
Home Server OpenVPN Server Bridge

Introduction.

If we want to access our Home Server network from a remote location we need a secure solution. Ideally the connection should look as if we were directly plugged into our network. We can do this with OpenVPN in bridged mode. On both sides we use tap adapters, so the connection is a true layer-2 network bridge. A connected client then looks as if it is plugged into the network with a cable, which makes sure that both IPv4 and IPv6 work.

To secure the connection, certificates are used on the server side and for each client. Always use one client certificate per remote device (laptop, smartphone). If such a device gets lost or stolen you can simply revoke that certificate to prevent access to your network.

Overview.

Homeserver and Virtual servers.

On the server OpenVPN listens on UDP port 1194. In the firewall you need to open this port and forward it to the server that runs OpenVPN; in our example setup the gateway must forward it to the home server.

In the drawing the interface for OpenVPN is shown as br0/eth0/tap0. br0 is the bridged network interface, and almost all programs on the server must now refer to br0 instead of eth0: eth0 is only the physical interface, and tap0 is the virtual OpenVPN interface.

After setting this all up, you must update all applications that refer to eth0 and change it into br0.

To allow client access, add an FQDN for our OpenVPN service to the DNS, like vpn.wpl.uk. This name is also used in the certificates.

Bridge configuration.

First, install bridge-utils and openvpn:

[root@homsrv ~]# pacman -S bridge-utils openvpn
resolving dependencies...
looking for inter-conflicts...

Targets (3): bridge-utils-1.4-4  lzo2-2.05-1  openvpn-2.2.0-1

Total Download Size:    0.40 MB
Total Installed Size:   1.59 MB

Proceed with installation? [Y/n]
:: Retrieving packages from core...
 bridge-utils-1.4-4...    14.5K  136.3K/s 00:00:00 [######################] 100%
 lzo2-2.05-1-i686        105.0K  367.2K/s 00:00:00 [######################] 100%
 openvpn-2.2.0-1-i686    287.3K  709.3K/s 00:00:00 [######################] 100%
(3/3) checking package integrity                   [######################] 100%
(3/3) checking for file conflicts                  [######################] 100%
(1/3) installing bridge-utils                      [######################] 100%
(2/3) installing lzo2                              [######################] 100%
(3/3) installing openvpn                           [######################] 100%
[root@homsrv ~]#

Firewall bridge configuration

We reconfigure eth0 into br0, a bridge with the member interfaces eth0 and tap0. First change the configuration in the firewall using fwbuilder: rename eth0 on the homsrv machine to br0, then press the “advanced interface settings” button in the interface screen and change the “Device type” from Ethernet to Bridge. Then, in the object tree, right-click the br0 interface and add the eth0 and tap0 interfaces. Save and upload the firewall. Even though the interfaces don’t exist yet, the upload is accepted by our server.

While you are working on the firewall, you can also add the OpenVPN UDP port 1194 to the gateway and forward it to the Home Server.

Next add the following lines to /etc/conf.d/bridges:

bridge_br0="eth0 tap0"
BRIDGE_INTERFACES=(br0)

Then configure /etc/conf.d/openvpn-tapdev:

TAPDEVS="tap0"

And update /etc/rc.conf to configure the bridged interface:

eth0="eth0 0.0.0.0 promisc up"
tap0="tap0 0.0.0.0 promisc up"
br0="br0 10.126.160.253 netmask 255.255.255.0 broadcast 10.126.160.255 \
     add 2001:1af8:fecf:7ea0::fd/64"

Add openvpn-tapdev to the DAEMONS=() array in /etc/rc.conf before network-legacy. Now we can reconfigure the network:

[root@homsrv etc]# /etc/rc.d/openvpn-tapdev start
:: Creating tap devices for OpenVPN ...  tap0                            [DONE]
[root@homsrv etc]# /etc/rc.d/network-legacy restart
:: Stopping Network                                                      [BUSY]
bridge br0 doesn't exist; can't delete it
                                                                         [FAIL]
:: Starting Network                                                      [DONE]
[root@homsrv etc]#

The error is normal; if you do this a second time there will be no error. One thing is left: you must reconfigure all applications that reference eth0 in their configuration files. Use the following command from the /etc directory to find them:

[root@homsrv etc]# grep -R eth0 *
avahi/avahi-daemon.conf:#allow-interfaces=eth0
conf.d/wireless:#wlan_eth0="eth0 mode managed essid default"
conf.d/wireless:#WLAN_INTERFACES=(eth0)
conf.d/bridges:#    eth0="eth0 up"
  cut.....cut
minidlna.conf:network_interface=eth0
radvd.conf:interface eth0
rc.conf:eth0="eth0 0.0.0.0 promisc up"
rc.conf:INTERFACES=(eth0 tap0 br0 eth1 red0)
rc.conf:# interface=eth0
rc.conf:# interface=eth0
[root@homsrv etc]#

Before you continue, it may be a good idea to reboot the server to see if everything works as planned. You can check the bridge with:

[root@homsrv ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.080027f14f3a       no              eth0
                                                        tap0
[root@homsrv ~]#
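
The interfaces column of brctl show comes from the kernel's sysfs tree (/sys/class/net/br0/brif/ has one entry per enslaved port), and the up/promisc state that rc.conf sets on eth0 and tap0 is visible in /sys/class/net/<port>/flags. The following script is an added example, not part of the original article: it repeats the check above from sysfs so it can be run after every reboot. The sysfs root is a parameter so the check can also be run against a copied or constructed tree; the IFF_* values are the kernel's own constants from <linux/if.h>.

```shell
#!/bin/sh
# Added example: verify the OpenVPN bridge from sysfs. Checks that every
# expected port is enslaved to the bridge and that each port is UP and in
# promiscuous mode, which is what the rc.conf lines above ask for.
# The first argument is the sysfs root, normally /sys; a constructed tree
# can be passed instead for testing.

IFF_UP=0x1          # from <linux/if.h>
IFF_PROMISC=0x100

# port_flags ROOT IFACE -> the interface flags as printed by the kernel
port_flags() {
    cat "$1/class/net/$2/flags" 2>/dev/null || echo 0
}

# check_bridge ROOT BRIDGE PORT... -> exit status 0 when every PORT is a
# member of BRIDGE and is up and promiscuous, 1 otherwise. Each problem
# found is printed on its own line.
check_bridge() {
    root=$1; br=$2; shift 2
    rc=0
    if [ ! -d "$root/class/net/$br/brif" ]; then
        echo "$br: no such bridge (not created, or bridge module not loaded)"
        return 1
    fi
    for port in "$@"; do
        # brif/ holds one entry per enslaved port (what brctl addif does)
        if [ ! -e "$root/class/net/$br/brif/$port" ]; then
            echo "$br: $port is not a bridge member"
            rc=1
            continue
        fi
        flags=$(port_flags "$root" "$port")
        if [ $(( flags & IFF_UP )) -eq 0 ]; then
            echo "$port: interface is down"
            rc=1
        fi
        if [ $(( flags & IFF_PROMISC )) -eq 0 ]; then
            echo "$port: not in promiscuous mode, frames for other MACs are dropped"
            rc=1
        fi
    done
    return $rc
}

# On the home server from this article:
#   check_bridge /sys br0 eth0 tap0 && echo "bridge OK"
```

Run it as root is not required; sysfs is world-readable. A non-zero exit with a message naming the port tells you whether the problem is the bridge membership (rc.conf bridges section) or the port state (the promisc up lines).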

OpenVPN server certificate.

For this article we use the FQDN vpn.wpl.uk for our OpenVPN server. Using the procedure from the certificates article, create a server certificate for vpn.wpl.uk by running sh request-server-openvpn.sh. Sign it with sh sign-server-openvpn.sh and move the signed request.cert into the vpn.wpl.uk directory. The complete shell session:

[root@mgmtws servers]# sh request-server-openvpn.sh
Create a server sign request (OpenVPN server)

Enter the server full qualified domain name: vpn.wpl.uk

Enter email address: admin@wpl.uk

Creating a server certificate request using the following data:

Country           UK
State or Province Kent
Locality          Dover
Organisation      WPL
Common Name       vpn.wpl.uk
Email Address     admin@wpl.uk

Hit ENTER to create the request, Ctrl-C to abort #
Generating a 1024 bit RSA private key
.++++++
...................++++++
writing new private key to 'vpn.wpl.uk/request.key'
-----
Certificate Request:
    Data:
            Version: 0 (0x0)
            Subject: C=UK, ST=Kent, L=Dover, O=WPL, CN=vpn.wpl.uk/emailAddress=admin@wpl.uk
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (1024 bit)
  cut...............cut
            5a:80:61:e8:48:35:10:e2:a3:74:ca:c2:a4:18:00:43:e8:7a:
            ba:b3
[root@mgmtws servers]# cd ../root-ca/
[root@mgmtws root-ca]# sh sign-server-openvpn.sh
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=UK, ST=Kent, L=Dover, O=WPL, CN=vpn.wpl.uk/emailAddress=admin@wpl.uk
  cut...............cut
            ba:b3

Verify that the adata above is correct, to refuse hit Control-C,
to sign the request hit ENTER.
sign request #
Using configuration from conf/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 3 (0x3)
        Validity
            Not Before: Jul  8 13:40:26 2011 GMT
            Not After : Jul  6 13:40:26 2016 GMT
        Subject:
            countryName               = UK
            stateOrProvinceName       = Kent
            organizationName          = WPL
            commonName                = vpn.wpl.uk
            emailAddress              = admin@wpl.uk
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                F9:AC:B8:47:15:BF:F2:AE:41:B5:B9:AF:D5:3C:3A:CE:C7:6A:5A:9F
            X509v3 Authority Key Identifier:
                keyid:F7:E1:AD:8A:18:BF:E3:22:07:0B:6C:CB:0E:D0:CB:F8:2D:84:57:AA
                DirName:/C=UK/ST=Kent/L=Dover/O=WPL/CN=WPL Root CA/emailAddress=ca@wpl.uk
                serial:F3:7F:87:7F:69:0C:BC:CB

Certificate is to be certified until Jul  6 13:40:26 2016 GMT (1825 days)

Write out database with 1 new entries
Data Base Updated
[root@mgmtws root-ca]# cd ../servers
[root@mgmtws servers]# cd vpn.wpl.uk
[root@mgmtws vpn.wpl.uk]# mv ../../root-ca/request.cert .
[root@mgmtws vpn.wpl.uk]# ls -l
total 20
-rw-r--r-- 1 root root  868 Jul  8 15:33 openssl.cnf
-rw-r--r-- 1 root root 4128 Jul  8 15:40 request.cert
-rw-r--r-- 1 root root  655 Jul  8 15:33 request.csr
-rw-r--r-- 1 root root  916 Jul  8 15:33 request.key
[root@mgmtws vpn.wpl.uk]# rm ../../root-ca/request.csr
[root@mgmtws vpn.wpl.uk]# scp request.cert root@homsrv:/etc/certs/openvpn.pem
root@homsrv's password:
request.cert                                  100% 4128     4.0KB/s   00:00
[root@mgmtws vpn.wpl.uk]# scp request.key root@homsrv:/etc/certs/openvpn.key
root@homsrv's password:
request.key                                   100%  916     0.9KB/s   00:00
[root@mgmtws vpn.wpl.uk]#

On the Home Server set the right file protection:

[root@homsrv ~]# chmod 400 /etc/certs/openvpn.key
[root@homsrv ~]#

OpenVPN server configuration.

To complete the OpenVPN server configuration two extra key files need to be created: the Diffie-Hellman parameters and the tls-auth key.

[root@homsrv ~]# cd /etc/certs
[root@homsrv certs]# openssl dhparam -out dh 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
........................+....+................................+................
.................................................................+.............
...+....+.....................................................................+
.....................................................................+.....+...
................................+..............................................
.........................+.+...................................................
...............................................................................
...........+..+............+...................................................
..................................................+............................
..................+....+................................................+......
..........+........+...........................................................
..........................................................................+....
......+........................................................................
.........................+............................+........................
...............+..............................+.............................+..
...............................................................................
+......++*++*++*
[root@homsrv certs]# cd /etc/openvpn/homsrv
[root@homsrv homsrv]# openvpn --genkey --secret ta.key
[root@homsrv homsrv]#

The file /etc/openvpn/homsrv.conf:

cd /etc/openvpn/homsrv
port 1194
proto udp
dev tap0

ca /etc/certs/wpl-ca.pem
cert /etc/certs/openvpn.pem
key  /etc/certs/openvpn.key
dh /etc/certs/dh

# server to configure the client.
#server-bridge (should work and translate to the next lines,
# but it doesn't work).
#server-bridge nogw
mode server
tls-server

client-to-client
keepalive 10 60
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth ta.key 0 # This file is secret
cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
user nobody
group nobody
persist-key
persist-tun
verb 1
# Revoked certificates.
#crl-verify crl.pem

Now you can start the server:

[root@homsrv openvpn]# /etc/rc.d/openvpn start
:: Starting OpenVPN ...  homsrv                                          [DONE]
[root@homsrv openvpn]#
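
Two things in homsrv.conf above deserve a second look before clients are handed out: cipher DES-EDE3-CBC is a 64-bit block cipher (as is BF-CBC, the default when no cipher is set in OpenVPN before 2.5), and revoking a lost device's certificate, as the introduction promises, has no effect while crl-verify stays commented out. The script below is an added example, not part of the original article: a small lint that reads an OpenVPN server config and reports those and a few related settings (tls-auth key direction, dropping root with user/group). It works only on the text of the file and takes the config path as its argument.

```shell
#!/bin/sh
# Added example (not from the original article): review an OpenVPN server
# configuration such as /etc/openvpn/homsrv.conf for settings that weaken
# the setup. Only the text of the file is inspected.

# directive CONF NAME -> prints the active (uncommented) lines for NAME
directive() {
    # drop everything after ';' or '#' (OpenVPN's comment markers), then
    # keep the lines whose first word is the directive we want
    sed -e 's/[;#].*$//' "$1" | awk -v d="$2" '$1 == d'
}

# lint_openvpn_conf CONF -> prints one finding per line and returns the
# number of findings (0 = nothing found)
lint_openvpn_conf() {
    conf=$1
    n=0

    # 1. data channel cipher: 3DES and Blowfish have 64-bit blocks; use AES
    #    (GCM where the OpenVPN version supports it, CBC otherwise)
    cipher=$(directive "$conf" cipher | awk '{print $2}')
    case "$cipher" in
        AES-[0-9]*-CBC|AES-[0-9]*-GCM|CHACHA20-POLY1305) ;;
        "") echo "cipher: not set, OpenVPN before 2.5 falls back to BF-CBC"; n=$((n+1)) ;;
        *)  echo "cipher: $cipher is a 64-bit block cipher, use AES"; n=$((n+1)) ;;
    esac

    # 2. tls-auth: must be present; if a key direction is given, the server
    #    side is 0 (clients use 1)
    set -- $(directive "$conf" tls-auth)
    if [ -z "$2" ]; then
        echo "tls-auth: not set, unauthenticated packets reach the TLS stack"; n=$((n+1))
    elif [ -n "$3" ] && [ "$3" != "0" ]; then
        echo "tls-auth: key direction $3, the server side must use 0"; n=$((n+1))
    fi

    # 3. revocation only works if the CRL is actually loaded
    if [ -z "$(directive "$conf" crl-verify)" ]; then
        echo "crl-verify: not set, revoked client certificates are still accepted"; n=$((n+1))
    fi

    # 4. the daemon should drop root privileges after start-up
    for d in user group; do
        [ -n "$(directive "$conf" $d)" ] \
            || { echo "$d: not set, OpenVPN keeps running as root"; n=$((n+1)); }
    done

    return $n
}

# On the home server from this article:
#   lint_openvpn_conf /etc/openvpn/homsrv.conf
```

On the configuration shown on this page the lint reports exactly the cipher and the crl-verify findings; switching to an AES cipher and uncommenting crl-verify crl.pem (with the CRL from the certificates article in place) brings it to zero.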

In the next article you can see how to configure a Windows client.

Download.

The updated scripts and configuration files.

Linux Home Server complete package: homeserver-complete.tar.gz (2.6 MiB)

Permanent link to this article: http://www.mbse.eu/linux/homeserver/network/openvpn/