opkg install openvpn
is all that is needed. Windows users can either download the standard OpenVPN distribution or get the GUI version from here:
Non-Windows clients just follow the OpenVPN install instructions.
Windows users click the icon to generate a static key. Everyone else run:
# openvpn --genkey --secret static.key
This only needs to be done once and then copied to all machines to be part of the VPN. I suggest placing the key file in /etc on the OpenWRT computer and leaving in the default place on Windows.
An alternative way is to install
openvpn-easy-rsa package for OpenWRT and do this batch:
# ssh 192.168.1.1 (make sure to use the correct IP address of your router) # cd /etc/easy-rsa # nano vars
#*OPTIONAL* #(Comment out the following lines if you do not want your certificates to expire) export CA_EXPIRE=3650 export KEY_EXPIRE=3650 #(Change these last lines to suit your own country etc) export KEY_COUNTRY="US" export KEY_PROVINCE="CA" export KEY_CITY="SanFrancisco" export KEY_ORG="Fort-Funston" export KEY_EMAIL="email@example.com" build-ca build-dh build-key-server server build-key client
This snippet code was copied from http://wiki.openwrt.org/inbox/vpn.howto.
First we need to make sure that OpenVPN connections to port 1194 are not blocked by the firewall on OpenWRT. Add the following two lines after the section allowing WAN SSH access:
### Allow SSH from WAN iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT ### Allow OpenVPN connections iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 1194 -j ACCEPT iptables -A input_rule -i $WAN -p udp --dport 1194 -j ACCEPT ### Port forwarding # Add your stuff here
Alternatively you can edit /etc/config/firewall and add the following to the end. This has the added benefit of causing the firewall rules for ssh and OpenVPN to appear in the LuCI configuration interface.
config 'rule' option 'target' 'ACCEPT' option 'src' 'wan' option 'proto' 'tcp' option 'dest_port' '22' option '_name' 'ssh-wan' config 'rule' option '_name' 'openvpn-udp' option 'src' 'wan' option 'target' 'ACCEPT' option 'proto' 'udp' option 'dest_port' '1194'
Some HOWTOs elsewhere on the web recommend the following in /etc/firewall.rules:
iptables -I OUTPUT -o tap+ -j ACCEPT iptables -I INPUT -i tap+ -j ACCEPT iptables -I FORWARD -o tap+ -j ACCEPT iptables -I FORWARD -i tap+ -j ACCEPT
Next we need to add the script to start the bridge:
#!/bin/sh #/etc/openvpnbridge # OpenVPN Bridge Config File # Creates TAP devices for use by OpenVPN and bridges them into OpenWRT Bridge # Taken from http://openvpn.net/bridge.html # Make sure module is loaded insmod tun # Define Bridge Interface # Preexisting on OpenWRT br="br0" # Define list of TAP interfaces to be bridged, # for example tap="tap0 tap1 tap2". tap="tap0" # Build tap devices for t in $tap; do openvpn --mktun --dev $t done # Add TAP interfaces to OpenWRT bridge for t in $tap; do brctl addif $br $t done #Configure bridged interfaces for t in $tap; do ifconfig $t 0.0.0.0 promisc up done
This file will create the OpenVPN tap devices and add them to the default OpenWRT ethernet/wifi bridge. As indicated I call it
/etc/openvpnbridge. Make sure to
chmod +x to ensure that it is executable.
Next comes the OpenVPN server config file:
# Which TCP/UDP port should OpenVPN listen on? port 1194 # TCP or UDP server? proto udp # "dev tap" will create an ethernet tunnel. dev tap # The keepalive directive causes ping-like # messages to be sent back and forth over # the link so that each side knows when # the other side has gone down. # Ping every 10 seconds, assume that remote # peer is down if no ping received during # a 120 second time period. keepalive 10 120 # Enable compression on the VPN link. # If you enable it here, you must also # enable it in the client config file. ;comp-lzo # The persist options will try to avoid # accessing certain resources on restart # that may no longer be accessible because # of the privilege downgrade. ;persist-key ;persist-tun # Output a short status file showing # current connections, truncated # and rewritten every minute. status openvpn-status.log # Set the appropriate level of log # file verbosity. # # 0 is silent, except for fatal errors # 4 is reasonable for general usage # 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 3 # Silence repeating messages. At most 20 # sequential messages of the same message # category will be output to the log. ;mute 20 #Static Key secret /etc/openvpn.key
I call this file
/etc/server.ovpn. At this point you can start OpenVPN for testing:
With logread you should be able to see if it started up normally.
