openvpn_stuff [2007/04/02 14:23] 66.207.222.14
openvpn_stuff [2013/09/28 16:06]
Line 1: | Line 1: | ||
- | ====== setting up openvpn server ====== | ||
- | |||
- | This is old; check if there's new versions of stuff that you should use. | ||
- | |||
- | <code> | ||
- | cd /usr/local/src | ||
- | wget http://openvpn.net/release/openvpn-2.0.tar.gz | ||
- | tar xvfz openvpn-2.0.tar.gz | ||
- | cd openvpn-2.0 | ||
- | apt-get install liblzo-dev | ||
- | ./configure | ||
- | make | ||
- | make install | ||
- | |||
- | mkdir /etc/openvpn | ||
- | mkdir /etc/openvpn/easy-rsa | ||
- | cp /usr/local/src/easy-rsa/* /etc/openvpn/easy-rsa | ||
- | </code> | ||
- | |||
- | **/etc/openvpn/server.conf:** | ||
- | <code> | ||
- | dev tap | ||
- | port 5000 | ||
- | proto tcp-server | ||
- | verb 1 | ||
- | mode server | ||
- | tls-server | ||
- | ping 60 | ||
- | ca /etc/openvpn/ca.crt | ||
- | cert /etc/openvpn/server.crt | ||
- | key /etc/openvpn/server.key | ||
- | dh /etc/openvpn/dh1024.pem | ||
- | ifconfig 192.168.222.1 255.255.255.0 | ||
- | ifconfig-pool 192.168.222.100 192.168.222.200 | ||
- | route 192.168.222.0 255.255.255.0 | ||
- | route-gateway 192.168.222.1 | ||
- | </code> | ||
- | |||
- | **client.conf:** | ||
- | <code> | ||
- | dev tap | ||
- | proto tcp-client | ||
- | port 5000 | ||
- | ping 15 | ||
- | ping-restart 120 | ||
- | resolv-retry infinite | ||
- | remote openvpn.wirelesstoronto.ca | ||
- | tls-client | ||
- | ca /etc/openvpn/ca.crt | ||
- | cert /etc/openvpn/client**NODEID**.crt | ||
- | key /etc/openvpn/client**NODEID**.key | ||
- | ifconfig 192.168.222.**NODEID** 255.255.255.0 | ||
- | </code> | ||
- | |||
- | ===== making client certificate files on server: ===== | ||
- | |||
- | - ssh to pwd.ca, login as "wireless"<code> | ||
- | cd easy-rsa | ||
- | . ./vars | ||
- | </code> | ||
- | - (ignore the output)<code> | ||
- | ./build-key client[NODEID] | ||
- | </code> | ||
- | - use defaults except for Common Name: **client[NODEID]** | ||
- | - find the client<NODEID>.crt and client<NODEID>.key files in the ./keys folder -- KEEP THESE PRIVATE | ||
- | - to copy them to the router, issue these commands on the router:<code> | ||
- | scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.crt /etc/openvpn | ||
- | scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.key /etc/openvpn | ||
- | </code> | ||
- | (it'll prompt you for the wireless@pwd.ca password each time) | ||
- | |||
- | |||
- | |||
- | ====== working on setting up an openvpn server on a router ====== | ||
- | |||
- | Instructions adapted from http://forum.openwrt.org/viewtopic.php?id=1800 | ||
- | |||
- | - add this to /etc/firewall.user, right after the chunk on WAN SSH:<code> | ||
- | ### Allow OpenVPN connections | ||
- | iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 1194 -j ACCEPT | ||
- | iptables -A input_rule -i $WAN -p udp --dport 1194 -j ACCEPT | ||
- | </code> | ||
- | - create /etc/openvpnbridge:<code> | ||
- | #!/bin/sh | ||
- | |||
- | #/etc/openvpnbridge | ||
- | # OpenVPN Bridge Config File | ||
- | # Creates TAP devices for use by OpenVPN and bridges them into OpenWRT Bridge | ||
- | # Taken from http://openvpn.net/bridge.html | ||
- | |||
- | # Make sure module is loaded | ||
- | insmod tun | ||
- | |||
- | # Define Bridge Interface | ||
- | # Preexisting on OpenWRT | ||
- | br="br0" | ||
- | |||
- | # Define list of TAP interfaces to be bridged, | ||
- | # for example tap="tap0 tap1 tap2". | ||
- | tap="tap0" | ||
- | |||
- | # Build tap devices | ||
- | for t in $tap; do | ||
- | openvpn --mktun --dev $t | ||
- | done | ||
- | |||
- | # Add TAP interfaces to OpenWRT bridge | ||
- | |||
- | for t in $tap; do | ||
- | brctl addif $br $t | ||
- | done | ||
- | |||
- | #Configure bridged interfaces | ||
- | |||
- | for t in $tap; do | ||
- | ifconfig $t 0.0.0.0 promisc up | ||
- | done | ||
- | </code> | ||
- | - <code>chmod +x /etc/openvpnbridge</code> | ||
- | - create /etc/openvpn/server.conf:<code> | ||
- | port 1194 | ||
- | proto udp | ||
- | dev tap | ||
- | keepalive 10 120 | ||
- | status openvpn-status.log | ||
- | verb 3 | ||
- | secret /etc/openvpn/static.key | ||
- | </code> | ||
- | - static key: /etc/openvpn/static.key:<code>openvpn --genkey --secret static.key</code> | ||
- | - test: <code>openvpn /etc/openvpn/server.conf</code> | ||
- | - client config file:<code> | ||
- | dev tap | ||
- | proto udp | ||
- | remote Your.IP.Goes.Here 1194 | ||
- | resolv-retry infinite | ||
- | nobind | ||
- | mute-replay-warnings | ||
- | secret /etc/openvpn/static.key | ||
- | verb 3 | ||
- | </code> | ||
- | - autostartup script for server (/etc/init.d/S95openvpnserver):<code> | ||
- | #!/bin/sh | ||
- | #/etc/init.d/S95openvpnserver | ||
- | /etc/openvpnbridge | ||
- | openvpn /etc/openvpn/server.conf & | ||
- | </code> | ||
- | |||
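Review bot: this revision blanks the whole page without leaving a pointer to where the OpenVPN setup is now documented; since the removed text opens with "This is old; check if there's new versions of stuff that you should use.", a one-line stub naming the replacement page (or stating that the service is retired) would keep the history useful. Retiring the content itself looks justified from what is visible in the hunk: the server config relies on `dh /etc/openvpn/dh1024.pem` (1024-bit DH, well below current recommendations), the router setup uses a single `secret /etc/openvpn/static.key` that must be copied verbatim to every client, and the certificate procedure depends on a shared login (`ssh to pwd.ca, login as "wireless"`) whose password is typed at each `scp`, so key material and a shared account are coupled in one place. Two smaller points in the removed router scripts, in case any of it is resurrected elsewhere: `status openvpn-status.log` is a relative path, so the status file lands in whatever directory `/etc/init.d/S95openvpnserver` happens to be started from (use an absolute path such as `/var/log/openvpn-status.log`), and `insmod tun` in `/etc/openvpnbridge` errors out on every run after the first because the module is already loaded, so guard it with an `lsmod | grep -q '^tun'` check before calling `insmod`.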