Set up your router with a VPN
With a network that goes through the VPN
Configure access
Set the password:
passwd
Add your ssh key:
vim /etc/dropbear/authorized_keys
Confirm that you can log in over ssh with that key before changing the following parameters, because they disable password logins:
vim /etc/config/dropbear
config dropbear
    option RootPasswordAuth 'off'
    option Port '22'
Update and install packages
opkg update
opkg install vim screen mtr openssl-util openvpn-openssl ca-certificates libustream-openssl ca-bundle
Change the router's hostname
vim /etc/config/system
Reload
/etc/init.d/system reload
Configuring the network
- add interfaces
- add switch rules
vim /etc/config/network
Add the interface that will be the VPN
config interface 'leap'
    option ifname 'leap'
Add the interface that will use the VPN
config interface 'tunnel'
    option type 'bridge'
    option proto 'static'
    option ifname 'eth0.10'
    option netmask '255.255.255.0'
    option ipaddr '192.168.10.1/24'
Add a new switch rule. Be careful with the numbers: do not change the switch_vlan entries that are there by default.
config switch_vlan
    option device 'switch0'
By default you should already have other switch rules (switch_vlan) numbered 1 and/or 2, so give this one a new number, in this case 3:
    option vlan '3'
The VLAN id of the tunnel interface, eth0.10:
    option vid '10'
And finally add the port, tagged ('t'), using the same port number that appears in the other switch rules:
    option ports '6t'
Reload with:
/etc/init.d/network reload
Configuring the firewall
- add zones
- add forwardings
- add rules
vim /etc/config/firewall
config zone
    option name leap
    list network 'leap'
    option input REJECT
    option output ACCEPT
    option forward ACCEPT
    option masq 1
config zone
    option name tunnel
    list network 'tunnel'
    option input REJECT
    option output ACCEPT
    option forward ACCEPT
    option log 1
config forwarding
    option src tunnel
    option dest leap
config forwarding
    option src tunnel
    option dest wan
config forwarding
    option src lan
    option dest tunnel
config forwarding
    option src lan
    option dest leap
config rule
    option name ssh
    option target ACCEPT
    option src wan
    option proto tcp
    option dest_port 22
config rule
    option target ACCEPT
    option name dns-tunnel
    option src tunnel
    option dest_port 53
config rule
    option target ACCEPT
    option name dhcp-tunnel
    option src tunnel
    option dest_port 67-68
Reload with:
/etc/init.d/firewall reload
Configuring the wireless
- add wifi interfaces
You can have one wifi that gives internet access in the clear, using the "lan" network, and another that gives access through the VPN, using the "tunnel" network.
vim /etc/config/wireless
config wifi-iface 'default_radio0'
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid '[wifi-name]'
    option encryption 'psk2'
    option key '[aGreatPassword]'
config wifi-iface 'default_radio1'
    option device 'radio1'
    option network 'tunnel'
    option mode 'ap'
    option encryption 'psk2'
    option ssid '[wifi-name-VPN]'
    option key '[aGreatPassword]'
Reload with:
/etc/init.d/network reload
Add the new interface to DHCP
vim /etc/config/dhcp
config dhcp 'tunnel'
    option interface 'tunnel'
    option start '30'
    option limit '253'
    option leasetime '12h'
Also add these lines to the 'config dnsmasq' section, because they are needed for the VPN:
    list server '10.41.0.1'
    list server '1.1.1.1'
Setting up OpenVPN
- add the IPs that the VPN uses
- add the location of the certificates, which we will see in the next step, "LEAP"
- change a few parameters
Here is an example configuration file (/etc/config/openvpn):
package openvpn
#################################################
# Sample to include a custom config file.       #
#################################################
config openvpn leap
    # Script run once OpenVPN has installed its routes (created in the LEAP step below)
    option route_up /etc/leap/openvpn/route-up.sh
    # Set to 1 to enable this instance:
    option enabled 1
    option log /tmp/ovpn.log
    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    option client 1
    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    # option dev tap
    option dev leap
    option dev_type tun
    # Are we connecting to a TCP or
    # UDP server? Use the same setting as
    # on the server.
    option proto tcp
    # option proto udp
    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    list remote "212.129.4.124 443 tcp4"
    list remote "212.83.182.127 443 tcp4"
    list remote "212.129.62.247 443 tcp4"
    list remote "212.129.37.129 443 tcp4"
    list remote "212.83.165.160 443 tcp4"
    list remote "163.172.126.44 443 tcp4"
    list remote "212.83.144.12 443 tcp4"
    list remote "212.129.4.141 443 tcp4"
    list remote "212.83.146.228 443 tcp4"
    list remote "212.83.143.67 443 tcp4"
    list remote "199.58.83.12 443 tcp4"
    list remote "37.218.244.251 443 tcp4"
    list remote "37.218.244.249 443 tcp4"
    list remote "199.58.83.10 443 tcp4"
    list remote "198.252.153.28 443 tcp4"
    list remote "185.220.103.12 443 tcp4"
    # Required so that the route_up script above is allowed to run
    option script_security 2
    option persist_local_ip 1
    option auth SHA1
    option keepalive "10 30"
    # Choose a random host from the remote
    # list for load_balancing. Otherwise
    # try hosts in the order specified.
    # option remote_random 1
    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server. Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    option resolv_retry infinite
    # Most clients don't need to bind to
    # a specific local port number.
    option nobind 1
    # Try to preserve some state across restarts.
    option persist_key 1
    option persist_tun 1
    option user nobody
    option group nogroup
    # If you are connecting through an
    # HTTP proxy to reach the actual OpenVPN
    # server, put the proxy server/IP and
    # port number here. See the man page
    # if your proxy server requires
    # authentication.
    # retry on connection failures:
    # option http_proxy_retry 1
    # specify http proxy address and port:
    # option http_proxy "192.168.1.100 8080"
    # Wireless networks often produce a lot
    # of duplicate packets. Set this flag
    # to silence duplicate packet warnings.
    # option mute_replay_warnings 1
    # SSL/TLS parms.
    # See the server config file for more
    # description. It's best to use
    # a separate .crt/.key file pair
    # for each client. A single ca
    # file can be used for all clients.
    # ca.pem is the provider's CA certificate; cert.pem and privkey.pem
    # are written by renew.sh in the LEAP step.
    option ca /etc/leap/openvpn/ca.pem
    option cert /etc/leap/openvpn/cert.pem
    option key /etc/leap/openvpn/privkey.pem
    # Verify that the server certificate was issued
    # for a TLS server (key usage / extended key usage).
    # This is an important precaution against a
    # client certificate being used to impersonate
    # the server; the attack is discussed here:
    # http://openvpn.net/howto.html#mitm
    #
    # To use this feature, the server certificates must
    # carry the server usage flags; the build_key_server
    # script in the easy_rsa folder will do this.
    option remote_cert_tls server
    # If a tls_auth key is used on the server
    # then every client must also have the key.
    # option tls_auth "/etc/openvpn/ta.key 1"
    option tls_client 1
    option tls_cipher DHE-RSA-AES128-SHA
    # Select a cryptographic cipher.
    # If the cipher option is used on the server
    # then you must also specify it here.
    option cipher AES-128-CBC
    # Set log file verbosity.
    option verb 1
    # Silence repeating messages
    # option mute 20
Wait before reloading or starting openvpn! You should do the next step first:
Setting up LEAP
- create the LEAP folder
- copy 2 scripts
- create the LEAP/OPENVPN folder
- copy 2 scripts
mkdir /etc/leap
mkdir /etc/leap/openvpn
vim /etc/leap/renew.sh
Copy this script into renew.sh
#!/bin/sh
# Downloads the client certificate + private key bundle from the provider API:
# https://api.black.riseup.net:443/1/cert
DIR=/etc/leap
OVPNDIR=/etc/leap/openvpn
API='https://api.black.riseup.net:443'
# ca.crt is the provider CA used to verify the API's TLS certificate;
# it must already be present in $DIR.
wget --ca-certificate $DIR/ca.crt -O $DIR/combined.pem $API/1/cert
# Show what was downloaded: subject, validity dates and purposes
openssl x509 -subject -noout -in $DIR/combined.pem
openssl x509 -dates -noout -in $DIR/combined.pem
openssl x509 -purpose -noout -in $DIR/combined.pem
# Check the key; -check prints "RSA key ok" on the same output stream,
# so keep it separate from the commands that write PEM files
openssl rsa -check -noout -inform PEM -in $DIR/combined.pem
openssl rsa -pubout -inform PEM -in $DIR/combined.pem > $DIR/pubkey.pem
# Split the bundle into the certificate and key files OpenVPN expects
if openssl x509 -in $DIR/combined.pem > $DIR/cert.pem
then
    echo "cert success"
    cp $DIR/cert.pem $OVPNDIR/cert.pem
else
    echo "cert fail"
fi
if openssl rsa -inform PEM -in $DIR/combined.pem > $DIR/privkey.pem
then
    echo "privkey success"
    cp $DIR/privkey.pem $OVPNDIR/privkey.pem
else
    echo "privkey fail"
fi
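renew.sh splits the bundle into cert.pem and privkey.pem but never checks that the two actually belong together, or how long the certificate remains valid; a mismatched pair only shows up when OpenVPN refuses to start, and an expiring certificate only when the tunnel drops. The following shell function is an added example, not part of the original guide or of LEAP: it takes the path of the combined PEM file as an argument and assumes the openssl binary from openssl-util that the guide installs. MIN_DAYS is a threshold I chose for the example.

```shell
#!/bin/sh
# verify_leap_bundle FILE: sanity-check a combined cert+key PEM file (added
# example, not part of the original guide). Returns 0 when the file holds a
# parseable certificate and private key, the key matches the certificate,
# and the certificate stays valid for at least MIN_DAYS more days.
MIN_DAYS=${MIN_DAYS:-7}

verify_leap_bundle() {
  bundle=$1
  [ -r "$bundle" ] || { echo "cannot read $bundle"; return 1; }

  # The certificate must parse; -noout avoids writing it anywhere
  if ! openssl x509 -in "$bundle" -noout 2>/dev/null; then
    echo "no valid certificate in $bundle"; return 1
  fi
  # The private key must parse (pkey handles RSA and EC keys alike; PEM
  # readers skip the CERTIFICATE block to find the key, as renew.sh relies on)
  if ! openssl pkey -in "$bundle" -noout 2>/dev/null; then
    echo "no valid private key in $bundle"; return 1
  fi
  # Key/cert pairing: the public key derived from each side must be identical.
  cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "certificate and private key in $bundle do not match"; return 1
  fi
  # Expiry: -checkend succeeds only if the cert is still valid that many seconds from now
  seconds=$((MIN_DAYS * 86400))
  if ! openssl x509 -in "$bundle" -noout -checkend "$seconds" >/dev/null 2>&1; then
    echo "certificate in $bundle expires within $MIN_DAYS days; run renew.sh"
    return 1
  fi
  echo "bundle $bundle ok: $(openssl x509 -in "$bundle" -noout -enddate)"
  return 0
}

# Usage on the router, right after renew.sh:
#   sh verify-bundle.sh /etc/leap/combined.pem || exit 1
case "${1:-}" in
  "") ;;
  *) verify_leap_bundle "$1" ;;
esac
```

Run it after renew.sh and before /etc/init.d/openvpn start; a non-zero exit means the bundle should not be copied into /etc/leap/openvpn. Because it compares the SubjectPublicKeyInfo from both halves, it also catches the case where the API returned a fresh key but an old certificate.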
Also,
vim /etc/leap/startopenvpn.sh
with this script inside:
#!/bin/sh
# Starts OpenVPN by hand, in the foreground and with verbose logging, for
# testing. The parameters mirror /etc/config/openvpn.
# The demo endpoint would be https://api.demo.bitmask.net:4430/1/cert
# (wget -O combined.pem https://api.demo.bitmask.net:4430/1/cert)
OVPNDIR=/etc/leap/openvpn
/usr/sbin/openvpn --setenv LEAPOPENVPN 1 \
    --nobind \
    --client \
    --dev leap \
    --dev-type tun \
    --tls-client \
    --remote-cert-tls server \
    --script-security 2 \
    --persist-key \
    --persist-local-ip \
    --user nobody \
    --group nogroup \
    --verb 7 \
    --remote 212.129.4.124 443 tcp4 \
    --remote 212.83.182.127 443 tcp4 \
    --remote 212.129.62.247 443 tcp4 \
    --remote 212.129.37.129 443 tcp4 \
    --remote 212.83.165.160 443 tcp4 \
    --remote 163.172.126.44 443 tcp4 \
    --remote 212.83.144.12 443 tcp4 \
    --remote 212.129.4.141 443 tcp4 \
    --remote 212.83.146.228 443 tcp4 \
    --remote 212.83.143.67 443 tcp4 \
    --remote 199.58.83.12 443 tcp4 \
    --remote 37.218.244.251 443 tcp4 \
    --remote 37.218.244.249 443 tcp4 \
    --remote 199.58.83.10 443 tcp4 \
    --remote 198.252.153.28 443 tcp4 \
    --remote 185.220.103.12 443 tcp4 \
    --tls-cipher DHE-RSA-AES128-SHA \
    --cipher AES-128-CBC \
    --auth SHA1 \
    --keepalive 10 30 \
    --ca $OVPNDIR/ca.pem \
    --cert $OVPNDIR/cert.pem \
    --key $OVPNDIR/privkey.pem \
    --route-noexec \
    --up $OVPNDIR/up.sh \
    --route-up $OVPNDIR/route-up.sh
# Other hooks that could be added to the command above:
#    --ipchange $OVPNDIR/up.sh \
#    --down $OVPNDIR/up.sh \
Also this file
vim /etc/leap/openvpn/route-up.sh
and copy this script into it
#!/bin/sh -x
ip='/sbin/ip'
# Check whether there is an IP routing table named 'vpn'; create it if missing
if ! grep -q vpn /etc/iproute2/rt_tables; then
    echo "100 vpn" >> /etc/iproute2/rt_tables
fi
# Remove any stale "from <ip> lookup vpn" rules left by a previous connection
$ip rule | sed -n 's/.*\(from[ \t]*[0-9\.]*\).*vpn/\1/p' | while read RULE
do
    $ip rule del ${RULE}
    #echo del: $RULE
done
# Anything that matches table vpn but has no VPN route is dropped instead of
# falling through to the WAN; "add" fails if the route is already there
if $ip route add unreachable default table vpn
then
    echo "added default unreachable in table vpn"
else
    echo "default unreachable already there"
fi
# Delete the default route setup when the OpenVPN tunnel was established
$ip route del 128.0.0.0/1 via ${route_vpn_gateway}
$ip route del 0.0.0.0/1 via ${route_vpn_gateway}
# Send traffic from the tunnel's own address through the vpn routing table
$ip rule add from ${ifconfig_local} lookup vpn
# Add the routes that direct all traffic using the vpn routing table to the tun interface
$ip route add 128.0.0.0/1 dev ${dev} table vpn
$ip route add 0.0.0.0/1 dev ${dev} table vpn
exit 0
Create this file:
vim /etc/leap/openvpn/up.sh
and copy this script:
#!/bin/sh -x
# OpenVPN calls it as, for example: up.sh leap 1500 1559 10.41.0.19 255.255.248.0 init
# It only records the environment OpenVPN passes; routing is done by route-up.sh
date >> /tmp/ovpn-up.log
env >> /tmp/ovpn-up.log
ip addr show dev "$dev"
if [ "$script_type" = 'up' ]
then
    # Kept for reference, not executed:
    #cat >> /tmp/ovpn-cmd.log <<EOF
    #ip route add $route_vpn_gateway via $route_net_gateway table 33
    #ifconfig $dev $ifconfig_local $ifconfig_netmask up
    #ip route add default via $route_vpn_gateway table 33
    #EOF
    echo up
else
    echo "not up"
fi
Make the four scripts executable, otherwise they cannot be run in the next step:
chmod +x /etc/leap/renew.sh /etc/leap/startopenvpn.sh /etc/leap/openvpn/route-up.sh /etc/leap/openvpn/up.sh
Launch the VPN
- renew the certificate and verify that it was downloaded
- stop openvpn
- run the startopenvpn.sh script and check that the VPN works
- start OpenVPN
- check that everything works correctly
First, download the certificates by running this script:
/etc/leap/renew.sh
Make sure OpenVPN is not running:
/etc/init.d/openvpn stop
Use two windows (with screen) so you can run checks while the script is running; once you are done, press Ctrl+C to stop it.
/etc/leap/startopenvpn.sh
In the second window, check that the leap interface appears and note the IP it uses:
ip a
For example:
28: leap: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 10.41.0.67/21 brd 10.41.7.255 scope global leap
Check with ip rule; the IP 10.41.0.67 and br-tunnel should appear, like this:
0: from all lookup local
32764: from 10.41.0.67 lookup vpn
32765: from all iif br-tunnel lookup vpn
32766: from all lookup main
32767: from all lookup default
If the br-tunnel rule does not appear, add it:
ip rule add from all iif br-tunnel lookup vpn
Check whether 10.41.0.0/21 appears in the vpn table:
ip route show table vpn
If you see this:
0.0.0.0/1 dev leap scope link
unreachable default
128.0.0.0/1 dev leap scope link
you need to run these lines:
ip route del 0.0.0.0/1 table vpn
ip route del 128.0.0.0/1 table vpn
ip route add 0.0.0.0/1 via 10.41.0.1 dev leap table vpn
ip route add 10.41.0.0/21 dev leap table vpn
ip route add 128.0.0.0/1 via 10.41.0.1 dev leap table vpn
Then check that the VPN is working:
ping -I 10.41.0.67 1.1.1.1
So, if everything works, you can now stop the startopenvpn.sh script with Ctrl+C and start openvpn:
/etc/init.d/openvpn start
It may happen that you need to run renew.sh again and reload openvpn. Just in case, verify every step from ip a to ping with openvpn running and without the startopenvpn.sh script.
So the wifi that uses the lan interface goes out to the internet in the clear and the wifi that uses tunnel goes through the LEAP VPN; check from a device connected to each of the two wifis with mtr or traceroute.
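The checks in this section (ip a, ip rule, ip route show table vpn, ping) are the ones that decide whether tunnel clients really go through the VPN, and they are easy to skip by hand after a reboot or a certificate renewal. The script below is an added example, not part of the original guide or of LEAP, that encodes them as a POSIX shell script runnable on the router. The values it assumes (interface leap, bridge br-tunnel, gateway 10.41.0.1, network 10.41.0.0/21) are taken from the guide's example session and can be overridden through the environment. Each check function takes the command output as text, so the same logic also runs against saved output. Two points it makes explicit: the iif br-tunnel rule is not created by route-up.sh (the guide adds it by hand), and the unreachable default route that route-up.sh puts in table vpn is what keeps br-tunnel clients from falling through to the WAN when the tunnel has no route, so its absence is treated as a failure.

```shell
#!/bin/sh
# leap-check.sh: verify the policy routing that route-up.sh and the manual
# steps in the guide are supposed to leave behind (added example, not part of
# the original guide). Assumed values come from the guide's example session.
VPN_IF=${VPN_IF:-leap}
VPN_BRIDGE=${VPN_BRIDGE:-br-tunnel}
VPN_GW=${VPN_GW:-10.41.0.1}
VPN_NET=${VPN_NET:-10.41.0.0/21}

# tunnel_addr TEXT: print the IPv4 address from `ip -4 addr show dev leap` output
tunnel_addr() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*inet \([0-9.]*\)\/.*/\1/p' | head -n 1
}

# check_rules ADDR TEXT: 0 if `ip rule` text has both rules that send traffic
# to table vpn: the tunnel's own address and everything entering from br-tunnel
check_rules() {
  printf '%s\n' "$2" | grep -q "from $1 lookup vpn" || return 1
  printf '%s\n' "$2" | grep -q "from all iif $VPN_BRIDGE lookup vpn" || return 1
}

# check_table TEXT: 0 if `ip route show table vpn` text has the two half-default
# routes via the VPN gateway, the VPN subnet, and the unreachable default that
# stops br-tunnel clients from leaking to the WAN when the tunnel has no route
check_table() {
  printf '%s\n' "$1" | grep -q "^0\.0\.0\.0/1 via $VPN_GW dev $VPN_IF" || return 1
  printf '%s\n' "$1" | grep -q "^128\.0\.0\.0/1 via $VPN_GW dev $VPN_IF" || return 1
  printf '%s\n' "$1" | grep -q "^$VPN_NET dev $VPN_IF" || return 1
  printf '%s\n' "$1" | grep -q "^unreachable default" || return 1
}

# repair_commands: the fix-up the guide gives when the table only holds the
# "dev leap scope link" halves; printed rather than executed so you can review it
repair_commands() {
  cat <<EOF
ip route del 0.0.0.0/1 table vpn
ip route del 128.0.0.0/1 table vpn
ip route add 0.0.0.0/1 via $VPN_GW dev $VPN_IF table vpn
ip route add $VPN_NET dev $VPN_IF table vpn
ip route add 128.0.0.0/1 via $VPN_GW dev $VPN_IF table vpn
EOF
}

# vpn_check: run all checks against the live router state
vpn_check() {
  addr=$(tunnel_addr "$(ip -4 addr show dev "$VPN_IF" 2>/dev/null)")
  if [ -z "$addr" ]; then
    echo "no IPv4 address on $VPN_IF: is openvpn running?"; return 1
  fi
  if ! check_rules "$addr" "$(ip rule)"; then
    echo "policy rule missing; if it is the bridge rule, run:"
    echo "ip rule add from all iif $VPN_BRIDGE lookup vpn"; return 1
  fi
  if ! check_table "$(ip route show table vpn)"; then
    echo "table vpn is incomplete; review and run:"; repair_commands; return 1
  fi
  if ping -c 3 -I "$addr" 1.1.1.1 >/dev/null 2>&1; then
    echo "VPN ok: ping from $addr through $VPN_IF works"
  else
    echo "ping from $addr failed: tunnel is up but carries no traffic"; return 1
  fi
}

# Usage on the router: sh leap-check.sh run
case "${1:-}" in
  run) vpn_check ;;
esac
```

Run it once while startopenvpn.sh is in the foreground and again after /etc/init.d/openvpn start, as the guide asks; a second failure after openvpn has been started by the init script usually means route-up.sh did not run (check script_security and the route_up path in /etc/config/openvpn).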