|
|
Line 98: |
Line 98: |
| | | |
| sudo bash openvpn_extra.sh | | sudo bash openvpn_extra.sh |
− |
| |
− | = Generating your own certificates in OpenVPN for Amahi =
| |
− |
| |
− | The default OpenVPN install for Amahi will work with the certificates provided on the wiki, however there are a couple of reasons you may not want to use these. One, you can only have one client connected to the VPN at a time with these certificates and two, security best practices would advise against allowing the same certificate for all devices. Follow the instructions below to reconfigure your OpenVPN instance for use with multiple certificates. All commands are issued from the CLI as the root user unless noted otherwise.
| |
− |
| |
− | Step 1: Copy the necessary easy-rsa files to the openvpn directory in etc
| |
− |
| |
− | <pre>cp –r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa</pre>
| |
− |
| |
− | Step 2: Navigate to the directory you just copied
| |
− |
| |
− | <pre>cd /etc/openvpn/easy-rsa</pre>
| |
− |
| |
− | Step 3: Backup, then modify the variables in the vars file
| |
− |
| |
− | <pre>cp vars vars.backup</pre>
| |
− |
| |
− | This creates a backup of the original file
| |
− |
| |
− | <pre>nano vars</pre>
| |
− |
| |
− | This is the command we will use to modify the variables in the vars file
| |
− |
| |
− | The primary variable we are looking is (ctrl+w to search):
| |
− |
| |
− | <pre>export EASY_RSA = “`pwd`”</pre>
| |
− |
| |
− | You want to change this variable to this:
| |
− |
| |
− | <pre>export EASY_RSA=”/etc/openvpn/easy-rsa”</pre>
| |
− |
| |
− | OPTIONAL
| |
− |
| |
− | You can also change the cipher strength in this file. If you wish to do this, the variable you are looking for is:
| |
− |
| |
− | <pre>export KEY_SIZE=1024</pre>
| |
− |
| |
− | You can bump this number up to 2048 to increase security, however you may notice a decrease in speeds over the VPN if you do so.
| |
− |
| |
− | Step 4: The next step here is to build your new CA on your server. Issue the commands below:
| |
− |
| |
− | First, be sure you are still in the /etc/openvpn/easy-rsa directory. Issuing the pwd command will display the directory you currently working in. If it is anything other than /etc/openvpn/easy-rsa, issue the following command:
| |
− |
| |
− | <pre>cd /etc/openvpn/easy-rsa</pre>
| |
− |
| |
− | Now issue the following commands to build the new CA:
| |
− |
| |
− | <pre>source ./vars</pre>
| |
− |
| |
− | This command loads the vars file you modified in step 3.
| |
− |
| |
− | <pre>./clean-all</pre>
| |
− |
| |
− | This command will remove anything in the /keys directory. There is most likely nothing in the directory at this point (if there is, back it up!).
| |
− |
| |
− | <pre>./build-ca</pre>
| |
− |
| |
− | This command will build the CA. You will be asked various questions, note that you do not need to modify any of these values. You can just hit enter and it will use the default displayed values.
| |
− |
| |
− | Step 5: We now build the keys for the server with the following commands.
| |
− |
| |
− | </pre>./build-key-server [HDA NAME HERE (no brackets)]</pre>
| |
− |
| |
− | You will again be asked many questions. Default values should all be OK. Ensure that the 'common name' lines up with the HDA name you typed previously.
| |
− |
| |
− | When asked for a challenge password, leave it blank
| |
− |
| |
− | When asked to sign the certificate, type y
| |
− |
| |
− | When asked to commit, type y
| |
− |
| |
− | Step 6: Create certificates for each of your clients with the commands below:
| |
− |
| |
− | <pre>./build-key-pass UserName(or client name, or whatever will identify this for you)</pre>
| |
− |
| |
− | Enter a PEM password and confirm. This can be whatever you want.
| |
− |
| |
− | You will be asked many questions again. You can leave these at the default values or modify them if you wish.
| |
− |
| |
− | When asked for a challenge password, leave this field blank.
| |
− |
| |
− | When asked to sign the certificate, type y
| |
− |
| |
− | REPEAT THIS STEP FOR EACH CLIENT
| |
− |
| |
− | After you have created certs/keys for each of your clients, move on to the next step.
| |
− |
| |
− | Step 6: The next step is to change the encryption method of the client keys to be used. We will be using triple des in this tutorial, but you can use other encryption methods if you wish.
| |
− |
| |
− | <pre>Cd keys</pre>
| |
− |
| |
− | This command moves us to the keys directory.
| |
− |
| |
− | <pre>Openssl rsa -in KEYNAMEFROMSTEP6.key -des3 -out KEYNAMEFROMSTEP6.3des.key</pre>
| |
− |
| |
− | This command creates an encrypted key. Keep in mind the original key will not be impacted when doing this. You will be asked for a pass phrase. Use whatever you wish here, but do not leave this blank.
| |
− |
| |
− | REPEAT THIS STEP FOR ALL THE KEYS CREATED IN STEP 6
| |
− |
| |
− | Once you have created your 3des keys, move on to the next step.
| |
− |
| |
− | Step 7: This step will be to build the diffie-hellman key exchange for the server.
| |
− |
| |
− | <pre>Cd /etc/openvpn/easy-rsa/</pre>
| |
− |
| |
− | This moves us back to the easy-rsa directory.
| |
− |
| |
− | <pre>./build-dh</pre>
| |
− |
| |
− | Depending on your system specs this can take some time, but it is typically pretty fast.
| |
− |
| |
− | Step 8: Now we will generate an HMAC key for DoS protection.
| |
− |
| |
− | <pre>Openvpn --genkey --secret keys/ta.key</pre>
| |
− |
| |
− | Please note that copying and pasting this command may cause formatting issues. The lines in the command need to be two hyphens back to back without spaces.
