OpenVPN username/password authentication on DD-WRT

In this post I’ll be using DD-WRT build 23320 and an ASUS RT-AC66U router to set up two “always on” VPNs (using openvpn) using username / password authentication. This router supports all the new wifi protocols and in theory has over 1Gbps ability using dual band, also supports 2.4GHz and 5.0Ghz band communication. I’ve used it with DD-WRT without any stability issues for more than 6 months now.

DD-WRT is one of my favourite linux distros, it’s specially made to work on home routers, APs and small appliances. You may download it from: http://www.dd-wrt.com and make sure your equipment is supported by looking into the router database.

Apart from the regular home router needs DD-WRT also support a complete set of network functionality like:

  • FreeRadius
  • PPPoE Serverdd-wrt
  • VPN
  • USB (printing/mass storage)
  • NAS
  • Hotspot
  • SIP Proxy
  • Adblocking
  • Webserver
  • QOS

As I said, I’ll be talking about enhancing the standard functionality of openvpn in dd-wrt. OpenVPN is available on most of the DD-WRT appliances, nevertheless you can only have one vpn connected and it doesn’t support username/password authentication.

Let me describe the setup:asus

  1. Home at country A (localnet 192.168.17.0/27)
  2. Home at country B (localnet 192.168.18.0/27)
  3. External third-party net at country C (localnet 172.17.31.0/23)
  4. In order to see IPTV on country A I need to route all the IPTV network through openvpn server at country B
  5. I want to have full network access to networks on country B and C from country A
  6. I want to have full network access from country B to country A
  7. I don’t want access from country C on country A (or B but it’s not relevant for us)

What’s needed:

  1. DD-WRT enabled router (in this case ASUS RT-AC66U) with support for openvpn (mega version).
  2. OpenVPN endpoint* (in this examples we will be using 2 endpoints, one for country B and another to country C).
  3. User access to those endpoint (username/password/certificates).openvpn

* as an endpoint you may use anykind of applyance or custom-made openvpn solution, if you want to build it fast I’d recommend you Endian FW, Pfsense, or your own OpenVPN installation.

DD-WRT has a very nice graphical interface and we will use it to build our setup, before I configured the router thought the command line, storing all the config data in nvram with the commands:

nvram set _VAR1_=”config blabla”

nvram commit

and the created a startup script that would read all those variables and create the config files.

But as I said there’s a better way of doing it and that’s by using the startup option on the command menu that can be found under administration.

dd-wrt-header

We will create a unique script that will be read when the DD-WRT comes to live and startup our VPNs.

Just go to press edit under the startup place older.

You may insert the text bellow, I’ll describe what it does further on the post.

