
1        Virtual Private Network Scripts

A collection of scripts to make managing OpenVpn connections, configurations, routing and creation of client / server keys an easy, semi-automated process.

1.1    VPN Client Scripts

There are two VPN client scripts.

"/etc/openvpn/iface_updown.sh" is used to automatically configure the advanced routing required to bridge OpenVpn TUN interfaces (TUN is used because VPN providers generally do not support TAP) and other VPN interfaces (such as pptp-pppX) to WiFi SSIDs and, optionally, additional physical ethernet interfaces. This allows VPN connections to be shared with client devices connected via WiFi or a dedicated ethernet port. The script can be used for the following purposes:

  • As the up / down script in openvpn configuration files, called when the connection goes up / down.
  • As a hotplug script when PPTP or other interface goes up / down.
  • As a standalone (no VPN) script to bridge an isolated WiFi LAN directly to the internet, so clients are isolated from your network infrastructure with no access to local resources.

"/etc/openvpn/firewall_updown.sh" is (optionally) used to forward ports between the VPN bridge and the VPN interface. It is called by "/etc/openvpn/iface_updown.sh" if a server (for port forwarding) is specified as a parameter. This allows running websites and other services over a VPN connection, which in effect provides another ISP / internet connection. The SecureOffice team uses this for test servers and for VOIP quality testing over long distances, since the server can appear to be located anywhere on the planet where the VPN provider has servers. If you intend to use this functionality, make sure your VPN provider does not block inbound ports, or supports port forwarding.

1.2    VPN Server Scripts

These scripts automate the following complex, tedious and error-prone functions, which are necessary for SecureOffice to act as an OpenVpn server for secure remote client access:

  • Creates OpenVpn server certificates.
  • Creates OpenVpn server (bridged / routed) configuration files.
  • Creates OpenVpn client certificates (can be unique per client). These certificates are automatically added to the client OpenVpn configuration files.
  • Creates OpenVpn client (bridged / routed, can be unique per client) configuration files.

1.3    VPN Scripts Prerequisites

  • Valid user credentials to access the SecureOffice custom package / script repository ($). If not, follow instructions here.
  • The SecureOffice domain must be set correctly in "/etc/hosts" with an entry of form: "<LAN_IP_address> <domain_name_without_www>" as discussed in configuration. The domain is used for user authentication for script download and for SecureOffice VPN server SSL certificate creation.
  • SecureOffice must be reachable from the internet via your registered domain. To test this, enter "ping <www.your domain>". The result should be the WAN IP address of SecureOffice (WAN Topology) or of the main router (LAN Topology). If not, DDNS is not working and needs to be configured or checked.
  • A commercial VPN provider to share VPN connections using SecureOffice WIFI or bridged ethernet interfaces.

1.4    VPN Scripts Installation

To install the scripts, at a SecureOffice command prompt, enter:

  • "opkg update; opkg install vpn_scripts"
  • Client scripts are installed in directory "/etc/openvpn". Server scripts are installed in "/etc/ssl/openvpn".

2        Using VPN Client Scripts

Caution: each connection must have a dedicated, uniquely named bridge. The client_vpn bridge can only be used for one connection at a time. If using multiple bridged connections, multiple bridges are required.

2.1    For OpenVPN Connections

The path of the iface_updown script is placed in the client VPN configuration file and called when the VPN TUN device becomes connected or disconnected. This script automatically configures traffic routing to mimic TAP device (bridge) functionality using TUN devices.

  • A VPN connection with a commercial provider has already been set up and verified per these instructions, up to and including testing the connection.
  • Using the nano editor, uncomment (remove the leading "#") the next two lines in the /etc/openvpn/<provider>/<provider>.conf file:
  • #up "/etc/openvpn/iface_updown.sh client_vpn 0" (connection-up script to run, interface to bridge to, no logging).
  • #down "/etc/openvpn/iface_updown.sh client_vpn 0" (connection-down script to run, interface to bridge to, no logging).
  • Complete the VPN network, DHCP, firewall and WiFi settings by following these instructions.

2.2    For PPTP Connections

The PPTP device will be named pptp-pppX, where X is the device number. An example hotplug script is in "/etc/openvpn/example_hotplug/30-ppp0". Copy it to "/etc/hotplug.d/iface/30-ppp0". This script will be executed (to set up routes, DNS, etc.) every time the interface goes up / down. The script is shown below:

#!/bin/sh
# Example hotplug script to be placed in /etc/hotplug.d/iface
# Rename to XX-$VPN_IF where XX is numeric execution order (lowest first)

# VPN interface (tunX, pppX, ...) as defined in /etc/config/network
VPN_IF=ppp0
# Isolated bridge for $INTERFACE as defined in /etc/config/network
BRIDGE=client_vpn
# Optional, server to forward ports to (as defined in /etc/openvpn/firewall_updown.sh)
# If SERVER="", no port forwarding and anything connected to bridge will be totally isolated except for internet access
SERVER=10.0.0.128
# 0 | 1 to log events
LOG=1
LOGFILE=/var/log/hotplug-$INTERFACE.log

[ "$ACTION" = "ifup" -a "$INTERFACE" = "$VPN_IF" ] && {
    #logger "$0 iface $INTERFACE up"
    sh -x /etc/openvpn/iface_updown.sh $BRIDGE $LOG $SERVER > $LOGFILE
    /etc/init.d/fw3 -q reload
}

[ "$ACTION" = "ifdown" -a "$INTERFACE" = "$VPN_IF" ] && {
    #logger "$0 iface $INTERFACE down"
    # ifdown does not provide $DEVICE
    export DEVICE=pptp-$VPN_IF; sh -x /etc/openvpn/iface_updown.sh $BRIDGE $LOG $SERVER > $LOGFILE
}

exit 0

From a command prompt, enter "nano /etc/openvpn/example_hotplug/30-ppp0". Change the following parameters to match your configuration.

  • VPN_IF: The VPN device, for example pptp-ppp0.
  • BRIDGE: Name of the bridge interface used for this connection. Default client_vpn.
  • LOG: "1" to log status. "0" no log.
  • LOGFILE: Do not change.
  • SERVER: (optional, IP address on bridge) Server to forward ports to (defined in "/etc/openvpn/firewall_updown.sh").

2.3    For Isolated Connections

To use the up / down script to provide isolated (no VPN, internet access only) connections, copy "/etc/openvpn/example_hotplug/30-ppp0" to "/etc/hotplug.d/iface/30-ethX", where "X" is the device number of your WAN interface (default: eth1).

Configure as above (PPTP), changing VPN_IF=ppp0 to "ethX" (the WAN interface).

2.4    Forwarding VPN Ports

If your VPN provider does not block inbound ports (firewall) or can forward ports (it may charge extra), it is possible to run websites and other services over the VPN, which allows your services to appear to be running from another geographic location. With a VPN provider that does not keep logs and does not "obey" your local "authorities", nobody can link you to the services, such as websites.

The server (which may be a SecureOffice-hosted virtual machine) must have a static IP address on the SecureOffice LAN. Ports are forwarded to the server's IP address.

To forward ports, enter "nano /etc/openvpn/firewall_updown.sh" to define which ports to forward. An example set of port forwards is shown below for web, email and VOIP telephony services:

# ("Enabled [0 | 1]" "Start_Port[:End_Port]" "protocol" "Server to forward to" "Comment")
FWD_0=("1" "80:90" "tcp" "$server" "Forward_Http_to_$server")
FWD_1=("1" "443" "tcp" "$server" "Forward_Https_to_$server")
FWD_2=("1" "5060:5080" "tcp" "$server" "Redirect-SIP")
FWD_3=("1" "5060:5080" "udp" "$server" "Redirect-SIP")
FWD_4=("1" "$rtp_range" "udp" "$server" "Redirect-RTP")
FWD_5=("1" "25" "tcp" "$server" "Redirect-SMTP")
FWD_6=("1" "2525" "tcp" "$server" "Redirect-SMTP-alt")
FWD_7=("1" "465" "tcp" "$server" "Redirect-SMTP-secure")
FWD_8=("1" "110" "tcp" "$server" "Redirect-POP3")
FWD_9=("1" "995" "tcp" "$server" "Redirect-POP3-secure")
FWD_10=("1" "143" "tcp" "$server" "Redirect-IMAP")
FWD_11=("1" "993" "tcp" "$server" "Redirect-IMAP-secure")

FWD_ARRAY=(
    FWD_0[@]
    FWD_1[@]
    FWD_2[@]
    FWD_3[@]
    FWD_4[@]
    FWD_5[@]
    FWD_6[@]
    FWD_7[@]
    FWD_8[@]
    FWD_9[@]
    FWD_10[@]
    FWD_11[@]
)
COUNT=${#FWD_ARRAY[@]}

Remove any entries not required. Add any additional port forwards and save the file.
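The following is an added example, not part of the vpn_scripts package: it parses a table in the FWD_n format above, rejects malformed or out-of-range entries, and renders the DNAT / FORWARD rules such a table implies. The sample table, the values of $server and $rtp_range, the tun0 device name and the exact iptables chains are assumptions (the page does not show how firewall_updown.sh itself applies the table).

```python
import re

# One table entry, e.g. FWD_0=("1" "80:90" "tcp" "$server" "Forward_Http_to_$server")
FWD_RE = re.compile(r'^FWD_\d+=\(\s*"([01])"\s+"([^"]+)"\s+"(tcp|udp)"\s+"([^"]+)"\s+"([^"]*)"\s*\)$')

# Constructed sample table in the page's format; FWD_5 is deliberately disabled ("0").
SAMPLE_TABLE = '''
FWD_0=("1" "80:90" "tcp" "$server" "Forward_Http_to_$server")
FWD_1=("1" "443" "tcp" "$server" "Forward_Https_to_$server")
FWD_4=("1" "$rtp_range" "udp" "$server" "Redirect-RTP")
FWD_5=("0" "25" "tcp" "$server" "Redirect-SMTP")
FWD_ARRAY=(FWD_0[@] FWD_1[@] FWD_4[@] FWD_5[@])
COUNT=${#FWD_ARRAY[@]}
'''
SAMPLE_VARS = {"server": "10.0.0.128", "rtp_range": "10000:20000"}  # assumed values


def parse_forwards(text, variables):
    """Return (ports, proto, target, comment) for each enabled entry; a malformed
    entry or a port outside 1-65535 raises ValueError before it becomes a rule."""
    forwards = []
    for line in text.splitlines():
        line = line.strip()
        if not re.match(r"FWD_\d+=\(", line):
            continue  # FWD_ARRAY, COUNT and comment lines are not entries
        m = FWD_RE.match(line)
        if not m:
            raise ValueError("malformed forward entry: " + line)
        enabled, ports, proto, target, comment = m.groups()
        if enabled == "0":
            continue
        for name, value in variables.items():  # expand $server, $rtp_range
            ports, target, comment = (s.replace("$" + name, value) for s in (ports, target, comment))
        lo, _, hi = ports.partition(":")
        if not 1 <= int(lo) <= int(hi or lo) <= 65535:
            raise ValueError("bad port range in: " + line)
        forwards.append((ports, proto, target, comment))
    return forwards


def render_rules(forwards, vpn_dev):
    """Render DNAT and FORWARD-accept rules bound to the VPN device only, so a
    forward exposes the server through the VPN and never through the LAN side."""
    rules = []
    for ports, proto, target, comment in forwards:
        rules.append('iptables -t nat -A PREROUTING -i %s -p %s --dport %s -m comment --comment "%s" -j DNAT --to-destination %s' % (vpn_dev, proto, ports, comment, target))
        rules.append("iptables -A FORWARD -i %s -d %s -p %s --dport %s -j ACCEPT" % (vpn_dev, target, proto, ports))
    return rules


def example_rules():  # the sample table applied to a tun0 VPN device
    return render_rules(parse_forwards(SAMPLE_TABLE, SAMPLE_VARS), "tun0")
```

Running the parser over the real file before a VPN comes up catches a mistyped port or protocol without touching the live firewall.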

This script is called by "/etc/openvpn/iface_updown.sh" with the server IP address as a parameter when the VPN interface goes up or down. The server IP address must be added to the caller of "/etc/openvpn/iface_updown.sh", which may be OpenVPN or hotplug.

If OpenVPN is managing the interface, edit the provider OpenVPN configuration file (/etc/openvpn/provider/<provider>.conf) and add the server IP address to the up / down script parameters. For example:

Change "up '/etc/openvpn/iface_updown.sh client_vpn 0'" to "up '/etc/openvpn/iface_updown.sh client_vpn 0 <server_IP>'"

Change "down '/etc/openvpn/iface_updown.sh client_vpn 0'" to "down '/etc/openvpn/iface_updown.sh client_vpn 0 <server_IP>'"

If the interface is managed by hotplug, define "SERVER=<server_IP>" in the /etc/hotplug.d/<script name> file.

3        Using VPN Server Scripts

These scripts allow using SecureOffice as a VPN server for secure remote access to SecureOffice, as a bridged or routed server (simultaneously for different clients). The differences between bridged and routed VPN connections and when to use each are explained here.

These functions are performed by the script "/etc/ssl/openvpn/openvpn-server.sh".

The script must be run from directory "/etc/ssl/openvpn".

Script usage is best explained by running it without parameters, to display help: "cd /etc/ssl/openvpn; ./openvpn-server.sh".

Prerequisites:
Change variables at beginning of /etc/ssl/openvpn/openvpn-server.sh to match your installation
Change variables at beginning of /etc/ssl/openvpn/openvpn-server.cnf to match your installation
Caveat: No spaces in any parameters, else enclose in quotes

Usage:
"./openvpn-server.sh server":
Creates openvpn server certificates
Creates openvpn tap server configuration file: /etc/ssl/openvpn/<domain>-bridged.conf
Creates openvpn tun server configuration file: /etc/ssl/openvpn/<domain>-routed.conf

"./openvpn-server.sh client "user_name" "user_email" "user_password" "user_challenge_password" (optional):
Create openvpn client certificates
It is not recommended to use "user_challenge_password"
Client output certificates: /etc/ssl/openvpn/<domain>-<user_name>.key.pem, /etc/ssl/openvpn/<domain>-<user_name>.crt.pem
Client output configuration files: /etc/ssl/openvpn/<user_name>-<domain>-bridged.ovpn, /etc/ssl/openvpn/<user_name>-<domain>-routed.ovpn

3.1.1      Script Prerequisites

The beginning of the file "/etc/ssl/openvpn/openvpn-server.sh" contains VPN server configuration settings such as protocol (tcp / udp), server ports and tap / tun device numbers. Change them according to your preferences. It is suggested to leave the server device numbers at "0" and to start VPN client device numbers at "1".

The beginning of the file "/etc/ssl/openvpn/openvpn-server.cnf" contains VPN certificate configuration settings such as key size, location and organization. Change them according to your preferences.

3.1.2      Create VPN Server Configs And Certs

Enter "cd /etc/ssl/openvpn/; ./openvpn-server.sh server". This will create all files required to run VPN bridged (tap) and routed (tun) servers on SecureOffice. The generated configuration files are:

  • /etc/ssl/openvpn/<domain>-bridged.conf (openvpn server configuration for bridged clients)
  • /etc/ssl/openvpn/<domain>-routed.conf (openvpn server configuration for routed clients)

Enter "nano /etc/config/openvpn" and add the following configuration entries:

config openvpn 'vpn_server_bridged'
	option enabled '1'
	option config '/etc/ssl/openvpn/<domain>-bridged.conf'

config openvpn 'vpn_server_routed'
	option enabled '1'
	option config '/etc/ssl/openvpn/<domain>-routed.conf'

3.1.3      Create VPN Client Configs And Certs

Enter cd /etc/ssl/openvpn/; ./openvpn-server.sh client "user_name" "user_email" "user_password", with no spaces or quotes inside any parameter value. This will create OpenVpn client configuration files (bridged / tap and routed / tun) for one client, which contain all required certificates. Repeat to create as many unique client configuration files as needed, differentiated by client identity and password.

If you intend to use a single client configuration file for multiple clients, be aware that revoking the certificate will revoke credentials for all clients using the certificate (part of client configuration file). To enable this, uncomment "#duplicate-cn" in the server config file.

Clients will normally use routed / TUN configuration files. Clients, such as PCs, requiring the ability to browse / access resources on the SecureOffice local LAN should use bridged / TAP configuration files.

At the date of writing, the SecureOffice team is aware of only one Android OpenVPN application reliably supporting bridged / tap connections. It is an inexpensive paid application, highly recommended. It is called "VPN Client Pro" (colucci-web.it) and is available from the Google Play Store.

3.1.4      Open Firewall Ports For VPN Servers

Two ports "BRIDGED_PORT" and "ROUTED_PORT" (defaults: 1190, 1191) were specified in "/etc/ssl/openvpn/openvpn-server.sh". These ports need to be opened on the SecureOffice firewall.

Enter "nano /etc/config/firewall" and add two entries at the end:

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp udp'
	option dest_port '1190'
	option name 'vpn_server_bridged'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp udp'
	option dest_port '1191'
	option name 'vpn_server_routed'

Replace the "dest_port" values with the assigned "BRIDGED_PORT" and "ROUTED_PORT" respectively, if you changed them from the defaults.

Device tap0 must be bridged to the SecureOffice LAN. In file /etc/config/network, under "config interface 'lan'", change "option ifname 'eth1'" to "option ifname 'eth1 tap0'".

Enter "/etc/init.d/network restart" to have the settings take effect.

3.2    Test SecureOffice VPN Servers

3.2.1      Import Configuration Files To Clients

The openvpn client configuration files (which include SSL certificates) are:

  • /etc/ssl/openvpn/<user_name>-<domain>-bridged.ovpn (use for bridged connections)
  • /etc/ssl/openvpn/<user_name>-<domain>-routed.ovpn (use for routed connections)

These configuration files can be imported into any client PC, phone or device supporting OpenVPN. The transfer / import method is specific to the device and OpenVPN application. Search the internet to determine how to transfer files and import them into the VPN application for your device. WinSCP can be used to transfer the configuration files to another PC and, from there, to other devices. Cellphones and Android devices may need the configuration files to be transferred using an SD card.

3.2.2      Test Bridged VPN Connection

Bridged VPN connections provide clients access to the entire SecureOffice LAN and broadcast traffic. It is equivalent to being physically connected to the LAN, including ability to browse network neighborhood. Use bridged connection to access services on the SecureOffice LAN which rely on broadcast traffic such as network browsing.

3.2.3      Test Routed VPN Connection

Routed VPN connections have less overhead than bridged connections due to broadcast traffic not going over the VPN interface. Use routed connections for applications like SecurePBX extensions (phone numbers on cellphone) and access to private resources such as IP cameras.
