
Thread: HowTo install OpenVPN server

  1. #1

    HowTo install OpenVPN server

    =========================================================
    NOTES:
    I do not take any credit for most of the information written herein. I just collected (copy & paste) most of the information and adapted it to be executed on an Asus WL-500g device.

    This is a simple setup that has a limited scalability -- one client, one server.

    This HowTo is oriented to create a VPN connection between an Asus WL-500g device and a Windows XP client.

    ASSUMPTIONS:
    i.- firmware: Oleg 1.9.2.7-7b
    ii.- root file system on the external USB drive
    iii.- telnet/ssh daemon installed and active
    iv.- nano editor installed

    SOURCES:
    i.- http://openvpn.net
    ii.- http://www.sprayfly.com/wiki/User_talk:Jonolumb
    iii.- This forum
    =========================================================

    CONFIGURING THE CLIENT (Windows XP)
    Download from http://openvpn.se/download.html openvpn-2.0.7-gui-1.0.3-install.exe which will install both OpenVPN and a Windows GUI. Install everything.
    During the installation you will be prompted about authentication of drivers to be installed. You should accept it.

    Open "network connections" and rename the connection recently created from "Local Area Connection x" to "tun0" (it should have "TAP-Win32 Adapter V8 (coLinux)" as NIC)

    Open a dos-prompt window
    C:
    cd \Program Files\OpenVPN\config
    openvpn --genkey --secret static.key


    create a txt file called "client.ovpn" and add the following information:
    remote myremote.mydomain
    dev tun0
    ifconfig 10.8.0.2 10.8.0.1
    secret static.key
    keepalive 10 60


    where myremote.mydomain is the WAN ip address or host name of your Asus WL-500g router.


    Install OpenVPN package on WL-500g

    ipkg -force-depends install openvpn

    Check for message:
    Warning: Cannot satisfy the following dependencies for openvpn: kernel-module-tun

    But warning can be disregarded, tun is already included in Oleg's firmware.


    Create the TUN device node
    (users report these two lines below are not necessary any longer. They give error messages. See comment #9)

    mkdir /dev/net
    mknod /dev/net/tun c 10 200



    Load the TUN/TAP kernel module

    insmod tun


    Enable routing

    echo 1 > /proc/sys/net/ipv4/ip_forward


    Configuring VPN Server

    cd /opt/etc/openvpn
    nano server.conf

    (add following lines)
    dev tun0
    ifconfig 10.8.0.1 10.8.0.2
    secret static.key

    (exit editor)
    ^O ^X


    Copy via FTP the file static.key from WinXP client folder C:\Program Files\OpenVPN\config to Asus wl500g directory /opt/etc/openvpn


    Add firewall rules

    cd /usr/local/sbin
    nano post-firewall

    #!/bin/sh
    #OpenVPN access from WAN
    iptables -D INPUT -j DROP
    iptables -I INPUT -p udp --dport 1194 -j ACCEPT
    iptables -t nat -I PREROUTING -i eth1 -p udp --dport 1194 -j DNAT --to-destination $4:1194
    iptables -A INPUT -j DROP

    iptables -I INPUT -i tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -j ACCEPT
    iptables -I FORWARD -o tun0 -j ACCEPT
    iptables -I OUTPUT -o tun0 -j ACCEPT


    (exit editor)
    ^O ^X

    NOTES:
    With WL-500gP eth1 shall be changed to vlan1 and $4 to router's LAN gateway (192.168.1.1)


    Start OpenVPN server manually
    /sbin/insmod tun
    /opt/sbin/openvpn --cd /opt/etc/openvpn --daemon \
    --log-append /var/log/openvpn.log \
    --config server.conf


    If you want to try the OpenVPN server at this point, without setting up an autostart, you should execute all the iptables commands written above by copying and pasting them at the Asus wl500g prompt, and then jump to the next point, called "Trying the VPN tunnel".


    Autostart
    To automatically start the OpenVPN server processes at boot time:

    nano /opt/etc/init.d/S24openvpn

    #!/bin/sh

    if [ -n "`pidof openvpn`" ]; then
        /bin/killall openvpn 2>/dev/null
    fi

    # load TUN/TAP kernel module
    /sbin/insmod tun

    # enable IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Startup VPN tunnel in daemon mode
    /opt/sbin/openvpn --cd /opt/etc/openvpn --daemon \
    --log-append /var/log/openvpn.log \
    --config server.conf


    (exit editor)
    ^O ^X


    Save and Reboot
    chmod +x /opt/etc/init.d/S24openvpn
    flashfs save
    flashfs commit
    flashfs enable
    reboot



    Trying the VPN tunnel
    Execute file client.ovpn in Windows XP (C:\Program Files\OpenVPN\config). A DOS window will appear. Pay attention to message "Initialization Sequence Completed". This message indicates that the VPN connection has been established. (Do not close the DOS window! If you close the DOS window you will close the VPN connection)

    To test that everything works as it should, try to ping 10.8.0.1 from the client (Windows XP) and to ping 10.8.0.2 from the Asus WL-500g. You should get ping responses in both cases. If so, everything works!


    FINAL NOTES
    i) If you are running Windows XP/SP2 don't forget to add a rule in your Windows XP firewall to accept traffic on port 1194.
    ii) HowTo: Routing all client traffic through VPN tutorial available
    Last edited by Tamadite; 11-10-2009 at 00:05. Reason: Updating tutorial
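
The tunnel above only comes up when the two config files mirror each other and both sides hold the same static.key. The following check is an added example, not part of the original post: the helper names get_opt and check_pair are illustrative, and it assumes copies of server.conf, client.ovpn and static.key are available on one Unix-like machine such as the router.

```shell
#!/bin/sh
# Added example: consistency check for the one-client static-key setup.
# get_opt and check_pair are illustrative helper names, not OpenVPN tools.

# Print the arguments of the first line in file $2 whose directive is $1.
# A trailing CR is stripped so a client.ovpn saved on Windows parses too.
get_opt() {
    awk -v k="$1" '{ sub(/\r$/, "") }
        $1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# check_pair SERVER_CONF CLIENT_CONF KEY_FILE
# Prints one line per problem; returns 0 when the pair is consistent.
check_pair() {
    srv=$1; cli=$2; key=$3; rc=0

    # Tunnel endpoints must be mirrored: server "A B" <-> client "B A".
    set -- $(get_opt ifconfig "$srv"); s_local=$1; s_remote=$2
    set -- $(get_opt ifconfig "$cli"); c_local=$1; c_remote=$2
    if [ -z "$s_local" ] || [ -z "$c_local" ] ||
       [ "$s_local" != "$c_remote" ] || [ "$s_remote" != "$c_local" ]; then
        echo "ifconfig: endpoints missing or not mirrored"; rc=1
    fi

    # Both peers must use the same device type (tun or tap).
    s_dev=$(get_opt dev "$srv"); c_dev=$(get_opt dev "$cli")
    if [ -z "$s_dev" ] || [ "${s_dev%%[0-9]*}" != "${c_dev%%[0-9]*}" ]; then
        echo "dev: device type missing or different"; rc=1
    fi

    # Static-key mode needs a 'secret' directive on both sides.
    for f in "$srv" "$cli"; do
        [ -n "$(get_opt secret "$f")" ] || { echo "secret: missing in $f"; rc=1; }
    done

    # The shared key is the only credential: owner-only permissions.
    if [ ! -f "$key" ]; then
        echo "key: $key not found"; rc=1
    elif [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
        echo "key: $key is accessible to group or others"; rc=1
    fi
    return $rc
}

# Usage: sh check_pair.sh server.conf client.ovpn static.key
if [ "$#" -eq 3 ]; then check_pair "$@"; fi
```

A key file that fails the permission check can be fixed with chmod 600 on the router after it has been moved into /opt/etc/openvpn.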

  2. #2

    Sprayfly Guide now complete

    Hi there, you quoted http://www.sprayfly.com/wiki/User_talk:Jonolumb
    as a source in your OpenVPN guide.
    In fact, I was using the talk page to gather the key elements together for a mainstream guide. This has now been created thanks to 'Propa', another user on my Wiki, and can be found at http://www.sprayfly.com/wiki/OpenVPN. The new guide contains step by step instructions and goes into a great depth of detail. However, the talk page no longer contains the content that was referred to (unless you look at previous versions in the history).
    Cheers
    Jono
    Feel free to visit my WL-HDD/WL-500g wiki at http://www.sprayfly.com/wiki
    There are step by step guides on the installation and configuration of many optware packages as well as basic setup guides.

  3. #3
    Quote (originally posted by piezomotor):
    When I am trying to connect...

    Can you confirm the following:
    <<Open "network connections" and rename the connection recently created from "Local Area Connection x" to "tun0" (it should have "TAP-Win32 Adapter V8 (coLinux)" as NIC)>>

  4. #4
    Hi, I'm trying to install openvpn on asus. I stopped when you say: Copy via FTP the file static.key from WinXP client folder C:\Program Files\OpenVPN\config to Asus wl500g directory /opt/etc/openvpn


    Well, I enabled the ftp server in oleg firmware but when I type ftp://192.168.1.1 I find only the folders of the transmission and torrent. I can't find /opt/etc/openvpn.. can you help me please.. thank you

  5. #5
    Quote (originally posted by tex):
    Hi, I'm trying to install openvpn on asus. I stopped when you say: Copy via FTP the file static.key from WinXP client folder C:\Program Files\OpenVPN\config to Asus wl500g directory /opt/etc/openvpn


    Well, I enabled the ftp server in oleg firmware but when I type ftp://192.168.1.1 I find only the folders of the transmission and torrent. I can't find /opt/etc/openvpn.. can you help me please.. thank you

    Copy the file to one of those folders you get when you ftp and then from the asus console move the file with command "mv" to the correct folder.

  6. #6
    @Tamadite
    Thanks very much for the answer.. with "asus console" you mean the root of ASUS where I go with Putty? If yes, can you also tell me how to explore a directory (I mean "dir" of dos) and how to go inside a directory ("cd" of dos). Which is the correct instruction to move this file from one directory to the other?
    From my question you understand that I've never used this language... sorry for that and thanks again for your attention

  7. #7
    dir = ls
    cd.. = cd ..
    cd = cd

    if you want to "address" file in current directory, it is recommended to use ./file.ext instead of file.ext (put ./ in front of filename)

  8. #8
    Hey,

    I followed the whole tutorial (thanks for this), but my asus tells me after every start

    "Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    devfs_register(net/tun): could not append to parent, err: -17"
    after entering the dmesg command.

    Do you have an idea what the problem could be?

    thx

  9. #9
    Quote (originally posted by Quadronix):
    "Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    devfs_register(net/tun): could not append to parent, err: -17"
    after entering the dmesg command.

    I got the same error on Oleg's latest firmware. You should not invoke the following commands:
    mkdir /dev/net
    mknod /dev/net/tun c 10 200

    Only
    insmod tun
    is necessary.

    So you need to change the startup script accordingly.

  10. #10

    Problem with OpenVPN from WAN

    Hi guys,

    Thanks for the tutorial, I used this and the wlhdd.co.uk one, and I got OpenVPN working, at least sort of. I am using Ubuntu 9.04 on my machine, so I had to grab bits and pieces from other resources as well, but finally I got it working, at least on the LAN side. I can log in, no problem. But I cannot log in from the WAN side, and I don't really need it from the LAN side :-)

    So I am thinking it must be a firewall issue, but I configured the firewall exactly like described - and my rule for ssh works just fine.

    My question is whether there is anywhere else the error could be, other than the firewall, considering that it works from LAN?

    Thanks in advance.
    BR,
    René

  11. #11
    Why are you bumping? What makes you think that you are doing the correct thing? Delete your bump post so I can work on your answer.... otherwise good luck!

  12. #12
    thanks for this tutorial!!!
    Now I have a functional vpn between my Xp laptop and wl500gp.
    Behind my router I have an ubuntu desktop.
    How should I put my desktop in vpn?
    I have to install a vpn client in ubuntu or I have to bridge lan interface?
    I have to make other changes on router?
    Can you make a little tutorial?

    Thank you

  13. #13
    Quote (originally posted by mi5hu):
    thanks for this tutorial!!!
    Now I have a functional vpn between my Xp laptop and wl500gp.
    Behind my router I have an ubuntu desktop.
    How should I put my desktop in vpn?
    I have to install a vpn client in ubuntu or I have to bridge lan interface?
    I have to make other changes on router?
    Can you make a little tutorial?

    Thank you

    Hi!

    I am not sure what you are asking - do you want to know how to configure OpenVPN on Ubuntu? I can help you with that tomorrow if that is what you want.

    As a sidenote I did get my VPN connection working. By reconfiguring the server (server.conf), the firewall (post-firewall) and the client to TCP instead of UDP, I can connect to my home network from WAN. Anybody got an idea why UDP doesn't work? I didn't change port number or anything else.

    BR,
    René

  14. #14
    thank you for your answer,

    yes, a little help in configuring ubuntu will be appreciated

    my network architecture is:

    XP Laptop --- internet --- router(wl500g) --- Ubuntu Desktop

    I want to access Ubuntu Desktop from XP Laptop over VPN

  15. #15
    Aaah - I see, so your VPN connection between your outside XP pc and router is up and running, but you cannot access your ubuntu machine on the LAN side of the router. I actually cannot help you there as I have the same problems myself. On http://wlhdd.co.uk/wiki/OpenVPN it says to add the following to your server.conf:
    Code:
     push "route 192.168.0.0 255.255.255.0"
    However it does not work on my machine. I have also tried:
    Code:
     push "route 192.168.1.0 255.255.255.0"
    It seems more logical to me, but this does not work either. I can access the samba server on my router, but not any of the other machines on the LAN. I guess I have to look at the openVPN documentation to find out how to do this - stay tuned for an update to this.....

    BR,
    René
