Featured Post

HOW TO: Install VPN server on Ubuntu when server is behind firewall

The whole point in this post is to run your own VPN service, and allow you to connect remote devices to your home network. To start off yo...

Mar 7, 2014

OpenVPN on NAS4Free

If you are using a more recent version of NAS4Free than 9.2, check out the following guide:
http://www.geekfreely.com/2015/12/howto-openvpn-installation-guide-for.html

Otherwise, continue...

In this post I intend to describe the steps required for securing your NAS4Free server so that all external communication with it is conducted via VPN.  To achieve this we are going to setup OpenVPN on the NAS4Free server and configure it to use a VPN service, which there are many to choose from.


While this site contains information regarding bittorrents, please note I do not necessarily agree with the opinions of any external site I link to, and I do not condone, or conduct illegal downloading.

Important Notes:

  • This was conducted on a FULL NAS4Free installation, not embedded.
  • Change /mnt/Data to your own storage location
  • Change 192.168.0.* to your NAS4Free IP address
  • Some of the directories may already exists from previous HOWTOs
cd /mnt/Data
mkdir Extensions
cd Extensions
mkdir var
mkdir usr
mkdir tmp

INSTALLING OPENVPN

Set the temporary directory for the packages, as well as the site to fetch packages from (if you are installing onto a 32 bit system change “amd64″ to “i386″):

setenv PKG_TMPDIR /mnt/Data/Extensions/tmp/
setenv PACKAGESITE "http://ftp6.us.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-9.0-release/Latest/"

Install OpenVPN:
pkg_add -rv openvpn

Move openvpn file so it does not get executed every time when system is being started, otherwise your boot process will get stopped and you will be asked for a username/password.  NAS4Free executes all the files inside "rc.d" folder on startup.

mv /usr/local/etc/rc.d/openvpn /usr/local/etc/openvpn/

Install Certificates and .ovpn files.
mkdir /usr/local/etc/openvpn

Download your certificates *.crt as well as *.ovpn , rename them to *.crt->openvpn.crt and *.ovpn->openvpn.conf copy them using WinSCP to /usr/local/etc/openvpn/

Once copied edit the openvpn.conf and you should see something like that:

client
dev tun
proto udp
remote 11.170.97.173 443 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca openvpn.crt
auth-user-pass
comp-lzo
verb 3

Add the following line to openvpn.conf, so passwords aren't stored in memory:
auth-nocache  Don't use auth-nocache, as renegotiation after timeout will fail.

Just make sure after "ca" there is openvpn.crt, also check the 2nd line if you have got dev tun or dev tap

Test OpenVPN connection:
/usr/local/etc/openvpn/openvpn onestart /usr/local/etc/openvpn/openvpn.conf

Download the following torrent to make sure your legal torrents are downloaded privately:
http://torguard.net/checkmytorrentipaddress.php

Edit rc.conf to enable OpenVPN.  Open up your NAS' web interface and head to System > Advanced > rc.conf and add the following variables:P

openvpn_enable with a value of YES
openvpn_if with a value of tun or tap depending on the contents of openvpn.conf

Now we need to make it autostart, so back to SSH:
pkg_add -r expect

nano /usr/local/etc/openvpn/autosignon

In the file just insert:
#!/usr/local/bin/expect -f
set force_conservative 0
spawn /usr/local/etc/openvpn/openvpn start /usr/local/etc/openvpn/openvpn.conf
match_max 100000
expect -exact "Enter Auth Username:"
send -- "YOUR USERNAME!\r"
expect -exact "Enter Auth Password:"
send -- "YOUR PASSWORD!\r"
expect eof

Save your changes and make that script executable by running the following command:

chmod +x autosignon

AUTOSTART OPENVPN
In NAS4Free webGUI, navigate to: “System|Advanced|Command scripts” and insert the following start-up command (PreInit):

/usr/local/etc/openvpn/autosignon

CONFIGURE FIREWALL
So this is a bit hit or miss for me, I almost feel like I am having to restart my NAS4Free box before I see the changes from the firewall applied. My VPN provider doesn't have a list anymore for which IPs they assign, so I just have to kinda guess. The purpose of the firewall is to provide detection if the event of the VPN service going down, and by protection we mean - no external connection.


If you wish to test your NAS4Free box IP directly from command line, install curl.

pkg_add -rv curl

Then enter the following:

curl ifconfig.me

But you can also check your torrent client directly too!
http://checkmytorrentip.net/torrentip/checkMyTorrentIp.png.torrent

9/15/2014 Update:  CHange torrent IP tracking address.

No comments: