Step 6: Configuring and installing the Access Points
This is the “boring” part of the whole job. You need to configure each Access Point as exactly that, an Access Point. Assign a management IP to each one of them and select a VERY VERY difficult password. Write it down though! Next, disable any DHCP servers on the APs and also disable any WEP or WPA encryption. This way any client within range can connect to it, basically. At this point they won't get anywhere though. Connect one AP via the patch cable to the switch where your server is connected. Then connect with any laptop to the AP and see if you get an IP. If you do, ping the OpenVPN server. If you get a reply you are set and can install the other APs as well; if not, something needs to be re-checked :).

Step 7: make the route changes (LAN router)
In order for your wireless clients to be able to use the LAN, the LAN needs to know about the new VPN network you just spent so much time creating. So, you need to add a route entry on your main corporate ROUTER to route all traffic going to the VPN network (192.168.1.0) to 172.10.1.45 (the OpenVPN server). The OpenVPN server will handle the routing to and from the VPN network, but your LAN router needs to know where that network is located. Adding a route to the main router solves this problem, as the main router then knows where to send the packets.

Step 8: Configuring the Client (OpenVPN)
The good part about OpenVPN is that the client and server configuration files differ VERY little from each other, as you can see by looking at the client config below. The client configuration file needs to be copied to each client. This is always “the same” file; the only thing you need to change for each client is the names of the certificate files. For this example we will install and configure 2 client software packages: Tunnelblick for Mac OS X and OpenVPN GUI for Windows. At this point you should temporarily enable IP forwarding on the OpenVPN server with a simple command:

echo 1 > /proc/sys/net/ipv4/ip_forward

The reason I say temporarily is that your server is not yet fully secured, but you need to test all of this first. So enable it now and disable it again with

echo 0 > /proc/sys/net/ipv4/ip_forward

when you are done.

Tunnelblick: install Tunnelblick by downloading it from HERE and installing it as you would any Mac software. Once installed you probably have to restart, or at least it's beneficial. Now, create a directory in the user's home directory called openvpn and copy 5 files from the server's KEYS directory into it: the 3 files that start with the user's name, the ta.key file and the dh1024.pem file. You also need the client config with the certificate names filled in correctly. HINT: copy the 3 user files to the client computer and then rename them to something like vpn.pem, vpn.crt etc. This way all users will have the same file names on their machines, and you can use a single client config that never needs to be changed. However, on the server you still have the certificate files under the users' names.

OpenVPNGUI: The OpenVPN GUI can be found HERE and the installation instructions included are more than enough and don't need to be repeated. BUT the great thing about the OpenVPN GUI for Windows is that they include instructions to make a complete package that the admin can just install and that's it, configuration included, just the certificate missing. The how-to on this is here.
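The renaming trick in the Tunnelblick HINT and the ready-made package idea for Windows amount to the same thing: a per-user bundle that carries a user's certificate and key under generic names next to one shared client config. Here is an added POSIX shell example (not part of the original how-to) that builds such a bundle from the server's keys directory; the function name make_client_bundle and the sample user alice are assumptions.

```shell
#!/bin/sh
# Added example (not from the original how-to): build a per-user client
# bundle in which the user's certificate and key get the generic names
# vpn.crt / vpn.key referenced by the single shared client config.
# Usage: make_client_bundle <server keys dir> <user> <client.conf> <out dir>
make_client_bundle() {
    keys_dir=$1; user=$2; client_conf=$3; out_dir=$4

    # Refuse to build a bundle if anything the client config references
    # is missing. The user's .csr also sits in the keys dir but the client
    # never reads it, so it is not copied.
    for f in ca.crt "$user.crt" "$user.key" ta.key dh1024.pem; do
        if [ ! -f "$keys_dir/$f" ]; then
            echo "missing $keys_dir/$f" >&2
            return 1
        fi
    done

    mkdir -p "$out_dir"
    cp "$keys_dir/ca.crt"     "$out_dir/ca.crt"
    cp "$keys_dir/$user.crt"  "$out_dir/vpn.crt"    # renamed: same on every client
    cp "$keys_dir/$user.key"  "$out_dir/vpn.key"
    cp "$keys_dir/ta.key"     "$out_dir/ta.key"
    cp "$keys_dir/dh1024.pem" "$out_dir/dh1024.pem"
    cp "$client_conf"         "$out_dir/client.conf"

    # Private material readable by its owner only; a comment in the config
    # records which user the bundle was cut for, since the file names no
    # longer say so.
    chmod 600 "$out_dir/vpn.key" "$out_dir/ta.key"
    printf '# bundle built for user %s\n' "$user" >> "$out_dir/client.conf"
}

# Constructed demo: a fake keys directory with placeholder contents
# standing in for the server's easy-rsa output (not real key material).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/keys"
for f in ca.crt alice.crt alice.key alice.csr ta.key dh1024.pem; do
    echo "placeholder $f" > "$demo_dir/keys/$f"
done
echo "client" > "$demo_dir/client.conf"
make_client_bundle "$demo_dir/keys" alice "$demo_dir/client.conf" "$demo_dir/bundle-alice"
ls -l "$demo_dir/bundle-alice"
```

Point the script at the real keys directory and the client config from this page, then hand the resulting directory to the user as the openvpn folder (or feed it to the Windows package build).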

The client config is the same on any operating system, and once you start either Tunnelblick or OpenVPN GUI you should be able to browse the LAN and access network resources in your corporate LAN. The client config for this how-to is shown below:

OpenVPN client config

# Act as a TLS client and pull the settings the server pushes.
client

# Address and port of the OpenVPN server as seen from the wireless
# side. The values below are placeholders: they must match the
# port and proto the server config listens on.
remote <openvpn-server-address> <port>

# TCP or UDP server?
proto tcp

# "dev tun" will create a routed IP tunnel, which is what we want
dev tun

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.

ca ca.crt
cert vpn.crt
key vpn.key # This file should be kept secret

# Diffie hellman parameters.
dh dh1024.pem

# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
# ta.key sits in the same openvpn directory as the
# other four files copied from the server.
tls-auth ta.key 1 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES

# Enable compression on the VPN link.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 250

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
user nobody
group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

log-append openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
mute 20
