| Access Server: User's and Developer's Guide | ||
|---|---|---|
| <<< Previous | Next >>> | |
This chapter will give you advanced use cases for Access Server. The cases listed here are not so trivial, the simple cases are already listed mostly in Chapter 6.
By default, Access Server discards pairing information after 30 minutes and does not store pairing data permanently. Therefore, rebooting of Access Server removes all pairing information.
To increase the pairing data timeout and to automatically store the pairing data to the permanent storage and to automatically reload the information at reboot, append the following iWRAP commands to the end of /etc/bluetooth.conf file (Setup → Bluetooth settings → Edit startup script in WWW Setup):
# Set pairing data timeout to ~370 days (in seconds)
# Note: timeout counter is restarted at reboot
SET BLUETOOTH PAIREXPIRE 32000000
# Automatically load the pairing data
LOAD /etc/bluetooth.security$p
# Automatically save the pairing data
SET CONTROL AUTOSAVE AUTH,PAIR /etc/bluetooth.security$p
|
Note: Do not forget $p from the filename. It is replaced with the Bluetooth radio number. On a multiradio Access Server, forgetting it will make the security data to be overwritten by the other Bluetooth processes.
Note: Pairing must be done between each Bluetooth device pairs. There is no way of making a single pairing between a device and all three basebands of the WRAP 2293 Access Server.
Access Server will support most of the digital pens. The examples below are for Nokia Digital Pen SU-1B but they should apply to other pens too.
To setup Access Server for digital pens you have to give following iWRAP commands. The best way to do this is to append the following line to /etc/bluetooth.conf file (Setup → Bluetooth settings → Edit startup script in WWW Setup):
# Load Digital Pen emulation commands
LOAD /etc/bluetooth.pen
|
The /etc/bluetooth.pen must then be created (in WWW Setup, you can do it at Setup → Advanced settings → Edit other configuration files). It should contain the lines following the example below:
# Emulate a phone
SET BLUETOOTH CLASS 500204
SET BLUETOOTH LISTEN 1 "*/usr/sbin/dun"
SDP ADD DUN 1 "Digital Pen DUN"
# Add two pens and their pin codes
SET BLUETOOTH AUTH 00:07:cf:51:f6:8e 9079 --REPLY
SET BLUETOOTH AUTH 00:07:cf:51:d5:2b 6603 --REPLY
# Note: See pen's manual for correct bluetooth address and pin code
# Optionally reject all other incoming connections
SET BLUETOOTH AUTH * - --NEWPAIR
|
After these settings you can pair and use the digital pen with Access Server just like you would use it with a phone. Both modes, receiving pictures to Access Server, and external server via dialup, are supported.
SPP-over-IP is middleware software running in Access Servers. It offers a transparent way to transmit data from Bluetooth Serial Port Profile (SPP) enabled devices to server computers or PCs. Several transport medias are supported, such as Ethernet, Wi-Fi or and GPRS.
The SPP-over-IP application enables transparent data transfer between any Bluetooth Serial Port Profile (SPP) complaint device and a server, laptop or desktop connected to the same network. This enables plug n' play connectivity from a Bluetooth network to any standard TCP/IP based network. See Figure 8-1 for an overview of the application and a brief introduction to its functionality.
Features of SPP-over-IP are:
Access Server 2291 supports 7 incoming SPP connections.
Access Server 2293 supports 21 incoming SPP connections.
SPP-over-IP can be used over Ethernet, Wi-Fi or GRPS networks.
SPP-over-IP also works over Bluetooth Personal Area Networking (PAN) connections, so not all Access Servers need to be physically (cable) connected to the TCP/IP network, but some Access Servers can linked using the Bluetooth PAN connection. This is referred to as repeater operation.
If SPP-over-IP application cannot open the TCP connection to defined IP address and port, the SPP connection will not be accepted.
If the TCP server on PC is closed, all SPP connections will be closed as well.
When Access Server is in its default configuration, it tries to enable sniff power saving mode on all active Bluetooth connections to minimize power consumption.
SPP-over-IP can also be used to opposite direction, i.e. Access Server opens the Bluetooth connections to dedicated Bluetooth devices. See Section 8.4.1.4 for more details.
SPP-over-IP can also be combined with the Tactical Software' s serial/IP software. Serial/IP software converts automatically the TCP connection to virtual COM ports on the host PC, so legacy applications utilizing COM-ports instead of TCP/IP can also be used.
