Introduction/Installing
OpenVPN is one of the most useful tools that can be installed on the router (it's a pity that it's not part of the firmware itself, nor of the excellent raas tutorial that I've re-used).
OpenVPN is a complex topic and unfortunately I'm not in a position to introduce you to all of its aspects. Basically, the server running on the router lets you reach the router (and other machines on the router's LAN) from a remote machine over the internet as if you were on the LAN (the remote machine needs an installed and properly configured OpenVPN client though). In short, you can access the router e.g. from your relatives'/friends' place, from public WiFi hotspots or from your workplace (unless restricted).
While installing OpenVPN is quite straightforward, it's not just an ipkg install: you also have to generate keys, set up the firewall properly, etc.
This tutorial helps you in that. In fact it's sufficient to run only a script that does everything for you (questions will be asked though):
The script will ask how many client keys to generate (max 9) and the usual certificate questions (your location etc.). Answer as you wish, but you must answer y (yes) to the "sign the certificate" and "commit" questions.
Code:
#!/bin/sh
#written by ecaddict, distributed (conveyed) under GPL version 3 or any later version
PORT=${1:-563}
VSNM=${2}
CONFIG="/opt/etc/openvpn/server${VSNM}.conf"
STARTS="/opt/etc/init.d/S20openvpn${VSNM}"
RSAVAR="/opt/share/easy-rsa/vars"
CKDIR="/mnt/protected"
#user editable part end
CONFD="${CONFIG%\/*}"
CONFF="${CONFIG##*/}"
INITD="${STARTS%\/*}"
INITF="${STARTS##*/}"
VARSD="${RSAVAR%\/*}"
VARSF="${RSAVAR##*/}"
VKDIR="${CONFD}/easy-rsa/keys${VSNM}"
TUNIF="tun0"
ipkg install openssl lzo net-tools easy-rsa psmisc openvpn
export EASY_RSA=${VARSD}
#creating certificates (if needed)
if [ ! -d "${VKDIR}" ]; then
  if [ -d "${VARSD}" ]; then
    cd ${VARSD} && [ ! -f ${VARSF}.old ] && cp ${VARSF} ${VARSF}.old
    echo -e "\033[1;32mSeveral questions will be asked that will be reflected in the keys\033[0m"
    echo -e "for private use your answer does not matter. \nSave previously generated keys from ${VARSD}/keys (if any)."
    echo -e "\033[1;32mType the number of clients you need keys for and press Enter\033[0m to continue."
    echo -e "Guess your number of clients well as it takes time both to generate and generate keys again."
    read CKEYN; CKEYN=${CKEYN:-1}; [ "${CKEYN}" -gt 9 ] && CKEYN=9
    ./clean-all
    source ${RSAVAR}
    echo -e "\033[1;32mGenerating CA key\033[0m"
    ./build-ca
    echo -e "\033[1;32mGenerating Diffie-Hellman parameters\033[0m"
    ./build-dh
    echo -e "\033[1;32mGenerating Server key \033[0m" && ./build-key-server server
    I=0; while [ ${I} -lt "${CKEYN}" ]; do
      let "I+=1"
      echo -e "\033[1;32mGenerating keys for client ${I}\033[0m" && ./pkitool --interact --inter client0${I}
    done
    # move the generated material to the per-instance key directory
    mkdir -p ${VKDIR}
    mv ./keys/server* "${VKDIR}"
    mv ./keys/ca* "${VKDIR}"
    mv ./keys/dh1024.pem "${VKDIR}"
    mv ./keys/client* "${VKDIR}" # temporarily
  else
    echo -e "\033[1;31mDirectory ${VARSD} does not exist\033[0m"
    exit 1
  fi
else
  echo -e "\033[1;33mThe directory ${VKDIR} exists, no keys are generated.\033[0m"
fi
# write the server configuration (backing up an existing one once)
cd ${CONFD} && [ ! -f ${CONFF}.old ] && mv ${CONFF} ${CONFF}.old
cat > ${CONFF} << __EOF__
port ${PORT}
proto tcp
dev tun
ca ${VKDIR}/ca.crt
cert ${VKDIR}/server.crt
key ${VKDIR}/server.key
dh ${VKDIR}/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
__EOF__
# bundle the client-side files for copying off the router
tar -cvzf ${CKDIR}/vpnkeys${VSNM}.tar.gz ${VKDIR}/ca.crt ${VKDIR}/client0?.crt ${VKDIR}/client0?.key
# write the init script (backing up an existing one once)
cd ${INITD} && [ ! -f old.${INITF} ] && mv ${INITF} old.${INITF}
cat > ${INITF} << __EOF__
#!/bin/sh
#
# Startup script for openvpn as standalone server
#
PREFIX="/opt"
PORT=${PORT}
NAME=openvpn
PFILE="/opt/var/run/vpnserver${VSNM}.pid"
OPTS="--daemon --cd /opt/etc/openvpn --log-append /opt/var/log/openvpn.log --config ${CONFF} --writepid \${PFILE}"
# Make sure IP forwarding is enabled
echo 1 > /proc/sys/net/ipv4/ip_forward
# Make device if not present (not devfs)
if ( [ ! -c /dev/net/tun ] ) then
  # Make /dev/net directory if needed
  if ( [ ! -d /dev/net ] ) then
    mkdir -m 755 /dev/net
  fi
  mknod /dev/net/tun c 10 200
fi
# Make sure the tunnel driver is loaded
if ( !(lsmod | grep -q "^tun") ); then
  insmod tun
fi
if [ -z "\$1" ] ; then
  case \`echo "\$0" | sed 's:^.*/\(.*\):\1:g'\` in
    S??*) rc="start" ;;
    K??*) rc="stop" ;;
    *) rc="usage" ;;
  esac
else
  rc="\$1"
fi
case "\$rc" in
  start)
    echo "Starting: \$NAME"
    \${PREFIX}/sbin/\${NAME} \$OPTS
    iptables -I INPUT -i \`nvram get wan_ifname\` -p tcp --dport \$PORT -j ACCEPT
    ;;
  stop)
    if [ -f \${PFILE} ] ; then
      kill \`cat \${PFILE}\` >/dev/null 2>&1
      rm -f \${PFILE}
      iptables -D INPUT -i \`nvram get wan_ifname\` -p tcp --dport \$PORT -j ACCEPT
    else
      killall "\$NAME"
    fi
    ;;
  restart)
    "\$0" stop
    sleep 1
    "\$0" start
    ;;
  *)
    echo "Usage: \$0 (start|stop|restart|usage)"
    ;;
esac
__EOF__
# open the tunnel interface(s) in the firewall, persistently, if not done already
[ -n "$2" ] && TUNIF="tun+"
if [ -z "`sed -n 's/-i '${TUNIF}' -j ACCEPT/&/p' /usr/local/sbin/post-firewall`" ]; then
  cat >> /usr/local/sbin/post-firewall << __EOF__
iptables -I INPUT -i ${TUNIF} -j ACCEPT
iptables -I FORWARD -i ${TUNIF} -j ACCEPT
iptables -I FORWARD -o ${TUNIF} -j ACCEPT
iptables -I OUTPUT -o ${TUNIF} -j ACCEPT
__EOF__
  iptables -I INPUT -i ${TUNIF} -j ACCEPT
  iptables -I FORWARD -i ${TUNIF} -j ACCEPT
  iptables -I FORWARD -o ${TUNIF} -j ACCEPT
  iptables -I OUTPUT -o ${TUNIF} -j ACCEPT
  flashfs save && flashfs commit && flashfs enable
fi
chmod u+x ${INITF}
${STARTS} start
There are the following typical options for the server port for OpenVPN:
1194 or 443 or 563
While 1194 is the well-known port for OpenVPN, some restrictive firewalls block it, so you may need to use 563 (typically allowed, and the script's default) or 443 (the https port). If you use port 443, lighttpd can no longer use it, which is not nice.
If you wish to use another port, start the script with the port as argument: ./install.sh <port>.
If you plan to run multiple server instances, each needs not only a different port but also a different number or name: ./install.sh <port> <number/name>.
You can download the OpenVPN client from http://openvpn.net/index.php/open-source/downloads.html
Learn more about OpenVPN:
http://linux.die.net/man/8/openvpn
http://openvpn.net/index.php/open-so...ion/howto.html
The generated client keys (ca.crt, client0N.crt, client0N.key) are copied to /mnt/protected/ as vpnkeys.tar.gz
On Windows you need the following keys (taken from the router):
C:\Program Files\OpenVPN\config\ca.crt
C:\Program Files\OpenVPN\config\client.crt
C:\Program Files\OpenVPN\config\client.key
If you use port 563/443 you probably also have to set the proxy in the client (the proxy IP and port, typically 8080).
(Note: if your proxy uses NTLM authentication you have to run openvpn.exe as admin with --config pointing at the .ovpn file that contains
http-proxy yourproxyIP 8080 stdin ntlm
because the GUI has some issue; alternatively use cntlm http://cntlm.sourceforge.net/)
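As an added example (not part of the original tutorial or its install script), a small POSIX sh function that turns the three files from vpnkeys.tar.gz into one self-contained client profile whose options mirror the server.conf the script writes (proto tcp, default port 563, comp-lzo) and that can carry the http-proxy line discussed above; the router hostname, the output file name and the proxy address are assumptions you pass in.

```shell
#!/bin/sh
# Added example: build a self-contained client .ovpn from the key bundle the
# install script saves as /mnt/protected/vpnkeys.tar.gz (ca.crt, client0N.crt,
# client0N.key). Options mirror the generated server.conf (proto tcp, comp-lzo,
# default port 563). Router host and proxy are caller-supplied assumptions.
# Usage: make_ovpn <keydir> <clientname> <router_host> [port] [proxy_ip:proxy_port]
make_ovpn() {
    keydir="$1"; client="$2"; host="$3"; port="${4:-563}"; proxy="$5"
    out="${keydir}/${client}.ovpn"
    # refuse to write a profile if any of the three PEM files is missing
    for f in ca.crt "${client}.crt" "${client}.key"; do
        [ -r "${keydir}/${f}" ] || { echo "missing ${keydir}/${f}" >&2; return 1; }
    done
    {
        echo "client"
        echo "dev tun"
        echo "proto tcp"                 # server.conf uses proto tcp
        echo "remote ${host} ${port}"
        echo "resolv-retry infinite"
        echo "nobind"
        echo "persist-key"
        echo "persist-tun"
        # accept only a peer certificate carrying the server extensions that
        # easy-rsa's build-key-server adds, so a client cert cannot pose as the server
        echo "remote-cert-tls server"
        echo "comp-lzo"                  # must match the server side
        echo "verb 3"
        # optional HTTP proxy, as needed on port 563/443 behind a proxy (usually :8080)
        [ -n "${proxy}" ] && echo "http-proxy ${proxy%:*} ${proxy#*:}"
        # inline the PEM material so a single file is copied to the client machine
        printf '<ca>\n';   cat "${keydir}/ca.crt";        printf '</ca>\n'
        printf '<cert>\n'; cat "${keydir}/${client}.crt"; printf '</cert>\n'
        printf '<key>\n';  cat "${keydir}/${client}.key"; printf '</key>\n'
    } > "${out}"
    chmod 600 "${out}"   # the profile now contains the private key
    echo "${out}"
}
```

Copy the resulting client01.ovpn into the OpenVPN config directory on the client instead of the three separate files.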
Here are some snapshots from the example run I've made:
You can download and run the script from here: install.tar.gz
If you're fine with the default parameters (single server, port: 563), you can paste the following line to your terminal (single line install).
Code:
cd /tmp && wget -O install.tar.gz "http://wl500g.info/attachment.php?attachmentid=8371&d=1318414980" && tar xvzf install.tar.gz && ./install.sh
By default the starter script is:
/opt/etc/init.d/S20openvpn
The config file is:
/opt/etc/openvpn/server.conf
The keys are located in:
/opt/etc/openvpn/easy-rsa/keys/