OpenVPN

From WL-HDD Wiki


[edit] Prerequisites

To complete this guide, the following is assumed:

You are running Oleg's firmware (1.9.2.7-6b or later)
You have harddisk partitions up and running with an extended filesystem mounted to /opt
You have installed the Ipkg package system.
You have configured your partitions to automount.
You have set up and successfully run VSFTP from within your LAN.

You have set up and successfully run Samba on your LAN (using the guest account) and already have some shares set up in smb.conf.


[edit] Basic Understanding

On a Windows network you can 'share' files and folders between computers, but only while they are on the same LAN: shares on another Windows network are not reachable across the internet (at least not without exposing them, which you should not do). The way round this is a VPN, a Virtual Private Network, which lets separate networks anywhere in the world connect together so that resources can be shared. OpenVPN is an open source implementation of a VPN. Client computers connect securely to the OpenVPN server, which then carries traffic between the clients (and, with the options shown later, to the server's LAN). A simple diagram of this idea is presented below:

VPN Diagram

Please note: the image above is just an example; do not use 192.168.666.* anywhere on a network. An IPv4 octet cannot exceed 255, so that address is invalid and WILL NOT WORK.

[edit] Install an openvpn client on Win XP:

Download OpenVPN from http://openvpn.se/download.html openvpn-2.0.7-gui-1.0.3-install.exe which will install both OpenVPN and a Windows GUI.

Install everything, that means checking ALL the boxes

[edit] Generate both client and server certificates on Win XP:

Generate the master Certificate Authority (CA) certificate & key:

start>run>cmd
cd\
cd program files
cd openvpn
cd easy-rsa
init-config

This batch file will copy the configuration files into place (this will overwrite any vars.bat and openssl.cnf files that exist already).

Now, browse to:

C:\Program Files\OpenVPN\easy-rsa\

in windows explorer and edit the vars.bat (just right click on vars.bat) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters to suit your preference. Whatever you do, don't leave any of these parameters blank.

Once you've done that, go back to the command line and run:

vars
clean-all
build-ca

The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command.

Note that in the above sequence, most queried parameters were defaulted to the values set in the vars.bat files. The only parameter which must be explicitly entered is the Common Name. (put whatever you want)


[edit] Generate certificate & key for server

Next, we will generate a certificate and private key for the server. Still in the command line, type:

build-key-server server

As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". The "challenge password" prompt can be left blank: it is only an attribute of the certificate request and does not protect the private key, which easy-rsa writes unencrypted (the -nodes option) so that the server can start unattended. Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]". Obviously, enter y for both of these.

[edit] Generate certificates & keys for client

Generating client certificates is very similar to the previous step. Still in the command line, type:

build-key client

You can repeat this for different clients.

Remember to type the appropriate Common Name for each client when prompted, e.g. "client1", "client2" or "client3". Always use a unique Common Name for each client. If you don't, you may get the error message:

Could Not Find C:\Program Files\OpenVPN\easy-rsa\keys\*.old

[edit] Generate Diffie Hellman parameters

Still in the command line, type:

build-dh

It can take some time! The output looks like this (easy-rsa's vars.bat sets KEY_SIZE to 1024 by default; 1024-bit DH and RSA keys are considered weak today, so consider setting KEY_SIZE=2048 in vars.bat before running clean-all, in which case build-dh writes dh2048.pem and the dh paths later in this guide must be changed to match):

   Generating DH parameters, 1024 bit long safe prime, generator 2
   This is going to take a long time
   .................+...........................................
   ...................+.............+.................+.........
   ......................................


Now, all the key files are generated. We need to create a temporary directory to store these files on the Windows XP machine. Later, they will be moved to the WL-HDD. I suggest making this in your 'My Documents' folder.

Go to C:\Program Files\OpenVPN\easy-rsa\keys\

move dh1024.pem, server.crt and server.key to the temporary directory

!!! Copy, not move !!! ca.crt from keys to temporary directory

Finally, move client.crt, client.key AND ca.crt to C:\Program Files\OpenVPN\config\

[edit] Creating configuration files for client:

Edit C:\Program Files\OpenVPN\sample-config\client.ovpn

Find these particular lines in the config file and change their values to the below (and don't forget to remove the ";" where necessary). Leave all other lines as they are:

  remote www.yoursite.com 1234 (where www.yoursite.com is the hostname or ip address of the server- the WL-HDD)
  ca ca.crt
  cert client.crt
  key client.key
  ns-cert-type server

Add at the bottom:

  float

if you want to use the same client profile from both LAN and WAN. float lets the client accept packets whose source address differs from the one it sent to, which can happen when you reach the WL-HDD through your router's public address from inside your own LAN.

Save this new client.ovpn to C:\Program Files\OpenVPN\config\

[edit] Creating configuration files for server:

Edit C:\Program Files\OpenVPN\sample-config\server.ovpn

Again, modify these lines (and don't forget to remove the ";"), to obtain:

  port 1234
  user nobody
  group nobody
  ca /opt/etc/openvpn/easy-rsa/keys/ca.crt
  cert /opt/etc/openvpn/easy-rsa/keys/server.crt
  key /opt/etc/openvpn/easy-rsa/keys/server.key
  dh /opt/etc/openvpn/easy-rsa/keys/dh1024.pem


[edit] HDPARM

If you use HDPARM to spin down your hard drive, you should also put a ";" before the line "status openvpn-status.log". Otherwise OpenVPN writes its status to that file every minute and so prevents the disk from spinning down. Save the result as !!! server.conf !!! in your temporary folder.

[edit] Install the OpenVPN server on the WL-HDD

ipkg -force-depends install openvpn

You may (and probably will) get the following warning:

Warning: Cannot satisfy the following dependencies for openvpn: kernel-module-tun

This warning can be disregarded: the tun module is already included in Oleg's firmware.

[edit] Configure the WL-HDD box for OpenVPN support:

If you don't understand the following, don't worry, just do it! Create the TUN device node:

mkdir /dev/net
mknod /dev/net/tun c 10 200

Load the TUN/TAP kernel module:

insmod tun

Enable routing:

echo 1 > /proc/sys/net/ipv4/ip_forward

[edit] Transfer certificates from XP to WL-HDD

Create the directory /opt/etc/openvpn/easy-rsa/keys on the WL-HDD and copy the server key files from your temporary folder there.

mkdir -p /opt/etc/openvpn/easy-rsa/keys

Transfer all 4 key files from your temporary folder to /opt/etc/openvpn/easy-rsa/keys/ via FTP or samba.

That means:

ca.crt
dh1024.pem
server.crt
server.key

[edit] Transfer configuration file:

Transfer server.conf from your temporary folder to /opt/etc/openvpn/ via FTP or samba.

[edit] Testing OpenVPN Server

In the putty shell type:

/opt/sbin/openvpn /opt/etc/openvpn/server.conf

You are likely to get this warning:

WARNING: file '/opt/etc/openvpn/easy-rsa/keys/server.key' is group or others accessible

Let's change the file permissions so that server.key is readable only by its owner (600 is enough: it is a data file and needs no execute bit). Also make sure the file is owned by root, since the FTP or Samba transfer may have left it owned by the guest account; OpenVPN reads the key as root before dropping to user nobody, so nobody else needs access to it.

chmod 600 /opt/etc/openvpn/easy-rsa/keys/server.key

After doing that, try again, you should reach the following status:

Thu May 25 10:57:44 2006 Initialization Sequence Completed

Nothing else will appear, this is because OpenVPN has not been daemonized. However, we were just testing to see if it runs ok. You can exit OpenVPN now using the keyboard command.

Ctrl + C
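Before relying on the server, it is worth checking the key material itself rather than just the permissions warning. The following script is an added example, not part of the original guide: it verifies that the four files are present, that server.key is not group/other readable, that server.crt was signed by ca.crt, that the certificate and key belong together, and that the certificate carries the nsCertType=server flag the clients will demand via ns-cert-type server. It assumes the openssl command-line tool is installed on the WL-HDD (the openssl ipkg package) and that the files keep the names easy-rsa gave them.

```shell
# Pre-flight check for the server key material on the WL-HDD. Added example,
# not from the original guide; assumes 'openssl' (ipkg install openssl) is on
# PATH and the files carry the names easy-rsa produced.

# check_server_keys DIR  -> prints every problem found; returns 0 only if clean
check_server_keys() {
    dir="$1"; rc=0
    for f in ca.crt server.crt server.key dh1024.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # 1. the private key must not be group/other readable; OpenVPN only warns,
    #    but anyone who can read it can impersonate the server
    gperm=$(ls -l "$dir/server.key" | cut -c5-10)
    [ "$gperm" = "------" ] \
        || { echo "server.key is group/other accessible (chmod 600 it)"; rc=1; }

    # 2. server.crt must have been signed by the CA in ca.crt
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo "server.crt does not verify against ca.crt"; rc=1; }

    # 3. server.crt and server.key must belong together (same RSA modulus)
    mcrt=$(openssl x509 -noout -modulus -in "$dir/server.crt" 2>/dev/null)
    mkey=$(openssl rsa  -noout -modulus -in "$dir/server.key" 2>/dev/null)
    { [ -n "$mcrt" ] && [ "$mcrt" = "$mkey" ]; } \
        || { echo "server.crt and server.key do not match"; rc=1; }

    # 4. clients are told 'ns-cert-type server', so the certificate must carry
    #    the nsCertType=server flag that build-key-server sets (build-key does not)
    openssl x509 -noout -text -in "$dir/server.crt" 2>/dev/null | grep -q 'SSL Server' \
        || { echo "server.crt lacks nsCertType=server (was it built with build-key-server?)"; rc=1; }

    return "$rc"
}

# run directly:  sh keycheck.sh /opt/etc/openvpn/easy-rsa/keys
if [ $# -gt 0 ]; then
    check_server_keys "$1"
fi
```

A clean run prints nothing and exits 0; anything else names the file at fault, which is quicker than reading OpenVPN's log after a failed handshake. Check 4 is the one people trip over: a certificate made with build-key instead of build-key-server starts fine on the server but is rejected by every client that has ns-cert-type server in its profile.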

[edit] Add firewall rules:

Again, in putty:

cd /usr/local/sbin
nano post-firewall

Add the following rules:

#!/bin/sh
#OpenVPN access from WAN
# remove the trailing DROP, append our ACCEPT rules, then put the DROP back
iptables -D INPUT -j DROP
iptables -A INPUT -p udp --dport 1234 -j ACCEPT
iptables -t nat -A PREROUTING -i vlan1 -p udp --dport 1234 -j DNAT --to-destination $4:1234
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -j DROP

Now save and exit

Ctrl + O
Ctrl + X

Note that you may already have other existing firewall rules that you want to run too. You do not need a separate:

iptables -D INPUT -j DROP

line for each one of these. Here is a sample post-firewall script that allows FTP, SSH and OpenVPN connections from the WAN. Bear in mind that FTP sends user names and passwords in clear text; once the VPN works you can drop the port 21 rules and reach the FTP and Samba shares through the tunnel instead.

#!/bin/sh
#SSH and FTP access from WAN
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p udp --dport 1234 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 22 -j DNAT --to-destination $4:22
iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 21 -j DNAT --to-destination $4:21
iptables -t nat -A PREROUTING -i vlan1 -p udp --dport 1234 -j DNAT --to-destination $4:1234
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -j DROP

Once you have made changes to your post-firewall script, you need to make them permanent or they will be lost after the next reboot.

flashfs save
flashfs commit
flashfs enable
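The reason post-firewall deletes the DROP rule, appends the ACCEPT rules and then re-appends the DROP is that iptables stops at the first matching rule: an ACCEPT placed after the DROP is never reached. The following check is an added example, not part of the guide or of Oleg's firmware. It reads iptables-save output and confirms that an ACCEPT rule containing the given text sits above the chain's first DROP in the filter table (DNAT rules in the nat table are ignored), so you can verify the result after a reboot instead of eyeballing iptables -L. It assumes only awk and the standard iptables-save format.

```shell
# Added check, not from the original guide: confirm from 'iptables-save' output
# that an ACCEPT rule ended up above the chain's DROP rule.

# rule_accepted_before_drop CHAIN LITERAL   (iptables-save text on stdin)
#   returns 0 if, in the filter table, an '-A CHAIN ... -j ACCEPT' line that
#   contains LITERAL appears before the first '-A CHAIN ... -j DROP' line
#   (a chain without any DROP also counts); returns 1 otherwise
rule_accepted_before_drop() {
    awk -v chain="$1" -v lit="$2" '
        /^\*/ { table = $0; next }             # "*filter", "*nat", ...
        table != "*filter" { next }            # DNAT lines in *nat are not what we check
        $1 == "-A" && $2 == chain {
            if (!dropped && index($0, lit) && $0 ~ / -j ACCEPT$/) found = 1
            if ($0 ~ / -j DROP$/) dropped = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Typical use on the WL-HDD, one call per rule the script was meant to add:
#   iptables-save | rule_accepted_before_drop INPUT   "--dport 1234"
#   iptables-save | rule_accepted_before_drop INPUT   "-i tun+"
#   iptables-save | rule_accepted_before_drop FORWARD "-i tun+"
```

A non-zero exit from any of the three calls means the rule is missing or sits below the DROP, which is exactly the state you get when a rule is added without first deleting the trailing DROP. Note that iptables-save normalises rules, so --dport 1234 appears as "-p udp -m udp --dport 1234", which the literal match still finds.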

Now proceed to the autostart section to make the OpenVPN server start automatically.

Don't forget to add a rule in Windows Firewall or any other software firewall running to accept traffic on port 1234  !!!

[edit] Autostart

To automatically start the OpenVPN server processes at boot time:

nano /opt/etc/init.d/S24openvpn

Add the following:

#!/bin/sh

# stop any running instance before (re)starting
if [ -n "`pidof openvpn`" ]; then
   /bin/killall openvpn 2>/dev/null
fi

# make sure the TUN device node exists (it was created by hand above;
# recreate it here in case /dev does not survive a reboot)
[ -c /dev/net/tun ] || { mkdir -p /dev/net; mknod /dev/net/tun c 10 200; }

# load TUN/TAP kernel module
/sbin/insmod tun

# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Startup VPN tunnel in daemon mode
/opt/sbin/openvpn --cd /opt/etc/openvpn --daemon \
 --log-append /var/log/openvpn.log \
 --config server.conf

Now save and exit

Ctrl + O
Ctrl + X

Lets make that script executable:

chmod +x /opt/etc/init.d/S24openvpn

Now we can finally reboot!

reboot

The server should be up and running: Type:

ps -e |grep openvpn

You should receive the following:

113 nobody     2116 S   /opt/sbin/openvpn --cd /opt/etc/openvpn --daemon --lo
135 jono        256 R   grep openvpn

[edit] To Test it In Windows

Via the start menu, open the program OpenVPN GUI, this should run and place an icon in your system tray.

Right click on the icon and click connect, wait whilst all the initializing takes place.

You should see a little balloon with the message:

Assigned IP 10.8.0.6

Now, from the Start button, click Run and type the assigned address in UNC form:

\\10.8.0.6\

An Explorer window should pop up showing any Windows 'shares' and shared printers on your client computer itself: 10.8.0.6 is the tunnel address OpenVPN gave your own machine (the WL-HDD's end of the tunnel is 10.8.0.1), so this step only proves that the tunnel adapter is up.

Now get some more computers connected to the VPN and you can make use of your new server!!! Try connecting to shares between computers.

[edit] OPTIONS:

Here are some other options that can be added to server.conf

To reach every host on the server's LAN, push a route to the clients:

 push "route 192.168.0.0 255.255.255.0"

where 192.168.0.0 is the subnet of the LAN the server sits on. Hosts on that LAN also need to know the way back to the VPN subnet 10.8.0.0/24 (a route via the WL-HDD on your LAN router, or a NAT rule on the WL-HDD for 10.8.0.0/24 in post-firewall); otherwise their replies never reach the tunnel. See the Roadmap below.

To let OpenVPN clients reach each other, uncomment the client-to-client line in server.conf. Windows file and printer sharing must be turned on on the clients.

Traffic Redirect

To send all your traffic (web, FTP, ...) through the VPN (for the paranoid, and it is going to be really slow over this box):

 push "redirect-gateway def1"

push "redirect-gateway def1" tells the OpenVPN client to use the OpenVPN server as the default gateway for all traffic. The WL-HDD must then also forward (and usually NAT) the clients' traffic onward to the internet, or the clients lose connectivity as soon as they connect.

[edit] An additional security key with "tls-auth"

The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. It can protect against:

  • DoS attacks or port flooding on the OpenVPN UDP port.
  • Port scanning to determine which server UDP ports are in a listening state.
  • Buffer overflow vulnerabilities in the SSL/TLS implementation.
  • SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).

Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key:

openvpn --genkey --secret ta.key

This command will generate an OpenVPN static key and write it to the file ta.key. This key should be copied over a pre-existing secure channel to the server and all client machines. It can be placed in the same directory as the RSA .key and .crt files.

In the server configuration file, add the line:

tls-auth /opt/etc/openvpn/easy-rsa/keys/ta.key 0

In the client configuration, add the line:

tls-auth ta.key 1
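To make the direction numbers and the "drop before TLS" behaviour concrete, here is a simplified model of the mechanism. It is an added illustration and not OpenVPN's wire format: real OpenVPN keys the HMAC from a 64-byte slice of the 2048-bit static key, puts packet-id fields under the MAC as well, and compares in constant time. The logic is the same, though: each end signs what it sends with one half of the shared key and verifies what it receives with the other half (which is why the server says 0 and the client says 1), and a packet that fails the check is dropped before any TLS processing. The ta.key file it writes has the same layout as the one openvpn --genkey --secret produces. It assumes openssl, awk, sed, fold, cut, head and tail on PATH; all packets are constructed inline.

```shell
# Simplified model of tls-auth: HMAC-tag every packet with one half of a
# shared static key and drop anything whose tag does not verify. Added
# illustration, NOT OpenVPN's real packet format (see the text above).

# gen_static_key FILE - write a key in the layout 'openvpn --genkey --secret' uses
gen_static_key() {
    {
        printf '#\n# 2048 bit OpenVPN static key\n#\n'
        printf '%s\n' '-----BEGIN OpenVPN Static key V1-----'
        openssl rand -hex 256 | fold -w 32      # 256 bytes as 16 lines of 32 hex digits
        printf '%s\n' '-----END OpenVPN Static key V1-----'
    } > "$1"
}

# key_hex FILE - the 512 hex digits between the BEGIN and END markers
key_hex() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1" | grep -v '^-----' | tr -d '\n'
}

# hmac_key KEYFILE DIRECTION send|recv - pick the key half for this use.
# Direction 0 (server) sends with the first half and checks with the second;
# direction 1 (client) does the opposite, so the two ends line up.
hmac_key() {
    whole=$(key_hex "$1")
    case "$2$3" in
        0send|1recv) printf '%s' "$whole" | cut -c1-256 ;;
        1send|0recv) printf '%s' "$whole" | cut -c257-512 ;;
        *) echo "hmac_key: bad direction/use '$2' '$3'" >&2; return 1 ;;
    esac
}

# hmac_hex KEYHEX FILE - HMAC-SHA1 (OpenVPN's default tls-auth digest) of FILE
hmac_hex() {
    openssl dgst -sha1 -mac HMAC -macopt "hexkey:$1" "$2" | awk '{print $NF}'
}

# tag_packet KEYFILE DIRECTION PAYLOAD OUT - OUT = 40 hex digits, newline, PAYLOAD
tag_packet() {
    sk=$(hmac_key "$1" "$2" send)
    { hmac_hex "$sk" "$3"; cat "$3"; } > "$4"
}

# accept_packet KEYFILE DIRECTION PKT - 0 if the tag verifies, 1 if it must be dropped
accept_packet() {
    rk=$(hmac_key "$1" "$2" recv)
    tag=$(head -c 40 "$3")
    body=$(mktemp)
    tail -c +42 "$3" > "$body"                  # skip the 41-byte tag line
    want=$(hmac_hex "$rk" "$body")
    rm -f "$body"
    [ -n "$tag" ] && [ "$tag" = "$want" ]
}
```

Two things carry over to the real set-up. Both ends must hold the same ta.key, so treat it like server.key (mode 600, copied over a channel you trust, never e-mailed), and the direction numbers must differ between the two ends; if they are the same on both sides, or the keys differ, every handshake packet is silently discarded and the only trace is a "TLS Error: cannot locate HMAC in incoming packet" line in openvpn.log.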

[edit] Conclusion:

Now you can easily access your samba shares.

Just add a network disk like \\10.8.0.1\"your share directory here"


If you want this disk to be connected automatically at start-up:

(unfortunately this doesn't work on wireless, because the connection takes too long to come up...)

first disconnect this network disk (if you already added it)

then go to a command line and type

net use X: \\10.8.0.1\"your share directory" /user:"NAME OF YOUR COMPUTER"\"username" "password" /persistent:yes

(of course you need to be either on your LAN or already connected to your VPN)


Tip for wifi networks

The easiest way I found is to create a .bat file that you launch once your wifi is connected, so you don't have to type your password again and again. Just create a .txt file with this:

@echo off
net use X: \\10.8.0.1\"your share directory" /user:"NAME OF YOUR COMPUTER"\"username" "password" /persistent:no
cls

Save it as .bat and run it when you need to connect. Note that the password is stored in clear text in that file, so keep it somewhere only your own account can read.

[edit] Roadmap

Whilst this guide adds OpenVPN capabilities to the Asus WL-HDD, there is still work to be done:

-check if you can access the other computers on your LAN

[edit] Credits

This guide was not written by me. I have been through the guide and tested its functionality- everything worked!

All credit must be given to Propa for putting much time into getting this to work.

Thanks, Jono 11:34, 25 May 2006 (BST)
