Experiences with OpenVPN-client on ALIX.2D3

From Alpine Linux
Revision as of 08:19, 3 August 2009 by Mhavela (talk | contribs) (→‎openvpn: DH notes)

OpenVPN client on ALIX.2D3

We needed to connect a RemoteDesktop client (a thin client) and a SIP phone to an OpenVPN network to be able to reach some services.
It was not possible to install openvpn on either the thin client or the SIP phone, so we needed an OpenVPN gateway.

We bought an ALIX.2D3 which would act as gateway for the various clients.
(This board has 3 NICs.)

Preparing the ALIX

The ALIX board was shipped with an enclosure and a CF card.

Prepare CF

Installing_Alpine_on_Compact_Flash has instructions on how to prepare a CF.
Basically we followed this doc (except that we used Alpine-1.8.3 instead of installing Alpine-1.9).

Connecting to the ALIX board

The board has no graphics card, so before we get the network configured, we need to configure it through a serial cable.
We need to modify the 'syslinux.cfg' which is now on our CF card.

Append the following to the lines that start with 'append'.

console=tty1,38400 console=ttyS0,9600

This will cause the console to be displayed on the serial port.

Now you can attach a computer to your ALIX with a serial cable and set your serial program to listen at 9600/8/N/1.


The CF-card was mounted in the ALIX-board and the board was mounted in the enclosure.


We connected to our ALIX board through the serial console and could start configuring it.
A nice command is available to set up the basic settings for a new Alpine box.



Next we want to configure/install ACF (the web configuration interface), which gives you the possibility to administer your box with a web browser.


The box now has ACF running and you can start browsing it.
But first you need to attach it to a network and figure out what IP address it got.

Because we are running Alpine_1.8 we need to change the default user/password by using a web browser:

  • go to https://{ip_of_our_ALIX_box}/
  • Login with username=alpine password=test123
  • Choose 'User management' from the menu at left, delete the existing default accounts and create a new


We will need to set the clock in this box.
Accurate time is needed by openvpn.

From your console, run the following command:

rc_add -vks 30 rdate

Note: From now on we use ACF to do our configuration and installation.
If we need to use the console, you will be instructed.


Install required packages

  • System > Packages > Available > acf-openssh > "Install"

We put our SSH public keys in it (the authorized keys for root) to be able to administer this box remotely.

  • Applications > ssh > Authorized users > root "Edit this account"

Paste your public keys into the 'SSH Certificate Contents' box and press [Save].

To increase security we need to disable 'PasswordAuthentication', so that only the keys added above can log in.
We also want to speed up connections by disabling the reverse DNS lookups sshd does on each connecting client.
In the {Expert} tab make sure you have the following settings and then [Save] your changes.

PasswordAuthentication no
UseDNS no

Now we need to make sure the process starts at next reboot

  • Applications > ssh > Status > "Schedule autostart"

We chose the following values

  • Startup Sequence = 40
  • Add kill link for shutdown = Yes

Saved our settings with [Save] button


Install required packages

  • System > Packages > Available > acf-dhcp > "Install"

Now we can start configuring dhcpd

  • Networking > DHCP > Config

We configured the global settings and added a subnet to give out IP-addresses.

We need to modify some values from the {Expert} tab.
Update the config with the following values (and press [Save] when done).

ddns-update-style ad-hoc;

Next we need to tell dhcpd which NICs to listen on.
Note: This needs to be done from the console because acf-dhcp does not yet offer a way to set this.

vi /etc/conf.d/dhcpd

Modify the file so it looks like this:

DHCPD_IFACE="eth1 eth2"

Back in ACF we now start dhcp

  • Networking > DHCP > Config > [Start]

Now we need to make sure the process starts at next reboot

  • Applications > dhcp > Status > "Schedule autostart"

We chose the following values

  • Startup Sequence = 90
  • Add kill link for shutdown = Yes

Saved our settings with [Save] button


Install required packages

  • System > Packages > Available > acf-openvpn > "Install"

Now we need to make sure the process starts at next reboot

  • Networking > openvpn > Status > "Schedule autostart"

We chose the following values

  • Startup Sequence = 80
  • Add kill link for shutdown = Yes

Saved our settings with [Save] button

Next we create a config-file called 'openvpn.conf'

  • Networking > openvpn > config > (write 'openvpn.conf' in the "file name" field and then press [Create])

Now we have a record called 'openvpn.conf' in the list, and it's time to configure it by choosing the "Expert" action.

Our file looks something like this:

dev tun
proto udp
remote "public IP" 1194
resolv-retry infinite
ns-cert-type server
ca /etc/ssl/openvpn/cacert.pem
cert /etc/ssl/openvpn/mycert.pem
key /etc/ssl/openvpn/mykey.pem
dh /etc/ssl/openvpn/dh1024.pem
verb 3

We created the certificates and put them on this box by following the http://wiki.alpinelinux.org/w/index.php?title=Generating_SSL_certs_with_ACF_1.9 instructions.
We need to create the 'dh' file from the console by typing the following command (note that OpenVPN documents --dh as required for --tls-server only, so a pure client does not use this file):

cd /etc/ssl/openvpn/ && openssl dhparam -out dh1024.pem 1024


Install required packages

  • System > Packages > Available > acf-shorewall > "Install"

Then, from the console, allow Shorewall to start:

sed -i 's/^STARTUP_ENABLED.*/STARTUP_ENABLED=Yes/' /etc/shorewall/shorewall.conf

Now from the expert tab you modify the following config files (the column layout is the standard Shorewall one, so the files are named here by that layout).

/etc/shorewall/zones (ZONE TYPE):

fw      firewall
inet    ipv4
eth1    ipv4
eth2    ipv4
vpn     ipv4

/etc/shorewall/interfaces (ZONE INTERFACE BROADCAST OPTIONS):

inet    eth0
eth1    eth1            detect          dhcp
eth2    eth2            detect          dhcp
vpn     tun+            detect

/etc/shorewall/policy (SOURCE DEST POLICY):

vpn             all             ACCEPT
eth1            vpn             ACCEPT
eth2            vpn             ACCEPT
all             all             REJECT

/etc/shorewall/rules (ACTION SOURCE DEST PROTO DEST PORT):

ACCEPT          all       fw       tcp     22
ACCEPT          eth1      fw       tcp     80,443
ACCEPT          eth2      fw       tcp     80,443
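To see what this ruleset actually lets through, here is an added Python model of the policy and rules above (our own example, not part of the wiki page and not Shorewall's code); the zone names and ports are the ones from the files, and the sample flows are constructed.

```python
# Added example (not from the wiki page): a simplified model of the Shorewall
# rules and policy above. Rules are consulted before policy, and "all" matches
# every zone, the firewall ("fw") included; nothing else is modelled.
ZONES = {"fw", "inet", "eth1", "eth2", "vpn"}  # names from the zones file

# /etc/shorewall/policy columns: SOURCE DEST POLICY (first match wins)
POLICY = """
vpn   all   ACCEPT
eth1  vpn   ACCEPT
eth2  vpn   ACCEPT
all   all   REJECT
"""

# /etc/shorewall/rules columns: ACTION SOURCE DEST PROTO DEST-PORT(S)
RULES = """
ACCEPT  all   fw  tcp  22
ACCEPT  eth1  fw  tcp  80,443
ACCEPT  eth2  fw  tcp  80,443
"""

def parse(table, fields):
    """Turn a whitespace-separated Shorewall table into a list of dicts."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            rows.append(dict(zip(fields, parts)))
    return rows

def zone_matches(pattern, zone):
    return pattern == "all" or pattern == zone

def verdict(src, dst, proto=None, port=None):
    """ACCEPT or REJECT for a new connection from zone src to zone dst."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone: {src!r} -> {dst!r}")
    for r in parse(RULES, ("action", "src", "dst", "proto", "ports")):
        if (zone_matches(r["src"], src) and zone_matches(r["dst"], dst)
                and r["proto"] == proto
                and str(port) in r["ports"].split(",")):
            return r["action"]
    for p in parse(POLICY, ("src", "dst", "policy")):
        if zone_matches(p["src"], src) and zone_matches(p["dst"], dst):
            return p["policy"]
    return "REJECT"  # not reached here: the last policy line is a catch-all

if __name__ == "__main__":
    # Constructed sample flows for the setup on this page.
    for flow in (("eth1", "vpn", "udp", 5060), ("eth1", "inet", "tcp", 443),
                 ("inet", "fw", "tcp", 22), ("fw", "inet", "udp", 1194)):
        print(*flow, "->", verdict(*flow))
```

The model shows that the thin clients only reach the vpn zone, that SSH on the gateway is reachable from every zone including inet (which is why PasswordAuthentication was disabled above), and that fw -> inet falls through to REJECT, so the gateway's own outbound traffic (the OpenVPN connection to the remote, rdate) needs an explicit ACCEPT policy or rule. Confirm this against the live configuration with `shorewall check` rather than trusting the model.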

Now we need to make sure the process starts at next reboot

  • Networking > Firewall > Status > "Schedule autostart"

We chose the following values

  • Startup Sequence = 26
  • Add kill link for shutdown = Yes

Saved our settings with [Save] button

Save changes

At this point we have made various settings to our system. It's now time to make sure they persist even if we need to reboot the box (or if it gets powered off for some other reason).
First we need to install the ACF module for lbu

  • System > Packages > Available > acf-alpine-conf > "Install"

Now there is a 'Local backups' entry in your menu (go there).

There is a {Config} tab to configure e.g. where we want to save our configs (we chose usb).
In the "Included item(s)" box we added "root/.ssh/" so that the ssh-keys that we added earlier would be permanently saved.

Now back to {Status} tab to commit the save by pressing [Commit] button.
Now your changes should be permanently saved to your USB.