OpenVPN
From WL-HDD Wiki
Prerequisites
To complete this guide, the following is assumed:
- You are running Oleg's firmware (1.9.2.7-6b or later)
- You have hard disk partitions up and running with an extended filesystem mounted to /opt
- You have installed the ipkg package system.
- You have configured your partitions to automount.
- You have set up and successfully run VSFTP from within your LAN.
- You have set up and successfully run Samba on your LAN (using the guest account) and you have some shares already set up in smb.conf.
Basic Understanding
When you are on a Windows network, you can 'share' files and folders amongst computers. However, this only works while you are on a LAN. You cannot access 'shares' on other Windows networks via the internet (unless you are a hacker!). There is however a way round this called VPN or Virtual Private Network. VPN allows different Windows networks around the world to connect together, allowing resources to be shared. OpenVPN is an open source implementation of VPN. Client computers connect securely to the OpenVPN server, which gives access to other clients' resources. A simple diagram of this idea is presented below:
Install an openvpn client on Win XP:
Download OpenVPN from http://openvpn.se/download.html openvpn-2.0.7-gui-1.0.3-install.exe which will install both OpenVPN and a Windows GUI.
Install everything, that means checking ALL the boxes
Generate both client and server certificates on Win XP:
Generate the master Certificate Authority (CA) certificate & key:
start > run > cmd
cd\
cd program files
cd openvpn
cd easy-rsa
init-config
This batch file will copy the configuration files into place (this will overwrite any vars.bat and openssl.cnf files that exist already).
Now, browse to:
C:\Program Files\OpenVPN\easy-rsa\
in windows explorer and edit the vars.bat (just right click on vars.bat) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters to suit your preference. Whatever you do, don't leave any of these parameters blank.
Once you've done that, go back to the command line and run:
vars
clean-all
build-ca
The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command.
Note that in the above sequence, most queried parameters were defaulted to the values set in the vars.bat files. The only parameter which must be explicitly entered is the Common Name. (put whatever you want)
Generate certificate & key for server
Next, we will generate a certificate and private key for the server. Still in the command line, type:
build-key-server server
As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Enter a password. Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]". Obviously, enter y for both of these.
Generate certificates & keys for client
Generating client certificates is very similar to the previous step. Still in the command line, type:
build-key client
You can repeat this for different clients.
Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. "client1", "client2", or "client3". Always use a unique Common Name for each client. If you don't, you may get the error message:
Could Not Find C:\Program Files\OpenVPN\easy-rsa\keys\*.old
Generate Diffie Hellman parameters
Still in the command line, type:
build-dh
It can take some time! The output will look like this:
Generating DH parameters, 1024 bit long safe prime, generator 2 This is going to take a long time .................+........................................... ...................+.............+.................+......... ......................................
Now, all the key files are generated. We need to create a temporary directory to store these files on the Windows XP machine. Later, they will be moved to the WL-HDD. I suggest making this in your 'My Documents' folder.
Go to C:\Program Files\OpenVPN\easy-rsa\keys\
move dh1024.pem, server.crt and server.key to the temporary directory
!!! Copy, not move !!! ca.crt from keys to temporary directory
Finally, move client.crt, client.key AND ca.crt to C:\Program Files\OpenVPN\config\
Creating configuration files for client:
Edit C:\Program Files\OpenVPN\sample-config\client.ovpn
Find these particular lines in the config file and change their values to the below (and don't forget to remove the ";" where necessary). Leave all other lines as they are:
remote www.yoursite.com 1234
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
(where www.yoursite.com is the hostname or IP address of the server, i.e. the WL-HDD)
Add at the bottom:
float
if you want to access your VPN both from the LAN and the WAN.
Save this new client.ovpn to C:\Program Files\OpenVPN\config\
Creating configuration files for server:
Edit C:\Program Files\OpenVPN\sample-config\server.ovpn
Again, modify these lines (and don't forget to remove the ";"), to obtain:
port 1234
user nobody
group nobody
ca /opt/etc/openvpn/easy-rsa/keys/ca.crt
cert /opt/etc/openvpn/easy-rsa/keys/server.crt
key /opt/etc/openvpn/easy-rsa/keys/server.key
dh /opt/etc/openvpn/easy-rsa/keys/dh1024.pem
HDPARM
If you use HDPARM to spin down your hard drive, you should also put a ";" before the line "status openvpn-status.log". Otherwise, OpenVPN writes its status every minute to the specified file and by doing so prevents the HD from spinning down. Save as !!! server.conf !!! in your temporary folder.
Install the OpenVPN server on the WL-HDD
ipkg -force-depends install openvpn
You may (and probably will) get the following warning:
Warning: Cannot satisfy the following dependencies for openvpn: kernel-module-tun
This warning can be disregarded: tun is already included in Oleg's firmware.
Configure the WL-HDD box for OpenVPN support:
If you don't understand the following, don't worry, just do it!! Create the TUN device node:
mkdir /dev/net
mknod /dev/net/tun c 10 200
Load the TUN/TAP kernel module:
insmod tun
Enable routing:
echo 1 > /proc/sys/net/ipv4/ip_forward
Transfer certificates from XP to WL-HDD
Create the directory /opt/etc/openvpn/easy-rsa/keys on the WL-HDD and copy the server key files from your temporary folder to there.
mkdir -p /opt/etc/openvpn/easy-rsa/keys
Transfer all 4 key files from your temporary folder to /opt/etc/openvpn/easy-rsa/keys/ via FTP or samba.
That means:
ca.crt dh1024.pem server.crt server.key
Transfer configuration file:
Transfer server.conf from your temporary folder to /opt/etc/openvpn/ via FTP or samba.
Testing OpenVPN Server
In the putty shell type:
/opt/sbin/openvpn /opt/etc/openvpn/server.conf
You are likely to get this warning:
WARNING: file '/opt/etc/openvpn/easy-rsa/keys/server.key' is group or others accessible
Let's change the file permissions to make server.key only accessible by the owner:
chmod 700 /opt/etc/openvpn/easy-rsa/keys/server.key
After doing that, try again, you should reach the following status:
Thu May 25 10:57:44 2006 Initialization Sequence Completed
Nothing else will appear, this is because OpenVPN has not been daemonized. However, we were just testing to see if it runs ok. You can exit OpenVPN now using the keyboard command.
Ctrl + C
Add firewall rules:
Again, in putty:
cd /usr/local/sbin
nano post-firewall
Add the following rules:
#!/bin/sh
#OpenVPN access from WAN
iptables -D INPUT -j DROP
iptables -A INPUT -p udp --dport 1234 -j ACCEPT
iptables -t nat -A PREROUTING -i vlan1 -p udp --dport 1234 -j DNAT --to-destination $4:1234
iptables -A INPUT -j DROP

iptables -D INPUT -j DROP
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -j DROP
Now save and exit
Ctrl + O Ctrl + X
Note that you may already have other existing firewall rules that you want to run too. You do not need a separate:
iptables -D INPUT -j DROP
line for each one of these. Here is a sample post-firewall script that allows FTP, SSH and OpenVPN connections.
#!/bin/sh
#SSH, FTP and OpenVPN access from WAN
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p udp --dport 1234 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 22 -j DNAT --to-destination $4:22
iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 21 -j DNAT --to-destination $4:21
iptables -t nat -A PREROUTING -i vlan1 -p udp --dport 1234 -j DNAT --to-destination $4:1234
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -j DROP
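The sample above hand-writes one ACCEPT and one DNAT line per service and wraps them in a single "iptables -D INPUT -j DROP" / "iptables -A INPUT -j DROP" pair. As an added example (not part of the original guide), this POSIX sh function generates such a post-firewall script from a "proto:port" list, rejects anything that is not tcp/udp with a numeric port, and emits the final DROP exactly once; it assumes the WAN interface vlan1 and the $4 address argument exactly as the page's script does.

```shell
#!/bin/sh
# Generate a post-firewall script for Oleg's firmware from a list of
# "proto:port" services, plus the OpenVPN tun+ rules from this page.
# Assumed (as on the page): WAN interface is vlan1 and $4 is the address
# post-firewall receives for the DNAT target.
#
# Usage: gen_post_firewall "tcp:22 tcp:21 udp:1234" > post-firewall
gen_post_firewall() {
    services=$1
    printf '%s\n' '#!/bin/sh' '# generated: WAN access for listed services + OpenVPN tun+'
    # Remove the trailing DROP once, so every ACCEPT lands before it.
    printf '%s\n' 'iptables -D INPUT -j DROP'
    for svc in $services; do
        proto=${svc%%:*}
        port=${svc#*:}
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad protocol in '$svc' (use tcp or udp)" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "bad port in '$svc' (digits only)" >&2; return 1 ;;
        esac
        printf 'iptables -A INPUT -p %s --dport %s -j ACCEPT\n' "$proto" "$port"
        # $4 is kept literal: the router expands it when post-firewall runs.
        printf 'iptables -t nat -A PREROUTING -i vlan1 -p %s --dport %s -j DNAT --to-destination $4:%s\n' \
            "$proto" "$port" "$port"
    done
    # OpenVPN tunnel traffic: accept on tun+ and allow it to be forwarded.
    printf '%s\n' 'iptables -A INPUT -i tun+ -j ACCEPT' 'iptables -A FORWARD -i tun+ -j ACCEPT'
    # Re-append the DROP exactly once, after all ACCEPT rules.
    printf '%s\n' 'iptables -A INPUT -j DROP'
}

# Sanity check for a script read on stdin: how many times does it append
# the final INPUT DROP? Anything but 1 means rules were pasted in wrongly.
count_input_drop() {
    grep -c '^iptables -A INPUT -j DROP$'
}
```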
Once you have made changes to your post-firewall script, you need to make them permanent or they will be lost after the next reboot.
flashfs save
flashfs commit
flashfs enable
Now proceed to the autostart section to make the OpenVPN server start automatically.
Don't forget to add a rule in Windows Firewall or any other software firewall running to accept traffic on port 1234 !!!
Autostart
To automatically start the OpenVPN server processes at boot time:
nano /opt/etc/init.d/S24openvpn
Add the following:
#!/bin/sh
if [ -n "`pidof openvpn`" ]; then
/bin/killall openvpn 2>/dev/null
fi
# load TUN/TAP kernel module
/sbin/insmod tun
# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Startup VPN tunnel in daemon mode
/opt/sbin/openvpn --cd /opt/etc/openvpn --daemon \
--log-append /var/log/openvpn.log \
--config server.conf
Now save and exit
Ctrl + O Ctrl + X
Let's make that script executable:
chmod +x /opt/etc/init.d/S24openvpn
Now we can finally reboot!
reboot
The server should be up and running. Type:
ps -e |grep openvpn
You should receive the following:
113 nobody 2116 S /opt/sbin/openvpn --cd /opt/etc/openvpn --daemon --lo
135 jono 256 R grep openvpn
To Test it In Windows
Via the start menu, open the program OpenVPN GUI, this should run and place an icon in your system tray.
Right click on the icon and click connect, wait whilst all the initializing takes place.
You should see a little balloon with the message:
Assigned IP 10.8.0.6
Now, from the start button, click Run and type in the address assigned in the specified format:
\\10.8.0.6\
An explorer box should pop up showing any windows 'shares' on your client computer as well as shared printers.
Now get some more computers connected to the VPN and you can make use of your new server!!! Try connecting to shares between computers.
OPTIONS:
Here are some other options that can be added to server.conf
To access all resources on the server LAN:
push "route 192.168.0.0 255.255.255.0"
where 192.168.0.0 is the subnet of the server's LAN.
Access other OpenVPN clients
In the server.conf file, uncomment the client-to-client line. You need Windows file and printer sharing turned on.
Traffic Redirect
To redirect all your traffic (web, FTP, ...) through your VPN (it's for paranoiacs and it's gonna be really slow!):
push "redirect-gateway def1"
push "redirect-gateway def1" tells the OpenVPN client to use the OpenVPN server as the default gateway for all traffic!!.
An additional security key with "tls-auth"
The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. It can protect against:
- DoS attacks or port flooding on the OpenVPN UDP port.
- Port scanning to determine which server UDP ports are in a listening state.
- Buffer overflow vulnerabilities in the SSL/TLS implementation.
- SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).
Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key:
openvpn --genkey --secret ta.key
This command will generate an OpenVPN static key and write it to the file ta.key. This key should be copied over a pre-existing secure channel to the server and all client machines. It can be placed in the same directory as the RSA .key and .crt files.
In the server configuration file, add the line:
tls-auth /opt/etc/openvpn/easy-rsa/keys/ta.key 0
In the client configuration, add the line:
tls-auth ta.key 1
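Three things on this page fail quietly when they are wrong: server.key left group/other readable (the warning above), the status line left active when HDPARM spins the disk down, and tls-auth key directions that do not pair as 0 on the server and 1 on the client. As an added example (not part of the original guide), these POSIX sh checks can be run from the putty shell before starting the daemon; the config and key paths are passed in as arguments, so nothing here assumes the page's layout beyond the directive names.

```shell
#!/bin/sh
# Pre-flight checks for the OpenVPN server setup on this page.
# Each function returns 0 when the setting is safe, 1 otherwise.
# Example: check_key_perms /opt/etc/openvpn/easy-rsa/keys/server.key

# server.key must not be group/other accessible, or OpenVPN warns at start.
check_key_perms() {
    # columns 5-10 of "ls -l" are the group and other permission bits
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# With HDPARM spin-down, the "status ..." line must be commented out;
# a leading ";" or "#" makes the line not match.
check_status_disabled() {
    ! grep -q '^[[:space:]]*status[[:space:]]' "$1"
}

# Direction argument of the tls-auth directive in a config (empty if none).
tls_auth_direction() {
    awk '$1 == "tls-auth" { print $3; exit }' "$1"
}

# Server must use direction 0 and client direction 1; any other pairing
# makes every handshake fail with no obvious error on the client.
check_tls_auth_pair() {
    [ "$(tls_auth_direction "$1")" = "0" ] && [ "$(tls_auth_direction "$2")" = "1" ]
}

# Every file the server config references must exist; the daemon runs
# as "user nobody" from --cd /opt/etc/openvpn, so use absolute paths.
check_conf_files() {
    awk '$1 ~ /^(ca|cert|key|dh|tls-auth)$/ { print $2 }' "$1" | while read -r f; do
        [ -f "$f" ] || { echo "missing file referenced by $1: $f" >&2; exit 1; }
    done
}
```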
Conclusion:
Now you can easily access your samba shares.
Just add a network disk like \\10.8.0.1\"your share directory here"
if you want an automatic connection on start up to this disk:
(unfortunately it doesn't work on wireless due to time to initiate connection...)
first, disconnect this network disk (if you already added it)
then go to a command line and type
net use X: \\10.8.0.1\"your share directory" /user:"NAME OF YOUR COMPUTER"\"username" "password" /persistent:yes
(of course you need to be either on your LAN or already connected to your VPN)
tip for wifi networks
the easiest way I found is to create a .bat file you launch when your wifi is connected, so you don't have to type your password again and again...
just create a .txt file with this:
@echo off
net use X: \\10.8.0.1\"your share directory" /user:"NAME OF YOUR COMPUTER"\"username" "password" /persistent:no
cls
save as .bat, execute when you need to connect.
Roadmap
Whilst this guide adds OpenVPN capabilities to the Asus WL-HDD, there is still work to be done:
-check if you can access the other computers on your LAN
Credits
This guide was not written by me. I have been through the guide and tested its functionality- everything worked!
All credit must be given to Propa for putting much time into getting this to work.
Thanks, Jono 11:34, 25 May 2006 (BST)
Categories: VPN | Samba | Firewall

