Experiences with OpenVPN-client on ALIX.2D3: Difference between revisions
Revision history: Dubiousjim, minor edit (RealCase OpenVPN-client on ALIX.2D3 moved to Experiences with OpenVPN-client on ALIX.2D3: "RealCase" sounded like a brand name); minor edit (> category: VPN)
Revision as of 12:12, 25 October 2019
OpenVPN client on ALIX.2D3
We needed to connect a Remote Desktop client (a thin client) and a SIP phone to an OpenVPN network to be able to reach some services.
It was not possible to install OpenVPN on either the thin client or the SIP phone, so we needed an OpenVPN gateway.
We bought an ALIX.2D3 which would act as gateway for the various clients. This board has 3 NICs, a small size, and doesn't consume much power.
Preparing the ALIX
The ALIX board runs its operating system from a CF card.
Installation of Alpine Linux
The Installing Alpine on Compact Flash article contains all information about the installation of Alpine Linux.
Connecting to the ALIX board
The board has no graphics card, so before we get the network configured, we need to configure it through a serial connection.
We need to modify the 'syslinux.cfg' which is now on our CF card.
Append the following to the lines that start with 'append':
console=tty1,38400 console=ttyS0,9600
This will cause the console to be displayed on the serial port.
Now you can attach a computer to your ALIX with a serial cable and set your serial terminal program to listen at 9600/8/N/1.
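The edit described above is easy to get wrong by hand (a missed 'append' line, or the parameters pasted twice after a reinstall). The following shell script is an added example, not part of the original page: it appends the serial-console parameters to every 'append' line of a syslinux.cfg exactly once, so it can be re-run safely. The file path is whatever your CF card is mounted at; the sample syslinux.cfg used in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the original wiki page): put the serial-console
# parameters on every "append" line of a syslinux.cfg, idempotently.

SERIAL_CONSOLE='console=tty1,38400 console=ttyS0,9600'

# enable_serial_console FILE
# Appends $SERIAL_CONSOLE to each line that starts with "append" (leading
# whitespace allowed) and does not already mention console=ttyS0.
# Returns 0 on success, 1 if FILE does not exist.
enable_serial_console() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    tmp="$file.tmp.$$"
    awk -v params="$SERIAL_CONSOLE" '
        /^[[:space:]]*append/ && $0 !~ /console=ttyS0/ { $0 = $0 " " params }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# count_serial_consoles FILE
# Prints how many "append" lines carry the serial console (0 if none).
# Running enable_serial_console twice must still leave this at one per label.
count_serial_consoles() {
    grep -c '^[[:space:]]*append.*console=ttyS0' "$1" || true
}

# Usage, with the CF card mounted at a path of your choosing (assumed here):
#   enable_serial_console /mnt/cf/syslinux.cfg
```

After running it, `grep append /mnt/cf/syslinux.cfg` (adjust the mount path) should show each kernel entry ending in the two console= parameters.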
Mounting
The CF card was mounted in the ALIX board and the board was mounted in the enclosure.
setup-alpine
We connected to our ALIX board through the serial console and could start configuring it.
A nice command is available to set up the basic settings for a new Alpine box:
setup-alpine
setup-webconf
Next we want to configure/install the ACF (web configuration) that gives you the possibility to administer your box with a web browser:
setup-webconf
The box now has an ACF running and you can start browsing this box.
But first you need to attach it to a network and figure out what IP address it got.
Because we are running Alpine_1.8 we need to change the default user/password by using a web browser to
- go to https://{ip_of_our_ALIX_box}/
- Login with username=alpine password=test123
- Choose 'User management' from the menu at left, delete the existing default accounts and create a new one
Time
We will need to set the clock in this box.
Accurate time is needed by openvpn.
Install required packages
- System > Packages > Available > acf-openntpd > "Install"
Configure openntpd to set the time by going to the {config} tab and entering the following settings:
- Check/Activate the box "Set time on startup"
- Confirm that the "Multiple servers" box holds a record to a valid NTP server pool (e.g. 'pool.ntp.org')
- Confirm that all other boxes are empty (unless you have reason to do otherwise)
Finish it up by pressing [Save].
Now you should [Start] the service and confirm that it started up as expected (the result is shown on top of the page where you pressed [Start]).
Now we need to make sure the process starts at next reboot
- Applications > NTP(openntp) > Status > "Schedule autostart"
We chose the following values
- Startup Sequence = 30
- Add kill link for shutdown = Yes
Saved our settings with [Save] button
sshd
Install required packages
- System > Packages > Available > acf-openssh > "Install"
We put our public keys in it to be able to administer this box remotely:
- Applications > ssh > Authorized users > root "Edit this account"
Paste your keys in the 'SSH Certificate Contents' box and press [Save].
To increase security we need to turn off 'PasswordAuthentication'.
We also want to speed up connection setup by turning off reverse DNS lookups.
In the {Expert} tab make sure you have the following settings and then [Save] your changes:
PasswordAuthentication no
UseDNS no
Now we need to make sure the process starts at next reboot
- Applications > ssh > Status > "Schedule autostart"
We chose the following values
- Startup Sequence = 40
- Add kill link for shutdown = Yes
Saved our settings with [Save] button
dhcpd
Install required packages
- System > Packages > Available > acf-dhcp > "Install"
Now we can start configuring dhcpd
- Networking > DHCP > Config
We configured the global settings and added a subnet to give out IP addresses.
We need to modify some values from the {Expert} tab.
Update the config with the following values (and press [Save] when done).
ddns-update-style ad-hoc;
The eth2 clients should have Internet access. They will probably need a different DNS server than the clients on eth1, which get their DNS records from an internal DNS server. So we are going to install dnscache (see instructions below) and we need to tell dhcpd to configure the clients connected to eth2 to use this box as DNS server.
Next we need to tell dhcpd which NICs to listen on
vi /etc/conf.d/dhcpd
Modify the file so it looks like this:
DHCPD_IFACE="eth1 eth2"
Back to ACF and we now start up dhcp
- Networking > DHCP > Config > [Start]
Now we need to make sure the process starts at next reboot
- Applications > dhcp > Status > "Schedule autostart"
We chose the following values
- Startup Sequence = 90
- Add kill link for shutdown = Yes
Saved our settings with [Save] button
dnscache
The Internet clients will be attached to eth2 interface. Those clients need to resolve internet addresses. We will install dnscache to help the clients to get what they need.
Install required packages
- System > Packages > Available > acf-dnscache > "Install"
Configure it on the {config} tab.
- "IP address to listen on" = (The IP-address of eth2)
Commit your changes by pressing [Save]
We also need to specify which clients are allowed to resolve addresses through dnscache.
This is done on the {Allowed Clients} tab.
Enter the IP prefixes of the clients that should be able to resolve DNS through dnscache in the field "IP prefixes to respond to".
Now we need to make sure the process starts at next reboot
- Networking > DNScache > Status > "Schedule autostart"
We chose the following values
- Startup Sequence = 65
- Add kill link for shutdown = Yes
Saved our settings with [Save] button
openvpn
Install required packages
- System > Packages > Available > acf-openvpn > "Install"
Now we need to make sure the process starts at next reboot
- Networking > openvpn > Status > "Schedule autostart"
We chose the following values
- Startup Sequence = 80
- Add kill link for shutdown = Yes
Saved our settings with [Save] button
Next we create a config-file called 'openvpn.conf'
- Networking > openvpn > config > (write 'openvpn.conf' in the "file name" field and then press [Create])
Now we have a record called 'openvpn.conf' in the list; it's time to configure it by choosing the "Expert" action.
Our file looks something like this:
client
dev tun
proto udp
remote "public IP" 1194
resolv-retry infinite
nobind
ns-cert-type server
persist-key
persist-tun
ca /etc/ssl/openvpn/cacert.pem
cert /etc/ssl/openvpn/mycert.pem
key /etc/ssl/openvpn/mykey.pem
comp-lzo
verb 3
We created the certificates and put them on this box by following the http://wiki.alpinelinux.org/w/index.php?title=Generating_SSL_certs_with_ACF_1.9 instructions.
We need to create the 'dh' file by using the console and typing the following command:
cd /etc/ssl/openvpn/ && openssl dhparam -out dh1024.pem 1024
firewall
Install required packages
- System > Packages > Available > acf-shorewall > "Install"
Enable Shorewall at startup from the console:
sed -i 's/^STARTUP_ENABLED.*/STARTUP_ENABLED=Yes/' /etc/shorewall/shorewall.conf
Now from the expert tab you modify the following config files.
zones
#ZONE TYPE
fw firewall
inet ipv4
eth1 ipv4
eth2 ipv4
vpn ipv4
interfaces
#ZONE INTERFACE BROADCAST OPTIONS
inet eth0
eth1 eth1 detect dhcp
eth2 eth2 detect dhcp
vpn tun+ detect
policy
#SOURCE DEST POLICY
vpn all ACCEPT
eth1 vpn ACCEPT
eth2 vpn ACCEPT
all all REJECT
rules
#ACTION SOURCE DEST PROTO DEST PORT
ACCEPT all fw tcp 22
ACCEPT eth1 fw tcp 80,443
ACCEPT eth2 fw tcp 80,443
ACCEPT vpn fw tcp 80,443
DNS/ACCEPT eth2 fw
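Shorewall evaluates the policy file top-down and applies the first line whose SOURCE and DEST match (with `all` matching any zone), after the rules file has been consulted for specific ports. The script below is an added example, not part of the page or of Shorewall: it implements that lookup over a constructed copy of the policy file shown above, so you can see which zone pair ends up on which line before loading the firewall. Note that with the policy exactly as written, a lookup for eth2 → inet finds no specific entry and falls through to the final `all all REJECT` line; if the eth2 clients are meant to reach the Internet, an entry for that pair has to be present.

```shell
#!/bin/sh
# Added example (not from the original page): resolve which Shorewall policy
# applies to a (source zone, destination zone) pair, first match wins,
# "all" matches any zone. Rules (per-port exceptions) are not modelled here.

# Constructed copy of the policy file on this page.
SAMPLE_POLICY='#SOURCE DEST POLICY
vpn all ACCEPT
eth1 vpn ACCEPT
eth2 vpn ACCEPT
all all REJECT'

# policy_for SRC DST [FILE]
# Prints the POLICY column of the first matching line of FILE (or of the
# constructed sample when FILE is omitted). Prints nothing if no line matches.
policy_for() {
    src=$1; dst=$2
    if [ -n "$3" ]; then input=$(cat "$3"); else input=$SAMPLE_POLICY; fi
    printf '%s\n' "$input" | awk -v s="$src" -v d="$dst" '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print $3; exit }
    '
}

# zones_without_inet_access [FILE]
# Lists the internal zones whose policy towards "inet" is not ACCEPT, one per
# line, so a missing Internet-access policy is visible before deployment.
zones_without_inet_access() {
    for z in eth1 eth2 vpn; do
        [ "$(policy_for "$z" inet "$@")" = "ACCEPT" ] || printf '%s\n' "$z"
    done
}

# Usage on the box (path is Shorewall's default, assumed here):
#   policy_for eth2 inet /etc/shorewall/policy
#   zones_without_inet_access /etc/shorewall/policy
```

Running `zones_without_inet_access` against the sample prints `eth1` and `eth2`; only `vpn` reaches inet, via the `vpn all ACCEPT` line.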
Now we need to make sure the process starts at next reboot
- Networking > Firewall > Status > "Schedule autostart"
We chose the following values
- Startup Sequence = 26
- Add kill link for shutdown = Yes
Saved our settings with [Save] button
Rotate logs
We have limited memory on this box, so we need to make sure the log files do not flood its memory.
Let's activate rotation on /var/log/messages:
- System > System Logging > Config
- "Max size (KB) before rotate" = 1000
- "Number of rotate logs to keep" = 5
Finish your settings by pressing the [Save] button below your configuration.
Then you need to restart syslog by pressing [Restart] on the same page.
Save changes
At this point we have made various settings to our system. It's now time to make sure they stay even if we need to reboot the box (or if it gets powered off for some other reason).
First we need to install the ACF-module for lbu
- System > Packages > Available > acf-alpine-conf > "Install"
Now we have a 'Local backups' entry in the menu (go there).
There is a {Config} tab to configure e.g. where we want to save our configs (we chose usb).
In the "Included item(s)" box we added "root/.ssh/" so that the SSH keys we added earlier would be permanently saved.
Now go back to the {Status} tab and commit the save by pressing the [Commit] button.
Now your changes should be permanently saved to your USB.