Why your brand new router may cause your VoIP to stop working

 

Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog.
I quote directly from Voip-Info.org:

Many of today’s commercial routers implement SIP ALG (Application-level gateway), coming with this feature enabled by default. While ALG could help in solving NAT related problems, the fact is that many routers’ ALG implementations are wrong and break SIP.

The article goes on to explain why the implementation is broken, and how to disable it in several brands of routers.  Certain VoIP adapter manufacturers also recommend disabling this feature if you are having problems with SIP registration, not being able to receive a call or one-way audio.  But note that this issue can affect any type of SIP-based communications, regardless of hardware or software used.

EDIT (May, 2018): For information on another issue that may cause problems when you switch routers, see this DSLReports thread: SIP registration times.

A Perl script to send Caller ID popups from Asterisk to computers running Growl under OS X on a Mac or Growl for Windows

 

Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog.
Notice
EDIT March, 2014 and August 2020: If you are running OS X Mavericks or later, or any version of MacOS we recommend that you do NOT use the script shown here, but instead send notifications to a XMPP/Jabber account and use either Apple’s Messages app (formerly iChat) or a third party messaging program such as Adium to receive them, since the message will then display in the Notifications Center and you do not need Growl. See How to send various types of notifications on an incoming call in FreePBX for more information. You may also find this thread on the RasPBX forum useful.

What follows will probably not work on ANY currently supported version of MacOS and is left here as a historical reference only.

Quite some time ago, I wrote a post explaining how you could poll a Linksys or Sipura VoIP adapter or phone once per second, and whenever there was an incoming call, generate a notification popup on your computer, if you have the Growl notification service installed.  However, that method doesn’t work if you’re not using a Linksys or Sipura phone or device.

If you are running Asterisk, there’s another way to do it, and that’s to get Asterisk to send the notifications directly. In order for this to work, the computer on which you want to receive the notifications has to be running Growl (under Mac OS X) or Growl for Windows. You must also configure Growl to receive network notifications. I will note here that if you are using a Mac and have never done that before, you may want to make sure that Growl network notifications work before proceeding, because it appears that under OS X, it’s pretty much a crap shoot whether Growl network notifications will work at all, and when they don’t the Growl folks apparently have no clue as to why they don’t. It seems to be a machine-specific thing – on some Macs they work fine, while on others they don’t work at all.

You must have the Perl language installed on your Asterisk server, and you must have the Net::Growl and Asterisk::AGI modules installed (I’m going to assume you know how to install a Perl module from the CPAN repository – if you have Webmin installed, it can be done from within Webmin). Chances are you already have Asterisk::AGI installed, unless you built your Asterisk server “from scratch” and never installed it, but if you’ve never installed Net::Growl you’ll need to do that first.

Next you want to copy and paste the following Perl script to the filename /var/lib/asterisk/agi-bin/growlsend.agi on your Asterisk server (to create a non-existent file, you can use the touch command, and after that you can edit it in Midnight Commander or by using the text editor of your choice). If this code looks somewhat familiar, it’s because it’s adapted from some code that originally appeared in a FreePBX How-To, which I modified.

#!/usr/bin/perl
use strict;
use warnings;
use Net::Growl;
use Asterisk::AGI;
my $agi = new Asterisk::AGI;
my %input = $agi->ReadParse();
my $num = $input{'callerid'};
my $name = $input{'calleridname'};
my $ext = $input{'extension'};
my $ip = $ARGV[0];

if ( $ip =~ /^([0-9a-f]{2}(:|$)){6}$/i ) {
    $ip = $agi->database_get('growlsend',uc($ip));
}

unless ( $ip =~ /^(d+).(d+).(d+).(d+)$/ ) {
    exit;
}

open STDOUT, '>/dev/null';
fork and exit;

if ( $ARGV[2] ne "" ) {
    $ext = $ARGV[2];
}

# Define months and weekdays in English

my @months = (
    "January", "February", "March", "April", "May", "June",
    "July", "August", "September", "October", "November", "December"
);
my @weekdays = (
    "Sunday", "Monday", "Tuesday", "Wednesday",
    "Thursday", "Friday", "Saturday"
);

# Construct date/time string

my (
    $sec, $min, $hour, $mday, $mon,
    $year, $wday, $yday, $isdst
) = localtime(time);
my $ampm = "AM";
if ( $hour > 12 ) {
    $ampm = "PM";
    $hour = ( $hour - 12 );
}
elsif ( $hour eq 12 ) { $ampm = "PM"; }
elsif ( $hour eq 0 ) { $hour = "12"; }
if ( $min < 10 ) { $min = "0" . $min; }
$year += 1900;

my $fulldate =
"$hour:$min $ampm on $weekdays[$wday], $months[$mon] $mday, $year";

# Next two lines normalize NANP numbers, probably not wanted outside of U.S.A./Canada/other NANP places
$num =~ s/^([2-9])(d{2})([2-9])(d{2})(d{4})$/$1$2-$3$4-$5/;
$num =~ s/^(1)([2-9])(d{2})([2-9])(d{2})(d{4})$/$1-$2$3-$4$5-$6/;

register(host => "$ip",
    application=>"Incoming Call",
    password=>"$ARGV[1]", );
notify(host => "$ip",
    application=>"Incoming Call",
    title=>"$name",
    description=>"$numnfor $extn$fulldate",
    priority=>1,
    sticky=>'True',
    password=>"$ARGV[1]",
    );

Also, if you want to be able to specify computers that you wish to send notifications to using MAC addresses rather than IP addresses (in case computers on your network get their addresses via DHCP, and therefore the IP address of the target computer can change from time to time), then you must in addition install the following Perl script. It requires a command-line utility caller arp-scan so install that if you need to – I used to use nmap for this but they changed the output format, making it harder to parse, and arp-scan is much faster anyway. Call it /var/lib/asterisk/agi-bin/gshelper.agi and note that there are two references to 192.168.0… within it that you may need to change to reflect the scope of your local network, if your network’s IP addresses don’t start with 192.168.0.:

#!/usr/bin/perl
use strict;
use warnings;
my @mac;
# Change the following lines to reflect the scope of your local network, if necessary
my @arp = `arp-scan --quiet --interface=eth0 192.168.0.0/24`;
foreach (@arp) {
        if (index($_, "192.168.0.") == 0) {
                @mac = split(" ");
                `/usr/sbin/asterisk -rx "database put growlsend \U$mac[1] $mac[0]"`;
        }
}

Make sure to modify the permissions on both scripts to make them the same as other scripts in that directory (owner and group should be asterisk, and the file should be executable), and also, if you use the gshelper script, make sure to set up a cron job to run it every so often (I would suggest once per hour, but it’s up to you).

Now go to this page and search for the paragraph starting with, “After you have created that file, check the ownership and permissions” (it’s right under a code block, just a bit more than halfway down the page) and if you are using FreePBX follow the instructions from there on out (if you are not using FreePBX then just read that section of the page so you understand how this works, and in any case ignore the top half of the page, it’s talking about a different notification system entirely).  But note that if you use the above code and have the gshelper.agi program running as a cron job, then after the first time it has run while the computer to receive the notifications is online you should be able to use a computer’s MAC address instead of the IP address.  This only works if you’ve used the modified script on this page, not the one shown in the FreePBX How-To.  As an example, instead of

exten => ****525,1,AGI(growlsend.agi,192.168.0.123,GrowlPassWord,525)

as shown in the example there, you could use

exten => ****525,1,AGI(growlsend.agi,01:23:45:AB:CD:EF,GrowlPassWord,525)

(the above is all one line) where 01:23:45:AB:CD:EF is the MAC address of the computer you want to send the notification to.  Once again, just in case you missed it the first time I said it, this won’t work until the gshelper.agi script has been run at least once while the computer to receive the notifications was online.  If for some reason it still doesn’t appear to work, run the nmap command including everything between the two backticks (`) directly from a Linux command prompt and see if it’s finding the computer (depending on the size of your network, it might be several seconds before you see any output, which is why I don’t try to run this in real time while a call is coming in).

If you are NOT running FreePBX, but instead writing your Asterisk dial plans by hand, then you will have to insert a line similar to one of the above examples into your dial plan, except that you don’t need the four asterisks (****) in front of the extension number, and if it’s not the first line in the context, you’ll probably want to use n rather than 1 for the line designator (and, you won’t be putting the line into extensions_custom.conf because you probably don’t have such a file; instead you’ll just put it right in the appropriate section of your dial plan).  In other words, something like this (using extension 525 as an example):

exten => 525,n,AGI(growlsend.agi,192.168.0.123,GrowlPassWord,525)

This line should go before the line that actually connects the call through to extension 525.  I do not write Asterisk dial plans by hand, so that’s about all the help I can give you. And if you don’t write your dial plans by hand, but you aren’t using FreePBX, then I’m afraid you’ll have to ask for help in whatever forum you use for advice on the particular software that you do use to generate dial plans, because I can’t tell you how to insert the above line (or something like it) into your dial plan.

Virtually everything in this article has already been published in one place or another, but I wanted to get it into an article with a relevant title and cut out some of the extraneous explanations and such.  There are links to all the original sources throughout the article, so feel free to follow those if you want more in-depth commentary.

Mini-review of Beginning OpenVPN 2.0.9 by Markus Feilner and Norbert Graf (Packt Publishing)

 

Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog. In order to comply with Federal Trade Commission regulations, I am disclosing that he received a free product sample of the item under review prior to writing the review, and that any links to Amazon.com in this article are affiliate links, and if you make a purchase through one of those links I will receive a small commission on the sale.
Cover of Beginning OpenVPN 2.0.9

I have previously reviewed the title, “Review of OpenVPN: Building and Integrating Virtual Private Networks by Markus Feilner“, and this is the updated and expanded version of that book. The publisher says that all examples in the book work with version 2.0.9 and 2.1 of OpenVPN. Since the original book was released in 2006, it was definitely due for an update!

Here’s what the publisher wants you to know about the book (my comments will follow):

In Detail

OpenVPN is a powerful, open source SSL VPN application. It can secure site-to-site connections, WiFi, and enterprise-scale remote connections. While being a full-featured VPN solution, OpenVPN is easy to use and does not suffer from the complexity that characterizes other IPsec VPN implementations. It uses the secure and stable TLS/SSL mechanisms for authentication and encryption. This book is an easy introduction to this popular VPN application. After introducing the basics of security and VPN, it moves on to cover using OpenVPN, from installing it on various platforms, through configuring basic tunnels, to more advanced features, such as using the application with firewalls, routers, proxy servers, and OpenVPN scripting.

This is a practical guide to using OpenVPN for building both basic and complex Virtual Private Networks. It will save you a lot of time and help you build better VPNs that suit your requirements. While providing only necessary theoretical background, the book takes a practical approach, presenting plenty of examples. It starts with an introduction into the theory of VPNs and OpenVPN, followed by a simple installation example on almost every available platform. After a concise and ordered list of OpenVPN’s parameters, we dive into connecting several machines in a safe way. The last third of the book deals with professional and high-end scenarios, and also mobile integration. After having read the whole book and followed and understood all the examples, you will be an expert in VPN, Security, and especially in OpenVPN Technology. This book was written for version 2.0.9 of OpenVPN, but all examples have been tested and run smoothly on version 2.1 too.
Read the full Table of Contents for Beginning OpenVPN 2.0.9

What you will learn from this book

  • Install OpenVPN on Windows Server, Vista, and Mac OS X and also on different Linux versions and FreeBSD
  • Learn basic security concepts necessary to understand VPNs and OpenVPN in particular
  • Take a look at encryption matters, symmetric and asymmetric keying, and certificates
  • Connect Windows and Linux systems and safely transfer the necessary encryption keys using WinSCP
  • Learn about OpenVPN, its development, features, resources, advantages, and disadvantages compared to other VPN solutions, especially IPsec
  • Discuss non-standard and advanced methods of installing OpenVPN by compiling the source code provided by the OpenVPN project
  • Create an encryption key for OpenVPN and use it to set up an OpenVPN tunnel between two Windows systems in the same network
  • Create X.509 server and client certificates for use with OpenVPN and learn how to use tools to debug and monitor VPN tunnels
  • Create and administer certificates that have to be transferred to the machines that are supposed to take part in the VPN
  • Configure two different firewall networks that connect to each other through the secure OpenVPN tunnel
  • Install and use XCA and TinyCA2 to generate certificate revocation lists that are used to block unwanted connections by formerly authorized clients
  • Install OpenVPN on Windows Mobile and Smartphones running embedded Linux, like Nokia’s Maemo platform
  • Analyze the flow of datagrams between the VPN servers and the connected networks with tools like ifconfig, ping, traceroute, and mtr

Approach

This book is an easy introduction to OpenVPN. While providing only necessary theoretical background, it takes a practical approach, presenting plenty of examples. It is written in a friendly style making this complex topic easy and a joy to read. It first covers basic VPN concepts, then moves to introduce basic OpenVPN configurations, before covering advanced uses of OpenVPN.

Who this book is written for

This book is for both experienced and new OpenVPN users. If you are interested in security and privacy in the internet, or want to have your notebook or mobile phone connected safely to the internet, the server in your company, or at home, you will find this book useful. It presumes basic knowledge of Linux, but no knowledge of VPNs is required.

Now back to my mini-review. If you read my original review (which explains why I think a VPN can be an important part of securing private VoIP networks, among other uses), you know that I found Mr. Feilner’s original book quite helpful in giving me a grasp on VPNs, a subject I’d known very little about prior to that point. There were a few things I thought could have been covered better, though, so I was interested to see if those things had been addressed in this updated edition.

As I had more or less noted, the author seemed to slightly prefer SuSE Linux over other versions of Linux, and the Shorewall firewall over other Linux firewall solutions, and (in my opinion) the new book still uses more pages than are really necessary talking about how to set up and configure Shorewall, but at least now the authors do provide some minimal information about the far more popular iptables firewall tool (a little over three pages). It would have been nice to see a more in-depth treatment of this subject, because sometimes setting up iptables correctly is one key to getting your VPN to work as you want it to, particularly if you need or want to do anything more complicated than a simple VPN tunnel. It’s a minor nit, to be sure, because there’s plenty of information on the web about how to set up and configure iptables, but I personally would have given that topic more than three pages.

Then I discovered they’d made one addition that I really wanted to see: A totally new chapter on OpenVPN GUI tools, and in particular, a section on Webmin’s OpenVPN plugin. My disappointment again was that this was not a more exhaustive treatment of the subject. Actually, it’s little more than a mention that the plugin exists, and a few screenshots.  Granted that this was more than appeared in the original volume, and just informing readers of the existence of that plugin is no small thing, but when I did my series on Setting up an OpenVPN tunnel using a CentOS-based system as the server and a router flashed with Tomato firmware as the client, it took me two parts to explain how to configure the Webmin plugin.  That same chapter also talks about some client GUI’s for Linux, but doesn’t spend more than a page or two on any of them.

