I have recently stumbled upon SmoothWall Express 3.0 SP1. I am getting downright giddy thinking about all the neat things I can do at home with this thing.
SmoothWall Express is a stand-alone, open-source firewall project. It has a large, active community full of helpful people. Some of these helpful people create mods to extend the functionality such as the ultra useful Full Firewall Control mod.
In my experiments I was able to build a very tiny box with two NICs, little RAM (256MB), a spare Pentium 4 I had lying around, and a 2GB Compact Flash card as the local storage. This poor excuse for a machine was able to stand up to some pretty heavy traffic (without ever passing 0.25 load, mind you), including a few test torrents totaling over 1,000 connected peers.
My ultimate goal is the separation of all traffic according to use. I might have one public, outward-facing interface for the Internet connection and three inward-facing interfaces for the local traffic (private wired, private wireless, and an internal DMZ). I also plan to build a beefy VMware ESXi box so I can sandbox each of my services (VPN, web, SQL, e-mail, etc.) and do nearly all of the networking within virtual hardware.
After one week of struggle, headache, and a very patient girlfriend I have OpenVPN running in a bridged configuration! What follows are the steps I took (minus the blood, sweat, and tears):
- Read the OpenVPN HOWTO! Nothing will replace the knowledge of how this beast works.
- Bridge your OpenVPN virtual network adapter with your local LAN-side adapter. Make sure to set your bridge adapter's network information (IP, netmask, etc.) to what your local LAN adapter was set to. For Windows, I did come across a decent guide with images in my travels.
- Generate the certificates. Do not forget to generate the Diffie-Hellman parameters, as this was a small road block for me. (I am just going to link this one since this step is easy and is explained very well in the HOWTO.) Copy the ca.crt, client1.crt, and client1.key files to your clients. It is also a good idea to read the section on Hardening OpenVPN Security and to generate a ta.key.
- Create your configuration files using the samples as a base, making sure to use your new bridge adapter's IP and netmask as your server configuration's IP and netmask. These samples are also included in the OpenVPN distribution. (I am including my working configurations below.)
- Fire up the server and then the client.
- Read the OpenVPN HOWTO!
Server configuration:

```
server-bridge [Server IP] [Server Netmask] [OpenVPN DHCP Range Start] [OpenVPN DHCP Range End]
keepalive 10 120
tls-auth ta.key 0
```

Client configuration:

```
remote [VPN IP] [VPN Port]
tls-remote [Server Common Name]
tls-auth ta.key 1
```
- All my testing was done with OpenVPN v2.1.1.
- A bridge configuration will give your VPN clients IPs on your local LAN. Make sure you choose a free range of IPs that does not conflict with anything (including an existing DHCP server).
- Make sure to disable any firewalls on the bridged adapter if you can. If that is a problem (say your bridged adapter is plugged directly into a WAN connection), you will need to experiment, since I did not have to go that far in my setup.
- I have done most of my testing on Windows XP Professional SP3 and Ubuntu 9.10. These configurations should work for any supported platform.
- I have chosen to allow OpenVPN to dish out the IPs instead of my local DHCP server. The reason for this is that some clients will not allow this functionality, depending on the client OS. Since I was already using most of my IPs for DHCP, I just lowered the number of available DHCP addresses and set OpenVPN to use those as it wished.
- Some versions of Windows have an issue bridging the adapter properly. It will say it worked but there is still another step you need to take. Check out this article for more information.
- If you are unfamiliar with networking and subnetting Wikipedia may be a good place to start.
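As an added check that is not part of the original post, here is a short Python script that validates the address plan behind the server-bridge line before you write it: the VPN pool must sit inside the bridge adapter's subnet, must not contain the bridge's own IP, and must not overlap the LAN DHCP server's pool. All addresses below are constructed for a home /24.

```python
# Added example (not from the original post): sanity-check the address plan
# for a bridged OpenVPN server and build the server-bridge line from it.
# The LAN, bridge IP and DHCP pool used in example() are constructed values.
import ipaddress


def plan_server_bridge(bridge_ip, netmask, pool_start, pool_end, lan_dhcp=None):
    """Return the 'server-bridge' line for the server config, or raise ValueError.

    bridge_ip/netmask: what the bridge adapter on the LAN side was given.
    pool_start/pool_end: addresses OpenVPN may hand to VPN clients.
    lan_dhcp: optional (start, end) of the LAN's own DHCP server pool;
              the two pools must not overlap or clients will collide.
    """
    net = ipaddress.ip_network(f"{bridge_ip}/{netmask}", strict=False)
    server = ipaddress.ip_address(bridge_ip)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if start > end:
        raise ValueError("pool start is after pool end")
    for addr in (start, end):
        if addr not in net:
            raise ValueError(f"{addr} is not inside the bridge subnet {net}")
        if addr in (net.network_address, net.broadcast_address):
            raise ValueError(f"{addr} is the network or broadcast address")
    if start <= server <= end:
        raise ValueError("the bridge adapter's own IP falls inside the VPN pool")
    if lan_dhcp is not None:
        d_start, d_end = (ipaddress.ip_address(a) for a in lan_dhcp)
        if start <= d_end and d_start <= end:
            raise ValueError(f"VPN pool overlaps LAN DHCP pool {d_start}-{d_end}")
    return f"server-bridge {server} {net.netmask} {start} {end}"


def example():
    """Constructed LAN: router DHCP shrunk to .100-.149 so .150-.199 is free for VPN."""
    return plan_server_bridge("192.168.1.2", "255.255.255.0",
                              "192.168.1.150", "192.168.1.199",
                              lan_dhcp=("192.168.1.100", "192.168.1.149"))


if __name__ == "__main__":
    print(example())
```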
With the OpenVPN HOWTO and this information you should be able to avoid the headache I went through.
I would very, very, very much like to thank #openvpn on the freenode IRC servers! Without them I would still be at this thing. You guys helped me so much and I appreciate it so much.
I have done a lot of experimentation since I originally wrote this. I have updated this article with my current configs.
I recently purchased a Synology DS409 (more on that another time). This has prompted me to restart work on something I have wanted to do since I moved into my apartment three years ago: build an infrastructure to house my e-mail, web, various media, and other content all in one place, all under my direct control. I also want these technologies to allow me to access everything as if I were home. This is not a difficult goal to accomplish (given the right equipment), but it does require a number of moving parts that all need to work together. For example, the DS409 will now contain the web root for my web server, which will run on a separate box. This not only unifies everything but also allows for RAID protection and backup of a single entity instead of worrying about monitoring several scripts on several boxes.
The following are the products/projects I am looking to employ:
- Synology (DS409): For a while I was looking at Openfiler, but the Synology OS offers more functionality for roughly the same price, plus free, fast tech support if needed.
- Linux (Ubuntu): This will be the platform most services will run on. It is efficient with its resources and has a huge, active community.
- OpenVPN: This will provide direct access to everything while I am away, as if I were home.
- TrueCrypt: For data at rest that requires absolute secrecy.
- Apache 2.2 + PHP 5: Between the various Apache web servers and PHP I have gotten so much work done these are now staples in my environment.
- MySQL and SQLite: My tried and true database software for nearly as long as I have been working with SQL.
- Orb: An oddity in the Microsoft world, this server will stream my media to nearly any device while dynamically adjusting its bandwidth usage.
Most of these are open-source and free.