OpenWrt Forum Archive

Topic: Howto: IPSec and OpenVPN

The content of this topic has been archived on 24 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

From my blog at https://robwicks.wordpress.com/2011/02/ … the-cheap/

Setting up a VPN Gateway on the Cheap
Filed under: computing, linux, security — Tags: Atheros, Broadcom, IKEv2, IP address, IPSec, linux, OpenVPN, Operating Systems, Security, Strongswan, Virtual private network — Robert Wicks @ 2:50 pm Edit This

    * OpenVPN Setup
    * IPSec Setup
    * Final Notes and Tips

I recently got a hand-me-down Trendnet TEW-652BRP router. The label on it indicates that it is version 1.1R. Doing a bit of research, it seems as if the one I have is actually identical to the TEW-632BRP, so I compiled OpenWRT for the TEW-632BRP, and it worked like a charm. The router uses an Atheros AR9130 rev2 chipset with a MIPS processor running at 400Mhz. It features wireless N in the 2.4GHz range, 4MB of flash, which is fairly typical, and 32MB of RAM, which is more than several I’ve seen. The processor is what intrigued me. It is well known that alternative, Linux-based firmwares exist for consumer routers, which can offer an array of new features. I have several compatible models myself. But most of the older Broadcom chipset models have fairly slow processors, so some applications, such as VPNs, perform only moderately well on them.

One of my favorite VPN products is OpenVPN. It performs well, and is simple to set up. A couple of years ago, an excellent analysis of the performance of OpenVPN on a consumer grade router was published. For most home connections, you will get plenty of throughput using either of the VPN solutions we will be setting up. In order to get this up and running, first you must flash the router to get rid of the firmware which came with it and replace it with something altogether more powerful: OpenWrt. Download the backfire image builder from the trunk. Support for this chipset is newer than the Broadcom chipsets in the original Linksys WRT-54G(L) and OpenWrt is under constant development, and the trunk build has run much better than the others on my router. The features I want really push the limits of the storage, so I had to just drop wifi support. Fortunately, I have other wireless routers which I can use for access points on my home network. So these directions are for a command-line-only, wired-access-only router and VPN endpoint. After you get the builder, run

“tar -jxvf OpenWrt-ImageBuilder-ar71xx-for-Linux-x86_64.tar.bz2;cd ??OpenWrt-ImageBuilder-ar71xx-for-Linux-x86_64?

After you get into the directory, run something like the make command below.

    make image PROFILE=”TEW632BRP” PACKAGES=”base-files busybox ddns-scripts dnsmasq dropbear firewall hotplug2 ip iptables iptables-mod-conntrack iptables-mod-conntrack-extra iptables-mod-filter iptables-mod-imq iptables-mod-ipopt iptables-mod-ipsec iptables-mod-nat iptables-mod-nat-extra kernel kmod-button-hotplug kmod-crypto-aes kmod-crypto-authenc kmod-crypto-core kmod-crypto-des kmod-crypto-hmac kmod-crypto-md5 kmod-crypto-sha1 kmod-input-core kmod-input-gpio-buttons kmod-input-polldev kmod-ipsec kmod-ipsec4 kmod-ipt-conntrack kmod-ipt-conntrack-extra kmod-ipt-core kmod-ipt-filter kmod-ipt-imq kmod-ipt-ipopt kmod-ipt-ipsec kmod-ipt-nat kmod-ipt-nat-extra kmod-ipt-nathelper kmod-iptunnel4 kmod-leds-gpio kmod-sched kmod-textsearch kmod-tun libc libgcc libgmp libiptc liblzo libnl-tiny libopenssl libpthread librt libuci libxtables mini-snmpd miniupnpd mtd openvpn opkg qos-scripts strongswan4 strongswan4-app-charon strongswan4-app-pluto strongswan4-mod-aes strongswan4-mod-attr strongswan4-mod-des strongswan4-mod-dnskey strongswan4-mod-fips-prf strongswan4-mod-gmp strongswan4-mod-hmac strongswan4-mod-kernel-netlink strongswan4-mod-md5 strongswan4-mod-pem strongswan4-mod-pgp strongswan4-mod-pkcs1 strongswan4-mod-pubkey strongswan4-mod-random strongswan4-mod-resolve strongswan4-mod-sha1 strongswan4-mod-sha2 strongswan4-mod-stroke strongswan4-mod-updown strongswan4-mod-x509 strongswan4-mod-xcbc strongswan4-utils tc uci udevtrigger -vsc7385-ucode-ap83 -vsc7385-ucode-pb44 -vsc7395-ucode-ap83 -vsc7395-ucode-pb44 zlib -kmod-ath9k -wpad-mini”

