Differences

This shows you the differences between two versions of the page.

--- openvpn_stuff [2007/04/01 14:35]
66.207.222.14 created
+++ openvpn_stuff [2013/09/28 16:06] (current)
@@ Line 37: / Line 37: @@
 </code>
+**client.conf:**
-  - make sure you have the supported version of OpenWRT -- get it here:
+<code>
-    * Linksys WRT54G (up to and including v4) & WRT54GL: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54g-squashfs.bin
+dev tap
-    * Motorola WR850G: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wr850g-squashfs.bin
+proto tcp-client
-    * Linksys WRT54GS (up to and including v3): http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54gs-squashfs.bin
+port 5000
-    * Linksys WRT54GS (v4): http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54gs_v4-squashfs.bin
+ping 15
-    * Linksys WRT54G3G: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54g3g-squashfs.bin
+ping-restart 120
-    * Linksys WRTSL54GS: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrtsl54gs-squashfs.bin
+resolv-retry infinite
-  - plug an ethernet cable from your computer to the LAN1 port on the router
+remote openvpn.wirelesstoronto.ca
-  - plug an ethernet cable from the router's WAN port to a DHCP-enabled Internet connection
+tls-client
-  - turn off your computer's wifi connection (to ensure that it only has 'net access through the new router)
+ca /etc/openvpn/ca.crt
-  - In a browser on your computer go to address 192.168.1.1 (this is the router's address)
+cert /etc/openvpn/client**NODEID**.crt
-  - Login leaving username blank and using password **admin**
+key /etc/openvpn/client**NODEID**.key
-  - Go to Wireless -> Basic Wireless Settings and change the Wireless Network Name to **wirelesstoronto**.  Change the channel as necessary -- **1** is a good choice.  Save settings.
+ifconfig 192.168.222.**NODEID** 255.255.255.0
-  - Go to Administration -> Firmware Upgrade
-  - Upgrade the firmware using the openwrt image -- DON'T INTERRUPT IT!
-  - Watch the DMZ light -- it'll come on, then go off.  when it goes off, connect to the router: http://192.168.1.1
-  - Click any link and you should be asked to set a password for the root account; use the standard WT router root password.
-  - Connect to 192.168.1.1 using an SSH client (Linux and Mas OS have built in SSH, on Windows try "Putty":http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html): ssh root@192.168.1.1
-  - Update and download standard packages, then edit wifidog.conf: <code>
-ipkg update
-ipkg install iptables-extra  kmod-iptables-extra libpthread libgcc
-ipkg install http://wirelesstoronto.ca/dist/wifidog_1.1.3_beta6-1_mipsel_whiterussianRC6.ipk
-vi /etc/wifidog.conf
 </code>
-  - Specify the GatewayID, as appropriate (this needs to be set on the auth server!).
-  - Uncomment the ExternalInterface line, and change the value to vlan1
-  - Change the value of the GatewayInterface line to br0
-  - Paste this into the AuthServer section:<code>
-AuthServer {
-Hostname auth.wirelesstoronto.ca
-SSLAvailable yes
-Path /
-}
-</code>
-  - Save the changes to wifidog.conf file (esc **:wq**)
-  - Set up ntpclient & timezone, then replace S99done:<code>
-ipkg install ntpclient
-cd /etc/init.d
-wget http://wirelesstoronto.ca/dist/S55ntpclient
-chmod +x /etc/init.d/S55ntpclient
-/etc/init.d/S55ntpclient
-echo EST5EDT,M3.2.0/02:00,M11.1.0/02:00 > /etc/TZ
+===== making client certificate files on server: =====
-cd /etc/init.d
+  - ssh to pwd.ca, login as "wireless"<code>
-cp S99done S99done.real
+cd easy-rsa
-rm S99done
+. ./vars
-mv S99done.real S99done
-vi /etc/init.d/S99done
 </code>
-  - add this to /etc/init.d/S99done:<code>
+  - (ignore the output)<code>
-# start crond
+./build-key client[NODEID]
-/usr/sbin/crond -c /etc/crontabs
 </code>
-  - set up the crontab and run cron:<code>
+  - use defaults except for Common Name: **client[NODEID]**
-mkdir /etc/crontabs
+  - find the client<NODEID>.crt and client<NODEID>.key files in the ./keys folder -- KEEP THESE PRIVATE
-touch /etc/crontabs/root
+  - to copy them to the router, issue these commands on the router:<code>
-ln -sf /etc/crontabs/root /etc/crontab
+scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.crt /etc/openvpn
-/usr/sbin/crond -c /etc/crontabs
+scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.key /etc/openvpn
-vi /etc/crontab
 </code>
-  - add this to the end of /etc/crontab:<code>
+(it'll prompt you for the wireless@pwd.ca password each time)
-* * * * /usr/sbin/ntpclient -l -h pool.ntp.org -i 5 -s
-</code>
-  - restart crond for the change to take effect:<code>
-killall crond
-/usr/sbin/crond -c /etc/crontabs
-</code>
-  - install openvpn client on router:<code>
-ipkg install openvpn
-mkdir /etc/openvpn
-cd /etc/openvpn
-wget http://wirelesstoronto.ca/dist/client.conf
-vi /etc/openvpn/client.conf
-</code>
-  - replace NODEID with the real gateway id
-  - download CA cert:<code>
-cd /etc/openvpn
-wget http://wirelesstoronto.ca/dist/ca.crt
