Openvpn Step-by-step Guide, Static key, ethernet bridge
Robert83
post Apr 2 2004, 12:13 PM
Post #1

Group: Support Specialist
Posts: 1,439
Joined: 3-January 04
From: Germany
Member No.: 2,069

Note: I've installed OpenVPN on WhiteBox Enterprise Linux 3.0 Final/Fixed, but this guide should work on other distributions as well.


Chapter I. Checking whether the kernel has BRIDGE and TUN enabled:


1.
CODE
uname -r
which will show your current kernel version

2. cd /boot

3. First
CODE
cat config-kernel_version_shown_by_uname-r | grep CONFIG_BRIDGE=

then
CODE
cat config-kernel_version_shown_by_uname-r | grep CONFIG_TUN=


4. If it shows this:
CODE
   [root@demon boot]# cat config-2.4.22-1.2174.nptl | grep CONFIG_BRIDGE=
   CONFIG_BRIDGE=m
   [root@demon boot]# cat config-2.4.22-1.2174.nptl | grep CONFIG_TUN=
   CONFIG_TUN=m
   

then bridging and TUN/TAP were built as loadable modules. This guide recompiles them into the kernel [see Chapter II.]; the modules also work without a rebuild if you load them (modprobe bridge; modprobe tun) before the commands in Chapter V, and the modules.conf alias added there takes care of loading tun on demand. If grep prints nothing at all (the config file then contains "# CONFIG_TUN is not set" or "# CONFIG_BRIDGE is not set"), the driver is absent and you must recompile.
If it shows this:
CODE
   [root@demon boot]# cat config-2.4.22-1.2174.nptl | grep CONFIG_BRIDGE=
   CONFIG_BRIDGE=y
   [root@demon boot]# cat config-2.4.22-1.2174.nptl | grep CONFIG_TUN=
   CONFIG_TUN=y
   

then both are built in and you can go directly to Chapter III.


Chapter II : Recompiling the kernel


1. You must know what kernel version you have :
CODE
uname -r


2. If you use Whitebox then type in a terminal window :
CODE
yum install kernel-source

and it will download the kernel source for you and put it in /usr/src/linux-your_kernel_version_number
If you use Red Hat or Fedora Core, then you can download apt-get from http://apt.freshrpms.net/
for Red Hat 9 http://ftp.freshrpms.net/pub/freshrpms/red...c6-fr1.i386.rpm
for Fedora Core 1 http://ftp.freshrpms.net/pub/freshrpms/fed...0.1.fr.i386.rpm
I recommend that you download it to /home/apt-get; once you have downloaded it:
a.) cd /home/apt-get
b.) rpm -Uvh apt-the_version_you_downloaded.rpm
c.) apt-get update
d.) apt-get dist-upgrade [just making sure that your packages are up to date]
e.) apt-get install kernel-source, which will show you a list of available kernels for your distribution
CODE
               [root@demon root]# apt-get install kernel-source
               Reading Package Lists... Done
               Building Dependency Tree... Done
               Package kernel-source is a virtual package provided by:
               kernel-source#2.4.22-1.2174.nptl_37.rhfc1.at 2.4.22-1.2174.nptl_37.rhfc1.at
               kernel-source#2.4.22-1.2174.nptl 2.4.22-1.2174.nptl [Installed]
               kernel-source#2.4.22-1.2115.nptl 2.4.22-1.2115.nptl
               You should explicitly select one to install.
               E: Package kernel-source is a virtual package with multiple good providers.
               

This list will probably look different for you, showing different kernels. Note: you must download
the kernel source which has the same version number as your current kernel; remember, you can
check your kernel version anytime by typing uname -r in a terminal window [or console].
When you know which kernel source you need to download you simply type [!!!EXAMPLE!!!]:
CODE
               apt-get install kernel-source#2.4.22-1.2174.nptl_37.rhfc1.at
               

and it will download the kernel source for you and put it in /usr/src/linux-your_kernel_version_number

3. cd /usr/src/linux-your_kernel_version_number

4. make mrproper

5. cp /boot/config-your_kernel_version_number /usr/src/linux-your_kernel_version_number/.config

6. Now use whatever editor you like the best [X based or VI, Emacs , Joe , Pico etc...] and modify
the following lines in the .config file :
CODE
            CONFIG_BRIDGE=m
            CONFIG_TUN=m
           

change them to
CODE
            CONFIG_BRIDGE=y
            CONFIG_TUN=y
           


7. modify the Makefile !!!EXAMPLE!!! your version number will be different
CODE
            VERSION = 2
            PATCHLEVEL = 4
            SUBLEVEL = 22
            EXTRAVERSION = -1.2174.nptlcustom
           

remove that "custom" suffix, so that the version string of the new kernel (and therefore the /lib/modules directory that make modules_install writes to) is identical to the one uname -r reported. Be aware that this makes the new build replace the running kernel's image and modules in place.

8.
CODE
make dep


9.
CODE
make bzImage
note: this takes a while, go outside for a bit, this is your chance :)

10.
CODE
make modules
note: this takes a while too, this is your LAST chance :D

11.
CODE
make modules_install

Because the version string now matches the running kernel, this overwrites the modules under /lib/modules/your_kernel_version_number, and step 12 overwrites the kernel image itself. Keep a copy of the old /boot/vmlinuz-your_kernel_version_number under another name (and a boot loader entry for it) before continuing, so you can still boot if the new kernel fails. If your boot loader entry uses an initrd for this kernel, rebuild it with mkinitrd after step 13.

12. (still inside /usr/src/linux-your_kernel_version_number)
CODE
cp arch/i386/boot/bzImage /boot/vmlinuz-your_kernel_version_number

13.
CODE
cp System.map /boot/System.map-your_kernel_version_number

14.
CODE
reboot



Chapter III : Installing Bridge-Utils

1. if you are using WhiteBox then type in a terminal window:
CODE
            yum install bridge-utils
           

if you are using Red Hat 9 download apt-get from here:
http://ftp.freshrpms.net/pub/freshrpms/red...c6-fr1.i386.rpm
if you are using Fedora Core 1 download apt-get from here:
http://ftp.freshrpms.net/pub/freshrpms/fed...0.1.fr.i386.rpm
Download it to /home/apt-get; once downloaded do the following:
CODE
            cd /home/apt-get
            rpm -Uvh apt-[blablablabla].rpm
            apt-get update
            apt-get dist-upgrade      # optional: I would update all my packages first
            apt-get install bridge-utils
           



Chapter IV : Installing OpenVPN


1. You can download OpenVPN from: http://dag.wieers.com/home-made/apt/ ; go to the bottom of the site, select your Linux distro, find the packages LZO and OpenVPN, and download both
to /home/OpenVPN. Before installing, verify the package signatures with rpm --checksig (after importing the repository's GPG key); do not build a VPN on packages you have not checked.

2.
CODE
            cd /home/OpenVPN
            rpm -Uvh lzo-[blablablabla].rpm
            rpm -Uvh openvpn-[blablablabla].rpm
           


Chapter V : Configuring Bridge and OpenVPN

INFO: I'll use 2 computers for this example, computer 1 IP=192.168.0.10 and computer 2 IP=192.168.0.20

WARNING: THE SECURITY YOU GET HERE SHOULD BE USED IN LANs. DON'T TRY TO CONNECT TWO COMPUTERS THAT ARE 1000 MILES AWAY FROM EACH OTHER, STATIC KEYS ARE NOT !!!THAT!!! SAFE.
(With a static key there is a single shared secret that never changes, so there is no forward secrecy: whoever obtains the key file can decrypt every packet, past and future, and can impersonate either end. Protect the file accordingly.)


BEFORE YOU START CONFIGURING

GENERATE A RANDOM STATIC KEY ON COMPUTER 1

CODE
cd /home
openvpn --genkey --secret key


Now there will be a file called key in your /home directory. Make sure only root can read it (chmod 600 /home/key), since /home is normally readable by every user on the machine.

COPY !!!!THIS FILE!!!! TO THE REMOTE COMPUTER 2's /home USING MIDNIGHT COMMANDER'S SHELL LINK (which normally runs over ssh),
OR USE A FLOPPY. JUST MAKE SURE YOU TRANSFER THE KEY USING A SECURE METHOD; A FLOPPY WOULD BE THE SAFEST. Never send it over the network unencrypted (no ftp, no plain mail), and set the same 600 permissions on computer 2.


! >>> the key must be in /home on both computers. You can put it somewhere else, but if you do
you must also change --secret /home/key to --secret /yourdir/yourfilename in your
/etc/rc.d/rc.local file <<< !


1.
> > > C O M P U T E R - 1 < < <

Use whatever editor you like to use

a.) cd /etc/
and add the following line to your modules.conf
CODE
    alias char-major-10-200 tun
   


b.) cd /etc/rc.d
and add the following lines to your rc.local
CODE
    openvpn --mktun --dev tap0
    brctl addbr br0
    brctl addif br0 tap0
    brctl addif br0 eth0
    brctl addif br0 eth1
    ifconfig tap0 0.0.0.0 promisc up
    ifconfig eth0 0.0.0.0 promisc up
    ifconfig eth1 0.0.0.0 promisc up
    ifconfig br0 192.168.0.10 netmask 255.255.255.0 broadcast 192.168.0.255
    openvpn --tun-mtu 1500 --tun-mtu-extra 64 --dev tap0 \
                 --secret /home/key \
                 --ping 40 --float --comp-lzo --daemon
     

(The backslash at the end of a line continues the openvpn command on the next line; nothing may follow it, not even a space. If the machine has only one network card, leave out the two eth1 lines.)

Because tap0 is created beforehand as a persistent device (--mktun), the openvpn process does not need to stay root once it is running: adding --user nobody --group nobody to the openvpn line makes it drop privileges after start-up. Do the same on computer 2.



2.
> > > C O M P U T E R - 2 < < <

a.) cd /etc/
and add the following line to your modules.conf
CODE
    alias char-major-10-200 tun
   


b.) cd /etc/rc.d
and add the following lines to your rc.local
CODE
    openvpn --mktun --dev tap0
    brctl addbr br0
    brctl addif br0 tap0
    brctl addif br0 eth0
    brctl addif br0 eth1
    ifconfig tap0 0.0.0.0 promisc up
    ifconfig eth0 0.0.0.0 promisc up
    ifconfig eth1 0.0.0.0 promisc up
    ifconfig br0 192.168.0.20 netmask 255.255.255.0 broadcast 192.168.0.255
    openvpn --tun-mtu 1500 --tun-mtu-extra 64 --dev tap0 \
                 --secret /home/key \
                 --ping 30 --remote 192.168.0.10 --float --comp-lzo --daemon
   

(Again, the line-ending backslash continues the command. --comp-lzo is given here as well because compression must be enabled on both ends or on neither: a peer that sends LZO-framed packets to one that does not expect them gets nothing through. Computer 2 is the one that dials out, hence --remote 192.168.0.10; computer 1 simply listens.)


3. Now reboot both Computer 1 and Computer 2. MAKE SURE THAT THEY ARE CONNECTED TOGETHER SOMEHOW, THROUGH A SWITCH OR DIRECTLY! WAIT TILL BOTH COMPUTERS ARE UP AND RUNNING; WHEN THEY REACH THE LOGIN SCREEN, WAIT APPROX. 2-5 SEC.

4. > > > C O M P U T E R - 1 < < <

CODE
      ping 192.168.0.20
     

if it works be happy, if not, read this GUIDE again, maybe you missed something

5. > > > C O M P U T E R - 2 < < <

CODE
       ping 192.168.0.10
       

if it works be happy again :), if not, well... read this GUIDE again, maybe you missed something

Note that a successful ping only proves that the two bridges see each other; since eth0 is part of br0 as well, the reply may have travelled over the plain Ethernet cable rather than through tap0. To see whether the tunnel is actually carrying traffic, compare the RX/TX packet counters of ifconfig tap0 before and after the ping, and check /var/log/messages: with --daemon, openvpn logs there what it is doing, including whether it reached its peer.

Chapter VI. : Using iptables to allow traffic only through the VPN, and drop everything else

INFO : this is the same for both computers so I will write it down only once

1.
CODE
             cd /home
             touch iptables1
             

Use whatever editor you like the best to add these lines to the iptables1 file
CODE
             iptables -A INPUT -p udp --dport 5000 -j ACCEPT
             iptables -N drop-and-log-it
             iptables -A drop-and-log-it -j LOG --log-prefix "iptables: " --log-level info
             iptables -A drop-and-log-it -j DROP
             iptables -A INPUT -i tun+ -j ACCEPT
             iptables -A FORWARD -i tun+ -j ACCEPT
             iptables -A INPUT -i tap+ -j ACCEPT
             iptables -A FORWARD -i tap+ -j ACCEPT
             iptables -A INPUT -i br0 -j ACCEPT
             iptables -A FORWARD -i br0 -j ACCEPT
             iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
             iptables -A INPUT -s 0/0 -d 0/0 -j drop-and-log-it
             iptables -A FORWARD -s 0/0 -d 0/0 -j drop-and-log-it
             

Three things to know about this rule set. The LOG prefix is copied into the kernel message exactly as given and is immediately followed by "IN=", so it needs the trailing space (and the colon) to stay readable; with a bare prefix of iptables you get log lines that start with "iptablesIN=eth0". UDP port 5000 is the default OpenVPN port in the 1.x releases used here; the openvpn commands in Chapter V do not set --port, so if your version defaults to another port (2.0 and later use 1194) change this rule or add --port 5000 on both ends. Finally, every packet that reaches the host over the bridge, including plain LAN frames from eth0 or eth1 that never went through the tunnel, arrives with -i br0, so the two br0 ACCEPT rules admit far more than VPN traffic; on a bridged host, restricting to the tunnel means matching the bridge port (-m physdev --physdev-in tap0, available on kernels with bridge-netfilter support) rather than -i tap+. As written, the rules mainly give you the logging of whatever arrives outside the bridge.

2.
CODE
             /etc/init.d/iptables stop
             source /home/iptables1
             iptables-save > /etc/sysconfig/iptables
             /etc/init.d/iptables start
             

Make sure that iptables starts up at every reboot; do it with setup from a terminal window, or through GUI services, or just add another line to your /etc/rc.d/rc.local
CODE
             /etc/init.d/iptables start
             


--------------------
Robert Becskei
robert83@linuxhelp.net
--------------------
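Added example (editor's code, not from Robert83's post): a pre-flight script that performs the checks from Chapter I and from the key step of Chapter V in one go. kernel_feature reads a /boot/config-* file and tells built-in, module and missing apart, and check_static_key verifies that a file really is a --genkey static key and that no other user can read it. The function names are the editor's; the key layout assumed is the "OpenVPN Static key V1" text format that current OpenVPN releases write (optional "#" comment lines, BEGIN/END markers, 16 lines of 32 hex digits = 2048 bits); very old releases may write a different layout. Paths default to the guide's but can be passed as arguments.

```shell
#!/bin/sh
# Added example, not part of the original guide. Pre-flight checks for the
# static-key bridge setup: kernel support (Chapter I) and key file (Chapter V).
# Assumes a POSIX sh plus grep, ls and cut; root is not needed for the checks.

# kernel_feature CONFIGFILE SYMBOL
# Prints "builtin" for SYMBOL=y, "module" for SYMBOL=m, "missing" otherwise
# (an absent driver shows up as "# SYMBOL is not set" or not at all).
# "module" only means the driver needs loading (modprobe), not a rebuild.
kernel_feature() {
    cfg=$1
    sym=$2
    if grep -q "^${sym}=y\$" "$cfg"; then
        echo builtin
    elif grep -q "^${sym}=m\$" "$cfg"; then
        echo module
    else
        echo missing
    fi
}

# check_static_key FILE
# A key from `openvpn --genkey --secret FILE` is a text file: optional
# "#" comment lines, a BEGIN/END marker pair and 16 lines of 32 hex digits
# (16 x 16 bytes = 256 bytes = 2048 bits). Anything else is not a usable
# key, and a key readable by group or others is not an acceptable one:
# whoever can read it can decrypt and forge all tunnel traffic.
# Prints "ok" and returns 0 when every check passes, else a reason and 1.
check_static_key() {
    key=$1
    [ -f "$key" ] || { echo "no such file: $key"; return 1; }
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$key" \
        || { echo "missing BEGIN marker"; return 1; }
    grep -q '^-----END OpenVPN Static key V1-----$' "$key" \
        || { echo "missing END marker"; return 1; }
    hexlines=$(grep -c '^[0-9a-fA-F]\{32\}$' "$key" || true)
    [ "$hexlines" -eq 16 ] \
        || { echo "expected 16 hex lines, found $hexlines"; return 1; }
    # ls -l prints e.g. "-rw-------"; characters 5-10 are the group and
    # other permission bits, which must all be off (chmod 600).
    perms=$(ls -l "$key" | cut -c5-10)
    [ "$perms" = "------" ] \
        || { echo "key is readable by others: run chmod 600 $key"; return 1; }
    echo ok
    return 0
}

# Usage: sh preflight.sh /home/key
# With no argument the script only defines the two functions.
if [ $# -gt 0 ]; then
    cfg="/boot/config-$(uname -r)"
    for sym in CONFIG_BRIDGE CONFIG_TUN; do
        echo "$sym: $(kernel_feature "$cfg" "$sym")"
    done
    check_static_key "$1"
fi
```

Run it on both computers after copying the key; a "module" result for either symbol means modprobe before the rc.local commands, not a rebuild, and the permission check is the one people forget when the key lives in /home.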
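Added example (editor's code, not from the original post): once Chapter VI is in place, the drop-and-log-it chain writes one kernel line per dropped packet to /var/log/messages. The awk-based function below summarises those lines by source address, protocol and destination port, which is the quickest way to see who is knocking on the box. It accepts both the readable "iptables: IN=" form and the run-together "iptablesIN=" form that a prefix without a trailing space produces. The function names are the editor's, the sample log lines in the test are constructed, and the field layout (SRC=, DST=, PROTO=, DPT=) is the standard output of the iptables LOG target.

```shell
#!/bin/sh
# Added example, not part of the original guide: summarise what the
# drop-and-log-it chain from Chapter VI logged. Assumes a POSIX sh, awk
# and sort; the input is the kernel's iptables LOG target output as it
# appears in /var/log/messages.

# summarize_drops LOGFILE
# Prints one line per (source, protocol, destination port) seen in LOG
# records: "COUNT SRC PROTO DPT", most frequent first. Protocols without
# ports (ICMP) get "-" as DPT. Lines that are not iptables LOG records
# (other kernel messages, daemon output) are ignored.
summarize_drops() {
    awk '
        # Match both "iptables: IN=" (prefix with the trailing space) and
        # "iptablesIN=" (prefix without it, as in the original rule file).
        /iptables:? ?IN=/ {
            src = ""; proto = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue          # flags like SYN or DF have no "="
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# top_talker LOGFILE
# Just the source address with the most dropped packets.
top_talker() {
    summarize_drops "$1" | awk 'NR == 1 { print $2 }'
}

# Usage: summarize_drops /var/log/messages
```

Run summarize_drops against /var/log/messages after a day of uptime; a single source hammering port 22 or 5000 stands out immediately, and a line with your own LAN addresses tells you the rule set is dropping something you expected to pass.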