Please read vpn.overview and see these old articles on this matter: http://wiki.openwrt.org/?do=search&id=vpn and help migrate them. Check also vpn.openvpn.
OpenVPN server
This guide is based on the use of a stable OpenWrt 8.09.2 "Kamikaze" with X-Wrt WebUI and OpenVPN. The aim is to show how secure Internet sharing is set up in 7 steps.
As a prerequisite, make sure the router has the correct date and time (use the "date" command to verify it). OpenVPN needs the router's real-time clock (RTC) to be accurate, since certificates are only accepted within their validity period. An accurate RTC can be maintained with ntpclient; check the wiki on how to install and configure ntpclient.
Installation
opkg update
opkg install openvpn openvpn-easy-rsa
Configure certificates
cd /etc/easy-rsa
vi vars
*OPTIONAL* (Comment out the following lines if you do not want your certificates to expire)
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
(Change these last lines to suit your own country etc)
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
Generate certificates
build-ca
build-dh
*CLARIFICATION NEEDED!* (Use the same password on both the server certificate and client)
build-key-server server
build-key client
Create OpenVPN configuration
If you are not using UCI configuration, use this configuration file:
vi /etc/openvpn/openvpn.conf
mode server
tls-server
### network options
port 1194
proto udp
dev tun
### Certificate and key files
ca /etc/easy-rsa/keys/ca.crt
cert /etc/easy-rsa/keys/server.crt
key /etc/easy-rsa/keys/server.key
dh /etc/easy-rsa/keys/dh1024.pem
server 10.0.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1" # Change this to your router's LAN IP Address
client-to-client
### (optional) compression (Can be slow)
#comp-lzo
persist-key
persist-tun
verb 3
keepalive 10 120
log-append /var/log/openvpn/openvpn.log
If you are using UCI to configure your system, use this configuration file:
vi /etc/config/openvpn
config 'openvpn' 'lan'
option 'enable' '1'
option 'port' '1194'
option 'proto' 'udp'
option 'dev' 'tun'
option 'ca' '/etc/easy-rsa/keys/ca.crt'
option 'cert' '/etc/easy-rsa/keys/server.crt'
option 'key' '/etc/easy-rsa/keys/server.key'
option 'dh' '/etc/easy-rsa/keys/dh1024.pem'
option 'ifconfig_pool_persist' '/tmp/ipp.txt'
option 'keepalive' '10 120'
option 'comp_lzo' '0'
option 'persist_key' '1'
option 'persist_tun' '1'
option 'status' '/var/log/openvpn-status.log'
option 'verb' '3'
option 'server' '10.0.0.0 255.255.255.0'
list 'push' 'dhcp-option DOMAIN lan'
list 'push' 'dhcp-option DNS 192.168.1.1'
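The two configuration styles above express the same directives: a UCI option name becomes the OpenVPN directive with "_" replaced by "-", on/off options such as persist_key become bare directives, and each list 'push' entry becomes a quoted push line. The script below is an added example (not part of the wiki page and not OpenWrt's own init script) that performs this translation on a constructed copy of the UCI section, so the result can be compared line by line with the openvpn.conf version. Which names count as on/off flags (comp_lzo, persist_key, persist_tun, client_to_client) and the dropping of 'enable' are assumptions of this example; it also covers the client_to_client flag that only the openvpn.conf version of this page uses.

```shell
#!/bin/sh
# Added example, not from the original wiki page: translate a UCI
# /etc/config/openvpn section into openvpn.conf directive syntax.
# Assumptions (ours, not OpenWrt's init script): names map to directives
# by replacing "_" with "-"; names in "flags" are on/off switches ("1"
# emits the bare directive, "0" emits nothing); "enable" is consumed by
# the init script and never reaches openvpn; list entries are quoted.

# Constructed sample: a subset of the UCI section shown on this page.
SAMPLE_UCI="config 'openvpn' 'lan'
    option 'enable' '1'
    option 'port' '1194'
    option 'proto' 'udp'
    option 'dev' 'tun'
    option 'ca' '/etc/easy-rsa/keys/ca.crt'
    option 'dh' '/etc/easy-rsa/keys/dh1024.pem'
    option 'ifconfig_pool_persist' '/tmp/ipp.txt'
    option 'keepalive' '10 120'
    option 'comp_lzo' '0'
    option 'persist_key' '1'
    option 'server' '10.0.0.0 255.255.255.0'
    list 'push' 'dhcp-option DNS 192.168.1.1'"

# uci_to_openvpn: read UCI option/list lines on stdin, print directives.
uci_to_openvpn() {
    # Split on the single quote: $2 is the option name, $4 its value.
    awk -F"'" '
    BEGIN {
        flags["comp_lzo"] = 1; flags["persist_key"] = 1
        flags["persist_tun"] = 1; flags["client_to_client"] = 1
    }
    $1 ~ /^[ \t]*(option|list)[ \t]*$/ {
        name = $2; value = $4
        if (name == "enable") next            # init-script switch only
        directive = name; gsub(/_/, "-", directive)
        if ($1 ~ /list/) { printf "%s \"%s\"\n", directive, value; next }
        if (name in flags) { if (value == "1") print directive; next }
        print directive " " value
    }'
}

# Show the translation of the constructed sample.
printf '%s\n' "$SAMPLE_UCI" | uci_to_openvpn
```

Running the script prints ten directives; comp_lzo '0' produces no comp-lzo line, which matches the commented-out #comp-lzo in the openvpn.conf version, and the push list comes out as push "dhcp-option DNS 192.168.1.1".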
Configure the firewall
vi /etc/config/firewall
config 'include'
option 'path' '/etc/firewall.user'
config 'rule'
option 'target' 'ACCEPT'
option 'name' 'VPN'
option 'src' 'wan'
option 'proto' 'udp'
option 'dest_port' '1194'
vi /etc/firewall.user
iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables -A input_wan -p udp --dport 1194 -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
Autostart needed?
- Start openvpn:
/etc/init.d/openvpn start
- Enable openvpn so that init loads it automatically at startup:
/etc/init.d/openvpn enable
Configure the client
GNU/Linux
mkdir ~/VirtualNet
Windows
Create a folder, for example VirtualNet, in C:/Program Files
Download ca.crt, client.crt, client.key and dh1024.pem, located in /etc/easy-rsa/keys/ on the router, and place them in the VirtualNet directory.
Open a text editor, add the following lines and save the file as client.ovpn in VirtualNet:
client
tls-client
dev tun
proto udp
remote SERVER-IP 1194 # Change to your router's External IP
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
dh dh1024.pem
#comp-lzo
persist-tun
persist-key
verb 3
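Instead of copying four separate files to every client, the certificate, key and CA can be embedded in client.ovpn itself using OpenVPN's inline &lt;ca&gt;, &lt;cert&gt; and &lt;key&gt; blocks (supported since OpenVPN 2.1). The script below is an added example, not part of the wiki page, that builds such a file from the keys directory on the router; the fixed directives mirror the client.ovpn above. dh1024.pem is a tls-server parameter that the client does not use, so it is omitted. The key directory, the server address and the output path are assumptions passed as arguments, and the placeholder PEM files written by make_demo_keys are constructed for the stand-alone demo, not real keys.

```shell
#!/bin/sh
# Added example, not from the original wiki page: build one client.ovpn
# with ca.crt, client.crt and client.key inline, so a single file is
# copied to the client. dh is a tls-server parameter and is left out.
# Assumptions: KEYDIR and SERVER_IP are given as arguments.

# make_client_ovpn KEYDIR SERVER_IP [OUTFILE]
make_client_ovpn() {
    keydir=$1; server=$2; out=${3:-client.ovpn}
    for f in ca.crt client.crt client.key; do
        if [ ! -r "$keydir/$f" ]; then
            echo "make_client_ovpn: missing $keydir/$f" >&2
            return 1
        fi
    done
    {
        cat <<EOF
client
tls-client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
#comp-lzo
persist-tun
persist-key
verb 3
EOF
        # awk prints every line with a newline, so the closing tag never
        # runs into a PEM file that lacks a trailing newline.
        printf '<ca>\n';   awk '{ print }' "$keydir/ca.crt";     printf '</ca>\n'
        printf '<cert>\n'; awk '{ print }' "$keydir/client.crt"; printf '</cert>\n'
        printf '<key>\n';  awk '{ print }' "$keydir/client.key"; printf '</key>\n'
    } > "$out"
    chmod 600 "$out"   # the file now carries the client's private key
}

# make_demo_keys DIR: write constructed placeholder PEM files (not real keys).
make_demo_keys() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA' '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CLIENT-CERT' '-----END CERTIFICATE-----' > "$1/client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-CLIENT-KEY' '-----END PRIVATE KEY-----' > "$1/client.key"
}

# Stand-alone demo: 203.0.113.10 is a documentation address standing in for
# the router's external IP.
demo_dir=$(mktemp -d)
make_demo_keys "$demo_dir"
make_client_ovpn "$demo_dir" 203.0.113.10 "$demo_dir/client.ovpn" && cat "$demo_dir/client.ovpn"
rm -rf "$demo_dir"
```

On the router the call would be make_client_ovpn /etc/easy-rsa/keys SERVER-IP client.ovpn. The resulting file is mode 600 because it contains the private key; treat it with the same care as client.key when copying it to the client.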
Client Usage GNU/Linux - Download OpenVPN
Debian
sudo apt-get install openvpn
Arch Linux
pacman -S openvpn
Gentoo
emerge openvpn
Client Usage Windows - Download OpenVPN client
On Windows XP / 32 Bit
http://openvpn.se/download.html *Choose Installation Package*
On Windows Vista 64
- It seems that Windows Vista 64-bit does not accept the tun/tap driver from the client package, so download the entire OpenVPN package including server and client from http://openvpn.net/index.php/open-source/downloads.html and choose *Windows Installer*.
Client Usage on Android
- Install and run the Android OpenVPN Installer from Friedrich Schäuffelhut (http://goo.gl/9kKVB). (Make note of the application prerequisites.)
- Install the Android OpenVPN Settings App from Friedrich Schäuffelhut (http://goo.gl/l2DfA).
- Copy ca.crt, dh1024.pem, client.crt and client.key to /mnt/sdcard/openvpn/{profile}, where {profile} is your host connection name.
- Create an OpenVPN configuration file (.conf) using the GNU/Linux example as a guide, and place it in the /mnt/sdcard/openvpn/{profile} directory along with the files above.
- Once the files are on the device, use the OpenVPN Settings app to complete the configuration and initiate the connection.
Note: You may need to install tun.ko using the TUN.ko Installer (http://goo.gl/mFX8v). tun.ko may also be compiled into your kernel in which case the tun.ko module is not necessary on your Android device.
Note: tap connections do work on Android with this OpenVPN client. However, tap connections may use up extra bandwidth for non-TCP protocols.
Client Usage MacOS X / iOS / ...
TODO
Client Usage GNU/Linux Connect
cd /home/your-user/VirtualNet/
sudo openvpn client.ovpn
Client Usage Windows Connect
- browse to the VirtualNet dir
- Right click on client.ovpn and choose run with OpenVPN GUI
inbox/vpn.howto.txt · Last modified: 2013/05/17 11:36 by ezhov