I’m not really faulting the authors here — it’s very apparent that they write about what they know, and they definitely know their stuff when it comes to OpenVPN, whereas they may not be quite as familiar with Webmin or iptables.  That said, Windows users should find all the information they need to set up an OpenVPN tunnel and then some, and Linux newbies get enough information to at least point them in the right direction. As for Mac users, the coverage there is about the same as in the previous edition, which is to say that there’s about three pages on how to install Tunnelblick.  However, much of the information in the book is not OS specific, and those with some experience with Linux or OS X should have no trouble at all following along.

On a positive note, there are many examples and screenshots in the book, and in this one the screenshots are actually readable (well, I did need my reading glasses for a few of them, but then I’m getting to the point where I need my reading glasses to read the cooking directions on a frozen dinner!). And, the authors’ writing style is clear and easy to understand. Also, there’s a totally new (albeit relatively short) chapter on Mobile Security, which may be of interest to some of the “road warriors” out there.

So, my recommendation is this:  If you read Markus Feilner’s previous book on OpenVPN and liked it, you’re almost certainly going to want to read this one, just to get up to date.  If you didn’t read the previous edition but just want to get up to speed on OpenVPN, this really is one of the better books on the subject, provided that you understand that at times you may have to supplement the book with a bit of additional research on the Web, particularly if you are running OS X or Linux as your operating system (but at least you’ll have a much better handle on topics for additional research).

The reason this is a mini-review and not a full review is because due to personal/family issues I haven’t had time to do much more than skim through the new book, rather than give it a complete read as I normally prefer to do.  But since Packt Publishing kindly sent me the book over a month ago, I feel as though it’s a disservice to both them and to the readers of this blog to delay mentioning it any longer. Despite my comments about the paucity of additional pages on the particular topics I’d hoped to read more about, this is still a great book for those who need to set up and secure an OpenVPN tunnel, particularly if you’re just starting out and know next to nothing about VPNs and/or OpenVPN.

Beginning OpenVPN 2.0.9 by Markus Feilner, Norbert Graf (Amazon affiliate link)

How to use fiber optic cable for short runs between buildings (and why you should)

Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog.

Have you ever been in a situation where you want to extend a local network (or maybe an Internet connection) from one building to another that’s separated by some distance, say anywhere from several feet to a few hundred feet? Many people use wireless in this situation, and that’s a perfectly acceptable solution if it works, but it also brings with it a host of security issues. Any signal that is put into the airwaves is one that can potentially be intercepted, particularly if you’re not really familiar with wireless security. I’m not saying you should or should not use wireless, but I do know that some folks aren’t crazy about the idea. Also, there are distance limits on wireless links that can mean that no useable signal will be available where you want it.

Unfortunately, the only alternative to a wireless link between buildings is a physical link (if you ignore more esoteric alternatives that depend on both buildings getting their electrical service from the same power transformer) and there you have two choices, copper or fiber. Assuming you are going to bury a line between the two buildings, how do you know which to use?

I know there are people who would never recommend copper under any circumstances. The reason is that during electrical storms, there can be a difference in electrical potential between two buildings.  This can cause serious amounts of current to flow, especially if lightning strikes nearby, damaging equipment (and in an extreme case, possibly even starting a fire).  Even in cases where the equipment at the endpoints doesn’t seem damaged, the connection can turn very flakey after a lightning strike, with very high packet loss.

The only situation where you might get away with running underground Cat5e (or Cat 6, if you can find it) is to a very nearby building, and then only if you put very good approved lightning protection at both ends of the cable.  The further away the building, the more important that the lightning protectors become (and if the buildings get electrical power from different sources, such as different electrical transformers, then the lightning protection becomes even more essential), and of course good lightning protection costs money.  And even then, if lightning hits very close, it can fry the lightning protectors, meaning the Internet connection will likely be out of service until you can obtain and install replacement protectors.

One other problem to note:  You have probably heard that the theoretical maximum distance for a run of Cat5e/6 cable on a wired network is 100 meters.  That may be true indoors, in a dry environment.  It’s not always true when the cable runs underground and/or is partially exposed to outdoor climatic conditions.  On a run that’s close to the theoretical maximum in length, you may find that a connection that works beautifully during the cold winter months suddenly starts showing high packet loss during the heat and humidity of summer.

The alternative to Cat 5e/6 cable is fiber optic cable.  Fiber is a great alternative because it uses glass fibers rather than copper wire to carry the signals.  Since glass doesn’t conduct electricity, the only way lightning could ever affect it is in a direct strike, where it heats the ground so hot that the glass melts (this actually occasionally happens in areas with sand dunes, where the lightning creates glass sculptures by melting the sand into glass, but it’s very unlikely to happen on regular flat land).

The trouble with trying to use fiber is that just about everyone with any networking experience knows how to use Cat 5e or Cat 6 — you just plug it in to your equipment at each end, or if it doesn’t have plugs then you either use a tool to attach them, or your bring the wire to a modular jack and use a punchdown tool to make the connections (some lightning protectors have punchdown terminals as well).  You can cut the cat 5e or 6 cable to the exact length you need. It’s something many people are familiar with, whereas fiber may as well have been pulled out of an alien spacecraft for all anyone (outside of those in the telecommunications industry) seems to know about it.  If you go searching for pages on the Internet explaining how to install a fiber link between two buildings, good luck in finding anything useful!

Part of the probable reason there aren’t too many general how-tos on the subject is that there are so many variables — there are many types of fiber available, each of which is good for certain specific uses, with many different types of end connectors.  And then you need equipment at each end to connect the fiber to the wired network, and you can’t just run down to the local office supply or big box electronics store to find that. But don’t despair, because I’m going to tell you one way to set up a short range fiber optic link. The caveat here is that I am by no means an expert on this — I’ve been involved in an installation ONCE, but I learned a lot in the process.  Still, if you have questions that aren’t answered on this page, I’m probably not the guy to ask. But I figure that if you’re searching for online information on the subject, any information is better than none!

So let me start by telling you some things you need to know about fiber optic cable:

This fiber still worked! (Photo credit: Paul Timmins)
This fiber still worked! (Photo credit: Paul Timmins)

It comes in two varieties (that you are likely to encounter), singlemode and multimode.  Singlemode fiber usually has a yellow jacket (plastic coating, like the insulation on a copper wire) whereas multimode cable generally has an orange jacket.  For most short run applications (by that I mean distances measured in meters or feet, not kilometers or miles) you’ll use a paired multimode fiber (two fibers side by side, in a jacket that looks a bit like the type of electrical cord used with a table lamp, except the jacket is bright orange and it’s a lot smaller). If you’re a phone or cable company (or connecting to one) then you might have occasion to work with singlemode, but that’s not what we are talking about here. Singlemode is a lot more fragile than multimode – you can do this (photo at right) with multimode and it will probably still work (although anything remotely close to this tight of a bend is definitely NOT recommended – remember this is glass fiber that you’re bending, and if it breaks the cable becomes worthless!)

EDIT by TechNotes editor (March, 2021): Although the above paragraph was true when it was originally written, times change and now the orange jacketed cable, technically designated as OM, OM1, or OM2 cable, is basically obsolete. Nowadays you should probably be buying at least OM3 cable, or OM4 cable or OM5 cable if you can get it, which comes in different colors. More on that in a bit.

You can’t cut and splice fiber (unless you buy some really expen$ive supplies and equipment, and learn how to use them).  You buy the length you need, with the connectors at each end already attached.  If it’s too long, you coil up the excess (not TOO tightly) but you never cut it nor try to splice it, unless you have the specialized equipment that allows you to do so. If a cable is too short and you need to extend it, you can use a device called a fiber optic coupler (instead of “coupler” it may also be referred to as an “adapter” or “joiner”) which is a small plastic device that simply joins two fiber cables together so that the light from one travels into the other. These contain no electronics and therefore are very inexpensive, and can be used in just about any dry location, but there is a small amount of insertion loss that generally won’t matter unless you have an exceptionally long run of fiber or you use too many of them in one fiber run. There are both singlemode and multimode versions of these devices.

At each end, the fiber plugs into a device called a media converter. The media converter (or the SFP module that plugs into the converter — more on that in a moment) contains a laser, and a receiver.  It transmits on one fiber of a pair, and receives on the other.  The one thing you must never do, if you value your eyesight, is look into the laser while the unit is operating.  That also means you can’t plug a fiber cable into the media converter, then look into the other end of the fiber to see if it’s working.  If you think you might forget this important safety precaution, just try to remember that not looking into the laser is as important as not touching a live electrical line — and if that doesn’t scare you, take a course in reading Braille, because you’re probably going to need it.

It’s also possible to buy gigabit switches that can directly accept fiber.  This eliminates the need for a separate media converter at one or both ends, but such switches tend to be a bit on the expensive side, although they also tend to offer more ports than most typical home switches (24 ports, for example).  But there is sometimes a cost in terms of power consumption – for whatever reason, standalone media converters often tend to draw far less power than switches that have fiber ports.  EDIT by TechNotes editor: As time marches on the prices of these are starting to drop AND the speeds of both the ports are increasing.  For example, TRENDnet now offers a 9-Port Unmanaged 2.5G Switch, which includes one 10 GB SFP+ Port and eight 2.5 GB Ethernet ports, and it has been spotted for as low as $89.99 on a Black Friday sale.  That price does not include a 10GBASE-SR SFP+ Multi Mode LC Module (model TEG-10GBSR) which supports distances up to 300m (984 feet), which will set you back an additional $30 or so.  Back when this article was originally written, you paid more than that for just a standalone media converter and SFP module, and you only got 1 GB speed!

Fiber is somewhat fragile, and it can break (and be rendered useless) if it is subjected to too much strain.  You can’t just pull it over a very long length without taping it to something else (that you’ll also be pulling) at regular intervals to relieve the strain. You can buy special, relatively inexpensive network pull string for the purpose, or if you don’t have any of that you can use any high tensile strength string (not twine, it breaks too easily, and avoid stretchy string because that sort of defeats the purpose – you want the string to help pull the fiber, not the other way around). The fiber I’ve seen needs to be inside something to protect it (no direct burial) – you can use cheap irrigation pipe for the purpose, as long as it’s large enough for the connectors at the ends to pull through (don’t try to be thrifty and undersize the pipe, but at the same time realize that fiber with the small LC connectors has plenty of room inside a standard one inch irrigation pipe, assuming you’re not pulling several multiple fiber pairs or other wires and cables). Also, you should use pulling lubricant on long pulls to prevent damage to the fiber jacket.

EDIT by TechNotes editor (March, 2021): Once again, the above was true when originally written, but now you can buy cable that is designated as “Outdoor Armored Duplex Fiber Optic Cable” that is not nearly as fragile as the orange stuff.

When you buy the fiber, it will have connectors attached at each end (at least it had better have, if you want to actually use it — don’t buy bulk cable that doesn’t have the connectors attached!).  These connectors usually have two-letter designations.  Popular types are LC (the smallest you’re likely to encounter, which makes it very popular these days), SC, and ST. The media converter (or switch) has to be able to accept the type of connectors your cable has. If your media converter has an ST connector and the cable has LC connectors, you’re out of luck.  Sometimes you can buy cable with different connectors on each end, so be careful that it matches your media converters. If you find that your cable has one type of connector and your media converter expects another, you may be able to use a fiber optic coupler/adapter and then a very short fiber cable (sometimes referred to as a patch cable) that has the two different types of connectors on the two cable ends. So for example, if your cable is a duplex multimode type that has LC connectors but your media converter accepts ST connectors, you would need a LC-LC duplex multimode fiber optic cable adapter/coupler and then a LC to ST duplex multimode fiber patch cable. You just need to make sure that the patch cable has the same specifications as the cable you are trying to join it to.

If you want to know more about fiber on a technical level, see the Reference Guide To Fiber Optics.

SFPs and GBICs

According to Wikipedia:

A gigabit interface converter (GBIC) is a standard for transceivers, commonly used with Gigabit Ethernet and fibre channel. By offering a standard, hot swappable electrical interface, one gigabit ethernet port can support a wide range of physical media, from copper to long-wave single-mode optical fiber, at lengths of hundreds of kilometers.

The appeal of the GBIC standard in networking equipment, as opposed to fixed physical interface configurations, is its flexibility. Where multiple different optical technologies are in use, an administrator can purchase GBICs as needed, not in advance, and they can be the specific type needed for each link. This lowers the cost of the base system and gives the administrator far more flexibility. On the other hand if it is known that a switch will mostly have one port type (especially if that port type is copper) purchasing a switch with that port type built in will probably be cheaper and take up less space per port.

The GBIC standard is non-proprietary and is defined by the SFF Committee in document # SFF-8053i.

A variation of the GBIC called the mini-GBIC or SFP exists as well. It has the same functionality / modularity but in a smaller form factor.

(Source)

and

The small form-factor pluggable (SFP) is a compact, hot-pluggable transceiver used for both telecommunication and data communications applications. It interfaces a network device mother board (for a switch, router, media converter or similar device) to a fiber optic or copper networking cable. It is a popular industry format supported by several network component vendors.

SFP transceivers are designed to support SONET, Gigabit Ethernet, Fibre Channel, and other communications standards. The standard is expanding to SFP+ which will be able to support data rates up to 10.0 Gbit/s (that will include the data rates for 8 gigabit Fibre Channel, and 10GbE. SFP+ module versions for optics as well as copper are being introduced. In comparison to Xenpak, X2 or XFP type of modules, SFP+ modules leave some of the circuitry to be implemented on the host board instead of inside the module.[1])

(Source)

Okay, in case you weren’t following along, a mini-GBIC, also known as a SFP, is a module that plugs into a media converter or a compatible switch.  What this means to you is that you can buy a media converter, then plug in the SFP that matches the type of fiber and connectors that you have.   So let’s say you have fiber with LC connectors – you get a SFP with LC connectors to match.  Now suppose that at some point you need to replace that fiber with some that has ST connectors – you don’t have to throw out the entire media converter or switch, but instead you just get a new SFP.  Not all media converters accept SFP’s, but many of the newer ones do.  Also, not every manufacturer’s SFP will work with every media converter – if you buy an SFP you have to make sure it’s compatible with the media converter (or switch) that you own. It has become increasingly common to find fiber media converters sold with a compatible SFP as a bundle. (EDIT by TechNotes editor: Now there is an additional consideration:  SFP+ ports and modules have become more common, so you have to make sure that if your media converter or switch has a SFP+ port, you use a SFP+ module with it.)

