This shows you the differences between two versions of the page.
openvpn_stuff [2007/04/01 14:35] 66.207.222.14 created
openvpn_stuff [2013/09/28 16:06]
Line 1: | Line 1: | ||
- | ====== setting up openvpn server ====== | ||
- | |||
- | This is old; check if there's new versions of stuff that you should use. | ||
- | |||
- | <code> | ||
- | cd /usr/local/src | ||
- | wget http://openvpn.net/release/openvpn-2.0.tar.gz | ||
- | tar xvfz openvpn-2.0.tar.gz | ||
- | cd openvpn-2.0 | ||
- | apt-get install liblzo-dev | ||
- | ./configure | ||
- | make | ||
- | make install | ||
- | |||
- | mkdir /etc/openvpn | ||
- | mkdir /etc/openvpn/easy-rsa | ||
- | cp /usr/local/src/easy-rsa/* /etc/openvpn/easy-rsa | ||
- | </code> | ||
- | |||
- | **/etc/openvpn/server.conf:** | ||
- | <code> | ||
- | dev tap | ||
- | port 5000 | ||
- | proto tcp-server | ||
- | verb 1 | ||
- | mode server | ||
- | tls-server | ||
- | ping 60 | ||
- | ca /etc/openvpn/ca.crt | ||
- | cert /etc/openvpn/server.crt | ||
- | key /etc/openvpn/server.key | ||
- | dh /etc/openvpn/dh1024.pem | ||
- | ifconfig 192.168.222.1 255.255.255.0 | ||
- | ifconfig-pool 192.168.222.100 192.168.222.200 | ||
- | route 192.168.222.0 255.255.255.0 | ||
- | route-gateway 192.168.222.1 | ||
- | </code> | ||
- | |||
- | |||
- | - make sure you have the supported version of OpenWRT -- get it here: | ||
- | * Linksys WRT54G (up to and including v4) & WRT54GL: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54g-squashfs.bin | ||
- | * Motorola WR850G: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wr850g-squashfs.bin | ||
- | * Linksys WRT54GS (up to and including v3): http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54gs-squashfs.bin | ||
- | * Linksys WRT54GS (v4): http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54gs_v4-squashfs.bin | ||
- | * Linksys WRT54G3G: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54g3g-squashfs.bin | ||
- | * Linksys WRTSL54GS: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrtsl54gs-squashfs.bin | ||
- | - plug an ethernet cable from your computer to the LAN1 port on the router | ||
- | - plug an ethernet cable from the router's WAN port to a DHCP-enabled Internet connection | ||
- | - turn off your computer's wifi connection (to ensure that it only has 'net access through the new router) | ||
- | - In a browser on your computer go to address 192.168.1.1 (this is the router's address) | ||
- | - Login leaving username blank and using password **admin** | ||
- | - Go to Wireless -> Basic Wireless Settings and change the Wireless Network Name to **wirelesstoronto**. Change the channel as necessary -- **1** is a good choice. Save settings. | ||
- | - Go to Administration -> Firmware Upgrade | ||
- | - Upgrade the firmware using the openwrt image -- DON'T INTERRUPT IT! | ||
- | - Watch the DMZ light -- it'll come on, then go off. when it goes off, connect to the router: http://192.168.1.1 | ||
- | - Click any link and you should be asked to set a password for the root account; use the standard WT router root password. | ||
- | - Connect to 192.168.1.1 using an SSH client (Linux and Mas OS have built in SSH, on Windows try "Putty":http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html): ssh root@192.168.1.1 | ||
- | - Update and download standard packages, then edit wifidog.conf: <code> | ||
- | ipkg update | ||
- | ipkg install iptables-extra kmod-iptables-extra libpthread libgcc | ||
- | ipkg install http://wirelesstoronto.ca/dist/wifidog_1.1.3_beta6-1_mipsel_whiterussianRC6.ipk | ||
- | vi /etc/wifidog.conf | ||
- | </code> | ||
- | - Specify the GatewayID, as appropriate (this needs to be set on the auth server!). | ||
- | - Uncomment the ExternalInterface line, and change the value to vlan1 | ||
- | - Change the value of the GatewayInterface line to br0 | ||
- | - Paste this into the AuthServer section:<code> | ||
- | AuthServer { | ||
- | Hostname auth.wirelesstoronto.ca | ||
- | SSLAvailable yes | ||
- | Path / | ||
- | } | ||
- | </code> | ||
- | - Save the changes to wifidog.conf file (esc **:wq**) | ||
- | - Set up ntpclient & timezone, then replace S99done:<code> | ||
- | ipkg install ntpclient | ||
- | cd /etc/init.d | ||
- | wget http://wirelesstoronto.ca/dist/S55ntpclient | ||
- | chmod +x /etc/init.d/S55ntpclient | ||
- | /etc/init.d/S55ntpclient | ||
- | |||
- | echo EST5EDT,M3.2.0/02:00,M11.1.0/02:00 > /etc/TZ | ||
- | |||
- | cd /etc/init.d | ||
- | cp S99done S99done.real | ||
- | rm S99done | ||
- | mv S99done.real S99done | ||
- | vi /etc/init.d/S99done | ||
- | </code> | ||
- | - add this to /etc/init.d/S99done:<code> | ||
- | # start crond | ||
- | /usr/sbin/crond -c /etc/crontabs | ||
- | </code> | ||
- | - set up the crontab and run cron:<code> | ||
- | mkdir /etc/crontabs | ||
- | touch /etc/crontabs/root | ||
- | ln -sf /etc/crontabs/root /etc/crontab | ||
- | /usr/sbin/crond -c /etc/crontabs | ||
- | vi /etc/crontab | ||
- | </code> | ||
- | - add this to the end of /etc/crontab:<code> | ||
- | 0 * * * * /usr/sbin/ntpclient -l -h pool.ntp.org -i 5 -s | ||
- | </code> | ||
- | - restart crond for the change to take effect:<code> | ||
- | killall crond | ||
- | /usr/sbin/crond -c /etc/crontabs | ||
- | </code> | ||
- | - install openvpn client on router:<code> | ||
- | ipkg install openvpn | ||
- | mkdir /etc/openvpn | ||
- | cd /etc/openvpn | ||
- | wget http://wirelesstoronto.ca/dist/client.conf | ||
- | vi /etc/openvpn/client.conf | ||
- | </code> | ||
- | - replace NODEID with the real gateway id | ||
- | - download CA cert:<code> | ||
- | cd /etc/openvpn | ||
- | wget http://wirelesstoronto.ca/dist/ca.crt | ||
- | </code> | ||
- | - copy cert stuff from server (it'll prompt you for the password):<code> | ||
- | scp wireless@openvpn.wirelesstoronto.ca:easy-rsa/keys/client(NODEID).* | ||
- | </code><code> | ||
- | chmod 600 client(NODEID).key | ||
- | </code> | ||
- | - install auto-run script:<code> | ||
- | cd /etc/init.d | ||
- | wget http://wirelesstoronto.ca/dist/S90openvpn | ||
- | chmod +x S90openvpn | ||
- | reboot | ||
- | </code> | ||
- | - Congratulations, you're done! | ||
- | |||
- | ===== Notes on using the Motorola WR850 ===== | ||
- | All instructions are the same, but use the correct OpenWRT package, of course. | ||
- | |||
- | By default, the router comes configured with the LAN IP address 192.168.10.1. Either change this to 192.168.1.1 before installing OpenWRT, or after installing OpenWRT, issue the additional commands: | ||
- | <code> | ||
- | nvram unset dhcp_start | ||
- | nvram unset dhcp_end | ||
- | nvram unset dhcp_dns | ||
- | nvram commit | ||
- | </code> | ||
- | |||
- | These variables confuse dnsmasq, and aren't required. | ||
- | |||
- | |||
- | ====== Other router-related stuff ====== | ||
- | |||
- | ===== Other resources ===== | ||
- | |||
- | NYC Wireless have a good "walkthrough":http://www.nycwireless.net/tiki-pagehistory.php?page=WifiDog&preview=39 | ||
- | |||
- | |||
- | ===== Location of old (pre-whiterussian) openvpn packages ===== | ||
- | - http://packages.milkfish.org/boozy/5.5.5/all_packages/libssl_0.9.7d-1_mipsel.ipk | ||
- | - http://212.222.128.68/sven-ola/ipkg/liblzo_1.08_mipsel.ipk | ||
- | - http://wrt54g.free.fr/openwrt/b4/ipkg/openvpn_2.0test19_mipsel.ipk | ||
- | |||
- | ===== Upgrading OpenWRT to latest version (might be out of date) ===== | ||
- | |||
- | Cobbled together from instructions: | ||
- | * http://wiki.openwrt.org/OpenWrtDocs/Installing#head-4f88301b6db87e0ff6c54cb4e65102e7aae8f6d9 | ||
- | * http://wiki.openwrt.org/OpenWrtDocs/Deinstalling | ||
- | |||
- | - Wget new firmware | ||
- | - wget mtd.static | ||
- | - Upgrade using mtd | ||
- | - telnet to 192.168.1.1 and set password using 'passwd'. Telnet will be disabled and SSH enabled. | ||
- | |||
- | ===== Setting up a WDS router ===== | ||
- | |||
- | - don't install wifidog on WDS "leaf" (as opposed to trunk/branch) routers | ||
- | - make sure channel & SSID are correct:<code> | ||
- | nvram set wl_ssid=wirelesstoronto | ||
- | nvram set wl_channel=1 | ||
- | </code> | ||
- | - do:<code> | ||
- | nvram set wl0_lazywds=0 | ||
- | nvram set wl0_wds=00:13:10:44:3b:50 00:13:10:3d:65:59 00:13:10:2d:a9:98 | ||
- | nvram commit | ||
- | </code> | ||
- | - on the "client" router(s) only:<code> | ||
- | rm /etc/init.d/S??dnsmasq | ||
- | </code> | ||
- | - <code>reboot</code> | ||
- | - **YOU MAY NEED TO ADD A STATIC ROUTE:**<code> | ||
- | nvram set static_route=0.0.0.0:0.0.0.0:192.168.1.1:1:br0 | ||
- | nvram commit | ||
- | </code> | ||
- | |||
- | |||
- | ===== making client certificate files on server: ===== | ||
- | |||
- | - ssh to pwd.ca, login as "wireless"<code> | ||
- | cd easy-rsa | ||
- | . ./vars | ||
- | </code> | ||
- | - (ignore the output)<code> | ||
- | ./build-key client[NODEID] | ||
- | </code> | ||
- | - use defaults except for Common Name: **client[NODEID]** | ||
- | - find the client<NODEID>.crt and client<NODEID>.key files in the ./keys folder -- KEEP THESE PRIVATE | ||
- | - to copy them to the router, issue these commands on the router:<code> | ||
- | scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.crt /etc/openvpn | ||
- | scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.key /etc/openvpn | ||
- | </code> | ||
- | (it'll prompt you for the wireless@pwd.ca password each time) | ||
- | |||
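Review bot: The server.conf being removed here (lines `dh /etc/openvpn/dh1024.pem` through `route-gateway 192.168.222.1`) pins a 1024-bit DH parameter file and sets no `cipher`, `auth` or `tls-auth` directive, so the OpenVPN 2.0-era defaults apply; anyone restoring this page from history should regenerate the DH parameters at 2048 bits or larger and add explicit `cipher` and `auth` lines, in keeping with the page's own warning "This is old; check if there's new versions of stuff that you should use." Two smaller problems in the router steps: the "copy cert stuff from server" line `scp wireless@openvpn.wirelesstoronto.ca:easy-rsa/keys/client(NODEID).*` has no destination argument and will print scp's usage rather than copy anything (the later "making client certificate files" section shows the working form with `/etc/openvpn` as the target), and the gateway placeholder is written three different ways, `client(NODEID)`, `client[NODEID]` and `client<NODEID>`, which should be unified so the `chmod 600` and `build-key` lines refer to the same file. Note also that the per-router private key is generated on the CA host and pulled down with the shared `wireless` account password; that key is readable by everyone who holds that password, so the `chmod 600 client(NODEID).key` step protects it on the router only, not at its source.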