Friday, April 8, 2016

OpenVPN Proof of Concept Part II




In the meantime, I have installed an OpenVPN server on my router. 

A while ago, I purchased the Asus RT-AC68U, reportedly one of the best wireless routers on the market. It also natively supports OpenVPN in various configurations. Setting up an OpenVPN server was a matter of a few mouse-clicks. I’m not going to cover that here, because it’s so simple if you have this router, or very different if you don’t.

Another bonus with this Asus router is that you can get a free hostname that automatically updates itself when your internet provider decides to change your public IP address. Mine is in the form of mychoosenroutername.asuscomm.com.

If your router doesn’t offer this, you need to get the service from a provider that does and install the software that keeps track of the public IP address changes.
Assuming you have your router set up and you have a public hostname, you can follow this link in detail, or just have a look to see how it can be done.

Setting up the test-rig
Because I wanted to test a couple of things while in the testing phase, I didn’t want to pack my stuff and go to a friend/family member that would allow me to use their SOHO link to get me outside access to the router. You need to knock on the porthole of the router from the “outside”. 

To facilitate that, I created a very simple wireless Repeater.
The link on the raspberrypi.org forums to create a general-purpose Repeater is here:

The next step was to set up the Repeater to log in through the wireless Access Point instead of the Router. This was simply a matter of adding another network block in the wpa_supplicant.conf file. I used the priority option to let the Repeater automatically switch to the Access Point if it is up, or fall back to the Router if not.

Boot the Repeater and change this file:

sudo nano /etc/wpa_supplicant/wpa_supplicant.conf

Add or create the following two networks:

network={
    ssid="HMA-RPi"
    psk="The password for it"
    id_str="AP"
    priority=2    # preferred: the Access Point, whenever it is up
}
network={
    ssid="ASUS-RTR"
    psk="The password for it"
    id_str="RTR"
    priority=1    # fallback: the Router directly
}

The higher the priority number is, the higher the priority, so in this case, the HMA-RPi has priority over the ASUS-RTR.
Run sudo poweroff to bring the Repeater down again.

Setting up the Wireless Access Point
In this complicated test-rig, I also need to use the wireless Access Point with the HMA! OpenVPN again. This part of the test-rig setup will get me from a wireless Access Point to the public internet through the HMA! OpenVPN tunnel.

To start the testing process in this complicated link, I booted the Access Point first. To make it function in the test-rig, I would need to load the OpenVPN iptables rules and start the HMA! OpenVPN client. 

I did that with a couple of little scripts that I made.

nano start_vpn

#!/bin/bash
# load the VPN-client iptables rules saved earlier, then start the HMA! client
sudo iptables-restore /etc/iptables/vpn-rules.v4
sudo ./hma-vpn.sh -c vpnlogin -d HMA-server-location

Make the script executable. The -c option loads a file (vpnlogin) with two lines that hold the HMA! username and the password. Make sure you remove all access rights other than the owner’s from the vpnlogin file. The -d option takes the city location, which you can find in the long list of HMA! server locations.

Then I created a script to flush the iptables rules.
nano clean_iptables

#!/bin/bash
# flush all rules in the filter and nat tables, then delete user-defined chains
sudo iptables -F
sudo iptables -t nat -F
sudo iptables -X

Make this script executable. 

The iptables rules for a VPN client are a little different from those of a server configuration. First clean the iptables rules by running the above script, then load these rules (each rule is a single line):

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT

Save them:

sudo sh -c "iptables-save > /etc/iptables/vpn-rules.v4"

And also create a script to report the Public IP address.

nano pip

#!/bin/bash
wget http://ipinfo.io/ip -qO -

Make that script executable as well.
After booting the Access Point, run the following:

./clean_iptables
./start_vpn

Wait a few seconds for the tunnel creation to finish. Then run

./pip

Check whether you are indeed connected to the HMA! server in the country/city location you selected.

Setting up the Repeater
During this testing, you need to have a console and keyboard attached to the Repeater Pi, so if you have an original Model B with only two USB ports, you need to use a USB hub to connect the keyboard. Now you can boot the wireless Repeater again.

Log in to the Repeater and run iwconfig to see if the Repeater logged in to the Access Point, and also if it provided a second Access Point.

At this point I’m assuming you already installed OpenVPN on the Repeater. If not do that now (sudo apt-get install openvpn).

My Asus router created an OpenVPN client setup file called client.ovpn and I could download that through my browser to the PC. I used a USB stick to move it to the /etc/openvpn directory on the Repeater, and I renamed it to asus-client.ovpn.

I edited the asus-client.ovpn file.

sudo nano /etc/openvpn/asus-client.ovpn

And I added/modified these lines:

auth-user-pass /home/pi/vpnlogin
auth-nocache
verb 3

The first line points to the file with the username and password you set in the server setup on the router. Create that file, like you did earlier for the Access Point, but obviously use the username and password you created during the VPN server setup on the Router. Don’t forget to change the access rights. The auth-nocache line tells OpenVPN not to keep those credentials cached in memory once it has used them. verb 3 means verbosity level 3; it shows more details on the console so you can see what is going on.
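Both credential files (the HMA! vpnlogin on the Access Point and the one for the Router’s OpenVPN server on the Repeater) should pass the same check before a client reads them. The following shell function is an added example, not part of the original post; it assumes a Linux box with the usual ls, awk, grep and id tools and a file laid out as described: username on the first line, password on the second.

```shell
#!/bin/bash
# Added example, not from the original post: sanity-check an OpenVPN
# auth-user-pass credentials file (such as /home/pi/vpnlogin) before a
# VPN client reads it. Uses only ls, awk, grep and id, so it runs on the Pi.
# Returns 0 when the file is usable, 1 with a reason on stderr otherwise.
check_vpnlogin() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "$file: not a regular file" >&2
        return 1
    fi
    # Exactly two non-empty lines: username on line 1, password on line 2.
    lines=$(grep -c . "$file" || true)
    if [ "$lines" -ne 2 ]; then
        echo "$file: expected 2 non-empty lines (user, password), found $lines" >&2
        return 1
    fi
    # Group and other permission bits (columns 5-10 of ls -l) must all be off.
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$file: readable by others ($perms), run chmod 600 on it" >&2
        return 1
    fi
    # The file must belong to the user who will start the VPN client.
    owner=$(ls -ldn "$file" | awk '{print $3}')
    if [ "$owner" != "$(id -u)" ]; then
        echo "$file: owned by uid $owner, not uid $(id -u)" >&2
        return 1
    fi
    return 0
}

# Constructed demonstration: a correct file next to a world-readable copy.
demo_vpnlogin() {
    dir=$(mktemp -d)
    printf 'myuser\nmypassword\n' > "$dir/good"
    chmod 600 "$dir/good"
    printf 'myuser\nmypassword\n' > "$dir/leaky"
    chmod 644 "$dir/leaky"
    check_vpnlogin "$dir/good" && ! check_vpnlogin "$dir/leaky" 2>/dev/null
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Run it as `check_vpnlogin /home/pi/vpnlogin` from the start scripts so a misconfigured credentials file stops the client before it is ever used.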

I created the following VPN startup script:
nano start-ovpn

#!/bin/bash
# run the OpenVPN client in the foreground so its log shows on the console
sudo openvpn --config /etc/openvpn/asus-client.ovpn

I also created the same pip and clean_iptables scripts as we just did on the Access Point.
After you created the pip script, run it with ./pip and check whether you still come out on the same HMA! server through the Repeater.

Now we’re going to create the iptables rules for the Repeater. First clean iptables by running the clean_iptables script, then run these lines.

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT

After they loaded without errors, save them:

sudo sh -c "iptables-save > /etc/iptables/vpn-rules.v4"
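The rule sets for the Access Point and the Repeater differ only in which interface the LAN clients sit on, and the ifconfig check further down suggests that on the Repeater the AP side is wlan1 rather than wlan0; the post’s rules still forward traffic there because the FORWARD policy defaults to ACCEPT. As an added example that is not part of the original post, the shell function below prints the rule set in the iptables-restore format that vpn-rules.v4 uses, with the interfaces as parameters and an optional strict mode in which that interface choice matters.

```shell
#!/bin/bash
# Added example, not from the original post: print the client-side NAT and
# forwarding rules in the iptables-restore format that vpn-rules.v4 uses.
#   $1  tunnel interface (tun0 in the post)
#   $2  interface the LAN clients arrive on (wlan0 on the Access Point;
#       on the Repeater the AP side appears to be wlan1, see the ifconfig note)
#   $3  "strict" sets the FORWARD policy to DROP, so LAN traffic can only be
#       forwarded into the tunnel and is never forwarded out of the uplink
#       while the tunnel is down; omit it to keep the default ACCEPT policy
vpn_rules() {
    tun="$1"
    lan="$2"
    fwd_policy="ACCEPT"
    if [ "$3" = "strict" ]; then
        fwd_policy="DROP"
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $tun -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD $fwd_policy [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $tun -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan -o $tun -j ACCEPT
COMMIT
EOF
}

# Usage on the Repeater, for instance (write the file and load it in one go):
#   vpn_rules tun0 wlan1 strict | sudo tee /etc/iptables/vpn-rules.v4 | sudo iptables-restore
```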

Now start the OpenVPN client on the Repeater.

./start-ovpn

We’re not running the OpenVPN client in the background, so we can see what is going on by looking at the console.  If everything went well, you can see that the tunnel got created and the client made a connection to the public IP address of your Router. Yeah!

Now, remember that I wanted to use the client setup to get around the Netflix geo-restrictions. The standard port that OpenVPN uses is 1194. It is unlikely, but possible, that the Netflix Geo-police actually does some packet analysis and when it sees this port, it can potentially switch you off. I suggest that you use the port that https uses, which is port 443. This will make it a lot less obvious that we’re using a VPN connection.

To change the port, you need to go back to the Router and change the port for the OpenVPN server. You also need to change the port in the asus-client.ovpn file. And you can run yet another test.

Now that you have this working, let’s go the extra mile. 
Grab your iPad and switch the wireless connection to that of the Repeater. Log in and run a ping to a website that answers pings to test the link all the way. Now go to Safari and to the site whatismyipaddress.com. If everything went well, it will report the public IP address of your router. YEAH! We went full circle!

Now, if you are tempted to run a speedtest, don’t be surprised if you get atrocious results. My provider offers a 12 ms ping to the closest server and 150+ Mbps down and 15+ Mbps up. Through this complicated link, I only get a ping of 16 ms, 6 Mbps down and 8 Mbps up, and it varies a lot, with much lower numbers, even below 1 Mbps, if I move the iPad far away.

Remember however that we run a tunnel within a tunnel, and we use three wireless adapters in the link. I understand that every additional wireless hop more than halves the speed, even if you space the channels as far apart as possible by using channels 1, 6 and 11.

After I ran a few tests, I checked ifconfig for errors and overruns on both wlan ports of the Repeater, but there weren’t any. Only wlan1 (ap) showed 640 dropped packets out of 4.7 MiB for the RX part. On the Access Point I had some drops on the tunnel, 1,743 out of 30,985 packets (23.5 MiB) in the RX field. I’m pretty sure this can be tweaked, and the speed issue is probably another can of worms, but I’m not going there yet.

In any case, the link is fully functional and with this test-rig up and running, you and I can experiment with the configurations to our heart’s delight. 

My next step is to reconfigure my Access Point and take it to another SOHO location where I can set it up and test the link again with my iPad and the Netflix app as I will use it when I’m out of the country again.

Stay tuned for the final bit.
