WiFi-to: How to connect to CisarNet WiFi via VPN with a Linux computer

From C.I.S.A.R. RadioWiki.

WiFi-to: HOW TO CONNECT TO AN OPENVPN ACCESS SERVER FROM A LINUX COMPUTER.

[Gustavo I0OJJ – November 2011]

Description

OpenVPN (VPN = Virtual Private Network) is a robust and highly flexible VPN daemon which supports SSL/TLS security, Ethernet bridging, TCP or UDP tunnel transport through proxies or NAT, dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms.

OpenVPN is tightly bound to the OpenSSL library and derives much of its cryptographic capability from it: it supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client and server certificates. OpenVPN also supports non-encrypted TCP/UDP tunnels.

It is a free and open source software application written by James Yonan and is published under the GNU General Public License (GPL).

The CisarNet WiFi server center

The CisarNet WiFi center is used in a multi-client/server configuration, which allows the server to issue an authentication certificate for every client, signed by its Certificate Authority.

It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features. Furthermore, it is set up to work with the TAP virtual networking interfaces that exist on many platforms and with the other hardware already employed in the growing CisarNet project.

How to access the CisarNet WiFi server center

To connect to the access server from a Linux client computer you need to carry out the following steps:

1. Install an OpenVPN client for Linux

2. Obtain from the CisarNet WiFi administrator the client configuration file, typically named 'client.ovpn' (filled in according to the server setup), and the related security certificates

3. Run the OpenVPN client using the aforementioned configuration files.

Installing an OpenVPN client

Usually, the easiest way to install an OpenVPN client is to use the package management system provided by your specific Linux/Unix distribution.

For example, on Fedora/CentOS/RedHat distributions, run the following command (as root):

yum install openvpn

On Debian/Ubuntu distributions, run the following command (as root):

apt-get install openvpn

... and then follow your distribution's particular setup procedure.

Installation procedures at I0OJJ site

Since I am currently running a Slackware Linux 10.1 distribution, there is no ready-to-use 'openvpn' package, so the program must be compiled from the source package.

At the time of this writing I found the newest package, openvpn-2.2.1.tar.gz (Jul 01, 2011), ready to be downloaded at 'http://openvpn.net/index.php/open-source/download.html'

Compiling procedures

Copy the just-downloaded archive into your preferred directory, e.g. /usr/local/src, and then run:

tar xvfzp openvpn-2.2.1.tar.gz

which creates the openvpn-2.2.1 directory; then 'cd' into that directory and run

./configure --disable-lzo

(the --disable-lzo switch is used because the CisarNet WiFi server doesn't use 'lzo' compression), followed by

make

...and if everything went OK we obtain the 'openvpn' executable.

Installing and running the openvpn client (a Spartan way)

A few days ago Renzo IW0SAB announced the OpenVPN certificate setup, and in the meantime I received from Paolo IK0PCJ the config file and the RSA certificates for accessing the CisarNet WiFi server located in Gubbio (Italy).

"Keep it simple to be efficient" is one of my mottoes, so, since I use the classical 'tty' console for 95% of my Linux work, every setup was tested using only the command-line procedure.

Furthermore, since openvpn offers hundreds of switches/commands, it is highly configurable according to one's particular needs.

Files were organized into the '/home/openvpn' directory according to the following tree:

/home/openvpn
|-- ca.crt
|-- client1.crt
|-- client1.key
|-- client.ovpn
|-- openvpn
|-- openvpn.hlp
`-- README.txt

and then set up the startup command line at the end of the 'rc.local' file as follows:

#!/bin/sh
#
# rc.local (Nov 11, 2011)
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
…
sleep 1
# Start the OpenVPN client from its own directory, so that the relative
# file names used in client.ovpn (ca.crt, client1.crt, client1.key) resolve.
cd /home/openvpn
sleep 1
./openvpn --config client.ovpn --script-security 2 --log /var/log/openvpn \
    --daemon

In particular:

the --daemon switch makes the application run in the background;
the --log /var/log/openvpn switch makes openvpn write its log to the file
/var/log/openvpn;
the --script-security 2 switch allows openvpn to call built-in executables (ifconfig, route) and any user-defined scripts named in the configuration file, which is one more reason to take 'client.ovpn' only from the CisarNet WiFi administrator.

Final results

If everything went OK you get the 'tap0' kernel interface, which can be easily verified by giving the 'ifconfig' command (as in the following example):

ax0       Link encap:AMPR AX.25 HWaddr I0OJJ-10
          inet addr:44.134.32.241 Bcast:44.255.255.255 Mask:255.0.0.0
          UP BROADCAST RUNNING MTU:256 Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:12 (12.0 b) TX bytes:0 (0.0 b)

ax1       Link encap:AMPR AX.25 HWaddr IR0FRX
          inet addr:44.134.32.242 Bcast:44.255.255.255 Mask:255.0.0.0
          UP BROADCAST RUNNING MTU:256 Metric:1
          RX packets:199 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:15862 (15.4 Kb) TX bytes:3614 (3.5 Kb)

ax2       Link encap:AMPR AX.25 HWaddr IR0FRT-2
          inet addr:44.134.32.243 Bcast:44.255.255.255 Mask:255.0.0.0
          UP BROADCAST RUNNING MTU:256 Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:108 (108.0 b) TX bytes:348 (348.0 b)

ax3       Link encap:AMPR AX.25 HWaddr IR0JW-5
          inet addr:44.134.32.244 Bcast:44.255.255.255 Mask:255.0.0.0
          UP BROADCAST RUNNING MTU:256 Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:288 (288.0 b) TX bytes:366 (366.0 b)

eth0      Link encap:Ethernet HWaddr 00:00:B4:AA:E0:6E
          inet addr:192.168.1.105 Bcast:192.168.1.255 Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:4560 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4778 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:858168 (838.0 Kb) TX bytes:544249 (531.4 Kb)
          Interrupt:5 Base address:0x4000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:591 errors:0 dropped:0 overruns:0 frame:0
          TX packets:591 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:51115 (49.9 Kb) TX bytes:51115 (49.9 Kb)

sl0       Link encap:Serial Line IP
          inet addr:192.168.1.100 P-t-P:44.134.33.71 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:236 Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:754 (754.0 b) TX bytes:946 (946.0 b)

tap0      Link encap:Ethernet HWaddr 00:FF:2B:22:19:DF
          inet addr:10.254.44.4 Bcast:10.254.44.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:2658 errors:0 dropped:0 overruns:0 frame:0
          TX packets:101 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:284465 (277.7 Kb) TX bytes:7433 (7.2 Kb)

tun0      Link encap:Point-to-Point Protocol
          inet addr:192.168.1.100 P-t-P:192.168.1.113 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:256 Metric:1
          RX packets:126 errors:0 dropped:0 overruns:0 frame:0
          TX packets:460 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:8046 (7.8 Kb) TX bytes:63245 (61.7 Kb)

The 'route' command will show the 'tap0' kernel interface bound to the 10.0.0.0 CisarNet WiFi network (via the 10.254.44.1 gateway) as follows:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.113   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
44.134.32.233   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
44.134.33.71    0.0.0.0         255.255.255.255 UH    0      0        0 sl0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.254.44.0     0.0.0.0         255.255.255.0   U     0      0        0 tap0
10.0.0.0        10.254.44.1     255.0.0.0       UG    0      0        0 tap0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
44.0.0.0        10.254.44.1     255.0.0.0       UG    0      0        0 tap0
44.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 ax0
44.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 ax1
44.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 ax2
44.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 ax3
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
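Two small checks, added here as an example and not part of the original page, that go with the '/home/openvpn' layout and rc.local start-up above and with the route table just shown: the first verifies, before openvpn is started, that the ca/cert/key files named in 'client.ovpn' exist and that the private key is readable only by its owner (and lists any script directives that --script-security 2 would let the root-run daemon execute); the second reads 'route -n' output and confirms that the 10.0.0.0 network is routed via 10.254.44.1 on tap0. The function names are hypothetical; GNU stat (as on Linux) is assumed.

```shell
#!/bin/sh
# Hypothetical helper checks for the OpenVPN client setup described on this
# page (added example; directory, file names and addresses come from the page).

# check_openvpn_dir DIR CONF: every ca/cert/key directive in CONF must name a
# file that exists in DIR (openvpn is started after 'cd DIR', so the config
# uses relative names), and the private key must be mode 0600 or 0400.
# Returns 0 when all checks pass, 1 otherwise; problems go to stderr.
check_openvpn_dir() {
    dir=$1; conf=$2; rc=0
    [ -f "$dir/$conf" ] || { echo "missing config $dir/$conf" >&2; return 1; }
    for directive in ca cert key; do
        f=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$dir/$conf")
        if [ -z "$f" ]; then
            echo "config has no '$directive' directive" >&2; rc=1
        elif [ ! -f "$dir/$f" ]; then
            echo "'$directive' file $dir/$f not found" >&2; rc=1
        elif [ "$directive" = key ]; then
            mode=$(stat -c %a "$dir/$f")    # GNU stat: octal permission bits
            case $mode in
                600|400) ;;
                *) echo "key $dir/$f has mode $mode, expected 600" >&2; rc=1 ;;
            esac
        fi
    done
    # With --script-security 2 any script named by these directives is run by
    # the daemon (started as root from rc.local), so list them for review.
    awk '$1 ~ /^(up|down|route-up|route-pre-down|ipchange|tls-verify)$/ { print "script directive: " $0 }' "$dir/$conf" >&2
    return $rc
}

# check_vpn_route NET GW DEV: read 'route -n' output on stdin and succeed only
# if NET is routed via gateway GW on interface DEV, e.g.
#   route -n | check_vpn_route 10.0.0.0 10.254.44.1 tap0
check_vpn_route() {
    awk -v net="$1" -v gw="$2" -v dev="$3" \
        '$1 == net && $2 == gw && $NF == dev { found = 1 } END { exit !found }'
}
```

Running check_openvpn_dir /home/openvpn client.ovpn from rc.local just before the openvpn line, and aborting on a non-zero return, keeps a mis-copied or world-readable key from silently going into use.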

Any comments/help requests may be addressed to: g.ponza [at] tin.it … good luck!
