Openvpn
From NMTWiki
How to install OpenVPN on NMT
- The first part describes how to install OpenVPN
- The second part explains how I proceeded to compile the TUN module and OpenVPN
Installation and configuration
Download
Download the binaries (cross-compiled and tested on HDX1000 and PCH). No checksum is published with them, so if you would rather not run a third-party kernel module and VPN binary on trust, the second part of this page shows how to build both yourself:
- TUN module tun.ko http://sopoyo.byethost17.com/public/NMT/tun.ko
- OpenVPN (with SSL/TLS support and LZO compression) http://sopoyo.byethost17.com/public/NMT/openvpn.gz
Install TUN module
Copy tun.ko onto your NMT into the directory /lib/modules/2.6.15-sigma/kernel/drivers/net/
Load the module into the kernel:
insmod -v /lib/modules/2.6.15-sigma/kernel/drivers/net/tun.ko
Check that it loaded:
lsmod
Module                  Size  Used by    Tainted: PF
tun                    10992  1
em8xxx                878848  2
arusb_lnx             393168  0
ide_generic             1248  0
ide_cd                 48384  0
ide_disk               20784  4
tangox_bmide           13024  0
ide_core              127120  4 ide_generic,ide_cd,ide_disk,tangox_bmide
llad                  116128  3 em8xxx
Check the kernel log as well:
dmesg | tail
Adding 506036k swap on /dev/hda2.  Priority:-1 extents:1 across:506036k
ir: Enable NEC decoder (0x00000000)
ir: Enable RC5 decoder (0x80001e00)
ir: Enable RC6 decoder
NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
NFSD: recovery directory /var/lib/nfs/v4recovery doesn't exist
NFSD: starting 90-second grace period
Algorithmics/MIPS FPU Emulator v1.5
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Remark: the module does not survive a reboot, so after each reboot you will need to copy it into /lib/modules/... again and insmod it (the startup script at the end of this page loads it automatically from /share/Apps/openvpn).
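Before copying a kernel module you did not build yourself onto the NMT and running insmod, it is worth checking that it is at least what it claims to be. The script below is an added example (not from this page): it checks that the file is a 32-bit little-endian MIPS ELF object and that its embedded vermagic string starts with the NMT kernel release, 2.6.15-sigma. It uses only POSIX tools (od, tr, sed), so it runs on the workstation, and it applies equally to a tun.ko built in the second part of this page.

```sh
#!/bin/sh
# Added example (not part of the wiki page): sanity-check a third-party
# tun.ko before copying it to the NMT and running insmod. Only POSIX tools
# (od, tr, sed) are used, so this runs on the workstation.
# Assumptions: the NMT kernel is 2.6.15-sigma on 32-bit little-endian MIPS.

# Print the vermagic string embedded in the module's .modinfo section.
module_vermagic() {
    tr -c '[:print:]' '\n' < "$1" | sed -n 's/^vermagic=//p' | head -n 1
}

# Succeed only if the file is a 32-bit little-endian MIPS ELF object.
is_mipsel_elf() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')       # bytes 0-3: 7f 45 4c 46
    class=$(od -An -tx1 -j4 -N1 "$1" | tr -d ' \n')    # EI_CLASS: 01 = ELFCLASS32
    data=$(od -An -tx1 -j5 -N1 "$1" | tr -d ' \n')     # EI_DATA:  01 = little-endian
    mach=$(od -An -tx1 -j18 -N2 "$1" | tr -d ' \n')    # e_machine (LE): 08 00 = EM_MIPS
    [ "$magic" = "7f454c46" ] && [ "$class" = "01" ] &&
    [ "$data" = "01" ] && [ "$mach" = "0800" ]
}

# check_module FILE KERNELRELEASE: refuse anything that is not a MIPS
# module whose vermagic starts with the target kernel's release string.
check_module() {
    if ! is_mipsel_elf "$1"; then
        echo "$1: not a 32-bit little-endian MIPS ELF file" >&2
        return 1
    fi
    vm=$(module_vermagic "$1")
    case "$vm" in
        "$2"|"$2 "*) echo "$1: vermagic '$vm' matches kernel $2"; return 0 ;;
        *)           echo "$1: vermagic '$vm' does not match kernel $2" >&2; return 1 ;;
    esac
}

# Usage on the workstation, before copying the file to the NMT:
#   check_module tun.ko 2.6.15-sigma
```

A vermagic mismatch is exactly what makes insmod fail with "invalid module format" on the NMT, and the architecture check catches a module built for the wrong CPU before it ever reaches the box; neither check says anything about what the module does, so they complement, not replace, building it yourself.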
Install OpenVPN
I installed the OpenVPN binary and its configuration file under /share/Apps/openvpn:
/share/Apps/openvpn/bin/openvpn
/share/Apps/openvpn/etc/server.conf
To set up the OpenVPN configuration and generate the certificates, follow any OpenVPN tutorial, such as http://howto.landure.fr/gnu-linux/debian-4-0-etch-en/install-and-setup-openvpn-on-debian-4-0-etch
A French reference as well: http://www.coagul.org/article.php3?id_article=422
My NMT has IP 192.168.0.5 on my LAN, and I decided to use 10.20.30.x for my VPN.
So my OpenVPN configuration file on the NMT (server.conf) looks like:
port 443
proto tcp
dev tun
ca ca.crt
cert hdxVPN.crt
key hdxVPN.key  # This file should be kept secret
dh dh1024.pem
server 10.20.30.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
A few remarks on this configuration. The relative file names (ca, cert, key, dh, ipp.txt, the status log) are resolved from the directory given with --cd, so start OpenVPN with --cd pointing at the directory that holds them. The 1024-bit DH parameters used here, and the 1024-bit RSA keys that the easy-rsa defaults further down produce (KEY_SIZE=1024), are below current minimum recommendations; use 2048 bits if you generate your own. client-to-client lets every VPN client reach every other one directly, and push "route ..." gives each client a route to your whole LAN, so only issue certificates to clients you trust with LAN access.
To start OpenVPN on the NMT, run for instance:
/share/Apps/openvpn/bin/openvpn --writepid /var/run/openvpn.server.pid --daemon ovpn-server --cd /share/Apps/openvpn/etc --config /share/Apps/openvpn/etc/server.conf
Check that a virtual TUN interface has been created:
ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.20.30.1  P-t-P:10.20.30.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:6853 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13577 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:500293 (488.5 KiB)  TX bytes:8059310 (7.6 MiB)
And you can ping it:
ping 10.20.30.1
PING 10.20.30.1 (10.20.30.1): 56 data bytes
64 bytes from 10.20.30.1: seq=0 ttl=64 time=0.6 ms
And to stop it:
kill `cat /var/run/openvpn.server.pid`
rm /var/run/openvpn.server.pid /var/run/openvpn.server.status
You can stop here.
The next part explains how I compiled the TUN module and OpenVPN.
Compilation process
Pre-requisites
This howto assumes an Ubuntu Linux workstation.
- Install Lundman's toolchain here
- Download Syabas' Linux kernel here
- Set your environment for cross-compilation:
TOOLCHAIN=/usr/local/mips
export PATH=${TOOLCHAIN}/bin:${PATH}
export CC=${TOOLCHAIN}/bin/mipsel-linux-uclibc-gcc
export LDFLAGS=-L/usr/mipsel-linux-uclibc/lib
export CPPFLAGS=-I/usr/mipsel-linux-uclibc/include
export CPP=${TOOLCHAIN}/bin/mipsel-linux-uclibc-cpp
export CROSS_COMPILE=mipsel-linux-uclibc-
export ARCH=mips
Compile TUN module
Uncompress the Linux kernel archive in a working directory (on my workstation it is /work/mips/linux-2.6.15/).
Add to the top-level Makefile (so that the module's vermagic matches the running kernel, 2.6.15-sigma):
EXTRAVERSION = -sigma
Comment out line 358 of the Makefile (it includes a kconfig file that does not exist):
#include $(RUA_DIR)/../../syabas/customer/$(customer)/kconfig
Generate .config:
make menuconfig
Select option -> Device Drivers -> Network device support -> Universal TUN/TAP device driver support
<M> Universal TUN/TAP device driver support
Edit the .config file that has just been generated and replace:
CONFIG_INITRAMFS_SOURCE="$(SMP86XX_ROOTFS_PATH)/build_mipsel/root"
CONFIG_INITRAMFS_ROOT_UID=504
CONFIG_INITRAMFS_ROOT_GID=500
with:
CONFIG_INITRAMFS_SOURCE=""
Modify the following 3 Makefiles, replacing mipsel-linux- with mipsel-linux-uclibc-:
./arch/mips/Makefile
32bit-tool-prefix = mipsel-linux-uclibc-
./arch/mips/tangox/fctrl/lib/Makefile
CROSS = mipsel-linux-uclibc-
./arch/mips/tangox/fctrl/lib/fc/Makefile
CROSS = mipsel-linux-uclibc-
Generate modules:
make modules
TUN module should be generated in ./drivers/net/tun.ko
Compile OpenVPN
How to compile OpenVPN with SSL/TLS support and LZO compression.
Set up the environment for cross-compilation:
TOOLCHAIN=/usr/local/mips
export PATH=${TOOLCHAIN}/bin:${PATH}
export CC=${TOOLCHAIN}/bin/mipsel-linux-uclibc-gcc
export LDFLAGS=-L/usr/mipsel-linux-uclibc/lib
export CPPFLAGS=-I/usr/mipsel-linux-uclibc/include
export CPP=${TOOLCHAIN}/bin/mipsel-linux-uclibc-cpp
export CROSS_COMPILE=mipsel-linux-uclibc-
export ARCH=mips
lzo
Download lzo, version 2.02 (http://www.oberhumer.com/opensource/lzo/download/lzo-2.02.tar.gz)
Note: I couldn't cross-compile the latest stable version, so I used version 2.02.
./configure --prefix=/usr/local/mips/ --host=mipsel-linux-uclibc
make
make install
OpenSSL
Download the latest OpenSSL toolkit, at the time of writing version 0.9.8k (http://www.openssl.org/source/openssl-0.9.8k.tar.gz)
Download the following required patches for MIPS environment (for more explanations, refer to Community Driven BLFS for cross compilation details on OpenSSL at http://cblfs.cross-lfs.org/index.php/OpenSSL)
- http://svn.cross-lfs.org/svn/repos/patches/openssl/openssl-0.9.8k-fix_manpages-1.patch
- http://svn.cross-lfs.org/svn/repos/patches/openssl/openssl-0.9.8k-build_fix-1.patch
- http://svn.cross-lfs.org/svn/repos/patches/openssl/openssl-0.9.8k-mips_support-1.patch
Patch OpenSSL for the MIPS environment (32-bit, little-endian):
patch -Np1 -i ../openssl-0.9.8k-fix_manpages-1.patch
patch -Np1 -i ../openssl-0.9.8k-build_fix-1.patch
patch -Np1 -i ../openssl-0.9.8k-mips_support-1.patch
Then configure and build as follows:
./Configure linux-mipsel --prefix=/usr/local/mips
make
make install
OpenVPN
Download the latest stable version of OpenVPN, at the time of writing 2.0.9 (http://openvpn.net/release/openvpn-2.0.9.tar.gz). Be aware that the OpenVPN 2.0.x series and OpenSSL 0.9.8 are long out of support and receive no security fixes, so if you rebuild today, try a current release first.
Then cross-compile it against the lzo and OpenSSL libraries and headers built previously and installed in /usr/local/mips, as follows:
./configure --host=mipsel-linux-uclibc --prefix=/usr/local/mips --with-lzo-headers=/usr/local/mips/include/ --with-lzo-lib=/usr/local/mips/lib/ --with-ssl-headers=/usr/local/mips/include/ --with-ssl-lib=/usr/local/mips/lib/
make
make install
That's all.
How to create the keys if you don't have the OpenSSL library
When I tried to follow this setup (thanks sopoyo for your marvelous work), it appeared I was not able to create the certificates because I hadn't set up the OpenSSL libraries on my HDX.
Thus you have 2 ways to do it:
1 Install OpenSSL on your HDX
2 Use another, simpler way: create all the needed certificates on a Windows platform
As my laptop was to be my OpenVPN client, it was simpler for me to generate the certificates on my PC.
Install OpenVPN on your PC
Download it from the official web site:
I downloaded the 2.0.9 version, which is OK for me.
Just follow the wizard; here are the files you should have once done:
12/11/2008  22:52    <DIR>          .
12/11/2008  22:52    <DIR>          ..
12/11/2008  22:52                63 OpenVPN Windows Notes.url
12/11/2008  22:52                53 OpenVPN Manual Page.url
12/11/2008  22:52                55 OpenVPN HOWTO.url
12/11/2008  22:52                45 OpenVPN Web Site.url
12/11/2008  22:52               527 Uninstall OpenVPN.lnk
12/11/2008  22:52               641 Add a new TAP-Win32 virtual ethernet adapter.lnk
12/11/2008  22:52               658 Delete ALL TAP-Win32 virtual ethernet adapters.lnk
12/11/2008  22:52               557 OpenVPN configuration file directory.lnk
12/11/2008  22:52               538 OpenVPN log file directory.lnk
12/11/2008  22:52               594 OpenVPN Sample Configuration Files.lnk
12/11/2008  22:52             1,672 Generate a static OpenVPN key.lnk
              11 File(s)          5,403 bytes
               2 Dir(s)  29,150,347,264 bytes free
Install the graphical user interface:
I downloaded the 2.0.9 version, which is OK for me.
Just follow the wizard; here are the files you should have once done:
2/11/2008  22:57               632 OpenVPN Win32 README.lnk
2/11/2008  22:57               682 OpenVPN GUI.lnk
2/11/2008  22:57               657 OpenVPN GUI ReadMe.lnk
Run the init file:
C:\Program Files\OpenVPN\easy-rsa>init-config
C:\Program Files\OpenVPN\easy-rsa>copy vars.bat.sample vars.bat
        1 file(s) copied.
C:\Program Files\OpenVPN\easy-rsa>copy openssl.cnf.sample openssl.cnf
        1 file(s) copied.
The vars.bat file is to be edited if you want to set non-default options. In this install everything was left at the defaults.
Prepare the setup:
Load the variables:
C:\Program Files\OpenVPN\easy-rsa>vars
Check:
C:\Program Files\OpenVPN\easy-rsa>set k
KEY_CITY=SanFrancisco
KEY_CONFIG=openssl.cnf
KEY_COUNTRY=US
KEY_DIR=keys
KEY_EMAIL=mail@host.domain
KEY_ORG=FortFunston
KEY_PROVINCE=CA
KEY_SIZE=1024
Note the default KEY_SIZE=1024: 1024-bit RSA keys are below current minimum recommendations, so set KEY_SIZE=2048 in vars.bat (and run vars again) before generating anything if you want keys of an acceptable size.
C:\Program Files\OpenVPN\easy-rsa>clean-all
The system cannot find the file specified.
        1 file(s) copied.
        1 file(s) copied.
The directory $HOME\easy-rsa\keys (here C:\Program Files\OpenVPN\easy-rsa\keys) is created.
Build the CA (certificate authority)
C:\Program Files\OpenVPN\easy-rsa>build-ca
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.........++++++
.............................++++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [FortFunston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address [mail@host.domain]:
$HOME\easy-rsa\keys\ca.crt and ca.key are created.
Build the server key
C:\Program Files\OpenVPN\easy-rsa>build-key-server ServerVPN
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
............................++++++
...++++++
writing new private key to 'keys\ServerVPN.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [FortFunston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ServerVPN
Email Address [mail@host.domain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'FortFunston'
commonName            :PRINTABLE:'ServerVPN'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Nov 10 22:15:27 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Note: if no Common Name is entered, the .pem file and the index entry are not created, so the certificate is not signed.
What is done in $HOME\easy-rsa\keys:
1 The .key, .csr and .crt files are created
2 The certificate is signed:
##.pem is created (incremental number)
index.txt is updated
index.txt.attr is updated
serial is updated
Build the client key
C:\Program Files\OpenVPN\easy-rsa>build-key clienttaf
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..........................................................++++++
.................++++++
writing new private key to 'keys\clienttaf.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [FortFunston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:clienttaf
Email Address [mail@host.domain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'FortFunston'
commonName            :PRINTABLE:'clienttaf'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Nov 10 22:21:06 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Build the Diffie-Hellman parameters
Creation of the dh1024.pem file (in the $HOME\easy-rsa\keys directory):
C:\Program Files\OpenVPN\easy-rsa>build-dh
Loading 'screen' into random state - done
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.......................................................................+...........+.....+....++*++*++*
Check:
C:\Program Files\OpenVPN\easy-rsa\keys>dir /p
12/11/2008  23:10               887 ca.key
12/11/2008  23:10             1,139 ca.crt
12/11/2008  23:15               887 ServerVPN.key
12/11/2008  23:15               680 ServerVPN.csr
12/11/2008  23:15             3,541 ServerVPN.crt
12/11/2008  23:15             3,541 01.pem
12/11/2008  23:21               891 clienttaf.key
12/11/2008  23:21               680 clienttaf.csr
12/11/2008  23:21             3,438 clienttaf.crt
12/11/2008  23:21                 3 serial
12/11/2008  23:21                21 index.txt.attr
12/11/2008  23:21             3,438 02.pem
12/11/2008  23:21               194 index.txt
12/11/2008  23:25               245 dh1024.pem
Finalise the configuration
Now you have to finalise the configuration files (set the public IP and the certificate and key file names). I did the following to have it work properly:
Files moved from the "keys" directory to the "bin" directory on the VPN server:
dh1024.pem
ServerVPN.crt
ServerVPN.key
ca.crt
Files moved from the "keys" directory to the "clienttaf" directory on the VPN server:
clienttaf.key
clienttaf.crt
ca.crt (this one is copied to both the "bin" and the "clienttaf" directories)
clienttaf.ovpn
Only the files listed above need to leave the keys directory: ca.key must stay on the machine that signs certificates (here the Windows PC) and should never be copied to the NMT, and a client's .key is only needed on that client, so remove the clienttaf copy from the server once the client has it.
You have to make sure the configuration files match your physical setup. You will also probably have to set up NAT (a port forward for TCP 443) on your ADSL router.
Just start up your VPN on your HDX, and enjoy.
Note: I didn't succeed in running the OpenVPN client and server on the same subnet, so for testing you have to set up your client as if you were outside.
Automatic OpenVPN startup/stop
I updated my crontab as follows:
0 8-10/2 * * 1-4 /share/Apps/TooKeep/Scripts/openvpn.sh start
# hours run 0-23 in cron, so 0-23/2 = every even hour (0-24/2 would be rejected by a strict crond)
0 0-23/2 * * 5-6,0 /share/Apps/TooKeep/Scripts/openvpn.sh stop
I created a script for HDX startup, /share/Apps/TooKeep/BootScripts/S99rootsebacool:
#!/bin/sh
Cron=/share/Apps/TooKeep/BootScripts/Cron_temp
# ll alias for root (sh, so .profile)
echo "alias ll=\"ls -al\"" >> /root/.profile
# Crontab update: add the openvpn.sh entry if it is not there yet, then reload the crontab
crontab -l > $Cron 2>/dev/null
grep "/share/Apps/TooKeep/Scripts/openvpn.sh" $Cron >/dev/null 2>&1
[ "$?" = "0" ] || echo "0 8-14/2 * * 1-5 /share/Apps/TooKeep/Scripts/openvpn.sh start" >> $Cron
crontab $Cron
I added this boot script to the HDX auto-start file start_app.sh:
/share/Apps/TooKeep/BootScripts/S99rootsco
The /share/Apps/TooKeep/Scripts/openvpn.sh script is below. It decides whether the server is running by testing for the tun0 interface (PS is 0 when tun0 exists):
#!/bin/sh
# /share/Apps/TooKeep/Scripts/openvpn.sh: start, stop or query the OpenVPN server on the NMT
Run=$1
PATH=/share/Apps/Telnetd/bin:/share/bin:/share/Apps/AppInit:$PATH
HOME=/share
export TERM="xterm"
if [ "$1" = "" ]
then
    echo "Usage $0 start|stop|status"
    exit 0
fi
echo "--------> $0 $1 `date`"
# PS is 0 when the tun0 interface exists, i.e. when the server is running
/sbin/ifconfig tun0 >/dev/null 2>&1
PS="$?"
case $Run in
"start")
    echo start
    if [ "$PS" = "0" ]
    then echo "openvpn is already running, exit"
        exit 0
    fi
    cd /share/Apps/openvpn
    # load the TUN module if it is not in the kernel yet (tun.ko is kept in /share/Apps/openvpn)
    /sbin/lsmod|grep -w tun >/dev/null 2>&1
    [ "$?" = "0" ] || /sbin/insmod ./tun.ko
    cd bin
    # no --cd is given, so the relative file names in server.conf (ca, cert, key, dh) are resolved from this bin directory
    ./openvpn --writepid /var/run/openvpn.server.pid --daemon ovpn-server --config /share/Apps/openvpn/etc/server.conf
    sleep 5
    /sbin/ifconfig tun0
    ;;
"stop")
    echo stop
    if [ "$PS" = "0" ]
    then
        if [ -f "/var/run/openvpn.server.pid" ]
        then echo "Stopping openvpn server"
            kill `cat /var/run/openvpn.server.pid`
            rm /var/run/openvpn.server.pid
        fi
    else echo "openvpn server already stopped, exit"
        exit 0
    fi
    sleep 5
    /sbin/ifconfig tun0 >/dev/null 2>&1
    if [ "$?" = "0" ]
    then /sbin/ifconfig tun0
        echo "error stopping tunnel"
    else echo "tun0 dismounted"
    fi
    ;;
"status")
    if [ "$PS" = "0" ]
    then echo "openvpn is running"
    else echo "openvpn is not running"
    fi
    ;;
esac
exit 0
Example
Your PC's IP is 10.12.123.15
Your public IP address is 87.122.202.12
Your internal subnet is 192.168.200.0/24
Your HDX's internal IP is 192.168.200.1
Your HDX's OpenVPN IP is 10.121.100.1
Your PC's OpenVPN IP is 10.121.100.2
You have to NAT (port-forward) TCP port 443 to your HDX's internal IP (192.168.200.1).
So a VPN request from outside to port 443 will be redirected to your internal HDX IP. Once the credentials are accepted, your PC will have a second IP: 10.121.100.2.
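The client-side file (clienttaf.ovpn above) is never shown on this page. The configuration below is an added illustration, not taken from the wiki: it matches the server.conf above (TCP, port 443, comp-lzo) and uses the addresses of this example and the file names produced by the Windows easy-rsa steps. With the Windows OpenVPN GUI it goes in the config directory (C:\Program Files\OpenVPN\config) next to ca.crt, clienttaf.crt and clienttaf.key. ns-cert-type server makes the client refuse a peer whose certificate is not marked as a server certificate (build-key-server sets that nsCertType extension, plain build-key does not), so another client holding a certificate from the same CA cannot pose as the NMT. The note above about testing from outside is consistent with this setup: a client that is itself on 192.168.200.0/24 receives a pushed route for its own LAN subnet, which collides with its local route.

```conf
# clienttaf.ovpn - added example; adjust names and addresses to your setup
client
dev tun
proto tcp
# public IP of the ADSL router; TCP 443 is forwarded to the HDX (192.168.200.1)
remote 87.122.202.12 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert clienttaf.crt
key clienttaf.key
# reject a peer whose certificate lacks nsCertType=server
ns-cert-type server
# must match the server: comp-lzo is set in server.conf
comp-lzo
verb 3
```

Once connected, the client should have 10.121.100.2 on its TAP-Win32 adapter and a route to 192.168.200.0/24 through it, which is what the push "route ..." line in server.conf hands out.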
