ecaddict
20-09-2011, 17:00
Introduction/Installing
OpenVPN is one of the most useful tools that can be installed on the router (sadly it's neither part of the firmware itself nor of the excellent raas tutorial that I've re-used: http://wl500g.info/showthread.php?t=23684).
OpenVPN is a complex topic and unfortunately I'm not in a position to introduce you to all aspects. Basically, the server running on the router allows you to access the router (and other machines on the router's LAN) from a remote machine over the internet as if you were on the LAN (the remote machine needs an OpenVPN client installed and properly configured, though). In short, you can reach the router e.g. from your relatives' or friends' place, from public WiFi hotspots or from your workplace (unless restricted).
Installing OpenVPN is quite straightforward, but it is not just an ipkg install: you also have to generate keys, set up the firewall properly, etc.
This tutorial helps you with that. In fact it's sufficient to run a single script that does everything for you (it will ask some questions, though):
#!/bin/sh
#written by ecaddict, distributed (conveyed) under GPL version 3 or any later version
PORT=${1:-563}                                  # server port, default 563
VSNM=${2}                                       # optional instance number/name
CONFIG="/opt/etc/openvpn/server${VSNM}.conf"
STARTS="/opt/etc/init.d/S20openvpn${VSNM}"
RSAVAR="/opt/share/easy-rsa/vars"
CKDIR="/mnt/protected"                          # where the client key bundle is written
#user editable part end
CONFD="${CONFIG%\/*}"
CONFF="${CONFIG##*/}"
INITD="${STARTS%\/*}"
INITF="${STARTS##*/}"
VARSD="${RSAVAR%\/*}"
VARSF="${RSAVAR##*/}"
VKDIR="${CONFD}/easy-rsa/keys${VSNM}"
TUNIF="tun0"
ipkg install openssl lzo net-tools easy-rsa psmisc openvpn
export EASY_RSA=${VARSD}
#creating certificates (if needed)
if [ ! -d "${VKDIR}" ]; then
    if [ -d "${VARSD}" ]; then
        cd ${VARSD} && [ ! -f ${VARSF}.old ] && cp ${VARSF} ${VARSF}.old
        echo -e "\033[1;32mSeveral questions will be asked that will be reflected in the keys\033[0m"
        echo -e "for private use your answer does not matter. \nSave previously generated keys from ${VARSD}/keys (if any)."
        echo -e "\033[1;32mType the number of clients you need keys for and press Enter\033[0m to continue."
        echo -e "Guess your number of clients well as it takes time both to generate and generate keys again."
        read CKEYN; CKEYN=${CKEYN:-1}; [ "${CKEYN}" -gt 9 ] && CKEYN=9
        ./clean-all
        . ${RSAVAR}
        echo -e "\033[1;32mGenerating CA key\033[0m"
        ./build-ca
        echo -e "\033[1;32mGenerating Diffie-Hellman parameters\033[0m"
        ./build-dh
        echo -e "\033[1;32mGenerating Server key \033[0m" && ./build-key-server server
        I=0; while [ ${I} -lt "${CKEYN}" ]; do
            I=$((I+1))
            echo -e "\033[1;32mGenerating keys for client ${I}\033[0m" && ./pkitool --interact --inter client0${I}
        done
        mkdir -p ${VKDIR}
        mv ./keys/server* "${VKDIR}"
        mv ./keys/ca* "${VKDIR}"
        mv ./keys/dh1024.pem "${VKDIR}"
        mv ./keys/client* "${VKDIR}" #temporarily, they are bundled for the clients below
    else
        echo -e "\033[1;31mDirectory ${VARSD} does not exist\033[0m"
        exit 1
    fi
else
    echo -e "\033[1;33mThe directory ${VKDIR} exists, no keys are generated.\033[0m"
fi
#server configuration (a previous one is kept as .old)
cd ${CONFD} && [ ! -f ${CONFF}.old ] && mv ${CONFF} ${CONFF}.old
cat > ${CONFF} << __EOF__
port ${PORT}
proto tcp
dev tun
ca ${VKDIR}/ca.crt
cert ${VKDIR}/server.crt
key ${VKDIR}/server.key
dh ${VKDIR}/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
__EOF__
#bundle the CA certificate and the client certificates/keys for transfer to the clients
tar -cvzf ${CKDIR}/vpnkeys${VSNM}.tar.gz ${VKDIR}/ca.crt ${VKDIR}/client0?.crt ${VKDIR}/client0?.key
#startup script (a previous one is kept as old.*)
cd ${INITD} && [ ! -f old.${INITF} ] && mv ${INITF} old.${INITF}
cat > ${INITF} << __EOF__
#!/bin/sh
#
# Startup script for openvpn as standalone server
#
PREFIX="/opt"
PORT=${PORT}
NAME=openvpn
PFILE="/opt/var/run/vpnserver${VSNM}.pid"
OPTS="--daemon --cd /opt/etc/openvpn --log-append /opt/var/log/openvpn.log --config ${CONFF} --writepid \${PFILE}"
# Make sure IP forwarding is enabled
echo 1 > /proc/sys/net/ipv4/ip_forward
# Make device if not present (not devfs)
if [ ! -c /dev/net/tun ]; then
    # Make /dev/net directory if needed
    if [ ! -d /dev/net ]; then
        mkdir -m 755 /dev/net
    fi
    mknod /dev/net/tun c 10 200
fi
# Make sure the tunnel driver is loaded
if ! lsmod | grep -q "^tun"; then
    insmod tun
fi
# Derive the action from the S??/K?? link name when none is given
if [ -z "\$1" ] ; then
    case \`echo "\$0" | sed 's:^.*/\(.*\):\1:g'\` in
        S??*) rc="start" ;;
        K??*) rc="stop" ;;
        *) rc="usage" ;;
    esac
else
    rc="\$1"
fi
case "\$rc" in
    start)
        echo "Starting: \$NAME"
        \${PREFIX}/sbin/\${NAME} \$OPTS
        # open the server port on the WAN interface only while the server runs
        iptables -I INPUT -i \`nvram get wan_ifname\` -p tcp --dport \$PORT -j ACCEPT
        ;;
    stop)
        if [ -f \${PFILE} ] ; then
            kill \`cat \${PFILE}\` >/dev/null 2>&1
            rm -f \${PFILE}
            iptables -D INPUT -i \`nvram get wan_ifname\` -p tcp --dport \$PORT -j ACCEPT
        else
            killall "\$NAME"
        fi
        ;;
    restart)
        "\$0" stop
        sleep 1
        "\$0" start
        ;;
    *)
        echo "Usage: \$0 (start|stop|restart|usage)"
        ;;
esac
__EOF__
#allow traffic on the tunnel interface; tun+ matches every tun device when running multiple instances
[ -n "$2" ] && TUNIF="tun+"
if [ -z "`sed -n 's/-i '${TUNIF}' -j ACCEPT/&/p' /usr/local/sbin/post-firewall`" ]; then
    #make the rules persistent across reboots ...
    cat >> /usr/local/sbin/post-firewall << __EOF__
iptables -I INPUT -i ${TUNIF} -j ACCEPT
iptables -I FORWARD -i ${TUNIF} -j ACCEPT
iptables -I FORWARD -o ${TUNIF} -j ACCEPT
iptables -I OUTPUT -o ${TUNIF} -j ACCEPT
__EOF__
    #... and apply them right now
    iptables -I INPUT -i ${TUNIF} -j ACCEPT
    iptables -I FORWARD -i ${TUNIF} -j ACCEPT
    iptables -I FORWARD -o ${TUNIF} -j ACCEPT
    iptables -I OUTPUT -o ${TUNIF} -j ACCEPT
    flashfs save && flashfs commit && flashfs enable
fi
chmod u+x ${INITF}
${STARTS} start
The script will ask how many client keys should be generated (max 9) and the usual certificate questions such as your location. Answer as you wish, but you have to answer y (yes) to the "Sign the certificate?" and "commit?" questions.
Typical choices for the OpenVPN server port are:
1194, 443 or 563
1194 is the well-known OpenVPN port, but some restrictive firewalls block it, so you may need to use 563 (typically allowed, and the script's default) or 443 (the HTTPS port). If you use port 443, you cannot use it for lighttpd at the same time, which is not nice.
If you wish to use another port, pass it to the script: ./install.sh <port>.
If you plan to run multiple server instances, you have to give each one not only a different port but also a different number or name: ./install.sh <port> <number/name>.
You can download the OpenVPN client from http://openvpn.net/index.php/open-source/downloads.html
Learn more about OpenVPN:
http://linux.die.net/man/8/openvpn
http://openvpn.net/index.php/open-source/documentation/howto.html
The generated client keys are copied to /mnt/protected/ (as vpnkeys.tar.gz).
On Windows you need the following certificate and key files (taken from the router):
C:\Program Files\OpenVPN\config\ca.crt
C:\Program Files\OpenVPN\config\client.crt
C:\Program Files\OpenVPN\config\client.key
If you use port 563/443, you probably also have to configure the proxy in the client: the proxy IP and, typically, port 8080.
(Note: if your proxy uses NTLM authentication you have to run openvpn.exe as admin, as the GUI has some issue with it, with --config pointing to the .ovpn file containing
http-proxy yourproxyIP 8080 stdin ntlm; alternatively use cntlm: http://cntlm.sourceforge.net/)
Here are some snapshots from the example run I've made: [forum attachments 8285, 8286 and 8287: screenshots of the example run]
You can download and run the script from here: attachment 8371 (install.tar.gz)
If you're fine with the default parameters (single server, port 563), you can paste the following line into your terminal (single-line install):
cd /tmp && wget -O install.tar.gz "http://wl500g.info/attachment.php?attachmentid=8371&d=1318414980" && tar xvzf install.tar.gz && ./install.sh
By default the startup script is:
/opt/etc/init.d/S20openvpn
The config file is:
/opt/etc/openvpn/server.conf
The keys are located in:
/opt/etc/openvpn/easy-rsa/keys/
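As an added example (not part of ecaddict's script), here is a small POSIX sh audit of a server.conf of the shape the install script writes, printing the hardening gaps a reviewer would flag: duplicate-cn, 1024-bit DH parameters, no tls-auth/tls-crypt, no privilege drop, and a server.key readable by others. The sample config and dummy key it creates are constructed in a temporary directory, so it runs without OpenVPN installed.

```shell
# Added example, not part of the original post: audit a server.conf of the shape the
# install script writes. Needs only POSIX sh, grep, awk and ls; OpenVPN is not required.

# Print one "WARN: ..." line per finding in the given server.conf.
audit_server_conf() {
    conf="$1"
    # duplicate-cn lets several clients share one certificate: a leaked key cannot
    # be traced to one user, and revoking it cuts off every client using it.
    grep -q '^duplicate-cn' "$conf" &&
        echo "WARN: duplicate-cn set; issue one certificate per client instead"
    # 1024-bit DH parameters are below current minimums; rebuild with 2048+ bits.
    grep -q '^dh .*dh1024\.pem' "$conf" &&
        echo "WARN: dh1024.pem in use; regenerate DH parameters with >= 2048 bits"
    # Without tls-auth/tls-crypt the TLS handshake is reachable by anyone on the WAN.
    grep -Eq '^(tls-auth|tls-crypt) ' "$conf" ||
        echo "WARN: no tls-auth/tls-crypt; handshake exposed to unauthenticated peers"
    # The daemon keeps root after start-up unless told to drop privileges.
    grep -q '^user ' "$conf" ||
        echo "WARN: no 'user' directive; openvpn keeps root privileges after start"
    # The server private key must be readable by its owner only (mode 600/400).
    key=$(awk '$1 == "key" { print $2 }' "$conf")
    if [ -n "$key" ] && [ -f "$key" ]; then
        perm=$(ls -l "$key" | cut -c5-10)   # group and other permission bits
        [ "$perm" = "------" ] ||
            echo "WARN: $key is readable by group/others ($perm); chmod 600 it"
    fi
    return 0
}

# Constructed sample mirroring the generated config (port 563, dh1024, duplicate-cn)
# plus a dummy server.key deliberately left at mode 644. Echoes the conf path.
make_sample_conf() {
    dir=$(mktemp -d)
    : > "$dir/server.key" && chmod 644 "$dir/server.key"
    cat > "$dir/server.conf" << EOF
port 563
proto tcp
dev tun
ca $dir/ca.crt
cert $dir/server.crt
key $dir/server.key
dh $dir/dh1024.pem
server 10.8.0.0 255.255.255.0
duplicate-cn
verb 3
EOF
    echo "$dir/server.conf"
}

audit_server_conf "$(make_sample_conf)"   # prints five WARN lines for this sample
```

Run it against the real file with audit_server_conf /opt/etc/openvpn/server.conf once the install script has finished; the key permission check needs to run on the router itself, where the key file exists.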