computing:vpnserver

Revision of 2023/02/11 13:04 by oemb1905 (the page was removed on 2023/05/21 19:57).
----
  * **vpnserver**
  * **Jonathan Haack**
  * **Haack's Networking**
  * **netcmnd@jonathanhaack.com**

----

//vpnserver//

----

This tutorial is for flashing a Netgear WNDR3800 router with OpenWrt and then building a VPN server on it with OpenVPN.  The instructions here can easily be adapted to other hardware.  First, download the stable release:

[[http://downloads.openwrt.org|OpenWrt]]

It is probably best to stop NetworkManager; after that, assign a local IP address (on the same subnet as the router) to your network interface.

  sudo systemctl stop network-manager
  sudo ip addr add 192.168.1.105/24 dev <eth0>

Put a paperclip in the reset button while the device is off.  Keeping the paperclip gently depressed in the reset button, turn the device on, and keep it depressed until there is a flashing green light.  At this point, I usually ping the router and/or run ethtool:

  ping 192.168.1.1
  sudo ethtool <eth0>

In the past, you would get a "taking countermeasures" response while pinging the device.  At other times, ping just hangs (but it is connected).  At any rate, after you are connected, flash the image with curl and tftp:

  curl -T ~/Downloads/openwrt-latest.img tftp://192.168.1.1

After that, wait at least 5-10 minutes before attempting to log in to the device.  In fact, before I log in, I prefer to shell into the router, update, install, and then upgrade all packages first.  In order to do this, make sure to plug an ethernet cable from your current LAN into the WAN port on the router so it can route.

  ssh root@192.168.1.1
  opkg update
  opkg install gzip openvpn-easy-rsa openvpn-openssl nano wget nmap tcpdump curl luci-ssl
  opkg list-upgradable
  opkg upgrade <package>

Before I get any further, I like to set up HTTPS.  When you edit the config file, change the expiry dates to something large, enter your email/org, etc., and then restart the service.

  nano /etc/config/uhttpd
  /etc/init.d/uhttpd restart

Now, let's create custom config directories for OpenVPN and easy-rsa so they behave better when packages on the router are upgraded.

  mkdir /etc/config/openvpnconfig/
  mv /etc/easy-rsa /etc/config/openvpnconfig/
  cd /etc/
  ln -s config/openvpnconfig/easy-rsa ./

Now, let's enter the parameters in the vars file, which determines how the OpenVPN server will be built and also drives the default parameters for your client keys.  I suggest editing the expiration date and the organization parameters (minimally).

  nano /etc/config/openvpnconfig/easy-rsa/vars

Now, let's rename the original config file, and then create two custom configuration files as follows:

  mv /etc/config/openvpn /etc/config/openvpn-original
  touch /etc/config/openvpn
  touch /etc/config/openvpnconfig/server.conf

Examples of this .conf file can be found [[https://codetalkers.services|HERE]].  The first file tells OpenWrt where the OpenVPN configuration is to be found; an example is provided below the text editor command.  In the first configuration file, called openvpn, enter something like what is listed just below, but make sure to change <server> to the name you will call your server when you build it below, remove the braces, and do not use special characters:

  ##/etc/config/openvpn##
  package openvpn
  config openvpn <server>
  option enabled 1
  option config /etc/config/openvpnconfig/server.conf

In the second configuration file, do something like this.  Remember to change all the <addresses> in triangle braces below.  Remember, the last address should be the address of the LAN, not the VPN's address scheme.

  float
  port 1194
  proto udp
  dev tun
  cipher AES-256-CBC
  tls-version-min 1.2
  tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
  dh   easy-rsa/pki/pki/dh.pem
  ca   easy-rsa/pki/pki/ca.crt
  key  easy-rsa/pki/pki/private/server.key
  cert easy-rsa/pki/pki/issued/server.crt
  ifconfig-pool-persist /tmp/ipp.txt
  client-config-dir clients
  status /var/log/openvpn-status.log
  mode server
  tls-server
  topology subnet
  push "topology subnet"
  ifconfig <10.66.66.1> 255.255.255.0
  route-gateway <10.66.66.1>
  push "route-gateway <10.66.66.1>"
  ifconfig-pool <10.66.66.32> <10.66.66.254> 255.255.255.0
  push "route <192.168.1.0> 255.255.255.0"

Once those configuration files are built, you can now create the certificate authority, the Diffie-Hellman parameters, and the certificate/private key for the server.

  cd /etc/config/openvpnconfig/easy-rsa/
  easyrsa --batch init-pki
  easyrsa --batch gen-dh
  easyrsa --batch build-ca nopass
  easyrsa --batch build-server-full <server> nopass

Make sure that the name you enter for <server> matches the name used in the key and cert paths of the second configuration file above.  Also, you can optionally create the Diffie-Hellman parameters on your home machine and scp them to the router to //save time//, thereby omitting the gen-dh command above.  If you can/want to do this, then on your home machine (not the router), do the following (the file is saved on the router under the dh.pem name that server.conf expects):

  sudo openssl dhparam -out /tmp/dh2048.pem 2048
  scp /tmp/dh2048.pem root@192.168.1.1:/etc/easy-rsa/pki/pki/dh.pem

After this, it is now time to create the client's keypair, signed by the CA you just built.  You do that as follows:

  easyrsa --batch build-client-full <clientname> nopass

It is now time to scp the key, certificate, and authority from the router to your home device:

  scp /etc/easy-rsa/pki/ca.crt /etc/easy-rsa/pki/private/<clientname>.key /etc/easy-rsa/pki/issued/<clientname>.crt root@10.10.10.100:

Obviously, I am using an example home subnet here (10.10.10.0), so change that address to match your workstation.  Once you have all three of those files, create a directory on the client workstation that intends to connect to the VPN server.  After you create that directory and place these files in it, you need to create a connect-to-vpn.ovpn file that OpenVPN will use to connect to the VPN server.

  cd ~
  mkdir vpn-connection
  cd vpn-connection
  mv ~/ca.crt ~/<clientname>.key ~/<clientname>.crt ~/vpn-connection/
  sudo chmod 600 <clientname>.key
  touch connect-to-vpn.ovpn
  sudo chmod 640 <clientname>.crt ca.crt connect-to-vpn.ovpn
  nano connect-to-vpn.ovpn

In the config file, enter something like this:

  nobind
  float
  cipher AES-256-CBC
  dev tun
  remote <external ip or DNS name here> 1194 udp
  client
  tls-exit
  ca ca.crt
  cert <clientname>.crt
  key <clientname>.key
  remote-cert-tls server
  mute 5
  resolv-retry infinite
  #explicit-exit-notify
  keepalive 10 60
  ping-timer-rem
  persist-tun
  persist-key
  #redirect-gateway def1

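Before starting the service, the server.conf and connect-to-vpn.ovpn built above can be cross-checked for the mistakes this tutorial warns about: a pool that falls outside the ifconfig subnet, a pushed route that is the VPN subnet rather than the LAN, and a client remote whose port/proto do not match the server. The checker below is an added example, not part of the tutorial or of the linked scripts; its embedded sample configs are constructed from the placeholder values above, and vpn.example.invalid is an assumed hostname.

```python
import ipaddress
import shlex
# Constructed sample configs using the tutorial's placeholder values.
SERVER_CONF = """\
port 1194
proto udp
tls-version-min 1.2
topology subnet
ifconfig 10.66.66.1 255.255.255.0
route-gateway 10.66.66.1
ifconfig-pool 10.66.66.32 10.66.66.254 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
"""
CLIENT_OVPN = """\
client
remote vpn.example.invalid 1194 udp
remote-cert-tls server
"""

def parse(text):
    """Turn an OpenVPN config into {option: [arg lists]}; quoted args are honoured."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            words = shlex.split(line)
            opts.setdefault(words[0], []).append(words[1:])
    return opts

def check(server_text, client_text):
    """Return the list of problems found; an empty list means the pair is consistent."""
    srv, cli, problems = parse(server_text), parse(client_text), []
    gw, mask = srv["ifconfig"][0]
    vpn_net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
    lo, hi = (ipaddress.ip_address(a) for a in srv["ifconfig-pool"][0][:2])
    if lo not in vpn_net or hi not in vpn_net:
        problems.append("ifconfig-pool lies outside the VPN subnet")
    for (pushed,) in srv.get("push", []):
        words = pushed.split()
        if words[0] == "route" and ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False) == vpn_net:
            problems.append("pushed route is the VPN subnet, not the LAN")
    port, proto = srv["port"][0][0], srv["proto"][0][0]
    for args in cli.get("remote", []):
        if args[1:] != [port, proto]:
            problems.append(f"client remote {' '.join(args)} does not match server {port}/{proto}")
    if "tls-version-min" not in srv:
        problems.append("server lacks tls-version-min")
    if "remote-cert-tls" not in cli:
        problems.append("client lacks remote-cert-tls server")
    return problems
```

The remote check expects the three-argument form used in this tutorial (host port proto); a two-argument remote is reported as a mismatch on purpose, since the proto would then fall back to a default rather than being pinned.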
Now that your client workstation is ready to test the connection, we need to return to setting up the server.  First, if everything above was done correctly, then you should be able to start the VPN service as follows and verify that it is running:

  /etc/init.d/openvpn start
  ps | grep openvpn
  1314 root      3896 S    /usr/sbin/openvpn --syslog openvpn(server) --status /var/run/openvpn.server.status --cd /etc/config/openvpnconfig --config /etc/config/openvpnconfig/server.conf
  31296 root     1356 S    grep openvpn

This is the output you want, showing that the service is running.  If you do not get this, then run openvpn directly against the configuration file on the router and/or check the logs to determine your error.  Here is a good place to start debugging:

  openvpn /etc/config/openvpnconfig/server.conf

Now that the service is running, let's log in to the router and adjust the settings a bit.  In your web browser, visit 192.168.1.1, and log in/change the password.  After that, click /Interfaces/Add/tun0/ and enter "VPN" for the name (so its naming matches the others).  Once the interface is created, go to the firewall tab within it and create a matching firewall zone; call it lower-case vpn (this just distinguishes the zones from the interfaces).  Go to the /Firewall tab, and then edit the vpn zone so that it has the WAN as an allowed source zone.  It is now time to test the VPN server //from your client workstation//:

  cd ~/vpn-connection/
  sudo openvpn connect-to-vpn.ovpn

Since you did not suppress standard output, you should get the message "Initialization Sequence Completed" to indicate a successful connection.  Your VPN server is now complete, and you can repeat the steps for building client keys stated above for other workstations/users.  Also, if you need to automate the setup, you can use something like these scripts, which I tweaked a lot, from OpenWrt's wiki:

  * [[https://repo.haacksnetworking.com/oemb1905/haackingclub/-/blob/master/vpnstuff/vpn-server-script.sh|vpn-server-script.sh]]
  * [[https://repo.haacksnetworking.com/oemb1905/haackingclub/-/blob/master/vpnstuff/vpn-client-script.sh|vpn-client-script.sh]]

-- -- -- -- --

Thanks to Jason Schaefer and Geoff Chesshire from [[http://schaeferconsulting.com|Schaefer IT Consulting]].  I am very grateful for their help with all of this.  I also found the source documentation, [[https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic|OpenWrt OpenVPN basic]], to be particularly helpful, especially when/if commands and config setups change in easy-rsa/openvpn.

 --- //[[jonathan@haacksnetworking.com|oemb1905]] 2020/03/22 19:07//