mkdir /tmp/openvpncl
cat > /tmp/openvpncl/myauth1.txt << EOF
MY_USER_NAME_GOES_HERE
MY_PASSWORD_GOES_HERE
EOF
cat > /tmp/openvpncl/myauth2.txt << EOF
MY_USER_NAME_GOES_HERE
MY_PASSWORD_GOES_HERE
EOF
chmod 500 /tmp/openvpncl/myauth1.txt
chmod 500 /tmp/openvpncl/myauth2.txt
cat > /tmp/openvpncl/route-up_1.sh << EOF
#!/bin/sh
route add -net 23.13.0.0/16 gw xxx.xxx.xxx.xxx #IPTV ROUTES
route add -net 80.24.178.0/23 gw xxx.xxx.xxx.xxx #IPTV ROUTES
route add -net 10.2.2.0/24 gw xxx.xxx.xxx.xxx #IPTV ROUTES
route add -net 10.22.0.0/16 gw xxx.xxx.xxx.xxx #IPTV ROUTES
EOF
cat > /tmp/openvpncl/route-up_2.sh << EOF
#!/bin/sh
route add -net 16.13.0.0/16 gw xxx.xxx.xxx.xxx #EXT NET ROUTES
route add -net 12.24.178.0/23 gw xxx.xxx.xxx.xxx #EXT NET ROUTES
route add -net 13.2.2.0/24 gw xxx.xxx.xxx.xxx #EXT NET ROUTES
route add -net 10.232.0.0/16 gw xxx.xxx.xxx.xxx #EXT NET ROUTES
EOF
chmod 500 /tmp/openvpncl/route-up_1.sh
chmod 500 /tmp/openvpncl/route-up_2.sh
cat > /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.conf << EOF
client
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.ca
auth-user-pass /tmp/openvpncl/myauth1.txt
script-security 2
dev tap1
cipher bf-cbc
auth sha1
remote CHANGE_TO_HOSTNAME_or_IP_1 1194
comp-lzo no
tls-client
tun-mtu 1500
mtu-disc yes
fast-io
EOF
cat > /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.conf << EOF
client
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.ca
auth-user-pass /tmp/openvpncl/myauth2.txt
script-security 2
dev tap2
cipher bf-cbc
auth sha1
remote CHANGE_TO_HOSTNAME_or_IP_2 1194
comp-lzo no
tls-client
tun-mtu 1500
mtu-disc yes
fast-io
EOF
cat > /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.ca << EOF
-----BEGIN CERTIFICATE-----
YOUR_CERTIFICATE_GOES_HERE__dasdadasdasdsasalzELMAkGA1UE
BhMCUFQx CzAJBgNVBAgTAkxYMQswCQYDVQQHEwJMWDEbMBkGA1UEChM
Sd3d3LmxpbnV4LWdl ZXguY29tMQswCQYDVQQLEwJJVDEeMBwGA1UEAx
MVd3d3LmxpbnV4LWdlZXguY29t IENBMSQwIgYJKoZIhvcNAQkBFhVwb
XNvbGl2ZWlyYUBnbWFpbC5jb20wHhcNMTAw MTE0MTk0NzE0WhcNMjUx
MTI1MTAyMTU0WjCBlzELMAkGA1UEBhMCUFQxCzAJBgNV BAgTAkxYMQs
wCQYDVQQHEwJMWDEbMBkGA1UEChMSd3d3LmxpbnV4LWdlZXguY29t MQ
swCQYDVQlfhoashoadasiodasiodqwenzczcpzocp4LWdlZXguY29tIE
NBMSQw IgYJKoZIhvcNAQkBFhVwbXNvbGl2zdsadsasdadsZWlyYUBnb
-----END CERTIFICATE-----
EOF
cat > /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.ca << EOF
-----BEGIN CERTIFICATE-----
YOUR_CERTIFICATE_GOES_HERE__dasdadasdasdsasalzELMAkGA1UE
BhMCUFQx CzAJBgNVBAgTAkxYMQswCQYDVQQHEwJMWDEbMBkGA1UEChM
Sd3d3LmxpbnV4LWdl ZXguY29tMQswCQYDVQQLEwJJVDEeMBwGA1UEAx
MVd3d3LmxpbnV4LWdlZXguY29t IENBMSQwIgYJKoZIhvcNAQkBFhVwb
XNvbGl2ZWlyYUBnbWFpbC5jb20wHhcNMTAw MTE0MTk0NzE0WhcNMjUx
MTI1MTAyMTU0WjCBlzELMAkGA1UEBhMCUFQxCzAJBgNV BAgTAkxYMQs
wCQYDVQQHEwJMWDEbMBkGA1UEChMSd3d3LmxpbnV4LWdlZXguY29t MQ
swCQYDVQlfhoashoadasiodasiodqwenzczcpzocp4LWdlZXguY29tIE
NBMSQw IgYJKoZIhvcNAQkBFhVwbXNvbGl2zdsadsasdadsZWlyYUBnb
-----END CERTIFICATE-----
EOF
chmod 700 /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.ca
chmod 700 /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.ca
sleep 5

(nohup openvpn –config /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.conf –route-up /tmp/openvpncl/route-up1.sh &) > /dev/null
(nohup openvpn –config /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.conf –route-up /tmp/openvpncl/route-up2.sh &) > /dev/null

If you know openvpn a bit deeper you may find odd that I’m not using LZO compression, this is done on purpose, LZO will limit the bandwidth available on the router because of cpu usage. In my case most of the traffic is already compressed (ssh, mp4, images, and so on). With LZO I would find my cpu near 100% with traffic around 25Mbps. So I prefer to disable it and compress the traffic between the endpoints at application level. This allows me to have 100Mbps+ throughput on the VPN link with this router + DD-WRT config.

