ubuntu – Nosce Te Ipsum

Use Linux (Debian/Ubuntu) as a VPN router

October 9, 2011October 9, 2011
by Muhammad

First step would be to make sure that the chosen hardware has a NIC which can easily be found and installed under linux. I had issues getting BM4312 (broadcom) lp-phy (low power) chip to work in my first trial hardware (Dell laptop). Next step is to choose if you wish to use Debian or Ubuntu. Installing server versions are better but remember no GUI by default so if you are GUI lover go with desktop versions and install the server bits you need later.

Once the NICs are operational you need to get the VPN working. This will be different for server and desktop versions. For server you need to install the plugin and create the dialup script (refer to documentation available for the linux flavour you chose). For desktop version the network manager provides easy and graphical way to create this. Once you have the VPN connection configured and tested to work you make the VPN (in our case, PPTP) auto dial after auto-login (Desktop version provides easy way for auto-login). You also need some changes to ip forwarding and firewall to let the traffic from your local network flow via the VPN connection.

For auto-connecting VPN in Desktop (using Network Manager and its VPN plugins) follow the guide below:

create a script file with the code below:
#!/bin/bash # # ############ # SETTINGS # ############ # get_connections_paths() { dbus-send --system --print-reply --dest="$1" "/org/freedesktop/NetworkManagerSettings" "org.freedesktop.NetworkManagerSettings.ListConnections" \ | grep "object path" | cut -d '"' -f2 } # get_connection_settings() { dbus-send --system --print-reply --dest="$1" "$2" org.freedesktop.NetworkManagerSettings.Connection.GetSettings } # get_connection_string_setting() { echo "$1" | grep -A 1 \""$2"\" | grep variant | cut -d '"' -f2 } # get_connection_id() { get_connection_string_setting "$1" "id" } # get_connection_type() { get_connection_string_setting "$1" "type" } # get_device_type_by_connection_type() { echo "$1" | grep -q "ethernet" && echo 1 && return echo "$1" | grep -q "wireless" && echo 2 && return echo 0 } # find_connection_path() { for connection_path in `get_connections_paths "$1"` do connection_settings=`get_connection_settings "$1" "$connection_path"` connection_settings_id=`get_connection_id "$connection_settings"` [ "$connection_settings_id" = "$2" ] && echo "$1" "$connection_path" done } # find_connection_path_everywhere() { find_connection_path "org.freedesktop.NetworkManagerSystemSettings" "$1" find_connection_path "org.freedesktop.NetworkManagerUserSettings" "$1" } # print_connections_ids() { for connection_path in `get_connections_paths "$1"` do connection_settings=`get_connection_settings "$1" "$connection_path"` connection_settings_id=`get_connection_id "$connection_settings"` echo "$connection_settings_id" done } # print_connections_ids_everywhere() { print_connections_ids "org.freedesktop.NetworkManagerSystemSettings" print_connections_ids "org.freedesktop.NetworkManagerUserSettings" } # # ########### # DEVICES # ########### # get_devices_paths() { dbus-send --system --print-reply --dest="org.freedesktop.NetworkManager" "/org/freedesktop/NetworkManager" "org.freedesktop.NetworkManager.GetDevices" \ | grep "object path" | cut -d '"' -f2 } # get_device_property() { dbus-send --system --print-reply --dest="org.freedesktop.NetworkManager" "$1" "org.freedesktop.DBus.Properties.Get" string:"org.freedesktop.NetworkManager.Device" string:"$2" \ | grep variant | awk '{print $3}' } # get_device_type() { get_device_property "$1" "DeviceType" } # get_device_path_by_device_type() { device_path_by_device_type="/" for device_path in `get_devices_paths` do device_type=`get_device_type "$device_path"` [ "$device_type" = "$1" ] && device_path_by_device_type="$device_path" done echo "$device_path_by_device_type" } # # ####################### # ACTIVES CONNECTIONS # ####################### # get_actives_connections_paths() { dbus-send --system --print-reply --dest="org.freedesktop.NetworkManager" "/org/freedesktop/NetworkManager" "org.freedesktop.DBus.Properties.Get" string:"org.freedesktop.NetworkManager" string:"ActiveConnections" \ | grep "object path" | cut -d '"' -f2 } # get_last_active_connection_path() { get_actives_connections_paths | tail -n 1 } # get_parent_connection_path_by_device_type() { parent_connection_path="/" [ "$1" = 0 ] && parent_connection_path=`get_last_active_connection_path` echo "$parent_connection_path" } # get_active_connection_property() { dbus-send --system --print-reply --dest="org.freedesktop.NetworkManager" "$1" "org.freedesktop.DBus.Properties.Get" string:"org.freedesktop.NetworkManager.Connection.Active" string:"$2" \ | grep variant | awk -F '"' '{print $2}' } # get_active_connection_service() { get_active_connection_property "$1" "ServiceName" } # get_active_connection_path() { get_active_connection_property "$1" "Connection" } # get_active_connection_path_by_connection_path() { for active_connection_path in `get_actives_connections_paths` do service=`get_active_connection_service $active_connection_path` path=`get_active_connection_path $active_connection_path` [ "$service" = "$1" ] && [ "$path" = "$2" ] && echo "$active_connection_path" done } # print_actives_connections_ids() { for active_connection_path in `get_actives_connections_paths` do service=`get_active_connection_service $active_connection_path` path=`get_active_connection_path $active_connection_path` connection_settings=`get_connection_settings "$service" "$path"` connection_settings_id=`get_connection_id "$connection_settings"` echo "$connection_settings_id" done } # # ############## # START/STOP # ############## # start_connection() { my_connection_complete_path=`find_connection_path_everywhere "$1"` my_connection_settings=`get_connection_settings $my_connection_complete_path` my_connection_type=`get_connection_type "$my_connection_settings"` my_connection_device_type=`get_device_type_by_connection_type "$my_connection_type"` # my_connection_service=`echo $my_connection_complete_path | awk '{print $1}'` my_connection_path=`echo $my_connection_complete_path | awk '{print $2}'` my_connection_device_path=`get_device_path_by_device_type "$my_connection_device_type"` my_parent_connection_path=`get_parent_connection_path_by_device_type "$my_connection_device_type"` # echo "connection_service=$my_connection_service" echo "connection_path=$my_connection_path" echo "connection_device_path=$my_connection_device_path" echo "parent_connection_path=$my_parent_connection_path" # dbus-send --system --print-reply --dest="org.freedesktop.NetworkManager" /org/freedesktop/NetworkManager "org.freedesktop.NetworkManager.ActivateConnection" string:"$my_connection_service" objpath:"$my_connection_path" objpath:"$my_connection_device_path" objpath:"$my_parent_connection_path" } # stop_connection() { my_connection_complete_path=`find_connection_path_everywhere "$1"` my_active_connection_path=`get_active_connection_path_by_connection_path $my_connection_complete_path` # echo "active_connection_path=$my_active_connection_path" # dbus-send --system --print-reply --dest="org.freedesktop.NetworkManager" /org/freedesktop/NetworkManager "org.freedesktop.NetworkManager.DeactivateConnection" objpath:"$my_active_connection_path" } # # ######## # MAIN # ######## # invalid_arguments() { echo "Usage: `basename "$0"` connexion_name start|stop" echo "---Available Connections:" print_connections_ids_everywhere echo "---Active Connections:" print_actives_connections_ids exit 0 } # [ "$#" != 2 ] && invalid_arguments # case "$2" in "start") start_connection "$1" ;; "stop") stop_connection "$1" ;; *) invalid_arguments ;; esac

give it a name e.g. “vpn_connect”
copy it to /usr/local/bin
make it executable

sudo cp vpn_connect /usr/local/bin/ sudo chmod ugo+x /usr/local/bin/vpn_connect

now create another script in your home folder which will check if the VPN is connected and if not it will connect it. This script will monitor the VPN connection every 60 seconds and in case it finds it disconnected it will connect it again.

