Difference between revisions of "OpenVPN for Palm Pre"
(→OpenVPN client installation: Add pointer to PreVPNc GUI project.)
Latest revision as of 06:36, 22 October 2010
Introduction
OpenVPN enables you to build a secure virtual private network (VPN) connection from your Palm device to any reachable OpenVPN server, over an encrypted TLS connection. For encryption it uses the OpenSSL libraries. On the transport layer it can use TCP or UDP. The secure connection, or "tunnel", between client and server is created with virtual network devices provided by the TUN/TAP kernel drivers. With optware, openvpn is easily installable on your Palm device via ipkg. A typical scenario is connecting your Palm device via 3G to your home network, to access data and services hosted on a NAS, for example.
OpenVPN client installation
To set up a connection to an available OpenVPN endpoint, you need the appropriate kernel module (tun.ko) on your Palm device and a client configuration that depends on the type of connection you want to create (bridged or routed). The optware OpenVPN ipkg installs cleanly, as the transcript below shows. The Palm Pre/Pixi Linux kernel is compiled with the /dev/tun driver built in, so you can ignore the module dependency warning. There are two projects creating GUIs for webOS: PreVPNc on Google Code and pre-openvpn on Gitorious.org.
Note: oinstall is an alias, alias oinstall="sudo ipkg-opt install"
┌─(box@castle)-(09:28:44)->
└─(~)--> $ oinstall openvpn
Installing openvpn (2.1_rc15-1) to root...
Downloading http://ipkg.nslu2-linux.org/feeds/optware/cs08q1armel/cross/unstable/openvpn_2.1_rc15-1_arm.ipk
openvpn: unsatisfied recommendation for kernel-module-tun
Installing lzo (1.08-2) to root...
Downloading http://ipkg.nslu2-linux.org/feeds/optware/cs08q1armel/cross/unstable/lzo_1.08-2_arm.ipk
Configuring lzo
Configuring openvpn
Successfully terminated.
OpenVPN client configuration
OpenVPN is deployed quickly and easily. The OpenVPN.net website and source installations contain configuration scripts that can make OpenVPN connect to your home or workplace when WiFi is activated. The following excerpt assumes that you already have the following available:
- a certificate for yourself / your device (in the example, called palmpre.crt)
- the issuing certificate authority (ca.crt)
- a key-file (palmpre.key)
- a client configuration for your Palm device (palmpre.ovpn)
Be aware that the above filenames are only examples. Most likely you will create these files yourself.
It is highly suggested that you make yourself familiar with creating your own keys (and certificates), unless they are provided to you by a very trusted source!
As you create certificates, keys, and certificate signing requests yourself, understand that only .key files need to be kept confidential. .crt and .csr files can be sent over insecure channels such as plaintext email. You should never need to copy a .key file between computers; normally each computer has its own certificate/key pair.
Have a look at the wiki page Setup optware OpenVPN on a NAS, which gives exact instructions. For easy key management, the easy-rsa package provides the necessary tools. It is also available via optware and is well documented on the OpenVPN website.
┌─(root@castle)-(10:17:05)->
└─(/opt/etc/openvpn)--> # unzip palmpre.zip
Archive: palmpre.zip
creating: palmpre/
inflating: palmpre/ca.crt
inflating: palmpre/palmpre.key
inflating: palmpre/palmpre.crt
inflating: palmpre/palmpre.conf
inflating: palmpre/dh2048.pem
inflating: palmpre/palmpre.ovpn
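Before the first connection attempt it pays to look over the unpacked profile with the two points above in mind: the server must be authenticated with the CA you were given, and the .key file is the only part of the bundle that must stay private. The script below is an added example for this page, not code from the page or from the OpenVPN project. It parses the plain "directive argument" line format of an .ovpn file (inline <ca>...</ca> blocks are not handled), writes a constructed sample bundle with placeholder PEM contents into a temporary directory, and reports missing directives, a missing remote-cert-tls server (without it, any certificate issued by the same CA would be accepted as the server), credentials read from a file, and a .key readable by other users. The hostname vpn.example.org is a placeholder, and file paths are assumed to be relative to the profile's directory (which is what --cd gives you).

```python
"""Sanity-check an OpenVPN client profile (.ovpn) before its first use.

Added example, not part of the wiki page or of OpenVPN itself.
Sample profile and PEM contents below are constructed placeholders.
"""
import os
import stat
import tempfile

# Constructed sample in the style of palmpre.ovpn; vpn.example.org is a placeholder.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert palmpre.crt
key palmpre.key
comp-lzo
verb 3
"""

# Placeholder file contents; real files come from your own CA (for instance easy-rsa).
PLACEHOLDER_PEM = "-----BEGIN PLACEHOLDER-----\n(not a real key)\n-----END PLACEHOLDER-----\n"


def parse_ovpn(text):
    """Map directive -> list of argument lists (a directive may repeat).

    Simplified parser: plain 'directive arg ...' lines with # or ; comments.
    Inline <ca>/<cert>/<key> blocks of unified profiles are not supported.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        for marker in ("#", ";"):          # strip trailing comments
            if marker in line:
                line = line.split(marker, 1)[0].rstrip()
        parts = line.split()
        if parts:
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def check_profile(path):
    """Return a list of findings; an empty list means nothing to complain about."""
    base = os.path.dirname(os.path.abspath(path))   # assumed: paths relative to profile dir
    with open(path) as f:
        d = parse_ovpn(f.read())
    findings = []
    for needed in ("remote", "ca", "cert", "key"):
        if needed not in d:
            findings.append("MISSING: %s directive" % needed)
    if "client" not in d and "tls-client" not in d:
        findings.append("MISSING: client (or tls-client)")
    # Without a server-role check, any certificate signed by your CA, e.g. another
    # client's, would be accepted as the server's certificate.
    if "remote-cert-tls" not in d and "ns-cert-type" not in d:
        findings.append("WEAK: no remote-cert-tls server / ns-cert-type server")
    if "auth-user-pass" in d and any(args for args in d["auth-user-pass"]):
        findings.append("WEAK: auth-user-pass reads credentials from a file")
    # Only the .key must stay confidential: it should not be group/world readable.
    for args in d.get("key", []):
        if not args:
            continue
        key_path = os.path.join(base, args[0])
        if not os.path.exists(key_path):
            findings.append("MISSING: key file %s" % args[0])
            continue
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("PERM: %s is mode %04o, should be 0600" % (args[0], mode))
    return findings


def write_sample_bundle(key_mode=0o644, extra=""):
    """Create a throwaway directory holding the constructed sample bundle."""
    d = tempfile.mkdtemp(prefix="palmpre-")
    for name in ("ca.crt", "palmpre.crt", "palmpre.key"):
        with open(os.path.join(d, name), "w") as f:
            f.write(PLACEHOLDER_PEM)
    os.chmod(os.path.join(d, "palmpre.key"), key_mode)
    profile = os.path.join(d, "palmpre.ovpn")
    with open(profile, "w") as f:
        f.write(SAMPLE_OVPN + extra)
    return profile


if __name__ == "__main__":
    # Run against a real bundle with: check_profile("/opt/etc/openvpn/palmpre/palmpre.ovpn")
    for finding in check_profile(write_sample_bundle()) or ["OK"]:
        print(finding)
```

On the sample bundle the script reports the missing remote-cert-tls server line and the 0644 mode of palmpre.key; adding the directive and running chmod 600 on the key clears both findings.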
Starting OpenVPN
For a first connection test, start openvpn on your Palm device in the foreground so that it writes to standard output. That way you can follow along if anything goes wrong during the initialization sequence:
openvpn --config /opt/etc/openvpn/palmpre/palmpre.ovpn
If it connects successfully, you can start it as a background task (appending &), redirecting output to /dev/null. (You could also write an upstart script; see the example for the Hamachi VPN in the resources below.)
┌─(root@castle)-(10:19:33)->
└─(/opt/etc/openvpn)--> # openvpn --config /opt/etc/openvpn/palmpre/palmpre.ovpn >>/dev/null&
Testing connection
When testing access to your openvpn endpoint (server) from your Palm device, it is beneficial if the two can reach each other only via the openvpn tunnel (and not via an alternate route in your home network). The following scenario assumes that a Palm device connects via openvpn to a private network (possibly your home network) from outside, using 3G (EVDO, UMTS). You can test this by turning off WiFi and connecting to your Palm device over SSH using a Bluetooth PAN. Check that your Palm device still has internet access over 3G when WiFi is off (while pinging google, drop WiFi and monitor via SSH over Bluetooth PAN):
64 bytes from 74.125.67.100: seq=5 ttl=52 time=46.505 ms
64 bytes from 74.125.67.100: seq=6 ttl=52 time=45.603 ms
64 bytes from 74.125.67.100: seq=7 ttl=52 time=49.132 ms
64 bytes from 74.125.67.100: seq=8 ttl=52 time=101.013 ms
64 bytes from 74.125.67.100: seq=9 ttl=52 time=1556.213 ms <-- cutover wifi to evdo
64 bytes from 74.125.67.100: seq=10 ttl=52 time=561.371 ms
64 bytes from 74.125.67.100: seq=11 ttl=52 time=54.932 ms
64 bytes from 74.125.67.100: seq=12 ttl=50 time=109.436 ms
64 bytes from 74.125.67.100: seq=13 ttl=50 time=105.896 ms
64 bytes from 74.125.67.100: seq=14 ttl=50 time=104.523 ms
If you now ping IPs in your home network (the openvpn endpoint/gateway or other hosts behind it), traffic to your private network is routed through the encrypted tunnel:
┌─(root@castle)-(10:33:54)->
└─(/opt/etc/openvpn/palmpre)--> # ping 192.218.1.10
PING 192.218.1.10 (192.218.1.10): 56 data bytes
64 bytes from 192.218.1.10: seq=0 ttl=42 time=456.665 ms
64 bytes from 192.218.1.10: seq=1 ttl=42 time=260.773 ms
64 bytes from 192.218.1.10: seq=2 ttl=42 time=268.189 ms

┌─(root@castle)-(10:35:13)->
└─(/opt/etc/openvpn/palmpre)--> # ping 192.218.0.1
PING 192.218.0.1 (192.218.0.1): 56 data bytes
64 bytes from 192.218.0.1: seq=0 ttl=64 time=259.552 ms
64 bytes from 192.218.0.1: seq=1 ttl=64 time=114.898 ms
64 bytes from 192.218.0.1: seq=2 ttl=64 time=118.958 ms

┌─(root@castle)-(10:35:40)->
└─(/opt/etc/openvpn/palmpre)--> # ping 192.218.0.218
PING 192.218.0.218 (192.218.0.218): 56 data bytes
64 bytes from 192.218.0.218: seq=0 ttl=64 time=502.137 ms
64 bytes from 192.218.0.218: seq=1 ttl=64 time=182.556 ms
64 bytes from 192.218.0.218: seq=2 ttl=64 time=123.016 ms
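A successful ping shows that the home addresses are reachable, but not which interface the packets left on; that is exactly the "alternate route" worry above, since a WiFi link into the same network would answer just as happily as the tunnel. The script below is an added example for this page, not code from the page or from the OpenVPN project. It parses routing-table lines in the iproute2 "ip route" layout (constructed sample below; busybox "route -n" prints a different layout and would need its own parser), does a longest-prefix lookup for the three home addresses pinged above, and reports any of them that would leave through an interface other than tun0. It also flags the opposite mistake, the VPN server's own address being routed into the tunnel, which can happen when a default route is pushed into tun0 without a host route for the server. The interface names ppp0, tun0 and eth0, the 10.8.0.0/24 tunnel addresses and the server address 203.0.113.7 are assumptions.

```python
"""Check that home-network traffic really leaves via the tun interface.

Added example, not part of the wiki page or of OpenVPN. The routing
table below is constructed in the layout of Linux "ip route show".
"""
import ipaddress

# Constructed: 3G link on ppp0, tunnel on tun0, home network routed into the tunnel.
SAMPLE_ROUTES = """\
default via 10.64.1.1 dev ppp0
10.64.1.0/24 dev ppp0 proto kernel scope link src 10.64.1.42
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.218.0.0/16 via 10.8.0.5 dev tun0
"""

# Constructed: same table while WiFi into the home LAN is still up on eth0.
WIFI_UP_ROUTES = SAMPLE_ROUTES + "192.218.0.0/24 dev eth0 proto kernel scope link src 192.218.0.50\n"

HOME_HOSTS = ["192.218.1.10", "192.218.0.1", "192.218.0.218"]   # the hosts pinged above
VPN_SERVER = "203.0.113.7"                                     # placeholder public address


def parse_routes(text):
    """Return a list of (network, device, gateway) tuples from 'ip route' lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # A bare host address such as 10.8.0.5 becomes a /32 network.
            net = ipaddress.ip_network(parts[0], strict=False)
        dev = via = None
        for i, tok in enumerate(parts[1:-1], start=1):
            if tok == "dev":
                dev = parts[i + 1]
            elif tok == "via":
                via = parts[i + 1]
        routes.append((net, dev, via))
    return routes


def egress_device(routes, addr):
    """Longest-prefix match: the interface a packet to addr would leave on."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, dev, via in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, via)
    return best[1] if best else None


def check_tunnel_routing(routes, probe_addrs, server_addr, tun_dev="tun0"):
    """Return findings: LEAK for probes bypassing the tunnel, LOOP if the server itself would."""
    findings = []
    for addr in probe_addrs:
        dev = egress_device(routes, addr)
        if dev != tun_dev:
            findings.append("LEAK: %s would leave via %s, not %s" % (addr, dev, tun_dev))
    if egress_device(routes, server_addr) == tun_dev:
        findings.append("LOOP: VPN server %s is routed into %s itself" % (server_addr, tun_dev))
    return findings


if __name__ == "__main__":
    # On the device, feed real output instead: parse_routes(subprocess.check_output(["ip", "route"]).decode())
    for label, table in (("3G only", SAMPLE_ROUTES), ("WiFi still up", WIFI_UP_ROUTES)):
        print(label, check_tunnel_routing(parse_routes(table), HOME_HOSTS, VPN_SERVER) or "OK")
```

With only the 3G link up all three home hosts resolve to tun0 and the server to ppp0. With the WiFi route present, the more specific 192.218.0.0/24 entry wins for 192.218.0.1 and 192.218.0.218, so a ping to them would succeed without ever touching the tunnel.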
OpenVPN IRC channel
The OpenVPN IRC channel ##OpenVPN exists on the same Freenode server as #WebOS-Internals. Please stop by either channel with questions after visiting http://openvpn.net
Further resources
- OpenVPN.net: the official website of OpenVPN. See the excellent documentation (Community software > Documentation > Howto).
- Easy-RSA: key management tool for OpenVPN.
- Hamachi on Pre: use the popular, proprietary Hamachi for VPN on your Palm device.
- Optware OpenVPN on a QNAP NAS: gives a good example of a complete configuration.