There are numerous open source firewall, router and network server projects. In this two-part tutorial we will discuss the free community version of Endian. It’s a Linux distribution that can turn any system into a full-featured network and Internet security appliance.
There are numerous open source server, firewall and router projects, but few, like Endian, are also Linux distributions that can turn any system into a full-featured network and Internet security appliance. We step through a basic Endian configuration, including setting up the Internet connection and creating a local network, and then setting up the OpenVPN server.
First, we will perform the basic configuration of Endian. This includes setting up the Internet connection and creating a local network with DHCP enabled. Then, we will set up the OpenVPN server. (Note that this tutorial is based on Endian Firewall Community version 2.4, released May 29 2010.)
You’ll see how to configure Road Warrior VPN connections, so you can securely access your network from remote locations or protect local traffic on public Internet ports or Wi-Fi hotspots. You’ll also see how to configure gateway-to-gateway VPN connections, so you can securely connect multiple offices together via the Internet.
Then, you can look into the other features, such as the stateful packet inspection firewall, application-level proxies with antivirus support, virus and spam-filtering for email, and content filtering of Web traffic.
Installing the Endian Community Edition
First, prepare a server (or PC) that meets the following system requirements:
- CPU: Intel x86 compatible (500MHz minimum, 1GHz recommended)
- RAM: 256MB minimum (512MB recommended)
- Disk: SCSI, SATA, SAS or IDE disk required (4GB minimum)
- CD-ROM: IDE, SCSI or USB CDROM drive required for installation
- Network Cards: At least two Ethernet cards are required, one for the WAN/Internet and one for the LAN.
Endian will automatically format the drive during the installation, so make sure all data is backed up before installing. During the initial installation, you must have a monitor and keyboard hooked up. However, once you have Endian installed and can access the web-based front end, you can go headless.
To get started, download the ISO CD image file and burn it to a disc. Then insert the Endian CD and restart the machine. It should boot into Endian automatically and bring up the installation screens. You’ll select a language, the installer will partition (and wipe) the drive, and you’ll set the IP address of the Endian machine. Once the installation finishes, remove the CD and let the system boot. When you see the main Endian screen (as shown in Figure 1), which displays the IP address and boot menu, you can unplug the monitor and keyboard and continue with the next section.
The Main Endian Screen
Performing the Initial Configuration
Now you must find out which network interface is the default LAN port, so you can log in to the web-based front end to configure Endian. To get started, set a network interface on a PC to a static IP address on the same subnet as the address you assigned to Endian. If you set Endian to 192.168.1.1 during the installation, you could set your PC to 192.168.1.2 with a 255.255.255.0 netmask.
Now plug an Ethernet cable into the PC and plug the other end into a port on the Endian machine. Give it a moment to negotiate a link. On the PC, enter the IP address you assigned to Endian into a web browser (https://192.168.1.1 in this example). If the web-based front end appears (you’ll first see a warning about the SSL certificate), then you have the correct network interface. If nothing loads, move the cable to the next port on the Endian machine, and so on until you find it.
Once you find the default LAN port, accept the SSL certificate warning: Endian ships with a self-signed certificate, so the browser has no way to validate it. That also means the browser cannot tell Endian’s certificate from anyone else’s; over a direct cable this is not a concern, but once the box is on a shared network you should either note the certificate’s fingerprint and check it on later logins or install a certificate from your own CA. Next, you’ll see the welcome page of the initial configuration wizard. This wizard will help you set your language and time zone, read and accept the license, set the passwords, and configure the basic network settings.
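The port hunt above and the certificate warning that follows it can be handled together from the PC. The script below is an added example, not part of the article or of Endian itself: it opens a TLS connection to the address you gave Endian (192.168.1.1 and port 443 are assumptions; change them to match your install), and instead of blindly ignoring the warning it records the SHA-256 fingerprint of the self-signed certificate on first contact and refuses to proceed if a later connection presents a different one. No web front end on the current port shows up as "no web front end answered", which is your cue to move the cable to the next port.

```python
"""Probe the Endian web front end and pin its self-signed certificate.

Added example, not from the original article. Assumes the Endian LAN address
is 192.168.1.1 and the web front end listens on TCP 443 (both hypothetical;
set them to what you chose during installation).
"""
import hashlib
import hmac
import socket
import ssl
import sys
from typing import Optional

ENDIAN_HOST = "192.168.1.1"   # assumption: address chosen at install time
ENDIAN_PORT = 443             # assumption: HTTPS front end
PIN_FILE = ".endian_pin"      # where the first-seen fingerprint is stored
TIMEOUT = 3.0


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 of a DER certificate as colon-separated upper-case hex,
    the same form browsers show in the certificate viewer."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(presented: str, pinned: str) -> bool:
    """Compare two fingerprints ignoring case and separators, in constant time."""
    def norm(fp: str) -> str:
        return fp.replace(":", "").replace(" ", "").strip().lower()
    return hmac.compare_digest(norm(presented), norm(pinned))


def fetch_der_cert(host: str, port: int, timeout: float = TIMEOUT) -> Optional[bytes]:
    """Open a TLS session without chain validation (the cert is self-signed, so
    validation would always fail) and return the leaf certificate as DER bytes.
    Returns None when nothing answers, which is what a wrong port looks like."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # trust is established by fingerprint below
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return None


def check_pin(presented_fp: str, pin_file: str = PIN_FILE) -> str:
    """Trust-on-first-use: store the fingerprint the first time, compare afterwards.
    Returns 'pinned', 'match' or 'mismatch'."""
    try:
        with open(pin_file) as f:
            pinned = f.read().strip()
    except FileNotFoundError:
        with open(pin_file, "w") as f:
            f.write(presented_fp + "\n")
        return "pinned"
    return "match" if fingerprint_matches(presented_fp, pinned) else "mismatch"


def main() -> int:
    der = fetch_der_cert(ENDIAN_HOST, ENDIAN_PORT)
    if der is None:
        print(f"no web front end answered on {ENDIAN_HOST}:{ENDIAN_PORT}; try the next port")
        return 2
    fp = fingerprint_sha256(der)
    outcome = check_pin(fp)
    print(f"{outcome}: {fp}")
    return 0 if outcome in ("pinned", "match") else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it once over the direct cable to record the fingerprint, then again from wherever you later manage the box; a mismatch means either you replaced Endian’s certificate yourself or something else is answering on that address. Very old Endian releases may negotiate only TLS versions or ciphers that a current Python refuses by default; if the probe reports no answer while a browser does connect, that is the first thing to check.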
During the network setup wizard, you’ll discover that Endian assigns colors to interfaces:
- Green – LAN
- Red – WAN/Internet
- Orange – DMZ
- Blue – Wi-Fi
Once you apply the configuration and the services have reloaded, you’ll be prompted to log in. Log in with the default username of “admin” and the password you created earlier. If somehow the password you created didn’t save (e.g., if you hit cancel rather than continue), you can use the default password of “endian.” If that default still works, change it before you connect the machine to the Internet; a gateway with a published default password is the first thing a scanner will try.
After you log in, one of the first things you’ll probably want to do is enable DHCP on the LAN or Wi-Fi interfaces. Click the Services link, open the DHCP server settings, select Enabled for the desired interfaces, and hit Save.
Then you can go back to the settings of your network adapter on your PC, erase the static IP details, and re-enable automatic (DHCP) addressing. The PC should then receive an IP address within the range of the IP you set earlier for that interface.
At this point, the basic functions are configured, and you can hook up the Endian machine in the production environment. Connect the Internet cable to the WAN interface. You can plug a switch into the LAN interface for additional ports.
Enabling the OpenVPN server
On the web-based front end, click the VPN link. Select the OpenVPN server enabled checkbox, as Figure 2 shows. Check the Dynamic IP pool start and end addresses: the pool is the range handed to connecting VPN clients, so it must not include the Endian address itself. If the start address is the same as the Endian address, enter something different. Click Save and Restart to continue.
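The pool check in the previous paragraph is easy to get wrong once a DHCP range is also in play, so here is an added example (not from the article) that validates a proposed pool before you type it into the form. It assumes the default bridged setup, where the VPN pool is carved out of the green (LAN) subnet, and the green network, Endian address and DHCP range used below are hypothetical values for illustration.

```python
"""Validate an OpenVPN dynamic IP pool against the Endian green network.

Added example, not part of the article. Assumes the bridged default, in which
VPN clients get addresses from the green subnet; all addresses are made up.
"""
import ipaddress
from typing import List, Optional, Tuple


def pool_problems(endian_ip: str, green_cidr: str, pool_start: str, pool_end: str,
                  dhcp_range: Optional[Tuple[str, str]] = None) -> List[str]:
    """Return a list of problems with the proposed pool; an empty list means
    the pool can be entered as-is."""
    net = ipaddress.ip_network(green_cidr, strict=False)
    endian = ipaddress.ip_address(endian_ip)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems: List[str] = []

    if start > end:
        problems.append(f"pool start {start} is after pool end {end}")
        return problems
    # Bridged clients must sit on the green subnet to reach it at all.
    if start not in net or end not in net:
        problems.append(f"pool {start}-{end} is not inside the green network {net}")
    # Handing out the firewall's own address to a VPN client breaks the LAN.
    if start <= endian <= end:
        problems.append(f"pool contains the Endian address {endian}")
    # Overlap with the DHCP range means two clients can be given one address.
    if dhcp_range is not None:
        d0 = ipaddress.ip_address(dhcp_range[0])
        d1 = ipaddress.ip_address(dhcp_range[1])
        if start <= d1 and d0 <= end:
            problems.append(f"pool overlaps DHCP range {d0}-{d1}")
    return problems


if __name__ == "__main__":
    # Hypothetical values: green is 192.168.1.0/24, Endian is .1, DHCP hands out .100-.199.
    for proposal in (("192.168.1.1", "192.168.1.20"), ("192.168.1.200", "192.168.1.220")):
        issues = pool_problems("192.168.1.1", "192.168.1.0/24", *proposal,
                               dhcp_range=("192.168.1.100", "192.168.1.199"))
        print(proposal, "OK" if not issues else "; ".join(issues))
```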
OpenVPN server enabled checkbox
By default, the server is set to use what Endian labels pre-shared key (PSK) authentication, which is what we’re going to cover. In Endian’s terminology this means clients log into the VPN server with the usernames and passwords you create; it is not OpenVPN’s static-key mode, and the tunnel is still protected by the server’s own certificate. You also have the option of certificate-based authentication, where you create and distribute a certificate file for each client, so that a stolen password alone is not enough to connect. For maximum security, require both the username/password (PSK) and certificate authentication.
You can set the authentication and other server settings on the Advanced tab.
Continue on to Part 2 to learn how to set up and create OpenVPN client accounts.
Eric Geier is the Founder and CEO of NoWiresSecurity, which helps businesses easily protect their Wi-Fi with enterprise-level encryption by offering an outsourced RADIUS/802.1X authentication service. He is also the author of many networking and computing books, for brands such as For Dummies and Cisco Press.