Experiences with OpenVPN-client on ALIX.2D3: Difference between revisions

From Alpine Linux
Revision as of 17:44, 25 July 2021

OpenVPN client on ALIX.2D3

We needed to connect a Remote Desktop client (a thin client) and a SIP phone to an OpenVPN network to be able to reach some services.
It was not possible to install OpenVPN on either the thin client or the SIP phone, so we needed an OpenVPN gateway.

We bought an ALIX.2D3 to act as gateway for the various clients. This board has 3 NICs, is small, and doesn't consume much power.

Preparing the ALIX board

The ALIX board runs its operating system from a Compact Flash card.

Installing Alpine Linux

The Installing Alpine on Compact Flash article contains all information about the installation of Alpine Linux.

Note: The ALIX hardware is not capable of running 64 bit software. Use the x86 version of Alpine.

Connecting to the ALIX board

The board has no graphic interface, so before we get the network configured, we need to configure it through a serial connection.

We need to modify the 'syslinux.cfg' which is now on our CF card.

Append the following to the lines that start with 'append'.

console=tty1,38400 console=ttyS0,9600

This will send the console output to the serial port.

Now you can attach a computer to your ALIX with a serial cable and a terminal program configured to 9600/8/N/1.
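The syslinux.cfg change above can also be applied from a script, which is handy when the card is re-imaged. The following is an added example and not part of the wiki article: it adds the two console parameters to every 'append' line, skips lines that already carry a ttyS0 console so it can be re-run safely, and counts the result. The sample syslinux.cfg is constructed for the demo; on the real card the file is the one the Alpine CF installation wrote.

```shell
#!/bin/sh
# Added example, not part of the wiki article: apply the syslinux.cfg change
# from a script, idempotently, and verify it. The sample file below is
# constructed for the demo.

CONSOLE_ARGS="console=tty1,38400 console=ttyS0,9600"

DEMO_DIR=$(mktemp -d)
# Constructed sample with two boot entries, neither of which has a serial console yet.
cat > "$DEMO_DIR/syslinux.cfg" <<'EOF'
timeout 20
prompt 1
default grsec
label grsec
  kernel /boot/grsec
  append initrd=/boot/grsec.gz modules=loop,squashfs quiet
label vanilla
  kernel /boot/vanilla
  append initrd=/boot/vanilla.gz modules=loop,squashfs quiet
EOF

# enable_serial_console FILE: add CONSOLE_ARGS to every line starting with
# 'append' (leading whitespace allowed) that does not already set a ttyS0
# console, so running it twice does not duplicate the parameters.
enable_serial_console() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    sed -e '/console=ttyS0/!s|^\([[:space:]]*append[[:space:]].*\)$|\1 '"$CONSOLE_ARGS"'|' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# serial_append_count FILE: how many 'append' lines carry the serial console.
serial_append_count() {
    grep -c '^[[:space:]]*append[[:space:]].*console=ttyS0,9600' "$1"
}

# append_line_count FILE: how many 'append' lines there are in total.
append_line_count() {
    grep -c '^[[:space:]]*append[[:space:]]' "$1"
}

enable_serial_console "$DEMO_DIR/syslinux.cfg"
echo "$(serial_append_count "$DEMO_DIR/syslinux.cfg") of $(append_line_count "$DEMO_DIR/syslinux.cfg") append lines now use the serial console"
```

Both console= parameters are kept, so the kernel still writes to the VGA console (tty1) if a card is later used in a board that has one, while ttyS0 at 9600 baud matches the terminal setting given above.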

Mounting

The CF card was mounted in the ALIX board and the board was mounted in an enclosure.


setup-alpine

The command to configure the basic settings for a new Alpine box is:

setup-alpine


setup-webconf

Next we want to install and configure ACF (web configuration), which lets you administer your box via a web browser:

setup-webconf

The box now has ACF running and you can start browsing it.
But first you need to attach it to a network and determine the IP address it received.

Because we are running Alpine_1.8 we need to change the default user/password via a web browser:

  • Go to https://{ip_of_our_ALIX_box}/
  • Log in with username=alpine password=test123
  • Choose 'User management' from the menu on the left, delete the existing default accounts and create a new one
Note: From now on we use ACF to do our configuration and installation. If we need to use the console, we'll specify that.

Time

We need to set the clock on this box.
OpenVPN needs the correct time.

Install required packages

  • System > Packages > Available > acf-openntpd > "Install"

Configure openntp to set the time by going to the {config} tab and entering the following settings:

  • Check/Activate the box "Set time on startup"
  • Confirm that the "Multiple servers" box contains a record of a valid ntp server (e.g. 'pool.ntp.org')
  • Confirm that all other boxes are empty (unless you have reason to do otherwise)

Finish by pressing [Save]

[Start] the service and confirm that it is running (the result is shown at the top of the page where you pressed [Start]).

Now we need to make sure the process starts at next reboot

  • Applications > NTP(openntp) > Status > "Schedule autostart"

Choose the following values:

  • Startup Sequence = 30
  • Add kill link for shutdown = Yes

Save the settings with the [Save] button


sshd

Install required packages

  • System > Packages > Available > acf-openssh > "Install"

We put our private keys in it to be able to administer this box remotely

  • Applications > ssh > Authorized users > root "Edit this account"

Paste the keys in the 'SSH Certificate Contents' box and press [Save]

To increase security, we need to disable 'PasswordAuthentication'.
We can speed up the connection by disabling DNS requests.
Under the {Expert} tab make sure you have the following settings, then [Save] your changes.

PasswordAuthentication no
UseDNS no
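A detail worth checking after editing the file in the Expert tab: sshd takes the first occurrence of a keyword, so a 'PasswordAuthentication no' that ends up below an earlier 'PasswordAuthentication yes' changes nothing. (Related: the 'Authorized users' box above holds the public halves of the key pairs, i.e. what goes into authorized_keys; the private keys stay on the administrator's workstation.) The following is an added example, not code from the article, that resolves the effective value the way sshd does and audits the two settings; the sample config files and helper names are constructed for the demo, and it treats a keyword that is not set explicitly as non-compliant.

```shell
#!/bin/sh
# Added example, not from the wiki article: verify that the two sshd_config
# settings are actually in effect. sshd uses the FIRST occurrence of a
# keyword; keywords are case-insensitive; a Match block ends the global
# section. The sample files are constructed; on the box the file is
# /etc/ssh/sshd_config.

DEMO_DIR=$(mktemp -d)

# Constructed: hardening lines appended at the end, underneath an earlier
# 'yes' that remains effective.
cat > "$DEMO_DIR/sshd_config.trap" <<'EOF'
Port 22
Protocol 2
PasswordAuthentication yes
# --- added via ACF Expert tab ---
passwordauthentication no
UseDNS no
EOF

# Constructed: the hardening lines placed before any conflicting keyword.
cat > "$DEMO_DIR/sshd_config.good" <<'EOF'
Port 22
Protocol 2
PasswordAuthentication no
UseDNS no
EOF

# sshd_effective FILE KEYWORD: value sshd would use for KEYWORD (global section only).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# sshd_audit FILE: 0 if PasswordAuthentication=no and UseDNS=no are both
# effective, otherwise 1 with one line per deviation.
sshd_audit() {
    status=0
    for pair in PasswordAuthentication:no UseDNS:no; do
        kw=${pair%%:*}; want=${pair#*:}
        have=$(sshd_effective "$1" "$kw")
        if [ "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "$1: $kw is '${have:-unset}', expected $want"
            status=1
        fi
    done
    return $status
}

sshd_audit "$DEMO_DIR/sshd_config.trap" || echo "trap file fails the audit, as expected"
sshd_audit "$DEMO_DIR/sshd_config.good" && echo "good file passes the audit"
```

On the box itself, `sshd -T` (any reasonably current OpenSSH) prints the effective configuration and is the authoritative check; the awk above only reproduces the first-match rule so you can see why a late edit did not take effect.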

To make sure the process starts at next reboot:

  • Applications > ssh > Status > "Schedule autostart"

Choose the following values:

  • Startup Sequence = 40
  • Add kill link for shutdown = Yes

Save the settings with the [Save] button


dhcpd

Install required packages

  • System > Packages > Available > acf-dhcp > "Install"

Now we can start configuring dhcpd

  • Networking > DHCP > Config

We configure the global settings and add a subnet to give out IP addresses.

We need to modify some values from the {Expert} tab.
Update the config with the following values (and press [Save] when done).

ddns-update-style ad-hoc;

The eth2 clients should have Internet access. They will probably need a different DNS server than the clients on eth1, which get their DNS records from an internal DNS server. So we will install dnscache (see instructions below) and we need to tell dhcp to configure the clients connected to eth2 to use this black box as their DNS server.

Next we need to tell dhcpd which NICs to listen on.

Note: This needs to be done from the console because ACF-dhcp lacks this feature.

vi /etc/conf.d/dhcpd

Modify the file so it looks like this:

DHCPD_IFACE="eth1 eth2"

Back to ACF. Start DHCP.

  • Networking > DHCP > Config > [Start]

Now we need to make sure the process starts at next reboot

  • Applications > dhcp > Status > "Schedule autostart"

Choose the following values:

  • Startup Sequence = 90
  • Add kill link for shutdown = Yes

Save the settings with the [Save] button

dnscache

The Internet clients will be attached to the eth2 interface. Those clients need to resolve internet addresses. We will install dnscache to help the clients get what they need.

Install required packages

  • System > Packages > Available > acf-dnscache > "Install"

Configure it on the {config} tab.

  • "IP address to listen on" = (The IP address of eth2)

Commit the changes by pressing [Save]

We also need to specify which clients are allowed to resolve addresses from DNScache.
This is done at the {Allowed Clients} tab.
Enter the IP addresses that should be able to resolve DNS from dnscache in the field "IP prefixes to respond to".

Note: If your clients have IPs 10.0.0.2-10.0.0.254 you can enter the value "10.0.0"

To make sure the process starts at next reboot:

  • Networking > DNScache > Status > "Schedule autostart"

Choose the following values:

  • Startup Sequence = 65
  • Add kill link for shutdown = Yes

Save the settings with the [Save] button

openvpn

Install required packages

  • System > Packages > Available > acf-openvpn > "Install"

To make sure the process starts at next reboot:

  • Networking > openvpn > Status > "Schedule autostart"

Choose the following values:

  • Startup Sequence = 80
  • Add kill link for shutdown = Yes

Save the settings with the [Save] button

Next, create a configuration file called 'openvpn.conf'

  • Networking > openvpn > config > (write 'openvpn.conf' in the "file name" field then press [Create])

Now we have a record called 'openvpn.conf' in the list. Configure it by choosing the "Expert" action.

Our file looks something like this:

client
dev tun
proto udp
remote "public IP" 1194
resolv-retry infinite
nobind
ns-cert-type server
persist-key
persist-tun
ca /etc/ssl/openvpn/cacert.pem
cert /etc/ssl/openvpn/mycert.pem
key /etc/ssl/openvpn/mykey.pem
comp-lzo
verb 3

Create the certificates and install them by following the instructions at: http://wiki.alpinelinux.org/w/index.php?title=Generating_SSL_certs_with_ACF_1.9.
Create the 'dh' file by typing the following command via the console:

cd /etc/ssl/openvpn/ && openssl dhparam -out dh1024.pem 1024
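Before starting the service it pays to check that the files the config points at are in place and that the private key is not readable by anyone but root. The following is an added example, not code from the article or from OpenVPN: it parses a client config in the shape shown above, verifies the ca/cert/key paths, checks the key's mode, and flags the server-certificate check. That last point is a fact about current OpenVPN, not about this article: 'ns-cert-type server' was deprecated in OpenVPN 2.4 and removed in 2.5, and 'remote-cert-tls server' is its replacement, so a config copied from this page onto a newer Alpine would be refused. The config, directory and placeholder PEM files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the wiki article: sanity-check an OpenVPN client
# config before starting the service. Paths are created under a temporary
# directory so this runs offline; on the ALIX they are the
# /etc/ssl/openvpn/ files the article's config references.

DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/etc/ssl/openvpn"
# Constructed placeholders standing in for the real PEM material.
printf 'placeholder CA cert\n'     > "$DEMO_DIR/etc/ssl/openvpn/cacert.pem"
printf 'placeholder client cert\n' > "$DEMO_DIR/etc/ssl/openvpn/mycert.pem"
printf 'placeholder private key\n' > "$DEMO_DIR/etc/ssl/openvpn/mykey.pem"
chmod 644 "$DEMO_DIR/etc/ssl/openvpn/mykey.pem"   # deliberately too permissive

# Constructed copy of the article's config with the demo paths substituted.
cat > "$DEMO_DIR/openvpn.conf" <<EOF
client
dev tun
proto udp
remote "public IP" 1194
resolv-retry infinite
nobind
ns-cert-type server
persist-key
persist-tun
ca $DEMO_DIR/etc/ssl/openvpn/cacert.pem
cert $DEMO_DIR/etc/ssl/openvpn/mycert.pem
key $DEMO_DIR/etc/ssl/openvpn/mykey.pem
comp-lzo
verb 3
EOF

# conf_value FILE DIRECTIVE: first value of DIRECTIVE, empty if absent.
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# check_openvpn_conf FILE: prints one line per finding; exit status is the
# number of findings, so 0 means the config passed.
check_openvpn_conf() {
    conf="$1"; findings=0
    for directive in ca cert key; do
        path=$(conf_value "$conf" "$directive")
        if [ -z "$path" ]; then
            echo "missing directive: $directive"; findings=$((findings + 1))
        elif [ ! -r "$path" ]; then
            echo "$directive file not readable: $path"; findings=$((findings + 1))
        fi
    done
    # The private key must not be readable by group or others (mode ?00).
    key=$(conf_value "$conf" key)
    if [ -n "$key" ] && [ -r "$key" ]; then
        mode=$(stat -c %a "$key")
        case "$mode" in
            ?00) ;;
            *) echo "private key $key has mode $mode, expected 600"; findings=$((findings + 1)) ;;
        esac
    fi
    # Server-certificate check: ns-cert-type was removed in OpenVPN 2.5.
    if [ -z "$(conf_value "$conf" remote-cert-tls)" ]; then
        if [ -n "$(conf_value "$conf" ns-cert-type)" ]; then
            echo "ns-cert-type is obsolete (removed in OpenVPN 2.5); use 'remote-cert-tls server'"
        else
            echo "no server certificate check at all; add 'remote-cert-tls server'"
        fi
        findings=$((findings + 1))
    fi
    return "$findings"
}

if check_openvpn_conf "$DEMO_DIR/openvpn.conf"; then
    echo "openvpn.conf: no findings"
else
    echo "openvpn.conf: $? finding(s)"
fi
```

As written the demo reports two findings (the 644 key and the obsolete directive); after `chmod 600` on the key and replacing the 'ns-cert-type server' line with 'remote-cert-tls server' it reports none. Without either directive a client would accept any certificate signed by the CA as the server, including another client's.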


firewall

Install required packages

  • System > Packages > Available > acf-shorewall > "Install"

Then, from the console, allow Shorewall to start:

sed -i 's/^STARTUP_ENABLED.*/STARTUP_ENABLED=Yes/' /etc/shorewall/shorewall.conf

Modify the following config files at the Expert tab.

zones

#ZONE	TYPE
fw      firewall
inet    ipv4
eth1    ipv4
eth2    ipv4
vpn     ipv4

interfaces

#ZONE   INTERFACE	BROADCAST	OPTIONS
inet    eth0
eth1    eth1            detect          dhcp
eth2    eth2            detect          dhcp
vpn     tun+            detect

policy

#SOURCE		DEST		POLICY
vpn             all             ACCEPT
eth1            vpn             ACCEPT
eth2            vpn             ACCEPT
all             all             REJECT

rules

#ACTION		SOURCE    DEST     PROTO   DEST PORT
ACCEPT          all       fw       tcp     22
ACCEPT          eth1      fw       tcp     80,443
ACCEPT          eth2      fw       tcp     80,443
ACCEPT          vpn       fw       tcp     80,443
DNS/ACCEPT      eth2      fw
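Shorewall evaluates the rules file first and falls back to the zone-pair policy only when no rule matches, and in both files the first matching line wins. The following is an added example, not from the article or from Shorewall itself, that replays that order over the policy and rules files shown above so you can predict what the firewall will do with a given packet before starting it. The file contents are the article's; the DNS macro expansion (tcp and udp port 53) is Shorewall's macro.DNS; the helper names and the demo directory are constructed.

```shell
#!/bin/sh
# Added example, not part of the wiki article: resolve the effective action
# for a packet the way Shorewall does (rules first, then policy, first match
# wins), using the policy and rules files from the article.

DEMO_DIR=$(mktemp -d)

cat > "$DEMO_DIR/policy" <<'EOF'
#SOURCE		DEST		POLICY
vpn             all             ACCEPT
eth1            vpn             ACCEPT
eth2            vpn             ACCEPT
all             all             REJECT
EOF

cat > "$DEMO_DIR/rules" <<'EOF'
#ACTION		SOURCE    DEST     PROTO   DEST PORT
ACCEPT          all       fw       tcp     22
ACCEPT          eth1      fw       tcp     80,443
ACCEPT          eth2      fw       tcp     80,443
ACCEPT          vpn       fw       tcp     80,443
DNS/ACCEPT      eth2      fw
EOF

# policy_for SRC DEST: POLICY column of the first policy line matching the zone pair.
policy_for() {
    awk -v src="$1" -v dst="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        ($1 == src || $1 == "all") && ($2 == dst || $2 == "all") { print $3; exit }
    ' "$DEMO_DIR/policy"
}

# rule_for SRC DEST PROTO PORT: ACTION of the first matching rule, or nothing.
# The DNS macro (macro.DNS) stands for tcp and udp to port 53.
rule_for() {
    awk -v src="$1" -v dst="$2" -v proto="$3" -v port="$4" '
        /^[ \t]*#/ || NF == 0 { next }
        {
            action = $1; rsrc = $2; rdst = $3; rproto = $4; rports = $5
            if (action == "DNS/ACCEPT") { action = "ACCEPT"; rproto = "tcp,udp"; rports = "53" }
            if (rsrc != src && rsrc != "all") next
            if (rdst != dst && rdst != "all") next
            if (rproto != "" && index("," rproto ",", "," proto ",") == 0) next
            if (rports != "" && index("," rports ",", "," port ",") == 0) next
            print action; exit
        }
    ' "$DEMO_DIR/rules"
}

# effective_action SRC DEST PROTO PORT: what Shorewall does with such a packet.
effective_action() {
    action=$(rule_for "$1" "$2" "$3" "$4")
    if [ -n "$action" ]; then
        echo "$action"
    else
        policy_for "$1" "$2"
    fi
}

# Demo: a few packets this gateway will see.
for pkt in "eth2 fw udp 53" "eth1 fw udp 53" "eth2 inet tcp 443" "vpn eth1 tcp 3389"; do
    set -- $pkt
    echo "$1 -> $2 $3/$4: $(effective_action "$1" "$2" "$3" "$4")"
done
```

Two consequences of these files are visible from the output: only eth2 may query the gateway's dnscache (eth1 to fw on port 53 falls through to the REJECT policy, consistent with the eth1 clients using the internal DNS server), and eth2 to inet is rejected by policy, so the eth2 clients' Internet traffic can only leave through the vpn zone.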

To make sure the process starts at next reboot:

  • Networking > Firewall > Status > "Schedule autostart"

Choose the following values:

  • Startup Sequence = 26
  • Add kill link for shutdown = Yes

Save the settings with the [Save] button

Rotate logs

We have limited storage on this box, so we must prevent the log files from becoming too large.

To do that, activate rotation on /var/log/messages

  • System > System Logging > Config
    • "Max size (KB) before rotate" = 1000
    • "Number of rotate logs to keep" = 5

Finish by pressing the [Save] button below your configuration.
Restart syslog by pressing [Restart] on the same page.


Save changes

At this point we have made various changes to the system. To ensure they persist, first install the ACF module for lbu:

  • System > Packages > Available > acf-alpine-conf > "Install"

Now we have 'Local backups' in the menu (go there).

Use the {Config} tab to set the location to save the configs to (we chose usb).
In the "Included item(s)" box add "root/.ssh/" so the ssh-keys we added earlier will be saved permanently.

Use the {Status} tab to commit the save by pressing the [Commit] button.
Your changes should be saved permanently to your USB media.