Experiences with OpenVPN-client on ALIX.2D3

From Alpine Linux
Revision as of 04:26, 26 March 2012 by Fab (talk | contribs) (→‎dhcpd)

OpenVPN client on ALIX.2D3

We needed to connect a Remote Desktop client (a thinclient) and a SIP-phone to a OpenVPN network to be able to reach some services.
It was not possible to install OpenVPN in ether the thinclient or the SIP-phone, so we needed a OpenVPN gateway.

We bought a ALIX.2D3 which would act as gateway for the various clients. This board has 3 NICs, a small size, and doesn't consume much power.

Preparing the ALIX

The ALIX board runs operating system from a CF card.

Installation of Alpine Linux

The Installing Alpine on Compact Flash article contains all information about the installation of Alpine Linux.

Note: The ALIX hardware is not capable to run 64 bit software. Use the x86 version Alpine Linux.

Connecting to the ALIX board

The board has no graphic card, so before we get the network configured, we need to configure it through a serial connection.

If you use We need to modify the 'syslinux.cfg' which now is on our CF-card.

Append the following to the lines that start with 'append'.

console=tty1,38400 console=ttyS0,9600

This will cause the console to be displayed on the serial port.

Now you can attach a computer to your ALIX with a serial cable and put your serial-program to listen on 9600/8/N/1

Mounting

The CF card was mounted in the ALIX board and the board was mounted in the enclosure.


setup-alpine

We got connected to your ALIX board through the serial console and could start configuring it.
A nice command is available to setup the basic settings for a new Alpine box.

setup-alpine


setup-webconf

Next we want to configure/install the ACF (web configuration) that gives you posibility to administer your box with a web-browser

setup-webconf

The box now has a ACF running and you can start browsing this box.
But first you need to attach it to a network and figure out what IP address it got.

Because we are running Alpine_1.8 we need to change the default user/password by using a webbrowser to

  • go to https://{ip_of_our_ALIX_box}/
  • Login with username=alpine password=test123
  • Chose 'User management' from the menu at left and delete existing default-accounts and create a new
Note: From now on we use ACF to do our configuration and installation. If we need to use the console, you will be instructed.

Time

We will need to set the clock in this box.
Accurate time is needed by openvpn.

Install required packages

  • System > Packages > Available > acf-openntpd > "Install"

Configure openntp to set time by going to the {config} tab and enter the following settings:

  • Check/Activate the box "Set time on startup"
  • Confirm that the "Multiple servers" box holds a record to a valid ntp-server-pool (e.g. 'pool.ntp.org')
  • Confirm that all other boxes are empty (unless you have reason to do other)

Finnish it up by pressing [Save]

Now you should [Start] the service and confirm that it started up as supposed (the result is shown on top of the page where you pressed [Start])

Now we need to make sure the process starts at next reboot

  • Applications > NTP(openntp) > Status > "Schedule autostart"

We chose the following values

  • Startup Sequence = 30
  • Add kill link for shutdown = Yes

Saved our settings with [Save] button


sshd

Install required packages

  • System > Packages > Available > acf-openssh > "Install"

We put our private keys in it to be able to administer this box remotely

  • Applications > ssh > Authorized users > root "Edit this account"

Pasted our keys in the 'SSH Certificate Contents' box and press [Save]

To increase we need to shut down 'PasswordAuthentication'.
We also want to speed up connection by shutting down DNS requests.
In {Expert} tab make sure you have the following settings and then [Save] your changes.

PasswordAuthentication no
UseDNS no

Now we need to make sure the process starts at next reboot

  • Applications > ssh > Status > "Schedule autostart"

We chose the following values

  • Startup Sequence = 40
  • Add kill link for shutdown = Yes

Saved our settings with [Save] button


dhcpd

Install required packages

  • System > Packages > Available > acf-dhcp > "Install"

Now we can start configuring dhcpd

  • Networking > DHCP > Config

We configured the global settings and added a subnet to give out IP addresses.

We need to modify some values from the {Expert} tab.
Update the config with the following values (and press [Save] when done).

ddns-update-style ad-hoc;

The eth2 clients should have Internet access. They will probably need other DNS server than the clients on eth1 that gets their DNS records from a internal DNS server. So we are going to install dnscache (see instructions below) and we need to tell dhcp to configure the clients connected to eth2 to use this blackbox as DNS server.

Next we need to tell dhcpd which NICs to listen on

Note: This needs to be done from console because ACF-dhcp is missing the feature on how to do this.

vi /etc/conf.d/dhcpd

Modify the file so it looks like this:

DHCPD_IFACE="eth1 eth2"

Back to ACF and we now start up dhcp

  • Networking > DHCP > Config > [Start]

Now we need to make sure the process starts at next reboot

  • Applications > dhcp > Status > "Schedule autostart"

We chose the following values

  • Startup Sequence = 90
  • Add kill link for shutdown = Yes

Saved our settings with [Save] button

dnscache

The Internet clients will be attached to eth2 interface. Those clients need to resolve internet addresses. We will install dnscache to help the clients to get what they need.