#!/bin/bash for (( ; ; )); do # creating ifinite loop tested=$(vpn|grep -c USA) # VPNNAME here is the name of desired vpn connection to monitor. The results can be: # 0 - this connection does not exist # 1 - connection exists, but not active # 2 - connection exists, and is active case $tested in "0") echo "something is wrong, cannot find desired connection in avaliable list" ;; "1") echo "VPN avaliable, but not connected" vpn_connect USA start ;; "2") echo "VPN seems to work" ;; esac # enter desired time between checks here. sleep 60 done

let’s call it startvpn
make this script executable

sudo chmod ugo+x startvpn or sudo chmod 777 startvpn

you can now put this in the startup applications (if using Desktop version of Ubuntu) or execute it on every reboot by having it in /etc/rc.local

The final part is to have the forwarding and enabled and the route defined. Assuming your VPN connection interface is ppp0.

create a script file with code below:

#!/bin/bash sleep 120 echo 1 >; /proc/sys/net/ipv4/ip_forward iptables -A POSTROUTING -t nat -s 192.168.100.0/24 -o ppp0 -j MASQUERADE iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

this script enables forwarding, routing (from 192.168.100.0/24 network) and make sure that MTUis set correctly otherwise routing does not work fully.

let us call the script as vpn_route
you can now have it run on every boot by copying this code to /etc/rc.local or copy the script file in /etc/init.d/ and then the following command

sudo update-rc.d /etc/init.d/vpn_route defaults

This will add this script to all run level rc folders and will execute it on each boot.

Also make sure that the ‘/proc/sys/net/ipv4/ip_forward’ has value of 1 in it

Now the VPN should auto connect on every boot, will be monitored for disconnection and reconnected in case of disconnection and the forwarding, routing and MTU settings will be applied on every reboot as well.

Enjoy VPN router out of a linux box.

note: help on codes came from various places but will mention these posts specially:

Script for VPN connection
Further script for VPN connection
VPN Connection Sharing forwarding and routing
MTU setting command which bugged me for a while when browsing was half working

General Unix

Setup OpenVPN on Ubuntu / Debian

June 9, 2011June 9, 2011
by Muhammad

this guide contains material from Debian Wiki site with contribution from Kevin Coyner

These notes cover the installation of openvpn on a Debian server and client. Once setup, all internet traffic, including browser traffic, from the client will travel via the VPN to the server. The server config write-up is first, followed by the client write-up further down the page.

This presumes you are not ethernet bridging.

Begin by installing openvpn on server

apt-get install openvpn udev openssl

Now you must create the keys needed by both server and client.

mkdir /etc/openvpn/easy-rsa cp -ai /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa cd /etc/openvpn/easy-rsa/ vi vars

In the vars file, edit the KEY_* entries at the bottom of the file, such as KEY_COUNTRY, KEY_ORG, KEY_EMAIL, etc. Next, source the vars file and then clean the directory.

. ./vars ./clean-all

Next build the certificates. For the ‘Common Name’ field, you can use anything to your liking. I used ‘OpenVPN-CA-AZEEM’. For the Certificate Authority (build-ca), use ’server’. For the client keys (build-key), use ‘client1′ or ‘client2′ or whatever you like, I used ‘client_azeem’.

./build-ca ./build-key-server server ./build-key client_azeem ./build-key client2

Generate the Diffie Hellman parameters for the server.

.build-dh

When this is done, you will have a number of files in the keys/ subdirectory. Copy the keys listed below to the server’s /etc/openvpn directory.

cd /etc/openvpn

cp easy-rsa/keys/ca.crt .
cp easy-rsa/keys/server.key .
cp easy-rsa/keys/server.crt .
cp easy-rsa/keys/dh1024.pem .

And copy the keys needed for the client either directly to the client via scp or to a USB disk. The files needed by the client are ca.crt, client_kevin.crt, and client_kevin.key (or whatever you named the files when you generated them with the build-key script).

create the openvpn server config file. Start with the example in the docs.

cd /etc/openvpn cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf .

