User Tools
wiki:support:faq
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
wiki:support:faq [2021/09/28 09:36] tda |
wiki:support:faq [2021/12/22 11:59] (current) cgu |
||
|---|---|---|---|
| Line 30: | Line 30: | ||
| Nmap scan report for klk-wifc-03002E.klksi.fr (192.168.14.164) | Nmap scan report for klk-wifc-03002E.klksi.fr (192.168.14.164) | ||
| </code> | </code> | ||
| + | |||
| + | ===== How to Reactivate the Ethernet interface using SMS ?===== | ||
| + | |||
| + | <markdown> | ||
| + | The Station and the iFemtocell-Evolution have a SIM card slot that can be used to get a cellular connection. | ||
| + | By default the connection is disabled but the SMS interface is activated, using this interface you can reactivate Ethernet if you have disabled it by error. | ||
| + | you just need to send the following SMS to the phone number of the SIM card in the gateway: | ||
| + | |||
| + | |||
| + | ``` | ||
| + | [spn:spnpwd] [coset3] configuration/set_value network.lan.type "dhcp" | ||
| + | ``` | ||
| + | </markdown> | ||
| + | the gateway will answer ''[coset3:ok]'' if the command is valid.\\ | ||
| + | \\ | ||
| + | Then send this SMS: | ||
| + | <markdown> | ||
| + | ``` | ||
| + | [spn:spnpwd] [updreb] update/reboot | ||
| + | ``` | ||
| + | </markdown> | ||
| + | The gateway will answer ''[updreb:ok]'' | ||
| + | The gateway will reboot and ethernet connection will be activated on the gateway | ||
| + | | ||
| ===== I cannot choose RX window 1 for a class C end-devices ===== | ===== I cannot choose RX window 1 for a class C end-devices ===== | ||
| Line 116: | Line 140: | ||
| ===== How to configure OpenVPN with Wanesy SPN (for POC only) ===== | ===== How to configure OpenVPN with Wanesy SPN (for POC only) ===== | ||
| - | This section explains how to configure OpenVPN with the Wanesy SPN in a multi-gateways configuration over ethernet or cellular in order to setup a secure channel between the master gateway and the slave gateways. | + | This section explains how to configure OpenVPN with the Wanesy SPN in a multi-gateways configuration over Ethernet or cellular in order to set up a secure channel between the master gateway and the slave gateways. |
| You will need: | You will need: | ||
| Line 124: | Line 148: | ||
| * to configure the OpenVPN clients | * to configure the OpenVPN clients | ||
| * to enable OpenVPN on the OpenVPN clients | * to enable OpenVPN on the OpenVPN clients | ||
| - | * to configure the clients' Packet forwarder | + | * to configure the client's Packet forwarder |
| * to add a specific patch to the Packet forwarder | * to add a specific patch to the Packet forwarder | ||
| Line 139: | Line 163: | ||
| **The OpenVPN server must use a static IP definition.** \\ | **The OpenVPN server must use a static IP definition.** \\ | ||
| - | For ethernet, you can use a static-IP addressing (LAN configuration) or a domain name (WAN configuration with optionally the dynamic DNS feature if the IP address of the server is often changing but we recommend to use a static-IP address). | + | For Ethernet, you can use a static-IP addressing (LAN configuration) or a domain name (WAN configuration with optionally the dynamic DNS feature if the IP address of the server is often changing, but we recommend using a static-IP address). |
| <note important> | <note important> | ||
| - | **If you have to use a cellular backhaul for your SPN gateways, the OpenVPN server must be accessible from internet.** \\ | + | **If you have to use a cellular backhaul for your SPN gateways, the OpenVPN server must be accessible from the internet.** \\ |
| So, for cellular, a public and fixed IP address is mandatory for the OpenVPN server. | So, for cellular, a public and fixed IP address is mandatory for the OpenVPN server. | ||
| </note> | </note> | ||
| - | Note that if the configuration works for cellular, the same configuratio will work for ethernet. | + | Note that if the configuration works for cellular, the same configuration will work for Ethernet. |
| === For the SPN Master gateway === | === For the SPN Master gateway === | ||
| - | **The Master gateway (an OpenVPN client) must have a fixed-IP adressing (ethernet and cellular)** \\ | + | **The Master gateway (an OpenVPN client) must have a fixed-IP addressing (Ethernet and cellular)** \\ |
