inbox:vpn.howto

Differences

This shows you the differences between two versions of the page.

inbox:vpn.howto [2012/09/06 10:37]
inbox:vpn.howto [2014/07/09 01:47] (current)
masnia
Line 1: Line 1:
 +====== OpenVPN server ======
 +| :!: There are many redundant wiki pages relating to configuring OpenVPN on OpenWrt. ​ Some are better than others, and others are an out-of-date muddled mess.  For a reasonably complete / up-to-date guide to installing, configuring and troubleshooting OpenVPN clients & servers on OpenWrt (including creating a simple PKI), could I suggest you consider starting with [[doc/​howto/​vpn.openvpn]] instead of this wiki. :!: |
 +
 +It is not that the other wikis aren't worth reading; it is just that (IMHO) [[doc/​howto/​vpn.openvpn]] is a better place to start (it has been rewritten from scratch just a few weeks ago).  ​
 +
 +Although this wiki does cover some material not covered in [[doc/​howto/​vpn.openvpn]] (e.g. non-OpenWrt clients), it might still be a useful place to visit. ​ Maybe you could improve it further rather than edit this wiki?
 +
 |FIXME: Please read [[doc/​howto/​vpn.overview]] and see this old articles on this matter: [[http://​wiki.openwrt.org/?​do=search&​id=vpn]] and help **migrate** them. Check also [[doc:​howto:​vpn.openvpn]] | |FIXME: Please read [[doc/​howto/​vpn.overview]] and see this old articles on this matter: [[http://​wiki.openwrt.org/?​do=search&​id=vpn]] and help **migrate** them. Check also [[doc:​howto:​vpn.openvpn]] |
  
-===== OpenVPN server ===== +====== OpenVPN server ​====== 
-This guide is based on the use of a stable OpenWrt ​8.09.2 ​"Kamikaze" ​with X-Wrt WebUI and OpenVPN. The aim is to show how secure Internet sharing is setup in 7 steps.+This guide is based on the use of a stable OpenWrt "Backfire" ​10.03.1 ​OpenVPN. The aim is to show how secure Internet sharing is setup in 7 steps.
  
 As prerequisite make sure you the router has correct date an time (use the "​date"​ command to verify it). OpenVPN needs the router real time clock (RTC)to be accurate. The RTC accurate configuration can be achieved with ntpclient. Check the wiki on how to install and configure ntpclient. As prerequisite make sure you the router has correct date an time (use the "​date"​ command to verify it). OpenVPN needs the router real time clock (RTC)to be accurate. The RTC accurate configuration can be achieved with ntpclient. Check the wiki on how to install and configure ntpclient.
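Review bot: the rewritten intro line ("stable OpenWrt "Backfire" 10.03.1 OpenVPN") lost the word "with" when the version was swapped from 8.09.2 Kamikaze, so it now reads like a product name; restore "with OpenVPN". The unchanged prerequisite paragraph still carries "make sure you the router", "date an time" and "(RTC)to be", which this revision could have fixed while it was here. The clock requirement itself is the right thing to stress: certificate validity (notBefore/notAfter) and, once crl_verify is configured, CRL checks depend on the router's time, and a router without a battery-backed clock boots with a bogus date until ntpclient syncs, so OpenVPN should not be started before that sync.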
Line 32: Line 39:
  
 ==== Generate certificates ==== ==== Generate certificates ====
-<​code>​+   - //​OPTIONAL://​ Clean out the ''/​etc/​easy-rsa/​keys''​ directory and start fresh.<​code>​ 
 +clean-all 
 +</​code>​ 
 +   - Build certificates<​code>​
 build-ca build-ca
 build-dh build-dh
 </​code>​ </​code>​
- +   - Create ​the server ​key<​code>​
-*CLARIFICATION NEEDED!* +
-(Use the same password on both the server ​certificate and client) +
- +
-<​code>​+
 build-key-server server build-key-server server
 +</​code>​
 +   - Create client keys. Include a password since many clients may balk at a key without a password.<​html><​br/></​html>​Normal Keys:<​code>​
 build-key client build-key client
 +</​code>​PKCS12 Format (combines the key and ca certificate in one file)<​code>​
 +build-key-pkcs12 client
 </​code>​ </​code>​
 +   - Copy the important files to the ''/​etc/​openvpn''​ directory, so that they are duplicated<​code>​
 +cd /​etc/​easy-rsa/​keys
 +cp ca.crt ca.key dh1024.pem server.crt server.key /​etc/​openvpn/​
 +</​code>​
 +**Note - if a dh2048.pem file was generated - remember to change 1024 to 2048 on the configuration files below.**
 +It's a good idea to make an offline backup of all the generated files in the ''/​etc/​easy-rsa/​keys''​ directory. Use a utility like [[http://​winscp.net/​|WinSCP]] to transfer the files from the router to your computer. For SFTP support, install the SFTP server on the router:
  
 +<​code>​
 +opkg update
 +opkg install openssh-sftp-server
 +</​code>​
 +
 +That way a SFTP client like [[https://​filezilla-project.org/​|Filezilla]] can be used to transfer files to and from the router.
  
 ==== Create OpenVPN configuration ==== ==== Create OpenVPN configuration ====
 +If you are using UCI to configure your system, use this configuration file:
 +<​code>​
 +vi /​etc/​config/​openvpn
 +</​code>​
 +<​code>​
 +config '​openvpn'​ '​lan'​
 +        option '​enable'​ '​1'​
 +        option '​port'​ '​1194'​
 +        option '​proto'​ '​udp'​
 +        option '​dev'​ '​tun'​
 +        option '​ca'​ '/​etc/​easy-rsa/​keys/​ca.crt'​
 +        option '​cert'​ '/​etc/​easy-rsa/​keys/​server.crt'​
 +        option '​key'​ '/​etc/​easy-rsa/​keys/​server.key'​
 +        option '​dh'​ '/​etc/​easy-rsa/​keys/​dh1024.pem'​
 +        option '​ifconfig_pool_persist'​ '/​tmp/​ipp.txt'​
 +        option '​keepalive'​ '10 120'
 +        option '​comp_lzo'​ '​no'​
 +        option '​persist_key'​ '​1'​
 +        option '​persist_tun'​ '​1'​
 +        option '​status'​ '/​var/​log/​openvpn-status.log' ​
 +        option '​verb'​ '​3'​
 +        option '​server'​ '​10.0.0.0 255.255.255.0'​
 +        option '​client_to_client'​ '​1'​
 +        list '​push'​ '​redirect-gateway def1'
 +        list '​push'​ '​dhcp-option DNS 192.168.1.1'​
 + list '​push'​ 'route 192.168.1.0 255.255.255.0'​
 +</​code>​
 +If there are [[https://​openvpn.net/​index.php/​open-source/​documentation/​howto.html#​revoke|revoked cerficates]] add also
 +<​code>​
 +option '​crl_verify'​ '/​etc/​easy-rsa/​keys/​crl.pem'​
 +</​code>​
 +
 +This will create a VPN on the 10.0.0.x IP range. If you'd like to choose a different IP range, edit it accordingly. Also change the 192.168.1.1 DNS entry to the IP address of your router if different.
 +
 If you are not using UCI configuration,​ use this configuration file: If you are not using UCI configuration,​ use this configuration file:
 <​code>​ <​code>​
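Review bot: the new copy step (`cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/`) puts the CA private key on the VPN server. The server only needs ca.crt, server.crt, server.key and the DH file; ca.key should stay offline (with the backup the same step recommends), since whoever holds it can issue client certificates that this server will accept. The copy is also unused as written: the UCI block that follows points `ca`, `cert`, `key` and `dh` at /etc/easy-rsa/keys/, so either point the config at /etc/openvpn/ or drop the copy. Two smaller points: the client-key step justifies the passphrase with "many clients may balk at a key without a password", but the real reason is that client.key / client.p12 travels to laptops and phones and the passphrase is what protects it at rest, so say that instead; and the note about dh2048.pem should be the default rather than the exception, since 1024-bit DH parameters are below current recommendations (set KEY_SIZE in the easy-rsa vars before running build-dh, and name the file accordingly in both configs). Typo in the CRL sentence: "cerficates".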
Line 52: Line 108:
 </​code>​ </​code>​
  
-|''​+<​code>​
 mode server mode server
 tls-server tls-server
Line 67: Line 123:
 dh /​etc/​easy-rsa/​keys/​dh1024.pem dh /​etc/​easy-rsa/​keys/​dh1024.pem
  
 +client-to-client
 server 10.0.0.0 255.255.255.0 server 10.0.0.0 255.255.255.0
 push "​redirect-gateway def1" push "​redirect-gateway def1"
 push "​dhcp-option DNS 192.168.1.1"​ # Change this to your router'​s LAN IP Address push "​dhcp-option DNS 192.168.1.1"​ # Change this to your router'​s LAN IP Address
-client-to-client+push "route 192.168.1.0 255.255.255.0"​ # Change this to your network
  
 ### (optional) compression (Can be slow) ### (optional) compression (Can be slow)
 #comp-lzo #comp-lzo
 +
 persist-key persist-key
 persist-tun persist-tun
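Review bot: `push "route 192.168.1.0 255.255.255.0"` added at the end of this block is redundant with the `push "redirect-gateway def1"` two lines above it, which already sends all client traffic through the tunnel; it only matters for clients configured to ignore the redirect, and the comment should say so. Moving `client-to-client` above `server` is fine, but note in the text that with it enabled OpenVPN switches traffic between clients internally, so the iptables rules from the firewall section never see client-to-client traffic; leave it out unless clients genuinely need to reach each other. `dh /etc/easy-rsa/keys/dh1024.pem` keeps the 1024-bit parameters; generate 2048-bit and update this path.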
Line 80: Line 138:
 keepalive 10 120 keepalive 10 120
 log-append /​var/​log/​openvpn/​openvpn.log log-append /​var/​log/​openvpn/​openvpn.log
-''​| 
- 
-If you are using UCI to configure your system, use this configuration file: 
-<​code>​ 
-vi /​etc/​config/​openvpn 
-</​code>​ 
-<​code>​ 
-config '​openvpn'​ '​lan'​ 
-        option '​enable'​ '​1'​ 
-        option '​port'​ '​1194'​ 
-        option '​proto'​ '​udp'​ 
-        option '​dev'​ '​tun'​ 
-        option '​ca'​ '/​etc/​easy-rsa/​keys/​ca.crt'​ 
-        option '​cert'​ '/​etc/​easy-rsa/​keys/​server.crt'​ 
-        option '​key'​ '/​etc/​easy-rsa/​keys/​server.key'​ 
-        option '​dh'​ '/​etc/​easy-rsa/​keys/​dh1024.pem'​ 
-        option '​ifconfig_pool_persist'​ '/​tmp/​ipp.txt'​ 
-        option '​keepalive'​ '10 120' 
-        option '​comp_lzo'​ '​1'​ 
-        option '​persist_key'​ '​1'​ 
-        option '​persist_tun'​ '​1'​ 
-        option '​status'​ '/​var/​log/​openvpn-status.log' ​ 
-        option '​verb'​ '​3'​ 
-        option '​server'​ '​10.0.0.0 255.255.255.0'​ 
-        list '​push'​ '​dhcp-option DOMAIN lan' 
-        list '​push'​ '​dhcp-option DNS 192.168.1.1'​ 
 </​code>​ </​code>​
  
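Review bot: `log-append /var/log/openvpn/openvpn.log` (unchanged context at the top of this hunk) requires /var/log/openvpn to exist, and on OpenWrt /var is a tmpfs recreated empty at every boot; OpenVPN treats a log file it cannot open as a fatal options error, so after a reboot the server will not start unless something creates that directory first. Log to /var/log/openvpn.log or to syslog instead. Removing the duplicate UCI block here is correct: it disagreed with the copy that moved up (`comp_lzo '1'` here versus `'no'` there, and `dhcp-option DOMAIN lan` only in this one), and keeping a single copy ends that drift; if the DOMAIN push was wanted, re-add it to the surviving block.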
Line 115: Line 147:
 |''​ |''​
 config '​include'​ config '​include'​
-        option '​path'​ '/etc/config/​firewall.user'​+        option '​path'​ '/​etc/​firewall.user'​
  
 config '​rule'​ config '​rule'​
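Review bot: the include path correction (`/etc/firewall.user` instead of `/etc/config/firewall.user`) is right; that is where the OpenWrt firewall expects the user rules script. Before telling readers to add this `config 'include'` stanza, have them check whether the stock /etc/config/firewall already contains it, since a second include runs /etc/firewall.user twice and duplicates every rule.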
Line 157: Line 189:
 # Create a folder called example VirtualNet in C:/Program Files # Create a folder called example VirtualNet in C:/Program Files
  
-Download ca.crt client.crt client.key dh1024.pem +Download ​''​ca.crt'',​ ''​client.crt'',​ ''​client.key'',​ and ''​dh1024.pem'' ​located in ''/​etc/​easy-rsa/​keys/''​ on the router, and place them in the VirtualNet dir
-located in ''/​etc/​easy-rsa/​keys/''​ on the router, and place them in the VirtualNet dir+
  
 # Open up a text editor and add the following lines... # Open up a text editor and add the following lines...
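Review bot: the client download list (`ca.crt`, `client.crt`, `client.key`, `dh1024.pem`) should drop `dh1024.pem`; Diffie-Hellman parameters are used only by the server and the Windows client config that follows never references them. `client.key` is the client's private key, so the text should say to move it with SFTP/SCP (the sftp server installed in the certificate section) rather than over a plain-text channel, and if the `build-key-pkcs12` step was used a single `client.p12` replaces the three PEM files.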
Line 178: Line 209:
 persist-tun persist-tun
 persist-key persist-key
-verb 3''​|+verb 3 
 +''​|
  
 ===== Client Usage GNU/Linux - Download OpenVPN ===== ===== Client Usage GNU/Linux - Download OpenVPN =====
Line 206: Line 238:
   *It seems like Windows Vista 64 does not like the tun/tap driver from the client package;\\ So we need to download the entire OpenVPN pack including Server & Client from http://​openvpn.net/​index.php/​open-source/​downloads.html \\Choose Windows Installer   *It seems like Windows Vista 64 does not like the tun/tap driver from the client package;\\ So we need to download the entire OpenVPN pack including Server & Client from http://​openvpn.net/​index.php/​open-source/​downloads.html \\Choose Windows Installer
  
-===== Client Usage Android / MacOS X / iOS / ... =====+===== Client Usage on Android ​===== 
 + 
 +  - Install and run the __OpenVPN for Android__ by Arne Schwabe (http://​goo.gl/​1Gu0sm).  
 +  - Copy the ''​client.p12''​ file to your SD card or internal memory. 
 +  - Create a new profile. Under "​Basic"​ settings, supply your router'​s WAN [[http://​www.whatsmyip.org/​|IP address or server address]] and disable "LZO Compression."​ Choose "​PKCS12 File" under "​Type"​ and select ''​client.p12''​ file. Enter your key's password under "​PKCS12 Password"​ to have it automatically log in. 
 + 
 +Note: You may need to install tun.ko using the __TUN.ko Installer__ (http://​goo.gl/​mFX8v). ​ tun.ko may also be compiled into your kernel in which case the tun.ko module is not necessary on your Android device. 
 + 
 +===== Client Usage MacOS X / iOS / ... =====
 TODO TODO
  
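Review bot: in the new Android steps, the goo.gl short links hide where the APKs come from; link the Play Store or F-Droid listing for OpenVPN for Android directly so readers can check the publisher before installing. Two points on steps 2 and 3: external storage / the SD card is readable by every app on the device, so tell readers to delete client.p12 from it once the profile has been created; and storing the PKCS12 password in the profile "to have it automatically log in" removes the protection the passphrase was added for, so leave it blank and enter it on connect unless the device itself is locked. The split-off "Client Usage MacOS X / iOS / ..." heading still reads TODO.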
inbox/vpn.howto.1346920676.txt.bz2 · Last modified: 2012/09/06 10:37 (external edit)