Tuesday, June 05, 2007

Requiescat In Pace

It has been a fantastically horrible month in my real life. I'll just leave it at that. All my current projects, including the portal I was hoping to launch, are pretty much indefinitely on hold.

In other news, I've been trying to find a better way of connecting to my home network while abroad. I've been using SSH to connect and locally forward ports to the home network, but that meant every service had to be hard-coded. Instead I've been evaluating OpenVPN on OpenWRT. Both are amazing projects, and both worthy of considerable attention.

I haven't evaluated OpenWRT in nearly four years now... they had just started using a package manager when I last tried to flash my WRT54Gv2. It's in an amazingly well-adjusted and highly advanced state now... it was hard to believe how flexible the OS & utilities were. Everything worked out of the box with a minimum of hacking. Especially for someone like myself who used to construct Linux home firewalls out of old workstations, this fit my schema perfectly. I was a HyperWRT guy, but as that firmware grew stale I moved to an entire distro-in-RAM.

OpenVPN is further evidence of why IPSec tunnels just never gained proper adoption in the roadwarrior market segment. They work fantastically when joining disparate networks through concentrators, but they just don't offer the flexibility, interoperability and ease-of-use that SSL tunnels do. I was an IPSec advocate in the days of FreeS/WAN, but once opportunistic encryption adoption didn't reach ubiquity they supposedly just closed up shop. PPTP offers good interoperability and ease-of-use, but was ultimately PPP with some wrappers around it. OpenVPN has proven itself to be a secure and flexible compromise between the two while still maintaining ease of use behind firewalls, proxies and NATs. It may lack a certain "purity" of IPSec, but for roadwarrior and ad-hoc connections OpenVPN is indispensable.

Juniper Networks has a pretty good "Instant Virtual Extranet" platform that incorporates an SSL-based VPN solution which does a great job - it even supports Linux. I have to give a big tip o' the hat to Juniper Networks on that one - they actually developed a VPN client that works properly in Linux. Launch a Java Applet, grant it rights to install a client stub on your machine, then an SSL tun0 interface automagically pops up on your Linux box. Bravo.

But I digress.

The NetworkManager GUI within both Gnome and KDE has support for OpenVPN tunnels, so I decided to give it a try. At first I attempted the most simple case using a static key. For the life of me I couldn't get static key support to work with NetworkManager... it wouldn't even establish a connection despite the fact that it worked manually on the console. I gave up on static keys and instead created a public key infrastructure, issuing client keys when needed. This allowed me to establish a connection just fine, but it brought one critical bug to the surface: DNS resolution was subsequently borked, since NetworkManager wiped out resolv.conf once the tunnel was initialized. Fooey.

So instead I created a manual script that initiates the tunnel. That appears to be working pretty well now... no big worries. For now it's a straight UDP tunnel, but I might change it to TCP down the road.
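To show how a hand-rolled launcher can sidestep the resolv.conf problem, here is an added example of a client-side script. It is not the script from this post and not part of OpenVPN or NetworkManager. It starts the tunnel in the foreground and, through OpenVPN's --up/--down hooks, writes the DNS servers the server pushes into resolv.conf, then restores the previous file when the tunnel goes down. Assumed rather than taken from the post: the client config path /etc/openvpn/home.conf, and a server config that pushes "dhcp-option DNS ..." and "dhcp-option DOMAIN ..." lines. OpenVPN hands those pushed options to the hook as foreign_option_1, foreign_option_2, ... environment variables and sets script_type to "up" or "down". The --script-security and --remote-cert-tls options need OpenVPN 2.1 or later (the 2.0-era HOWTO used ns-cert-type server for the same check).

```shell
#!/bin/sh
# Added example: manual OpenVPN client launcher that also acts as its own
# --up/--down hook, so pushed DNS settings land in /etc/resolv.conf and the
# original file is restored on teardown (no NetworkManager involved).
# Assumed paths (hypothetical): /etc/openvpn/home.conf, /etc/resolv.conf.
# Invoke with an absolute path, e.g. "/usr/local/sbin/home-vpn start", so
# that "$0" is usable by openvpn when it re-executes this file as the hook.

set -f   # no filename globbing while word-splitting pushed values below

CONF=${CONF:-/etc/openvpn/home.conf}
RESOLV=${RESOLV:-/etc/resolv.conf}
BACKUP=${BACKUP:-/etc/resolv.conf.openvpn-saved}

# Print every pushed "dhcp-option <kind> <value>" value of the given kind.
# OpenVPN exports pushed options it cannot apply itself as foreign_option_1,
# foreign_option_2, ... in the hook's environment.
pushed_option() {
    kind=$1
    i=1
    while eval "opt=\${foreign_option_$i}" && [ -n "$opt" ]; do
        set -- $opt            # word-split into: dhcp-option KIND VALUE
        if [ "$1" = dhcp-option ] && [ "$2" = "$kind" ]; then
            printf '%s\n' "$3"
        fi
        i=$((i + 1))
    done
}

# Render resolv.conf from the pushed options. Only dotted-quad addresses are
# accepted, so a malformed or hostile push cannot smuggle arbitrary resolver
# directives into the file.
build_resolv_conf() {
    domain=$(pushed_option DOMAIN | head -n 1)
    if [ -n "$domain" ]; then
        printf 'search %s\n' "$domain"
    fi
    for ns in $(pushed_option DNS); do
        case $ns in
            *[!0-9.]*) continue ;;   # reject anything that is not digits and dots
        esac
        printf 'nameserver %s\n' "$ns"
    done
}

# --up hook: keep the pre-tunnel resolver config, then install the pushed one.
tunnel_up() {
    if [ ! -f "$BACKUP" ]; then
        cp "$RESOLV" "$BACKUP"
    fi
    build_resolv_conf > "$RESOLV"
}

# --down hook: put the saved resolver config back.
tunnel_down() {
    if [ -f "$BACKUP" ]; then
        mv "$BACKUP" "$RESOLV"
    fi
}

# Foreground launcher: OpenVPN re-executes this same file as the hook.
# script-security 2 is required before OpenVPN will run external scripts;
# remote-cert-tls server refuses a peer whose certificate was not issued for
# server use, so a leaked client cert cannot impersonate the home gateway.
start_tunnel() {
    exec openvpn --config "$CONF" \
        --script-security 2 \
        --up "$0" --down "$0" \
        --remote-cert-tls server
}

case ${script_type:-} in
    up)   tunnel_up ;;
    down) tunnel_down ;;
    *)    if [ "${1:-}" = start ]; then start_tunnel; fi ;;
esac
```

Because the same file is both launcher and hook, the resolver handling lives next to the tunnel it belongs to, and a tunnel that dies still runs the --down branch and hands the old resolv.conf back. Keeping the backup in a separate file rather than in memory is what makes that restore survive a crash of the launcher itself.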

The configuration wasn't too bad - I followed the HOWTO Quickstart pretty much by the letter by creating the keys, issuing them to clients then using their sample server and client config files. On OpenWRT, all I had to do was create an /etc/init.d/S50openvpn script to start OpenVPN on startup, then add the following firewall rules:
### OpenVPN traffic (goes in /etc/firewall.user; prerouting_wan, input_wan and forwarding_rule are the chains the stock OpenWRT firewall provides)
## -- Permit initial negotiation: the OpenVPN server listens on UDP 1194 on the WAN side.
## -- The nat-table ACCEPT keeps any port-forward rule in prerouting_wan from grabbing the port; the filter-table rule then lets the packets in.
iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables -A input_wan -p udp --dport 1194 -j ACCEPT
## -- Permit tun interfaces: "tun+" matches every tun device, so anything arriving from a
## -- VPN client may be forwarded to the LAN (or beyond it, if the box masquerades for the client).
## -- Add an -o match for the LAN interface if clients should reach the LAN only.
iptables -A forwarding_rule -i tun+ -j ACCEPT


Now I'm able to connect and browse at will. Not too shabby!

Amazing that you can build a VPN concentrator, WAP, firewall and management station for a little more than $50. Ultimately you end up with more usability than you could get with a $200 cheapo desktop.
