FEEDNET

Forth Estuary Experimental Data Network



Most of what can be achieved via FEEDNET is courtesy of open source software. The sheer hard work, altruism and inventiveness of all open source authors is gratefully acknowledged here.

VPN.

VPN, or Virtual Private Network, allows us to establish a connection to FEEDNET via the public internet. In other words, imagine that you are at a location where you have no RF link into FEEDNET but still want to make use of its facilities and communicate with others on FEEDNET. You can either connect your PC to the VPN over the internet, or plug a VPN-programmed router into your home internet router to give you a panel of LAN sockets that provide direct access to FEEDNET. When you plug any device into one of these sockets it is as if you were plugging it directly into the back of a genuine FEEDNET node. Use this technique to access the applications with a PC, tablet or mobile telephone, or plug in something like a Cisco IP telephone. The diagram below represents this situation.

What do you need to do this?

A VPN account needs to be set up for you on FEEDNET. Associated with this account is a set of digital certificates which are used for security purposes (under normal circumstances we don't want non-licensed individuals to gain access to FEEDNET).

How to connect via your PC

Install the OpenVPN software on your PC or smartphone and put the digital certificates in a specific directory, together with an OpenVPN .ovpn configuration file. All of these will be sent to you by the VPN administrator. Then click on Connect.

How to connect via a VPN router

Plug the VPN router's WAN port into a spare LAN port of your home network and switch on. After 60 seconds any device plugged into the VPN router will pick up an IP address as if it were on FEEDNET, and it will then communicate as if it were connected directly to a mesh node. An ideal VPN router is the Belkin F7D3302v1, which is available on the internet for around 14. It will need to be flashed with new firmware.

 

Configuring the VPN - Server Side


The following openvpn.conf works well for us. We use public key infrastructure (certificate-based) authentication. Tailor it to your needs.


ifconfig-pool-persist ipp.txt

# address of vpn server
local 10.224.69.46
script-security 2
dev tun
proto udp
port 1194

# The server certificates and key
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
user nobody
group nogroup

# We have to decide on a VPN subnet.
server 192.168.8.0 255.255.255.0

# We must provide a route for the vpn clients
route 192.168.96.0 255.255.240.0

# We are using client routers that have subnets
# behind them to connect multiple hosts to the VPN.
client-config-dir /etc/openvpn/ccd

# make sure all clients know that any
# address beginning with 10 is the mesh
push "route 10.0.0.0 255.0.0.0"

# Make sure that the clients use DNS on the nearest
# local node so that node names can be used in place of IP addresses
push "dhcp-option DNS 10.224.69.33"

# Override the client default gateway (all client traffic then goes via the VPN)
push "redirect-gateway def1"

push "dhcp-option DOMAIN local.mesh"
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
log-append /var/log/openvpn
keepalive 3 30
# BF-CBC is a legacy 64-bit-block cipher; current OpenVPN releases default to AES-GCM
cipher BF-CBC
comp-lzo

In a separate directory (the client-config-dir named above, /etc/openvpn/ccd), create a file for each client certificate's common name. It should contain an iroute line giving the subnet used for the multiple hosts behind that client's NAT VPN router. This is not needed for a client that is just a single host, e.g. a PC.


iroute 192.168.103.0 255.255.255.0


Use easy-rsa to generate the PKI; a detailed HOWTO is on the OpenVPN site.

 

 

Configuring the VPN - Mesh Node Changes

 (only for VPN admin, not required by VPN users).

Your OpenVPN server will be attached to a mesh node LAN port. This mesh node will be the route to and from the rest of the mesh network. You will need to add the following entry to the Hna4 section of /etc/config.mesh/olsrd.conf. This will advertise these routes to all other nodes.


Hna4
{
# Internet gateway
# 0.0.0.0 0.0.0.0
# specific small networks reachable through this node
# 15.15.0.0 255.255.255.0
192.168.8.0 255.255.255.0
192.168.7.0 255.255.255.0
192.168.96.0 255.255.240.0
}
 

Here 192.168.8.0/24 is the VPN subnet and 192.168.96.0/20 is the range of client subnets sitting behind the NATted remote routers that are attached to the VPN.
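As an added consistency check (example code, not part of FEEDNET's own setup) covering both the server-side openvpn.conf with its ccd iroute files above and the Hna4 block just shown: the script parses constructed copies of the three files and reports any client iroute that falls outside the server's route block or collides with another client or the VPN pool, and any tunnel-side subnet that is not advertised to the mesh. The file contents and station names are constructed for illustration from the values on this page.

```python
# Added example (not FEEDNET's own code): cross-check the openvpn.conf 'server'/'route'
# lines, the per-client ccd iroute files and the olsrd Hna4 block for consistency.
import ipaddress
import re

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_server(conf):
    """(vpn_pool, routed_subnets) from the server/route lines of openvpn.conf."""
    found = re.findall(r"^\s*(server|route)\s+(\S+)\s+(\S+)", conf, re.M)
    pool = next(_net(a, m) for k, a, m in found if k == "server")
    return pool, [_net(a, m) for k, a, m in found if k == "route"]

def parse_ccd(ccd):  # ccd maps common name -> ccd file text
    hits = {cn: re.search(r"^\s*iroute\s+(\S+)\s+(\S+)", t, re.M) for cn, t in ccd.items()}
    return {cn: _net(*m.groups()) for cn, m in hits.items() if m}

def parse_hna4(olsrd):  # uncommented networks inside Hna4 { ... }
    body = re.search(r"Hna4\s*\{(.*?)\}", olsrd, re.S).group(1)
    rows = [ln.split("#")[0].split() for ln in body.splitlines()]
    return [_net(*r) for r in rows if len(r) == 2]

def check(server_conf, ccd, olsrd_conf):
    """Return a list of problems; an empty list means the three files agree."""
    pool, routes = parse_server(server_conf)
    iroutes, hna, problems = parse_ccd(ccd), parse_hna4(olsrd_conf), []
    for cn, net in iroutes.items():
        if not any(net.subnet_of(r) for r in routes):
            problems.append(f"{cn}: iroute {net} has no matching 'route'")
        if net.overlaps(pool):
            problems.append(f"{cn}: iroute {net} overlaps VPN pool {pool}")
    cns = sorted(iroutes)
    for i, a in enumerate(cns):
        for b in cns[i + 1:]:
            if iroutes[a].overlaps(iroutes[b]):
                problems.append(f"{a}/{b}: {iroutes[a]} overlaps {iroutes[b]}")
    for net in [pool] + routes:  # the mesh must be told how to reach the tunnel
        if not any(net.subnet_of(h) for h in hna):
            problems.append(f"{net} is not advertised in Hna4")
    return problems

# Constructed sample using this page's values, plus two deliberate mistakes.
SERVER = "server 192.168.8.0 255.255.255.0\nroute 192.168.96.0 255.255.240.0\n"
CCD = {"station1": "iroute 192.168.103.0 255.255.255.0\n",
       "station2": "iroute 192.168.103.0 255.255.255.0\n",  # same subnet as station1
       "station3": "iroute 192.168.200.0 255.255.255.0\n"}  # outside the routed /20
OLSRD = "Hna4\n{\n# 0.0.0.0 0.0.0.0\n192.168.8.0 255.255.255.0\n192.168.96.0 255.255.240.0\n}\n"
```

Running check(SERVER, CCD, OLSRD) flags the duplicated station1/station2 subnet and station3's subnet outside 192.168.96.0/20, while the Hna4 block passes.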

Strangely, in the author's experience, this does not inform the gateway node itself of these routes, so this mesh node will also require manual routes to be added. I have done this by creating a file in the /etc/rc.d directory called S70vpnrouteadd containing:


route add -net 192.168.8.0 netmask 255.255.255.0 gw 10.224.69.46
route add -net 192.168.96.0 netmask 255.255.240.0 gw 10.224.69.46
 

In order to provide DNS service from this node to all hosts on the VPN subnets, a hole needs to be punched in the mesh node firewall. Edit /etc/config.mesh/user.firewall and add the following lines:

 
iptables -A input_wan -s 192.168.8.0/24 -j ACCEPT
iptables -A input_wan -s 192.168.96.0/20 -j ACCEPT


The author also added a firewall rule to prevent access to a particular machine on the same subnet as the mesh node, since it does not need to accept incoming connections from the mesh network. This has nothing to do with the VPN config, but readers might be interested to see the rule anyway.

iptables -I FORWARD -m state --state NEW -d 10.224.69.42 -j DROP

Other rules added relate to port forwarding; the author prefers to do this by means of entries in firewall.conf rather than the web browser facility, which in previous firmware versions did not work too well.

Note: after making any of the config changes described above, the easiest way to apply them is to go to the SETUP section of the web management tool, click on Save Changes, then reboot.

 

Configuring the VPN on a DD-WRT Router.

You'll need the DDWRT-VPN, BIG or MEGA version. You usually need to flash your router first with the mini version that has the correct headers for your model of router, then upgrade DD-WRT to the larger version from there.

 

Version for client access to a WiFi AP on the Internet. Firmware: DD-WRT v24-SP2 (03/25/13) big

Setup ->

 Basic Setup

WAN Connection Type ->  Automatic DHCP

Router Name -> It's up to you!

Hostname -> Up to you again - it really doesn't matter.

MTU - Auto

STP -> Disable

Network Setup (LAN)

Local IP -> Your choice, but it's important to consider this - see the section on the addressing scheme below.

Subnet Mask -> ditto

Gateway -> This will be the same as the LAN IP address

Local DNS -> ditto

WAN Port -> I usually assign it to the switch in this WiFi bridge configuration. This will be different in other configurations.

DHCP Type -> DHCP Server

Max DHCP Users -> 50 should be enough

Client Lease Time -> I usually just leave at the default 1440 min

All the DNS server settings left to default 0.0.0.0

WINS -> default 0.0.0.0

Use DNSMasq for DHCP -> ticked

Use DNSMasq for DNS -> ticked

DHCP Authoritative -> not ticked

NTP client -> enable

Time Zone -> IMPORTANT - get this right. Wrong time settings will cause VPN authorisation problems, because certificate validity dates are checked against the router's clock.

Other settings on page are default.

Advanced Routing

Operating Mode -> Gateway

Everything else default

Wireless

Basic Settings

Wireless Mode -> Client

Network Mode -> Mixed

Network Name -> the same as the network you want to connect to

Network Configuration -> Bridged

Everything else default.

Wireless Security

Security Mode and other settings -> To suit the wifi network you are connecting to.

Services

Services

DNSMasq -> enabled

Local DNS -> Enabled

No DNS rebind -> Enabled

Additional DNS Masq options

dhcp-option=6,10.224.69.33 (LAN address of the node that the VPN server is connected to)

dhcp-option=150,10.224.69.46 (LAN address of the TFTP server used for configuring Cisco VoIP telephones)

 

Everything else default.

VPN

OpenVPN client -> Enable

Server IP/Name -> Public IP address of the VPN server or its DNS name.

Port -> Port number of public facing VPN server, normally 1194

Tunnel Device -> TUN

Tunnel Protocol -> UDP

Encryption Cipher -> Blowfish CBC

Hash Algorithm -> SHA 1

nsCertType Verification -> enabled

Advanced Options -> enabled

TLS Cipher -> None

LZO Compression -> Yes

NAT -> Disable

Firewall -> Disable

Bridge Tap to br0 -> Disable

IP Address -> blank

Subnet Mask -> blank

Tunnel MTU setting -> 1500

Tunnel UDP Fragment -> blank (disable)

Tunnel UDP MSS-Fix -> disable

TLS-Auth key -> blank

Additional Config

keepalive 3 60

persist-key

persist-tun

pull

resolve-retry infinite

nobind

Policy Based Routing -> blank

PKCS12 Key -> blank

Static Key -> blank

CA Cert -> insert your CA cert here

Public Client Key -> Insert your public client key here

Private Client Key -> Insert your private key here

Security

Firewall

SPI Firewall -> Disabled (note this exposes you to anything on FEEDNET. You can either enable it and open up routes for your desired traffic, or ensure that you use firewall protection on your PC, or you can trust those others that are on FEEDNET. Remember that FEEDNET is currently not encrypted and is open access to anyone with a FEEDNET RF link.)

All other settings default.

 

Version for LAN access to a router on the Internet. You can then connect your local clients either on WiFi or by plugging them directly into a LAN port. For this to work you must connect the VPN router directly to an internet router, with a cable from the WAN port of the VPN router to a LAN port of the Internet router/gateway. This can also be a PC on the internet with Internet Connection Sharing enabled. Firmware: DD-WRT v24-SP2 (03/25/13) big

Setup ->

 Basic Setup

WAN Connection Type ->  Automatic DHCP

Router Name -> It's up to you!

Hostname -> Up to you again - it really doesn't matter.

MTU - Auto

STP -> Disable

Network Setup (LAN)

Local IP -> Your choice, but it's important to consider this - see the section on the addressing scheme below.

Subnet Mask -> ditto

Gateway -> This will be the same as the LAN IP address

Local DNS -> ditto

WAN Port -> Not assigned to switch

DHCP Type -> DHCP Server

Max DHCP Users -> 50 should be enough

Client Lease Time -> I usually just leave at the default 1440 min

All the DNS server settings left to default 0.0.0.0

WINS -> default 0.0.0.0

Use DNSMasq for DHCP -> ticked

Use DNSMasq for DNS -> ticked

DHCP Authoritative -> not ticked

NTP client -> enable

Time Zone -> IMPORTANT - get this right. Wrong time settings will cause VPN authorisation problems, because certificate validity dates are checked against the router's clock.

Other settings on page are default.

Advanced Routing

Operating Mode -> Gateway

Everything else default

Wireless

Basic Settings

Wireless Mode -> AP

Network Mode -> Mixed

Network Name -> You decide on a local SSID that you want to use for your Access Point.

Network Configuration -> Bridged

Everything else default.

Wireless Security

Security Mode and other settings -> Your choice of security mode. Note that it is a very bad idea to have no security at all, and the FEEDNET team ask you not to leave it disabled. Whatever you decide, the clients must use the same.

Services

Services

DNSMasq -> enabled

Local DNS -> Enabled

No DNS rebind -> Enabled

Additional DNS Masq options

dhcp-option=6,10.224.69.33 (LAN address of the node that the VPN server is connected to)

dhcp-option=150,10.224.69.46 (LAN address of the TFTP server used for configuring Cisco VoIP telephones)

 

Everything else default.

VPN

OpenVPN client -> Enable

Server IP/Name -> Public IP address of the VPN server or its DNS name.

Port -> Port number of public facing VPN server, normally 1194

Tunnel Device -> TUN

Tunnel Protocol -> UDP

Encryption Cipher -> Blowfish CBC

Hash Algorithm -> SHA 1

nsCertType Verification -> enabled

Advanced Options -> enabled

TLS Cipher -> None

LZO Compression -> Yes

NAT -> Disable

Firewall -> Disable

Bridge Tap to br0 -> Disable

IP Address -> blank

Subnet Mask -> blank

Tunnel MTU setting -> 1500

Tunnel UDP Fragment -> blank (disable)

Tunnel UDP MSS-Fix -> disable

TLS-Auth key -> blank

Additional Config

keepalive 3 60

persist-key

persist-tun

pull

resolve-retry infinite

nobind

Policy Based Routing -> blank

PKCS12 Key -> blank

Static Key -> blank

CA Cert -> insert your CA cert here

Public Client Key -> Insert your public client key here

Private Client Key -> Insert your private key here

Security

Firewall

SPI Firewall -> Disabled (note this exposes you to anything on FEEDNET. You can either enable it and open up routes for your desired traffic, or ensure that you use firewall protection on your PC, or you can trust those others that are on FEEDNET. Remember that FEEDNET is currently not encrypted and is open access to anyone with a FEEDNET RF link.)

All other settings default.

Last updated: 02/26/16.