
Configure VPN (SecureOffice article by xoops, 29-Nov-2020 17:10)

1        SecureOffice VPN

SecureOffice supports OpenVPN and all other protocols supported by OpenWrt for client (connect to external VPN servers) and server (provide VPN services for secure remote access clients) applications. Instructions are provided for the following usage scenarios:

  • Secure internet access using commercial VPN providers via a dedicated WiFi connection and / or ethernet port (a VPN WiFi hotspot). Computers using these VPN connections are automatically protected and isolated from the SecureOffice network. This does not prevent you from using provider VPN clients / settings on your other computers / devices. Use this for:
    • secure browsing for client computers / laptops, including DNS leak protection using a WiFi / ethernet VPN connection.
    • view geographically restricted content (Netflix, Hulu, etc) using your streaming media devices connected to VPN hotspot or ethernet port.
    • provide isolated WiFi (internet access) for your guests, clients or temporary employees with no access to your local network. If your SecureOffice WiFi card does not support multiple SSIDs, this will be your only WiFi connection. WiFi cards that support multiple SSIDs can offer VPN and full access to local LAN resources simultaneously, depending on which SSID you connect to.
    • create totally isolated internet connections (virtual ISPs). Very useful for testing your internet services from various global locations without having to purchase multiple internet connections. This is partially how the SecureOffice team tests network and VoIP performance.
    • run servers and websites over VPN. Be globally agile, always one step ahead of those who would "shut you down". This is partially how the SecureOffice team runs test servers, prior to deployment on real servers. Caution: this application requires a very high degree of trust in the VPN provider. There are also additional VPN provider technical requirements such as no firewall, or if there is a firewall, non-Symmetric NAT and ability to forward multiple ports.
  • Secure access to local protected SecureOffice resources by running OpenVPN services for remote clients. Use this for:
    • Build a distributed network of SecureOffice (or other) computers / servers, connected by VPN for geographically distributed clients / enterprises.
    • Bypass Symmetric NATs and other means that many cellular data providers use to block VoIP and other competing services. This allows SecurePBX SIP telephony extensions to function on cellphones. Symmetric NATs cannot forward ports, and communicating with one IP address over multiple ports through them is impossible, which breaks multi-port protocols such as VoIP.
    • Secure remote access to protected SecureOffice resources such as services, files, email, IP cameras, etc.

Subsequent configuration steps require the following skills:

  • Ability to remotely access the SecureOffice Linux command prompt, using PuTTY or another SSH client from a PC or laptop. It is possible to use the local SecureOffice console or keyboard, but copy / paste is not possible (unless Xorg-server and lxterminal are installed), making it a cumbersome experience.
  • Ability to use the nano text editor.

It is possible to perform many of these configuration steps using the OpenWrt web GUI. To do so, consult the OpenWrt Wiki for instructions.

2        OpenVPN Client Connections

SecureOffice can simultaneously be a client of external VPN servers and / or a server for private VPN services, whether for client devices remotely connected to SecureOffice or for a network of other SecureOffice nodes, forming a larger, geographically distributed, load-sharing enterprise (or dissident) network with full remote access for VPN clients.

2.1    Install OpenVPN Packages

OpenWrt / SecureOffice VPN requires three packages to be installed:

  • Package "ip-full" allows control of advanced routing features used by the custom SecureOffice VPN scripts package.
  • Package "openvpn-openssl" is the actual OpenVPN program and libraries required to create and manage VPN connections.
  • Package "luci-app-openvpn" is the OpenWrt web GUI for configuring simple VPN connections. It is not used to create the VPN configuration files in this section because it is cumbersome to enter the advanced configuration settings required. All VPN connections in this section are configured using the SecureOffice Linux shell prompt in an SSH session. This does not preclude creating additional simple VPN connections using the Luci GUI, or using Luci to control (enable / disable, start / stop) the VPN connections created in this section.

From a command prompt, execute the following commands to install OpenVPN packages and dependencies:

  • "opkg update; opkg install ip-full openvpn-openssl luci-app-openvpn"
  • "cp /etc/config/openvpn /etc/config/openvpn_ref" Save default config for reference.

2.2    Commercial VPN Providers

Most VPN providers focus on the far larger Windows market, with fancy custom applications to select VPN servers from multiple countries. Very few directly provide the OpenVPN configuration files usable for OpenWrt / OpenVPN / SecureOffice. OpenWrt does provide a web GUI (Services->OpenVPN) for configuring OpenVPN connections, but requires having the config settings beforehand. It is just as easy to create the necessary configuration files.

One approach is to download and alter (userid, password, VPN server) one of the OpenVPN config files for various VPN services provided by SecureOffice. Configuration files for the following VPN providers can be downloaded (free) from here.

There is absolutely nothing preventing users from doing the research to determine OpenVPN configuration for a VPN provider and creating their own configuration, as discussed below for Hide My Ass (HMA).

The OpenWrt Wiki and internet searches provide a wealth of knowledge regarding OpenWrt VPN in general, problem solving and configuration requirements for specific VPN providers.

No pro / con recommendations for any of the following VPN providers are provided; all have been verified. Any requests for recommendations will be met with "no comment". The reason is, it is YOUR information privacy at stake, requiring due diligence on your part. Further, any recommendation may not stand the test of time as providers change policies due to intimidation by those who believe they have a right to monitor and control the free flow of information that is so crucial to all of us staying informed, comprehending reality and adapting (AKA: surviving).

OpenVPN Configuration files are available for the following VPN providers:

It is assumed the point of having a commercial VPN connection (on SecureOffice) is to bridge it to a dedicated WiFi SSID, or ethernet port, for VPN connection sharing. The following instructions assume you have subscribed to the custom SecureOffice package / script repository and are using TUN devices. If not, you will have to consult the OpenWrt Wiki and internet to achieve this functionality. If you can choose TAP as the VPN interface type, the configuration differences between TUN and TAP bridging are discussed.

Most commercial VPN providers allow multiple connections, so using one for SecureOffice does not preclude other simultaneous VPN connections (using provider-supplied clients or OpenVPN) on other laptops and devices. For a device already connected through the SecureOffice VPN, it is redundant to also run that device's own VPN client, since the overhead of VPN over VPN will slow your connection.

2.2.1      Configure VPN Not In Above List

The best method is to acquire the Windows or Linux OpenVPN config files from the VPN provider and alter them to suit your requirements. For example, if you download and extract the Hide My Ass (HMA) VPN configuration files you will find 534 configuration files. Half of them are for UDP protocol, half of them are for TCP protocol. Once you decide on UDP versus TCP, that leaves 267 configuration files, one per country / server combination. Inspecting these files shows they are all identical except for the server domain name / IP address / port, with identical SSL certificates in each. Choose the one you want for SecureOffice and alter it to suit your preferences.

Use the OpenWrt OpenVPN Client Wiki page and any OpenVPN related information from the VPN provider for guidance. It is suggested to follow only the "Config Files" (connection requirements) settings from the VPN provider and subsequent configuration instructions in this document.

If you intend to use the SecureOffice custom VPN scripts (necessary for easy setup of VPN WiFi hotspots and VPN servers), it is necessary to alter your provider's VPN configuration (/etc/openvpn/provider/provider.conf) file to include the following values:

  • "route-noexec" Do not use VPN server pushed routes. Up / down scripts handle routes.
  • "route-metric 1"
  • "script-security 2" Allow scripts to run on connect / disconnect.
  • If you are using an OpenVPN tap device, change "tun1" to "tap1" (or, "tapX", next free tap device number).
  • If you are using the custom VPN scripts and a tun device, uncomment (remove the "#" at the beginning of) the next two lines.
  • "up /etc/openvpn/iface_updown.sh client_vpn 0" Connection up script to run, interface to bridge to, no logging.
  • "down /etc/openvpn/iface_updown.sh client_vpn 0" Connection down script to run, interface to bridge to, no logging.

Further configuration instructions (DHCP, Network, Firewall entries) follow in this document.
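The following is an added example, not a SecureOffice script: it applies the directives listed above to a provider .conf file idempotently (rewriting commented or existing lines in place, appending missing ones) and then verifies the result. It assumes OpenVPN's one-directive-per-line syntax; the bridge name client_vpn and the script path /etc/openvpn/iface_updown.sh are the values given on this page.

```shell
#!/bin/sh
# Added example (not a SecureOffice script): make a provider .conf ready for the
# custom VPN scripts. Assumes OpenVPN "directive [args]" line syntax; client_vpn
# and /etc/openvpn/iface_updown.sh are the values the page uses.

# set_directive FILE "directive [args]": rewrite an existing occurrence of the
# directive (commented out or not) in place, or append the line if it is absent.
set_directive() {
    file=$1; line=$2
    key=${line%% *}                          # first word, e.g. "route-metric"
    pattern="^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$"
    if grep -Eq "$pattern" "$file"; then
        sed -r -i "s|$pattern|$line|" "$file"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# prepare_provider_conf FILE [DEV]: DEV is tun1 (default) or a tap device such as
# tap1. The up / down scripts are only needed for TUN; a TAP device is bridged
# directly through "ifname" in /etc/config/network.
prepare_provider_conf() {
    conf=$1; dev=${2:-tun1}
    set_directive "$conf" "dev $dev"
    set_directive "$conf" "route-noexec"         # up / down scripts handle routes
    set_directive "$conf" "route-metric 1"
    set_directive "$conf" "script-security 2"    # allow the scripts to run
    case $dev in
        tun*)
            set_directive "$conf" "up /etc/openvpn/iface_updown.sh client_vpn 0"
            set_directive "$conf" "down /etc/openvpn/iface_updown.sh client_vpn 0" ;;
    esac
}

# check_provider_conf FILE [DEV]: returns 0 when every required directive is
# present and not commented out (exact whole-line match).
check_provider_conf() {
    conf=$1; dev=${2:-tun1}
    for line in "dev $dev" "route-noexec" "route-metric 1" "script-security 2"; do
        grep -qxF -- "$line" "$conf" || return 1
    done
    case $dev in
        tun*) for line in "up /etc/openvpn/iface_updown.sh client_vpn 0" \
                          "down /etc/openvpn/iface_updown.sh client_vpn 0"; do
                  grep -qxF -- "$line" "$conf" || return 1
              done ;;
    esac
    return 0
}

# Usage on SecureOffice:
#   sh this_script.sh /etc/openvpn/<provider>/<provider>.conf [tun1|tap1]
if [ $# -ge 1 ]; then
    prepare_provider_conf "$1" "${2:-tun1}"
    check_provider_conf "$1" "${2:-tun1}" || exit 1
    echo "$1: ready for the custom VPN scripts"
fi
```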

Once you have a working connection, if not on the above list, please tar your configuration files (minus user credentials) and send them in a message (Contact Us) with subject "VPN providers" so they can be added to the above list, benefiting the entire user base. This also applies to VPN providers who wish to be "on the list".

2.2.2      Configure VPN From Above List

  • Right click on the desired "config files" link above, select "Copy Hyperlink"
  • Open a SecureOffice command prompt using PuTTY or another SSH client.
  • From a SecureOffice command prompt, enter "mkdir -p /etc/openvpn".
  • From a SecureOffice command prompt, enter "wget --no-check-certificate -P /tmp <the link you copied above>". For example: "wget --no-check-certificate -P /tmp https://www.rossco.org/Downloads/OpenWrt/Files/openvpn/PrivateInternetAccessVPN.tar.gz"
  • The above command will download the Private Internet Access VPN configuration files archive to "/tmp/PrivateInternetAccessVPN.tar.gz", or in general, the tar.gz archive for the selected provider configuration.
  • Untar the archive: "cd /etc/openvpn; tar -zxvf /tmp/<the tar.gz file you downloaded>". This will extract and display a list of configuration files extracted to directory "/etc/openvpn/<provider name>".
  • The files are "<provider name>.conf", "*.cert", "*.key", "user.txt" and "config".
  • Change to the provider files directory: "cd /etc/openvpn/<provider name>"

The beginning of each supplied configuration file (provider.conf) contains instructions for getting the provider server list and OpenVPN config files for all servers, plus some troubleshooting hints regarding certificate expiry and what to do when the provider changes configuration requirements, breaking the VPN connection.

2.2.3      Modify Provider Configuration File

It is assumed you will also be running OpenVPN TUN and TAP servers for remote access to SecureOffice files and services, or, as a remote client on the SecureOffice LAN. Two devices are reserved for this purpose: tun0 and tap0. This means that additional VPN connections must start their device numbering at 1, for example: tun1, tap1. All supplied provider configuration files use tun1. If another VPN connection already uses tun1, this number must be changed to the next unallocated device number, and network and firewall configuration entries must be added for the new device.

For now (until your connection is working), it is recommended not to modify any settings in the provider.conf file.

Experts, or the curious, can edit the provider config file: "nano /etc/openvpn/<provider name>/<provider name>.conf", making any desired changes.

Once your connection is working and the network and firewall are configured to your satisfaction, the provider VPN server list can be consulted and the final VPN server (geographic location, streaming compatible, etc) can be configured by editing the <provider name>.conf file.

2.2.4      Modify User Credential File

This file contains your user id (line 1) and password (line 2) for your VPN service provider.

Edit the file ("nano user.txt") and change your VPN user id and password entries.

2.2.5      Modify OpenVPN Configuration File

Each of the provider configuration directories contains a file named "config", with contents (example):

config openvpn 'purevpn'
    option enabled '0'
    option config '/etc/openvpn/purevpn/purevpn.conf'

Add the contents of this config file to the end of the OpenVPN configuration file (/etc/config/openvpn), changing "enabled" to '1':

  • From a SecureOffice SSH console prompt: "nano /etc/openvpn/<provider name>/config".
  • Select and copy all text. Mouse left click, drag over all text (selects), right click (copies all text to clipboard). Exit nano (CTL + x).
  • Edit the OpenVPN configuration file: "nano /etc/config/openvpn". Using cursor keys, navigate to file end. Right click (paste clipboard contents). Using cursor keys, change enabled entry to '1'.
  • Save file and exit nano.

Note that if the VPN provider supports breaking geo-access restrictions to Netflix, Hulu, etc, they use specific servers (that must be selected and configured) for this purpose.

2.2.6      Test OpenVPN Connection

  • From a SecureOffice SSH command prompt enter: "/etc/init.d/openvpn enable; /etc/init.d/openvpn start" to enable the VPN connection at boot and start the connection.
  • From a SecureOffice SSH command prompt enter: "ls /var/log" to identify the provider.log file.
  • From a SecureOffice SSH command prompt enter: "tail -f /var/log/<logfile identified above>". This will display connection progress messages.
  • You will see "Initialization Sequence Completed" (successful connection) or messages will stop with an error indication.
  • Enter "CTL+c" to stop monitoring the OpenVPN connection log.
  • Fix any errors (consult VPN provider help / support or do internet research) before proceeding.

Once the connection is successful, enter "ping -I tunX yahoo.com" where X is the tun device number (default 1). You should see ping responses or error messages. Fix any errors before proceeding.

Enter "/etc/init.d/openvpn stop" to close the VPN connection.

2.2.7      Test If TAP Supported By VPN

This is an optional step. Do the test if you want to avoid the minor cost of subscribing to the premium SecureOffice package / script repository, whose scripts allow you to easily bridge TUN connections to share VPN connections.

Without those scripts, your VPN provider must support TAP devices to bridge connections from the VPN to other interfaces such as WiFi and ethernet. This allows connected devices such as TV boxes, DVD players, Smart TVs with NetFlix / Hulu, etc to share the VPN connection to bypass geo-restrictions (watch US NetFlix from outside the US).

You can (optionally) test TAP support by modifying the VPN configuration to use a TAP device, following these instructions.

2.2.8      Manage Various VPN Locations Using Luci

All configured VPN connections can be enabled / disabled, started / stopped using the OpenWrt Luci web GUI.

These are optional configuration steps.

It is possible to create numerous VPN configurations, differing only by server location, with differing filenames for each location. These connections can be controlled using the OpenWrt Luci web GUI.

Once you have narrowed the list of VPN servers you are interested in connecting to, clone and rename the provider VPN configuration files, with filenames of form: "<provider>.<ISO country code>.<city><Netflix>.conf", where <city> and <Netflix> are optional. ISO Country codes can be determined from here.

As an example: "/etc/openvpn/purevpn/purevpn.CA.Montreal.conf" (purevpn, Canada, Montreal, not a Netflix server). This naming convention allows you to use Luci to easily choose VPN connections. Note that all VPN configurations for each VPN provider are kept in the same "/etc/openvpn/<provider>" directory.

Each OpenVPN provider configuration file requires an entry of the following form in file "/etc/config/openvpn", using the naming convention above. Each entry needs its own distinct section name (for example 'hma_CA_Toronto'), since UCI section names may contain only letters, digits and underscores and two entries with the same name would be merged:

config openvpn '<unique section name>'
    option enabled '0'
    option config '/etc/openvpn/<provider>/<provider>.<ISO_country_code>.<city><Netflix>.conf'

Rename the working reference VPN configuration file according to the naming convention above. Example: "mv /etc/openvpn/hma/hma.conf /etc/openvpn/hma/hma.US.Miami.conf"

Perform the following steps (for each desired VPN server):

  • Copy reference VPN configuration file to new server file. Example: "cp /etc/openvpn/hma/hma.US.Miami.conf /etc/openvpn/hma/hma.CA.Toronto.conf"
  • Edit (nano) the new server configuration file to specify the correct server, ports and any other server-specific requirements. You may have to consult the provider's VPN server list and OpenVPN configuration files.
  • Add an entry for the new server in file "/etc/config/openvpn" as above.

Each of the VPN connections can now be controlled using the Luci web GUI (Services->OpenVPN).

2.2.9      Change File Permissions

This restricts access to the provider configuration files (which hold your credentials and keys) to the file owner (root, unless a different user has been configured).

From a SecureOffice command prompt, enter: "chmod 400 /etc/openvpn/<provider name>/*"

3        PPTP Client Connections

TODO: Write It. PPTP has been verified with SecureOffice.

OpenWrt has HowTo's for PPTP and L2TP / IPsec. If SSTP support is required, modify Linux howto's (internet search) for OpenWrt.

These protocols create uniquely named devices which replace "openvpn tunX / tapX" devices in subsequent connection configuration instructions.

4        Configure Commercial VPN Connections

Previous configuration was concerned with setting up the virtual Ethernet device (tunX / tapX, pptp-pppX, etc) and the requirements for connecting it to the VPN provider. The following sections deal with configuring SecureOffice to use the VPN device for various usage scenarios. If using PPTP, L2TP / IPsec or SSTP connections, replace tunX with the corresponding device name in subsequent instructions.

It is assumed users are interested in sharing the VPN connection for multiple clients / applications. The best, perhaps only, way to do this is to create a dedicated LAN, provide DHCP services on it and route traffic between the VPN interface and the dedicated LAN.

Caveat: sharing (bridging) OpenVPN connections requires that the VPN provider support TAP, which not many do. To achieve bridging using TUN devices, use the custom OpenVPN scripts to configure your VPN connections.

4.1    Create VPN Interface And Bridge

OpenVPN uses but does not create network interfaces (tunX / tapX, pptp-pppX, etc). That is the job of OpenWrt networking, requiring configuration.

The VPN interface (tapX, tunX, pptp-pppX, etc) is the virtual network device over which all VPN traffic flows.

The VPN bridge is a separate dedicated LAN, for isolated VPN traffic, which all VPN clients connect to, using bridged WiFi or real ethernet ports.

For detailed information regarding these and other configuration settings in file "/etc/config/network", consult the OpenWrt Network Documentation.

Using a SecureOffice SSH command prompt, enter "nano /etc/config/network". Add the following entries at the end of the file:

config interface 'tun1'
    option ifname 'tun1'
    option proto 'none'

config interface 'client_vpn'
    #option ifname 'tapX ethX'
    option proto 'static'
    option type 'bridge'
    option ipaddr '10.0.0.1'
    option netmask '255.255.255.0'
    #option force_link '1'
    #option bridge_empty '1'
    option ip6assign '60'

Figure 1: VPN Interface and Bridge Network Configuration

  • If this is the first client VPN connection (tun0 and tap0 are reserved for the SecureOffice VPN server) and it uses tun, keep 'tun1'. If using a tap adapter, change "tun1" to "tap1". Otherwise, replace both instances of 'tun1' with the adapter type and number you are configuring. For example: tun2, tap2.
  • The client "interface" name can be anything, but you must use the chosen name everywhere that "client_vpn" is mentioned.
  • The "ifname" entry lists all devices that are to be members of this bridge. Do not add tunX (TUN devices cannot be bridged) or the WiFi interface, which is configured elsewhere. This is how TAP devices and additional ethernet ports (starting with eth2, which may be a USB ethernet dongle) are added to the VPN bridge / LAN. If using only TUN devices, omit the "ifname" entry or leave it commented.
  • The "ipaddr" entry is the base address of the VPN LAN / bridge. It can be any RFC 1918 private address as discussed in LAN Configuration, so long as it does not conflict with the SecureOffice LAN address (default 192.168.10.1). For example: 192.168.2.1. Shared VPN clients will receive DHCP addresses from this LAN / bridge.
  • Changing any other entries is not recommended unless you really know what you are doing. This will "void your warranty".

Save the file and exit nano.

4.2    Configure VPN DHCP And DNS

Clients on the VPN bridge require DNS and DHCP services, in addition to basic network connectivity. Clients may also use static IP addresses within the VPN LAN / bridge address range, but outside the DHCP range, if desired.

For detailed information regarding these and other configuration settings in file "/etc/config/dhcp", consult the OpenWrt DNS and DHCP Documentation.

Using a SecureOffice SSH command prompt, enter "nano /etc/config/dhcp". Add an entry of the following form:

config dhcp 'client_vpn'
    option interface 'client_vpn'
    option dhcpv6 'server'
    option ra 'server'
    option limit '150'
    option start '100'
    option force '1'
    option leasetime '12h'
    list dhcp_option '6,8.8.8.8,8.8.4.4'

Figure 2: VPN Bridge DHCP and DNS Configuration

  • The "interface" name can be anything, but you must use the chosen name everywhere that "client_vpn" is mentioned.
  • The "start" value determines the first DHCP address allocated to clients. The "limit" value determines the number of clients and the last DHCP address allocated to clients. For example (using the settings above), if the base address of the VPN bridge (previous section) was set to 192.168.2.1, the first client DHCP address will be 192.168.2.100 and, the last address will be 192.168.2.250 (start plus limit).
  • The "list dhcp_option '6,8.8.8.8,8.8.4.4'" entry specifies the DNS servers handed out to DHCP clients. The value above is for Google DNS servers, which are fast and exist in most, if not all, countries, making geo-location by DNS impossible. Do not change these addresses to anything such as your ISP's DNS servers, which would allow your VPN clients to be geographically located, breaking streaming and other geo-restricted services. If alternate DNS servers are required, use the servers recommended by your VPN provider, or choose ones from this list for your VPN alias location.
  • It is not necessary to alter any other settings.

Save the file and exit nano.

4.3    Configure VPN Firewall Settings

This setting (forwarding) can be omitted if you are using a tap device, since tap devices are already bridged to the "client_vpn" LAN / bridge in file "/etc/config/network".

For detailed information regarding these and other configuration settings in file "/etc/config/firewall", consult the OpenWrt Firewall Documentation.

Using a SecureOffice SSH command prompt, enter "nano /etc/config/firewall". Add entries of the following form:

config zone
    option name 'tun1'
    option network 'tun1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config zone
    option name 'client_vpn'
    list network 'client_vpn'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'client_vpn'
    option dest 'tun1'

config forwarding
    option src 'tun1'
    option dest 'client_vpn'

Figure 3: VPN Bridge Firewall Configuration

  • If using a tap device, replace all instances of "tun1" with "tapX", where X is the tap device number. Only the "zone" configuration settings are required for tap devices, since they are bound to the bridge; the "forwarding" entries are not required for TAP devices.
  • If using a tun device, replace all instances of "tun1" with "tunX", where X is the tun device number, if you changed it.
  • Replace all instances of "client_vpn" with the VPN LAN / bridge name, if you changed it.

Save the file and exit nano.
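Sections 4.1 to 4.3 as one repeatable script, added here as an example (not a SecureOffice script): it issues the uci commands equivalent to the nano edits above, refuses a bridge address outside RFC 1918 space, and forwards only between the bridge and the tunnel so VPN clients stay isolated from the SecureOffice LAN. It assumes the "ifname"-style network syntax shown above (OpenWrt 19.07 era) and a TUN device; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not a SecureOffice script): uci equivalent of sections 4.1 to 4.3.
# Assumes the page's "ifname" network syntax and a TUN device; for TAP, also add
# the device to the bridge's ifname and skip the two forwardings.

uci_do() {                              # run a uci command, or print it under DRY_RUN=1
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "uci $*"; else uci "$@"; fi
}

# add_zone NAME [masq]: firewall zone covering the interface of the same name
add_zone() {
    uci_do add firewall zone
    uci_do set "firewall.@zone[-1].name=$1"
    uci_do add_list "firewall.@zone[-1].network=$1"
    uci_do set "firewall.@zone[-1].input=ACCEPT"
    uci_do set "firewall.@zone[-1].output=ACCEPT"
    uci_do set "firewall.@zone[-1].forward=REJECT"
    if [ "${2:-}" = masq ]; then        # NAT client traffic into the tunnel, clamp MSS
        uci_do set "firewall.@zone[-1].masq=1"
        uci_do set "firewall.@zone[-1].mtu_fix=1"
    fi
}

# add_forwarding SRC DEST: allow traffic from zone SRC to zone DEST
add_forwarding() {
    uci_do add firewall forwarding
    uci_do set "firewall.@forwarding[-1].src=$1"
    uci_do set "firewall.@forwarding[-1].dest=$2"
}

# configure_vpn_bridge DEV BRIDGE IPADDR, e.g. configure_vpn_bridge tun1 client_vpn 10.0.0.1
configure_vpn_bridge() {
    dev=$1; br=$2; ip=$3
    case $ip in                         # the bridge address must be RFC 1918 (4.1)
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
        *) echo "$ip is not an RFC 1918 private address" >&2; return 1 ;;
    esac
    # 4.1: the VPN device interface, and the dedicated LAN / bridge clients join
    uci_do set "network.$dev=interface"
    uci_do set "network.$dev.ifname=$dev"
    uci_do set "network.$dev.proto=none"
    uci_do set "network.$br=interface"
    uci_do set "network.$br.proto=static"
    uci_do set "network.$br.type=bridge"
    uci_do set "network.$br.ipaddr=$ip"
    uci_do set "network.$br.netmask=255.255.255.0"
    uci_do set "network.$br.ip6assign=60"
    # 4.2: DHCP pool for clients; DNS stays on the page's Google resolvers so
    # clients are not geo-located through the ISP's DNS
    uci_do set "dhcp.$br=dhcp"
    uci_do set "dhcp.$br.interface=$br"
    uci_do set "dhcp.$br.dhcpv6=server"
    uci_do set "dhcp.$br.ra=server"
    uci_do set "dhcp.$br.start=100"
    uci_do set "dhcp.$br.limit=150"
    uci_do set "dhcp.$br.force=1"
    uci_do set "dhcp.$br.leasetime=12h"
    uci_do add_list "dhcp.$br.dhcp_option=6,8.8.8.8,8.8.4.4"
    # 4.3: one zone per side; forwarding only between bridge and tunnel, never to
    # the SecureOffice LAN, which is what keeps VPN clients isolated
    add_zone "$dev" masq
    add_zone "$br"
    add_forwarding "$br" "$dev"
    add_forwarding "$dev" "$br"
    uci_do commit network
    uci_do commit dhcp
    uci_do commit firewall
}

# Usage: DRY_RUN=1 sh this_script.sh tun1 client_vpn 192.168.2.1  (then without DRY_RUN)
# Restart dnsmasq and network afterwards, as in section 6.
if [ $# -eq 3 ]; then configure_vpn_bridge "$@"; fi
```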

4.4    Configure WiFi SSID As VPN Hotspot

The VPN interface will be bridged to a dedicated WiFi SSID, isolating the local network and providing secure browsing and / or breaking geo-location (VPN server dependent) for WiFi clients.

For detailed information regarding these and other configuration settings in file "/etc/config/wireless", consult the OpenWrt Wireless Documentation.

A WiFi SSID (Service Set IDentifier) is the network name you see when browsing WiFi connections.

If you have a WiFi card capable of hosting multiple SSID's (hardware requirements), create a new entry for it, otherwise, alter the existing entry.

Using a SecureOffice SSH command prompt, enter "nano /etc/config/wireless". Add entries of the following form:

config wifi-iface
    option device 'radio0'
    option network 'client_vpn'
    option mode 'ap'
    option ssid 'your choice'
    option encryption 'psk2'
    option key 'your choice'

Figure 4: VPN WiFi Hotspot Configuration

  • The "device" entry is the name of the radio used, from the "wifi-device" option list in the same file.
  • The "network" entry is the name of the bridge (client_vpn) created for VPN.
  • The "ssid" entry is the name of your VPN WiFi network. For example: "my_vpn".
  • The "encryption" entry may be "none" for an unencrypted, isolated VPN hotspot. Otherwise, use "psk2".
  • The "key" entry is the password for WiFi clients. Omit this entry for a completely open (no password) isolated VPN hotspot.

This is a very basic configuration. OpenWrt wireless is very flexible. Consult the wireless documentation for additional encryption and authentication options.

Skip ahead to test VPN connections.

5        SecureOffice VPN Server

This section provides private VPN connections between your (roaming) device and SecureOffice acting as a VPN server. This is used for full remote access to local resources, with your device being on the SecureOffice LAN.

An example application is to eliminate your cellphone bill by having your cellphone VPN connected to SecureOffice, as a SecurePBX extension. So long as your cellphone has an internet (WiFi or data) connection, you can make / receive calls using your home phone line. Missed calls will go to SecurePBX voicemail. An added "bonus" is when you are "home sick" (but living the life of Riley, roaming), it will appear you are at home. Nobody will know your real location.

Private VPN connections may also be used to allow SecureOffice to be a VPN client, securely connected to a larger private LAN as part of a corporate or globally distributed private network. For example, SecurePBX installations in regional nodes can be networked together for a much larger, globally distributed secure telephone network. In this scenario, there is one master private VPN server, with all others as VPN clients. Users wishing to accomplish this will have to do their own research, bearing in mind that standard Linux and VPN methods are compatible with SecureOffice.

TODO: Add some more links, as HowTo pointers.

Clients such as PCs, cellphones or other SecureOffice nodes can remotely and securely join the SecureOffice LAN, both for security and to bypass the Symmetric NATs (which break VoIP or any protocol that requires listening on multiple ports) of many mobile networks.

It is assumed that you are using the custom OpenVPN scripts to configure your VPN servers and create client / server SSH keys. Otherwise, you will have to consult the OpenWrt OpenVPN documentation to configure your VPN servers and create SSH keys.

In addition to the VPN server instructions in custom OpenVPN scripts, the ports that the VPN server(s) use must be opened on the SecureOffice firewall.

Using a SecureOffice SSH command prompt, enter "nano /etc/config/firewall". Add entries of the following form (one per VPN server instance):

config rule
    option target 'ACCEPT'
    option name 'Allow-OpenVpn'
    option proto 'tcpudp'
    option dest_port '<server port number>'
    option src 'wan'

Figure 5: VPN Server Firewall Configuration

Where <server port number> is the "port" setting from the VPN server configuration (/etc/config/openvpn) manually created or, configured by custom OpenVPN scripts.

6        Start And Test VPN Connections

The services configured above need to be restarted for changes to take effect.

In file "/etc/config/openvpn", ensure that "enabled" is set to "1" for the VPN connection you intend to test, disabling all others.

You can either enter "reboot" at a command prompt and reconnect to SecureOffice, or, restart the services.

To restart the services:

  • Enter "/etc/init.d/dnsmasq restart"
  • Enter "/etc/init.d/network restart"

If you want OpenVPN to automatically start at boot, enter "/etc/init.d/openvpn enable" at a command prompt.

To start the enabled (client / server) VPN connections, enter "/etc/init.d/openvpn start" at a command prompt.

6.1    Client Connections

Focus on one connection at a time.

Each VPN connection has a log file called "/var/log/<provider_name>.log". For each connection, use nano to open the log file to determine if there are any warnings or errors. Do an internet search to determine causes / remedies of warnings and errors, some of which may affect security. Fix any you can. Warnings pertaining to "push options" may be normal. Restart OpenVPN after any configuration change (/etc/init.d/openvpn restart).

On successful connection, the logfile will end with "Initialization Sequence Completed". Entering the "logread" command will display "Interface 'device' is now up". Entering the "ifconfig" command will display information, such as IP address of the VPN interface / device.

VPN internet connectivity can be determined by entering "ping -I <device> yahoo.com".

If the connection is working, there will be a continuous ping response. Exit ping by entering "CTL+c" (both keys together). You are done testing basic VPN device connectivity for this connection.

Ping may fail due to DNS misconfiguration (bad address or host). A strong indication of this is that ping does not respond with "PING yahoo.com (<IP Address>)". If this is the case, verify your settings in "/etc/config/network" and "/etc/config/dhcp", entered above, restarting services if necessary. Alternatively, check the OpenWrt DNS Wiki for troubleshooting hints.

Do not proceed until ping using the VPN device is successful.
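The log inspection described above, as an added example (not a SecureOffice script): it classifies a connection's /var/log/<provider_name>.log as up, failed or pending from the "Initialization Sequence Completed" marker plus standard OpenVPN failure messages, and lists the warnings worth researching while dropping the "push options" ones the page says may be normal. The sample log it writes is constructed for the example, not captured from a real connection.

```shell
#!/bin/sh
# Added example (not a SecureOffice script): read an OpenVPN connection log the
# way section 6.1 describes. The sample log below is constructed, not captured.

# vpn_log_status LOGFILE: prints up | failed | pending | missing; returns 0 only
# for up. The last marker wins, so an old AUTH_FAILED followed by a successful
# reconnect counts as up.
vpn_log_status() {
    [ -r "$1" ] || { echo "missing"; return 2; }
    state=$(awk '
        /Initialization Sequence Completed/ { s = "up" }
        /AUTH_FAILED|TLS Error|TLS handshake failed|RESOLVE: Cannot resolve|Connection refused|Exiting due to fatal error/ { s = "failed" }
        END { if (s == "") s = "pending"; print s }' "$1")
    echo "$state"
    [ "$state" = up ]
}

# vpn_log_warnings LOGFILE: WARNING lines to research, minus the "push options"
# ones the page says may be normal. The certificate-verification warning in the
# sample means the server is not authenticated and should be fixed in the .conf.
vpn_log_warnings() {
    grep 'WARNING' "$1" | grep -vi 'push' || true
}

# write_sample_log: writes the constructed sample (a failed first attempt, then a
# successful reconnect; line format follows OpenVPN 2.4) and prints its path
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mon Nov 30 10:00:01 2020 OpenVPN 2.4.7 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Nov 30 10:00:02 2020 WARNING: No server certificate verification method has been enabled.
Mon Nov 30 10:00:03 2020 AUTH: Received control message: AUTH_FAILED
Mon Nov 30 10:00:03 2020 SIGUSR1[soft,auth-failure] received, process restarting
Mon Nov 30 10:00:08 2020 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1558'
Mon Nov 30 10:00:09 2020 TUN/TAP device tun1 opened
Mon Nov 30 10:00:10 2020 Initialization Sequence Completed
EOF
    echo "$f"
}

# Usage: sh this_script.sh /var/log/<provider_name>.log
if [ $# -eq 1 ]; then
    vpn_log_status "$1" || true
    vpn_log_warnings "$1"
fi
```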

On another computer with no other active internet connection, connect to the SecureOffice VPN WiFi SSID configured above or to the VPN-bridged ethernet port (optionally) configured above.

Assuming the connection is bridged to a WiFi SSID, connect to it using a PC or Android device, test and fix any internet connectivity issues. Test and fix any DNS leaks. More comprehensive testing is discussed here.

When successful, do the same for any other VPN client connections, then test VPN server connections (if used).

6.2    Server Connections

Focus on one connection at a time. It is assumed that you have either configured the server using the SecureOffice custom VPN scripts or done it yourself, and that the OpenVPN client configuration is available and installed on a client PC.

Enable the routed / tun server first. Connect (using client PC) to SecureOffice VPN server. Inspect logfiles for both client and server to determine if there are any warnings or errors. Do an internet search to determine causes / remedies of warnings and errors, some of which may affect security. Fix any you can. Warnings pertaining to "push options" may be normal. Restart OpenVPN after any configuration change (/etc/init.d/openvpn restart).

For the client's internet connection, use one that is not the SecureOffice connection: a neighbor's ISP or WiFi hotspot, or an Android client device with a cellular data connection.

From a command prompt window on the client PC, enter "ping <Your SecureOffice LAN address>". There should be a valid response, indicating you are securely connected and can remotely access resources on the SecureOffice LAN.

From a command prompt window on the client device (you may have to install a ping app for Android), enter "ping yahoo.com". There should be a valid response.

Using a web browser, on the client device, ensure you can access the internet.

If using a bridged / tap VPN connection, ensure you can browse the network neighborhood and see other devices on the SecureOffice local LAN.