If you go the SFP route, you have to make sure of three things:  That the connectors match the connectors on your fiber cable, that it’s intended for use with multimode rather than single-mode fiber, and that it’s for intermediate or short reach use (IR or SR — you may also find the designation SX or 1000Base-SX used to indicate a short to intermediate range SFP).  In particular, you don’t want one with long reach optics because unless you use fiber attenuators you’ll overload and probably burn out the receiver at the other end (also, there’s a much greater chance of eye damage if you accidentally glance at the laser). To give you an idea of the difference, the short range optics are generally specified for runs up to a few hundred meters in length, while long range optics have distances specified in kilometers (sometimes as much as 80 km or more!).

So lets say that you want to run a fiber optic cable between two buildings that are a reasonably short distance apart — what do you need?

The first thing you need is a pipe or conduit of some kind between the two buildings.  Irrigation pipe (the stuff you find at any home improvement store, or anyplace that sells underground lawn sprinkling supplies) is fine – remember you aren’t running anything electrical if all you are running is a fiber cable! The main thing is that the pipe or conduit that you use should be relatively smooth inside to minimize pulling resistance. Try to keep bends in the pipe to an absolute minimum. And yes, the pipe could be above ground as long as it’s sunlight resistant and not in a place subject to physical damage (but be aware that black pipe could get VERY hot in direct sunlight, so keep it out of the sun if at all possible). The purpose of the pipe or conduit is to protect the fiber. The pipe must be large enough for the connector (at the fiber cable’s end) to fit inside, with space to spare. If you have to splice sections of pipe together, the connectors may have a smaller inner diameter, so plan accordingly – you don’t want to get halfway through a pull and realize that the diameter at the splice point is too small to continue!

This article isn’t about burying pipe, but I will just suggest that you think about routing it far away from anyplace that people might be digging in the future, if at all possible — and if that’s not possible, then consider burying it as deep as possible, to minimize risk of backhoe failure (or on a farm, of getting plowed up!).

You need network pull string and electrical tape.  The string must be longer than the fiber cable – if it’s twice as long then you could pull just the string through the pipe to use for pulling (a good shop vac and a small wad of paper tied to the end of the string is often enough to get the string started through the pipe), and still have enough left on the far end to tape the fiber cable to the string for the entire length. Do that every few feet, making sure that there’s a little slack in the fiber (not too much) when the string is pulled tight. Be sure to tape the leading end of the fiber connector (with the protective cap on) firmly to the string so it can’t try to flip over or do something equally undesirable during the pull. Note that if you are also pulling any kind of wire through the pipe on the same pull, you could tape the fiber to the wire rather than a string, assuming the wire is strong enough to not stretch during the pull.

EDIT by TechNotes editor (March, 2021): For short runs of cable that is designated as “Outdoor Armored Duplex Fiber Optic Cable” you may not need the pull string and tape, since that cable is less fragile than the orange fiber cable referenced in this article. But for longer runs, or if your pipe or conduit is undersized, I’d still consider using the pull string and tape, to avoid putting too much tension on the cable.

You need pulling lubricant — any electrical supply store sells this stuff. But note that this stuff can dissolve the adhesive on electrical tape (we found this out the hard way), so when you tape the cable to the string, try not to leave the adhesive side exposed.  The trouble is that to really do it right you should use plenty of pulling lubricant, yet at the same time if you do, if you taped carelessly then you may have issues with the tape not holding as it should. That’s not a reason to apply less lubricant, but rather a reason to use a little extra tape and to make your tape wraps nice and tight, so the lube can’t get between the layers of tape (especially at the very start of the pull).

We used some blue gel stuff called Ideal Aqua-Gel II and used a paintbrush to apply it liberally to the fiber cable, after first using a funnel to dump some down the pipe. You can get a gallon pail of this stuff for between $15 and $20 at most electrical supply stores (the places the electricians shop), though you might wind up with another brand. We found that a gallon was really excessive, we could have easily got by with a quart of the stuff (on a 100-meter pull). On the other hand, it was much easier to dip a paint brush into the gallon pail, then slop it onto the fiber cable and down the pipe. You really don’t want to be stingy with it, since friction in the pipe can damage the fiber jacket.

EDIT by TechNotes editor (March, 2021): If you are using cable that is designated as “Outdoor Armored Duplex Fiber Optic Cable” and the run is short, you may not actually need the pulling lubricant, but it is always a good idea to reduce friction.

You need the fiber cable itself.  The type of multimedia fiber cable that we are talking about here comes on a ridiculously small spool (and to me, it always looks larger in photos than it really is, which for years led me to think that it wouldn’t fit through the existing pipe that was used in this situation) — this is what 100 meters of dual fiber looked like before the bubble wrap was removed:

Fiber cable with LC connectors
Fiber cable with LC connectors

The fiber we used was described as “Advanced Interconnect 100 Meter LC-LC Duplex MultiMode Fiber Optic Cable. This Advanced Interconnect cable part number 038-001-964 REV A. Cable is 50/125 OFNP Micron Fiber.” It was obtained from eBay seller isellcables. If you are wondering what a dual LC connector looks like, there is a good photo here. Note that the connector comes with a protective cap, which should be left in place during the pulling process.

EDIT by TechNotes editor (March, 2021): As mentioned earlier, this orange jacketed fiber cable is now considered old technology. What you probably want to use is cable designated as “Outdoor Armored Duplex Fiber Optic Cable” and OM3 or better. Strictly as an example (this is not a recommendation), in 2021 Amazon sells a product called Jeirdus 100Meters 328ft LC to LC 10G OM3 Outdoor Armored Duplex Fiber Optic Cable Jumper Optical Patch Cord Multimode 50/125 100M LC-LC for $128, with other lengths from 5 meters to 300 meters available. Something like that would definitely be preferable to the unprotected orange jacketed cable for outdoor runs, although I would note that because the cable is armored that means it could conduct electricity, even though the fiber connections at each end would still be electrically isolated. For additional electrical isolation you could add a length of unarmored cable at each end, using a LC-LC duplex multimode fiber optic cable adapter/coupler to join the cables together, but you would need to make sure the fiber optic cables you are joining have the same specifications (in particular, don’t connect singlemode to multimode cable).  In case you are wondering, if you have already run the older technology fiber and now want to upgrade (from a 1 GB to a 10 GB connection, for example) you probably don’t need to run new fiber as long as the old stuff is still in good physical condition.  The old orange-jacketed fiber cable seems to handle 10 GB just fine, though there may be unique situations where that is not the case.

You need a couple of fiber media converters, one for each end, and if they use SFP modules you’ll need a couple of those as well.  They look like this:

Fiber media converter
Fiber media converter
Fiber media converter
Fiber media converter

Notice (if you can actually see it in these photos) that the fiber cable is plugged into the SFP module, which in turn is plugged into the media converter — here’s an enlarged and enhanced closeup, where you can just see the end of the SFP (the small chrome part) sticking out of the media converter:

Fiber connects to SFP module, inserted into media converter

This media converter was described on eBay as “Gigabit Fiber media converter multimode MM, 1000Base SX” and “The FIB1-1000ES MM is a Gigabit Ethernet copper to multimode 850nm LC connector fiber media converter. It has an SFP (Small Form Pluggable) slot occupied by an MM 850nm multimode module, Ethernet 1000Base-SX compatible. The Copper interface is an auto negotiating 10/100/1000 BaseT RJ45 interface with auto MDI/MDI-X detection. …” I would point out that it’s important that it actually says 10/100/1000 BaseT if your network runs at anything less than 1000BaseT speeds, because not all media converters will handle multiple speeds or speed conversions. As Paul Timmins told me, “it’s VERY possible for something to ONLY support Gigabit. When you get down to media converter territory, the reason they get cheaper is they have less guts to convert stuff between 1000T and 100T (you need buffers, ability to send gigabit pause frames when your buffers are full, etc).”

EDIT by TechNotes editor (March, 2021): As time has passed newer equipment has become available that can handle speeds up to 10 Gigabits. That may be serious overkill for most home users, but if you are doing heavy video editing or anything else that produces very large files, you may want to look into the higher speed equipment.

As it happened, this eBay sale included a LC SFP with each converter, so those didn’t have to be purchased separately. The seller on these was sales_fo4all. If you search on Amazon or eBay using a phrase such as Fiber Media Converter LC Multi-Mode you should be able to find something similar, possibly at a better price than what we paid.

Below is an individual SFP in its packaging – you can’t see the model number but it’s SFM-7000-S85, which is described as a “1000Base-SX, multi-mode, 550m, 850nm SFP transceiver” and additionally, that “The capacity of SFM-7000-S85 module is 1.25Gbps (Gigabit rate). The transceiver extended range allows operation on either 50/125um or 62.5/125um multi-mode fiber for up to 550m distance. (Note: for 62.5/125um fiber, maximum operating distance is only 275m).” Since our cable was the 50/125 stuff, we could have gone a much greater distance (about 1800 feet) if necessary, and if we’d had a cable that long! In the picture below, the black part on the left is a small protective cap that is removed before you plug in the fiber cable.

SFP module
SFP module

A better picture of a SFP module can be found here.  If you are observant, you may note that both the fiber converter and the SFP module shown above are made by the same company (CTC Union Technonlogies in this case).  You may wonder, as I did, if you can use one manufacturer’s SFP with a different manufacturer’s media converter or SFP-compatible switch.  According to Paul Timmins, “they’re theoretically universal but there’s absolutely nothing preventing them from vendor lockin (they’re active devices with internal serial numbers, etc, that help negotiate the capabilities of the optics with the device itself, and many vendors will refuse to work with another vendor’s GBIC/SFP).”  I’m also told that a certain big name networking equipment manufacturer takes measures to prevent you from using competitor’s SFPs (which can often be overridden with undocumented commands). So if at all possible, when buying new equipment try to buy the media converter and SFP module as a matched set, or failing that, make sure that both the media converter and the SFP module come from the same manufacturer (unless there is some guarantee of compatibility, or the cost difference is great enough that you are willing to take the gamble that it will work). Then all you have to worry about is whether the SFP has the correct connectors to match your cable, and whether it’s the correct power level for the range you are using (again, don’t get anything that’s rated for use with cables of multiple kilometers in length, unless your cable really is that long!).

After you pull the fiber cable, connecting everything up is fairly straightforward. The SFP plugs into the media converter or switch, and the fiber cable plugs into the SFP. You then simply connect the media converters to your existing network at both ends using a Cat 5e or Cat 6 patch cable. Then apply the power to the media converters at both ends (if you don’t apply the power until everything is plugged in, you can’t accidentally look into the laser!).

If you happen to get the type of media converters shown above, you may notice that there are dip switches on the unit.  There are for manually setting the port speed, and full or half duplex mode.  We left these in the factory default position (all up, which is indicated as “UDP/NWAY” mode) and it works fine. Another thing you might wonder is whether you can connect a computer directly to the media converter at the distant end of the connection, and of course the answer is yes, though many people will prefer to connect a switch so that multiple devices can be used. And remember, you do have the option to buy a switch that accepts one or more SFP modules directly, which may mean you won’t need the standalone media converter at that end — but before you do, check the power requirements.  As mentioned above, I found that such switches tended to be a bit power-hungry compared to the standalone media converters shown above.

What about the cost?

The upfront cost of running fiber is more expensive than using Cat 5e or Cat 6 underground, although if you add in the cost of good lightning protection at both ends (or replacing equipment that gets fried by lightning if you don’t use great lightning protection) then the cost difference is less significant. Today you can get 100 meters of fiber optic cable on eBay for about $80, including USPS Priority Mail shipping. The media converters and SFPs are still the expensive items — as I write this, they are going for $127 per set (media converter and SFP) on eBay, plus shipping. Add in the price of incidentals (pipe or conduit, pulling lubricant, network pull string) and you can expect to pay around $400 or perhaps a bit more for a 100-meter run (less if you can re-use existing pipe or conduit, more if you have to pay someone to dig a trench or otherwise run the cable through a difficult place). Of course you would have these same costs when running Cat 5e or Cat 6 underground, except for the media converters, so as a rough rule of thumb the price difference is the added price of the media converters and SFPs, minus the cost of the excellent lightning protection that you won’t need because fiber optic cable doesn’t conduct electricity.

EDIT by TechNotes editor (July, 2020 and March, 2021): It has taken years for prices to drop on these units but it appears the shift toward lower prices has finally begun. Amazon now sells some fiber media converters and SPF’s at significantly lower prices, for example you can get a Gigabit Ethernet Multi-Mode LC Fiber Media Converter (SFP SX Transceiver Included), up to 550M, 10/100/1000Base-Tx to 1000Base-SX from Amazon for under $40 at the time of this edit. We have not tested this item, but think it would work in the same way as the media converter and SPF shown above. Be sure to read the reviews before buying any item, since you probably don’t want to buy units that have a tendency to fail after a few weeks or months of use. You can also now buy fiber media converters and SPF’s rated at 10 Gigabits, though as you may expect the prices for those will be higher. And also, switches that directly accept SPF’s (eliminating the need for a separate standalone Fiber Media Converter) are now starting to become more common, as mentioned earlier you may now be able to obtain a switch with eight 2.5 GB Ethernet ports and one 10 GB SPF+ port for under $100 if you buy it when it is on sale.

And it finally looks like the price of fiber optic cable has started to fall just a bit as well, a 100 Meter Multimode Duplex Fiber Optic Cable (50/125) – LC to LC – Orange purchased from Amazon will run you just a bit under $65, and you may even be able to find better deals than that on eBay or from some other source. But as noted above, you would probably be much better off to use cable that is designated as “Outdoor Armored Duplex Fiber Optic Cable” which although a bit more expensive, should be far more resistant to damage, and will probably last longer. And even if you don’t go the armored cable route, if you are running new cable you would do well to consider avoiding the older technology orange cable shown in this article, in favor of cable designated as OM3 or OM4, or better if available (but if you already have the older stuff you don’t necessarily need to replace it). (End of edit.)

I figure that in practice, the fiber install will cost anywhere from about the same amount to an extra $150 compared to an equivalent Cat 5e/Cat 6 install (again, we’re talking a 100-meter run here), but it will be worth it the next time you have an intense electrical storm nearby and realize that you’re probably not going to lose a lightning protector, computer, or router because of a surge coming in over the network cable.  It will also be worth it if the run is long enough that every hot and humid day results in a degraded connection when using Cat 5e or Cat 6 underground.

