Well, in the name of helping add to the wonderful and useful infrastructure this city is building of unsecured wifi access points, I’ve not been wanting to use WEP or anything. However, I’ve been concerned about the easy access to my network. So I finally popped another ethernet card into Janus, my firewall, and routed the wifi box through that. Voila, segregated wireless. But now my laptop Nika wasn’t on my network and couldn’t share files easily, etc.
So the solution was to create a VPN. I’d been wanting to do this already so I could use it remotely, but now I finally had some really good motivation.
So, to start, I did a pkg_add openvpn on Janus (OpenBSD) and an emerge openvpn on my laptop Nika. Portage notified me that the 2.x series won’t work with the 1.x series that OpenBSD 3.7 has. So I pkg_delete’d that and downloaded and installed a fresh version on Janus from the OpenVPN site. One hitch: I had to ./compile with
Then came the fun of configuring them and using SSL/TLS. Useful references, in vague order, are:
- Official OpenVPN 2.x HowTo
- VPN Guide on Gentoo Wiki
- OpenBSD networking tutorial: Networking, Bridging, and OpenVPN
- OpenVPN 2.x on OpenBSD
A couple of points: while syntax like
worked on Linux, on OpenBSD you needed
dev-type tap
dev tun0
Only the instructions in the official OpenVPN guide, which tell you to use the easy-rsa directory and tools that OpenVPN supplies, worked for generating SSL certs and such without causing connection errors.
Also, when running as a client and using the remote server name.com, you can add the ‘float’ option so that the client will accept packets from IPs other than the one the remote name resolved to (in my case I specify Janus.mindstab.net so it will resolve from anywhere on the internet, but when I’m at home it resolves to a private network address).
OpenBSD bridging is pretty easy:
# cat /etc/bridgename.bridge0
add vr0
add tun0
up
# cat /etc/hostname.tun0
link0 up
Then I added some rules to pf so as to segregate my wireless network and allow the VPN to work.
The relevant parts of my ‘pf.conf’ are below:
ext_if="vr0"
int_if="vr1"
wi_if="xl0"
vpn_if="tun0"

int="192.168.1.0/24"
wi="192.168.2.0/24"
vpn="192.168.3.0/24"
inferno="192.168.1.2/32"

scrub in all

nat on vr0 from $int to any -> (vr0)
nat on vr0 from $wi to any -> (vr0)

# FTP proxy
rdr on $int_if proto tcp from any to $ext_if port 21 -> 127.0.0.1 port 8021
rdr on $wi_if proto tcp from any to $ext_if port 21 -> 127.0.0.1 port 8021
rdr on $vpn_if proto tcp from any to $ext_if port 21 -> 127.0.0.1 port 8021

# VNC
rdr on $ext_if proto tcp from any to (vr0) port 5900 -> $inferno

# BitTorrent
rdr on $ext_if proto tcp from any to (vr0) port 6881 -> $inferno

# for active mode FTP connections
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state

antispoof quick for $int_if inet
antispoof quick for $wi_if inet
antispoof quick for $vpn_if inet

# segregate wireless (making it dmz ish)
block in on $wi_if from any to $int_if
block in on $int_if from any to $wi
block in on $vpn_if from any to $wi

# secure janus
block in on $wi_if from any to 192.168.2.1
pass in on $wi_if proto udp from any to $wi_if port 1194

# don't really need since vpn is working
#pass in on $wi_if proto tcp from any to $wi_if port ssh
#pass in on $wi_if proto udp from any to $wi_if port ssh
...
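To see how pf actually decides on the wireless-segregation and "secure janus" rules above (every rule is evaluated, the last matching rule wins, and a packet nothing matches is passed), here is a small model of that evaluation. It is an added example, not part of the original post or of pf itself; it assumes vr1 holds 192.168.1.1 (the post never states the address), leaves out nat/rdr, scrub, antispoof and quick, and, as on OpenBSD 3.7 where rules keep no state by default, judges a reply packet on its own.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str                  # "block" or "pass"
    iface: str                   # interface the packet arrives on ("in on")
    dst: str                     # destination host or network in CIDR form
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

class Packet(NamedTuple):
    iface: str
    proto: str
    dst: str
    dport: int

INT_IF_ADDR = "192.168.1.1/32"  # assumed address of $int_if (vr1); the post never states it
WI_IF_ADDR = "192.168.2.1/32"   # $wi_if (xl0): the address the post's "secure janus" rule names
WI_NET = "192.168.2.0/24"       # $wi
# The post's "segregate wireless" and "secure janus" rules, in pf.conf order.
RULES = [
    Rule("block", "xl0", INT_IF_ADDR),             # block in on $wi_if from any to $int_if
    Rule("block", "vr1", WI_NET),                  # block in on $int_if from any to $wi
    Rule("block", "tun0", WI_NET),                 # block in on $vpn_if from any to $wi
    Rule("block", "xl0", WI_IF_ADDR),              # block in on $wi_if from any to 192.168.2.1
    Rule("pass", "xl0", WI_IF_ADDR, "udp", 1194),  # pass in on $wi_if proto udp ... port 1194
]

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface == pkt.iface
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))

def verdict(pkt: Packet, rules=RULES) -> str:
    """pf tries every rule in order and the LAST match decides; if nothing
    matches, pf passes the packet.  (quick rules, which stop evaluation
    early, and antispoof are not modelled here.)"""
    result = "pass"
    for rule in rules:
        if matches(rule, pkt):
            result = rule.action
    return result

if __name__ == "__main__":
    # Constructed packets: a wireless client talking to Janus (192.168.2.1) and to Inferno (192.168.1.2).
    print(verdict(Packet("xl0", "udp", "192.168.2.1", 1194)))   # pass: the VPN port is opened by the last rule
    print(verdict(Packet("xl0", "tcp", "192.168.2.1", 22)))     # block: ssh to Janus from wifi stays closed
    print(verdict(Packet("xl0", "tcp", "192.168.1.2", 445)))    # pass: no rule names the wired hosts themselves
    print(verdict(Packet("vr1", "tcp", "192.168.2.50", 51000))) # block: only the reply from the wired side is stopped
```

With no state kept, the segregation therefore rests on blocking the wired side's replies rather than on a block toward $int, which is worth knowing when adjusting these rules.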
My server’s OpenVPN ‘local.conf’:
dev-type tap
dev tun0
server 192.168.3.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/mindstab/ip_pool
mode server
status /var/log/openvpn-status.log
# extra HMAC authentication of the control channel (tls-auth). One of the non official
# tutorials first showed me how to nicely set this up
tls-auth /etc/openvpn/mindstab/mindstab-key.txt 0
keepalive 10 30
client-to-client
#max-clients 150
verb 3
tls-server
dh /etc/openvpn/mindstab/dh1024.pem
ca /etc/openvpn/mindstab/ca.crt
cert /etc/openvpn/mindstab/server.crt
key /etc/openvpn/mindstab/server.key
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
And the laptop client’s OpenVPN ‘local.conf’:
# float allows openvpn to accept packets from
# ips that aren't what the remote line resolves to
float
remote janus.mindstab.net
dev tap
client
resolv-retry infinite
mute-replay-warnings
verb 3
persist-tun
persist-key
tls-auth /etc/openvpn/mindstab/mindstab-key.txt 1
tls-client
ca /etc/openvpn/mindstab/ca.crt
cert /etc/openvpn/mindstab/nika.crt
key /etc/openvpn/mindstab/nika.key
comp-lzo
# adds a route to the routing table while
# this vpn is active
# in this case any request for my home network
# are routed through this vpn
route 192.168.1.0 255.255.255.0
And that’s about it. A day’s work. Really. Follow the first guide; it’ll save you a lot of time and problems. The others all just didn’t work for me.
Once you’re ready, it’s just
/etc/init.d/openvpn start
on Gentoo, and
rc-update add openvpn default
if you’re confident. For testing just run
openvpn --config local.conf
On OpenBSD, for persistence, add
/usr/local/sbin/openvpn --daemon openvpn --writepid /var/run/openvpn.pid --config /etc/openvpn/mindstab/local.conf
to your ‘/etc/rc.local’.
Now whether I’m at home or at school I can just open my ssh mount and browse Inferno (my desktop) for files.