Friday, 6 September 2013

VPNForDummies

Why join?

Why join FBBVPN?
The VPN is mostly used for:
  • Making your NATed machine reachable from zaphod, since you get your own IP address(es)
  • Connecting one LAN to another (you can have 192.168.X.0/24 and have it routable from zaphod if you want)
  • A non-ISP-run SMTP server which will let mail through
  • More secure IRC/POP/IMAP/etc. access
  • Proxy server access if you are browsing from unknown networks (internet cafes, etc.); it can all go via the VPN if you want
  • GPRS/3G users find that OpenVPN is useful with its LZO compression for minimising traffic
  • All VPN connections are NATed, meaning you can make outside-world connections via it to work around ISP firewalls
  • Encrypted access to voip.lagged that sidesteps your local firewall if it gives you trouble with SIP
  • A darknet with 1024-bit RSA PEM pre-shared keys, certificates signed by a private CA, and CRL support :P
  • If you don't have enough Zaphod diskspace you can mod_proxy your stuff to home.
  • You will be part of the leet club

New and recommended method

Changes using the new method:
  • Uses CA signed certificates, no pre-shared keys anymore; compromised machines can have their certificates revoked
  • Minimal config on the client side (no .up files, etc. for routing; the VPN will push this to you)
  • Slightly harder to set up (the various certificates and keys can be confusing, but it is pretty much a one-time job)
  • Better routing management: out of the box you can route to any other VPN user or the LAN behind him (if he allows this)
How to:
  • Install OpenVPN & OpenSSL (if you're already running it: 'mkdir /etc/openvpn/old ; mv /etc/openvpn/* /etc/openvpn/old/')
  • Decide on a name, <whatever>.wan.zaphod.lagged.za.net. This will be a 192.168.100.X IP assigned by Zaphod; <whatever> is of course a valid DNS name, no brackets :P
  • Run:
mkdir /etc/openvpn/keys
mkdir /var/log/openvpn
cd /etc/openvpn/keys
openssl req -newkey rsa:1024 -out <whatever>.wan.zaphod.lagged.za.net.pem -nodes -keyout <whatever>.wan.zaphod.lagged.za.net-key.pem -days 5475
  • Under "Common Name" enter: <whatever>.wan.zaphod.lagged.za.net DO NOT ENTER YOUR OWN NAME AND SURNAME DAMNIT
  • Do not enter a challenge password
  • Send <whatever>.wan.zaphod.lagged.za.net.pem to FBBCA (FB) to get it signed by his CA in a secure fashion (scp + perms!). This means you should do
chmod og-r <whatever>.wan.zaphod.lagged.za.net*
scp <whatever>.wan.zaphod.lagged.za.net.pem mylogin@zaphod.lagged.za.net:
and on zaphod check that the perms look like this:
mylogin@zaphod:~$ ls -l <whatever>.wan.zaphod.lagged.za.net.pem 
-rw------- 1 mylogin mylogin 729 2007-08-23 15:14 <whatever>.wan.zaphod.lagged.za.net.pem
  • While waiting for FBBCA, scp /etc/openvpn/certs/* to your machine (ignore the permission errors; those are the secret files), like:
cd /etc/openvpn/keys
scp mylogin@zaphod.lagged.za.net:/etc/openvpn/certs/* .
  • Receive <whatever>.wan.zaphod.lagged.za.net-crt.pem from FBBCA, and shove in /etc/openvpn/keys/
Make a /etc/openvpn/client.conf (client.conf is an example; you can have multiple configs, but please do not run two to zaphod at the same time!)
In this example we use UDP port 1194, which is now the standard OpenVPN UDP listener:
dev tun0
tls-client
# 1 below means "client"
tls-auth keys/ta.key 1
ca      keys/openvpn-ca.pem
cert    keys/<whatever>.wan.zaphod.lagged.za.net-crt.pem
key     keys/<whatever>.wan.zaphod.lagged.za.net-key.pem
# Our OpenVPN peer
remote vpn.lagged.za.net
# Name that the server certificate's subject must match.
# Note: tls-remote was removed in OpenVPN 2.4; on 2.4+ use
#   verify-x509-name vpn.lagged.za.net name
# instead.
tls-remote vpn.lagged.za.net
pull
nobind
port 1194
user nobody
group nogroup
comp-lzo
persist-tun
persist-key
verb 3
log-append      /var/log/openvpn/openvpn.log
status          /var/log/openvpn/status.log
Please _NOTE_: if you are not _really_ connecting to zaphod.lagged.za.net but via another hostname (or a proxy), you _MUST_ set "tls-remote" to "zaphod.lagged.za.net" and "remote" to the IP/name the VPN must actually connect to. The reason tls-remote must carry the true value is that OpenVPN checks the X.509 name in the server's certificate against it; if it DOES NOT MATCH, the TLS handshake will fail.
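The certificate steps above and the tls-remote name check, as an added dry-run script that is not part of the original page. It stands up a throwaway CA in a temp dir to play the role of FBBCA, creates the client key and CSR with the Common Name set non-interactively, signs it, and then runs the checks the page describes (private key perms, cert name versus the tls-remote value, chain to the CA, validity dates, as in the "OpenSSL Certs" section). NAME is an assumed placeholder; set it to your own <whatever>.

```shell
#!/bin/sh
# Added example, not code from the original wiki page. Everything happens in a
# temp dir and the CA below is constructed for the demo only.
set -eu
NAME=${NAME:-example}                     # assumed placeholder for <whatever>
FQDN="$NAME.wan.zaphod.lagged.za.net"
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
umask 077   # owner-only files from the start, same effect as the chmod og-r step

# 1. Throwaway CA standing in for FBBCA.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo darknet CA" \
  -keyout ca-key.pem -out openvpn-ca.pem -days 30 >/dev/null 2>&1

# 2. Client key + CSR. Only the CN is set, and it is the FQDN, not a person's
#    name. No -days here: the validity period is decided by the CA at signing.
openssl req -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
  -keyout "$FQDN-key.pem" -out "$FQDN.pem" >/dev/null 2>&1

# 3. "FBBCA" signs the CSR and hands back <name>-crt.pem.
openssl x509 -req -in "$FQDN.pem" -CA openvpn-ca.pem -CAkey ca-key.pem \
  -CAcreateserial -days 30 -out "$FQDN-crt.pem" >/dev/null 2>&1

# Checks, one function each; exit status 0 means OK.
key_is_private() { [ -n "$(find "$FQDN-key.pem" -perm 600)" ]; }
cert_cn() {
  openssl x509 -in "$FQDN-crt.pem" -noout -subject -nameopt RFC2253 |
    sed 's/.*CN=//; s/,.*//'
}
# The tls-remote rule: the name in the cert must equal the name we expect,
# otherwise OpenVPN fails the TLS handshake.
tls_name_ok() { [ "$(cert_cn)" = "$1" ]; }
chains_to_ca() { openssl verify -CAfile openvpn-ca.pem "$FQDN-crt.pem" >/dev/null 2>&1; }
not_expired() { openssl x509 -in "$FQDN-crt.pem" -noout -checkend 0 >/dev/null; }

# Same report as the "OpenSSL Certs" section, minus the PEM body (-noout).
openssl x509 -in "$FQDN-crt.pem" -noout -startdate -enddate
key_is_private && tls_name_ok "$FQDN" && chains_to_ca && not_expired &&
  echo "all checks passed for $FQDN"
```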


vpn.lagged Connections

vpn.lagged is a new dedicated VPN box
  • vpn.lagged.za.net tcp 23
This is a static-keys method for broodblik.wan.zaphod.lagged.za.net alone
  • vpn.lagged.za.net udp 1080
Standard OpenVPN UDP method; 'socat' forwards this port to port 1194
  • vpn.lagged.za.net udp 1194
Standard OpenVPN UDP method accepted directly. Current users: maanskyn.wan
  • vpn.lagged.za.net udp 1202
Standard OpenVPN UDP method; 'socat' forwards this port to port 1194

OpenSSL Certs

To check the validity of your certificate(s), do:
fbotha@zaphod:~$ openssl x509 -in <name>.wan.zaphod.lagged.za.net-crt.pem -startdate -enddate
notBefore=Jul  2 21:50:23 2007 GMT
notAfter=Aug  1 21:50:23 2007 GMT
-----BEGIN CERTIFICATE-----
MI<SNIP>
-----END CERTIFICATE-----
fbotha@zaphod:~$
Some of the first certificates only lived for a month :P

vpn.lagged Routing

VPN.lagged is the new dedicated VPN box. I will slowly be moving people over to it. The biggest change is that 192.168.100.x IPs will become 192.168.99.x; there is routing between these networks, so nothing should break while migrating from one to the other.
  • 192.168.3.0/24 = .london.wan.zaphod.lagged.za.net Use: FB London Home network
  • 192.168.3.1 = router.london.wan.zaphod.lagged.za.net Use: FB ADSL router
  • 192.168.3.2 = wrt54g.london.wan.zaphod.lagged.za.net Use: DD-WRT GW
  • 192.168.3.10 = aki.london.wan.zaphod.lagged.za.net Use: FB Laptop
  • 192.168.3.12 = xbox360.london.wan.zaphod.lagged.za.net Use: Xbox360
  • 192.168.3.16 = media.london.wan.zaphod.lagged.za.net Use: Media-PC box
  • 192.168.3.13 = sharon-dell-laptop.london.wan.zaphod.lagged.za.net Use: Sharon Laptop
  • 192.168.3.18 = server.london.wan.zaphod.lagged.za.net Use: Home server box
  • 192.168.3.19 = dualphoneBS.london.wan.zaphod.lagged.za.net Use: Skype H/W phone
  • 192.168.3.21 = wii.london.wan.zaphod.lagged.za.net Use: Wii
  • 192.168.3.14 = nokia-e70.london.wan.zaphod.lagged.za.net Use: FB's Nokia
  • 192.168.3.33 = blah.london.wan.zaphod.lagged.za.net Use: FB desktop
  • 192.168.3.240-254 = OpenWifi Users
  • 192.168.4.0/24 = .stellies.wan.zaphod.lagged.za.net Use: FB Parents Home in Stellenbosch
  • 192.168.4.5 = fb-laptop.stellies.wan.zaphod.lagged.za.net Use: FB DHCP Laptop space
  • 192.168.4.6 = moms-pc.stellies.wan.zaphod.lagged.za.net Use: FB Mom PC
  • 192.168.4.8 = nokia-e70.stellies.wan.zaphod.lagged.za.net Use: FB's Nokia
  • 192.168.4.9 = dads-laptop.stellies.wan.zaphod.lagged.za.net Use: FB Dad Laptop
  • 192.168.4.75 = dualphoneBS.stellies.wan.zaphod.lagged.za.net Use: Skype H/W phone
  • 192.168.5.0/24 = .gavin.wan.zaphod.lagged.za.net Use: Sharon Brother VPN JHB
  • 192.168.5.5 = fb-laptop.gavin.wan.zaphod.lagged.za.net Use: FB Laptop
  • 192.168.5.6 = gavin-pc.gavin.wan.zaphod.lagged.za.net Use: Gavin's PC
  • 192.168.5.9 = xbox-gavin.gavin.wan.zaphod.lagged.za.net Use: Gavin's XBOX
  • 192.168.5.11 = michael.gavin.wan.zaphod.lagged.za.net Use: Michael's PC
  • 192.168.5.13 = discbox.gavin.wan.zaphod.lagged.za.net Use: Local storage box
  • 192.168.5.14 = dualphoneBS.gavin.wan.zaphod.lagged.za.net Use: Skype H/W phone
  • 192.168.5.15 = brandon.gavin.wan.zaphod.lagged.za.net Use: Brandon's PC
  • 192.168.6.0/24 = .maanskyn.wan.zaphod.lagged.za.net Use: Maanskyn CapeTown flat
  • 192.168.7.0/24 = .mentat.wan.zaphod.lagged.za.net Use: Trax VPN Paarl
  • 192.168.99.1 = darknet-router.wan.zaphod.lagged.za.net Use: vpn.lagged router & gateway
  • 192.168.99.10 = ns1.wan.zaphod.lagged.za.net Use: London Nameserver, used for talking to VPN routers, etc.
  • 192.168.99.11 = stellies-router.wan.zaphod.lagged.za.net VPNPointIP, LAN behind this is 192.168.4.0/24
  • 192.168.99.12 = leroux-work.wan.zaphod.lagged.za.net Use: Leroux's Work, using udp1080 as 1194/1202 is firewalled by ISP
  • 192.168.99.13 = genugtig.wan.zaphod.lagged.za.net Use: Neilen's SUN box (DISCONTINUED, see 10.30.10.13 instead)
  • 192.168.99.14 = leroux-home.wan.zaphod.lagged.za.net Use: Leroux's Home
  • 192.168.99.15 = maanskyn.wan.zaphod.lagged.za.net Use: Maanskyn CapeTown flat, LAN behind this is 192.168.6.0/24
  • 192.168.99.16 = wanbalans.wan.zaphod.lagged.za.net Use: Brick House
  • 192.168.99.17 = chewy.wan.zaphod.lagged.za.net Use: Chewy Work Box
  • 192.168.100.1 = zaphod.wan.zaphod.lagged.za.net Use: Zaphod itself over VPN
  • 192.168.100.50 = vpn-gateway.wan.zaphod.lagged.za.net Use: Gateway to bridge to the legacy VPN clients
  • 192.168.103.1 = static-keys.wan.zaphod.lagged.za.net Use: All VPN's not able to do cert based auth in this subnet
  • 192.168.103.2 = Ex kbase - FREE NOW
  • 192.168.103.3 = broodblik.wan.zaphod.lagged.za.net Use: Maanskyn UCT box, toward us on tcp port 23
  • 10.30.0.0/16 = cournot VPN run by Sexybalrog
  • 10.30.10.1 = cournot.sun.ac.za, cournot.cournot.wan.zaphod.lagged.za.net
  • 10.30.10.6 = mvsoffice.cournot.wan.zaphod.lagged.za.net Use: mvs office @ sun.ac.za
  • 10.30.10.7 = vpn.lagged.za.net gateway from cournot network
  • 10.30.10.10 = mvslaptop.cournot.wan.zaphod.lagged.za.net Use: mvs laptop
  • 10.30.10.12 = k517.cournot.wan.zaphod.lagged.za.net Use: Restricted knowledge
  • 10.30.10.13 = genugtig.cournot.wan.zaphod.lagged.za.net Use: brick office @ sun.ac.za


Old not-recommended Method

NEWSFLASH This method is probably unsupported and may result in your computer becoming part of the next-gen evil Russian botnet that will help to start World War III.
  • Install openvpn
  • Put the following in /etc/openvpn/zaphod.conf
dev tun
# local tunnel IP (your assigned one) and the remote tunnel IP (zaphod)
ifconfig 192.168.100.<REPLACE_WITH_YOUR_ASSIGNED_IP> 192.168.100.1
remote zaphod.lagged.za.net

# script to run to establish routes
up ./zaphod.up

# Our pre-shared static key
secret ./zaphod.key
# proto udp
# OR proto tcp-client
port <1196 for UDP, 1195 for tcp-client>
user nobody
group nogroup

ping 15
verb 3
# lzo compression
comp-lzo
log-append  /var/log/openvpn/openvpn.log
status /var/log/openvpn/zaphod.log
persist-tun
persist-key
  • Change the config file to reflect your assigned IP address.
  • Setup your routes in /etc/openvpn/zaphod.up, e.g.
#!/bin/sh
# OpenVPN calls the up script with the tunnel details as arguments;
# $5 is the remote tunnel IP (192.168.100.1 from the ifconfig line)
route add -net 192.168.100.0 netmask 255.255.255.0 gw $5

# Optional: send a specific host over the tunnel
route add somehost.net dev tun0
and make sure it is executable (chmod +x /etc/openvpn/zaphod.up).
  • Ask Estaga to generate a key file, and place in /etc/openvpn/zaphod.key
  • If you run Debian/Ubuntu/some related system, there's a bug in the package -- the log file isn't created. Fix by doing
$ sudo mkdir /var/log/openvpn
$ sudo touch /var/log/openvpn/openvpn.log
$ sudo touch /var/log/openvpn/zaphod.log
$ sudo chgrp -R adm /var/log/openvpn
  • Run openvpn, e.g.
$ sudo /etc/init.d/openvpn start
Starting virtual private network daemon: zaphod(OK).
If everything went well, you should now be able to ping 192.168.100.1!


2 comments:

  1. Having a great experience to be on your blog. Buy the best dedicated and static IP VPN service which helps you to access IP-restricted networks. You can go for Australian VPN that is a great way to be anonymous.

  2. Great job for publishing such a nice article. Your article isn’t only useful but it is additionally really informative. Thank you because you have been willing to share information with us. Get the Best VPN for Torrenting
