Advanced Networking: OpenVPN: Difference between revisions
No edit summary |
No edit summary |
||
(2 intermediate revisions by the same user not shown) | |||
Line 2: | Line 2: | ||
This is a small tutorial to OpenVPN [http://openvpn.net/] and it's usage in Telem-GW6. A complete example is beyond the scope of this tutorial. However the idea is that after reading it you should be able to deploy it using Telem-GW6 or any other Martem product that has OpenVPN. Complete manuals and tutorials can be found from OpenVPN website. For instance [http://openvpn.net/index.php/manuals/69-openvpn-21.html] is manual for version 2.1. It is assumed that reader understands basic Unix commands as Telem-GW6 is Linux Busybox system. Introduction to Telem-GW6 and other networking related stuff can be found from here [https://phobos.martem.ee/wiki/Advanced_Networking]. | This is a small tutorial to OpenVPN [http://openvpn.net/] and it's usage in Telem-GW6. A complete example is beyond the scope of this tutorial. However the idea is that after reading it you should be able to deploy it using Telem-GW6 or any other Martem product that has OpenVPN. Complete manuals and tutorials can be found from OpenVPN website. For instance [http://openvpn.net/index.php/manuals/69-openvpn-21.html] is manual for version 2.1. It is assumed that reader understands basic Unix commands as Telem-GW6 is Linux Busybox system. Introduction to Telem-GW6 and other networking related stuff can be found from here [https://phobos.martem.ee/wiki/Advanced_Networking]. | ||
As of new firmware and gws.exe it is possible to configure OpenVPN with gws.exe by using setup version 4 instead on setupt version 3. Setup version 4 is used by [[TELEM-GWM]]. | |||
== Changing Default User Accounts == | == Changing Default User Accounts == | ||
Line 9: | Line 11: | ||
== OpenVPN Configuration == | == OpenVPN Configuration == | ||
For this example we will be using this simple OpenVPN configuration for the | For this example we will be using this simple OpenVPN configuration for the Telem-GW6: | ||
<pre> | <pre> | ||
Line 130: | Line 132: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
== Debugging == | |||
View the OpenVPN log file at Telem-GW6. For instance it looks something like this if the server is down: | |||
<pre> | |||
[root@Gateway6 client1]# cat openvpn.log | |||
Sat Jan 1 18:47:34 2000 OpenVPN 2.1.4 arm-linux [SSL] [LZO2] [EPOLL] built on Nov 15 2011 | |||
Sat Jan 1 18:47:34 2000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables | |||
Sat Jan 1 18:47:34 2000 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext | |||
Sat Jan 1 18:47:34 2000 TUN/TAP device tun0 opened | |||
Sat Jan 1 18:47:34 2000 /sbin/ifconfig tun0 192.168.100.2 pointopoint 192.168.100.1 mtu 1500 | |||
Sat Jan 1 18:47:34 2000 Attempting to establish TCP connection with 192.168.0.4:8002 [nonblock] | |||
Sat Jan 1 18:47:35 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
Sat Jan 1 18:47:41 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
Sat Jan 1 18:47:46 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
Sat Jan 1 18:47:51 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
Sat Jan 1 18:47:56 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
Sat Jan 1 18:48:01 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
Sat Jan 1 18:48:06 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
Sat Jan 1 18:48:11 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
</pre> | |||
And if the server is up: | |||
<pre> | |||
[root@Gateway6 client1]# cat openvpn.log | |||
Sat Jan 1 18:47:34 2000 OpenVPN 2.1.4 arm-linux [SSL] [LZO2] [EPOLL] built on Nov 15 2011 | |||
Sat Jan 1 18:47:34 2000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables | |||
Sat Jan 1 18:47:34 2000 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext | |||
Sat Jan 1 18:47:34 2000 TUN/TAP device tun0 opened | |||
Sat Jan 1 18:47:34 2000 /sbin/ifconfig tun0 192.168.100.2 pointopoint 192.168.100.1 mtu 1500 | |||
