SecureOffice supports OpenVPN and all other protocols supported by OpenWrt for client (connect to external VPN servers) and server (provide VPN services for secure remote access clients) applications. Instructions are provided for the following usage scenarios:
Subsequent configuration steps require the following skills:
It is possible to perform many of these configuration steps using the OpenWrt web GUI. To do so, consult the OpenWrt Wiki for instructions.
SecureOffice can simultaneously be a client for external VPN servers and / or server for private VPN services such as client devices remotely connected to SecureOffice or a network of other SecureOffice nodes, forming a larger geographically distributed, load sharing enterprise (or dissident) network with full remote access for VPN clients.
OpenWrt / SecureOffice VPN requires three packages to be installed:
From a command prompt, execute the following commands to install OpenVPN packages and dependencies:
Most VPN providers focus on the far larger Windows market, with fancy custom applications to select VPN servers from multiple countries. Very few directly provide the OpenVPN configuration files usable for OpenWrt / OpenVPN / SecureOffice. OpenWrt does provide a web GUI (Services->OpenVPN) for configuring OpenVPN connections, but requires having the config settings beforehand. It is just as easy to create the necessary configuration files.
One approach is to download and alter (userid, password, VPN server) one of the OpenVPN config files for various VPN services provided by SecureOffice. Configuration files for the following VPN providers can be downloaded (free) from here.
There is absolutely nothing preventing users from doing the research to determine OpenVPN configuration for a VPN provider and creating their own configuration, as discussed below for Hide My Ass (HMA).
No pro / con recommendations are provided for any of the following VPN providers; all have been verified. Any requests for recommendations will be met with "no comment". The reason is that it is YOUR information privacy at stake, requiring due diligence on your part. Further, any recommendation may not stand the test of time as providers change policies due to intimidation by those who believe they have a right to monitor and control the free flow of information that is so crucial to all of us staying informed, comprehending reality and adapting (AKA: surviving).
OpenVPN Configuration files are available for the following VPN providers:
It is assumed the point of having a commercial VPN connection (on SecureOffice) is to bridge it to a dedicated WiFi SSID, or ethernet port, for VPN connection sharing. The following instructions assume you have subscribed to the custom SecureOffice package / script repository and are using TUN devices. If not, you will have to consult the OpenWrt Wiki and internet to achieve this functionality. If you can choose TAP as the VPN interface type, the configuration differences between TUN and TAP bridging are discussed.
Most commercial VPN providers allow multiple connections, so using one for SecureOffice does not preclude other simultaneous VPN connections (using provider supplied clients or OpenVPN) on other laptops and devices. For devices already connected through the SecureOffice VPN connection, starting a second VPN connection on the device itself is redundant, and the overhead of VPN over VPN will slow your connection.
The best method is to acquire the Windows or Linux OpenVPN config files from the VPN provider and alter them to suit your requirements. For example, if you download and extract the Hide My Ass (HMA) VPN configuration files you will find 534 configuration files. Half of them are for UDP protocol, half of them are for TCP protocol. Once you decide on UDP versus TCP, that leaves 267 configuration files, one per country / server combination. Inspecting these files, they are all identical, except the server domain name / IP address / port, with identical SSL certificates in each. Choose the one you want for SecureOffice and alter it to suit preferences.
Use the OpenWrt OpenVPN Client Wiki page and any OpenVPN related information from the VPN provider for guidance. It is suggested to follow only the "Config Files" (connection requirements) settings from the VPN provider and subsequent configuration instructions in this document.
If you intend to use the SecureOffice custom VPN scripts (necessary for easy setup of VPN WiFi hotspots and VPN servers), it is necessary to alter your provider's VPN configuration (/etc/openvpn/provider/provider.conf) file to include the following values:
Further configuration instructions (DHCP, Network, Firewall entries) follow in this document.
Once you have a working connection, if not on the above list, please tar your configuration files (minus user credentials) and send them in a message (Contact Us) with subject "VPN providers" so they can be added to the above list, benefiting the entire user base. This also applies to VPN providers who wish to be "on the list".
The beginning of each supplied configuration file (provider.conf) contains instructions for getting the provider server list and OpenVPN config files for all servers, plus some troubleshooting hints regarding certificate expiry and what to do when the provider changes configuration requirements, breaking the VPN connection.
It is assumed you will also be running OpenVPN TUN and TAP servers for remote access to SecureOffice files and services, or, as a remote client on the SecureOffice LAN. Two devices are reserved for this purpose: tun0 and tap0. This means that additional VPN connections must start their device numbering at 1, for example: tun1, tap1. All supplied provider configuration files use tun1. If another VPN connection uses tun1, this number must be changed to the next unallocated device number and network, firewall configuration entries must be added to use the device.
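The device-numbering rule above can be checked mechanically. The following is an added example, not part of the SecureOffice scripts: it reads a UCI file such as /etc/config/openvpn, follows each enabled instance to its config file and reports devices claimed twice, plus the lowest unused tunN starting at 1. The function names are hypothetical, and it assumes each config names its device with a "dev" line and that config paths contain no spaces.

```shell
#!/bin/sh
# Added example, not SecureOffice code: find tun/tap device collisions among
# the OpenVPN instances enabled in a UCI file such as /etc/config/openvpn.

# enabled_configs UCI_FILE -> config path of every section with enabled '1'
enabled_configs() {
    awk -v q="'" '
        function emit() { if (on && path != "") print path; on = 0; path = "" }
        $1 == "config" { emit() }
        $1 == "option" && $2 == "enabled" { gsub("[" q "\"]", "", $3); on = ($3 == "1") }
        $1 == "option" && $2 == "config"  { gsub("[" q "\"]", "", $3); path = $3 }
        END { emit() }' "$1"
}

# dev_of CONF -> device named by the last "dev" directive (for example tun1)
dev_of() {
    awk '$1 == "dev" { d = $2 } END { if (d != "") print d }' "$1"
}

# used_devs UCI_FILE -> one device name per enabled instance
used_devs() {
    enabled_configs "$1" | while read -r conf; do
        if [ -r "$conf" ]; then dev_of "$conf"; fi
    done
}

# dev_collisions UCI_FILE -> devices claimed by more than one enabled instance
dev_collisions() {
    used_devs "$1" | sort | uniq -d
}

# next_free_tun UCI_FILE -> lowest tunN with N >= 1 (tun0 is reserved for the
# SecureOffice server) that no enabled instance uses
next_free_tun() {
    used=$(used_devs "$1")
    n=1
    while printf '%s\n' "$used" | grep -qx "tun$n"; do
        n=$((n + 1))
    done
    echo "tun$n"
}

# Usage on SecureOffice:
#   dev_collisions /etc/config/openvpn
#   next_free_tun  /etc/config/openvpn
```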
For now (until your connection is working), it is recommended not to modify any settings in the provider.conf file.
Experts, or the curious can edit the provider config file: "nano /etc/openvpn/<provider name>/<provider name>.conf", making any desired changes.
Once your connection is working and the network and firewall are configured to your satisfaction, the provider VPN server list can be consulted and the final VPN server (geographic location, streaming compatible, etc) can be configured by editing the <provider name>.conf file.
This file contains your user id (line 1) and password (line 2) for your VPN service provider.
Edit the file ("nano user.txt") and change your VPN user id and password entries.
Each of the provider configuration directories contains a file named "config", with contents (example):
config openvpn 'purevpn'
    option enabled '0'
    option config '/etc/openvpn/purevpn/purevpn.conf'
Add the contents of this config file to the end of the OpenVPN configuration file (/etc/config/openvpn), changing "enabled" to '1':
Note that if the VPN provider supports breaking geo-access restrictions to Netflix, Hulu, etc, they use specific servers (that must be selected and configured) for this purpose.
Once the connection is successful, enter "ping -I tunX yahoo.com" where X is the tun device number (default 1). You should see ping responses or error messages. Fix any errors before proceeding.
Enter "/etc/init.d/openvpn stop" to close the VPN connection.
This is an optional step. Do the test if you want to avoid the minor cost of subscribing to the premium SecureOffice package / script repository for scripts which will allow you to easily bridge TAP connections to share VPN connections.
Your VPN provider must support TUN devices to bridge connections from VPN to other devices such as WiFi and ethernet interfaces. This allows connected devices such as TV Boxes, DVD players, Smart TV's with NetFlix / Hulu, etc to share the VPN connection to bypass geo-restrictions (watch US NetFlix from outside US).
These are optional configuration steps.
It is possible to create numerous VPN configurations, differing only by server location, with differing filenames for each location. These connections can be controlled using the OpenWrt Luci web GUI.
Once you have narrowed the list of VPN servers you are interested in connecting to, clone and rename the provider VPN configuration files, with filenames of form: "<provider>.<ISO country code>.<city><Netflix>.conf", where <city> and <Netflix> are optional. ISO Country codes can be determined from here.
As an example: "/etc/openvpn/purevpn/purevpn.CA.Montreal.conf" (purevpn, Canada, Montreal, not a Netflix server). This naming convention allows you to use Luci to easily choose VPN connections. Note that all VPN configurations for each VPN provider are kept in the same "/etc/openvpn/<provider>" directory.
Each OpenVPN provider configuration file requires an entry of the following form in file "/etc/config/openvpn", using the naming convention above:
config openvpn <Provider>
    option enabled '0'
    option config '/etc/openvpn/<Provider>/<provider>.<ISO_country_code>.<city><Netflix>.conf'
Rename the working reference VPN configuration file according to the naming convention above. Example: "mv /etc/openvpn/hma/hma.conf /etc/openvpn/hma/hma.US.Miami.conf"
Perform the following steps (for each desired VPN server):
This restricts access (security) to the provider configuration files to the file owner (root, unless a different user has been configured).
From a SecureOffice command prompt, enter: "chmod 400 /etc/openvpn/<provider name>/*"
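A check on the result of the chmod command above, as an added example that is not part of the SecureOffice scripts. The "*" glob does not match dot-files and does not reach files inside subdirectories, so the audit walks the tree with find; the function names are hypothetical and a find that supports -perm and -user is assumed.

```shell
#!/bin/sh
# Added example, not SecureOffice code: confirm the result of
#   chmod 400 /etc/openvpn/<provider name>/*
# The "*" glob skips dot-files and does not reach files in subdirectories,
# so the check below walks the whole tree with find.

# audit_perms DIR [UID] -> every regular file under DIR that is not exactly
# mode 400 or is not owned by UID (default 0, root)
audit_perms() {
    find "$1" -type f \( ! -perm 400 -o ! -user "${2:-0}" \) | sort
}

# lock_down DIR -> apply mode 400 to every regular file, dot-files included
lock_down() {
    find "$1" -type f -exec chmod 400 {} +
}

# demo_glob_gap -> on a constructed provider directory, run the glob form of
# chmod, print what audit_perms still flags, then fix it with lock_down.
# Returns 0 when nothing is flagged after lock_down.
demo_glob_gap() {
    d=$(mktemp -d)
    for f in provider.conf user.txt .user.txt.bak; do
        echo constructed > "$d/$f"
        chmod 644 "$d/$f"
    done
    chmod 400 "$d"/*                       # same form as the command above
    (cd "$d" && audit_perms . "$(id -u)")  # prints ./.user.txt.bak
    lock_down "$d"
    remaining=$(audit_perms "$d" "$(id -u)")
    rm -rf "$d"
    [ -z "$remaining" ]
}

# Usage on SecureOffice: audit_perms /etc/openvpn/<provider name>
```

An empty result from audit_perms means every file in the provider directory, including user.txt, is readable by its owner only.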
TODO: Write It. PPTP has been verified with SecureOffice.
These protocols create uniquely named devices which replace "openvpn tunX / tapX" devices in subsequent connection configuration instructions.
Previous configuration was concerned with setting up the virtual Ethernet device (tunX / tapX, pptp-pppX, etc) and requirements for connecting it to the VPN provider. The following sections deal with configuring SecureOffice to use the VPN device for various usage scenarios. If using PPTP, L2TP IPsec or SSTP connections, replace tunX with the corresponding device name in subsequent instructions.
It is assumed users are interested in sharing the VPN connection for multiple clients / applications. The best, perhaps only way to do this is to create a dedicated LAN, to provide DHCP services and route traffic between the VPN interface and the dedicated LAN.
Caveat: Sharing (bridging) OpenVPN connections requires that the VPN provider support TAP, which not many do. To achieve bridging using TUN devices, use the custom OpenVPN scripts to configure your VPN connections.
OpenVPN uses but does not create network interfaces (tunX / tapX, pptp-pppX, etc). That is the job of OpenWrt networking, requiring configuration.
The VPN interface (tapX, tunX, pptp-pppX, etc) is the virtual network device over which all VPN traffic flows.
For detailed information regarding these and other configuration settings in file "/etc/config/network", consult the OpenWrt Network Documentation.
Using a SecureOffice SSH command prompt, enter "nano /etc/config/network". Add the following entries at the end of the file:
config interface 'tun1'
    option ifname 'tun1'
    option proto 'none'

config interface 'client_vpn'
    #option ifname 'tapX ethX'
    option proto 'static'
    option type 'bridge'
    option ipaddr '10.0.0.1'
    option netmask '255.255.255.0'
    #option force_link '1'
    #option bridge_empty '1'
    option ip6assign '60'
Save the file and exit nano.
Clients on the VPN bridge require DNS and DHCP services, in addition to basic network connectivity. Clients may also use static IP addresses within the VPN LAN / bridge address range, but outside the DHCP range, if desired.
For detailed information regarding these and other configuration settings in file "/etc/config/dhcp", consult the OpenWrt DNS and DHCP Documentation.
Using a SecureOffice SSH command prompt, enter "nano /etc/config/dhcp". Add an entry of the following form:
config dhcp 'client_vpn'
    option interface 'client_vpn'
    option dhcpv6 'server'
    option ra 'server'
    option limit '150'
    option start '100'
    option force '1'
    option leasetime '12h'
    list dhcp_option '6,220.127.116.11,18.104.22.168'
Save the file and exit nano.
This setting (forwarding) can be omitted if you are using a tap device, since tap devices are already bridged to the "client_vpn" LAN / bridge in file "/etc/config/network".
For detailed information regarding these and other configuration settings in file "/etc/config/firewall", consult the OpenWrt Firewall Documentation.
Using a SecureOffice SSH command prompt, enter "nano /etc/config/firewall". Add entries of the following form:
config zone
    option name 'tun1'
    option network 'tun1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config zone
    option name 'client_vpn'
    list network 'client_vpn'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'client_vpn'
    option dest 'tun1'

config forwarding
    option src 'tun1'
    option dest 'client_vpn'
Save the file and exit nano.
The VPN interface will be bridged to a dedicated WIFI SSID, providing isolation of local network and secure browsing and / or breaking geo location (VPN server dependent) for WiFi clients.
For detailed information regarding these and other configuration settings in file "/etc/config/wireless", consult the OpenWrt Wireless Documentation.
A WIFI SSID (Service Set IDentifier) is the network name you see when browsing WiFi connections.
If you have a WiFi card capable of hosting multiple SSID's (hardware requirements), create a new entry for it, otherwise, alter the existing entry.
Using a SecureOffice SSH command prompt, enter "nano /etc/config/wireless". Add entries of the following form:
config wifi-iface
    option device 'radio0'
    option network 'client_vpn'
    option mode 'ap'
    option ssid 'your choice'
    option encryption 'psk2'
    option key 'your choice'
This is a very basic configuration. OpenWrt wireless is very flexible. Consult the wireless documentation for additional encryption and authentication options.
Provides private VPN connections between your (roaming) device and SecureOffice acting as a VPN server. This is used for full remote access to local resources, with your device being on the SecureOffice LAN.
An example application is to eliminate your cellphone bill by having your cellphone VPN connected to SecureOffice, as a SecurePBX extension. So long as your cellphone has an internet (WiFi or data) connection, you can make / receive calls using your home phone line. Missed calls will go to SecurePBX voicemail. An added "bonus" is when you are "home sick" (but living life of Riley, roaming), it will appear you are at home. Nobody will know your real location.
Private VPN connections may also be used to allow SecureOffice to be a VPN client, securely connected to a larger private LAN as part of a corporate or globally distributed private network. For example, SecurePBX installations in regional nodes can be networked together for a much larger, globally distributed secure telephone network. In this scenario, there is one master private VPN server, with all others as VPN clients. Users wishing to accomplish this will have to do their own research, bearing in mind that standard Linux and VPN methods are compatible with SecureOffice.
TODO: Add some more links, as HowTo pointers.
Clients, such as PCs, cellphones or other SecureOffice nodes, can remotely and securely join the SecureOffice LAN, both for security and to bypass the Symmetric NATs of many mobile networks (which break VoIP or any protocol that requires listening on multiple ports).
It is assumed that you are using the custom OpenVPN scripts to configure your VPN servers and create client / server SSH keys. Otherwise, you will have to consult the OpenWrt OpenVPN documentation to configure your VPN servers and create SSH keys.
In addition to the VPN server instructions in custom OpenVPN scripts, the ports that the VPN server(s) use must be opened on the SecureOffice firewall.
Using a SecureOffice SSH command prompt, enter "nano /etc/config/firewall". Add entries of the following form (one per VPN server instance):
config rule
    option target 'ACCEPT'
    option name 'Allow-OpenVpn'
    option proto 'tcpudp'
    option dest_port '<server port number>'
    option src 'wan'
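After editing "/etc/config/firewall" for both the VPN bridge zones and the VPN server ports, it is worth listing what the file now lets in. The following is an added example, not part of the SecureOffice scripts: it reports zones that masquerade (face an outside network) while accepting input to SecureOffice itself, and every rule that accepts connections from wan. The function names are hypothetical, the sample input is constructed from the entries in this document, and port 1194 stands in for the server port number.

```shell
#!/bin/sh
# Added example, not SecureOffice code: audit a UCI firewall file for the two
# kinds of entries discussed in this document.

# audit_firewall FILE prints one line per finding:
#   EXPOSED-ZONE <name>              zone masquerades (faces an outside network)
#                                    and accepts input to the router itself
#   WAN-OPEN <name> <proto> <port>   rule accepting connections from wan
audit_firewall() {
    awk -v q="'" '
        function emit() {
            if (type == "zone" && o["masq"] == "1" && o["input"] == "ACCEPT")
                print "EXPOSED-ZONE", o["name"]
            if (type == "rule" && o["src"] == "wan" && o["target"] == "ACCEPT")
                print "WAN-OPEN", o["name"], o["proto"], o["dest_port"]
            split("", o)            # clear options before the next section
        }
        $1 == "config" { emit(); type = $2 }
        $1 == "option" { v = $3; gsub("[" q "\"]", "", v); o[$2] = v }
        END { emit() }' "$1"
}

# sample_firewall -> constructed input modelled on the entries in this document;
# port 1194 stands in for <server port number>
sample_firewall() {
    cat <<'EOF'
config zone
    option name 'tun1'
    option network 'tun1'
    option input 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config zone
    option name 'client_vpn'
    list network 'client_vpn'
    option input 'ACCEPT'
    option forward 'REJECT'

config rule
    option target 'ACCEPT'
    option name 'Allow-OpenVpn'
    option proto 'tcpudp'
    option dest_port '1194'
    option src 'wan'
EOF
}

# Usage on SecureOffice: audit_firewall /etc/config/firewall
```

A zone reported as EXPOSED-ZONE accepts connections arriving from that network to services running on SecureOffice itself; for a provider-facing zone such as tun1, decide explicitly whether that is intended. Each WAN-OPEN line should correspond to a VPN server instance you actually run.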
The services configured above need to be restarted for changes to take effect.
In file "/etc/config/openvpn", ensure that "enabled" is set to "1" for the VPN connection you intend to test, disabling all others.
You can either enter "reboot" at a command prompt and reconnect to SecureOffice, or, restart the services.
To restart the services:
If you want OpenVPN to automatically start at boot, enter "/etc/init.d/openvpn enable" at a command prompt.
To start the enabled (client / server) VPN connections, enter "/etc/init.d/openvpn start" at a command prompt.
Focus on one connection at a time.
Each VPN connection has a log file called "/var/log/<provider_name>.log". For each connection, use nano to open the log file to determine if there are any warnings or errors. Do an internet search to determine causes / remedies of warnings and errors, some of which may affect security. Fix any you can. Warnings pertaining to "push options" may be normal. Restart OpenVPN after any configuration change (/etc/init.d/openvpn restart).
On successful connection, the logfile will end with "Initialization Sequence Completed". Entering the "logread" command will display "Interface 'device' is now up". Entering the "ifconfig" command will display information, such as IP address of the VPN interface / device.
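The log checks described above can be scripted, one connection at a time. The following is an added example, not part of the SecureOffice scripts: it tests whether a log ends with "Initialization Sequence Completed", extracts the device name for the ping test, and lists warning and error lines other than those about pushed options. The function names are hypothetical and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not SecureOffice code: triage one OpenVPN connection log.

# vpn_up LOG -> status 0 only when the last non-empty line reports completion
vpn_up() {
    awk 'NF { last = $0 }
         END { exit !(last ~ /Initialization Sequence Completed/) }' "$1"
}

# vpn_device LOG -> device from the most recent "TUN/TAP device ... opened" line
vpn_device() {
    sed -n 's/.*TUN\/TAP device \([a-z]*[0-9]*\) opened.*/\1/p' "$1" | tail -n 1
}

# vpn_findings LOG -> warning and error lines, minus those about pushed
# options, which the text above notes may be normal
vpn_findings() {
    grep -Ei 'warning|error' "$1" | grep -Eiv 'push[- ]?options' || true
}

# sample_log -> constructed log lines in OpenVPN's usual format
sample_log() {
    cat <<'EOF'
Mon Jan  1 10:00:01 2024 WARNING: No server certificate verification method has been enabled.
Mon Jan  1 10:00:03 2024 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.4.4)
Mon Jan  1 10:00:03 2024 TUN/TAP device tun1 opened
Mon Jan  1 10:00:04 2024 Initialization Sequence Completed
EOF
}

# Usage on SecureOffice:
#   log=/var/log/<provider_name>.log
#   vpn_up "$log" && echo "up on $(vpn_device "$log")"
#   vpn_findings "$log"
```

In the constructed sample, the connection is up on tun1 and the one remaining finding is the certificate verification warning, which is the kind that affects security and should be fixed in the provider config.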
VPN internet connectivity can be determined by entering "ping -I <device> yahoo.com".
If the connection is working, there will be a continuous ping response. Exit ping by pressing "Ctrl+C". You are done testing basic VPN device connectivity for this connection.
Ping may fail due to DNS misconfiguration (bad address or host). A strong indication of this is that ping does not respond with "PING yahoo.com (<IP Address>)". If this is the case, verify your settings in "/etc/config/network" and "/etc/config/dhcp", entered above, restarting services if necessary. Alternatively, check the OpenWrt DNS Wiki for troubleshooting hints.
Do not proceed until ping using the VPN device is successful.
Assuming the connection is bridged to a WiFi SSID, connect to it using a PC or Android device, test and fix any internet connectivity issues. Test and fix any DNS leaks. More comprehensive testing is discussed here.
When successful, do the same for any other VPN client connections, then test VPN server connections (if used).
Focus on one connection at a time. It is assumed that you have either configured using SecureOffice custom VPN scripts or, done it yourself and have OpenVPN client configuration available and installed on a client PC.
Enable the routed / tun server first. Connect (using client PC) to SecureOffice VPN server. Inspect logfiles for both client and server to determine if there are any warnings or errors. Do an internet search to determine causes / remedies of warnings and errors, some of which may affect security. Fix any you can. Warnings pertaining to "push options" may be normal. Restart OpenVPN after any configuration change (/etc/init.d/openvpn restart).
From a command prompt window on the client PC, enter "ping <Your SecureOffice LAN address>". There should be a valid response, indicating you are securely connected and can remotely access resources on the SecureOffice LAN.
From a command prompt window on the client device (you may have to install a ping app for Android), enter "ping yahoo.com". There should be a valid response.
Using a web browser, on the client device, ensure you can access the internet.