RaspberryPi
Bring up the wlan0 wireless LAN interface at boot
root@raspberrypi:/# cat /etc/network/interfaces
auto lo
iface lo inet loopback

iface eth0 inet dhcp

#iface wlan0 inet manual
#wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf

auto wlan0
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-ssid "<SSID>"
wpa-psk "<PASSPHRASE>"

iface default inet dhcp
Assign a fixed IP address (to the wireless adapter, in this case)
Get the current IP address and other info
ifconfig -a
We're interested in these bits:
wlan0
inet addr:192.168.1.15 Bcast:192.168.1.255 Mask:255.255.255.0
Get the router/gateway address
netstat -rn
We're interested in these bits:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
Now, using the above data, edit /etc/network/interfaces and add the following lines to the wlan0 section (also changing the iface line from "dhcp" to "static"):
address 192.168.1.100
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
It should end up looking something like this:
auto wlan0
allow-hotplug wlan0
iface wlan0 inet static
address 192.168.1.100
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
wpa-ssid "<SSID>"
wpa-psk "<PASSPHRASE>"
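The network and broadcast values above are derived from the address and netmask, and the gateway has to sit on that same network or the stanza will not route. The script below is an added example (not part of the original page) that does that arithmetic for any address/mask pair, checks the gateway, and renders the stanza; the 192.168.1.x values are the ones used above and the SSID/passphrase are placeholders.

```sh
#!/bin/sh
# Derive network/broadcast from an address and netmask, check the gateway is
# on that network, and render the static stanza for /etc/network/interfaces.
# Added example, not from the original page. Pure POSIX sh arithmetic.

# Network address: address AND mask, octet by octet.
ipv4_network() {
    set -- $(echo "$1 $2" | tr '.' ' ')      # $1..$4 address, $5..$8 mask
    echo "$(( $1 & $5 )).$(( $2 & $6 )).$(( $3 & $7 )).$(( $4 & $8 ))"
}

# Broadcast address: address OR inverted mask, octet by octet.
ipv4_broadcast() {
    set -- $(echo "$1 $2" | tr '.' ' ')
    echo "$(( $1 | (255 - $5) )).$(( $2 | (255 - $6) )).$(( $3 | (255 - $7) )).$(( $4 | (255 - $8) ))"
}

# Succeeds only if gateway $3 lies on the same network as address $1/mask $2.
gateway_on_network() {
    [ "$(ipv4_network "$1" "$2")" = "$(ipv4_network "$3" "$2")" ]
}

# Print a static stanza: static_stanza IFACE ADDRESS NETMASK GATEWAY SSID PSK
static_stanza() {
    iface=$1 addr=$2 mask=$3 gw=$4 ssid=$5 psk=$6
    if ! gateway_on_network "$addr" "$mask" "$gw"; then
        echo "gateway $gw is not on the network of $addr/$mask" >&2
        return 1
    fi
    cat <<EOF
auto $iface
allow-hotplug $iface
iface $iface inet static
address $addr
netmask $mask
network $(ipv4_network "$addr" "$mask")
broadcast $(ipv4_broadcast "$addr" "$mask")
gateway $gw
wpa-ssid "$ssid"
wpa-psk "$psk"
EOF
}

# Stand-alone run with the values from this page (SSID/PSK are placeholders).
static_stanza wlan0 192.168.1.100 255.255.255.0 192.168.1.1 '<SSID>' '<PASSPHRASE>'
```

Paste the printed stanza over the wlan0 block in /etc/network/interfaces. The gateway check is worth keeping: a typo that puts the gateway on a different subnet produces an interface that comes up but cannot reach the router.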
Install OpenVPN server
All operations as root
Get the Pi up-to-date
apt-get update
apt-get upgrade
apt-get autoremove
raspi-config    # set overclocking to Medium
Install the packages
apt-get install openvpn openssl
Generate a copy of the easy-rsa structure
cd /etc/openvpn
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easy-rsa
Modify the easy-rsa location
cd easy-rsa
vi vars
Comment out the `pwd` line and set the fixed path instead:
#export EASY_RSA="`pwd`"
export EASY_RSA="/etc/openvpn/easy-rsa"
Then source the variables and clear out any previous keys:
. ./vars
./clean-all
Link the correct OpenSSL config file
The easy-rsa 2.0 directory ships several openssl-*.cnf files; link the one that matches the installed OpenSSL version (openssl-1.0.0.cnf for 1.0.x):
ln -s openssl-1.0.0.cnf openssl.cnf
Generate certificate authority files
./build-ca ca
This creates 4 files in the keys subdirectory...
-rw-r--r-- 1 root root 1383 Dec 24 13:32 ca.crt
-rw------- 1 root root  912 Dec 24 13:32 ca.key
-rw-r--r-- 1 root root    0 Dec 24 13:31 index.txt
-rw-r--r-- 1 root root    3 Dec 24 13:31 serial
Now the server key files (sign and commit the certificate when asked)
./build-key-server server
New files in keys subdirectory
-rw------- 1 root root  916 Dec 24 13:35 server.key
-rw-r--r-- 1 root root  729 Dec 24 13:35 server.csr
-rw-r--r-- 1 root root    3 Dec 24 13:35 serial
-rw-r--r-- 1 root root   21 Dec 24 13:35 index.txt.attr
-rw-r--r-- 1 root root  136 Dec 24 13:35 index.txt
-rw-r--r-- 1 root root 4120 Dec 24 13:35 server.crt
-rw-r--r-- 1 root root 4120 Dec 24 13:35 01.pem
Build client keys (sign and commit the certificate when asked)
./build-key client1
Client files in keys subdirectory...
-rw------- 1 root root  916 Dec 24 13:39 client1.key
-rw-r--r-- 1 root root  729 Dec 24 13:39 client1.csr
-rw-r--r-- 1 root root    3 Dec 24 13:39 serial
-rw-r--r-- 1 root root   21 Dec 24 13:39 index.txt.attr
-rw-r--r-- 1 root root  273 Dec 24 13:39 index.txt
-rw-r--r-- 1 root root 3999 Dec 24 13:39 02.pem
-rw-r--r-- 1 root root 3999 Dec 24 13:39 client1.crt
Build Diffie-Hellman file
./build-dh
This gives us one extra file:
-rw-r--r-- 1 root root 245 Dec 24 13:40 dh1024.pem
Build a server config file. Copy from the examples directory...
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
gunzip /etc/openvpn/server.conf.gz
... or paste this snippet.
cd ..
vi server.conf
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo
Enable IP forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward
Check the IP address and interface name, then add the NAT rules that let VPN client traffic (10.8.0.0/24) leave through the server's LAN address
ifconfig -a
iptables -t nat -A INPUT -i wlan0 -p udp -m udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j SNAT --to 192.168.1.100
Allow IP forwarding across reboots
vi /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
Start the server
/etc/init.d/openvpn start
The server is running; now set up a client.
Use Tunnelblick or Viscosity to generate and export an OpenVPN config file or paste and modify this:
dev tun
client
proto udp
#remote 192.168.1.100 1194    # testing with the LAN address of the Raspberry Pi
remote <public ip address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
Make routing table modifications persistent
Some info on iptables might come in handy at this point. See references...
vi /etc/rc.local
Add the routing commands before the exit:
iptables -t nat -A INPUT -i wlan0 -p udp -m udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j SNAT --to 192.168.1.100
Some other bits that may be needed:
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s XXX.XXX.XXX.XXX -o eth0 -j MASQUERADE
Three files are needed for each client:
ca.crt, client.crt, client.key
Eventually got it working with this, but I don't know which bits are really necessary just yet.
Put these lines in /etc/iptables.rules
# Generated by iptables-save v1.4.14 on Sun Jan 26 18:19:17 2014
*nat
:PREROUTING ACCEPT [526:41694]
:INPUT ACCEPT [363:30775]
:OUTPUT ACCEPT [197:12420]
:POSTROUTING ACCEPT [197:12420]
-A INPUT -i wlan0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 1194 -j ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j SNAT --to-source 192.168.1.100
-A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j SNAT --to-source 192.168.1.100
COMMIT
# Completed on Sun Jan 26 18:19:17 2014
# Generated by iptables-save v1.4.14 on Sun Jan 26 18:19:17 2014
*filter
:INPUT ACCEPT [484:38699]
:FORWARD ACCEPT [1:40]
:OUTPUT ACCEPT [1896:366345]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
# Completed on Sun Jan 26 18:19:17 2014
then edit /etc/network/interfaces and add the following line just after "iface eth0 inet static"
pre-up iptables-restore < /etc/iptables.rules
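Two things stand out in the saved rule set above when working out which bits are really necessary: several rules appear twice (the same rc.local commands re-run on every boot append them again), and the `-A INPUT ... -j ACCEPT` rules sit in the nat table, where ACCEPT only means "do not NAT this packet" and never permits or blocks anything. Also, every filter chain has a default policy of ACCEPT, so with only ACCEPT rules present nothing is actually being blocked. The script below is an added example (not from the original page) that tidies a dump like this one: it removes exact duplicates per table, lists nat-table ACCEPT rules, and lists filter chains that are open by default. write_sample_rules writes a copy of the page's /etc/iptables.rules as constructed input.

```sh
#!/bin/sh
# Tidy and sanity-check an iptables-save dump such as /etc/iptables.rules.
# Added example, not from the original page; write_sample_rules reproduces
# the page's rule set as constructed test input.

# Print the dump with exact-duplicate "-A ..." lines removed within each
# table, keeping the first occurrence and the original order.
iptables_dedupe() {
    awk '
        /^\*/ { for (k in seen) delete seen[k]; print; next }  # new table
        /^-A/ { if (seen[$0]++) next }                        # seen already
        { print }
    ' "$1"
}

# Print every rule in the *nat table that ends in "-j ACCEPT". ACCEPT in the
# nat table only exempts the packet from NAT; a rule meant as a permission
# belongs in the filter table instead.
iptables_nat_accepts() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A / && /-j ACCEPT$/ { print }
    ' "$1"
}

# Print "CHAIN POLICY" for each filter-table chain whose default policy is
# ACCEPT. With those policies, ACCEPT rules in the chain restrict nothing.
iptables_filter_open_chains() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:/ && $2 == "ACCEPT" { print substr($1, 2), $2 }
    ' "$1"
}

# Constructed input: the /etc/iptables.rules shown on this page.
write_sample_rules() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [526:41694]
:INPUT ACCEPT [363:30775]
:OUTPUT ACCEPT [197:12420]
:POSTROUTING ACCEPT [197:12420]
-A INPUT -i wlan0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 1194 -j ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j SNAT --to-source 192.168.1.100
-A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j SNAT --to-source 192.168.1.100
COMMIT
*filter
:INPUT ACCEPT [484:38699]
:FORWARD ACCEPT [1:40]
:OUTPUT ACCEPT [1896:366345]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
EOF
}

# Stand-alone run: show how many rules the dedupe removes and what is flagged.
f=$(mktemp)
write_sample_rules "$f"
echo "rules before: $(grep -c '^-A' "$f"), after dedupe: $(iptables_dedupe "$f" | grep -c '^-A')"
echo "nat-table ACCEPT rules (no filtering effect):"
iptables_nat_accepts "$f"
echo "filter chains with default policy ACCEPT:"
iptables_filter_open_chains "$f"
rm -f "$f"
```

Run `iptables_dedupe /etc/iptables.rules > /etc/iptables.rules.new` and diff the two before swapping them in; the dedupe is safe because iptables matches rules in order and a repeated identical rule can never match anything the first copy did not.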
References
- http://www.sans.org/reading-room/whitepapers/hsoffice/soho-remote-access-vpn-easy-pie-raspberry-pi-34427
- http://en.alexnogard.com/install-openvpn-raspberry-pi-wheezy-debian/
- https://forums.openvpn.net/topic14286.html
- http://raspberrypi-hacks.com/29/turn-your-raspberry-into-an-openvpn-vpn-server/
- http://www.cyberciti.biz/tips/linux-iptables-examples.html
- http://www.smallnetbuilder.com/security/security-howto/30353-how-to-set-up-a-site-to-site-vpn-with-openvpn
- http://community.openvpn.net/openvpn/wiki/RoutedLans
- https://workaround.org/openvpn-faq
- https://wiki.debian.org/iptables
- http://www.revsys.com/writings/quicktips/nat.html