Feb 052014
 February 5, 2014  Posted by at 2:20 pm documentation, networking, security, vpn Tagged with: , , ,  21 Responses »

OpenVPN Client/Server Implemenation

==== key signing ====
You can host the certificate authority on the vyos device itself. This is obviously not as secure as hosting it on a separate system. If someone was to get into the vyos they would have access to all your keys and would be able to sign new keys against the CA. Nonetheless, it is convenient and secure-enough for many sites. This is how it can be done.
From the VyOS, copy the easy-rsa directory into /config, where it won’t get lost on an upgrade.

cp -rv /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /config/easy-rsa2
vi /config/easy-rsa2/vars

edit the options at the bottom of /config/easy-rsa2/vars to personalize them. Increasing KEY_SIZE to 2048 is recommended. Also, you can increase the certificate authority and key expiration. These are the defaults:

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"

now load the variables

$ cd /config/easy-rsa2/
$ source ./vars

start fresh in case there is something old lingering around in there. This will delete all keys, etc.

$ ./clean-all

Build the certificate authority files

$ ./build-ca

Build the diffie-hellman key exchange

$ ./build-dh

Build the key for the server

$ ./build-key-server js-server

Copy the certs and keys into /config/auth

sudo cp /config/easy-rsa2/keys/ca.crt /config/auth/
sudo cp /config/easy-rsa2/keys/dh1024.pem /config/auth/
sudo cp /config/easy-rsa2/keys/js-server.key /config/auth/
sudo cp /config/easy-rsa2/keys/js-server.crt /config/auth/

Now you can build the key for the client and distribute to them
use ./build-key to generate a certificate that will connect to the vpn without a pass-phrase and ./build-key-pass if you want the user to enter a pass-phrase before connecting. ./build-key-pass is more secure in case someone steals your certificate and key they will still need to enter a password to connect.

$ ./build-key jimmy

answer all questions accordingly and be sure to answer yes to “Sign the certificate?” the “1 out of 1 certificate requests certified, commit?”
Now copy the keys and certs and create a config for Jimmy to remote in with. This is how I do it.
first make a directory for the client in /config/easy-rsa2/keys

cd /config/easy-rsa2/keys
mkdir jimmy
cp jimmy* jimmy/
cp ca.crt jimmy/

create a client config with your favorite text editor,

vi jimmy/jsvpnserver.ovpn

and add the following

proto udp
remote-cert-tls server
verb 2
dev tun0
cert jimmy.crt
key jimmy.key
ca ca.crt
remote [vpn-server host or ip] 1194

From your local computer download the config directory (jimmy) from the vpn server

$ scp -r vyos@ .

this copies the jimmy directory into the current directory on your computer (the period designates current directory). If your on MS Windows you will need to use cygwin or putty-scp to do this. Also, if using MS Windows you will need to run unix2dos on those files
from your computer where you downloaded the jimmy folder to.

unix2dos jimmy/*

I wrote a script to do all this for you -> http://jasonschaefer.com/stuff/easyrsa-user-setup-vyos.sh.txt

Setting up the OpenVPN Server

The server subnet needs to be a different subnet from your LAN. Set it to something unique that will be unlikely on any remote networks your clients will be on.
The “–push route” needs to be changed to the subnet on the LAN of the router. The one you will VPN in to reach.

set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet
set interfaces openvpn vtun0 server name-server
set interfaces openvpn vtun0 server domain-name jasonschaefer.com
set interfaces openvpn vtun0 server push-route
set service dns forwarding listen-on vtun0
set interfaces openvpn vtun0 tls cert-file /config/auth/js-server.crt
set interfaces openvpn vtun0 tls key-file /config/auth/js-server.key
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 tls dh-file /config/auth/dh1024.pem

#Set the firewall to allow openvpn through

set firewall name wan-local rule 40 action accept
set firewall name wan-local rule 40 destination port openvpn
set firewall name wan-local rule 40 protocol udp


Thats it! Your done!


basic instructions:

generate the passive key for head office from inside the easyrsa folder

source ./vars
./build-key-server site2site_server-passive
scp keys/site2site_server-passive.* user@vpn-server-passive-host:/config/auth/

#active key for branch office, this side initiates the vpn handshakes

./build-key site2site_active
scp keys/site2site_active.* user@vpn-server-active-host:/config/auth/

active site files in /config/auth/

passive site files in /config/auth/


#site to site openvpn

set interfaces openvpn vtun9
set interfaces openvpn vtun9 local-address 172.16.9.[1 | 2]
set interfaces openvpn vtun9 remote-address 172.16.9.[1 | 2]
set interfaces openvpn vtun9 remote-host [remote-vpn-host]

