openvpn over ad-hoc wireless connection
I have a spare zd1211rw USB WLAN dongle that I'd like to use to turn my desktop into some kind of AP, so that I can freely move around with my laptop. Sadly, the zd1211rw driver doesn't support master mode, nor WPA over ad-hoc. My first thought was to encrypt the ad-hoc connection somehow through an ssh tunnel, but after fiddling around with the dante (`transparent socks proxy') + ssh -D (socks5 proxy via ssh) combination for a while, I didn't find the setup to be as transparent as I thought it could be, e.g. a socksified firefox doesn't work quite well. It seems it's finally time to dip my foot into the VPN pond.
The setup is quite straightforward, though a little bit tedious. What follows is exported from my installation journal in org-mode.
openvpn over ad-hoc wireless
1 setup openvpn on desktop running Arch linux (as vpn server)
1.1 pacman -Sy openvpn
note:
- example conf in /etc/openvpn/examples
- easy-rsa scripts in /usr/share/openvpn/easy-rsa
Now follow the openvpn howto.
1.2 generate certificates & keys
- cp -r {/usr/share,/etc}/openvpn/easy-rsa/
- edit the vars file
- (cd /etc/openvpn/easy-rsa; . ./vars; ./clean-all; ./build-ca)
- ./build-key-server server
  I also used a challenging password
- ./build-key alfred
  where `alfred' is the name of my laptop. I also used a different challenging password
- ./build-dh (Diffie-Hellman parameters)
- Summary of key files:

  Filename    Needed By                 Purpose                    Secret
  ca.crt      server + all clients      Root CA certificate        NO
  ca.key      key signing machine only  Root CA key                YES
  dh{n}.pem   server only               Diffie Hellman parameters  NO
  server.crt  server only               Server Certificate         NO
  server.key  server only               Server Key                 YES
  alfred.crt  "alfred" only             "alfred" Certificate       NO
  alfred.key  "alfred" only             "alfred" Key               YES

- now cp keys/{ca.crt,alfred*} /mnt/usbstick, to be transferred to alfred
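Before the keys go onto the USB stick it is worth checking, on the signing machine, that each certificate chains to this CA, that each .key belongs to its .crt, that the private keys are not group/world readable, and that server.crt actually carries nsCertType=server (the client's ns-cert-type server line, used later in home.conf, rejects a server certificate without it). The script below is an added example, not part of this post or of easy-rsa; it assumes the unencrypted key files and file names easy-rsa's build-key scripts produce (ca.crt, NAME.crt and NAME.key in one directory) and an openssl binary. make_demo_keys builds a constructed throwaway CA plus one server and one client certificate in a temporary directory so the checks can be tried without a real keys directory.

```sh
#!/bin/sh
# Added example, not part of the post or of easy-rsa. Sanity checks for the
# key material before ca.crt and alfred.* leave the signing machine.
# Usage after sourcing this file:
#   check_keys /etc/openvpn/easy-rsa/keys alfred
#   is_server_cert /etc/openvpn/easy-rsa/keys/server.crt

# check_keys DIR NAME: the cert must chain to our own ca.crt, the private key
# must belong to that cert, and the key file must not be readable by others.
check_keys() {
    dir=$1; name=$2
    cert="$dir/$name.crt"; key="$dir/$name.key"; ca="$dir/ca.crt"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "$name.crt does not verify against ca.crt"; return 1; }
    # compare the SubjectPublicKeyInfo taken from the cert and from the key
    certpub=$(openssl x509 -in "$cert" -pubkey -noout)
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ] \
        || { echo "$name.key does not match $name.crt"; return 1; }
    # "-rw-------" (or stricter) is what a private key should look like
    case $(ls -ld "$key") in
        -???------*) ;;
        *) echo "$name.key is readable by group/other"; return 1 ;;
    esac
}

# is_server_cert CERT: true when the cert carries nsCertType=server.
# build-key-server sets it; a server cert made with plain build-key lacks it
# and is refused by a client configured with "ns-cert-type server".
is_server_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'SSL Server'
}

# make_demo_keys: constructed throwaway CA, a server cert with nsCertType=server
# and a client cert ("alfred") without it, all in a temp dir. Prints the dir.
# This stands in for an easy-rsa keys directory and is not the post's data.
make_demo_keys() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-ca \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    printf 'nsCertType=server\n' >"$d/server.ext"
    for n in server alfred; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1
    done
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/server.ext" -out "$d/server.crt" >/dev/null 2>&1
    openssl x509 -req -in "$d/alfred.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/alfred.crt" >/dev/null 2>&1
    chmod 600 "$d"/*.key
    echo "$d"
}
```

The key/cert comparison goes through the public key rather than the RSA modulus so it keeps working if the CA is later rebuilt with a different key type; the permission check is deliberately a plain ls pattern so it behaves the same on Linux and BSD userlands.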
1.3 configuring server
- cd /etc/openvpn
- cp examples/server.conf ./
- link the appropriate certificate files generated previously:
  for f in dh1024.pem ca.crt server.crt server.key; do ln -s easy-rsa/keys/$f ./$f; done
- edit the server.conf file

server.conf, with most comments stripped. Note that a verbatim DNS server address is used:

# address to listen to
local 192.168.3.2
port 1194
;proto tcp
proto udp
# we are using routing instead of bridging. see the online howto
;dev tap
dev tun
# certificates and keys
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
# flag this as a server
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# not using bridging
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "redirect-gateway local def1"
push "dhcp-option DNS 202.109.15.135"
;push "dhcp-option WINS 10.8.0.1"
;client-to-client
# allow duplicate certificates
;duplicate-cn
keepalive 10 120
# use tls for extra security
;tls-auth ta.key 0  # This file is secret
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
max-clients 2
# run unprivileged
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
;log         openvpn.log
;log-append  openvpn.log
# verbosity
verb 3
;mute 20
1.4 running server
Manually: cd /etc/openvpn; openvpn --config server.conf

A script to run the server and set up appropriate NAT routing, ~/bin/runvpn:

#!/bin/sh
OVDIR=/etc/openvpn
OPENVPN=/usr/sbin/openvpn
IPTABLES=/usr/sbin/iptables
$OPENVPN --daemon --config $OVDIR/server.conf --cd $OVDIR
$IPTABLES -t nat -A POSTROUTING -s 10.8.0.0/24 -o ppp0 -j MASQUERADE
2 setup openvpn on laptop running Gentoo (as vpn client)
2.1 emerge openvpn
Note: enable the `examples' USE flag to get vendor-provided skeleton conf files (in /usr/share/doc/openvpn-*/examples/).
2.2 configuring client
cp the skeleton client.conf to /etc/openvpn/home.conf (home being the profile name) and modify it. home.conf:

# flag this as client
client
;dev tap
dev tun
;proto tcp
proto udp
# vpn server's ip address
remote 192.168.3.2 1194
;remote my-server-2 1194
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings
# certificates/keys
ca homekeys/ca.crt
cert homekeys/alfred.crt
key homekeys/alfred.key
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# no compression
;comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
2.3 running client
gentoo's openvpn package has an init script. Just ln -s /etc/init.d/openvpn{,.home} (home being your profile name) and rc-service openvpn.home start
3 networking
In the server-side runvpn script, NAT routing has already been set up. Note that IP forwarding must be enabled (manually by echo "1" > /proc/sys/net/ipv4/ip_forward, or through sysctl: sysctl -w net/ipv4/ip_forward=1).
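The server-side runvpn above appends its MASQUERADE rule with -A on every run, so restarting the server a few times leaves identical rules stacked in the nat table. The following is an added example, not the post's script: an idempotent version of the forwarding and NAT setup that checks before it adds (iptables -C, available from iptables 1.4.11 on) and can also take the rule out again on shutdown. The subnet and uplink interface (10.8.0.0/24 and ppp0) are the post's; the overridable IPTABLES and SYSCTL variables are an assumption made so the logic can be exercised with stand-in commands and without root.

```sh
#!/bin/sh
# Added example, not the post's own runvpn. Bring up IPv4 forwarding and the
# NAT rule for the VPN subnet without stacking duplicates on every run.
# IPTABLES and SYSCTL are assumed overridable so the functions can be tested
# with stand-ins; the defaults are the usual Linux paths.
IPTABLES=${IPTABLES:-/usr/sbin/iptables}
SYSCTL=${SYSCTL:-/sbin/sysctl}

# ensure_forwarding: enable net.ipv4.ip_forward only if it is not already on.
ensure_forwarding() {
    cur=$($SYSCTL -n net.ipv4.ip_forward 2>/dev/null) || cur=0
    [ "$cur" = 1 ] || $SYSCTL -w net.ipv4.ip_forward=1 >/dev/null
}

# ensure_masquerade SUBNET OUT_IF: add the POSTROUTING rule only if absent.
# "iptables -C" exits 0 when an identical rule exists and 1 when it does not.
ensure_masquerade() {
    subnet=$1; out_if=$2
    $IPTABLES -t nat -C POSTROUTING -s "$subnet" -o "$out_if" -j MASQUERADE 2>/dev/null \
        || $IPTABLES -t nat -A POSTROUTING -s "$subnet" -o "$out_if" -j MASQUERADE
}

# remove_masquerade SUBNET OUT_IF: delete every copy of the rule, including
# stale duplicates left behind by a script that always used -A.
remove_masquerade() {
    subnet=$1; out_if=$2
    while $IPTABLES -t nat -D POSTROUTING -s "$subnet" -o "$out_if" -j MASQUERADE 2>/dev/null; do
        :
    done
}

# Stand-alone use: "runvpn start" / "runvpn stop" (values from the post).
# With no argument nothing is touched, so the file can also just be sourced.
case ${1:-} in
    start) ensure_forwarding; ensure_masquerade 10.8.0.0/24 ppp0 ;;
    stop)  remove_masquerade 10.8.0.0/24 ppp0 ;;
esac
```

Restricting the rule to -s 10.8.0.0/24, as the post already does, matters: a bare MASQUERADE on ppp0 would also rewrite traffic arriving from the unencrypted ad-hoc side, which is exactly the traffic the VPN is there to keep off the uplink.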
At the client side, after bringing up the vpn client, I still have to route add default gw 10.8.0.5, where 10.8.0.5 is the p2p end of tun0. It's possible that this can be pushed by the server but I'm tired of reading the openvpn manual, so this is done in a script runvpn on my laptop (not to be confused with the script on the server side bearing the same name). The script is set up to also ssh to the server on its WLAN address and start up the vpn server.

#!/bin/sh
ssh home sudo bin/runvpn
sudo rc-service openvpn.home restart
sleep 10
TUN=`sudo /sbin/ifconfig tun0 | sed -n 's/.*P-t-P:\([^ ]\+\).*/\1/p'`
sudo route add default gw $TUN
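The client runvpn above runs route add default gw $TUN even when the sed over ifconfig's output matched nothing (tun0 not up yet, or a newer net-tools that prints "destination" instead of "P-t-P:"), which leaves $TUN empty and hands route an incomplete command. The block below is an added example, not the post's script: a tun_peer parser that understands both ifconfig formats and a set_default_route that refuses to touch the routing table unless it found a peer address. The ifconfig outputs embedded in it are constructed samples, and IFCONFIG/ROUTE are assumed overridable names so the logic can be exercised without root.

```sh
#!/bin/sh
# Added example, not the post's own client runvpn. Find the point-to-point
# peer of tun0 and only then install it as the default gateway.

# tun_peer: read ifconfig output on stdin and print the P-t-P peer address.
# Handles the old net-tools line ("P-t-P:10.8.0.5") and the newer one
# ("destination 10.8.0.5"). Exits 1 and prints nothing when no peer is found.
tun_peer() {
    peer=$(sed -n \
        -e 's/.*P-t-P:\([0-9.]\{7,15\}\).*/\1/p' \
        -e 's/.*destination \([0-9.]\{7,15\}\).*/\1/p' | head -n 1)
    [ -n "$peer" ] || return 1
    echo "$peer"
}

# IFCONFIG and ROUTE are assumed overridable so the logic can be tested with
# stand-ins; the defaults are the paths the post uses.
IFCONFIG=${IFCONFIG:-/sbin/ifconfig}
ROUTE=${ROUTE:-/sbin/route}

# set_default_route IFACE: look up the peer and make it the default gateway.
# Returns 1 without running route at all if the peer cannot be determined.
set_default_route() {
    iface=$1
    gw=$($IFCONFIG "$iface" 2>/dev/null | tun_peer) || {
        echo "no point-to-point peer on $iface; is the VPN up?" >&2
        return 1
    }
    $ROUTE add default gw "$gw"
}

# Constructed sample outputs for the two ifconfig generations (not captured
# from the author's machines; the addresses follow the post's 10.8.0.0/24).
OLD_STYLE='tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'
NEW_STYLE='tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)'
```

In the post's script the fixed sleep 10 is what stands between rc-service returning and tun0 existing; with the check above a too-short wait turns into a clear error instead of a half-applied route, and the script can simply be re-run.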
4 real-world operation
- plug in the USB WLAN card on the desktop. With the following /etc/udev/rules.d/10-zd1211.rules and ~/bin/adhoc, the card is automatically set in ad-hoc mode and assigned 192.168.3.2
- on the laptop, run adhoc && sleep 5 && runvpn. The sleep 5 is to allow some time for the WLAN to be fully associated to an ad-hoc cell

10-zd1211.rules (on server):

ACTION=="add", ATTR{manufacturer}=="ZyDAS", ATTR{product}=="USB2.0 WLAN", SYSFS{idVendor}=="0ace", SYSFS{idProduct}=="1215", SYMLINK+="net/wireless-usb-zd1211", RUN+="/hoard/home/bin/zd-inserted"

~/bin/adhoc (on server):

#!/bin/sh
# ref: http://forums.gentoo.org/viewtopic-t-274790-highlight-adhoc+wireless.html
/sbin/rmmod zd1211rw && /sbin/modprobe zd1211rw
# need to set abs. path for script to work when called by e.g. udev
IFCONFIG=/sbin/ifconfig && \
IWCONFIG=/usr/sbin/iwconfig && \
$IFCONFIG wlan0 down && \
$IWCONFIG wlan0 mode ad-hoc && \
$IWCONFIG wlan0 essid soc channel 1 && \
$IFCONFIG wlan0 192.168.3.2 && \
$IWCONFIG wlan0 txpower 14dbm

~/bin/adhoc (on client):

#!/bin/sh
IFCONFIG="sudo /sbin/ifconfig"
IWCONFIG="sudo /sbin/iwconfig"
$IFCONFIG wlan0 down && \
$IWCONFIG wlan0 mode ad-hoc && \
$IFCONFIG wlan0 192.168.3.3 && \
$IWCONFIG wlan0 essid soc channel 1 txpower 10dbm
HTML generated by org-mode 6.27a in emacs 23