openvpn_stuff

setting up openvpn server

These notes are old; before following them, check whether there are newer releases of OpenVPN and easy-rsa that you should use instead (the 2.0 tarball below is what was current when they were written).

cd /usr/local/src
wget http://openvpn.net/release/openvpn-2.0.tar.gz
tar xvfz openvpn-2.0.tar.gz
cd openvpn-2.0
apt-get install liblzo-dev libssl-dev   # LZO for compression, OpenSSL headers for the TLS build
./configure
make
make install

mkdir /etc/openvpn
mkdir /etc/openvpn/easy-rsa
cp /usr/local/src/openvpn-2.0/easy-rsa/* /etc/openvpn/easy-rsa   # easy-rsa ships inside the 2.0 source tree

/etc/openvpn/server.conf:

dev tap
port 5000
proto tcp-server          # UDP is the better default; TCP tunnels stall under TCP-over-TCP retransmits
verb 1
mode server
tls-server
ping 60
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem   # 1024-bit DH is weak today; generate 2048 bits or more with build-dh
ifconfig 192.168.222.1 255.255.255.0
ifconfig-pool 192.168.222.100 192.168.222.200   # only delivered to clients that "pull"; the static addresses in client.conf below must stay outside .100-.200
route 192.168.222.0 255.255.255.0
route-gateway 192.168.222.1

client.conf (one per node; replace <NODEID> with the node's number):

dev tap
proto tcp-client
port 5000
ping 15
ping-restart 120
resolv-retry infinite
remote openvpn.wirelesstoronto.ca
tls-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client<NODEID>.crt
key /etc/openvpn/client<NODEID>.key
# if the server cert was built with easy-rsa's build-key-server, add "ns-cert-type server"
# ("remote-cert-tls server" in newer releases) so another node's client cert cannot pose as the server
ifconfig 192.168.222.<NODEID> 255.255.255.0   # must not be .1 (the server) or inside the .100-.200 pool

making client certificate files on server:

  1. ssh to pwd.ca, login as “wireless”
    cd easy-rsa
    . ./vars
    (ignore the output)
  2. ./build-key client<NODEID>
  3. use defaults except for Common Name: client<NODEID>
  4. find the client<NODEID>.crt and client<NODEID>.key files in the ./keys folder – KEEP THE .key PRIVATE (the .crt is public); note that the private key now exists both in keys/ on pwd.ca and on the router, and anyone who can read either copy can connect as that node
  5. to copy them to the router, issue these commands on the router:
    scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.crt /etc/openvpn
    scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.key /etc/openvpn
    then make sure the .key is readable only by root (mode 0600)

(it'll prompt you for the wireless@pwd.ca password each time)
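The client.conf template above is filled in by hand for every NODEID. Here is an added example (mine, not from these notes) that does the substitution in a POSIX sh script and refuses a NODEID that would collide with the server address (.1) or with the ifconfig-pool range (.100 to .200) from server.conf. It also adds "ns-cert-type server", which assumes the server certificate was built with easy-rsa's build-key-server (that is what sets the nsCertType=server extension); newer OpenVPN releases spell this "remote-cert-tls server". Hostname, port and paths are the ones from the notes; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original notes: render client<NODEID>.conf
# from the template above and check NODEID against the server's address plan.
# Assumptions (from server.conf above): server is .1, ifconfig-pool is .100-.200.

SERVER_HOST=openvpn.wirelesstoronto.ca
SERVER_PORT=5000
NET_PREFIX=192.168.222
POOL_LOW=100      # ifconfig-pool start on the server
POOL_HIGH=200     # ifconfig-pool end on the server

# nodeid_ok NODEID: 0 if 192.168.222.NODEID is a usable static host address.
# Rejects non-numbers, .0/.255, .1 (the server) and anything inside the pool.
nodeid_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 2 ] && [ "$1" -le 254 ] || return 1
    if [ "$1" -ge "$POOL_LOW" ] && [ "$1" -le "$POOL_HIGH" ]; then
        return 1
    fi
    return 0
}

# client_conf NODEID: print the node's client config on stdout, or fail.
client_conf() {
    nodeid_ok "$1" || { echo "client_conf: NODEID '$1' is not usable" >&2; return 1; }
    cat <<EOF
dev tap
proto tcp-client
remote $SERVER_HOST $SERVER_PORT
nobind
ping 15
ping-restart 120
resolv-retry infinite
tls-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client$1.crt
key /etc/openvpn/client$1.key
# refuse any peer whose cert was not issued as a server cert (build-key-server),
# so another node's client cert cannot impersonate the server
ns-cert-type server
ifconfig $NET_PREFIX.$1 255.255.255.0
EOF
}

# Usage: sh render-client.sh 7 > client7.conf
if [ $# -eq 1 ]; then
    client_conf "$1"
fi
```

Run it once per node and ship the output together with that node's .crt and .key; a NODEID of 150 is rejected because the server would also hand .150 to a pulling client from the pool.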

working on setting up an openvpn server on a router

Instructions adapted from http://forum.openwrt.org/viewtopic.php?id=1800

  1. add this to /etc/firewall.user, right after the chunk on WAN SSH:
    ### Allow OpenVPN connections
    iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 1194 -j ACCEPT
    iptables        -A input_rule      -i $WAN -p udp --dport 1194 -j ACCEPT
  2. create /etc/openvpnbridge:
    #!/bin/sh
    
    #/etc/openvpnbridge
    # OpenVPN Bridge Config File
    # Creates TAP devices for use by OpenVPN and bridges them into OpenWRT Bridge
    # Taken from http://openvpn.net/bridge.html
    
    # Make sure module is loaded
    insmod tun
    
    # Define Bridge Interface
    # Preexisting on OpenWRT
    br="br0"
    
    # Define list of TAP interfaces to be bridged,
    # for example tap="tap0 tap1 tap2".
    tap="tap0"
    
    # Build tap devices
    for t in $tap; do
        openvpn --mktun --dev $t
    done
    
    # Add TAP interfaces to OpenWRT bridge
    
    for t in $tap; do
        brctl addif $br $t
    done
    
    #Configure bridged interfaces
    
    for t in $tap; do
        ifconfig $t 0.0.0.0 promisc up
    done
  3. chmod +x /etc/openvpnbridge
  4. create /etc/openvpn/server.conf:
    port 1194
    proto udp
    dev tap0                          # must be the device /etc/openvpnbridge put into br0; a bare "dev tap" allocates a fresh, unbridged device
    keepalive 10 120
    status /tmp/openvpn-status.log    # absolute path; /tmp is RAM on OpenWRT, so the log does not wear the flash
    verb 3
    secret /etc/openvpn/static.key    # static-key mode: one shared key, one peer at a time
  5. static key: generate it once on the router, then copy the same file to the client over ssh/scp. It is the only thing protecting the tunnel, so keep it mode 600 on both ends:
    openvpn --genkey --secret /etc/openvpn/static.key
  6. test:
    openvpn /etc/openvpn/server.conf
  7. autostartup script for server (/etc/init.d/S95openvpnserver):
    #!/bin/sh
    #/etc/init.d/S95openvpnserver
    /etc/openvpnbridge
    openvpn --daemon --config /etc/openvpn/server.conf   # --daemon instead of "&": detaches cleanly and logs to syslog
  8. make it executable:
    chmod +x /etc/init.d/S95openvpnserver
  9. client config file:
    dev tap
    proto udp
    remote Your.IP.Goes.Here 1194
    resolv-retry infinite
    nobind
    mute-replay-warnings
    secret /etc/openvpn/static.key    # the same file as on the router, copied over ssh, mode 600
    verb 3
    # no ifconfig line: the tap is bridged into the router's LAN, so run a DHCP client on it
    # (or add "ifconfig <LAN address> <netmask>" for a static LAN address)
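To catch the "dev tap" versus tap0 mismatch before rebooting the router, here is an added example (mine, not from the forum post or these notes): a POSIX sh check that reads the tap list from an /etc/openvpnbridge-style script and the dev and secret lines from server.conf. It fails when server.conf does not name one of the bridged devices, and when the static key is missing or readable by anyone other than its owner. Function names and the constructed sample files in demo are assumptions for illustration; it needs only sed, awk and stat.

```shell
#!/bin/sh
# Added example, not part of the original notes: consistency check for the
# bridged static-key server above. Compares the tap list in an
# /etc/openvpnbridge-style script with the "dev" line in server.conf and
# checks the "secret" file. Paths are arguments so it can run against copies.

# tap_list BRIDGE_SCRIPT: the devices the script enslaves (its tap="..." line)
tap_list() {
    sed -n 's/^tap="\([^"]*\)".*/\1/p' "$1"
}

# conf_value CONF KEY: first argument of KEY in an OpenVPN config (empty if absent)
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# file_mode FILE: octal permission bits (GNU/busybox stat, BSD fallback)
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_bridge_setup BRIDGE_SCRIPT SERVER_CONF: 0 if they agree, 1 otherwise
check_bridge_setup() {
    dev=$(conf_value "$2" dev)
    taps=$(tap_list "$1")
    rc=0
    case "$dev" in
        ''|tap|tun)
            # a bare "dev tap" asks the kernel for a new unit; that is not the
            # pre-made tap0 that brctl put into br0, so VPN frames never reach the LAN
            echo "server.conf: 'dev $dev' names no concrete device; use dev tapN" >&2
            rc=1 ;;
        *)
            found=0
            for t in $taps; do
                [ "$t" = "$dev" ] && found=1
            done
            if [ "$found" -eq 0 ]; then
                echo "server.conf: dev $dev is not in the bridge script's list ($taps)" >&2
                rc=1
            fi ;;
    esac
    secret=$(conf_value "$2" secret)
    if [ -n "$secret" ]; then
        # static-key mode: whoever can read this file can be the (only) client
        if [ ! -f "$secret" ]; then
            echo "$secret: missing; run openvpn --genkey --secret $secret" >&2
            rc=1
        else
            case "$(file_mode "$secret")" in
                *00) ;;   # 600/400: owner only
                *) echo "$secret: readable by group/other; chmod 600 it" >&2; rc=1 ;;
            esac
        fi
    fi
    return "$rc"
}

# demo: constructed inputs (not real files): the page's server.conf as written
# next to the corrected one, both against a bridge script that creates tap0.
# Returns 0 when the as-written config is rejected and the corrected one passes.
demo() {
    d=$(mktemp -d) || return 1
    printf 'tap="tap0"\n' > "$d/openvpnbridge"
    echo "constructed placeholder, not a real key" > "$d/static.key"
    chmod 600 "$d/static.key"
    printf 'port 1194\nproto udp\ndev tap\nsecret %s/static.key\n' "$d" > "$d/as-written.conf"
    printf 'port 1194\nproto udp\ndev tap0\nsecret %s/static.key\n' "$d" > "$d/fixed.conf"
    ok=0
    if ! check_bridge_setup "$d/openvpnbridge" "$d/as-written.conf" 2>/dev/null &&
         check_bridge_setup "$d/openvpnbridge" "$d/fixed.conf"; then
        ok=1
    fi
    rm -rf "$d"
    [ "$ok" -eq 1 ]
}

if demo; then
    echo "bridge check behaves as expected"
fi
```

On the router itself, run check_bridge_setup /etc/openvpnbridge /etc/openvpn/server.conf from the init script before starting openvpn; a non-zero result means the tunnel would come up but carry no LAN traffic, or that the shared key is exposed.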
openvpn_stuff.txt · Last modified: 2013/09/28 16:06 (external edit)