I do expect that the use of fiber will become more common in the future, since we will want ever-faster connections and there is a theoretical maximum on connection speed using copper.  At some point, I expect the prices of fiber equipment to fall (the day they start selling it in the big office supply chain stores is the day you will see the price drop to more reasonable levels). But for now, the prices aren’t that unreasonable (especially compared to a few years ago). By the way, if you want to be the next millionaire, design a system that allows people to reliably attach their own connectors to bulk fiber cable, and that sells for under $100. It’s ridiculous that anyone should have to pay four-figure sums just to be able to attach ends to fiber cable.

One other thing I think would help with fiber acceptance is to make an ultra-strong fiber cable that’s designed for difficult pulls – something with enough integral strength that you could pull the cable itself and not have to worry about breaking the glass fibers, and with a thick enough and tough enough jacket to withstand pulls over rough or uneven surfaces.  Basically, fiber cable that could take a lot of abuse without breaking (not that the stuff we used is all that fragile, but still, it would be nice to not have to worry that it can be easily damaged, especially when you’re paying around sixty to seventy bucks for a 100-meter roll).

Thanks and acknowledgements

I want to thank Paul Timmins (the creator of the very useful TelcoData.us Telecommunications Database) for his help and patience in helping me understand all this stuff.  This article could not have been written without his assistance.  Also I want to thank my oldest son, who probably doesn’t want me to mention him by name, for his help and for letting me photograph some of the components in a recent installation.

My purpose in writing this article was to try and help de-mystify some aspects of using fiber optic cable in place of Cat 5e/6 for runs between nearby buildings. Again, I am NOT an expert in this, and I may have left some questions unanswered.  If you have questions or need clarification on some point, or if you see where I’ve made a glaring error, feel free to leave a comment. If I don’t respond, it probably means that I don’t know the answer, but maybe someone else with more expertise than I will chime in and help.

Setting up an OpenVPN tunnel using a CentOS-based system as the server and a router flashed with Tomato firmware as the client – Part 4

 

Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog. The link to Amazon.com in this article is an affiliate link, and if you make a purchase through that link I will receive a small commission on the sale.

Continued from Part 3

If you have set up an OpenVPN server on your system and are using it regularly, eventually you are going to want to trim the log file. Webmin actually makes that easy. Simply click on System, then Log File Rotation. You should see a bunch of existing log file rotation rules. Up near the top of the page there’s a line that reads:

Select all. | Invert selection. | Add a new log file to rotate.

Click on Add a new log file to rotate. You should get a page that looks like this:

Webmin Log File Rotation - Add New File page
Webmin Log File Rotation - Add New File page

The main thing here is to get the correct log file path into the topmost text area. The path will be something like:

/etc/openvpn/servers/servername/logs/openvpn.log

I generally keep all the default settings except for these two:

Rotate even if log file is empty? (I set to No)
Ignore log file if missing? (I set to Yes)

But you can do as you wish. The important thing is to make sure that the log isn’t simply allowed to grow forever Set it up as you like, click Create, and you’re through.

And now a note for FreePBX and Asterisk users.  When setting up an extension, if you use the permit and deny fields to enhance security, the correct way to fill these out may not be intuitive. For example, if you do sip show peers from the CLI, an extension at the client end of the tunnel may show up with an address in the range of addresses assigned by the client router (such as 192.168.5.x) and yet when you fill out the permit field, using that address may not work.  Asterisk’s log file will generally tell you the address it wants to see, and in our case that was 10.8.0.10! No, I don’t know why, but just wanted to give you a “heads up” on that one.

Deny and Permit fields from FreePBX extension page
Deny and Permit fields from FreePBX extension page

I had mentioned in Part 3 some of the things that needed to be done if, from machines on the server side of the VPN tunnel, you wanted to be able to access machines at the client network (where the router with the Tomato firmware is located) that are on the WAN port side of the router.  Bear in mind that anything connected to one of the LAN ports on the router is considered to be part of your VPN, but sometimes you might wish to access a machine or device (such as an “upstream” router) on the WAN side of the router with the Tomato firmware. To do this, you need to add the route to the WAN side network in the server configuration (in the “up” and “down-pre” script sections at the bottom of the Webmin server’s configuration page, using an additional “route add” and an additional “route delete” statement), and then on the client configuration page you must add an additional iroute statement – all of those take the same format as the lines you added to access the network on the LAN side of your client.  At that point, you can access machines on the WAN port side of the Tomato router, but it’s not reciprocal – they can’t access machines on the server side.

Now, I need to make an important distinction here – I’m talking about machines connected to the WAN side of the Tomato-firmware router.  Anything connected to one of that router’s LAN ports should already have full access to your network (on the server side).  But the thing to remember is that ANY traffic sent out by a client connected to the LAN side will go through the tunnel.  In some cases that may not be the desired behavior – you might have a few devices that should use the local Internet connection for all outgoing traffic (that is, as a rule they DON’T send their traffic through the tunnel), BUT you’d like to make an exception so that they can access only the local network on the server side of the tunnel, so that “local” traffic CAN be routed through the tunnel.  So, you’d have such devices on the WAN port side of the Tomato-firmware router (that is, connected to the same “upstream” router or switch as the Tomato-firmware router) so they don’t use your tunnel for the bulk of their traffic.

So the question then becomes, is it possible to allow those devices to use your tunnel ONLY for traffic to the local network on the server side of your tunnel?  Well, it is, but it’s a bit tricky to set up.  Note that you MUST first have it working in the opposite direction (that is, at a machine connected to the server side of the network, you can reach machines on the WAN port side of your Tomato-firmware router – that’s what I was talking about a couple of paragraphs up).  If you can’t do that, you’re not going to get it working in the opposite direction.  If you CAN do that, then here are the additional steps:

In the Tomato-firmware router, click on “Advanced” (in the left-hand menu), then “Firewall”, then check the box next to “Respond to ICMP ping.” You should now be able to ping the Tomato-firmware router from another device on the WAN side of the network (which may be important for testing and troubleshooting).

Next, click on “Administration”, then “Scripts”, then click the “Firewall” tab.  You should see a big text entry box with (probably) nothing in it.  Enter lines similar to the following:

iptables -t nat -I PREROUTING -s 192.168.10.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables -t filter -A wanin -s 192.168.10.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables -t filter -A wanout -s 192.168.0.0/24 -d 192.168.10.0/24 -j ACCEPT

In this example, addresses on the WAN port side of the Tomato-firmware router are in the 192.168.10.x range, while addresses on the server-side LAN are in the 192.168.0.x range. If either is different on your system, be sure to change all three instances of the appropriate base address.

Then click the Save button at the bottom of the page. After that it should look like this:

Administration | Scripts page | Firewall tab

Reboot the router (or you can ssh in and manually enter each of the lines from a command prompt, if you want to avoid the reboot). Now any traffic for the server-side LAN that reaches the Tomato-firmware router will get passed through the tunnel, but you still need to instruct the individual machines or devices to route that traffic correctly (which may be easier said than done for some machines). I don’t know how you do it from a Windows box, but I can tell you how it’s done on a temporary basis (that is, it survives until the next reboot) on a Linux-based or Mac OS X based machine. For the sake of these examples, assume the Tomato router is at (and can be pinged at) 192.168.10.50:

From a Linux box:
sudo route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.10.50 eth0
(eth0 is the name of the interface used to connect to your local network)

From a Mac OS X box:
At a terminal prompt enter:
sudo route add -net 192.168.0.0 -netmask 255.255.255.0 192.168.10.50
Then, if there are shares on server side of the network that you want to connect to, and you know the host machine’s IP address, open a Finder window, click on “Go” in the top menu bar, and enter this as the destination (substituting the correct IP address for the target machine):
smb://192.168.0.xx:139
Note that in at least some cases, the connect attempt will fail if you don’t explicitly specify the port (:139) – this is apparently some kind of bug in recent versions of OS X.

If anyone knows how this is done on a Windows box, or how to make these route statements persist after a reboot (remember, they must be run by the root user or a user with root-level privileges, which is why the sudo statement is used — and you can’t put sudo in a script because it prompts for a password), please leave a comment and share your knowledge!

If you have followed this series thus far, I should point out that these articles are not static – if I find a mistake, or a better way to do things, they may get changed. On the other hand, since this particular router probably won’t be in my possession much longer, it may be something that I don’t do much more work on.

One thing I had said I would do in this last article is to give you a list of links that I found useful, or at least interesting, while working on this project. I didn’t actually utilize the information in all of these, and some are even a bit off-topic for the subject at hand, but this is just a small fraction of the pages I went through while trying to get this to work:

OpenVPN HOWTO

OpenVPN FAQ

OpenVPN 2.1 man page

The ‘Point and Click’ Home VPN HowTo Guide (this was one of my primary sources)

OpenVPN: Building and Integrating Virtual Private Networks (book – Amazon affiliate link)

Tomato’s Frequently Asked Questions & Tips

Tomato (firmware) page at Wikibooks

An Easy Guide to Installing Tomato on the Asus 520gu

Teddy_bear’s Tomato 1.25 ND USB + FTP/Samba Mod (In my opinion the best firmware mod for Asus WL-520GU – be sure to get the VPN version)

Keith Moyer/SgtPepperKSU’s VPN build with Web GUI (also a great version, particularly if your router isn’t supported by the above version)
His blog

thor2002ro’s SDHC | SNMP | VPN | USB Mod (includes features from both of the above versions plus some additional features, but note that latest versions won’t run on routers with insufficient memory).

Summary of OpenVPN settings in Tomato Firmware

Tomato Firmware forum

Setting Up A Low Cost NAS Using Tomato

Using Tomato QOS

Did I configure QoS VoIP correctly? (message thread)

QOS for SOHO VOIP Solved, Tomato Firmware

Optware installation instructions (supposed to also work with Tomato firmware, potentially allows use of numerous software packages originally written or converted for Linksys NSLU2)

Linux 2.4 NAT HOWTO

OpenVPN IPv6 Tunnel Broker Guide

OpenVPN client configuration for Windows, Linux, Mac OS X and Windows Mobile for Pocket PC

Installing a Virtual Private Network with OpenVPN

EDIT: Create a VPN with the Raspberry Pi

USB disc partitioning utilities available.

“A set of disk utilities that will execute on a Tomato router. With these utilities you can now create ext2 partitions on a USB drive on the router itself, so you don’t have to use a Linux desktop machine to do it anymore.”

“A brief help file is included.”

Download link (filename is “tomato_dskutils.tgz”)
Direct link

And there’s probably plenty of other great links that I’ve missed.

Finally, one more word about the TAP/TUN issue. I would sort have liked to have gotten this working in TAP mode. However when I tried to set it up, OpenVPN (on the server) complained about a missing brctl file. Well, it turned out that the way to get that file was to do yum install bridge-utils – sounds easy, right? I assure you, absolutely nothing about this project was easy, at least not for me.

The problem was that after I had installed the software and switched both sides from TUN to TAP, and then restarted the OpenVPN server, it brought down the entire local network! I mean to tell you, I couldn’t connect to any web pages or do anything else until I physically killed the power to the server box! When I brought it back up and disabled OpenVPN, everything connected to the LAN worked fine again. When I uninstalled bridge-utils and went back to using TUN, the tunnel started working again. I had been up all night, it was coming up on 7:00 AM, and I was just so doggone frustrated by that point that I never even tried to get TAP working again. Besides, I just don’t like doing things that can bring down the entire network. I suspect it was doing some kind of packet flood thing, sort of a denial-of-service attack on my local network – pardon me if I’m not thrilled about the prospect of trying that again!

After some additional online research, I suspect that part of the problem is that after installing bridge-utils, you need to create and/or modify certain files, such as /etc/sysconfig/network-scripts/ifcfg-br0, /etc/sysconfig/network-scripts/ifcfg-eth0, and possibly /etc/sysconfig/network-scripts/ifcfg-eth1 (though I’m not at all sure about that last one). For example, one site I went to (which, for some reason, I could only read by using Google’s cached copy, which is why I’m not giving a link) said, “Configure this server’s network configuration to use a bridge as its primary interface. You do this by bridging the physical ethX and virtual tapX interfaces into one logical br0 interface. The br0 interface will be assigned an IP address, and not the physical or virtual interfaces.” That site also suggests that those files should read as follows (note that I do not recommend following this advice verbatim, see my comments below):

/etc/sysconfig/network-scripts/ifcfg-br0
DEVICE=br0
TYPE=Bridge
IPADDR=192.168.0.50 <— local IP of the server
NETMASK=255.255.255.0
ONBOOT=yes

/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=ETHER
BRIDGE=br0
ONBOOT=yes

/etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=tap0
TYPE=ETHER
BRIDGE=br0
ONBOOT=yes

Please note the above is totally untested at this point, and I’m afraid that the advice to modify the existing files (particularly /etc/sysconfig/network-scripts/ifcfg-eth0) may (or may not) be ill-advised. What concerns me is that the /etc/sysconfig/network-scripts/ifcfg-eth0 file seems to contain a lot of essential information that is in effect being thrown out – for example, on our system, it reads as follows:

DEVICE=eth0
BOOTPROTO=static
DHCPCLASS=
HWADDR=00:xx:xx:xx:xx:xx
ONBOOT=yes
TYPE=Ethernet <— NOTE!! 'Ethernet', not 'ETHER'
IPADDR=192.168.0.50
NETMASK=255.255.255.0
BROADCAST=192.168.0.255
NETWORK=192.168.0.0
NOZEROCONF=yes

I’m just not sure what is the proper thing to do here — maybe just add the BRIDGE=br0 line to the existing file? But, if you do decide to try a full replacement of any file, be sure to copy the existing file to a safe location so that if things go badly you can recover your original file!

Some of the comments I have read suggest that TAP mode is not as efficient in transferring data, and/or not as secure (unless you add even more configuration options), so I’m thinking maybe we should leave well enough alone. But, if you have a truly burning desire to get it going, I suggest using the following Google search string for additional information – it may be strange, but it actually produced the most relevant results of all the searches I’ve tried over the last few days:

“/etc/sysconfig/network-scripts/ifcfg-br0” OpenVPN

Hopefully this page won’t show up as the first result! 🙂

If you have any ideas about what went wrong, or in particular, if you manage to get this working in TAP mode, I’d be most interested to hear about it (and how you did it, if you got it working) – the comments are open.