Gunzip it if necessary then edit it. Here’s a simple but workable example:

# [server.conf] port 1194 proto udp dev tun ca /etc/openvpn/ca.crt cert /etc/openvpn/server.crt key /etc/openvpn/server.key dh /etc/openvpn/dh1024.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 202.107.105.13" push "dhcp-option DNS 202.108.107.21" keepalive 10 120 comp-lzo user nobody group nogroup persist-key persist-tun status openvpn-status.log verb 3

Note the entries for ‘push dhcp-option DNS’. These will be DNS servers that are accessible from your server. They will be pushed out to the client. Change them to your network’s DNS servers. I used 8.8.8.8 as the second one with my network’s router IP as the first DNS.

Now start the openvpn server with either of the following commands.

/etc/init.d/openvpn start or openvpn /etc/openvpn/server.conf

You will need to enable IP forwarding.

echo 1 > /proc/sys/net/ipv4/ip_forward

You can make this a permanent change by uncommenting the line:

net.ipv4.ip_forward = 1

in the file /etc/sysctl.conf.

You’ll also have to allow NAT forwarding through your firewall. This will most likely be accomplished with something like the following rule in iptables:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

This assumes you have set up your openvpn server with the IP 10.8.0.0 in the server.conf file as described above.

You can make this command permanent by creating a script file in

/etc/init.d/

I created my file as below:

vim /etc/init.d/iptables_openvpn.sh

the script file contains

#! /bin/sh iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

save the file and run following command

update-rc.d iptab_openvpn.sh defaults

also make the script file executable

chmod +x iptab_openvpn.sh

Don’t forget to open port 1194 on your firewall / router which protects your network where your OpenVPN server now sits.

You can now setup your favourite OpenVPN client. If you want to use OpenVPN client the settings are as below:

In the server config above, you created keys for the client, which you should have already copied from the server to the client’s directory at /etc/openvpn. This includes the ca.crt file.

Next you need a client.conf file, a sample of which is found in the docs.

cd /etc/openvpn cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf . vi client.conf

# [client.conf] client dev tun proto udp remote 66.32.272.181 1194 resolv-retry infinite nobind user nobody group nogroup persist-key persist-tun mute-replay-warnings ca /etc/openvpn/ca.crt cert /etc/openvpn/client_kevin.crt key /etc/openvpn/client_kevin.key ns-cert-type server comp-lzo verb 3 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf

Some obvious things: You’ll want to use your server’s IP for the remote entry. List your client keys and the server CA. Uncomment the user and group entries.

Not so obvious are the last two lines. These are the key to getting DNS to work correctly on the client. You should check the README.Debian in the openvpn docs, but basically you need to install the deb package resolvconf. Make sure you read the README for resolvconf, as it can potentially conflict with other DNS writing programs on your client.

The last two lines call the script update-resolv-conf, which should be in your /etc/openvpn directory. The script will use resolvconf, and the DNS settings of the openvpn server, to rewrite your client resolv.conf file.

To start openvpn on the client, issue the command:

openvpn --script-security 2 --config /etc/openvpn/client.conf &

You’ll need the –script-security setting to get the update-resolv-conf script to execute. You can place this setting in the client.conf file if you like.

Check your installation by pinging 10.8.0.1 from the client. You should successfully be pinging the server. Check it further by opening a browser and going to http://www.whatismyip.com. It should return the IP of the server, not the client. Note also that if you run the command ifconfig, you’ll see a new entry for tun0.

On both the server and the client, you can control whether your vpn is automatically started on machine startup by editing the AUTOSTART lines in the file /etc/default/openvpn.

another detailed guide including more details on iptables and dnsmasq is available here

Technology

Update to Karamic Koala

November 3, 2009November 3, 2009
by Muhammad

well… i wanted to update my home server to Ubuntu 9.10 from fresh but my existing install offered update… went ahead.. took 1.5 hrs and came back up perfectly fine…

its annoying… i wanted things to go wrong so that i could spend time learning doing something new…

perhaps i should clean it anyway and reinstall from scratch 🙂

May 2023
M	T	W	T	F	S	S
« Oct
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30	31

Tag: ubuntu

Use Linux (Debian/Ubuntu) as a VPN router

Setup OpenVPN on Ubuntu / Debian

Update to Karamic Koala