Differences

This shows you the differences between two versions of the page.

--- wiki:support:faq [2021/09/21 10:53]
tda
+++ wiki:support:faq [2021/12/22 11:59] (current)
cgu
@@ Line 30: / Line 30: @@
 Nmap scan report for klk-wifc-03002E.klksi.fr (192.168.14.164)
 </code>
+===== How to Reactivate the Ethernet interface using SMS ?=====
+<markdown>
+The Station and the iFemtocell-Evolution have a SIM card slot that can be used to get a cellular connection.
+By default the connection is disabled but the SMS interface is activated, using this interface you can reactivate Ethernet if you have disabled it by error.
+you just need to send the following SMS to the phone number of the SIM card in the gateway:
+```
+[spn:spnpwd] [coset3] configuration/set_value network.lan.type "dhcp"
+```
+</markdown>
+the gateway will answer ''[coset3:ok]'' if the command is valid.\\
+\\
+Then send this SMS:
+<markdown>
+```
+[spn:spnpwd] [updreb] update/reboot
+```
+</markdown>
+The gateway will answer ''[updreb:ok]''
+The gateway will reboot and ethernet connection will be activated on the gateway
 ===== I cannot choose RX window 1 for a class C end-devices =====
@@ Line 114: / Line 138: @@
-===== How to configure OpenVPN with Wanesy SPN =====
+===== How to configure OpenVPN with Wanesy SPN (for POC only) =====
-This section explains how to configure OpenVPN with the Wanesy SPN in a multi-gateways configuration over ethernet or cellular in order to setup a secure channel between the master gateway and the slave gateways.
+This section explains how to configure OpenVPN with the Wanesy SPN in a multi-gateways configuration over Ethernet or cellular in order to set up a secure channel between the master gateway and the slave gateways.
 You will need:
@@ Line 124: / Line 148: @@
   * to configure the OpenVPN clients
   * to enable OpenVPN on the OpenVPN clients
-  * to configure the clients' Packet forwarder
+  * to configure the client's Packet forwarder
   * to add a specific patch to the Packet forwarder
@@ Line 139: / Line 163: @@
 **The OpenVPN server must use a static IP definition.** \\
-For ethernet, you can use a static-IP addressing (LAN configuration) or a domain name (WAN configuration with optionally the dynamic DNS feature if the IP address of the server is often changing but we recommend to use a static-IP address).
+For Ethernet, you can use a static-IP addressing (LAN configuration) or a domain name (WAN configuration with optionally the dynamic DNS feature if the IP address of the server is often changing, but we recommend using a static-IP address).
 <note important>
-**If you have to use a cellular backhaul for your SPN gateways, the OpenVPN server must be accessible from internet.** \\
+**If you have to use a cellular backhaul for your SPN gateways, the OpenVPN server must be accessible from the internet.** \\
 So, for cellular, a public and fixed IP address is mandatory for the OpenVPN server.
 </note>
-Note that if the configuration works for cellular, the same configuratio will work for ethernet.
+Note that if the configuration works for cellular, the same configuration will work for Ethernet.
 === For the SPN Master gateway ===
-**The Master gateway (an OpenVPN client) must have a fixed-IP adressing (ethernet and cellular)** \\
+**The Master gateway (an OpenVPN client) must have a fixed-IP addressing (Ethernet and cellular)** \\
-in order the packet forwarder of the slave gateways to forward properly the received LoRa packets to the Master gateway.
+in order, the packet forwarder of the slave gateways to forward properly the received LoRa packets to the Master gateway.
 === For the slave gateways ===
-**It is not mandatory that the slave gateways (OpenVPN clients) have a fixed-IP adressing (ethernet and cellular)**.
+**It is not mandatory that the slave gateways (OpenVPN clients) have a fixed-IP addressing (Ethernet and cellular)**.
 === Convenience of using OpenVPN ===
@@ Line 165: / Line 189: @@
   * a static definition for addressing the OpenVPN server (domain name or fixed-IP). \\ This definition must be public if you are using cellular for the backhaul of your SPN gateways.
-  * a static definition for the SPN Master gateway acting as an OpenVPN client (fixed-IP for the ethernet and cellular backhaul).
+  * a static definition for the SPN Master gateway acting as an OpenVPN client (fixed-IP for the Ethernet and cellular backhaul).
-For ethernet, fixed-IP addressing is not mandatory for slave gateways.
