Experiences with OpenVPN-client on ALIX.2D3
Latest revision as of 07:48, 13 January 2024
Obsolete: The AMD Geode LX800 processor used on this board does not support the SSE instruction required to run modern versions of Alpine Linux.
OpenVPN client on ALIX.2D3
We needed to connect a Remote Desktop client (a thin client) and a SIP phone to an OpenVPN network to be able to reach some services.
It was not possible to install OpenVPN on either the thin client or the SIP phone, so we needed an OpenVPN gateway.
We bought an ALIX.2D3 to act as a gateway for the various clients. This board has 3 NICs, is small, and doesn't consume much power.
Preparing the ALIX board
The ALIX board runs its operating system from a Compact Flash card.
Installing Alpine Linux
The Installing Alpine on Compact Flash article contains all the information needed to install Alpine Linux. Note that the ALIX hardware is not capable of running 64-bit software, so use the x86 version of Alpine.
Connecting to the ALIX board
The board has no graphical interface, so before the network is configured we need to configure it through a serial connection.
We need to modify the 'syslinux.cfg' which is now on our CF card.
Append the following to the lines that start with 'append'.
console=tty1,38400 console=ttyS0,9600
This will send the console output to the serial port.
Now you can attach a computer to your ALIX with a serial cable and a terminal program configured to 9600/8/N/1.
Mounting
The CF card was mounted in the ALIX board and the board was mounted in an enclosure.
setup-alpine
The command to configure the basic settings for a new Alpine box is:
setup-alpine
setup-webconf
Next we want to install and configure ACF (the web configuration interface), which lets you administer your box from a web browser.
setup-webconf
The box now has an ACF running and you can start browsing it.
First you need to attach it to a network and determine the IP address it received.
Because we are running Alpine 1.8 we need to change the default user/password via a web browser:
- go to https://{ip_of_our_ALIX_box}/
- Log in with username=alpine password=test123
- Choose 'User management' from the menu at left, delete the existing default accounts and create a new one
From now on we use ACF to do our configuration and installation. Where the console is needed, we say so.
Time
We need to set the clock on this box, because OpenVPN needs the correct time.
Install required packages
- System > Packages > Available > acf-openntpd > "Install"
Configure openntp to set the time: go to the {config} tab and enter the following settings:
- Check/Activate the box "Set time on startup"
- Confirm that the "Multiple servers" box contains a valid NTP server (e.g. 'pool.ntp.org')
- Confirm that all other boxes are empty (unless you have reason to do otherwise)
Finish by pressing [Save].
[Start] the service and confirm it is running (the result is shown at the top of the page where you pressed [Start]).
Now we need to make sure the process starts at next reboot
- Applications > NTP(openntp) > Status > "Schedule autostart"
Choose the following values:
- Startup Sequence = 30
- Add kill link for shutdown = Yes
Save the settings with the [Save] button
sshd
Install required packages
- System > Packages > Available > acf-openssh > "Install"
We put our public SSH keys in it (the authorized keys for root) to be able to administer this box remotely; the private keys stay on our administration workstation.
- Applications > ssh > Authorized users > root "Edit this account"
Paste the keys in the 'SSH Certificate Contents' box and press [Save]
To increase security, we disable 'PasswordAuthentication' so that only the keys added above can log in.
We can speed up the connection by disabling DNS requests.
Under the {Expert} tab make sure you have the following settings, then [Save] your changes.
PasswordAuthentication no
UseDNS no
To make sure the process starts at next reboot:
- Applications > ssh > Status > "Schedule autostart"
Choose the following values:
- Startup Sequence = 40
- Add kill link for shutdown = Yes
Save the settings with the [Save] button
dhcpd
Install required packages
- System > Packages > Available > acf-dhcp > "Install"
Now we can start configuring dhcpd
- Networking > DHCP > Config
We configure the global settings and add a subnet to give out IP addresses.
We need to modify some values from the {Expert} tab.
Update the config with the following values (and press [Save] when done).
ddns-update-style ad-hoc;
The eth2 clients should have Internet access. They will probably need a different DNS server than the clients on eth1, which get their DNS records from an internal DNS server. So we will install dnscache (see the instructions below) and tell dhcpd to configure the clients connected to eth2 to use this box as their DNS server.
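As an added illustration (not from the original page), this dhcpd.conf implements the split just described. All addressing is constructed: 192.168.1.0/24 on eth1 with an internal DNS server at 192.168.1.53, and 10.0.0.0/24 on eth2 where the box itself is 10.0.0.1, the address dnscache listens on.

```conf
# Added example, not from the original page. Addresses are constructed:
#   eth1 = 192.168.1.1/24 (internal LAN, internal DNS server at 192.168.1.53)
#   eth2 = 10.0.0.1/24    (Internet clients, dnscache listens on 10.0.0.1)
ddns-update-style ad-hoc;
authoritative;
default-lease-time 600;
max-lease-time 7200;

# eth1 clients keep resolving through the internal DNS server
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.200;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.53;
}

# eth2 clients resolve through dnscache on this box. The pool matches the
# "10.0.0" prefix entered under dnscache > Allowed Clients, so only these
# clients are answered, and the box's own address is kept out of the pool.
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.2 10.0.0.254;
  option routers 10.0.0.1;
  option domain-name-servers 10.0.0.1;
}
```

Which interfaces dhcpd actually serves is still decided by DHCPD_IFACE in /etc/conf.d/dhcpd, set in the next step.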
Next we need to tell dhcpd which NICs to listen on. This has to be done from the console, because ACF-dhcp has no setting for it:
vi /etc/conf.d/dhcpd
Modify the file so it looks like this:
DHCPD_IFACE="eth1 eth2"
Back to ACF. Start DHCP.
- Networking > DHCP > Config > [Start]
Now we need to make sure the process starts at next reboot
- Applications > dhcp > Status > "Schedule autostart"
Choose the following values:
- Startup Sequence = 90
- Add kill link for shutdown = Yes
Save the settings with the [Save] button
dnscache
The Internet clients will be attached to the eth2 interface. Those clients need to resolve Internet addresses, so we install dnscache to resolve names for them.
Install required packages
- System > Packages > Available > acf-dnscache > "Install"
Configure it on the {config} tab.
- "IP address to listen on" = (The IP address of eth2)
Commit the changes by pressing [Save]
We also need to specify which clients are allowed to resolve addresses through dnscache.
This is done on the {Allowed Clients} tab.
Enter the IP prefixes of the clients that should be able to resolve DNS through dnscache in the field "IP prefixes to respond to". If your clients have IPs 10.0.0.2-10.0.0.254, you can enter the value "10.0.0".
To make sure the process starts at next reboot:
- Networking > DNScache > Status > "Schedule autostart"
Choose the following values:
- Startup Sequence = 65
- Add kill link for shutdown = Yes
Save the settings with the [Save] button
openvpn
Install required packages
- System > Packages > Available > acf-openvpn > "Install"
To make sure the process starts at next reboot:
- Networking > openvpn > Status > "Schedule autostart"
Choose the following values:
- Startup Sequence = 80
- Add kill link for shutdown = Yes
Save the settings with the [Save] button
Next, create a configuration file called 'openvpn.conf':
- Networking > openvpn > config > (write 'openvpn.conf' in the "file name" field, then press [Create])
Now we have a record called 'openvpn.conf' in the list. Configure it by choosing the "Expert" action.
Our file looks something like this:
client
dev tun
proto udp
remote "public IP" 1194
resolv-retry infinite
nobind
ns-cert-type server
persist-key
persist-tun
ca /etc/ssl/openvpn/cacert.pem
cert /etc/ssl/openvpn/mycert.pem
key /etc/ssl/openvpn/mykey.pem
comp-lzo
verb 3
Create the certificates and install them by following the instructions at: Generating SSL certs with ACF 1.9.
Create the 'dh' file by typing the following command via the console:
cd /etc/ssl/openvpn/ && openssl dhparam -out dh1024.pem 1024
firewall
Install required packages
- System > Packages > Available > acf-shorewall > "Install"
sed -i 's/^STARTUP_ENABLED.*/STARTUP_ENABLED=Yes/' /etc/shorewall/shorewall.conf
Modify the following config files at the Expert tab.
zones
#ZONE   TYPE
fw      firewall
inet    ipv4
eth1    ipv4
eth2    ipv4
vpn     ipv4
interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
inet    eth0
eth1    eth1        detect      dhcp
eth2    eth2        detect      dhcp
vpn     tun+        detect
policy
#SOURCE   DEST   POLICY
vpn       all    ACCEPT
eth1      vpn    ACCEPT
eth2      vpn    ACCEPT
all       all    REJECT
rules
#ACTION       SOURCE   DEST   PROTO   DEST PORT
ACCEPT        all      fw     tcp     22
ACCEPT        eth1     fw     tcp     80,443
ACCEPT        eth2     fw     tcp     80,443
ACCEPT        vpn      fw     tcp     80,443
DNS/ACCEPT    eth2     fw
To make sure the process starts at next reboot
- Networking > Firewall > Status > "Schedule autostart"
Choose the following values:
- Startup Sequence = 26
- Add kill link for shutdown = Yes
Save the settings with the [Save] button
Rotate logs
We have limited storage on this box, so we must prevent the log files from becoming too large.
To do that, activate rotation on /var/log/messages
- System > System Logging > Config
- "Max size (KB) before rotate" = 1000
- "Number of rotate logs to keep" = 5
 
Finish by pressing the [Save] button below your configuration.
Restart syslog by pressing [Restart] on the same page.
Save changes
At this point we have made various changes to the system. To ensure they persist, first install the ACF module for lbu:
- System > Packages > Available > acf-alpine-conf > "Install"
Now 'Local backups' appears in the menu (go there).
Use the {Config} tab to set the location to save the configs to (we chose usb).
In the "Included item(s)" box add "root/.ssh/" so the SSH keys we added earlier are saved permanently.
Use the {Status} tab to commit the save by pressing the [Commit] button.
Your changes should be saved permanently to your USB media.