This shows you the differences between two versions of the page.
computing:vpnserver [2018/05/18 08:39] – oemb1905 | computing:vpnserver [2020/03/23 15:47] – oemb1905 | ||
Line 11: | Line 11: | ||
------------------------------------------- | ------------------------------------------- | ||
- | Thanks to Jason Schaefer | + | This tutorial is for flashing a Netgear WNDR3800 router with openwrt |
- | In this tutorial, you will create a vpn server on a WNDR3800 router running LEDE, formerly and still partially known as OpenWrt. | + | [[http://downloads.openwrt.org|OpenWrt]] |
- | https:// | + | It is probably best to stop network manager; after that, assign a local ip address |
- | http:// | + | |
- | + | ||
- | Add an address on the subnet | + | |
sudo systemctl stop network-manager | sudo systemctl stop network-manager | ||
ip a a 192.168.1.105/ | ip a a 192.168.1.105/ | ||
- | Put a paperclip in the reset button while device is off. Keeping | + | Put a paperclip in the reset button while device is off. Keeping |
| | ||
ping 192.168.1.1 | ping 192.168.1.1 | ||
+ | sudo ethtool < | ||
- | If you cannot successfully ping the router, then re-add your interface to the proper subnet and try again. | + | In the past, you would get a " |
- | curl -T ~/ | + | curl -T ~/ |
- | curl -T ~/ | + | |
- | If you are flashing a router for the second or multiple times, you might need to remove | + | After that, wait at least 5-10 minutes before attempting to log in to the device. In fact, before I log in, I prefer to shell into the router, |
- | + | ||
- | ssh-keygen -f "/ | + | |
- | + | ||
- | Now that we have openWRT on the router, | + | |
+ | ssh root@192.168.1.1 | ||
opkg update | opkg update | ||
- | opkg install luci-ssl | + | opkg install |
- | | + | |
- | + | opkg upgrade < | |
- | In the config file, comment out the port 80 lines to redirect the router to use TLS. Additionally, | + | |
| | ||
+ | Before I get any further, I like to set up https. | ||
+ | | ||
+ | nano / | ||
/ | / | ||
- | Now that we have https, we can begin to set up the vpn server | + | Now, let's create custom config directories for openvpn and easy-rsa so they behave better when we are faced with upgrading packages |
- | + | ||
- | https:// | + | |
- | + | ||
- | + | ||
- | Method 1; copying the template directory from your host to the router. | + | |
- | + | ||
- | scp -r openvpnconfig root@192.168.1.1:/ | + | |
- | ssh root@192.168.1.1 | + | |
| | ||
- | Method 2; using wget to download the directory into your router. | + | mkdir / |
- | + | ||
- | ssh root@192.168.1.1 | + | |
- | opkg update | + | |
- | opkg install wget | + | |
- | wget https:// | + | |
- | + | ||
- | If you use this template and the key and config building script inside it, be aware of what it is doing for you; it is zipping the two keys and certificate authority together with the client config in one .zip file for easy downloading using scp. It also uses stock configuration options that can be adjusted as needed. | + | |
- | + | ||
- | opkg update | + | |
- | opkg install zip openvpn-easy-rsa openvpn-openssl nano wget nmap tcpdump | + | |
- | + | ||
- | mv / | + | |
mv / | mv / | ||
cd /etc/ | cd /etc/ | ||
ln -s config/ | ln -s config/ | ||
| | ||
- | Specify | + | Now, let's enter the parameters on the vars file which determines |
| | ||
nano / | nano / | ||
| | ||
- | # easy-rsa parameter settings | + | Now, let's rename the original config |
- | # NOTE: If you installed from an RPM, | + | |
- | # don't edit this file in place in | + | |
- | # / | + | |
- | # instead, you should copy the whole | + | |
- | # easy-rsa directory to another location | + | |
- | # (such as / | + | |
- | # edits will not be wiped out by a future | + | |
- | # OpenVPN package upgrade. | + | |
- | # This variable should point to | + | |
- | # the top level of the easy-rsa | + | |
- | # tree. | + | |
- | export EASY_RSA="/ | + | |
- | # This variable should point to | + | |
- | # the requested executables | + | |
- | export OPENSSL=" | + | |
- | export PKCS11TOOL=" | + | |
- | export GREP=" | + | |
- | # This variable should point to | + | |
- | # the openssl.cnf file included | + | |
- | # with easy-rsa. | + | |
- | export KEY_CONFIG=`/ | + | |
- | # Edit this variable to point to | + | |
- | # your soon-to-be-created key | + | |
- | # directory. | + | |
- | # WARNING: clean-all will do | + | |
- | # a rm -rf on this directory | + | |
- | # so make sure you define | + | |
- | # it correctly! | + | |
- | export KEY_DIR=" | + | |
- | # Issue rm -rf warning | + | |
- | echo NOTE: If you run ./ | + | |
- | # PKCS11 fixes | + | |
- | export PKCS11_MODULE_PATH=" | + | |
- | export PKCS11_PIN=" | + | |
- | # Increase this to 2048 if you | + | |
- | # are paranoid. | + | |
- | # down TLS negotiation performance | + | |
- | # as well as the one-time DH parms | + | |
- | # generation process. | + | |
- | export KEY_SIZE=2048 | + | |
- | # In how many days should the root CA key expire? | + | |
- | export CA_EXPIRE=7305 | + | |
- | # In how many days should certificates expire? | + | |
- | export KEY_EXPIRE=7305 | + | |
- | # These are the default values for fields | + | |
- | # which will be placed in the certificate. | + | |
- | # Don't leave any of these fields blank. | + | |
- | export KEY_COUNTRY=" | + | |
- | export KEY_PROVINCE=" | + | |
- | export KEY_CITY=" | + | |
- | export KEY_ORG=" | + | |
- | export KEY_EMAIL=" | + | |
- | export KEY_OU=" | + | |
- | # X509 Subject Field | + | |
- | export KEY_NAME=" | + | |
- | # PKCS11 Smart Card | + | |
- | # export PKCS11_MODULE_PATH="/ | + | |
- | # export PKCS11_PIN=1234 | + | |
- | # If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below | + | |
- | # You will also need to make sure your OpenVPN server config has the duplicate-cn option set | + | |
- | # export KEY_CN=" | + | |
| | ||
- | Enter parameters for your openvpn | + | mv / |
+ | touch / | ||
+ | touch / | ||
| | ||
- | nano /etc/config/ | + | Examples of this .conf file can be found [[https://codetalkers.services|HERE]] |
| | ||
+ | ##/ | ||
+ | package openvpn | ||
+ | config openvpn < | ||
+ | option enabled 1 | ||
+ | option config / | ||
+ | |||
+ | In the second configuration file, do something like this. Remember to change all the < | ||
+ | |||
float | float | ||
port 1194 | port 1194 | ||
proto udp | proto udp | ||
dev tun | dev tun | ||
- | comp-lzo yes | ||
cipher AES-256-CBC | cipher AES-256-CBC | ||
tls-version-min 1.2 | tls-version-min 1.2 | ||
- | tls-cipher | + | tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384: |
- | dh | + | dh |
- | ca | + | ca |
- | key easy-rsa/keys/ | + | key easy-rsa/pki/ |
- | cert easy-rsa/keys/server.crt | + | cert easy-rsa/pki/ |
- | #crl-verify / | + | |
ifconfig-pool-persist / | ifconfig-pool-persist / | ||
client-config-dir clients | client-config-dir clients | ||
status / | status / | ||
- | ## | ||
- | #server [192.xx.xx.0 255.255.255.0] | ||
- | ##begin VPN options for static ip mode (mode server)## | ||
mode server | mode server | ||
tls-server | tls-server | ||
topology subnet | topology subnet | ||
push " | push " | ||
- | ifconfig | + | ifconfig |
- | route-gateway | + | route-gateway |
- | push " | + | push " |
- | ifconfig-pool | + | ifconfig-pool |
- | ##end VPN options for static ip## | + | push " |
- | ##general LAN options## | + | |
- | push "route 192.168.1.0 255.255.255.0" | + | |
- | push " | + | |
- | push " | + | |
- | client-to-client | + | |
- | mute 5 | + | |
- | log / | + | |
- | keepalive 10 120 | + | |
- | persist-key | + | |
- | persist-tun | + | |
- | + | ||
- | Specify where the openvpn configuration is to be found; example provided below the text editor command. | + | |
- | + | ||
- | nano / | + | |
- | + | ||
- | ##/ | + | |
- | package openvpn | + | |
- | config openvpn server | + | |
- | option enabled 1 | + | |
- | option config / | + | |
- | Now, time to build the certificate authority, the diffy helman | + | Once those configuration files are built, you can now create |
| | ||
- | | + | |
- | | + | |
- | build-key-server server | + | easyrsa --batch gen-dh |
+ | | ||
+ | easyrsa --batch build-server-full <server> nopass | ||
- | You can alternately choose to build the dh key on the **// | + | Make sure that the name that you enter for < |
sudo openssl dhparam -out / | sudo openssl dhparam -out / | ||
- | scp / | + | scp / |
- | You can now use the script contained in the template directory that you zipped earlier | + | After this, it is now time to create your keypair |
- | | + | easyrsa --batch build-client-full <clientname> nopass |
| | ||
- | Or, if you did not use the template directory and the script, then change the vars file each time you need a key with the parameters that you desire, and then build the key, crt, and ca manually: | + | It is now time to scp the key, certificate, and authority from the router to your home device: |
- | + | ||
- | nano / | + | |
- | pkitool [clientname] | + | |
- | If you chose not to use the template and script, then on each client you will need to create a config file with something like the following parameters; adjust these parameters as needed: | + | scp / |
| | ||
- | nano /directory/to/keep/openvpn/keys/clientconfigname.ovpn | + | Obviously, I am using an example home subnet here (10.10.10.0), |
+ | |||
+ | cd ~ | ||
+ | mkdir vpn-connection | ||
+ | cd vpn-connection | ||
+ | mv ~/ca.crt ~/server.key ~/server.crt ~/vpn-connection/ | ||
+ | sudo chmod 600 server.key | ||
+ | touch connect-to-vpn.ovpn | ||
+ | sudo chmod 640 server.crt ca.crt connect-to-vpn.ovpn | ||
+ | nano connect-to-vpn.ovpn | ||
+ | |||
+ | In the config file, enter something like this: | ||
| | ||
nobind | nobind | ||
float | float | ||
- | comp-lzo | ||
cipher AES-256-CBC | cipher AES-256-CBC | ||
dev tun | dev tun | ||
- | remote | + | remote |
client | client | ||
tls-exit | tls-exit | ||
ca ca.crt | ca ca.crt | ||
- | cert <client>.crt | + | cert <clientname>.crt |
- | key <client>.key | + | key <clientname>.key |
remote-cert-tls server | remote-cert-tls server | ||
mute 5 | mute 5 | ||
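Review bot: the client-side file handling in the new text is inconsistent with the client config it feeds: the files moved into the client directory are the server's own key and certificate (`mv ~/ca.crt ~/server.key ~/server.crt ~/vpn-connection/`, then `sudo chmod 600 server.key`), while the client config references `cert <clientname>.crt` and `key <clientname>.key`, which are what `easyrsa --batch build-client-full <clientname> nopass` produces. The server private key should stay on the router; the scp and mv steps should copy `<clientname>.key`, `<clientname>.crt` and `ca.crt` only, so the filenames match the config and the server key is never distributed. Separately, the new server config drops the old `#crl-verify` line entirely: without `crl-verify` pointing at a CRL generated by `easyrsa gen-crl`, a client certificate you later revoke will still be accepted, so consider keeping that line (uncommented) and documenting the revocation step.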
Line 238: | Line 147: | ||
# | # | ||
- | You are now ready to set up the interfaces and firewall zones for the router using the web panel. | + | Now that your client workstation is ready to test the connection, we need to return to setting |
/ | / | ||
Line 245: | Line 154: | ||
31296 root 1356 S grep openvpn | 31296 root 1356 S grep openvpn | ||
- | If you did not get this output, then you should debug your configuration by running | + | This is the output you want, showing that the service is running. |
openvpn / | openvpn / | ||
- | |||
- | Now that the service is running and you have a client config, you can use the openWRT web page to create an interface and a firewall zone. Go to interfaces, add interface and name it VPN, select tun0 (unmanaged). | ||
- | {{ : | + | Now that the service is running, let's log in to the router and adjust the settings a bit. In your web browser, visit 192.168.1.1, and log in/change password. |
- | {{ : | + | |
- | {{ : | + | |
- | Now that you have a client configuration file set up, and the interfaces and firewall zones set up, you can install openvpn on your host; and be aware of how to execute the client - server handshake, thus initiating the openvpn connection. | + | |
- | + | sudo openvpn | |
- | sudo apt install openvpn | + | |
- | | + | Since you did not suppress standard output, you should get the following the message, " |
- | sudo openvpn | + | |
- | + | ||
- | To enable TLS and separately | + | |
- | + | ||
- | | + | |
- | tls-version-min 1.2 | + | |
- | tls-cipher | + | |
- | cipher AES-256-CBC | + | |
- | Key, ca, and .ovpn permissions, | + | * [[https:// |
+ | * [[https:// | ||
- | sudo chmod 600 clientname.key | + | -- -- -- -- -- |
- | sudo chmod 640 clientname.crt | + | |
- | sudo chmod 640 ca.crt | + | |
- | sudo chmod 640 clientconfigname.ovpn | + | |
- | Thanks! | + | Thanks |
- | --- //[[netcmnd@jonathanhaack.com|oemb1905]] | + | --- //[[jonathan@haacksnetworking.com|oemb1905]] |
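Review bot: the ps output presented as proof that the service is running (`31296 root 1356 S grep openvpn`) is the grep process matching itself, not the OpenVPN daemon, so the new sentence "This is the output you want, showing that the service is running" can mislead a reader whose server actually failed to start. Suggest checking with `ps | grep '[o]penvpn'` (the bracket keeps grep from matching its own command line) and treating only a line whose command is the `openvpn` binary with the config path as evidence; if nothing appears, fall back to running `openvpn /etc/...conf` in the foreground as the old text recommended to see the error. Minor: "you should get the following the message" has a doubled "the".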