
Openpli 7.0RC VU+ Uno SE as OpenVPN Server. VPN to LAN subnet routing


8 replies to this topic

#1 mosskit

  • Member
  • 18 posts

0
Neutral

Posted 31 December 2018 - 04:09

Hi Folks,

I am new to Enigma boxes (and Linux). It took me some time to set it up and make it work, mainly due to missing knowledge of Linux and OpenVPN, which I wanted to understand. Some beginners might find this post useful. My idea was to be able to connect from a Windows-based laptop or an iOS device (iPad, iPhone) to my home network using OpenVPN, with my Linux box as a temporary server, in a secure way. Here is what follows:

1. I've installed openvpn 2.3.9 with opkg on my OpenPLI7.0
 

2. I've downloaded openvpn-2.3.10.tar.gz and easy-rsa-2.3.3_master with wget from the OpenVPN site (there was no 2.3.9 release on the site, only 2.3.10 and newer, so I chose this one to be close to the OpenVPN PLi package version)
https://build.openvp...loads/releases/ and unziped it to my box (VU+ Uno SE) tmp directory

 

3. I've created the /etc/openvpn folder on my box and moved server.conf, client.conf and the easy-rsa folder there.

 

4. I've changed the /etc/openvpn access rights to full access

 

5. I've edited the vars file from /etc/openvpn/easy-rsa/2.0/ and put in the required keys:

export KEY_COUNTRY="country"
export KEY_PROVINCE="province"
export KEY_CITY="city"
export KEY_ORG="organization"
export KEY_EMAIL="email@email"
export KEY_CN=yournamehere
export KEY_NAME=yournamehere
export KEY_OU=yournamehere

6. I've initialized PKI:

. ./vars
./clean-all

7. Then built CA certificate, built server certificate and some client certificates:

./build-ca
./build-key-server server
./build-dh                  # Diffie-Hellman parameters: writes keys/dh<KEY_SIZE>.pem, which server.conf must point at
./build-key ipad_client
./build-key notebook_client

8. Then moved all generated files from /etc/openvpn/easy-rsa/2.0/keys folder to /etc/openvpn/keys

 

9. Then I configured /etc/openvpn/server.conf and client.conf accordingly (ca.crt, server.key, server.crt paths for both server and client, set remote to my DynDNS name and the proper port in client.conf, and left other settings default)

server:

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key

dh /etc/openvpn/keys/dh1024.pem

client:

remote your-dyndns-or-IP port

ca ca.crt
cert ipad_client.crt
key ipad_client.key 

10. I merged client.conf and client ca, client.crt, client.key to single *.ovpn file for each one (laptop, iphone and ipad) by using <ca> </ca> tags 

 

ipad example:

umask 077                      # the .ovpn will contain the private key: make it owner-only
cd /etc/openvpn/keys
cp /etc/openvpn/client.conf /etc/openvpn/keys/ipad_client.ovpn
printf '\n<ca>\n%s\n</ca>\n' "$(cat ca.crt)" >> ipad_client.ovpn
printf '\n<cert>\n%s\n</cert>\n' "$(cat ipad_client.crt)" >> ipad_client.ovpn
printf '\n<key>\n%s\n</key>\n' "$(cat ipad_client.key)" >> ipad_client.ovpn

11. Imported *.ovpn file to my ipad with iTunes (I was not able to import *.ovpn file by sending through email) to openvpn app 

12. Forwarded port in my router to local VU+ ip:vpnport

13. Created TUN adapter:

mkdir /dev/net
mknod /dev/net/tun c 10 200 

14. Initiated a persistent tunnel and its device:

openvpn --mktun --dev tunX

15. Started VPN

/etc/init.d/openvpn start 

Questions:

1. Communication between VPN and LAN

 

Tunnel works. I can connect from my tablet from outside the NAT (external GSM network) to my VPN subnet X.X.X.X and thus safely stream from my box without going outside with it, but I cannot reach other devices that are in my local network in the Y.Y.Y.Y subnet. I think it's a matter of routing / masquerading between VPN and LAN. Please be informed that I have added my LAN subnet to server.conf:

push "route Y.Y.Y.Y NETMASK" 

Can someone give me a hint, how to set it up? What am I missing?

 


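Step 10 above, reworked as an added example (not code from the original post): it refuses to build a profile when any PEM input is missing or malformed, strips the file-path directives that the inline sections replace, inlines the tls-auth key too (with the key-direction the inline form needs), and writes the result with mode 0600 because the profile carries the client's private key. The client.conf contents and the PEM stubs are constructed placeholders, not real keys; the profile name and paths are assumptions.

```sh
#!/bin/sh
# make_ovpn.sh: build a single-file OpenVPN client profile from client.conf plus the
# easy-rsa output. Added example, not from the original post; the PEM stubs below are
# constructed placeholders, not real key material.

# pem_ok FILE MARKER: FILE exists, is non-empty and contains "-----BEGIN ...MARKER"
pem_ok() {
    [ -s "$1" ] && grep -q -- "-----BEGIN.*$2" "$1"
}

# inline_section TAG FILE: emit <TAG> ... </TAG> around the file's contents
inline_section() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# make_ovpn OUT CLIENT_CONF CA CERT KEY [TA_KEY]
# Runs in a subshell so the restrictive umask does not leak into the caller.
# Exits 1 without writing OUT if any input fails its check.
make_ovpn() (
    out=$1 conf=$2 ca=$3 cert=$4 key=$5 ta=${6:-}
    [ -s "$conf" ] || { echo "missing client.conf: $conf" >&2; exit 1; }
    pem_ok "$ca" CERTIFICATE    || { echo "bad CA certificate: $ca" >&2; exit 1; }
    pem_ok "$cert" CERTIFICATE  || { echo "bad client certificate: $cert" >&2; exit 1; }
    pem_ok "$key" "PRIVATE KEY" || { echo "bad client key: $key" >&2; exit 1; }
    if [ -n "$ta" ]; then
        pem_ok "$ta" "OpenVPN Static key" || { echo "bad tls-auth key: $ta" >&2; exit 1; }
    fi
    umask 077                   # the profile contains a private key: owner-only
    {
        # drop the file-path directives; the inline blocks below replace them
        grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth|key-direction)[[:space:]]' "$conf"
        printf '\n'
        inline_section ca "$ca"
        inline_section cert "$cert"
        inline_section key "$key"
        if [ -n "$ta" ]; then
            printf 'key-direction 1\n'   # client side of tls-auth; the server uses 0
            inline_section tls-auth "$ta"
        fi
    } > "$out"
    echo "wrote $out"
)

# --- constructed demo inputs (stubs, not real certificates or keys) ---
DEMO=$(mktemp -d)
cat > "$DEMO/client.conf" <<'EOF'
client
dev tun
proto udp
remote your-dyndns-or-IP 1194
ca ca.crt
cert ipad_client.crt
key ipad_client.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
EOF
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB(stub)' '-----END CERTIFICATE-----' > "$DEMO/ca.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB(stub)' '-----END CERTIFICATE-----' > "$DEMO/ipad_client.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE(stub)' '-----END PRIVATE KEY-----' > "$DEMO/ipad_client.key"
printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' '00(stub)' '-----END OpenVPN Static key V1-----' > "$DEMO/ta.key"

make_ovpn "$DEMO/ipad_client.ovpn" "$DEMO/client.conf" "$DEMO/ca.crt" \
          "$DEMO/ipad_client.crt" "$DEMO/ipad_client.key" "$DEMO/ta.key"
```

On the box, point the five arguments at /etc/openvpn/keys and /etc/openvpn/client.conf instead of the stubs; the ta.key is produced once with `openvpn --genkey --secret ta.key` and referenced from server.conf as `tls-auth ta.key 0`.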

Re: Openpli 7.0RC VU+ Uno SE as OpenVPN Server. VPN to LAN subnet routing #2 WanWizard

  • PLi® Core member
  • 68,544 posts

+1,737
Excellent

Posted 31 December 2018 - 14:02

This is one of the many reasons you shouldn't use the box as a security device.

 

The problem is that the devices in your LAN don't know the route back. They have knowledge of the local subnet only, and send everything else to the default gateway, your internet router.

 

So you need a static route on your internet router for the subnet of your VPN, with as next hop the IP address of your box.


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Pro (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.


Re: Openpli 7.0RC VU+ Uno SE as OpenVPN Server. VPN to LAN subnet routing #3 mosskit

  • Member
  • 18 posts

0
Neutral

Posted 31 December 2018 - 15:42

This is one of the many reasons you shouldn't use the box as a security device.

 

The problem is that the devices in your LAN don't know the route back. They have knowledge of the local subnet only, and send everything else to the default gateway, your internet router.

 

So you need a static route on your internet router for the subnet of your VPN, with as next hop the IP address of your box.

Yes I know. The box should not be used as an edge device. Still, it's better to have a VPN to the box instead of simple port forwarding to a public address without the connection being encrypted. I wonder, what are the possible attacks here with basic OpenVPN? What else can be done from a security perspective? I mean which encryption I should use etc. for VPN and box hardening? Also, is my understanding of OpenVPN proper that CA certificates shall be built on an external local machine separated from any network?

 

In terms of static routes, this is what came to my mind. As I still have the default router from my ISP (waiting for a new device) I am not able to configure any static route. What I was thinking of was IP masquerading. I am not a network guy, just speculating if that's possible to set up on the box itself?

Last one. Is there any way to see connected clients' status? I know I can see it in the logs but it's not the fastest way of monitoring.



Re: Openpli 7.0RC VU+ Uno SE as OpenVPN Server. VPN to LAN subnet routing #4 WanWizard

  • PLi® Core member
  • 68,544 posts

+1,737
Excellent

Posted 31 December 2018 - 16:51

Still, its better to have VPN to box instead of simple port forwarding to public address without connection being encrypted.

 

True.

 

I wonder, what are possible attacks here with basic OpenVPN? What else can be done from security perspective? I mean what encryptions I should use etc. for VPN and box hardening? Also, is my understanding of OpenVPN proper that CA certificates shall be built on external local machine separated from any network?  

 

The problem is that the box (in a lot of cases) runs an antique Linux version, without security patches. Also, everything runs as root, so any exploit has immediate access to the entire box. Which is why hackers prefer embedded devices over PCs, they are a lot easier to hack. Sadly, the same is usually true for most Internet routers...

 

In terms of static routes, this is what came to my mind. As I still have the default router from my ISP (waiting for a new device) I am not able to configure any static route. What I was thinking of was IP masquerading. I am not a network guy, just speculating if that's possible to set up on the box itself?

 

That would require a fully functional IPtables on the box, which isn't available either.

 

Normally, you would use the tap device, which is a bridging device, instead of a tun device. With tap, the remote device gets an IP in the local subnet, and no routing is involved.




Re: Openpli 7.0RC VU+ Uno SE as OpenVPN Server. VPN to LAN subnet routing #5 mosskit

  • Member
  • 18 posts

0
Neutral

Posted 3 January 2019 - 13:47

 

In terms of static routes, this is what came to my mind. As I still have the default router from my ISP (waiting for a new device) I am not able to configure any static route. What I was thinking of was IP masquerading. I am not a network guy, just speculating if that's possible to set up on the box itself?

 

That would require a fully functional IPtables on the box, which isn't available either.

 

Normally, you would use the tap device, which is a bridging device, instead of a tun device. With tap, the remote device gets an IP in the local subnet, and no routing is involved.

 

 

Hello back. I have checked that possibility but unfortunately the TAP interface is not supported for iOS devices in OpenVPN due to an API limitation, so the only way around is with static routing. I am going to test it soon on my new Linksys router just for test purposes, as the device itself supports a VPN server.

 



Re: Openpli 7.0RC VU+ Uno SE as OpenVPN Server. VPN to LAN subnet routing #6 anudanan

  • Senior Member
  • 1,185 posts

+16
Neutral

Posted 3 January 2019 - 14:34

 

That would require a fully functional IPtables on the box, which isn't available either.

 

Normally, you would use the tap device, which is a bridging device, instead of a tun device. With tap, the remote device gets an IP in the local subnet, and no routing is involved.

 

 

Another way to integrate a VPN client into the local network is to use proxy ARP. The remote VPN client also gets an IP from the local address space from the VPN device, and the VPN device answers the ARP requests for the IP of the remote VPN client. Then communication also works.

 

Is there a possibility with OpenVPN to give the remote client an IP address from the local network, and is there a way for the OpenVPN device to work with proxy ARP to forward the packets to the VPN client?


Receiver:2 x Uno4k SE (PLI 7.3 rel), 1 x ET9200 (PLI 4.0), NAS: 2 x QNAP 410, TV: LG 65C8llla, LG 47LB570V, LG 42LM615S, Sound: Yamaha RX-v663, Teufel System 5 THX


Re: Openpli 7.0RC VU+ Uno SE as OpenVPN Server. VPN to LAN subnet routing #7 littlesat

  • PLi® Core member
  • 56,258 posts

+691
Excellent

Posted 3 January 2019 - 15:54

You do have easy rsa running on your box?

easy-rsa-2.3.3_master


WaveFrontier 28.2E | 23.5E | 19.2E | 16E | 13E | 10/9E | 7E | 5E | 1W | 4/5W | 15W


Re: Openpli 7.0RC VU+ Uno SE as OpenVPN Server. VPN to LAN subnet routing #8 Pippin

  • Senior Member
  • 103 posts

+2
Neutral

Posted 3 January 2019 - 16:36

Hi,

 

KISS, keep it stupid simple...

 

What I was thinking of was IP masquarading.

 

Good thinking.

iptables -t nat -A POSTROUTING -s $VPN_SUBNET -o $EXT_IF -j MASQUERADE

 

opkg list-installed | grep -i masq    # unquoted *masq* is a shell glob, and as a regex it would not match "masquerade"

If not installed, see if it is available and install it:

opkg list | grep -i masq


My advice would be not to use:
TAP (always stay away from TAP if there is no need for L2 traffic, about 90+% of cases)
compression (comp-lzo no, see VORACLE attack)

https://community.op...pn/wiki/VORACLE

But do use tls-auth:
tls-auth (manual 2.3: https://community.op...penvpn23ManPage )
cipher AES-128-CBC (minimum)
auth SHA1 (minimum, not a problem in context OpenVPN, default SHA256)

I wonder, what are possible attacks here with basic OpenVPN?

 

Configure it securely and you are safe enough.

 

Also, is my understanding of OpenVPN proper that CA certificates shall be built on external local machine separated from any network?

 

Correct.

 

 


Today's scientists have substituted mathematics for experiments, and they wander off through equation after equation, and eventually build a structure which has no relation to reality. Nikola Tesla
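The hardening list in the post above, as an added example (not code from the post or from OpenVPN): a small audit run over two constructed server.conf files, one written the way step 9 and the 2.3 sample config leave it, and one with the recommended settings applied. It checks the directives the post names (tls-auth, cipher, auth, comp-lzo) plus three that the thread's other security remarks imply: dropping root with user/group (the "everything runs as root" point), a DH file named for 1024-bit parameters (step 9 uses dh1024.pem), and a TLS floor via tls-version-min. The directive names are real OpenVPN 2.3 directives; the file contents and the group name nogroup are constructed assumptions.

```sh
#!/bin/sh
# audit_ovpn_conf.sh: flag weak settings in an OpenVPN 2.3 server.conf.
# Added example, not from the thread; the two sample configs are constructed.

# has_opt NAME FILE: true if an uncommented line starts with the directive NAME
has_opt() { awk -v k="$1" '$1 == k { f = 1 } END { exit !f }' "$2"; }

# opt_val NAME FILE: first argument of the first NAME line, empty if absent
opt_val() { awk -v k="$1" '$1 == k { print $2; exit }' "$2"; }

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# audit_conf FILE: one finding per line, nothing when the file passes
audit_conf() {
    f=$1
    # compression leaks plaintext through ciphertext length (VORACLE)
    if has_opt comp-lzo "$f" && [ "$(opt_val comp-lzo "$f")" != no ]; then
        echo "comp-lzo enabled: set 'comp-lzo no' (VORACLE)"
    fi
    if has_opt compress "$f"; then
        echo "compress enabled: remove it (VORACLE)"
    fi
    # without tls-auth the control channel parses packets from any source
    if ! has_opt tls-auth "$f" && ! has_opt tls-crypt "$f"; then
        echo "no tls-auth: add 'tls-auth ta.key 0' (openvpn --genkey --secret ta.key)"
    fi
    case "$(lower "$(opt_val cipher "$f")")" in
        "")                echo "cipher unset: 2.3 defaults to BF-CBC; set 'cipher AES-256-CBC'" ;;
        bf-cbc|des-*|none) echo "cipher $(opt_val cipher "$f") is weak; set 'cipher AES-256-CBC'" ;;
    esac
    case "$(lower "$(opt_val auth "$f")")" in
        ""|sha1|md5|none)  echo "auth '$(opt_val auth "$f")' is the SHA1 default or weaker; set 'auth SHA256'" ;;
    esac
    case "$(opt_val dh "$f")" in
        *1024*)            echo "dh file looks 1024-bit; regenerate with 2048-bit parameters" ;;
    esac
    # root is only needed to open tun and bind the port; drop it afterwards
    if ! has_opt user "$f" || ! has_opt group "$f"; then
        echo "no user/group: add 'user nobody' and 'group nogroup' (group name assumed)"
    fi
    if ! has_opt tls-version-min "$f"; then
        echo "no tls-version-min: add 'tls-version-min 1.2'"
    fi
}

# audit_count FILE: number of findings; always exits 0 so it is safe under set -e
audit_count() { audit_conf "$1" | grep -c . || true; }

# --- constructed sample configs (paths as in the thread, contents made up) ---
AUDIT_DIR=$(mktemp -d)
cat > "$AUDIT_DIR/weak.conf" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
comp-lzo
status /var/log/openvpn-status.log
EOF
cat > "$AUDIT_DIR/hardened.conf" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
comp-lzo no
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
status /var/log/openvpn-status.log
EOF

for c in weak hardened; do
    echo "== $c.conf: $(audit_count "$AUDIT_DIR/$c.conf") finding(s)"
    audit_conf "$AUDIT_DIR/$c.conf"
done
```

The `status` line kept in both samples is unrelated to the audit but answers the monitoring question earlier in the thread: OpenVPN rewrites that file periodically with the connected clients (common name, real address, bytes, connected since), which is quicker to read than the log.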

Re: Openpli 7.0RC VU+ Uno SE as OpenVPN Server. VPN to LAN subnet routing #9 mosskit

  • Member
  • 18 posts

0
Neutral

Posted 6 January 2019 - 21:47

 

 

That would require a fully functional IPtables on the box, which isn't available either.

 

Normally, you would use the tap device, which is a bridging device, instead of a tun device. With tap, the remote device gets an IP in the local subnet, and no routing is involved.

 

 

Another way to integrate a VPN client into the local network is to use proxy ARP. The remote VPN client also gets an IP from the local address space from the VPN device, and the VPN device answers the ARP requests for the IP of the remote VPN client. Then communication also works.

 

Is there a possibility with OpenVPN to give the remote client an IP address from the local network, and is there a way for the OpenVPN device to work with proxy ARP to forward the packets to the VPN client?

 

In the VPN config you need to define a VPN subnet B.B.B.B, so once you connect from remote with a client you get an IP within that subnet. My box has its LAN IP A.A.A.A attached to the physical interface (eth0) and a second virtual interface that comes from the VPN subnet B.B.B.B. I don't think the VPN will work if those two subnets overlap. Proxy ARP sounds like it could do the trick but I'm not sure how to bind those addresses to each other.

 

 

 

You do have easy rsa running on your box?

easy-rsa-2.3.3_master

 

YES

 

 

Hi,

 

KISS, keep it stupid simple...

 

What I was thinking of was IP masquarading.

 

Good thinking.

iptables -t nat -A POSTROUTING -s $VPN_SUBNET -o $EXT_IF -j MASQUERADE
opkg list-installed | grep -i masq    # unquoted *masq* is a shell glob, and as a regex it would not match "masquerade"

If not installed, see if it is available and install it:

opkg list | grep -i masq

My advice would be not to use:
TAP (always stay away from TAP if there is no need for L2 traffic, about 90+% of cases)
compression (comp-lzo no, see VORACLE attack)

https://community.op...pn/wiki/VORACLE

But do use tls-auth:
tls-auth (manual 2.3: https://community.op...penvpn23ManPage )
cipher AES-128-CBC (minimum)
auth SHA1 (minimum, not a problem in context OpenVPN, default SHA256)

I wonder, what are possible attacks here with basic OpenVPN?

 

Configure it securely and you are safe enough.

 

Also, is my understanding of OpenVPN proper that CA certificates shall be built on external local machine separated from any network?

 

Correct.

 

Unfortunately there is no package for IP masquerading, but thanks for the recommendation on security hardening.




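Pulling together the routing answers in this thread (the static route on the router with the box as next hop from post #2, the MASQUERADE rule from post #8, and the non-overlap point in post #9), as an added example that is not code from any of the posts: a planner that refuses overlapping VPN and LAN subnets, checks that the box address sits inside the LAN, and prints the server.conf lines, the ip_forward switch, the router route and the NAT rule for the given addresses. It only prints; applying the NAT rule needs root and a NAT-capable iptables, which the thread says the box does not have. The interface name eth0 comes from post #9; the addresses are constructed.

```sh
#!/bin/sh
# vpn_lan_plan.sh: plan VPN <-> LAN reachability for an OpenVPN server on the box.
# Added example, not from the thread; addresses are constructed, eth0 is assumed.

# ip2int A.B.C.D -> unsigned 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N -> A.B.C.D
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix2mask P -> dotted netmask ("server" and "push route" take masks, not prefixes)
prefix2mask() {
    int2ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# cidr_overlap A/p B/q: exit 0 if the two blocks share any address
cidr_overlap() {
    n1=$(ip2int "${1%/*}"); p1=${1#*/}
    n2=$(ip2int "${2%/*}"); p2=${2#*/}
    p=$(( p1 < p2 ? p1 : p2 ))                      # compare on the shorter prefix
    m=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
    [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

# plan_routing VPN_CIDR LAN_CIDR BOX_IP [LAN_IF]: print the pieces, return 1 on bad input
plan_routing() {
    vpn=$1 lan=$2 box=$3 ifc=${4:-eth0}
    if cidr_overlap "$vpn" "$lan"; then
        echo "error: VPN subnet $vpn overlaps LAN $lan; pick a disjoint VPN subnet" >&2
        return 1
    fi
    if ! cidr_overlap "$box/32" "$lan"; then
        echo "error: box address $box is not inside LAN $lan" >&2
        return 1
    fi
    vnet=${vpn%/*}; vmask=$(prefix2mask "${vpn#*/}")
    lnet=${lan%/*}; lmask=$(prefix2mask "${lan#*/}")
    echo "# server.conf: hand out $vpn and tell clients the LAN is behind the tunnel"
    echo "server $vnet $vmask"
    printf 'push "route %s %s"\n' "$lnet" "$lmask"
    echo "# box: forward between tun and $ifc (off by default on Linux)"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "# option A (no NAT): static route on the internet router, next hop = the box"
    echo "# router: $vpn via $box"
    echo "# option B (NAT): hide VPN clients behind the box's LAN address; needs iptables nat"
    echo "iptables -t nat -A POSTROUTING -s $vpn -o $ifc -j MASQUERADE"
}

plan_routing 10.8.0.0/24 192.168.1.0/24 192.168.1.20
```

Option A is what the thread ends up recommending for an ISP router that cannot hold static routes: it is the one that works without iptables on the box, but it has to be entered on whatever device is the LAN's default gateway. Option B works with nothing but the box, at the cost of LAN hosts seeing every VPN client as the box itself, which is only acceptable if no LAN service needs the real client address.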