-</code>
-  - copy cert stuff from server (it'll prompt you for the password):<code>
-scp wireless@openvpn.wirelesstoronto.ca:easy-rsa/keys/client(NODEID).*
-</code><code>
-chmod 600 client(NODEID).key
-</code>
-  - install auto-run script:<code>
-cd /etc/init.d
-wget http://wirelesstoronto.ca/dist/S90openvpn
-chmod +x S90openvpn
-reboot
-</code>
-  - Congratulations, you're done!
-===== Notes on using the Motorola WR850 =====
-All instructions are the same, but use the correct OpenWRT package, of course.
-By default, the router comes configured with the LAN IP address 192.168.10.1.  Either change this to 192.168.1.1 before installing OpenWRT, or after installing OpenWRT, issue the additional commands:
-<code>
-nvram unset dhcp_start
-nvram unset dhcp_end
-nvram unset dhcp_dns
-nvram commit
-</code>
-These variables confuse dnsmasq, and aren't required.
+====== working on setting up an openvpn server on a router ======
+Instructions adapted from http://forum.openwrt.org/viewtopic.php?id=1800
-====== Other router-related stuff ======
+  - add this to /etc/firewall.user, right after the chunk on WAN SSH:<code>
+### Allow OpenVPN connections
+iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 1194 -j ACCEPT
+iptables        -A input_rule      -i $WAN -p udp --dport 1194 -j ACCEPT
+</code>
+  - create /etc/openvpnbridge:<code>
+#!/bin/sh
-===== Other resources =====
+#/etc/openvpnbridge
+# OpenVPN Bridge Config File
+# Creates TAP devices for use by OpenVPN and bridges them into OpenWRT Bridge
+# Taken from http://openvpn.net/bridge.html
-NYC Wireless have a good "walkthrough":http://www.nycwireless.net/tiki-pagehistory.php?page=WifiDog&preview=39
+# Make sure module is loaded
+insmod tun
+# Define Bridge Interface
+# Preexisting on OpenWRT
+br="br0"
-===== Location of old (pre-whiterussian) openvpn packages =====
+# Define list of TAP interfaces to be bridged,
-  - http://packages.milkfish.org/boozy/5.5.5/all_packages/libssl_0.9.7d-1_mipsel.ipk
+# for example tap="tap0 tap1 tap2".
-  - http://212.222.128.68/sven-ola/ipkg/liblzo_1.08_mipsel.ipk
+tap="tap0"
-  - http://wrt54g.free.fr/openwrt/b4/ipkg/openvpn_2.0test19_mipsel.ipk
-===== Upgrading OpenWRT to latest version (might be out of date) =====
+# Build tap devices
+for t in $tap; do
+    openvpn --mktun --dev $t
+done
-Cobbled together from instructions:
+# Add TAP interfaces to OpenWRT bridge
-  * http://wiki.openwrt.org/OpenWrtDocs/Installing#head-4f88301b6db87e0ff6c54cb4e65102e7aae8f6d9
-  * http://wiki.openwrt.org/OpenWrtDocs/Deinstalling
-  - Wget new firmware
+for t in $tap; do
-  - wget mtd.static
+    brctl addif $br $t
-  - Upgrade using mtd
+done
-  - telnet to 192.168.1.1 and set password using 'passwd'. Telnet will be disabled and SSH enabled.
-===== Setting up a WDS router =====
+#Configure bridged interfaces
-  - don't install wifidog on WDS "leaf" (as opposed to trunk/branch) routers
+for t in $tap; do
-  - make sure channel & SSID are correct:<code>
+    ifconfig $t 0.0.0.0 promisc up
-nvram set wl_ssid=wirelesstoronto
+done
-nvram set wl_channel=1
 </code>
-  - do:<code>
+  - <code>chmod +x /etc/openvpnbridge</code>
-nvram set wl0_lazywds=0
+  - create /etc/openvpn/server.conf:<code>
-nvram set wl0_wds=00:13:10:44:3b:50 00:13:10:3d:65:59 00:13:10:2d:a9:98
+port 1194
-nvram commit
+proto udp
+dev tap
+keepalive 10 120
+status openvpn-status.log
+verb 3
+secret /etc/openvpn/static.key
 </code>
-  - on the "client" router(s) only:<code>
+  - static key: /etc/openvpn/static.key:<code>openvpn --genkey --secret static.key</code>
-rm /etc/init.d/S??dnsmasq
+  - test: <code>openvpn /etc/openvpn/server.conf</code>
+  - autostartup script for server (/etc/init.d/S95openvpnserver):<code>
+#!/bin/sh
+#/etc/init.d/S95openvpnserver
+/etc/openvpnbridge
+openvpn /etc/openvpn/server.conf &
 </code>
-  - <code>reboot</code>
+  - make it executable:<code>
-  - **YOU MAY NEED TO ADD A STATIC ROUTE:**<code>
+chmod +x /etc/init.d/S95openvpnserver
-nvram set static_route=0.0.0.0:0.0.0.0:192.168.1.1:1:br0
+</code>
-nvram commit
+  - client config file:<code>
+dev tap
+proto udp
+remote Your.IP.Goes.Here 1194
+resolv-retry infinite
+nobind
+mute-replay-warnings
+secret /etc/openvpn/static.key
+verb 3
 </code>
-===== making client certificate files on server: =====
-  - ssh to pwd.ca, login as "wireless"<code>
-cd easy-rsa
-. ./vars
-</code>
-  - (ignore the output)<code>
-./build-key client[NODEID]
-</code>
-  - use defaults except for Common Name: **client[NODEID]**
-  - find the client<NODEID>.crt and client<NODEID>.key files in the ./keys folder -- KEEP THESE PRIVATE
-  - to copy them to the router, issue these commands on the router:<code>
-scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.crt /etc/openvpn
-scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.key /etc/openvpn
-</code>
-(it'll prompt you for the wireless@pwd.ca password each time)

Wireless Toronto

User Tools

Site Tools

Differences

Page Tools