z·eeki·sh

tech log on gentoo, linux, and random stuff

Posts Tagged ‘openvpn

openvpn over ad-hoc wireless connection

leave a comment »

I have a spare zd1211rw usb WLAN dongle that I’d like to use to turn my desktop into some kind of AP, so that I can freely move around with my laptop. Sadly, the zd1211rw driver doesn’t support master mode, nor wpa over ad-hoc. My first thought is to encrypt the ad-hoc connection somehow through an ssh tunnel, but after fiddling around with dante (for `transparent socks proxy’) + ssh -D (socks5 proxy via ssh) combination for a while, I didn’t find the setup to be as transparent as I though it could be–e.g., socksify firefox doesn’t work quite well. It seems finally it’s time to dip my foot into the VPN pond.

The setup is quite straightforward though a little bit tedius. Following is exported from my installation journal in org-mode


openvpn over ad-hoc wireless

1 setup openvpn on desktop running Arch linux (as vpn server)

1.1 pacman -Sy openvpn

note:

  1. example conf in /etc/openvpn/examples
  2. easy-rsa scripts in /usr/share/openvpn/easy-rsa

now follow openvpn howto

1.2 generate certificates & keys

  1. cp -r {/usr/share,/etc}/openvpn/easy-rsa/
  2. edit vars file
  3. (cd /etc/openvpn; . ./vars; ./clean-all; ./build-ca)
  4. ./build-key-server server
    i also used a challenging password
  5. ./build-key alfred
    where `alfred’ is the name of my laptop. i also used a
    different challenging password
  6. ./build-dh (Diffie-Hellman parameters)
  7. Summary of key files:

    Filename Needed By Purpose Secret
    ca.crt server + all clients Root CA certificate NO
    ca.key key signing machine only Root CA key YES
    dh{n}.pem server only Diffie Hellman parameters NO
    server.crt server only Server Certificate NO
    server.key server only Server Key YES
    alfred.crt “alfred” only “alfred” Certificate NO
    alfred.key “alfred” only “alfred” Key YES
  8. now cp key/{ca.crt,alfred*} /mnt/usbstick, to be transfered
    to alfred

1.3 configuring server

  1. cd /etc/openvpn
  2. cp examples/server.conf ./
  3. linking appropriate certificate files generated previously:
    for f in dh1024.pem ca.crt server.crt server.key; do ln -s easy-rsa/keys/$f ./$f; done
  4. edit server.conf file.

    server.conf with most comments stripped. Note that a verbatim
    DNS server address is used

    # address to listen to
    local 192.168.3.2
    port 1194
    
    ;proto tcp
    proto udp
    
    # we are using routing instead of bridging. see the online howto
    ;dev tap
    dev tun
    
    # certificates and keys
    ca ca.crt
    cert server.crt
    key server.key  # This file should be kept secret
    dh dh1024.pem
    
    # flag this as a server
    server 10.8.0.0 255.255.255.0
    
    ifconfig-pool-persist ipp.txt
    
    # not using bridging
    ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
    
    ;push "route 192.168.10.0 255.255.255.0"
    ;push "route 192.168.20.0 255.255.255.0"
    
    push "redirect-gateway local def1"
    
    push "dhcp-option DNS 202.109.15.135"
    ;push "dhcp-option WINS 10.8.0.1"
    
    ;client-to-client
    
    # allow duplicate certificates
    ;duplicate-cn
    
    keepalive 10 120
    
    # use tls for extra security
    ;tls-auth ta.key 0 # This file is secret
    
    ;cipher BF-CBC        # Blowfish (default)
    ;cipher AES-128-CBC   # AES
    ;cipher DES-EDE3-CBC  # Triple-DES
    
    max-clients 2
    
    # run unprivileged
    user nobody
    group nobody
    
    persist-key
    persist-tun
    
    status openvpn-status.log
    
    ;log         openvpn.log
    ;log-append  openvpn.log
    
    # verbosity
    verb 3
    
    ;mute 20
    

1.4 running server

manually, cd /etc/openvpn; openvpn --config server.conf.