Install required packages

  • System > Packages > Available > acf-dnscache > "Install"

Configure it on the {config} tab.

  • "IP address to listen on" = (The IP-address of eth2)

Commit your changes by pressing [Save]

We also need to specify which clients are allowed to resolv addresses from DNScache.
This is done at the {Allowed Clients} tab.
Enter the value of the IP-addresses that should be able to resolve DNS from dnscache in the filed "IP prefixes to respond to".
Note: If your clients has IP 10.0.0.2-10.0.0.254 you could enter the value "10.0.0"

Now we need to make sure the process starts at next reboot

  • Networking > DNScache > Status > "Schedule autostart"

We chose the following values

  • Startup Sequence = 65
  • Add kill link for shutdown = Yes

Saved our settings with [Save] button


openvpn

Install required packages

  • System > Packages > Available > acf-openvpn > "Install"

Now we need to make sure the process starts at next reboot

  • Networking > openvpn > Status > "Schedule autostart"

We chose the following values

  • Startup Sequence = 80
  • Add kill link for shutdown = Yes

Saved our settings with [Save] button

Next we create a config-file called 'openvpn.conf'

  • Networking > openvpn > config > (write 'openvpn.conf' in the "file name" field and then press [Create])

Now we have a record called 'openvpn.conf' in the list, now it's time to configure it by chosing "Expert" action.

Our file looks something like this:

client
dev tun
proto udp
remote "public IP" 1194
resolv-retry infinite
nobind
ns-cert-type server
persist-key
persist-tun
ca /etc/ssl/openvpn/cacert.pem
cert /etc/ssl/openvpn/mycert.pem
key /etc/ssl/openvpn/mykey.pem
comp-lzo
verb 3

Created the certificates and put those on this box by following the http://wiki.alpinelinux.org/w/index.php?title=Generating_SSL_certs_with_ACF_1.9 instructions.
We need to create the 'dh' file by using the console and type the following command

cd /etc/ssl/openvpn/ && openssl dhparam -out dh1024.pem 1024


firewall

Install required packages

  • System > Packages > Available > acf-shorewall > "Install"
sed -i 's/^STARTUP_ENABLED.*/STARTUP_ENABLED=Yes/' /etc/shorewall/shorewall.conf

Now from the expert tab you modify the following config-files.

zones

#ZONE	TYPE
fw      firewall
inet    ipv4
eth1    ipv4
eth2    ipv4
vpn     ipv4

interfaces

#ZONE   INTERFACE	BROADCAST	OPTIONS
inet    eth0
eth1    eth1            detect          dhcp
eth2    eth2            detect          dhcp
vpn     tun+            detect

policy

#SOURCE		DEST		POLICY
vpn             all             ACCEPT
eth1            vpn             ACCEPT
eth2            vpn             ACCEPT
all             all             REJECT

rules

#ACTION		SOURCE    DEST     PROTO   DEST PORT
ACCEPT          all       fw       tcp     22
ACCEPT          eth1      fw       tcp     80,443
ACCEPT          eth2      fw       tcp     80,443
ACCEPT          vpn       fw       tcp     80,443
DNS/ACCEPT      eth2      fw

Now we need to make sure the process starts at next reboot

  • Networking > Firewall > Status > "Schedule autostart"

We chose the following values

  • Startup Sequence = 26
  • Add kill link for shutdown = Yes

Saved our settings with [Save] button

Rotate logs

We have limited mem on this box, so we need to make sure the logfiles does not flood the memory of our box.

Lets activate rotation on /var/log/messages

  • System > System Logging > Config
    • "Max size (KB) before rotate" = 1000
    • "Number of rotate logs to keep" = 5

Finnish you settings by pressing [Save] button below your configuration.
Then you need to restart syslog by pressing [Restart] on the same page.


Save changes

At this point we have made various settings to our system. It's now time to make sure they stay even if we need to reboot the box (or if it get's powered off by some other cause).
First we need to install the ACF-module for lbu

  • System > Packages > Available > acf-alpine-conf > "Install"

Now we have a 'Local backups' in you menu (go there).

There is a {Config} tab to configure e.g. where we want to save our configs (we chose usb).
In the "Included item(s)" box we added "root/.ssh/" so that the ssh-keys that we added earlier would be permanently saved.

Now back to {Status} tab to commit the save by pressing [Commit] button.
Now your changes should be permanently saved to your USB.