This will install Strongswan and OpenVPN, but, due to only have 4MB of flash storage to work with, will not install the web interface, so we will be doing everything from the command line. After the command above gives you your image, you will need to choose the appropriate one to flash your router. If you are going from the factory firmware, you need to use the recovery image, which, when I build it, is called “??openwrt-ar71xx-generic-tew-632brp-recovery-squashfs-factory.bin.”

You can then flash your firmware by unplugging it, holding down the reset button, plugging it in while the reset button is held down for about 10 seconds, then setting your computer’s IP address to 192.168.0.2 and browsing to 192.168.0.1. Upload the file and flash away. The router will eventually reboot and have an IP address of 192.168.1.1.

You can then set your computer’s IP address to 192.168.1.2 and telnet into 192.168.1.1. The router will allow you in with no password. You can issue the “passwd” command to set the root password, which I recommend. Once you do this, however, you will have to use SSH to log into the router, as telnet is disabled when the root password is set.
OpenVPN Setup

OpenVPN is a very easy to configure, cross-platform, open source VPN, and it now has wide support on third party firmwares such as OpenWRT, DD-WRT, and Tomato (but you will need either TomatoVPN or TomatoUSB). IPSec has the advantage of being a standard which can interoperate with a variety of devices and operating systems where OpenVPN is not available. I figure why not do both? We are going to use certificates to authenticate both of them, so with a bit of care, we can use the exact same certifcates and keys on our router for both services, saving us a little bit of storage. I did my certificate generation on Ubuntu 10.10, but you could use anything which runs OpenVPN and OpenSSL. On Ubuntu, run

    sudo apt-get install openvpn

After the installation completes, copy the entire /usr/share/doc/openvpn/examples/easy-rsa/2.0 directory into your home directory with

    cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 $HOME/

This will give you a “2.0? directory in your home directory. Cd into that directory, and edit the vars file so that it has your organization and personalized information (this is optional). Then edit the openssl.cnf file. You will modify it so that the certificates it generates will be suitable for both OpenVPN and Windows 7?s implementation of IPSec. Go to line 196 in the file, the extendedKeyUsage line. You will also add a new line after this one. Together, they read:

    extendedKeyUsage=clientAuth, serverAuth, 1.3.6.1.5.5.8.2.2
    subjectAltName=DNS:Your.Internet.DNS.Hostname

In place of Your.Internet.DNS.Hostname, put your computer’s hostname. If you are on a home Internet connection, you should use one of the dynamic DNS providers such as DynDNS.com. These lines will enable the Windows 7 IKEv2 VPN client to work with StrongSwan. Be sure to follow the directions here. You can then run the following commands.

    . ./vars
    ./build-dh
    ./build-ca
    ./build-key-server Your.Internet.DNS.Hostname
    ./build-key-pkcs12 client1

As before, replace the Your.Internet.DNS.Hostname with your Internet hostname. One of the good things about the build-key-pkcs12 script is that it generates everything you will need for OpenVPN clients on both Windows and Linux. You will find client1.key, client1.csr, client1.crt, and client1.p12 under the keys directory after running the last command. You will also see files with the same extensions (except the p12 file) prefixed by your Internet hostname. Those files will be installed on your OpenWRT VPN endpoint. The client1 files will be installed on your laptop (or whatever will be connecting into your VPN endpoint). First, we need to copy the server keys we generated into the appropriate places. We will use the default paths for StrongSwan, but OpenVPN will also use them. Run:

    scp keys/Your.Internet.DNS.Hostname.crt root@:/etc/ipsec.d/certs/Your.Internet.DNS.Hostname.crt

    scp keys/Your.Internet.DNS.Hostname.key root@:/etc/ipsec.d/certs/Your.Internet.DNS.Hostname.key

