Blog

DD-WRT + Tunnelblick = OpenVPN

Posted by Nejc Zupan at Aug 12, 2010 05:10 PM |
Filed under: OS X, DD-WRT, OpenVPN

While debating VPNs at the Sauna Sprint, the other sprinters convinced me that we should use a VPN for remote access to the internal services in our office, and as an extra layer of security when working from public networks. So here it goes.

Certificates

I didn't want to install openssl and openvpn on my MacBook just so I could generate access certificates. Luckily, a Rackspace Cloud instance with Ubuntu was only 2 minutes away. From there on I just followed the tutorial on creating certificates. Only the CA certificate, the server certificate and key, and the DH parameters need to go to the router; the CA private key stays on the machine that signs certificates, and each client gets only its own certificate and key.
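The certificate step spelled out, as an added example that is not from the original post or from the tutorial it links to. It uses plain openssl instead of easy-rsa and produces exactly the file names the configs below expect: ca.crt, cert.pem, key.pem and dh.pem for the router, and ca.crt, bob.crt, bob.key for Tunnelblick. The CA name "VPN-CA", the server CN "server", the client name "bob", the 2048-bit keys and the ten-year validity are all assumptions, not values from the post. The one detail that matters for the client config is the extendedKeyUsage=serverAuth extension on the server certificate: the client's `remote-cert-tls server` directive rejects a server certificate that lacks it, and it is what stops one client's certificate from being used to impersonate the server.

```shell
#!/bin/sh
# Added example, not code from the original post: build a small OpenVPN PKI
# with plain openssl. Names (VPN-CA, server, bob), key size and validity are
# assumptions chosen for this example.
set -e

# make_vpn_pki <outdir> [client-name]
# Creates ca.crt/ca.key, cert.pem/key.pem (server) and <client>.crt/<client>.key.
make_vpn_pki() (
    dir="$1"; client="${2:-bob}"
    set -e
    mkdir -p "$dir" && cd "$dir"
    umask 077   # every key file written below is created mode 600

    # 1. CA key and self-signed CA certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=VPN-CA" -keyout ca.key -out ca.crt 2>/dev/null

    # 2. Server certificate. keyUsage digitalSignature+keyEncipherment and
    #    extendedKeyUsage serverAuth are what "remote-cert-tls server" on the
    #    client checks; without them the client refuses the connection.
    printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > server.ext
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server" \
        -keyout key.pem -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 3650 -extfile server.ext -out cert.pem 2>/dev/null

    # 3. Client certificate: clientAuth only, so it can never pass the
    #    server check above if a client's key is ever stolen.
    printf 'keyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$client" \
        -keyout "$client.key" -out "$client.csr" 2>/dev/null
    openssl x509 -req -in "$client.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 3650 -extfile client.ext -out "$client.crt" 2>/dev/null

    rm -f server.csr server.ext "$client.csr" client.ext
)

# make_dh <outdir> [bits]: DH parameters for the router's "dh" directive.
# Slow (minutes at 2048 bits), so it is a separate step.
make_dh() {
    openssl dhparam -out "$1/dh.pem" "${2:-2048}" 2>/dev/null
}

# check_vpn_pki <dir> [client-name]
# Verifies both certificates chain to ca.crt, that the server certificate
# carries the serverAuth EKU and that the client certificate does not.
check_vpn_pki() {
    dir="$1"; client="${2:-bob}"
    openssl verify -CAfile "$dir/ca.crt" "$dir/cert.pem" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/ca.crt" "$dir/$client.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/cert.pem" -noout -text \
        | grep -q 'TLS Web Server Authentication' || return 1
    ! openssl x509 -in "$dir/$client.crt" -noout -text \
        | grep -q 'TLS Web Server Authentication' || return 1
    return 0
}

# Usage:
#   make_vpn_pki ./pki bob && make_dh ./pki 2048 && check_vpn_pki ./pki bob
```

Paste ca.crt, cert.pem, key.pem and dh.pem into the DD-WRT OpenVPN page; copy ca.crt, bob.crt and bob.key to the laptop. Because of the umask the key files come out mode 600, and they should stay that way after copying.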

OpenVPN server

Since we already have a Linksys WRT54G router running DD-WRT firmware, it was an obvious decision to use this piece of hardware as the OpenVPN server. Off to the DD-WRT download page to grab the build that also has OpenVPN support (dd-wrt.v24_vpn_generic.bin). A quick flash of the router's firmware and we are set.

  1. Enable the OpenVPN server in Services and set its Start type to WAN Up.
  2. Paste in the certificates created in advance on the Ubuntu cloud instance.
  3. Paste in the OpenVPN server config (find it below).
  4. Configure iptables by going to Administration -> Commands, pasting in the iptables config (find it below) and clicking Save Firewall.
  5. Reboot the router.

Tunnelblick OpenVPN client

For OS X users the recommended application for using OpenVPN is Tunnelblick.

1. Go to Tunnelblick's website, download the Tunnelblick 3.0 application and install it.

2. Run Tunnelblick. Click "Install and edit sample configuration file" and paste the client configuration (find it below) into it.

3. In this configuration, find "SSL/TLS parms." and replace the text bob with the name you used in the first step when creating the certificates (the same as the filename of the certificates).

4. Use Terminal to add the certificate and key files (the ones created on the Ubuntu cloud instance) to your Tunnelblick configuration, again replacing bob in the filename. Keep bob.key readable only by your own user; it is the credential that grants access to the office network.

    • nano ~/Library/Application\ Support/Tunnelblick/Configurations/ca.crt
    • nano ~/Library/Application\ Support/Tunnelblick/Configurations/bob.crt
    • nano ~/Library/Application\ Support/Tunnelblick/Configurations/bob.key

Now you are ready to use your VPN. Click on the Tunnelblick icon next to the clock in the top-right corner of your screen and select Connect 'openvpn'. All your traffic should now be routed through an encrypted tunnel to your office.

Confirm this by visiting http://whatismyip.com. The IP displayed should be your office's IP, meaning you are reaching the internet through the tunnel from your office. Hooray!

Config files

OpenVPN server config

push "route 192.168.1.0 255.255.255.0"
server 192.168.2.0 255.255.255.0

dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

# the management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port
# the port must be 5001 for the scripts embedded in the firmware to work
management localhost 5001

iptables config

# enable tunnel
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
# NAT the VPN client traffic to the internet
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE

Tunnelblick config

# Specify that we are a client and that we will be pulling certain config file directives from the server.
client

# Use the same setting as you are using on the server.
# On most systems, the VPN will not function unless you partially or fully disable the firewall for the TUN/TAP interface.
dev tun0

# Are we connecting to a TCP or UDP server?  Use the same setting as on the server.
proto udp

# The hostname/IP and port of the server.
remote <your office IP> 1194

# Keep trying indefinitely to resolve the host name of the OpenVPN server.
# Very useful on machines which are not permanently connected to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
# NOTE: this causes problems with reverting to the default route once the VPN is disconnected
# user nobody
# group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# Wireless networks often produce a lot of duplicate packets.  Set this flag to silence duplicate packet warnings.
mute-replay-warnings

# SSL/TLS parms.
ca ca.crt
cert bob.crt
key bob.key

# Enable compression on the VPN link. Don't enable this unless it is also enabled in the server config file.
;comp-lzo

# Set log file verbosity.
verb 3

# from wiki
# remote-cert-tls server only accepts a server certificate issued with the TLS server key usage,
# so a stolen client certificate cannot be used to impersonate the office server
remote-cert-tls server
float

# route all traffic through VPN
redirect-gateway def1
dhcp-option DNS <your ISP's primary DNS IP>
dhcp-option DNS <your ISP's secondary DNS IP>

Back from Helsinki

Posted by Nejc Zupan at Aug 09, 2010 10:00 PM |
Filed under: Sprint, Plone

I'm back from another legendary sprint: the Plone Sauna Sprint in Helsinki. No need to say anything more, here are the reports:

Next on schedule: Plone Conference in Bristol.

Clickbank integration for Plone

Posted by Nejc Zupan at Jul 13, 2010 03:20 PM |
Filed under: Clickbank, Plone

So you want paid membership on your Plone site? Look no further, we present to you niteoweb.clickbank.

It's a Plone 4 add-on that integrates the ClickBank digital-products retailer system with Plone to enable paid memberships on your Plone site. It's very simple to install and use.

Project page: http://pypi.python.org/pypi/niteoweb.clickbank

Documentation: http://packages.python.org/niteoweb.clickbank

Code: http://svn.plone.org/svn/collective/niteoweb.clickbank

MladiPodjetnik.si performance tweaks

Posted by Nejc Zupan at May 19, 2010 12:45 PM |
Filed under: HAProxy, Buildout, Plone

MladiPodjetnik.si is a portal we have been actively developing since 2006, and it has seen 3 revisions since then. The latest one, running on Plone 3.1, was running out of juice due to an enormous increase in traffic over the last year. It was time to do some performance optimization.

1. We started out by upgrading Plone to the latest 3.x release, 3.3.5. A fairly straightforward procedure.

2. Then we focused on optimizing Zope settings:

    • setting python-check-interval to 1000
    • lowering ZServer threads (we could do this because we were adding ZEO clustering with several Zopes)
    • tweaking the ZODB cache size
    • disabling Z2.log
    • specifying only one language (Slovenian) for the Placeless Translation Service

# add these lines to the [instance] section of your buildout.cfg
z2-log = off
zodb-cache-size = 13500
zserver-threads = 1
zope-conf-additional =
    python-check-interval 1000
environment-vars =
    PTS_LANGUAGES sl

3. Pinning a newer version of zope.i18nmessageid fixes severe memory leaks in Zope.

[versions]
zope.i18nmessageid = 3.5.1

4. Finally we built and configured the HAProxy load balancer so that several Zopes can serve those requests.

Result: The tweaking proved successful, as we no longer get time-outs at traffic peaks and the site feels much snappier than before. Munin graphs confirm this.

New Plone website - Vodja.si

Posted by Nejc Zupan at Apr 30, 2010 09:10 AM |
Filed under: Plone

It's time for a new website release. This time it's Vodja.si.

Vodja.si is a presentation website for the NLP and leadership trainer Marjan Račnik.

The base for the project is the default Plone CMS with a unique theme developed from a Photoshop mockup, plus some Plone add-ons such as ContentWellPortlets.

The site also has an intranet section where training participants can download materials and do some basic collaboration.

More about the project on our portfolio page.