..!OPEnvPN!..
This is madness! It is the simplest and cheapest SSL VPN solution I have ever seen, and I can use it on my DD-WRT router.
I have documented here what I did and how, just in case I need it later. In short, it is an OpenVPN setup on a DD-WRT router with certificate authentication.
1. Create a CA
Secure or not, I did it on the router that runs the DD-WRT software. This is more complicated than easy-rsa from OpenVPN, but at least I learned more about openssl.
I have an external USB stick mounted to the /tmp/mnt folder that holds all the data for the certificates.
The config file is saved in /tmp/openvpn/openvpn.conf, but /tmp is erased after a restart.
Comment:
What happens if I restart the router? Where are the certificates and the key saved? That still needs to be clarified...
Create the directories for the CA and get a configuration file
I have an Ubuntu machine behind the gateway with openssl installed; I took the openssl.cnf from there.
# cd /tmp/mnt
# mkdir root_ca
# cd root_ca
# mkdir certs
# mkdir crl
# mkdir newcerts
# mkdir private
# touch serial
# echo 0100 > serial
# touch index.txt
# touch crlnumber
# echo 0100 > crlnumber

# scp admin@192.168.1.111:/etc/ssl/openssl.cnf .
# vi openssl.cnf

The changed lines in openssl.cnf (RANDFILE commented out, dir pointed at the current directory):

#RANDFILE = $ENV::HOME/.rnd
#dir = ./demoCA # Where everything is kept
dir = .

# openssl rand -out ./private/.rand 1024
# openssl genrsa -out ./private/cakey.pem -des3 -rand ./private/.rand 2048
!!!INPUT Required!!!
Enter pass phrase for ./private/cakey.pem:
!!!INPUT Required!!!
# openssl req -x509 -new -key ./private/cakey.pem -out cacert.pem -config openssl.cnf
!!!INPUT Required!!!
Enter pass phrase for ./private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bayern
Locality Name (eg, city) []:Rohrbach
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:Development
Common Name (eg, YOUR name) []:Router
Email Address []:
!!!INPUT Required!!!
# openssl dhparam -out dh1024.pem 1024
2. Create a server certificate.
2.1 create a certificate request and sign it with the CA
# cd ..
# mkdir server_cert
# cd server_cert/
# mkdir private
# openssl rand -out ./private/.server_rand 1024
# openssl genrsa -des3 -out ./private/server.key -rand ./private/.server_rand 2048
!!!INPUT Required!!!
Enter pass phrase for ./private/server.key:
Verifying - Enter pass phrase for ./private/server.key:
!!!INPUT Required!!!
# openssl req -new -key ./private/server.key -out server.csr
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bayern
Locality Name (eg, city) []:Rohrbach
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:Development
Common Name (eg, YOUR name) []:Router1
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
!!!INPUT Required!!!
Sign it with the CA
# cd ..
# cd root_ca/
# openssl ca -in ../server_cert/server.csr -config openssl.cnf
!!!INPUT Required!!!
Enter pass phrase for ./private/cakey.pem:
y
y
!!!INPUT Required!!!
# cp ./newcerts/0100.pem ../server_cert/server.pem
# cd ../server_cert
2.2 Create DH key
# openssl dhparam -out dh1024.pem 1024
3. Client side settings
3.1 Install OpenVPN in the GNOME Network Manager (on Linux, on Ubuntu :-))
$ sudo apt-get install network-manager-openvpn-gnome
[sudo] password for kojak:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libpkcs11-helper1 network-manager-openvpn openssl-blacklist openvpn openvpn-blacklist
Suggested packages:
  resolvconf
The following NEW packages will be installed:
  libpkcs11-helper1 network-manager-openvpn network-manager-openvpn-gnome openssl-blacklist openvpn openvpn-blacklist
0 upgraded, 6 newly installed, 0 to remove and 14 not upgraded.
Need to get 7,998 kB of archives.
After this operation, 17.4 MB of additional disk space will be used.
Do you want to continue [Y/n]? y
3.2 Install openvpn on Windows
A) Get the client software
There are two versions of OpenVPN for Windows, a commercial one and a free one.
Use the free one from here:
http://www.openvpn.net/index.php/open-source/downloads.html
B) Get your certificate
The certificate and the key will be created in the next point (3.3). These two files and the CA certificate should be copied to the
C:\Program Files\OpenVPN\config folder.
C) Customize your config file
Copy the sample config file called client.ovpn from
C:\Program Files\OpenVPN\sample-config
to
C:\Program Files\OpenVPN\config
Open the client.ovpn and modify the following:
– change to the router IP: "remote 192.168.1.1 1194"
– "cipher AES-128-CBC"
– ";ns-cert-type server" (I have deactivated the nsCertType check, as the certificate I created does not contain it.)
– "link-mtu 1400"
The Windows client needs a client key that is not pass-phrase protected, so we have to remove the pass phrase:
# openssl rsa -in /tmp/mnt/client_cert/private/client.key -out /tmp/mnt/client_cert/client_noph.key
Enter pass phrase for /tmp/mnt/client_cert/private/client.key:
writing RSA key
3.3 Create a certificate for the client
I created it on the router, as the CA is there...
# mkdir client_cert
# cd client_cert
# mkdir private
# openssl rand -out ./private/.client_rand 1024
# openssl genrsa -des3 -out ./private/client.key -rand ./private/.client_rand 2048
!!!INPUT Required!!!
Enter pass phrase for ./private/client.key:
Verifying - Enter pass phrase for ./private/client.key:
!!!INPUT Required!!!
# openssl req -new -key ./private/client.key -out client.csr
!!!INPUT Required!!!
Enter pass phrase for ./private/client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bayern
Locality Name (eg, city) []:Rohrbach
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:Development
Common Name (eg, YOUR name) []:Kojak
Email Address []:kojak@mycompany.de

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
!!!INPUT Required!!!
# cd ..
# cd root_ca/
# openssl ca -in ../client_cert/client.csr -config openssl.cnf
!!!INPUT Required!!!
...
!!!INPUT Required!!!
# cp ./newcerts/0101.pem ../client_cert/
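The CA, server certificate and client certificate steps above (sections 1, 2.1 and 3.3) as one non-interactive script. This is an added example, not code from the post: it keeps the post's layout (root_ca/, serial 0100, signing with openssl ca) but writes its own minimal openssl.cnf instead of the copied Ubuntu file, uses -subj and -batch instead of the prompts, and generates the keys without a pass phrase, since the post strips it afterwards anyway. It also gives the server certificate the serverAuth and nsCertType=server extensions, so the client-side ";ns-cert-type server" line from 3.2 (or remote-cert-tls server on newer clients) can stay enabled; without that check any certificate signed by this CA, a client certificate included, would be accepted as the server. The DN values, file names, script name and extension section names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive version of the CA,
# server and client certificate steps. Paths, DN values and section names are assumed.
set -eu

# Minimal openssl.cnf (assumed): the CA database layout the post creates by hand,
# plus the extension sets. server_ext is what lets the client keep its server check on.
write_cnf() {
    cat > "$1" <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = .
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate   = $dir/cacert.pem
private_key   = $dir/private/cakey.pem
serial        = $dir/serial
default_days  = 365
default_md    = sha256
policy        = policy_anything

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType       = server

[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
nsCertType       = client
EOF
}

# Build root_ca/ (CA, server and client material) below the directory given as $1.
build_pki() {
    ca="$1/root_ca"
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    echo 0100 > "$ca/serial"        # first issued cert becomes newcerts/0100.pem, as in the post
    : > "$ca/index.txt"
    echo 0100 > "$ca/crlnumber"
    write_cnf "$ca/openssl.cnf"
    (
        cd "$ca"
        dn="/C=DE/ST=Bayern/L=Rohrbach/O=MyCompany/OU=Development"
        # Step 1: CA key and self-signed CA certificate
        openssl genrsa -out private/cakey.pem 2048 2>/dev/null
        openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 3650 \
            -config openssl.cnf -extensions v3_ca -subj "$dn/CN=Router"
        # Step 2.1: server key, request, CA signature with the server extensions
        openssl genrsa -out server.key 2048 2>/dev/null
        openssl req -new -key server.key -out server.csr -config openssl.cnf -subj "$dn/CN=Router1"
        openssl ca -batch -config openssl.cnf -extensions server_ext -notext \
            -in server.csr -out server.pem
        # Step 3.3: client key, request, CA signature with the client extensions
        openssl genrsa -out client.key 2048 2>/dev/null
        openssl req -new -key client.key -out client.csr -config openssl.cnf -subj "$dn/CN=Kojak"
        openssl ca -batch -config openssl.cnf -extensions client_ext -notext \
            -in client.csr -out client.pem
    )
}

# Check the result: both certificates chain to the CA, and the server certificate
# carries the serverAuth / SSL Server markers that the client-side server check verifies.
verify_pki() {
    ca="$1/root_ca"
    openssl verify -CAfile "$ca/cacert.pem" "$ca/server.pem" "$ca/client.pem" >/dev/null &&
    openssl x509 -in "$ca/server.pem" -noout -text | grep -q 'TLS Web Server Authentication' &&
    openssl x509 -in "$ca/server.pem" -noout -text | grep -q 'SSL Server'
}

# Stand-alone use: sh make_pki.sh /tmp/mnt   (script name assumed)
if [ -n "${1-}" ]; then
    build_pki "$1" && verify_pki "$1" && echo "PKI in $1/root_ca verified"
fi
```

The DH parameters from 2.2 are left out on purpose; openssl dhparam takes far longer than everything else here, so run it separately as the post does. Everything the script writes ends up under root_ca/, so server.pem, server.key, client.pem and client.key are the files to paste into the GUI and to copy to the Windows client.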
4. Setup openvpn
I did it through the DD-WRT GUI. See the screenshots for more information about the server configuration.
Additionally I did some fine-tuning, as the config of the client and the server should match.
GUI: Advanced settings:
– enable advanced options
– enable comp-lzo
– tun mtu setting 1400
5. Troubleshooting – Configuration issues
Error message 1.
Thu Nov 10 07:41:31 2011 us=971609 Cannot load certificate file /tmp/openvpn/cert.pem: error:140AD009:lib(20):func(173):reason(9)
Thu Nov 10 07:41:31 2011 us=971813 Exiting
The problem is that your certificate is malformed; you may have an extra line break or space somewhere in it. Copy and paste it again.
Error message 2.
Thu Nov 10 09:12:25 2011 us=808122 Cannot load private key file /tmp/openvpn/key.pem: error:0D07207B:lib(13):func(114):reason(123): error:0D068066:lib(13):func(104):reason(102): error:0D07803A:lib(13):func(120):reason(58): error:0D09A00D:lib(13):func(154):reason(13): error:0907B00D:lib(9):func(123):reason(13): error:140B0009:lib(20):func(176):reason(9)
Thu Nov 10 09:12:25 2011 us=808675 Error: private key password verification failed
Thu Nov 10 09:12:25 2011 us=808872 Exiting
The problem is that your server.key is pass-phrase protected. Run the first command to check, and the second one if you have to remove the pass phrase:
# openssl rsa -text -noout -in /tmp/mnt/server_cert/private/server.key
Enter pass phrase for /tmp/mnt/server_cert/private/server.key:   --> If this prompt appears, the key is protected with a pass phrase!
#
# openssl rsa -in /tmp/mnt/server_cert/private/server.key -out /tmp/mnt/server_cert/server_noph.key
and paste the content of server_noph.key into the GUI (Private Server Key).
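A preflight script for the files that go into the GUI, added here as an example and not taken from the post: one check for each of the two error messages above, a check that the certificate and key belong together, and a check of the key file's permissions, which the server log further down warns about ("is group or others accessible"). The paths and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run on certificate and key before
# pasting them into the DD-WRT OpenVPN GUI. Run as (paths assumed):
#   sh preflight.sh /tmp/mnt/server_cert/server.pem /tmp/mnt/server_cert/server_noph.key
set -u

# Error message 1 (cannot load certificate file): the PEM does not parse, usually because
# a copy and paste added or removed line breaks. Succeeds when openssl can read it.
check_cert_pem() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Error message 2 (private key password verification failed): the key is still encrypted.
# A deliberately wrong pass phrase is supplied so the check never prompts: it is ignored
# for an unencrypted key and rejected for an encrypted one.
check_key_unencrypted() {
    openssl rsa -in "$1" -noout -passin pass:wrong-on-purpose >/dev/null 2>&1
}

# Certificate and key pasted into the GUI must belong together: compare the public key
# embedded in the certificate with the one derived from the private key.
check_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl rsa -in "$2" -pubout -passin pass:wrong-on-purpose 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# The server log reports "file '/tmp/openvpn/key.pem' is group or others accessible";
# succeed only when the group and other permission bits are zero (e.g. mode 600 or 400).
check_key_mode() {
    mode=$(stat -c %a "$1" 2>/dev/null) || mode=$(stat -f %Lp "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run every check, print PASS/FAIL per check, and return the number of failures
# (0 means the files are ready to paste).
run_preflight() {
    failed=0
    report() {
        if "$@"; then echo "PASS $1"; else echo "FAIL $1"; failed=$((failed + 1)); fi
    }
    report check_cert_pem "$1"
    report check_key_unencrypted "$2"
    report check_key_matches_cert "$1" "$2"
    report check_key_mode "$2"
    return "$failed"
}

# Stand-alone use: first argument is the certificate, second the key
if [ $# -eq 2 ]; then
    run_preflight "$1" "$2"
fi
```

The key is never decrypted or written anywhere by these checks; a FAIL on check_key_unencrypted is the cue to run the openssl rsa command above, and a FAIL on check_key_mode is fixed with chmod 600 on the key file.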
Good message 1.
The logs if everything works fine and the server starts:
Thu Nov 10 09:28:04 2011 us=672410 OpenVPN 2.2.1 mipsel-linux [SSL] [LZO2] built on Sep 17 2011
Thu Nov 10 09:28:04 2011 us=673165 MANAGEMENT: TCP Socket listening on 127.0.0.1:5002
Thu Nov 10 09:28:04 2011 us=674555 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Nov 10 09:28:05 2011 us=386645 Diffie-Hellman initialized with 1024 bit key
Thu Nov 10 09:28:05 2011 us=388805 WARNING: file '/tmp/openvpn/key.pem' is group or others accessible
Thu Nov 10 09:28:05 2011 us=392945 TLS-Auth MTU parms [ L:1557 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Nov 10 09:28:05 2011 us=393278 Socket Buffers: R=[114688->131072] S=[114688->131072]
Thu Nov 10 09:28:05 2011 us=396179 TUN/TAP device tun0 opened
Thu Nov 10 09:28:05 2011 us=396476 TUN/TAP TX queue length set to 100
Thu Nov 10 09:28:05 2011 us=396996 /sbin/ifconfig tun0 10.10.10.1 netmask 255.255.255.0 mtu 1500 broadcast 10.10.10.255
Thu Nov 10 09:28:05 2011 us=426754 /tmp/openvpn/route-up.sh tun0 1500 1557 10.10.10.1 255.255.255.0 init
br0: File exists
Thu Nov 10 09:28:05 2011 us=500869 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
Thu Nov 10 09:28:05 2011 us=502478 UDPv4 link local (bound): [undef]:1194
Thu Nov 10 09:28:05 2011 us=502958 UDPv4 link remote: [undef]
Thu Nov 10 09:28:05 2011 us=503290 MULTI: multi_init called, r=256 v=256
Thu Nov 10 09:28:05 2011 us=504115 IFCONFIG POOL: base=10.10.10.2 size=252
Thu Nov 10 09:28:05 2011 us=504582 IFCONFIG POOL LIST
Thu Nov 10 09:28:05 2011 us=505096 Initialization Sequence Completed
If you see the process in ps, then the router is ready to accept VPN connections:
31840 root      2160 S    /tmp/openvpnserver --config /tmp/openvpn/openvpn.conf --up /tmp/openvpn/route-up.sh --down /tmp/openvpn/route-down.sh --daemon
If it still does not work and you need more information, look here:
http://www.dd-wrt.com/wiki/index.php/OpenVPN#Troubleshooting
Good message 2.
Logs for a successful login
You can append a marker like "there is a connect" to the log file so you know where your login attempt starts.
# echo "there is a connect" >> /tmp/var/log/openvpn
# less /tmp/var/log/openvpn
...
there is a connect
Thu Nov 10 11:39:06 2011 us=150073 MULTI: multi_create_instance called
Thu Nov 10 11:39:06 2011 us=150588 192.168.1.106:1110 Re-using SSL/TLS context
Thu Nov 10 11:39:06 2011 us=150916 192.168.1.106:1110 LZO compression initialized
Thu Nov 10 11:39:06 2011 us=151138 192.168.1.106:1110 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Thu Nov 10 11:39:06 2011 us=152531 192.168.1.106:1110 Control Channel MTU parms [ L:1458 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Nov 10 11:39:06 2011 us=152842 192.168.1.106:1110 Data Channel MTU parms [ L:1458 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Nov 10 11:39:06 2011 us=153605 192.168.1.106:1110 Local Options String: 'V4,dev-type tun,link-mtu 1458,tun-mtu 1400,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Nov 10 11:39:06 2011 us=153855 192.168.1.106:1110 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1458,tun-mtu 1400,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Nov 10 11:39:06 2011 us=154263 192.168.1.106:1110 Local Options hash (VER=V4): 'f1922133'
Thu Nov 10 11:39:06 2011 us=154633 192.168.1.106:1110 Expected Remote Options hash (VER=V4): '48b03f84'
Thu Nov 10 11:39:06 2011 us=155205 192.168.1.106:1110 TLS: Initial packet from 192.168.1.106:1110, sid=705a9639 81cc77d5
Thu Nov 10 11:39:06 2011 us=623257 192.168.1.106:1110 VERIFY OK: depth=1, /C=DE/ST=Bayern/L=Rohrbach/O=MyCompany/OU=Development/CN=Router
Thu Nov 10 11:39:06 2011 us=630527 192.168.1.106:1110 VERIFY OK: depth=0, /C=DE/ST=Bayern/O=MyCompany/OU=Development/CN=Kojak/emailAddress=kojak@mycompany.de
Thu Nov 10 11:39:06 2011 us=771421 192.168.1.106:1110 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1458', remote='link-mtu 1400'
Thu Nov 10 11:39:06 2011 us=771744 192.168.1.106:1110 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1400', remote='tun-mtu 1342'
Thu Nov 10 11:39:06 2011 us=774720 192.168.1.106:1110 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Nov 10 11:39:06 2011 us=775010 192.168.1.106:1110 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Nov 10 11:39:06 2011 us=775257 192.168.1.106:1110 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Nov 10 11:39:06 2011 us=775515 192.168.1.106:1110 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Nov 10 11:39:06 2011 us=802829 192.168.1.106:1110 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Nov 10 11:39:06 2011 us=803210 192.168.1.106:1110 [Kojak] Peer Connection Initiated with 192.168.1.106:1110
Thu Nov 10 11:39:06 2011 us=804314 Kojak/192.168.1.106:1110 MULTI: Learn: 10.10.10.2 -> Kojak/192.168.1.106:1110
Thu Nov 10 11:39:06 2011 us=804575 Kojak/192.168.1.106:1110 MULTI: primary virtual IP for Kojak/192.168.1.106:1110: 10.10.10.2
Thu Nov 10 11:39:09 2011 us=326946 Kojak/192.168.1.106:1110 PUSH: Received control message: 'PUSH_REQUEST'
Thu Nov 10 11:39:09 2011 us=327601 Kojak/192.168.1.106:1110 SENT CONTROL [Kojak]: 'PUSH_REPLY,redirect-gateway def1,route-gateway 10.10.10.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.10.10.2 255.255.255.0' (status=1)
On the client, once you have successfully connected, you get a new virtual interface, as with every VPN client.
(This is my first Hungarian output, sorry.)
Ethernet-adapter Helyi kapcsolat 6:

   Kapcsolatspecifikus DNS-utótag. . . . :
   Leírás. . . . . . . . . . . . . . . . : TAP-Win32 Adapter V9
   Fizikai cím . . . . . . . . . . . . . : 00-FF-21-D5-87-C3
   DHCP engedélyezve . . . . . . . . . . : Igen
   Automatikus konfiguráció engedélyezve : Igen
   IP-cím. . . . . . . . . . . . . . . . : 10.10.10.2
   Alhálózati maszk. . . . . . . . . . . : 255.255.255.0
   Alapértelmezett átjáró. . . . . . . . : 10.10.10.1
   DHCP kiszolgáló . . . . . . . . . . . : 10.10.10.254
   Bérleti jog kezdete . . . . . . . . . : 2011. november 10. 9:37:00
   Bérleti jog vége. . . . . . . . . . . : 2012. november 9. 9:37:00
Posted on November 10, 2011