Note: SPP-over-IP requires, and is only supported by, Access Server software version 2.0.4 or higher
With the standard configuration, SPP-over-IP works as described below:
Listens for incoming Serial Port Profile (SPP) connections
Takes control of all incoming connections
Opens a TCP connection to the defined IP address and TCP port
Forwards all incoming data from the SPP device to the established TCP connection and vice versa
All the server computer needs to do is to listen for incoming TCP connections from Access Server to a specified TCP port and receive/send the application data.
The SPP-over-IP application can also be used in a so-called repeater mode. This feature is useful when all Access Servers can not be directly connected to the TCP/IP network, but they can be connected to other Access Servers by using Bluetooth PAN-connection. PAN enables transmitting TCP/IP packets wirelessly over Bluetooth. The figure below illustrates this configuration:
SPP-over-IP software can also be used over GPRS instead of wired Ethernet connection. This requires that Access Server is equipped with a working GSM/GPRS compact flash card. See Access Server manual for supported cards.
Notice when using GPRS:
Data upload rate is around 8-12kbps (depending on GPRS card)
Data download rate is around 32-40bbps (depending on GPRS card)
Data transmission delays can be very high, sometimes even seconds
GPRS connection may be unreliable and break easily. This should be taken account when designing the system. If GPRS connection breaks, all the TCP and Bluetooth connections will also be closed.
In the basic SPP-over-IP use case, Access Server is in passive mode and only accepts incoming connections. It is however possible to implement a system where Access Server opens the Bluetooth connections to the defined static Bluetooth devices or, alternatively, on ad-hoc basis.
In this case, special software must be developed for Access Server, which handles the outgoing connections and decides where they are opened to. This software can be developed with the Access Server Software Development Kit (SDK). The software can be written with C, C++ or standard Linux scripts.
SPP-over-IP can also be used together with Tactical Software' s serial/IP software. Serial/IP software simply converts the TCP connections into virtual COM ports on the host computer. This is very useful in applications, which do not have support for TCP/IP but support COM ports instead.
An evaluation version of Serial/IP can be downloaded from:
http://www.tacticalsoftware.com/products/serialip.htm
This chapter briefly instructs you how can configure SPP-over-IP to work in different network setups or use cases.
Note: Configuration examples are based on Access Server software 2.2.0 and newer. In older builds, the configuration files must be edited manually, since WWW configuration is not available.
SPP-over-IP is easiest to configure through the WWW setup, which allows you to access all the necessary configurations.
First, you must figure out the Access Server IP address (if it is connected to a TCP/IP network). This is easiest to do with the WRAPFinder software:
Start the WRAPFinder software
Scan your network for available Access Servers
Choose the correct Access Server
Press the Connect button
Your web browser opens the WWW setup of the selected Access Server.
Once the browser window has opened, click the Setup link
Type in you user name and password and you get access to the main view of the setup:
Note: Before enabling SPP-over-IP, you must disable the serialport application, since it might interfere with SPP-over-IP. The serialport application can be disabled from: Applications -> Default boot-up applications.
Serialport must be off for SPP-over-IP to work. In software version 3.0, serialport application has been disabled by default.
SPP-over-IP settings are modified through Bluetooth settings -> Edit startup script
You must add the following lines manually:
Enable Bluetooth Serial Port Profile: SDP ADD SERIALPORT 2 "SPP-over-IP"
Syntax:
SDP ADD [service] [channel] ["NAME"]
|
Enable SPP-over-IP: SET BLUETOOTH LISTEN 2 10.1.1.60:5000
Syntax:
SET BLUETOOTH LISTEN [channel] [IP-address]:[port]
|
In the example configuration above, RFCOMM channel 2 is used with the SPP service. You can, however, use any other free channel as well. Notice however that the RFCOMM channel must be same in both SDP ADD and SET BLUETOOTH LISTEN configurations.
In the second configuration, the IP address is 10.1.1.60 and the TCP-port is 5000. You must change these to match your system, that is, the IP address must be the address of the listening server.
Once you have done your configuration, press the Save button and restart the server so that the settings take place.
If you want to configure Access Server also to act as a repeater (see Figure 8-2) you must make some additional configurations. Add the line below to your Bluetooth start-up script:
Enable repeater: SET CONTROL AUTOEXEC CALL 00:07:80:80:31:C9 PAN-NAP
Syntax:
SET CONTROL AUTOEXEC [command]
|
You must replace the Bluetooth address used in the example (00:07:80:80:31:C9) with the Bluetooth address of the Access Server, on which you want to receive the PAN connection.
