Migrating from linksys -> linux (with VPN!)

Hello everyone!

This guide covers replacing a DD-WRT router (turning it into a wireless access point) with Zeroshell on an old computer, properly setting up a secure VPN, and getting NAT working properly on your very own network infrastructure!

This was my planned-out network configuration (and no, I do not have a serial connection to the internet; yay for auto-connect in Packet Tracer).

[Screenshot: network topology]

So now you see exactly what it is we want to do. I used to have everything running off of my WRT54G running DD-WRT, but my roommates and I use quite a bit of bandwidth, and with 8 MB of onboard memory, needless to say it was hopelessly outmatched, even WITH overclocking enabled.

I’d been looking for a computer to turn into a router for a while, and I finally found one at work last week :)

So I grabbed a copy of Zeroshell and started it up, and I was greeted by the main screen. It sets a static IP on ETH00 (their naming convention is a bit wonky) to 192.168.0.75, so I plugged into it with my main Ethernet port and set a static IP on the same subnet (Google it if you don’t know how).

When I could finally connect I was greeted by the sign-in page (after the SCARY self-signed cert warning, of course; that is expected here, since the box signs its own certificate).

[Screenshot: Zeroshell login page]

Default username:password is admin:zeroshell (change it before this box is reachable from anywhere you don’t control).

Time to create a new profile: on the top bar there is a ‘Profiles’ tab. It’s a good place to start so we can actually save all our settings :)

In this case there was a Win95-formatted drive in there, which Zeroshell couldn’t read. What I ended up doing was just plugging it into an IDE reader and formatting it that way, which worked fine.

Either way, after creating a new database with all of my info, including hostname, Kerberos and LDAP settings (most of which doesn’t really matter unless you’re going to use the Kerberos and LDAP stuff to actually drive something else on your network), the example configuration works fine.

[Screenshot: profile manager]

As you can see, I’m running an UBER POWERFUL Pentium II :-P

Now in the ‘Network’ tab we need to set our IP addresses. The dynamic IP won’t stick until there’s actually an address to get, so I just set the static IP for ETH00 to 10.0.0.1.

It was at this point that I realized I needed to disable all DHCP/routing functionality on my DD-WRT.

Logging in, I had to change a few things:

  • WAN Connection type = disabled
  • Local IP address = 10.0.0.2/24
  • Assign WAN port to switch
  • DHCP Forwarder (as opposed to server), followed by the IP of the DHCP server (10.0.0.1)

[Screenshot: DD-WRT settings]

Since I wasn’t going to be changing anything on my wireless side (I still wanted to use the AP functionality of my DD-WRT) there was no need to fiddle with any of those settings.

Finally, all we have to do is disable routing. Go to the Administration tab and at the bottom hit the Routing button to disable it.

[Screenshot: DD-WRT routing disabled]

Now we can actually put our machine into place, but you may want to enable the DHCP server first (otherwise you have to assign yourself a static address); it really depends on how much of a pain it is having your computer so close to it :-P

On the left in the ‘Network’ subsection there’s a DHCP link; after you click it you need to create a new subnet. Choose the proper interface to broadcast on (ETH00 in my case) and set the DHCP pool specifications. I did 10.0.0.10-10.0.0.25 and put in OpenDNS for my primary and secondary DNS (208.67.222.222 and 208.67.220.220).

[Screenshot: DHCP subnet]

Now you want to hook up your WAN interface (ETH01) and get a dynamic address: go back to ‘Setup’ on the left, then the Network tab, and hit the DynIP button for the corresponding interface.

[Screenshot: dynamic IP]

Now we need to put the router on a NAT so we can properly translate internal addresses and ports to external ones. Click on the Router section, then the NAT tab, add both interfaces and click ‘Save’.

[Screenshot: NAT interfaces]

That’s about it as far as what needs to happen to get routing, DHCP and DNS properly set up, so you can now do pretty much anything you want.

Before you start messing with things that could break the world, which in turn causes you to mess up your hard drive containing your configuration, BACK UP YOUR CONFIGURATION. Do it now. Seriously. Although I wouldn’t have written this article if I had done that in the first place.

Go back into the Profile manager, click on your profile, go to “Backup” and put the file somewhere safe :)

[Screenshot: profile backup]

After getting everything working properly with routing set between interfaces, we can utilize one of the coolest functions of Zeroshell, VPN access (almost) out of the box.

Getting VPN to work:


For those of you who don’t know what a VPN is, it stands for Virtual Private Network. It is simply a method of securely connecting to your home network, as if you were physically wired into it, when in fact you are connecting over the internet. This particular setup wraps the VPN in two layers of security: an X.509 certificate and a Kerberos server. Plenty for an enterprise solution (small scale, of course). Keep in mind that you can set this VPN server’s authentication in one of three ways: X.509 certificate, username/password, or both. In this case, we’re using both.

You need to make a couple of decisions first, though.

  • Do you want to have just one user on your VPN?
  • Do you want multiple users with the same username? (not necessarily recommended)
  • What authentication do you want to set up? (credentials + X.509 is what I’m using in this)

To start, go into the Users section on the left, select the admin user and click the X509 tab at the top, which will give you lots of information about that particular user (and any subsequent users as well).

[Screenshot: admin user, X.509 tab]

We need to export this certificate and place it in a good location. Name it admin.pem if it isn’t already. If the export includes the user’s private key, treat the file like a password: anyone holding it has that half of the login.

This is only one of the certs we need, though. We also need something called the “Trusted CA”. CA stands for Certificate Authority. In the world of certificates, this is the trusted source: the administrative entity that is considered ‘always valid and all-knowing’, which in our case is our Zeroshell install. As long as the CA says a certificate is fine, any service using that CA will trust it, much like SSL certs.

Now we need to get a copy of our trusted CA and enable the actual VPN functionality of Zeroshell. Click on the Trusted CAs button under the X.509 Configuration, which will spawn a window. Export it as a .pem and put it somewhere safe.

[Screenshot: Trusted CA export]

Now to enable VPN functionality we need to tick the ‘Enable’ box and click Save. Complicated, right?

[Screenshot: OpenVPN enabled]

Next we need to get a copy of the OpenVPN client. Since I’m using Windows 7 I had to get an RC with a properly signed driver (shakes fist at Microsoft; see my article on the subject, though). Also make sure you run the installer in compatibility mode for Windows Vista and run it as administrator (what a pain in the ass):

http://openvpn.net/release/openvpn-2.1_rc19-install.exe

The newest installer can be found here, but it didn’t seem to work for me when I installed it :(

http://openvpn.net/release/openvpn-2.1_rc20-install.exe

After getting it all installed and whatnot, move CA.pem and admin.pem to:

C:\Program Files\OpenVPN\config

or in my case (for 64 bit machines):

C:\Program Files (x86)\OpenVPN\config

Now get into that directory, create a file named config.ovpn and copy my config from:

http://pastebin.com/f6c913fcd (edited from the Zeroshell OpenVPN configuration – thanks guys!)

Now just edit the first line that matters (line 7) and replace ***YOURHOSTNAMEHERE*** with your server’s IP, and the proper port if necessary. You probably want to decrease the verbosity to 3 after you’re sure everything works, too. You should now be able to start the OpenVPN GUI, which will put an icon in the taskbar.

Right-click it and go to Connect; it should prompt you for a username and password. Log in with the admin user unless you have other users to use.
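Before that first Connect click it is worth sanity-checking the config file, since the two mistakes that bite here (the hostname placeholder left in place and debug-level verbosity) are both plain text. The linter below is an added example written for this write-up; it is neither the pastebin config nor Zeroshell’s or OpenVPN’s own code. It assumes the layout the post describes (a `remote` line carrying `***YOURHOSTNAMEHERE***` until edited, plus `ca`, `cert`, `key`, `auth-user-pass` and `verb` lines); the `dev tap` / `proto tcp` values in the constructed sample are assumptions, not taken from the post. It also flags a missing `remote-cert-tls server`, the directive that stops any other certificate issued by the same CA (for instance another user’s client cert) from posing as the server; it only works if the Zeroshell server certificate carries the server key usage, which you can confirm with `openssl x509 -in <cert> -noout -text` before adding it.

```python
"""Lint an OpenVPN client config before the first connection attempt.

Added example for this write-up; it is not the post's pastebin config nor
Zeroshell's own code. Assumed layout (matching what the post describes):
a 'remote' line that carries the ***YOURHOSTNAMEHERE*** placeholder until
edited, plus 'ca', 'cert', 'key', 'auth-user-pass' and 'verb' lines.
Inline <ca>...</ca> blocks are not interpreted.
"""

PLACEHOLDER = "***YOURHOSTNAMEHERE***"
RECOMMENDED_VERB = 3


def parse_ovpn(text):
    """Return (directive, [args]) tuples; lines starting with '#' or ';' are comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def check_ovpn(text):
    """Return a list of findings; an empty list means nothing to fix."""
    seen = {}
    for name, args in parse_ovpn(text):
        seen.setdefault(name, []).append(args)
    findings = []

    # 1. The remote line must name a real server, not the template placeholder.
    remotes = seen.get("remote", [])
    if not remotes:
        findings.append("no 'remote' line: the client has nowhere to connect")
    for args in remotes:
        if not args or PLACEHOLDER in args[0]:
            findings.append("'remote' still contains the %s placeholder" % PLACEHOLDER)

    # 2. Both halves of the two-layer setup: a CA to validate the server,
    #    the client certificate/key, and the username/password prompt.
    for needed in ("ca", "cert", "key", "auth-user-pass"):
        if needed not in seen:
            findings.append("missing '%s' directive" % needed)

    # 3. Without remote-cert-tls (or the older ns-cert-type), any certificate
    #    issued by the same CA, e.g. another user's client cert, would be
    #    accepted as the server. Needs the server cert to carry the serverAuth
    #    key usage (assumed; check with 'openssl x509 -text' first).
    if "remote-cert-tls" not in seen and "ns-cert-type" not in seen:
        findings.append("no 'remote-cert-tls server': server identity is not "
                        "restricted to a server certificate")

    # 4. Verbosity above 3 floods the log once things work.
    for args in seen.get("verb", []):
        if args and args[0].isdigit() and int(args[0]) > RECOMMENDED_VERB:
            findings.append("verb %s is above the recommended %d"
                            % (args[0], RECOMMENDED_VERB))
    return findings


# Constructed sample: the template after editing the remote line, with the
# debug verbosity still in place and no server-certificate check. 'dev tap'
# and 'proto tcp' are assumed values, not taken from the post.
SAMPLE_CONFIG = """\
client
dev tap
proto tcp
remote vpn.example.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca CA.pem
cert admin.pem
key admin.pem
auth-user-pass
verb 5
"""

# The same config with both findings addressed.
HARDENED_CONFIG = SAMPLE_CONFIG.replace("verb 5", "remote-cert-tls server\nverb 3")

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label + ":", check_ovpn(cfg) or "OK")
```

Run it with `python check_ovpn.py`; the sample config reports the two findings and the hardened one reports OK. Swap `SAMPLE_CONFIG` for the contents of your own `config.ovpn` (read with `open(...).read()`) to check the real file.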

[Screenshot: OpenVPN GUI login prompt]

Congrats! You should now be successfully connected to your VPN in a very secure manner!

Getting NAT working:

Alright, for those of you who don’t know what NAT is, it stands for Network Address Translation. Here it’s a fancy way of saying port forwarding (strictly, destination NAT; the masquerading we set up earlier for outbound traffic is source NAT), which does exactly what it sounds like: it forwards a port on one of the clients on your internal network to the outside world, so anyone looking at your router from the internet side will ‘see’ that port, which gets passed into your network.

To recap my interfaces:

ETH00 is my internal network 10.0.0.0/24

ETH01 is my WAN port, connecting me to the internet

So, the first entry in my NAT table:

I have an FTP server running on port 21 of my laptop which I want to be able to access from anywhere. In order to connect to my external IP on some port and talk to my laptop, I need to tell my router three things: the port on my external interface that I want to connect to, the computer that port should correspond to, and the port ON that computer that the external port should map to.

Go into the Router section on the left and click the Virtual Servers tab at the top, which will spawn a window for you.

For whatever reason you need to specify your internal interface (the one that takes care of your internal network), which in my case is ETH00, to any IP address (you can restrict services like Remote Desktop to a single IP or a range of IPs if you want).

The Local Port box specifies the port you want to connect to from the outside.

The Remote IP is the local IP address of the machine you want to forward to the outside.

The Remote Port is the local port running on said IP address.

In this example I have an FTP server running on port 21 on my local network, which is getting forwarded to port 65534, so in order to connect to my laptop I need to connect to my.external.ip.address:65534 to talk to it on port 21.

[Screenshot: virtual server entry]

The same goes for all other services: for BitTorrent and anything else you can use the same port for local and remote, and it’ll be a 1:1 port map to your local client. I like to use non-standard ports though; it reduces people scanning (and ultimately trying to gain access to) my services. Bear in mind that only cuts down on noise: a version scan like the one below still identifies what is listening, so the forwarded service itself still has to be kept patched and properly locked down. ’Tis truly handy :)

The proof is in the pudding:
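The three fields from the Virtual Servers window (local port, remote IP, remote port) form a table that the router consults for every inbound packet, and it is easy to enter something the GUI accepts but that cannot work, such as two entries on the same external port. The script below is an added example written for this write-up, not Zeroshell’s code: it models the table with the post’s field names, resolves where an inbound connection lands, validates the entries against the 10.0.0.0/24 LAN from the post, and prints the `iptables` DNAT and FORWARD rules an equivalent plain-Linux router would need for the same table (the rule form is assumed; it is not what Zeroshell generates internally). The BitTorrent entry and the host addresses in the table are constructed.

```python
"""Model of the post's 'Virtual Server' (port-forward) table.

Added example, not Zeroshell's own code. Field names follow the post:
the WAN interface, the local port (the port exposed on the router's public
address), and the remote IP / remote port (the LAN host and its service).
The iptables lines are what an equivalent plain-Linux router would need
for the same table (assumed; not copied from Zeroshell's generated rules).
"""
import ipaddress
from collections import namedtuple

Forward = namedtuple("Forward", "wan_if proto local_port remote_ip remote_port")

WAN_IF = "ETH01"                                 # from the post
LAN_IF = "ETH00"                                 # from the post
LAN_NET = ipaddress.ip_network("10.0.0.0/24")    # from the post

# Constructed table: the post's FTP forward (65534 -> laptop:21) plus a
# 1:1 BitTorrent forward to a second, made-up LAN host.
FORWARDS = [
    Forward(WAN_IF, "tcp", 65534, "10.0.0.10", 21),
    Forward(WAN_IF, "tcp", 6881, "10.0.0.11", 6881),
]


def validate(forwards, lan_net=LAN_NET):
    """Catch entries a router GUI may accept silently but that cannot work."""
    problems, seen = [], set()
    for f in forwards:
        key = (f.proto, f.local_port)
        if key in seen:
            problems.append("%s/%d is mapped twice; only the first entry would match" % key)
        seen.add(key)
        if ipaddress.ip_address(f.remote_ip) not in lan_net:
            problems.append("%s is not inside the internal network %s" % (f.remote_ip, lan_net))
        for port in (f.local_port, f.remote_port):
            if not 1 <= port <= 65535:
                problems.append("port %d is out of range" % port)
    return problems


def resolve(forwards, proto, dst_port):
    """Where an inbound connection to the public address ends up; None = not forwarded."""
    for f in forwards:
        if f.proto == proto and f.local_port == dst_port:
            return (f.remote_ip, f.remote_port)
    return None


def iptables_rules(forwards, lan_if=LAN_IF):
    """Equivalent DNAT + FORWARD rules for a plain Linux router (assumed form)."""
    rules = []
    for f in forwards:
        # Rewrite the destination of packets arriving on the WAN port...
        rules.append(
            "iptables -t nat -A PREROUTING -i %s -p %s --dport %d "
            "-j DNAT --to-destination %s:%d"
            % (f.wan_if, f.proto, f.local_port, f.remote_ip, f.remote_port))
        # ...and allow only that rewritten flow through to the LAN host.
        rules.append(
            "iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %d "
            "-m conntrack --ctstate NEW -j ACCEPT"
            % (f.wan_if, lan_if, f.proto, f.remote_ip, f.remote_port))
    return rules


if __name__ == "__main__":
    print("problems:", validate(FORWARDS) or "none")
    print("65534/tcp ->", resolve(FORWARDS, "tcp", 65534))   # ('10.0.0.10', 21)
    print("21/tcp    ->", resolve(FORWARDS, "tcp", 21))      # None: port 21 itself is not exposed
    print("\n".join(iptables_rules(FORWARDS)))
```

The `resolve` call for port 21 returning `None` is the point of the post’s non-standard port: the laptop’s FTP service is reachable only through 65534, and a scan of the public address on 21 sees nothing. The FORWARD rule is scoped to the rewritten destination and port rather than to the whole LAN, so a forward for one service never opens the rest of the host.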

C:\Users\P0rT_Smoke>nmap -T4 -sV -p65534 71.xx.222.63

Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-09 22:12 Pacific Standard Time

Interesting ports on 71-xx-222-63.dhcp.mrqt.mi.charter.com (71.xx.222.63):
PORT      STATE SERVICE VERSION
65534/tcp open  ftp     FileZilla ftpd 0.9.31 beta
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.42 seconds

Nmap is your friend!

So hopefully now you have an awesome network setup allowing you to securely access any local resources you may need, as well as forward services you can afford to have ‘on the wire’.

Hope it helped, and keep reading my articles!

3 Responses to “Migrating from linksys -> linux (with VPN!)”

  1. Good tutorial! Very thorough and in-depth. Thanks for posting this! I’m sure it’s going to help a lot of people!

  2. Hi, great post.
    Let me know why you are NATting ETH00 and ETH01 and not only ETH01. Was ETH01 connected to the ADSL port?
    Renato

  3. Oops, I missed:
    > This was my planned out network configuration (and no i do not have a serial connection to the internet, yay for auto connect in packet tracer)
