
OpenVPN, we unite home networks

This article focuses on joining several home LANs so that their network resources are transparently shared over a VPN. OpenVPN is used as the VPN implementation. The OpenVPN clients and server are installed on the home network routers, in this particular case routers of the ASUS WL500 family, but this guide applies just as well to other routers where you have access to the OS and can install openvpn.

Although such guides are a dime a dozen on the Internet, they are mostly written for administrators with extensive *nix experience, whereas home router users are mostly not hackers but ordinary people who may be seeing a Linux command line for the first time on the router itself. I will try to write so that it is clear to everyone.

For those who do not like a wall of text, here is a picture showing what is going on, so that the rest under the cut makes sense.


So, let us formalize the task once more. We have several networks, each accessing the Internet through its own router, and we need to give each network access to the others' resources through an encrypted tunnel over the Internet.

What is needed there


  1. Routers of the ASUS WL500 family
  2. It is highly desirable to equip the routers with USB flash drives, since the router has very little flash and RAM. Absolutely any drive will do, except for really old junk of less than 9Mb. Isn't that a great excuse to treat yourself to a new flash drive? :)
  3. At least one of the routers must reach the Internet with a real (public) IP address, or all routers must be in the same segment of the provider's local network.
  4. The networks behind the routers must have different address ranges.
  5. A little time and brainpower


The routers will need to be configured together, so it is desirable to have access to all of them at the same time. Running from one apartment to another is not very convenient, so you can either open access from the Internet to the computers behind the routers (as I did), or simply gather the routers in one apartment and connect the client routers to the server there; then, for regular operation at their final locations, only the address of the openvpn server will need to be changed.

Theory



Let us briefly consider how the system will work. The network consists of a server (in the figure, this is the Mars router) and the Earth and Mercury clients. The server provides the virtual network, encrypts the traffic and routes packets from one network to another.

The server's operation is shown in more detail in the next figure (the figure is very schematic, meant only for general understanding, and does not reflect actual program components). In client mode openvpn works the same way, but does not perform routing.



So, we have a network with the address range 192.168.1.1-192.168.1.255 behind the first router (Mars) and one with the range 192.168.2.1-192.168.2.255 behind the Earth router. OpenVPN creates a special virtual network interface, tun0; packets that arrive there are encrypted and sent to the server (locally on the server itself, over the Internet from a client), where they are decrypted and sent through the appropriate tunnels to the addressee.

As an example, consider the path of a packet from the Phobos computer to the Moon computer. A packet from Phobos is sent to its default gateway, Mars, where the routing table says it must go into the tun0 tunnel. There it reaches openvpn, which already knows that packets for the network containing Moon must be sent through the tunnel to Earth. Having arrived on Earth, the packet is delivered to Moon, which is connected to that local network.

Practice


We flash the routers with Oleg's firmware and install ipkg. I think many wl500 users know this procedure. It is described in great detail here: http://wl500g.info/showthread.php?t=3171. We need steps 1-4 (the actual flashing) and step 7 (installing additional packages).

Once everything is ready, we install the packages with the command ipkg install <package name>


While the packages are installing, let us take a short break from Linux and generate the keys for the VPN connection. How to do this under Windows (Linux users, I think, are already on topic :)) has already been covered in detail on Habr, so there is no point repeating it. I will only add that ca.key should be moved somewhere far away, for example written to a spare USB flash drive, and that flash drive put in a chest under 33 locks, since anyone who has ca.crt and ca.key can easily connect to your home network, which is clearly not part of our plans.

With the certificates at hand, they need to be placed on the router that will be the server. Since these are ordinary text files, you can simply paste them into a text editor on the router.
Connect to the router via telnet, for example:

C:\> telnet 192.168.1.1

Further:

$ vim /opt/etc/openvpn/keys/ca.crt
Then press i (insert mode) and paste the contents of the ca.crt file. Do the same with the dh2048.pem, mars.crt and mars.key files.

After that, you need to create the openvpn configuration file; the bundled one can be discarded and the following inserted:

$ rm /opt/etc/openvpn/openvpn.conf
$ vim /opt/etc/openvpn/openvpn.conf

dev tun

tls-server
server 192.168.255.0 255.255.255.0
ifconfig 192.168.255.1 192.168.255.2

client-config-dir ccd

route 192.168.255.0 255.255.255.0 #IP Range of VPN
route 192.168.2.0 255.255.255.0 #IP Range of Earth

push "route 192.168.1.0 255.255.255.0"
#Say to clients that Mars has 192.168.1.0/24 LAN

#keys

dh /opt/etc/openvpn/keys/dh2048.pem
ca /opt/etc/openvpn/keys/ca.crt
cert /opt/etc/openvpn/keys/mars.crt
key /opt/etc/openvpn/keys/mars.key

#Do not change unless you know what you are doing

client-to-client

port 1194
proto udp

user nobody
group nobody

comp-lzo
persist-tun
persist-key
verb 3

log-append /opt/var/log/openvpn/openvpn.log
status /opt/var/log/openvpn/status.log

keepalive 10 60


Create the directory that will hold the per-client configuration:

$ mkdir /opt/etc/openvpn/ccd/

In this directory you must create a file for each client behind which there is a network to be joined. In our case this is the Earth client, so we create the file Earth (the file name must match the name in the client's certificate, here Earth.crt).

$ vim /opt/etc/openvpn/ccd/Earth

It will contain a single line:
iroute 192.168.2.0 255.255.255.0


This line tells openvpn that packets for the 192.168.2.0/24 network are to be sent to this client.
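A classic mistake in this setup is a "route" for a client LAN in the server config with no matching "iroute" in any ccd file (or the reverse), which leaves packets for that LAN stuck at the server. The following script is an added example, not the article's code: it compares the two and reports mismatches, skipping the VPN's own subnet from the "server" line. It constructs its own sample Mars/Earth configuration in a temporary directory; the Venus network it adds is an invented misconfiguration used to show the check firing.

```shell
#!/bin/sh
# Added example, not the article's code. check_iroutes CONF CCD_DIR compares the
# "route NET MASK" lines of an OpenVPN server config with the "iroute NET MASK"
# lines found in the client-config-dir. The tunnel's own subnet (from the "server"
# line) is skipped, because it needs no iroute. Prints one line per mismatch and
# returns 1 if any were found, 0 otherwise.
check_iroutes() {
    conf="$1"; ccd="$2"; bad=0
    vpn_net=$(awk '$1=="server" {print $2; exit}' "$conf")
    # networks the server sends into tun0, minus the VPN subnet itself
    routes=$(awk -v v="$vpn_net" '$1=="route" && $2!=v {print $2"/"$3}' "$conf")
    # networks that some client claims via iroute (empty if the ccd dir is empty)
    iroutes=$(awk '$1=="iroute" {print $2"/"$3}' "$ccd"/* 2>/dev/null || true)
    for r in $routes; do
        echo "$iroutes" | grep -qxF "$r" || { echo "route $r has no iroute in any ccd file"; bad=1; }
    done
    for i in $iroutes; do
        echo "$routes" | grep -qxF "$i" || { echo "iroute $i has no matching route in $conf"; bad=1; }
    done
    return $bad
}

# Constructed sample mirroring the article's server config and ccd/Earth file.
# With "broken" as the second argument, a route for an invented Venus LAN is added
# without a ccd file for it, which is exactly the mistake the check is meant to catch.
make_sample() {
    dir="$1"
    mkdir -p "$dir/ccd"
    cat > "$dir/openvpn.conf" <<EOF
server 192.168.255.0 255.255.255.0
client-config-dir ccd
route 192.168.255.0 255.255.255.0 #IP Range of VPN
route 192.168.2.0 255.255.255.0 #IP Range of Earth
EOF
    echo "iroute 192.168.2.0 255.255.255.0" > "$dir/ccd/Earth"
    if [ "$2" = "broken" ]; then
        echo "route 192.168.3.0 255.255.255.0 #IP Range of Venus (no ccd file!)" >> "$dir/openvpn.conf"
    fi
}

d=$(mktemp -d)
make_sample "$d" broken
check_iroutes "$d/openvpn.conf" "$d/ccd" || echo "fix the ccd directory before starting openvpn"
rm -rf "$d"
```

On the real router you would run check_iroutes /opt/etc/openvpn/openvpn.conf /opt/etc/openvpn/ccd before starting the server.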

So, before starting openvpn, all that remains is to fix the startup script /opt/etc/init.d/S20openvpn and remove the line return 0 from it.

That's it, we start openvpn:

/opt/etc/init.d/S20openvpn

If everything is OK, the output of netstat -ul | grep 1194 should show the line
udp 0 0 *:1194 *:*

and an entry about the successful start of the server appears in the /opt/var/log/openvpn/openvpn.log file.

So, the server is running; now packets must be allowed through the firewall.
To do this:
$iptables -I INPUT -p udp --dport 1194 -j ACCEPT
$iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
$iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
$iptables -I INPUT -i tun0 -p tcp --dport 80 -j ACCEPT


For the rules to be applied every time, they need to be added to the /usr/local/sbin/post-firewall file, and the line /opt/etc/init.d/S20openvpn should be added to post-mount so that the server starts each time the router boots ($ denotes the shell prompt; do not put it in the files!).

(Did you remember to save the changes to flashfs?)

At this point the server setup is almost complete. The only remaining issue: if the server has a dynamic IP, you need to make sure the clients know what IP the server currently has. For this there is DDNS, that is, dynamic DNS. ASUS has built-in support for some DDNS providers, but not all of them, mine included. So I wrote a simple script that updates the DNS record if the router's IP has changed:
#!/bin/sh
# update_ip.sh: publish the router's WAN address to DDNS when it changes (run from cron)
IFACE="ppp0"              # WAN interface
TMPFILE="/tmp/oldip.txt"  # remembers the last address that was published

# Do nothing if the WAN interface is down
/sbin/ifconfig $IFACE > /dev/null 2>&1
if [ "$?" -ne "0" ]
then
    logger "update_ip.sh: Interface $IFACE is down, exiting..."
    exit 1
fi

# Current IPv4 address of the interface
new=`/sbin/ifconfig $IFACE|grep inet\ addr|sed -e 's/.*\ addr:\([0-9\.]*\).*/\1/'`

# Previously published address, if any
if [ -f $TMPFILE ]
then
    old=`cat $TMPFILE`
else
    touch $TMPFILE
    old=" "
fi

# Only contact the DDNS provider when the address has actually changed.
# Note: --no-check-certificate disables verification of the provider's TLS certificate,
# so the request (and the password in it) is not protected against an impostor server.
if [ "$new" != "$old" ]
then
    /opt/bin/wget --no-check-certificate "https://dynamicdns.park-your-domain.com/update?host=mars&domain=yourdomain&password=PASSWORD" > /dev/null 2>&1
    logger "update_ip.sh: New ip $new detected"
    echo $new > $TMPFILE
fi



How to install and configure cron is described in great detail here: wl500g.info/showpost.php?p=52524&postcount=1

Now on to the client. The client installation is exactly the same as the server's; the only differences are that the client keys are copied over (we will need ca.crt, Earth.crt, Earth.key) and the config file is different. Do not forget to fix the startup script.

Client config; in the remote field insert the server's address:
client
dev tun
proto udp
remote mars.yourdomain 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /opt/etc/openvpn/keys/ca.crt
cert /opt/etc/openvpn/keys/Earth.crt
key /opt/etc/openvpn/keys/Earth.key
ns-cert-type server
comp-lzo
verb 3
log-append /opt/var/log/openvpn/openvpn.log
status /opt/var/log/openvpn/status.log



Similarly, apply the iptables rules:
$iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
$iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
$iptables -I INPUT -i tun0 -p tcp --dport 80 -j ACCEPT


We start openvpn on the client, it connects to the server, and we enjoy life. You can watch movies and photos and play games just like on a LAN.

The only thing I could not manage was to synchronize the internal DNS servers, so computers in the other networks have to be accessed by IP.

Well, I hope this is useful to someone; I am tired of writing this epic guide.

As homework, connect your Mercury computer so that it can reach the local resources from anywhere, for example over GPRS or public Wi-Fi.

As advanced homework, take away Mercury's ability to connect to the network by changing only the configuration of Mars.

(C) Ivan Lisenkov 2009

Source: https://habr.com/ru/post/56652/