Zeroshell: Part 2 – VPN & NAT

Firstly let me just say thank you to everyone who’s been reading! 3 days and 8,330 hits! I really didn’t know so many people cared about what I have to say!

(In the time it took me to write this article my hits jumped up to 11,114 hits! Holy crap!)

So coming back to my previous post:

Getting DDWRT to play nice with Zeroshell

After getting everything working properly with routing set between interfaces, we can utilize one of the coolest functions of Zeroshell, VPN access (almost) out of the box.

Getting VPN to work:


For those of you who don’t know what VPNs are, it stands for Virtual Private Networking. It is simply a method of securely connecting to your home network, as if you were physically wired into it, when in fact you are connecting over the internet. This particular setup wraps the VPN in 2 layers of security – an X.509 certificate and a Kerberos server. Plenty of protection for an enterprise solution (small scale of course). Keep in mind that you can set this VPN server’s authentication in one of 3 ways: X.509 certificate, username/password, or both. In this case, we’re using both.

You need to make a couple of decisions first though.

  • Do you want to have just one user on your VPN?
  • Do you want multiple users with the same username? (not necessarily recommended)
  • What authentication do you want to set up? (credentials + X.509 is what I’m using in this)

To start, go into the Users section on the left, select the admin user and click the X509 tab at the top, which will give you lots of information about that particular user (and any subsequent users as well).


We need to export this certificate and place it in a good location. Name it admin.pem if it isn’t already.

This is only one of the certs we need though. We also need something called the “Trusted CA”. CA stands for Certificate Authority. In the world of certificates, this is the trusted source: the administrative entity that is considered ‘always valid and all knowing’, which in our case is our Zeroshell install. As long as the CA says a certificate is fine, any service using that CA will trust it, much like SSL certs.

Now we need to get a copy of our trusted CA and enable the actual VPN functionality of our Zeroshell. Click on the Trusted CAs button under the X.509 Configuration, which will spawn a window. Export the CA as a .pem, and put it somewhere safe.

Now to enable VPN functionality we need to tick the ‘enable’ box and click save. Complicated, right?


Next we need to get a copy of the OpenVPN client. Since I’m using Windows 7 I had to get an RC with a properly signed driver (shakes fist at Microsoft). Also make sure you run the installer in compatibility mode for Windows Vista and run it as administrator (what a pain in the ass):

http://openvpn.net/release/openvpn-2.1_rc19-install.exe

The newest installer can be found here, but it didn’t seem to work for me when I installed it :(

http://openvpn.net/release/openvpn-2.1_rc20-install.exe

After getting it all installed and whatnot, move CA.pem and admin.pem to:

C:\Program Files\OpenVPN\config

or in my case (64 bit machines)

C:\Program Files (x86)\OpenVPN\config

Now go into that directory, create a file named config.ovpn and copy my config from:

http://pastebin.com/f6c913fcd (edited from the Zeroshell OpenVPN configuration – thanks guys!)

Now just edit the first line to hold whatever your server’s IP is, and the proper port if necessary. You probably want to decrease the verbosity to 3 once you’re sure everything works as well. You should now be able to start the OpenVPN GUI, which will put an icon in the taskbar.

Right click it and go to Connect. It should prompt you for a username and password; log in with the admin user, unless you have other users to use.


You should now be successfully connected to your VPN in a very secure manner!

Getting NAT working:

Alright, for those of you who don’t know what NAT is, it stands for Network Address Translation. What we use it for here is port forwarding, which does exactly what it sounds like it’s doing: it exposes a port on one of your clients to the outside world, so that anyone looking at your router from the internet will ‘see’ into your network on that port.

First about my interfaces:

ETH00 is my internal network 10.0.0.0/24

ETH01 is my WAN port, connecting me to the internet

So, the first entry in my NAT table:

I have an FTP server running on port 21 of my laptop which I want to be able to access from anywhere. In order for me to make it so I can connect to my external IP on some port and talk to my laptop, I need to tell my router what to do.

Go into the Router section on the left and click the Virtual Servers tab at the top, which will spawn a window for you.

For whatever reason you need to specify your internal interface (the one that takes care of your internal network), which in my case is ETH00, and allow any IP address (you can restrict services like Remote Desktop to a single IP, or a range of IPs, if you want).

The local port box specifies the port you want to connect to from the outside.

The remote IP is the local IP address of the machine you want to expose to the outside.

The remote port is the local port running on said IP address.

In this example I have an FTP server running on port 21 on my local network, which is being forwarded from port 65534. So, in order to reach my laptop, I connect to my.external.ip.address:65534.


The same goes for all other services. For BitTorrent use the same port for local and remote ports, and it’ll be a 1:1 port map to your local client. Tis truly handy :)

The proof’s in the pudding:

C:\Users\P0rT_Smoke>nmap -T4 -sV -p65534 71.xx.222.63

Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-09 22:12 Pacific Standard Time

Interesting ports on 71-xx-222-63.dhcp.mrqt.mi.charter.com (71.xx.222.63):
PORT      STATE SERVICE VERSION
65534/tcp open  ftp     FileZilla ftpd 0.9.31 beta
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.
org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.42 seconds
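The scan above confirms the one port you meant to open; the flip side is checking that nothing else on the WAN interface is reachable that you did not put in the Virtual Servers table. The script below is an added example (not from the post or from Zeroshell): it parses nmap’s normal output, compares the open ports against the forwarding table, and flags anything extra or missing. The sample scan embeds the post’s 65534/ftp line plus one constructed extra line on port 80; the internal address 10.0.0.10 is a placeholder.

```python
import re
import subprocess

# Forwarding table as entered in the Virtual Servers tab: external port -> (internal IP, internal port).
# 65534 -> 21 is the post's example; the internal address is a constructed placeholder.
FORWARDS = {65534: ("10.0.0.10", 21)}

# Constructed sample scan: the post's output plus one extra open port (80) to show the audit catching
# something that is not in the forwarding table. The masked external address is kept as written.
SAMPLE_SCAN = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-09 22:12 Pacific Standard Time

Interesting ports on 71-xx-222-63.dhcp.mrqt.mi.charter.com (71.xx.222.63):
PORT      STATE SERVICE VERSION
65534/tcp open  ftp     FileZilla ftpd 0.9.31 beta
80/tcp    open  http    Apache httpd 2.2.x (constructed)
Service Info: OS: Windows
"""

# One "PORT STATE SERVICE VERSION" row, e.g. "65534/tcp open  ftp     FileZilla ftpd 0.9.31 beta"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap(output):
    """Return {port: (proto, state, service, version)} for every port row in normal nmap output."""
    ports = {}
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[int(m.group(1))] = (m.group(2), m.group(3), m.group(4), (m.group(5) or "").strip())
    return ports

def audit(scan_output, forwards):
    """Split scanned ports into expected (in the table and open), unexpected (open but not in the
    table) and missing (in the table but not open). Each list is sorted."""
    open_ports = {p for p, (_, state, _, _) in parse_nmap(scan_output).items() if state == "open"}
    table = set(forwards)
    return sorted(open_ports & table), sorted(open_ports - table), sorted(table - open_ports)

def scan(target, ports="1-65535"):
    """Run nmap from outside the network against the WAN address; needs nmap on PATH.
    A full TCP range takes a while, so narrow `ports` (e.g. "21,80,65534") for a quick check."""
    args = ["nmap", "-T4", "-sV", "-p", ports, target]
    return subprocess.run(args, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    expected, unexpected, missing = audit(SAMPLE_SCAN, FORWARDS)
    print("expected open:", expected, "| unexpected open:", unexpected, "| missing:", missing)
```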

So hopefully now you have an awesome network setup allowing you to securely access any local resources you may need, as well as forward services you can afford to have ‘on the wire’.

Nmap is your friend!

See, even Trinity used Nmap to save all of humanity. It can work for you too!
