A good buddy of mine, Trevor, had mentioned wanting to bridge his Brother‘s and his networks. Having done an OpenVPN install many moons ago it had resonated with the “I need to do that again” list in my head. When the N900 arrived it seemed like the perfect opportunity to have the n900 use a VPN tunnel to secure traffic while on open AP. Here is my config:
The first step was to get a current version of OpenVPN installed on the Ubuntu 9.10 server. I decided to go with the bridge setup rather than a routed so that I could play more easily with my VMware clusters at the house and the lab with my BeOS and OpenBSD boxes.
sudo apt-get install openvpn bridge-utils
Next I setup a bridged adapter to use on the Ubuntu 9.10 box that would give me transparent access. Open the /etc/network/interfaces file in vi
auto lo br0
iface lo inet loopbackiface br0 inet static
address 172.16.1.102
network 172.16.1.0
broadcast 172.16.1.255
netmask 255.255.255.0
gateway 172.16.1.1
bridge_ports eth0
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp offiface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down
Afterward you need to restart the network interfaces
sudo /etc/init.d/networking restart
Since I was using the desktop edition of Ubuntu rather than Server (this machine was a pseudo desktop for a little bit) I had to enable ip forwarding by editing /etc/sysctl.conf with vi and adding
net.ipv4.ip_forward=1
Next few steps are to setup the CA you need for certificate generation. Easy-rsa is pretty sweet for quick and dirty CA for these type of things. You can also use the openvpn tools to do static keys, but where is the fun in that?
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo vi /etc/openvpn/easy-rsa/vars
Change these lines at the bottom so that they reflect your new CA.
export KEY_COUNTRY=”US”
export KEY_PROVINCE=”VA”
export KEY_CITY=”Alexandria”
export KEY_ORG=”oneguynick”
export KEY_EMAIL=”nick@notlikelytopostinanopenwebsite.com”
Now to generate your root
cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
sudo chown -R root:admin . ## make this directory writable by the system administrators
sudo chmod g+w . ## make this directory writable by the system administrators
source ./vars ## execute your new vars file
./clean-all ## Setup the easy-rsa directory (Deletes all keys)
./build-dh ## takes a while consider backgrounding
./pkitool –initca ## creates ca cert and key
./pkitool –server server ## creates a server cert and key
cd keys
openvpn –genkey –secret ta.key ## Build a TLS key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../
These next two up/down scripts setup the bridge when the server starts. This is the magic in not having to perform the routing you used to be required to do in OpenVPN1
sudo vi /etc/openvpn/up.sh
This script should contain the following
#!/bin/sh
BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV
Now, we’ll create a “down” script.
sudo vi /etc/openvpn/down.sh
It should contain the following.
#!/bin/sh
BR=$1
DEV=$2
/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down
Now, make both scripts executable.
sudo chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh
Below is my example /etc/openvpn/server.conf Customize as you see fit
mode server
tls-serverlocal 172.16.1.102
port 443 ## i am running on 443 rather than the default for firewall bypassing
proto udp#bridging directive
dev tap0
up “/etc/openvpn/up.sh br0″
down “/etc/openvpn/down.sh br0″persist-key
persist-tun#certs
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0#cipher and compression
cipher BF-CBC # Blowfish (default)
comp-lzo#DHCP
ifconfig-pool-persist ipp.txt
server-bridge 172.16.1.102 255.255.255.0 172.16.1.50 172.16.1.60
push “dhcp-option DNS 172.16.1.1″
push “dhcp-option DOMAIN geekyschmidt.com”
max-clients 10#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3
Afterward restart the OpenVPN Server
sudo /etc/init.d/openvpn restart
Now it is time to generate your client certs that you will need to copy to each device. I use n900 as the name here, but you can replace with whatever you wish. I try to keep names and machines close for my poor memory
cd /etc/openvpn/easy-rsa/
source ./vars
./pkitool n900
You will be left with a few files in your /etc/openvpn/easy-rsa/keys directory you need to copy to the device. In my case I copied them to the MyDocs/openvpn area of my N900 to be sure the applet could see them. Most linux machines store them in /etc/openvpn. The list of files to copy is below. Keep in mind that mine are named n900 due to the above pkitool n900 command.
- ca.crt
- ta.key
- n900.key
- n900.crt
Once those are on the machine you need to generate a config file. Here is mine from the n900.
### Client configuration file for OpenVPN
# Specify that this is a client
client# Bridge device setting
dev tap# Host name and port for the server (default port is 1194)
# note: replace with the correct values your server set up
remote notlikelytopostinanopenwebsite.com 443# Client does not need to bind to a specific local port
nobind# Keep trying to resolve the host name of OpenVPN server.
## The windows GUI seems to dislike the following rule.
##You may need to comment it out.
resolv-retry infinite# Preserve state across restarts
persist-key
persist-tun# SSL/TLS parameters – files created previously
ca ca.crt
cert n900.crt
key n900.key# Since we specified the tls-auth for server, we need it for the client
# note: 0 = server, 1 = client
tls-auth ta.key 1# Specify same cipher as server
cipher BF-CBC# Use compression
comp-lzo# Log verbosity (to help if there are problems)
verb 3
On the n900 you will need to install from extras-testing the openvpn packages
sudo gainroot
apt-get install openvpn openvpn-applet
Thats it! Click in your status bar with the n900 and import the config file stored in MyDocs/openvpn from earlier. It will import the keys into the correct locations and allow you to test the connection.
