OpenVPN and Raspberry Pi 3 – part 1

I used to use the remote access VPN that came with my SRX100 and now SRX300. However, it is limited to two users only, and I need more than two. I thought of using the Raspberry Pi and OpenVPN, since OpenVPN can be used on most platforms: Windows, MacOS (or OSX), Linux, and mobile devices such as Android and iOS.

Another issue I found was that on iOS devices I could not VPN in to my SRX via the PulseSecure app. I kept getting this error whenever I tried to VPN in:

Figure 1 (pulsesecure_ios): screenshot of the PulseSecure iOS error

There are times when I don't have a laptop with me, so access from my phone is important. OpenVPN seems to meet my requirements for a home VPN.

I am going to split this post into two parts.

  • Part 1 – configuring OpenVPN on a Raspberry Pi 3 and setting up Destination NAT on the Juniper SRX
  • Part 2 – configuring OpenVPN on the clients (Ubuntu, OSX, iOS)

Let’s get started:

The installation is pretty simple thanks to pivpn. If your public IP is dynamic, I would highly recommend that you choose the "Use a public DNS" option and enter your hostname. I used the no-ip service for mine. Anyway, the script is pretty straightforward. The remaining issue is the Pi's iptables: by default, its rules do not allow OpenVPN traffic in. This guide will help you configure the iptables rules.

If you follow those two guides, your Pi should be good to go. Now we need to configure the SRX to allow inbound traffic from anywhere on the Internet to the Pi via Destination NAT (port-forwarding).

SSH to the SRX and create an application for the OpenVPN port. OpenVPN uses 1194/udp by default.

Example 1

set applications application OPENVPN-APP term UDP-1194 protocol udp
set applications application OPENVPN-APP term UDP-1194 destination-port 1194

Create a destination NAT pool that points at the Pi's address (192.168.9.2) and port 1194. Junos takes the port as part of the address statement, so the prefix is repeated on the second line.

Example 2

set security nat destination pool untrust_TO_PI-OPENVPN address 192.168.9.2/32
set security nat destination pool untrust_TO_PI-OPENVPN address 192.168.9.2/32 port 1194

Then create a rule-set for inbound traffic. The 1.1.1.1/32 below is a placeholder; replace it with the public address on your untrust interface.

Example 3

set security nat destination rule-set DST-NAT from zone untrust
set security nat destination rule-set DST-NAT rule untrust_TO_PI-OPENVPN description "OPEN VPN DESTINATION NAT"
set security nat destination rule-set DST-NAT rule untrust_TO_PI-OPENVPN match destination-address 1.1.1.1/32
set security nat destination rule-set DST-NAT rule untrust_TO_PI-OPENVPN match destination-port 1194
set security nat destination rule-set DST-NAT rule untrust_TO_PI-OPENVPN then destination-nat pool untrust_TO_PI-OPENVPN

The Destination NAT is created. Next we need a security policy to allow the inbound traffic. Let's start by creating an address-book entry for the Pi.

Example 4

set security address-book global address PI-OPENVPN-BOOK 192.168.9.2/32

Then an inbound security policy. Note that the SRX evaluates the policy against the post-NAT destination, so it matches the Pi's address-book entry rather than the public IP.

Example 5

set security policies from-zone untrust to-zone VPN-ZONE policy untrust_TO_PI-OPENVPN description "INBOUND TRAFFIC FROM untrust TO PI-OPENVPN VIA PORT 1194"
set security policies from-zone untrust to-zone VPN-ZONE policy untrust_TO_PI-OPENVPN match source-address any
set security policies from-zone untrust to-zone VPN-ZONE policy untrust_TO_PI-OPENVPN match destination-address PI-OPENVPN-BOOK
set security policies from-zone untrust to-zone VPN-ZONE policy untrust_TO_PI-OPENVPN match application OPENVPN-APP
set security policies from-zone untrust to-zone VPN-ZONE policy untrust_TO_PI-OPENVPN then permit

At this point, you should be able to VPN in. However, do not test the VPN from inside your LAN. This will not work because when you configured your Pi VPN, you specified your public IP or DDNS hostname, so the destination in your .ovpn profile is your public IP. If you really want to VPN in from your LAN, you would need to configure the SRX with U-Turn NAT, but that is going to be for another discussion.

Now you need to create a security policy to allow the VPN users to reach the internal destinations. The example below permits any source, destination, and application from VPN-ZONE to trust; tighten the match terms to what your VPN users actually need.

Example 6

set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN description "ALLOW DYNAMIC VPN TO REACH THE TRUST ZONE RESOURCES"
set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN match source-address any
set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN match destination-address any
set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN match application any
set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN then permit

The last part is to tell the SRX that you have a new network, 10.8.0.0/24. By default, OpenVPN uses 10.8.0.0/24 for the VPN users. A VPN client may be able to send traffic to its destination, but the replies fail because the SRX does not know how to get back to 10.8.0.0/24. Add a static route with the Pi as the next hop.

Example 7

set routing-options static route 10.8.0.0/24 next-hop 192.168.9.2

That’s about it.

Cheers
