Security tools with ddwrt and optware – Part II.

Posted on November 10, 2011

0



..!OPEnvPN!..

This is madness! It is the simpliest and cheapest ssl vpn solution I have ever seen and I can use it on my ddwrt router.

I have documented here what and how I did, just in case I need it later, but shortly it is an openvpn setting on ddwrt router with certificate authentication.

1. Create a CA

Secure or not I did it on the router that runs the ddwrt software. This is more complicated as the easy-rsa from openvpn, but at least I learned more about openssl.
I have an external USB stick mounted to the /tmp/mnt folder that holds all the data for the certificates.
The config file is saved in /tmp/openvpn/openvpn.conf, but the /tmp will be erased after restart.

Comment:
What happens if I restart the router? Where are the certificates and the key saved? That needs to be cleared…

Create the directories for the CA and get a configuration file

I have got an ubuntu behind the gateway with openssl. I stealed the openssl.cnf from here.

# cd /tmp/mnt
# mkdir root_ca
# cd root_ca
# mkdir certs
# mkdir crl
# mkdir newcerts
# mkdir private
# touch serial
# echo 0100 > serial
# touch index.txt
# touch crlnumber
# echo 0100 > crlnumber

.

# scp admin@192.168.1.111:/etc/ssl/openssl.cnf .
# vi openssl.cnf
#RANDFILE = $ENV::HOME/.rnd
#dir = ./demoCA # Where everything is kept
dir = .

.

# openssl rand -out ./private/.rand 1024
# openssl genrsa -out ./private/cakey.pem -des3 -rand ./private/.rand 2048
!!!INPUT Required!!!
Enter pass phrase for ./private/cakey.pem:
!!!INPUT Required!!!
# openssl req -x509 -new -key ./private/cakey.pem -out cacert.pem -config openssl.cnf
!!!INPUT Required!!!
Enter pass phrase for ./private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bayern
Locality Name (eg, city) []:Rohrbach
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:Development
Common Name (eg, YOUR name) []:Router
Email Address []:
!!!INPUT Required!!!
#openssl dhparam -out dh1024.pem 1024

2. Create a server certificate.

2.1 create a certificate request and sign it with the CA

# cd ..
# mkdir server_cert
# cd server_cert/
# mkdir private
# openssl rand -out ./private/.server_rand 1024
# openssl genrsa -des3 -out ./private/server.key -rand ./private/.server_rand 2048
!!!INPUT Required!!!
Enter pass phrase for ./private/server.key:
Verifying – Enter pass phrase for ./private/server.key:
!!!INPUT Required!!!
# openssl req -new -key ./private/server.key -out server.csr
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bayern
Locality Name (eg, city) []:Rohrbach
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:Development
Common Name (eg, YOUR name) []:Router1
Email Address []:Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
!!!INPUT Required!!!

Sign it with the CA

# cd ..
# cd root_ca/
# openssl ca -in ../server_cert/server.csr -config openssl.cnf
!!!INPUT Required!!!
Enter pass phrase for ./private/cakey.pem:
y
y
!!!INPUT Required!!!# cp ./newcerts/0100.pem ../server_cert/server.pem
# cd ../server_cert

2.2 Create DH key

# openssl dhparam -out dh1024.pem 1024

3. Client side settings

3.1 Install openvpn within gnome network manager (On linux, on Ubuntu :-))

$ sudo apt-get install network-manager-openvpn-gnome
[sudo] password for kojak:
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following extra packages will be installed:
libpkcs11-helper1 network-manager-openvpn openssl-blacklist openvpn openvpn-blacklist
Suggested packages:
resolvconf
The following NEW packages will be installed:
libpkcs11-helper1 network-manager-openvpn network-manager-openvpn-gnome openssl-blacklist openvpn openvpn-blacklist
0 upgraded, 6 newly installed, 0 to remove and 14 not upgraded.
Need to get 7,998 kB of archives.
After this operation, 17.4 MB of additional disk space will be used.
Do you want to continue [Y/n]? y

3.2 Install openvpn on Windows

A) Get the client software

There are 2 versions of openvpn for windows, one for commercial purposes and one for free.
Use the free one from here:
http://www.openvpn.net/index.php/open-source/downloads.html

B) Get your certificate

The certificate and the key will be created in the following point. This 2 files and the ca certificate should be copied to
C:\Program Files\OpenVPN\config folder.