Sat Jan 1 18:47:34 2000 Attempting to establish TCP connection with 192.168.0.4:8002 [nonblock] | |||
Sat Jan 1 18:47:35 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
Sat Jan 1 18:47:41 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
Sat Jan 1 18:47:46 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
Sat Jan 1 18:47:51 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
Sat Jan 1 18:47:56 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
Sat Jan 1 18:48:01 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
Sat Jan 1 18:48:06 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
Sat Jan 1 18:48:11 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
... | |||
Sat Jan 1 20:02:12 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
Sat Jan 1 20:02:17 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
Sat Jan 1 20:02:22 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
Sat Jan 1 20:02:27 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
Sat Jan 1 20:02:32 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
Sat Jan 1 20:02:37 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused | |||
Sat Jan 1 20:02:43 2000 TCP connection established with 192.168.0.4:8002 | |||
Sat Jan 1 20:02:43 2000 TCPv4_CLIENT link local: [undef] | |||
Sat Jan 1 20:02:43 2000 TCPv4_CLIENT link remote: 192.168.0.4:8002 | |||
</pre> |
Latest revision as of 08:20, 6 June 2013
Introduction
This is a small tutorial to OpenVPN [1] and it's usage in Telem-GW6. A complete example is beyond the scope of this tutorial. However the idea is that after reading it you should be able to deploy it using Telem-GW6 or any other Martem product that has OpenVPN. Complete manuals and tutorials can be found from OpenVPN website. For instance [2] is manual for version 2.1. It is assumed that reader understands basic Unix commands as Telem-GW6 is Linux Busybox system. Introduction to Telem-GW6 and other networking related stuff can be found from here [3].
As of new firmware and gws.exe it is possible to configure OpenVPN with gws.exe by using setup version 4 instead on setupt version 3. Setup version 4 is used by TELEM-GWM.
Changing Default User Accounts
Befaure configuring OpenVPN you should change default user accounts. Small howto can be found from here [4].
OpenVPN Configuration
For this example we will be using this simple OpenVPN configuration for the Telem-GW6:
--proto tcp-client --port 8002 --remote 192.168.0.4 --dev tun0 --ifconfig 192.168.100.2 192.168.100.1 --log /usr/local/bin/openvpn/client1/openvpn.log --verb 3
At OpenVPN server you need to invoke openvpn like this:
openvpn --verb 3 --proto tcp-server --port 8002 --remote 192.168.0.111 --dev tun0 --ifconfig 192.168.100.1 192.168.100.2
192.168.0.111 is the address for the Telem-GW6 and 192.168.0.4 is the address for the OpenVPN server. Note this setup is insecure as it is not using any encryption and that on production systems you need to configure intermittent routers or firewalls.
Enable OpenVPN at Telem-GW6 Startup
In order for the OpenVPN to start at system boot you need startup script that invokes OpenVPN with your configuration. Example startup script looks like this:
#!/bin/sh
start() {
echo -n "OpenVPN:start ... "
/usr/local/bin/openvpn/StartOpenVPNClient.sh /usr/local/bin/openvpn/client1/client.conf &> /dev/null &
echo "done"
}
stop() {
echo -n "OpenVPN:stop ... "
busybox killall StartOpenVPNClient.sh
busybox killall openvpn
echo "done"
}
restart() {
stop
start
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart|reload)
restart
;;
*)
echo $"Usage: $0 {start|stop|restart}"
exit 1
esac
exit $?
Note this startup script needs to be place to /etc/init.d, we use wrapper for OpenVPN called StartOpenVPNClient.sh and that files are stored to /usr/local/bin/openvpn. Wrapper for OpenVPN looks like this:
#!/bin/sh
echo Start OpenVPN Client
while true
do
/usr/sbin/openvpn --config $1
sleep 10
done
It takes one argument which is the location for the configuration file.