EDIT (November 30, 2011): While I’m not really wanting to reopen this project at this late date (this still remains about the hardest thing I’ve ever tried to do with a computer, and I have a distinct aversion to revisiting it), I did receive an e-mail today from James R, which I will post verbatim here.  NOTE THAT THIS IS NOT TESTED BY ME, SO USE AT YOUR OWN RISK:

From: James R (address redacted)
Subject: OpenVPN in bridged mode
Date: November 30, 2011 11:32:40 AM EST

The following is a script to fix the problems with getting bridged mode OpenVPN working with PBX in a Flash (CentOS 5.7 with Webmin). First you install the third party Webmin OpenVPN module, then use the script below.  I haven’t tested it yet, but I believe it should work if not explain what actions needed to be done to repair it.  Be kind, as my scripting skills are quite poor.


#! /bin/bash

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm
sleep 30
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
sleep 1
rpm -K rpmforge-release-0.5.2-2.el5.rf.*.rpm
sleep 1
rpm -i rpmforge-release-0.5.2-2.el5.rf.*.rpm
sleep 1
yum -y install bridge-utils
sleep 30
yum -y install tunctl
sleep 30
yum -y install openvpn
sleep 60

echo "start_cmd=/etc/init.d/openvpn start
openvpn_pid_path=/var/run
openvpn_servers_subdir=servers
zip_cmd=/usr/bin/zip
stop_cmd=/etc/init.d/openvpn stop
openvpn_path=/usr/sbin/openvpn
openvpn_clients_subdir=clients
log_lines=200
openvpn_version=2.0_rc16
openvpn_keys_subdir=keys
openvpn_home=/etc/openvpn
openssl_version=0.9.7e
openssl_path=/usr/bin/openssl
openssl_home=/etc/openvpn/openvpn-ssl.cnf
down_root_plugin=/usr/share/openvpn/plugin/lib/openvpn-down-root.so
br_end_cmd=/usr/libexec/webmin/openvpn/br_scripts/bridge_end
br_start_cmd=/usr/libexec/webmin/openvpn/br_scripts/bridge_start
tail_cmd=
log_refresh=
default_server=
" > /etc/webmin/openvpn/config

cat /usr/libexec/webmin/openvpn/br_scripts/bridge_start | sed
'2iPATH=$PATH:/sbin:/usr/sbin' >
/usr/libexec/webmin/openvpn/br_scripts/bridge_start

cat /usr/libexec/webmin/openvpn/br_scripts/bridge_end | sed
'2iPATH=$PATH:/sbin:/usr/sbin' >
/usr/libexec/webmin/openvpn/br_scripts/bridge_end

(End of James R’s e-mail.  I fixed some punctuation and capitalization in the first paragraph, but otherwise it’s the way he sent it.  I was NOT sure if the final couple of sections were really supposed to be three lines each, or one line each that got broken up by the e-mail software. I suspect the latter, but I’m leaving them as is in case I’m wrong about that. Again, please remember that the above is UNTESTED by me.)

Here’s another bit of information that may be useful for those of you that don’t know much about Linux — here is a very small list of Linux commands that may be useful in diagnosing any problems with your VPN tunnel:

  • ifconfig – shows the current list of  network interfaces.  On both ends of your tunnel you should see a tunx interface when the tunnel is operational. On Windows-based systems a similar command is ipconfig.
  • ip route show – shows current routing information for the system (see also route). ip route list gives a slightly different view.
  • iptables -L – lists the current iptables rules. Add the -v option to get a more verbose display.
  • netstat -r – similar to route but with a slightly different view.
  • ping address – tries to get a response from another connected machine or device.  Note that not all systems or devices will respond to pings.
  • route – shows the current routing tables on the system (see also ip route show).
  • tcpdump -n – this shows a running display of all activity on the network interfaces.  Be careful because this can produce a LOT of output very quickly.  Use Control-C to interrupt, then be prepared to wait until the buffer empties (may take a few seconds).
  • traceroute address – If you run a traceroute to a network address (either on the LAN or on the Internet) it will attempt to show each system the packets pass through on the way to their destination. This can be useful for determining if traffic to a particular destination is actually going through your tunnel. On Windows-based systems use tracert (a holdover from MS-DOS days when filenames were limited to eight characters!).
  • which program-name – not a network command per se, but if you get an error message about a missing program, you can use which program-name to try to determine if the program exists on your system, and the correct path to that program.

Note that there are additional options for most or all of the above commands – read the man page for that command (e.g. man tcpdump) if you are interested, or use a search engine to find more information (yeah, I think most man pages are painful, too). man is short for manual, by the way, not a reference to gender.

Anyway, I’m still trying to catch up on lost sleep, but if I think of anything else pertinent I’ll probably add it to this article, rather than making this series any longer. I hope if you attempt this, it’s not nearly as painful for you as it was for me!

Setting up an OpenVPN tunnel using a CentOS-based system as the server and a router flashed with Tomato firmware as the client – Part 3

 

Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog. The link to Amazon.com in this article is an affiliate link, and if you make a purchase through that link I will receive a small commission on the sale.

Continued from Part 2

Okay, time for the hard part… well, at least it was for me.  Please understand, the instructions at The ‘Point and Click’ Home VPN HowTo Guide, combined with the knowledge I acquired from the book OpenVPN: Building and Integrating Virtual Private Networks (Amazon affiliate link) by Markus Feilner, enabled me to get a tunnel going using a software client with no sweat. But getting it to work with the Tomato VPN client, and in particular, to get it to work the way we needed it to, was a whole other thing. It turned out, as so often happens that some simple configuration changes were all that was needed – but finding the correct configuration changes to make were pure grief.

EDIT: The above-mentioned book has been updated and expanded under a new title — see Mini-review of Beginning OpenVPN 2.0.9 by Markus Feilner and Norbert Graf (Packt Publishing)

I want to digress just a moment to speak about those elitists that seem to frequent certain forums and IRC channels, and just love to tell newbies (often in not so polite terms) that all the answers can be found by using Google. I’ve pretty much figured out that most of the time, the person saying that doesn’t know the answer either, but they are like the schoolyard bully that gets their kicks by picking on others. In this case, Google may have had the answers somewhere, but they sure weren’t showing up in the first few pages of results. Instead, what was showing up was many others who were having the same problems and asking the same questions, but not getting answers! And usually after the first four or five pages of results, the results became even less relevant, if that were possible. Finally, after taking a more or less scattershot approach to seeking help, I came up with a “recipe” that works in this situation. Of course I cannot guarantee it will work for you… heck, I can’t guarantee it will work for me next week… but at least it’s working as I write this. But the next time someone suggests that you should just Google it (or something like that), I suggest you ask them what search terms they would suggest using that will bring you the answer to your question. When whatever they suggest doesn’t work, let them know and ask for more suggestions, and just keep repeating until you find the answer or they get sick of talking to you. If we all did that, I suspect some of the online bullies would discover that maybe they should keep quiet if they don’t know the answer.

Okay, so to begin, let’s make sure we are all on the same page. I assume you’ve installed the Webmin OpenVPN + CA module (again, following the instructions at The ‘Point and Click’ Home VPN HowTo Guide) but if you had difficulty locating the module, try here — as I write this, it appears that the newest version of the module is the OpenVPNadmin WebMin pre-release 2.5 version. And when you try to download it, if you get “Unauthorized access to downloads!”, try a different browser, or make sure JavaScript and cookies are enabled.  You will probably need to download it to your computer first, then upload it to Webmin, if your experience is anything like mine was.

When you go into the module, you’ll initially see a page like this:

OpenVPN administration page
OpenVPN administration page

This is “home base” for this module, so when I say “return to the admin page”, this is the page I mean. It’s also the page you use to create a new Certification Authority (normally you only need to do that once, but if you really want to you can make more). In the upper left corner there is a link labeled “Module Config” – click on it and make sure all the paths are correct:

OpenVPN + CA configuration page
OpenVPN + CA configuration page

A couple notes on this page:  First, although it indicates that “Server Hint for Clients” is a required field, there is no indication of what actually goes there, nor any default value.  Second, the information under “If you use bridge device” is only applicable if you use TAP mode (remember, we’re using TUN), but I do know the defaults are not correct.  Just in case you ever want to try to get TAP mode working, here is what these paths should be (at least on our installation):

Command to start Bridge:
/usr/libexec/webmin/openvpn/br_scripts/bridge_start

Command to stop Bridge:
/usr/libexec/webmin/openvpn/br_scripts/bridge_end

Path to DOWN-ROOT-PLUGIN:
/usr/share/openvpn/plugin/lib/openvpn-down-root.so

Do check the paths on this page, because the defaults aren’t totally correct.  Now let’s return to the admin page.  I probably should have mentioned that you don’t really need to change any of the defaults for making a certificate for just your own use – those values are probably only important if you are creating a certificate that will be used by the public.  Once you have made a certificate, you can click on the Certification Authority List, where you’ll see this page:

OpenVPN Certification Authority page
OpenVPN Certification Authority page

I really don’t know why you can create a new Certification Authority on both this page and the main admin page, but oh well… once you have created one it will show up in the list at the top of the page.  You can click on it to view what you created, but there’s nothing you can change there. The main thing of importance is the “Keys List” link, where you can actually create new keys and view existing ones:

OpenVPN key list and key creation page
OpenVPN key list and key creation page

Okay, now here’s the important thing to remember about key creation: You need one key for your server, and one key for each client.  You will note we have a server key, and client key for the software client (used for testing) and one more for the OpenVPN client on the Asus router.

As you may have surmised, except for the key name field, you can leave everything else at the defaults. However, there is one thing on this page that will lead you astray.  It says, “Server key doesn’t need password!“, which might lead you to think that a client key does need one, but that’s not true.  And if you use a password with your Tomato-based client key, you will never make a successful connection.  The keys are far stronger protection than passwords anyway, so the only reason you might even consider using one is for a software client where you want to keep anyone other than an authorized user from connecting to the VPN tunnel.  Anyway, don’t use a password for your server key or your Tomato OpenVPN client key!!!

Okay, now it’s time to navigate back to the admin page, then click on “VPN list”. Once you have created a server key, you can create your actual server. So click on the New VPN Server button and a page will come up that permits you to create a server configuration.  This is where things get really tricky.  Here is how ours is filled out:

OpenVPN Server page
OpenVPN Server page

Now the above is actually the edit page you get once the server is created and you have returned to edit it.  Note that some values cannot be changed after the initial entry, so be sure you get them right the first time.  In particular, make sure to select tun and not tap. If you do make a mistake, you can always delete the entire server configuration and start over, but that’s a bit of a pain. There are some differences in our configuration and the one at The ‘Point and Click’ Home VPN HowTo Guide, and generally speaking there are good reasons for the differences. But that said, nobody is claiming our configuration is perfect, just that it works! If you see something here you think should be changed, feel free to leave a comment.

Note in particular the text fields at the bottom of the page. Getting those right is the key to making this thing work! So, here’s what’s in each of those:

Additional Configurations:

push “route 192.168.0.0 255.255.255.0”
push redirect-gateway
push “dhcp-option WINS 192.168.0.50”
script-security 2 system

up (script execute after VPN up):

route add -net 192.168.5.0 netmask 255.255.255.0 gw 10.8.0.2 tun0
echo 1 > /proc/sys/net/ipv4/conf/tun0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

down-pre (script execute before VPN down):

route delete -net 192.168.5.0 netmask 255.255.255.0 gw 10.8.0.2 tun0

Of course, in the Additional Configurations section you want the line push “dhcp-option WINS 192.168.0.50” to point to a WINS server on your network, if you have one (if you don’t, just leave that line out).

In the up and down-pre scripts, if you want to be able to reach the local network behind the WAN port of the router on the client side, you should add additional route add and route delete lines in a format similar to those above, but substituting that network’s address range.

Now, once again, I’m NOT saying this is a perfect configuration, just that it works for us. However, if you notice something that just doesn’t look right, feel free to leave a comment. Much of the added configuration was put in so that traffic from the primary LAN to addresses in the 192.168.5.x address space would actually go through the tunnel – that was the hardest part. It was (relatively) easy to create a tunnel in the first place, but getting packets to and from their intended destinations was another matter entirely.

When you have configured your server and clicked “Save”, it should show up in your server list:

OpenVPN Server List page
OpenVPN Server List page

Now click on “Clients List” – there will be a button labeled “New VPN Client” (no screenshot, it’s just a button to click at this point).  Click that button and you will be presented with a client configuration page.  Here’s the one we created for our Tomato OpenVPN client running on the Asus router (again, this is actually the edit page, since the client is already created on our system):

OpenVPN Client Configuration page
OpenVPN Client Configuration page

Most of the settings here will be the defaults but there are two things to pay particular attention to:  First, the “Remote IP” must be the external address of your server – remember that this is the configuration that goes to the client. And second, notice the ccd file content box at the bottom – it is crucial that this be filled in correctly. In our case, we used this line:

iroute 192.168.5.0 255.255.255.0

If you miss this – and I speak from experience on this one – the packets from the Internet or your local LAN just aren’t going to get back to the client end of the tunnel! And remember to add an additional, similar line if you also want to be able to reach the network connected to the WAN port at the client router, substituting the base address of that network for the 192.168.5.0.

Once you have saved this, it should appear in the VPN client list:

OpenVPN Client List page
OpenVPN Client List page

Once you have configured a client, the next step is to export its configuration, particularly the certificate and key files, to your computer using the “Export” link – all the necessary files will be packed up in a ZIP file.  The instructions at The ‘Point and Click’ Home VPN HowTo Guide tell you how to use this file with a software client, but with your Tomato firmware you will have to unzip the file and then open each of the three files (ca.crt, plus the client certificate and key files), in a text editor or viewer. Only those three files are used with the Tomato OpenVPN client; the others in the ZIP archive are not. Then you will need to cut and paste the contents of those files into the three fields that appear under VPN Tunneling | Client | Keys tab in the Tomato firmware (see the screenshot of that page in Part 1 if you’re not sure what file’s contents goes where). With regard to the Client Certificate, there is some extra information at the top of the file that does not need to be pasted into the text field – you only need the two lines —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– plus all the lines in between those two tags. On an Asus WL-520GU router it doesn’t matter much, but there have been cases with some other makes of router where leaving that excess information in was just enough excess data to “brick” the router! So if in doubt, leave the data above the —–BEGIN CERTIFICATE—– line out.

Once you have everything ready, you can go to the OpenVPN admin page in Webmin and start the server, then in your Tomato firmware start the client.  HOPEFULLY the client and server will connect and start communicating.  You can check from the server’s  admin page by clicking on “Active Connection” – hopefully you will see something like this:

OpenVPN Active Connections page
OpenVPN Active Connections page

If you do, congratulations! If not, you have some troubleshooting to do. On the server, take a look at the log file: /etc/openvpn/servers/servername/logs/openvpn.log. On the client, click on Logs (under Status in the left-hand menu) and look at the last several lines. OpenVPN usually doesn’t suffer in silence — when something isn’t working, chances are one or both logs will be filled with messages that may or may not be helpful. You can always try going to Google and using OpenVPN plus the actual error message text (enclosed in quotation marks); once in a while that will actually bring up something useful.

