computing:vpnserver [2018/05/17 15:38] – created oemb1905 | computing:vpnserver [2020/03/22 23:47] – oemb1905 | ||
---|---|---|---|
Line 1: | Line 1: | ||
------------------------------------------- | ------------------------------------------- | ||
- | #**vpnserver** | + | * **vpnserver** |
+ | * **Jonathan Haack** | ||
+ | * **Haack' | ||
+ | * **netcmnd@jonathanhaack.com** | ||
------------------------------------------- | ------------------------------------------- | ||
- | In this tutorial, you will create a vpn server on a WNDR3800 router running openWRT. | + | // |
- | https://downloads.openwrt.org/chaos_calmer/15.05.1/ | + | ------------------------------------------- |
- | + | ||
- | Get on the proper subnet, and stop the network-manager | + | Thanks to Jason Schaefer and Geoff Chesshire from [[http://schaeferconsulting.com|Schaefer IT Consulting]]. |
+ | |||
+ | [[http://downloads.openwrt.org|OpenWrt]] | ||
+ | |||
+ | It is probably best to stop network manager; after that, assign | ||
sudo systemctl stop network-manager | sudo systemctl stop network-manager | ||
- | ip a a 192.168.1.105/ | + | ip a a 192.168.1.105/ |
- | Put a paperclip in the reset button while device is off. Keeping | + | Put a paperclip in the reset button while device is off. Keeping |
| | ||
ping 192.168.1.1 | ping 192.168.1.1 | ||
+ | sudo ethtool < | ||
- | If you cannot successfully ping the router, then re-add your interface to the proper sub net and try again. | + | In the past, you would get a " |
- | curl -T ~/ | + | curl -T ~/ |
- | Now that we have openWRT on the router, we should enable https for the web admin panel. First, verify that you completed | + | After that, wait at least 5-10 minutes before attempting to log in to the device. In fact, before I log in, I prefer to shell into the router, update, install, and then upgrade all packages first. In order to do this, make sure to plug in an ethernet cable from your current LAN into the WAN port on the router so it can route. |
+ | ssh root@192.168.1.1 | ||
opkg update | opkg update | ||
- | opkg install luci-ssl | + | opkg install |
- | | + | |
- | + | opkg upgrade < | |
- | In the config file, comment out the port 80 lines to prohibit using the router with https. | + | |
| | ||
+ | Before I get any further, I like to set up https. | ||
+ | | ||
+ | nano / | ||
/ | / | ||
- | Now that we have https, we can begin to set up the vpn server on the WNDR. Using the template files in the directory openvpnconfig, | + | Now, let's create custom config directories |
- | + | ||
- | scp -r openvpnconfig root@[openwrt]:/ | + | |
- | ssh root@[openwrt] | + | |
- | + | ||
- | Simplified instructions, | + | |
- | + | ||
- | | + | |
- | + | ||
- | | + | |
- | opkg install zip openvpn-easy-rsa openvpn-openssl nano wget nmap tcpdump | + | |
- | + | ||
- | mv / | + | |
mv / | mv / | ||
cd /etc/ | cd /etc/ | ||
ln -s config/ | ln -s config/ | ||
+ | | ||
+ | Now, let's enter the parameters on the vars file which determines how the openvpn server will be built, and also drives the default parameters for your client keys. I suggest editing the expiration date and the organization parameters (minimally). | ||
+ | | ||
nano / | nano / | ||
- | | + | |
- | | + | Now, let's rename the original config file, and then create two custom configuration files as follows: |
+ | |||
+ | mv / | ||
+ | touch / | ||
+ | touch / | ||
+ | | ||
+ | Examples of this .conf file can be found [[https:// | ||
+ | |||
+ | ##/ | ||
+ | package openvpn | ||
+ | config openvpn < | ||
+ | option enabled 1 | ||
+ | option config / | ||
- | build-ca | + | In the second configuration file, do something like this. Remember to change all the < |
- | build-dh [takes a long time] | + | |
- | build-key-server server | + | |
- | You can alternately choose to build the dh key on the **//__host__//** machine | + | float |
+ | port 1194 | ||
+ | proto udp | ||
+ | dev tun | ||
+ | cipher AES-256-CBC | ||
+ | tls-version-min 1.2 | ||
+ | tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384: | ||
+ | dh | ||
+ | ca | ||
+ | key easy-rsa/ | ||
+ | cert easy-rsa/ | ||
+ | ifconfig-pool-persist / | ||
+ | client-config-dir clients | ||
+ | status / | ||
+ | mode server | ||
+ | tls-server | ||
+ | topology subnet | ||
+ | push " | ||
+ | ifconfig < | ||
+ | route-gateway < | ||
+ | push " | ||
+ | ifconfig-pool < | ||
+ | push "route < | ||
+ | |||
+ | Once those configuration files are built, you can now create | ||
+ | |||
+ | cd /etc/config/openvpnconfig/easy-rsa/ | ||
+ | easyrsa --batch init-pki | ||
+ | easyrsa --batch gen-dh | ||
+ | easyrsa --batch build-ca nopass | ||
+ | easyrsa --batch build-server-full < | ||
+ | |||
+ | Make sure that the name that you enter for < | ||
sudo openssl dhparam -out / | sudo openssl dhparam -out / | ||
- | scp / | + | scp / |
- | You can now use the script contained in the template directory that you zipped earlier | + | After this, it is now time to create your keypair |
- | | + | easyrsa --batch build-client-full < |
| | ||
- | Or, if you did not use the template directory and the script, then change the vars file each time you need a key with the parameters that you desire, and then build the key, crt, and ca manually: | + | It is now time to scp the key, certificate, and authority from the router to your home device: |
- | + | ||
- | nano / | + | |
- | pkitool [username] | + | |
- | If you chose not to use the template and script, then on each client you will need to create a config file with something like the following parameters; adjust these parameters as needed: | + | scp / |
| | ||
- | nano /directory/to/keep/openvpn/keys/clientconfigname.ovpn | + | Obviously, I am using an example home subnet here (10.10.10.0), |
+ | |||
+ | cd ~ | ||
+ | mkdir vpn-connection | ||
+ | cd vpn-connection | ||
+ | mv ~/ca.crt ~/server.key ~/server.crt ~/vpn-connection/ | ||
+ | sudo chmod 600 server.key | ||
+ | touch connect-to-vpn.ovpn | ||
+ | sudo chmod 640 server.crt ca.crt connect-to-vpn.ovpn | ||
+ | nano connect-to-vpn.ovpn | ||
+ | |||
+ | In the config file, enter something like this: | ||
| | ||
nobind | nobind | ||
float | float | ||
- | comp-lzo | ||
cipher AES-256-CBC | cipher AES-256-CBC | ||
dev tun | dev tun | ||
- | remote | + | remote |
client | client | ||
tls-exit | tls-exit | ||
ca ca.crt | ca ca.crt | ||
- | cert <client>.crt | + | cert <clientname>.crt |
- | key <client>.key | + | key <clientname>.key |
remote-cert-tls server | remote-cert-tls server | ||
mute 5 | mute 5 | ||
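Review bot: the client bundle step `mv ~/ca.crt ~/server.key ~/server.crt ~/vpn-connection/` (followed by `sudo chmod 600 server.key`) moves files named server.key and server.crt into the client directory, while the client config in this same hunk expects `cert <clientname>.crt` and `key <clientname>.key` and the preceding `easyrsa --batch build-client-full` line produces client-named files; the mv should reference the client's own key and certificate, and the server's private key should not be copied off the router at all. Two smaller points: `easyrsa --batch build-ca nopass` leaves an unencrypted CA private key on the router next to the server key, so anyone who can read the router's filesystem can mint client certificates; either state that trade-off in the text or keep the CA material off the device. The `sudo` in front of chmod and touch on files in the user's own home directory is unnecessary and should be dropped. Removing `comp-lzo` from the client config is the right call; make sure the server config in this hunk omits compression as well.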
Line 93: | Line 147: | ||
# | # | ||
- | You are now ready to set up the interfaces and firewall zones for the router using the web panel. | + | Now that your client workstation is ready to test the connection, we need to return to setting |
/ | / | ||
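Review bot: the visible part of the replacement sentence ("Now that your client workstation is ready to test the connection, we need to return to setting") no longer names the interfaces and firewall zones that the removed sentence pointed the reader to; keep "interfaces and firewall zones" in the new wording so the reader knows which router settings this section is about to cover.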
Line 100: | Line 154: | ||
31296 root 1356 S grep openvpn | 31296 root 1356 S grep openvpn | ||
- | If you did not get this output, then you should debug your configuration by running | + | This is the output you want, showing that the service is running. |
openvpn / | openvpn / | ||
- | |||
- | Now that the service is running and you have a client config, you can use the openWRT web page to create an interface and a firewall zone. Go to interfaces, add interface and name it VPN, select tun0 (unmanaged). | ||
- | {{ : | + | Now that the service is running, let's log in to the router and adjust the settings a bit. In your web browser, visit 192.168.1.1, and log in/change password. |
- | {{ : | + | |
- | {{ : | + | |
- | {{ : | + | |
- | {{ :computing: | + | |
- | Now that you have a client configuration file set up, and the interfaces and firewall zones set up, you can install openvpn on your host; and be aware of how to execute the client - server handshake, thus initiating the openvpn connection. | + | |
- | + | sudo openvpn | |
- | sudo apt install openvpn | + | |
- | | + | Since you did not suppress standard output, you should get the following the message, " |
- | sudo openvpn | + | |
- | + | ||
- | To enable TLS and separately | + | |
- | + | ||
- | | + | |
- | tls-version-min 1.2 | + | |
- | tls-cipher | + | |
- | cipher AES-256-CBC | + | |
- | + | ||
- | Key permissions | + | |
- | 640 for everything except the private key and 600 for that ... | + | --- // |
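Review bot: the process listing kept as evidence that the daemon is up (`31296 root 1356 S grep openvpn`) shows only the grep process matching itself, so the new sentence "This is the output you want, showing that the service is running." is wrong as written; the check needs the openvpn daemon's own process line (for example `ps | grep '[o]penvpn'`, which excludes the grep) before concluding the service started, and the removed advice to debug by running `openvpn /...` in the foreground is still the useful fallback when it has not. Also, this hunk deletes the step that created the VPN interface on tun0 (unmanaged) and its firewall zone, and the replacement "let's log in to the router and adjust the settings a bit" does not say what to adjust; without a zone and forwarding rule for tun0 the tunnel comes up but the router will not forward client traffic, so keep those steps explicit. The removed TLS lines (tls-version-min 1.2, tls-cipher, cipher AES-256-CBC) and the key-permission note (600 for the private key, 640 for everything else) are now covered by the server config and chmod lines in the first hunk, so those removals are fine.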