FIXME: Please read vpn.overview and see these old articles on this matter: http://wiki.openwrt.org/?do=search&id=vpn and help migrate them. Check also vpn.openvpn

OpenVPN server

This guide is based on the use of a stable OpenWrt 8.09.2 "Kamikaze" with X-Wrt WebUI and OpenVPN. The aim is to show how secure Internet sharing is setup in 7 steps.

As a prerequisite, make sure the router has the correct date and time (use the "date" command to verify it). OpenVPN needs the router's real time clock (RTC) to be accurate, because certificate validity periods are checked against it. An accurate clock can be achieved with ntpclient; check the wiki on how to install and configure ntpclient.

Installation

opkg update
opkg install openvpn openvpn-easy-rsa

Configure certificates

cd /etc/easy-rsa
vi vars

*OPTIONAL* (Comment out the following lines if you do not want your certificates to expire)

export CA_EXPIRE=3650
export KEY_EXPIRE=3650

(Change these last lines to suit your own country etc)

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"

Generate certificates

build-ca
build-dh

*CLARIFICATION NEEDED!* (Use the same password on both the server certificate and client)

build-key-server server
build-key client

Create OpenVPN configuration

vi /etc/openvpn/openvpn.conf

mode server
tls-server

### network options
port 1194
proto udp
dev tun

### Certificate and key files
ca /etc/easy-rsa/keys/ca.crt
cert /etc/easy-rsa/keys/server.crt
key /etc/easy-rsa/keys/server.key
dh /etc/easy-rsa/keys/dh1024.pem

server 10.0.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1" # Change this to your router's LAN IP Address
client-to-client

### (optional) compression (Can be slow)
#comp-lzo

persist-key
persist-tun
verb 3
keepalive 10 120
log-append /var/log/openvpn/openvpn.log

Configure the firewall

vi /etc/config/firewall

config 'include'
	option 'path' '/etc/firewall.user' # must be the same file edited in the next step

config 'rule'
	option 'target' 'ACCEPT'
	option 'name' 'VPN'
	option 'src' 'wan'
	option 'proto' 'udp'
	option 'dest_port' '1194'

vi /etc/firewall.user

iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables -A input_wan -p udp --dport 1194 -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT

Configure the client

GNU/Linux

mkdir ~/VirtualNet

Windows

# Create a folder called, for example, VirtualNet in C:/Program Files

Download ca.crt, client.crt, client.key and dh1024.pem, located in /etc/easy-rsa/keys/ on the router, and place them in the VirtualNet dir. client.key is the client's private key: copy it over an encrypted channel (scp) and keep it readable only by the owner.

# Open up a text editor and add the following lines…
# Save the file as client.ovpn in VirtualNet

client
tls-client
dev tun
proto udp
remote SERVER-IP 1194 # Change to your router's External IP
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
dh dh1024.pem
#comp-lzo
persist-tun
persist-key
verb 3
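Before first use it is worth linting the finished client.ovpn: the template above still carries the SERVER-IP placeholder, and it does not tell the client to verify that the peer presents a *server* certificate, so any certificate signed by the same CA (another client's, for instance) would be accepted as the server. The server certificate produced by build-key-server carries the nsCertType=server extension, which the client can insist on with "ns-cert-type server" (newer OpenVPN releases use "remote-cert-tls server"). The following POSIX shell function is an added example, not part of the original page; it assumes the config and the cert/key files sit in the same directory, as in the steps above.

```shell
#!/bin/sh
# lint_ovpn FILE: print one finding per line, return 1 if any, 0 if clean.
lint_ovpn() {
    cfg="$1"; dir=$(dirname "$cfg"); rc=0
    # Drop comments first, so a commented-out directive does not count as present.
    stripped=$(sed 's/[#;].*$//' "$cfg")

    # 1. The page's template uses SERVER-IP as a placeholder in the remote line.
    if printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*remote[[:space:]]+SERVER-IP'; then
        echo "remote still points at the SERVER-IP placeholder"; rc=1
    fi

    # 2. Server identity check (ns-cert-type server or remote-cert-tls server).
    if ! printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*(ns-cert-type|remote-cert-tls)[[:space:]]+server'; then
        echo "no ns-cert-type/remote-cert-tls server directive: any CA-signed cert would pass as the server"; rc=1
    fi

    # 3. Every referenced ca/cert/key file must exist next to the config.
    for d in ca cert key; do
        f=$(printf '%s\n' "$stripped" | awk -v d="$d" '$1 == d { print $2; exit }')
        if [ -n "$f" ] && [ ! -f "$dir/$f" ]; then
            echo "$d file '$f' not found in $dir"; rc=1
        fi
    done

    # 4. The private key must not be readable by group or others.
    k=$(printf '%s\n' "$stripped" | awk '$1 == "key" { print $2; exit }')
    if [ -n "$k" ] && [ -f "$dir/$k" ] && ls -l "$dir/$k" | cut -c5-10 | grep -q '[rwx]'; then
        echo "private key '$k' is readable by group/others; use chmod 600"; rc=1
    fi
    return $rc
}
```

Run it as `lint_ovpn /path/to/client.ovpn` on the client machine; an exit status of 0 means no findings.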

Client Usage GNU/Linux - Download OpenVPN

Debian

sudo apt-get install openvpn

Arch Linux

pacman -S openvpn

Gentoo

emerge openvpn

Client Usage Windows - Download OpenVPN client

On Windows XP / 32 Bit

http://openvpn.se/download.html *Choose Installation Package*

On Windows Vista 64

Client Usage Android / MacOS X / iOS / ...

TODO

Client Usage GNU/Linux Connect

cd /home/your-user/VirtualNet/
sudo openvpn client.ovpn

Client Usage Windows Connect

  • browse to the VirtualNet dir
  • Right click on client.ovpn and choose run with OpenVPN GUI


inbox/vpn.howto.txt · Last modified: 2011/12/25 13:37 by cheblin