Note: The server receiving the PAN connection must have the PAN-NAP profile enabled. No other configuration is needed.
The Bluetooth PIN codes must match between the repeater and the master Access Server.
Obexsender is one of the built-in applications in Access Server. It is dedicated to Bluetooth proximity marketing, content distribution, location based services, and much more. Access Server plus Obexsender provide the user with a ready platform to start content distribution including all the necessary Bluetooth functions from discovering the devices to transmitting the content. The user needs to only focus on what, when, and to whom to send the content - rest is taken care of by Access Server and Obexsender.
The figure below illustrates a simplified Obexsender network:
Automatic device discovery and content push over a Bluetooth connection
18 simultaneous Bluetooth connections with one Access Server
Upload speed even up to 75KB/sec with Bluetooth 2.0+EDR
Content can be stored locally - with external memory even up to 2GB space
Wide networking support: Bluetooth, Ethernet, Wi-Fi, GPRS and 3G
Secure remote connections over a Virtual Private Networking
Remote file system support
Lots of filtering options, such as device type, or distance from access server
Extensive logging
Interaction between Access Servers
Content time stamping
This chapter describes some possible Obexsender use cases.
This is the standard functionality in Obexsender. In content push mode, Obexsender is scanning for devices and pushing it to clients who belong to the target group (not opted out by filtering).
Obexsender can also be configured into a content pull mode. In this mode, the transaction is initiated by the user. The user can send any file to the server or alternatively a file containing some specific string such as "MP3" or "NOKIA N73". The server parses the received file and as a response tries to push a corresponding file to the user if such exists.
In the scan mode, Access Server simply scans for nearby Bluetooth devices and logs the number of devices found as well some basic information about them. The scan mode is useful if one just want to discover how many devices there are in the vicinity of an Access Server.
Scan mode is actually not part of Obexsender, but a different application running on Access Server.
This chapter contains instructions from the most basic Obexsender configuration to the more advanced use cases.
The easiest and fastest way to configure Obexsender is through the WWW setup. To do this, your Access Server must be connected to the same network as your PC or, alternatively, you can also use a direct Ethernet cross cable or a Bluetooth PAN connection. By default, Access Server uses DHCP, so if you connect it to your LAN, it must support DHCP as well.
Once you have successfully connected Access Server, start the "WRAPFinder" software. WRAPFinder lists all the Access servers in the same network as your PC.
If Access Server does not show immediately, you may need to push the Rescan button a couple of times.
Next, select the correct Access Server and press the Connect button in the WRAPFinder user interface. An internet browser window opens with the Access Server IP address in the address bar.
Click the "setup" link. A login screen is opened. Enter a correct user name and password.
After a successful login, you get access to the WWW setup main page.
Note: At this point, you should check your access server software version. Obexsender works only with software version 2.2.0 and newer. At the bottom of the screen you should see a line saying:
Access Server, S/N 0511170051 (wrap-2-2)�- �Copyright � Bluegiga Technologies Inc, 2001-2006If the version is older than "wrap-2-2", you must first update your Access Server. Latest software releases and instructions can be found from www.bluegiga.com/techforum/
If you have software version 2.2.0 in your Access server, you need to update Obexsender to the latest version. It offers many new, useful and necessary features that include:
Retry delay, scan delay and reply delay
Dump delay
Possibility to save incoming files, i.e. remote requests
Watchdog support
Regexp and Unicode support
Other minor bug fixes and improvements
The rest of the manual concentrates on the latest Obexsender, but it also covers all the features offered by previous Obexsender. The main menu of latest (at the time of writing) Obexsender is shown in Figure 8-19
By default, the Obexsender application is disabled, so as a first task you should of course enable it if. This is quite simply done from the following page in the WWW setup (Figure 8-20): Access Server - Setup - Applications - Default bootup applications
Obexsender is enabled after a reboot. However, if you have not completed rest of the configuration, do not reboot Access Server yet.
Note: For Obexsender to start at all, you must define at least one file to be sent from:
Access Server - Setup - Applications - ObexSender settings - Edit configuration file
For more information, see Section 8.5.3.6, chapter "Send these files in this order".
Next, you can move on to the basic Obexsender configuration. As a first step please go the to the WWW setup page in Access Server - Setup - Applications - ObexSender settings.