OpenVPN Telem-GW6 Installer Uninstaller
In order to install and uninstall all the scripts and config files and to change permissions use and install script. For instance script like this:
#!/bin/sh
echo "OpenVPN and iptables configuration"
echo "Copy S82iptables"
cp S82iptables /etc/init.d/S82iptables
chmod +x /etc/init.d/S82iptables
echo "Copy OpenVPN"
cp S83openvpn /etc/init.d/S83openvpn
chmod +x /etc/init.d/S83openvpn
mkdir /usr/local/bin/openvpn
cp StartOpenVPNClient.sh /usr/local/bin/openvpn/StartOpenVPNClient.sh
chmod +x /usr/local/bin/openvpn/StartOpenVPNClient.sh
echo "Copy OpenVPN client1"
mv client1 /usr/local/bin/openvpn
installs and sets up all the files and permissions. Uninstall script that cleans out system:
#!/bin/sh
echo "Uninstall OpenVPN and iptables"
rm /etc/init.d/S82iptables
rm /etc/init.d/openvpn
rm -r /usr/local/bin/openvpn
rm /etc/init.d/S83openvpn
Debugging
View the OpenVPN log file at Telem-GW6. For instance it looks something like this if the server is down:
[root@Gateway6 client1]# cat openvpn.log Sat Jan 1 18:47:34 2000 OpenVPN 2.1.4 arm-linux [SSL] [LZO2] [EPOLL] built on Nov 15 2011 Sat Jan 1 18:47:34 2000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables Sat Jan 1 18:47:34 2000 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext Sat Jan 1 18:47:34 2000 TUN/TAP device tun0 opened Sat Jan 1 18:47:34 2000 /sbin/ifconfig tun0 192.168.100.2 pointopoint 192.168.100.1 mtu 1500 Sat Jan 1 18:47:34 2000 Attempting to establish TCP connection with 192.168.0.4:8002 [nonblock] Sat Jan 1 18:47:35 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused Sat Jan 1 18:47:41 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused Sat Jan 1 18:47:46 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused Sat Jan 1 18:47:51 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused Sat Jan 1 18:47:56 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused Sat Jan 1 18:48:01 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused Sat Jan 1 18:48:06 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused Sat Jan 1 18:48:11 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused
And if the server is up:
[root@Gateway6 client1]# cat openvpn.log Sat Jan 1 18:47:34 2000 OpenVPN 2.1.4 arm-linux [SSL] [LZO2] [EPOLL] built on Nov 15 2011 Sat Jan 1 18:47:34 2000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables Sat Jan 1 18:47:34 2000 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext Sat Jan 1 18:47:34 2000 TUN/TAP device tun0 opened Sat Jan 1 18:47:34 2000 /sbin/ifconfig tun0 192.168.100.2 pointopoint 192.168.100.1 mtu 1500 Sat Jan 1 18:47:34 2000 Attempting to establish TCP connection with 192.168.0.4:8002 [nonblock] Sat Jan 1 18:47:35 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused Sat Jan 1 18:47:41 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused Sat Jan 1 18:47:46 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused Sat Jan 1 18:47:51 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused Sat Jan 1 18:47:56 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused Sat Jan 1 18:48:01 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused Sat Jan 1 18:48:06 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused Sat Jan 1 18:48:11 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused ... Sat Jan 1 20:02:12 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused Sat Jan 1 20:02:17 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused Sat Jan 1 20:02:22 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused Sat Jan 1 20:02:27 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused Sat Jan 1 20:02:32 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused Sat Jan 1 20:02:37 2000 TCP: connect to 192.168.0.4:8002 failed, will try again in 5 seconds: Connection refused Sat Jan 1 20:02:43 2000 TCP connection established with 192.168.0.4:8002 Sat Jan 1 20:02:43 2000 TCPv4_CLIENT link local: [undef] Sat Jan 1 20:02:43 2000 TCPv4_CLIENT link remote: 192.168.0.4:8002