
Anonymous

OpenMesh and OpenVPN

This page describes how to configure an OpenMesh node to establish an OpenVPN tunnel between itself and the YFi Hotspot Manager server.


Introduction

  • OpenMesh is a hardware provider of mesh nodes.
  • These mesh nodes are in turn managed through an online mesh dashboard called Cloudtrax (https://www.cloudtrax.com/).
  • The dashboard allows us to specify our own FreeRADIUS servers as well as the UAM pages used by Coova Chilli captive portal.
  • Unfortunately the Cloudtrax controller does not configure the Coova Chilli captive portal in such a way as to disconnect active users.

Options to disconnect active users

  • To disconnect active users on Coova Chilli we have three options:
    • Configure Coova Chilli to accept CoA (including POD packets) by specifying the COAPORT, e.g. HS_COAPORT=3799.
    • Return attributes in the Accounting-Response packet from the RADIUS server that update the user's current limit to a very small value, which causes a disconnect, e.g. send ChilliSpot-Max-Total-Octets := 1 in the accounting reply packet.
    • Create a way to execute the chilli_query command to terminate a specified user's connection.
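The first option in working form, as an added example that is not code from YFi Hotspot Manager or Coova Chilli: it builds the RFC 5176 Disconnect-Request (the POD packet) addressed to chilli's HS_COAPORT=3799, computes the Request Authenticator the node recomputes before dropping the session, and includes the check the node performs so a wrong shared secret is visibly rejected. The secret, username and session id are constructed test values.

```python
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST = 40        # RFC 5176 code for a Disconnect-Request (the "POD" packet)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_SESSION_ID = 44
COA_PORT = 3799                # the port HS_COAPORT=3799 makes chilli listen on

def _attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value (length covers the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_disconnect_request(secret, ident, username, nas_ip, session_id):
    """Build a Disconnect-Request for the session the attributes identify.

    Request Authenticator = MD5(Code + Identifier + Length + 16 zero bytes
    + Attributes + Secret), RFC 5176 section 2.3. The NAS recomputes it with
    its own copy of the secret and silently drops packets that do not match.
    """
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(ATTR_ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def verify_request_authenticator(packet, secret):
    """The check the receiving NAS performs before acting on the request."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)

def parse_attributes(packet):
    """Walk the TLV list after the 20-byte header and return {type: value}."""
    out, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        out[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return out

def send_pod(packet, nas_vpn_ip):
    """Deliver the packet over the tunnel to the node's CoA port (UDP, no reply awaited)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(packet, (nas_vpn_ip, COA_PORT))
```

The nas_vpn_ip is the OpenVPN address the node was given as a NAS, which is why the tunnel has to exist before a POD can reach a node behind the mesh gateway.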

OpenVPN and the POD packet

  • We can modify YFi Hotspot Manager in such a way that, through convention, we will be able to have an OpenVPN tunnel between the mesh node running the captive portal and the YFi server.
  • Let's break the various tasks up into smaller sections to discuss the parts involved.
  • Some of these tasks are once-off; their headings start with Prep ->. The others are operating procedures and start with Use ->.

Prep -> Configure OpenVPN server

  • Deploy a simplified OpenVPN server as per this Wiki page: Simplified OpenVPN Server
  • Take care that the Perl script which is called by the OpenVPN server is indeed present (SVN 638 and up). You will find it in the /var/www/c2/yfi_cake/setup/radius/raddb.tar.gz file.
  • After you have completed the set-up, ensure that the /etc/openvpn/ccd directory is writable by the Apache web server's user (www-data on Ubuntu)

    sudo chown www-data. /etc/openvpn/ccd
    

Prep -> Configure YFi Hotspot Manager

  • Ensure you use SVN version 638 or higher of YFi Hotspot Manager
  • Create a directory called openvpn under the webroot of the yfi_cake CakePHP application and store the following files there (two are attached to this page):
    • client.conf: This is the configuration file for the OpenVPN client. REMEMBER: the IP address needs to point to your SVN server. This will sit under /etc/openvpn/ on the mesh node!
    • openvpn: This is the OpenVPN config file located under /etc/config/. This file has OpenVPN enabled and tells it to use /etc/openvpn/client.conf.
    • ca.crt: This is the CA file created during the setup of the OpenVPN server. It is required by the client to verify the validity of the OpenVPN server.

Prep -> Use the custom.sh option

  • Cloudtrax offers us the opportunity to run a custom script once (and thereafter whenever it changes).
  • Attached to this page are the following files, which have to be copied to the /var/www/c2/yfi_cake/webroot/openvpn directory.
    • custom.sh: This file will be specified in the Cloudtrax dashboard to be called during startup for a specified mesh.
    • yfii_includes.sh: This file will be sourced and copied to the mesh node under the /etc/yfii directory by the custom.sh script.
    • yfii_ready.sh: This file will be sourced and copied to the mesh node under the /etc/yfii directory by the custom.sh script. Afterwards it will be run. This file uses the functions in yfii_includes.sh to do most of the work displayed in the flow diagram below.
  • REMEMBER: There is a variable called YFI_IP in the custom.sh and yfii_includes.sh files that has to be changed to your server's IP!
  • The following flow diagram displays what the custom.sh script will accomplish:

Use -> Register the OpenVPN mesh nodes

  • Record the MAC address of the device(s) in the mesh to which you want to establish a tunnel between them and the YFi Hotspot Manager server.
  • You will typically only do this for the devices which are gateways of the mesh, i.e. those devices which are connected to the Internet.
  • Decide what OpenVPN IP Address you are going to give these devices and define them as a NAS with the OpenVPN IP as its IP using YFi Hotspot Manager.
  • Remember to stick to the address pattern of this document: http://openvpn.net/index.php/open-source/documentation/howto.html#policy
  • Edit these devices and enter the MAC address followed by a single underscore in the Community field, e.g. 08-00-27-56-22-0B_
  • The above convention will be utilized by the custom.sh script which we will use with Cloudtrax.
  • In the Cloudtrax controller you need to specify the RADIUS IP Address as the OpenVPN Server's e.g. 10.8.0.1
  • Update the version of custom.sh on the server; wait or simply reboot any mesh node.
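The two conventions of this procedure, the /30 address pattern from the OpenVPN howto and the "<MAC>_" marker in the Community field, as an added example that is not YFi's own code: it validates the OpenVPN IP chosen for a NAS, derives the ifconfig-push line a ccd file under /etc/openvpn/ccd would carry, and picks out the VPN-enabled rows from the FreeRADIUS nas table (nasname and community columns). It assumes the server holds 10.8.0.1 as on this page, so the first pair a node can take is 10.8.0.5/10.8.0.6; the NAS rows are constructed.

```python
import ipaddress
import re

# Assumed from this page: the OpenVPN server sits on 10.8.0.1 (its pair is .1/.2),
# so the first /30 pair a mesh node can take is 10.8.0.5/10.8.0.6.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
SERVER_IP = ipaddress.ip_address("10.8.0.1")
MAC_RE = re.compile(r"^([0-9A-F]{2}-){5}[0-9A-F]{2}$")

def vpn_pair(client_ip):
    """Return (client, server_endpoint) for an address that follows the howto's /30 pattern.

    The howto hands each client a successive /30 block, so the client side is
    always .1, .5, .9, ... and the endpoint the server uses is the next address.
    """
    ip = ipaddress.ip_address(client_ip)
    if ip not in VPN_NET:
        raise ValueError(f"{client_ip} is outside {VPN_NET}")
    if int(ip) % 4 != 1:
        raise ValueError(f"{client_ip} is not the client side of a /30 pair")
    if ip == SERVER_IP:
        raise ValueError(f"{client_ip} is the OpenVPN server's own address")
    return str(ip), str(ip + 1)

def ccd_line(client_ip):
    """The ifconfig-push line the node's ccd file needs."""
    client, server = vpn_pair(client_ip)
    return f"ifconfig-push {client} {server}"

def vpn_mac_from_community(community):
    """Apply the page's convention: '<MAC>_' in Community marks a node that gets a tunnel.

    Returns the MAC (upper case, dash separated) or None when the node is not VPN-enabled.
    """
    if not community or not community.endswith("_"):
        return None
    mac = community[:-1].upper().replace(":", "-")
    if not MAC_RE.match(mac):
        raise ValueError(f"{community!r} does not carry a valid MAC")
    return mac

def nas_entries(nas_rows):
    """Reduce nas table rows ({'nasname', 'community'}) to {mac: ccd_line} for VPN nodes.

    A malformed MAC or address raises instead of silently producing a tunnel entry.
    """
    return {vpn_mac_from_community(r["community"]): ccd_line(r["nasname"])
            for r in nas_rows if vpn_mac_from_community(r["community"])}
```

Whatever writes the resulting ccd files runs as www-data, which is why the ccd directory had to be chowned in the server preparation step.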

Use -> Disable OpenVPN mesh nodes

  • Remove the <MAC>_ value in the Community field.
  • Update the version of custom.sh on the server; wait or simply reboot any mesh node.

Use -> Updating custom.sh

  • The mesh node will only execute custom.sh if it has changed since the previous time it was sourced.
  • To force a change, add something like a comment carrying a version value, which you bump whenever you need to force an update:

    #Version 1:0:0
    

Technical detail

  • This section gives more of the technical detail on the OpenVPN configuration in YFi Hotspot Manager.
  • To see if a device sources the custom.sh script, run a tail -f on Apache's log file.
  • Here we can see what happens when a device registers itself with YFi.

    4.13.11.13 - - [15/Oct/2012:13:00:01 +0200] "GET /c2/yfi_cake/webroot/openvpn/custom.sh HTTP/1.1" 200 840 "-" "Wget/1.13.4 (linux-gnu)"
    4.13.11.13 - - [15/Oct/2012:13:00:03 +0200] "GET /c2/yfi_cake/webroot/openvpn/yfii_includes.sh HTTP/1.1" 200 6965 "-" "Wget/1.13.4 (linux-gnu)"
    4.13.11.13 - - [15/Oct/2012:13:00:04 +0200] "GET /c2/yfi_cake/webroot/openvpn/yfii_ready.sh HTTP/1.1" 200 451 "-" "Wget/1.13.4 (linux-gnu)"
    4.13.11.13 - - [15/Oct/2012:13:00:04 +0200] "GET /c2/yfi_cake/openvpns/active_check/AC-86-74-05-75-10 HTTP/1.1" 200 425 "-" "Wget/1.13.4 (linux-gnu)"
    4.13.11.13 - - [15/Oct/2012:13:00:36 +0200] "GET /c2/yfi_cake/openvpns/register_device?mac=AC-86-74-05-75-10&pwd=56d9827eeb7374128c8d65af4133a751 HTTP/1.1" 200 426 "-" "Wget/1.13.4 (linux-gnu)"
    4.13.11.13 - - [15/Oct/2012:13:00:37 +0200] "GET /c2/yfi_cake/webroot/openvpn/ca.crt HTTP/1.1" 200 1520 "-" "Wget/1.13.4 (linux-gnu)"
    4.13.11.13 - - [15/Oct/2012:13:00:37 +0200] "GET /c2/yfi_cake/webroot/openvpn/client.conf HTTP/1.1" 200 502 "-" "Wget/1.13.4 (linux-gnu)"
    4.13.11.13 - - [15/Oct/2012:13:00:37 +0200] "GET /c2/yfi_cake/webroot/openvpn/openvpn HTTP/1.1" 200 13292 "-" "Wget/1.13.4 (linux-gnu)"
    
  • Not all devices in the mesh will require OpenVPN, but the custom.sh script is called by each device. Here we see that there is no further action, since this particular device does not require a VPN.

    4.13.11.13 - - [15/Oct/2012:13:05:02 +0200] "GET /c2/yfi_cake/webroot/openvpn/custom.sh HTTP/1.1" 200 840 "-" "Wget/1.13.4 (linux-gnu)"
    4.13.11.13 - - [15/Oct/2012:13:05:03 +0200] "GET /c2/yfi_cake/webroot/openvpn/yfii_includes.sh HTTP/1.1" 200 6965 "-" "Wget/1.13.4 (linux-gnu)"
    4.13.11.13 - - [15/Oct/2012:13:05:03 +0200] "GET /c2/yfi_cake/webroot/openvpn/yfii_ready.sh HTTP/1.1" 200 451 "-" "Wget/1.13.4 (linux-gnu)"
    4.13.11.13 - - [15/Oct/2012:13:05:03 +0200] "GET /c2/yfi_cake/openvpns/active_check/AC-86-74-05-71-55 HTTP/1.1" 200 425 "-" "Wget/1.13.4 (linux-gnu)"
    
  • There does not seem to be a definite pattern as to when the custom.sh script is called, or by which mesh node. When I, for instance, rebooted node x, the first node to source custom.sh was not node x (the one just rebooted) but rather another node in the mesh.

  • It would however seem that the node which sources the custom.sh file does compare it with a previous version. Here we can see a simple GET and then nothing thereafter, meaning the custom.sh script was not run, probably because it looked the same as a previous one that was sourced.

    4.13.78.1 - - [15/Oct/2012:13:14:14 +0200] "-" 408 0 "-" "-"
    4.13.11.13 - - [15/Oct/2012:13:15:01 +0200] "GET /c2/yfi_cake/webroot/openvpn/custom.sh HTTP/1.1" 200 840 "-" "Wget/1.13.4 (linux-gnu)"
    1.69.55.2 - - [15/Oct/2012:13:15:41 +0200] "-" 408 0 "-" "-"
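
The same reading of the Apache log as a script, added here as an example that is not part of the page or of YFi: it splits the combined-format log at each custom.sh fetch and reports which node registered (register_device plus all three config files), which only ran active_check, and how many custom.sh fetches had no follow-up because the script was unchanged. The sample log is constructed from the excerpts above.

```python
import re

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
CONFIG_FILES = {"ca.crt", "client.conf", "openvpn"}

# Constructed sample, assembled from the Apache access-log excerpts on this page.
SAMPLE_LOG = """\
4.13.11.13 - - [15/Oct/2012:13:00:01 +0200] "GET /c2/yfi_cake/webroot/openvpn/custom.sh HTTP/1.1" 200 840 "-" "Wget/1.13.4 (linux-gnu)"
4.13.11.13 - - [15/Oct/2012:13:00:04 +0200] "GET /c2/yfi_cake/openvpns/active_check/AC-86-74-05-75-10 HTTP/1.1" 200 425 "-" "Wget/1.13.4 (linux-gnu)"
4.13.11.13 - - [15/Oct/2012:13:00:36 +0200] "GET /c2/yfi_cake/openvpns/register_device?mac=AC-86-74-05-75-10&pwd=56d9827eeb7374128c8d65af4133a751 HTTP/1.1" 200 426 "-" "Wget/1.13.4 (linux-gnu)"
4.13.11.13 - - [15/Oct/2012:13:00:37 +0200] "GET /c2/yfi_cake/webroot/openvpn/ca.crt HTTP/1.1" 200 1520 "-" "Wget/1.13.4 (linux-gnu)"
4.13.11.13 - - [15/Oct/2012:13:00:37 +0200] "GET /c2/yfi_cake/webroot/openvpn/client.conf HTTP/1.1" 200 502 "-" "Wget/1.13.4 (linux-gnu)"
4.13.11.13 - - [15/Oct/2012:13:00:37 +0200] "GET /c2/yfi_cake/webroot/openvpn/openvpn HTTP/1.1" 200 13292 "-" "Wget/1.13.4 (linux-gnu)"
4.13.11.13 - - [15/Oct/2012:13:05:02 +0200] "GET /c2/yfi_cake/webroot/openvpn/custom.sh HTTP/1.1" 200 840 "-" "Wget/1.13.4 (linux-gnu)"
4.13.11.13 - - [15/Oct/2012:13:05:03 +0200] "GET /c2/yfi_cake/openvpns/active_check/AC-86-74-05-71-55 HTTP/1.1" 200 425 "-" "Wget/1.13.4 (linux-gnu)"
4.13.78.1 - - [15/Oct/2012:13:14:14 +0200] "-" 408 0 "-" "-"
4.13.11.13 - - [15/Oct/2012:13:15:01 +0200] "GET /c2/yfi_cake/webroot/openvpn/custom.sh HTTP/1.1" 200 840 "-" "Wget/1.13.4 (linux-gnu)"
"""

def parse(log_text):
    """Yield (ip, timestamp, path, status) for every well-formed request line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:                       # the 408 "-" lines carry no request and are skipped
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def summarise_runs(log_text):
    """Split the log at each custom.sh fetch and classify each run.

    per_mac maps a MAC seen in active_check to 'registered' (register_device
    called and all three config files fetched) or 'checked_only'; idle_runs
    counts custom.sh fetches with no follow-up, i.e. the script was unchanged.
    """
    runs, current = [], None
    for _ip, _ts, path, status in parse(log_text):
        if status != 200:
            continue
        if path.endswith("/openvpn/custom.sh"):
            current = []
            runs.append(current)
        elif current is not None:
            current.append(path)
    per_mac = {}
    for paths in filter(None, runs):
        macs = re.findall(r"/active_check/([0-9A-F]{2}(?:-[0-9A-F]{2}){5})", " ".join(paths))
        registered = any("/register_device?" in p for p in paths)
        files = {p.rsplit("/", 1)[-1] for p in paths}
        for mac in macs:
            per_mac[mac] = "registered" if registered and CONFIG_FILES <= files else "checked_only"
    return per_mac, sum(1 for r in runs if not r)
```

Runs are separated by the custom.sh fetch, so nodes sharing one public address (the mesh gateway NATs them) are still told apart by the MAC in the active_check URL.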
    

Related

Wiki: YfiTechBeta6VM
Wiki: YfiTechOpenMeshHeartbeat
Wiki: YfiTechOpenVPNSimplified