A while back I had to set up a firewall/router for a new branch office which also needed to be connected to our domain and servers. Our other branch offices had ADSL routers with IPSEC VPNs to the server subnet, but in this case the office was already equipped with an ethernet connection to the internet, so our usual VPN setup was not going to be possible.
The solution that seemed most appealing for a small office firewall was Smoothwall Express. I had used it before and it is excellent. It also has a wealth of contributed add-ons, one of which could solve the second part of the problem – the VPN. The ZERINA mod for Smoothwall provides a nice GUI interface for OpenVPN, as well as the openvpn stack itself, and if paired with another Smoothie, would provide the net-to-net VPN I was looking for.
On the branch office side (which will be the client end of the VPN) I just needed a two-interface firewall and a low power consumption, compact and quiet machine.
The Asus EEE Box was perfect for this – tiny and with a very low power consumption (about 12W I think). The only drawback is the single ethernet connection – I needed two. USB ethernet adapters to the rescue!
SmoothWall comes with compiled USB modules for pegasus (ADMtek AN986) chipsets and also kaweth (Kawasaki LSI KL5KUSB101B) chipsets. With only a bit of fiddling, you can get any of the USB NICs that use these chipsets to be used as any of the interfaces on your SmoothWall. Click here for a list of USB NICs and chipsets. I used the Belkin F5D5050 10/100 USB NIC and it works very well.
The first thing to do is download Smoothwall Express. At the time of writing this the latest version is 3.0 SP2:
Standard version: http://sourceforge.net/projects/smoothwall/files/SmoothWall/3.0%20SP2/smoothwall-express-3.0-sp2-i386.iso/download
Dev version: http://sourceforge.net/projects/smoothwall/files/SmoothWall/3.0%20SP2/smoothwall-express-3.0-sp2-devel-i386.iso/download
To install one of the NICs with built-in support, the standard version will do. If drivers need to be compiled then you would need the dev version (which also functions as a normal Smoothie).
Download the ISO, burn it to disc and install on the target machine according to the instructions on the Smoothwall site. For the EEE Box an external CD drive is required.
Initially select the internal NIC for the GREEN (i.e. internal network) interface and select ISDN/Modem for the RED interface.
NB: My EEE Box was a slightly older model and has the Realtek 8168 NIC, which is natively supported by Smoothwall. The later versions have the JMicron 250 NIC which is not supported and a custom kernel would need building (or the jme module could be compiled and loaded on an existing Smoothie and the CustomISO mod could be used to make an installable image for the newer EEE Box). An alternative device if that is too much trouble is the Giada Slim N10U – a fantastic little machine from China, even smaller than the EEE Box and which does have the Realtek 8168 NIC.
To get your USB NIC working, you will need to log into your SmoothWall box and determine which USB chipset driver is needed for your USB controller. Some usb-?hci type modules should already be running – type lsmod to see what it has actually loaded. Type modprobe pegasus or modprobe kaweth depending on the chipset of your USB NIC. You should see the lights on your USB NIC come to life when the correct module is loaded. Again, type lsmod and see that the module has indeed loaded. If you now see, for example, usb-?hci as well as pegasus then we are halfway there.
Next you will need to edit /var/smoothwall/ethernet/settings. For the interface using the USB NIC, you will need to change 3 lines to get the USB NIC working, as well as assign this interface an IP, netmask, netaddress and broadcast address as appropriate. In the table below I'll assume this is your RED NIC. If it is another interface in your SmoothWall machine, just change the appropriate interface details. I will also assume that the usb-uhci module was the module that you successfully loaded in the previous step, as it's the most common. Finally, I'll assume that you wish to use the pegasus USB NIC driver module. You will need to make the following changes:
settings file option | required setting
RED_DRIVER | RED_DRIVER=pegasus
RED_DRIVER_OPTIONS | RED_DRIVER_OPTIONS=
RED_DISPLAYDRIVER | RED_DISPLAYDRIVER=pegasus
As for your IP address and related settings, these are dependent on your network layout, and if you are unsure what to set them to, you may need to seek professional advice. Or you could try these (ADDRESS=192.168.1.1, NETMASK=255.255.255.0, NETADDRESS=192.168.1.0, and BROADCAST=192.168.1.255) on for size.
After doing this, save this file and exit the editor. You should now reboot your SmoothWall box to ensure that the changes we made above will actually work with a normal boot. Once you have rebooted and seen the USB lights on the NIC, you should then have a look at the web interface on your regular workstation and see if the interface you configured shows on the "information" screen. The interface should have an "inet", "bcast" and "mask" address, and on the third line of the output you should see the word "UP" at the beginning of the line. If this all looks OK, then you should be able to ping that interface from your workstation.
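Helpers for the three steps just described (confirming the driver module from lsmod, rewriting the RED_* lines in the settings file, and checking the interface dump for the inet/bcast/mask lines and the leading "UP"), as an added shell example that is not part of the original post or of Smoothwall itself. It assumes the settings file is plain KEY=VALUE lines and that the address keys are named RED_ADDRESS, RED_NETMASK, RED_NETADDRESS and RED_BROADCAST (the same RED_ prefix as the driver keys; treat that as an assumption and check your own file first). The lsmod and ifconfig dumps in the demo are constructed, and the demo only ever touches a temporary copy, never the live settings file.

```shell
#!/bin/sh
# Added example, not from the original post or the Smoothwall project.
# Assumptions: settings file is KEY=VALUE lines; address keys use the RED_ prefix
# (RED_ADDRESS etc.); lsmod/ifconfig dumps fed to the checks are constructed.

# module_loaded NAME: read lsmod output on stdin, succeed if NAME is in column 1
module_loaded() {
    awk -v mod="$1" '$1 == mod { found = 1 } END { exit (found ? 0 : 1) }'
}

# set_setting FILE KEY VALUE: replace the KEY= line in FILE, or append it if absent
set_setting() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        # edit through a temp file so a failed sed leaves the original intact
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_setting FILE KEY: print the value stored for KEY (empty if unset)
get_setting() {
    sed -n "s|^$2=||p" "$1"
}

# configure_red FILE: the three driver lines plus the trial addresses from the post
configure_red() {
    f=$1
    set_setting "$f" RED_DRIVER pegasus
    set_setting "$f" RED_DRIVER_OPTIONS ""
    set_setting "$f" RED_DISPLAYDRIVER pegasus
    set_setting "$f" RED_ADDRESS 192.168.1.1        # assumed key name
    set_setting "$f" RED_NETMASK 255.255.255.0      # assumed key name
    set_setting "$f" RED_NETADDRESS 192.168.1.0     # assumed key name
    set_setting "$f" RED_BROADCAST 192.168.1.255    # assumed key name
}

# iface_is_up: read one interface's ifconfig block on stdin; succeed only if a
# line carries inet addr, Bcast and Mask, and the third line starts with UP
iface_is_up() {
    awk '
        /inet addr:/ && /Bcast:/ && /Mask:/ { addr = 1 }
        NR == 3 && $1 == "UP"               { up = 1 }
        END { exit ((addr && up) ? 0 : 1) }
    '
}

# Stand-alone demo on a constructed temporary copy of the settings file
if [ "${1:-}" = "demo" ]; then
    demo=$(mktemp)
    printf 'RED_DRIVER=\nRED_DRIVER_OPTIONS=\nRED_DISPLAYDRIVER=\n' > "$demo"
    configure_red "$demo"
    cat "$demo"
    rm -f "$demo"
fi
```

Run it as `sh usbnic.sh demo` to see the rewritten keys on a scratch file; point configure_red at the real /var/smoothwall/ethernet/settings only after confirming the key names there, and keep a copy of the original so the change can be reverted if the box does not come back up cleanly.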
Now we have a two interface firewall running. Next we need to create the VPN.
Set up central office OpenVPN server
1 Install Zerina (http://zerina.dyndns.org/ZERINA-experimental.run):
wget http://zerina.dyndns.org/ZERINA-experimental.run
sh ZERINA-experimental.run
Or you can download Zerina (version 0.9.8_sw_beta11_196.1194, OpenVPN version 2.1.4) plus necessary add-ons for NUT UPS monitoring, samba, backup and URL filter mods as a gzipped tar file from this site here.
2 Open the smoothwall gui and go to the VPN tab.
3 Select OpenVPN
4 Don't change anything at first, just click on “Save Global Settings”
5 Generate the root and host certificates:
Click on “Set up Root/Host Certificates”
Organisation name=<Your organisation eg mycompany>
Smoothwall's Hostname=<The FQDN of your smoothie eg smoothie1.mydomain.com>
Your email address=<Your email address eg myemail@mydomain.com>
Your Department=<Your department eg IT>
City=<City name eg Sydney>
State or Province=<Your state eg NSW>
Country=<Your Country eg Australia>
Then click “Set up Root/Host Certificates”
It might take a while for these to be generated.
6 Create the server side net-to-net connection:
Click on “Add” under the “Net-to-Net connection status and control:” section
Select the “Create a Net-to-Net Virtual Private Network” option
Name=<Name of connection eg VPNserver>
Role=OpenVPN Server
Local VPN hostname or IP=<IP address of RED interface eg 10.1.1.24>
Local LAN subnet=<Green interface subnet eg 10.10.10.25/255.255.255.0>
OpenVPN tunnel subnet=<subnet for the tunnel (must not conflict with any network that may need to be reached and must be different to the client tunnel subnet) eg 10.36.241.0/255.255.255.0>
Remote hostname or IP=<the public IP address that the client's RED interface connects to the internet with eg 10.1.1.26 (in this example the client and server are VMs running on an internal network – this would normally be a routable address)>
Remote LAN subnet=<the client LAN subnet on which the client side computers reside eg 10.10.12.0/255.255.255.0>
Protocol=<desired protocol to use eg TCP (recommended)>
LZO Compression=<compression required or not (yes recommended)>
Encryption=<Encryption type (default is blowfish)>
MTU size=<MTU size required (1400 recommended)>
Destination port=<desired port to run on eg 1194>
Enabled=yes
Authentication section
We need to generate the client certificates here
Users Full Name or System Hostname=<client system name eg smoothie2>
Users email address=<Client side email address eg clientmail@mydomain.com>
Users Department=<Client Side department eg Sales>
Organisation Name=<Organisation Name eg mycompany>
City=<City name eg Sydney>
State or Province=<Your state eg NSW>
Country=<Your Country eg Australia>
Valid Until=<validity period of the certificate in days eg 1825>
7 Click “Save”
The screen should look like:
8 Next to the “Disconnected” Status there is an icon to download the Client package. Click on that and save it.
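The tunnel subnet rule in step 6 (it must not overlap any LAN the tunnel has to reach, and the server and client tunnel subnets must differ) is easy to get wrong when the LANs were numbered years apart, and an overlap shows up only as traffic silently going the wrong way. The script below, an added shell example that is not part of the post or of ZERINA, checks a planned set of subnets in the post's address/netmask notation before anything is typed into the GUI. The subnets are the post's own examples except the client tunnel subnet 10.36.242.0/255.255.255.0, which is constructed.

```shell
#!/bin/sh
# Added example, not from the original post or ZERINA. Checks that neither
# tunnel subnet overlaps a LAN and that the two tunnel subnets differ.
# Inputs use ADDR/NETMASK form as in the post (10.10.10.25/255.255.255.0).

# ip2int DOTTED: dotted quad to a 32-bit integer using POSIX sh arithmetic
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# subnets_overlap A B: succeed if networks A and B (ADDR/NETMASK) overlap.
# Two networks overlap exactly when they agree under the shorter of the two
# masks, so the host part of an address like 10.10.10.25 is masked away.
subnets_overlap() {
    na=$(ip2int "${1%/*}"); ma=$(ip2int "${1#*/}")
    nb=$(ip2int "${2%/*}"); mb=$(ip2int "${2#*/}")
    m=$(( ma & mb ))
    [ $(( na & m )) -eq $(( nb & m )) ]
}

# tunnel_plan_ok LOCAL_LAN REMOTE_LAN SERVER_TUNNEL CLIENT_TUNNEL
# Succeeds if no tunnel subnet collides with either LAN and the two tunnel
# subnets do not overlap; prints every conflicting pair before failing.
tunnel_plan_ok() {
    local_lan=$1; remote_lan=$2; server_tun=$3; client_tun=$4
    ok=0
    for tun in "$server_tun" "$client_tun"; do
        for lan in "$local_lan" "$remote_lan"; do
            if subnets_overlap "$tun" "$lan"; then
                echo "conflict: tunnel $tun overlaps LAN $lan"
                ok=1
            fi
        done
    done
    if subnets_overlap "$server_tun" "$client_tun"; then
        echo "conflict: server tunnel $server_tun overlaps client tunnel $client_tun"
        ok=1
    fi
    return $ok
}

# Stand-alone demo with the post's example addresses (client tunnel constructed)
if [ "${1:-}" = "demo" ]; then
    tunnel_plan_ok 10.10.10.25/255.255.255.0 10.10.12.0/255.255.255.0 \
                   10.36.241.0/255.255.255.0 10.36.242.0/255.255.255.0 \
        && echo "tunnel plan OK"
fi
```

Run `sh tunnelplan.sh demo`; the check is worth repeating whenever a third site or a new server subnet is added, since a tunnel subnet that was free when the VPN was built can collide with a LAN added later.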
Set up satellite office OpenVPN client
1 Install Zerina as before
2 Generate the Root and Host certificates
3 Click “Set up Root/Host Certificates”
4 Add a new Net-to-Net Connection
Select the “Upload a ZERINA Net-to-Net client package” option and browse to the client package that was downloaded previously.
5 Click “Add”
6 Click “Approve”
7 The Client vpn setup screen looks like this now:
8 Click on the Pencil icon to edit the connection and enable it:
9 Click “Save”
10 Click “Start OpenVPN Services”
11 The screen should now look like this on the client:
… and like this on the server:
The net-to-net VPN is now set up.