C) Customize your config file

Copy the sample config file called client.ovpn from
C:\Program Files\OpenVPN\sample-config
to
C:\Program Files\OpenVPN\config

Open the client.ovpn and modify the followings:

– change to router ip “remote 192.168.1.1 1194”
– “cipher AES-128-CBC”
– “;ns-cert-type server” (I have deactivated the nsCertType checking as the certificate I created does not contains it.)
– “link-mtu 1400”

The Windows client works with a client key that is not protected, we have to remove the pass phrase.

# openssl rsa -in /tmp/mnt/client_cert/private/client.key -out /tmp/mnt/client_cert/client_noph.key
Enter pass phrase for /tmp/mnt/client_cert/private/client.key:
writing RSA key

3.3 Create a certificate for the client

I have created it on the router as the CA is there…

# mkdir client_cert
# cd client_cert
# mkdir private
# openssl rand -out ./private/.client_rand 1024
# openssl genrsa -des3 -out ./private/client.key -rand ./private/.client_rand 2048
!!!INPUT Required!!!
Enter pass phrase for ./private/client.key:
Verifying – Enter pass phrase for ./private/client.key:
!!!INPUT Required!!!
# openssl req -new -key ./private/client.key -out client.csr
!!!INPUT Required!!!
Enter pass phrase for ./private/client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bayern
Locality Name (eg, city) []:Rohrbach
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:Development
Common Name (eg, YOUR name) []:Kojak
Email Address []:kojak@mycompany.de
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
!!!INPUT Required!!!
# cd ..
# cd root_ca/
# openssl ca -in ../client_cert/client.csr -config openssl.cnf
!!!INPUT Required!!!

!!!INPUT Required!!!
# cp ./newcerts/0101.pem ../client_cert/

4. Setup openvpn

I did it through the gui of ddwrt. See the print screens for more informations about the server configurations

Additionally I did some fine tunning as the config of the client and the server should match.

GUI: Advanced settings:
– advanced options enable
– enable comp-lzo
– tun mtu setting 1400

5. Troubleshooting – Configuration issues

Error message 1.

Thu Nov 10 07:41:31 2011 us=971609 Cannot load certificate file /tmp/openvpn/cert.pem: error:140AD009:lib(20):func(173):reason(9)
Thu Nov 10 07:41:31 2011 us=971813 Exiting

The problem is that your certificate is wrong, you may have an Enter or Space somewhere included… Copy and paste it again.

Error message 2.

Thu Nov 10 09:12:25 2011 us=808122 Cannot load private key file /tmp/openvpn/key.pem: error:0D07207B:lib(13):func(114):reason(123): error:0D068066:lib(13):f
unc(104):reason(102): error:0D07803A:lib(13):func(120):reason(58): error:0D09A00D:lib(13):func(154):reason(13): error:0907B00D:lib(9):func(123):reason(13):
error:140B0009:lib(20):func(176):reason(9)
Thu Nov 10 09:12:25 2011 us=808675 Error: private key password verification failed
Thu Nov 10 09:12:25 2011 us=808872 Exiting

The problem is that your server.key is password protected. Issue the following command to check it first and the second one if you have to remove the password protection:

# openssl rsa -text -noout -in /tmp/mnt/server_cert/private/server.key
Enter pass phrase for /tmp/mnt/server_cert/private/server.key: --> If this message comes, then it is protected with a pass phrase!
#
# openssl rsa -in /tmp/mnt/server_cert/private/server.key -out /tmp/mnt/server_cert/server_noph.key

and paste the content of server_noph.key to the gui (Private Server Key)

Good message 1.

