Sunday, 23 April 2017

VPN with the Raspberry Pi - this is how it works


A VPN encrypts all traffic at the network level. You can use it to route your entire data traffic, encrypted, through a VPN server at home or in the office. The VPN server is also a secure gateway to the network behind it: with the correct routing, which the server communicates to the client, the client can reach the entire network as if it were on the local LAN. This solution is not only for travelers and field staff who need to access documents in the office while on the road. It is also ideal for private users who want a secure, encrypted connection out of public networks.



The VPN server must be reachable from outside. It authenticates the VPN client and connects it to the other computers in the VPN using routing. The Raspberry Pi is well suited for this role, since all the necessary tools are available for it. The performance of the CPU and the speed of the 100-Mbit Ethernet port are sufficient for a smaller network that is connected to the outside via DSL.

Open VPN: Open Source for servers and clients
A Linux distribution such as Raspbian provides the necessary software packages for building a virtual private network with Open VPN. Not only is the server component of this VPN protocol free, there are also free clients for Windows, Mac OS, iOS, Android and Linux. The hardware requirements are also modest: a mini Linux system such as the Raspberry Pi serves as the server and must be connected to the Internet provider via a router that supports port forwarding, a basic feature that most routers, even very simple models, offer.

Open VPN is designed for professional use, and the initial configuration of the server always presents a certain hurdle, because several software components of the Linux system must be configured correctly and matched to each other. On the Raspberry Pi this is done entirely in the Linux tradition: on the command line and with text-based configuration files. Some networking skills as well as Linux knowledge are required.

Preparation: Forward a port on the router
The router must also know which requests from the Internet should be passed through, and which host on the LAN is the Open VPN server. To do this, set up port forwarding on the router to open a single port to the outside and forward it to the appropriate address on the LAN. The port for Open VPN is port 1194 (UDP). For example, if the Open VPN server on the LAN has the IP 192.168.1.6, the router forwards UDP traffic on port 1194 to that internal IP address, port 1194. The IP address of the Raspberry Pi's network interface (WLAN or Ethernet) can be found on the command line with the command
/sbin/ifconfig
The server that is to accept the VPN connections from outside must also be reachable from the Internet, either via a fixed IP address or via a unique DNS name.


With a DSL connection, a fixed IP address is not available, because the provider assigns a new IP address each time the connection is established. For this case a dynamic DNS service such as Noip helps: it maps the changing IP address to a fixed host name in DNS. Most DSL routers support Noip and automatically report the new IP address from the provider once the service is set up.

Open VPN: Installation under Raspbian

On the command line of Raspbian/Raspbmc, Debian's package manager APT is used to install Open VPN; you do not have to compile anything yourself. With the two commands
sudo apt-get update
sudo apt-get install openvpn
the packages are installed over the existing Internet connection from the distribution's software repository. For the subsequent creation of your own certificates for the VPN encryption there are ready-made scripts, which still have to be copied to the right place:
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
Then change with
cd /etc/openvpn/easy-rsa
into the script directory and edit with
sudo nano vars

the configuration file "vars". Go to the line beginning with "export KEY_CONFIG=" and change it to:
export KEY_CONFIG=$EASY_RSA/openssl-1.0.0.cnf
You can also change the line "export EASY_RSA=":
export EASY_RSA="/etc/openvpn/easy-rsa"
The next adjustments are made near the end of the file and set the name and identity of the VPN. Many of these parameters are not strictly relevant to the correct function of the VPN, but they must be set:
export KEY_COUNTRY="US"
The two-letter country code, for example "US" for the United States (the openssl policy rejects longer codes).
export KEY_PROVINCE="BY"
Any name for the state or province.
export KEY_CITY="Muenchen"
A place name indicating the location.
export KEY_ORG="MeinVPN"
A company name of your choice. It can also simply be the domain name.
export KEY_EMAIL="example@gmail.com"
export KEY_EMAIL=example@gmail.com
The mail address of the VPN administrator, usually simply your own address; the file contains this line twice, so enter it in both places.
export KEY_CN="example.com"
The desired name for this VPN. Specify here the dynamic domain name that was set up earlier with Noip.
export KEY_NAME="MeinVPN"
Any name for the issuer of the certificates.
export KEY_OU="MeinVPN"
An indication of the department name, which can be chosen freely. The final two parameters
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1284
are not used and do not need to be changed.

Server: Generate the keys

Before the keys for the server and for the clients can be created, a separate CA certificate for signing the keys is needed. To do this, first use
cd /etc/openvpn/easy-rsa
to go to the script directory and then
sudo -s
to open a root shell. The following commands are then executed directly with root privileges, and a prepended sudo is no longer necessary. With
source ./vars
read in the variables set earlier in the file "vars". Then run the two commands
./clean-all
./build-dh
to create a clean key directory and generate the Diffie-Hellman parameters needed for the cryptographic functions of the VPN. Note that ./clean-all deletes everything in the keys directory, so run it only once at the very beginning and never after certificates have been issued. The calculation of these random values takes about one minute on the Raspberry Pi.

Before you can create the certificates for the Open VPN server and the clients, the CA certificate for signing the server and client certificates must be created. This is done with the following two commands:
./build-ca
./build-key-server MeinVPN
After each command, you are asked for the parameters already defined, and you can simply accept the values shown in square brackets by pressing the Enter key. The second command, which creates the server key, also asks for an optional password, which you leave blank. Finally, answer the questions "Sign the certificate?" and "Commit?" with "y".

Next comes the actual configuration of the Open VPN server. With the command
nano /etc/openvpn/server.conf
open a new, still empty configuration file in the text editor. Enter the lines printed in the box "Configuration file of the Open VPN server".

For clients: certificates and keys

The server now has all the required keys and certificates. However, in order to connect a VPN client later, each client needs its own key bundle. You create it in this step by calling
./build-key client1
Again, you can accept the default values and leave "Password" blank. The client files are also stored in the directory /etc/openvpn/easy-rsa/keys. From this directory you need the files "ca.crt", "client1.crt" and "client1.key". Of these, "client1.key" is the client's private key and should be copied to the client only over a secure channel (for example with scp); the CA's own "ca.key" never leaves the server.
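As an added check that is not part of the original post: a small POSIX sh script that sources a "vars" file in a subshell and validates the settings described above (paths without stray spaces, an existing openssl-1.0.0.cnf, a two-letter country code, no empty identity fields) before "source ./vars" and "./build-ca" are run. The sample vars file it writes is constructed here, and the variable names assume easy-rsa 2.0.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check an easy-rsa 2.0
# "vars" file before "source ./vars" and "./build-ca" are run. Assumes the
# KEY_* variable names of easy-rsa 2.0; the sample file below is constructed.
# check_vars FILE: return 0 if FILE passes every check, 1 otherwise (errors on stderr).
check_vars() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    # Source in a subshell so the file's exports do not leak into the caller.
    (
        . "$1" >/dev/null 2>&1 || { echo "$1 is not valid shell" >&2; exit 1; }
        rc=0
        # Stray spaces in paths (a common copy-paste error) break every script.
        case "$EASY_RSA$KEY_CONFIG" in *' '*) echo "path contains spaces" >&2; rc=1;; esac
        [ -d "$EASY_RSA" ] || { echo "EASY_RSA dir $EASY_RSA missing" >&2; rc=1; }
        # build-ca aborts if KEY_CONFIG does not name an existing openssl config.
        [ -f "$KEY_CONFIG" ] || { echo "KEY_CONFIG $KEY_CONFIG missing" >&2; rc=1; }
        # The openssl policy accepts only a two-letter country code ("US", not "USA").
        [ "${#KEY_COUNTRY}" -eq 2 ] || { echo "KEY_COUNTRY must be 2 letters" >&2; rc=1; }
        # The remaining identity fields must be non-empty, or the prompts stall.
        for v in KEY_PROVINCE KEY_CITY KEY_ORG KEY_EMAIL KEY_CN KEY_NAME KEY_OU; do
            eval "val=\$$v"
            [ -n "$val" ] || { echo "$v is empty" >&2; rc=1; }
        done
        exit "$rc"
    )
}
# write_sample_vars DIR: write a constructed vars file (values as in the post) and
# an empty openssl-1.0.0.cnf into DIR, which stands in for /etc/openvpn/easy-rsa.
write_sample_vars() {
    : > "$1/openssl-1.0.0.cnf"
    cat > "$1/vars" <<EOF
export EASY_RSA="$1"
export KEY_CONFIG=\$EASY_RSA/openssl-1.0.0.cnf
export KEY_COUNTRY="US"
export KEY_PROVINCE="BY"
export KEY_CITY="Muenchen"
export KEY_ORG="MeinVPN"
export KEY_EMAIL="example@gmail.com"
export KEY_CN="example.com"
export KEY_NAME="MeinVPN"
export KEY_OU="MeinVPN"
EOF
}
# Demo: the good file passes; a three-letter country code is rejected.
tmp=$(mktemp -d); write_sample_vars "$tmp"
check_vars "$tmp/vars" && echo "vars OK"
sed 's/KEY_COUNTRY="US"/KEY_COUNTRY="USA"/' "$tmp/vars" > "$tmp/vars.bad"
check_vars "$tmp/vars.bad" || echo "vars.bad rejected"
```

Run it against the real file with check_vars /etc/openvpn/easy-rsa/vars before starting the key generation.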
