OpenVPN Termination on OpenWrt
On Friday, November 1, 2013 Labels: Cracking WEP with BackTrack, OpenVPN Termination on OpenWrt
OpenVPN Termination on OpenWrt
This page contains an overview on how to configure an OpenVPN client on a Linksys WRT54GS running OpenWrt.
Introductory Information
To secure the wireless network link between the WRT client and the remote access point, I chose to setup a VPN tunnel, and route all traffic from the network behind the WRT through this VPN tunnel.
OpenVPN was chosen, due to the availability of packages for OpenWrt and numerous other platforms, the security it provides, and the flexibilty and ease of configuration.
I chose to configure my linux router at the remote end as the OpenVPN server, with the OpenVPN client being the WRT.
Note that I'm using pre-shared keys, rather than SSL/TLS, as it simplifies the configuration.
As the subnet behind the WRT is houwels.sgnet.wafreenet, and it is connecting to the SGNet router, I prefix all OpenVPN configuration files with the name of the subnet, namely houwels.
Network Addressing
The following network addresses are used below:
10.60.68.16/29 client subnet behind WRT
10.60.68.17 LAN interface of WRT
10.60.68.18-22 client PCs behind WRT
10.60.68.232/30 client link between SGNet and WRT
10.60.68.233 virtual interface on SGNet router
10.60.68.234 WLAN interface of WRT
10.60.68.236/30 VPN link between SGNet and WRT
10.60.68.237 VPN end-point on SGNet router
10.60.68.238 VPN end-point on WRT
Substitute your own network addresses when implementing your own configuration.
Install & Configure OpenVPN Server
Install OpenVPN Server
I'm using an OpenVPN 2.0.5 server on a RedHat 9 linux box. Refer to the OpenVPN documentation for information on installing OpenVPN on RedHat and other linux distributions.
Create Static Key
On the linux router, create a pre-shared static key for the VPN link:
openvpn --genkey --secret /etc/openvpn/houwels_static.key
Create Configuration File
The OpenVPN configuration file (/etc/openvpn/houwels_openvpn.conf) on the SGNet linux router is similar to this:
# Use a dynamic tun device.
dev tun0
# 10.60.68.237 is our local VPN endpoint (SGNet).
# 10.60.68.238 is our remote VPN endpoint (WRT).
ifconfig 10.60.68.237 10.60.68.238
# up script will establish routes once the VPN is alive.
up ./houwels.up
# pre-shared static key
secret houwels_static.key
# OpenVPN uses UDP port 1194 by default.
# Each OpenVPN tunnel must use a different port number.
port 1194
# Downgrade UID and GID to "nobody" after initialization for extra security.
user nobody
group nobody
# use LZO compression.
comp-lzo
# More reliable detection when a system loses its connection.
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
# Silence the output of replay warnings, which are a common false
# alarm on WiFi networks. This option preserves the security of
# the replay protection code without the verbosity associated with
# warnings about duplicate packets.
mute-replay-warnings
# Verbosity level.
# 0 = quiet, 1 = mostly quiet, 3 = medium output, 9 = verbose
verb 3
Create Routing Script
OpenVPN can run a script when the VPN link is established. This is useful, as it allows you to add a route through the VPN tunnel.
On the SGNet router, I use the following script (/etc/openvpn/houwels.up) to add a route to the subnet behind the WRT (10.60.68.16/29):
#!/bin/bash
# add route to houwels network via VPN end-point of WRT
route add -net 10.60.68.16 netmask 255.255.255.248 gw $5
Note that the houwels.up script must be executable:
chmod 755 /etc/openvpn/houwels.up
Start OpenVPN
Once configured, start OpenVPN. On my RedHat linux router, it's simply a matter of running
/etc/init.d/openvpn start
and OpenVPN will parse each .conf file it finds in /etc/openvpn/, and start an OpenVPN daemon for each.
Install Components on OpenWrt
Install IPK Packages
Firstly, install the OpenVPN package and dependancies.
ipkg install openvpn
and ipkg will automatically install all required dependancies, including kmod-tun, liblzo, libopenssl, and of course the openvpn package.
The liblzo package provides libraries to support lzo compression for OpenVPN, the libssl package provides libraries for SSL encryption used by OpenVPN, and the kmod-tun package provides the TUN/TAP device driver kernel module required by OpenVPN.