| - | in order the packet forwarder of the slave gateways to forward properly the received LoRa packets to the Master gateway. | + | in order, the packet forwarder of the slave gateways to forward properly the received LoRa packets to the Master gateway. |
| === For the slave gateways === | === For the slave gateways === | ||
| - | **It is not mandatory that the slave gateways (OpenVPN clients) have a fixed-IP adressing (ethernet and cellular)**. | + | **It is not mandatory that the slave gateways (OpenVPN clients) have a fixed-IP addressing (Ethernet and cellular)**. |
| === Convenience of using OpenVPN === | === Convenience of using OpenVPN === | ||
| Line 165: | Line 189: | ||
| * a static definition for addressing the OpenVPN server (domain name or fixed-IP). \\ This definition must be public if you are using cellular for the backhaul of your SPN gateways. | * a static definition for addressing the OpenVPN server (domain name or fixed-IP). \\ This definition must be public if you are using cellular for the backhaul of your SPN gateways. | ||
| - | * a static definition for the SPN Master gateway acting as an OpenVPN client (fixed-IP for the ethernet and cellular backhaul). | + | * a static definition for the SPN Master gateway acting as an OpenVPN client (fixed-IP for the Ethernet and cellular backhaul). |
| - | For ethernet, fixed-IP addressing is not mandatory for slave gateways. | + | For Ethernet, fixed-IP addressing is not mandatory for slave gateways. |
| For cellular, standard SIM cards can be used in the slave gateways. | For cellular, standard SIM cards can be used in the slave gateways. | ||
| - | The following diagram shows the kind of configuration required for each type of backhaul used for the OpenVPN clients gateways (ethernet/cellular) : | + | The following diagram shows the kind of configuration required for each type of backhaul used for the OpenVPN clients gateways (Ethernet/Cellular) : |
| {{:images:openvpn_architecture_ip_configuration.png?800|}} | {{:images:openvpn_architecture_ip_configuration.png?800|}} | ||
| Line 195: | Line 219: | ||
| {{:images:the_openvpn_truth_chain.png?600|}} | {{:images:the_openvpn_truth_chain.png?600|}} | ||
| - | <note important>**The RootCA can be a self-signed certificate used for test purposes but cannot be used for production.** | + | <note important>**The RootCA can be a self-signed certificate used for test purposes, but cannot be used for production.** |
| It is better to sign all your certificates by an authenticated/true and trusted CA like GlobalSign, Verisign, GlobalCert, Komodo, etc... (this service is not free). | It is better to sign all your certificates by an authenticated/true and trusted CA like GlobalSign, Verisign, GlobalCert, Komodo, etc... (this service is not free). | ||
| </note> | </note> | ||
| Line 282: | Line 306: | ||
| </code> | </code> | ||
| - | fill the pass.txt file with your password and chmod 600 it. | + | Fill the pass.txt file with your password and chmod 600 it. |
| Start OpenVPN with the following command: | Start OpenVPN with the following command: | ||
| Line 409: | Line 433: | ||
| * tls-version-min 1.1 and tls-version-max 1.2 directives must be explicitly added in the client's OpenVPN configuration file. | * tls-version-min 1.1 and tls-version-max 1.2 directives must be explicitly added in the client's OpenVPN configuration file. | ||
| \\ | \\ | ||
| - | === step-by-step guide === | + | |
| + | |||
| + | === How to monitor openvpn === | ||
| + | |||
| + | this section explains how to enable the openvpn autostart at boot time and enable the openvpn process monitoring. | ||
| + | |||
| + | Simply add the following file ''openvpn'' in ''/etc/monit'' : | ||
| + | |||
| + | <code file openvpn> | ||
| + | check process openvpn matching openvpn | ||
| + | start program = "/etc/init.d/openvpn start" | ||
| + | stop program = "/etc/init.d/openvpn stop" | ||
| + | </code> | ||
| + | |||
| + | === How to enable openvpn traffic === | ||
| + | |||
| + | Add the following file ''iptables_openvpn.rules'' in the ''/etc/firewall.d'' directory : | ||
| + | |||
| + | <code file iptables_openvpn.rules> | ||
| + | #Firewall rules to accept OpenVPN traffic | ||
