Haack's Wiki

User Tools

Site Tools

Trace:
computing:vpnserver

This is an old revision of the document!

  • vpnserver
  • Jonathan Haack
  • Haack's Networking
  • netcmnd@jonathanhaack.com

vpnserver

Thanks to Jason Schaefer and Geoff Chesshire from Schaefer IT Consulting for helping me put this all together!

In this tutorial, you will create a vpn server on a WNDR3800 router running LEDE, formerly and still partially known as OpenWrt. The tutorial will also work for any other router that is successfully flashed with LEDE. I will show folks how to build an openvpn server on a vps and or a traditional workstation in the future. For now, begin by downloading the LEDE image; links provided as a courtesy, you should always verify what image you need at LEDE's Table of Hardware: 

https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/openwrt-15.05.1-ar71xx-generic-wndr3800-squashfs-factory.img
http://downloads.lede-project.org/releases/17.01.4/targets/ar71xx/generic/lede-17.01.4-ar71xx-generic-wndr3800-squashfs-factory.img

Add an address on the subnet of the router, and stop the network-manager from hijacking the connection. Run ip a to obtain your interface name, as it may not be eth0. 

sudo systemctl stop network-manager
ip a a 192.168.1.105/24 dev <eth0>

Put a paperclip in the reset button while device is off. Keeping it in, turn the device on, wait for flashing green. Be patient and do not turn power off or anything else during this process. First, ping the router. 

ping 192.168.1.1

If you cannot successfully ping the router, then re-add your interface to the proper subnet and try again. You know you succeeded if you get an error about “taking countermeasures” while pinging the device. If you can ping the device, then the curl command below should work. 

curl -T ~/Downloads/openwrt-15.05.1-ar71xx-generic-wndr3800-squashfs-factory.img tftp://192.168.1.1
curl -T ~/Downloads/lede-17.01.4-ar71xx-generic-wndr3800-squashfs-factory.img tftp://192.168.1.1

If you are flashing a router for the second or multiple times, you might need to remove the offending ssh known host entry as follows: 

ssh-keygen -f "/home/username/.ssh/known_hosts" -R [192.168.1.1]:222

Now that we have openWRT on the router, we should enable https for the web admin panel before proceeding with anything else. First, verify that you completed the above steps correctly by visiting 192.168.1.1 in your web browser of choice. 

opkg update
opkg install luci-ssl nano
nano /etc/config/uhttpd 

config uhttpd 'main'
#list listen_http '0.0.0.0:80'
#list listen_http '[::]:80'
list listen_https '0.0.0.0:443'
list listen_https '[::]:443'
option redirect_https '1'
option home '/www'
option rfc1918_filter '1'
option max_requests '3'
option max_connections '100'
option cert '/etc/uhttpd.crt'
option key '/etc/uhttpd.key'
option cgi_prefix '/cgi-bin'
option script_timeout '60'
option network_timeout '30'
option http_keepalive '20'
option tcp_keepalive '1'
option ubus_prefix '/ubus'
config cert 'px5g'
option days '9730'
option bits '2048'
option country 'countryabbreviation'
option state 'stateabbreviation'
option location 'citylocatlityname'
option commonname 'certname'

In the config file, one can see that the port 80 lines are commented out in order to reredirect the router to use TLS. Additionally, enter the parameters for the self-signed cert using the options at the bottom of the configuration file shown above. Once you are done, restart the service, which will automatically build the cert using the parameters specified above. 

/etc/init.d/uhttpd restart

Now that we have https, we can begin to set up the vpn server on the WNDR. Using the template files in the directory openvpnconfig, download them to the router for ease, or use scp. You can optionally configure everything without the template; the plate download link is below: 

https://educationaction.biz/vpn/openvpnconfig.zip

Method 1; copying the template directory from your host to the router. 

scp -r openvpnconfig root@192.168.1.1:/etc/config/
ssh root@192.168.1.1

Method 2; using wget to download the directory into your router. 

ssh root@192.168.1.1
opkg update
opkg install wget
wget https://educationaction.biz/vpn/openvpnconfig.zip

If you use this template and the key and config building script inside it, be aware of what it is doing for you; it is zipping the two keys and certificate authority together with the client config in one .zip file for easy downloading using scp. It also uses stock configuration options that can be adjusted as needed. Ok, let's set up the server now that we have our config template: 

opkg update
opkg install zip openvpn-easy-rsa openvpn-openssl nano wget nmap tcpdump curl
mv /etc/config/openvpnconfig/openvpn /etc/config/
mv /etc/easy-rsa /etc/config/openvpnconfig/
cd /etc/
ln -s config/openvpnconfig/easy-rsa ./

Specify how you want the default key pairs to be built, and specify parameters for the certificate authority; example provided below the text editor command: 

nano /etc/config/openvpnconfig/easy-rsa/vars 

# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="/etc/easy-rsa"
# This variable should point to
# the requested executables
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`/usr/sbin/whichopensslcnf $EASY_RSA`
# Edit this variable to point to
# your soon-to-be-created key
# directory.
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"
# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=2048
# In how many days should the root CA key expire?
export CA_EXPIRE=7305
# In how many days should certificates expire?
export KEY_EXPIRE=7305
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="NM"
export KEY_CITY="Calexico"
export KEY_ORG="Enterprise IT Solutions"
export KEY_EMAIL="macguy@enterprisesolutions.com"
export KEY_OU="Owner"
# X509 Subject Field
export KEY_NAME="EasyRSA"
# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234
# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
# export KEY_CN="CommonName"

