Osman Yılmaz Mah. Kızılay Cd No:41/C Gebze Kocaeli 0 262 644 9027 - 0 546 768 9783
How to set up a satellite office firewall/router with vpn connectivity to a central office using Smoothwall and Zerina / OpenVPN

A while back I had to set up a firewall/router for a new branch office which also needed to be connected to our domain and servers. Our other branch offices had ADSL routers with IPSEC vpns to the server subnet but in this case the office was already equipped with an ethernet connection to the internet so our usual vpn setup was not going to be possible.

The solution that seemed most appealing for a small office firewall was Smoothwall Express. I had used it before and it is excellent. It also has a wealth of contributed add-ons, one of which could solve the second part of the problem – the VPN. The ZERINA mod for Smoothwall provides a nice GUI interface for OpenVPN, as well as the openvpn stack itself, and if paired with another Smoothie, would provide the net-to-net vpn I was looking for.



On the branch office side (which will be the client end of the VPN) I just needed a two-interface firewall on a compact, quiet machine with low power consumption.

The Asus EEE Box was perfect for this – tiny and with a very low power consumption (about 12W I think). The only drawback is the single ethernet connection – I needed two. USB ethernet adapters to the rescue!

SmoothWall comes with compiled USB modules for pegasus (ADMtek AN986) chipsets and also kaweth (Kawasaki LSI KL5KUSB101B) chipsets. With only a bit of fiddling, you can get any of the USB NICs that use these chipsets to be used as any of the interfaces on your SmoothWall. Click here for a list of USB NICs and chipsets.

I used the Belkin F5D5050 10/100 USB NIC and it works very well.

The first thing to do is download Smoothwall Express. At the time of writing this the latest version is 3.0 SP2:

Standard version: http://sourceforge.net/projects/smoothwall/files/SmoothWall/3.0%20SP2/smoothwall-express-3.0-sp2-i386.iso/download

Dev Version:

http://sourceforge.net/projects/smoothwall/files/SmoothWall/3.0%20SP2/smoothwall-express-3.0-sp2-devel-i386.iso/download


To install one of the NICs with built in support the standard version will do. If drivers need to be compiled then you would need the dev version ( which also functions as a normal Smoothie ).

Download the ISO , burn it to disc and install on the target machine according to the instructions on the Smoothwall site. For the EEE Box an external CD drive is required.

Initially select the internal NIC for the GREEN ( ie internal network ) interface and select ISDN/Modem for the RED interface.

NB My EEE Box was a slightly older model and has the Realtek 8168 NIC, which is natively supported by Smoothwall. The later versions have the JMicron 250 NIC which is not supported and a custom kernel would need building ( or the jme module could be compiled and loaded on an existing smoothie and the CustomISO mod could be used to make an installable image for the newer EEE Box ). An alternative device if that is too much trouble is the Giada Slim N10U - a fantastic little machine from China, even smaller than the EEE Box and which does have the Realtek 8168 NIC.



To get your USB NIC working, you will need to log into your SmoothWall box and determine which USB chipset driver is needed for your USB controller. Some usb-?hci type modules should already be running - type lsmod to see what it has actually loaded. Type modprobe pegasus or modprobe kaweth depending on the chipset of your USB NIC. You should see the lights on your USB NIC come to life when the correct module is loaded. Again, type lsmod and see that the module has indeed loaded. If you now see, for example, usb-?hci as well as pegasus then we are halfway there.



Next you will need to edit /var/smoothwall/ethernet/settings. For the interface using the USB NIC, you will need to change 3 lines to get the USB NIC working, as well as assign this interface an IP, netmask, netaddress and broadcast address as appropriate. In the table below I'll assume this is your RED NIC. If it is another interface in your SmoothWall machine, just change the appropriate interface details. I will also assume that the usb-uhci module was the module that you successfully loaded in the previous step, as it's the most common. Finally, I'll assume that you wish to use the pegasus USB NIC driver module. You will need to make the following changes:

 

settings file option        required setting
RED_DRIVER                  RED_DRIVER=pegasus
RED_DRIVER_OPTIONS          RED_DRIVER_OPTIONS=
RED_DISPLAYDRIVER           RED_DISPLAYDRIVER=pegasus

As for your IP address and related settings, these are dependent on your network layout, and if you are unsure what to set them to, you may need to seek professional advice. Or you could try these (ADDRESS=192.168.1.1, NETMASK=255.255.255.0, NETADDRESS=192.168.1.0, and BROADCAST=192.168.1.255) on for size.



After doing this, save this file and exit the editor. You should now reboot your SmoothWall box to ensure that the changes we made above will actually work with a normal boot. Once you have rebooted and seen the USB lights on the NIC, you should then have a look at the Web Interface on your regular workstation and see if the interface you configured shows on the "information" screen. The interface should have an "inet", "bcast" and "mask" address, and on the third line of the output you should see the word "UP" at the beginning of the line. If this all looks OK, then you should be able to ping that interface from your workstation.
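A small helper for the settings edit above, added here as an example (it is not code from this page or from Smoothwall): it applies the three driver lines from the table and derives NETADDRESS and BROADCAST from ADDRESS and NETMASK, so the four address lines cannot disagree with each other. The RED_ prefix on the address keys and the sample settings text are assumptions.

```python
import ipaddress
import re

# Constructed sample of the RED_* lines in /var/smoothwall/ethernet/settings.
# Only the keys discussed above are shown; the RED_ADDRESS..RED_BROADCAST names
# are assumed (the page lists them without the interface prefix).
SAMPLE_SETTINGS = """\
RED_DRIVER=
RED_DRIVER_OPTIONS=
RED_DISPLAYDRIVER=
RED_ADDRESS=
RED_NETMASK=
RED_NETADDRESS=
RED_BROADCAST=
"""

def set_key(text, key, value):
    """Replace 'KEY=...' in a key=value file, or append it if the key is absent."""
    pattern = re.compile(rf"^{re.escape(key)}=.*$", re.MULTILINE)
    if pattern.search(text):
        return pattern.sub(f"{key}={value}", text)
    return text.rstrip("\n") + f"\n{key}={value}\n"

def configure_usb_nic(text, iface, driver, address, netmask):
    """Set the three driver lines plus consistent addressing for one interface.
    NETADDRESS and BROADCAST are computed from ADDRESS/NETMASK rather than typed,
    which is where a hand edit most often goes wrong."""
    host = ipaddress.ip_interface(f"{address}/{netmask}")
    net = host.network
    if net.prefixlen < 31 and host.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{address} is not a usable host address in {net}")
    values = {
        f"{iface}_DRIVER": driver,
        f"{iface}_DRIVER_OPTIONS": "",
        f"{iface}_DISPLAYDRIVER": driver,
        f"{iface}_ADDRESS": str(host.ip),
        f"{iface}_NETMASK": str(net.netmask),
        f"{iface}_NETADDRESS": str(net.network_address),
        f"{iface}_BROADCAST": str(net.broadcast_address),
    }
    for key, value in values.items():
        text = set_key(text, key, value)
    return text

def read_settings(text):
    """Parse key=value lines back into a dict (empty values allowed)."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

if __name__ == "__main__":
    print(configure_usb_nic(SAMPLE_SETTINGS, "RED", "pegasus", "192.168.1.1", "255.255.255.0"))
```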



Now we have a two interface firewall running. Next we need to create the VPN.

Set up central office OpenVPN server


1 Install Zerina ( http://zerina.dyndns.org/ZERINA-experimental.run)


wget http://zerina.dyndns.org/ZERINA-experimental.run
sh ZERINA-experimental.run


Or you can download zerina ( version 0.9.8_sw_beta11_196.1194 , openvpn version2.1.4) plus necessary addons for NUT UPS monitoring, samba, backup, URL filter mods as a gzipped tar file from this site here.


2 Open the smoothwall gui and go to the VPN tab.

3 Select OpenVPN


4 Don't change anything at first, just click on “Save Global Settings”


5 Generate the root and host certificates:

Click on “Set up Root/Host Certificates”

Organisation name=<Your organisation eg mycompany>

Smoothwall's Hostname=<The FQDN of your smoothie eg smoothie1.mydomain.com>

Your email address=<Your email address eg myemail@mydomain.com>

Your Department=<Your department eg IT>

City=<City name eg Sydney>

State or Province=<Your state eg NSW>

Country=<Your Country eg Australia>


Then click “Set up Root/Host Certificates”


It might take a while for these to be generated.


6 Create the server side net-to-net connection:

Click on “Add” under the “Net-to-Net connection status and control:” section

Select the “Create a Net-to-Net Virtual Private Network” option


Name=<Name of connection eg VPNserver>

Role=OpenVPN Server

Local VPN hostname or IP=<IP address of RED interface eg 10.1.1.24>

Local LAN subnet=<Green interface subnet eg 10.10.10.25/255.255.255.0>

OpenVPN tunnel subnet=<subnet for the tunnel ( must not conflict with any network that may need to be reached and must be different to the client tunnel subnet) eg 10.36.241.0/255.255.255.0>

Remote hostname or IP=<the public IP address that the client's RED interface connects to the internet with eg 10.1.1.26 (in this example the client and server are VMs running on an internal network – this would normally be a routable address)>

Remote LAN subnet=<the client LAN subnet on which the client side computers reside eg 10.10.12.0/255.255.255.0>

Protocol=<desired protocol to use eg TCP (recommended)>

LZO Compression=<compression required or not (yes recommended)>

Encryption=<Encryption type (default is blowfish)>

MTU size=<MTU size required (1400 recommended)>

Destination port=<desired port to run on eg 1194>

Enabled=yes


Authentication section

We need to generate the client certificates here

Users Full Name or System Hostname=<client system name eg smoothie2>

Users email address=<Client side email address eg clientmail@mydomain.com>

Users Department=<Client Side department eg Sales>

Organisation Name=<Organisation Name eg mycompany>

City=<City name eg Sydney>

State or Province=<Your state eg NSW>

Country=<Your Country eg Australia>

Valid Until=<validity period of the certificate in days eg 1825>


7 Click “Save”

The screen should look like:

[screenshot: openvpn2.jpeg]

8 Next to the “Disconnected” Status there is an icon to download the Client package. Click on that and save it.
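The tunnel subnet caveat in step 6 above (it must not overlap any network that has to be reached, and must differ from the client tunnel subnet) is worth checking before the connection is saved. This is an added example, not ZERINA's or Smoothwall's own code; it takes the subnets in the same address/netmask form as the form fields, and the client tunnel subnet 10.36.242.0/24 is a constructed value because the page gives none.

```python
import ipaddress
from itertools import combinations

def parse_subnet(text):
    """Parse a Smoothwall/ZERINA 'address/netmask' value (CIDR also works).
    strict=False lets a host-style entry such as 10.10.10.25/255.255.255.0
    normalise to its network, 10.10.10.0/24."""
    return ipaddress.ip_network(text, strict=False)

def check_net_to_net_plan(local_lan, remote_lan, server_tunnel,
                          client_tunnel, other_reachable=()):
    """Return a list of conflicts in the planned subnets; [] means consistent.
    Every subnet must be disjoint from every other: a tunnel subnet overlapping
    a LAN conflicts with the route to that LAN, and the server and client tunnel
    subnets must be different."""
    nets = {
        "local LAN": parse_subnet(local_lan),
        "remote LAN": parse_subnet(remote_lan),
        "server tunnel": parse_subnet(server_tunnel),
        "client tunnel": parse_subnet(client_tunnel),
    }
    # Any further network routed over the VPN (e.g. another branch office).
    for i, text in enumerate(other_reachable, 1):
        nets[f"other reachable #{i}"] = parse_subnet(text)
    return [
        f"{n1} {a} overlaps {n2} {b}"
        for (n1, a), (n2, b) in combinations(nets.items(), 2)
        if a.overlaps(b)
    ]

if __name__ == "__main__":
    # LAN and server tunnel values are those used in the form above; the client
    # tunnel subnet is a constructed example.
    good = check_net_to_net_plan("10.10.10.25/255.255.255.0",
                                 "10.10.12.0/255.255.255.0",
                                 "10.36.241.0/255.255.255.0",
                                 "10.36.242.0/255.255.255.0")
    # Reusing the server tunnel subnet on the client side is rejected.
    bad = check_net_to_net_plan("10.10.10.25/255.255.255.0",
                                "10.10.12.0/255.255.255.0",
                                "10.36.241.0/255.255.255.0",
                                "10.36.241.0/255.255.255.0")
    print("good plan:", good or "no conflicts")
    print("bad plan:", bad)
```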


Set up satellite office OpenVPN client


1 Install Zerina as before


2 Generate the Root and Host certificates

[screenshot: OpenVpn4.jpeg]

3 Click “Set up Root/Host Certificates”


4 Add a new Net-to-Net Connection

Select the “Upload a ZERINA Net-to-Net client package” option and browse to the client package that was downloaded previously.

[screenshot: OpenVpn5.jpeg]

5 Click “Add”

[screenshot: OpenVpn6.jpeg]

6 Click “Approve”


7 The Client vpn setup screen looks like this now:

[screenshot: OpenVpn7.jpeg]

8 Click on the Pencil icon to edit the connection and enable it:

[screenshot: OpenVpn8.jpeg]

9 Click “Save”

10 Click “Start OpenVPN Services”


11 The screen should now look like this on the client:

[screenshot: OpenVpn9.jpeg]

… and like this on the server:

[screenshot: OpenVpn10.jpeg]

The net-to-net VPN is now set up.