Still stuck? My plan is to add a Part 4 to this series, that will provide links to some of the most useful resources I’ve collected along this journey.  But you can certainly help — if I’ve made any errors in these instructions (not at all unlikely given the sleep I’ve missed during this project), and you find them and can figure out what was incorrect, PLEASE leave a comment. I will warn you that writing to me with your error message will probably get you nowhere – I can definitely play the part of the blind leading the blind, so to speak, but first I have to heal from all the bruises encountered on this journey! 🙂

I sincerely hope these posts have been useful to you! In Part 4 I’ll wrap this up with brief instructions for rotating the log file so it doesn’t grow forever, provide the aforementioned list of links, and give you a bit more insight into why I set this up using TUN mode even though I’d probably have preferred to use TAP.

Setting up an OpenVPN tunnel using a CentOS-based system as the server and a router flashed with Tomato firmware as the client – Part 2

 

Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog.
Continued from Part 1

EDIT (Jaunary 2011): Since I originally wrote this article in 2009, a new project has appeared called Easy OpenVPN, which is described as “a collection of bash scripts which will install and configure the Open VPN software on your PBXIAF server. Also includes scripts for creating client certificate files.”  The project’s page further notes that these scripts are compatible with the security models used in, and have been tested with PBX In A Flash and Elastix, and that they may be compatible with other PBX distributions, but have not been formally tested.  It also notes that the scripts do not interact directly with Asterisk or FreePBX.  I have NOT tested these scripts, but it sounds as if it they might work on just about any CentOS-based OS.  Certainly, if you are using one of those distributions, it’s worth looking into — it might be a faster and easier way to set up OpenVPN on your server than the procedure I outline here.  Some instructions can be found in this thread.  Even if you go that route, you might still want to read the rest of this series, since it gives some explanations and usage tips that may come in handy if the scripts don’t configure OpenVPN the way you’d like. FURTHER EDIT: If you want a dedicated OpenVPN server, check this out: Create a VPN with the Raspberry Pi (from Linux User & Developer).

Before you can begin to set up the OpenVPN server, there is some preparation work that needs to be done. But first, let’s talk about the prerequisites and assumptions we are making here. In the case of the tunnel I was helping to set up, the OpenVPN server was located on a box that runs the Elastix PBX distribution, which includes the CentOS operating system, plus FreePBX and Asterisk and a few other things. It doesn’t really matter whether the box has other servers on it (of course, if it’s a really old/slow box there may be performance issues), but for the purposes of our instructions here, the most important thing is that you have Webmin installed.  Let me repeat that loud and clear:

You MUST have Webmin installed to use these instructions!

You don’t have Webmin installed and you don’t want to install it? Fine, shoo, away with you then. There are hundreds of other installation guides on the Internet, go find one you like.  You have to keep in mind that with me, whenever there’s a choice between using the Linux command line or manually editing a configuration file, and using a nice GUI, I’ll pick the GUI every time.  Some people (usually long time Linux users) seem to have some philosophical objection to using Webmin – if that’s you then you’re obviously much too smart to need these instructions, so what are you doing here?

I’m going to assume you already have Webmin installed, but if you don’t, try doing yum install webmin — it might already be in a CentOS repository.  If that doesn’t work, you should be able to do this:

wget download.webmin.com/devel/rpm/webmin-current.rpm
rpm -ivh webmin-current.rpm

Once you get Webmin installed (or if you are using a Debian-based distribution such as Ubuntu) go to The ‘Point and Click’ Home VPN HowTo Guide — we’re going to refer to that document several times, so you may want to keep it open in another browser tab. But for now, just follow the instructions related to installing Webmin, starting (for CentOS users) with the subheading “Access Webmin”.  For now, just follow the instructions in the two paragraphs in that section.  On a Debian-based system, I’d try following the entire document, but I can tell you there are parts missing for a CentOS-based system, so stick with us for a bit.

Another assumption we are making is that your primary network (the one the server in on) has addresses in the 192.168.0.1 through 192.168.0.255 range.  It’s okay if the “0” in the third octet is some other number (hopefully it’s not 5, because that what we used at the client end) but the main point is that we’re assuming it’s a small network.  If you’re using more than 255 addresses on the primary network it’s not an insurmountable problem, as long as the client end has its own unique address space.

Open the file /etc/hosts.allow at the server – you should see something like this:

ALL : 192.168.0.0/255.255.255.0

If you do, you could change it to the following two lines (note the change in the netmask in the first line):

ALL : 192.168.0.0/255.255.0.0
ALL : 10.8.0.0/255.255.255.0

However,  if there are any addresses in the range 192.168.0.0 through 192.168.255.255 that are normally reachable but not in your LAN — a primary example is a cable modem status page on 192.168.100.1 — you may not want to extend the scope of your local network quite that much. You could use a more restrictive netmask — for example, you could use these two lines, which is what I’d recommend for this project:

ALL : 192.168.0.0/255.255.240.0
ALL : 10.8.0.0/255.255.255.0

That would specify that anything in the range 192.168.0.0 through 192.168.15.255 is on your local network (including subnets on the other side of your tunnel).  Alternately, if you wish to be a bit more precise and/or secure, you could specify the network(s) at the distant ends of the tunnel individually (using a more restrictive netmask), e.g.:

ALL : 192.168.0.0/255.255.255.0
ALL : 192.168.5.0/255.255.255.0
ALL : 10.8.0.0/255.255.255.0

(If you do the latter, you may also want to add a line for the network on the WAN side of the client router, e.g. ALL : 192.168.1.0/255.255.255.0 to be able to reach devices in that subnet from the server side of the tunnel — assuming that won’t conflict with any addresses on your own local network).

You also need to go into your router (the one between the OpenVPN server and the Internet, that controls the LAN at the server end – not the client router running the Tomato firmware) and expand the scope of your local network.  I can’t give you specific instructions for your router, but generally the principle is the same as in the hosts.allow file – in most cases you need to expand the scope of the local netmask to 255.255.something.0, where something is less restrictive than 255 and includes all local nets on both sides of the tunnel, but not your cable or DSL modem’s status page (don’t worry about the 10.8.0.x addresses, your router won’t see those).  I suggest using 255.255.240.0 and then making sure that your local networks on both ends of the tunnel fall within the range 192.168.0.x through 192.168.15.x. The reason you need to change the netmask is so that when something on your primary LAN tries to connect to an address in the 192.168.5.x range (on the other side of the tunnel), your router will send out an ARP probe to find out which device on the network has that address (getting the OpenVPN server to respond is another issue that we’ll cover later). But if you are trying to get to something on the backside of your router (the modem status page being the prime example), you don’t want your router thinking it’s on your LAN – hence the need for care when changing the netmask.

If for some reason you can’t follow my suggestions about local network range, you’ll still need to figure out an appropriate netmask, both for the etc/hosts.allow file and your server-side router configuration.  Fortunately, there are many pages on the Web that will help you – Google the phrase “netmask calculator” (include the quotes) and you’ll find several sites that will help you calculate an appropriate netmask.  Of course, there are limits on this – you’re going to have a much harder time making this all work if all the local networks on both sides of the tunnel aren’t in the 192.168.x.x range (or, more specifically, don’t have at least the first two octets of the LAN IP address in common).

While you are in the router on the server side of your connection, you need to open UDP port 1194 for incoming traffic and point it at your OpenVPN server – otherwise outside connection attempts will never be received by the server. Don’t open the corresponding TCP port – it’s really not a good idea to use TCP for OpenVPN unless you are forced to do so (by an overly restrictive ISP, for example).

You also need to open up the file /etc/sysctl.conf and make sure that the following line is NOT commented out (add it if it doesn’t already exist):

net.ipv4.ip_forward=1

Also, at a terminal prompt, execute the following:

echo 1 > /proc/sys/net/ipv4/ip_forward

While in the terminal, you SHOULD upgrade OpenVPN to the most current version (or install it if it’s not already installed).  Older versions of OpenVPN will not work with these instructions.  Just type openvpn from a command prompt and at the top of the resulting output it should show you what version you have, if it is installed.  It will look something like this:

OpenVPN 2.2.0 i686-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Jun  6 2011

2.2.0 is the version in this example.  But on a recent CentOS install, just doing yum install openvpn only offered to install version 2.0.9, which is too old to work with these instructions!  Here is how I installed a newer version (edited July 27, 2011 to reflect a better way):

Add the dag repository if you haven’t done so already.  In the /etc/yum.repos.d directory, create a new file called dag.repo:

touch /etc/yum.repos.d/dag.repo

Edit the file using any text editor (for example, nano /etc/yum.repos.d/dag.repo) and add the following lines exactly as shown:

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1

Save the edited file and then from a command prompt import the repository’s key:

rpm –import http://apt.sw.be/RPM-GPG-KEY.dag.txt

Now if you do

yum install openvpn

You should get the latest version plus any dependencies (it should offer to upgrade your current version if it is older).  Note that you must use compatible versions of OpenVPN at both the client and server ends, so once you have an OpenVPN tunnel working, it might not be a good idea to just go upgrading the software at one end or the other unless you know the newer version is still compatible with what you’re using on the other end (minor version upgrades are probably okay, but I am not guaranteeing that!).

Now return to The ‘Point and Click’ Home VPN HowTo Guide — you want to find the section headed “Setting Firewall rule(s) to allow VPN web traffic to redirect out eth0” — now I will just say that you need to follow those instructions, but when setting up the actual rules, I found that only two were really important.  So if I were rewriting their instructions, here is how I’d say it:

First we’ll assume that the firewall is not set up yet so click Reset Firewall. Now we need to add some rules. From the Showing IPTable: dropdown select Packet filtering  (filter) where we’ll create the following rule:

Forwarded Packets (FORWARD)

Accept If input interface is tun0
Incoming interface Equals tun0

Then, from the Showing IPTable: dropdown select Network address translation (nat) where we’ll create the following rule — this is the rule that goes along with the VPN “push redirect-gateway”. This allows the VPN web traffic to be routed out through your connection:

Packets after routing (POSTROUTING)

Masquerade If source is 10.8.0.0/24 and output interface is eth0
Source address or network Equals 10.8.0.0/24
Outgoing interface Equals eth0

Why not add the rest of the rules? Well, if you Reset Firewall as instructed, you don’t need them, because they are specifying default conditions. But if you didn’t want to reset the firewall because you already have some preexisting rules, or if you ever actually decide to go in and configure some more restrictive firewall rules, then you may need some of the other rules listed. There’s certainly no harm in adding the other rules, but I’d rather emphasize the two that are absolutely necessary to get this working, assuming you started with a clean slate.

When you are finished, the two rules pages should look like this:

Firewall rule: Accept If input interface is tun0
Firewall rule: Accept If input interface is tun0
Firewall rule: Masquerade If source is 10.8.0.0/24 and output interface is eth0
Firewall rule: Masquerade If source is 10.8.0.0/24 and output interface is eth0

(I know that at this point, some Elastix and FreePBX users may be wondering if the above would interfere with the operation of fail2ban, in the event they have installed it. As far as I can tell, the answer is no… fail2ban communicates with the firewall in a different way, and unless you add rules that explicitly contradict what fail2ban does, I don’t think there will be any issues. However, I do recommend that you temporarily disable fail2ban, possibly from Webmin’s System | Bootup and Shutdown page, prior to connecting a new VoIP adapter or similar device on the client end of a tunnel for the first time. The reason is that if the device fails to register for any reason, such as a mis-typed password, fail2ban might refuse connections even after you fix the issue, and it might even clamp down on other connections from the client end of your tunnel. So get your devices registered and working, then restart fail2ban. Alternately, if turning off fail2ban makes you nervous, you could open /etc/fail2ban/jail.conf in a text editor, then edit the ignoreip option under the [DEFAULT] section to include the IP addresses or network on the client side of your tunnel — for example, you could add 10.8.0.0/24 and 192.168.5.0/24 as address ranges you don’t ever want to ban.)

Once again, return to The ‘Point and Click’ Home VPN HowTo Guide — now you want to start at the section, “Install OpenVPN-admin module” and continue through to the part entitled “Testing the VPN Server using the OpenVPN client GUI from Windows.” If their suggested download method doesn’t work, use the download link on this page to download it to your local machine, then in Webmin install the module “From uploaded file” rather than “From ftp or http URL” as the article suggests. What I suggest you do here is setup TWO clients, one for a soft client you can use for testing purposes, and one that you will use with the OpenVPN client in the Tomato firmware. While you might be able to get a Windows-based client to work using the instructions shown, I can assure you that the Tomato client isn’t going to work until you add a few additional tweaks, which we’ll cover in Part 3. But you can certainly set up and test the Windows-based client if you like, just to assure yourself that the server is actually working.

Just so you don’t spend a couple hours beating yourself up wondering why the server won’t start, I will point out that there’s a glitch in the Webmin OpenVPN module. When you click on the VPN server list and then click on Start to start a server, the server name is supposed to turn from red to black, and the word Start is supposed to turn to Stop. For whatever reason, that doesn’t happen on our server… you can click Start until the cows come home and it still won’t turn black. It probably has something to do with the module configuration itself – for example there’s a setting for PID file path of running OpenVPN processes (*) which by default is set to /var/run, which may not be correct — however, when I changed it to /var/run/openvpn, which does seem to be correct, it made no difference. I just start and stop the server using the buttons at the bottom of the main “OpenVPN Administration” page, which seem to work fine.  EDIT:  See Leon Baker’s comment in the comments section below for a fix for this problem.  Thanks, Leon!

Next up, in Part 3: Configuring the OpenVPN server using Webmin (or more specifically, the changes and additions you need to make to actually get it working as expected). More screenshots!!!

Setting up an OpenVPN tunnel using a CentOS-based system as the server and a router flashed with Tomato firmware as the client – Part 1

 

Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog. The link to Amazon.com in this article is an affiliate link, and if you make a purchase through that link I will receive a small commission on the sale.