#standard openvpn port is 1194, best used for client/server mode. prevents ovpn config from needing port setting

set interfaces openvpn vtun9 local-port 1195
set interfaces openvpn vtun9 remote-port 1195
set interfaces openvpn vtun9 mode site-to-site
set interfaces openvpn vtun9 tls ca-cert-file /root/ca.crt
#the passive site cert/key needs to be signed as a server!
set interfaces openvpn vtun9 tls key-file /root/[passive.key | active.key ]
set interfaces openvpn vtun9 tls cert-file /root/[passive.crt | active.crt]
set interfaces openvpn vtun9 tls role [active | passive]
#dh1024.pem is required on passive host only!
set interfaces openvpn vtun9 tls dh-file /root/dh1024.pem

#open firewall for openvpn

set firewall name wan-local rule 20 action accept
set firewall name wan-local rule 20 destination port 1195
set firewall name wan-local rule 20 protocol tcp_udp

#set static routes to networks on other side of vpn, if any

set protocols static route next-hop 172.16.9.[1 | 2]
set protocols static route next-hop 172.16.9.[1 | 2]



How to reach your vpn server and avoid using a static ip. We will be using afraid.org to automatically update a hostname’s A record with the public ip of your Vyos VPN server.

You will need to register for an account at https://freedns.afraid.org. Then create a subdomain, for this example it will be myvpnserver.mooo.com. Go to the “Dynamic DNS” section and copy the “Direct URL”.

Create a script under /config/scripts on your Vyos.
vi /config/scripts/myvpnserver.mooo.com.sh

/usr/bin/curl -k [paste your direct url here]

Make it executable
chmod 755 /config/scripts/myvpnserver.mooo.com.sh

Now tell Vyos to run this with cron.
set system task-scheduler task dynamicDNS executable path /config/scripts/myvpnserver.mooo.com.sh
set system task-scheduler task dynamicDNS interval 15m



vyos@router:~$ cd /config/easy-rsa2/

vyos@router:/config/easy-rsa2$ ./revoke-full jimmy

Using configuration from /config/easy-rsa2/openssl.cnf
Revoking Certificate 0E.
Data Base Updated
Using configuration from /config/easy-rsa2/openssl.cnf
jimmy.crt: /C=US/ST=NM/L=SantaFe/O=Blah/CN=jimmy/emailAddress=jimmy@localhost.local
error 23 at 0 depth lookup:certificate revoked

The error 23 at 0 … is normal and expected.

Now copy the updated CRL (certificate revocation list) to /config/auth
vyos@router:/config/easy-rsa2$ cp keys/crl.pem /config/auth/

If this is the first revocation you need to add it to the config as well:

vyos@router:~$ configure
vyos@router# set interfaces openvpn vtun0 tls crl-file /config/auth/crl.pem
vyos@router# save; commit; exit
Saving configuration to ‘/config/config.boot’…
No configuration changes to commit



You can verify the revoked keys with the openssl command
vyos@router:~$ openssl crl -in /config/auth/crl.pem -text

Revoked Certificates:
    Serial Number: 08
        Revocation Date: Jan 30 00:19:24 2016 GMT
    Serial Number: 0E
        Revocation Date: Jul 13 22:51:50 2016 GMT

In the above example keys 08 and 0E have been revoked
vyos@router:~$ cat /config/easy-rsa2/keys/index.txt

V	230804225528Z		        02	unknown	/C=US/ST=NM/L=SantaFe/O=SITC/CN=jason/emailAddress=jason@local
R	230806213443Z	160130001924Z	08	unknown	/C=US/ST=NM/L=SantaFe/O=Blah/CN=john/emailAddress=john@localhost
R	260711225142Z	160713225150Z	0E	unknown	/C=US/ST=NM/L=SantaFe/O=Blah/CN=jimmy/emailAddress=jimmy@localhost.local

From this file index.txt, you can ascertain which serial numbers belong to which users!

Jul 072013
 July 7, 2013  Posted by at 12:54 pm firewall, networking, Tutorial, wireless Tagged with: , ,  7 Responses »

In this scenario we will be implementing a openWRT as a wireless access point only. One wireless essid will be LAN accessible and the other will be segregated from the LAN but able to access the WAN. The openWRT in this example will not be the gateway to the network. Another device is the gateway and there is an existing dhcp server.

                            PUBLIC wifi
                     public gateway and dhcp server
                   Source NAT to
ISP <-Gateway-> LAN wired <-openWRT-> 
                           LAN wifi (wpa2+aes)

1. Add a new wireless access point


2. Settings for the new wireless access point. Create a new network interface of “public”. Don’t use any encryption, as this is for general public use.


3. Edit network interface for the public network


4. Edit PUBLIC interface settings. Set to static address and enable DHCP server for this new network.


5. Edit the LAN interface. Set the lan interface to an un-used ip of the existing network. Don’t set to “dhcp client” as you will lose connectivity and need to perform a recovery on your openwrt device. Be sure to disabled the DHCP server as the existing network already has one.


6. Add a new zone and call it “public_zone”. Masquarade it and put it in the public network. Allow forwarding to and from “lan” zone. We will limit this later with specific firewall rules.