Enter parameters for your openvpn configuration; example provided below the text editor command: 

nano /etc/config/openvpnconfig/openvpnWRT.conf

float
port 1194
proto udp
dev tun
comp-lzo yes
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher      TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
dh   easy-rsa/keys/dh2048.pem
ca   easy-rsa/keys/ca.crt
key  easy-rsa/keys/server.key
cert easy-rsa/keys/server.crt
#crl-verify /etc/config/openvpnconfig/easy-rsa/keys/crl.pem
ifconfig-pool-persist /tmp/ipp.txt
client-config-dir clients
status /var/log/openvpn-status.log
##Don't enable unless you disable all static ip options below#
#server [192.xx.xx.0 255.255.255.0]
##begin VPN options for static ip mode (mode server)##
mode server
tls-server
topology subnet
push "topology subnet"
ifconfig 192.xx.xx.1 255.255.255.0
route-gateway 192.xx.xx.1
push "route-gateway 192.xx.xx.1"
ifconfig-pool 192.xx.xx.100 10.xx.xx.150 255.255.255.0
##end VPN options for static ip##
##general LAN options##
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DOMAIN domainname.com <or> external-ip <or> server.local"
push "dhcp-option DNS 192.168.1.1"
client-to-client
mute 5
log /tmp/openvpn.log
keepalive 10 120
persist-key
persist-tun

Specify where the openvpn configuration is to be found; example provided below the text editor command. 

nano /etc/config/openvpn

##/etc/config/openvpn##
package openvpn
config openvpn server
option enabled 1
option config /etc/config/openvpnconfig/server.conf

Now, time to build the certificate authority, the diffie helman key, and the key and certificate for the vpn server. 

build-ca 
build-dh [takes a long time, see alternate method below]
build-key-server server

You can alternately choose to build the dh key on the host machine you are administering from and then scp it to the router when it completes as follows. Do not forget to symlink easy-rsa properly so this works. 

sudo openssl dhparam -out /tmp/dh2048.pem 2048 
scp /tmp/dh2048.pem root@xx.xx.xx.xx:/etc/config/openvpnconfig/easy-rsa/keys/

You can now use the script contained in the template directory that you zipped earlier to create your client keys and config file; you are back on the router now. 

/etc/config/openvpnconfig/easyrsa-user-setup-openwrt.sh [clientname] [server.com]

Or, if you did not use the template directory and the script, then change the vars file each time you need a key with the parameters that you desire, and then build the key, crt, and ca manually: 

nano /etc/config/openvpnconfig/easy-rsa/vars 
pkitool [clientname]

If you chose not to use the template and script, then on each client you will need to create a config file with something like the following parameters; adjust these parameters as needed: 

nano /directory/to/keep/openvpn/keys/clientconfigname.ovpn  

nobind
float
comp-lzo
cipher AES-256-CBC
dev tun
remote xx.xx.xx.xx 1194 udp
client
tls-exit
ca ca.crt
cert <client>.crt
key <client>.key
remote-cert-tls server
mute 5
resolv-retry infinite 
#explicit-exit-notify
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
#redirect-gateway def1

You are now ready to set up the interfaces and firewall zones for the router using the web panel. Before you do this, you need to start the vpn service and ensure it is working. You should get two processes, one for the openvpn grep you just ran, and another for the service running: 

/etc/init.d/openvpn start
ps | grep openvpn
1314 root      3896 S    /usr/sbin/openvpn --syslog openvpn(server) --status /var/run/openvpn.server.status --cd /etc/config/openvpnconfig --config /etc/config/openvpnconfig/server.conf
31296 root     1356 S    grep openvpn

If you did not get this output, then you should debug your configuration by running openvpn against your server configuration as follows, and use the output it provides to determine what you did wrong. 

openvpn /etc/config/openvpnconfig/server.conf

Now that the service is running and you have a client config, you can use the openWRT web page to create an interface and a firewall zone. Go to interfaces, add interface and name it VPN, select tun0 (unmanaged). Set up a fw zone at the same time or separately, and name it vpn_zone. Navigate to Network/Firewall, select the tab for traffic rules, and then add a rule that allows incoming vpn connections on udp 1194 to device, i.e., your router which is your vpn server. In the firewall zone, make sure to allow forwarding to the lan and wan, and from the lan.

Now that you have a client configuration file set up, and the interfaces and firewall zones set up, you can install openvpn on your host; and be aware of how to execute the client - server handshake, thus initiating the openvpn connection. 

sudo apt install openvpn  
cd ~/directory/where/thekeys/youmade/above/are/
sudo openvpn clientconfigname.ovpn

To enable TLS and separately to enable a strong cipher, use these settings on the server configuration. The cipher setting matches the setting in the client configuration above. 

/etc/config/openvpnconfig/server.conf
tls-version-min 1.2
tls-cipher      TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-  128-GCM-SHA256
cipher AES-256-CBC

Key, ca, and .ovpn permissions, in case they get messed up: 

sudo chmod 600 clientname.key
sudo chmod 640 clientname.crt
sudo chmod 640 ca.crt
sudo chmod 640 clientconfigname.ovpn

Thanks!

search for /etc/easy-rsa/openssl … change the “days” and crl to 7305

add p flag to scp when copying openvpn back to new router image

1) flash 2) opkg upgraded with vi shit and made big string 3) after that saw -opkg different files and compared, overwriting old ones with new, except be careful on dropbear with 0 kb one 4) edit not just /etc/config/uhttpd but also edit /etc/easy-rsa/openssl …

copy the etc/easy-rsa over after — oemb1905 2018/05/17 10:16

computing/vpnserver.1532132656.txt.gz · Last modified: 2018/11/25 01:33 (external edit)

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
GNU Free Documentation License 1.3 Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki