OPENVPN Server



I have been trying for some time now to find info, at a level I understand, on configuring my unraid server as a VPN server.

 

Basically I would like to VPN into my home network from a remote site; it beats opening up a whole lot of different ports for different locations and should be pretty secure.

 

I am not able to use my router for this, I need it to be running on a device in my network and unraid is my always-on device so most suited for the job.

 

I have read some posts on it and I get that it is possible, but I cannot get my head around how to do it. Can someone help me with this?

 

I have found the following info on the forum and around:

 

Mostly client:

http://lime-technology.com/forum/index.php?topic=19895.0

 

Router based setup:

http://lime-technology.com/forum/index.php?topic=7352.0

 

On the internet, this is supposed to be a minimalistic version with a static (and therefore less secure) key:

http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html

 

Out of all this I am afraid I cannot make a mix of stuff I can turn into something useful. Can someone?

Link to comment

I am also interested in having unRAID as an OpenVPN server. However, with all the posts stating unRAID is not a hardened server (and therefore not meant to be exposed to the Internet)... I am not sure how involved it would be to do things safely.

 

Would love to see a guide on how to strengthen unRAID & setup OpenVPN.

Link to comment


The security of unraid has been gradually improved as the new versions are released. 4.7 is about as bad as it gets, where root is used for everything, and there is no way to secure the default unraid management interface. The latest release is a little less brain dead as far as root goes, but the management interface is still pretty much untested security-wise. If you intelligently expose only the ports you control software-wise, it's pretty secure. That means remote management is off limits unless tunneled through a secure channel. I'm pretty sure I remember Tom saying telnet and the management web page will stay insecure for the foreseeable future, so the possibility of putting an unraid box in a DMZ is not happening.

 

Port forward ONLY to services you install and can audit for security risks, and you should be ok. The problem is, nobody wants to take on the liability of setting up a tutorial where it is just too easy to miss or skip something and open up your whole network to the world, so the standard line is "just don't do it".

Link to comment

.... That means remote management is off limits unless tunneled through a secure channel. I'm pretty sure I remember Tom saying telnet and the management web page will stay insecure for the foreseeable future, so the possibility of putting an unraid box in a DMZ is not happening.

 

Understood, but all you are saying (or at least, what I am understanding) is that exposing the unraid server to the internet is a bad idea because it is not secure that way. You also state that "a secure channel" would work and that you should only expose the most necessary ports.

 

I agree with all of that, but that is why I figured that OpenVPN would be the solution, e.g.:

 

1) Only one port would be exposed (namely the VPN port)

2) You would have a secure channel

3) The server would not be open to the internet

 

So shouldn't openVPN just be the way to go? I am trying to understand what I am missing. If I am not missing anything then I would like to continue trying to get this to work myself; if my assumptions are wrong I would like to understand why, so I can avoid spending time on something that is not going to be a good solution.

 

Link to comment

1) Only one port would be exposed (namely the VPN port)

2) You would have a secure channel

3) The server would not be open to the internet

That scenario should work perfectly fine. HOWEVER... it relies on things the unraid box has no control over, namely the correct configuration of the router to only forward the correct port. Unraid itself is still not hardened or secure in any way. If you accidentally leave the wrong port forwarded, your network will be owned shortly.

 

All I'm trying to get across is that there is currently no safe way to fully expose the unraid box to the internet, so ANY instructions given will depend on external devices to be configured properly. If you know what you are doing you should be fine, but it's not possible to set up tutorials for every router and network configuration to safely set it up.

 

Personally I run openvpn on my router, so I can access anything on my network as long as my internet is up; I don't have to rely on unraid for my vpn. I also run a virtualbox xp instance with logmein on my unraid host so I can get in without my vpn client while using a friend's PC.

Link to comment


...well, AFAIK the OpenVPN daemon would expose ONE port...and all other ports are being exposed from vanilla unRAID  ;D

You need to put unRAID behind a firewall and install a forwarding rule to the openvpn port there, at least.

Next best solution would be to run a gateway with openVPN as a VM on an ESXi build and instruct your firewall(router) to forward to that gateway-VM only.

Link to comment


Ford: that is not correct. The unraid server would be behind the firewall and would only receive traffic over one port from the router. So there is no way other unraid ports could be open.

Link to comment


I agree... that is basically the case with any kind of scenario. But I understood that the fact that doing this wrong could cause issues might be the reason there is no "howto" for it, making it necessary to dive into it and understand it before you can configure it... I can respect this!

 

I just remembered I had an old router I wasn't using, so I just flashed it with dd-wrt. I am keeping it inside my network and will now try to configure the vpn daemon; still not easy, but I am getting somewhere. The moment this works (I will test inside my intranet) I will forward the vpn port from my external router to the dd-wrt router. That would work, right?

 

There is an adequate amount of info on dd-wrt so I think I can get this to work. Must be said though that it is equally possible that I will configure something wrong this way :-)

Link to comment


Hmm, maybe I was confused, but that's exactly what I was referring to/recommended in my second line, wasn't it?

openVPN only needs one port...but running it as an add-on in unRAID will not help from not-exposing all other ports of the box, because openVPN will not close/secure the box for you.

As you need to connect that service port of openVPN to the internet, you need a firewall in between.

As I didn't see you referring to a firewall tunnel earlier, I gathered you were going wrong.

..glad that's sorted out now.  :D

 

Link to comment

Just succeeded in turning my old Asus WL-500GP v2 into a DD-WRT router.

 

This took me about an hour using the http://www.dd-wrt.com/site/index website.

The only reason it took me longer than 5 minutes was that it took me some time before I figured out that the router needed to be connected through a LAN port and not through the WAN uplink.

 

After flashing the router to dd-wrt and setting up the basics (making sure, for the most part, that it did not work as a DHCP server) I switched to the following how-to to configure the VPN daemon on it:

 

http://www.dd-wrt.com/wiki/index.php/VPN_(the_easy_way)_v24%2B#Creating_Certificates_Using_Easy_RSA_in_Windows

 

This actually also was pretty easy (at least I think so). I now have my secondary router set up as a vpn server. The next issue will be tracking down how to get a client to connect (I have set up a few VPN connections before but have never done it using certificates). I will add to the thread when I have progress (or lack of it).

Link to comment
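The thread contrasts the static-key mini-howto (first post) with the certificate-based setup the dd-wrt guide produces. The following is an added example, not code from the thread or from dd-wrt/OpenVPN: a small Python lint over two constructed OpenVPN server configs (file names such as ca.crt, ta.key and the 192.168.1.0/24 LAN are assumptions) that flags the settings a reviewer would check before forwarding the VPN port from the primary router.

```python
"""Lint an OpenVPN server config for weak settings before exposing its port."""
from typing import Dict, List

# Constructed sample in the style of the static-key mini-howto: one shared key.
STATIC_KEY_SERVER = """
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
"""

# Constructed sample of a certificate-based server with a TLS control-channel key.
CERT_SERVER = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
remote-cert-tls client
cipher AES-256-CBC
auth SHA256
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
"""


def parse(config: str) -> Dict[str, List[str]]:
    """Map each directive to its argument list; skips blank lines and # / ; comments."""
    directives: Dict[str, List[str]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        name, *args = line.split()
        directives[name] = args
    return directives


def lint(config: str) -> List[str]:
    """Return a list of findings; an empty list means no weak setting was seen."""
    d = parse(config)
    findings: List[str] = []
    if "secret" in d:
        # Static-key mode: no TLS, no forward secrecy, every client shares one key.
        findings.append("static key (secret): one shared key for every client, no forward secrecy")
        return findings
    if not all(k in d for k in ("ca", "cert", "key")):
        findings.append("no certificates: ca/cert/key missing")
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no tls-auth/tls-crypt: the forwarded port answers unauthenticated handshakes")
    if d.get("cipher", [""])[0].lower() == "none" or d.get("auth", [""])[0].lower() == "none":
        findings.append("cipher/auth none: tunnel traffic is not encrypted or authenticated")
    if "remote-cert-tls" not in d:
        findings.append("no remote-cert-tls: client certificate purpose is not checked")
    return findings
```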


Wait, you are using a second router as a vpn server?? How come I never thought of that?? I got a couple old routers sitting in the basement.

 

The only reason I did not go ahead with flashing my current router is because 1) I did not want to brick it and be without internet for who knows how long it would take me to unbrick it, and 2) I have had so many routers in the past that dropped connection constantly, that with my current router being reliable, I'd rather not change anything to keep it that way

 

Please keep us updated on how it works out for you, because I might just do the same

Link to comment

Okay... My first attempt failed so I will be trying a slightly different path.

 

Previously I chose a specific VPN dd-wrt firmware. After setting up everything ok (at least I thought so) I was not able to do anything with the router: vpn would not work, I could not connect wirelessly, and if connected wired it also would not work.

 

Because I am really inexperienced in the VPN part I have now done the following:

 

1) installed the most complete version of alternative firmware (dd-wrt.v24_mega_generic);

2) I configured the router as a wireless access point, not so much because I need it but because I can then see if the router is actually capable of accepting and routing internal traffic; when that works, activating the VPN should be only a "layer on top".

 

I just finished 2)! And it works: I am now connected to the secondary router and have an internet connection available without a problem. I found an excellent guide for this:

 

http://www.dd-wrt.com/wiki/index.php/Wireless_Access_Point

 

Use the "Long version"; the nice thing is that it also explains why it is doing what.

Link to comment

Just moved my secondary router (currently a wireless access point) to next to my primary router in the cupboard in the hallway.

 

I moved a wired connection from my primary router to the secondary (to free up a port) and connected the secondary router to the primary router.

 

The device I moved to the secondary router works!

 

Wireless connecting to my secondary router works!

 

Looks like the secondary router is now working fully as a wireless access point. The next action is to activate the vpn function.

 

 

Link to comment

And it works externally!!!

 

I have just set up PPTP on my iphone and disconnected the wifi, which means I was connecting through 3G only (read: external connection, not part of my own network anymore).

 

I made sure the PPTP port TCP 1723 is routed through my primary router towards the secondary router. The primary router also needed to have PPTP passthrough enabled.

 

I am now able to connect over VPN/PPTP from the internet to my internal network and access all my internal devices.

 

This means functionally I now have what I need and it really was not THAT difficult.

 

The remaining issue is that PPTP is not the most secure way of VPN'ing, so I still want to get OpenVPN working and connect through that.

Link to comment

Am happy with it too; I am doing the same stuff you mention. I also am now using my secondary router (the dd-wrt one) for wireless within my house. I have upped the transmission strength a bit and wireless range has improved. I should have done this a lot earlier.

 

Are you using pptp or OpenVPN on it?

Link to comment

Oh well, it turns out my old router is not compatible with dd-wrt as it has a Marvell chip.

 

So just to try it out, I tried to set up an openvpn server on my win 7 htpc. I had been reading comments on openvpn forums like "Oh, openvpn is so easy, it just works". Yeah, well, it didn't, alright. Oh boy, little did I know that win 7 and openvpn simply do not mix.

 

I spent the last three days obsessively trying to get it to work. Finally I got the computers in the tunnel to ping each other, but not any others on the lan, and no internet sharing either.

 

Apparently it mostly has to do with the fact that openvpn does not set up a gateway for the virtual adapter, therefore win 7 makes it a "public network" with no way of changing it to private. So openvpn connects, but no further communication is allowed due to tun and tap being firewalled.

 

There was literally no mention of this in the openvpn how-tos or the dozens of guides that supposedly helped you set up an openvpn server on win 7. I finally stumbled upon a forum thread about this issue where A LOT of people were complaining about it and about the lack of info in the how-tos or guides, but someone offered an interesting solution:

 

I manually set up a fake route to associate a fake gateway, and was able to make it a private network. Now pings go through, but for some reason, openvpn is not able to create the correct routing for other services, or expose the rest of the network through the tunnel. The "route" commands in either the server or client configs get ignored (I am starting the gui elevated). Just pinging is not cutting it for me.

 

I was literally pulling my hair out. Still am  >:(

Link to comment