The logs if everything works fine and the server starts:

Thu Nov 10 09:28:04 2011 us=672410 OpenVPN 2.2.1 mipsel-linux [SSL] [LZO2] built on Sep 17 2011
Thu Nov 10 09:28:04 2011 us=673165 MANAGEMENT: TCP Socket listening on 127.0.0.1:5002
Thu Nov 10 09:28:04 2011 us=674555 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Nov 10 09:28:05 2011 us=386645 Diffie-Hellman initialized with 1024 bit key
Thu Nov 10 09:28:05 2011 us=388805 WARNING: file '/tmp/openvpn/key.pem' is group or others accessible
Thu Nov 10 09:28:05 2011 us=392945 TLS-Auth MTU parms [ L:1557 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Nov 10 09:28:05 2011 us=393278 Socket Buffers: R=[114688->131072] S=[114688->131072]
Thu Nov 10 09:28:05 2011 us=396179 TUN/TAP device tun0 opened
Thu Nov 10 09:28:05 2011 us=396476 TUN/TAP TX queue length set to 100
Thu Nov 10 09:28:05 2011 us=396996 /sbin/ifconfig tun0 10.10.10.1 netmask 255.255.255.0 mtu 1500 broadcast 10.10.10.255
Thu Nov 10 09:28:05 2011 us=426754 /tmp/openvpn/route-up.sh tun0 1500 1557 10.10.10.1 255.255.255.0 init
br0: File exists
Thu Nov 10 09:28:05 2011 us=500869 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
Thu Nov 10 09:28:05 2011 us=502478 UDPv4 link local (bound): [undef]:1194
Thu Nov 10 09:28:05 2011 us=502958 UDPv4 link remote: [undef]
Thu Nov 10 09:28:05 2011 us=503290 MULTI: multi_init called, r=256 v=256
Thu Nov 10 09:28:05 2011 us=504115 IFCONFIG POOL: base=10.10.10.2 size=252
Thu Nov 10 09:28:05 2011 us=504582 IFCONFIG POOL LIST
Thu Nov 10 09:28:05 2011 us=505096 Initialization Sequence Completed

If you see the process with ps then you are ready to accept vpn connections:

31840 root      2160 S    /tmp/openvpnserver --config /tmp/openvpn/openvpn.conf --up /tmp/openvpn/route-up.sh --down /tmp/openvpn/route-down.sh --daemon

Still does not work, need more info, look at here:
http://www.dd-wrt.com/wiki/index.php/OpenVPN#Troubleshooting

Good message 2.

Logs for successful login
You can inject a text like “there is a connect” in the log file to know where you have started your login.

