| | |
| --- | --- |
| Hardware | Banana Pi m64 |
| Operating system | Armbian 4.14 nightly build |
In this tutorial we describe a site-to-site VPN tunnel between two companies, built on a single-board computer.
The bpi-m64 we use in this tutorial has 4 cores. To compile as fast as possible we run make with 4 parallel jobs (-j4).

```bash
apt update && apt-get -qq -y upgrade
apt -y install build-essential bzip2
```
On my Armbian system I had the problem that I wasn't able to start strongSwan after I installed it. It looked like modules were missing from the kernel configuration. After a while I found on the Armbian Forum that the only problem was that I had to reboot, because apt upgrade had installed a new kernel. So reboot now.
```bash
mkdir /opt/gmp_src
cd /opt/
wget https://gmplib.org/download/gmp/gmp-6.1.2.tar.lz
apt -y install lzip
lzip --decompress *.lz
tar xf *.tar -C /opt/gmp_src --strip-components=1
cd gmp_src
./configure
make -j4
make check
make install
```

```bash
mkdir /opt/strongswan
cd /opt/
wget https://download.strongswan.org/strongswan.tar.bz2
tar xjvf strongswan.tar.bz2 -C /opt/strongswan --strip-components=1
cd strongswan
```
You can enable different functionality through the strongSwan configure options.

```bash
./configure --prefix=/usr --sysconfdir=/etc
```

For example, if you want to connect Windows 7/10 clients with username and password authentication (EAP-MSCHAPv2):

```bash
./configure --prefix=/usr --sysconfdir=/etc --enable-eap-identity --enable-eap-mschapv2 --enable-md4
```

You can find the available options on the strongSwan wiki page: https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf
```bash
make -j4
make install
```
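The build steps above download gmp-6.1.2.tar.lz and the unversioned strongswan.tar.bz2 and compile them as downloaded. As an added example that is not part of the original tutorial, the following shell functions refuse to hand a tarball to tar unless its SHA-256 matches a value pinned beforehand; the digests in the usage comments are placeholders to be replaced with the checksums published by the GMP and strongSwan projects.

```bash
#!/bin/sh
# Added example, not from the tutorial: download a tarball and only keep it when
# its SHA-256 matches a digest pinned in advance, so "tar xf" never runs on a
# tampered or mismatched archive. Digests shown in the usage comments below are
# PLACEHOLDERS, not real checksums.

# sha256_of FILE -> prints the hex digest (uses sha256sum, or shasum as fallback)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> exit status 0 on match, 1 on mismatch
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# fetch_verified URL FILE EXPECTED_HEX -> download, verify, and delete the file
# on mismatch so a later extraction step cannot pick it up by accident.
fetch_verified() {
    url=$1; file=$2; expected=$3
    wget -q -O "$file" "$url" || return 1
    if ! verify_sha256 "$file" "$expected"; then
        echo "checksum mismatch for $file, refusing to build" >&2
        rm -f "$file"
        return 1
    fi
    echo "verified $file"
}

# Usage in this tutorial's build flow (replace the placeholders first; note that
# strongswan.tar.bz2 points at the latest release, so re-pin the digest per version):
#   fetch_verified https://gmplib.org/download/gmp/gmp-6.1.2.tar.lz gmp-6.1.2.tar.lz "<sha256 from gmplib.org>" \
#     && lzip --decompress gmp-6.1.2.tar.lz
#   fetch_verified https://download.strongswan.org/strongswan.tar.bz2 strongswan.tar.bz2 "<sha256 from strongswan.org>" \
#     && tar xjvf strongswan.tar.bz2 -C /opt/strongswan --strip-components=1
```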
Create the file /etc/init.d/strongswan and copy the next lines into it.
```bash
chmod 755 /etc/init.d/strongswan
systemctl enable strongswan
```

Now you can reboot or simply restart the strongSwan service:

```bash
service strongswan restart
service strongswan status
```
The goal of this tutorial is to set up a certificate authority. This so-called CA issues certificates for your clients, which are then used to authenticate connecting clients. Feel free to read more about it on Wikipedia: https://en.wikipedia.org/wiki/Certificate_authority
We will use two bpi-m64 SBCs as servers for this site.
Flash Armbian to both bpi-m64 boards. You can do it with this tutorial and connect to them with SSH.
We will name the CA host ca and the gateway gw. Change the name bananpi-m64 in the following files:

```bash
vi /etc/hosts
vi /etc/hostname
```
Connect to the gateway and install OwnCloud on it.

```bash
mkdir -p /var/www/html/data/root/files/ca_transfer/
cd /var/www/html/
sudo -u www-data php occ files:scan --all
```

Then install strongSwan.
You may have to set up a mail server first. At the very least, install and configure sSMTP on this server.
We'll use a user named ca for the management of the CA.

```
ca' (1001) with group `ca' ...
```

Because this user has to install packages later on, we add it to the sudo group:

```bash
usermod -aG sudo ca
```
Add a host entry to /home/ca/.ssh/config so you can connect to the gateway with ssh gw.

```bash
mkdir /home/ca/.ssh
vi /home/ca/.ssh/config
```

Also configure the connection to this server so that you don't need a password. Described here.
Download the CA environment from GitHub to the server named ca:

```bash
apt-get update
apt-get install git
cd /opt/
git clone https://github.com/rothirschtec/RT-Blog-CA.git
chown -R ca: RT-Blog-CA
chmod -R 700 RT-Blog-CA
cd RT-Blog-CA
```

Copy the file central/templates/defaults.sh to def_locl.sh. def_locl.sh is listed in .gitignore, so it will not be overwritten by a git pull.
Here you can define
For this tutorial you have to be connected over SSH to the ca server (the one you installed in the previous tutorial). Change to the directory of the git repository you downloaded.
Here you can easily create a new CA with the script createCA.
The first execution informs us about missing dependencies, so we install them:

```bash
sudo apt install pwgen uuid-runtime
```

Now we can execute the script again.
The script tells you everything you need to know. Fill in the values as you want them. For this site we created a CA with the following settings:
So this is it. You created your first CA.
Look at this: https://github.com/rothirschtec/RT-Blog-KDC