This shows you the differences between two versions of the page.
Previous revision: openvpn_stuff [2007/04/01 14:35] 66.207.222.14 created
Next revision: openvpn_stuff [2007/04/14 14:27] gabe
Line 37: | Line 37: | ||
</code> | </code> | ||
- | + | **client.conf:** | |
- | - make sure you have the supported version of OpenWRT -- get it here: | + | <code> |
- | * Linksys WRT54G (up to and including v4) & WRT54GL: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54g-squashfs.bin | + | dev tap |
- | * Motorola WR850G: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wr850g-squashfs.bin | + | proto tcp-client |
- | * Linksys WRT54GS (up to and including v3): http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54gs-squashfs.bin | + | port 5000 |
- | * Linksys WRT54GS (v4): http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54gs_v4-squashfs.bin | + | ping 15 |
- | * Linksys WRT54G3G: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54g3g-squashfs.bin | + | ping-restart 120 |
- | * Linksys WRTSL54GS: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrtsl54gs-squashfs.bin | + | resolv-retry infinite |
- | - plug an ethernet cable from your computer to the LAN1 port on the router | + | remote openvpn.wirelesstoronto.ca |
- | - plug an ethernet cable from the router's WAN port to a DHCP-enabled Internet connection | + | tls-client |
- | - turn off your computer's wifi connection (to ensure that it only has 'net access through the new router) | + | ca /etc/openvpn/ca.crt |
- | - In a browser on your computer go to address 192.168.1.1 (this is the router's address) | + | cert /etc/openvpn/client**NODEID**.crt |
- | - Login leaving username blank and using password **admin** | + | key /etc/openvpn/client**NODEID**.key |
- | - Go to Wireless -> Basic Wireless Settings and change the Wireless Network Name to **wirelesstoronto**. Change the channel as necessary -- **1** is a good choice. Save settings. | + | ifconfig 192.168.222.**NODEID** 255.255.255.0 |
- | - Go to Administration -> Firmware Upgrade | + | |
- | - Upgrade the firmware using the openwrt image -- DON'T INTERRUPT IT! | + | |
- | - Watch the DMZ light -- it'll come on, then go off. when it goes off, connect to the router: http://192.168.1.1 | + | |
- | - Click any link and you should be asked to set a password for the root account; use the standard WT router root password. | + | |
- | - Connect to 192.168.1.1 using an SSH client (Linux and Mas OS have built in SSH, on Windows try "Putty":http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html): ssh root@192.168.1.1 | + | |
- | - Update and download standard packages, then edit wifidog.conf: <code> | + | |
- | ipkg update | + | |
- | ipkg install iptables-extra kmod-iptables-extra libpthread libgcc | + | |
- | ipkg install http://wirelesstoronto.ca/dist/wifidog_1.1.3_beta6-1_mipsel_whiterussianRC6.ipk | + | |
- | vi /etc/wifidog.conf | + | |
</code> | </code> | ||
- | - Specify the GatewayID, as appropriate (this needs to be set on the auth server!). | ||
- | - Uncomment the ExternalInterface line, and change the value to vlan1 | ||
- | - Change the value of the GatewayInterface line to br0 | ||
- | - Paste this into the AuthServer section:<code> | ||
- | AuthServer { | ||
- | Hostname auth.wirelesstoronto.ca | ||
- | SSLAvailable yes | ||
- | Path / | ||
- | } | ||
- | </code> | ||
- | - Save the changes to wifidog.conf file (esc **:wq**) | ||
- | - Set up ntpclient & timezone, then replace S99done:<code> | ||
- | ipkg install ntpclient | ||
- | cd /etc/init.d | ||
- | wget http://wirelesstoronto.ca/dist/S55ntpclient | ||
- | chmod +x /etc/init.d/S55ntpclient | ||
- | /etc/init.d/S55ntpclient | ||
- | echo EST5EDT,M3.2.0/02:00,M11.1.0/02:00 > /etc/TZ | + | ===== making client certificate files on server: ===== |
- | cd /etc/init.d | + | - ssh to pwd.ca, login as "wireless"<code> |
- | cp S99done S99done.real | + | cd easy-rsa |
- | rm S99done | + | . ./vars |
- | mv S99done.real S99done | + | |
- | vi /etc/init.d/S99done | + | |
</code> | </code> | ||
- | - add this to /etc/init.d/S99done:<code> | + | - (ignore the output)<code> |
- | # start crond | + | ./build-key client[NODEID] |
- | /usr/sbin/crond -c /etc/crontabs | + | |
</code> | </code> | ||
- | - set up the crontab and run cron:<code> | + | - use defaults except for Common Name: **client[NODEID]** |
- | mkdir /etc/crontabs | + | - find the client<NODEID>.crt and client<NODEID>.key files in the ./keys folder -- KEEP THESE PRIVATE |
- | touch /etc/crontabs/root | + | - to copy them to the router, issue these commands on the router:<code> |
- | ln -sf /etc/crontabs/root /etc/crontab | + | scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.crt /etc/openvpn |
- | /usr/sbin/crond -c /etc/crontabs | + | scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.key /etc/openvpn |
- | vi /etc/crontab | + | |
</code> | </code> | ||
- | - add this to the end of /etc/crontab:<code> | + | (it'll prompt you for the wireless@pwd.ca password each time) |
- | 0 * * * * /usr/sbin/ntpclient -l -h pool.ntp.org -i 5 -s | + | |
- | </code> | + | |
- | - restart crond for the change to take effect:<code> | + | |
- | killall crond | + | |
- | /usr/sbin/crond -c /etc/crontabs | + | |
- | </code> | + | |
- | - install openvpn client on router:<code> | + | |
- | ipkg install openvpn | + | |
- | mkdir /etc/openvpn | + | |
- | cd /etc/openvpn | + | |
- | wget http://wirelesstoronto.ca/dist/client.conf | + | |
- | vi /etc/openvpn/client.conf | + | |
- | </code> | + | |
- | - replace NODEID with the real gateway id | + | |
- | - download CA cert:<code> | + | |
- | cd /etc/openvpn | + | |
- | wget http://wirelesstoronto.ca/dist/ca.crt | + | |
- | </code> | + | |
- | - copy cert stuff from server (it'll prompt you for the password):<code> | + | |
- | scp wireless@openvpn.wirelesstoronto.ca:easy-rsa/keys/client(NODEID).* | + | |
- | </code><code> | + | |
- | chmod 600 client(NODEID).key | + | |
- | </code> | + | |
- | - install auto-run script:<code> | + | |
- | cd /etc/init.d | + | |
- | wget http://wirelesstoronto.ca/dist/S90openvpn | + | |
- | chmod +x S90openvpn | + | |
- | reboot | + | |
- | </code> | + | |
- | - Congratulations, you're done! | + | |
- | ===== Notes on using the Motorola WR850 ===== | ||
- | All instructions are the same, but use the correct OpenWRT package, of course. | ||
- | By default, the router comes configured with the LAN IP address 192.168.10.1. Either change this to 192.168.1.1 before installing OpenWRT, or after installing OpenWRT, issue the additional commands: | ||
- | <code> | ||
- | nvram unset dhcp_start | ||
- | nvram unset dhcp_end | ||
- | nvram unset dhcp_dns | ||
- | nvram commit | ||
- | </code> | ||
- | These variables confuse dnsmasq, and aren't required. | + | ====== working on setting up an openvpn server on a router ====== |
+ | Instructions adapted from http://forum.openwrt.org/viewtopic.php?id=1800 | ||
- | ====== Other router-related stuff ====== | + | - add this to /etc/firewall.user, right after the chunk on WAN SSH:<code> |
+ | ### Allow OpenVPN connections | ||
+ | iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 1194 -j ACCEPT | ||
+ | iptables -A input_rule -i $WAN -p udp --dport 1194 -j ACCEPT | ||
+ | </code> | ||
+ | - create /etc/openvpnbridge:<code> | ||
+ | #!/bin/sh | ||
- | ===== Other resources ===== | + | #/etc/openvpnbridge |
+ | # OpenVPN Bridge Config File | ||
+ | # Creates TAP devices for use by OpenVPN and bridges them into OpenWRT Bridge | ||
+ | # Taken from http://openvpn.net/bridge.html | ||
- | NYC Wireless have a good "walkthrough":http://www.nycwireless.net/tiki-pagehistory.php?page=WifiDog&preview=39 | + | # Make sure module is loaded |
+ | insmod tun | ||
+ | # Define Bridge Interface | ||
+ | # Preexisting on OpenWRT | ||
+ | br="br0" | ||
- | ===== Location of old (pre-whiterussian) openvpn packages ===== | + | # Define list of TAP interfaces to be bridged, |
- | - http://packages.milkfish.org/boozy/5.5.5/all_packages/libssl_0.9.7d-1_mipsel.ipk | + | # for example tap="tap0 tap1 tap2". |
- | - http://212.222.128.68/sven-ola/ipkg/liblzo_1.08_mipsel.ipk | + | tap="tap0" |
- | - http://wrt54g.free.fr/openwrt/b4/ipkg/openvpn_2.0test19_mipsel.ipk | + | |
- | ===== Upgrading OpenWRT to latest version (might be out of date) ===== | + | # Build tap devices |
+ | for t in $tap; do | ||
+ | openvpn --mktun --dev $t | ||
+ | done | ||
- | Cobbled together from instructions: | + | # Add TAP interfaces to OpenWRT bridge |
- | * http://wiki.openwrt.org/OpenWrtDocs/Installing#head-4f88301b6db87e0ff6c54cb4e65102e7aae8f6d9 | + | |
- | * http://wiki.openwrt.org/OpenWrtDocs/Deinstalling | + | |
- | - Wget new firmware | + | for t in $tap; do |
- | - wget mtd.static | + | brctl addif $br $t |
- | - Upgrade using mtd | + | done |
- | - telnet to 192.168.1.1 and set password using 'passwd'. Telnet will be disabled and SSH enabled. | + | |
- | ===== Setting up a WDS router ===== | + | #Configure bridged interfaces |
- | - don't install wifidog on WDS "leaf" (as opposed to trunk/branch) routers | + | for t in $tap; do |
- | - make sure channel & SSID are correct:<code> | + | ifconfig $t 0.0.0.0 promisc up |
- | nvram set wl_ssid=wirelesstoronto | + | done |
- | nvram set wl_channel=1 | + | |
</code> | </code> | ||
- | - do:<code> | + | - <code>chmod +x /etc/openvpnbridge</code> |
- | nvram set wl0_lazywds=0 | + | - create /etc/openvpn/server.conf:<code> |
- | nvram set wl0_wds=00:13:10:44:3b:50 00:13:10:3d:65:59 00:13:10:2d:a9:98 | + | port 1194 |
- | nvram commit | + | proto udp |
+ | dev tap | ||
+ | keepalive 10 120 | ||
+ | status openvpn-status.log | ||
+ | verb 3 | ||
+ | secret /etc/openvpn/static.key | ||
</code> | </code> | ||
- | - on the "client" router(s) only:<code> | + | - static key: /etc/openvpn/static.key:<code>openvpn --genkey --secret static.key</code> |
- | rm /etc/init.d/S??dnsmasq | + | - test: <code>openvpn /etc/openvpn/server.conf</code> |
+ | - autostartup script for server (/etc/init.d/S95openvpnserver):<code> | ||
+ | #!/bin/sh | ||
+ | #/etc/init.d/S95openvpnserver | ||
+ | /etc/openvpnbridge | ||
+ | openvpn /etc/openvpn/server.conf & | ||
</code> | </code> | ||
- | - <code>reboot</code> | + | - make it executable:<code> |
- | - **YOU MAY NEED TO ADD A STATIC ROUTE:**<code> | + | chmod +x /etc/init.d/S95openvpnserver |
- | nvram set static_route=0.0.0.0:0.0.0.0:192.168.1.1:1:br0 | + | </code> |
- | nvram commit | + | - client config file:<code> |
+ | dev tap | ||
+ | proto udp | ||
+ | remote Your.IP.Goes.Here 1194 | ||
+ | resolv-retry infinite | ||
+ | nobind | ||
+ | mute-replay-warnings | ||
+ | secret /etc/openvpn/static.key | ||
+ | verb 3 | ||
</code> | </code> | ||
- | |||
- | ===== making client certificate files on server: ===== | ||
- | |||
- | - ssh to pwd.ca, login as "wireless"<code> | ||
- | cd easy-rsa | ||
- | . ./vars | ||
- | </code> | ||
- | - (ignore the output)<code> | ||
- | ./build-key client[NODEID] | ||
- | </code> | ||
- | - use defaults except for Common Name: **client[NODEID]** | ||
- | - find the client<NODEID>.crt and client<NODEID>.key files in the ./keys folder -- KEEP THESE PRIVATE | ||
- | - to copy them to the router, issue these commands on the router:<code> | ||
- | scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.crt /etc/openvpn | ||
- | scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.key /etc/openvpn | ||
- | </code> | ||
- | (it'll prompt you for the wireless@pwd.ca password each time) | ||
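Review bot: the new "making client certificate files on server" section at the end of the hunk (the two `scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.* /etc/openvpn` lines that replace the old "copy cert stuff from server" step) drops the `chmod 600 client(NODEID).key` the old text ran right after the copy, so the router's private key keeps whatever mode scp gives it; restore that step after the second scp, e.g. `chmod 600 /etc/openvpn/client<NODEID>.key`. Two smaller points in the same hunk: the added client.conf uses `tls-client` with only `ca`, `cert` and `key`, so any certificate signed by the same CA (another node's client cert included) would be accepted as the server; `ns-cert-type server` (the OpenVPN 2.0-era check that the peer's certificate was issued with build-key-server) closes that. And the node-id placeholder is written four different ways (`client**NODEID**`, `client[NODEID]`, `client<NODEID>`, `client(NODEID)`); pick one so a reader substituting the real gateway id does not leave brackets in file names.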