How to set up OpenVPN with bridging

Step 1: Install Software

opkg install openvpn

is all that is needed. Windows users can either download the standard OpenVPN distribution or get the GUI version from here:

http://openvpn.se/download.html

Non-Windows clients just follow the OpenVPN install instructions.

Step 2: Generate Static Key

Windows users run the "Generate a static OpenVPN key" shortcut that the installer adds to the Start menu. Everyone else runs:

# openvpn --genkey --secret static.key

This only needs to be done once; the same file is then copied to every machine that is to be part of the VPN. I suggest placing the key file in /etc on the OpenWRT computer and leaving it in the default place on Windows. Treat it as a shared secret: copy it over a secure channel such as scp (never by e-mail), keep it readable only by root (chmod 600), and remember that static-key mode supports exactly one client per server instance and gives no forward secrecy, so anyone who later obtains the key can decrypt traffic captured earlier.
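Before copying static.key to the other end it is worth confirming that the file is intact and that both machines really hold the same key. The shell functions below are an added example (not part of this wiki page and not OpenVPN's own tooling): check_static_key validates the layout that openvpn --genkey writes (BEGIN/END markers around 2048 bits of hex), lock_down_key restricts the file to its owner, and key_fingerprint prints a SHA-256 of the key material so the two ends can compare it out of band after the copy. make_sample_key writes a constructed, deliberately non-random key for trying the functions out; never use it for a real VPN. The script assumes a POSIX sh with sed, grep, tr, chmod and sha256sum (or openssl as a fallback).

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki page or the OpenVPN project:
# sanity-check an "openvpn --genkey --secret" static key before copying it
# to the peer, restrict its permissions, and fingerprint it for comparison.
# Assumes POSIX sh plus sed, grep, tr, chmod and sha256sum (or openssl).

KEY_BEGIN='-----BEGIN OpenVPN Static key V1-----'
KEY_END='-----END OpenVPN Static key V1-----'

# key_body FILE -> the hex lines between the markers, comment lines dropped
key_body() {
    sed -n "/^$KEY_BEGIN\$/,/^$KEY_END\$/p" "$1" | grep -v '^-----' | grep -v '^#'
}

# check_static_key FILE -> 0 if FILE has the layout openvpn --genkey writes:
#   BEGIN/END markers around 2048 bits = 512 hex digits (16 lines of 32)
check_static_key() {
    f="$1"
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    grep -q "^$KEY_BEGIN\$" "$f" || { echo "$f: missing BEGIN marker" >&2; return 1; }
    grep -q "^$KEY_END\$" "$f"   || { echo "$f: missing END marker" >&2; return 1; }
    hex=$(key_body "$f" | tr -d '\r\n')
    case "$hex" in
        *[!0-9a-fA-F]*) echo "$f: non-hex data inside the key markers" >&2; return 1 ;;
    esac
    [ "${#hex}" -eq 512 ] || { echo "$f: ${#hex} hex digits, expected 512" >&2; return 1; }
    return 0
}

# lock_down_key FILE -> the key is a shared secret; only its owner may read it
lock_down_key() {
    chmod 600 "$1"
}

# key_fingerprint FILE -> SHA-256 over the key material only, so comment lines
# or line endings changed in transit do not alter the value; run it on both
# ends after copying the file (with scp, never by e-mail) and compare
key_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        key_body "$1" | tr -d '\r\n' | sha256sum | cut -d' ' -f1
    else
        key_body "$1" | tr -d '\r\n' | openssl dgst -sha256 | sed 's/^.*= //'
    fi
}

# make_sample_key FILE -> writes a CONSTRUCTED, non-random key in the genkey
# layout, only for exercising the checks above; never use it for real traffic
make_sample_key() {
    {
        echo '#'
        echo '# 2048 bit OpenVPN static key (constructed sample, NOT secret)'
        echo '#'
        echo "$KEY_BEGIN"
        i=0
        while [ $i -lt 16 ]; do
            echo '0123456789abcdef0123456789abcdef'
            i=$((i+1))
        done
        echo "$KEY_END"
    } > "$1"
}
```

Typical use on the router is `check_static_key /etc/static.key && lock_down_key /etc/static.key && key_fingerprint /etc/static.key`, then the same fingerprint call on the client; if the two values differ, the copy was altered or truncated and the link will fail with authentication errors rather than anything more helpful.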

An alternative is to install the openvpn-easy-rsa package on OpenWRT and run the following:

# ssh 192.168.1.1 (make sure to use the correct IP address of your router)
# cd /etc/easy-rsa
# nano vars

#*OPTIONAL*
#(These set the validity of the CA and of issued certificates to 3650 days; adjust as needed)
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
 
#(Change these last lines to suit your own country etc)
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
 
build-ca
build-dh
build-key-server server
build-key client

This snippet was copied from http://wiki.openwrt.org/inbox/vpn.howto. Note that the server and client configurations in Steps 3 and 4 use the static key, not these certificates; the CA, Diffie-Hellman parameters and certificates generated here are only useful if you run the server in TLS mode (ca/cert/key/dh in place of secret).

Step 3: Setup Server

First we need to make sure that OpenVPN connections to UDP port 1194 are not blocked by the firewall on OpenWRT. Add the following two lines to the firewall script (/etc/firewall.user on the old Whiterussian releases) after its section allowing WAN SSH access; the SSH lines are shown only as a landmark and are not needed for OpenVPN, so do not add them if SSH is not meant to be reachable from the WAN:

### Allow SSH from WAN 
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
iptables        -A input_rule      -i $WAN -p tcp --dport 22 -j ACCEPT

### Allow OpenVPN connections
iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 1194 -j ACCEPT
iptables        -A input_rule      -i $WAN -p udp --dport 1194 -j ACCEPT

### Port forwarding
# Add your stuff here

Alternatively you can edit /etc/config/firewall and add the following to the end. This has the added benefit of causing the firewall rules for SSH and OpenVPN to appear in the LuCI configuration interface. Again, the ssh-wan rule is optional and only belongs there if you actually want SSH exposed on the WAN side.

config 'rule'
        option 'target' 'ACCEPT'
        option 'src' 'wan' 
        option 'proto' 'tcp'  
        option 'dest_port' '22'
        option '_name' 'ssh-wan'
                                 
config 'rule'
        option '_name' 'openvpn-udp'
        option 'src' 'wan' 
        option 'target' 'ACCEPT'
        option 'proto' 'udp'   
        option 'dest_port' '1194'

Some HOWTOs elsewhere on the web recommend adding the following to /etc/firewall.rules:

iptables -I OUTPUT -o tap+ -j ACCEPT
iptables -I INPUT -i tap+ -j ACCEPT

iptables -I FORWARD -o tap+ -j ACCEPT
iptables -I FORWARD -i tap+ -j ACCEPT

These rules accept all traffic on every tap interface. In the bridged setup described here they are not needed: once tap0 is a port of the LAN bridge, frames from VPN clients enter and leave through the bridge interface and are handled by the existing lan-zone rules like any other LAN traffic. They only make sense for a routed (non-bridged) tap setup, and even then you should decide deliberately whether VPN clients deserve unrestricted access to the router and to the forwarding path.

Next we need to add the script to start the bridge:

#!/bin/sh
 
#/etc/openvpnbridge
# OpenVPN Bridge Config File
# Creates TAP devices for use by OpenVPN and bridges them into OpenWRT Bridge
# Taken from http://openvpn.net/bridge.html
 
# Make sure module is loaded
insmod tun
 
# Define Bridge Interface
# Preexisting on OpenWRT: "br0" on the old Whiterussian releases, "br-lan"
# on releases that use /etc/config/network (Kamikaze, Backfire and later).
# Check the actual name with "brctl show" and adjust this line to match.
br="br0"
 
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
 
# Build tap devices
for t in $tap; do
    openvpn --mktun --dev $t
done
 
# Add TAP interfaces to OpenWRT bridge
 
for t in $tap; do
    brctl addif $br $t
done
 
#Configure bridged interfaces
 
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

This file creates the OpenVPN tap devices and adds them to the default OpenWRT ethernet/wifi bridge, which makes VPN clients layer-2 peers of the LAN: they see LAN broadcasts and obtain their addresses from the LAN DHCP server. As indicated I call it /etc/openvpnbridge. Make sure to chmod +x it so that it is executable, and check with brctl show that tap0 is listed as a port of the bridge after running it.

Next comes the OpenVPN server config file:

# Which TCP/UDP port should OpenVPN listen on?
port 1194
 
# TCP or UDP server?
proto udp
 
# "dev tap0" attaches OpenVPN to the persistent tap0 that /etc/openvpnbridge
# created and bridged. A bare "dev tap" would make OpenVPN allocate a fresh
# tap device that is not part of the bridge, so the number must be given here.
dev tap0
 
 
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
 
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
;comp-lzo
 
# The persist options avoid re-reading the key file
# and re-opening the tap device on a keepalive-
# triggered restart; they are required if you later
# drop privileges with user/group, and harmless
# otherwise, so leave them enabled.
persist-key
persist-tun
 
# Output a short status file showing
# current connections, truncated
# and rewritten every minute. Keep it in
# /tmp (RAM) on OpenWRT so that a write
# every minute does not wear the flash.
status /tmp/openvpn-status.log
 
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
 
# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
 
# Static key from Step 2. The path must point at the copy you placed on the
# router (Step 2 suggested /etc and named the file static.key; rename the
# file or adjust this line so the two agree). Only the single peer holding
# this key can connect; static-key mode serves one client at a time.
secret /etc/openvpn.key

I call this file /etc/server.ovpn. At this point you can start OpenVPN in the foreground for testing:

openvpn /etc/server.ovpn

Started this way, OpenVPN prints its log to the terminal, so you see immediately whether it attached to tap0 and is listening on UDP 1194, or why it refused to start. Once it runs as a daemon (--daemon), the same messages go to syslog and can be read with logread.

Step 4: Configure Client

Client configuration is pretty simple. Place the following file in the OpenVPN config directory together with the static key, and change the server address in the remote line to match. Because the link is bridged, the client needs no ifconfig or route entries of its own: it obtains an address from the LAN DHCP server through the tunnel.

dev tap
 
proto udp
 
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote Your.IP.Goes.Here 1194
 
 
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
 
# Most clients don't need to bind to
# a specific local port number.
nobind
 
# Try to preserve some state across restarts.
;persist-key
;persist-tun
 
 
# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings
 
 
# Static key from Step 2; the name must match the copy in the config
# directory (Step 2 generated static.key, so rename one or the other).
secret secret.key
 
 
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
;comp-lzo
 
# Set log file verbosity.
verb 3
 
# Silence repeating messages
;mute 20

Now that should be it. Start the OpenVPN client either through the GUI or command line and it should link up.
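The comments in the two configs stress that comp-lzo must be set on both sides or on neither, and a static-key link also needs the same device type (tap), the same proto and a client remote port that matches the server's listening port; when one of these is off, OpenVPN's error messages rarely say so directly. The shell functions below are an added example (not from this page and not part of OpenVPN) that parse a server and a client config and report exactly those mismatches, plus the combination of secret with the TLS-only server-bridge directive. write_samples writes two constructed configs that mirror the ones above, with 198.51.100.10 (a documentation address) standing in for the server's IP, so the checker can be tried offline. It assumes a POSIX sh with sed and awk.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki page or the OpenVPN project:
# cross-check a static-key OpenVPN server config against its client config
# for the mismatches that silently break a bridged setup. Assumes POSIX sh
# with sed and awk (BusyBox provides both on OpenWRT).

# ovpn_opt FILE OPTION -> arguments of OPTION ("" if unset); lines whose first
# non-blank character is ';' or '#' are comments in OpenVPN configs
ovpn_opt() {
    sed -e '/^[[:space:]]*[;#]/d' "$1" |
        awk -v o="$2" '$1 == o { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# ovpn_has FILE OPTION -> 0 if OPTION appears uncommented anywhere in FILE
ovpn_has() {
    sed -e '/^[[:space:]]*[;#]/d' "$1" |
        awk -v o="$2" '$1 == o { found = 1 } END { exit !found }'
}

# check_pair SERVER CLIENT -> one line per problem on stdout; returns the count
check_pair() {
    s="$1"; c="$2"; n=0
    # bridging needs an ethernet (tap) tunnel, and both ends must use the same type
    sdev=$(ovpn_opt "$s" dev); cdev=$(ovpn_opt "$c" dev)
    case "$sdev" in tap*) ;; *) echo "server: 'dev $sdev' is not a tap device"; n=$((n+1)) ;; esac
    case "$cdev" in tap*) ;; *) echo "client: 'dev $cdev' does not match the server's tap"; n=$((n+1)) ;; esac
    # transport protocol must agree (OpenVPN defaults to udp on both sides)
    sproto=$(ovpn_opt "$s" proto); cproto=$(ovpn_opt "$c" proto)
    [ "${sproto:-udp}" = "${cproto:-udp}" ] || { echo "proto: server '${sproto:-udp}' vs client '${cproto:-udp}'"; n=$((n+1)); }
    # the client's remote port must be the port the server listens on (default 1194)
    sport=$(ovpn_opt "$s" port)
    cport=$(ovpn_opt "$c" remote | awk '{ print $2 }')
    [ "${cport:-1194}" = "${sport:-1194}" ] || { echo "port: client connects to ${cport:-1194}, server listens on ${sport:-1194}"; n=$((n+1)); }
    # comp-lzo must be enabled on both ends or on neither
    if ovpn_has "$s" comp-lzo; then sl=on; else sl=off; fi
    if ovpn_has "$c" comp-lzo; then cl=on; else cl=off; fi
    [ "$sl" = "$cl" ] || { echo "comp-lzo: server $sl, client $cl"; n=$((n+1)); }
    # static-key mode: both ends need 'secret'; 'secret' excludes TLS mode, so a
    # server that also carries 'server-bridge' (TLS-only) is misconfigured
    ovpn_has "$s" secret || { echo "server: no 'secret' directive"; n=$((n+1)); }
    ovpn_has "$c" secret || { echo "client: no 'secret' directive"; n=$((n+1)); }
    if ovpn_has "$s" secret && ovpn_has "$s" server-bridge; then
        echo "server: 'secret' and 'server-bridge' cannot be combined"; n=$((n+1))
    fi
    return $n
}

# write_samples DIR -> constructed server/client configs mirroring the ones on
# this page; 198.51.100.10 is a documentation address standing in for the server
write_samples() {
    cat > "$1/server.ovpn" <<'EOF'
port 1194
proto udp
dev tap0
keepalive 10 120
;comp-lzo
persist-key
persist-tun
verb 3
secret /etc/openvpn.key
EOF
    cat > "$1/client.ovpn" <<'EOF'
dev tap
proto udp
remote 198.51.100.10 1194
resolv-retry infinite
nobind
mute-replay-warnings
secret static.key
;comp-lzo
verb 3
EOF
}
```

Source the file and run `check_pair /etc/server.ovpn client.ovpn` with the real configs; a zero exit status means none of the checked settings disagree, any other value is the number of problems printed. The checker deliberately reads only the first occurrence of each option, the same way a reader scanning the file does, so keep one setting per option.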

Step 5: Wrap Up

If your setup did not work then it is time to start reading the quite excellent OpenVPN documentation. The #openvpn channel on Freenode is also quite helpful.

If your setup is working fine then the only remaining step is to automate the startup of the OpenVPN server on the OpenWRT machine. To this end create the following file and make sure it is executable:

#!/bin/sh
#/etc/init.d/S46openvpn
# Build tap0 and bridge it first, then start the server detached;
# --daemon sends the log to syslog, so logread shows its messages.
/etc/openvpnbridge
openvpn --daemon --config /etc/server.ovpn

In Backfire 10.03.1 /etc/init.d/openvpn appears to be present already. Edit it to add the following two lines above the "append_param()" function:

# Make sure tun/tap devices are present
/etc/openvpnbridge

Then enable openvpn to start on boot from the LuCI interface (System→Startup), or from the command line with

/etc/init.d/openvpn enable

Notes

The following notes (translated from German) describe the same bridged setup on a general Linux host with apt-get and /etc/network/interfaces rather than on OpenWRT. They use a TLS-mode server (server-bridge) instead of the static key used above, so the certificates from the easy-rsa variant of Step 2 apply here.

# On the OpenVPN server, build a virtual bridge interface over the tap0 and eth0 interfaces.
# apt-get install bridge-utils
# openvpn --mktun --dev tap0   creates the tap device
# brctl addbr br0              creates the bridge

# brctl addif br0 eth0         attaches eth0 to br0
# brctl addif br0 tap0         attaches tap0 to br0

# ifconfig tap0 0.0.0.0 promisc up
# ifconfig eth0 0.0.0.0 promisc up
# ifconfig br0 192.168.8.2 netmask 255.255.255.0 broadcast 192.168.8.255
# route add default gw 192.168.8.1

# iptables -A INPUT -i tap0 -j ACCEPT
# iptables -A INPUT -i eth0 -j ACCEPT
# iptables -A FORWARD -i br0 -j ACCEPT

### OpenVPN
# dev tap0                     the persistent, bridged tap0 created above
# dev-node tap-bridge          (Windows only: selects the TAP adapter by name; not needed on Linux)
# server-bridge 192.168.8.1 255.255.255.0 192.168.8.220 192.168.8.240 (Caution: keep this pool outside the range handed out by the LAN DHCP server to avoid address collisions!)


######## /etc/network/interfaces ##########

auto lo
iface lo inet loopback

# eth0 carries no address of its own; it is only a port of br0
allow-hotplug eth0
iface eth0 inet manual
   up ifconfig eth0 promisc up

# tap0 for OpenVPN; listed before br0 so that it exists when the bridge is built
auto tap0
iface tap0 inet manual
   pre-up tunctl -t tap0
   up ifconfig tap0 promisc up
   down ifconfig tap0 down
   post-down tunctl -d tap0

# the primary network iface; bridge_ports attaches both eth0 and tap0
auto br0
iface br0 inet static
   address 192.168.8.2
   netmask 255.255.255.0
   network 192.168.8.0
   broadcast 192.168.8.255
   gateway 192.168.8.1
   bridge_ports eth0 tap0
   bridge_fd 1
   bridge_stp off
   bridge_hello 1

doc/howto/vpn.server.openvpn.tap.txt · Last modified: 2013/04/03 11:41 by mforkel