    scp keys/ca.crt root@:/etc/ipsec.d/cacerts/ca.crt

    scp keys/dh1024.pem root@:/etc/openvpn/

SSH into your OpenWRT router and run:

    vi /etc/openvpn/my-vpn.conf

This will create the configuration file you will use, which you will fill with something like this:

    daemon
    server 10.10.10.0 255.255.255.0
    proto udp
    port 1194
    dev tun0
    comp-lzo adaptive
    keepalive 15 60
    verb 2
    push “route 192.168.0.0 255.255.255.0?
    ca /etc/ipsec.d/cacerts/ca.crt
    dh /etc/openvpn/dh1024.pem
    cert /etc/ipsec.d/certs/Your.Internet.DNS.Hostname.crt
    key /etc/ipsec.d/private/Your.Internet.DNS.Hostname.key
    ??tls-auth /etc/openvpn/ta.key 0

You should customize the route to reflect the IP scheme of your internal network. You can also alter the server line to any arbitrary private network. Finally, you can change your port to something other than 1194. Notice that the last line refers to a file, ta.key, which we have not yet created. We can do that on the router itself with the command:

    openvpn –genkey –secret /etc/openvpn/ta.key

Adding this to your OpenVPN configuration will defend against port scanning and DOS attacks. You will need to copy this file to your laptop as well. Your laptop’s OpenVPN configuration will contain something like this:

    client
    dev tun
    proto udp
    remote Your.Internet.DNS.Hostname 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /etc/ipsec.d/cacerts/ca.crt
    dh /etc/openvpn/dh1024.pem
    cert /etc/ipsec.d/certs/Your.Internet.DNS.Hostname.crt
    key /etc/ipsec.d/private/Your.Internet.DNS.Hostname.key
    tls-auth ta.key 1
    comp-lzo
    verb 3

You now have a working OpenVPN configuration, but you still need to modify your firewall rules to allow traffic through. Run

    vi /etc/config/firewall

Add the following lines to the end:

    config ‘rule’

        option ‘src’ ‘wan’
        option ‘target’ ‘ACCEPT’
        option ‘proto’ ‘udp’
        option ‘dest_port’ ’1194?

Save the file. This will configure your firewall to accept inbound OpenVPN traffic. In order to pass the tunneled packets through, we edit the firewall.user file:

    vi /etc/firewall.user

Add the following lines to that file:

    /usr/sbin/iptables -I INPUT -i tun+ -j ACCEPT
    /usr/sbin/iptables -I FORWARD -i tun+ -j ACCEPT

This will allow your VPN to work. Just reboot the router and OpenVPN should work. Now, let’s get to IPSec.
IPSec Setup

IPSec is actually more difficult to configure than OpenVPN, but, being a cross-platform standard, and enjoying kernel-level support, is still a nice feature to have on an Internet gateway. The crypto files have already been put in place, so we just need to edit the configuration. Run:

    vi /etc/ipsec.conf

Modify the files so that it contains:

    config setup

        strictcrlpolicy=no
        nat_traversal=yes
        charondebug=all

    conn %default

        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

    conn nat-t

        authby=rsasig
        leftfirewall=yes
        left=%defaultroute
        leftcert=Your.Internet.DNS.Hostname.crt
        rightsourceip=10.8.8.0/24
        leftsubnet=192.168.0.0/24
        right=%any
        auto=add

Edit your /etc/ipsec.secrets file and fill it with:

    : RSA Your.Internet.DNS.Hostname.key

Now, we allow the appropriate connections to the firewall. Edit the /etc/config/firewall file and add:

    config ‘rule’

        option ‘src’ ‘wan’
        option ‘proto’ ‘esp’
        option ‘target’ ‘ACCEPT’

    config ‘rule’

        option ‘src’ ‘wan’
        option ‘proto’ ‘udp’
        option ‘dest_port’ ’500?
        option ‘target’ ‘ACCEPT’

    config ‘rule’

        option ‘src’ ‘wan’
        option ‘proto’ ‘udp’
        option ‘dest_port’ ’4500?
        option ‘target’ ‘ACCEPT’

    config ‘rule’

        option ‘src’ ‘wan’
        option ‘proto’ ‘ah’
        option ‘target’ ‘ACCEPT’