On this page (Figure 8-19) you can configure the basic Obexsender settings. Use the Help links to get some basic information about each configuration. More detailed descriptions you can find below:
Bluetooth friendly name - [string]
This name is the Bluetooth friendly name shown to other Bluetooth devices. For example, when Obexsender is used in push mode, this name is shown as a sender in a mobile phone screen.
With meta tags, you can for example include the radio number in the name. Please click Help for more information about tags.
Delay between inquiries - [seconds]
Obexsender uses a standard Bluetooth inquiry (device discovery) to find nearby Bluetooth devices. This configuration defines the time interval between inquiries i.e. how frequently new devices are being searched for.
Delay between reply scans - [seconds]
This value determines how often OBEX in-folder (/tmp/obex) is scanned for remote requests. A low value increases CPU usage.
If previous was ok, timeout before sending again - [seconds]
If a file has been successfully sent to a device, this timeout defines when content can be sent again to the same device.
If previous was reject, timeout before trying again - [seconds]
If a file transmission to a device has failed or user has declined the file, this timeout defines when Obexsender can send content to the same device again.
Delay between retrying call - [seconds]
When the user does not accept or reject the file, Obexsender will try to send the file again. This setting determines the timeout before the resend occurs. This is useful in case the user does not notice the incoming Bluetooth transmission. The default value is 120 seconds, because many mobile phones tend to keep the Bluetooth link open for 120 seconds before closing it.
If you want to disable this feature, you can use the same value as in "ok delay" or "reject delay", i.e. the two previous settings.
Delay after scanning - [seconds]
When a remote request from user has been received, this setting determines how long Obexsender will wait until the response file is sent back to the user. The default value is 5 seconds, because some mobile phones are not able to receive files over Bluetooth until at least 5 seconds has passed from sending.
Delay between multiple files - [integer]
The working range of Obexsender can be configured or limited with this setting. RSSI, or "Receiver Signal Strength Indicator" defines the distance to the receiving device in dBm. This value ranges from 128 to 0.
-128 = maximum rang
-65 = medium range
-30 = minimum range
Most of the Bluetooth devices, especially mobile phones are so-called "Class 2" devices, meaning that their range is approximately 10-20 meters. So even if Access Sever is a "Class 1" device (100-200 meters) RSSI value -128 does not mean that it can serve all devices within 100-200 meter range, but it rather means that it can serve all devices within 10-20 meter range.
Log file name - [string or IP-address]
This configuration defines the path and name of the Obexsender log file (for example /usr/local/obexsender/obexsender.log). Log file contains information about successful and unsuccessful transmissions, timestamps and information about sent files.
You can also use an IP address of a log server as a parameter. Type "-" to use syslog.
Log prefix - [string]
This prefix is put in front of every event in the log file. Type "-" for none (default).
Tip: If syslog is used for logging, the prefix is an easy way to separate Obexsender from other application logs.
If sending was failure, log it too - [selection]
If this is enabled, failed transmissions will be logged too.
Register to watchdog daemon - [selection]
If this is enabled, Obexsender will make Access Server reboot automatically if Bluetooth radios have stopped responding.
iWRAP password - [string]
If you have defined a password for the iWRAP (Bluetooth) interface you must have the same password configured here.
Type "-" for none (default).
Edit configuration file - [link]
This link opens the raw Obexsender configuration file (/etc/obexsender.conf by default) and allows you to edit it manually. It also allows you to change some advanced settings that are not included in the basic configuration. Please see Section 8.5.3.6 for more information.
Upload a new file - [link]
This link allows you to upload files into the Obexsender file system.
List files - [link]
This link allows you to browse files on the Obexsender file system.
View log - [link]
This link allows you to view the Obexsender log file if it exists. By default, a summary of the logged events is displayed. Detailed information is available by clicking the date links.
Delete log - [link]
This link will delete the current log file.
You can easily upload new content (files) for Obexsender by selecting Upload a new file in the Obexsender main menu. All you need to do is browse for the file you want to upload and click "Upload". You will see a confirmation note, for example "File /usr/local/obexsender/Bike.jpg uploaded" .
At the moment, you can only upload to /mnt/mtd directory from WWW setup. If you would like to upload to some other directory, you must use secure FTP to accomplish that. This is because normal FTP is disabled by default in Access Server. One good software for secure file transmission in Windows is WinSCP.
Here you can alter all the settings available for Obexsender. It includes all the settings covered in last chapter and more. Here we will go through only the settings that can be configured only from the obexsender.conf file, since basic configuration is already covered in previous chapters.
Note: Lines beginning with the hash character "#" are comments and Obexsender will ignore them.
