HOWTO: MBL as OpenVPN server

Hi,

as promised I have made a script to install OpenVPN as a server and let you easily create Windows, Mac and Linux clients from it.

This script installs all the right software, preps the server config (after asking questions) and then you can generate keys, install.

Assumed knowledge/software:

You need to be familiar with SSHing into your My Book Live and running basic shell commands.

You need to be able to apt-get install stuff (there is probably another howto for this).

Networking and VPN concepts are also a pre-requisite. Don’t do this if you don’t know what you are doing.

You need to understand how openvpn works and how to do a port forward on your router.

Sample Diagram of the setup here:

http://www.lucidchart.com/publicSegments/view/4f9ab640-b5e8-4ad9-8ad0-6dd80a02c999/image.png

You can download the package script here:

http://dl.dropbox.com/u/5627587/mbl/openvpn-server-wdlive-0.1.tar.gz

Or ssh into your MBL and wget like so:

wget http://dl.dropbox.com/u/5627587/mbl/openvpn-server-wdlive-0.1.tar.gz

then extract it and run ./install.sh:

tar zxvf openvpn-server-wdlive-0.1.tar.gz

cd openvpn-server-wdlive-0.1

./install.sh

Please answer the questions carefully. If you make a mistake, try CTRL+C and run ./install.sh again.

Once it's installed and it says the server restarted successfully, you can generate a certificate with the ‘ovs’ command.

ovs help will help you.

ovs build-windows-client

will build a zip file with a config file and a cert file you can drop into the config directory on Windows.

Likewise for Mac and Linux (you can use the Mac one

ovs build-mac-client

Then you can connect and browse as per the network diagram.

ovs status will show you who is connected and their current throughput (uses ifstat).

This is really quick and dirty and I have done some basic testing. Don’t blame me if it breaks your stuff.

Happy to answer any questions.

Enjoy strongly encrypted remote connections to your My Book Live.

And yes, as long as you port forward 1194 UDP only, this should be rock solid in terms of security.

I would have used a 2048-bit DH params key, but it would take nearly 20 mins to generate on this hardware.


Hi!

Thanks a lot for this installation script.

All works fine except using ‘ovs status’: ‘/usr/share/openvpn-server/scripts/status: line 25: ifstat: command not found’

I saw during install that ifstat wasn’t installed correctly.

openvpn-server-wdlive-0.1/
openvpn-server-wdlive-0.1/install.sh
openvpn-server-wdlive-0.1/bin/
openvpn-server-wdlive-0.1/bin/ovs
openvpn-server-wdlive-0.1/config-templates/
openvpn-server-wdlive-0.1/config-templates/ovpn-client.conf
openvpn-server-wdlive-0.1/config-templates/openssl.cnf
openvpn-server-wdlive-0.1/init-server-config.sh
openvpn-server-wdlive-0.1/scripts/
openvpn-server-wdlive-0.1/scripts/help
openvpn-server-wdlive-0.1/scripts/build-windows-client
openvpn-server-wdlive-0.1/scripts/build-mac-client
openvpn-server-wdlive-0.1/scripts/functions.sh
openvpn-server-wdlive-0.1/scripts/build-ddwrt-client
openvpn-server-wdlive-0.1/scripts/revoke-cert
openvpn-server-wdlive-0.1/scripts/status
ByteServer:~# cd openvpn-server-wdlive-0.1
ByteServer:~/openvpn-server-wdlive-0.1# ./install.sh
Reading package lists... Done
Building dependency tree
Reading state information... Done
zip is already the newest version.
openvpn is already the newest version.
openvpn set to manually installed.
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
  ifstat: Depends: libsnmp15 (>= 5.4.1~dfsg) but it is not going to be installed
E: Broken packages
Setting up server config. Please answer the questions correctly.
This is a very rough script, so tread carefully

Trying to install ifstat manually gives me the same error.

I’m really new to Linux and it would be nice to get help with this.

And another thing: how to start and stop the OpenVPN server service via script would be nice to know, too! :wink:

And last, to change the subnet of the OpenVPN subnet, is it just a matter of changing ‘/var/lib/openvpn-server/openvpn/ifconfig-pool.txt’ and ‘/etc/openvpn/xxx-server.conf’?

Thank you for your efforts!

Hi Knapster.

To change the subnet you change the ‘server’ line in /etc/openvpn/yourorg-server.conf,

where yourorg is the name you chose during install.

But you may be barking up the wrong tree - only change the server subnet if it conflicts with your own. OpenVPN is not trying to hand out IPs on your LAN; it has a separate subnet for VPN clients.

If you want to enable VPN clients to get to machines other than your NAS on your LAN, you need to enable ip forwarding, which you can do in the OpenVPN config, add this line:

up " echo 1 > /proc/sys/net/ipv4/ip_forward"

which will turn your WDlive into a router, and route traffic between the tun interface and the eth0 interface. Then you need to ALSO add a route back to the VPN subnet on your router. Many routers can do this. It's called adding a static route, and the route format in English will be:

The VPN subnet (e.g. 172.22.6.0 netmask 255.255.255.0) is out the IP of the NAS (e.g. 192.168.0.240).

Adding a route back over the LAN will be different for different routers, and some can't even do it, but it's the best way.

Oh, and then to apply any changes you make to the config file:

‘/etc/init.d/openvpn restart’

works just fine. 

As for ifstat, like I said, the pre-requisite was that you could apt-get install stuff, but to help you out: I enabled it by editing /etc/apt/sources.list and uncommenting this line so it only contains this:

deb http://ftp.us.debian.org/debian/ squeeze main

(‘#’ is a comment in most Linux config files.)

Then do ‘apt-get update’, and then you can ‘apt-get install ifstat’.

Now you can apt-get install all sorts of dangerous stuff, so tread carefully. Dangerous in the sense it will conflict with the WD customisations, and break everything.
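As an added illustration (not part of the install script or of the post above), a small Python check for the two points made here: it reads the ‘server’ line from the server config, flags an overlap between the VPN pool and your LAN subnet, confirms the ip_forward ‘up’ line is present, and spells out the static route to add on the router. The config text, LAN subnet and NAS address are constructed sample values.

```python
import ipaddress
import re

# Constructed sample of /etc/openvpn/yourorg-server.conf (not the script's real output)
SAMPLE_CONF = """\
port 1194
proto udp
dev tun
server 172.22.6.0 255.255.255.0
up "echo 1 > /proc/sys/net/ipv4/ip_forward"
"""

def vpn_subnet(conf_text):
    """Return the client pool from the 'server <network> <netmask>' line."""
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "server":
            return ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=True)
    raise ValueError("no 'server' line found in config")

def forwarding_enabled(conf_text):
    """True if an 'up' directive writes 1 to /proc/sys/net/ipv4/ip_forward."""
    pat = re.compile(r'^\s*up\s+"?\s*echo\s+1\s*>\s*/proc/sys/net/ipv4/ip_forward')
    return any(pat.match(line) for line in conf_text.splitlines())

def check_setup(conf_text, lan_cidr, nas_ip):
    """Check VPN/LAN overlap and forwarding; return the router static route to add."""
    vpn = vpn_subnet(conf_text)
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    nas = ipaddress.ip_address(nas_ip)
    problems = []
    if vpn.overlaps(lan):
        problems.append(f"VPN subnet {vpn} overlaps LAN {lan}: change the 'server' line")
    if nas not in lan:
        problems.append(f"NAS address {nas} is not inside LAN {lan}")
    if not forwarding_enabled(conf_text):
        problems.append("no 'up' line enabling ip_forward: clients reach only the NAS")
    # Route to enter on the home router: VPN subnet via the NAS's LAN address
    route = f"{vpn.network_address} netmask {vpn.netmask} via {nas}"
    return {"vpn": str(vpn), "router_static_route": route, "problems": problems}

if __name__ == "__main__":
    result = check_setup(SAMPLE_CONF, "192.168.0.0/24", "192.168.0.240")
    print(result["router_static_route"])
    for p in result["problems"]:
        print("PROBLEM:", p)
```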

Thanx!

That fixed it!

My sources.list looked like this:

deb http://archive.debian.org/debian-archive/debian/ lenny main contrib non-free
deb-src http://archive.debian.org/debian-archive/debian/ lenny main contrib non-free
deb http://archive.debian.org/debian-archive/debian-security/ lenny/updates main 
deb-src http://archive.debian.org/debian-archive/debian-security/ lenny/updates main
#deb http://ftp.us.debian.org/debian/ squeeze main
#deb http://ftp.us.debian.org/debian/ sid main
#deb http://ftp.us.debian.org/debian/ experimental main

I tried it before uncommenting the squeeze line, but it did not work.

Commenting out all the other archive repositories and only having the squeeze one active did the fix, nice!

THX!

No worries.

Let me know how it goes and if it works well for you. Particularly interested in a speedtest.

I’m hesitant about making any alterations… If you read back in past messages, when “squeeze” stuff is used then things go wrong within the MBL.

You don’t need to install any packages to make it work. Just ignore any errors from apt-get, and one part of ‘ovs status’ won’t work.

The primary dependencies are openssl and openvpn (and various shell utilities), which should already be installed.