
VPN Scripts  SecureOffice  xoops  29-Nov-2020 17:40  0  24740 reads

1        Virtual Private Network Scripts

Various scripts to make managing OpenVPN connections, configuration, routing and creation of client / server keys an easy, semi-automated process.

1.1    VPN Client Scripts

VPN Client scripts are used to provide isolated VPN hotspot and / or ethernet port(s). A commercial VPN provider is required to provide the VPN connection. SecureOffice makes this connection available as an additional WiFi hotspot and / or dedicated ethernet ports.

Local devices connected to the VPN hotspot and / or ethernet port(s) are totally isolated from SecureOffice local resources and have only secure internet access using a commercial VPN server. In the figure below, green is secure traffic that nobody can eavesdrop, red is traffic that can be listened to but (thanks to VPN) all user identification and location data is anonymous. Further, if using https for connections, hackers cannot decrypt the traffic to collect passwords or other information.

Figure 1: Isolated VPN Clients

There are two VPN client scripts.

"/etc/openvpn/iface_updown.sh" is used to automatically configure the advanced routing required to bridge OpenVPN TUN interfaces (commercial VPN providers generally do not support TAP) and other VPN protocols (such as PPTP) to WiFi SSIDs and, optionally, additional physical ethernet interfaces. This allows sharing VPN connections with client devices connected via WiFi or dedicated ethernet ports. This script can be used for the following purposes:

  • As the up / down script in OpenVPN configuration files, executed when the connection goes up / down.
  • As a hotplug script when PPTP or another VPN interface goes up / down.
  • As a standalone (no VPN) script to bridge an isolated WiFi hotspot directly to the internet, so clients are isolated from your network infrastructure with no access to local resources. This is useful to provide internet access for clients / guests on your premises without access to local (LAN) network resources.
  • This configuration allows creating isolated guest WiFi internet access points for home and office.
  • If the commercial VPN provider has servers that can bypass geographic restrictions by services such as NetFlix, the VPN interface can be used to access geo-restricted content anywhere, such as US NetFlix from England.

"/etc/openvpn/firewall_updown.sh" is (optionally) used to forward ports between the VPN bridge and the VPN interface. It is called by "/etc/openvpn/iface_updown.sh" if a server (for port forwarding) is specified as a parameter. This allows running websites and other services over a VPN connection, which in effect provides another isolated ISP / internet connection. The SecureOffice team uses this functionality to test servers and VOIP quality over long distances, since the server can appear to be located anywhere on the planet using commercial VPN servers. If intending to use this functionality, make sure your VPN provider does not block any ports. Some VPN providers do block ports and offer paid port forwarding or static IP servers as options, an alternative way to forward ports.

1.2    VPN Server Script

A commercial VPN provider is NOT required for SecureOffice VPN server functionality.

This script configures SecureOffice to be a VPN server, allowing remote VPN clients full, secure access to SecureOffice resources and making remote clients appear to be local, which provides remote access to SecureOffice for road warriors. This is how remote SecurePBX extensions (phones), PCs and other devices are securely connected to SecureOffice as remote clients, appearing as local devices, and how local resources such as IP cameras and applications (Home Assistant, NextCloud, etc.) are accessed remotely. There is no possibility of eavesdroppers or hackers, since private SSL encryption certificates (impossible to forge) are used.

Network topology for SecureOffice as a VPN server is shown below (Green is full secured, encrypted communications):

Figure 2: Remote VPN Clients

This script automates the following complex, tedious, error prone functions, necessary for SecureOffice to be an OpenVPN server for secure remote client access:

  • Creates OpenVPN server certificates.
  • Creates OpenVPN server (bridged / routed) configuration files.
  • Creates OpenVPN client certificates (can be unique per client). These certificates are automatically added to the client OpenVPN configuration files.
  • Creates OpenVPN client (bridged / routed, can be unique per client) configuration files.

1.3    VPN Scripts Prerequisites

  • Valid user credentials to access the SecureOffice custom package / script repository ($). If not, follow instructions here.
  • The SecureOffice domain must be set correctly in "/etc/hosts" with an entry of the form "<LAN_IP_address> <domain_name_without_www>", as discussed in configuration. The domain is used for user authentication and SecureOffice VPN server SSL certificate creation.
  • SecureOffice must be connected to the internet from your registered domain. To test this, enter "ping <www.your domain>". The result should be the WAN IP address of SecureOffice (WAN Topology) or main router (LAN Topology). If not, DDNS is not working and needs to be configured or checked.
  • If intending to provide secure VPN connections to the internet for local clients (such as Netflix to access geo-restricted content or a free office WiFi hotspot with no access to local resources), a commercial VPN provider is required to share VPN connections using SecureOffice WiFi and / or bridged ethernet interfaces.

1.4    VPN Scripts Installation

To install the scripts, at a SecureOffice command prompt, enter:

  • "opkg update; opkg install vpn_scripts"
  • VPN Client scripts are installed in directory "/etc/openvpn". VPN Server scripts are installed in directory "/etc/ssl/openvpn"

2        Using VPN Client Scripts

Local VPN (WiFi hotspot, optional bridged ethernet ports) clients connect to a dedicated bridge isolated from SecureOffice resources. The bridge, firewall and DHCP services must be configured to support the client VPN functionality. File "/etc/openvpn/openwrt_readme.txt" summarizes the configuration pre-requisites.

2.1    VPN Client Configuration Pre-Requisites

Create the bridge and VPN interface for local VPN clients. This is also where to optionally bridge dedicated ethernet port(s). Add the following to file "/etc/config/network":

# Arbitrary bridge name 'ext_vpn' must match name in /etc/config/dhcp, /etc/config/firewall and /etc/config/wireless
# Bridge created and bound to some interface (/etc/config/network):
config interface 'ext_vpn'
    #option ifname 'ethX'            # optional: ethernet device to also bind to. Do not add WiFi device.
    option proto 'static'
    option type 'bridge'
    option ipaddr '192.168.20.1'     # RFC 1918 private address, eg: 192.168.20.1, that does not conflict with LAN
    option netmask '255.255.255.0'
    option ip6assign '60'            # IPv6 address

# Create client VPN interface and bind to tun/tap
config interface 'tun1'
    option ifname 'tun1'
    option proto 'none'

Figure 3: Create VPN Client Bridge

Add the VPN client DHCP configuration. Add the following to file "/etc/config/dhcp":

# DHCP interface and range defined (/etc/config/dhcp):
config dhcp 'ext_vpn'
    option interface 'ext_vpn'
    option dhcpv6 'server'
    option ra 'server'
    option start '100'
    option limit '150'
    option force '1'
    option leasetime '12h'
    list dhcp_option '6,8.8.8.8,8.8.4.4'   # DNS servers

Figure 4: VPN Client DHCP Configuration

Create the isolated VPN firewall zone and define the forwarding rules. This assumes the first free TUN device is "tun1". Add the following to file "/etc/config/firewall":

# Firewall zones created, forwarding defined (/etc/config/firewall)
config zone
    option name 'tun1'
    option network 'tun1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config zone
    option name 'ext_vpn'
    list network 'ext_vpn'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'ext_vpn'
    option dest 'tun1'

config forwarding
    option src 'tun1'
    option dest 'ext_vpn'

Figure 5: VPN Client Firewall Configuration

Create the isolated VPN WiFi hotspot. Add the following to file "/etc/config/wireless". Note that if the WiFi radio is not capable of multiple SSIDs (most are), alter the only existing entry instead:

# If creating VPN WiFi hotspot, add new SSID if WiFi capable of multiple SSIDs, or alter only SSID entry (/etc/config/wireless)
config wifi-iface
    option device 'radio0'       # radio to use
    option network 'ext_vpn'     # bridge to VPN bridge
    option mode 'ap'
    option ssid 'your choice'
    option encryption 'psk2'     # do not change unless you know what you are doing
    option key 'your choice'

Figure 6: VPN WiFi Hotspot Configuration

After entering the above configuration, SecureOffice must be rebooted or enter "/etc/init.d/network restart" to apply the changes.
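The point of the zone and forwarding entries above is that hotspot clients can reach tun1 and nothing else. The following script is an added example, not one of the SecureOffice scripts: it reads UCI firewall text, parses the zone and forwarding sections, and reports any entry that would give ext_vpn clients a path off the VPN (such as a forwarding into the LAN zone) or that would leak client addresses to the provider (missing masquerading on tun1). It assumes the zone names ext_vpn and tun1 used on this page; the sample configuration is constructed from Figure 5, and the second sample adds one deliberately wrong forwarding to show the failure case.

```shell
#!/bin/sh
# Added example (not part of the SecureOffice scripts): checks a /etc/config/firewall
# for the invariants that keep ext_vpn hotspot clients isolated from the LAN.
# Assumed names (as on the page): bridge zone 'ext_vpn', VPN zone 'tun1'.

# check_isolation: reads UCI firewall text on stdin, prints one FAIL line per problem
# (or a single OK line); exit status = number of problems found.
check_isolation() {
    awk -F"'" '
    { split($1, w, " ") }                     # w[1]=keyword, w[2]=section type or option name; $2=quoted value
    w[1] == "config" { n++; type[n] = w[2]; next }
    (w[1] == "option" || w[1] == "list") && n > 0 { kv[n, w[2]] = $2 }
    function err(m) { print "FAIL: " m; errors++ }
    END {
        for (i = 1; i <= n; i++) if (type[i] == "zone") {
            z = kv[i, "name"]; fwd[z] = kv[i, "forward"]; masq[z] = kv[i, "masq"]
        }
        if (!("ext_vpn" in fwd)) err("no zone named ext_vpn")
        else if (fwd["ext_vpn"] != "REJECT") err("zone ext_vpn must have option forward REJECT")
        if (masq["tun1"] != "1") err("zone tun1 must have option masq 1 so client addresses never reach the provider")
        for (i = 1; i <= n; i++) if (type[i] == "forwarding") {
            s = kv[i, "src"]; d = kv[i, "dest"]
            if (s == "ext_vpn" && d == "tun1") to_vpn = 1
            else if (s == "ext_vpn") err("forwarding ext_vpn -> " d " gives VPN clients a path off the VPN")
            else if (d == "ext_vpn" && s != "tun1") err("forwarding " s " -> ext_vpn exposes the isolated bridge")
        }
        if (!to_vpn) err("no forwarding ext_vpn -> tun1: clients have no internet path")
        if (errors == 0) print "OK: ext_vpn clients can only reach tun1"
        exit errors
    }'
}

# Constructed sample matching Figure 5 (the isolated configuration)
GOOD_FW="$(cat <<'EOF'
config zone
    option name 'tun1'
    option network 'tun1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config zone
    option name 'ext_vpn'
    list network 'ext_vpn'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'ext_vpn'
    option dest 'tun1'

config forwarding
    option src 'tun1'
    option dest 'ext_vpn'
EOF
)"

# Same configuration plus one forwarding that would let hotspot clients reach the LAN (constructed)
BAD_FW="$GOOD_FW
config forwarding
    option src 'ext_vpn'
    option dest 'lan'"

printf '%s\n' "$GOOD_FW" | check_isolation
printf '%s\n' "$BAD_FW" | check_isolation || echo "$? problem(s) found"
```

On a SecureOffice box the same function can be fed the live file with `check_isolation < /etc/config/firewall` after editing and before the network restart; a non-zero exit status means the isolation described in this section is not what the firewall will enforce.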

2.2    For OpenVPN Connections

The path of the iface_updown script is placed in the client VPN configuration file and called when the VPN TUN device becomes connected or disconnected. The "iface_updown" script automatically configures IP traffic routing to mimic TAP device (bridge) functionality using OpenVPN TUN devices.

  • Prerequisite: a VPN connection with a commercial provider has already been set up and verified per these instructions, up to and including testing the connection.
  • Using the nano editor, uncomment (remove the leading "#") the following two lines in the "/etc/openvpn/<provider>/<provider>.conf" file:

#up "/etc/openvpn/iface_updown.sh ext_vpn 0"      # connection up script to run; parameters: interface to bridge to, no logging
#down "/etc/openvpn/iface_updown.sh ext_vpn 0"    # connection down script to run; parameters: interface to bridge to, no logging

2.3    For PPTP Connections

The PPTP device will be named pptp-pppX, where X is the device number.

To configure / define a PPTP connection, add the following to "/etc/config/network":

config interface 'ppp0'
    option disabled '0'
    option proto 'pptp'
    option ipv6 '1'
    option username '<your vpn provider user name>'
    option password '<your vpn provider password>'
    option defaultroute '0'
    option server '<IP address or URL of pptp server>'

Figure 7: VPN Define PPTP Connection

An example hotplug script is in "/etc/openvpn/example_hotplug/30-ppp0". Copy it to "/etc/hotplug.d/iface/30-ppp0". This script will be executed (to set up routes, DNS, etc.) every time the interface goes up / down. The script is shown below:

#!/bin/sh

# Example openwrt hotplug script to be placed in /etc/hotplug.d/iface
# Rename to XX-$VPN_IF where XX is numeric execution order (lowest first)

# VPN_IF interface (pppX, ...) as defined in /etc/config/network
VPN_IF=ppp0
# Isolated bridge for $INTERFACE as defined in /etc/config/network
BRIDGE=ext_vpn

# Optional, server to forward ports to (as defined in /etc/openvpn/firewall_updown.sh)
# If SERVER="", no port forwarding and anything connected to bridge will be totally isolated except for internet access
#SERVER=10.0.0.128
# 0 | 1 to log events
LOG=1
LOGFILE=/var/log/hotplug-$INTERFACE.log

# iface_updown.sh parameters: $1=bridge $2=logging(0|1) $3=optional server to port forward to using firewall_updown.sh
# 2>&1 sends the "sh -x" trace (written to stderr) into the log file as well
[ "$ACTION" = "ifup" -a "$INTERFACE" = "$VPN_IF" ] && {
    #logger "$0 iface $INTERFACE up"
    sh -x /etc/openvpn/iface_updown.sh $BRIDGE $LOG $SERVER > "$LOGFILE" 2>&1
    #/etc/init.d/fw3 reload
}
[ "$ACTION" = "ifdown" -a "$INTERFACE" = "$VPN_IF" ] && {
    #logger "$0 iface $INTERFACE down"
    sh -x /etc/openvpn/iface_updown.sh $BRIDGE $LOG $SERVER > "$LOGFILE" 2>&1
}
exit 0

Figure 8: VPN PPTP Hotplug Script

From a command prompt, enter "nano /etc/hotplug.d/iface/30-ppp0". Change the following parameters to match your configuration.

  • VPN_IF: The VPN device (as defined in "/etc/config/network"), for example ppp0.
  • BRIDGE: Name of the bridge interface (as defined in "/etc/config/network") used for this connection. Default "ext_vpn".
  • LOG: "1" to log status. "0" no log.
  • LOGFILE: Do not change.
  • SERVER: (optional, IP address on bridge) Server to forward ports to (defined in "/etc/openvpn/firewall_updown.sh").

The PPTP connection can be brought up / down by entering "ifup ppp0" / "ifdown ppp0" respectively.

2.4    For Isolated Connections

To use the up / down script to provide isolated (not VPN, internet access only) connections, copy "/etc/openvpn/example_hotplug/30-ppp0" to "/etc/hotplug.d/iface/30-ethX", where "X" is the device number of your WAN interface (default: eth1).

Configure as above (PPTP), changing VPN_IF=ppp0 to "ethX" (the WAN interface).

2.5    Forwarding VPN Ports

If your VPN provider does not close ports (firewall) or can forward ports (may charge extra), it is possible to run websites and other services over VPN which allows your services to appear to be running from another geographic location. With a VPN provider that does not keep logs and "obey" your local "authorities", nobody can link you to the services, such as websites.

The server (which may be a SecureOffice hosted virtual machine) must have a static IP address on the SecureOffice LAN. Ports are forwarded to the server's IP address.

To forward ports, enter "nano /etc/openvpn/firewall_updown.sh" to define which ports to forward. An example set of port forwards is shown below for web, email and VOIP telephony services:

# ("Enabled [0 | 1]" "Start_Port[:End_Port]" "protocol" "Server to forward to" "Comment")
FWD_0=("1" "80:90" "tcp" "$server" "Forward_Http_to_$server")
FWD_1=("1" "443" "tcp" "$server" "Forward_Https_to_$server")
FWD_2=("1" "5060:5080" "tcp" "$server" "Redirect-SIP")
FWD_3=("1" "5060:5080" "udp" "$server" "Redirect-SIP")
FWD_4=("1" "$rtp_range" "udp" "$server" "Redirect-RTP")
FWD_5=("1" "25" "tcp" "$server" "Redirect-SMTP")
FWD_6=("1" "2525" "tcp" "$server" "Redirect-SMTP-alt")
FWD_7=("1" "465" "tcp" "$server" "Redirect-SMTP-secure")
FWD_8=("1" "110" "tcp" "$server" "Redirect-POP3")
FWD_9=("1" "995" "tcp" "$server" "Redirect-POP3-secure")
FWD_10=("1" "143" "tcp" "$server" "Redirect-IMAP")
FWD_11=("1" "993" "tcp" "$server" "Redirect-IMAP-secure")

FWD_ARRAY=(
    FWD_0[@]
    FWD_1[@]
    FWD_2[@]
    FWD_3[@]
    FWD_4[@]
    FWD_5[@]
    FWD_6[@]
    FWD_7[@]
    FWD_8[@]
    FWD_9[@]
    FWD_10[@]
    FWD_11[@]
)
COUNT=${#FWD_ARRAY[@]}

Figure 9: VPN Forward Ports to Server

Remove any entries not required. Add any additional port forwards and save the file.

This script is called by "/etc/openvpn/iface_updown.sh" with the server IP address as a parameter when the VPN interface goes up or down. The server IP address must therefore be passed as a parameter to "/etc/openvpn/iface_updown.sh" by whatever invokes it, which may be OpenVPN or hotplug.

If OpenVPN is managing the interface, edit the provider OpenVPN configuration file ("/etc/openvpn/<provider>/<provider>.conf") and add the server IP address to the up / down script parameters. For example:

Change "up '/etc/openvpn/iface_updown.sh ext_vpn 0'" to "up '/etc/openvpn/iface_updown.sh ext_vpn 0 <server_IP>'"

Change "down '/etc/openvpn/iface_updown.sh ext_vpn 0'" to "down '/etc/openvpn/iface_updown.sh ext_vpn 0 <server_IP>'"

If the interface is managed by hotplug, define "SERVER=<server_IP>" in the "/etc/hotplug.d/<script name>" file.

3        Using VPN Server Script

This script allows SecureOffice to be a VPN server for secure remote access to SecureOffice, as a bridged or routed server (simultaneously for different clients). The differences between bridged and routed VPN connections and when to use each are explained here.

3.1    Server Script Usage

These functions are performed by the script "/etc/ssl/openvpn/openvpn-server.sh".

Script usage is best explained by running it without parameters, to display help: "/etc/ssl/openvpn/openvpn-server.sh".

Prerequisites:
    Change variables at beginning of /etc/ssl/openvpn/openvpn-server.sh to match your installation / preferences
    Change variables at beginning of /etc/ssl/openvpn/openvpn-server.cnf to match your installation / preferences
    Caveat: No spaces in any parameters, else enclose in quotes

Usage:
    "/etc/ssl/openvpn/openvpn-server.sh server":
        Create openvpn server certificates
        Creates openvpn tap server configuration file: /etc/ssl/openvpn/<domain>-bridged.conf
        Creates openvpn tun server configuration file: /etc/ssl/openvpn/<domain>-routed.conf
    "/etc/ssl/openvpn/openvpn-server.sh client "user_name" "user_email" "user_password" "user_challenge_password" (optional)":
        Create openvpn client certificates
        Using "user_challenge_password" is discouraged
        Client output certificates: /etc/ssl/openvpn/<domain>-<user_name>.key.pem, /etc/ssl/openvpn/<domain>-<user_name>.crt.pem
        Client output configuration files: /etc/ssl/openvpn/<user_name>-<domain>-bridged.ovpn, /etc/ssl/openvpn/<user_name>-<domain>-routed.ovpn

Figure 10: VPN Server Script Usage

3.1.1    Script Prerequisites

Beginning of file "/etc/ssl/openvpn/openvpn-server.sh" contains VPN server configuration settings such as protocol (tcp / udp), server ports and tap / tun device numbers. Change them according to your preferences. It is suggested to leave the device numbers at "0" and start VPN client device numbers at "1".

Beginning of file "/etc/ssl/openvpn/openvpn-server.cnf" contains VPN certificate configuration settings such as key size, location and organization. Change them according to your preferences.

3.1.2    Create VPN Server Configs And Certs

Enter "/etc/ssl/openvpn/openvpn-server.sh server". This will create all files required to run VPN bridged (tap) and routed (tun) servers on SecureOffice. The generated configuration files are:

  • /etc/ssl/openvpn/<domain>-bridged.conf (openvpn server configuration for bridged clients)
  • /etc/ssl/openvpn/<domain>-routed.conf (openvpn server configuration for routed clients)

Enter "nano /etc/config/openvpn" and add the following configuration entries:

config openvpn 'vpn_server_bridged'
    option enabled '1'
    option config '/etc/ssl/openvpn/<domain>-bridged.conf'

config openvpn 'vpn_server_routed'
    option enabled '1'
    option config '/etc/ssl/openvpn/<domain>-routed.conf'

Figure 11: OpenVPN Server Configuration

3.1.3    Create VPN Client Configs And Certs

Enter "/etc/ssl/openvpn/openvpn-server.sh client <user_name> <user_email> <user_password>", with no spaces or quotes in any parameters. This will create OpenVPN client configuration files (bridged / tap and routed / tun) for one client, which contain all required certificates. Repeat to create as many unique client configuration files as needed, differentiated by client identity and password.

If you intend to use a single client configuration file for multiple clients, be aware that revoking the certificate will revoke credentials for all clients using the certificate (part of client configuration file). This is not recommended, since new credentials will have to be issued for all non-revoked clients. To enable this, uncomment "#duplicate-cn" in the server config file.

Clients will normally use routed / TUN configuration files. Clients, such as PCs, that need to browse / access network resources on the SecureOffice local LAN should use bridged / TAP configuration files / connections.

At date of writing, the SecureOffice team is aware of only one Android OpenVPN application reliably supporting bridged / tap connections. It is an inexpensive paid application, highly recommended. It is called "VPN Client Pro" (colucci-web.it) available from Google PlayStore.

3.1.4    Open Firewall Ports For VPN Servers

Two ports "BRIDGED_PORT" and "ROUTED_PORT" (defaults: 1190, 1191) are specified in "/etc/ssl/openvpn/openvpn-server.sh". These ports need to be opened on the SecureOffice firewall.

Enter "nano /etc/config/firewall" and add two entries at the end:

config rule
    option target 'ACCEPT'
    option src 'wan'
    option proto 'tcp udp'
    option dest_port '1190'
    option name 'vpn_server_bridged'

config rule
    option target 'ACCEPT'
    option src 'wan'
    option proto 'tcp udp'
    option dest_port '1191'
    option name 'vpn_server_routed'

Figure 12: VPN Firewall Ports

Replace the "dest_port" values with the assigned "BRIDGED_PORT" and "ROUTED_PORT" values respectively, if you changed the defaults.

Device tap0 must be bridged to the SecureOffice LAN. In file "/etc/config/network", under "config interface 'lan'", change "option ifname 'eth1'" to "option ifname 'eth1 tap0'".

Enter "/etc/init.d/network restart; /etc/init.d/openvpn restart" to have the settings take effect.

Note: If using LAN Topology (SecureOffice behind a main router), the VPN server ports (1190, 1191, tcp and udp) must be forwarded to SecureOffice on the main router.

3.2    Test SecureOffice VPN Servers

3.2.1    Import Configuration Files To Clients

The OpenVPN client configuration files (which include SSL certificates) are:

  • /etc/ssl/openvpn/<user_name>-<domain>-bridged.ovpn, (use for bridged connections)
  • /etc/ssl/openvpn/<user_name>-<domain>-routed.ovpn (use for routed connections)

These configuration files can be imported into any client PC, phone or device supporting OpenVPN. The transfer / import method is specific to the device and OpenVPN client application. Search the internet to determine how to transfer files and import them into the VPN application for your device. WinSCP can be used to transfer the configuration files to another PC and, from there, to other devices. Cellphones and Android devices may need the configuration files to be transferred using an SD card.

3.2.2    Test Bridged VPN Connection

Bridged VPN connections provide clients access to the entire SecureOffice LAN and broadcast traffic. It is equivalent to being physically connected to the LAN, including ability to browse network neighborhood. Use bridged connection to access services on the SecureOffice LAN which rely on broadcast traffic such as network browsing.

3.2.3    Test Routed VPN Connection

Routed VPN connections have less overhead than bridged connections due to broadcast traffic not going over the VPN interface. Use routed connections for applications like SecurePBX extensions (phone numbers on cellphone) and access to private resources such as IP cameras.
