Differences

This shows you the differences between two versions of the page.

doc:howto:vpn.server.openvpn.tap [2013/10/28 08:27]
lorema
doc:howto:vpn.server.openvpn.tap [2014/02/06 01:13] (current)
bibaheu
Line 2: Line 2:
| For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit [[doc/howto/vpn.overview]] | | For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit [[doc/howto/vpn.overview]] |
-===== Step 1: Install Software =====+===== Install OpenVPN =====
<code bash> <code bash>
opkg install openvpn-openssl opkg install openvpn-openssl
Line 10: Line 10:
<code bash> <code bash>
 +opkg update
opkg list | grep openvpn opkg list | grep openvpn
</code> </code>
-Windows users can either download the standard OpenVPN distribution or get the GUI version from here: http://openvpn.se/download.html . Non-Windows clients just follow the OpenVPN install instructions. 
 +===== Generate keys =====
 +Follow the [[official documentation|http://openvpn.net/index.php/open-source/documentation/howto.html#pki]].
-===== Step 2: Generate Static Key ===== +You can also install''openvpn-easy-rsa'' package for OpenWRT and generate the keys on the router itself:
-Windows users click the icon to generate a static key. Everyone else run: +
- +
-<code bash> +
-# openvpn --genkey --secret static.key +
-</code> +
- +
-This only needs to be done once and then copied to all machines to be part of the VPN. I suggest placing the key file in /etc on the OpenWRT computer and leaving in the default place on Windows.  +
- +
-An alternative way is to install ''openvpn-easy-rsa'' package for OpenWRT and do this batch: +
- +
-<code bash> +
-# ssh 192.168.1.1 (make sure to use the correct IP address of your router) +
-# cd /etc/easy-rsa +
-# nano vars +
-</code> +
- +
-<code bash> +
-#*OPTIONAL* +
-#(Comment out the following lines if you do not want your certificates to expire) +
-export CA_EXPIRE=3650 +
-export KEY_EXPIRE=3650 +
- +
-#(Change these last lines to suit your own country etc) +
-export KEY_COUNTRY="US" +
-export KEY_PROVINCE="CA" +
-export KEY_CITY="SanFrancisco" +
-export KEY_ORG="Fort-Funston" +
-export KEY_EMAIL="me@myhost.mydomain" +
- +
-build-ca +
-build-dh +
-build-key-server server +
-build-key client +
-</code> +
- +
-//This snippet code was copied from [[http://wiki.openwrt.org/inbox/vpn.howto]].// +
- +
-===== Step 3: Setup Server ===== +
-First we need to make sure that OpenVPN connections to port 1194 are not blocked by the firewall on OpenWRT.  Add the following two lines after the section allowing WAN SSH access: +
<code> <code>
-### Allow SSH from WAN  +opkg update 
-iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT +opkg install openvpn-easy-rsa
-iptables        -A input_rule      -i $WAN -p tcp --dport 22 -j ACCEPT +
- +
-### Allow OpenVPN connections +
-iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 1194 -j ACCEPT +
-iptables        -A input_rule      -i $WAN -p udp --dport 1194 -j ACCEPT +
- +
-### Port forwarding +
-# Add your stuff here+
</code> </code>
-Alternatively you can edit /etc/config/firewall and add the following to the endThis has the added benefit of causing the firewall rules for ssh and OpenVPN to appear in the LuCI configuration interface. +===== Setup Server ===== 
 +First we need to make sure that OpenVPN connections to port 1194 are not blocked by the firewall on OpenWRT. Edit /etc/config/firewall and add the following. 
<code> <code>
config 'rule' config 'rule'
-        option 'target' 'ACCEPT' +        option 'name' 'openvpn-udp'
-        option 'src' 'wan'  +
-        option 'proto' 'tcp'   +
-        option 'dest_port' '22' +
-        option '_name' 'ssh-wan' +
-                                 +
-config 'rule' +
-        option '_name' 'openvpn-udp'+
        option 'src' 'wan'         option 'src' 'wan'
        option 'target' 'ACCEPT'         option 'target' 'ACCEPT'
Line 88: Line 35:
</code> </code>
-Some HOWTOs elsewhere on the web recommend the following in /etc/firewall.rules: +Bridge the tap interface you will be using with your lan interface by adding the following two lines to the respective section in /etc/config/network. This assumes your lan consists of wifi interface called wlan0 that will be bridged with tap0 interface used by OpenVPN.
<code> <code>
-iptables -I OUTPUT -o tap+ -j ACCEPT +config interface 'lan' 
-iptables -I INPUT -i tap+ -j ACCEPT + option type 'bridge' 
- + option ifname 'wlan0 tap0'
-iptables -I FORWARD -o tap+ -j ACCEPT +
-iptables -I FORWARD -i tap+ -j ACCEPT+
</code> </code>
- 
- 
-Next we need to add the script to start the bridge: 
- 
-<code bash> 
-#!/bin/sh 
- 
-#/etc/openvpnbridge 
-# OpenVPN Bridge Config File 
-# Creates TAP devices for use by OpenVPN and bridges them into OpenWRT Bridge 
-# Taken from http://openvpn.net/bridge.html 
- 
-# Make sure module is loaded 
-insmod tun 
- 
-# Define Bridge Interface 
-# Preexisting on OpenWRT 
-br="br0" 
- 
-# Define list of TAP interfaces to be bridged, 
-# for example tap="tap0 tap1 tap2". 
