OpenVPN to a VPS… Secure communications…

There are several potential benefits to setting up a VPN to your Asterisk server. All traffic is encrypted and you don’t need to open lots of ports in the firewall. Also there are no issues with SIP and NAT as traffic is routed over the VPN tunnel.

This is a pretty advanced setup but here is a walkthrough for setting up a VPS as an OpenVPN server and then connecting to it with a TP-LINK router running OpenWRT.

Specifically this router is used – http://www.tp-link.com/en/products/details/?model=TL-WR1043ND. I paid around £40 from Amazon, an absolute bargain for something that will run OpenWRT.

Setting up the router

First you need to flash OpenWRT on to the router. This replaces the original firmware. Here are some instructions for this TP-Link router – http://wiki.openwrt.org/toh/tp-link/tl-wr1043nd?s. I got version 18 of the router and flashed Backfire 10.03.1-rc6 version of OpenWRT.

Next the router was connected via the WAN port on the TP-LINK to my home network. The WAN side of your TP-LINK should be given an IP address from your network DHCP server. It will use this to connect to the Internet.

Now connect a PC to a LAN port using a network cable and you should be given an IP address in the range 192.168.1.0/24

Now make the following changes on the router using a web browser. This will install the OpenVPN software and assign a new IP address to the router. If you use a different subnet you will need to change some settings below to match –

  • Assign a password
  • Change the LAN network address to 10.10.10.1
  • set hostname to tplink1 or some other identifiable name, this is the CN name used later for creating the certs
  • In OpenWRT go to System / Software and click on Update Lists
  • Click Available Packages and install OpenVPN
  • Click System / Administration and enable SSH on the LAN interface
  • Click System / Startup and Enable and Start OpenVPN
  • Reboot the router

On the VPS

First we’re going to install OpenVPN. This will install from rpmforge, which is set up as standard –

yum install openvpn
cp -r /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/* /etc/openvpn/
chmod +x /etc/openvpn/*
cd /etc/openvpn

Now, if you’d like you can edit /etc/openvpn/vars and change the settings at the bottom to some sensible defaults. This is not required, but will make creating the certificates easier.

Next we’re going to set up some certificates for OpenVPN. You should run these commands one at a time and answer the questions that are asked –

. ./vars
./clean-all
./build-ca
./build-key-server server
./build-key tplink1

When Creating the tplink1 certs CN should be set to the hostname of the router, in this case tplink1 or some other identifiable hostname.

Now create a file called /etc/openvpn/server.conf with the following settings –

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.20.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 10.10.10.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

Now we’re going to tell OpenVPN to route traffic to our LAN behind the TP-LINK router –

mkdir ccd
echo “iroute 10.10.10.0 255.255.255.0” >> ccd/tplink1

Again tplink1 is the host name used by the router/CN in the certs.

Now fire up OpenVPN –

chkconfig openvpn on
service openvpn start

Next we need to allow the OpenVPN traffic through the local IPTables firewall –

iptables -I INPUT -i tun0 -j ACCEPT
iptables -I INPUT -p udp -m udp –dport 1194 -j ACCEPT
service iptables save

ON THE TP-LINK ROUTER VIA SSH

Next from your PC we’re going to SSH on to the TP-LINK router at 10.10.10.1 and run the following. This will copy the certificate files we created earlier to the router. X.X.X.X should be replaced with your VPS IP –

cd /etc/openvpn
scp X.X.X.X:/etc/openvpn/keys/ca.crt .
scp X.X.X.X:/etc/openvpn/keys/tplink1.key .
scp X.X.X.X:/etc/openvpn/keys/tplink1.crt .

Again tplink1 represents the hostname for the router/CN.

Now create a copy of the original OpenVPN config file –

cp /etc/config/openvpn /etc/config/openvpn.orig

Next we’re going to edit that file and change some settings from the default. These settings start half way down the file under the client configuration settings. Finally reboot the router –

vi /etc/config/openvpnoption enable 1 list remote “X.X.X.X 1194” option cert /etc/openvpn/tplink1.crtoption key /etc/openvpn/tplink1.keyreboot

ON THE TP-LINK ROUTER VIA THE WEB GUI

First we’re going to create a new interface that includes the tun interface created by OpenVPN

  • Network / Interfaces / Add New Interface
  • name – openvpn
  • protocol – unmanaged
  • interface – tun0

and now we’re going to allow traffic through the TP-LINK firewall to the VPN –

  • Network / Firewall / Zones / Add
  • Input / Output / Forward = Accept
  • Covered Networks = openvpn
  • Tick lan in Destination and Source zones

and now Reboot the router.

And we’re done!

If you used the settings above then VPS should be accessible on the IP address via the IP 10.20.0.1.

This is definitely not for the faint hearted as it’s pretty technical and could require some troubleshooting if things don’t work immediately.

Add more sites to this VPN

log on to the VPS or OpenVPN Server, and run to following:

cd /etc/openvpn/
source ./vars
./build-key <<HOSTNAME-OF-SITE>>

Then scp the new certs (/etc/openvpn/keys) to the router and follow the router part from above, and again that site will be able to ping the VPS.

 

Article source: http://bit.ly/JzemQg

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS
This entry was posted in Little Guides, Personal Projects, Usefully Found Stuff and tagged , , , . Bookmark the permalink.

Comments are closed.