You will have to edit the firewall place older on DD-WRT , once again press edit and insert the following:

iptables -I FORWARD 1 -i br0 -o tap1 -j ACCEPT
iptables -I FORWARD 2 -i tap1 -o br0 -j ACCEPT
iptables -I FORWARD 3 -i br0 -0 tap2 -j ACCEPT
iptables -I INPUT 1 -i tap1 -o br0 -j ACCEPT

The startup script is nothing more than a set of commands that will be run to create the configuration files on DD-WRT , please be advised that you will have the VPNs in plain text on the configuration, this may pose a security risk. Nevertheless it’s not less insecure than have the full configuration relaying on certificates as if someone is able to retrieve your data from  DD-WRT he will also be able to retrieve the certificates. If you really don’t want to have the password on plain text you won’t be able to fully automate the VPN startup process.

The iptables rules are need in order to allow access to the different networks, this is the most basic set of rules that will allow the configuration I proposed at the beginning. Finally please don’t forget to change the route-upX.sh scripts to match your needs.

Happy networking with DD-WRT!

Pedro Oliveira

 

TOR 0.4.17 for Redhat and it’s clones (CentOS, Scientific Linux, etc)

Hi!

Here is the new version of TOR rpm package, you may also install other mainstreams versions from EPEL, currently this one is the latest.

This package is for RHEL 6.4 and all it’s clones (CentOS, Scientific Linux, etc)

tor-0.2.4.17.rc-tor.0.rh6_4.x86_64

md5sum: 11bf2bf0e0185f85e9433d5c1b5ddeb8

scr code: https://www.torproject.org/dist/tor-0.2.4.17-rc.tar.gz

to install:

rpm -Uvh tor-0.2.4.17.rc-tor.0.rh6_4.x86_64

 

or

yum localinstall  tor-0.2.4.17.rc-tor.0.rh6_4.x86_64

 

Hope it helps,

Pedro Oliveira

Google Galaxy Nexus security flaw using face unlock

Hello everyone,

Today I was playing MW3 on my Playstation3 and I thought it would be nice to have the online players face somewhat showing on the screen, I was imagining how this could be done so I look for inspiration on my newest gadget the GALAXY NEXUS which just arrived a few days ago.

One of the functionalities I like the most is the face recognition feature and I use it from day one.

But first let me tell you what i think about the Galaxy Nexus, I’m so thrilled with it that i don’t see any negative spots yet, the one i can remember it’s also a positive thing and is it’s size.

Apart from that the screen is simply astonishing and the speed and easy to use make this phone a rock star, I know this isn’t an objective review on the mobile phone but this post is not intended to be a review.

On the other end there is a functionality that is also a very big security flaw – FACE UNLOCK.

Google warns you about face recognition not being the safest of methods to unlock your phone, but nevertheless you can pass the locking feature just by using any other photo of you.

I used my facebook.com photos to unlock the phone and I had about 80% success with a couple of face photos, nevertheless I didn’t succeed with the profile photo (maybe the resolution was too low, on the smaller picture). This trick took me less than a minute to accomplish.

It’s not an high tech hack, and it probably works if your phone is stolen or lost, but it won’t save you from your jealous girlfriend (or boyfriend), won’t save you from your dads or sons. In the end it’s way too easy for someone familiar with you to access your personal data if you use face unlock.

Maybe this could be fixed using the phone proximity sensor that could be used to determine the distance of the phone to the face (i was only successful using the phone about 10-15cm from the monitor), also recording the phone relative inclination with the face and finally by detecting any type of movement on the moment the face is being verified.

Despite one of the biggest innovations being a big “no go” at least in my opinion, I still love my Nexus.

That’s all folks,

Pedro Oliveira