Friday, October 12, 2007

openVPN - Homing from work.

The company I work for has graciously set up a VPN (Virtual Private Network) to allow me to be able to work for them at all hours of the day or night, so I figured, heck, why not return the favour and set up my own VPN so I could be "home" at all hours of the work day?

Besides, this would make connecting to the Asterisk server a lot easier as a VPN hides all the NAT issues that so plague the SIP VoIP standard.

So here is the process I used to get my VPN working.

First a summary of what I did:

1) Install openvpn on my MythDora box
2) Generate the necessary certificate files for server and clients
3) Configure the openvpn server on the MythDora box
4) Copy over the client certificates to my laptop
5) Download the Openvpn compatible client and install it on my laptop
6) Configure the Openvpn client
7) Configure your home router
8) Test the connection
9) Configure openvpn server to start on reboot.

Install openvpn on my MythDora box:

From my home Linux box (same one I used for both MythTV and Asterisk) I open a terminal session and type:

# yum install openvpn

This installs the openvpn software and creates these two directories:

For the tools needed to create certificates: /usr/share/openvpn/easy-rsa/2.0/
Config examples: /usr/share/doc/openvpn-2.1

Generate the necessary certificate files for server and clients:

Now the "hard part" (actually everything went pretty smoothly). You can find the basic quick start instructions here, but those instructions take you through a lot of steps that you don't need to go through, such as installing the software in some other manner than by using the "yum" command above. The configuration and certificate creation information still applies, but rather than just send you over to read some long document and try to figure out on your own what to ignore and what is important, here is what I did (keep in mind, my Linux distribution is MythDora 4.0; different distributions may not work the same way.)

In the /usr/share/openvpn/easy-rsa/2.0/ directory you need to initialize your "certificate authority". You do this by running the following (note: you can edit the vars file to change the "export KEY_SIZE=1024" entry to "export KEY_SIZE=2048" if you feel you need the extra security ... I did, as I am connecting from work and I don't want to take any unnecessary chances):

# . ./vars
# ./clean-all
# ./build-ca

When you run the ./build-ca program, you will be prompted for information. It's really not that important what you respond with, but it should make some sense. Ex: in my case:

Country Name (2 letter code) [KG]: CA
State or Province Name (full name) [NA]: Ontario
Locality Name (eg, city) [BISHKEK]: Toronto
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:MythTV
Email Address [me@myhost.mydomain]:

Next you need to create the "server certificates". You do this by running the following command:

./build-key-server server

When prompted for the "Common Name" enter the word "server". For the following two prompts that require input, I answered "y".

Now, you will need to create the "client certificates", note that you will need to run this process as many times as the number of machines that you will be connecting to your VPN. In my case I only have one laptop that I want connected, so I only needed to run this "client certificate creation" process one time (I ran it twice though to create a second set of certificates just in case I wanted to use them on another system, maybe give a set to my brother so he could VPN into my network and have his own extension off my Asterisk later on?) Each time you run this process, use a unique "Common Name". In my case I just used "client1" and "client2". Again, the last two prompts of each client certificate build process I responded "Y".

./build-key client1
./build-key client2

Next we create our "Diffie-Hellman parameters" by running the following:

./build-dh

This will take several minutes so be patient.

Configure the openvpn server on the MythDora box:

So, now we can look in the /usr/share/openvpn/easy-rsa/2.0/keys directory and see a bunch of files. These are your certificates and related files. To make them easier to find in the future I created a directory /etc/openvpn and copied the /usr/share/openvpn/easy-rsa/2.0/keys directory there (cp needs -r to copy a directory):

# mkdir -p /etc/openvpn
# cp -r /usr/share/openvpn/easy-rsa/2.0/keys /etc/openvpn/

Now we need to create the configuration files for the server and client. The recommended procedure is to copy the example files over from the examples directory mentioned above and modify them for your purposes, but I will provide you with the configuration I used and highlight the parts that you may want to change for your own configuration. Keep in mind that in my configuration I have an internal network of 192.168.1.0/255.255.255.0, and the VPN will create a virtual adapter on my Linux server with the subnet 10.8.0.0/255.255.255.0, of which the VPN clients will be part when they connect.

The clients, when they run the VPN client software, will connect to my MythDora server as 10.8.0.x ("x" being some number between 2 & 254) and see the MythDora server as 10.8.0.1.

First the server configuration file (/etc/openvpn/server.conf):

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server? I used TCP as I have to
# traverse two NAT firewalls and UDP sucks at
# that depending upon the routers and firewalls
# being used.
proto tcp
;proto udp

# Read the config file or documentation to figure this one out
# but I would suggest you just leave it as is.
dev tun

# These are your CA certificate, server certificate and server key.
# If you put them somewhere else, change the location.
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
# server.key is your server's private key, keep it private (secret.)

# Diffie-Hellman parameters, 2048 bit because KEY_SIZE=2048 was set
# in vars (build-dh names the file after the key size, so with the
# default 1024 this would be dh1024.pem). If different location,
# then update path.
dh /etc/openvpn/keys/dh2048.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.1.0 255.255.255.0"
# In my case I wanted any client connecting to the VPN
# to know to go through the VPN to get to the
# 192.168.1.0 network.
# You may have different requirements
# or a different network config.

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both), so "log" is commented out here.
;log openvpn.log
log-append openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
mute 20

I've left out a bunch of other parameters that could be used, so have a look through the various example config files, or read the documentation to see what else can be configured.

Copy over the client certificates to my laptop:

OK, next we need to copy over the following files to your client machine:

ca.crt
client1.crt
client1.key

Note: this is for "client1", if it were for "client2" you'd copy over the "client2" files and the common "ca.crt" file.

The way you do the copy is not important, except that the more secure method you use the better ... moving the files by floppy and destroying the floppy after you're finished is pretty safe ... sending the files by email or on a public BBS is a pretty damn poor way to go about it ... I used sftp which is very safe, and convenient if you have a sftp client such as filezilla.

Download the Openvpn compatible client and install it on my laptop:

You can use whichever openvpn compatible client you wish. I used this one (the OpenVPN GUI for Windows), so naturally the instructions below are for the client I used.

This is a standard Windows install: simply download the client installer and run it.

Configure the Openvpn client:

First, you need to move the client certificates you copied over to your client machine into the "C:\Program Files\OpenVPN\config" directory.

Next you need to edit the "C:\Program Files\OpenVPN\config\client.ovpn" file and make the following edits:

Make sure "dev tun" is uncommented and "dev tap" is commented out

Uncomment "proto tcp" and comment "proto udp".

Edit "remote my-server-2 1194" to change "my-server-2" to your hostname. (If you have a registered domain name for your home network and a static address, then use that; if not, I suggest you open a free dynamic DNS account, set up a free domain name under one of their main domains and set up your router to update their records, or download and run one of their clients ... I'll create a separate posting later to explain how to do this in more detail.)

Make sure the proper certificates are being specified, and that they are in the "C:\Program Files\OpenVPN\config" directory. The default client.ovpn file has these as the defaults and they should be left as such unless you moved the certificates somewhere else or used a different Common Name than "client1":

ca ca.crt
cert client1.crt
key client1.key
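Pulling those edits together, here is a complete client.ovpn that matches the server.conf above. This is an added example, not the file from the original post: myhome.example.org is a placeholder for your dynamic DNS name, and the ns-cert-type line assumes the server certificate was built with ./build-key-server as shown above (easy-rsa marks it nsCertType=server), so the client will refuse a peer that presents a plain client certificate such as client2.crt.

```conf
# C:\Program Files\OpenVPN\config\client.ovpn
# Client side of the server.conf shown earlier (added example).
client
dev tun
# Must match "proto tcp" in server.conf
proto tcp
# Placeholder hostname; port 1194 is the one forwarded on the home router
remote myhome.example.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Certificates copied from /etc/openvpn/keys on the MythDora box
ca ca.crt
cert client1.crt
key client1.key
# Only trust a server certificate created with ./build-key-server
# (it carries nsCertType=server); a client certificate cannot pose
# as the server.
ns-cert-type server
# server.conf has comp-lzo, so the client must enable it too
comp-lzo
verb 3
```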

Configure your home router:

You will have to forward tcp port 1194 to your MythDora box. For testing purposes you should make the MythDora box the "DMZ host", then once you confirm everything works, turn off the "DMZ Host" access and just forward the single 1194 TCP port.

Each router is different in how you make this configuration, but generally speaking the options you are looking for are called "DMZ" and "Port Forwarding".

Test the connection:

To fully test the connection you will need to go to the office and do the final test from there. Before I did this I decided to configure my router to make my MythDora machine the "DMZ" host, meaning it was basically sitting out on the Internet and could be accessed using the external real IP address. I would recommend that you shut down all the other services like MythTV, apache, webmin, vncserver, smb, tftp, cvs, nfs, mysqld, and any other service that a hacker might use to gain easy access to the system. I could then access my server via ssh mythtv@ and make any necessary configuration changes in case the VPN failed.

Once at the office I ssh (I use putty as my ssh client) to my MythDora server, log in and "su" to root, and start up a temporary openvpn session (I actually open two connections to my MythDora box so I can look at the logs if necessary.)

To start the openvpn session type:

/usr/sbin/openvpn /etc/openvpn/server.conf

The session may seem to hang, but it is actually doing something.

Now you can run the Windows openvpn client and see if it will connect to your server. If not, in the /etc/openvpn directory you will find a couple of log files, openvpn.log being the most useful one for troubleshooting. You can also right click on the Windows openvpn client icon in the system tray and select "View Log" to examine what's going on from the client side.

You can test the actual connection by opening a new ssh session on your laptop and trying to ssh to the openvpn virtual adapter address, 10.8.0.1 by default. If you get a login prompt and can actually log in using that address, then everything else should work fine.
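Once the server is running, the file written by the "status openvpn-status.log" directive in server.conf tells you which client certificates are connected, which is worth checking now and then since anyone holding a copy of client2.crt and client2.key gets onto your network. This is an added example, not part of the original post: the status file contents are constructed in the OpenVPN version-1 status layout, and the allowed list (client1, client2) is the set of Common Names you built with ./build-key.

```shell
# Report which client certificates are connected to the OpenVPN server by
# parsing the status file the "status openvpn-status.log" directive writes
# (version-1 layout), and flag any Common Name that you did not issue.
# Constructed sample status file, not a real capture (203.0.113.0/24 is the
# documentation range); on the server use /etc/openvpn/openvpn-status.log.
STATUS_FILE="${TMPDIR:-/tmp}/openvpn-status-sample.$$"
trap 'rm -f "$STATUS_FILE"' EXIT
cat > "$STATUS_FILE" <<'EOF'
OpenVPN CLIENT LIST
Updated,Fri Oct 12 21:05:10 2007
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.17:49152,148201,2071133,Fri Oct 12 20:31:02 2007
client3,203.0.113.88:51000,1024,2048,Fri Oct 12 21:04:59 2007
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,203.0.113.17:49152,Fri Oct 12 21:05:01 2007
10.8.0.10,client3,203.0.113.88:51000,Fri Oct 12 21:05:09 2007
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF

# Print "CommonName VirtualIP RealAddress", one connected client per line,
# joining the CLIENT LIST and ROUTING TABLE sections on the Common Name.
connected_clients() {
    awk -F, '
        /^OpenVPN CLIENT LIST/ { sect = "clients"; next }
        /^ROUTING TABLE/       { sect = "routes";  next }
        /^GLOBAL STATS/        { sect = "";        next }
        sect == "clients" && NF == 5 && $1 != "Common Name"     { real[$1] = $2 }
        sect == "routes"  && NF == 4 && $1 != "Virtual Address" { vip[$2] = $1 }
        END {
            for (cn in real)
                printf "%s %s %s\n", cn, (cn in vip) ? vip[cn] : "-", real[cn]
        }
    ' "$1" | sort
}

# Print connected clients whose Common Name is not in the allowed list given
# as the remaining arguments (the names you used with ./build-key).
unexpected_clients() {
    file="$1"; shift
    connected_clients "$file" | while read -r cn vip real; do
        ok=0
        for allowed in "$@"; do [ "$cn" = "$allowed" ] && ok=1; done
        [ "$ok" -eq 1 ] || echo "$cn $vip $real"
    done
}
unexpected_clients "$STATUS_FILE" client1 client2
```

On the real server, run it against /etc/openvpn/openvpn-status.log; an unexpected name means a certificate you did not hand out is in use and should be revoked.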

Configure openvpn server to start on reboot:

As root run the command:
# chkconfig openvpn on

---------------------------------------------

Note 1: in order to use this VPN it is probably best to have a domain name to use, especially if you are like most home users and have an external IP address that can change at any time.

To this end I used the Dynamic DNS servers from www.dyndns.org, which is free and handles the problem of having a "dynamic IP address". I will create a new post detailing the registration, installation and configuration of this service soon.

Note 2: At the moment my SIP client software on my laptop running over the VPN can make and accept telephone calls (SIP,) but for some reason the actual voice stream (rtp) is not passed on ... I haven't had a chance to investigate this, but I recall reading that this is a common problem with a relatively simple fix, but I haven't had an opportunity to research the problem ... when I find the fix for this problem I will post it.

1 comment:

Anonymous said...

Who knows where to download XRumer 5.0 Palladium?
Help, please. All recommend this program to effectively advertise on the Internet, this is the best program!