This shows you the differences between two versions of the page.
computing:vpnserver [2019/06/17 22:57] – oemb1905 | computing:vpnserver [2023/02/11 13:04] – oemb1905 | ||
---|---|---|---|
Line 11: | Line 11: | ||
------------------------------------------- | ------------------------------------------- | ||
- | [Update: | + | This tutorial is for flashing a Netgear WNDR3800 router with openwrt and then building a vpn server on it with openvpn. The instructions here can easily be adapted to other hardware. |
- | Thanks to Jason Schaefer and Geoff Chesshire from [[http://schaeferconsulting.com|Schaefer IT Consulting]] for helping me put this all together! | + | [[http://downloads.openwrt.org|OpenWrt]] |
- | In this tutorial, you will create a vpn server on a WNDR3800 router running LEDE, formerly and still partially known as OpenWrt. | + | It is probably best to stop network manager; after that, assign |
- | + | ||
- | https:// | + | |
- | http:// | + | |
- | + | ||
- | Add an address on the subnet | + | |
sudo systemctl stop network-manager | sudo systemctl stop network-manager | ||
ip a a 192.168.1.105/ | ip a a 192.168.1.105/ | ||
- | Put a paperclip in the reset button while device is off. Keeping | + | Put a paperclip in the reset button while device is off. Keeping |
| | ||
ping 192.168.1.1 | ping 192.168.1.1 | ||
+ | sudo ethtool < | ||
- | If you cannot successfully ping the router, then re-add your interface to the proper subnet and try again. | + | In the past, you would get a " |
- | curl -T ~/ | + | curl -T ~/ |
- | curl -T ~/ | + | |
- | If you are flashing a router for the second or multiple times, you might need to remove | + | After that, wait at least 5-10 minutes before attempting to log in to the device. In fact, before I log in, I prefer to shell into the router, |
- | + | ||
- | ssh-keygen -f "/ | + | |
- | + | ||
- | Now that we have openWRT on the router, | + | |
+ | ssh root@192.168.1.1 | ||
opkg update | opkg update | ||
- | opkg install luci-ssl | + | opkg install |
- | | + | |
+ | opkg upgrade < | ||
| | ||
- | In the config file, one can see that the port 80 lines are commented out in order to reredirect the router to use TLS. Additionally, enter the parameters for the self-signed cert using the options at the bottom of the configuration file shown above. Once you are done, restart | + | Before I get any further, I like to set up https. |
| | ||
+ | nano / | ||
/ | / | ||
- | Now that we have https, we can begin to set up the vpn server | + | Now, let's create custom config directories for openvpn and easy-rsa so they behave better when we are faced with upgrading packages |
- | + | ||
- | https:// | + | |
- | + | ||
- | + | ||
- | Method 1; copying the template directory from your host to the router. | + | |
- | + | ||
- | scp -r openvpnconfig root@192.168.1.1:/ | + | |
- | ssh root@192.168.1.1 | + | |
| | ||
- | Method 2; using wget to download the directory into your router. | + | mkdir / |
- | + | ||
- | ssh root@192.168.1.1 | + | |
- | opkg update | + | |
- | opkg install wget | + | |
- | wget https:// | + | |
- | + | ||
- | If you use this template and the key and config building script inside it, be aware of what it is doing for you; it is zipping the two keys and certificate authority together with the client config in one .zip file for easy downloading using scp. It also uses stock configuration options that can be adjusted as needed. | + | |
- | + | ||
- | opkg update | + | |
- | opkg install zip openvpn-easy-rsa openvpn-openssl nano wget nmap tcpdump curl luci-ssl | + | |
- | + | ||
- | mv / | + | |
mv / | mv / | ||
cd /etc/ | cd /etc/ | ||
ln -s config/ | ln -s config/ | ||
| | ||
- | Specify | + | Now, let's enter the parameters on the vars file which determines |
| | ||
nano / | nano / | ||
| | ||
- | Enter parameters for your openvpn configuration; | + | Now, let's rename |
| | ||
- | | + | |
+ | touch / | ||
+ | touch / | ||
| | ||
- | Examples of this .conf file can be found [[https:// | + | Examples of this .conf file can be found [[https:// |
- | + | ||
- | nano / | + | |
- | + | ||
- | Okay ... in this file, simply link to another file as follows ... all of this is to avoid re-write from easy-rsa and openvpn | + | |
| | ||
##/ | ##/ | ||
package openvpn | package openvpn | ||
- | config openvpn server | + | config openvpn |
option enabled 1 | option enabled 1 | ||
option config / | option config / | ||
- | Now, time to build the certificate authority, the diffie | + | In the second configuration file, do something like this. Remember |
+ | |||
+ | float | ||
+ | port 1194 | ||
+ | proto udp | ||
+ | dev tun | ||
+ | cipher AES-256-CBC | ||
+ | tls-version-min 1.2 | ||
+ | tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384: | ||
+ | dh | ||
+ | ca | ||
+ | key easy-rsa/ | ||
+ | cert easy-rsa/ | ||
+ | ifconfig-pool-persist / | ||
+ | client-config-dir clients | ||
+ | status / | ||
+ | mode server | ||
+ | tls-server | ||
+ | topology subnet | ||
+ | push " | ||
+ | ifconfig < | ||
+ | route-gateway < | ||
+ | push " | ||
+ | ifconfig-pool < | ||
+ | push "route < | ||
+ | |||
+ | Once those configuration files are built, you can now create | ||
| | ||
- | | + | |
- | | + | |
- | build-key-server server | + | easyrsa --batch gen-dh |
+ | | ||
+ | easyrsa --batch build-server-full <server> nopass | ||
- | You can alternately choose to build the dh key on the **// | + | Make sure that the name that you enter for < |
sudo openssl dhparam -out / | sudo openssl dhparam -out / | ||
- | scp / | + | scp / |
- | You can now use the script contained in the template directory that you zipped earlier | + | After this, it is now time to create your keypair |
- | | + | easyrsa --batch build-client-full <clientname> nopass |
| | ||
- | Or, if you did not use the template directory and the script, then change the vars file each time you need a key with the parameters that you desire, and then build the key, crt, and ca manually: | + | It is now time to scp the key, certificate, and authority from the router to your home device: |
- | + | ||
- | nano / | + | |
- | pkitool [clientname] | + | |
- | If you chose not to use the template | + | scp / |
+ | |||
+ | Obviously, I am using an example home subnet here (10.10.10.0), | ||
+ | |||
+ | cd ~ | ||
+ | mkdir vpn-connection | ||
+ | cd vpn-connection | ||
+ | mv ~/ca.crt ~/ | ||
+ | sudo chmod 600 server.key | ||
+ | touch connect-to-vpn.ovpn | ||
+ | sudo chmod 640 server.crt ca.crt connect-to-vpn.ovpn | ||
+ | nano connect-to-vpn.ovpn | ||
| | ||
- | nano / | + | In the config file, enter something like this: |
| | ||
nobind | nobind | ||
float | float | ||
- | comp-lzo | ||
cipher AES-256-CBC | cipher AES-256-CBC | ||
dev tun | dev tun | ||
- | remote | + | remote |
client | client | ||
tls-exit | tls-exit | ||
ca ca.crt | ca ca.crt | ||
- | cert <client>.crt | + | cert <clientname>.crt |
- | key <client>.key | + | key <clientname>.key |
remote-cert-tls server | remote-cert-tls server | ||
mute 5 | mute 5 | ||
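Review bot: the client-side file handling in this hunk does not match the client config it feeds. `sudo chmod 600 server.key` and `sudo chmod 640 server.crt ca.crt connect-to-vpn.ovpn` name `server.key` and `server.crt`, but the config written at the end of the hunk references `cert <clientname>.crt` and `key <clientname>.key`, which are the files `easyrsa --batch build-client-full <clientname> nopass` produces. The workstation should hold only its own client key and certificate plus `ca.crt`; the `<server>` private key stays on the router and is never part of the `scp` bundle. Second, the new server config sets `tls-version-min 1.2` and the client sets `remote-cert-tls server`, which is right, but there is no `tls-auth` or `tls-crypt` line, so the control channel on `port 1194`/`proto udp` will negotiate with any unauthenticated peer; a `tls-crypt` key generated on the router and shipped with the client bundle closes that. Third, `nopass` keys stored `0600` are protected only by the workstation account, which is worth a sentence next to the `chmod` lines. Dropping `comp-lzo` from the client config is the right call.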
Line 140: | Line 147: | ||
# | # | ||
- | You are now ready to set up the interfaces and firewall zones for the router using the web panel. | + | Now that your client workstation is ready to test the connection, we need to return to setting |
/ | / | ||
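Review bot: the replacement sentence stops at "setting" and no longer names the step the removed sentence spelled out (creating the interface and firewall zones in the web panel). That step is the security-relevant one: the server listens on `port 1194`/`proto udp`, so the firewall rule that admits it from WAN and the zone the `tun` interface is placed in decide what connected VPN clients can reach on the LAN. State both explicitly here instead of deferring them.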
Line 147: | Line 154: | ||
31296 root 1356 S grep openvpn | 31296 root 1356 S grep openvpn | ||
- | If you did not get this output, then you should debug your configuration by running | + | This is the output you want, showing that the service is running. |
openvpn / | openvpn / | ||
- | |||
- | Now that the service is running and you have a client config, you can use the openWRT web page to create an interface and a firewall zone. Go to interfaces, add interface and name it VPN, select tun0 (unmanaged). | ||
- | {{ : | + | Now that the service is running, let's log in to the router and adjust the settings a bit. In your web browser, visit 192.168.1.1, and log in/change password. |
- | {{ : | + | |
- | {{ : | + | |
- | Now that you have a client configuration file set up, and the interfaces and firewall zones set up, you can install openvpn on your host; and be aware of how to execute the client | + | cd ~/ |
+ | sudo openvpn connect-to-vpn.ovpn | ||
+ | |||
+ | Since you did not suppress standard output, you should get the following the message, " | ||
- | | + | |
- | cd ~/directory/where/thekeys/youmade/above/are/ | + | |
- | | + | |
- | To enable TLS and separately to enable a strong cipher, use these settings on the server configuration. | + | -- -- -- -- -- |
- | | + | Thanks to Jason Schaefer and Geoff Chesshire from [[http://schaeferconsulting.com|Schaefer IT Consulting]]. |
- | tls-version-min 1.2 | + | |
- | tls-cipher | + | |
- | cipher AES-256-CBC | + | |
- | + | ||
- | Key, ca, and .ovpn permissions, | + | |
- | + | ||
- | sudo chmod 600 clientname.key | + | |
- | sudo chmod 640 clientname.crt | + | |
- | sudo chmod 640 ca.crt | + | |
- | sudo chmod 640 clientconfigname.ovpn | + | |
- | + | ||
- | Thanks! | + | |
- | + | ||
- | Addenda | + | |
- | + | ||
- | * dhcp-opkg. | + | |
- | * dropbear_rsa_host_key-opkg. | + | |
- | * dropbear-opkg. | + | |
- | + | ||
- | + | ||
- | search for /etc/easy-rsa/openssl ... | + | |
- | change the " | + | |
- | + | ||
- | add p flag to scp when copying | + | |
- | + | ||
- | 1) flash | + | |
- | 2) opkg upgraded with vi shit and made big string | + | |
- | 3) after that saw -opkg different files and compared, overwriting old ones with new, except be careful on dropbear with 0 kb one | + | |
- | 4) edit not just /etc/config/uhttpd but also edit /etc/easy-rsa/openssl … | + | |
- | + | ||
- | copy the etc/ | + | |
- | + | ||
- | common package upgrades | + | |
- | + | ||
- | base-files busybox dnsmasq dropbear firewall fstools fwtool hostapd-common ip6tables iptables iw iwinfo jshn jsonfilter kernel kmod-ath kmod-ath9k kmod-ath9k-common kmod-cfg80211 kmod-gpio-button-hotplug kmod-ip6tables kmod-ipt-conntrack kmod-ipt-core kmod-ipt-nat kmod-leds-wndr3700-usb kmod-lib-crc-ccitt kmod-mac80211 kmod-nf-conntrack kmod-nf-conntrack6 kmod-nf-ipt kmod-nf-ipt6 kmod-nf-nat kmod-nls-base kmod-ppp kmod-pppoe kmod-pppox kmod-slhc kmod-usb-core kmod-usb-ledtrig-usbport kmod-usb-ohci kmod-usb2 lede-keyring libblobmsg-json libc libgcc libip4tc libip6tc libiwinfo libiwinfo-lua libjson-c libjson-script liblua libnl-tiny libpthread libubox libubus libubus-lua libuci libuci-lua libuclient libxtables logd lua luci luci-app-firewall luci-base luci-lib-ip luci-lib-jsonc luci-lib-nixio luci-mod-admin-full luci-proto-ipv6 luci-proto-ppp luci-theme-bootstrap mtd netifd odhcp6c odhcpd opkg ppp ppp-mod-pppoe procd rpcd swconfig uboot-envtools ubox ubus ubusd uci uclient-fetch uhttpd uhttpd-mod-ubus usign wpad-mini | + | |
- | + | ||
- | This tutorial is a designated " | + | |
- | --- //[[netcmnd@jonathanhaack.com|oemb1905]] | + | --- //[[jonathan@haacksnetworking.com|oemb1905]] |