meta:template_howto

Differences

This shows you the differences between two versions of the page.

meta:template_howto [2012/11/10 18:19]
meta:template_howto [2015/07/05 04:59] (current)
JW0914 [Firewall Rules]
Line 1: Line 1:
-|:!: **NOTE:** This TEMPLATE is meant for HowTo'​s ​ only. There is a separate one for [[meta:​template_howtobuild|HowToBuild]].|+====== OpenVPN Server Setup (Streamlined) ====== 
 +  * Five things are required for a SSL VPN: 
 +    ​Certificates 
 +    ​Server Config 
 +    ​Client Config 
 +    ​VPN Interface Creation 
 +    * Firewall Rules for VPN Traffic 
 +==== Install Applicable Packages ====
  
-====== Template HowTo ====== +  * <​code>​ 
-µMurmur or uMurmur ​is a minimalistic Mumble server primarily targeted to run on routers with an open OS like OpenWrt.+opkg update ; opkg install openvpn-easy-rsa openvpn-openssl luci-app-openvpn 
 +</​code>​ 
 +    * OpenVPN config file is located at ///​etc/​config/​openvpn//​ 
 +    * OpenVPN root folder is located at ///​etc/​openvpn//​ 
 +    * Easy-RSA root folder ​is located at ///​etc/​easy-rsa//​
  
-===== Preparation ===== 
-==== Prerequisites ==== 
-Please read about here [[wp>​OpenWrt]] and here [[doc:​howto:​tc:​tc.theory|theoretical background]]. Read about [[http://​tools.ietf.org/​html/​rfc5246#​page-27|Three Way Hand Shake]], etc. 
  
-  - follow [[doc/​howto/​usb.essentials]] for a basic USB support (**Do not explain this again!** Link to it, and you're done) +==== Create SSL Certificates ====
-  - follow [[doc/​howto/​usb.storage]] for USB storage support +
-  - follow [[doc/​howto/​luci.essentials#​installation]] to install and configure the LuCI WebUI. +
-  - follow [[doc/​howto/​wireless.overview]] for stuff related to wireless +
-  - follow [[doc/​howto/​client.overview#​Mounting.Filesystems]] to mount //any// filesystem.+
  
 +  * Edit the following in ///​etc/​easy-rsa/​vars//​
 +  * <​code>​
 +  * export KEY_SIZE=2048
 +  * export CA_EXPIRE=3650
 +  * export KEY_EXPIRE=3650
 +  * export KEY_COUNTRY="<​Whatever you like>"​
 +  * export KEY_PROVINCE="<​Whatever you like>"​
 +  * export KEY_CITY="<​Whatever you like>"​
 +  * export KEY_ORG="<​Whatever you like>"​
 +  * export KEY_EMAIL="<​Whatever you like>"​
 +  * export KEY_OU="<​Whatever you like>"​
 +</​code>​
 +    * **Do //__not__// use the same //Common Name (CN)// for two clients**
 +      * The CN (Common Name) is the name you enter when prompted in uci after running //​build-key-pkcs12//​
  
-Firewall: ''​portmap'​' ​uses port 111 TCP + UDP''​nfsd''​ uses ports from 32777 to 32780 TCP + UDP. It might be necessary to populate ''​/etc/hosts.allow''​ to whitelist NFS clientsinsert an entry like ''​portmap:​ 192.168.1.*''​.+  * If you haven't already//cd /etc/easy-rsa//​ 
 +  * <​code>​ 
 +clean-all 
 +build-ca 
 +build-key-server my-server 
 +build-key-pkcs12 my-client 
 +build-dh 
 +</​code>​ 
 +    * The above creates a server certificate named //​my-server//​ and a p12 certificate named //​my-client//​ 
 +      * PKCS12 (p12) certificates contain the //ca.crt////client.crt//, and //client.key//
  
-==== Required Packages ==== +    ​It is highly recommended to add a complex password to your //Certificate Authority//; failure to set any password allows anyone who gains access to your Certificate Authority ​the ability to create client certificates.
-=== Server (OpenWrt) === +
-  ​***''​tc''​** [[http://linux.die.net/man/8/​tc|manpage of tc]] +
-    ***''​kmod-sched''​** (dependency of //tc//), package contains ​the schedulers +
-  ***''​iptables-mod-ipopt''​** optional! Contains some matches and targets for iptables: CLASSIFY, length, mark/MARK, statistic, tos/TOS +
-    ***''​kmod-ipt-ipopt''​** (user space module; dependency of corresponding user space module; //we need both//, see [[https://​dev.openwrt.org/​ticket/​8294|#​8294]] +
-  ***''​ppp''​** (already in 10.03 RC3 Image)+
  
-=== Client (your PC=== +    * It is recommended to add a password to each client certificate;​ failure to do so enables anyone gaining access to your client certificate(sunfettered access to your VPN. 
-For Linux you need ...+   
 +    * You will need to run //​build-key-pkcs12//​ for however many clients you're creating certificates for. 
 +   
 +    * If using Windows, add your certificate authority to the //Trusted Root Certificate Authorities//​ in Credential Manager (I assume there'​s a *nix equivalent if running a *nix based OS)
  
-===== Installation ===== +  * Once all certificates have been created and the dh2048.pem has been generated:​ 
-[[doc:​techref:​opkg]] +  * <​code>​ 
-<​code ​bash+cp -R keys /​etc/​openvpn 
-opkg install umurmur-polarssl +</​code>​  
-vi /​etc/​umurmur.conf + 
-/etc/init.d/umurmur enable +==== Create VPN interface ​==== 
-/etc/init.d/umurmur start + 
-netstat -a +  ​* ​<​code>​ 
-iptables -I INPUT -j ACCEPT -i eth0.1 -p tcp --dport 64738 +uci set network.vpn0=interface ; uci set network.vpn0.ifname=tun0 ; uci set network.vpn0.proto=none
-iptables -I INPUT -j ACCEPT -i eth0.1 -p udp --dport 64738+
 </​code>​ </​code>​
-You should now be able to connect via the mumble protocol. 
  
-===== Configuration ===== +==== Allow OpenVPN Tunnel Utilization ​==== 
-==== Server configuration ==== + 
-Use the file ''/​etc/​exports''​ to configure your shares. Example: +  ​* ​<​code>​ 
-<​code>​ +uci add firewall zone 
-/​mnt/​sda2 ​  ​192.168.1.2,192.168.1.3,192.168.1.4(ro,​sync,​no_subtree_check) +uci set firewall.@zone[-1].name=OpenVPN 
-/​mnt/​sda3 ​  192.168.1.2(rw,​sync,​no_subtree_check) +uci set firewall.@zone[-1].input=ACCEPT 
-/​mnt/​sda4 ​  192.168.1.3(rw,​sync,​no_subtree_check)+uci set firewall.@zone[-1].forward=ACCEPT 
 +uci set firewall.@zone[-1].output=ACCEPT 
 +uci set firewall.@zone[-1].network=vpn0 
 +uci add firewall forwarding 
 +uci set firewall.@forwarding[-1].src='​vpn'​ 
 +uci set firewall.@forwarding[-1].dest='​wan'​
 </​code>​ </​code>​
-Assuming the daemons are already running, use the command ''​exportfs -ar''​ to reload and apply changes on the fly. 
  
-==== Network configuration ​====+==== Firewall Rules ====
-Edit your '/​etc/​config/​[[doc:​uci:​network]]'​ file: (see [[doc:​uci:​network#​protocol.3g.ppp.over.ev-do.cdma.umts.or.grps|network 3G section]] for more details)+
  
-<​code>​ +  * Traffic rules should go as close to the top of the //​firewall//​ config as possible, while interzone forwarding rules are input at the bottom (iptables is a hierarchical firewall) 
-config ​'​interface'​ '​wan'​ + 
-option '​ifname'​ '​ppp0'​ +  * <​code>​ 
-option '​pincode'​ '​1234'​ +vi /etc/config/firewall 
-option 'device' '/dev/ttyUSB0'​ +</​code>​ 
-option 'apn' 'your.apn+    * Rule protocol for VPNs should always be both TCP & UDP for troubleshooting purposes 
-option 'service' 'umts+    * VPNs should always use the UDP protocol, only using TCP for troubleshooting 
-option 'proto' '3g'+      * Allowing both prevents from having to edit the firewall every time troubleshooting is needed 
 +     
 +== Allow initial VPN connection == 
 +  * **LuCI:** //From any host in any zone To any router IP at port 1194 on this device ​(Accept Input)// 
 +  * <​code>​ 
 +config rule 
 +        ​option ​target ​'ACCEPT' 
 +        option proto 'tcp udp
 +        option ​family ​'ipv4' 
 +        option src '*
 +        option ​dest_port ​'1194' 
 +        option name 'Allow Inbound VPN0'
 </​code>​ </​code>​
  
-Replace ​'apn' ​with the correct APN of your 3g/umts provider.+== Allow Initial VPN Request to be Forwarded to Other Zones == 
 +  * **LuCI:** //From any host in any zone To any host, port 1194 in any zone (Accept Forward)//​ 
 +  * <​code>​ 
 +        option target '​ACCEPT'​ 
 +        option proto 'tcp udp' 
 +        option src '​*'​ 
 +        option dest '​*'​ 
 +        option name 'Allow Forwarded VPN0'​ 
 +        option dest_port ​'1194' 
 +</code>
  
-Note in case your APN also requires an username/password, you can configure ​this too, just add to the network configuration file:+== Once Assigned a VPN IP, Allow Inbound Traffic to LAN == 
 +  * **LuCI:** //From IP range 10.1.1.0/​24 ​in any zone To IP range 192.168.1.0/24 on this device (Accept Input)// 
 +  * <​code>​ 
 +config rule 
 +        option target '​ACCEPT'​ 
 +        option proto 'tcp udp' 
 +        option family '​ipv4'​ 
 +        option src '​*'​ 
 +        option src_ip '​10.1.1.0/​24'​ 
 +        option dest_ip '​192.168.1.0/​24'​ 
 +        option name 'Allow Inbound VPN0 Traffic ​to LAN' 
 +</​code>​
  
-==== Chap configuration ====+== Once Assigned a VPN IP, Allow Forwarded Traffic to LAN == 
 +  * **LuCI:** //From IP range 10.1.1.0/24 in any zone To IP range 192.168.1.0/​24 on this device (Accept Forward)//​ 
 +  * <​code>​ 
 +config rule 
 +        option target '​ACCEPT'​ 
 +        option proto 'tcp udp' 
 +        option family '​ipv4'​ 
 +        option src '​*'​ 
 +        option src_ip '​10.1.1.0/​24'​ 
 +        option dest '​*'​ 
 +        option dest_ip '​192.168.1.0/​24'​ 
 +        option name 'Allow Forwarded VPN0 Traffic to LAN' 
 +</​code>​
  
 +== Allow Outbound ICMP Traffic from VPN ==
 +  * **LuCI:** //ICMP From IP range 10.1.1.0/24 in any zone To any host in lan (Accept Forward)//
 +  * <​code>​
 +config rule
 +        option target '​ACCEPT'​
 +        option proto '​icmp'​
 +        option src_ip '​10.1.1.0/​24'​
 +        option src '​*'​
 +        option dest '​lan'​
 +        option name 'Allow Inbound ICMP Traffic from VPN0 to LAN'
 +</​code>​
  
 +== Allow Outbound Ping Requests from VPN ==
 +  * **LuCI:** //ICMP with type echo-request From IP range 10.1.1.0/24 in any zone To any host in wan (Accept Forward)//
 +  * <​code>​
 +config rule
 +        option target '​ACCEPT'​
 +        option proto '​icmp'​
 +        option src '​*'​
 +        option src_ip '​10.1.1.0/​24'​
 +        option dest '​wan'​
 +        option name 'Allow Outbound ICMP Echo Request (8)'
 +        list icmp_type '​echo-request'​
 +</​code>​
  
-==== Client configuration ==== +== InterZone Forwarding ​== 
-=== Linux === +  * **LuCI:** //Firewall - Zones - VPN - Edit - Interzone Forwarding//​ 
-Mount manually+  ​* ​<​code>​ 
-<​code>​ +config forwarding 
-sudo mount 192.168.1.254:/​mnt/​share1 /​home/​sandra/​nfs_share+        option dest '​vpn'​ 
 +        option src '​lan'​ 
 + 
 +config forwarding 
 +        option dest '​lan'​ 
 +        option src '​vpn'​
 </​code>​ </​code>​
 +==== Commit Changes ====
  
-Or mount permanently with entries in the ''/​etc/​fstab''​ on each client PC: +  * <​code>​ 
-<​code>​ +uci commit network ; /etc/init.d/network reload ; uci commit firewall ; /etc/init.d/firewall restart
-# Intranet +
-192.168.1.254:​/mnt/sda2 /​media/​openwrt ​   nfs     ​ro,​async,​auto ​   0       0 +
-192.168.1.254:/mnt/sda4 /media/remote_stuff ​   nfs     ​rw,​async,​auto ​   0       0 +
-#+
 </​code>​ </​code>​
  
-Check the [[http://​linux.die.net/​man/​8/​mount|manpage for mount]].+==== Create VPN Server Config ====
  
-=== Windows ===+  * <​code>​ 
 +echo > /​etc/​config/​openvpn ; vi /​etc/​config/​openvpn 
 +</​code>​ 
 +  * Paste the following //(will need to update to your custom port, locations, subnets, etc.)//: 
 +    * <​HTML>​ 
 +<p style="​padding:​ 12px;​border:​1px solid grey;​height:​300px;​font:​12px/​14px Georgia, Garamond, Serif;​overflow:​Auto;​background-color:#​FFFFFF">​ 
 +<​code>​ 
 +config openvpn '​VPN-Server'​
  
-=== Mac OS X ===+        option enabled ​    '​1'​
  
 +    # --- Protocol ---#
 +        option dev         '​tun'​
 +        option dev         '​tun0'​
 +        option topology ​   '​subnet'​
 +        option proto       '​udp'​
 +        option port        '​1194'​
  
-===== Examples ===== +    #--- Routes ---# 
-   *[[doc:​howto:​tc:​tc.example1|example1:​ PRIO one user, simple prioritizing]] +        ​option server ​   '10.1.1.0 255.255.255.0'
-   ​*[[doc:​howto:​tc:​tc.example3|example3:​ HFSC several user with all sorts of traffic]]+
  
-===== Start on boot ===== +    #--- Client Config ---# 
-To enable/​disable start on boot:\\ +#       ​option ccd_exclusive ​          '1' 
-''​/​etc/​init.d/​umurmur enable'' ​ this simply creates a symlink: ''/etc/rc.d/S90umurmur -> /etc/init.d/umurmur''\\ +#       ​option ifconfig_pool_persist ​  '/etc/openvpn/clients/private/ipp.txt
-''/etc/init.d/umurmur disable'' ​this removes the symlink again\\+#       ​option client_config_dir ​      '/etc/openvpn/​clients/private' 
 +        option ifconfig ​               '​10.1.1.1 255.255.255.0'
  
-===== Administration ===== +    #--- Pushed Routes ---# 
-TODO+        list push    'route 192.168.1.0 255.255.255.0'​ 
 +        list push    '​dhcp-option DNS 192.168.1.1'​ 
 +        list push    '​dhcp-option WINS 192.168.1.1'​ 
 +        list push    '​dhcp-option DNS 8.8.8.8'​ 
 +        list push    '​dhcp-option DNS 8.8.4.4'​ 
 +        list push    '​dhcp-option NTP 129.6.15.30'​
  
-===== Troubleshooting ===== +    #--- Encryption ---# 
-If you get something like this: +        ​option cipher ​    '​AES-256-CBC'​ 
-<​code>​ +        ​option dh         '/​etc/​openvpn/​keys/​VPN-Server/​dh2048.pem'​ 
-Try `iptables ​-h' ​or 'iptables ​--help' ​for more information.+        ​option pkcs12 ​    '/​etc/​openvpn/​keys/​VPN-Server/​VPN-Server.p12' 
 +        option tls_auth ​  '/​etc/​openvpn/​keys/​VPN-Server/​ta.key 0' 
 + 
 +    #--- Logging ---# 
 +        option log           '/​tmp/​openvpn-private.log' 
 +        option status ​       '/​tmp/​openvpn-private-status.log'​ 
 +        option verb          '​7'​ 
 + 
 +    #--- Connection Options ---# 
 +        option keepalive ​       '10 120' 
 +        option comp_lzo ​        '​yes'​ 
 + 
 +    #--- Connection Reliability ---# 
 +        option client_to_client '​1'​ 
 +        option persist_key ​     '​1'​ 
 +        option persist_tun ​     '​1'​ 
 + 
 +    #--- Connection Speed ---#     
 +        option sndbuf ​           '​393216'​ 
 +        option rcvbuf ​           '​393216'​ 
 +        option fragment ​         '​0'​ 
 +        option mssfix ​           '​0'​ 
 +        option tun_mtu ​          '​48000'​ 
 + 
 +    #--- Pushed Buffers ---# 
 +        list push    '​sndbuf 393216'​ 
 +        list push    '​rcvbuf 393216'​ 
 + 
 +    #--- Permissions ---# 
 +        option user     '​nobody'​ 
 +        option group    '​nogroup'​
 </​code>​ </​code>​
-then bla bla bla+</​p>​ 
 +</​HTML>​ 
 + 
 +  * The CCD (under Client Config) directives are commented out, as you will need to read the [[https://​openvpn.net/​index.php/​open-source/​documentation/​howto.html#​policy|OpenVPN HowTo]] to understand what it is and how to use it. The only option under //Client Config// that should __not__ be commented out is //option ifconfig//​ 
 + 
 +  * Two or more servers can be run from this config file 
 +    * To add additional servers, simply copy and paste the first config directly below itself, with a blank line separating the two.  Customize the second server config, making sure not to forget to change the second //option dev// (under //​Protocol//​) to the correct interface name.  
 +==== Create Client Configurations ==== 
 + 
 +  * The server'​s TLS key (text from //ta.key//) goes in the blank xml space between //Begin// and //End// 
 + 
 +== Windows == 
 +  * <​code>​ 
 +client 
 +dev tun 
 +tun-mtu 48000 
 +fragment 0 
 +mssfix 0 
 +proto udp 
 +remote your.ddns.com 1194 
 +float 
 +resolv-retry infinite 
 +nobind 
 +persist-key 
 +persist-tun 
 +pkcs12 VPN-Server-Client-1.p12 
 +key-direction 1 
 +<​tls-auth>​ 
 +-----BEGIN OpenVPN Static key V1----- 
 + 
 +-----END OpenVPN Static key V1----- 
 +</​tls-auth>​ 
 +remote-cert-tls server 
 +cipher AES-256-CBC 
 +auth-nocache 
 +verb 5 
 +comp-lzo 
 +</​code>​ 
 +    * In Windows, if the p12 isn't stored in the same directory as the ovpn config file, you will need to reference the path to the p12 cert (don't forget, in Windows you must use double backslashes,​ i.e. //"​C:​\\Program Files\\OpenVPN\\Config\\"//​). 
 + 
 +== Android == 
 +  * <​code>​ 
 +client 
 +dev tun 
 +tun-mtu 48000 
 +fragment 0 
 +mssfix 0 
 +proto udp 
 +remote your.ddns.com 1194 
 +float 
 +nobind 
 +persist-key 
 +persist-tun 
 +key-direction 1 
 +<​tls-auth>​ 
 +-----BEGIN OpenVPN Static key V1----- 
 + 
 +-----END OpenVPN Static key V1----- 
 +</​tls-auth>​ 
 +remote-cert-tls server 
 +cipher AES-256-CBC 
 +auth-nocache 
 +verb 5 
 +comp-lzo 
 +</​code>​ 
 +    * [[https://​play.google.com/​store/​apps/​details?​id=de.blinkt.openvpn&​hl=en|OpenVPN for Android]] is the best app for VPNs on Android 
 +    * In Android, there is no need to reference a p12 file, as it's installed into the Android Keychain. ​ A security feature will cause a warning toast to always appear in the notification area due to user installed certs. 
 +      * This warning can be removed if you have a rooted or bootloader unlocked device by following [[http://​forum.xda-developers.com/​google-nexus-5/​help/​howto-install-custom-cert-network-t2533550|this]] tutorial on XDA-Developers. ​ It involves a minor edit and permissions change, which transfers the PKCS12 certificate from userland to system trusted. 
 + 
 +==== VPN Wikis ==== 
 +  
 +== OpenWRT == 
 +  * [[http://​wiki.openwrt.org/​doc/​howto/​vpn.openvpn|OpenVPN Setup Guide for Beginners]] 
 +  * [[http://​wiki.openwrt.org/​inbox/​vpn.howto|OpenVPN Server HowTo]] 
 +  * [[http://​wiki.openwrt.org/​doc/​howto/​vpn.server.openvpn.tun|Using OpenWRT as an OpenVPN Server with a TUN Device]]
  
-===== Notes ===== +== OpenVPN ​== 
-  * The Project Homepage: ​[[http://mumble.sourceforge.net/]] +  * [[https://docs.openvpn.net/docs/​openvpn-connect/​openvpn-connect-android-faq.html|OpenVPN Connect Android FAQ]] 
-  * a very good tutorial: ​[[http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html]]+  * [[https://openvpn.net/index.php/open-source/​documentation/​howto.html|OpenVPN HowTo]] 
 +  * [[https://​community.openvpn.net/​openvpn/​wiki/​Openvpn23ManPage|OpenVPN Man Page]]
  
 +== XDA Developers ==
 +  * [[http://​forum.xda-developers.com/​google-nexus-5/​help/​howto-install-custom-cert-network-t2533550|Remove "Your Network Could be Monitored"​ Toast]]
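Review bot: The firewall zone created under "Allow OpenVPN Tunnel Utilization" is named `OpenVPN` (`uci set firewall.@zone[-1].name=OpenVPN`), but every forwarding that follows refers to a zone called `vpn` (`uci set firewall.@forwarding[-1].src='vpn'` and both `config forwarding` blocks under "InterZone Forwarding"), so those forwardings will not bind to the VPN zone; either name the zone `vpn` or change the forwarding src/dest to `OpenVPN`. Related points in the same region: the block under "Allow Initial VPN Request to be Forwarded to Other Zones" lacks its opening `config rule` line, so pasted as shown its options would attach to whatever section precedes it instead of defining a new rule; and because the zone is created with `input=ACCEPT` and `forward=ACCEPT`, the later per-subnet rules restricting 10.1.1.0/24 to 192.168.1.0/24 never have anything to restrict. A least-privilege layout would leave the zone's input and forward at REJECT and let only the explicit rules allow traffic. The certificate section and the server config also disagree on paths and names: the keys are copied to `/etc/openvpn/keys` by `cp -R keys /etc/openvpn`, while the server config reads `/etc/openvpn/keys/VPN-Server/VPN-Server.p12` and `/etc/openvpn/keys/VPN-Server/ta.key 0`; `build-key-server my-server` produces a crt/key pair rather than a p12; the client configs reference `VPN-Server-Client-1.p12` although the client was built as `my-client`; and no step generates the `ta.key` that `tls_auth` and the clients' `<tls-auth>` blocks depend on, so a reader following the steps literally ends up with a server that cannot start. Smaller items: `option dev 'tun'` directly followed by `option dev 'tun0'` is a duplicated key where only the last value takes effect, the rule named "Allow Inbound ICMP Traffic from VPN0 to LAN" sits under a heading that calls it outbound, and `option verb '7'` writes very detailed logs to /tmp, which is only appropriate while debugging.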
meta/template_howto.1352567948.txt.bz2 · Last modified: 2012/11/10 18:19 (external edit)