# Use these iWRAPs for sending/inquiry
|
Here you can choose which radios you want to use to send files. By default all radios are in use, but for example if you would like to use just the first radio, you can disable other radios like this:
baseband 127.0.0.1 10101
#baseband 127.0.0.1 10102
#baseband 127.0.0.1 10103
#baseband 127.0.0.1 10104
|
Baseband 10104 is used for testing purposes only.
# Don't send to these bluetooth devices
|
With this setting, you can define Bluetooth addresses you do not want to serve. The default setting is:
ignore 00:07:80:
|
This is the manufacturer ID for Bluegiga Technologies, so Obexsender can avoid sending to its own radios and to other Access Servers in the same area.
# Always send to these test devices when found (60s interval)
|
Devices defined here will be sent files every 60 seconds. Other timeout settings are ignored when these devices are in Access Server' s range. Usually used for testing purposes only.
# Obexserver's directory (for remote requests)
|
This option defines the destination directory for files users send to Access Server, i.e. it' s the OBEX in-folder for remote requests.
# Automatically reboot Access Server if all iWRAPs fail
|
Obexsender will make Access Server reboot if all Bluetooth radios stop responding for some reason. By default watchdog service is enabled (recommended).
# Send these files in this order. If none listed then do not inquiry
|
Files will be sent to remote devices in the order they are listed here. For example if you want to transmit first tp1.gif and then tp2.gif, you can enter it like this:
file /usr/local/obexsender/tp1.gif
file /usr/local/obexsender/tp2.gif
|
If no files are specified, Obexsender will not start at all.
# Timestamp is Weekday, Starthour-Endhour or WeekdayStarthour-Endhour
|
Timestamps allow files to be sent only on specific days and/or times. Examples:
file /usr/local/obexsender/image1.jpg Fri (file is sent only on Fridays)
file /usr/local/obexsender/image2.jpg 8-14 (file is sent every day between 8am and 2pm)
file /usr/local/obexsender/image3.jpg Tue8-14 (file is sent only on Tuesdays between 8am and 2pm)
|
# Parse remote requests, send file back
|
With this setting, you can configure Obexsender to send a file to a user only if this file is specifically requested. Requesting for file can be done, for example, by sending a calling card with specified keyword. Keyword is extended regular expression (regex) and case-non-sensitive. Keyword is matched for actual content in the file (for example text strings, but also header information is taken into account) and bdaddress (Bluetooth address of the user' s device, format is "00-00-00-00-00-00"). Examples:
Only keyword is specified:
reply GIF /usr/local/obexsender/pic.gif
|
When a user sends a GIF image to Access Server, he will then receive pic.gif in return. Keyword "GIF" actually matches to the header information of the file, which contains "GIF" string. This way you can match to other know file formats too, like "VCF", i.e. electronic calling card.
Only bdaddress is specified as keyword:
reply 00:17:d5:5a:99:1d /usr/local/obexsender/pic.gif
|
In this case, it does not matter what file user sends to Access Server, since the Bluetooth address of his mobile is recognized directly.
# Delete non-matching remote requests
|
If non-matching remote request are received, they will be immediately deleted. This option is enabled by default, but you can disable it, for example, if you have some other usage for Object Push and FTP profiles.
# Be verbose (0-4)
|
With this option, you can configure the detail level in the Obexsender log file. By default "verbose" is written only once in the configuration file, which means level 1 is in use. If you want more detailed logging, "verbose" can be written more than once, like this:
verbose
verbose
|
Now you would have level 2 in use. Level 4 is the maximum.
# Filename for saving ignore-list for reboots
|
You can choose to save the information on already served devices, so you can form a so-called "ignore list". If this ignore list is saved in flash memory, it will be preserved even if Access Server is rebooted. By default, this option is disabled, but you can enable it by adding the time interval, which defines how often the ignore list is updated. We recommend you use a rather big value, like 900 seconds (15 minutes) because a really small value will cause constant stress on the flash memory and could physically burn it as time passes.
# Broadcast processed basebands to other senders
|
If there are many Access Servers running Obexsender in the same network, they can exchange information about remote devices they have already served. This way other servers won' t push content to users that already have received files from some other server.
You can send this information to all Access Servers (broadcast-ip) in the network or just to a single server (unicast-ip). You can also define the interface name for this, but basically "nap" (network access point) is the only choice. It will automatically check the broadcast address in the "nap" interface in Access Server and use it for information exchange.
