Openvpn road warrior howto
This howto explains how to set up an OpenVPN server in road warrior mode, where an external laptop can join the home local network through an encrypted VPN tunnel, access resources on the LAN/intranet, and still browse the internet safely. This configuration suits anyone who wants to connect securely to the company office or the home network, even from insecure wifi hotspots provided by airports, cafes, hotels, or other public places.
Requirements and notes
Broadband connection
Broadband router with port forwarding and DynDns support
OpenVPN server (Ubuntu server is ok)
Home router public address: home.dyndns.org
Home router ip address: 192.168.1.1
Home vpn server: 192.168.1.251
1) Subscribe to DynDNS or another dynamic DNS service, then enable port forwarding on the router. In this case port 1194 UDP is forwarded to port 1194 UDP on the OpenVPN server inside the LAN, 192.168.1.251.
Port forwarding
2) OpenVPN server configuration
Install the required software
apt-get install openvpn openssl bridge-utils
3) OpenVPN key generation
Copy the easy-rsa scripts to the OpenVPN directory
cp -a /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn/
Go to /etc/openvpn/easy-rsa/2.0/ and open the file called vars; edit the last five lines according to your parameters. "US" must be replaced with your country code.
export KEY_COUNTRY="US"
export KEY_PROVINCE="US"
export KEY_CITY="mycity"
export KEY_ORG="vpn"
export KEY_EMAIL="myname@myemail.org"
Then run the following commands; creating the certification authority is very straightforward.
. ./vars
./clean-all
./build-ca
Now create the server key and certificate
./build-key-server server
Now generate the keys for the users; user1 can be the username as well.
./build-key user1
Generate the Diffie-Hellman parameters
./build-dh
Generate the static tls-auth key
openvpn --genkey --secret ta.key
Server side configuration.
Create a directory called /etc/openvpn/keys.
mkdir /etc/openvpn/keys
Copy the keys and certificates previously generated into the server keys folder. easy-rsa 2.0 writes the certificates and keys to its keys/ subdirectory, while ta.key was created in the current directory, so run this from /etc/openvpn/easy-rsa/2.0/.
cp keys/ca.crt keys/server.crt keys/server.key keys/dh1024.pem ta.key /etc/openvpn/keys
In /etc/openvpn/ create a file called server.conf
# /etc/openvpn/server.conf
local 192.168.1.251
port 1194
proto udp
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
tls-auth /etc/openvpn/keys/ta.key 0
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.1 255.255.255.0 192.168.1.70 192.168.1.79
keepalive 10 120
push "redirect-gateway def1"
max-clients 5
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
The bridge script is needed to combine the ethernet interface with one or more virtual TAP interfaces by bridging them together.
In /etc/init.d/ create a file called bridge.sh
#!/bin/bash
# bridge.sh
# Create global variables
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth1"
eth_ip="192.168.1.251"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"
# Default gateway: the home router, not the VPN server's own address
gw="192.168.1.1"
start_bridge () {
    #################################
    # Set up Ethernet bridge on Linux
    #################################
    for t in $tap; do
        openvpn --mktun --dev $t
    done
    for t in $tap; do
        ifconfig $t 0.0.0.0 promisc up
    done
    ifconfig $eth 0.0.0.0 promisc up
    brctl addbr $br
    brctl addif $br $eth
    for t in $tap; do
        brctl addif $br $t
    done
    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
    route add default gw $gw $br
}
stop_bridge () {
    ####################################
    # Pull Down Ethernet bridge on Linux
    ####################################
    ifconfig $br down
    brctl delbr $br
    for t in $tap; do
        openvpn --rmtun --dev $t
    done
    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
    route add default gw $gw $eth
}
case "$1" in
    start)
        echo -n "Starting Bridge"
        start_bridge
        ;;
    stop)
        echo -n "Stopping Bridge"
        stop_bridge
        ;;
    restart)
        stop_bridge
        sleep 2
        start_bridge
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}" >&2
        exit 1
        ;;
esac
Make the bridge script executable and enable it at system boot.
chmod +x /etc/init.d/bridge.sh
update-rc.d bridge.sh defaults
On the client side
Install openvpn.
apt-get install openvpn
Create the keys directory
mkdir /etc/openvpn/keys
Copy the keys and certificates from the server to the client in a secure way (preferably with scp), running from /etc/openvpn/easy-rsa/2.0/ on the server.
scp keys/ca.crt keys/user1.crt keys/user1.key ta.key user@laptop:/etc/openvpn/keys
In /etc/openvpn create a file called client1.conf with this configuration
client
dev tap0
proto udp
remote home.dyndns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/user1.crt
key /etc/openvpn/keys/user1.key
tls-auth /etc/openvpn/keys/ta.key 1
verb 5
ping 10
ping-restart 60
explicit-exit-notify 2
Starting the VPN on the laptop
As root type
openvpn --config /etc/openvpn/client1.conf
On the laptop a virtual interface called tap0 will acquire an IP address from your home local area network; this grants access to the home/office resources through the encrypted tunnel.
If you want to learn more about OpenVPN, check the OpenVPN 2 Cookbook.
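As an added pre-flight check, not part of the original howto, the following Python script parses an OpenVPN config written in the style of the server.conf and client1.conf above and reports referenced key files that do not exist and a tls-auth direction that does not match the side (0 on the server, 1 on the client); the sample client config and the laptop file list are constructed here, and the exists() hook is an assumption so the check can run offline.

```python
import os

# Directives whose first argument is a file that must exist on this host.
FILE_DIRECTIVES = {"ca", "cert", "key", "dh", "tls-auth"}
# tls-auth key direction: 0 on the server, 1 on every client.
TLS_AUTH_DIRECTION = {"server": "0", "client": "1"}


def parse_openvpn_config(text):
    """Return [(directive, [args])]; skips blank and '#'/';' comment lines.
    A leading '--' (command-line form) is stripped so both spellings parse."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            parts = line.split()
            entries.append((parts[0].lstrip("-"), parts[1:]))
    return entries


def check_openvpn_config(text, role, exists=os.path.isfile):
    """Return a list of problems in a 'server' or 'client' config.
    exists() is injectable so the check runs offline against sample text."""
    problems = []
    entries = parse_openvpn_config(text)
    names = {d for d, _ in entries}
    for directive, args in entries:
        if directive in FILE_DIRECTIVES and not (args and exists(args[0])):
            problems.append(f"{directive}: file not found: {args[0] if args else '<none>'}")
        if directive == "tls-auth":
            want, got = TLS_AUTH_DIRECTION[role], (args[1] if len(args) > 1 else None)
            if got != want:
                problems.append(f"tls-auth: direction must be {want} on {role}, got {got}")
    if role == "client" and "remote" not in names:
        problems.append("client: no 'remote' directive")
    if role == "server" and not names & {"server", "server-bridge"}:
        problems.append("server: no 'server' or 'server-bridge' directive")
    return problems


# Constructed sample: a client config whose tls-auth line points ta.key at the
# wrong directory and reuses the server's key direction 0.
SAMPLE_CLIENT = """\
client
remote home.dyndns.org 1194
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/user1.crt
key /etc/openvpn/keys/user1.key
tls-auth /etc/openvpn/ta.key 0
"""
# Files the laptop would have after the scp step in the howto (constructed).
LAPTOP_FILES = {"/etc/openvpn/keys/" + f for f in ("ca.crt", "user1.crt", "user1.key", "ta.key")}
```

Run check_openvpn_config(open(path).read(), "client") on the laptop or with "server" on the server before the first connection attempt; an empty list means every referenced file is in place and the key direction matches the side.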
22/07/2011 at 8:33 pm
I have a Debian Squeeze but I have a problem here:
root@server01:/etc/openvpn/easy-rsa/2.0# cp ca.crt server.crt server.key dh1024.pem ta.key /etc/openvpn/keys
cp: impossibile eseguire stat di “ca.crt”: No such file or directory
cp: impossibile eseguire stat di “server.crt”: No such file or directory
cp: impossibile eseguire stat di “server.key”: No such file or directory
cp: impossibile eseguire stat di “dh1024.pem”: No such file or directory
root@server01:/etc/openvpn/easy-rsa/2.0#
I haven't understood why…
GbMax78