Create Configuration Files
Firstly, create a directory for all OpenVPN configuration files on the WRT:
mkdir /etc/openvpn
Copy the previously created shared static key (houwels_static.key) from the linux router into /etc/openvpn on the WRT.
Create the configuration file for the OpenVPN link, /etc/openvpn/houwels_openvpn.conf:
# Use a dynamic tun device.
dev tun
# OpenVPN server is the SGNet router.
remote 10.60.68.233
# 10.60.68.238 is our local VPN endpoint (WRT).
# 10.60.68.237 is our remote VPN endpoint (SGNet).
ifconfig 10.60.68.238 10.60.68.237
# up script will establish routes once the VPN is alive.
up /etc/openvpn/houwels.up
# pre-shared static key
secret /etc/openvpn/houwels_static.key
# OpenVPN uses UDP port 1194 by default.
# Each OpenVPN tunnel must use a different port number.
port 1194
# Downgrade UID and GID to "nobody" after initialization for extra security.
user nobody
# use LZO compression.
comp-lzo
# More reliable detection when a system loses its connection.
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
# Verbosity level.
# 0 = quiet, 1 = mostly quiet, 3 = medium output, 9 = verbose
verb 3
Create a script /etc/openvpn/houwels.up to establish a default route through the VPN once it is active:
#!/bin/ash
# add default route through VPN tunnel
route add -net 0.0.0.0 netmask 0.0.0.0 gw $5
Once again, the houwels.up script must be executable:
chmod 755 /etc/openvpn/houwels.up
Using OpenVPN on OpenWrt
Start OpenVPN
Before OpenVPN can be started, the tun device driver needs to be loaded:
insmod tun
Note that this module will be automatically loaded by OpenWrt during a reboot, as installation of the OpenVPN ipkg has alreadycreated /etc/modules.d/20-tun.
Now manually start OpenVPN using:
openvpn --daemon --config /etc/openvpn/houwels_openvpn.conf
Test the VPN by trying to ping the remote end-point of the VPN tunnel.
If it's not working, increase the verbosity level in the configuration file, restart OpenVPN, and monitor the syslog to see why it might be failing to connect (use logread on OpenWrt, and monitor /var/log/messages on the linux router).
Configure OpenVPN to Auto-Start
To get OpenVPN to start each time the WRT is rebooted, create /etc/init.d/S65openvpn with the following contents:
#!/bin/sh
# start the VPN
openvpn --daemon --config /etc/openvpn/houwels_openvpn.conf --ifconfig-nowarn
and make the script executable:
chmod 755 /etc/init.d/S65openvpn
Completing Configuration
Firewall Script
Note that you'll need to modify the firewall script on the WRT to allow for the VPN tunnel.
I modified the firewall to only allow traffic through the VPN tunnel, and block all other non-VPN-ed traffic.
Performance Testing
Network Architecture
This WRT is connecting to an 802.11b Minitar MNWAPB access point, and hence is restricted to 802.11b 11Mbps speeds.
The throughput was measured by using wget to retrieve a 3MB file over the wireless link.
Initial tests were performed during setup, when the WRT was physically located close to the Minitar access point, so the WRT was associated to the Minitar with a link rate of 11Mbps. The tests were repeated once the WRT was installed at the client site, with similar results.
Throughput Without VPN
Throughput over the wireless link between the WRT and the Minitar was tested at approximately 600 kbytes/sec (ie, typical for an 802.11b wireless link).
Throughput With VPN
Once the VPN tunnel was established, and all traffic routed through it, the tests were repeated. Throughput dropped to approximately 300 kbytes/sec.
The major cause of this slow-down is the CPU in the WRT, as it needs to encrypt and decrypt all the traffic that is passing through the VPN tunnel. This can be observed by monitoring the CPU usage on the WRT while transferring large amounts of traffic through the VPN tunnel - the OpenVPN process consumes 99% of the CPU during this time.
The slow-down caused by the VPN tunnel is acceptable in the situation I'm using the WRT. If this isn't the case, the throughput of the VPN tunnel can be increased by moving the VPN termination from the WRT onto a faster device (ie, a linux router) behind the WRT.
No comments:
Post a Comment