By default, all remote requests are stored to the /tmp/obex folder and deleted after they have been processed. It is however possible to save the remote request files to a safe location. The following procedure shows how to automatically copy these files to an example folder /mnt/remote_request. (NOTE: you must first create this folder!):
Create a copier script /usr/local/bin/copier. You can do it for example in the WWW setup -> Advanced settings -> Edit other configuration files and typing here /usr/local/bin/copier. Put the following script into the file:
#!/bin/sh
# to be called from obexsender: --fork /usr/local/bin/copier
SAVEDIR="/mnt/remote_request" # This directory must exist!
/bin/cp "$1" "${SAVEDIR}/$3`/bin/date "+%s"`-`echo $1 | /usr/bin/cut -f 2 -d-`"
|
Make the script executable by giving command chmod a+rx /usr/local/bin/copier at the command line interface.
Edit /etc/bluetooth.conf and add the following line:
SET BLUETOOTH LISTEN 3 "/usr/sbin/obexserver --bdaddr $b --prefix $b-$P- --fork /usr/local/bin/copier" 110
|
Restart Access Server
Now all incoming files are copied to the /mnt/remote_request directory. The format of the files is bdaddr-btserverport-timestamp-filename.ext.
Obexsender creates log about its operation to a specified log file. By default, no log file is specified, so you should do this first with instructions provided in Section 8.5.3.4.
When you choose View log in the Obexsender menu, you can only see the summary of Obexsender action, i.e how many successes, failures and retries there are. When you select the date or Total in the summary view, you will see more details. You will see to which Bluetooth address the content was sent and if the transmission was a failure or success, or if transmission will be retried later. See some example logging in the figure below:
If you want to see even more details about how Obexsender is performing, you can increase the verbosity level of logging. See Section 8.5.3.6, chapter "Be verbose (0-4)". Full verbose logging is usually needed in problem solving only.
Troubleshooting:
Obexsender is not sending anything?
Make sure you have at least one content file specified to be sent in the Obexsender configuration file (Obexsender.conf). See Section 8.5.3.6, chapter "Send these files in this order".
Also check that Obexsender is activated, see Section 8.5.3.3.
Mobiles receive files only to 10-20 meters. Isn' t Obexsender supposed to work up to 100 meters?
Almost all mobile phones are so-called "Class 2" devices, which means that their maximum range is about 10 meters. In good conditions they can achieve even 30 meters.
If you know there are "Class 1" devices (range up to 100 meters) in the area, you can check the RSSI value you have set, which determines the operational range of Obexsender. See chapter Section 8.5.3.4.
Known issues:
If you enter a non-existing path in "Log file name" configuration, Obexsender will fail to start.
If you have entered a password for the iWRAP (Bluetooth) interface and the same password is not set in the Obexsender configuration, Obexsender will fail to start.
If several log files are defined in obexsender.conf, Obexsender will fail to start
This chapter explains how to create a secure network between your Access Server and a PC running Windows OS. This is done using Virtual Private Networking (VPN) and the particular software in use is OpenVPN, which is open source software and is available for everyone without charge. VPN creates a secure tunnel between Access Server and a PC, which enables you, for example, to control a GPRS connected Access Server in a remote location.
First, download OpenVPN from http://openvpn.se. A normal OpenVPN version using plain command line interface is available in http://openvpn.net/download.html. The basic instructions naturally apply for both versions, since the actual software is the same. OpenVPN GUI is only available for Windows OS.
For Access Server, you must download the OpenVPN installation packet from www.bluegiga.com/techforum. If you do not have access to the Tech forum, you can apply for access in the same site. In the Tech forum, go to Access Server -> Downloads, where you can find the installation packet called openvpn-2.0.8-1.wpk. Access Server is a Linux system, and only command line interface is provided at this point.
This guide relies on material provided in http://openvpn.net/. If you want more specific information on features described here or other features OpenVPN provides, please visit http://openvpn.net/howto.html.
In Windows, execute the installation file and wait until it is complete. There should be no need for reboot. After this, the OpenVPN icon appears in the system tray. Right-click the icon and you can see the available options
In Access Server, the easiest way to install OpenVPN is through the WWW setup. Just enter the server IP address in you web browser and log in. If you do not know the IP address, you can use the WRAPfinder application to find out the IP address. WRAPfinder is located in the CD provided with the server.
When in WWW setup, go to Advanced settings -> Upload a software update. There you can choose the openvpn-2.0.8-1.wpk installation packet and upload it to the server. After this you can go back to the Advanced settings page and choose List installed software components. If you can see openvpn in this list, the installation is complete.
