Gentoo Forums :: Networking & Security
New HOWTO: 802.11 + Firewall + VPN
nhaggin
n00b

Joined: 15 Jun 2002
Posts: 74
Location: Illinois, USA

Posted: Tue Sep 07, 2004 4:25 am    Post subject: New HOWTO: 802.11 + Firewall + VPN

Greetings, all.

Having undertaken, with many annoying difficulties, to get a working VPN + firewall working on my own 802.11 network, I thought it might be worth documenting for others who might want to give it a try:

http://nhaggin.freeshell.org/wireless-vpn-howto/

It covers both IPSec (2.6 kernel native subsystem) and OpenVPN. If those of you who are interested would give it a read and offer feedback/criticism, I would be most grateful. (I'm sure it still contains quite a few errors.)
_________________
Nick

A.M.D.G.
nhaggin
n00b

Joined: 15 Jun 2002
Posts: 74
Location: Illinois, USA

Posted: Sun Sep 12, 2004 10:22 pm

*bump*

Apparently everyone's questions are answered elsewhere, and my stuff is superfluous. Ah, well...on to the next project.
_________________
Nick

A.M.D.G.
Flummi
n00b

Joined: 23 Oct 2002
Posts: 13
Location: Erfurt (Germany)

Posted: Sat Sep 25, 2004 10:59 pm

Hey, what a cool HOWTO. This is exactly what I have been looking for. Thank you very much. I will report my success (or, hopefully not, my failure) to you.

Flummi
fls
Tux's lil' helper

Joined: 18 Apr 2003
Posts: 111
Location: Germany

Posted: Sun Sep 26, 2004 7:36 am

Thanks for this nice document nhaggin! I'm currently interested in good stuff about VPNs since I know I'll have to do one in the future for the company I work for. Your document gives a clear understanding of the whole matter and that's why I like it.
Thanks :)
_________________
First they ignore you, then they laugh at you, then they fight you, then you win. Mahatma Gandhi
Flummi
n00b

Joined: 23 Oct 2002
Posts: 13
Location: Erfurt (Germany)

Posted: Mon Sep 27, 2004 12:54 pm

Hmmm, I can understand nearly everything you wrote in this HOWTO, but I am totally confused about the file names you use for the certs, keys, reqs and so on. I think it would be helpful (at least for me) if you could use some real, existing file names and post your openssl.conf.

Thanks in advance

Flummi
nhaggin
n00b

Joined: 15 Jun 2002
Posts: 74
Location: Illinois, USA

Posted: Sat Oct 02, 2004 9:22 pm

Flummi: for some reason, the forums didn't send me an email telling me of your most recent post. Sorry for the delay in getting back. Are you having trouble with generating the CA, generating the host certificates, putting the right names in the VPN config files, or all of the above?

I originally decided not to use "real" filenames to keep the presentation sufficiently general; I've often found that when one specifies filenames people tend to use them unchanged, which can cause issues if my names conflict with something completely different that already exists on someone's machine. But then, *nix folk tend to be smarter about those kinds of things.

I've revised section 5 into something intermediate between my original version and your request; it now includes the relevant portion of the openssl.cnf file. I haven't decided yet whether to change to a set of "real" names; maybe the course of the discussion in this thread will sway me one way or the other.
_________________
Nick

A.M.D.G.
No_Code
n00b

Joined: 14 Sep 2004
Posts: 8

Posted: Wed Oct 06, 2004 7:37 pm

I'm attempting this and when I go to do the final openssl step, I run into a brick wall. Forgive my "creative" file-naming convention.

Code:

release ssl # openssl ca -out hostCertFile.pem -in certRequestFile.pem
Using configuration from /etc/ssl/openssl.cnf
wrong number of fields on line 1 (looking for field 6, got 1, '' left)
Segmentation fault



The opening of my openssl.cnf file looks like:
Code:


# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file               = $ENV::HOME/.oid
oid_section             = new_oids



I'm not sure where to go from here. Any input would be greatly appreciated.
nhaggin
n00b

Joined: 15 Jun 2002
Posts: 74
Location: Illinois, USA

Posted: Wed Oct 06, 2004 8:09 pm

Hmm...your config file's first few lines are identical to mine, except for the first. Mine starts with the comment marker (#) while yours appears to be blank. It's possible that OpenSSL is looking for either something specific, or a comment; try changing it to the latter.

Your file-naming convention is certainly forgiven. :D
_________________
Nick

A.M.D.G.
nhaggin
n00b

Joined: 15 Jun 2002
Posts: 74
Location: Illinois, USA

Posted: Wed Oct 06, 2004 8:35 pm

Two additional things:

1. I have added a couple more items: a) a "Further References" section which currently contains only one book, and b) a link in section 10 to a tarball of premade scripts, including a Gentoo-style init script for setting everything up.

If the changes aren't there right when you read this, don't panic; they'll be there shortly.

2. If you post to this thread, please tell me whether you're using IPSec or OpenVPN for the VPN portion; I'm curious to know which generates more interest. And if this request baffles you because you were planning to use both, let me know also, since that would indicate my presentation doesn't make it clear that you are supposed to use one or the other, not both. Probably won't happen, but one never knows.
_________________
Nick

A.M.D.G.
No_Code
n00b

Joined: 14 Sep 2004
Posts: 8

Posted: Fri Oct 08, 2004 3:36 pm

Ok, so I got the keys made and I had a little initial trouble with getting the OpenVPN server started, but eventually I did because the server.up file was not chmod'ed properly. I then attempted to connect to the VPN through the Windows clients that I'm using. Initially, I was getting an error message on the Windows client:

Code:

read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)


Then I tried to change the settings in the server.up file. Then the server simply would not start, giving me the message of:

Code:

Oct  7 18:35:12 [openvpn] TUN/TAP device tun0 opened
Oct  7 18:35:12 [openvpn] /sbin/ifconfig tun0 10.0.0.1 pointopoint 10.0.0.2 mtu 1259
Oct  7 18:35:12 [openvpn] /etc/openvpn/server.up tun0 1259 1300 10.0.0.1 10.0.0.2 init
Oct  7 18:35:12 [openvpn] script failed: could not execute shell command
Oct  7 18:35:12 [openvpn] Exiting


So then I checked the chmod again and moved the file around; same thing. Then, I tried executing the command contained in the file in the shell myself and it didn't like the syntax. What I don't understand is how route can work at one point, but not work the next, even though the route that I'm trying to add isn't already in the list.

The command that it is trying to execute is:
Code:
route add -net 10.0.0.0 netmask 255.255.255.0 gw $5


Is there something that I am missing here?
nhaggin
n00b

Joined: 15 Jun 2002
Posts: 74
Location: Illinois, USA

Posted: Fri Oct 08, 2004 5:20 pm

If you try executing that directly from the command line, it won't work. The "up" scripts that you can specify are given a series of command-line arguments, the fifth of which is the IP address of the other endpoint of the tunnel. So if you wanted to run it from the command line, you'd do something like

Code:
 route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.2


changing 10.0.0.2 to whatever IP address the other endpoint is going to use.

This is probably the right time to mention something else about OpenVPN. I quote from their HOWTO:
Quote:

Note that each OpenVPN tunnel needs to run on its own separate port number...At this point in OpenVPN's development, it is not capable of handling any sort of incoming connection template that would allow a single configuration file to describe a large class of potential connecting clients.


The "incoming connection template" feature is implemented in OpenVPN 2.0, which is currently in beta.

Because of this limitation in the current stable OpenVPN series, Gentoo has set up the init script to allow automatic startup of multiple server processes with different configurations in the following manner: under /etc/openvpn, you create a directory for each configuration, and place all configuration data in that directory. Read /etc/init.d/openvpn for more details.

I do not mention this in my HOWTO since it is specific to Gentoo; I am undecided as to whether I should add a section detailing the idiosyncrasies of various Linux distributions.
_________________
Nick

A.M.D.G.
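An added example, not the HOWTO's server.up and not code from the thread, of an OpenVPN `--up` script that makes the argument order explicit. OpenVPN invokes the script with the device name, the tunnel MTU, the link MTU, the local and remote tunnel addresses, and `init` or `restart`, which is exactly what the logged call `/etc/openvpn/server.up tun0 1259 1300 10.0.0.1 10.0.0.2 init` shows. The 10.0.0.0/24 network and the `route add ... gw $5` invocation are the thread's; the argument validation, the `DRY_RUN` switch and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example, not the HOWTO's server.up: an OpenVPN "up" script that
# spells out the positional arguments OpenVPN hands it. From the log line
# in the thread:
#   /etc/openvpn/server.up tun0 1259 1300 10.0.0.1 10.0.0.2 init
#   $1 device  $2 tun MTU  $3 link MTU  $4 local IP  $5 remote IP  $6 init|restart
# Install as /etc/openvpn/server.up with mode 755 and this #! line; a
# missing exec bit or interpreter is what OpenVPN logs as
# "script failed: could not execute shell command".

# Network reached through the tunnel (the thread's 10.0.0.0/24).
VPN_NET=${VPN_NET:-10.0.0.0}
VPN_MASK=${VPN_MASK:-255.255.255.0}

# route_cmd REMOTE_IP -> print the route command without running it
route_cmd() {
    echo "route add -net $VPN_NET netmask $VPN_MASK gw $1"
}

# validate_args DEV TUN_MTU LINK_MTU LOCAL_IP REMOTE_IP [init|restart]
validate_args() {
    [ $# -ge 5 ] || { echo "server.up: expected >= 5 args, got $#" >&2; return 1; }
    case $1 in
        tun*|tap*) ;;
        *) echo "server.up: unexpected device '$1'" >&2; return 1 ;;
    esac
    for ip in "$4" "$5"; do
        echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
            || { echo "server.up: bad address '$ip'" >&2; return 1; }
    done
    return 0
}

# main "$@" -> run (or, with DRY_RUN set, only print) the route command
main() {
    validate_args "$@" || return 1
    # $5 is the peer's tunnel address. It is only reachable after OpenVPN has
    # run ifconfig on $1, which is why the same command typed at a shell
    # before the tunnel exists fails with "SIOCADDRT: Network is unreachable".
    cmd=$(route_cmd "$5")
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$cmd"
    else
        $cmd
    fi
}

# Only act when given arguments, i.e. when OpenVPN invokes the script.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

To see what the script would do without touching the routing table, run `DRY_RUN=1 sh server.up tun0 1259 1300 10.0.0.1 10.0.0.2 init` as an unprivileged user; the printed line is the command OpenVPN would execute as root after bringing tun0 up.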
No_Code
n00b

Joined: 14 Sep 2004
Posts: 8

Posted: Fri Oct 08, 2004 5:58 pm

Thanks for the explanation. Alas, it didn't seem to do me any good, even if I changed server.up to what you had posted here. Basically, OpenVPN continues to not start up and the following occurs if I enter the route manually:

Code:

release root # route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.2
SIOCADDRT: Network is unreachable


I have TUN/TAP support compiled into my kernel (2.6.8). Do I have to bring up the interface somehow before this can take place? If so, is it brought up like any other standard network interface?
nhaggin
n00b

Joined: 15 Jun 2002
Posts: 74
Location: Illinois, USA

Posted: Fri Oct 08, 2004 9:02 pm

First: compile TUN/TAP support as a module; if you compile it into the kernel, you'll only ever be able to have one TUN/TAP device.

Second: I should have mentioned this earlier: if you're using a Windows client, you don't have IP-level tunneling (TUN); rather, you have Ethernet bridged tunneling (TAP). Windows has neither kind of functionality built-in, so OpenVPN includes code for a Windows TAP driver. This is probably why, on your initial attempt, the server came up just fine but the client's connection timed out.

Therefore, you have to configure the Linux end (wired endpoint) to use TAP instead of TUN. The following documents are available with regard to this problem on the OpenVPN site:

http://openvpn.sourceforge.net/INSTALL-win32.html

http://openvpn.sourceforge.net/bridge.html

I may rewrite the OpenVPN section of my HOWTO to use Ethernet bridging instead of IP-level tunneling. I originally chose IP-level tunneling because it's really quick to set up IF both sides are running Linux. (IOW, I was lazy. :D )
_________________
Nick

A.M.D.G.
nhaggin
n00b

Joined: 15 Jun 2002
Posts: 74
Location: Illinois, USA

Posted: Fri Oct 08, 2004 9:27 pm

Hmm...I committed a small blooper: according to one of the pages I mention above, the driver for Windows included with OpenVPN does both TUN and TAP. So we're kind of back where we started.

I don't have a wireless machine with Windows running to help you troubleshoot here, so the best I can do is wish you happy hacking. If you do wind up getting something working, though, I'll certainly add it and you'll get a shiny contributor credit. :D
_________________
Nick

A.M.D.G.
Flummi
n00b

Joined: 23 Oct 2002
Posts: 13
Location: Erfurt (Germany)

Posted: Sun Dec 05, 2004 8:08 pm

Hello again,

Sorry for this very late reply. I wasn't informed about new postings either. Don't know why. But thanks, now I am able to create my certs without a problem. Thanks a lot nhaggin.

Greetings

Flummi