| + | |||
| + | *filter | ||
| + | -I INPUT -m udp -p udp --sport 1194 --dport 1024:65535 -j ACCEPT | ||
| + | -I INPUT -m udp -p udp --sport 30000:35000 --dport 1024:65535 -j ACCEPT | ||
| + | -I OUTPUT -m udp -p udp --sport 1024:65535 --dport 1194 -j ACCEPT | ||
| + | -I OUTPUT -m udp -p udp --sport 1024:65535 --dport 30000:35000 -j ACCEPT | ||
| + | COMMIT | ||
| + | </code> | ||
| + | |||
| + | |||
| + | === How to store secrets in the TrustZone === | ||
| This guide explains how to store secrets in the TrustZone. | This guide explains how to store secrets in the TrustZone. | ||
| Line 596: | Line 650: | ||
| == Starting openvpn == | == Starting openvpn == | ||
| + | |||
| + | Before starting OpenVPN, the following file must be stored in the ''/etc/openvpn'' as a "bootstrap": | ||
| <code bash> | <code bash> | ||
| - | /etc/init.d/openvpn start | + | ################################################# |
| + | # # | ||
| + | # Client-side OpenVPN 2.X config file for # | ||
| + | # connecting to multi-client server. # | ||
| + | # # | ||
| + | # Comments are preceded with '#' or ';' # | ||
| + | # # | ||
| + | ################################################# | ||
| + | |||
| + | # Specify that we are a client and that we | ||
| + | # will be pulling certain config file directives | ||
| + | # from the server. | ||
| + | client | ||
| + | |||
| + | # Use the same setting as you are using on | ||
| + | # the server. | ||
| + | # On most systems, the VPN will not function | ||
| + | # unless you partially or fully disable | ||
| + | # the firewall for the TUN/TAP interface. | ||
| + | ;dev tap | ||
| + | dev vpn0 | ||
| + | dev-type tun | ||
| + | |||
| + | # Are we connecting to a TCP or | ||
| + | # UDP server? Use the same setting as | ||
| + | # on the server. | ||
| + | ;proto tcp | ||
| + | proto udp | ||
| + | |||
| + | # The hostname/IP and port of the server. | ||
| + | # You can have multiple remote entries | ||
| + | # to load balance between the servers. | ||
| + | remote 192.168.1.10 | ||
| + | |||
| + | # Choose a random host from the remote | ||
| + | # list for load-balancing. Otherwise | ||
| + | # try hosts in the order specified. | ||
| + | ;remote-random | ||
| + | |||
| + | # Keep trying indefinitely to resolve the | ||
| + | # host name of the OpenVPN server. Very useful | ||
| + | # on machines which are not permanently connected | ||
| + | # to the internet such as laptops. | ||
| + | resolv-retry infinite | ||
| + | |||
| + | # Most clients don't need to bind to | ||
| + | # a specific local port number. | ||
| + | nobind | ||
| + | |||
| + | # Downgrade privileges after initialization (non-Windows only) | ||
| + | # Keep running as root to be able modifying routing (no persist) | ||
| + | ;user nobody | ||
| + | ;group nogroup | ||
| + | |||
| + | # Try to preserve some state across restarts. | ||
| + | persist-key | ||
| + | # Do not enable persist options related to routing as | ||
| + | # connman can be restarted and can unconfigure routes and interface | ||
| + | ;persist-tun | ||
| + | ;persist-local-ip | ||
| + | ;persist-remote-ip | ||
| + | |||
| + | # If you are connecting through an | ||
| + | # HTTP proxy to reach the actual OpenVPN | ||
| + | # server, put the proxy server/IP and | ||
| + | # port number here. See the man page | ||
| + | # if your proxy server requires | ||
| + | # authentication. | ||
| + | ;http-proxy-retry # retry on connection failures | ||
| + | ;http-proxy [proxy server] [proxy port #] | ||
| + | |||
| + | # Announce to TCP sessions running over the | ||
| + | # tunnel that they should limit their send packet | ||
| + | # sizes such that after OpenVPN has encapsulated them, | ||
| + | # the resulting UDP packet size that OpenVPN sends | ||
| + | # to its peer will not exceed max bytes. | ||
| + | mssfix 1200 | ||
| + | |||
| + | # Wireless networks often produce a lot | ||
| + | # of duplicate packets. Set this flag | ||
| + | # to silence duplicate packet warnings. | ||
| + | ;mute-replay-warnings | ||
| + | |||
| + | # SSL/TLS parms. | ||
| + | # See the server config file for more | ||
| + | # description. It's best to use | ||
| + | # a separate .crt/.key file pair | ||
| + | # for each client. A single ca | ||
