Thursday 23 October 2008

Install an OpenVPN server on the fileserver

I'm going to use an OpenVPN based Ethernet bridge to allow me to connect to my home LAN via the Internet when I'm away from home.

First install the openvpn, bridge-utils (for the Ethernet bridge) and openssl (to generate certificates) packages

fileserver:~# apt-get install openvpn bridge-utils openssl

The /etc/init.d/openvpn script that comes with the package is far too complicated for what I need (or understand), so I replaced it with a simpler one, after copying the original to /etc/init.d/openvpn.orig -

#! /bin/sh
# /etc/init.d/openvpn
#

# Carry out specific functions when asked to by the system
case "$1" in
  start)
    echo "Starting openvpn server"
    openvpn --config /etc/openvpn/simple.conf
    ;;
  stop)
    echo "Stopping openvpn server"
    killall openvpn
    ;;
  *)
    echo "Usage: /etc/init.d/openvpn {start|stop}"
    exit 1
    ;;
esac

exit 0

To use the killall command, I had to install the psutils package.

To make the bridge between the tap device and the physical Ethernet port, I edited /etc/network/interfaces to -

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#allow-hotplug eth0
auto eth0
iface eth0 inet static
        address 0.0.0.0
        netmask 255.255.255.0

auto tap0
iface tap0 inet static
        address 0.0.0.0
        netmask 255.255.255.0
        pre-up /usr/sbin/openvpn --mktun --dev tap0

auto br0
iface br0 inet dhcp
        hostname fileserver
        bridge_ports eth0 tap0

Generating the required certificates is done as described in the OpenVPN HOWTOs. The easy-rsa directory was at /usr/share/doc/openvpn/examples/easy-rsa/2.0. I copied this to /etc/openvpn and worked there. At the end of the process I copied the files needed on the server to /etc/openvpn -

/etc/openvpn/ca.crt
/etc/openvpn/server.crt
/etc/openvpn/server.key
/etc/openvpn/dh1024.pem

The files needed on the client are -

ca.crt
client.crt
client.key

The OpenVPN server configuration file /etc/openvpn/simple.conf is -

dev tap0
server-bridge 192.168.2.1 255.255.255.0 192.168.2.101 192.168.2.110
user nobody
persist-key
persist-tun
proto udp
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
daemon

This will allow up to 10 clients to connect; they will be given IP addresses from 192.168.2.101 to 192.168.2.110 on the home LAN. Note that 192.168.2.1 is the IP address of the home LAN router.

Finally, I needed to forward TCP and UDP port 1194 on the WAN side of my internet firewall to the fileserver IP address 192.168.1.18.
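As an added example (not part of the original post), the shell script below audits a server configuration of the shape shown above: it checks that the ca, cert, key and dh files the config names exist, that the private key is readable only by its owner, and that the daemon drops privileges with both "user" and "group" after startup (the config above has "user nobody" but no "group" line). The function names audit_openvpn_conf and make_sample are chosen for this example, and make_sample writes constructed placeholder files under a temporary directory so the script runs without any real key material.

```sh
#!/bin/sh
# Added example, not part of the original post: audit an OpenVPN server
# config in the style of /etc/openvpn/simple.conf. Findings are printed one
# per line and the function returns the number of findings (0 = clean).
# Function names and the sample configs below are constructed for this example.

# audit_openvpn_conf CONFIG
audit_openvpn_conf() {
    conf=$1
    n=0
    # Every file the config points at must exist and be readable.
    for opt in ca cert key dh; do
        path=$(awk -v o="$opt" '$1 == o { print $2; exit }' "$conf")
        if [ -z "$path" ]; then
            echo "MISSING: no '$opt' directive in $conf"
            n=$((n + 1))
        elif [ ! -r "$path" ]; then
            echo "MISSING: $opt file $path is absent or unreadable"
            n=$((n + 1))
        fi
    done
    # The private key must not be readable by group or others:
    # columns 5-10 of "ls -l" are the group and other permission bits.
    key=$(awk '$1 == "key" { print $2; exit }' "$conf")
    if [ -n "$key" ] && [ -f "$key" ]; then
        perm=$(ls -l "$key" | cut -c5-10)
        if [ "$perm" != "------" ]; then
            echo "PERMS: private key $key is group/world readable (chmod 600 it)"
            n=$((n + 1))
        fi
    fi
    # After startup the daemon should drop root with both user and group.
    for opt in user group; do
        grep -q "^$opt[[:space:]]" "$conf" || {
            echo "PRIV: no '$opt' directive, daemon keeps its root $opt after startup"
            n=$((n + 1))
        }
    done
    return "$n"
}

# make_sample good|bad: writes a constructed config plus placeholder files
# (no real key material) under a temporary directory and prints the config path.
make_sample() {
    dir=$(mktemp -d)
    for f in ca.crt server.crt server.key dh1024.pem; do
        echo "placeholder $f, constructed for the example" > "$dir/$f"
    done
    if [ "$1" = good ]; then
        chmod 600 "$dir/server.key"
        privs="user nobody
group nogroup"
    else
        chmod 644 "$dir/server.key"   # world-readable private key
        rm "$dir/dh1024.pem"          # dh file missing
        privs=""                      # no privilege drop at all
    fi
    cat > "$dir/simple.conf" <<EOF
dev tap0
server-bridge 192.168.2.1 255.255.255.0 192.168.2.101 192.168.2.110
$privs
persist-key
persist-tun
proto udp
ca $dir/ca.crt
cert $dir/server.crt
key $dir/server.key
dh $dir/dh1024.pem
daemon
EOF
    echo "$dir/simple.conf"
}

# Stand-alone demonstration: the good sample reports nothing, the bad one
# reports the missing dh file, the key permissions and the missing user/group.
for kind in good bad; do
    conf=$(make_sample "$kind")
    echo "== $kind sample ($conf)"
    audit_openvpn_conf "$conf" || echo "   $? finding(s)"
done
```

Each finding is one line on stdout and the return code is the count, so the function can gate a deployment script. The dh1024.pem file used above holds 1024-bit Diffie-Hellman parameters; a 2048-bit file (openssl dhparam -out dh2048.pem 2048) is the usual choice today, and the audit could be extended to check the size with openssl dhparam -text -noout.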

My first client is my Windows laptop running OpenVPN GUI for Windows. The client config file is -

client
dev tap
proto udp

remote flabby.is-a-geek.com 1194

nobind

persist-key
persist-tun

mute-replay-warnings

ns-cert-type server

verb 3

ca   "ca.crt"
key  "client.key"
cert "client.crt"

float

Monday 20 October 2008

Add dynamic DNS service updater

I'm going to be adding a VPN gateway to the fileserver so I can access it over the internet. I have an account at DynDNS that will map the WAN address of my router to my DynDNS domain name. I need a simple client on the LAN to update this account when the WAN address changes.

The simplest client recommended at DynDNS seems to be inadyn, which I installed on the fileserver -

fileserver:~# apt-get install inadyn

I generated the required config file automatically using the DynDNS tool and saved it on the fileserver at /etc/inadyn.conf.

fileserver:~# cat /etc/inadyn.conf
## inadyn configuration file
update_period_sec 600 # Check for a new IP every 600 seconds

# DynDNS username and password here
username xxxxxx
password xxxxxx

dyndns_system dyndns@dyndns.org

## Dynamic DNS hosts
alias flabby.is-a-geek.com

background

I tested the update process by running inadyn from the command line -

fileserver:~# inadyn
INADYN: Started 'INADYN version 1.96' - dynamic DNS updater.
I:INADYN: IP address for alias 'flabby.is-a-geek.com' needs update to '65.93.163.244'
I:INADYN: Alias 'flabby.is-a-geek.com' to IP '65.93.163.244' updated successful.

I added the line -

background

to the end of /etc/inadyn.conf which causes the process to run in the background and the output to be sent to syslog.

I then set up the required scripts to run inadyn correctly at boot time.

cp /etc/init.d/skeleton /etc/init.d/inadyn
chmod 755 /etc/init.d/inadyn

I changed only the line -

NAME=inadyn

and then tested with -

fileserver:~# /etc/init.d/inadyn start
fileserver:~# ps -ef | grep /etc/init.d/inadyn
root 3275 1 0 18:29 ? 00:00:00 /usr/sbin/inadyn
fileserver:~# tail -n 3 /var/log/syslog
Oct 20 18:29:21 fileserver INADYN[3275]: INADYN: Started 'INADYN version 1.96' - dynamic DNS updater.
Oct 20 18:29:22 fileserver INADYN[3275]: I:INADYN: IP address for alias 'flabby.is-a-geek.com' needs update to '65.93.163.244'
Oct 20 18:29:22 fileserver INADYN[3275]: I:INADYN: Alias 'flabby.is-a-geek.com' to IP '65.93.163.244' updated successful.

Then to make it permanent I did -

fileserver:# update-rc.d /etc/init.d/inadyn defaults
Adding system startup for /etc/init.d/inadyn...
/etc/rc0.d/K20inadyn -> ../init.d/inadyn
/etc/rc1.d/K20inadyn -> ../init.d/inadyn
/etc/rc6.d/K20inadyn -> ../init.d/inadyn
/etc/rc2.d/S20inadyn -> ../init.d/inadyn
/etc/rc3.d/S20inadyn -> ../init.d/inadyn
/etc/rc4.d/S20inadyn -> ../init.d/inadyn
/etc/rc5.d/S20inadyn -> ../init.d/inadyn

So it should run correctly on reboot now.