+For Ethernet, fixed-IP addressing is not mandatory for slave gateways.
 For cellular, standard SIM cards can be used in the slave gateways.
-The following diagram shows the kind of configuration required for each type of backhaul used for the OpenVPN clients gateways (ethernet/cellular) :
+The following diagram shows the kind of configuration required for each type of backhaul used for the OpenVPN clients gateways (Ethernet/Cellular) :
 {{:images:openvpn_architecture_ip_configuration.png?800|}}
@@ Line 195: / Line 219: @@
 {{:images:the_openvpn_truth_chain.png?600|}}
-<note important>**The RootCA can be a self-signed certificate used for test purposes but cannot be used for production.**
+<note important>**The RootCA can be a self-signed certificate used for test purposes, but cannot be used for production.**
 It is better to sign all your certificates by an authenticated/true and trusted CA like GlobalSign, Verisign, GlobalCert, Komodo, etc... (this service is not free).
 </note>
@@ Line 282: / Line 306: @@
 </code>
-fill the pass.txt file with your password and chmod 600 it.
+Fill the pass.txt file with your password and chmod 600 it.
 Start OpenVPN with the following command:
@@ Line 397: / Line 421: @@
 \\
 ==== Special care about FW 4.x.x ====
+\\
+=== introduction ===
 When SPN slaves are using the FW 4.x.x, you must be aware that:
   * OpenVPN configuration must be done manually: process monitoring and process start must be enabled at boot time.
   * Firewall rules must be added to accept the OpenVPN traffic (port 1194 IN/OUT).
-  * **All secrets (OpenVPN keys and certificates) must be written in the ProvenCore TrustZone**. The following WIKI page explains how to proceed: [[https://wikikerlink.fr/wirnet-productline/doku.php?id=wiki:network_mana:vpn_client&s[]=pnr&s[]=uploader]].
+  * **All secrets (OpenVPN keys and certificates) must be written in the ProvenCore TrustZone**. \\ The following WIKI page explains how to proceed: [[https://wikikerlink.fr/wirnet-productline/doku.php?id=wiki:network_mana:vpn_client&s[]=pnr&s[]=uploader]].
   * passphrase must be removed from the p12 file (protecting the client's private key) and replaced by a passphrase in the cyphered package (.enc).
+  * tls-version-min 1.1 and tls-version-max 1.2 directives must be explicitly added in the client's OpenVPN configuration file.
+\\
+=== How to monitor openvpn ===
+this section explains how to enable the openvpn autostart at boot time and enable the openvpn process monitoring.
+Simply add the following file ''openvpn'' in ''/etc/monit'' :
+<code file openvpn>
+check process openvpn matching openvpn
+        start program = "/etc/init.d/openvpn start"
+        stop program = "/etc/init.d/openvpn stop"
+</code>
+=== How to enable openvpn traffic ===
+Add the following file ''iptables_openvpn.rules'' in the ''/etc/firewall.d'' directory :
+<code file iptables_openvpn.rules>
+#Firewall rules to accept OpenVPN traffic
+*filter
+-I INPUT  -m udp -p udp --sport 1194 --dport 1024:65535 -j ACCEPT
+-I INPUT  -m udp -p udp --sport 30000:35000 --dport 1024:65535 -j ACCEPT
+-I OUTPUT -m udp -p udp --sport 1024:65535 --dport 1194 -j ACCEPT
+-I OUTPUT -m udp -p udp --sport 1024:65535 --dport 30000:35000 -j ACCEPT
+COMMIT
+</code>
+=== How to store secrets in the TrustZone ===
+This guide explains how to store secrets in the TrustZone.
+== Installing the crypto library in Ubuntu environment ==
+<code bash>
+# sudo apt install python3-crypto
+</code>
+== Initializing the ProvenCore TrustZone ==
+On the gateway:
+<code bash>
+# pnr_uploader -R -p "kerlinkkerlink"
+</code>
+<code>
+request completed with status: 0
+root@klk-lpbs-060434:~ #
+</code>
+NB: you have to use a different passphrase and stronger !
+== Removing the passphrase from the p12 ==
+Since a new passphrase will be added to the encoded package, the initial passphrase generated when building the p12 package can be removed.
+So regenerate the p12 without passphrase (let empty) as described here: [[https://wikikerlink.fr/wanesy-spn/doku.php?id=wiki:webui:administration:openvpn:pki#p12_packaging_pkcs_121]].
+== Cyphering the client’s certificate and key (p12) ==
+Transfer your client p12 package to your Ubuntu environment (using the ''scp'' command) for cyphering.
+Perform the following command:
+<code bash>
+# python3 pnrcipher.py -f client.p12 -p « kerlinkkerlink »
+</code>
+A ''client.p12.enc'' file is generated.
+Transfer back this encoded file to your gateway using the ''scp'' command.
+== Updating the client's OpenVPN configuration file ==
