# New HOWTO: 802.11 + Firewall + VPN

## nhaggin

Greetings, all.

Having undertaken, with many annoying difficulties, to get a working VPN + firewall working on my own 802.11 network, I thought it might be worth documenting for others who might want to give it a try:

http://nhaggin.freeshell.org/wireless-vpn-howto/

It covers both IPSec (2.6 kernel native subsystem) and OpenVPN. If those of you who are interested would give it a read and offer feedback/criticism, I would be most grateful. (I'm sure it still contains quite a few errors.)

----------

## nhaggin

*bump*

Apparently everyone's questions are answered elsewhere, and my stuff is superfluous. Ah, well...on to the next project.

----------

## Flummi

Hey, what a cool Howto. This is exactly, what I have been looking for. Thank you very much. I will report you my success (or - hopefully not - my failure).

Flummi

----------

## fls

Thanks for this nice document nhaggin! I'm currently interested in good stuff about VPNs since I know I'll have to do one in the future for the company I work for. Your document gives a clear understanding of the whole matter and that's why I like it.

Thanks :)

----------

## Flummi

Hmmm, I can understand nearly everything you wrote in this howto, but I am totally confused about the file-names you use for the certs, keys, req and so on. I think it would be helpful (at least for me) if you could use some real-existing filenames and post your openssl.conf.

Thanks in advance

Flummi

----------

## nhaggin

Flummi: for some reason, the forums didn't send me an email telling me of your most recent post. Sorry for the delay in getting back. Are you having trouble with generating the CA, generating the host certificates, putting the right names in the VPN config files, or all of the above?

I originally decided not to use "real" filenames to keep the presentation sufficiently general; I've often found that when one specifies filenames people tend to use them unchanged, which can cause issues if my names conflict with something completely different that already exists on someone's machine. But then, *nix folk tend to be smarter about those kinds of things.

I've revised section 5 into something intermediate between my original version and your request; it now includes the relevant portion of the openssl.cnf file. I haven't decided yet whether to change to a set of "real" names; maybe the course of the discussion in this thread will sway me one way or the other.

----------

## No_Code

I'm attempting this and when I go to do the final openssl step, I run into a brick wall. Forgive my "creative" file-naming convention.

```
release ssl # openssl ca -out hostCertFile.pem -in certRequestFile.pem
Using configuration from /etc/ssl/openssl.cnf
wrong number of fields on line 1 (looking for field 6, got 1, '' left)
Segmentation fault
```

The opening of my openssl.cnf file looks like:

```

# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file               = $ENV::HOME/.oid
oid_section             = new_oids
```

I'm not sure where to go from here. Any input would be greatly appreciated.

----------

## nhaggin

Hmm...your config file's first few lines are identical to mine, except for the first. Mine starts with the comment marker (#) while yours appears to be blank. It's possible that OpenSSL is looking for either something specific, or a comment; try changing it to the latter.

Your file-naming convention is certainly forgiven. :D

----------
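An added check, not part of the HOWTO or of either post above: the `wrong number of fields on line 1 (looking for field 6, got 1, '' left)` message is printed by OpenSSL while `openssl ca` loads the CA's text database, the file named by `database =` in the `[ ca ]` section of openssl.cnf (conventionally `index.txt`; the path below is passed in by the caller and is an assumption). Every line of that file must hold exactly six tab-separated fields, and an empty file is the correct starting state. The script validates a database before signing and writes constructed samples to show what a good line, a lone newline (the `echo > index.txt` mistake) and a hand-edited line look like.

```shell
#!/bin/sh
# Added example, not from the HOWTO or from the posts above. Checks the CA
# database that "openssl ca" reads (named by "database =" in openssl.cnf;
# conventionally index.txt, path supplied by the caller). Each line must carry
# six tab-separated fields:
#   status  expiry-date  revocation-date  serial  cert-file  subject-DN
# A database created with "echo > index.txt" instead of "touch index.txt"
# holds one empty line, which OpenSSL counts as a single field.

# Report every line that does not have six tab-separated fields.
# Returns 0 when the file is clean, 1 otherwise. (awk reports NF=0 for an
# empty line where OpenSSL's own message says "got 1".)
check_ca_index() {
    awk -F'\t' '
        NF != 6 {
            printf "line %d: expected 6 tab-separated fields, got %d\n", NR, NF
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample databases, written into the directory given as $1.
write_samples() {
    # good.txt: one valid (V) certificate, serial 01, revocation field empty
    # as openssl ca leaves it; expiry date and DN are made-up values.
    printf 'V\t051007143502Z\t\t01\tunknown\t/C=US/CN=vpn-gateway.example\n' > "$1/good.txt"
    # bad.txt: the "echo > index.txt" mistake, a lone newline.
    printf '\n' > "$1/bad.txt"
    # bad2.txt: a hand-edited line where a space replaced the tab after the serial.
    printf 'V\t051007143502Z\t\t01 unknown\t/C=US/CN=client1.example\n' > "$1/bad2.txt"
}

# Usage: sh check_ca_index.sh /path/to/index.txt   (the path is an assumption)
if [ $# -eq 1 ]; then
    check_ca_index "$1" || exit 1
    echo "$1: all lines have 6 fields"
fi
```

Run it against the database before `openssl ca`; a clean run exits 0, otherwise each offending line is reported with the field count found. Starting a new CA with `touch index.txt` gives a zero-line file that passes.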

## nhaggin

Two additional things:

1. I have added a couple more items: a) a "Further References" section which currently contains only one book, and b) a link in section 10 to a tarball of premade scripts, including a Gentoo-style init script for setting everything up.

If the changes aren't there right when you read this, don't panic; they'll be there shortly.

2. If you post to this thread, please tell me whether you're using IPSec or OpenVPN for the VPN portion; I'm curious to know which generates more interest. And if this request baffles you because you were planning to use both, let me know also, since that would indicate my presentation doesn't make it clear that you are supposed to use one or the other, not both. Probably won't happen, but one never knows.

----------

## No_Code

Ok, so I got the keys made and I had a little initial trouble with getting the OpenVPN server started, but eventually I did because the server.up file was not chmod'ed properly. I then attempted to connect to the VPN through the Windows clients that I'm using. Initially, I was getting an error message on the Windows client:

```
read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
```

Then I tried to change the settings in the server.up file. Then the server simply would not start, giving me the message of:

```
Oct  7 18:35:12 [openvpn] TUN/TAP device tun0 opened
Oct  7 18:35:12 [openvpn] /sbin/ifconfig tun0 10.0.0.1 pointopoint 10.0.0.2 mtu 1259
Oct  7 18:35:12 [openvpn] /etc/openvpn/server.up tun0 1259 1300 10.0.0.1 10.0.0.2 init
Oct  7 18:35:12 [openvpn] script failed: could not execute shell command
Oct  7 18:35:12 [openvpn] Exiting
```

So then I checked the chmod again and moved the file around; same thing. Then, I tried executing the command contained in the file in the shell myself and it didn't like the syntax. What I don't understand is how route can work at one point, but not work the next, even though the route that I'm trying to add isn't already in the list.

The command that it is trying to execute is:

```
route add -net 10.0.0.0 netmask 255.255.255.0 gw $5
```

Is there something that I am missing here?

----------

## nhaggin

If you try executing that directly from the command line, it won't work. The "up" scripts that you can specify are given a series of command-line arguments, the fifth of which is the IP address of the other endpoint of the tunnel. So if you wanted to run it from the command line, you'd do something like

```
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.2
```

changing 10.0.0.2 to whatever IP address the other endpoint is going to use.

This is probably the right time to mention something else about OpenVPN. I quote from their HOWTO:

> Note that each OpenVPN tunnel needs to run on its own separate port number...At this point in OpenVPN's development, it is not capable of handling any sort of incoming connection template that would allow a single configuration file to describe a large class of potential connecting clients.

The "incoming connection template" feature is implemented in OpenVPN 2.0, which is currently in beta.

Because of this limitation in the current stable OpenVPN series, Gentoo has set up the init script to allow automatic startup of multiple server processes with different configurations in the following manner: under /etc/openvpn, you create a directory for each configuration, and place all configuration data in that directory. Read /etc/init.d/openvpn for more details.

I do not mention this in my HOWTO since it is specific to Gentoo; I am undecided as to whether I should add a section detailing the idiosyncrasies of various Linux distributions.

----------
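An added example, not the HOWTO's own script and not part of nhaggin's post above: an OpenVPN "up" script that uses the positional parameters OpenVPN passes when it runs the script, exactly as the earlier log line `/etc/openvpn/server.up tun0 1259 1300 10.0.0.1 10.0.0.2 init` shows them (device, tun MTU, link MTU, local endpoint, remote endpoint, `init`/`restart`). It composes the `route add` command from `$5`, refuses malformed or unexpanded arguments, and only executes when invoked with OpenVPN's argument list, so the same file can be sourced and tested. The 10.0.0.0/24 tunnel network is the thread's; treating it as the subnet routed via the peer is an assumption.

```shell
#!/bin/sh
# Added example, not the HOWTO's script. OpenVPN runs the "up" script as:
#   /etc/openvpn/server.up tun0 1259 1300 10.0.0.1 10.0.0.2 init
#   $1 device  $2 tun MTU  $3 link MTU  $4 local endpoint IP
#   $5 remote endpoint IP  $6 init|restart
# VPN_NET/VPN_MASK (assumed values) are the subnet routed through the peer.

VPN_NET="${VPN_NET:-10.0.0.0}"
VPN_MASK="${VPN_MASK:-255.255.255.0}"

# Dotted-quad sanity check so a bad or unexpanded argument (a literal "$5",
# for instance) fails loudly instead of being handed to route(8).
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')   # split on dots into $1..$4
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Compose the route command from OpenVPN's arguments without executing it, so
# it can be logged and tested; the caller decides whether to run it.
build_route_cmd() {
    if [ $# -lt 5 ]; then
        echo "usage: $0 dev tun_mtu link_mtu local_ip remote_ip [init|restart]" >&2
        return 1
    fi
    if ! is_ipv4 "$4" || ! is_ipv4 "$5"; then
        echo "bad tunnel endpoint address: local='$4' remote='$5'" >&2
        return 1
    fi
    echo "route add -net $VPN_NET netmask $VPN_MASK gw $5"
}

# Act only when OpenVPN invokes the script with its argument list; sourcing
# the file (or running it with no arguments) just defines the functions.
if [ $# -ge 5 ]; then
    cmd=$(build_route_cmd "$@") || exit 1
    echo "up script: $cmd"
    # Two requirements whose absence yields "script failed: could not execute
    # shell command": the #!/bin/sh line above and chmod 755 on this file.
    # OpenVPN has already run ifconfig on the device by now, so the gateway
    # is reachable here, unlike when the same command is typed by hand before
    # the tunnel exists.
    $cmd
fi
```

Install it as the file named by the `up` directive, make it executable, and OpenVPN will supply the arguments; `route` here is the net-tools command the thread uses.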

## No_Code

Thanks for the explanation. Alas, it didn't seem to do me any good, even if I changed server.up to what you had posted here. Basically, OpenVPN continues to not start up and the following occurs if I enter the route manually:

```
release root # route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.2
SIOCADDRT: Network is unreachable
```

I have TUN/TAP support compiled into my kernel (2.6.8). Do I have to bring up the interface somehow before this can take place? If so, is it brought up like any other standard network interface?

----------

## nhaggin

First: compile TUN/TAP support as a module; if you compile it into the kernel, you'll only ever be able to have one TUN/TAP device.

Second: I should have mentioned this earlier: if you're using a Windows client, you don't have IP-level tunneling (TUN); rather, you have Ethernet bridged tunneling (TAP). Windows has neither kind of functionality built-in, so OpenVPN includes code for a Windows TAP driver. This is probably why, on your initial attempt, the server came up just fine but the client's connection timed out.

Therefore, you have to configure the Linux end (wired endpoint) to use TAP instead of TUN. The following documents are available with regard to this problem on the OpenVPN site:

http://openvpn.sourceforge.net/INSTALL-win32.html

http://openvpn.sourceforge.net/bridge.html

I may rewrite the OpenVPN section of my HOWTO to use Ethernet bridging instead of IP-level tunneling. I originally chose IP-level tunneling because it's really quick to set up IF both sides are running Linux. (IOW, I was lazy. :D )

----------

## nhaggin

Hmm...I committed a small blooper: according to one of the pages I mention above, the driver for Windows included with OpenVPN does both TUN and TAP. So we're kind of back where we started.

I don't have a wireless machine with Windows running to help you troubleshoot here, so the best I can do is wish you happy hacking. If you do wind up getting something working, though, I'll certainly add it and you'll get a shiny contributor credit. :D

----------

## Flummi

Hello again,

Sorry for this very late reply. I wasn't informed about new postings either. Don't know why. But thanks, now I am able to create my certs without a problem. Thanks a lot nhaggin.

Greetings

Flummi

----------

