Tag Archives: DD-WRT

OpenVPN over SSH

Prelude

I’ve recently moved to Barcelona to continue my Computer Science studies on UB. First thing I noticed walking into the University building was my mobile happily notifying me that it has found a known network. Ah, of course: eduroam. My Slovenian eduroam account from University of Ljubljana should be valid throughout Europe for accessing the eduroam wireless network. And indeed it is. Nice.

Troubles on the horizon

Alas … there is a downside. Apparently the IT dept at UB is filtering OpenVPN and IPsec traffic. I’m soo used to having these that I feel “naked” using a public network without encrypting all my communications.

Now wait a minute, what do I see here, SSH traffic goes through without problems? If SSH goes through, then it should possible to tunnel basically anything through it. Even an OpenVPN tunnel. Yep, tunneling a tunnel over a tunnel, that’s the idea :).

The solution

After some fiddling around, this is how I did it (referencing my original setup):

  1. Find a server somewhere on the net you can SSH to, so you can setup a SOCKS proxy:

    $ ssh <some_IP_on_the_net> -D 6666
    
  2. Change protocol in OpenVPN’s server.conf to use TCP rather than UDP. Normally, using UDP is better, but if you want tunneling over SOCKS, you need TCP:

    proto tcp
    
  3. Change protocol in OpenVPN’s iptables config:

    iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
    
  4. Now modify the client.conf to use TCP and to use SOCKS proxy:

    proto tcp
    socks-proxy 127.0.0.1 6666
    route <some_IP_on_the_net> 255.255.255.255 net_gateway
    

Notice the last line: it adds a specific rule to route traffic to your SSH server directly and not through OpenVPN. This keeps the SOCKS proxy alive and kicking. All other traffic is still routed through OpenVPN tunnel to keep your communications safe.

DD-WRT + Tunnelblick = OpenVPN

Debating about VPNs on the Sauna Sprint, sprinters convinced me that we should use VPN for remote access to our internal services in our office. And for an extra layer of security when using public networks. So here it goes.

Certificates

I didn’t want to install openssl and openvpn on my Macbook just so I could generate access certificates. Luckily, Rackspace Cloud instance with Ubuntu was only 2 minutes away. From there on I just followed the tutorial on creating certificates.

OpenVPN server

Since we already have a Linksys WRT54G router running DD-WRT firmware it was an obvious decision to just use this piece of hardware to act as an OpenVPN server. Off to the DD-WRT download page and grab the package that also has OpenVPN support (dd-wrt.v24_vpn_generic.bin). Quick flash of the router’s firmware and we are set.

  1. Enable OpenVPN server in Services and set it’s Start type to WAN Up.
  2. Paste in certificates created in advance on a Ubuntu cloud instance.
  3. Paste in OpenVPN server config (find it below).
  4. Configure iptables by going to Administration -> Commands, pasting in iptables config (find it below) and clicking save firewall.
  5. Reboot router.

Tunnelblick OpenVPN client

For OS X users the recommended application for using OpenVPN is Tunnelblick.

1. Go to Tunnelblick’s website, download Tunnelblick 3.0 application and install it.

2. Run Tunnelblick. Click install and edit sample configuration file and paste into it client configuration (find it below).

3. In this configuration, find SSL/TLS parms. and replace text bob with a name you used in the first step when creating certificates (same as filename of certificates).

4. Use Terminal to add certificate keys to your Tunnelblick configuration (keys created on Ubuntu cloud instance), again replacing bob in filename.

  • nano ~/Library/Application\ Support/Tunnelblick/Configurations/ca.crt
  • nano ~/Library/Application\ Support/Tunnelblick/Configurations/bob.crt
  • nano ~/Library/Application\ Support/Tunnelblick/Configurations/bob.key

Now you are ready to use your VPN. Click on Tunnelblick icon next to current time in the top-right corner of your screen and select connect ‘openvpn’. All your traffic should now be routed through a secure tunnel to your office.

Confirm this by visiting http://whatismyip.com. The IP displayed should be your office’s IP, meaning you are accessing internet through a tunnel from your office. Hooray!

Config files

OpenVpn server config

push "route 192.168.1.0 255.255.255.0"
server 192.168.2.0 255.255.255.0

dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

# management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port
# port must be 5001 for scripts embedded in firmware to work
management localhost 5001

iptables config

# enable tunnel
iptables -I INPUT 1 -p udp –dport 1194 -j ACCEPT
iptables -I FORWARD 1 –source 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
# NAT the VPN client traffic to the internet
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE

Tunnelblick config

# Specify that we are a client and that we will be pulling certain config file directives from the server.
client

# Use the same setting as you are using on the server.
# On most systems, the VPN will not function unless you partially or fully disable the firewall for the TUN/TAP interface.
dev tun0

# Are we connecting to a TCP or # UDP server?  Use the same setting as on the server.
proto udp

# The hostname/IP and port of the server.
remote <your office IP> 1194

# Keep trying indefinitely to resolve the host name of the OpenVPN server.  
# Very useful on machines which are not permanently connected to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
# NOTE: this cause problems with reverting to default route once VPN is disconnected
# user nobody
# group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# Wireless networks often produce a lot of duplicate packets.  Set this flag to silence duplicate packet warnings.
mute-replay-warnings

# SSL/TLS parms.
ca ca.crt
cert bob.crt
key bob.key

# Enable compression on the VPN link. Don't enable this unless it is also enabled in the server config file.
;comp-lzo

# Set log file verbosity.
verb 3

# from wiki
remote-cert-tls server
float

# route all traffic through VPN
redirect-gateway def1
dhcp-option DNS <your ISP's primary DNS IP>
dhcp-option DNS <your ISP's secondary DNS IP>