7. This is what the general firewall zones should look like


8. Under the Firewall -> Traffic Rules section add a new Source NAT Rule. Call it “pub2lan“. Set the “Source zone” to “public_zone” and the “Destination zone” to “lan” and set the drop down option “To source IP” to br-lan interface, in this example its Leave “To source port” blank. This SNAT rule will translate all traffic on the public wireless network of into the IP of This is the redirect rule from /etc/config/firewall

config redirect
option target 'SNAT'
option src 'public_zone'
option dest 'lan'
option proto 'all'
option name 'pub2lan'
option src_dip ''
option enabled '1'

9. Setup a “New forward rule:” Set name to allow2gw or similar. Source zone to “public_zone” Destination zone to “lan” Click “Add and edit…” Protocols should be “Any”, Destination address is the gateway of the network. In this case The following is the /etc/config/firewall rule for reference. This will allow traffic from the public_zone to reach the gateway of the network.


config rule
option target 'ACCEPT'
option proto 'all'
option name 'allow2gw'
option src 'public_zone'
option dest 'lan'
option dest_ip ''

10. Setup a “New forward rule”. Set the name to drop2lan or similar. Set the Source zone to “public_zone” and Destination zone to “lan”. Click “Add and edit…” Set Protocol to “Any”, Destination address to custom and enter the subnet of the LAN. In this case its, set “Action” to “drop”. You can add more rules like this one to limit access to other networks or hosts as needed.


config rule
option name 'drop2lan'
option src 'public_zone'
option proto 'all'
option target 'DROP'
option dest 'lan'
option dest_ip ''


11. Firewall Traffic Rule overview. There is an error on this view. The following rules have “option proto ‘all'” set and the luci web interface shows “Any TCP+UDP”. This is simply a bug in the luci interface and can be ignored. The order of these rules is very important. In this case you can see we added the “Allow to” before the “Drop to”. If reversed, the lan including the gateway would not be accessible from the public wireless AP. Therefore, you would not be able to reach the Internet.


May 232013
 May 23, 2013  Posted by at 10:59 am firewall, networking, wireless Tagged with: , ,  No Responses »

In this post I will outline how to use zones to create public firewalled networks. A device that can bring up multiple interfaces per radio is very attractive here. One essid for private wireless and another for open public wireless. The Atheros ath9k chipsets are very well supported in this regard because they are free software.
This post is different than my older post where we have a private LAN behind our WAN interface that we need to protect… In this scenario we have our ISP connected directly to the openWRT WAN port and we need to bring up a public wireless that is segregated from the LAN. Like so:

                                         "public wifi"
ISP <-openWRT fw-> LAN <-public_zone-> PUBLIC
                 "private LAN wifi"

Obviously the zone can be utilized however you like. Another common option would be to firewall a open wireless network from the LAN. And forgo the insecure nature of a “secured” wireless altogether. The OpenWRT could be running openvpn, that you connect to over the “insecure” wireless, now thats secure!

The following steps are done via the web interface (luci).

1. Start by adding a new wireless interface. In this case to the 5ghz radio. You can do this again for the 2.4ghz radio. wireless 1. add

2. Set the essid and network name “public”. This will allow us to use firewall zones to segregate the networks, rather than excluding individual rfc1918 subnets like in the first example.wireless 2. new wifi settings


3. Edit the interface “PUBLIC” so that we can set it as a static ip.wireless 3. edit interface

4. Change the protocol to “static address” set a ip for it and a subnet. DO NOT set a gateway. This will write a new default gateway to the routing table and cause the internet to break occasionally. Setup a dhcp server for this network.wireless 4. public interface

5. In the firewall section. Setup a zone called something like “public_zone” and assign it to the “public” network. And allow it to forward to “WAN” zone.wireless 5. firewall zone

6. This is what the general firewall zone’s should look like now.wireless 6. general firewall zone

Be sure to test it. Connect to the public and try and nmap a known host on the private and vice versa. A few times I have needed to reboot the router for everything to start working properly. It could be because I tinkered too much and caused a hickup. Just something to keep in mind..


Oct 132009
 October 13, 2009  Posted by at 2:25 pm documentation, networking, wireless Tagged with: , , , , , , ,  No Responses »

start -> run -> regedit
make a backup, if you want.


look through the list of subkeys (0000, 0001, etc)
DriverDesc keyword will tell you which network adapter. For example, “NVIDIA nForce Networking Controller”
when you find it, right click and add -> new -> string value

new keyword:

Value Name: = NetworkAddress
Value Data: = your new MAC, with no space or : For example, 0019DB71C830

then type:

ipconfig /release
ipconfig /renew
ipconfig /all   (to verify the new mac took)

Now your a l33t Winblows H4|<3r! If you want to go back to your hardware MAC, remove the NetworkAddress key and restart the interface. FYI, in gnu/linux follow these simple steps to change your MAC address

ifconfig eth0 hw ether 00:19:DB:71:C8:30

if you get this error

SIOCSIFHWADDR: Device or resource busy - you may need to down the interface

do this

ifconfig eth0 down

and try to change the MAC again.