RaspberryPi


Autoboot the wlan0 wireless lan interface

root@raspberrypi:/# cat /etc/network/interfaces 
auto lo

iface lo inet loopback
iface eth0 inet dhcp

# Earlier wpa-roam based setup, kept for reference but disabled.
#allow-hotplug wlan0
#iface wlan0 inet manual
#wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
#iface default inet dhcp


# Bring wlan0 up at boot (auto) and whenever the adapter is hotplugged.
auto wlan0
allow-hotplug wlan0
iface wlan0 inet dhcp
# wpa-ssid / wpa-psk keep the network credentials directly in this file.
# NOTE(review): /etc/network/interfaces is normally world-readable, so a
# plaintext passphrase here is visible to every local user; restricting the
# file's permissions (or using the hex PSK form from wpa_passphrase) reduces
# the exposure.
wpa-ssid "<SSID>"
wpa-psk "<PASSPHRASE>"


# "iface default" is only consulted by wpa-roam, which is disabled above;
# presumably a leftover from the commented-out block.
iface default inet dhcp

Assign a fixed IP address (to the wireless adapter in this case)

Get the current IP address and other info

# Show every interface, including ones that are down; note wlan0's
# "inet addr", "Bcast" and "Mask" values for the static configuration below.
ifconfig -a

We're interested in these bits:

wlan0
          inet addr:192.168.1.15  Bcast:192.168.1.255  Mask:255.255.255.0

Get the router/gateway address

# Numeric routing table (-n avoids DNS lookups); the row with destination
# 0.0.0.0 carries the default gateway.
netstat -rn

We're interested in these bits:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0

Now, using the above data, edit /etc/network/interfaces and add the following lines to the wlan0 section (also changing the iface line to "static")

# Static addressing for wlan0.  The values are taken from the ifconfig and
# netstat output above and must be adapted to the local network.
address 192.168.1.100
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

It should end up looking something like this:

# wlan0 with a fixed address: "static" replaces "dhcp" on the iface line and
# the five address lines sit before the WPA credentials.
auto wlan0
allow-hotplug wlan0
iface wlan0 inet static
address 192.168.1.100
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
# NOTE(review): the passphrase is stored in plaintext in a file that is
# usually world-readable; restrict its permissions or use the hex PSK form.
wpa-ssid "<SSID>"
wpa-psk "<PASSPHRASE>"

Restart the networking daemon

/etc/init.d/networking reload (or restart)

Install an OpenVPN server

All operations as root

Get the Pi up-to-date

# Refresh the package lists, upgrade what is installed and remove packages
# that are no longer needed.  Everything here runs as root (see above).
apt-get update
apt-get upgrade
apt-get autoremove
raspi-config  # set overclocking to Medium

Install the packages

# The OpenVPN daemon plus the openssl command line tool the easy-rsa
# scripts call.
apt-get install openvpn openssl

and optionally this to be able to reach the server from the internet using names instead of numbers

# Dynamic DNS client, so the server can be reached by name from outside
# even if the public address changes.
apt-get install ddclient

and other useful stuff

# host: DNS lookups; telnet: used further down to probe ports; lighttpd:
# web server (an extra listening service on the box).
# NOTE(review): shorewall is a front end that generates and loads its own
# iptables rule set; if it is enabled it may replace the hand-written rules
# added later on this page -- confirm it stays unconfigured or disabled.
apt-get install host shorewall telnet lighttpd

Generate a copy of the easy-rsa structure

# Work from /etc/openvpn and take a private copy of the easy-rsa 2.0 scripts
# so the packaged examples are never edited in place.
cd /etc/openvpn
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easy-rsa

Modify the easy-rsa location

cd easy-rsa
# Edit vars so EASY_RSA points at the copied directory instead of whatever
# `pwd` happens to be when the scripts are run.
vi vars
Change 
#export EASY_RSA="`pwd`"
export EASY_RSA="/etc/openvpn/easy-rsa"
# NOTE(review): the same file holds the KEY_SIZE default; the dh1024.pem
# produced later on this page shows 1024-bit parameters are in use, which
# is weak by current standards.  Raising it to 2048 before building any
# keys is advisable (the dh file name and the "dh" line in server.conf
# then change to match).
# Load the variables into the current shell, then reset the keys directory.
# clean-all deletes any existing CA and certificates -- run it once, before
# build-ca, never afterwards.
. ./vars
./clean-all

Link correct binary

# easy-rsa 2.0 ships one config file per OpenSSL version; give the scripts
# the generic openssl.cnf name they expect, pointing at the file matching
# the installed OpenSSL (1.0.0 here -- check "openssl version" on the Pi).
ln -s openssl-1.0.0.cnf openssl.cnf

Generate certificate authority files

# Create the certificate authority ("ca" is passed through to the script).
# ca.key signs every server and client certificate, so it is the most
# sensitive file produced on this page: keep it root-only (it is created
# 0600, see the listing below) and, ideally, off the internet-facing VPN
# host altogether once the certificates have been issued.
./build-ca ca

This creates 4 files in the keys subdirectory...

-rw-r--r-- 1 root root 1383 Feb  2 12:02 ca.crt
-rw------- 1 root root  916 Feb  2 12:02 ca.key
-rw-r--r-- 1 root root    0 Feb  2 12:02 index.txt
-rw-r--r-- 1 root root    3 Feb  2 12:02 serial

Generate the server key files

Just press ENTER at the password prompt, but answer yes when asked to sign and commit the certificate.

# Server certificate and key, common name home_server.  Using the
# *server* variant matters: the client side can later insist on a
# server-type certificate.
# NOTE(review): an empty password presumably leaves home_server.key
# unencrypted on disk -- acceptable for a daemon that must start unattended,
# so its 0600 permission is the only protection.
./build-key-server home_server

keys subdirectory now looks like this

-rw-r--r-- 1 root root 4129 Feb  2 12:03 01.pem
-rw-r--r-- 1 root root 1383 Feb  2 12:02 ca.crt
-rw------- 1 root root  916 Feb  2 12:02 ca.key
-rw-r--r-- 1 root root 4129 Feb  2 12:03 home_server.crt
-rw-r--r-- 1 root root  737 Feb  2 12:03 home_server.csr
-rw------- 1 root root  916 Feb  2 12:03 home_server.key
-rw-r--r-- 1 root root  141 Feb  2 12:03 index.txt
-rw-r--r-- 1 root root   21 Feb  2 12:03 index.txt.attr
-rw-r--r-- 1 root root    0 Feb  2 12:02 index.txt.old
-rw-r--r-- 1 root root    3 Feb  2 12:03 serial
-rw-r--r-- 1 root root    3 Feb  2 12:02 serial.old

Generate the client keys

Just press ENTER at the password prompt, but answer yes when asked to sign and commit the certificate.

# Client certificate and key, common name home_client1; repeat with a
# distinct name for every client so each one can be revoked on its own.
# NOTE(review): home_client1.key is presumably unencrypted (empty
# password); it must be copied to the client over a trusted channel and
# treated as a credential.
./build-key home_client1

keys subdirectory now looks like this

-rw-r--r-- 1 root root 4129 Feb  2 12:03 01.pem
-rw-r--r-- 1 root root 4012 Feb  2 12:04 02.pem
-rw-r--r-- 1 root root 1383 Feb  2 12:02 ca.crt
-rw------- 1 root root  916 Feb  2 12:02 ca.key
-rw-r--r-- 1 root root 4012 Feb  2 12:04 home_client1.crt
-rw-r--r-- 1 root root  737 Feb  2 12:04 home_client1.csr
-rw------- 1 root root  916 Feb  2 12:04 home_client1.key
-rw-r--r-- 1 root root 4129 Feb  2 12:03 home_server.crt
-rw-r--r-- 1 root root  737 Feb  2 12:03 home_server.csr
-rw------- 1 root root  916 Feb  2 12:03 home_server.key
-rw-r--r-- 1 root root  283 Feb  2 12:04 index.txt
-rw-r--r-- 1 root root   21 Feb  2 12:04 index.txt.attr
-rw-r--r-- 1 root root   21 Feb  2 12:03 index.txt.attr.old
-rw-r--r-- 1 root root  141 Feb  2 12:03 index.txt.old
-rw-r--r-- 1 root root    3 Feb  2 12:04 serial
-rw-r--r-- 1 root root    3 Feb  2 12:03 serial.old

Generate the Diffie-Hellman file

# Diffie-Hellman parameters for the TLS key exchange.  The size follows
# KEY_SIZE from vars; the dh1024.pem produced here is 1024-bit.
# NOTE(review): 1024-bit DH is considered weak -- raise KEY_SIZE before
# this step (the "dh" line in server.conf must then name the new file).
./build-dh

This gives us one extra file

-rw-r--r-- 1 root root  245 Dec 24 13:40 dh1024.pem

Build a server config file

Copy from the examples directory...

# Start from the packaged sample configuration, decompressing it straight
# into /etc/openvpn/server.conf (same end result as copy + gunzip).
zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz \
  > /etc/openvpn/server.conf

... or paste this snippet.

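cd ..
vi server.conf
# Minimal server.conf.  Paths point at the easy-rsa keys directory built
# above; the certificate and key names must match what build-key-server
# produced (home_server, not server).
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/home_server.crt
key /etc/openvpn/easy-rsa/keys/home_server.key
# NOTE(review): the file name follows KEY_SIZE in vars; 1024-bit DH is
# weak -- regenerate with a larger size and update this line to match.
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
# VPN subnet handed to clients; the server takes the first address.
server 10.8.0.0 255.255.255.0
# persist-* keep the key material and tun device across restarts after
# privileges have been dropped, which the user/group lines below rely on.
persist-key
persist-tun
# Run the daemon unprivileged once the tunnel and keys are set up.
user nobody
group nogroup
status /var/log/openvpn-status.log
verb 3
# Route all client traffic through the VPN and push public resolvers.
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
# NOTE(review): compression inside an encrypted tunnel can leak information
# about the plaintext; keep it only if the clients are configured the same.
comp-lzo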

Enable IP forwarding

# Turn on IPv4 forwarding in the running kernel -- the same knob as writing
# 1 into /proc/sys/net/ipv4/ip_forward.  Not persistent; see the
# sysctl.conf step below.
sysctl -w net.ipv4.ip_forward=1

Check IP address and interface name

Alter the routing table to allow traffic to the server (assuming a wired interface and that the IP address of our Pi is 192.168.1.100)

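# Confirm the LAN interface name (eth0 below) and its address first.
ifconfig -a
# Accept the OpenVPN port on the LAN side.  This rule belongs in the
# default (filter) table: an ACCEPT in the nat table's INPUT chain does not
# permit any traffic, it only ends NAT processing for that packet.
iptables -A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
# Rewrite the source of traffic leaving the VPN subnet towards the LAN to
# the Pi's own address so that replies are routed back through it.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to 192.168.1.100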

Allow IP forwarding across reboots

# Make forwarding survive a reboot: uncomment (or add) the ip_forward line.
vi /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Start the server

# Start the daemon.  If it does not come up, /var/log/openvpn (the
# log-append target in server.conf) holds the reason.
/etc/init.d/openvpn start

The server is running; now set up the client.

Generate and export an OpenVPN config file

Use Tunnelblick or Viscosity (on a Mac) or copy/paste and modify this:

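# Client configuration.  The cert/key names must match what build-key
# produced (home_client1); ca.crt plus the client's .crt and .key are
# shipped alongside this file.
dev tun
client
proto udp
#remote 192.168.1.100 1194    # testing with lan address of Raspberry Pi
remote <public ip address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert home_client1.crt
key home_client1.key
# Only accept a server certificate that our CA issued for server use
# (build-key-server), so a leaked client certificate cannot be used to
# impersonate the server.
remote-cert-tls server
# Must match the server's comp-lzo setting.
comp-lzo
verb 3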

Make routing table modifications persistent

Some info on iptables might come in handy at this point. See references...

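# rc.local runs once at the end of boot, as root; insert the rules above
# its final "exit 0" so they are applied on every start.
vi /etc/rc.local
# The ACCEPT goes in the default (filter) table -- an ACCEPT in nat's
# INPUT chain permits nothing; the SNAT stays in the nat table.
iptables -A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to 192.168.1.100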

Some other bits that may be needed:

# Accept the OpenVPN port on every interface (a broader form of the eth0
# rule used above).
iptables -A INPUT -p udp --dport 1194 -j ACCEPT

# Accept anything arriving from, or forwarded from, a tun device, i.e.
# from VPN clients once their tunnel is up.
# NOTE(review): this gives every VPN client unrestricted access to the Pi
# and to the LAN behind it; tighten if clients should only reach the
# internet.
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT

# Stateful rules: new connections may leave via eth0, replies come back in.
iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Placeholder: replace XXX.XXX.XXX.XXX with the subnet to masquerade
# (10.8.0.0/24 for the VPN clients).  MASQUERADE is the SNAT variant for an
# interface whose own address may change, so no fixed --to address is needed.
iptables -t nat -A POSTROUTING -s XXX.XXX.XXX.XXX -o eth0 -j MASQUERADE

Three files are needed for each client:
ca.crt, client.crt, client.key

Eventually got it working with this, but I don't know yet which bits are really necessary.

Put these lines in /etc/iptables.rules

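# Generated by iptables-save v1.4.14 on Sun Jan 26 18:19:17 2014
# (hand-trimmed: exact duplicate rules removed, and the "-A INPUT ... -j
# ACCEPT" rules dropped from the nat table, where ACCEPT permits nothing --
# the filter-table rule further down is what actually opens the port)
*nat
:PREROUTING ACCEPT [526:41694]
:INPUT ACCEPT [363:30775]
:OUTPUT ACCEPT [197:12420]
:POSTROUTING ACCEPT [197:12420]
# VPN clients leaving via the wireless LAN appear as the Pi's fixed address.
-A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j SNAT --to-source 192.168.1.100
# Via the wired interface they are masqueraded instead.  10.8.0.0/24 lies
# inside 10.0.0.0/8, so the two rules overlap except for 10.x destinations.
-A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Jan 26 18:19:17 2014
# Generated by iptables-save v1.4.14 on Sun Jan 26 18:19:17 2014
*filter
# NOTE(review): all three chain policies are ACCEPT, so the rules below
# only record intent -- nothing is blocked by this table as written.
:INPUT ACCEPT [484:38699]
:FORWARD ACCEPT [1:40]
:OUTPUT ACCEPT [1896:366345]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# OpenVPN port; the eth0-specific rule is a subset of the one before it.
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
# Completed on Sun Jan 26 18:19:17 2014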

then edit /etc/network/interfaces and add the following line just after "iface eth0 inet static"

# Load the saved rule set before the interface is brought up, so there is
# no window with the interface active and the rules absent.
# NOTE(review): the interfaces file shown earlier has eth0 on dhcp, not
# static -- put this line under whichever eth0 stanza is actually in use.
pre-up iptables-restore < /etc/iptables.rules

iptables

  • man iptables!

list open ports

# Listening TCP and UDP sockets with their owning process (-p needs root);
# useful to confirm OpenVPN is bound to 1194/udp and to spot anything else
# that is exposed.
netstat -tulpn

see if firewall is allowing access

# Crude reachability check of one port from another host; a refused or
# timed-out connection points at the firewall or at no service listening.
# NOTE(review): telnet only speaks TCP -- OpenVPN's 1194/udp cannot be
# tested this way; use a UDP-capable tool or an actual client connection.
telnet <ip address> <port>

list FILTER rules

# List the filter table (the default) numerically, with packet/byte
# counters per rule -- the counters show which rules actually match.
iptables -L -n -v

list NAT rules

# Same listing for the nat table, where the SNAT/MASQUERADE rules live.
iptables -L -t nat -n -v

list all rules in selected chain

# Print the nat table's rules in iptables command syntax, i.e. a form that
# can be pasted back into a shell.
iptables -S -t nat -v

show all rules in a form to use for input

# Dump all tables in iptables-restore format; tee writes the file and
# echoes the dump to the terminal for review.  This overwrites any
# hand-edited /etc/iptables.rules.
iptables-save | tee /etc/iptables.rules

bring in those rules previously saved

# Replace the live rule set with the saved one (same command the pre-up
# line in /etc/network/interfaces runs at boot).
iptables-restore < /etc/iptables.rules

show local routing table

# The kernel's local routing table: the addresses it treats as its own and
# the broadcast entries, as opposed to the main table netstat -rn shows.
ip route show table local

References