OpenVPN & LZO for the PPC LinkStation

From NAS-Central Buffalo - The Linkstation Wiki
Latest revision as of 17:34, 19 May 2007

This article is based on work by frontalot and andre. Originally by andre at Linkstationwiki.org.



OpenVPN

OpenVPN[1][2] is a virtual private network (VPN) package for creating point-to-point encrypted tunnels between host computers. It was written by James Yonan.

It allows peers to authenticate to each other using a preshared private key, certificates, or username/password. It makes extensive use of the OpenSSL encryption library, and uses the SSLv3/TLSv1 protocol. It is available on Linux, xBSD, Mac OSX, and Windows 2000/XP. It offers a wealth of security and control features. It is not a "web-based" VPN, and is not compatible with IPsec or any other VPN package. The entire package consists of one binary for both client and server connections, an optional configuration file, and one or more key files depending on the authentication method used.

Another method for VPN is PPTP.

OpenVPN implementation

  • Encryption - OpenVPN uses the OpenSSL library to provide encryption of both the data and control channels. It lets OpenSSL do all the encryption and authentication work, allowing OpenVPN to use all the ciphers available in the OpenSSL package. It can also use the HMAC packet authentication feature to add an additional layer of security to the connection (referred to as an "HMAC Firewall" by the creator). It can also use hardware acceleration to get better encryption performance.
  • Authentication - OpenVPN has several ways to authenticate peers to one another. OpenVPN offers preshared secret key, certificate-based, and username/password-based authentication. Preshared secret key is the easiest, with certificate-based being the most robust and feature-rich. The username/password is a new feature (version 2.0) that can be used with or without a client certificate (the server still needs a certificate). The source tarball includes a sample Perl script to verify the username/password with PAM and a C auth-pam plugin.
  • Networking - OpenVPN multiplexes all communications over a single IP port. It can run over UDP (preferred, and default) or TCP. It has the ability to work through most proxy servers (including HTTP) and is good at working through NAT and getting out through firewalls. The server configuration has the ability to "push" certain network configuration options to the clients. These include IP addresses, routing commands, and a few connection options. OpenVPN offers two types of interfaces for networking via the Universal Tun/Tap driver. It can create either a layer-3 based IP tunnel, or a layer-2 based Ethernet "tap" that can carry any type of Ethernet traffic. OpenVPN can optionally use the LZO compression library to compress the data stream. IANA assigned port 1194 as the official port number for OpenVPN. Newer versions of the program now default to that port. A feature in the 2.0 version allows for one process to manage several simultaneous tunnels, as opposed to the original "one tunnel per process" restriction on the 1.x series. OpenVPN's use of common network protocols (TCP and UDP) makes it a desirable alternative to IPsec in situations where an ISP may block specific VPN protocols in order to force users to subscribe to a higher-priced, "business grade," service tier.
  • Security - OpenVPN offers several internal security features. It runs in userspace rather than inside the IP stack (and therefore the kernel). OpenVPN has the ability to drop root privileges, use mlockall[3] to prevent swapping sensitive data to disk, and enter a chroot jail after initialization.

Installation

Outdated Method

WARNING! This version is outdated and insecure. Please refer to the compilation instructions (in red) at the bottom of the page!


The current version ppc-openvpn-lzo-v2 features OpenVPN 2.0 and LZO 2.0.1.

ppc-openvpn-lzo-v2

  • CHANGES
  • COPYRIGHT
  • GPL
  • LGPL
  • README
  • openvpn2-with-lzo-201-v2.tar.gz

openvpn2-with-lzo-201-v2

  • etc/init.d/openvpn
  • etc/rc.d/rc2.d/S16openvpn
  • usr/local/include/lzo/
  • usr/local/include/lzo/lzoconf.h
  • usr/local/include/lzo/lzodefs.h
  • usr/local/include/lzo/lzoutil.h
  • usr/local/include/lzo/lzo_asm.h
  • usr/local/include/lzo/lzo1.h
  • usr/local/include/lzo/lzo1a.h
  • usr/local/include/lzo/lzo1b.h
  • usr/local/include/lzo/lzo1c.h
  • usr/local/include/lzo/lzo1f.h
  • usr/local/include/lzo/lzo1x.h
  • usr/local/include/lzo/lzo1y.h
  • usr/local/include/lzo/lzo1z.h
  • usr/local/include/lzo/lzo2a.h
  • usr/local/lib/liblzo.a
  • usr/local/lib/liblzo.la
  • usr/local/lib/liblzo2.a
  • usr/local/lib/liblzo2.la
  • usr/local/sbin/openvpn
  • usr/local/man/man8/openvpn.8
  • dev/net/tun
  • dev/tap0
  • dev/tap1
  • dev/tap10
  • dev/tap11
  • dev/tap12
  • dev/tap13
  • dev/tap14
  • dev/tap15
  • dev/tap2
  • dev/tap3
  • dev/tap4
  • dev/tap5
  • dev/tap6
  • dev/tap7
  • dev/tap8
  • dev/tap9
  • lib/modules/2.4.17_mvl21-sandpoint/kernel/drivers/net/tun.o

Uncompress the first tarball, which contains a README (etc.) and the tarball with the OpenVPN/LZO files to install onto your system.

tar -xvzf ppc-openvpn-lzo-v2.tar.gz
cd ppc-openvpn-lzo-v2
tar -C / -xvzf openvpn2-with-lzo-201-v2.tar.gz

Configuration files following the scheme /etc/openvpn/*.conf will be loaded automatically at system startup. Please refer to http://openvpn.net/howto.html and http://openvpn.net/examples.html for more information on how to use OpenVPN.

OpenLink

Compile From Source

Compilation instructions and required additional files:

  • http://hvkls.dyndns.org/downloads/documentation/README-openvpn.txt [4]
  • http://hvkls.dyndns.org/downloads/openvpn_configfiles-ppc.tar.gz

Configuration

Configuration files following the scheme /etc/openvpn/*.conf will be loaded automatically at system startup.[5]

Ipkg PowerPC

untested

  • Install Ipkg on the Linkstation (for end-users) and enable the NSLU2 Feed: Ipkg Package List: PowerPC
  • Install openvpn

ipkg install openvpn

Configuration

Create the TUN device node:[6]

# mkdir /dev/net
# mknod /dev/net/tun c 10 200

Load the TUN/TAP kernel module:

# insmod tun

Enable routing:

# echo 1 > /proc/sys/net/ipv4/ip_forward

Follow the directions in the OpenVPN 2.0 HOWTO for generating certificates and keys for the OpenVPN server and client(s) at http://openvpn.net/howto.html#pki

Create the directory /opt/etc/openvpn/easy-rsa/keys and copy the server key files there:

# mkdir -p /opt/etc/openvpn/easy-rsa/keys

Follow the directions in the OpenVPN 2.0 HOWTO to create configuration files for server and client(s) at http://openvpn.net/howto.html#config

Start the OpenVPN server process from the command line to test connectivity, as described in the OpenVPN 2.0 HOWTO at http://openvpn.net/howto.html#start

FreeLink

  • Upgrade to Kernel 2.6 PPC Only
  • Then use apt-get to install openvpn

apt-get install openvpn

Configuration

The configuration lives in /etc/openvpn. Create the secret key:[7][8]

openvpn --gen-key --secret openvpn.sec
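The two configuration steps this page describes (a *.conf under /etc/openvpn that is loaded at boot, and a static key produced with --gen-key) as an added POSIX sh example; this is not the wiki's or the OpenVPN project's code. It assumes the binary path the tarball installs, the 10.8.0.x tunnel addresses, the nogroup group and a /var/empty chroot directory, all constructed for illustration.

```shell
#!/bin/sh
# Added example for this page (not from the wiki or the OpenVPN project):
# wraps the static-key steps above into checked helpers. Assumed values:
# OPENVPN_BIN, the 10.8.0.x tunnel addresses and the chroot directory.

OPENVPN_BIN="${OPENVPN_BIN:-/usr/local/sbin/openvpn}"   # path the tarball installs

# Create the static key with --gen-key (the page's command) in a subshell
# under umask 077, so the file is never readable by other users.
gen_secret() {
    [ -x "$OPENVPN_BIN" ] || return 1
    ( umask 077 && "$OPENVPN_BIN" --gen-key --secret "$1" )
}

# Print "ok" if the key is readable by its owner only, "weak" if group or
# other bits are set, "missing" if absent. ls(1) keeps it portable to the
# LinkStation's busybox userland.
secret_perms() {
    [ -f "$1" ] || { echo "missing"; return 1; }
    rest=$(ls -ld "$1" | cut -c5-10)     # group and other permission columns
    if [ "$rest" = "------" ]; then echo "ok"; else echo "weak"; return 1; fi
}

# Emit a /etc/openvpn/*.conf for a static-key point-to-point tunnel.
# $1 = server|client, $2 = secret path, $3 = peer hostname (client only).
# The lines after "secret" are the hardening features listed under
# "Security": drop root after init, chroot, keep key/tun across restarts.
make_conf() {
    role="$1"; secret="$2"; peer="$3"
    case "$role" in
        server) local_ip=10.8.0.1; remote_ip=10.8.0.2 ;;
        client) local_ip=10.8.0.2; remote_ip=10.8.0.1
                [ -n "$peer" ] || return 1 ;;
        *) return 1 ;;
    esac
    echo "dev tun"
    echo "proto udp"
    echo "port 1194"                      # IANA-assigned OpenVPN port
    if [ "$role" = client ]; then echo "remote $peer 1194"; fi
    echo "ifconfig $local_ip $remote_ip"
    echo "secret $secret"
    echo "user nobody"                    # drop root privileges after init
    echo "group nogroup"                  # assumed group name; use nobody if nogroup is absent
    echo "persist-key"                    # keep the key in memory across restarts
    echo "persist-tun"                    # keep tun open so unprivileged restarts work
    echo "chroot /var/empty"              # assumed empty directory; it must exist
    echo "keepalive 10 60"
    echo "comp-lzo"                       # LZO compression shipped with the package
    echo "verb 3"
}
```

Run make_conf on the server and on each client, write the output to /etc/openvpn/<name>.conf, and check the key with secret_perms before the init script picks the file up at boot.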

References

  1. OpenVPN project homepage
  2. Wikipedia: OpenVPN
  3. OpenGroup - mlockall
  4. http://hvkls.dyndns.org/downloads/documentation/README-openvpn.txt
  5. http://openvpn.net/howto.html and http://openvpn.net/examples.html - More information on how to use OpenVPN
  6. NSLU2-Linux - HowTo / SetUpOpenVPNServer
  7. http://www.debian-administration.org/articles/35
  8. http://sarwiki.informatik.hu-berlin.de/OpenVPN_%28deutsch%29