Migrating from linksys -> linux (with VPN!)
This guide is for replacing a DDWRT router (turning it into a wireless access point) with Zeroshell on an old computer, properly setting up a secure VPN, and getting NAT working properly on your very own network infrastructure!
This was my planned-out network configuration (and no, I do not have a serial connection to the internet; yay for auto connect in Packet Tracer).
So now you see exactly what it is we want to do. I used to have everything running off of my WRT54G running DDWRT, but my roommates and I use quite a bit of bandwidth, and with 8 MB of onboard memory, needless to say it was the equivalent of a one-armed man trying to take on an army of ninjas, even WITH overclocking enabled.
I’d been looking for a computer to turn into a router for a while, and I finally found one at work last week :)
So I grabbed a copy of Zeroshell, started it up and was greeted by the main screen. It sets a static IP on eth00 (their naming convention is a bit wonky) of 192.168.0.75, so I plugged into it with my main ethernet port and set a static IP in the same subnet (google it if you don’t know how).
When I could finally connect I was greeted by the sign-in page (of course after the SCARY self-signed cert warning).
Default U:P == admin:zeroshell
Time to create a new profile: on the top bar there is a ‘Profiles’ tab. It’s a good place to start so we can actually save all our settings :)
In this case there was a WIN95-formatted drive in there, which Zeroshell couldn’t read. What I ended up doing was just plugging it into an IDE reader and formatting it that way, which worked fine.
Either way, after creating a new database with all of my info, including hostname, Kerberos, and LDAP stuff, most of which doesn’t really matter (unless you’re going to be using the Kerberos and LDAP stuff to actually drive something else on your network), the example configuration works fine.
As you can see, I’m running an UBER POWERFUL Pentium II :-P
Now in the ‘Network’ tab we need to set our IP addresses. The dynamic IP won’t stick until there’s actually an address to get, so I just set the static IP for ETH00 to 10.0.0.1.
It was at this point that I realized that I needed to disable all DHCP/routing functionality on my DDWRT.
Logging in, I had to change a few things:
- WAN Connection type = disabled
- Local IP address = 10.0.0.2/24
- Assign WAN port to switch
- DHCP Forwarder (as opposed to server), followed by the IP of the DHCP server (10.0.0.1)
Since I wasn’t going to be changing anything on my wireless side (I still wanted to use the AP functionality of my DDWRT) there was no need to fiddle with any of those settings.
Finally, all we have to do is disable routing. Go to the Administration tab and at the bottom hit the Routing button to disable it.
Now we can actually put our machine into place, but you may want to enable the DHCP server first (otherwise you have to assign yourself a static address); it really depends on how much of a pain it is having your computer so close to it :-P
On the left in the ‘Network’ subsection there’s a DHCP link; after you click it you need to create a new subnet. Choose the proper interface to broadcast on (eth00 in my case) and set the DHCP pool specifications. I did 10.0.0.10-10.0.0.25 and put in OpenDNS for my primary and secondary DNS (184.108.40.206 and 220.127.116.11).
Now we need to enable NAT on the router, so we can properly translate internal ports to external ones. Click on the Router section, click the NAT tab, add both interfaces and click ‘Save’.
That’s about it as far as what needs to happen to get routing, DHCP, and DNS properly set up, so you can now do pretty much anything you want.
Before you start messing with things that could break the world, which in turn causes you to mess up the hard drive containing your configuration, BACK UP YOUR CONFIGURATION. Do it now. Seriously. Although I wouldn’t have written this article if I had done that in the first place.
Go back into the profile manager, click on your profile, go to “Backup” and put it somewhere safe :)
After getting everything working properly with routing set between interfaces, we can utilize one of the coolest functions of Zeroshell, VPN access (almost) out of the box.
Getting VPN to work:
For those of you who don’t know what a VPN is, it stands for Virtual Private Network. It is simply a method of securely connecting to your home network, as if you were physically wired into it, when in fact you are connecting over the internet. This particular setup wraps the VPN in 2 layers of security: an X.509 certificate and a Kerberos server. Plenty of security for an enterprise solution (small scale, of course). Keep in mind that you can set this VPN server’s authentication in one of 3 ways: X.509 certificate, username/password, or both. In this case, we’re using both.
You need to make a couple of decisions first though:
- Do you want to have just one user on your VPN?
- Do you want multiple users with the same username? (not necessarily recommended)
- What authentication do you want to set up? (credentials + X.509 is what I’m using here)
To start, go into the Users section on the left, select the admin user and click the X509 tab at the top, which will give you lots of information about that particular user (and any subsequent users as well).
We need to export this certificate and place it in a good location. Name it admin.pem if it isn’t already.
This is only one of the certs we need though. We also need something called the “Trusted CA”. CA stands for Certificate Authority. In the world of certificates, this is the trusted source: the administrative entity that is considered ‘always valid and all knowing’, which in our case is our Zeroshell install. As long as the CA says it’s fine, any service using it will trust it, much like SSL certs.
Now we need to get a copy of our trusted CA and enable the actual VPN functionality of our Zeroshell. Click on the Trusted CAs button under the X.509 Configuration, which will spawn a window. Export it as a .pem and put it somewhere safe.
Next we need to get a copy of the OpenVPN client. Since I’m using Windows 7 I had to get an RC with a properly signed driver (shakes fist at Microsoft; see my article on the subject though). Also make sure you run the installer in compatibility mode for Windows Vista and run it as administrator (what a pain in the ass):
The newest installer can be found here, but it didn’t seem to work for me when I installed it :(
After getting it all installed and whatnot, move CA.pem and admin.pem to:
or in my case (for 64-bit machines):
C:\Program Files (x86)\OpenVPN\config
Now get into that directory and create a file named config.ovpn and copy my config from:
http://pastebin.com/f6c913fcd (edited from the Zeroshell OpenVPN configuration – thanks guys!)
Now just edit the first line (well, line 7, the first line that matters) and replace ***YOURHOSTNAMEHERE*** with whatever your server’s IP is, and the proper port if necessary. You probably want to decrease the verbosity to 3 after you’re sure everything works, as well. You should now be able to start the OpenVPN GUI, which will put an icon in the taskbar.
Right-click it and go to Connect; it should prompt you for a username and password. Log in with the admin user, unless you have other users to use.
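For reference, here is what a client config.ovpn for this setup looks like. This is an added example, not the pastebin file from the article and not Zeroshell’s own config: it assumes the Zeroshell OpenVPN server listens on TCP port 1194 with a TAP interface (Zeroshell’s usual defaults, but check your server), that the exported admin.pem contains both the certificate and its private key, and that the two .pem files sit in the same directory as the config.

```conf
# Added example OpenVPN client config (assumptions noted in the text above)
client
dev tap
proto tcp
# line to edit: your server's public IP or hostname, then the port
remote ***YOURHOSTNAMEHERE*** 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# layer 1: X.509 - the exported Trusted CA and the user's cert+key
ca CA.pem
cert admin.pem
key admin.pem
# layer 2: username/password, checked by Zeroshell against Kerberos
auth-user-pass
# only accept a server certificate (needs the serverAuth EKU on the server cert;
# if your Zeroshell server cert lacks it, the connection fails with a TLS error)
remote-cert-tls server
# turn this down to 3 once everything works
verb 6
```

Before the first connect it is worth confirming that the user cert actually chains to the CA you exported: `openssl verify -CAfile CA.pem admin.pem` should print `admin.pem: OK`. If it does not, you exported the wrong CA or the wrong user cert, and the TLS handshake will fail before the username prompt even matters.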
Congrats! You should now be connected to your VPN in a very secure manner!
Getting NAT working:
Alright, for those of you who don’t know what NAT is, it stands for Network Address Translation. This is a fancy way of saying port forwarding (strictly, port forwarding is just one use of NAT, but it’s the one we care about here), which does exactly what it sounds like. It forwards a port on one of your clients on the internal network to the outside world, so that anyone looking at your router from the internet side will ‘see’ that port, which gets passed into your network.
To recap about my interfaces:
ETH00 is my internal network 10.0.0.0/24
ETH01 is my WAN port, connecting me to the internet
So, the first entry in my NAT table:
I have an FTP server running on port 21 of my laptop which I want to be able to access from anywhere. In order for me to connect to my external IP on some port and talk to my laptop, I need to tell my router three things: the port on my external interface that I want to connect to, the computer that port should correspond to, and the port ON that computer that the external port should correspond to.
Go into the Router section on the left and click the Virtual Servers tab at the top, which will spawn a window for you.
For whatever reason you need to specify your internal interface (the one that takes care of your internal network), which in my case is ETH00, to any IP address (you can restrict services like remote desktop to a single IP, or a range of IPs, if you want).
- The local port box specifies the port you want to connect to from the outside
- The remote IP is the local IP address of the machine you want to forward to the outside
- The remote port is the local port running on said IP address
In this example I have an FTP server running on port 21 on my local network, which is getting forwarded to port 65534, so in order to connect to my laptop I need to connect to my.external.ip.address:65534 to talk to my laptop on port 21.
The same goes for all other services; for BitTorrent and anything else you can use the same port for local and remote, and it’ll be a 1:1 port map to your local client. I like to use non-standard ports though; it reduces people scanning (and ultimately trying to gain access to) my services. Tis truly handy :) Keep in mind it only hides the port from casual scans (a version scan like the one below still identifies the service), so whatever you forward still needs to be patched and properly locked down.
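To make concrete what the Virtual Servers form is telling the router to do, here is a small model of the translation in Python. This is an added example, not Zeroshell’s code: all addresses are constructed (198.51.100.63 stands in for the masked external IP, 10.0.0.20 is a hypothetical laptop, 10.0.0.15 a hypothetical BitTorrent box, 203.0.113.0/24 a hypothetical ‘office’ range), and it goes slightly beyond the article’s FTP example by also showing the 1:1 map and the source restriction mentioned above, plus the reply path that the Virtual Servers form handles for you.

```python
# Added example (not Zeroshell's code): a toy model of destination NAT /
# port forwarding as configured in the Virtual Servers form.
# All addresses and ports are constructed to mirror the article's setup.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class VirtualServer:
    """One row of the Virtual Servers table."""
    local_port: int                       # port opened on the WAN interface (ETH01)
    remote_ip: str                        # LAN host the traffic is handed to
    remote_port: int                      # port the service really listens on
    allowed_sources: str = "0.0.0.0/0"    # 'any IP address' in the form
    proto: str = "tcp"


class Router:
    def __init__(self, external_ip: str, rules):
        self.external_ip = ip_address(external_ip)
        self.rules = list(rules)
        # Connection tracking: remembers which rule a client hit so the LAN
        # host's reply can be rewritten back to external_ip:local_port.
        self.sessions = {}

    def inbound(self, src_ip, src_port, dst_ip, dst_port,
                proto="tcp") -> Optional[Tuple[str, int]]:
        """Packet arriving from the internet on ETH01.
        Returns the rewritten (LAN ip, LAN port), or None if the router drops it."""
        if ip_address(dst_ip) != self.external_ip:
            return None
        for rule in self.rules:
            if (rule.proto == proto and rule.local_port == dst_port
                    and ip_address(src_ip) in ip_network(rule.allowed_sources)):
                self.sessions[(src_ip, src_port, proto)] = rule
                return (rule.remote_ip, rule.remote_port)
        return None  # no virtual server for this port: it never reaches the LAN

    def outbound_reply(self, src_ip, src_port, dst_ip, dst_port,
                       proto="tcp") -> Optional[Tuple[str, int]]:
        """Reply from the LAN host to the internet client: reverse the
        translation so the client sees it coming from external_ip:local_port."""
        rule = self.sessions.get((dst_ip, dst_port, proto))
        if rule is None or (src_ip, src_port) != (rule.remote_ip, rule.remote_port):
            return None
        return (str(self.external_ip), rule.local_port)


def build_example_router() -> Router:
    """Constructed NAT table mirroring the article's examples."""
    return Router("198.51.100.63", [
        # FTP on the laptop, exposed on a non-standard external port
        VirtualServer(local_port=65534, remote_ip="10.0.0.20", remote_port=21),
        # BitTorrent, 1:1 port map
        VirtualServer(local_port=6881, remote_ip="10.0.0.15", remote_port=6881),
        # Remote Desktop, restricted to one source network (constructed range)
        VirtualServer(local_port=3389, remote_ip="10.0.0.20", remote_port=3389,
                      allowed_sources="203.0.113.0/24"),
    ])


if __name__ == "__main__":
    r = build_example_router()
    print(r.inbound("203.0.113.9", 40000, "198.51.100.63", 65534))  # ('10.0.0.20', 21)
    print(r.inbound("203.0.113.9", 40000, "198.51.100.63", 21))     # None: port 21 not exposed
    print(r.outbound_reply("10.0.0.20", 21, "203.0.113.9", 40000))   # ('198.51.100.63', 65534)
    print(r.inbound("198.51.100.77", 40001, "198.51.100.63", 3389))  # None: source not allowed
```

The two things worth noticing: a connection to the standard port 21 on the external IP goes nowhere, because only the row you added exists (that is all the ‘non-standard port’ trick buys you), and a row with a restricted source range drops everything outside that range before it ever touches the LAN host, which is the cheap win for services like remote desktop.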
The proof’s in the pudding:
C:\Users\P0rT_Smoke>nmap -T4 -sV -p65534 71.xx.222.63
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-09 22:12 Pacific Standard Time
Interesting ports on 71-xx-222-63.dhcp.mrqt.mi.charter.com (71.xx.222.63):
PORT STATE SERVICE VERSION
65534/tcp open ftp FileZilla ftpd 0.9.31 beta
Service Info: OS: Windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.42 seconds
Nmap is your friend!
So hopefully now you have an awesome network setup allowing you to securely access any local resources you may need, as well as forward services you can afford to have ‘on the wire’.
Hope it helped, and keep reading my articles!