Sunday, September 05, 2010

OpenVPN behind a firewall with SSH

 Server-side config

##############################
#
# Install Bridging

# bridge-utils provides brctl, which the up.sh/down.sh scripts below use to
# attach the OpenVPN tap device to br0.
sudo apt-get install bridge-utils

###############################
# Modify /etc/network/interfaces
vi /etc/network/interfaces

==========================
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#auto eth0
#iface eth0 inet dhcp

auto br0
iface br0 inet static
     address 192.168.1.64
     #network 192.168.
     netmask 255.255.255.0
     gateway 192.168.1.254
     bridge_ports eth0
     bridge_fd 9
     bridge_hello 2
     bridge_maxage 12
     bridge_stp off


#Bridge setup
#auto br0
#iface br0 inet static
#address 192.168.1.61
#netmask 255.255.255.0
#gateway 192.168.1.254
#bridge_ports eth0
==========================

# Install OpenVPN
# Installs OpenVPN together with the easy-rsa scripts used below (they ship
# under /usr/share/doc/openvpn/examples). Run as root, or prefix with sudo
# as in the bridge-utils step above.
apt-get install openvpn

###############################
#Generate some keys:

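# Copy the easy-rsa 2.0 helper scripts out of the package's doc directory so
# the CA lives under /etc/openvpn. -p makes the step safe to re-run.
mkdir -p /etc/openvpn/easy-rsa
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
# The CA private key and every issued key will be generated under this tree,
# so it is owned by root and not readable by anyone else.
chown -R root:root /etc/openvpn/easy-rsa
chmod 700 /etc/openvpn/easy-rsa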

vi /etc/openvpn/easy-rsa/vars # and edit the following
==========================
# Default subject fields that pkitool puts into the CA, server and client
# certificates built below. The values only need to identify your site.
# NOTE(review): the easy-rsa openssl.cnf limits countryName to exactly two
# characters, so a three-letter value like "Zoo" is likely to be rejected
# by build-ca/pkitool — use a two-letter code; confirm against your openssl.cnf.
export KEY_COUNTRY="Zoo"
export KEY_PROVINCE="Apes"
export KEY_CITY="Monkey Cage"
export KEY_ORG="Baboons"
export KEY_EMAIL="bob@thebaboon.zoo"
==========================

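# Build the CA, the DH parameters and the server certificate.
# vars must be sourced from inside the easy-rsa directory, and only if the
# cd succeeded — otherwise a stray ./vars from the current directory is read.
cd /etc/openvpn/easy-rsa/ && . ./vars
# clean-all wipes the whole keys/ directory: run it once, when creating the CA,
# never when adding clients later.
./clean-all
# Produces dh<KEY_SIZE>.pem (dh1024.pem with the default KEY_SIZE in vars).
# Raise KEY_SIZE to 2048 before this step for stronger parameters and adjust
# the file name in the cp below accordingly.
./build-dh
./pkitool --initca
./pkitool --server server
cd keys || return 1
# Shared tls-auth HMAC key; the same file goes to every client.
openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/
# server.key and ta.key are secrets: make the installed copies root-only.
sudo chmod 600 /etc/openvpn/server.key /etc/openvpn/ta.key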

###############################
#Create the client keys:

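# Issue a certificate for the client host "photon" and hand the files over.
# Source vars only after the cd succeeded (same pattern as the server step).
cd /etc/openvpn/easy-rsa && . ./vars

./pkitool photon

# ca.crt is public; photon.key and ta.key are secrets and are only ever sent
# over scp. The target directory ~/openvpn must already exist on photon.
# Note that a copy of photon.key remains in easy-rsa/keys on the server.
scp /etc/openvpn/ca.crt hakan@photon:~/openvpn
scp /etc/openvpn/easy-rsa/keys/photon.crt hakan@photon:~/openvpn
scp /etc/openvpn/easy-rsa/keys/photon.key hakan@photon:~/openvpn
scp /etc/openvpn/ta.key hakan@photon:~/openvpn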

###############################
#Configure the server:
# Start from the packaged example server configuration, which ships gzipped.
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gunzip /etc/openvpn/server.conf.gz

vi /etc/openvpn/server.conf # and modify the following
==========================
# Listen only on the bridge address configured in /etc/network/interfaces.
local 192.168.1.64
# Bridging needs a tap (Ethernet-level) device, not tun.
dev tap0
# OpenVPN appends its own arguments (<dev> <tun_mtu> ...) after the "br0"
# given here, which is why up.sh reads BR=$1 DEV=$2 MTU=$3.
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
# NOTE(review): OpenVPN 2.1 and later refuse to run external up/down scripts
# unless "script-security 2" is set; it is not shown here — confirm.
;server 10.8.0.0 255.255.255.0
# Server-side VPN endpoint .66; clients are handed LAN addresses .220-.239.
server-bridge 192.168.1.66 255.255.255.0 192.168.1.220 192.168.1.239
# NOTE(review): 192.168.1.254 with a /24 mask is the gateway address from
# /etc/network/interfaces, not a network address; the intended route is
# presumably "route 192.168.1.0 255.255.255.0" — confirm.
push "route 192.168.1.254 255.255.255.0"
push "dhcp-option DNS 192.168.1.254"
push "dhcp-option DOMAIN lan"
# Must match the cipher line in the client config.
cipher AES-256-CBC
# Ping every 3 s; restart the link after 200 s without a reply.
keepalive 3 200
# Key direction 0 here pairs with "tls-auth ta.key 1" on the client.
tls-auth ta.key 0 # This file is secret
# Privileges are dropped after start-up, so the down script runs as nobody and
# its brctl/ifconfig calls may fail with a permission error — NOTE(review):
# confirm; OpenVPN ships a down-root plugin for exactly this case.
user nobody
group nogroup
==========================

vi /etc/openvpn/up.sh
==========================
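#!/bin/sh
# OpenVPN "up" script: attach the freshly created tap device to the bridge.
#
# server.conf calls it as `up "/etc/openvpn/up.sh br0"` and OpenVPN appends
# <dev> <tun_mtu> <link_mtu> ..., so the arguments line up as:
#   $1 bridge name, $2 tap device, $3 MTU chosen by OpenVPN.
# Any failure (including a missing argument) exits non-zero so OpenVPN does
# not carry on with an unbridged tap device.
set -eu

BR=$1
DEV=$2
MTU=$3

# Bring the device up with OpenVPN's MTU, in promiscuous mode, then enslave it.
/sbin/ifconfig "$DEV" mtu "$MTU" promisc up
/usr/sbin/brctl addif "$BR" "$DEV"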
==========================

vi /etc/openvpn/down.sh
==========================
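#!/bin/sh
# OpenVPN "down" script: detach the tap device from the bridge and take it down.
#
# Called as `down "/etc/openvpn/down.sh br0"`, so $1 is the bridge and $2 the
# tap device OpenVPN appends. Missing arguments are an error (-u); there is
# deliberately no -e so the interface is still brought down even if delif
# fails.
# NOTE(review): with "user nobody"/"group nogroup" in server.conf this runs
# after privileges are dropped, so both commands may fail — confirm.
set -u

BR=$1
DEV=$2

/usr/sbin/brctl delif "$BR" "$DEV"
/sbin/ifconfig "$DEV" down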
==========================
Client-side config

# Same package as on the server; only the configuration and key files differ.
sudo apt-get install openvpn
Then, once the server is configured and the client certificate, key and ta.key (copied above into ~/openvpn) have been moved into the /etc/openvpn/ directory, create a client configuration file by copying the example. In a terminal on the client machine enter:

# The example config refers to its cert/key files by bare name, so it is
# placed in /etc/openvpn next to ca.crt, photon.crt, photon.key and ta.key.
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
Edit it and modify the following lines:

# tap to match the server's bridged tap0; a tun client cannot join the bridge.
dev tap
# The SSH port forward below only carries TCP. NOTE(review): the server
# snippet above shows no proto line and the packaged server.conf defaults to
# udp, so make sure the server also has "proto tcp".
proto tcp
remote monkeycage.zoo.com 1194 # replace the host with localhost when connecting through the SSH tunnel below
# Client certificate and key issued with "pkitool photon" on the server.
cert photon.crt
key photon.key
# Key direction 1 pairs with "tls-auth ta.key 0" on the server.
tls-auth ta.key 1
# Must match the server's cipher line.
cipher AES-256-CBC
# NOTE(review): nothing here checks that the peer presents a *server*
# certificate, so any valid client certificate from the same CA could pose as
# the server; add "remote-cert-tls server" (or "ns-cert-type server" on older
# releases) — confirm the server cert was built with "pkitool --server", as above.

# Do not start OpenVPN at boot: the client must not come up before the SSH
# tunnel below exists, so it is started by hand afterwards.
sudo update-rc.d -f openvpn remove
##############################
#
# With SSH
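# Open the tunnel first: local port 1194 is forwarded over SSH to the OpenVPN
# server's bridge address. -f backgrounds ssh only after the forward is set
# up, and "sleep 30" keeps the session alive long enough for the client to
# connect (ssh keeps running while the forwarded connection is in use).
# X11 forwarding (-X) is not needed for a port forward and would give the
# remote host access to the local display, so it is dropped.
# ExitOnForwardFailure makes ssh fail instead of backgrounding when local
# port 1194 is already taken (e.g. a stale tunnel), and the && then keeps
# OpenVPN from being started against a forward that does not exist.
ssh -f -o ExitOnForwardFailure=yes -L 1194:192.168.1.64:1194 monkeycage.zoo.com sleep 30 \
  && sudo /etc/init.d/openvpn start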