| |
− |
| |
− | OK, now we are getting close to the home stretch.
| |
− |
| |
− | Step 9: In this step we will backup then modify the openvpn.conf file.
| |
− |
| |
− | <pre>Cd /etc/openvpn</pre>
| |
− |
| |
− | Change directory to the openvpn directory
| |
− |
| |
− | <pre>cp openvpn.conf openvpn.conf.backup</pre>
| |
− |
| |
− | This backs up the default config
| |
− |
| |
− | <pre>nano openvpn.conf</pre>
| |
− |
| |
− | You can use this [http://fpaste.org/136131/11574407/ config file] as a template. You will need to change the indicated fields as necessary. You will need to setup IP forwarding if you wish to browse LAN devices and the internet while on the VPN. This information can be found elsewhere in the Amahi wiki.
| |
− |
| |
− | Step 10: In this step we will create a template file for a script to create ovpn files.
| |
− |
| |
− | Use [http://fpaste.org/136132/ this file] as a template. Name the file Default.txt
| |
− |
| |
− | Step 11: In this step we will download a script to create your ovpn files for you.
| |
− |
| |
− | <pre>Cd /etc/openvpn/easy-rsa/keys</pre>
| |
− |
| |
− | First we move to the keys directory
| |
− |
| |
− | Download [https://gist.github.com/laurenorsini/10013430 this script] to the keys directory and call it makeovpn.sh
| |
− |
| |
− | Now we need to make the script executable
| |
− |
| |
− | <pre>chmod +x makeovpn.sh</pre>
| |
− |
| |
− | Step 12: Run the script created in step 12 for each client you created in step 6.
| |
− |
| |
− | <pre>./makeovpn.sh</pre>
| |
− |
| |
− | When the script runs it will ask you for a client name you created in step 6. Enter the name and press enter. You may see some errors, but the file should still be created and be usable.
| |
− |
| |
− | And that is it. You have now got everything you need to connect multiple clients to your VPN.
| |
− |
| |
− | The following link was used as a primary source for the bulk of this tutorial:
| |
− |
| |
− | [http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing Raspberry Pi VPN Tutorial]
| |
| | | |
| = Troubleshooting = | | = Troubleshooting = |
Going forward, you will need to install the Amahi OpenVPN application.
You need to forward one port (1194/UDP) to your HDA's IP to enable your OpenVPN service from outside your network.
You will also need client software.
Once connected from outside your network, your computer becomes virtually a computer in your home network. All your files and services are as easily accessible as when you are at home.
NEW! You can now use your amahi.org control panel to test your VPN remotely!
Overview
There are two requirements for Remote Access to work:
- On the client side, you need to be running a client
- We provide one for Windows, pre-configured for Amahi
- We recommend one for the Mac, which requires some manual configuration
- The client for Linux comes with most distros and uses the same settings as the Mac
- Your router needs to forward UDP port 1194 to the IP address of your HDA. The way to do this is through port forwarding, which varies from router to router. Make sure you forward UDP (not TCP)
OpenVPN Clients
Check the page for OpenVPN clients.
Port Forwarding References
Bridging VPN and eth0
If you'd like your VPN clients to get IP addresses in the same subnet as your HDA, and not in the 10.8.0.0/24 subnet (default), read this page: VPN Bridging.
IP Forwarding (Ubuntu)
Something that is often asked on the forums is how to have access to your remote LAN's resources while connected to your HDA. One way to accomplish this is through bridging VPN and eth0 on your HDA. This process may not be necessary for some users and a script has been developed by user olson of the forum to accomplish this task. Not only with this script allow for a user to browse to their remote LAN's resources, the user will also be able to browse the internet while connected to their VPN. Below is the script and instructions for how to run it. Please keep in mind that this is for Ubuntu based HDA's ONLY.
#!/bin/bash
log_file="/tmp/openvpn_extra.log"
function log()
{
echo -e "$(date +%b\ %d\ %H:%M:%S) $(hostname -s) openvpn_extra: $@" >> $log_file
echo -e "$(date +%b\ %d\ %H:%M:%S) $(hostname -s) openvpn_extra: $@"
}
# Enable it right now
if ! echo 1 > /proc/sys/net/ipv4/ip_forward; then
log "FATAL: could not enable ip_forward for immediate use"
exit 1
fi
if ! iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; then
log "FATAL: could not set iptables for immediate use"
exit 1
fi
#set it up so it does it at startup
if ! sed -i 's/#net.ipv4.ip_forward=.*\+/net.ipv4.ip_forward=1/' /etc/sysctl.conf; then
log "FATAL: could not set ip_forward permanantly"
exit 1
fi
if ! sh -c "iptables-save > /etc/iptables.rules"; then
log "FATAL: could not set iptables permanantly"
exit 1
fi
sudo cat > /etc/network/if-pre-up.d/iptablesload <<EOF
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
EOF
sudo cat > /etc/network/if-post-down.d/iptablessave <<EOF
#!/bin/sh
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.downrules ]; then
iptables-restore < /etc/iptables.downrules
fi
exit 0
EOF
if ! chmod +x /etc/network/if-post-down.d/iptablessave; then
log "FATAL: Could not chmod the iptablessave script"
exit 1
fi
if ! chmod +x /etc/network/if-pre-up.d/iptablesload; then
log "FATAL: Could not chmod the iptablesload script"
exit 1
fi
echo "Done"
exit 0
You can then run the script with the following command from the CLI:
sudo bash openvpn_extra.sh
Troubleshooting
Check out the OpenVPN troubleshooting page for troubleshooting tips.
Implementation
The VPN solution is implemented through the very popular OpenVPN software VPN.