Finally, add the following to /etc/firewall.user to enable all the traffic to pass, even to the OpenWRT router itself:

    /usr/sbin/iptables -I INPUT  -m policy –dir in –pol ipsec –proto esp -j ACCEPT
    /usr/sbin/iptables -I FORWARD  -m policy –dir in –pol ipsec –proto esp -j ACCEPT
    /usr/sbin/iptables -I FORWARD  -m policy –dir out –pol ipsec –proto esp -j ACCEPT
    /usr/sbin/iptables -I OUTPUT   -m policy –dir out –pol ipsec –proto esp -j ACCEPT

    This gives full access to all the tunneled traffic. On a Windows 7 client, you can follow this guide. Note that you will have to manually add the route for your home network on Windows 7, due to the limitations of the Agile VPN client. I run a command prompt as administrator and run

    route add 192.168.0.0 mask 255.255.255.0 10.8.8.1

after I connect. Traffic then passes. Things are much easier if you are using StrongSwan as the client. Just edit the /etc/ipsec.conf file on your Linux laptop client to contain the following:

    config setup

        charondebug=all
        nat_traversal=yes
        charonstart=yes
        plutostart=yes

    conn roadwarrior

        left=%defaultroute
        leftcert=client1.crt
        leftfirewall=yes
        leftauth=rsasig
        leftsourceip=%modeconfig
        right=Your.Internet.DNS.Hostname
        rightcert=Your.Internet.DNS.Hostname.crt
        keyexchange=ikev2
        rightsubnet=192.168.0.0/24
        auto=add

As you can see, you will be copying your router cert (and only the cert, not the private key) to your client. You will also copy your client1 key and cert. In a similar manner to the router, your /etc/ipsec.secrets file will contain

    : RSA client1.key

You can read more on the Strongswan client configuration here. Once you have Strongswan configured, you can start ipsec, then issue

    ipsec up roadwarrior

to start the tunnel.
Final Notes and Tips

Be sure to look at the various documentation pages for OpenWRT, OpenVPN, and Strongswan. They have a lot of very useful information. One of the nice things you can do when you have your VPN setup working fully is completely disable all other remote access to your network. You can make your router invisible on the Internet, yet still allow full access to your home resources. With more powerful routers, especially ones with more storage, you can add useful packages to allow full SNMP support, traffic monitoring, the GUI interface, or port knocking.

If you have any questions, please post them in the comments or email me.

I have a Question: why didn't you write a howtobuild?

1. We already have a general
http://wiki.openwrt.org/doc/howto/firmware.compile
http://wiki.openwrt.org/doc/howto/firmware.build

Then, we have some examples:   http://wiki.openwrt.org/doc/start#build.howtos

The benefit should be obvious. It is found easier there, then here. You can crosslink more, since we try to make and keep the wiki modular. That way, we do not have to explain stuff over and over again ;-)  Also, other people could improve your HowTo.

I am hoping that the wiki-articles will provide beginners with some solid help to get started _fast._

Thanks for the tip. I'll take a look and see what I can put together for the wiki. I had not even thought about it, actually.

I am glad to hear that. As you can see here: http://wiki.openwrt.org/meta/start#structure

The howtos are for stuff you could do after flashing (installing), whereas the howtobuilds for stuff before you have an image.

If you should want to write a howto instead of a howtobuild, I hope you don't miss this:  http://wiki.openwrt.org/doc/howto/vpn.overview

I've been circling around this issue for a while, but I am too lazy to write an actual article ;-) I am not even sure if this is necessary, because there already is so much stuff about that on the net. For me, what I've found so far, is not compact enough ;-) We will also need some real life benchmarks, to see how the CPUs really perform. My Wr1043ND handles scp from a etx3 harddisc with 1,7MiB/s, so it should handle VPN traffic in a similar way. Has anyone set up a VPN server on such an embedded device and connected with multiple clients to it, simultaneously, transmitting data?

If my friends and I want to play some game online but in a VPN for example. Or is hamachi better, since the load is handled on the desktop pc, which has very much more power then my router?

The discussion might have continued from here.