Client configuration is pretty simple. Just place the following file in the config directory and remember to change the server IP address to match:
dev tap proto udp # The hostname/IP and port of the server. # You can have multiple remote entries # to load balance between the servers. remote Your.IP.Goes.Here 1194 # Keep trying indefinitely to resolve the # host name of the OpenVPN server. Very useful # on machines which are not permanently connected # to the internet such as laptops. resolv-retry infinite # Most clients don't need to bind to # a specific local port number. nobind # Try to preserve some state across restarts. ;persist-key ;persist-tun # Wireless networks often produce a lot # of duplicate packets. Set this flag # to silence duplicate packet warnings. mute-replay-warnings secret secret.key # Enable compression on the VPN link. # Don't enable this unless it is also # enabled in the server config file. ;comp-lzo # Set log file verbosity. verb 3 # Silence repeating messages ;mute 20
Now that should be it. Start the OpenVPN client either through the GUI or command line and it should link up.
If your setup did not work then it is time to start reading the quite excellent OpenVPN documentation. The #openvpn channel on Freenode is also quite helpful.
If your setup is working fine then the only remaining step is to automate the startup of the OpenVPN server on the OpenWRT machine. To this end create the following file and make sure it is executable:
#!/bin/sh #/etc/init.d/S46openvpn /etc/openvpnbridge openvpn /etc/server.ovpn &
In Backfire 10.03.1 /etc/init.d/openvpn appears to be present already. Edit it to add the following above the "append_param()" function:
# Make sure tun/tap devices are present
Then enable openvpn to start on boot from the LuCI interface (System→Startup), or from the command line with
# auf dem OpenVPN-Server ein virtuelles bridge-iface über das tap0 und das eth0 interface. # apt-get install bridge-utils # openvpn --mktun --dev tap0 erzeugt tap-device # brctl addbr br0 erzeugt bridge # brctl addif br0 eth0 anflanschen von eth0 an br0 # brctl addif br0 tap0 anflanschen von tap0 an br0 # ifconfig tap0 0.0.0.0 promisc up # ifconfig eth0 0.0.0.0 promisc up # ifconfig br0 192.168.8.2 netmask 255.255.255.0 broadcast 192.168.8.255 # route add default gw 192.168.8.1 # iptables -A INPUT -i tap0 -j ACCEPT # iptables -A INPUT -i eth0 -j ACCEPT # iptables -A FORWARD -i br0 -j ACCEPT ### OpenVPN # dev tap # dev-node tap-bridge # server-bridge 192.168.8.1 255.255.255.0 192.168.8.220 192.168.8.240 (Achtung: Kollision mit DHCP vermeiden!) ######## /etc/network/interfaces ########## auto lo iface lo inet loopback allow-hotplug eth0 iface eth0 inet static up ifconfig eth0 promisc up # the primary network iface auto br0 iface br0 inet static adress 192.168.8.2 netmask 255.255.255.0 network 192.168.8.0 broadcast 192.168.8.255 gateway 192.168.8.1 bridge_ports eth0 tap0 bridge_fd 1 bridge_stp off brdge_hello 1 # tap0 for OpenVPN auto tap0 iface tap0 inet manual pre-up tunctl -t tap0 up ifconfig promisc tap0 up post-up brctl addif intern tap0 down ifconfig tap0 down post-down tunctl -d tap0
doc/howto/vpn.server.openvpn.tap.txt · Last modified: 2013/04/03 11:41 by mforkel