Experiences with OpenVPN-client on ALIX.2D3
Revision as of 14:59, 30 July 2009
OpenVPN client on ALIX.2D3
We needed to connect a RemoteDesktop client (a thin client) and a SIP phone to an OpenVPN network to be able to reach some services.
It was not possible to install OpenVPN on either the thin client or the SIP phone, so we needed an OpenVPN gateway.
We bought an ALIX.2D3 to act as the gateway for these clients.
(Image: Alix2b3.jpg. This board has 3 NICs.)
Preparing the ALIX
The ALIX board was shipped with an enclosure and a CF card.
Prepare CF
Installing_Alpine_on_Compact_Flash has instructions on how to prepare a CF card.
Basically we followed that document (except that we used Alpine-1.8.3 instead of installing Alpine-1.9).
Connecting to the ALIX board
The board has no graphics card, so until the network is configured we need to work on it through a serial cable.
We need to modify the 'syslinux.cfg' which is now on our CF card.
Append the following to the lines that start with 'append':
console=tty1,38400 console=ttyS0,9600
This causes the console to be displayed on the serial port.
Now you can attach a computer to the ALIX with a serial cable and set your terminal program to 9600/8/N/1.
Mounting
The CF-card was mounted in the ALIX-board and the board was mounted in the enclosure.
setup-alpine
We connected to our ALIX board through the serial console and could start configuring it.
A nice command is available to set up the basic settings for a new Alpine box.
setup-alpine
setup-webconf
Next we want to install and configure ACF (the web configuration), which makes it possible to administer the box with a web browser.
setup-webconf
The box now has ACF running and you can start browsing to it.
But first you need to attach it to a network and find out which IP address it got.
Because we are running Alpine_1.8 we need to change the default user/password with a web browser:
- go to https://{ip_of_our_ALIX_box}/
- Log in with username=alpine password=test123
- Choose 'User management' from the menu at left, delete the existing default accounts and create a new account
Note: From now on we use ACF for our configuration and installation.
Where the console is needed instead, you will be instructed.
sshd
Install required packages
- System > Packages > Available > acf-openssh > "Install"
We add our SSH keys here so that we can administer this box remotely
- Applications > ssh > Authorized users > root "Edit this account"
Paste the keys into the 'SSH Certificate Contents' box and press [Save]
Now we need to make sure the process starts at next reboot
- Applications > ssh > Status > "Schedule autostart"
We chose the following values
- Startup Sequence = 40
- Add kill link for shutdown = Yes
Saved our settings with the [Save] button
dhcpd
Install required packages
- System > Packages > Available > acf-dhcp > "Install"
Now we can start configuring dhcpd
- Networking > DHCP > Config
We configured the global settings and added a subnet to hand out IP addresses.
We need to modify some values from the {Expert} tab.
Update the config with the following values (and press [Save] when done).
ddns-update-style ad-hoc;
Next we need to tell dhcpd which NICs to listen on.
Note: This needs to be done from the console because ACF-dhcp lacks a way to set this.
vi /etc/conf.d/dhcpd
Modify the file so it looks like this:
DHCPD_IFACE="eth1 eth2"
Back in ACF, we now start dhcpd
- Networking > DHCP > Config > [Start]
Now we need to make sure the process starts at next reboot
- Applications > dhcp > Status > "Schedule autostart"
We chose the following values
- Startup Sequence = 90
- Add kill link for shutdown = Yes
Saved our settings with the [Save] button
openvpn
Install required packages
- System > Packages > Available > acf-openvpn > "Install"
Now we need to make sure the process starts at next reboot
- Networking > openvpn > Status > "Schedule autostart"
We chose the following values
- Startup Sequence = 80
- Add kill link for shutdown = Yes
Saved our settings with the [Save] button
Next we create a config-file called 'openvpn.conf'
- Networking > openvpn > config > (write 'openvpn.conf' in the "file name" field and then press [Create])
Now we have an entry called 'openvpn.conf' in the list; it is time to configure it by choosing the "Expert" action.
Our file looks something like this:
client
dev tun
proto udp
remote "public IP" 1194
resolv-retry infinite
nobind
ns-cert-type server
persist-key
persist-tun
ca /etc/ssl/openvpn/cacert.pem
cert /etc/ssl/openvpn/mycert.pem
key /etc/ssl/openvpn/mykey.pem
comp-lzo
verb 3
We created the certificates and put them on this box by following the http://wiki.alpinelinux.org/w/index.php?title=Generating_SSL_certs_with_ACF_1.9 instructions.
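As an added check that is not part of the wiki page, this POSIX sh script audits an OpenVPN client config like the one above for the two settings that matter most on a shared gateway: that the peer's certificate is verified as a server certificate (the page's 'ns-cert-type server' directive was removed in OpenVPN 2.5; 'remote-cert-tls server' is its replacement) and that the private key is not readable by other users on the box. The remote host and both config files are constructed sample data.

```shell
#!/bin/sh
# Audit an OpenVPN client config for server-role verification and key file mode.
# Constructed example, not part of the original wiki page.
# Constructed copy of the page's openvpn.conf (remote is a placeholder host).
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
resolv-retry infinite
nobind
ns-cert-type server
persist-key
persist-tun
ca /etc/ssl/openvpn/cacert.pem
cert /etc/ssl/openvpn/mycert.pem
key /etc/ssl/openvpn/mykey.pem
comp-lzo
verb 3
EOF
# Constructed variant: no server-role check and a world-readable key file.
BADKEY=$(mktemp); chmod 644 "$BADKEY"
BAD=$(mktemp)
sed -e '/^ns-cert-type/d' -e "s|^key .*|key $BADKEY|" "$GOOD" > "$BAD"

# has_opt FILE OPTION [VALUE]: succeeds when OPTION (with VALUE, if given) is set.
has_opt() {
    awk -v o="$2" -v v="$3" '$1 == o && (v == "" || $2 == v) { f = 1 } END { exit !f }' "$1"
}

# audit_openvpn_conf FILE: findings go to stderr, the number of findings to stdout.
audit_openvpn_conf() {
    n=0
    has_opt "$1" client || { echo "missing: client" >&2; n=$((n+1)); }
    has_opt "$1" ca     || { echo "missing: ca" >&2; n=$((n+1)); }
    # Without a server-role check, any holder of a certificate issued by the same CA
    # (for example another VPN client) can impersonate the server to this gateway.
    has_opt "$1" remote-cert-tls server || has_opt "$1" ns-cert-type server ||
        { echo "missing: remote-cert-tls server" >&2; n=$((n+1)); }
    # The client private key must not be readable by group or others (mode 0600).
    key=$(awk '$1 == "key" { print $2 }' "$1")
    if [ -n "$key" ] && [ -f "$key" ]; then
        case "$(ls -l "$key" | cut -c5-10)" in
            ------) ;;
            *) echo "key $key is group/world readable" >&2; n=$((n+1)) ;;
        esac
    fi
    echo "$n"
}
```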
firewall
Install required packages
- System > Packages > Available > acf-shorewall > "Install"
Now, from the Expert tab, modify the following config files.
zones
#ZONE   TYPE
fw      firewall
inet    ipv4
eth1    ipv4
eth2    ipv4
vpn     ipv4
interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
inet    eth0
eth1    eth1        detect      dhcp
eth2    eth2        detect      dhcp
vpn     tun+        detect
policy
#SOURCE DEST    POLICY
vpn     all     ACCEPT
eth1    vpn     ACCEPT
eth2    vpn     ACCEPT
all     all     REJECT
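As an added consistency check that is not part of the wiki page or of Shorewall itself, this POSIX sh script reads the three files above (constructed copies are embedded) and reports interface or policy entries that name a zone the zones file never defines, and a policy file whose final rule is not a catch-all REJECT or DROP. A second, constructed policy file shows both findings being raised.

```shell
#!/bin/sh
# Cross-check Shorewall zones, interfaces and policy files for undefined zones
# and a missing catch-all rule. Constructed example, not from the wiki page.
CFG=$(mktemp -d)
# Constructed copies of the page's three config files.
cat > "$CFG/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
inet    ipv4
eth1    ipv4
eth2    ipv4
vpn     ipv4
EOF
cat > "$CFG/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
inet    eth0
eth1    eth1        detect      dhcp
eth2    eth2        detect      dhcp
vpn     tun+        detect
EOF
cat > "$CFG/policy" <<'EOF'
#SOURCE DEST    POLICY
vpn     all     ACCEPT
eth1    vpn     ACCEPT
eth2    vpn     ACCEPT
all     all     REJECT
EOF
# Constructed broken variant: undefined zone "dmz" and an ACCEPT catch-all.
BAD=$(mktemp -d); cp "$CFG/zones" "$CFG/interfaces" "$BAD"
printf 'dmz all ACCEPT\nall all ACCEPT\n' > "$BAD/policy"

# check_shorewall DIR: findings go to stderr, the number of findings to stdout.
check_shorewall() {
    awk '
        function bad(m) { print m > "/dev/stderr"; n++ }
        FNR == 1 { f++ }                      # file order: zones, interfaces, policy
        /^#/ || NF == 0 { next }
        f == 1 { zone[$1] = 1 }
        f == 2 && !($1 in zone) { bad("interfaces: undefined zone " $1) }
        f == 3 {
            if ($1 != "all" && !($1 in zone)) bad("policy: undefined source zone " $1)
            if ($2 != "all" && !($2 in zone)) bad("policy: undefined dest zone " $2)
            last = $1 " " $2 " " $3
        }
        END {
            if (last != "all all REJECT" && last != "all all DROP")
                bad("policy: final rule is not a catch-all REJECT/DROP")
            print n + 0
        }' "$1/zones" "$1/interfaces" "$1/policy"
}
```

The page's own policy passes the check, but note what it grants: 'vpn all ACCEPT' lets anything arriving over the tunnel reach both LAN segments and the gateway itself, so the remote VPN network is trusted as much as the local one.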