Some readers of this blog may recall that several months ago I had wished for a Simple VPN device – back then I had written:

There is another type of software that ought to be moved into its own box, and that is Virtual Private Network (VPN) client and server software. Yes, I’m aware of OpenVPN, and I tried to find setup instructions that someone like me could understand, but to no avail – it looks like you need a degree in computer networking to understand how to set up this type of software. And yet, built into hardware devices, it could be immensely useful in certain circumstances. Let’s consider the following diagram:

Diagram showing position of "client side" and "server side" VPN devices

In this particular case we have a SIP-based VoIP adapter at a remote location. Anyone who has worked with Asterisk behind the wrong kind of firewall knows the issues involved with using SIP and not having things set up just so (one-way audio, anyone)? But also, we may for whatever reason want that “remote” VoiP adapter to appear as if it were on the local network (maybe we have an ISP playing games with SIP packets?). So we plug the VoIP adapter into our “VPN Client-Side Device” and on the other end, we have a companion “VPN Server-Side Device” which in this case makes two connections to the router – one to receive the “tunneled” data and the second to send the unencrypted data back onto the local network. The green arrows represent the “tunnel”, the orange arrows show where the data from the VoIP adapter enters and exits the tunnel. Please note this is entirely a wired connection, we aren’t using wireless anywhere here. Also note that as far as the VoIP adapter is concerned, the only network it can “see” is the one at the other end of the tunnel – under no circumstances can it access the Internet other than by going through the tunnel.

I show this using a VoIP adapter, but I’m sure that people could think of a lot of other ways this could be used, and a lot of other devices that could be connected to the client end.

Now some will probably argue that it is inefficient to have a device that does nothing but provide the tunnel. But that’s the point – almost anyone could set this up. If you send the client-side device to your grandmother, she can set it up (well, maybe that’s pushing it a bit, but you get my point). People who would never touch a Linux box or a server could use this.

I want to tell you, when I wrote that I had no idea just how difficult it would be to actually get VPN tunneling working using OpenVPN.  The problem isn’t that it doesn’t work — actually, it works quite well — the problem is that it’s a real bear to set up, unless you have someone who knows what they are doing walk you through it.  Unfortunately, you may not haves someone who knows what they are doing to help you, so you’re stuck with me (unless you can find a better page on the subject – if such exists, please let us know in a comment).

The real issue is that you have to learn so many new things at once to make this work.  So, my attempt here is going to be to try and give you a “cookbook”, with plenty of screenshots so you can see how things actually look when everything is configured.  I’m actually also going to approach this in a slightly backward manner, showing you how to configure the client first, then the server.  My theory is that you will think that configuring the client is so simple that configuring the server can’t be much harder, and you’ll get sucked into the project before you realize what you’ve gotten yourself into! 🙂

By the way, what we are doing here doesn’t look exactly like the diagram above – instead it looks more like this (note that the “Primary Router” on the client side can be omitted if you don’t need any UN-tunneled connections, or if the DSL or Cable modem has a built-in router):

Diagram showing position of OpenVPN client and OpenVPN server in data flow
Diagram showing position of OpenVPN client and OpenVPN server in data flow

For our client, we need something that you can plug your desired device into. You may have a laptop, and you want to communicate securely with a home office. You may have a VoIP adapter, and you want to make secure calls to a remote Asterisk server.  While you can run a software client on the Laptop, when you have a hardware device like a VoIP adapter your choices become more limited.  The solution is to purchase a router that is capable of being re-flashed with custom firmware.  In this case we are going to use the Tomato firmware, and in particular, a version of the firmware designed to support OpenVPN as either a client or a server. Here we’re going to use it as a client. The idea will be that ANY device plugged into the router will automatically use the VPN tunnel, and if for some reason the tunnel isn’t available then the connected device will not be able to communicate, therefore there’s little chance that an insecure communication can take place.

Some readers will already have a router capable of running Tomato firmware, and some will not.  The main Tomato Firmware page shows which routers are supported.  If you do not already have one of these and plan to buy one, I recommend that you consider the Asus WL-520GU. I know that the main Tomato firmware page says there’s no USB support for that model, but that’s not necessary for what we’re going to do, and it’s not even true if you use the recommended firmware build. The reason I suggest using the WL-520GU is because I’m told that although it’s not totally impossible to “brick” the router by doing a bad flash, if you do make a mistake, your chances of being able to recover (so that the router isn’t consigned to being an expensive paperweight) are far better than with some other models.

I should mention here that I inherited this project from someone else who couldn’t get it to work.  I had made the mistake of casually suggesting they get the Asus router if they wanted to attempt this, only to find them on my doorstep with router in hand.  So again, I’m not saying this will be easy, and the one thing I will not tell you how to do is how to get the Tomato firmware onto your router.  The reason is that if I give you instructions and leave out a step and you brick your router, you will be mad at me.  Better you find someone else’s instructions, and if they’ve left out a step, you can be mad at them. I will mention that, at least in the case of the Asus router I had here, it was a two-step process – I used the Asus Firmware Restoration Utility to first install DD-WRT (using these instructions) and then used DD-WRT’s web interface (Administration -> Firmware Upgrade) to install Tomato (I’m skipping a whole tale of woe and grief that transpired between those two events). Basically I followed the instructions at An Easy Guide to Installing Tomato on the Asus 520gu, but I’m not telling you to do that — it’s up to you which instructions you wish to follow.

Why Tomato instead of DD-WRT?  Because Tomato works, that’s why. But if you want to try getting it working on DD-WRT, go ahead, knock yourself silly (only one tip for you, from a tweet by @pista01 on Twitter —  if you keep getting TLS errors, make sure your NTP client is set up). If you succeed, great for you. If you don’t, you’re welcome to come back here and continue on.

But don’t just grab the first build of the Tomato firmware that you see. You need one that includes VPN support.  There are two versions I would highly recommend — if you have taken my advice and acquired an Asus WL-520GU (or similar model with built-in USB port), then I recommend teddy bear’s build because it enables the “missing” USB support, and also includes the VPN support from SgtPepperKSU’s build — which is the one you should get if you DON’T have the Asus WL-520GU, but instead have some other compatible router (EDIT: Advanced users may also wish to check out thor2002ro’s build, which offers both the VPN and USB support from the aforementioned builds, plus support for SDHC, SNMP, and perhaps other additional features.  I haven’t tested that one at all, and note that recent versions probably won’t work with many router models due to memory requirements, so unless you really need one of the features in that version and know that your router supports it, I’d stick with one of the other versions). Make sure you read up on the chosen build and be sure you get the correct firmware version.  For the Asus I used the binary from inside the tomato-1.25-ND-USB-8632-vpn3.3.rar archive, but since then a newer version has been released (tomato-1.25-ND-USB-8634-vpn3.4.rar was released in August, 2009), or you may prefer a different version.

tomatoIn this series you will see several screenshots.  I’m using the custom “Tomato USB” theme, so the colors and “look” may be a bit different than what you see, but other than that everything’s in the same place as with the default theme. Later (after taking the screenshots) I replaced the tomato.png file from the theme with the one you see at the right, which I happen to like a little bit better.

Two other caveats: Although this router has wireless capability, for this application we aren’t going to use it — it’s going to be used on a wired network only.  That said, once you get it set up and working, feel free to experiment with the wireless capabilities if you like — just be aware that if something on the wireless side of things doesn’t work, I really can’t assist you. And also, we’re assuming that everything plugged into this router will be using the VPN tunnel full time, which implies that this router might (perhaps in a majority of cases) be plugged into another router, so that some other devices can access the local Internet connection, while the devices plugged into this router are limited to going through the tunnel. Note that if this router is plugged into another router, it would be preferable (but not absolutely essential) if it were in that router’s DMZ, so that you don’t have double NAT (Network Address Translation) taking place.

And now, a word about OpenVPN.  OpenVPN supports two different modes of operation — TAP and TUN.  In this case, we are using TUN.  We MIGHT explore TAP at a later time, but TUN is easier to set up, and ANYTHING that can be done to simplify this process is worthwhile.  The main difference, from the users point of view, is that using TUN the two ends of the tunnel occupy two different portions of the local address range.  In this case, on our “home” LAN, the addresses are in the 192.168.0.x range and are assigned by the main router.  At the client end of the tunnel, the router running the Tomato firmware will hand out addresses in the 192.168.5.x range.  Neither router steps on the other’s toes, so to speak, when handing out addresses.  And there is one other difference — although shared directories can be accessed across the network, Windows/Samba shares cannot be “seen” on opposite ends of the tunnel. If you know they are there and know the IP address and share name of the hosting device, you can still access them, but the mechanism that advertises shares doesn’t cross the tunnel.

With TAP, on the other hand, the router at the primary location hands out IP addresses in the same local address range to devices on both sides of the tunnel, and also (in theory, anyway) shares will be “advertised” across the tunnel.  Sound like what you’d want, right?  Except that when we tried to set it up on the server side, somehow we managed to bring down the entire network – it basically acted like a denial-of-service attack on the entire LAN, and the problem stopped the moment we went back to using TUN. After you’ve messed with this stuff long enough, something like that can leave a rather bitter taste in your mouth, so we decided to stick with what worked.  In our particular application, seeing shares across the LAN would not be essential. Even if you eventually want to try using TAP, I suggest setting it up using TUN first, then when you have achieved that you can cross your fingers and try switching the mode to TUN at both ends.  I doubt it will work easily for you, but experimentation is certainly welcome.

If you want to know more about TUN/TAP and other OpenVPN options, you might want to get the book Beginning OpenVPN 2.0.9 (Amazon affiliate link) by Markus Feilner and Norbert Graf — see my recent mini-review of this book (links edited February, 2010 to reflect updated and expanded edition of the book).

So with the preliminaries out of the way, let’s get to the client screenshots…

Tomato Firmware - Basic | Network page
Tomato Firmware – Basic | Network page

This first shot shows the header, sidebar, and Save/Cancel buttons. Since the settings are probably a bit hard to read, we’ll zoom in on the pertinent part:

Settings portion of Basic | Network page
Settings portion of Basic | Network page

The main thing to keep in mind here is that the subnet you select must not conflict with address assignments on the primary network at the server. Next, on the Router Identification page, enter a Hostname to identify the router:

Basic | Identification page
Basic | Identification page

One thing I have read in several places is that it’s important for the time to be set accurately at the client.  For your choice of time servers there are several presets, but if you use Custom you can specify one or more of your own as the first choice(s), if you have a machine on your network that acts as an NTP server:

Basic | Time page
Basic | Time page

At this point you should probably go to the Administration | Admin Access page and set things up there to your liking. Remember that anything you make accessible on the router’s local LAN will also be accessible on the other side of your tunnel using the same security methods, so be careful.

Now to what we came for… setting up the VPN client. Click on VPN Tunneling and then on Client. I’ll say that one more time – you MUST click on Client. It’s far too easy to skip that step and accidentally be trying to configure a server! Then you should be at the Client 1, Basic tab:

VPN | Client page, Basic tab
VPN | Client page, Basic tab

Of course, the button at the bottom of the page will sat “Start Now” instead of “Stop Now” – I took these screenshots through the tunnel, so I couldn’t very well stop it to get that little detail right! After setting that up you want to click on the Advanced tab:

VPN | Client page, Advanced tab
VPN | Client page, Advanced tab

Note that the connection retry value is -1 (which means infinite retries) and there are two added lines in the custom configuration section:

keepalive 10 120
float

In case the connection to the server or the Internet goes down for a time, those settings should cause the client to keep attempting to re-establish the connection to the server. The float command is useful if your client is at a location where the ISP might change the IP address without advance notice — it is supposed to allow the VPN connection to survive an IP address change. You can omit float if your client is at a fixed IP address that is not subject to change.

And then the Keys tab – just take a look now, when we move on to the server I’ll explain how these are filled in:

VPN | Client page, Keys tab
VPN | Client page, Keys tab

There is one more thing that needs to be done (besides adding the keys) for our tunnel on the client side. Go to Administration | Scripts and click on the WAN Up tab. Enter the following two lines into the text box:

route del -net 0.0.0.0
route add -host `nvram get vpn_client1_addr` gw `nvram get wan_gateway`

The second line may wrap on your display due to length. You may want to copy and paste those lines so you get them right, but if you must type them, note that the ` characters are actually backticks – the small apostrophe-like character on the key to the left of the “1” key (the number 1) near the top left corner of most keyboards (well, in my part of the world, anyway). Then click on the Save button way down at the bottom of the page. If you fail to do this and your tunnel ever goes down (server dies or is inaccessible, etc.) there is a possibility that traffic that should go through the tunnel will use the local Internet connection instead.  These two lines will keep that from happening. When you are done it should look like this:

Administration | Scripts page | WAN Up tab
Administration | Scripts page | WAN Up tab

Just a note for future reference: You can optionally add an additional line here to allow you to get to something “upstream” of the network on the WAN side of the router. For example, let’s say you have configured the server to allow you to connect to devices on both the LAN subnet (192.168.5.x in our example here) and also devices connected to the primary router, in other words, on the WAN side of the router running the Tomato firmware (which were in the 192.168.1.x range on our example setup). But let’s suppose that upstream of that, you have a cable modem at 192.168.100.1 at the client location that you’d also like to be able to access. As long as you don’t have a conflicting address elsewhere in your network, you could add a line such as this in your WAN Up script:

route add -net 192.168.100.0 netmask 255.255.255.0 gw `nvram get wan_gateway`

… which would allow access to anything in the range of 192.168.100.0 through 192.168.100.255. If you want to be more specific, you can narrow it down to an exact address:

route add -host 192.168.100.1 gw `nvram get wan_gateway`

We’ll cover what else has to be done to enable this type of additional routing at the server end in the upcoming installments, but the above is what has to be done at the client-side router that is running the Tomato firmware. Note that you do not normally have to a a line such as this to get to devices on the same subnets as the LAN or WAN ports of the router, but just for anything upstream of the network that the WAN port of the router is connected to. If you don’t understand why you might want to add this type of additional routing now, just ignore this information for the time being, but make sure you do add the first two lines I mentioned above.

Once your tunnel is operational, you should go to the Advanced | Routing page and look at the Current Routing Table. Your addresses will differ (this was a test setup; you probably will see a wider range of addresses) but the main thing you want to make sure is that there is never an entry of default (or 0.0.0.0) in the destination column that goes to any interface other than a tunnel (tun11 in this illustration) — you should never see that whether the tunnel is enabled or disabled. If you do, then something’s likely wrong with the two lines you entered above (under the WAN Up tab):

Advanced | Routing page
Advanced | Routing page

So, that’s the basic client setup. Wasn’t too difficult, right? Ah, but just wait until we get going on the server — hopefully I can make it easy enough that you won’t have about three weeks worth of sleepless nights, when you occasionally mutter under your breath things like “Why? Why?? Why??? WHY won’t this damn thing work!”, and other things I’d rather not put on the Internet! But before I can write the next part, I REALLY need to catch some ZZZ’s, so the server will have to wait for part 2.

