A good buddy of mine, Trevor, had mentioned wanting to bridge his Brother‘s and his networks. Having done an OpenVPN install many moons ago it had resonated with the “I need to do that again” list in my head. When the N900 arrived it seemed like the perfect opportunity to have the n900 use a VPN tunnel to secure traffic while on open AP. Here is my config:
The first step was to get a current version of OpenVPN installed on the Ubuntu 9.10 server. I decided to go with the bridge setup rather than a routed so that I could play more easily with my VMware clusters at the house and the lab with my BeOS and OpenBSD boxes.
sudo apt-get install openvpn bridge-utils
Next I setup a bridged adapter to use on the Ubuntu 9.10 box that would give me transparent access. Open the /etc/network/interfaces file in vi
auto lo br0
iface lo inet loopback
iface br0 inet static
iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down
Afterward you need to restart the network interfaces
sudo /etc/init.d/networking restart
Since I was using the desktop edition of Ubuntu rather than Server (this machine was a pseudo desktop for a little bit) I had to enable ip forwarding by editing /etc/sysctl.conf with vi and adding
Next few steps are to setup the CA you need for certificate generation. Easy-rsa is pretty sweet for quick and dirty CA for these type of things. You can also use the openvpn tools to do static keys, but where is the fun in that?
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo vi /etc/openvpn/easy-rsa/vars
Change these lines at the bottom so that they reflect your new CA.
Now to generate your root
cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
sudo chown -R root:admin . ## make this directory writable by the system administrators
sudo chmod g+w . ## make this directory writable by the system administrators
source ./vars ## execute your new vars file
./clean-all ## Setup the easy-rsa directory (Deletes all keys)
./build-dh ## takes a while consider backgrounding
./pkitool –initca ## creates ca cert and key
./pkitool –server server ## creates a server cert and key
openvpn –genkey –secret ta.key ## Build a TLS key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../
These next two up/down scripts setup the bridge when the server starts. This is the magic in not having to perform the routing you used to be required to do in OpenVPN1
sudo vi /etc/openvpn/up.sh
This script should contain the following
/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV
Now, we’ll create a “down” script.
sudo vi /etc/openvpn/down.sh
It should contain the following.
/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down
Now, make both scripts executable.
sudo chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh
Below is my example /etc/openvpn/server.conf Customize as you see fit
port 443 ## i am running on 443 rather than the default for firewall bypassing
up “/etc/openvpn/up.sh br0”
down “/etc/openvpn/down.sh br0”
tls-auth ta.key 0
#cipher and compression
cipher BF-CBC # Blowfish (default)
server-bridge 172.16.1.102 255.255.255.0 172.16.1.50 172.16.1.60
push “dhcp-option DNS 172.16.1.1”
push “dhcp-option DOMAIN geekyschmidt.com”
#log and security
keepalive 10 120
Afterward restart the OpenVPN Server
sudo /etc/init.d/openvpn restart
Now it is time to generate your client certs that you will need to copy to each device. I use n900 as the name here, but you can replace with whatever you wish. I try to keep names and machines close for my poor memory
You will be left with a few files in your /etc/openvpn/easy-rsa/keys directory you need to copy to the device. In my case I copied them to the MyDocs/openvpn area of my N900 to be sure the applet could see them. Most linux machines store them in /etc/openvpn. The list of files to copy is below. Keep in mind that mine are named n900 due to the above pkitool n900 command.
Once those are on the machine you need to generate a config file. Here is mine from the n900.
### Client configuration file for OpenVPN
# Specify that this is a client
# Bridge device setting
# Host name and port for the server (default port is 1194)
# note: replace with the correct values your server set up
remote notlikelytopostinanopenwebsite.com 443
# Client does not need to bind to a specific local port
# Keep trying to resolve the host name of OpenVPN server.
## The windows GUI seems to dislike the following rule.
##You may need to comment it out.
# Preserve state across restarts
# SSL/TLS parameters – files created previously
# Since we specified the tls-auth for server, we need it for the client
# note: 0 = server, 1 = client
tls-auth ta.key 1
# Specify same cipher as server
# Use compression
# Log verbosity (to help if there are problems)
On the n900 you will need to install from extras-testing the openvpn packages
apt-get install openvpn openvpn-applet
Thats it! Click in your status bar with the n900 and import the config file stored in MyDocs/openvpn from earlier. It will import the keys into the correct locations and allow you to test the connection.