====== setting up openvpn server ======
This is old; check whether there are newer versions of the software before following it.
<code bash>
cd /usr/local/src
wget http://openvpn.net/release/openvpn-2.0.tar.gz
tar xvfz openvpn-2.0.tar.gz
cd openvpn-2.0
apt-get install liblzo-dev
./configure
make
make install
mkdir /etc/openvpn
mkdir /etc/openvpn/easy-rsa
# easy-rsa ships inside the unpacked source tree
cp /usr/local/src/openvpn-2.0/easy-rsa/* /etc/openvpn/easy-rsa
</code>
**/etc/openvpn/server.conf:**
<code>
dev tap
port 5000
proto tcp-server
verb 1
mode server
tls-server
ping 60
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
ifconfig 192.168.222.1 255.255.255.0
ifconfig-pool 192.168.222.100 192.168.222.200
route 192.168.222.0 255.255.255.0
route-gateway 192.168.222.1
</code>
**client.conf:** (replace [NODEID] with the client's node number, as in the certificate steps below)
<code>
dev tap
proto tcp-client
port 5000
ping 15
ping-restart 120
resolv-retry infinite
remote openvpn.wirelesstoronto.ca
tls-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client[NODEID].crt
key /etc/openvpn/client[NODEID].key
ifconfig 192.168.222.[NODEID] 255.255.255.0
</code>
===== making client certificate files on server: =====
  - ssh to pwd.ca, login as "wireless"
  - set up the easy-rsa environment (ignore the output of ''vars''):
<code bash>
cd easy-rsa
. ./vars
</code>
  - build the client certificate and key:
<code bash>
./build-key client[NODEID]
</code>
  - use defaults except for Common Name: **client[NODEID]**
  - the new client[NODEID].crt and client[NODEID].key files are in the ./keys folder -- KEEP THESE PRIVATE
  - to copy them to the router, issue these commands on the router:
<code bash>
scp wireless@pwd.ca:easy-rsa/keys/client[NODEID].crt /etc/openvpn
scp wireless@pwd.ca:easy-rsa/keys/client[NODEID].key /etc/openvpn
</code>
  - (it'll prompt you for the wireless@pwd.ca password each time)
====== working on setting up an openvpn server on a router ======
Instructions adapted from http://forum.openwrt.org/viewtopic.php?id=1800
  - add this to /etc/firewall.user, right after the chunk on WAN SSH:
<code bash>
### Allow OpenVPN connections
iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 1194 -j ACCEPT
iptables -A input_rule -i $WAN -p udp --dport 1194 -j ACCEPT
</code>
  - create /etc/openvpnbridge:
<code bash>
#!/bin/sh
#/etc/openvpnbridge
# OpenVPN Bridge Config File
# Creates TAP devices for use by OpenVPN and bridges them into the OpenWRT bridge
# Taken from http://openvpn.net/bridge.html

# Make sure the tun module is loaded
insmod tun

# Define bridge interface (preexisting on OpenWRT)
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Build tap devices
for t in $tap; do
    openvpn --mktun --dev $t
done

# Add TAP interfaces to OpenWRT bridge
for t in $tap; do
    brctl addif $br $t
done

# Configure bridged interfaces: no IP address of their own, promiscuous, up
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done
</code>
  - make it executable: ''chmod +x /etc/openvpnbridge''
  - create /etc/openvpn/server.conf:
<code>
port 1194
proto udp
dev tap
keepalive 10 120
status openvpn-status.log
verb 3
secret /etc/openvpn/static.key
</code>
  - generate the static key at /etc/openvpn/static.key (it is a shared secret, so treat it like the client keys above):
<code bash>
openvpn --genkey --secret /etc/openvpn/static.key
</code>
  - test: ''openvpn /etc/openvpn/server.conf''
  - autostartup script for server (/etc/init.d/S95openvpnserver):
<code bash>
#!/bin/sh
#/etc/init.d/S95openvpnserver
/etc/openvpnbridge
openvpn /etc/openvpn/server.conf &
</code>
  - make it executable:
<code bash>
chmod +x /etc/init.d/S95openvpnserver
</code>
  - client config file (the client needs its own copy of the same static.key):
<code>
dev tap
proto udp
remote Your.IP.Goes.Here 1194
resolv-retry infinite
nobind
mute-replay-warnings
secret /etc/openvpn/static.key
verb 3
</code>
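A pre-flight check for either of the setups on this page, added here as an example; it is not from the page, the wiki's router scripts, or the OpenVPN project. The function names (''openvpn_listen'', ''openvpn_audit'', ''make_demo'') and the sample config and key file it builds in a temp directory are constructed for the demo. It reads an OpenVPN config, resolves every ''ca''/''cert''/''dh''/''key''/''secret'' path, confirms the file exists, and for the private ones (''key'', ''secret'') checks that they are readable only by their owner and look like the expected format. It also reports the proto/port the server listens on, so the firewall.user rules can be compared against the config (the first section uses tcp 5000, the router section udp 1194). It covers both the TLS-mode and static-key configs rather than one of them.

```shell
#!/bin/sh
# Added example, not from this page or from OpenVPN: pre-flight audit of an
# OpenVPN config's key material. Needs only POSIX sh plus awk, ls, cut, grep.

# Print "proto port" for a config, falling back to OpenVPN's own defaults
# (udp 1194) when a directive is absent, for matching against firewall rules.
openvpn_listen() {
    proto=$(awk '$1=="proto"{print $2; exit}' "$1")
    port=$(awk '$1=="port"{print $2; exit}' "$1")
    echo "${proto:-udp} ${port:-1194}"
}

# Group/other permission bits of a file from 'ls -l' ("------" means owner-only).
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Audit: every ca/cert/dh/key/secret file must exist; key and secret files must be
# owner-only and contain the expected PEM / static-key header.
# Prints one line per finding; returns 0 when clean, 1 when something needs fixing.
openvpn_audit() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    confdir=$(dirname "$conf")
    rc=0
    # The here-document keeps the loop in the current shell so rc survives it.
    while read -r directive path; do
        [ -n "$directive" ] || continue
        # A relative path is taken relative to the config file's directory.
        case "$path" in /*) ;; *) path="$confdir/$path" ;; esac
        if [ ! -f "$path" ]; then
            echo "MISSING $directive: $path"; rc=1; continue
        fi
        case "$directive" in
        key|secret)
            if [ "$(group_other_bits "$path")" != "------" ]; then
                echo "EXPOSED $directive: $path is group/world readable, run chmod 600"; rc=1
            fi
            ;;
        esac
        case "$directive" in
        secret)
            grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$path" ||
                { echo "FORMAT $directive: $path is not an OpenVPN static key"; rc=1; }
            ;;
        key)
            grep -q 'PRIVATE KEY-----' "$path" ||
                { echo "FORMAT $directive: $path is not a PEM private key"; rc=1; }
            ;;
        esac
    done <<EOF
$(awk '$1=="ca"||$1=="cert"||$1=="dh"||$1=="key"||$1=="secret"{print $1, $2}' "$conf")
EOF
    [ "$rc" -eq 0 ] && echo "OK $conf"
    return "$rc"
}

# Constructed demo input: a router-style static-key config in a temp directory.
# The key header is the one 'openvpn --genkey' writes; the body bytes are made up.
make_demo() {
    d=$(mktemp -d)
    printf '%s\n' 'port 1194' 'proto udp' 'dev tap' 'secret static.key' > "$d/server.conf"
    printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' \
        '-----BEGIN OpenVPN Static key V1-----' 'deadbeef' \
        '-----END OpenVPN Static key V1-----' > "$d/static.key"
    chmod 600 "$d/static.key"
    echo "$d"
}

demo=$(make_demo)
openvpn_listen "$demo/server.conf"          # udp 1194
openvpn_audit "$demo/server.conf"           # OK ...
chmod 644 "$demo/static.key"
openvpn_audit "$demo/server.conf" || true   # EXPOSED secret ... (exit status 1)
rm -rf "$demo"
```

Run it against the real files as ''openvpn_audit /etc/openvpn/server.conf'' on the server and on each router after the ''scp'' steps; an EXPOSED line means the copied key picked up a permissive umask and needs ''chmod 600''.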