In this chapter, we create the necessary files to ensure privacy in the VPN, i.e. we will establish a Public Key Infrastructure (PKI). The PKI consists of:
A master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.
A separate certificate (also known as a public key) and private key for the server and each client.
OpenVPN uses bi-directional authentication, which means that both server and client will authenticate each other using certificates before connection is considered safe.
To create the files we will use a set of scripts bundled with OpenVPN for Windows. To see how the same thing is done in Linux, see http://openvpn.net/howto.html#pki.
In Windows, open up a Command Prompt window and go to \Program Files\OpenVPN\easy-rsa. Run the following batch file to copy configuration files into place (this will overwrite any existing vars.bat and openssl.cnf files):
init-config
|
Now, edit the vars file (called vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Do not leave any of these parameters blank.
vars
clean-all
build-ca
|
The build-ca builds the certificate authority (CA) certificate and key by invoking the interactive openssl command:
ai:easy-rsa # ./build-ca Generating a 1024 bit RSA private key ............++++++ ...........++++++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [FI]: State or Province Name (full name) [NA]: Locality Name (eg, city) [ESPOO]: Organization Name (eg, company) [OpenVPN-TEST]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:OpenVPN-CA Email Address [[email protected]]: |
Note: In the above sequence, the most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, we have used "OpenVPN-CA".
Next, we will generate a certificate and private key for the server:
build-key-server server
|
As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".
Generating client certificates is very similar to the previous step:
build-key client
|
If you want to use many clients, then you could use, for example, the following commands:
build-key client1
build-key client2
build-key client3
|
In this case, remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. "client1", "client2", or "client3". Always use a unique common name for each client.
Next we'll create Diffie Hellman parameters that must be generated for the OpenVPN server:
build-dh
|
The output is as follows:
ai:easy-rsa # ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................+...........................................
...................+.............+.................+.........
......................................
|
Now you can find the generated keys and certificates in the keys subdirectory. The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files (server.key and client.key) over a secure channel.
Both the server and client devices must have certain configuration files for OpenVPN to determine, for example, which IP addresses to use. In this chapter, we will create a basic configuration file for OpenVPN server and client. We'll make the PC as server and Access Server as the client. An example configuration files can be found here: http://openvpn.net/howto.html#examples. In our example, we use most of the setting described in these files.
Note: The configuration files can be named, for example, server.conf and client.conf in a Linux system. On Windows they would be named server.ovpn and client.ovpn, where the file extension is different.
There are lots of configuration options that can be used with OpenVPN, but this guide only covers the basic approach to set up a working VPN with minimal effort. The lines needed in the server configuration file are listed below. After each line, an explanation follows, see Figure 8-23:
port 1194
|
Determines the TCP or UDP port that OpenVPN should listen to. For multiple OpenVPN instances on the same machine, you'll need to use a different port for each one. Make sure your firewall allows traffic through these ports.
proto udp
|
Determines whether to use TCP or UDP. We have chosen UDP in our application.
dev tun
|
Determines whether to use routed IP channel (tun) or an Ethernet tunnel, i.e. Ethernet bridging (tap). 'tap' creates a virtual Ethernet adapter, while 'tun' device is a virtual point-to-point IP link. We have chosen 'tun' because of its better efficiency and scalability.
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
|
This is a so-called master Certificate Authority (CA) certificate. This will be placed in both the server and client devices, it's the same for all devices. Since the server is a Windows machine, we need to use double backslashes ( \\ ) in pathnames. In Linux system one slash ( / ) is used.
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
|
This is the certificate (a.k.a public key) for the server device.
key "C:\\Program Files\\OpenVPN\\config\\server.key"
|
This is the private key for the server device and it should be kept secret.
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
|
This file refers to Diffie-Hellman key exchange, which is a cryptographic protocol that allows two devices that have no prior knowledge of each other to establish a shared secret key over an insecure connection.
server 172.30.203.0 255.255.255.0
|
Here we create the VPN subnet. In this example, the server will take 172.30.203.1 for itself, the rest will be left for clients to use. Each client will be able to reach the server on 172.30.203.1.
ifconfig-pool-persist C:\\Program Files\\OpenVPN\\config\\Logs\\ipp.txt
|
This file maintains a record of client <-> virtual IP address associations. If OpenVPN goes down or is restarted, reconnecting clients can be assigned the same virtual IP address that was previously assigned.
keepalive 10 120
|
This feature causes ping-like messages to be sent back and forth over the link so that each side knows when the other side has gone down. The default parameter "10 120" makes ping occur every 10 seconds and remote peer is assumed down if no ping is received within 120 seconds.
persist-key
|
Persist features try to avoid accessing certain resources on restart that may no longer be accessible.
persist-tun
|
See above.
status C:\\Program Files\\OpenVPN\\config\\Logs\\openvpn-status.log
|
OpenVPN outputs a short status description to this file showing current connections. This file is truncated and rewritten every minute.
verb 3
|
This sets the verbosity level of the log file.
