computing:vpnserver [2018/05/17 16:19] oemb1905computing:vpnserver [2023/02/11 13:04] oemb1905
Line 1: Line 1:
 ------------------------------------------- -------------------------------------------
-#**vpnserver**+  * **vpnserver**  
 +  * **Jonathan Haack** 
 +  * **Haack's Networking** 
 +  * **netcmnd@jonathanhaack.com** 
 ------------------------------------------- -------------------------------------------
  
-In this tutorial, you will create a vpn server on a WNDR3800 router running LEDE.  Download the image as follows:+//vpnserver// 
  
-  https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/openwrt-15.05.1-ar71xx-generic-wndr3800-squashfs-factory.img +------------------------------------------- 
-  http://downloads.lede-project.org/releases/17.01.4/targets/ar71xx/generic/lede-17.01.4-ar71xx-generic-wndr3800-squashfs-factory.img + 
-   +This tutorial is for flashing a Netgear WNDR3800 router with openwrt and then building a vpn server on it with openvpn.  The instructions here can easily be adapted to other hardware.  First, download the stable release: 
-Add an address on the subnet of the router, and stop the network-manager from hijacking connection.  Run ip a to obtain your interface name, as it may not be eth0.  + 
 +[[http://downloads.openwrt.org|OpenWrt]] 
 + 
 +It is probably best to stop network manager; after that, assign a local ip address (on the same subnet as the routerto your network interface.  
  
   sudo systemctl stop network-manager   sudo systemctl stop network-manager
   ip a a 192.168.1.105/24 dev <eth0>   ip a a 192.168.1.105/24 dev <eth0>
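Review bot: the download step at the top of the hunk no longer names an image or says how to verify it, and the ip command below is missing sudo. The two explicit image URLs were replaced by a bare link to downloads.openwrt.org, so the reader cannot tell which file to fetch; the WNDR3800 TFTP recovery needs the "-squashfs-factory.img" image (not the sysupgrade image), and every OpenWrt release directory ships a "sha256sums" file and a GPG-signed "sha256sums.asc" next to the images, so name the file and have the reader check its SHA-256 against that list before flashing, because a corrupt or tampered image is exactly what TFTP will commit to flash without complaint. Separately, "ip a a 192.168.1.105/24 dev <eth0>" needs root just like the systemctl line above it; without sudo the address is never added and the later ping fails for a reason unrelated to the router.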
  
-Put a paperclip in the reset button while device is off.  Keeping it in, turn the device on, wait for flashing green.  Be patient and do not turn power off or anything else during this process.  First, ping the router.  +Put a paperclip in the reset button while device is off.  Keeping the paperclick depressed in the reset button gently, turn the device on, keeping the paperclip in and depressed until there is a flashing green light.  At this pointI usually ping the router and/or run ethtool
      
   ping 192.168.1.1    ping 192.168.1.1 
 +  sudo ethtool <eth0>
  
-If you cannot successfully ping the routerthen re-add your interface to the proper sub net and try again.  If you can, then the curl command below should work.  You know you succeeded if you get an error about "taking countermeasures" while pinging the device.  Once that is doneexecute the curl command as follows in order to flash the router with LEDE:+In the past, you would get "taking countermeasures" response while pinging the device.  At other times, ping just hangs (but it is connected).  At any rate, after you are connected, flash the image with curl and tftp:
  
-  curl -T ~/Downloads/openwrt-15.05.1-ar71xx-generic-wndr3800-squashfs-factory.img tftp://192.168.1.1 +  curl -T ~/Downloads/openwrt-latest.img tftp://192.168.1.1
-  curl -T ~/Downloads/lede-17.01.4-ar71xx-generic-wndr3800-squashfs-factory.img tftp://192.168.1.1+
  
-Now that we have openWRT on the routerwe should enable https for the web admin panel before proceeding with anything else Firstverify that you completed the above steps correctly by visiting 192.168.1.1 in your web browser of choice.+After that, wait at least 5-10 minutes before attempting to log in to the deviceIn factbefore I log in, I prefer to shell into the router, update, install, and then upgrade all packages first In order to do this, make sure to plug in an ethernet cable from your current LAN into the WAN port on the router so it can route 
  
 +  ssh root@192.168.1.1
   opkg update   opkg update
-  opkg install luci-ssl +  opkg install gzip openvpn-easy-rsa openvpn-openssl nano wget nmap tcpdump curl luci-ssl 
-  nano /etc/config/uhttpd  +  opkg list-upgradable 
- +  opkg upgrade <package> 
-In the config file, comment out the port 80 lines to prohibit using the router with https.  Additionally, enter the parameters for the self-signed cert using the options at the bottom of the configuration file Once you are donerestart the service and build the cert.+   
 +Before I get any further, I like to set up https.  When you edit the config file, change the expiry dates to something large, enter your email/org, etc., and then start the service.
      
 +  nano /etc/config/uhttpd   
   /etc/init.d/uhttpd restart    /etc/init.d/uhttpd restart 
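Review bot: the first-login sequence (ssh root@192.168.1.1, opkg update, opkg install) runs against a router whose root account has no password yet, and the text only gets to "log in/change password" in the LuCI step near the end. Run "passwd" immediately after the first ssh and before the WAN port is cabled into the existing LAN, because a fresh OpenWrt image accepts a passwordless root login over both dropbear and the web interface. Two points on the uhttpd step: the previous revision disabled the port 80 listeners and the new text no longer does, so either remove the listen_http entries in /etc/config/uhttpd or set "option redirect_https 1", otherwise LuCI credentials can still travel in clear text; and uhttpd only generates the self-signed certificate when /etc/uhttpd.crt and /etc/uhttpd.key are absent, so if a certificate already exists the edited expiry and organisation fields take effect only after deleting those two files and restarting. Finally, the OpenWrt documentation discourages "opkg upgrade" of base packages on flash-constrained devices; limit it to the packages just installed.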
  
-Now that we have https, we can begin to set up the vpn server on the WNDR.  Using the template files in the directory openvpnconfig, download them to the router for ease, or use scp.  (You can optionally configure everything without the template.)   +Now, let's create custom config directories for openvpn and easy-rsa so they behave better when we are faced with upgrading packages on the router.  
- +
-Method 1; copying the template directory from your host to the router. +
- +
-  scp -r openvpnconfig root@192.168.1.1:/etc/config/ +
-  ssh root@192.168.1.1+
      
-Method 2; using wget to download the directory into your router.   +  mkdir /etc/config/openvpnconfig/
-   +
-  ssh root@192.168.1.1 +
-  opkg update +
-  opkg install wget +
-  wget https://educationaction.biz/vpn/openvpnconfig.zip +
- +
-If you use this template and the key and config building script inside it, be aware of what it is doing for you; it is zipping the two keys and certificate authority together with the client config in one .zip file for easy downloading using scp.  It also uses stock configuration options that can be adjusted as needed.  Ok, let's set up the server now that we have our config template: +
- +
-  opkg update +
-  opkg install zip openvpn-easy-rsa openvpn-openssl nano wget nmap tcpdump  +
- +
-  mv /etc/config/openvpnconfig/openvpn /etc/config/+
   mv /etc/easy-rsa /etc/config/openvpnconfig/   mv /etc/easy-rsa /etc/config/openvpnconfig/
   cd /etc/   cd /etc/
   ln -s config/openvpnconfig/easy-rsa ./   ln -s config/openvpnconfig/easy-rsa ./
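Review bot: moving /etc/easy-rsa under /etc/config and symlinking it back changes what survives a sysupgrade and what ends up in backups, and this step should say so. Everything under /etc/config is preserved across sysupgrade and included in "sysupgrade -b" archives, so once the CA and server private keys are built below they will be inside every configuration backup taken from this router; treat those archives as secrets. The symlink /etc/easy-rsa itself is not under /etc/config and is dropped on sysupgrade unless /etc/easy-rsa is listed in /etc/sysupgrade.conf; after an upgrade the "cd /etc/config/openvpnconfig/easy-rsa" used for the easyrsa commands still works, but the scp paths later on this page that start with /etc/easy-rsa silently do not. Add that line to /etc/sysupgrade.conf as part of this step.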
      
-Specify how you want the default key pairs to be built, and specify parameters for the certificate authority; example provided below the text editor command:  +Now, let's enter the parameters on the vars file which determines how the openvpn server will be built, and also drives the default parameters for your client keys.  I suggest editing the expiration date and the organization parameters (minimally). 
      
   nano /etc/config/openvpnconfig/easy-rsa/vars    nano /etc/config/openvpnconfig/easy-rsa/vars 
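Review bot: "change the expiry dates to something large" needs a caveat, because this revision also drops the "crl-verify" line from server.conf (see the removed line in the server configuration further down). With easy-rsa 3 the relevant settings are "set_var EASYRSA_CA_EXPIRE" and "set_var EASYRSA_CERT_EXPIRE"; the old "export KEY_EXPIRE" syntax from the removed vars listing no longer applies. A client certificate with the old 7305-day lifetime on a laptop that gets lost can only be shut out by revocation: "easyrsa revoke <clientname>" followed by "easyrsa gen-crl" writes pki/crl.pem, which the server ignores unless server.conf references it with crl-verify. Either keep client expiry modest (a year or two) or reinstate crl-verify with the new pki path, and preferably do both.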
      
-  # easy-rsa parameter settings +Nowlet's rename the original config file, and then create two custom configuration files as follows
-  # NOTE: If you installed from an RPM, +
-  # don't edit this file in place in +
-  # /usr/share/openvpn/easy-rsa -- +
-  # insteadyou should copy the whole +
-  # easy-rsa directory to another location +
-  # (such as /etc/openvpn) so that your +
-  # edits will not be wiped out by a future +
-  # OpenVPN package upgrade. +
-  # This variable should point to +
-  # the top level of the easy-rsa +
-  # tree. +
-  export EASY_RSA="/etc/easy-rsa" +
-  # This variable should point to +
-  # the requested executables +
-  export OPENSSL="openssl" +
-  export PKCS11TOOL="pkcs11-tool" +
-  export GREP="grep" +
-  # This variable should point to +
-  # the openssl.cnf file included +
-  # with easy-rsa. +
-  export KEY_CONFIG=`/usr/sbin/whichopensslcnf $EASY_RSA` +
-  # Edit this variable to point to +
-  # your soon-to-be-created key +
-  # directory. +
-  # WARNINGclean-all will do +
-  # a rm -rf on this directory +
-  # so make sure you define +
-  # it correctly! +
-  export KEY_DIR="$EASY_RSA/keys" +
-  # Issue rm -rf warning +
-  echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR +
-  # PKCS11 fixes +
-  export PKCS11_MODULE_PATH="dummy" +
-  export PKCS11_PIN="dummy" +
-  # Increase this to 2048 if you +
-  # are paranoid.  This will slow +
-  # down TLS negotiation performance +
-  # as well as the one-time DH parms +
-  # generation process. +
-  export KEY_SIZE=2048 +
-  # In how many days should the root CA key expire? +
-  export CA_EXPIRE=7305 +
-  # In how many days should certificates expire? +
-  export KEY_EXPIRE=7305 +
-  # These are the default values for fields +
-  # which will be placed in the certificate. +
-  # Don't leave any of these fields blank. +
-  export KEY_COUNTRY="US" +
-  export KEY_PROVINCE="NM" +
-  export KEY_CITY="Calexico" +
-  export KEY_ORG="Enterprise IT Solutions" +
-  export KEY_EMAIL="macguy@enterprisesolutions.com" +
-  export KEY_OU="Owner" +
-  # X509 Subject Field +
-  export KEY_NAME="EasyRSA" +
-  # PKCS11 Smart Card +
-  # export PKCS11_MODULE_PATH="/usr/lib/changeme.so" +
-  # export PKCS11_PIN=1234 +
-  # If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below +
-  # You will also need to make sure your OpenVPN server config has the duplicate-cn option set +
-  # export KEY_CN="CommonName"+
      
-Enter parameters for your openvpn configuration; example provided below the text editor command:  +  mv /etc/config/openvpn /etc/config/openvpn-original 
 +  touch /etc/config/openvpn 
 +  touch /etc/config/openvpnconfig/server.conf
      
-  nano /etc/config/openvpnconfig/openvpnWRT.conf+Examples of this .conf file can be found [[https://codetalkers.services|HERE]]  Specify where the openvpn configuration is to be found; example provided below the text editor command.  In the first configuration file, called openvpn, enter something like what is listed just below, but make sure you to change <server> to the name you will call your server when you build it below, remove the braces, and do not use special characters:
      
 +  ##/etc/config/openvpn##
 +  package openvpn
 +  config openvpn <server>
 +  option enabled 1
 +  option config /etc/config/openvpnconfig/server.conf
 +
 +In the second configuration file, do something like this.  Remember to change all the <addresses> in triangle braces below.  Remember, the last address should be the address of the lan, not the vpn's address scheme.
 +
   float   float
   port 1194   port 1194
   proto udp   proto udp
   dev tun   dev tun
-  comp-lzo yes 
   cipher AES-256-CBC   cipher AES-256-CBC
   tls-version-min 1.2   tls-version-min 1.2
-  tls-cipher      TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 +  tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 
-  dh   easy-rsa/keys/dh2048.pem +  dh   easy-rsa/pki/pki/dh.pem 
-  ca   easy-rsa/keys/ca.crt +  ca   easy-rsa/pki/pki/ca.crt 
-  key  easy-rsa/keys/server.key +  key  easy-rsa/pki/pki/private/server.key 
-  cert easy-rsa/keys/server.crt +  cert easy-rsa/pki/pki/issued/server.crt
-  #crl-verify /etc/config/openvpnconfig/easy-rsa/keys/crl.pem+
   ifconfig-pool-persist /tmp/ipp.txt   ifconfig-pool-persist /tmp/ipp.txt
   client-config-dir clients   client-config-dir clients
   status /var/log/openvpn-status.log   status /var/log/openvpn-status.log
-  ##Don't enable unless you disable all static ip options below# 
-  #server [192.xx.xx.0 255.255.255.0] 
-  ##begin VPN options for static ip mode (mode server)## 
   mode server   mode server
   tls-server   tls-server
   topology subnet   topology subnet
   push "topology subnet"   push "topology subnet"
-  ifconfig 192.xx.xx.1 255.255.255.0 +  ifconfig <10.66.66.1255.255.255.0 
-  route-gateway 192.xx.xx.1 +  route-gateway <10.66.66.1> 
-  push "route-gateway 192.xx.xx.1" +  push "route-gateway <10.66.66.1>
-  ifconfig-pool 192.xx.xx.100 10.xx.xx.150 255.255.255.0 +  ifconfig-pool <10.66.66.32> <10.66.66.254> 255.255.255.0 
-  ##end VPN options for static ip## +  push "route <192.168.1.0255.255.255.0"
-  ##general LAN options## +
-  push "route 192.168.1.0 255.255.255.0" +
-  push "dhcp-option DOMAIN domainname.com <or> external-ip <or> server.local" +
-  push "dhcp-option DNS 192.168.1.1" +
-  client-to-client +
-  mute 5 +
-  log /tmp/openvpn.log +
-  keepalive 10 120 +
-  persist-key +
-  persist-tun +
-   +
-Specify where the openvpn configuration is to be found; example provided below the text editor command.   +
-   +
-  nano /etc/config/openvpn +
-   +
-  ##/etc/config/openvpn## +
-  package openvpn +
-  config openvpn server +
-  option enabled 1 +
-  option config /etc/config/openvpnconfig/server.conf+
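Review bot: the server.conf block has several problems, three of which stop the service from starting as written. The cert and key lines hard-code "issued/server.crt" and "private/server.key", but "easyrsa build-server-full <server>" below writes issued/<server>.crt and private/<server>.key, so either use the literal name "server" or edit these two paths; the UCI section name in /etc/config/openvpn, by contrast, does not have to match anything in the PKI. The paths use "easy-rsa/pki/pki/..." while the scp command near the end of the page reads from /etc/easy-rsa/pki/ca.crt; a stock easy-rsa 3 init-pki creates a single pki/ directory, so check with "ls" which layout actually exists and use it consistently. The angle brackets in the ifconfig, route-gateway, ifconfig-pool and push route lines are placeholders that must be removed, and the ifconfig line has lost the space between the address and the netmask. Two settings are worth adding while here: there is no "auth" directive, so the data channel defaults to HMAC-SHA1 with AES-256-CBC; set "auth SHA256" on both ends, and if the router's OpenVPN is 2.5 or newer prefer "data-ciphers AES-256-GCM:AES-128-GCM" over the CBC-only cipher line. Dropping comp-lzo is correct, since compression is a known plaintext oracle. Lastly, keepalive, persist-key and persist-tun are removed in this hunk; unless they reappear in the elided part of the file, clients behind NAT will silently lose the tunnel and never reconnect, so put "keepalive 10 120" back.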
  
-Nowtime to build the certificate authority, the diffy helman key, and the key and certificate for the vpn server.  +Once those configuration files are builtyou can now create the certificate authority, the diffie-hellman key, and certificate/private key for the server.
      
-  build-ca  +  cd /etc/config/openvpnconfig/easy-rsa/ 
-  build-dh [takes a long time, see alternate method below] +  easyrsa --batch init-pki 
-  build-key-server server  +  easyrsa --batch gen-dh 
 +  easyrsa --batch build-ca nopass 
 +  easyrsa --batch build-server-full <server> nopass
  
-You can alternately choose to build the dh key on the **//__host__//** machine you are administering from and then scp it to the router when it completes as follows.  Do not forget to symlink easy-rsa properly so this works.+Make sure that the name that you enter for <server> matches the name in the second configuration file below.  Also, you can optionally create the diffie-hellman key on your home machine and scp it to the router to //save time// as follows, thereby omitting the gen-dh command above.  If you can/want to do this, then on your home machine (not the router), do the following:
  
   sudo openssl dhparam -out /tmp/dh2048.pem 2048    sudo openssl dhparam -out /tmp/dh2048.pem 2048 
-  scp /tmp/dh2048.pem root@xx.xx.xx.xx:/etc/config/openvpnconfig/easy-rsa/keys/+  scp /tmp/dh2048.pem root@192.168.1.1:/etc/easy-rsa/pki/pki/
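Review bot: "easyrsa --batch build-ca nopass" leaves the CA private key unencrypted in pki/private/ca.key on the same device that terminates the VPN and is exposed on the WAN, so anyone who gets a shell on the router, or a copy of its configuration backup, can issue new client certificates indefinitely. For a single-router deployment that may be an acceptable trade-off, but the page should say so and offer the safer layout: build the CA on the workstation, generate only a request on the router with "easyrsa gen-req server nopass", import and sign it there with "easyrsa import-req" and "easyrsa sign-req server", and copy back just ca.crt and the issued certificate. On the DH shortcut: the host command writes dh2048.pem and the scp drops it into /etc/easy-rsa/pki/pki/, but server.conf expects easy-rsa/pki/pki/dh.pem, so rename it on copy ("scp /tmp/dh2048.pem root@192.168.1.1:/etc/easy-rsa/pki/pki/dh.pem") or change the dh line; sudo is also unnecessary for writing into /tmp.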
  
-You can now use the script contained in the template directory that you zipped earlier to create your client keys and config file; you are back on the **//__router__//** now.+After this, it is now time to create your keypair and ca You do that as follows:
  
-  /etc/config/openvpnconfig/easyrsa-user-setup-openwrt.sh [clientname] [server.com] +  easyrsa --batch build-client-full <clientname> nopass
      
-Or, if you did not use the template directory and the script, then change the vars file each time you need a key with the parameters that you desire, and then build the key, crt, and ca manually: +It is now time to scp the key, certificate, and authority from the router to your home device:
-   +
-  nano /etc/config/openvpnconfig/easy-rsa/vars  +
-  pkitool [clientname]+
  
-If you chose not to use the template and scriptthen on each client you will need to create a config file with something like the following parameters; adjust these parameters as needed:+  scp /etc/easy-rsa/pki/ca.crt /etc/easy-rsa/pki/private/clientname.key /etc/easy-rsa/pki/issued/clientname.crt root@10.10.10.100: 
 +   
 +Obviously, I am using an example home subnet here (10.10.10.0), so change that address to match your workstation.  Once you have all three of those files, create a directory on the client workstation that intends to connect to the vpn server.  After you create that directory and place these files in it, you need to create a connect-to-vpn.ovpn file that openvpn will use to connect to the vpn server. 
 +   
 +  cd ~ 
 +  mkdir vpn-connection 
 +  cd vpn-connection 
 +  mv ~/ca.crt ~/server.key ~/server.crt ~/vpn-connection/ 
 +  sudo chmod 600 server.key  
 +  touch connect-to-vpn.ovpn 
 +  sudo chmod 640 server.crt ca.crt connect-to-vpn.ovpn 
 +  nano connect-to-vpn.ovpn
      
-  nano /directory/to/keep/openvpn/keys/clientconfigname.ovpn  +In the config file, enter something like this:
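Review bot: the file names in the client-key transfer do not line up. The scp copies ca.crt, private/clientname.key and issued/clientname.crt, but the next block moves "~/server.key ~/server.crt" and chmods server.key and server.crt, while the .ovpn below references <clientname>.crt and <clientname>.key; use the client name throughout. The destination "root@10.10.10.100:" also puts the files in root's home on the workstation rather than in the ~ of the user who runs the mv, and it presumes root can log in over SSH to that machine; pulling from the workstation as the ordinary user ("scp root@192.168.1.1:/etc/easy-rsa/pki/private/clientname.key .") needs no inbound SSH on the client at all. The sentence "create your keypair and ca" is also off: the CA already exists at this point, and build-client-full creates a client key pair plus a certificate signed by that CA. Because the client key is built with nopass, the chmod 600 is the only thing protecting it; keep it, and consider omitting nopass for laptops.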
      
   nobind   nobind
   float   float
-  comp-lzo 
   cipher AES-256-CBC   cipher AES-256-CBC
   dev tun   dev tun
-  remote xx.xx.xx.xx 1194 udp+  remote <external ip or DNS name here> 1194 udp
   client   client
   tls-exit   tls-exit
   ca ca.crt   ca ca.crt
-  cert <client>.crt +  cert <clientname>.crt 
-  key <client>.key+  key <clientname>.key
   remote-cert-tls server   remote-cert-tls server
   mute 5   mute 5
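Review bot: the client .ovpn relies on the server to enforce the TLS policy and does not mirror it. "tls-version-min 1.2" and the same "tls-cipher" list as server.conf should appear here as well, so a downgraded or impersonating responder is refused by the client rather than leaving that to "remote-cert-tls server" alone, and any "auth" directive added on the server must be repeated here or the data channel will not come up. It would also help to state what the commented "#redirect-gateway def1" means in practice: with it commented out, only the pushed 192.168.1.0/24 route goes through the tunnel and all other traffic leaves the workstation directly (a split tunnel); uncomment it to send everything through the router.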
Line 221: Line 147:
   #redirect-gateway def1   #redirect-gateway def1
  
-You are now ready to set up the interfaces and firewall zones for the router using the web panel.  Before you do this, you need to start the vpn service and ensure it is working.  You should get two processes, one for the openvpn grep you just ran, and another for the service running:+Now that your client workstation is ready to test the connection, we need to return to setting up the server.  First, if everything above was done correctlythen you should be able to start the vpn service as follows and verify that it is running:
  
   /etc/init.d/openvpn start   /etc/init.d/openvpn start
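Review bot: "/etc/init.d/openvpn start" only starts the instance for the current boot. Add "/etc/init.d/openvpn enable" so the server comes back after a power cycle, which for a router in a closet is the normal way it gets restarted; "option enabled 1" in /etc/config/openvpn selects which instances the init script launches but does not enable the script itself.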
Line 228: Line 154:
   31296 root     1356 S    grep openvpn   31296 root     1356 S    grep openvpn
  
-If you did not get this output, then you should debug your configuration by running openvpn against your server configuration as follows, and use the output it provides to determine what you did wrong.+This is the output you want, showing that the service is running. If you do not get this, then run openvpn against the configuration files on the router and/or check the logs to determine your error Here is a good place to start debugging:
  
   openvpn /etc/config/openvpnconfig/server.conf   openvpn /etc/config/openvpnconfig/server.conf
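Review bot: running "openvpn /etc/config/openvpnconfig/server.conf" from an arbitrary directory fails on the relative ca, cert, key and dh paths before it exercises anything else, because those paths resolve against the current working directory, whereas the init script starts openvpn with the config file's directory as its working directory. Debug with "cd /etc/config/openvpnconfig && openvpn server.conf" (or "openvpn --cd /etc/config/openvpnconfig --config server.conf"), and mention "logread -e openvpn", since with the "log /tmp/openvpn.log" line gone the service now logs only to syslog.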
-  
-Now that the service is running and you have a client config, you can use the openWRT web page to create an interface and a firewall zone.  Go to interfaces, add interface and name it VPN, select tun0 (unmanaged).  Set up a fw zone at the same time or separately, and name it vpn_zone.  Navigate to Network/Firewall, select the tab for traffic rules, and then add a rule that allows incoming vpn connections on udp 1194 //to device//, i.e., your router which is your vpn server.  In the firewall zone, make sure to allow forwarding //to// the lan and wan, and //from// the lan.  
  
-{{ :computing:zone1.png?600 |}} +Now that the service is running, let's log in to the router and adjust the settings a bit In your web browser, visit 192.168.1.1, and log in/change password.  After that, click /Interfaces/Add/tun0/ and enter "VPN" for the name (so its parsing matches the others).  Once the interface is created, go to the firewall tab within it and create a matching firewall zone, call it lower-case vpn (this just distinguishes the zones from the interfaces).  Go to the /Firewall tab, and then edit the vpn zone so that it has the WAN as a source destination. It is now time to test the vpn server //from your client workstation//:
-{{ :computing:rule1.png?600 |}} +
-{{ :computing:rule2.png?600 |}}+
  
-Now that you have a client configuration file set up, and the interfaces and firewall zones set up, you can install openvpn on your host; and be aware of how to execute the client - server handshake, thus initiating the openvpn connection. +  cd ~/vpn-connection
- +  sudo openvpn connect-to-vpn.ovpn 
-  sudo apt install openvpn   +   
-  cd ~/directory/where/thekeys/youmade/above/are+Since you did not suppress standard output, you should get the following the message, "Initialization Sequence Completed," to indicate successful connection.  Your vpn-server is now complete, and you can repeat the steps for building client keys stated above for other workstations/users.  Also, if you need to automate the setup, you can use something like these scripts, which I tweaked a lot, from OpenWrt's wiki:
-  sudo openvpn clientconfigname.ovpn +
- +
-To enable TLS and separately to enable strong cipher, use these settings on the server configuration.  The cipher setting matches the setting in the client configuration above+
- +
-  /etc/config/openvpnconfig/server.conf +
-  tls-version-min 1.2 +
-  tls-cipher      TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-  128-GCM-SHA256 +
-  cipher AES-256-CBC+
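Review bot: the LuCI firewall paragraph no longer opens UDP 1194 on the WAN. The previous revision had an explicit traffic rule accepting incoming udp/1194 "to device" from wan; the new text only says to give the vpn zone "the WAN as a source destination", which is ambiguous and in any case does not change the wan zone's default input policy of REJECT, so remote clients never get a handshake. Keep a rule with src wan, proto udp, dest_port 1194 and target ACCEPT (in /etc/config/firewall or under Network/Firewall/Traffic Rules), assign tun0 (the VPN interface) to the vpn zone, and set zone forwarding explicitly: vpn to lan so clients can reach the network behind the pushed 192.168.1.0/24 route, and vpn to wan only if redirect-gateway is going to be used. The removed screenshots were the only place this was shown, so the prose has to carry it now.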
  
-Key, ca, and .ovpn permissions, in case they get messed up:+  * [[https://repo.haacksnetworking.com/oemb1905/haackingclub/-/blob/master/vpnstuff/vpn-server-script.sh|vpn-server-scripts.sh]] 
 +  * [[https://repo.haacksnetworking.com/oemb1905/haackingclub/-/blob/master/vpnstuff/vpn-client-script.sh|vp-client-scripts.sh]]
  
-  sudo chmod 600 clientname.key +-- -- -- -- -- 
-  sudo chmod 640 clientname.crt +
-  sudo chmod 640 ca.crt +
-  sudo chmod 640 clientconfigname.ovpn+
  
-Thanks!+Thanks to Jason Schaefer and Geoff Chesshire from [[http://schaeferconsulting.com|Schaefer IT Consulting]].  I am very grateful for their help with all of this.  I also found the source documentation,  [[https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic|OpenWrt OpenVPN basic]], to be particularly helpful, especially when/if commands and config setups change in easy-rsa/openvpn.
  
- --- //[[netcmnd@jonathanhaack.com|oemb1905]] 2018/05/17 10:16//+ --- //[[jonathan@haacksnetworking.com|oemb1905]] 2020/03/22 19:07//