A script to run the server and set up appropriate NAT routing:
~/bin/runvpn

#!/bin/sh
OVDIR=/etc/openvpn
OPENVPN=/usr/sbin/openvpn
IPTABLES=/usr/sbin/iptables
$OPENVPN --daemon --config $OVDIR/server.conf --cd $OVDIR
$IPTABLES -t nat -A POSTROUTING -s 10.8.0.0/24 -o ppp0 -j MASQUERADE

2 setup openvpn on laptop running Gentoo (as vpn client)

2.1 emerge openvpn

Note: enable the `examples’ USE flag to get vendor-provided
skeleton conf files (in /usr/share/doc/openvpn-*/examples/)

2.2 configuring client

cp the skeleton client.conf to /etc/openvpn/home.conf (home
being the profile name), mod it.

home.conf:

# flag this as client
client

;dev tap
dev tun

;proto tcp
proto udp

# vpn server's ip address
remote 192.168.3.2 1194
;remote my-server-2 1194

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings

# certificates/keys
ca homekeys/ca.crt
cert homekeys/alfred.crt
key homekeys/alfred.key 

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# no compression
;comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

2.3 running client

gentoo’s openvpn package has an init script. Just ln -s /etc/init.d/openvpn{,.home}, (home being your profile name) and
rc-service start openvpn.home

3 networking

In the server-side runvpn script, NAT routing has already been set
up. Note that ip-forwarding must be enabled (manually by echo "1" > /proc/sys/net/ip_forward or through sysctl: sysctl -w net/ipv4/ip_forward=1)

At the client side, after bringing up the vpn client, I still have
to route add default gw 10.8.0.5 where 10.8.0.5 is the p2p end
of tun0. It’s possible that this can be pushed by the server but I’m
tired of reading the openvpn manual, so this is done in a script
runvpn on my laptop (not to be confused with the script on the
server side bearing the same name). The script is setup to also ssh
to the server on its WLAN address and start up the vpn server.

#!/bin/sh
ssh home sudo bin/runvpn
sudo rc-service openvpn.home restart
sleep 10
TUN=`sudo /sbin/ifconfig tun0 | sed -n 's/.*P-t-P:\([^ ]\+\).*/\1/p'`
sudo route add default gw $TUN

4 real-world operation

  1. plug in the USB WLAN card on the desktop. With the following
    /etc/udev/rules.d/10-zd1211.rules and ~/bin/adhoc, the card
    is automatically set in ad-hoc mode and assigned 192.168.3.2

  2. on the laptop, run adhoc && sleep 5 && runvpn. the sleep 5 is
    to allow some time for the WLAN to be fully associated to an
    ad-hoc cell

    10-zd1211.rules (on server)

    ACTION=="add", ATTR{manufacturer}=="ZyDAS", ATTR{product}=="USB2.0 WLAN", SYSFS{idVendor}=="0ace", SYSFS{idProduct}=="1215", SYMLINK+="net/wireless-usb-zd1211", RUN+="/hoard/home/bin/zd-inserted"
    

    ~/bin/adhoc (on server)

    #!/bin/sh
    
    # ref: http://forums.gentoo.org/viewtopic-t-274790-highlight-adhoc+wireless.html
    
    /sbin/rmmod zd1211rw && /sbin/modprobe zd1211rw
    
    # need to set abs. path for script to work when called by e.g. udev
    IFCONFIG=/sbin/ifconfig && \
    IWCONFIG=/usr/sbin/iwconfig && \
    $IFCONFIG wlan0 down && \
    $IWCONFIG wlan0 mode ad-hoc && \
    $IWCONFIG wlan0 essid soc channel 1 && \
    $IFCONFIG wlan0 192.168.3.2 && \
    $IWCONFIG wlan0 txpower 14dbm
    

    ~/bin/adhoc (on client)

    #!/bin/sh
    IFCONFIG="sudo /sbin/ifconfig"
    IWCONFIG="sudo /sbin/iwconfig"
    $IFCONFIG wlan0 down && \
    $IWCONFIG wlan0 mode ad-hoc && \
    $IFCONFIG wlan0 192.168.3.3 && \
    $IWCONFIG wlan0 essid soc channel 1 txpower 10dbm
    

HTML generated by org-mode 6.27a in emacs 23

Advertisements

Written by zsh

June 28, 2009 at 3:40 am

Posted in /etc, /usr/local/bin

Tagged with , , ,