# echo "there is a connect" >> /tmp/var/log/openvpn
# less /tmp/var/log/openvpn
...
there is a connect
Thu Nov 10 11:39:06 2011 us=150073 MULTI: multi_create_instance called
Thu Nov 10 11:39:06 2011 us=150588 192.168.1.106:1110 Re-using SSL/TLS context
Thu Nov 10 11:39:06 2011 us=150916 192.168.1.106:1110 LZO compression initialized
Thu Nov 10 11:39:06 2011 us=151138 192.168.1.106:1110 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently
 it is 1400)
Thu Nov 10 11:39:06 2011 us=152531 192.168.1.106:1110 Control Channel MTU parms [ L:1458 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Nov 10 11:39:06 2011 us=152842 192.168.1.106:1110 Data Channel MTU parms [ L:1458 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Nov 10 11:39:06 2011 us=153605 192.168.1.106:1110 Local Options String: 'V4,dev-type tun,link-mtu 1458,tun-mtu 1400,proto UDPv4,comp-lzo,cipher AES-128-
CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Nov 10 11:39:06 2011 us=153855 192.168.1.106:1110 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1458,tun-mtu 1400,proto UDPv4,comp-lzo,ciphe
r AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Nov 10 11:39:06 2011 us=154263 192.168.1.106:1110 Local Options hash (VER=V4): 'f1922133'
Thu Nov 10 11:39:06 2011 us=154633 192.168.1.106:1110 Expected Remote Options hash (VER=V4): '48b03f84'
Thu Nov 10 11:39:06 2011 us=155205 192.168.1.106:1110 TLS: Initial packet from 192.168.1.106:1110, sid=705a9639 81cc77d5
Thu Nov 10 11:39:06 2011 us=623257 192.168.1.106:1110 VERIFY OK: depth=1, /C=DE/ST=Bayern/L=Rohrbach/O=MyCompany/OU=Development/CN=Router
Thu Nov 10 11:39:06 2011 us=630527 192.168.1.106:1110 VERIFY OK: depth=0, /C=DE/ST=Bayern/O=MyCompany/OU=Development/CN=Kojak/emailAddress=kojak@mycompany.d
e
Thu Nov 10 11:39:06 2011 us=771421 192.168.1.106:1110 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1458', remote='link-mtu 1400'
Thu Nov 10 11:39:06 2011 us=771744 192.168.1.106:1110 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1400', remote='tun-mtu 1342'
Thu Nov 10 11:39:06 2011 us=774720 192.168.1.106:1110 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Nov 10 11:39:06 2011 us=775010 192.168.1.106:1110 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Nov 10 11:39:06 2011 us=775257 192.168.1.106:1110 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Nov 10 11:39:06 2011 us=775515 192.168.1.106:1110 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Nov 10 11:39:06 2011 us=802829 192.168.1.106:1110 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Nov 10 11:39:06 2011 us=803210 192.168.1.106:1110 [Kojak] Peer Connection Initiated with 192.168.1.106:1110
Thu Nov 10 11:39:06 2011 us=804314 Kojak/192.168.1.106:1110 MULTI: Learn: 10.10.10.2 -> Kojak/192.168.1.106:1110
Thu Nov 10 11:39:06 2011 us=804575 Kojak/192.168.1.106:1110 MULTI: primary virtual IP for Kojak/192.168.1.106:1110: 10.10.10.2
Thu Nov 10 11:39:09 2011 us=326946 Kojak/192.168.1.106:1110 PUSH: Received control message: 'PUSH_REQUEST'
Thu Nov 10 11:39:09 2011 us=327601 Kojak/192.168.1.106:1110 SENT CONTROL [Kojak]: 'PUSH_REPLY,redirect-gateway def1,route-gateway 10.10.10.1,topology subnet
,ping 10,ping-restart 120,ifconfig 10.10.10.2 255.255.255.0' (status=1)

On the client if you successfully connected you got a new virtual interface -as with all of vpn client-
(This is my first hungarian output, sorry)

Ethernet-adapter Helyi kapcsolat 6:

        Kapcsolatspecifikus DNS-utotag. . . . :
        Lers. . . . . . . . . . . . . . . . : TAP-Win32 Adapter V9
        Fizikai cim . . . . . . . . . . . . . : 00-FF-21-D5-87-C3
        DHCP engedelyezve . . . . . . . . . . : Igen
        Automatikus konfiguracio engedelyezve : Igen
        IP-cim. . . . . . . . . . . . . . . . : 10.10.10.2
        Alhalozati maszk. . . . . . . . . . . : 255.255.255.0
        Alaprtelmezett atjaro. . . . . . . . : 10.10.10.1
        DHCP kiszolgalo . . . . . . . . . . . : 10.10.10.254
        Berleti jog kezdete . . . . . . . . . : 2011. november 10. 9:37:00
        Berleti jog vege. . . . . . . . . . . : 2012. november 9. 9:37:00
Advertisements
Tagged: ,
Posted in: ddwrt, Linux, Security