# OpenVPN on Gentoo and OpenBSD #
*Sep 23, 2005*
Well, in the name of helping add to the wonderful and useful infrastructure of unsecured wifi access points this city is building, I haven't wanted to use WEP or anything. However, I've been concerned about the easy access to my network. So I finally popped another ethernet card into Janus, my firewall, and routed the wifi box through that. Voila, segregated wireless. But now my laptop Nika wasn't on my network and couldn't share files easily, etc.
So the solution was to create a VPN. I'd been wanting to do this already so I could use it remotely, but now I finally had some really good motivation.
So, to start, I `pkg_add`ed openvpn with OpenBSD on Janus and emerged openvpn on my laptop Nika. Portage notified me that the 2.x series won't work with the 1.x series that OpenBSD 3.7 has. So I `pkg_delete`d that and downloaded and installed a fresh version on Janus from the openvpn site. One hitch: I had to run `./configure` with `--with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib`.
Then came the fun of configuring them and using SSL/TLS. Useful references, in rough order, are:
* [Official OpenVPN 2.x HowTo](http://openvpn.net/howto.html)
* [VPN Guide on Gentoo Wiki](http://gentoo-wiki.com/HOWTO_Road_Warriors_with_OpenVPN)
* [OpenBSD networking tutorial: Networking, Bridging, and OpenVPN](http://www50.brinkster.com/dachee/)
* [OpenVPN 2.x on OpenBSD](http://blog.innerewut.de/articles/2005/07/04/openvpn-2-0-on-openbsd)
A couple of points: while syntax like

```
dev tap
```

worked on Linux, on OpenBSD you needed

```
dev-type tap
dev tun0
```
Of the guides, only the official OpenVPN HowTo's instructions, which use the easy-rsa directory and scripts that OpenVPN ships, produced SSL certificates and keys that didn't cause connection errors.
Also, as a client connecting to a remote server by name, you can add the `float` option so the client will accept packets from IPs other than the one the `remote` name resolved to (in my case I specify Janus.mindstab.net so it resolves from anywhere on the internet, but when I'm at home it resolves to a private network address).
OpenBSD bridging is pretty easy:

```
# cat /etc/bridgename.bridge0
add vr0
add tun0
up
# cat /etc/hostname.tun0
link0 up
```
Then I added some rules to pf to segregate my wireless network and allow the VPN to work.
The relevant parts of my `pf.conf` are below:
```
ext_if="vr0"
int_if="vr1"
wi_if="xl0"
vpn_if="tun0"
int="192.168.1.0/24"
wi="192.168.2.0/24"
vpn="192.168.3.0/24"
inferno="192.168.1.2/32"

scrub in all

nat on vr0 from $int to any -> (vr0)
nat on vr0 from $wi to any -> (vr0)

# FTP proxy
rdr on $int_if proto tcp from any to $ext_if port 21 -> 127.0.0.1 port 8021
rdr on $wi_if proto tcp from any to $ext_if port 21 -> 127.0.0.1 port 8021
rdr on $vpn_if proto tcp from any to $ext_if port 21 -> 127.0.0.1 port 8021
# VNC
rdr on $ext_if proto tcp from any to (vr0) port 5900 -> $inferno
# BitTorrent
rdr on $ext_if proto tcp from any to (vr0) port 6881 -> $inferno

# for active mode FTP connections
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state

antispoof quick for $int_if inet
antispoof quick for $wi_if inet
antispoof quick for $vpn_if inet

# segregate wireless (making it dmz ish)
block in on $wi_if from any to $int_if
block in on $int_if from any to $wi
block in on $vpn_if from any to $wi

# secure janus
block in on $wi_if from any to 192.168.2.1
pass in on $wi_if proto udp from any to $wi_if port 1194
# don't really need since vpn is working
#pass in on $wi_if proto tcp from any to $wi_if port ssh
#pass in on $wi_if proto udp from any to $wi_if port ssh
...
```
My server's OpenVPN `local.conf`:

```
dev-type tap
dev tun0
server 192.168.3.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/mindstab/ip_pool
mode server
status /var/log/openvpn-status.log
# extra auth channel encryption. One of the non official
# tutorials first showed me how to nicely set this up
tls-auth /etc/openvpn/mindstab/mindstab-key.txt 0
keepalive 10 30
client-to-client
#max-clients 150
verb 3
tls-server
dh /etc/openvpn/mindstab/dh1024.pem
ca /etc/openvpn/mindstab/ca.crt
cert /etc/openvpn/mindstab/server.crt
key /etc/openvpn/mindstab/server.key
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
```
And the laptop client's OpenVPN `local.conf`:

```
#float allows openvpn to accept packets from
#ips that aren't what the remote line resolves to
float
remote janus.mindstab.net
dev tap
client
resolv-retry infinite
mute-replay-warnings
verb 3
persist-tun
persist-key
tls-auth /etc/openvpn/mindstab/mindstab-key.txt 1
tls-client
ca /etc/openvpn/mindstab/ca.crt
cert /etc/openvpn/mindstab/nika.crt
key /etc/openvpn/mindstab/nika.key
comp-lzo
# adds a route to the routing table while
# this vpn is active
# in this case any request for my home network
# are routed through this vpn
route 192.168.1.0 255.255.255.0
```
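As an added example (not from the original post), here is a small Python check that catches the mismatches described above before you start the tunnel: it parses a server and a client config, works out the effective device type the way OpenVPN does (`dev-type` if present, otherwise the prefix of the `dev` name, which is exactly where the OpenBSD `dev tun0` gotcha bites), and compares `comp-lzo` and the `tls-auth` key direction on the two sides. The sample configs are constructed, modelled on the ones above.

```python
# Added example: consistency check for an OpenVPN 2.x server/client config pair.
def parse_ovpn(text):
    """Parse OpenVPN config text into {option: [args]}; text after '#' or ';' is dropped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            opts[line.split()[0]] = line.split()[1:]
    return opts

def effective_dev_type(opts):
    # 'dev-type' wins; otherwise OpenVPN infers tun/tap from the 'dev' name,
    # so 'dev tun0' on OpenBSD is a tun interface unless 'dev-type tap' is set.
    if "dev-type" in opts:
        return opts["dev-type"][0]
    dev = opts.get("dev", [""])[0]
    return dev[:3] if dev[:3] in ("tun", "tap") else None

def check_pair(server_text, client_text):
    """Return the mismatches that would keep this client off this server."""
    srv, cli = parse_ovpn(server_text), parse_ovpn(client_text)
    problems = []
    sdev, cdev = effective_dev_type(srv), effective_dev_type(cli)
    if sdev != cdev:
        problems.append("dev type mismatch: server=%s client=%s" % (sdev, cdev))
    if ("comp-lzo" in srv) != ("comp-lzo" in cli):
        problems.append("comp-lzo must be enabled on both sides or neither")
    sta, cta = srv.get("tls-auth"), cli.get("tls-auth")
    if (sta is None) != (cta is None):
        problems.append("tls-auth must be configured on both sides or neither")
    elif sta and (sta[1:], cta[1:]) not in (([], []), (["0"], ["1"])):
        problems.append("tls-auth key direction must be 0 on server, 1 on client")
    return problems

# Constructed samples modelled on the post's configs: an OpenBSD server that
# omits 'dev-type tap', and the same server with the line added.
SERVER_BAD = """dev tun0
server 192.168.3.0 255.255.255.0
tls-auth /etc/openvpn/mindstab/mindstab-key.txt 0
comp-lzo
"""
SERVER_GOOD = "dev-type tap\n" + SERVER_BAD
CLIENT = """client
dev tap
remote janus.mindstab.net  # resolves to a private address at home
tls-auth /etc/openvpn/mindstab/mindstab-key.txt 1
comp-lzo
"""
```

`check_pair(SERVER_BAD, CLIENT)` reports the tun/tap mismatch; `check_pair(SERVER_GOOD, CLIENT)` returns an empty list.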
And that's about it. A day's work. Really. Follow the first guide, it'll save you a lot of time and problems. The others all just didn't work for me.
Once you're ready, it's just `/etc/init.d/openvpn start` on Gentoo, and `rc-update add openvpn default` if you're confident. For testing, just run `openvpn --config local.conf`.
On OpenBSD, for persistence, add `/usr/local/sbin/openvpn --daemon openvpn --writepid /var/run/openvpn.pid --config /etc/openvpn/mindstab/local.conf` to your `/etc/rc.local`.
Now whether I'm at home or school I can just open my ssh mount and browse Inferno (my desktop) for files.