Access Server: User's and Developer's Guide
This chapter presents advanced use cases for Access Server. The cases listed here are not trivial; most of the simple cases are already covered in Chapter 7.
The most important thing is to change the default passwords on the Setup → Security settings page.
By default, Access Server discards pairing information after 30 minutes and does not store pairing data permanently, so rebooting Access Server removes all pairing information.
To increase the pairing data timeout, store the pairing data automatically in permanent storage and reload it automatically at reboot, append the following iWRAP commands to the end of the /etc/bluetooth.conf file (Setup → Bluetooth settings → Edit startup script in WWW Setup):
```
# Set pairing data timeout to ~370 days (in seconds)
# Note: timeout counter is restarted at reboot
SET BLUETOOTH PAIREXPIRE 32000000
# Automatically load the pairing data
LOAD /etc/bluetooth.security$p
# Automatically save the pairing data
SET CONTROL AUTOSAVE AUTH,PAIR /etc/bluetooth.security$p
```
Note: Do not forget $p in the filename. It is replaced with the Bluetooth baseband number. In an Access Server with multiple basebands, omitting it causes the security data of one baseband to be overwritten by the others.
Note: Pairing must be done separately for each pair of Bluetooth devices. There is no way to make a single pairing between a device and all three basebands of the WRAP 2293 Access Server.
Access Server supports most digital pens. The examples below are for the Nokia Digital Pen SU-1B, but they should apply to other pens too.
To set up Access Server for digital pens you have to issue the following iWRAP commands. The best way to do this is to append the following line to the /etc/bluetooth.conf file (Setup → Bluetooth settings → Edit startup script in WWW Setup):
```
# Load Digital Pen emulation commands
LOAD /etc/bluetooth.pen
```
The /etc/bluetooth.pen file must then be created (in WWW Setup, you can do it at Setup → Advanced settings → Edit other configuration files). It should contain lines like those in the example below:
```
# Emulate a phone
SET BLUETOOTH CLASS 500204
SET BLUETOOTH LISTEN 1 "*/usr/sbin/dun"
SDP ADD DUN 1 "Digital Pen DUN"
# Add two pens and their pin codes
SET BLUETOOTH AUTH 00:07:cf:51:f6:8e 9079 --REPLY
SET BLUETOOTH AUTH 00:07:cf:51:d5:2b 6603 --REPLY
# Note: See pen's manual for correct bluetooth address and pin code
# Optionally reject all other incoming connections
SET BLUETOOTH AUTH * - --NEWPAIR
```
After these settings you can pair and use the digital pen with Access Server just as you would with a phone. Both modes are supported: receiving pictures on Access Server itself, and sending them to an external server via the dial-up connection.
This chapter explains how to create a secure network between your Access Server and a PC running Windows OS. This is done using Virtual Private Networking (VPN) and the particular software in use is OpenVPN, which is open source software and is available for everyone without charge. VPN creates a secure tunnel between Access Server and a PC, which enables you, for example, to control a GPRS connected Access Server in a remote location.
First, download OpenVPN GUI from http://openvpn.se/. The standard OpenVPN version with a plain command line interface is available at http://openvpn.net/download.html. The basic instructions apply to both versions, since the underlying software is the same. OpenVPN GUI is only available for Windows OS.
For Access Server, you must download the OpenVPN installation packet from https://www.bluegiga.com/techforum/. If you do not have access to the Tech forum, you can apply for access on the same site. In the Tech forum, go to Access Server → Downloads, where you can find the installation packet called openvpn-2.0.8-1.wpk. Access Server is a Linux system, and only a command line interface is provided at this point.
This guide relies on material provided in http://openvpn.net/. If you want more specific information on features described here or other features OpenVPN provides, please visit http://openvpn.net/howto.html.
In Windows, execute the installation file and wait until it completes. There should be no need for a reboot. After this, the OpenVPN icon appears in the system tray. Right-click the icon to see the available options.
In Access Server, the easiest way to install OpenVPN is through the WWW setup. See Section 2.2 for instructions on how to use it.
When in WWW setup, go to Setup → Advanced settings → Upload a software update. There you can choose the openvpn-2.0.8-1.wpk installation packet and upload it to the server. After this you can go to Setup → Advanced settings → System information → List installed software components. If you can see openvpn in this list, the installation is complete.
In this chapter, we create the files necessary to ensure privacy in the VPN, i.e. we establish a Public Key Infrastructure (PKI). The PKI consists of:
- A master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.
- A separate certificate (also known as a public key) and private key for the server and each client.
OpenVPN uses bi-directional authentication, which means that the server and the client authenticate each other using certificates before the connection is considered safe.
To create the files we will use a set of scripts bundled with OpenVPN for Windows. To see how the same thing is done in Linux, see http://openvpn.net/howto.html#pki.
In Windows, open up a Command Prompt window and go to \Program Files\OpenVPN\easy-rsa. Run the following batch file to copy configuration files into place (this will overwrite any existing vars.bat and openssl.cnf files):
```
init-config
```
Now, edit the vars file (called vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Do not leave any of these parameters blank. Then run:
```
vars
clean-all
build-ca
```
build-ca builds the certificate authority (CA) certificate and key by invoking the interactive openssl command:
```
ai:easy-rsa # ./build-ca
Generating a 1024 bit RSA private key
............++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FI]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [ESPOO]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
Email Address [[email protected]]:
```
Note: In the above sequence, most of the queried parameters were defaulted to the values set in the vars or vars.bat file. The only parameter which must be explicitly entered is the Common Name. In the example above, we have used "OpenVPN-CA".
Next, we will generate a certificate and private key for the server:
```
build-key-server server
```
As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".
Generating client certificates is very similar to the previous step:
```
build-key client
```
If you want to use many clients, then you could use, for example, the following commands:
```
build-key client1
build-key client2
build-key client3
```
In this case, make sure to type the appropriate Common Name for each client when prompted, i.e. "client1", "client2", or "client3". Always use a unique Common Name for each client.
Next we'll create the Diffie-Hellman parameters that must be generated for the OpenVPN server:
```
build-dh
```
The output is as follows:
```
ai:easy-rsa # ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................+...........................................
...................+.............+.................+.........
......................................
```
Now you can find the generated keys and certificates in the keys subdirectory. The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files (server.key and client.key) over a secure channel.
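As an added example (not part of the original guide), the Python snippet below lists which of the generated files each machine needs and which of them are secret, then audits a keys directory on a POSIX system for missing files and private keys readable by other users. It assumes the easy-rsa file names used above, a client list you pass in, and a constructed dummy keys directory standing in for the real one.

```python
import os
import stat
import tempfile

def distribution_plan(clients):
    """Which generated file goes to which machine, and whether it is secret.
    Private keys must travel over a secure channel; the rest may go in the clear."""
    plan = {"server": {"ca.crt": False, "server.crt": False,
                       "server.key": True, "dh1024.pem": False}}
    for client in clients:
        plan[client] = {"ca.crt": False, f"{client}.crt": False, f"{client}.key": True}
    return plan

def audit_keys_dir(keys_dir, clients):
    """Check an easy-rsa keys directory before copying files out: every file in
    the plan must exist, and no private key may be readable by group or others."""
    problems = []
    for machine, files in distribution_plan(clients).items():
        for name, secret in files.items():
            path = os.path.join(keys_dir, name)
            if not os.path.exists(path):
                problems.append(f"{machine}: {name} missing")
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if secret and mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append(f"{machine}: {name} is secret but has mode {mode:04o}")
    return problems

def make_sample_keys_dir():
    """Constructed stand-in for the keys/ directory: dummy contents, with
    client1.key deliberately left world-readable so the audit has something to find."""
    keys_dir = tempfile.mkdtemp()
    for name, mode in (("ca.crt", 0o644), ("server.crt", 0o644), ("server.key", 0o600),
                       ("dh1024.pem", 0o644), ("client1.crt", 0o644), ("client1.key", 0o644)):
        path = os.path.join(keys_dir, name)
        with open(path, "w") as handle:
            handle.write(f"dummy {name}\n")
        os.chmod(path, mode)
    return keys_dir

if __name__ == "__main__":
    sample = make_sample_keys_dir()
    for problem in audit_keys_dir(sample, ["client1", "client2"]):
        print(problem)
```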
Both the server and the client must have configuration files for OpenVPN to determine, for example, which IP addresses to use. In this chapter, we create a basic configuration file for the OpenVPN server and client. We make the PC the server and Access Server the client. Example configuration files can be found at http://openvpn.net/howto.html#examples; our example uses most of the settings described in those files.
Note: On a Linux system the configuration files can be named, for example, server.conf and client.conf. On Windows they are named server.ovpn and client.ovpn; only the file extension differs.
There are lots of configuration options that can be used with OpenVPN, but this guide only covers the basic approach to setting up a working VPN with minimal effort. The minimal server configuration file is as follows (paths containing spaces are enclosed in double quotes, and on Windows the backslashes are doubled):
```
port 1194
proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
server 172.30.203.0 255.255.255.0
ifconfig-pool-persist "C:\\Program Files\\OpenVPN\\config\\Logs\\ipp.txt"
keepalive 10 120
persist-key
persist-tun
status "C:\\Program Files\\OpenVPN\\config\\Logs\\openvpn-status.log"
verb 3
tls-timeout 4
```
```
port 1194
```
Determines the TCP or UDP port that OpenVPN should listen on. For multiple OpenVPN instances on the same machine, you'll need to use a different port for each one. Make sure your firewall allows traffic through these ports.
```
proto udp
```
Determines whether to use TCP or UDP. We have chosen UDP in our application.
```
dev tun
```
Determines whether to use a routed IP tunnel (tun) or an Ethernet tunnel, i.e. Ethernet bridging (tap). 'tap' creates a virtual Ethernet adapter, while a 'tun' device is a virtual point-to-point IP link. We have chosen 'tun' because of its better efficiency and scalability.
```
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
```
This is the so-called master Certificate Authority (CA) certificate. It is placed on both the server and the client devices; it is the same for all devices. Since the server is a Windows machine, double backslashes ( \\ ) are used in pathnames. On a Linux system a single forward slash ( / ) is used.
```
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
```
This is the certificate (a.k.a. public key) for the server device.
```
key "C:\\Program Files\\OpenVPN\\config\\server.key"
```
This is the private key for the server device and it should be kept secret.
```
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
```
This file contains the Diffie-Hellman parameters. Diffie-Hellman key exchange is a cryptographic protocol that allows two devices with no prior knowledge of each other to establish a shared secret key over an insecure connection.
```
server 172.30.203.0 255.255.255.0
```
Here we create the VPN subnet. In this example, the server will take 172.30.203.1 for itself, the rest will be left for clients to use. Each client will be able to reach the server on 172.30.203.1.
```
ifconfig-pool-persist "C:\\Program Files\\OpenVPN\\config\\Logs\\ipp.txt"
```
This file maintains a record of client <-> virtual IP address associations. If OpenVPN goes down or is restarted, reconnecting clients can be assigned the same virtual IP address that was previously assigned.
```
keepalive 10 120
```
This feature causes ping-like messages to be sent back and forth over the link so that each side knows when the other side has gone down. The parameters "10 120" make a ping occur every 10 seconds, and the remote peer is assumed down if no ping is received within 120 seconds.
```
persist-key
```
Persist features try to avoid accessing certain resources on restart that may no longer be accessible.
```
persist-tun
```
See above.
```
status "C:\\Program Files\\OpenVPN\\config\\Logs\\openvpn-status.log"
```
OpenVPN outputs a short status description to this file showing current connections. This file is truncated and rewritten every minute.
```
verb 3
```
This sets the verbosity level of the log file:
- 0 is silent, except for fatal errors
- 4 is reasonable for general use
- 5 and 6 can help to debug connection problems
- 9 is extremely verbose
```
tls-timeout 4
```
Packet retransmit timeout on TLS control channel if no acknowledgment from remote end within n seconds (n = 4 in this example).
Just like with the server configuration file, we'll describe here the basic client settings needed in our example configuration:
```
client
dev tun
proto udp
remote 192.168.42.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /usr/local/openvpn/conf/ca.crt
cert /usr/local/openvpn/conf/client.crt
key /usr/local/openvpn/conf/client.key
verb 3
```
```
client
```
Here we specify that we are a client and that we will be pulling certain config file directives from the server.
```
dev tun
```
This setting is the same as in the server configuration file. Use the same setting you're using in the server.
```
proto udp
```
This setting is the same as in the server configuration file. Use the same setting you're using in the server.
```
remote 192.168.42.1 1194
```
This setting configures the hostname/IP and port of the server.
```
resolv-retry infinite
```
Keep trying indefinitely to resolve the host name of the OpenVPN server. Very useful on machines which are not permanently connected to the Internet, such as laptops.
```
nobind
```
Most clients don't need to bind to a specific local port number.
```
persist-key
```
This setting is the same as in the server configuration file. Use the same setting you're using in the server.
```
persist-tun
```
This setting is the same as in the server configuration file. Use the same setting you're using in the server.
```
ca /usr/local/openvpn/conf/ca.crt
```
This is the same ca.crt file as in the server. See server config file descriptions for more information.
```
cert /usr/local/openvpn/conf/client.crt
```
This is the certificate (a.k.a. public key) for the client device.
```
key /usr/local/openvpn/conf/client.key
```
This is the private key for the client device.
```
verb 3
```
Sets the verbosity level of the log file.
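As an added example that is not part of the original guide, this Python snippet tokenises server and client configuration files written in the style of the two files described above and reports missing directives and path directives whose value split into several tokens, the usual symptom of an unquoted Windows path containing spaces. The sample configurations inside it are constructed from this chapter's examples; Python's shlex stands in for OpenVPN's own lexer, and the required-directive sets are my own minimal choice for this setup, not an OpenVPN rule.

```python
import shlex

# Directives that take exactly one file path. A path containing spaces must be
# double-quoted, otherwise OpenVPN treats the rest of the path as extra arguments.
PATH_DIRECTIVES = {"ca", "cert", "key", "dh", "status", "ifconfig-pool-persist"}
SERVER_REQUIRED = {"port", "proto", "dev", "ca", "cert", "key", "dh", "server"}
CLIENT_REQUIRED = {"client", "dev", "proto", "remote", "ca", "cert", "key"}

# Constructed samples modelled on the server and client files in this chapter.
SERVER_OK = r'''port 1194
proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
server 172.30.203.0 255.255.255.0
ifconfig-pool-persist "C:\\Program Files\\OpenVPN\\config\\Logs\\ipp.txt"
verb 3
'''
SERVER_BAD = SERVER_OK.replace('"', "")  # the same file with every quote removed
CLIENT_OK = '''client
dev tun
proto udp
remote 192.168.42.1 1194
ca /usr/local/openvpn/conf/ca.crt
cert /usr/local/openvpn/conf/client.crt
key /usr/local/openvpn/conf/client.key
verb 3
'''

def parse_openvpn_config(text):
    """Tokenise a config into (directive, args) pairs. shlex in POSIX mode approximates
    OpenVPN's lexer: double quotes group a path containing spaces, and a doubled
    backslash (as in the Windows server file) collapses to a single one."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":          # skip blank lines and comments
            tokens = shlex.split(line, comments=True)
            entries.append((tokens[0], tokens[1:]))
    return entries

def check_config(text, role):
    """Return a list of problems in a 'server' or 'client' config (empty means OK)."""
    entries = parse_openvpn_config(text)
    required = SERVER_REQUIRED if role == "server" else CLIENT_REQUIRED
    problems = [f"missing directive: {d}" for d in sorted(required - {d for d, _ in entries})]
    for directive, args in entries:
        if directive in PATH_DIRECTIVES and len(args) != 1:
            problems.append(f"{directive}: expected one path, got {len(args)} tokens {args}")
    return problems
```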
First, place the configuration files on the client and the server. As in the examples, these files can be located, for example, in C:\Program Files\OpenVPN\config on Windows and /usr/local/openvpn/conf on Linux. Next, copy the authentication files (ca.crt, server.crt, server.key and dh1024.pem on the server; ca.crt, client.crt and client.key on the client) into the same directories.
The OpenVPN server must be accessible from the Internet:
- open UDP port 1194 on the firewall (or the TCP/UDP port you've configured), or
- set up a port forwarding rule to forward UDP port 1194 from the firewall/gateway to the machine running the OpenVPN server
- make sure the TUN/TAP device is allowed through the firewall
To start the OpenVPN server on Windows, right-click the .ovpn file and choose "Start OpenVPN on this config file", or right-click the GUI icon in the taskbar and start the correct config file from there. It's also possible to start it from the command line:
```
openvpn [server_config_file]
```
where server_config_file is server.ovpn in our Windows example.
A normal server startup should look like this (output will vary across platforms):
```
Sun Feb 6 20:46:38 2005 OpenVPN 2.0_rc12 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 5 2005
Sun Feb 6 20:46:38 2005 Diffie-Hellman initialized with 1024 bit key
Sun Feb 6 20:46:38 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Feb 6 20:46:38 2005 TUN/TAP device tun1 opened
Sun Feb 6 20:46:38 2005 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sun Feb 6 20:46:38 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sun Feb 6 20:46:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
Sun Feb 6 20:46:38 2005 UDPv4 link local (bound): [undef]:1194
Sun Feb 6 20:46:38 2005 UDPv4 link remote: [undef]
Sun Feb 6 20:46:38 2005 MULTI: multi_init called, r=256 v=256
Sun Feb 6 20:46:38 2005 IFCONFIG POOL: base=10.8.0.4 size=62
Sun Feb 6 20:46:38 2005 IFCONFIG POOL LIST
Sun Feb 6 20:46:38 2005 Initialization Sequence Completed
```
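As an added example that is not part of the original guide, the Python snippet below reproduces how OpenVPN 2.0 expands the server directive under its default net30 topology (assumed here, together with no explicit ifconfig-pool override): for 10.8.0.0/24 it yields the ifconfig, route and pool lines visible in the log above, and for the 172.30.203.0 subnet of our server configuration it shows the addresses the server and the first client will actually get.

```python
import ipaddress

def expand_server_directive(network, netmask):
    """Expand 'server <network> <netmask>' as OpenVPN 2.0 does with its default
    net30 topology (assumed here): the server takes the first /30 of the subnet,
    the route for the whole subnet points at the far end of that /30, and the
    remaining /30 blocks form the client address pool."""
    net = ipaddress.IPv4Network(f"{network}/{netmask}")
    base = int(net.network_address)
    pool_start = base + 4                      # first /30 after the server's own
    pool_end = int(net.broadcast_address) - 1  # broadcast address is never allocated
    gateway = ipaddress.IPv4Address(base + 2)
    return {
        "ifconfig_local": str(ipaddress.IPv4Address(base + 1)),  # server's VPN address
        "ifconfig_remote": str(gateway),                         # its point-to-point peer
        "route": f"{net.network_address} netmask {net.netmask} gw {gateway}",
        "pool_base": str(ipaddress.IPv4Address(pool_start)),
        "pool_size": (pool_end - pool_start + 1) // 4,           # one /30 per client
    }

def client_net30_addresses(network, netmask, index):
    """Addresses the pool hands to the index-th client (0-based): the client's
    own tunnel address and the server-side endpoint of its /30."""
    info = expand_server_directive(network, netmask)
    if not 0 <= index < info["pool_size"]:
        raise ValueError(f"pool holds only {info['pool_size']} clients")
    block = int(ipaddress.IPv4Address(info["pool_base"])) + 4 * index
    return str(ipaddress.IPv4Address(block + 2)), str(ipaddress.IPv4Address(block + 1))

if __name__ == "__main__":
    for directive in ("10.8.0.0 255.255.255.0", "172.30.203.0 255.255.255.0"):
        info = expand_server_directive(*directive.split())
        print(f"server {directive}")
        print(f"  ifconfig tun {info['ifconfig_local']} pointopoint {info['ifconfig_remote']}")
        print(f"  route add -net {info['route']}")
        print(f"  IFCONFIG POOL: base={info['pool_base']} size={info['pool_size']}")
        print("  first client gets %s, peer %s" % client_net30_addresses(*directive.split(), 0))
```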
We'll start the client from Linux command line:
```
openvpn [client_config_file]
```
where client_config_file is client.conf in our example.
A normal client startup looks similar to the server output and should end with the "Initialization Sequence Completed" message.
Now, try to ping the server's VPN address from the client (172.30.203.1 in our example server configuration):
```
ping 172.30.203.1
```
If the ping succeeds, you have a functioning VPN.