How to build an SSL VPN appliance, DIY style
Sunday rolls around, the weather’s still bad so there’ll be no gardening for me today, time to play with my computers and see if I can work this out.
I’ve decided to use an old 2GHZ P4 server with 1.25GB ram as a vmware server host and attempt the SSL appliance as a virtual machine as I can use the host to run other appliances as well down the track.
Step 1: Install OS onto host. I decided to use SME Server 7.3 (www.contribs.org) as the host OS. This is a pre-built small business server-type distribution that does everything one would need, has excellent community support, and I know there’s a whitepaper on installing VMWare server 1.07 onto it. And I already had the ISO downloaded and CD at hand.
Step 2: 20min later, install VMWare 1.07 Server onto the host. Following this page’s procedure, installing was a breeze: http://wiki.contribs.org/Vmware#Installation_2
The section on Remote Access can be skipped.
This step requires a VMWare serial number which is available for free from www.vmware.com when you register for a download of their free products. While registering for a serial number download the VMWare management console as it’s needed to install the appliance later. (Anyone that needs a serial for 1.07 let me know as I registered for ten serials and won't be using more than three)
Step 3: Build a VM for the appliance to run on. I decided to give Ubuntu 8.04.1 Server a go – haven’t used this distro as a server before but I do like the desktop edition so thought I’d see how it goes (also Ubuntu is mentioned in the SSL appliance’s installation instructions). Downloaded the iso from http://www.ubuntu.com/getubuntu/download selecting ihug as the mirror – this came down really fast! 400kbps average. Not bad for Lyttelton.
Using the VMWare console on my PC, I connected to the host and ran the new virtual machine wizard. Gave the VM 256mb RAM, 3GB disk, no floppy, and a CDrom. To install really fast, copy the ISO up to the SME Server host (I used winscp and copied it directly to the host’s virtual machine folder /var/lib/vmware/Virtual Machines) and map the cdrom device directly to the ISO file.
Start the VM and walk through the install. The only package options to select when installing the Ubuntu Server were LAMP and OpenSSH. The installation takes about ten minutes. When the install’s finished stop the VM and remove the virtual CDrom. It’s no longer required. Then start the VM and continue.
Step 4: Prepare the VM for installing the SSL VPN frontend. After finding out the DHCP IP the VM has picked up (log in as your user and run ifconfig) and setting a root password (sudo passwd), the first thing I do to a Linux machine is install Webmin from http://www.webmin.com/. This utility gives you a much easier web page method to administer your Linux machine than fiddling around on the commandline. Granted, the cli gives you the feeling of power (and you can see the progress of apt-get) but Webmin makes everything easy.
Download the webmin .deb file, scp it up to the VM, log in to the VM as your user and sudo su to get a root commandline. Then run apt-get install /path/to/webmin_1.440_all.deb to install.
Once webmin’s installed, management can be done from https://yourserver:10000
The SSL frontend I’ve chosen to go with is Adito. Adito is the community fork of SSL Explorer. This gives you the ability to make network shares, webpages and ssh/vnc ports available to the roadwarrior outside the network via their browser, tunnelling over SSL with Java.
Download Adito from http://sourceforge.net/project/showfiles.php?group_id=228294
Installation instructions available on http://adito.wiki.sourceforge.net/installing_and_running_the_adito_server
Step 5: Change the IP of your VM to what you really want it to be. I used webmin to change the IP to the final destination and checked the routing & DNS etc. Use the boot tab’s settings to change it, then reboot to pick up the new IP. (Since the appliance is a virtual machine, rebooting is *very* quick.)
Step 6: SSH/console log into the VM, log in as root or sudo su to root and install java. This tripped me up as I attempted to install java from webmin, but as Sun’s java needs you to read & accept their terms the webmin installer couldn’t handle it.
apt-get install sun-java5-bin sun-java5-jdk
apt-get install ant
Set the JAVA_HOME environment export to point to the version of sun’s java just installed as per installation instructions. (export JAVA_HOME=/usr/lib/jvm/java-1.5.0-sun)
Extract the tar.gz file of Adito into /opt
Change into /opt/adito-0.9.0/ and run ant install from the cli
The installer for Adito will now run and do its thing. At the end of the install it’ll ask you to browse to https://yourserver:28080 to finish the install. Set up your VM’s IP as an available IP to listen to or it won’t work. This is why changing the IP before installing Adito is a good idea (I rebuilt once before working this out).
Once the installation wizard has been run, run ant install-service to set Adito up to auto-start on boot.
The final task is to run the ‘Configuring the certificate’ bit of the instructions. I’ve found that the agent works fine without running through the installation instructions after the cert bit.
At some point some additional stuff is required, can’t remember when but one of the above steps will ask for the installation of perl, openssl and a few other things. Apt-get install etc etc etc will install these then re-run the command that stopped.
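Step 6 stops part way if JAVA_HOME is wrong or one of the extra tools is missing, and the fix is to install it and re-run ant. The pre-flight check below is an added example (not from the original post or from the Adito project) that tests for exactly those things before ant install is started: it assumes the JAVA_HOME path the post uses (/usr/lib/jvm/java-1.5.0-sun) and the tool names mentioned above (ant, perl, openssl); both can be overridden, and any extra tool names can be passed to missing_prereqs.

```shell
#!/bin/sh
# Added pre-flight check for the "ant install" step (example code, not the
# post's or Adito's). It verifies JAVA_HOME points at a real JDK (java AND
# javac present, a JRE alone is not enough for an ant build) and that the
# command-line tools the build needs are on the PATH.

# Path from the post; export a different JAVA_HOME first to override it.
: "${JAVA_HOME:=/usr/lib/jvm/java-1.5.0-sun}"

# Print each argument that is not an executable found on PATH, one per
# line. Prints nothing when everything is present.
missing_prereqs() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# Return 0 when the directory passed looks like a JDK, 1 otherwise.
jdk_ok() {
    [ -x "$1/bin/java" ] && [ -x "$1/bin/javac" ]
}

# Overall check: 0 if ready for "ant install", 1 otherwise, with the
# reasons printed on stderr.
preflight() {
    rc=0
    if ! jdk_ok "$JAVA_HOME"; then
        echo "JAVA_HOME=$JAVA_HOME has no bin/java and bin/javac (JDK, not JRE)" >&2
        rc=1
    fi
    # tool names taken from the post; add more here if the build asks for them
    missing=$(missing_prereqs ant perl openssl)
    if [ -n "$missing" ]; then
        echo "missing on PATH: $(echo "$missing" | tr '\n' ' ')" >&2
        rc=1
    fi
    return $rc
}

# Report, but never abort the calling shell when sourced.
preflight && echo "ready to run: ant install" \
    || echo "fix the above, then run: ant install" >&2
```

Run it as root in /opt/adito-0.9.0/ immediately before ant install; if it reports a missing tool, apt-get install that tool and run the check again until it prints the ready line.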
Step 7: Log in to Adito and set stuff up. The default installation used https://yourserver:8443 as the https port – I decided to keep this as I’ve already got something else on 443 – log in here, sign in as root with your root password and now resources to be published can be set up.
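By the end of Step 7 the VM is listening on four services: SSH, Webmin on 10000, the Adito setup wizard on 28080 and the Adito user port on 8443. Only the last one needs to be reachable by a roadwarrior; the others are administrative and, with root logins accepted on them, are better kept to the LAN. The script below is an added example (not from the original post, Webmin or Adito) that generates the iptables rules for that split. The port numbers are the ones used in this post; the LAN range 192.168.1.0/24 is an assumed placeholder to replace with your own. Without arguments it only prints the commands for review; with --apply it runs them.

```shell
#!/bin/sh
# Added example (not the post's own configuration): firewall the appliance so
# that only the Adito user port is reachable from anywhere, while SSH, Webmin
# and the Adito setup wizard answer to the LAN only.

LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"   # assumed placeholder; set to your LAN
ADITO_PORT=8443                          # published to roadwarriors
ADMIN_PORTS="22 10000 28080"             # SSH, Webmin, Adito setup: LAN only

# Emit the iptables commands for the INPUT chain, one per line. Rules are
# appended before the DROP policy is set, so an SSH session used to apply
# them over the LAN is never cut off in between.
gen_firewall_rules() {
    lan="$1"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $ADITO_PORT -j ACCEPT"
    for p in $ADMIN_PORTS; do
        echo "iptables -A INPUT -p tcp -s $lan --dport $p -j ACCEPT"
    done
    # everything else (including admin ports from outside the LAN) is logged
    # at a limited rate, then dropped by the chain policy
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"vpn-appliance drop: \""
    echo "iptables -P INPUT DROP"
}

# Number of ACCEPT rules that admit a port from any source address; the
# intended answer is 1 (the Adito port). Useful as a quick sanity check
# after editing ADMIN_PORTS or ADITO_PORT.
count_world_open() {
    gen_firewall_rules "$1" | grep -v -- ' -s ' | grep -c -- '--dport'
}

if [ "$1" = "--apply" ]; then
    gen_firewall_rules "$LAN_CIDR" | sh      # run as root on the VM
else
    gen_firewall_rules "$LAN_CIDR"           # dry run: review first
fi
```

Apply it from a LAN address (the rules accept the established session, and the admin ports stay open to the LAN), then confirm from outside that only 8443 answers. Ubuntu 8.04 does not persist iptables rules across reboots on its own, so keep the generated commands in a script run at boot, or save them with iptables-save and restore them from an interface pre-up hook.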
I’ve decided to publish my Azureus web interface, my MythTV web interface, SSH to my VM host, SSH to my Adito box, VNC to my Azureus box, VNC to my MythBackend and a fileshare off my fileserver. More to come!
Only failure so far has been attempting to install the vmware-tools into the Ubuntu VM – but I haven’t tried very hard as yet to complete it.
Sweet – now I can get Azureus to start downloading torrents for me from anywhere. And I can schedule MythTV to record stuff for me from anywhere as well.
Comment by w00t, on 28-Oct-2008 13:51
Did you consider running both systems as VMs using VMware ESXi rather than running VMware server under SME?
Comment by aj, on 20-Jan-2009 01:20
I'm having a bunch of issues with adito (WINDOWS) installation.
-downloaded and installed JDK1.6
-downloaded and "copied" to c:\ant\ ANT 1.7
-downloaded adito 0.9.1 and put in c:\adito
-set environmental variables
(ANT_HOME=c:\ant\bin; JAVA_HOME=c:\program files\java\jdk1.50; path=c:\ant\bin)
-"copied" tools.jar from previous java setup to c:\ant\lib AND to c:\adito\lib
-to go c:\adito and type (ant install)
after all is said and done, it says the following
BUILD FAILED
C:\adito\build.xml:80: The following error occurred while executing this line:
C:\adito\adito\build.xml:877: The following error occurred while executing this line:
C:\adito\adito-commons-vfs\build.xml:149: Javadoc failed: java.io.IOException: Cannot run program "javadoc.exe": CreateProcess error=2, The system cannot find the file specified
Cannot reach my page on http://localhost/28080 OR http://localhost:8443 OR https://localhost
I HAVE LOOKED EVERYWHERE AND BEEN WORKING ON THIS FOR LIKE 15 HOURS. DOES ANYONE KNOW HOW TO GET THIS WORKING ON WINDOWS XP SP2 DESKTOP ---PLEASE HELP
Comment by Lars Werner, on 18-Mar-2009 07:46
As for now you can use my installer: http://lars.werner.no/adito/
This should help a lot of people with "less tweak action fingers" to get the installation right.
Comments errors on page if needed
Comment by Tony T, on 28-Apr-2009 22:25
Lars - Your Windows installer works a treat. Good work!
Comment by Freddie, on 18-Sep-2010 02:55
Hello All,
Can you please let me know if Adito SSL vpn works with IPAD or blackberry browser? Have you guys used it?
Comment by Fred Source, on 28-Oct-2008 05:42
Another option is to simply install the open source home server from www.amahi.org
Not only does it install a VPN (with dynamic DNS automatically configured) but it also delivers a fully fledged home server with network boot for backups, user authenticated filesharing, a media server, some collaborative apps, and a whole lot more!