
Thread: [Howto] Install and configure basic OpenVPN server for Oleg firmware

  1. #1

    [Howto] Install and configure basic OpenVPN server for Oleg firmware

    Introduction/Installing
    OpenVPN is one of the most useful tools that can be installed on the router (sad that it's not part of the firmware itself, and also not part of the excellent raas tutorial that I've re-used).
    OpenVPN is a complex topic and unfortunately I'm not in a position to introduce you to all its aspects. Basically, the server running on the router allows you to access the router (and other machines on the router's LAN) from a remote machine over the internet as if you were on the LAN (you have to have the OpenVPN client installed and properly configured on the remote machine though). Thus, in short, you can access the router e.g. from your relatives'/friends' place, from public WiFi hotspots or from your workplace (unless restricted).

    While installing OpenVPN is quite straightforward, it's not just ipkg install: you also have to generate keys, set up the firewall properly, etc.

    This tutorial helps you with that. In fact it's sufficient to run just one script that does everything for you (questions will be asked though):
    Code:
    #!/bin/sh
    #written by ecaddict, distributed (conveyed) under GPL version 3 or any later version
    #
    # usage: ./install.sh [PORT] [INSTANCE]
    #   PORT      TCP port the server listens on (default 563)
    #   INSTANCE  optional number/name suffix when running several servers
    
    PORT=${1:-563}
    VSNM=${2}
    CONFIG="/opt/etc/openvpn/server${VSNM}.conf"
    STARTS="/opt/etc/init.d/S20openvpn${VSNM}"
    RSAVAR="/opt/share/easy-rsa/vars"
    CKDIR="/mnt/protected"
    PFW="/usr/local/sbin/post-firewall"
    #user editable part end
    
    CONFD="${CONFIG%/*}"
    CONFF="${CONFIG##*/}"
    INITD="${STARTS%/*}"
    INITF="${STARTS##*/}"
    VARSD="${RSAVAR%/*}"
    VARSF="${RSAVAR##*/}"
    VKDIR="${CONFD}/easy-rsa/keys${VSNM}"
    TUNIF="tun0"
    
    ipkg install openssl lzo net-tools easy-rsa psmisc openvpn
    
    export EASY_RSA=${VARSD}
    #creating certificates (if needed)
    if [ ! -d "${VKDIR}" ]; then
      if [ -d "${VARSD}" ]; then
        cd ${VARSD} || exit 1
        [ -f ${VARSF}.old ] || cp ${VARSF} ${VARSF}.old
        echo -e "\033[1;32mSeveral questions will be asked that will be reflected in the keys\033[0m"
        echo -e "for private use your answer does not matter. \nSave previously generated keys from ${VARSD}/keys (if any)."
        echo -e "\033[1;32mType the number of clients you need keys for and press Enter\033[0m to continue."
        echo -e "Guess your number of clients well, as generating keys (and generating them again) takes time."
        read CKEYN; CKEYN=${CKEYN:-1}; [ "${CKEYN}" -gt 9 ] && CKEYN=9
        # busybox /bin/sh has no "source" builtin; "." is the POSIX spelling.
        # vars must be read before clean-all and the build-* scripts, otherwise
        # each of them stops with "Please source the vars script first".
        . ${RSAVAR}
        ./clean-all
        echo -e "\033[1;32mGenerating CA key\033[0m"
        ./build-ca
        echo -e "\033[1;32mGenerating Diffie-Hellman parameters\033[0m"
        ./build-dh
        echo -e "\033[1;32mGenerating Server key \033[0m" && ./build-key-server server
        I=0; while [ ${I} -lt "${CKEYN}" ]; do
          I=$((I+1))
          # plain client certificate. Do NOT pass --inter here: that builds an
          # intermediate CA (CA:TRUE), and a client holding a CA key could sign
          # further certificates that the server would trust.
          echo -e "\033[1;32mGenerating keys for client ${I}\033[0m" && ./pkitool --interact client0${I}
        done
        mkdir -p ${VKDIR}
        mv ./keys/server* "${VKDIR}"
        mv ./keys/ca* "${VKDIR}"
        mv ./keys/dh1024.pem "${VKDIR}"
        mv ./keys/client* "${VKDIR}" #temporally
        chmod 600 ${VKDIR}/*.key   #private keys: owner only
      else
        echo -e "\033[1;31mDirectory ${VARSD} does not exist\033[0m"
        exit 1
      fi
    else
      echo -e "\033[1;33mThe directory ${VKDIR} exists, no keys are generated.\033[0m"
    fi
    
    #server configuration (a previous one is kept as .old)
    mkdir -p ${CONFD} && cd ${CONFD} || exit 1
    [ -f ${CONFF} ] && [ ! -f ${CONFF}.old ] && mv ${CONFF} ${CONFF}.old
    cat > ${CONFF} << __EOF__
    port ${PORT}
    proto tcp
    dev tun
    ca ${VKDIR}/ca.crt
    cert ${VKDIR}/server.crt
    key ${VKDIR}/server.key
    dh ${VKDIR}/dh1024.pem
    
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "route 192.168.1.0 255.255.255.0"
    duplicate-cn
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    __EOF__
    
    #bundle for the clients: CA certificate plus each client's certificate and key.
    #It contains private keys, so keep it as restricted as the keys themselves.
    mkdir -p ${CKDIR}
    tar -cvzf ${CKDIR}/vpnkeys${VSNM}.tar.gz ${VKDIR}/ca.crt ${VKDIR}/client0?.crt ${VKDIR}/client0?.key
    chmod 600 ${CKDIR}/vpnkeys${VSNM}.tar.gz
    
    #init script (a previous one is kept as old.*)
    cd ${INITD} || exit 1
    [ -f ${INITF} ] && [ ! -f old.${INITF} ] && mv ${INITF} old.${INITF}
    cat > ${INITF} << __EOF__
    #!/bin/sh
    #
    # Startup script for openvpn as standalone server
    #
    PREFIX="/opt"
    PORT=${PORT}
    NAME=openvpn
    PFILE="/opt/var/run/vpnserver${VSNM}.pid"
    OPTS="--daemon --cd /opt/etc/openvpn --log-append /opt/var/log/openvpn.log --config ${CONFF} --writepid \${PFILE}"
    
    # Make sure IP forwarding is enabled
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    # Make device if not present (not devfs)
    if [ ! -c /dev/net/tun ]; then
      # Make /dev/net directory if needed
      [ -d /dev/net ] || mkdir -m 755 /dev/net
      mknod /dev/net/tun c 10 200
    fi
    
    # Make sure the tunnel driver is loaded
    if ! lsmod | grep -q "^tun"; then
      insmod tun
    fi
    
    if [ -z "\$1" ] ; then
        case \`echo "\$0" | sed 's:^.*/\(.*\):\1:g'\` in
            S??*) rc="start" ;;
            K??*) rc="stop" ;;
            *) rc="usage" ;;
        esac
    else
        rc="\$1"
    fi
    
    case "\$rc" in
        start)
            echo "Starting: \$NAME"
            \${PREFIX}/sbin/\${NAME} \$OPTS
            # open the server port on the WAN interface only
            iptables -I INPUT -i \`nvram get wan_ifname\` -p tcp --dport \$PORT -j ACCEPT
            ;;
        stop)
            if [ -f \${PFILE} ] ; then
              kill \`cat \${PFILE}\` >/dev/null 2>&1
              rm -f \${PFILE}
              iptables -D INPUT -i \`nvram get wan_ifname\` -p tcp --dport \$PORT -j ACCEPT
            else
              killall "\$NAME"
            fi
            ;;
        restart)
            "\$0" stop
            sleep 1
            "\$0" start
            ;;
        *)
            echo "Usage: \$0 (start|stop|restart|usage)"
            ;;
    esac
    
    __EOF__
    
    #firewall: accept everything through the tunnel interface(s); with several
    #instances match tun+ instead of tun0. The rules are applied now and added to
    #the post-firewall hook so they survive a reboot.
    [ -n "$2" ] && TUNIF="tun+"
    if [ ! -f ${PFW} ]; then
      echo "#!/bin/sh" > ${PFW}
      chmod +x ${PFW}
    fi
    if [ -z "`sed -n 's/-i '${TUNIF}' -j ACCEPT/&/p' ${PFW}`" ]; then
    cat >> ${PFW} << __EOF__
    iptables -I INPUT -i ${TUNIF} -j ACCEPT
    iptables -I FORWARD -i ${TUNIF} -j ACCEPT
    iptables -I FORWARD -o ${TUNIF} -j ACCEPT
    iptables -I OUTPUT -o ${TUNIF} -j ACCEPT
    __EOF__
      iptables -I INPUT -i ${TUNIF} -j ACCEPT
      iptables -I FORWARD -i ${TUNIF} -j ACCEPT
      iptables -I FORWARD -o ${TUNIF} -j ACCEPT
      iptables -I OUTPUT -o ${TUNIF} -j ACCEPT
      flashfs save && flashfs commit && flashfs enable
    fi
    
    chmod u+x ${INITF}
    ${STARTS} start
    The script will ask how many client keys should be generated (max 9) and the typical questions for the keys, like your location etc. Answer as you wish, but you have to answer y (yes) to the "sign the certificate" and "commit" questions.

    There are the following typical options for the OpenVPN server port:
    1194, 443 or 563
    While 1194 is the well-known port for OpenVPN, some restrictive firewalls don't allow this port, so you may need to use 563, which is typically allowed (and is what the script uses), or 443 (the https port). If you plan to use port 443, it means that you cannot use it for lighttpd, which is not nice.

    If you wish to use some other port, start the script with the port as argument: ./install.sh <port>.
    If you plan to start multiple server instances, you not only have to give them different ports but also a different number or name each, like ./install.sh <port> <number/name>.

    You can download the OpenVPN client from http://openvpn.net/index.php/open-source/downloads.html
    Learn more about OpenVPN:
    http://linux.die.net/man/8/openvpn
    http://openvpn.net/index.php/open-so...ion/howto.html

    The generated client keys are copied to /mnt/protected/
    On Windows you need the following keys (taken from the router):
    C:\Program Files\OpenVPN\config\ca.crt
    C:\Program Files\OpenVPN\config\client.crt
    C:\Program Files\OpenVPN\config\client.key


    If you use port 563/443 then you probably have to set the proxy in the client as well (proxy IP and typically port 8080).
    (Note: if your proxy uses NTLM authentication you have to run openvpn.exe as admin, as the GUI has some issue, with --config pointing to the .ovpn file containing
    http-proxy yourproxyIP 8080 stdin ntlm; alternatively use cntlm http://cntlm.sourceforge.net/)

    Here are some snapshots from the example run I've made:
    [Screenshot: CAkey.png]
    [Screenshot: SKey.png]
    [Screenshot: Skeyq.png]

    You can download and run the script from here: install.tar.gz

    If you're fine with the default parameters (single server, port: 563), you can paste the following line to your terminal (single line install).
    Code:
    cd /tmp && wget -O install.tar.gz "http://wl500g.info/attachment.php?attachmentid=8371&d=1318414980" && tar xvzf install.tar.gz && ./install.sh
    By default the starter script is
    /opt/etc/init.d/S20openvpn

    The config file is:
    /opt/etc/openvpn/server.conf

    The keys are located in:
    /opt/etc/openvpn/easy-rsa/keys/
    Last edited by ecaddict; 22-10-2011 at 08:09. Reason: fixed /opt/var/log instead of /var/log
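
Once install.sh has finished, two things are worth doing before handing out vpnkeys.tar.gz: verifying that the files in the keys directory are what their names claim, and writing a client profile that matches server.conf. The first matters because easy-rsa's pkitool builds several kinds of certificate from the same PKI (a root CA with --initca, a server certificate with --server, an intermediate CA with --inter, a plain client certificate with no flag), the server trusts anything that chains to ca.crt, and a "client" file that is really a CA certificate lets its holder mint further identities. The script below is an added example for this thread, not part of ecaddict's install.sh or of easy-rsa; it assumes the easy-rsa 2.0 file names used above (ca.crt, server.crt, client0N.crt/.key), the openssl command-line tool (installed by the ipkg line) and a stat that accepts -c %a (busybox and GNU do). The script name vpnkeycheck.sh, its function names and the host names in the usage note are this example's own.

```shell
#!/bin/sh
# vpnkeycheck.sh - post-install checks for the easy-rsa output of install.sh
# and a matching client profile.  Added example for this thread, not part of
# the original script.  Assumes easy-rsa 2.0 file names (ca.crt, server.crt,
# client0N.crt/.key), the openssl CLI, and stat -c %a (busybox/GNU).

# Read the output of `openssl x509 -noout -text` on stdin and print what
# kind of certificate it is:
#   ca      basicConstraints CA:TRUE (root CA, or an intermediate CA such
#           as `pkitool --inter` produces)
#   server  extendedKeyUsage serverAuth or nsCertType server
#           (what build-key-server / `pkitool --server` produce)
#   client  neither of the above
classify_cert_text() {
    cert_text=$(cat)
    case "$cert_text" in
        *CA:TRUE*)                                        echo ca ;;
        *"TLS Web Server Authentication"*|*"SSL Server"*) echo server ;;
        *)                                                echo client ;;
    esac
}

# Print the RSA modulus size found in the same text, nothing if absent.
# Old openssl prints "RSA Public Key: (1024 bit)", newer "Public-Key: (2048 bit)".
key_bits_from_text() {
    sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Audit a keys directory: each .crt must be the kind its name says, each .key
# must be readable by its owner only.  One line per finding; returns 1 on FAIL.
audit_keys() {
    keydir=$1
    rc=0
    for crt in "$keydir"/*.crt; do
        [ -f "$crt" ] || continue
        name=$(basename "$crt" .crt)
        text=$(openssl x509 -in "$crt" -noout -text)
        kind=$(printf '%s\n' "$text" | classify_cert_text)
        bits=$(printf '%s\n' "$text" | key_bits_from_text)
        case "$name" in
            ca)     want=ca ;;
            server) want=server ;;
            *)      want=client ;;
        esac
        if [ "$kind" != "$want" ]; then
            echo "FAIL $crt: is a $kind certificate, expected $want"
            rc=1
        fi
        if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
            echo "WARN $crt: $bits-bit key (easy-rsa default KEY_SIZE=1024)"
        fi
    done
    for key in "$keydir"/*.key; do
        [ -f "$key" ] || continue
        mode=$(stat -c %a "$key" 2>/dev/null)
        case "$mode" in
            600|400) ;;
            *) echo "FAIL $key: mode ${mode:-?}, private keys should be 0600"; rc=1 ;;
        esac
    done
    return $rc
}

# Print a client profile matching the server.conf written by install.sh: TCP on
# the chosen port, comp-lzo on both ends, certificate files beside the profile.
# remote-cert-tls makes the client refuse a peer whose certificate lacks the
# serverAuth EKU, so a leaked client key cannot be used to impersonate the server.
# PROXY is an optional "host:port" for networks that only allow HTTP proxy egress.
client_ovpn() {
    cname=$1; host=$2; port=$3; proxy=$4
    cat <<EOF
client
dev tun
proto tcp-client
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert $cname.crt
key $cname.key
remote-cert-tls server
comp-lzo
verb 3
EOF
    if [ -n "$proxy" ]; then
        echo "http-proxy ${proxy%:*} ${proxy##*:}"
        echo "http-proxy-retry"
    fi
}

if [ $# -gt 0 ]; then
    case "$1" in
        audit)  audit_keys "${2:-/opt/etc/openvpn/easy-rsa/keys}" ;;
        client) client_ovpn "$2" "$3" "${4:-563}" "$5" ;;
        *)      echo "usage: $0 audit [KEYDIR] | client NAME HOST [PORT] [PROXYHOST:PORT]" >&2; exit 2 ;;
    esac
fi
```

`./vpnkeycheck.sh audit` prints one FAIL or WARN line per finding and exits non-zero if anything failed; `./vpnkeycheck.sh client client01 your.dyndns.host 563 proxy.example.net:8080 > client01.ovpn` writes a profile to drop next to ca.crt, client01.crt and client01.key in the client's config directory. remote-cert-tls only works because build-key-server marks server.crt with the serverAuth extended key usage (and nsCertType server) from easy-rsa's openssl.cnf; without the option, any holder of a valid client certificate could pose as the server to the other clients.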

  2. #2

    Accessing Samba share and SWAT via OpenVPN

    Accessing Samba share and SWAT (Samba Web Administration Tool) via OpenVPN

    For this you have to change some configuration files. Maybe I'll script it later on but it's really simple.

    /opt/etc/samba/smb.conf
    Make sure that in the [global] section you allow 10.8.0.0, that is, you have something like this for hosts allow:

    Code:
    hosts allow = 192.168.1. 10.8.0.0/24
    After restarting Samba (with /opt/etc/init.d/S80samba) or restarting the router you can access the share.

    Browsing does not work (so you have to know the name of your share), the reasons are beyond the depth of this tutorial.

    So in windows you can use map network drive e.g. for mnt share
    \\10.8.0.1\mnt
    or
    \\192.168.1.1\mnt (especially with Samba3)
    (the second works if route was successfully pushed via OpenVPN client, which e.g. with Windows 7 may require "Run as administrator" for OpenVPN client).

    In Total Commander you can just change to the share, e.g. (Samba is not too fast if you don't have a fast network connection, but it works)
    cd \\10.8.0.1\mnt

    Accessing SWAT requires some more change, you have to edit the file:
    /opt/etc/xinetd.d/swat

    making sure that it contains 10.8.0.0/24, i.e. a line something like this:
    Code:
    only_from = localhost 192.168.1.0/24 10.8.0.0/24
    After restarting xinetd (/opt/etc/init.d/S10xinetd) or the router you can access SWAT from your web browser via:
    http://10.8.0.1:901
    or
    http://192.168.1.1:901 (especially with Samba3)
    Last edited by ecaddict; 30-09-2011 at 09:59. Reason: Added Samba/SWAT access

  3. #3
    Hey,
    I'm trying to install OpenVPN on my Asus WL-500gP (v1) with an attached USB HDD, but I'm stuck on generating keys with easy-rsa.
    It's running Oleg 1.9.2.7-10.

    ./install.sh
    Package openssl (0.9.7m-6) installed in root is up to date.
    Package lzo (2.03-1) installed in root is up to date.
    Package net-tools (1.60-6) installed in root is up to date.
    Package easy-rsa (2.0rc1SAN-3) installed in root is up to date.
    Package psmisc (22.13-1) installed in root is up to date.
    Package openvpn (2.2.0-1) installed in root is up to date.
    Nothing to be done
    Several questions will be asked that will be reflected in the keys
    for private use your answer does not matter.
    Save previously generated keys from /opt/share/easy-rsa/keys (if any).
    Type the number of clients you need keys for and press Enter to continue.
    Guess your number of clients well as it takes time both to generate and generate keys again.
    1
    Please source the vars script first (i.e. "source ./vars")
    Make sure you have edited it to reflect your configuration.
    ./install.sh: ./install.sh: 55: source: not found
    Generating CA key
    Please edit the vars script to reflect your configuration,
    then source it with "source ./vars".
    Next, to start with a fresh PKI configuration and to delete any
    previous certificates and keys, run "./clean-all".
    Finally, you can run this tool (pkitool) to build certificates/keys.
    Generating Diffie-Hellman parameters
    Please source the vars script first (i.e. "source ./vars")
    Make sure you have edited it to reflect your configuration.
    Generating Server key
    Please edit the vars script to reflect your configuration,
    then source it with "source ./vars".
    Next, to start with a fresh PKI configuration and to delete any
    previous certificates and keys, run "./clean-all".
    Finally, you can run this tool (pkitool) to build certificates/keys.
    Generating keys for client 1
    Please edit the vars script to reflect your configuration,
    then source it with "source ./vars".
    Next, to start with a fresh PKI configuration and to delete any
    previous certificates and keys, run "./clean-all".
    Finally, you can run this tool (pkitool) to build certificates/keys.
    cannot stat `./keys/server*': No such file or directory
    cannot stat `./keys/ca*': No such file or directory
    cannot stat `./keys/dh1024.pem': No such file or directory
    cannot stat `./keys/client*': No such file or directory
    tar: /opt/etc/openvpn/easy-rsa/keys/client0?.key: No such file or directory
    tar: /opt/etc/openvpn/easy-rsa/keys/client0?.crt: No such file or directory
    tar: /opt/etc/openvpn/easy-rsa/keys/ca.crt: No such file or directory
    tar: Error exit delayed from previous errors
    Starting: openvpn

    easy-rsa vars : /opt/share/easy-rsa
    # easy-rsa parameter settings

    # NOTE: If you installed from an RPM,
    # don't edit this file in place in
    # /usr/share/openvpn/easy-rsa --
    # instead, you should copy the whole
    # easy-rsa directory to another location
    # (such as /etc/openvpn) so that your
    # edits will not be wiped out by a future
    # OpenVPN package upgrade.

    # This variable should point to
    # the top level of the easy-rsa
    # tree.
    export EASY_RSA="/opt/share/easy-rsa"

    #
    # This variable should point to
    # the requested executables
    #
    export OPENSSL="openssl"
    #export PKCS11TOOL="pkcs11-tool" - uncommented as I don't have it; is it even available and required? (README said it can be uncommented)
    export GREP="grep"


    # This variable should point to
    # the openssl.cnf file included
    # with easy-rsa.
    export KEY_CONFIG=`/opt/share/easy_rsa/openssl.cnf` <--- changed this to openssl.cnf from whichopensslcnf (tested both) as README said

    # Edit this variable to point to
    # your soon-to-be-created key
    # directory.
    #
    # WARNING: clean-all will do
    # a rm -rf on this directory
    # so make sure you define
    # it correctly!
    export KEY_DIR="/opt/etc/openvpn/easy_rsa/keys"

    # Issue rm -rf warning
    echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

    # Increase this to 2048 if you
    # are paranoid. This will slow
    # down TLS negotiation performance
    # as well as the one-time DH parms
    # generation process.
    export KEY_SIZE=1024

    # In how many days should the root CA key expire?
    export CA_EXPIRE=3650

    # In how many days should certificates expire?
    export KEY_EXPIRE=3650

    # These are the default values for fields
    # which will be placed in the certificate.
    # Don't leave any of these fields blank.
    export KEY_COUNTRY="US"
    export KEY_PROVINCE="CA"
    export KEY_CITY="SanFrancisco"
    export KEY_ORG="Fort-Funston"
    export KEY_EMAIL="me@myhost.mydomain"
    any idea what is wrong with my config ?

  4. #4
    Quote Originally Posted by seb101
    Hey,
    I'm trying to install OpenVPN on my Asus WL-500gP (v1) with an attached USB HDD, but I'm stuck on generating keys with easy-rsa.
    It's running Oleg 1.9.2.7-10.
    [...]
    easy-rsa vars : /opt/share/easy-rsa
    [...]
    any idea what is wrong with my config ?
    replace this line within script:

    source ${RSAVAR}
    with this:

    . ${RSAVAR}
    It worked for me.

  5. #5
    I've got the same problem.
    Tried replacing the line suggested in the post above - didn't help.

    Code:
    install.sh
    Package openssl (0.9.7m-6) installed in /opt/ is up to date.
    Package lzo (2.03-1) installed in /opt/ is up to date.
    Package net-tools (1.60-6) installed in /opt/ is up to date.
    Package easy-rsa (2.0rc1SAN-3) installed in /opt/ is up to date.
    Package psmisc (22.13-1) installed in /opt/ is up to date.
    Package openvpn (2.2.0-1) installed in /opt/ is up to date.
    Nothing to be done
    Successfully terminated.
    Several questions will be asked that will be reflected in the keys
    for private use your answer does not matter.
    Save previously generated keys from /opt/share/easy-rsa/keys (if any).
    Type the number of clients you need keys for and press Enter to continue.
    Guess your number of clients well as it takes time both to generate and generate keys again.
    3
    Please source the vars script first (i.e. "source ./vars")
    Make sure you have edited it to reflect your configuration.
    NOTE: If you run ./clean-all, I will be doing a rm -rf on /opt/share/easy-rsa/keys
    Generating CA key
      Please edit the vars script to reflect your configuration,
      then source it with "source ./vars".
      Next, to start with a fresh PKI configuration and to delete any
      previous certificates and keys, run "./clean-all".
      Finally, you can run this tool (pkitool) to build certificates/keys.
    Generating Diffie-Hellman parameters
    Please source the vars script first (i.e. "source ./vars")
    Make sure you have edited it to reflect your configuration.
    Generating Server key
      Please edit the vars script to reflect your configuration,
      then source it with "source ./vars".
      Next, to start with a fresh PKI configuration and to delete any
      previous certificates and keys, run "./clean-all".
      Finally, you can run this tool (pkitool) to build certificates/keys.
    Generating keys for client 1
      Please edit the vars script to reflect your configuration,
      then source it with "source ./vars".
      Next, to start with a fresh PKI configuration and to delete any
      previous certificates and keys, run "./clean-all".
      Finally, you can run this tool (pkitool) to build certificates/keys.
    Generating keys for client 2
      Please edit the vars script to reflect your configuration,
      then source it with "source ./vars".
      Next, to start with a fresh PKI configuration and to delete any
      previous certificates and keys, run "./clean-all".
      Finally, you can run this tool (pkitool) to build certificates/keys.
    Generating keys for client 3
      Please edit the vars script to reflect your configuration,
      then source it with "source ./vars".
      Next, to start with a fresh PKI configuration and to delete any
      previous certificates and keys, run "./clean-all".
      Finally, you can run this tool (pkitool) to build certificates/keys.
    cannot stat `./keys/server*': No such file or directory
    cannot stat `./keys/ca*': No such file or directory
    cannot stat `./keys/dh1024.pem': No such file or directory
    cannot stat `./keys/client*': No such file or directory
    tar: /opt/etc/openvpn/easy-rsa/keys/ca.crt: No such file or directory
    tar: /opt/etc/openvpn/easy-rsa/keys/client0?.crt: No such file or directory
    tar: /opt/etc/openvpn/easy-rsa/keys/client0?.key: No such file or directory
    tar: error exit delayed from previous errors
    Starting: openvpn
    Anyone knows what is causing this and how to fix it?

  6. #6
    Quote Originally Posted by ekze
    I've got the same problem.
    Tried replacing the line suggested in the post above - didn't help.
    Anyone knows what is causing this and how to fix it?
    Try
    Code:
    cp /opt/share/easy-rsa/* /opt/etc/openvpn/easy-rsa

  7. #7
    Can you please help me. I am trying to install the OpenVPN server but I am getting this error. I have already replaced the string "source ${RSAVAR}" with ". ${RSAVAR}", but still the same error.

    I have Oleg 1.9.2.7-10.

    Matej


    Code:
    [admin@WL-0018F33B6971 /tmp]$ ./install.sh
    Package openssl (0.9.7m-6) installed in /opt/ is up to date.
    Package lzo (2.03-1) installed in /opt/ is up to date.
    Package net-tools (1.60-6) installed in /opt/ is up to date.
    Package easy-rsa (2.0rc1SAN-3) installed in /opt/ is up to date.
    Package psmisc (22.13-1) installed in /opt/ is up to date.
    Package openvpn (2.2.0-1) installed in /opt/ is up to date.
    Nothing to be done
    Successfully terminated.
    Several questions will be asked that will be reflected in the keys
    for private use your answer does not matter.
    Save previously generated keys from /opt/share/easy-rsa/keys (if any).
    Type the number of clients you need keys for and press Enter to continue.
    Guess your number of clients well as it takes time both to generate and generate keys again.
    1
    Please source the vars script first (i.e. "source ./vars")
    Make sure you have edited it to reflect your configuration.
    NOTE: If you run ./clean-all, I will be doing a rm -rf on /opt/share/easy-rsa/keys
    Generating CA key
      Please edit the vars script to reflect your configuration,
      then source it with "source ./vars".
      Next, to start with a fresh PKI configuration and to delete any
      previous certificates and keys, run "./clean-all".
      Finally, you can run this tool (pkitool) to build certificates/keys.
    Generating Diffie-Hellman parameters
    Please source the vars script first (i.e. "source ./vars")
    Make sure you have edited it to reflect your configuration.
    Generating Server key
      Please edit the vars script to reflect your configuration,
      then source it with "source ./vars".
      Next, to start with a fresh PKI configuration and to delete any
      previous certificates and keys, run "./clean-all".
      Finally, you can run this tool (pkitool) to build certificates/keys.
    Generating keys for client 1
      Please edit the vars script to reflect your configuration,
      then source it with "source ./vars".
      Next, to start with a fresh PKI configuration and to delete any
      previous certificates and keys, run "./clean-all".
      Finally, you can run this tool (pkitool) to build certificates/keys.
    mv: unable to rename `./keys/server*': No such file or directory
    mv: unable to rename `./keys/ca*': No such file or directory
    mv: unable to rename `./keys/dh1024.pem': No such file or directory
    mv: unable to rename `./keys/client*': No such file or directory
    tar: /mnt/protected/vpnkeys.tar.gz: No such file or directory
    Starting: openvpn
