Firstly let me just say thank you to everyone who’s been reading! 3 days and 8,330 hits! I really didn’t know so many people cared about what I have to say!
(In the time it took me to write this article my hits jumped up to 11,114 hits! Holy crap!)
So coming back to my previous post:
After getting everything working properly with routing set between interfaces, we can utilize one of the coolest functions of Zeroshell, VPN access (almost) out of the box.
Getting VPN to work:
For those of you who don’t know what a VPN is, it stands for Virtual Private Network. It is simply a method of securely connecting to your home network, as if you were physically wired into it, when in fact you are connecting over the internet. This particular setup puts two layers of authentication in front of the VPN: an X.509 certificate and a username/password checked against Zeroshell’s Kerberos server. Those two identify the user; the tunnel itself is encrypted by the OpenVPN TLS session, and the certificate plus password are what keep a stranger from getting one. Plenty for an enterprise solution (small scale, of course). Keep in mind that you can set this VPN server’s authentication in one of 3 ways: X.509 certificate, username/password, or both. In this case, we’re using both.
You need to make a couple decisions though at first.
- Do you want just one user on your VPN?
- Do you want multiple users sharing the same username? (not necessarily recommended)
- What authentication do you want to set up? (credentials + X.509 is what I’m using here)
To start, go into the Users section on the left, select the admin user and click the X509 tab at the top, which will give you lots of information about that particular user (and any subsequent users as well).
We need to export this certificate and place it in a good location. Name it admin.pem if it isn’t already. The export has to include the private key for the client to use it, so treat the file like a password: it is the first authentication factor, and anyone holding it plus your password can get onto your LAN.
This is only one of the certs we need, though. We also need something called the “Trusted CA”. CA stands for Certificate Authority: in the world of certificates, this is the trusted source, the administrative entity considered ‘always valid and all knowing’, which in our case is our Zeroshell install. As long as the CA says it’s fine, any service using it will trust it, much like SSL certs. On the client side, CA.pem is what OpenVPN uses to check that the server it is talking to really is your Zeroshell box, so it belongs next to the config file and must not be swapped for anything else.
Now we need to get a copy of our trusted CA and enable the actual VPN functionality of our Zeroshell. Click the Trusted CAs button under X.509 Configuration, which spawns a window. Export it as a .pem and put it somewhere safe.
Now to enable VPN functionality we need to click the ‘enable’ box, and click save. Complicated, right?
Next we need to get a copy of the OpenVPN client. Since I’m using Windows 7 I had to get an RC with a properly signed driver (shakes fist at Microsoft). Also make sure you run the installer in compatibility mode for Windows Vista and run it as administrator (what a pain in the ass):
The newest installer can be found here, but it didn’t seem to work for me when I installed it :(
After getting it all installed and whatnot, move CA.pem and admin.pem to:
or in my case (64-bit machine):
C:\Program Files (x86)\OpenVPN\config
Now get into that directory and create a file named config.ovpn and copy my config from:
http://pastebin.com/f6c913fcd (edited from the Zeroshell OpenVPN configuration – thanks guys!)
Now just edit the first line to hold your server’s IP, and the proper port if necessary. You probably want to decrease the verbosity to 3 once you’re sure everything works. You should now be able to start the OpenVPN GUI, which will put an icon in the taskbar.
Right-click it and choose Connect; it should prompt you for a username and password. Log in with the admin user unless you have other users set up.
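Since the pastebin config may not be around forever, here is an added example of what that config.ovpn looks like. It is my own client config for a Zeroshell host-to-LAN VPN, not the file from the post or from Zeroshell. It assumes the server is at 203.0.113.1 (placeholder, replace with your IP), that the Zeroshell OpenVPN server is listening on TCP port 1194 with a TAP interface (its documented defaults; check your VPN page), and that the exported admin.pem carries both the certificate and its private key. If Zeroshell exported the key separately, point `key` at that file instead.

```conf
# Added example OpenVPN client config for the Zeroshell host-to-LAN VPN.
# Not the pastebin config from the post. Server address, port and TAP mode
# are assumptions; edit the "remote" line to match your Zeroshell VPN page.
client
dev tap
proto tcp
# server IP (or hostname) and port: the one line everyone must edit
remote 203.0.113.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Trusted CA exported from X.509 Configuration; verifies the server
ca CA.pem
# user certificate: first authentication factor
cert admin.pem
# private key; same file if the export bundled cert and key together
key admin.pem
# prompts for the Kerberos username/password: second factor
auth-user-pass
# drop to 3 once the tunnel is stable
verb 4
```

Two things worth checking once it connects. First, admin.pem contains the private key, so keep the OpenVPN config directory out of any shared folder. Second, every user certificate is issued by the same Zeroshell CA, and an OpenVPN client that only checks the CA will accept any of those certificates as the server, which lets another VPN user sit in the middle of your connection; if your server certificate carries the TLS Web Server Authentication extended key usage, add `remote-cert-tls server` to close that hole.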
You should now be successfully connected to your VPN in a very secure manner!
Getting NAT working:
Alright, for those of you who don’t know what NAT is, it stands for Network Address Translation. The piece we care about here is port forwarding (strictly, destination NAT): the router rewrites the destination of packets arriving on a chosen external port so they reach one machine on your LAN, and rewrites the replies on the way back out. Anyone on the internet who talks to that port on your router is really talking to that machine, so they ‘see’ exactly as far into your network as you let them.
First about my interfaces:
ETH00 is my internal network 10.0.0.0/24
ETH01 is my WAN port, connecting me to the internet
So the first entry in my nat table:
I have an FTP server running on port 21 of my laptop which I want to be able to access from anywhere. In order for me to make it so I can connect to my external IP on some port and talk to my laptop, I need to tell my router what to do.
Go into the Router section on the left and click the Virtual Servers tab at the top, which spawns a window for you.
For whatever reason you need to specify your internal interface (the one that takes care of your internal network), which in my case is ETH00, and allow any IP address (you can restrict services like Remote Desktop to a single IP or a range of IPs if you want).
The Local Port box is the port you connect to from the outside.
The Remote IP is the LAN address of the machine you want to forward to the outside.
The Remote Port is the port the service listens on at that address.
In this example I have an FTP server on port 21 on my local network, forwarded from port 65534, so to reach my laptop I connect to my.external.ip.address:65534.
The same goes for all other services, for bittorrent use the same port for local and remote ports, and it’ll be a 1:1 portmap to your local client. Tis truly handy :)
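To make concrete what the router does with that table, here is an added example (my own model, not Zeroshell code; Zeroshell itself does this with iptables on its Linux base) that replays the two rules just described, the FTP remap and the 1:1 bittorrent map, against made-up packets, including the reverse rewrite of the reply that the post does not mention. The addresses 203.0.113.9 (the router’s external address), 10.0.0.5 (the laptop) and 198.51.100.7 (a remote client) are constructed for the example; only the 10.0.0.0/24 LAN comes from the post.

```python
"""Model of the Zeroshell "virtual server" (port forwarding) table.

Added example, not Zeroshell code. It shows what the router has to do for
the FTP rule described above: rewrite the destination of packets arriving
on the chosen external port (DNAT), remember which connection was
rewritten, and rewrite the source of the replies so the remote client
sees the external address and port it connected to. The external address
203.0.113.9, the laptop's LAN address 10.0.0.5 and the remote client
198.51.100.7 are constructed for the example.
"""
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class VirtualServerTable:
    """One rule per external port, plus a connection table for the reverse rewrite."""

    def __init__(self, external_ip):
        self.external_ip = external_ip
        # external port -> (LAN address, LAN port)
        self.rules = {}
        # (LAN address, LAN port, client address, client port) -> external port
        self.conntrack = {}

    def add_rule(self, external_port, lan_ip, lan_port):
        # Two rules on one external port would be ambiguous, so refuse the second.
        if external_port in self.rules:
            raise ValueError(f"external port {external_port} is already forwarded")
        self.rules[external_port] = (lan_ip, lan_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving on the WAN side. Returns the rewritten packet, or None if dropped."""
        if pkt.dst_ip != self.external_ip:
            return None
        target = self.rules.get(pkt.dst_port)
        if target is None:
            return None  # no rule for this port: nothing on the LAN is reachable through it
        lan_ip, lan_port = target
        self.conntrack[(lan_ip, lan_port, pkt.src_ip, pkt.src_port)] = pkt.dst_port
        return pkt._replace(dst_ip=lan_ip, dst_port=lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Reply leaving the LAN. Undo the rewrite so the client recognises the flow."""
        ext_port = self.conntrack.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if ext_port is None:
            return pkt  # not a forwarded connection; ordinary masquerading is not modelled here
        return pkt._replace(src_ip=self.external_ip, src_port=ext_port)


def demo():
    """Replay the post's two rules: FTP remapped to 65534, and a 1:1 bittorrent map."""
    table = VirtualServerTable("203.0.113.9")
    table.add_rule(65534, "10.0.0.5", 21)   # my.external.ip:65534 -> laptop:21
    table.add_rule(6881, "10.0.0.5", 6881)  # same port on both sides

    syn = Packet("198.51.100.7", 50000, "203.0.113.9", 65534)
    inside = table.inbound(syn)
    # The laptop answers from 10.0.0.5:21; the router must present it as 203.0.113.9:65534.
    reply = table.outbound(Packet(inside.dst_ip, inside.dst_port, inside.src_ip, inside.src_port))
    # Port 21 itself was never forwarded, so a direct probe of it goes nowhere.
    stray = table.inbound(Packet("198.51.100.7", 50001, "203.0.113.9", 21))
    return inside, reply, stray


if __name__ == "__main__":
    for step, pkt in zip(("DNAT in", "un-NAT out", "no rule"), demo()):
        print(f"{step:>10}: {pkt}")
```

The connection table is the part that matters for the FTP case: because the external port (65534) differs from the laptop’s port (21), the router cannot un-NAT the reply from the packet alone and has to remember the mapping per connection. It also shows why only the ports you list are reachable; a probe at port 21 on the external address is simply dropped.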
The proof’s in the pudding:
C:\Users\P0rT_Smoke>nmap -T4 -sV -p65534 71.xx.222.63
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-09 22:12 Pacific Standard Time
Interesting ports on 71-xx-222-63.dhcp.mrqt.mi.charter.com (71.xx.222.63):
PORT STATE SERVICE VERSION
65534/tcp open ftp FileZilla ftpd 0.9.31 beta
Service Info: OS: Windows
Service detection performed. Please report any incorrect results at http://nmap.
Nmap done: 1 IP address (1 host up) scanned in 2.42 seconds
So hopefully you now have an awesome network setup allowing you to securely access any local resources you may need, as well as forward services you can afford to have ‘on the wire’. Two caveats on the FTP example: the scan above only proves the control port, and a passive-mode data transfer uses a separate port range that the FTP server must advertise and you must forward as well; and plain FTP sends the username and password unencrypted, so anything you expose this way should not share credentials with the rest of your network, or should be reached over the VPN instead of a port forward.
Nmap is your friend!
See, even Trinity used Nmap to save all of humanity. It can work for you too!