openvpn_stuff

This is an old revision of the document!

====== setting up openvpn server ======

This is old; check whether there are newer versions of the software that you should use instead.

<code>
cd /usr/local/src
wget http://openvpn.net/release/openvpn-2.0.tar.gz
tar xvfz openvpn-2.0.tar.gz
cd openvpn-2.0
apt-get install liblzo-dev
./configure
make
make install
mkdir /etc/openvpn
mkdir /etc/openvpn/easy-rsa
# easy-rsa ships inside the extracted source tree
cp -r /usr/local/src/openvpn-2.0/easy-rsa/* /etc/openvpn/easy-rsa
</code>

**/etc/openvpn/server.conf:**

<code>
dev tap
port 5000
proto tcp-server
verb 1
mode server
tls-server
ping 60
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
ifconfig 192.168.222.1 255.255.255.0
ifconfig-pool 192.168.222.100 192.168.222.200
route 192.168.222.0 255.255.255.0
route-gateway 192.168.222.1
</code>

**client.conf:**

<code>
dev tap
proto tcp-client
port 5000
ping 15
ping-restart 120
resolv-retry infinite
remote openvpn.wirelesstoronto.ca
tls-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client**NODEID**.crt
key /etc/openvpn/client**NODEID**.key
ifconfig 192.168.222.**NODEID** 255.255.255.0
</code>

===== making client certificate files on server: =====

  - ssh to pwd.ca, log in as "wireless", then source the easy-rsa variables (ignore the output):
<code>
cd easy-rsa
. ./vars
</code>
  - build the client key and certificate:
<code>
./build-key client[NODEID]
</code>
  - use the defaults except for Common Name: **client[NODEID]**
  - find the client<NODEID>.crt and client<NODEID>.key files in the ./keys folder -- KEEP THESE PRIVATE
  - to copy them to the router, issue these commands on the router (it will prompt you for the wireless@pwd.ca password each time):
<code>
scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.crt /etc/openvpn
scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.key /etc/openvpn
</code>

====== working on setting up an openvpn server on a router ======

Instructions adapted from http://forum.openwrt.org/viewtopic.php?id=1800

  - add this to /etc/firewall.user, right after the chunk on WAN SSH:
<code>
### Allow OpenVPN connections
iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 1194 -j ACCEPT
iptables -A input_rule -i $WAN -p udp --dport 1194 -j ACCEPT
</code>
  - create /etc/openvpnbridge:
<code>
#!/bin/sh
#/etc/openvpnbridge
# OpenVPN Bridge Config File
# Creates TAP devices for use by OpenVPN and bridges them into OpenWRT Bridge
# Taken from http://openvpn.net/bridge.html

# Make sure module is loaded
insmod tun

# Define Bridge Interface
# Preexisting on OpenWRT
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Build tap devices
for t in $tap; do
    openvpn --mktun --dev $t
done

# Add TAP interfaces to OpenWRT bridge
for t in $tap; do
    brctl addif $br $t
done

# Configure bridged interfaces
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done
</code>
  - make it executable:
<code>
chmod +x /etc/openvpnbridge
</code>
  - create /etc/server.ovpn:
<code>
port 1194
proto udp
dev tap
keepalive 10 120
status openvpn-status.log
verb 3
secret /etc/openvpn/static.key
</code>
  - generate the static key at /etc/openvpn/static.key:
<code>
openvpn --genkey --secret /etc/openvpn/static.key
</code>
  - test it against the config created above:
<code>
openvpn /etc/server.ovpn
</code>
  - client config file:
<code>
dev tap
proto udp
remote Your.IP.Goes.Here 1194
resolv-retry infinite
nobind
mute-replay-warnings
secret /etc/openvpn/static.key
verb 3
</code>
  - autostartup script for server:
<code>
#!/bin/sh
#/etc/init.d/S46openvpn
/etc/openvpnbridge
openvpn /etc/server.ovpn &
</code>
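The client.conf template above needs a per-node NODEID filled into the cert, key and ifconfig lines, and the server.conf hands out 192.168.222.100-200 from its ifconfig-pool, so a NODEID in that range (or 1, the server's own address) would collide with another client. The following script is an added example, not from this wiki page or from the OpenVPN project: it renders the page's client.conf for a given NODEID, rejects NODEIDs that would collide, and checks that a copied key file is not group/world readable (the "KEEP THESE PRIVATE" step). The function names and the pool/server constants are assumptions taken from the configs above.

```shell
#!/bin/sh
# Added example: render the page's client.conf for one NODEID and sanity-check it.
# Constants below are copied from the server.conf on this page.
POOL_START=100        # ifconfig-pool 192.168.222.100 ...
POOL_END=200          # ... 192.168.222.200
SERVER_HOST_OCTET=1   # ifconfig 192.168.222.1

# check_nodeid NODEID: returns 0 if NODEID is a usable host octet, 1 otherwise
check_nodeid() {
    id="$1"
    case "$id" in
        ''|*[!0-9]*) return 1 ;;          # must be a plain decimal integer
    esac
    [ "$id" -ge 2 ] && [ "$id" -le 254 ] || return 1
    [ "$id" -ne "$SERVER_HOST_OCTET" ] || return 1
    # addresses inside the pool are assigned dynamically to other clients
    if [ "$id" -ge "$POOL_START" ] && [ "$id" -le "$POOL_END" ]; then
        return 1
    fi
    return 0
}

# render_client_conf NODEID: prints client.conf from the page with NODEID filled in
render_client_conf() {
    id="$1"
    check_nodeid "$id" || { echo "refusing NODEID '$id': out of range or collides with pool/server" >&2; return 1; }
    cat <<EOF
dev tap
proto tcp-client
port 5000
ping 15
ping-restart 120
resolv-retry infinite
remote openvpn.wirelesstoronto.ca
tls-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client${id}.crt
key /etc/openvpn/client${id}.key
ifconfig 192.168.222.${id} 255.255.255.0
EOF
}

# check_key_perms FILE: returns 0 if FILE exists and has no group/other permission bits
check_key_perms() {
    f="$1"
    [ -f "$f" ] || return 1
    # columns 5-10 of ls -l are the group and other permission bits (portable, no GNU stat)
    mode=$(ls -l "$f" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Usage: render_client_conf 42 > /etc/openvpn/client.conf
#        check_key_perms /etc/openvpn/client42.key || chmod 600 /etc/openvpn/client42.key
```

Write the rendered file out with `render_client_conf NODEID > client.conf` on the router after copying the cert and key; run `check_key_perms` on the .key file after the scp, since scp preserves the mode of the source file on pwd.ca, not the mode you want on the router.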

openvpn_stuff.1175465377.txt.gz · Last modified: 2013/09/28 16:06 (external edit)