Table of Contents
1 Virtual Private Network Scripts
2.1 VPN Client Configuration Pre-Requisites
3.1.1 Script Prerequisites
3.1.2 Create VPN Server Configs And Certs
3.1.3 Create VPN Client Configs And Certs
3.1.4 Open Firewall Ports For VPN Servers
3.2 Test SecureOffice VPN Servers
3.2.1 Import Configuration Files To Clients
3.2.2 Test Bridged VPN Connection
3.2.3 Test Routed VPN Connection
List of Figures
Figure 1: Isolated VPN Clients
Figure 2: Remote VPN Clients
Figure 3: Create VPN Client Bridge
Figure 4: VPN Client DHCP Configuration
Figure 5: VPN Client Firewall Configuration
Figure 6: VPN WiFi Hotspot Configuration
Figure 7: VPN Define PPTP Connection
Figure 8: VPN PPTP Hotplug Script
Figure 9: VPN Forward Ports to Server
Figure 10: VPN Server Script Usage
Figure 11: OpenVPN Server Configuration
Figure 12: VPN Firewall Ports
Various scripts to make managing OpenVPN connections, configuration, routing and creation of client / server keys an easy, semi-automated process.
VPN Client scripts are used to provide isolated VPN hotspot and / or ethernet port(s). A commercial VPN provider is required to provide the VPN connection. SecureOffice makes this connection available as an additional WiFi hotspot and / or dedicated ethernet ports.
Local devices connected to the VPN hotspot and / or ethernet port(s) are totally isolated from SecureOffice local resources and have only secure internet access through a commercial VPN server. In the figure below, green is secure traffic that nobody can eavesdrop on; red is traffic that can be listened to, but (thanks to the VPN) all user identification and location data remains anonymous. Further, if https is used for connections, hackers cannot decrypt the traffic to collect passwords or other information.
Figure 1: Isolated VPN Clients
There are two VPN client scripts.
"/etc/openvpn/iface_updown.sh" is used to automatically configure the advanced routing required to bridge OpenVPN TUN (due to lack of commercial VPN provider support for TAP) interfaces and other VPN protocols (such as PPTP) to WiFi SSID's and, optionally, real (additional) ethernet interfaces. This allows sharing VPN connections with client devices connected via WiFi or dedicated ethernet ports. This script can be used for the following purposes:
"/etc/openvpn/firewall_updown.sh" is (optionally) used to forward ports between the VPN bridge and the VPN interface. It is called by "/etc/openvpn/iface_updown.sh" if a server (for port forwarding) is specified as a parameter. This allows running websites and other services over a VPN connection. This, in effect, provides another isolated ISP / internet connection. The SecureOffice team uses this functionality to test servers and VOIP quality over long distances, since the server can appear to be located anywhere on the planet using commercial VPN servers. If intending to use this functionality, make sure your VPN provider does not block any ports. Some VPN providers do block ports and offer paid port forwarding or static IP servers as options, an alternative way to forward ports.
A commercial VPN provider is NOT required for SecureOffice VPN server functionality.
This script configures SecureOffice to be a VPN server, allowing remote VPN clients full, secure access to SecureOffice resources, making remote clients appear to be local and providing remote access to SecureOffice for road warriors. This is how remote SecurePBX extensions (phones), PCs and other devices are securely connected to SecureOffice as remote clients, appearing as local devices, and how local resources such as IP cameras and applications (Home Assistant, NextCloud, etc.) are accessed remotely. There is no possibility of eavesdroppers or hackers, since private SSL encryption certificates (impossible to forge) are used.
Network topology for SecureOffice as a VPN server is shown below (Green is full secured, encrypted communications):
Figure 2: Remote VPN Clients
This script automates the following complex, tedious, error prone functions, necessary for SecureOffice to be an OpenVPN server for secure remote client access:
To install the scripts, at a SecureOffice command prompt, enter:
Local VPN (WiFi hotspot, optional bridged ethernet ports) clients connect to a dedicated bridge isolated from SecureOffice resources. The bridge, firewall and DHCP services must be configured to support the client VPN functionality. File "/etc/openvpn/openwrt_readme.txt" summarizes the configuration pre-requisites.
Create the bridge and VPN interface for local VPN clients. This is also where to optionally bridge dedicated ethernet port(s). Add the following to file "/etc/config/network":
# Arbitrary bridge name 'ext_vpn' must match name in /etc/config/dhcp, /etc/config/firewall and /etc/config/wireless
# Bridge created and bound to some interface (/etc/config/network):
config interface 'ext_vpn'
	#option ifname 'ethX' # optional: ethernet device to also bind to. Do not add WiFi device.
	option proto 'static'
	option type 'bridge'
	option ipaddr '192.168.20.1' # RFC 1918 private address, eg: 192.168.20.1, that does not conflict with the LAN
	option netmask '255.255.255.0'
	option ip6assign '60' # IPV6 address

# Create client VPN interface and bind to tun/tap
config interface 'tun1'
	option ifname 'tun1'
	option proto 'none'
Figure 3: Create VPN Client Bridge
Add the VPN client DHCP configuration. Add the following to file "/etc/config/dhcp":
# DHCP interface and range defined (/etc/config/dhcp):
config dhcp 'ext_vpn'
	option interface 'ext_vpn'
	option dhcpv6 'server'
	option ra 'server'
	option start '100'
	option limit '150'
	option force '1'
	option leasetime '12h'
	list dhcp_option '6,8.8.8.8,8.8.4.4' # DNS servers
Figure 4: VPN Client DHCP Configuration
Create the isolated VPN firewall zone and define the forwarding rules. This assumes the first free TUN device is "tun1". Add the following to file "/etc/config/firewall":
# Firewall zones created, forwarding defined (/etc/config/firewall)
config zone
	option name 'tun1'
	option network 'tun1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'ext_vpn'
	list network 'ext_vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'ext_vpn'
	option dest 'tun1'

config forwarding
	option src 'tun1'
	option dest 'ext_vpn'
Figure 5: VPN Client Firewall Configuration
Create the isolated VPN WiFi hotspot. Add the following to file "/etc/config/wireless". If the WiFi radio is not capable of multiple SSIDs (most are), alter the existing entry instead:
# If creating VPN Wifi hotspot, add new SSID if Wifi capable of multiple SSID's, or alter only SSID entry (/etc/config/wireless)
config wifi-iface
	option device 'radio0' # radio to use
	option network 'ext_vpn' # bridge to VPN bridge
	option mode 'ap'
	option ssid 'your choice'
	option encryption 'psk2' # do not change unless you know what you are doing
	option key 'your choice'
Figure 6: VPN WiFi Hotspot Configuration
After entering the above configuration, reboot SecureOffice or enter "/etc/init.d/network restart" to apply the changes.
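The isolation of VPN clients depends on the two "config forwarding" entries above being the only forwardings that touch the 'ext_vpn' zone: anything else (for example a forwarding to 'lan' or 'wan') gives hotspot clients a path to local resources or an unencrypted path to the internet. The script below is an added example, not part of the SecureOffice scripts. It parses the "config forwarding" sections of a file in /etc/config/firewall syntax and fails if the isolated zone can reach any zone other than 'tun1', or if the pair of forwardings is missing. The sample files it writes are constructed for the demo; on SecureOffice, point check_isolation at /etc/config/firewall after editing it.

```shell
#!/bin/sh
# Added example (not from the SecureOffice scripts): confirm that the firewall
# entries above really isolate the VPN client bridge. 'ext_vpn' and 'tun1' are
# the zone names used on this page; the sample files are constructed here.

# Print one "src dest" line per 'config forwarding' section of a UCI file.
# Assumes one "option key 'value'" per line, as in the examples on this page.
uci_forwardings() {
	awk '
		function unq(s) { gsub(/^["'\'']|["'\'']$/, "", s); return s }
		function flush() { if (in_fwd && src != "" && dst != "") print src, dst }
		/^[[:space:]]*config[[:space:]]/ {
			flush(); in_fwd = ($2 == "forwarding"); src = ""; dst = ""; next
		}
		in_fwd && $1 == "option" && $2 == "src"  { src = unq($3) }
		in_fwd && $1 == "option" && $2 == "dest" { dst = unq($3) }
		END { flush() }
	' "$1"
}

# check_isolation FILE ISOLATED_ZONE TUNNEL_ZONE
# Returns 0 when the isolated zone exchanges traffic with the tunnel zone only
# (and that pair is present in both directions, so clients still get internet
# access); returns 1 and lists the offending forwardings otherwise.
check_isolation() {
	fwd=$(uci_forwardings "$1") || return 1
	leaks=$(printf '%s\n' "$fwd" | awk -v iso="$2" -v tun="$3" '
		($1 == iso && $2 != tun) || ($2 == iso && $1 != tun) { print "  " $1 " -> " $2 }')
	pairs=$(printf '%s\n' "$fwd" | awk -v iso="$2" -v tun="$3" '
		$1 == iso && $2 == tun { out = 1 }
		$1 == tun && $2 == iso { inb = 1 }
		END { print out + inb }')
	if [ -n "$leaks" ]; then
		printf '%s: zone %s can reach zones other than %s:\n%s\n' "$1" "$2" "$3" "$leaks" >&2
		return 1
	fi
	if [ "$pairs" -ne 2 ]; then
		printf '%s: forwarding between %s and %s is missing\n' "$1" "$2" "$3" >&2
		return 1
	fi
	return 0
}

# Constructed samples: the forwarding entries shown above (good) and the same
# file with an extra forwarding from the VPN bridge to the LAN (leak).
write_samples() {
	cat > "$1/firewall.good" <<'EOF'
config zone
	option name 'ext_vpn'
	list network 'ext_vpn'
	option forward 'REJECT'

config forwarding
	option src 'ext_vpn'
	option dest 'tun1'

config forwarding
	option src 'tun1'
	option dest 'ext_vpn'
EOF
	{ cat "$1/firewall.good"
	  printf "\nconfig forwarding\n\toption src 'ext_vpn'\n\toption dest 'lan'\n"; } > "$1/firewall.leak"
}

# Stand-alone run: create the samples and check both.
SAMPLE_DIR=${TMPDIR:-/tmp}/vpn_isolation.$$
mkdir -p "$SAMPLE_DIR" && write_samples "$SAMPLE_DIR"
check_isolation "$SAMPLE_DIR/firewall.good" ext_vpn tun1 && echo "firewall.good: isolated"
check_isolation "$SAMPLE_DIR/firewall.leak" ext_vpn tun1 || echo "firewall.leak: NOT isolated"
```

The check is deliberately strict about both directions: without the 'tun1' to 'ext_vpn' forwarding, replies from the tunnel never reach clients, which is the usual symptom of a half-edited firewall file.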
The path of the iface_updown script is placed in the client VPN configuration file and called when the VPN TUN device becomes connected or disconnected. The "iface_updown" script automatically configures IP traffic routing to mimic TAP device (bridge) functionality using OpenVPN TUN devices.
The PPTP device will be named pptp-pppX, where X is the device number.
To configure / define a PPTP connection, add the following to "/etc/config/network":
config interface 'ppp0'
	option disabled '0'
	option proto 'pptp'
	option ipv6 '1'
	option username '<your vpn provider user name>'
	option password '<your vpn provider password>'
	option defaultroute '0'
	option server '<IP address or URL of pptp server>'
Figure 7: VPN Define PPTP Connection
An example hotplug script is in "/etc/openvpn/example_hotplug/30-ppp0". Copy it to "/etc/hotplug.d/iface/30-ppp0". This script will be executed (to set up routes, DNS, etc.) every time the interface goes up or down. The script is shown below:
#!/bin/sh
# Example openwrt hotplug script to be placed in /etc/hotplug.d/iface
# Rename to XX-$VPN_IF where XX is numeric execution order (lowest first)
# $ACTION (ifup | ifdown) and $INTERFACE are set by the hotplug subsystem
# VPN_IF interface (pppX, ...) as defined in /etc/config/network
VPN_IF=ppp0
# Isolated bridge for $INTERFACE as defined in /etc/config/network
BRIDGE=ext_vpn
# Optional, server to forward ports to (as defined in /etc/openvpn/firewall_updown.sh)
# If SERVER="", no port forwarding and anything connected to bridge will be totally isolated except for internet access
#SERVER=10.0.0.128
# 0 | 1 to log events
LOG=1
LOGFILE=/var/log/hotplug-$INTERFACE.log
# iface_updown.sh parameters: $1=bridge $2=logging(0|1) $3=optional server to port forward to using firewall_updown.sh
# $SERVER is deliberately left unquoted so that an empty value passes no third parameter
# "sh -x" traces to stderr, so stderr is redirected into the log file as well
[ "$ACTION" = "ifup" -a "$INTERFACE" = "$VPN_IF" ] && {
	#logger "$0 iface $INTERFACE up"
	sh -x /etc/openvpn/iface_updown.sh "$BRIDGE" "$LOG" $SERVER > "$LOGFILE" 2>&1
	#/etc/init.d/fw3 reload
}
[ "$ACTION" = "ifdown" -a "$INTERFACE" = "$VPN_IF" ] && {
	#logger "$0 iface $INTERFACE down"
	sh -x /etc/openvpn/iface_updown.sh "$BRIDGE" "$LOG" $SERVER > "$LOGFILE" 2>&1
}
exit 0
Figure 8: VPN PPTP Hotplug Script
From a command prompt, enter "nano /etc/hotplug.d/iface/30-ppp0". Change the following parameters to match your configuration.
The PPTP connection can be brought up / down by entering "ifup ppp0" or "ifdown ppp0" respectively.
To use the up / down script to provide isolated (not VPN, internet access only) connections, copy "/etc/openvpn/example_hotplug/30-ppp0" to "/etc/hotplug.d/iface/30-ethX", where "X" is the device number of your WAN interface (default: eth1).
Configure as above (PPTP), changing VPN_IF=ppp0 to "ethX" (the WAN interface).
If your VPN provider does not close ports (firewall) or can forward ports (may charge extra), it is possible to run websites and other services over VPN which allows your services to appear to be running from another geographic location. With a VPN provider that does not keep logs and "obey" your local "authorities", nobody can link you to the services, such as websites.
The server (which may be a SecureOffice hosted virtual machine) must have a static IP address on the SecureOffice LAN. Ports are forwarded to the server's IP address.
To forward ports, enter "nano /etc/openvpn/firewall_updown.sh" to define which ports to forward. An example set of port forwards is shown below for web, email and VOIP telephony services:
# ("Enabled [0 | 1]" "Start_Port[:End_Port]" "protocol" "Server to forward to" "Comment")
FWD_0=("1" "80:90" "tcp" "$server" "Forward_Http_to_$server")
FWD_1=("1" "443" "tcp" "$server" "Forward_Https_to_$server")
FWD_2=("1" "5060:5080" "tcp" "$server" "Redirect-SIP")
FWD_3=("1" "5060:5080" "udp" "$server" "Redirect-SIP")
FWD_4=("1" "$rtp_range" "udp" "$server" "Redirect-RTP")
FWD_5=("1" "25" "tcp" "$server" "Redirect-SMTP")
FWD_6=("1" "2525" "tcp" "$server" "Redirect-SMTP-alt")
FWD_7=("1" "465" "tcp" "$server" "Redirect-SMTP-secure")
FWD_8=("1" "110" "tcp" "$server" "Redirect-POP3")
FWD_9=("1" "995" "tcp" "$server" "Redirect-POP3-secure")
FWD_10=("1" "143" "tcp" "$server" "Redirect-IMAP")
FWD_11=("1" "993" "tcp" "$server" "Redirect-IMAP-secure")
FWD_ARRAY=(
FWD_0[@]
FWD_1[@]
FWD_2[@]
FWD_3[@]
FWD_4[@]
FWD_5[@]
FWD_6[@]
FWD_7[@]
FWD_8[@]
FWD_9[@]
FWD_10[@]
FWD_11[@]
)
COUNT=${#FWD_ARRAY[@]}
Figure 9: VPN Forward Ports to Server
Remove any entries not required. Add any additional port forwards and save the file.
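To make the table format concrete, the script below is an added example, not the project's "/etc/openvpn/firewall_updown.sh" (whose internals are not shown on this page). It expands entries with the same five fields into firewall rules, assuming iptables is used, that forwarded connections arrive on the VPN tunnel device (tun1 here) and that each enabled entry becomes one DNAT rule plus one FORWARD accept. It validates the protocol, the port spec (single port or "start:end", as in the table) and the server address, and prints the rules rather than applying them. The table rows and the $server and $rtp_range values are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the project's firewall_updown.sh): expand FWD_n style
# entries into firewall rules. Assumes iptables, a DNAT in the nat PREROUTING
# chain for traffic arriving on the VPN interface plus a FORWARD accept.
VPN_IF=${VPN_IF:-tun1}   # VPN tunnel device; tun1 is the first client device on this page

# fwd_rules ENABLED PORTS PROTO SERVER COMMENT
# Prints the rules for one entry, nothing for a disabled one; returns 1 on a
# malformed field. PORTS is "port" or "start:end", exactly as in the table.
fwd_rules() {
	[ "$1" = "1" ] || return 0
	case $3 in
		tcp|udp) ;;
		*) echo "fwd_rules: protocol must be tcp or udp, got '$3'" >&2; return 1 ;;
	esac
	case $2 in
		*[!0-9:]*|''|*:*:*) echo "fwd_rules: bad port spec '$2'" >&2; return 1 ;;
	esac
	case $4 in
		*[!0-9.]*|'') echo "fwd_rules: server must be an IPv4 address, got '$4'" >&2; return 1 ;;
	esac
	# Rewrite the destination to the LAN server; a port range keeps its original ports.
	printf "iptables -t nat -A PREROUTING -i %s -p %s --dport %s -m comment --comment '%s' -j DNAT --to-destination %s\n" \
		"$VPN_IF" "$3" "$2" "$5" "$4"
	# Allow the rewritten packets through the FORWARD chain.
	printf "iptables -A FORWARD -i %s -p %s -d %s --dport %s -j ACCEPT\n" \
		"$VPN_IF" "$3" "$4" "$2"
}

# Constructed sample table using the same five fields as the FWD_n entries.
# $server and $rtp_range stand in for values set elsewhere in the real script.
server=10.0.0.128
rtp_range=10000:20000
fwd_table() {
	cat <<EOF
1 80:90 tcp $server Forward_Http_to_$server
1 443 tcp $server Forward_Https_to_$server
0 25 tcp $server Redirect-SMTP
1 $rtp_range udp $server Redirect-RTP
EOF
}

# Expand every enabled row of the table into rules (print only, do not apply).
all_rules() {
	fwd_table | while read -r enabled ports proto srv comment; do
		fwd_rules "$enabled" "$ports" "$proto" "$srv" "$comment" || return 1
	done
}

# Number of rule lines the table expands to (two per enabled row).
rule_count() { all_rules | wc -l | tr -d ' '; }

all_rules
```

Disabled rows (first field "0") produce nothing, which is what the "Enabled" field in the project's table is for; keeping an entry disabled rather than deleting it makes it easy to re-enable later.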
This script is called by "/etc/openvpn/iface_updown.sh" with the server IP address as a parameter when the VPN interface goes up or down. The server IP address must therefore be passed as a parameter wherever "/etc/openvpn/iface_updown.sh" is invoked, which may be the OpenVPN configuration or a hotplug script.
If OpenVPN is managing the interface, edit the provider OpenVPN configuration file ("/etc/openvpn/<provider>/<provider>.conf") and add the server IP address to the up / down script parameters. For example:
Change "up '/etc/openvpn/iface_updown.sh ext_vpn 0'" to "up '/etc/openvpn/iface_updown.sh ext_vpn 0 <server_IP>'"
Change "down '/etc/openvpn/iface_updown.sh ext_vpn 0'" to "down '/etc/openvpn/iface_updown.sh ext_vpn 0 <server_IP>'"
If the interface is managed by hotplug, define "SERVER=<server_IP>" in the "/etc/hotplug.d/<script name>" file.
This script allows SecureOffice to be a VPN server for secure remote access to SecureOffice, as a bridged or routed server (simultaneously for different clients). The differences between bridged and routed VPN connections, and when to use each, are explained below under "Test SecureOffice VPN Servers".
These functions are performed by the script "/etc/ssl/openvpn/openvpn-server.sh".
Script usage is best explained by running it without parameters, to display help: "/etc/ssl/openvpn/openvpn-server.sh".
Prerequisites:
	Change variables at beginning of /etc/ssl/openvpn/openvpn-server.sh to match your installation / preferences
	Change variables at beginning of /etc/ssl/openvpn/openvpn-server.cnf to match your installation / preferences
	Caveat: No spaces in any parameters, else enclose in quotes
Usage:
	"/etc/ssl/openvpn/openvpn-server.sh server":
		Create openvpn server certificates
		Creates openvpn tap server configuration file: /etc/ssl/openvpn/<domain>-bridged.conf
		Creates openvpn tun server configuration file: /etc/ssl/openvpn/<domain>-routed.conf
	"/etc/ssl/openvpn/openvpn-server.sh client "user_name" "user_email" "user_password" "user_challenge_password" (optional):
		Create openvpn client certificates
		Using "user_challenge_password" is discouraged
		Client output certificates: /etc/ssl/openvpn/<domain>-<user_name>.key.pem, /etc/ssl/openvpn/<domain>-<user_name>.crt.pem
		Client output configuration files: /etc/ssl/openvpn/<user_name>-<domain>-bridged.ovpn, /etc/ssl/openvpn/<user_name>-<domain>-routed.ovpn
Figure 10: VPN Server Script Usage
Beginning of file "/etc/ssl/openvpn/openvpn-server.sh" contains VPN server configuration settings such as protocol (tcp / udp), server ports and tap / tun device numbers. Change them according to your preferences. It is suggested to leave the device numbers at "0" and start VPN client device numbers at "1".
Beginning of file "/etc/ssl/openvpn/openvpn-server.cnf" contains VPN certificate configuration settings such as key size, location and organization. Change them according to your preferences.
Enter "/etc/ssl/openvpn/openvpn-server.sh server". This will create all files required to run VPN bridged (tap) and routed (tun) servers on SecureOffice. The generated configuration files are:
Enter "nano /etc/config/openvpn" and add the following configuration entries.
config openvpn 'vpn_server_bridged'
	option enabled '1'
	option config '/etc/ssl/openvpn/<domain>-bridged.conf'

config openvpn 'vpn_server_routed'
	option enabled '1'
	option config '/etc/ssl/openvpn/<domain>-routed.conf'
Figure 11: OpenVPN Server Configuration
Enter "/etc/ssl/openvpn/openvpn-server.sh client <user_name> <user_email> <user_password>", with no spaces or quotes in any parameter. This creates the OpenVPN client configuration files (bridged / tap and routed / tun) for one client; each file contains all required certificates. Repeat to create as many unique client configuration files as needed, differentiated by client identity and password.
If you intend to use a single client configuration file for multiple clients, be aware that revoking the certificate will revoke credentials for all clients using the certificate (part of client configuration file). This is not recommended, since new credentials will have to be issued for all non-revoked clients. To enable this, uncomment "#duplicate-cn" in the server config file.
Clients will normally use routed / TUN configuration files. Clients such as PCs that need to browse / access network resources on the SecureOffice local LAN should use bridged / TAP configuration files / connections.
At the time of writing, the SecureOffice team is aware of only one Android OpenVPN application that reliably supports bridged / tap connections. It is an inexpensive paid application, highly recommended, called "VPN Client Pro" (colucci-web.it), available from the Google Play Store.
Two ports "BRIDGED_PORT" and "ROUTED_PORT" (defaults: 1190, 1191) are specified in "/etc/ssl/openvpn/openvpn-server.sh". These ports need to be opened on the SecureOffice firewall.
Enter "nano /etc/config/firewall" and add two entries at the end:
config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp udp'
	option dest_port '1190'
	option name 'vpn_server_bridged'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp udp'
	option dest_port '1191'
	option name 'vpn_server_routed'
Figure 12: VPN Firewall Ports
Replace the "dest_port" values with the assigned "BRIDGED_PORT" and "ROUTED_PORT" values respectively.
Device tap0 must be bridged to the SecureOffice LAN. In file "/etc/config/network", under "config interface 'lan'", change "option ifname 'eth1'" to "option ifname 'eth1 tap0'"
Enter "/etc/init.d/network restart; /etc/init.d/openvpn restart" to have the settings take effect.
Note: If using LAN topology (SecureOffice behind a main router), the VPN server ports (1190, 1191, tcp and udp) must be forwarded to SecureOffice on the main router.
The OpenVPN client configuration files (which include SSL certificates) are:
These configuration files can be imported into any client PC, phone or device supporting OpenVPN. The transfer / import method is device / OpenVPN client application specific. Search the internet to determine how to transfer files and import them into the VPN application for your device. WinSCP can be used to transfer the configuration files to another PC and, from there, to other devices. Cellphones and Android devices may need the configuration files to be transferred using an SD card.
Bridged VPN connections provide clients access to the entire SecureOffice LAN and broadcast traffic. It is equivalent to being physically connected to the LAN, including ability to browse network neighborhood. Use bridged connection to access services on the SecureOffice LAN which rely on broadcast traffic such as network browsing.
Routed VPN connections have less overhead than bridged connections due to broadcast traffic not going over the VPN interface. Use routed connections for applications like SecurePBX extensions (phone numbers on cellphone) and access to private resources such as IP cameras.