+Add the following lines for TLS compatibility:
+<code bash>
+# Mandatory Param
+tls-version-min 1.1
+tls-version-max 1.2
+</code>
+Replace the "pkcs12 client.p12" directive by the following line:
+<code>
+pkcs12 [[INLINE]] /trustzone/securestorage/block10 "kerlinkkerlink"
+</code>
+Remove or comment the ca directive :
+<code>
+# cert ca.crt
+</code>
+Add the directive ''remote-cert-tls server'' to avoid MITM attacks:
+<code>
+remote-cert-tls server
+</code>
+Here is an example of configurationfile to use:
+<code>
+#################################################
+#                                               #
+# Client-side OpenVPN 2.X config file for       #
+# connecting to multi-client server.            #
+#                                               #
+# Comments are preceded with '#' or ';'         #
+#                                               #
+#################################################
+# Specify that we are a client and that we
+# will be pulling certain config file directives
+# from the server.
+client
+# SSL/TLS parms.
+# See the server config file for more
+# description.  It's best to use
+# a separate .crt/.key file pair
+# for each client.  A single ca
+# file can be used for all clients.
+#pkcs12 [[INLINE]]
+# Verify server certificate by checking that the
+# certicate has the correct key usage set.
+# This is an important precaution to protect against
+# a potential attack discussed here:
+#  http://openvpn.net/howto.html#mitm
+#
+# To use this feature, you will need to generate
+# your server certificates with the keyUsage set to
+#   digitalSignature, keyEncipherment
+# and the extendedKeyUsage to
+#   serverAuth
+# EasyRSA can do this for you.
+remote-cert-tls server
+# Protocol
+proto udp
+#Tunnel
+dev vpn0
+dev-type tun
+#shared key server-client
+#tls-auth ta.key 0
+nobind
+#Server
+remote 192.168.1.10
+#Certification Authority Certificate - Server Authentication
+# cert ca.crt
+#User Key and Certificate - Client Authentication
+pkcs12 [[INLINE]] /trustzone/securestorage/block10 "kerlinkkerlink"
+cipher AES-256-CBC
+#auth SHA256
+tls-version-min "1.1"
+tls-version-max "1.2"
+mssfix 1200
+comp-lzo
+askpass pass.txt
+# 0 -- Strictly no calling of external programs.
+# 1 -- (Default) Only call built-in executables such as  ifconfig,
+# ip, route, or netsh.
+# 2  --  Allow  calling  of  built-in executables and user-defined
+# scripts.
+# 3 -- Allow passwords to be passed to scripts  via  environmental
+# variables (potentially unsafe).
+script-security 2
+</code>
+== Cyphering the client's OpenVPN configuration file ==
+Transfer the client configuration file to your Ubuntu environment and perform the following commands:
+<code bash>
+# mv client-openvpn.conf provencore-openvpn.conf
+# python3 pnrcipher.py -f provencore-openvpn.conf -p « kerlinkkerlink »
+</code>
+A ''provencore-openvpn.conf.enc'' file is generated.
+Transfer back the encoded file to your gateway (using the ''scp'' command).
+== Uploading files (p12 and configuration file) in the TrustZone ==
+<code bash>
+# pnr_uploader -u -f client.p12.enc  -b 10
+</code>
+<code bash>
+uploading 3408 bytes
+request completed with status: 0
+</code>
+<code bash>
+# pnr_uploader -u -f provencore-openvpn.conf.enc  -b 2
+</code>
+<code bash>
+uploading 2048 bytes
+request completed with status: 0
+</code>
+== Starting openvpn ==
+Before starting OpenVPN, the following file must be stored in the ''/etc/openvpn'' as a "bootstrap":
+<code bash>
+#################################################
+#                                               #
+# Client-side OpenVPN 2.X config file for       #
+# connecting to multi-client server.            #
+#                                               #
+# Comments are preceded with '#' or ';'         #
+#                                               #
+#################################################
+# Specify that we are a client and that we
+# will be pulling certain config file directives
+# from the server.
+client
+# Use the same setting as you are using on
+# the server.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev vpn0
+dev-type tun
+# Are we connecting to a TCP or
+# UDP server?  Use the same setting as
+# on the server.
+;proto tcp
+proto udp
+# The hostname/IP and port of the server.
+# You can have multiple remote entries
+# to load balance between the servers.
+remote 192.168.1.10
+# Choose a random host from the remote
+# list for load-balancing.  Otherwise
+# try hosts in the order specified.
