Any day you learn something new is a good day


How to build an SSL VPN appliance, DIY style

Posted: 27-Oct-2008 17:02

As Saturday night was really bad weather down here in CHC, for some reason the thought occurred to me that I’d like to be able to remotely access some of my machines on my home LAN.

 

Sunday rolls around and the weather’s still bad, so there’ll be no gardening for me today; time to play with my computers and see if I can work this out.

 

I’ve decided to use an old 2GHz P4 server with 1.25GB RAM as a VMware Server host and run the SSL appliance as a virtual machine, since I can then use the host to run other appliances as well down the track.

 

Step 1: Install the OS onto the host. I decided to use SME Server 7.3 (www.contribs.org) as the host OS. This is a pre-built small-business-server distribution that does everything one would need, has excellent community support, and I know there’s a whitepaper on installing VMware Server 1.07 onto it. I also already had the ISO downloaded and a CD at hand.

 

Step 2: 20 minutes later, install VMware Server 1.07 onto the host. Following this page’s procedure, installation was a breeze: http://wiki.contribs.org/Vmware#Installation_2

The section on Remote Access can be skipped.

This step requires a VMware serial number, which is available for free from www.vmware.com when you register for a download of their free products. While registering for a serial number, also download the VMware management console, as it’s needed to install the appliance later. (Anyone who needs a serial for 1.07, let me know, as I registered for ten serials and won’t be using more than three.)

 

Step 3: Build a VM for the appliance to run on. I decided to give Ubuntu 8.04.1 Server a go – I haven’t used this distro as a server before, but I do like the desktop edition so thought I’d see how it goes (also, Ubuntu is mentioned in the SSL appliance’s installation instructions). I downloaded the ISO from http://www.ubuntu.com/getubuntu/download selecting ihug as the mirror – this came down really fast, 400kbps average. Not bad for Lyttelton.

Using the VMware console on my PC, I connected to the host and ran the new virtual machine wizard. I gave the VM 256MB RAM, a 3GB disk, no floppy, and a CD-ROM. To install really fast, copy the ISO up to the SME Server host (I used WinSCP and copied it directly to the host’s virtual machine folder, /var/lib/vmware/Virtual Machines) and map the CD-ROM device directly to the ISO file.

Start the VM and walk through the install. The only package options to select when installing Ubuntu Server were LAMP and OpenSSH. The installation takes about ten minutes. When the install’s finished, stop the VM and remove the virtual CD-ROM; it’s no longer required. Then start the VM and continue.

 

Step 4: Prepare the VM for installing the SSL VPN frontend. Find out the DHCP address the VM has picked up by logging in as your user and running ifconfig, then set a root password (sudo passwd). The first thing I do to a Linux machine is install Webmin from http://www.webmin.com/. This utility gives you a much easier web-page method of administering your Linux machine than fiddling around on the command line. Granted, the CLI gives you the feeling of power (and you can see the progress of apt-get), but Webmin makes everything easy.

Download the Webmin .deb file, scp it up to the VM, log in to the VM as your user and sudo su to get a root command line. Then run apt-get install /path/to/webmin_1.440_all.deb to install it. (If your apt-get refuses a local .deb path, install the package with dpkg -i instead and then run apt-get -f install to pull in its dependencies.)

Once Webmin’s installed, management can be done from https://yourserver:10000.

 

The SSL frontend I’ve chosen to go with is Adito. Adito is the community fork of SSL-Explorer. It lets you make network shares, web pages and SSH/VNC ports available to the road warrior outside the network through their browser, tunnelled over SSL and Java.

Download Adito from http://sourceforge.net/project/showfiles.php?group_id=228294

Installation instructions are available at http://adito.wiki.sourceforge.net/installing_and_running_the_adito_server

 

Step 5: Change the IP of your VM to what you really want it to be. I used Webmin to change the IP to its final address and checked the routing, DNS etc. Use the boot tab’s settings to change it, then reboot to pick up the new IP. (Since the appliance is a virtual machine, rebooting is *very* quick.)

 

Step 6: SSH/console into the VM, log in as root or sudo su to root, and install Java. This tripped me up, as I attempted to install Java from Webmin, but because Sun’s Java needs you to read & accept its licence terms, the Webmin installer couldn’t handle it.

 

apt-get install sun-java5-bin sun-java5-jdk

apt-get install ant

 

Set the JAVA_HOME environment variable to point to the version of Sun’s Java just installed, as per the installation instructions (export JAVA_HOME=/usr/lib/jvm/java-1.5.0-sun).

 

Extract the Adito tar.gz file into /opt.

 

Change into /opt/adito-0.9.0/ and run ant install from the CLI.

 

The Adito installer will now run and do its thing. At the end of the install it’ll ask you to browse to https://yourserver:28080 to finish the setup. Select your VM’s IP as one of the addresses to listen on, or it won’t work. This is why changing the IP before installing Adito is a good idea (I rebuilt once before working this out).

 

Once the installation wizard has been run, run ant install-service to set Adito up to auto-start on boot.

 

The final task is to run the ‘Configuring the certificate’ part of the instructions. I’ve found that the agent works fine without working through the installation instructions that follow the certificate section.

 

At some point some additional packages are required; I can’t remember exactly when, but one of the above steps will ask for perl, openssl and a few other things. apt-get install them, then re-run the command that stopped.

 

Step 7: Log in to Adito and set things up. The default installation used https://yourserver:8443 as the HTTPS port; I decided to keep this as I’ve already got something else on 443. Log in here as root with your root password, and now the resources to be published can be set up.

 

I’ve decided to publish my Azureus web interface, my MythTV web interface, SSH to my VM host, SSH to my Adito box, VNC to my Azureus box, VNC to my MythBackend and a fileshare off my fileserver. More to come!

 

The only failure so far has been attempting to install the VMware Tools into the Ubuntu VM – but I haven’t tried very hard as yet to complete it.

 

Sweet – now I can get Azureus to start downloading torrents for me from anywhere.  And I can schedule MythTV to record stuff for me from anywhere as well.
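As an added example that is not part of the original post: once LAMP, Webmin and Adito are all on the one VM, it is worth checking that the appliance itself only listens where you intend before you publish SSH and VNC through it. The script below reads netstat -ltn (or ss -ltn) output and reports every non-loopback listener outside the expected set of 22 (OpenSSH), 8443 (Adito) and 10000 (Webmin); the sample output, the port list and the function name are constructed here, not taken from the author’s box.

```shell
#!/bin/sh
# Constructed sample of `netstat -ltn` output (not captured from the author's
# VM): OpenSSH, Apache and MySQL from the LAMP task, Webmin, Adito and the
# Adito installer wizard. `ss -ltn` output parses the same way (field 4).
SAMPLE_LISTENERS='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN
tcp6       0      0 :::8443                 :::*                    LISTEN
tcp6       0      0 :::28080                :::*                    LISTEN'

# Ports the appliance is meant to expose beyond loopback: OpenSSH, Adito
# HTTPS and Webmin (assumed list; adjust if you moved Adito off 8443).
EXPECTED_PORTS="22 8443 10000"

# unexpected_listeners: reads netstat/ss "-ltn" output on stdin and prints
# one "address:port" per listener that is neither loopback-only nor expected.
unexpected_listeners() {
    awk -v allow="$EXPECTED_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /LISTEN/ {
            addr = $4                              # Local Address:Port column
            port = addr; sub(/.*:/, "", port)      # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            # Loopback-only services (MySQL here) are not reachable remotely.
            if (host == "127.0.0.1" || host == "::1") next
            if (!(port in ok)) print addr
        }'
}

# With --live, check this host; otherwise run over the constructed sample.
if [ "${1:-}" = "--live" ]; then
    netstat -ltn 2>/dev/null | unexpected_listeners
else
    printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_listeners
fi
```

On the sample it flags Apache on 80 (pulled in by the LAMP task) and the 28080 installer port, which you would not expect to see once the wizard is finished and ant install-service has taken over.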







Comment by Fred Source, on 28-Oct-2008 05:42

Another option is to simply install the open source home server from www.amahi.org. Not only does it install a VPN (with dynamic DNS automatically configured) but it also delivers a fully fledged home server with network boot for backups, user authenticated filesharing, a media server, some collaborative apps, and a whole lot more!


Author's note by nzsouthernman, on 28-Oct-2008 07:24

Hadn't heard of Amahi before. Just had a look through the site and it looks nice. SME Server can do most of that stuff including the VPN, but my requirement in this case was to be able to connect to my home on standard ports that'll even get through a proxied connection. As well as through any browser that supports Java - no software to install & no elevated privileges required for the logged in user.
I'll be downloading Amahi shortly to see what it's like now. :)


Comment by w00t, on 28-Oct-2008 13:51

Did you consider running both systems as VMs using VMware ESXi rather than running VMware server under SME?


Author's note by nzsouthernman, on 28-Oct-2008 18:51

Sure did, however the server I'm using isn't on the ESX3i hardware compatibility list, and even if it was I'm using an IDE drive in it and ESX3i doesn't support IDE drives for the host OS to go onto. :(  I'd have *LOVED* to have it running ESX... then I wouldn't need SME Server in the mix.


Comment by aj, on 20-Jan-2009 01:20

I'm having a bunch of issues with adito (WINDOWS) installation.
- downloaded and installed JDK1.6
- downloaded and "copied" to c:\ant\ ANT 1.7
- downloaded adito 0.9.1 and put in c:\adito
- set environmental variables (ANT_HOME=c:\ant\bin; JAVA_HOME=c:\program files\java\jdk1.50; path=c:\ant\bin)
- "copied" tools.jar from previous java setup to c:\ant\lib AND to c:\adito\lib
- go to c:\adito and type (ant install)

After all is said and done, it says the following:

BUILD FAILED
C:\adito\build.xml:80: The following error occurred while executing this line:
C:\adito\adito\build.xml:877: The following error occurred while executing this line:
C:\adito\adito-commons-vfs\build.xml:149: Javadoc failed: java.io.IOException: Cannot run program "javadoc.exe": CreateProcess error=2, The system cannot find the file specified

Cannot reach my page on http://localhost/28080 OR http://localhost:8443 OR https://localhost. I HAVE LOOKED EVERYWHERE AND BEEN WORKING ON THIS FOR LIKE 15 HOURS. DOES ANYONE KNOW HOW TO GET THIS WORKING ON WINDOWS XP SP2 DESKTOP ---PLEASE HELP


Comment by Lars Werner, on 18-Mar-2009 07:46

As for now you can use my installer: http://lars.werner.no/adito/ This should help a lot of people with "less tweak action fingers" to get the installation right. Comment on errors on the page if needed.


Comment by Tony T, on 28-Apr-2009 22:25

Lars - Your Windows installer works a treat. Good work!


Comment by Freddie, on 18-Sep-2010 02:55

Hello All, Can you please let me know if Adito SSL VPN works with the iPad or BlackBerry browser? Have you guys used it?