0 is silent, except for fatal errors
4 is reasonable for general use
5 and 6 can help to debug connection problems
9 is extremely verbose
tls-timeout 4
|
Packet retransmit timeout on TLS control channel if no acknowledgment from remote end within n seconds (n = 4 in this example).
Just like with the server configuration file, we'll describe here the basic client settings needed in our example setup, see Figure 8-24:
client
|
Here we specify that we are a client and that we will be pulling certain config file directives from the server.
dev tun
|
This setting is the same as in the server configuration file. Use the same setting you're using in the server.
proto udp
|
This setting is the same as in the server configuration file. Use the same setting you're using in the server.
remote 10.1.1.35 1194
|
This setting configures the hostname/IP and port of the server.
resolv-retry infinite
|
Keep trying indefinitely to resolve the host name of the OpenVPN server. Very useful on machines which are not permanently connected to the internet, such as laptops.
nobind
|
Most clients don't need to bind to a specific local port number.
persist-key
|
This setting is the same as in the server configuration file. Use the same setting you're using in the server.
persist-tun
|
This setting is the same as in the server configuration file. Use the same setting you're using in the server.
ca /usr/local/openvpn/conf/ca.crt
|
This is the same ca.crt file as in the server. See server config file descriptions for more information.
cert /usr/local/openvpn/conf/client.crt
|
This is the certificate (a.k.a public key) for the client device.
key /usr/local/openvpn/conf/client.key
|
This is the private key for the client device.
verb 3
|
Sets the verbosity level of the log file.
First, place the configuration files in the client and server. Like in the examples, the location for these files can be, for example, C:\Program Files\OpenVPN\config in Windows and /usr/local/openvpn/config in Linux. Next, copy the authentication files ( ca.crt, server.crt, server.key, client.crt and client.key) into the same directories.
The OpenVPN server must be accessible from the internet:
open UDP port 1194 on the firewall (or the TCP/UDP port you've configured), or
set up a port forward rule to forward UDP port 1194 from the firewall/gateway to the machine running the OpenVPN server
make sure TUN/TAP device is allowed access through firewalls
To start the OpenVPN server right-click on the .ovpn file on Windows and choose "Start OpenVPN on this config file" or by right-clicking the GUI icon on taskbar and start correct config file from there. It's also possible to start from command line:
openvpn [server_config_file]
|
Where "server_config_file" is in our Windows examples is server.ovpn.
A normal server startup should look like this (output will vary across platforms):
Sun Feb 6 20:46:38 2005 OpenVPN 2.0_rc12 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 5 2005
Sun Feb 6 20:46:38 2005 Diffie-Hellman initialized with 1024 bit key
Sun Feb 6 20:46:38 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Feb 6 20:46:38 2005 TUN/TAP device tun1 opened
Sun Feb 6 20:46:38 2005 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sun Feb 6 20:46:38 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sun Feb 6 20:46:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
Sun Feb 6 20:46:38 2005 UDPv4 link local (bound): [undef]:1194
Sun Feb 6 20:46:38 2005 UDPv4 link remote: [undef]
Sun Feb 6 20:46:38 2005 MULTI: multi_init called, r=256 v=256
Sun Feb 6 20:46:38 2005 IFCONFIG POOL: base=10.8.0.4 size=62
Sun Feb 6 20:46:38 2005 IFCONFIG POOL LIST
Sun Feb 6 20:46:38 2005 Initialization Sequence Completed
|
We'll start the client from Linux command line:
openvpn [client_config_file]
|
Where "client_config_file" is in our examples client.conf.
A normal client startup looks similar to the server output and should end with the "Initialization Sequence Completed" message.
Now, try a ping across the VPN from the client:
ping 10.8.0.1
|
If the ping succeeds, you have a functioning VPN.
| <<< Previous | Home | Next >>> |
| I/O API | Certification Information and WEEE Compliance |