Saturday, April 04, 2009

Setting up OpenVPN with dd-wrt for unexpected road trips you don't want to miss

Somehow the words "web worker" and "vacation" don't seem to mix well together.

Web Working on Road Trips

I don't have any solid plans for the holy week but I certainly don't want to miss trips to Tagaytay, Bulacan or the nearby Ocean Park if anybody decides they want to go on a road trip.

Fortunately, finding an internet connection is easier now than ever before. Between Smart Bro, Globe Tattoo, and commercial and free Wi-Fi services, you're pretty much covered, especially if you won't be wandering too far away from Metro Manila.

You've got your trusty laptop and internet access is not a problem, so what's keeping you from going on that road trip?

For me, it's secure access to my files and the virtual machines on my home network.

The internet may be more accessible here in the Philippines but it isn't necessarily more secure. In fact, the data packets, whether from WiFi, 3G or HSDPA, are transmitted over the air. Anyone with enough know-how and the proper hardware and software could possibly capture the data as it is being transmitted.

What's a mobile web worker to do? The solution: setting up a Virtual Private Network (VPN).

Is a VPN Overkill?

I know, it sounds like overkill, but "VPN" should not connote buying expensive Cisco hardware and VPN software. It's now possible to set up a VPN on your home network with relatively inexpensive hardware like the Linksys WRT54G router (which I happen to own) and free software like dd-wrt.

The first thing to do of course is to acquire a router that supports dd-wrt. This used to be easy as the Linksys WRT54G was the only router that was supported. Today, you have a lot more options from the likes of Buffalo, Asus and Netgear.

I won't discuss how to set up dd-wrt on your router as it's out of the scope of this article. You can find instructions on the dd-wrt wiki and search Google to read about how other people have fared in their attempts at installation. Note though that the process is not for the faint of heart. It's gotten easier with each release but there is still a possibility that you will "brick" (the term used to describe a router that has been rendered useless) your router.

dd-wrt has many builds. Make sure to install the VPN build.

What you need for your VPN

In addition to:
  • A supported router; I used a Linksys WRT54G v2.2 router.
  • The dd-wrt VPN build; I installed v24-sp1.
here are the other prerequisites for setting up the VPN:
  • A desktop or laptop computer with Linux; my desktop is running OpenSUSE v11.
  • OpenVPN on the Linux desktop; I installed this using the YaST software manager.
  • A text editor like Kate or vi.
Let me stress that this worked for me using the above hardware and software. If you are using a different router and/or a different version of dd-wrt, you might want to do some more research before attempting this.

You've been warned!!

The computer with OpenVPN is where we generate the certificate files needed to set up the OpenVPN server on dd-wrt. We will not be setting up OpenVPN on this computer.

It is also possible to use Windows with the OpenVPN GUI installed instead of a Linux desktop but I won't discuss how to do it here.

Step by Step Set Up

Let's get to it.

1. On your Linux desktop, open a terminal and become root by using su.
su -
2. Go to /usr/share/openvpn/easy-rsa/2.0
cd /usr/share/openvpn/easy-rsa/2.0
3. Execute the following commands in the order shown:
# sets some environment variables to make the succeeding scripts work
source vars

# cleans up any previously created keys if any
./clean-all

# create the certificate authority (CA) certificate and key
# you will be asked to enter some information
# remember what you entered as you will need to use the same information
# to generate the server key
./build-ca

# create the server key and certificate
./build-key-server server

# create the Diffie-Hellman parameters needed by the server
# (written to keys/dh<KEY_SIZE>.pem, where KEY_SIZE is set in the vars file)
./build-dh
4. The commands above will create a keys folder inside the current folder you are in with the files you need for the next step. Open the files using your chosen text editor.

5. Open a web browser and enter the IP address of your router. If you did not change the default, the IP should be 192.168.1.1. This opens the web administration interface for dd-wrt.

6. Click Services, then under OpenVPN daemon click the "Enable" radio button. This should reveal additional textareas where you need to paste the contents of the files from the keys folder.
Public Server Cert > ca.crt

# note that you only need the portion of ca.crt that starts with
# -----BEGIN CERTIFICATE-----
# and ends with
# -----END CERTIFICATE-----

Certificate Revoke List (CRL) > (blank)
Public Client Cert > server.crt
Private Client Key > server.key
DH PEM > dh1024.pem
OpenVPN Config > (see 7 below)
OpenVPN TLS Auth > (blank)
7. For the OpenVPN Config textarea, you will need to decide what IP address range you want to use for the private routing network that will be used by OpenVPN. In the sample configuration below, I decided to use 192.168.2.0 as the private routing network. The push parameter should have the IP and subnet of your local area network.
push "route 192.168.1.0 255.255.255.0"
server 192.168.2.0 255.255.255.0
dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

8. Once the textareas have been filled in, click "Apply Settings" and, just to be sure, click "Reboot Router" to reboot the router.

Hopefully, the OpenVPN server on your router should be up and running. To verify, use ssh to log into your router and run
ps | grep openvpn
You should see an openvpn process running. If you don't, then you'll need to take the following steps to turn on logging and debug the problem.

Troubleshooting with Logs

To turn on logging, click the Services tab and click the "Enable" radio button under System Log. Leave "Remote Server" blank. Then add verb 5 to your OpenVPN config textarea. Click "Apply Settings". Then log into your router via ssh and execute:
tail -f /var/log/messages
Connecting Clients

Now that you have your server up and running, the next thing we want to do is to set up a client computer to connect to the OpenVPN server. If you're on Windows, you can download the OpenVPN GUI.

For Linux users, you can use the openvpn applet for the NetworkManager which comes installed by default on most Linux distributions.

Before anything else, you need to create the certificates that your client computers (in this case my laptop) will use to connect to the server.

Log in to your Linux desktop and go back to /usr/share/openvpn/easy-rsa/2.0, then execute
./build-key client1
where client1 is the name of the client computer that will connect to the server. You can also leave it as client1 if you like.

The above will generate 3 files in the keys folder, a client1.crt, client1.csr and client1.key. You need to copy client1.crt and client1.key to the client computer that wants to connect to the server. You also need to copy ca.crt from the keys folder to the client computer.

Click on the NetworkManager applet icon on your Linux desktop, then click "VPN Connections" -> "Configure VPN".

Click on the VPN tab, then click "Add", choose "OpenVPN" from the connection type drop down.

In the succeeding form, enter the following information:
Connection name: (enter whatever you like here)
Gateway: (for now enter the IP address of your router)
Type: Certificates (TLS)
User Certificate: point this to the location of client1.crt on the client computer
CA Certificate: point this to the ca.crt file
Private Key: point this to client1.key
You should now be able to use NetworkManager to connect to your router's OpenVPN server.

We have tested so far that the VPN server works, but for this to be actually useful, the OpenVPN server should be able to accept connections from the internet.

Dynamic DNS and the Router Firewall

The quickest way to do this is to sign up for a free dynamic DNS service.

dd-wrt supports several free dynamic DNS services; the dd-wrt wiki has a comprehensive how-to.

Once you have DDNS set up, you need to open port 1194 on the router's firewall in order to accept connections from the internet.

Go back to the dd-wrt web interface, click the Administration tab, then click Commands. Enter the following code and click the "Save Firewall" button.
# Replace 1194 with your OpenVPN port number:
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT

# change 192.168.2.0/24 to the private routing network you chose earlier
iptables -I FORWARD 1 --source 192.168.2.0/24 -j ACCEPT

You may want to click "Reboot Router" to reboot the router and make sure that openvpn is working with the new start up firewall script.
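
The config in step 7 and the firewall commands above have to agree on the tunnel subnet, protocol and port. The following Python script is an added example, not part of the original post: it audits the two texts against each other, using helper names (parse_conf, audit) that are my own and sample inputs copied from this post. Run on the post's values, it reports that TCP 1194 is opened although the server runs with proto udp.

```python
import ipaddress
import re

# Added example: constructed inputs from this post; helper names are illustrative.
SERVER_CONF = """\
push "route 192.168.1.0 255.255.255.0"
server 192.168.2.0 255.255.255.0
dev tun0
proto udp
keepalive 10 120
"""
FIREWALL = """\
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.2.0/24 -j ACCEPT
"""

def parse_conf(text):
    """Return (tunnel_net, pushed_nets, proto, port) from an OpenVPN server config."""
    tunnel, pushed, proto, port = None, [], "udp", 1194  # OpenVPN's defaults
    for line in text.splitlines():
        words = line.replace('"', " ").split()
        if words[:1] == ["server"]:
            tunnel = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif words[:2] == ["push", "route"]:
            pushed.append(ipaddress.ip_network(f"{words[2]}/{words[3]}"))
        elif words[:1] == ["proto"]:
            proto = words[1]
        elif words[:1] == ["port"]:
            port = int(words[1])
    return tunnel, pushed, proto, port

def audit(conf, firewall):
    """List mismatches between the server config (needs a 'server' line) and the rules."""
    tunnel, pushed, proto, port = parse_conf(conf)
    findings = [f"tunnel {tunnel} overlaps pushed route {net}"
                for net in pushed if tunnel.overlaps(net)]
    opened = re.findall(r"INPUT.*-p (\w+) --dport (\d+) -j ACCEPT", firewall)
    if (proto, str(port)) not in opened:
        findings.append(f"{proto}/{port} is not opened on INPUT")
    for p, d in opened:
        if (p, int(d)) != (proto, port):
            findings.append(f"{p}/{d} is open but the server listens on {proto}/{port}")
    sources = re.findall(r"FORWARD.*--source (\S+) -j ACCEPT", firewall)
    if str(tunnel) not in sources:
        findings.append(f"no FORWARD rule for tunnel {tunnel}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SERVER_CONF, FIREWALL)))
```

An empty result means the firewall script opens exactly what the config uses; each finding names the rule or range to correct before saving the firewall script.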

Connecting for real

The next step is to go on a road trip, find free WiFi and connect to the OpenVPN server.


Have a blessed Holy Week and an advance happy Easter to everyone.


References:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35689&postdays=0&postorder=asc&start=0
http://www.dd-wrt.com/wiki/index.php/OpenVPN

4 comments:

  1. Do we need the keepalive setting for the server configuration? My connection drops every 3-4 minutes.
    Does keepalive ping addresses in the tunnel or externally? I ask this because I am doing this from work and they blocked pings in and outbound.

  2. Is there any way to test the openVPN connection (security certs etc) from within the LAN? I tried connecting from within the LAN, and all the certificates were set up correctly, but I got a 'route conflict' message, and lost the link to the router until I rebooted.

  3. I have Smartbro "SHARE IT" as my internet provider. I wonder if anybody knows if Smart supports any IPSec services such as IPSecurity?

    On my Mac I run IPSecuritas and on most networks here in the Philippines it runs well, but not on Smart. Is there anybody who knows if Smart supports this and if so how to set this up? Or if they don't support this at all, but this I find strange since all other networks support this, so why should Smart not do it?

    Torleif

    PS: More info about these VPN tunnels can be found here: http://www.lobotomo.com/products/IPSecuritas/index.html

  4. Great job and very nice content... i read this blog, this blog is very helpful for me...
    I am very thankful to share this post.. I hope you have more information about this post.. So, Please share me.. Thanks..
    Visit my site:- Linksys Router Support