+;remote-random
+# Keep trying indefinitely to resolve the
+# host name of the OpenVPN server.  Very useful
+# on machines which are not permanently connected
+# to the internet such as laptops.
+resolv-retry infinite
+# Most clients don't need to bind to
+# a specific local port number.
+nobind
+# Downgrade privileges after initialization (non-Windows only)
+# Keep running as root to be able modifying routing (no persist)
+;user nobody
+;group nogroup
+# Try to preserve some state across restarts.
+persist-key
+# Do not enable persist options related to routing as
+# connman can be restarted and can unconfigure routes and interface
+;persist-tun
+;persist-local-ip
+;persist-remote-ip
+# If you are connecting through an
+# HTTP proxy to reach the actual OpenVPN
+# server, put the proxy server/IP and
+# port number here.  See the man page
+# if your proxy server requires
+# authentication.
+;http-proxy-retry # retry on connection failures
+;http-proxy [proxy server] [proxy port #]
+# Announce to TCP sessions running over the
+# tunnel that they should limit their send packet
+# sizes such that after OpenVPN has encapsulated them,
+# the resulting UDP packet size that OpenVPN sends
+# to its peer will not exceed max bytes.
+mssfix 1200
+# Wireless networks often produce a lot
+# of duplicate packets.  Set this flag
+# to silence duplicate packet warnings.
+;mute-replay-warnings
+# SSL/TLS parms.
+# See the server config file for more
+# description.  It's best to use
+# a separate .crt/.key file pair
+# for each client.  A single ca
+# file can be used for all clients.
+pkcs12 [[INLINE]]
+# Verify server certificate by checking that the
+# certicate has the correct key usage set.
+# This is an important precaution to protect against
+# a potential attack discussed here:
+#  http://openvpn.net/howto.html#mitm
+#
+# To use this feature, you will need to generate
+# your server certificates with the keyUsage set to
+#   digitalSignature, keyEncipherment
+# and the extendedKeyUsage to
+#   serverAuth
+# EasyRSA can do this for you.
+#remote-cert-tls server
+# If a tls-auth key is used on the server
+# then every client must also have the key.
+;tls-auth ta.key 1
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+;cipher BF-CBC        # Blowfish (default)
+;cipher AES-128-CBC   # AES
+;cipher DES-EDE3-CBC  # Triple-DES
+cipher AES-256-CBC
+# Enable compression on the VPN link.
+# Don't enable this unless it is also
+# enabled in the server config file.
+comp-lzo
+# Set log file verbosity.
+verb 3
+# Silence repeating messages
+;mute 20
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 60 600
+# 0 -- Strictly no calling of external programs.
+# 1 -- (Default) Only call built-in executables such as  ifconfig,
+# ip, route, or netsh.
+# 2  --  Allow  calling  of  built-in executables and user-defined
+# scripts.
+# 3 -- Allow passwords to be passed to scripts  via  environmental
+# variables (potentially unsafe).
+script-security 2
+# up   Executed after TCP/UDP socket bind and TUN/TAP open.
+# down Executed after TCP/UDP and TUN/TAP close.
+;up /etc/openvpn/update-resolv-conf
+;down /etc/openvpn/update-resolv-conf
+# Use route-up instead of up as up is already used !
+;route-up
+#askpass pass.txt
+</code>
+<code bash>
+monit openvpn start
+</code>
+=== Tool ===
+The following tool is designed to automate previous tasks :
+  * Cyphering VPN certifcates and keys,
+  * Writing secrets in the ProvenCore Trustzone,
+  * Activating the packet forwarder (CPF) and updating the forwarding IP (to send LoRa packets to the SPN Master Gateway),
+  * Activating the monitoring of openvpn process (start and stop).
+This script generates a package to install on the gateway.
+{{ :wiki:generate_spn_openvpn_package_v1.0.tar.gz |}}
+# usage: ./generate_ipk.sh <GW_EUI> <p12> <server-IP> <passwd> <forwarding-IP>
+Ex: ./generate_ipk.sh 7276FF002E060434 client.p12 192.168.1.24 kerlinkkerlink 10.8.0.2
+generates a package named ''configure-openvpn-spn-2e060434_1.0_klkgw.ipk''.
+<note important>
+ \\
+KERLINK does not maintain this script. This script has been tested with FW 4.3.3 and it may have some incompatibilities with future Keros SW releases.
+</note>
+=== Recommandations ===
+  * For Production, don't use a self-root CA certificate but a certificate authenticated by a trusted entity like Comodo, GoDaddy, DigiCert, etc...
+  * Care about the expiration date of your generated certificates.

Wanesy™ SPN (End Of Life)

User Tools

Site Tools

Differences

Page Tools