Review of OpenVPN: Building and Integrating Virtual Private Networks by Markus Feilner (Packt Publishing)

 

Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog. In order to comply with Federal Trade Commission regulations, I am disclosing that he received a free product sample of the item under review prior to writing the review, and that any links to Amazon.com in this article are affiliate links, and if you make a purchase through one of those links I will receive a small commission on the sale.
Cover of OpenVPN: Building and Integrating Virtual Private Networks
Cover of OpenVPN: Building and Integrating Virtual Private Networks

Before I start, let me give you a brief description of what’s in each chapter (this is taken directly from the Packt Publishing web site):

  • Chapter 1 looks at what VPNs are, how they evolved during the last decade, why it is necessary to modern enterprises, how typical VPNs work. The chapter also covers some essential networking concepts.
  • Chapter 2 explains VPN security issues, including symmetric and asymmetric encryption, the SSL/TLS library, and SSL certificates.
  • Chapter 3 introduces OpenVPN. In this chapter, we learn about the history of OpenVPN, how OpenVPN works, and how OpenVPN compares to IPSec VPN applications.
  • Chapter 4 covers installing OpenVPN on both Windows, the Mac, Linux, and FreeBSD. It covers the installation on Linux from the source code and RPM packages. Installation on Suse and Debian is covered in detail.
  • In Chapter 5, an encryption key for OpenVPN is created and it is then used to setup up our first OpenVPN Tunnel between two windows systems in the same network. The key is then copied on a Linux system and this system is connected through a tunnel to the first windows machine.
  • Chapter 6 shows how to create x509 server and client certificates for use with OpenVPN. easy-rsa which comes with OpenVPN and is available for both Windows and Linux is used.
  • Chapter 7 reviews the syntax of the command line tool openvpn, which enables building tunnels quickly. The configuration options of openvpn are covered in detail with examples.
  • Chapter 8 shows how to make the example tunnels created earlier safer and persistent by choosing a reliable combination of configuration file parameters. It then covers how to configure firewalls on Linux and Windows to work with OpenVPN.
  • Chapter 9 focuses on using xca, the advanced Windows tool with which x509 certificates can be easily managed. Its Linux equivalent, Tinyca2, which can even manage multiple certificate authorities, is also covered.
  • Chapter 10 covers advanced OpenVPN configurations, including Tunneling through a proxy server, pushing routing commands to clients, pushing and setting the default route through a tunnel, Distributed compilation through VPN tunnels with distcc, and OpenVPN scripting.
  • Chapter 11 shows how to debug and monitor VPN tunnels. It covers standard networking tools that can be used for scanning and testing the connectivity of a VPN server.

Although this may seem like a strange subject for this blog, I have recently become interested in the concept of Virtual Private Networks (VPN) because of the increasing number of attacks on Asterisk-based system based on spoof SIP credentials. SIP, the most popular protocol for VoIP, is an inherently insecure protocol – it relies on password protection only, and on most Asterisk boxes and in many VoIP devices and software products, the password is stored in plain text. On many systems, the user name is the same as the extension number, so all a potential intruder has to do is start a brute-force attack guessing passwords. The use of strong passwords along with the use of software like Fail2Ban (with iptables) can help minimize the exposure, but in the end it’s still only password protection.

Therefore, my feeling is that it would be much better to restrict extensions to access from within the local network (wherever possible), using the permit/deny fields in FreePBX or some similar mechanism, and then “tunnel” remote extensions through a secure VPN, so they appear to be on the local network.  The VPN could do the heavy lifting for security (even making the actual calls secure, although that wasn’t a priority in my situation).  My problem was that I knew next to nothing about VPN’s, and most of the pages on the Web seemed to assume at least some prior knowledge.  I needed something that would take me from zero knowledge to VPN guru.  Unfortunately, at my age it’s a case of “the spirit is willing but the brain is a bit weak”, so I realized that the “guru” part might not come very quickly (just as a comparison, I’ve been playing with FreePBX since back in the Asterisk@Home days, and there’s still a lot I don’t understand, but for the first year or so I felt totally lost).

Since the folks at Packt Publishing were willing to send me a review copy of OpenVPN: Building and Integrating Virtual Private Networks, I decided to see if I could actually learn anything from the book.  The first thing you need to know is that there are many types of VPN’s out there, and each will only communicate with its own kind, as it were.  The problem with most other tunnels is that they are either not all that secure, or contain proprietary code, or are incredibly complicated to set up and use (or some combination of the above).  OpenVPN has several advantages, perhaps the biggest being that it’s open source (so you can, if you are so inclined, examine the code and make sure there are no “backdoors” built in), that it can be as secure as you want it to be (and it’s not that difficult to make it very secure), and that it doesn’t rely on a third-party service over which you have no control (like one VPN application that touts itself as “zero-configuration”). So of all the VPN methods out there, OpenVPN seemed like a logical choice.

Now, having said that, the book covers its subject in a very logical manner.  Advanced readers (those already familiar with the principles behind VPNs) might find the introductory material in the first chapters a bit tedious, but believe me, it was just what I needed to help me get a grasp on the subject. As you go further through the book, there are many actual examples, first showing how to set up a working VPN tunnel, then how to add additional security, and finally how to troubleshoot connections.  If you are brand new at this, like me, you will probably find that you learn a great deal from the first chapters but find the latter chapters (especially Chapter 10) a bit beyond your comprehension at first.  However, the person who has some networking or VPN experience under their belt may think the first chapters a bit elementary, but will find the real meat they are looking for in the latter parts of the book. Either way, I guarantee you will come away with a greater comprehension of the subject.

The book shows how to install OpenVPN on several platforms (Windows, Mac OS X using Tunnelblick, FreeBSD, and SuSE, Debian, and Redhat/Fedora based versions of Linux), but it seems like some platforms are better covered than others.  A disproportionate number of examples and screenshots seem to be based on a Windows installation, whereas the Mac gets very little coverage. Because there are so many variations of Linux, the coverage there is mixed, although it seems like SuSE and Debian are better covered than Fedora-based versions, which was just a little bit disappointing because most Asterisk and FreePBX systems are based on CentOS, which is a Fedora-based OS. But most of the information in this book is not OS specific, so I didn’t have any real problem following along.

The biggest disappointment for me was in Chapter 8, where the book covers the use of Webmin, but primarily as an aid to administration of the Shorewall firewall.  Many Asterisk/FreePBX systems don’t use Shorewall, but instead use iptables (if they have a firewall on the Asterisk server at all).  But what was really disappointing was that there was no mention of, nor instructions for the use of the OpenVPN + CA module for Webmin (page is in Italian, but here is a description in English). I can only guess that because the book was first released in May,  2006 and version 1.0 of the Webmin module had only just been released in January of that same year, the author perhaps hadn’t had an opportunity to work with the module before the final draft of the book was submitted to the publisher. I hope that if this book is ever updated and republished, there will be consideration given to adding a chapter on the use of the Webmin module to set up and administer OpenVPN. In the meantime, you can find instructions for using the OpenVPN + CA module in The ‘Point and Click’ Home VPN HowTo Guide.

That said, I felt I learned a great deal from this book.  I was able to set up an OpenVPN server (using the Webmin module, but the book definitely helped me understand the purpose of the various options, and when I checked the configuration file that the module generated I was able to spot a couple of things that weren’t the way they should be for my setup and was able to change them) and the Windows client.  It all worked beautifully.

My project now, when I have absolutely nothing else to do, is trying to get the OpenVPN client running on an Asus WL-520gu router that has the DD-WRT firmware installed (I inherited this project from someone else who couldn’t do it).  So far this has proven to be a tough nut to crack – although it should be easy because (if you get the right version of DD-WRT) there is a built-in OpenVPN client with a handy configuration page, it just doesn’t seem to work “out of the box” – and from what I’m reading on the ‘net, for every one person who says they’ve got it working, there are about twenty others who have become incredibly frustrated by the process (example here – note that the original poster says he got it working, but that’s followed by about 16 pages of comments, mostly by people who just can’t seem to get it to go).  It’s a bit strange because the Windows client will work perfectly (indicating it’s not an issue with the server) but the firmware client in DD-WRT just doesn’t seem to work.  If I ever get it figured out, I’ll try to post what I did in this blog, but so far I’ve had no luck.  That, however, is not the fault of the book – in my opinion it’s the fault of the writers of the DD-WRT firmware, who apparently included a half-baked OpenVPN client interface in the firmware (I know, it’s free software so I can’t really complain, but one does wish that they’d taken a bit more care to make sure it worked).

After having read the book, I do feel fairly confident that if I should throw in the towel and decide to dump DD-WRT and install a different firmware on the router (I’m thinking about trying the Tomato firmware with USB support) I would be able to install an OpenVPN client from scratch and make it work.  Probably the main reason I haven’t wanted to do that is because I very much prefer using a GUI to do things, and would like to try to make the OpenVPN GUI in DD-WRT work (even if it requires a little help), but so far that doesn’t seem to be panning out.

But I digress a bit – anyway, if you are wanting to learn about OpenVPN, whether or not you are a rank beginner you will benefit from this book. The numerous examples and screenshots make it almost impossible to fail to get an OpenVPN tunnel up and running (providing you’re not using a questionable firmware client). And, as I said above, the book is laid out in a very logical progression, so I really didn’t feel totally lost at any point (as so often happens when I try to read technical books). Especially in the case where your boss suddenly decides he needs VPN tunneling capability, and wants you to have one up and running in a very short timeframe, this would be the book to get!

OpenVPN: Building and Integrating Virtual Private Networks by Markus Feilner (Amazon affiliate link)

EDIT: This book has been updated and expanded under a new title — see Mini-review of Beginning OpenVPN 2.0.9 by Markus Feilner and Norbert Graf (Packt Publishing)

Stop entering passwords: How to set up ssh public/private key authentication for connections to a remote server

 

Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which in turn was reposted with the permission of the original author from a now-defunct Macintosh-oriented blog. It is reposted with his permission. Comments dated before the year 2013 were originally posted to The Michigan Telephone Blog.

This article assumes that you are already able to ssh into a remote server using a password (that is, that your account has been created on the remote system and you are able to access it). Here’s how to set up ssh public/private key authentication so you don’t have to use the password on future logins, or so you can use Public Key authentication with MacFusion.

First, open a terminal or iTerm window as we will be using it for most of the following operations. First, navigate to your home directory, and see if there is a folder called .ssh. Note that Finder will NOT show you this directory unless you have it set to show all file extensions, so since we are at a command line prompt anyway, it’s easiest to just type “cd ~” (without the quotes) to go to your home directory in Terminal or iTerm and type “ls -a” (again without the quotes – always omit the quotes when we quote a command) to see if the .ssh directory exists. If it does, go into the directory (”cd .ssh”) and see if there are two files called id_rsa and id_rsa.pub (use “ls -a” again). If either the directory or the files do not exist, you will need to create them.

ssh-keygen -t rsa -f ~/.ssh/id_rsa -C "your@emailaddress.com"

Replace your@emailaddress.com with your email address – this is just to make sure the keys are unique, because by default it will use your_user_name@your_machine_name.local, which might come up with something too generic, like john@Mac.local. It’s unlikely that anyone else is using your e-mail address in a key.  If this process fails with a “Permission denied” error, it might be because SELinux is enabled.  To check that theory, see How to Disable SELinux, which will show you how to disable it temporarily (for testing) or permanently.

Now, from your terminal window on your local system, execute this command:

ssh-copy-id username@remote

You can run ssh-copy-id -h or man ssh-copy-id to see the available options, but normally you don’t need any. In the event your system does not have ssh-copy-id installed, you can instead run the following three commands from a terminal or iTerm window on your local system. Whichever method you use, replace username with your login name and remote with the address of the remote system. Note that you should NOT be logged into the remote system when you execute these – these are run from a command prompt on your local system, and you probably will be prompted to enter your password (for the remote system):

ssh username@remote ‘mkdir ~/.ssh;chmod 700 ~/.ssh’

The above creates the .ssh directory on the remote system and gives it the correct permissions. If the command fails (for example, I’ve had it complain that mkdir isn’t a valid command, even though it is on just about every Unix/Linux system), then either you have copied and pasted the above line and WordPress changed the single quotes to the “prettified” versions (so change them back) or you may have to actually log into the remote system (using a password) and enter the two commands individually (mkdir ~/.ssh followed by chmod 700 ~/.ssh). Then, if you don’t already have an authorized_keys file on the remote system, go back to your local terminal or iTerm window for this:

scp ~/.ssh/id_rsa.pub username@remote:~/.ssh/authorized_keys

The above creates a new list of authorized keys on the remote system (overwriting any existing file with that name) and copies your public key to it.  If you already have such a file and don’t want it overwritten, then you’ll have to manually add the contents of your local ~/.ssh/id_rsa.pub file to the end of the ~/.ssh/authorized_keys file on the remote system.

ssh username@remote ‘chmod 600 ~/.ssh/authorized_keys’

This fixes the permissions on the authorized_keys file on the remote system. Once again, there may be the odd situation where you can only run the command within the single quotes from the remote system.

And, that’s basically all there is to it. If you are the system administrator of the remote system, but you don’t ever plan to login from a remote location as root, then for extra security edit the file /etc/ssh/sshd_config on the remote system (you’ll probably have to be root, or use sudo to do this task). Just use your favorite text editor on the remote system to open the file, and look for a line that says:

PermitRootLogin yes

And change the “yes” to “no”.

If you are still asked for a password after you are finished making the above changes, look for a line in /etc/ssh/sshd_config that says:

StrictModes yes

And change the “yes” to “no”. You’ll need to reboot or restart the ssh server for this to take effect. An alternate, and probably more secure fix is to check the permissions on your home directory – if it is not writable by anyone but the owner, then it should not be necessary to change the StrictModes parameter. For more troubleshooting hints see Debugging SSH public key authentication problems.

The above are very basic instructions for setting up ssh public/private key authentication. There are other ways to do this (including some that are arguably a bit more secure) but we wanted to keep it simple. Hopefully this will help someone who is using ssh, MacFusion, etc. and wants something a bit more secure and less bothersome than password access.

One other note:  If you find the connection drops within a minute or so, particularly after you’ve just purchased a new router, then on the client machine running Mac OS X edit the file /private/etc/ssh_config (under Linux it’s /etc/ssh/sshd_config and I don’t know what it would be called under Windows, or if they even have such a file) and add this line:

ClientAliveInterval 60

If it still stops working lower the timeout to 30. See How to fix ssh timeout problems for more information.

If you find my instructions confusing, try SSH Passwordless Login Using SSH Keygen in 5 Easy Steps.

And, for hints on making ssh more secure (particularly if you permit access from the Internet in general and not just your local network), see this article on Securing OpenSSH (via the CentOS wiki).