Difference between revisions of "RaspberryPi"
Revision as of 17:13, 2 February 2014
Autoboot the wlan0 wireless lan interface
root@raspberrypi:/# cat /etc/network/interfaces
auto lo
iface lo inet loopback

iface eth0 inet dhcp

#allow-hotplug wlan0
#iface wlan0 inet manual
#wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
#iface default inet dhcp

auto wlan0
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-ssid "<SSID>"
wpa-psk "<PASSPHRASE>"
iface default inet dhcp
Assign a fixed IP address (to the wireless adapter in the case)
Get the current IP address and other info
ifconfig -a
We're interested in these bits:
wlan0
inet addr:192.168.1.15 Bcast:192.168.1.255 Mask:255.255.255.0
Get the router/gateway address
netstat -rn
We're interested in these bits:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
Now, using the above data, edit /etc/network/interfaces and add the following lines to the wlan0 section (also changing the iface line from "dhcp" to "static"):
address 192.168.1.100
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
It should end up looking something like this:
auto wlan0
allow-hotplug wlan0
iface wlan0 inet static
address 192.168.1.100
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
wpa-ssid "<SSID>"
wpa-psk "<PASSPHRASE>"
Restart the networking daemon
/etc/init.d/networking reload (or restart)
Install an OpenVPN server
All operations are carried out as root.
Get the Pi up-to-date
apt-get update
apt-get upgrade
apt-get autoremove
raspi-config # set overclocking to Medium
Install the packages
apt-get install openvpn openssl
Generate a copy of the easy-rsa structure
cd /etc/openvpn
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easy-rsa
Modify the easy-rsa location
cd easy-rsa
vi vars
Change
#export EASY_RSA="`pwd`"
to
export EASY_RSA="/etc/openvpn/easy-rsa"
then source the variables and reset the key directory:
. ./vars
./clean-all
Link correct binary
ln -s openssl-1.0.0.cnf openssl.cnf
Generate certificate authority files
./build-ca ca
This creates 4 files in the keys subdirectory:
-rw-r--r-- 1 root root 1383 Feb 2 12:02 ca.crt
-rw------- 1 root root 916 Feb 2 12:02 ca.key
-rw-r--r-- 1 root root 0 Feb 2 12:02 index.txt
-rw-r--r-- 1 root root 3 Feb 2 12:02 serial
Now the server key files
Just hit ENTER for the password, but sign and commit the certificate when asked.
./build-key-server home_server
The keys subdirectory now looks like this:
-rw-r--r-- 1 root root 4129 Feb 2 12:03 01.pem
-rw-r--r-- 1 root root 1383 Feb 2 12:02 ca.crt
-rw------- 1 root root 916 Feb 2 12:02 ca.key
-rw-r--r-- 1 root root 4129 Feb 2 12:03 home_server.crt
-rw-r--r-- 1 root root 737 Feb 2 12:03 home_server.csr
-rw------- 1 root root 916 Feb 2 12:03 home_server.key
-rw-r--r-- 1 root root 141 Feb 2 12:03 index.txt
-rw-r--r-- 1 root root 21 Feb 2 12:03 index.txt.attr
-rw-r--r-- 1 root root 0 Feb 2 12:02 index.txt.old
-rw-r--r-- 1 root root 3 Feb 2 12:03 serial
-rw-r--r-- 1 root root 3 Feb 2 12:02 serial.old
Build client keys
Just hit ENTER for the password, but sign and commit the certificate when asked.
./build-key home_client1
The keys subdirectory now looks like this:
-rw-r--r-- 1 root root 4129 Feb 2 12:03 01.pem
-rw-r--r-- 1 root root 4012 Feb 2 12:04 02.pem
-rw-r--r-- 1 root root 1383 Feb 2 12:02 ca.crt
-rw------- 1 root root 916 Feb 2 12:02 ca.key
-rw-r--r-- 1 root root 4012 Feb 2 12:04 home_client1.crt
-rw-r--r-- 1 root root 737 Feb 2 12:04 home_client1.csr
-rw------- 1 root root 916 Feb 2 12:04 home_client1.key
-rw-r--r-- 1 root root 4129 Feb 2 12:03 home_server.crt
-rw-r--r-- 1 root root 737 Feb 2 12:03 home_server.csr
-rw------- 1 root root 916 Feb 2 12:03 home_server.key
-rw-r--r-- 1 root root 283 Feb 2 12:04 index.txt
-rw-r--r-- 1 root root 21 Feb 2 12:04 index.txt.attr
-rw-r--r-- 1 root root 21 Feb 2 12:03 index.txt.attr.old
-rw-r--r-- 1 root root 141 Feb 2 12:03 index.txt.old
-rw-r--r-- 1 root root 3 Feb 2 12:04 serial
-rw-r--r-- 1 root root 3 Feb 2 12:03 serial.old
Build Diffie-Hellman file
./build-dh
This gives us one extra file:
-rw-r--r-- 1 root root 245 Dec 24 13:40 dh1024.pem
Build a server config file
Copy from the examples directory...
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gunzip /etc/openvpn/server.conf.gz
... or paste this snippet.
cd ..
vi server.conf
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
# cert/key file names must match what ./build-key-server home_server produced above
cert /etc/openvpn/easy-rsa/keys/home_server.crt
key /etc/openvpn/easy-rsa/keys/home_server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo
Enable IP forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward
Check IP address and interface name
Alter the routing table to allow traffic to the server (assuming a wired interface and that the IP address of our Pi is 192.168.1.100):
ifconfig -a
iptables -t nat -A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to 192.168.1.100
Allow IP forwarding across reboots
vi /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
Start the server
/etc/init.d/openvpn start
The server is running; now set up the client.
Generate and export an OpenVPN config file
Use Tunnelblick or Viscosity (on a Mac) or copy/paste and modify this:
dev tun
client
proto udp
#remote 192.168.1.100 1194 # testing with lan address of Raspberry Pi
remote <public ip address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
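As an added example (not part of the wiki page), the following script bundles the three per-client files the page needs (ca.crt, the client .crt and the client .key from the easy-rsa keys directory) into a single self-contained .ovpn using OpenVPN's inline <ca>/<cert>/<key> directives, so only one file has to be carried to the client. The function names, the argument order and the added "remote-cert-tls server" line are this example's own choices; that line assumes the server certificate was made with ./build-key-server, which sets the server certificate extensions it checks for.

```shell
#!/bin/sh
# Added example: bundle ca.crt, <client>.crt and <client>.key into one .ovpn.
# Usage: make_ovpn /etc/openvpn/easy-rsa/keys home_client1 <public ip> > home_client1.ovpn

# easy-rsa 2.0 .crt files begin with a human-readable dump; keep only the PEM block.
pem_only() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

make_ovpn() {
    keys_dir=$1 client=$2 server=$3
    for f in "$keys_dir/ca.crt" "$keys_dir/$client.crt" "$keys_dir/$client.key"; do
        [ -r "$f" ] || { echo "make_ovpn: cannot read $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# hardening added in this example: only accept a peer whose certificate
# carries the server extensions that ./build-key-server sets
remote-cert-tls server
comp-lzo
verb 3
<ca>
$(pem_only "$keys_dir/ca.crt")
</ca>
<cert>
$(pem_only "$keys_dir/$client.crt")
</cert>
<key>
$(pem_only "$keys_dir/$client.key")
</key>
EOF
}
```

The output embeds the client's private key, so write it with umask 077 and remove the copy left on the Pi once it has been transferred.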
Make routing table modifications persistent
Some info on iptables might come in handy at this point. See references...
vi /etc/rc.local
Add the routing commands before the exit:
iptables -t nat -A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to 192.168.1.100
Some other bits that may be needed:
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s XXX.XXX.XXX.XXX -o eth0 -j MASQUERADE
Three files are needed for each client:
ca.crt, client.crt, client.key
Eventually got it working with this, but don't know which bits are really necessary just yet.
Put these lines in /etc/iptables.rules:
# Generated by iptables-save v1.4.14 on Sun Jan 26 18:19:17 2014
*nat
:PREROUTING ACCEPT [526:41694]
:INPUT ACCEPT [363:30775]
:OUTPUT ACCEPT [197:12420]
:POSTROUTING ACCEPT [197:12420]
-A INPUT -i wlan0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 1194 -j ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j SNAT --to-source 192.168.1.100
-A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j SNAT --to-source 192.168.1.100
COMMIT
# Completed on Sun Jan 26 18:19:17 2014
# Generated by iptables-save v1.4.14 on Sun Jan 26 18:19:17 2014
*filter
:INPUT ACCEPT [484:38699]
:FORWARD ACCEPT [1:40]
:OUTPUT ACCEPT [1896:366345]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
# Completed on Sun Jan 26 18:19:17 2014
Then edit /etc/network/interfaces and add the following line just after "iface eth0 inet static":
pre-up iptables-restore < /etc/iptables.rules
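As an added example (not the wiki author's rules), this script writes the rules collected piecemeal above as one iptables-restore file with the port-1194 and forwarding rules in the filter table, a DROP policy on FORWARD so that only tunnel clients are routed out, and only the SNAT in the nat table; it also lints a rules file for ACCEPT rules placed in the nat table, which filter nothing because that table sees only a connection's first packet and ACCEPT there only means "do not NAT". Function names, the argument order and the sample input in the test are this example's own; it keeps the page's SNAT to the Pi's LAN address and its "-m state" matches.

```shell
#!/bin/sh
# Added example: vpn_rules WAN_IF VPN_NET LAN_IP > /etc/iptables.rules
# e.g. vpn_rules eth0 10.8.0.0/24 192.168.1.100 (wired Pi as on this page)

vpn_rules() {
    wan=$1 vpn_net=$2 lan_ip=$3
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# OpenVPN handshake on the WAN-facing interface, and anything from the tunnel
# (these INPUT accepts become the allow-list if INPUT is later set to DROP)
-A INPUT -i $wan -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
# FORWARD policy is DROP: only tunnel clients get routed out, plus their replies
-A FORWARD -i tun+ -o $wan -s $vpn_net -j ACCEPT
-A FORWARD -i $wan -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# rewrite tunnel sources to the Pi's LAN address on the way out
-A POSTROUTING -s $vpn_net -o $wan -j SNAT --to-source $lan_ip
COMMIT
EOF
}

# lint_nat_accepts: read an iptables-save file on stdin; fail (non-zero) if a
# port-matching ACCEPT rule sits in the nat table, where it filters nothing.
lint_nat_accepts() {
    awk '
        BEGIN { bad = 0 }
        /^\*/ { table = $1; next }
        table == "*nat" && /--dport/ && /-j ACCEPT/ {
            print "nat-table ACCEPT filters nothing: " $0 > "/dev/stderr"
            bad = 1
        }
        END { exit bad }'
}
```

Load the file the same way the page does (iptables-restore < /etc/iptables.rules from a pre-up line) after checking it with lint_nat_accepts.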
References
- http://www.sans.org/reading-room/whitepapers/hsoffice/soho-remote-access-vpn-easy-pie-raspberry-pi-34427
- http://en.alexnogard.com/install-openvpn-raspberry-pi-wheezy-debian/
- https://forums.openvpn.net/topic14286.html
- http://raspberrypi-hacks.com/29/turn-your-raspberry-into-an-openvpn-vpn-server/
- http://www.cyberciti.biz/tips/linux-iptables-examples.html
- http://www.smallnetbuilder.com/security/security-howto/30353-how-to-set-up-a-site-to-site-vpn-with-openvpn
- http://community.openvpn.net/openvpn/wiki/RoutedLans
- https://workaround.org/openvpn-faq
- https://wiki.debian.org/iptables
- http://www.revsys.com/writings/quicktips/nat.html