an intermediate network such as the Internet. For security reasons, a VPN tunnel always uses authentication
and encryption. For cryptographic operations, Libreswan uses the NSS library. Further configuration instructions can be obtained from
Red Hat Enterprise Linux documentation.
- strongSwan provides an IPsec/IKEv2 plug in for Network Manager to configure road warrior clients for the most common setups.
The plug in supports connections using the IKEv2 protocol only. The plug in uses a certificate for server authentication and
supports EAP and public key authentication for client authentication. PSK authentication is supported starting with version
1.3.1 of the plug in, but strong secrets (a minimum of 20 characters) are enforced. Detailed configuration instructions
can be found at the strongSwan Documentation website.
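An added example, not part of the original guide: a shell check to run on an exported OpenVPN profile before importing it as described in the OpenVPN item above. It flags missing server-certificate verification, enabled compression, a private key readable by other users, and dev tap; the file names and vpn.example.org are constructed sample values.

```shell
#!/bin/sh
# Added example: audit an OpenVPN client profile before importing it.
# Prints one finding per line; returns 1 if any WARN was raised.

# True if FILE has any group/other permission bit set (portable ls parse).
loose_perms() { [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; }

# Print the first argument of DIRECTIVE in FILE; commented lines never match.
directive() { awk -v d="$2" '$1 == d { print $2; exit }' "$1"; }

has_directive() { awk -v d="$2" '$1 == d { f = 1 } END { exit !f }' "$1"; }

audit_ovpn() {
    cfg=$1; warn=0
    # Without one of these, any certificate issued by the CA can pose as the server.
    if ! has_directive "$cfg" remote-cert-tls && ! has_directive "$cfg" verify-x509-name; then
        echo "WARN no remote-cert-tls or verify-x509-name: server certificate role unchecked"; warn=1
    fi
    # Compression has to match the server; the OpenVPN manual advises against using it.
    if has_directive "$cfg" comp-lzo || has_directive "$cfg" compress; then
        echo "WARN compression enabled: confirm the server really requires it"; warn=1
    fi
    # The private key must be readable by its owner only.
    key=$(directive "$cfg" key)
    if [ -n "$key" ]; then
        case $key in /*) ;; *) key=$(dirname "$cfg")/$key ;; esac
        if [ ! -f "$key" ]; then
            echo "WARN key file not found: $key"; warn=1
        elif loose_perms "$key"; then
            echo "WARN key file accessible by group/others: $key"; warn=1
        fi
    elif grep -q '^<key>' "$cfg" && loose_perms "$cfg"; then
        echo "WARN inline private key in a profile accessible by group/others"; warn=1
    fi
    case $(directive "$cfg" dev) in
        tap*) echo "INFO dev tap: layer-2 tunnel, broadcast traffic crosses the VPN" ;;
    esac
    return $warn
}

# Constructed sample profile and empty key file (not from a real gateway).
make_sample() {
    printf '%s\n' client 'dev tap' 'remote vpn.example.org 1194' \
        'ca ca.crt' 'cert user.crt' 'key user.key' comp-lzo > "$1/office.ovpn"
    : > "$1/user.key"; chmod 644 "$1/user.key"
}

d=$(mktemp -d); make_sample "$d"; audit_ovpn "$d/office.ovpn" || true; rm -rf "$d"
```

Once a profile passes, `nmcli connection import type openvpn file office.ovpn` performs the same import from a terminal as the Connection Editor does.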
Browsing the Web, encrypted E-mail and Chat
- Mozilla Firefox ESR is included as default web browser. Mozilla has a very fast-paced
release cycle for Firefox. New releases are published every six to eight weeks and only the latest version is supported
for security issues. This doesn't suit all kinds of users, so every 10 cycles they promote one of their releases to
an Extended Support Release (ESR), which gets security updates (and no functional changes) during the next 10 cycles
(which covers a bit more than a year). You can also install any other Debian Supported Web Browser of your choice.
- We advocate user-friendly encrypted e-mail communications based on the Autocrypt standard,
therefore the default e-mail client, included into SNC Delivest platform for extra e-mail security, is
Epyrus with the Enigmail OpenPGP plug in. Epyrus is a fork of the pre-68 version of
Mozilla Thunderbird which currently supports the Autocrypt standard via the Enigmail plug in. Enigmail was originally developed for
Mozilla Thunderbird, but since 2021 Mozilla Corporation has removed Autocrypt OpenPGP support
from their post-68 versions of Thunderbird. We provide an Epyrus e-mail client tutorial,
which can be accessed via main menu entry "SNC Delivest - Manuals - Epyrus (Thunderbird) Enigmail Workbook".
- As a secure means of decentralized communication, we provide the DeltaChat application,
which uses End-to-End Encryption with Autocrypt and CounterMITM protocols,
your e-mail accounts for identification, and needs no centralized server registration to provide
PP2P (Personal Peer to Peer Protocol) chat. For usage assistance, we provide a link to DeltaChat online help, which can be reached by
clicking main menu entry "SNC Delivest - Manuals - DeltaChat Online Help".
- Kleopatra is a graphical interface to OpenPGP/GnuPG, a tool to encrypt and authenticate text and files using the
OpenPGP standard. The software stores your certificates and keys, it supports managing X.509 and OpenPGP/GnuPG certificates
in the GpgSM keybox and retrieving certificates from LDAP servers. With Kleopatra you can:
- Create new OpenPGP/GnuPG keys for yourself
- Manage your OpenPGP/GnuPG private keys and the public keys of others
- Encrypt and sign text with a public key
- Encrypt text with a passphrase
- Decrypt and verify text
For detailed instructions use GnuPG Kleopatra Handbook, accessible via main menu entry "SNC Delivest - Manuals -
GnuPG Kleopatra Handbook".
Remote Desktop and Files over SSHFS
- Remote office workspace is based on remote desktop technology, therefore we provide universal remote
desktop application Remmina. It supports the Remote Desktop Protocol (RDP), VNC, NX, XDMCP,
SPICE, X2Go and SSH protocols and uses FreeRDP as foundation.
- For remote file access, we also provide SiriKali SSHFS application.
In computing, SSHFS (SSH File system) is a file system client to mount and interact with directories and files located on a
remote server or workstation over a normal ssh connection. The client interacts with the remote file system via the
SSH File Transfer Protocol (SFTP), a network protocol providing file access, file transfer, and file management functionality
over any reliable data stream that was designed as an extension of the Secure Shell protocol (SSH) version 2.0.
SiriKali is a Qt/C++ GUI application that manages ecryptfs, cryfs, encfs, gocryptfs, fscrypt and securefs based encrypted folders.
SiriKali can also connect to ssh servers using sshfs.