-tap="tap0" 
- 
-# Build tap devices 
-for t in $tap; do 
-    openvpn --mktun --dev $t 
-done 
- 
-# Add TAP interfaces to OpenWRT bridge 
- 
-for t in $tap; do 
-    brctl addif $br $t 
-done 
- 
-#Configure bridged interfaces 
- 
-for t in $tap; do 
-    ifconfig $t 0.0.0.0 promisc up 
-done 
-</code> 
- 
-This file will create the OpenVPN tap devices and add them to the default OpenWRT ethernet/wifi bridge. As indicated I call it ''/etc/openvpnbridge''. Make sure to ''chmod +x'' to ensure that it is executable.  
Next comes the OpenVPN server config file: Next comes the OpenVPN server config file:
-<code ini+<code> 
-# Which TCP/UDP port should OpenVPN listen on+config 'openvpn' 'your_name' 
-port 1194 + option 'tls_server' '1' 
- + option 'port' '1194' # to bypass restrictive firewalls, you might consider running OpenVPN on port 443 or 22 
-# TCP or UDP server? + option 'proto' 'udp' # TCP might be more reliable but slower; if you change this to tcp, change the firewall rule as well 
-proto udp + option 'dev' 'tap0' 
- + option 'ca' '/path/to/ca.crt' 
-# ";dev tap" will create an ethernet tunnel. + option 'cert' '/path/to/server.crt' 
-dev tap + option 'key' '/path/to/server.key' 
- + option 'dh' '//path/to/dh1024.pem' 
- + option 'server_bridge' '192.168.1.1 255.255.255.0 192.168.1.220 192.168.1.229' # this assumes the lan is 192.168.1.1/24 and will give out address in range 192.168.1.220-229 
-# The keepalive directive causes ping-like + list 'push' 'dhcp-option DNS 192.168.1.1' # this will make the clients use openwrt for DNS resolution 
-# messages to be sent back and forth over + list 'push' 'redirect-gateway def1' # this redirects all traffic over vpn 
-# the link so that each side knows when + option 'client_to_client' '1' 
-# the other side has gone down+ option 'comp_lzo' 'yes' 
-# Ping every 10 seconds, assume that remote + option 'keepalive' '10 120' 
-# peer is down if no ping received during + option 'status' '/tmp/openvpn_tap0.status' 
-# a 120 second time period. + option 'persist_key' '1' 
-keepalive 10 120 + option 'persist_tun' '1' 
- + option 'verb' '3' 
-# Enable compression on the VPN link. + option 'mute' '20'
-# If you enable it here, you must also +
-# enable it in the client config file+
-;comp-lzo +
- +
-# The persist options will try to avoid +
-# accessing certain resources on restart +
-# that may no longer be accessible because +
-# of the privilege downgrade. +
-;persist-key +
-;persist-tun +
- +
-# Output a short status file showing +
-# current connections, truncated +
-# and rewritten every minute. +
-status openvpn-status.log +
- +
-# Set the appropriate level of log +
-# file verbosity. +
-+
-# 0 is silent, except for fatal errors +
-# 4 is reasonable for general usage +
-# 5 and 6 can help to debug connection problems +
-# 9 is extremely verbose +
-verb 3 +
- +
-# Silence repeating messages.  At most 20 +
-# sequential messages of the same message +
-# category will be output to the log. +
-;mute 20 +
- +
-#Static Key +
-secret /etc/openvpn.key+
</code> </code>
 +
 +===== Configure Client =====
-I call this file ''/etc/server.ovpn''. At this point you can start OpenVPN for testing:+Client configuration must correspond with the server configuration. Something like this with the IP address of the VPN server should work:
-''openvpn /etc/server.ovpn'' +<code>
- +
-With logread you should be able to see if it started up normally. +
- +
-===== Step 4: Configure Client ===== +
- +
-Client configuration is pretty simple. Just place the following file in the config directory and remember to change the server IP address to match: +
- +
-<code ini>+
dev tap dev tap
- 
proto udp proto udp
- 
-# The hostname/IP and port of the server. 
-# You can have multiple remote entries 
-# to load balance between the servers. 
remote Your.IP.Goes.Here 1194 remote Your.IP.Goes.Here 1194
- 
- 
-# Keep trying indefinitely to resolve the 
-# host name of the OpenVPN server.  Very useful 
-# on machines which are not permanently connected 
-# to the internet such as laptops. 
resolv-retry infinite resolv-retry infinite
- 
-# Most clients don't need to bind to 
-# a specific local port number. 