| + | # file can be used for all clients. | ||
| + | pkcs12 [[INLINE]] | ||
| + | |||
| + | # Verify server certificate by checking that the | ||
| + | # certicate has the correct key usage set. | ||
| + | # This is an important precaution to protect against | ||
| + | # a potential attack discussed here: | ||
| + | # http://openvpn.net/howto.html#mitm | ||
| + | # | ||
| + | # To use this feature, you will need to generate | ||
| + | # your server certificates with the keyUsage set to | ||
| + | # digitalSignature, keyEncipherment | ||
| + | # and the extendedKeyUsage to | ||
| + | # serverAuth | ||
| + | # EasyRSA can do this for you. | ||
| + | #remote-cert-tls server | ||
| + | |||
| + | # If a tls-auth key is used on the server | ||
| + | # then every client must also have the key. | ||
| + | ;tls-auth ta.key 1 | ||
| + | |||
| + | # Select a cryptographic cipher. | ||
| + | # This config item must be copied to | ||
| + | # the client config file as well. | ||
| + | ;cipher BF-CBC # Blowfish (default) | ||
| + | ;cipher AES-128-CBC # AES | ||
| + | ;cipher DES-EDE3-CBC # Triple-DES | ||
| + | cipher AES-256-CBC | ||
| + | |||
| + | # Enable compression on the VPN link. | ||
| + | # Don't enable this unless it is also | ||
| + | # enabled in the server config file. | ||
| + | comp-lzo | ||
| + | |||
| + | # Set log file verbosity. | ||
| + | verb 3 | ||
| + | |||
| + | # Silence repeating messages | ||
| + | ;mute 20 | ||
| + | |||
| + | # The keepalive directive causes ping-like | ||
| + | # messages to be sent back and forth over | ||
| + | # the link so that each side knows when | ||
| + | # the other side has gone down. | ||
| + | # Ping every 10 seconds, assume that remote | ||
| + | # peer is down if no ping received during | ||
| + | # a 120 second time period. | ||
| + | keepalive 60 600 | ||
| + | |||
| + | # 0 -- Strictly no calling of external programs. | ||
| + | # 1 -- (Default) Only call built-in executables such as ifconfig, | ||
| + | # ip, route, or netsh. | ||
| + | # 2 -- Allow calling of built-in executables and user-defined | ||
| + | # scripts. | ||
| + | # 3 -- Allow passwords to be passed to scripts via environmental | ||
| + | # variables (potentially unsafe). | ||
| + | script-security 2 | ||
| + | |||
| + | # up Executed after TCP/UDP socket bind and TUN/TAP open. | ||
| + | # down Executed after TCP/UDP and TUN/TAP close. | ||
| + | ;up /etc/openvpn/update-resolv-conf | ||
| + | ;down /etc/openvpn/update-resolv-conf | ||
| + | |||
| + | # Use route-up instead of up as up is already used ! | ||
| + | ;route-up | ||
| + | |||
| + | #askpass pass.txt | ||
| + | </code> | ||
| + | |||
| + | <code bash> | ||
| + | monit openvpn start | ||
| </code> | </code> | ||
| + | |||
| + | |||
| + | === Tool === | ||
| + | |||
| + | The following tool is designed to automate previous tasks : | ||
| + | |||
| + | * Cyphering VPN certifcates and keys, | ||
| + | * Writing secrets in the ProvenCore Trustzone, | ||
| + | * Activating the packet forwarder (CPF) and updating the forwarding IP (to send LoRa packets to the SPN Master Gateway), | ||
| + | * Activating the monitoring of openvpn process (start and stop). | ||
| + | |||
| + | This script generates a package to install on the gateway. | ||
| + | |||
| + | {{ :wiki:generate_spn_openvpn_package_v1.0.tar.gz |}} | ||
| + | |||
| + | # usage: ./generate_ipk.sh <GW_EUI> <p12> <server-IP> <passwd> <forwarding-IP> | ||
| + | |||
| + | Ex: ./generate_ipk.sh 7276FF002E060434 client.p12 192.168.1.24 kerlinkkerlink 10.8.0.2 | ||
| + | |||
| + | generates a package named ''configure-openvpn-spn-2e060434_1.0_klkgw.ipk''. | ||
| + | |||
| + | <note important> | ||
| + | \\ | ||
| + | KERLINK does not maintain this script. This script has been tested with FW 4.3.3 and it may have some incompatibilities with future Keros SW releases. | ||
| + | </note> | ||
| + | |||
| + | === Recommandations === | ||
| + | |||
| + | * For Production, don't use a self-root CA certificate but a certificate authenticated by a trusted entity like Comodo, GoDaddy, DigiCert, etc... | ||
| + | * Care about the expiration date of your generated certificates. | ||
wiki/support/faq.1632814595.txt.gz · Last modified: 2021/09/28 09:36 by tda
Page Tools
