Running openVPN client on Conduit?

  • #10202
    Brian Wyld
    Participant

    In order to connect my ‘cloud’ servers to/from my Conduit gateway via a 3G/4G connection, I’d like to have each one connect into my VPN server (so I can then use an internal IP address to exchange http requests to/from nodeRED).

    This seems a nicely secure and easy way to do this (rather than having to deal with inbound https requests to nodeRED via a non-fixed IP allocated on the mobile data network side).

    Any reason not to do it this way (before I get into how to get an openVPN client on the box…. any pointers for this also?)

    thanks for any comments!

    Brian

    #10204
    Jeff Hatch
    Keymaster

    Brian,

    I do not see anything in particular preventing you from doing this. I’m assuming that this is an AEP Conduit, so installing openVPN may be a little trickier than on our mLinux Conduit, but it is probably still doable.

    The VPN connection will be initiated by the Conduit via the ppp interface, correct? I have never done much analysis on what the additional bandwidth the VPN would use, so you might also want to factor that into your data usage. There may be very little difference, though, between HTTPS and the VPN. In fact a long running VPN connection might have lower bandwidth requirements than a bunch of HTTPS sessions.

    The big trick will be getting the OpenVPN installed and working.

    Jeff

    #10205
    Brian Wyld
    Participant

    Any ideas on what is required to install packages on the Conduit?
    Will I need to build them from source (aie aie)?

    cheers

    Brian

    #10206
    Brian Wyld
    Participant

    Actually, I see the multitech package repository (http://www.multitech.net/mlinux/feeds/3.1/arm926ejste/) seems to have openVPN packages….
    openvpn_2.1.3-r0.0_arm926ejste.ipk 22-Jul-2015 16:23 207K

    Anyone tried using these?

    cheers

    Brian

    #10207
    Jason Reiss
    Keymaster

    If you have an internet connection and run
    > opkg update
    > opkg install openvpn

    It will install that package for you to try.
    I don’t know if anyone has.

    #10208
    Jeff Hatch
    Keymaster

    Brian,

    One more important thing to note:

    Before you upgrade the Conduit firmware, make sure to save your openVPN configuration off the Conduit. You will have to re-install openVPN and reconfigure it after a firmware upgrade as the firmware upgrade for AEP re-flashes the entire FS.

    This may change in the future, but for now that is the way it is.

    Jeff Hatch

    #10422
    Brian Wyld
    Participant

    Hi,

    Thanks Jason, OpenVPN installed no problem; config ok. Had to create an init.d script for it but otherwise no issues to get it to work.

    Noted for the firmware upgrade issue.

    Thanks for the pointers!

    Now to try getting it to work over the ppp over 4G interface….

    A+

    Brian

    #10466
    Brian Wyld
    Participant

    Hint for anyone else trying this : the default iptables setup on the conduit doesn’t allow inbound connections (eg http, ssh, icmp) over non-lan interfaces….
    Took a while to work out that this was why I couldn’t ping it via the openvpn tunnel….
    Currently running without the iptables in place until I add the magic to let ping, ssh, and http via openvpn tun interfaces…

    #10552
    Brian Wyld
    Participant

    Hi all,

    Trying to get my openvpn tunnel to come up/down in sync with the ppp.
    Seems like it should be simple : just create 2 scripts in /etc/ppp/ip-up.d and ip-down.d, to do /etc/init.d/openvpn start / stop….

    However… my script in ip-up.d never seems to be called? Is there something special about the Conduit’s ppp install/operation?

    thanks

    Brian

    #10553
    Brian Wyld
    Participant

    AH yes, and the reason to start/stop the openvpn tunnel in sync with ppp, is to be able to run the iptables command in the openvpn script to allow in/out traffic thru it!
    iptables -A INPUT -i tun0 -j ACCEPT
    (in start_vpn())

    Brian
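
An added example, not part of the original posts and not MultiTech's own ruleset: a narrower alternative to accepting everything on the tunnel, opening only the ping, SSH and HTTP traffic mentioned above. The interface name `tun0`, the ports 22 and 80, and the function names are assumptions; the rules are removed before being re-added so repeated tunnel restarts do not stack duplicates.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: tunnel interface tun0,
# SSH on TCP 22, HTTP on TCP 80, iptables binary overridable via $IPTABLES.
IPTABLES=${IPTABLES:-iptables}
TUN_IF=${TUN_IF:-tun0}

# Print one INPUT rule spec per line: replies to connections the gateway
# opened itself, plus inbound ping, SSH and HTTP on the tunnel only.
tun_rule_specs() {
    cat <<EOF
-i $TUN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-i $TUN_IF -p icmp --icmp-type echo-request -j ACCEPT
-i $TUN_IF -p tcp --dport 22 -j ACCEPT
-i $TUN_IF -p tcp --dport 80 -j ACCEPT
EOF
}

# Remove every rule listed above; -D is repeated until it fails so that
# duplicates left by earlier runs are removed as well.
tun_rules_del() {
    tun_rule_specs | while read -r spec; do
        # $spec is left unquoted on purpose: it must split into arguments.
        while $IPTABLES -D INPUT $spec 2>/dev/null; do :; done
    done
}

# Idempotent add: clear old copies, then insert ahead of the default rules.
tun_rules_add() {
    tun_rules_del
    tun_rule_specs | while read -r spec; do
        $IPTABLES -I INPUT $spec || return 1
    done
}

# Call with "start" when the tunnel comes up and "stop" when it goes down.
case "${1:-}" in
    start) tun_rules_add ;;
    stop)  tun_rules_del ;;
esac
```

With rules this narrow the default firewall can stay loaded while the tunnel is in use.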

    #10558
    Jeff Hatch
    Keymaster

    Brian,

    The ip-up script should be getting executed by pppd once the ppp connection is up and the ppp interface can be configured. With regards to running your script, it should be working if the script is set up correctly. Have you verified that the run-parts utility will run your script when it is pointed at the right directory? What you’re trying to do is reasonable, and should work. If run-parts can run your script when you do it by hand, then it should get executed after ip-up.

    Let me know if that is not the case, maybe post a copy of your script. If nothing else I can try to start something in a similar manner.

    Jeff

    #10559
    Brian Wyld
    Participant

    Well,
    # run-parts /etc/ppp/ip-up.d
    ran my openvpn-start script when invoked by hand (once ppp was up)
    But it hadn’t been run automatically when the ppp came up!

    Where should the run-parts call be happening? I am probably a bit thick here, but when I look at the ip-up script (/etc/ppp/ip-up) I see no call to run-parts!
    Or does pppd do it directly?

    thanks

    #10749
    Jeff Hatch
    Keymaster

    Brian,

    From what I can tell, (I’m not an expert in this area) I don’t think that pppd tries to run the run-parts utility. You will need to invoke it from somewhere like ip-up when you want to run your start script. Either that or if you’re just simply trying to start openvpn, you can call that script explicitly.

    Jeff
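
An added example, not part of the original posts: one way to have `/etc/ppp/ip-up` dispatch to the scripts in `/etc/ppp/ip-up.d` itself, as suggested above. pppd runs `ip-up` as root with the arguments interface, tty, speed, local IP, remote IP and ipparam, so this sketch skips any hook that is not a regular executable file or that group or other users can write; the function names and the `HOOK_DIR` variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): body for /etc/ppp/ip-up.
# pppd calls it as root with: ifname tty speed local-ip remote-ip ipparam.
HOOK_DIR=${HOOK_DIR:-/etc/ppp/ip-up.d}

# Return 0 only for a regular, executable file that is not a symlink and
# that neither group nor other users can write.
hook_is_safe() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -x "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Run each safe hook in name order, passing pppd's arguments through.
# Skipped files and failing hooks are reported on stderr.
run_hooks() {
    dir=$1; shift
    for hook in "$dir"/*; do
        [ -e "$hook" ] || continue        # empty directory: glob did not match
        if hook_is_safe "$hook"; then
            "$hook" "$@" || echo "ip-up: $hook exited $?" >&2
        else
            echo "ip-up: skipped $hook" >&2
        fi
    done
}

# pppd always supplies at least five arguments; do nothing without them.
if [ $# -ge 5 ]; then
    run_hooks "$HOOK_DIR" "$@"
fi
```

A hook in that directory can then check that `$1` is the ppp interface before calling `/etc/init.d/openvpn start`.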

    #28235
    William Laing
    Participant

    Good Day –

    Just reading this thread from several years ago now:

    + is OpenVPN still the preferred remote access method for AEP Conduits (besides DeviceHQ)
    + does a firmware upgrade still overwrite OpenVPN?

    Thanks,
    William

    #28236
    Brian Wyld
    Participant

    Hi William,

    Yes, we’re still using OpenVPN to connect our conduits (actually mLinux versions now) to our backend cloud. We’ve a collection of scripts now for install and running this with watchdogs, monitoring etc that mean it’s pretty reliable…

    And yes, a firmware upgrade still overwrites OpenVPN. This isn’t a biggy as we don’t have many firmware updates in the field… especially as we use a backend loraserver LNS these days rather than the built-in LNS…

    A+

    Brian

    #28237
    William Laing
    Participant

    Thank you for the information, Brian.

    We’ll install OpenVPN and experiment with use cases.

    Best,
    William

    #28239
    Brian Wyld
    Participant

    ok good luck!

    Brian