-nobind 
- 
-# Try to preserve some state across restarts. 
-;persist-key 
-;persist-tun 
- 
- 
-# Wireless networks often produce a lot 
-# of duplicate packets.  Set this flag 
-# to silence duplicate packet warnings. 
mute-replay-warnings mute-replay-warnings
- +comp-lzo
- +
-secret secret.key +
- +
- +
-# Enable compression on the VPN link. +
-# Don't enable this unless it is also +
-# enabled in the server config file. +
-;comp-lzo +
- +
-# Set log file verbosity.+
verb 3 verb 3
- +keepalive 10 120 
-# Silence repeating messages +persist-key 
-;mute 20+persist-tun 
 +nobind
</code> </code>
-Now that should be it. Start the OpenVPN client either through the GUI or command line and it should link up.  +===== Wrap Up =====
- +
-===== Step 5: Wrap Up =====+
If your setup did not work then it is time to start reading the quite excellent OpenVPN documentation. The #openvpn channel on Freenode is also quite helpful. If your setup did not work then it is time to start reading the quite excellent OpenVPN documentation. The #openvpn channel on Freenode is also quite helpful.
If your setup is working fine then the only remaining step is to automate the startup of the OpenVPN server on the OpenWRT machine. To this end create the following file and make sure it is executable: If your setup is working fine then the only remaining step is to automate the startup of the OpenVPN server on the OpenWRT machine. To this end create the following file and make sure it is executable:
-<code bash> 
-#!/bin/sh 
-#/etc/init.d/S46openvpn 
-/etc/openvpnbridge 
-openvpn /etc/server.ovpn & 
-</code> 
-In Backfire 10.03.1 /etc/init.d/openvpn appears to be present already.  Edit it to add the following above the "append_param()" function:+In Backfire 10.03.1 edit /etc/init.d/openvpn and add the following above the "append_param()" function:
'' ''
Line 276: Line 99:
'' ''
-Then enable openvpn to start on boot from the LuCI interface (System->Startup), or from the command line with+This is not needed in Attitude Adjustment
-<code bash>+Then enable openvpn to start on boot with: 
 + 
 +<code>
/etc/init.d/openvpn enable /etc/init.d/openvpn enable
</code> </code>
-===== Notes =====+===== Static leases =====
 +Put this into your /etc/config/opevpn:
<code> <code>
-# auf dem OpenVPN-Server ein virtuelles bridge-iface über das tap0 und das eth0 interface. +option topology subnet 
-# apt-get install bridge-utils +option 'ifconfig_pool_persist' '/etc/openvpn/ipp.txt 0' 
-# openvpn --mktun --dev tap0  erzeugt tap-device +</code>
-# brctl addbr br0              erzeugt bridge+
-# brctl addif br0 eth0        anflanschen von eth0 an br0 +/etc/openvpn/ipp.txt has this format: 
-# brctl addif br0 tap0        anflanschen von tap0 an br0 +<code> 
- +CN,192.168.1.235 # CN is the COMMON NAME specified in the clients security certificate
-# ifconfig tap0 0.0.0.0 promisc up +
-# ifconfig eth0 0.0.0.0 promisc up +
-# ifconfig br0 192.168.8.2 netmask 255.255.255.0 broadcast 192.168.8.255 +
-# route add default gw 192.168.8.1 +
- +
-# iptables -A INPUT -i tap0 -j ACCEPT +
-# iptables -A INPUT -i eth0 -j ACCEPT +
-# iptables -A FORWARD -i br0 -j ACCEPT +
- +
-### OpenVPN +
-# dev tap +
-# dev-node tap-bridge +
-# server-bridge 192.168.8.1 255.255.255.0 192.168.8.220 192.168.8.240 (Achtung: Kollision mit DHCP vermeiden!) +
- +
- +
-######## /etc/network/interfaces ########## +
- +
-auto lo +
-iface lo inet loopback +
-allow-hotplug eth0 +
- +
-iface eth0 inet static +
-  up ifconfig eth0 promisc up +
- +
-# the primary network iface +
-auto br0 +
-iface br0 inet static +
-  adress 192.168.8.2 +
-   netmask 255.255.255.0 +
-   network 192.168.8.+
-  broadcast 192.168.8.255 +
-  gateway 192.168.8.1 +
-  bridge_ports eth0 tap0 +
-  bridge_fd 1 +
-  bridge_stp off +
-  brdge_hello 1 +
- +
-# tap0 for OpenVPN +
-auto tap0 +
-iface tap0 inet manual +
-  pre-up tunctl -t tap0 +
-  up ifconfig promisc tap0 up +
-  post-up brctl addif intern tap0 +
-  down ifconfig tap0 down +
-  post-down tunctl -d tap0+
</code> </code>

Back to top

doc/howto/vpn.server.openvpn.tap.1382945267.txt.bz2 · Last modified: 2013/10/28 08:27 by lorema