
View the full version: HowTo install OpenVPN server



Tamadite
18-05-2006, 20:12
=========================================================
NOTES:
I do not take any credit for most of the information herein written. I just collected (copy&paste) most of the information and adapted it to be executed under an Asus WL-500g device.

This is a simple setup that has a limited scalability -- one client, one server.

This HowTo is oriented to create a VPN connection between an Asus WL-500g device and a Windows XP client.

ASSUMPTIONS:
i.- firmware: Oleg 1.9.2.7-7b
ii.- root file system on the external USB drive
iii.- telnet/ssh daemon installed and active
iv.- nano editor installed

SOURCES:
i.- http://openvpn.net
ii.- http://www.sprayfly.com/wiki/User_talk:Jonolumb
iii.- This forum
=========================================================

CONFIGURING THE CLIENT (Windows XP)
Download from http://openvpn.se/download.html openvpn-2.0.7-gui-1.0.3-install.exe which will install both OpenVPN and a Windows GUI. Install everything.
During the installation you will be prompted about authentication of drivers to be installed. You should accept it.

Open "network connections" and rename the connection recently created from "Local Area Connection x" to "tun0" (it should have "TAP-Win32 Adapter V8 (coLinux)" as NIC)

Open a dos-prompt window
C:
cd \Program Files\OpenVPN\config
openvpn --genkey --secret static.key

Create a text file called "client.ovpn" and add the following information:
remote myremote.mydomain
dev tun0
ifconfig 10.8.0.2 10.8.0.1
secret static.key
keepalive 10 60

where myremote.mydomain is the WAN ip address or host name of your Asus WL-500g router.


Install OpenVPN package on WL-500g

ipkg -force-depends install openvpn

Check for message:
Warning: Cannot satisfy the following dependencies for openvpn: kernel-module-tun

This warning can be disregarded; tun is already included in Oleg's firmware.


Create the TUN device node
(users report these two lines below are not necessary any longer. They give error messages. See comment #9)

mkdir /dev/net
mknod /dev/net/tun c 10 200


Load the TUN/TAP kernel module

insmod tun


Enable routing

echo 1 > /proc/sys/net/ipv4/ip_forward


Configuring VPN Server

cd /opt/etc/openvpn
nano server.conf
(add following lines)
dev tun0
ifconfig 10.8.0.1 10.8.0.2
secret static.key
(exit editor)
^O ^X


Copy via FTP the file static.key from WinXP client folder C:\Program Files\OpenVPN\config to Asus wl500g directory /opt/etc/openvpn


Add firewall rules

cd /usr/local/sbin
nano post-firewall

#!/bin/sh
#OpenVPN access from WAN
iptables -D INPUT -j DROP
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -I PREROUTING -i eth1 -p udp --dport 1194 -j DNAT --to-destination $4:1194
iptables -A INPUT -j DROP

iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT

(exit editor)
^O ^X

NOTES:
On the WL-500gP, eth1 must be changed to vlan1 and $4 to the router's LAN gateway (192.168.1.1).


Start OpenVPN server manually
/sbin/insmod tun
/opt/sbin/openvpn --cd /opt/etc/openvpn --daemon \
--log-append /var/log/openvpn.log \
--config server.conf

If you want to try the OpenVPN server at this point, without setting up the autostart, execute all the iptables commands written above by copy-pasting them at the Asus wl500g prompt and jump to the next section, called "Trying the VPN tunnel".


Autostart
To automatically start the OpenVPN server processes at boot time:

nano /opt/etc/init.d/S24openvpn

#!/bin/sh

if [ -n "`pidof openvpn`" ]; then
/bin/killall openvpn 2>/dev/null
fi

# load TUN/TAP kernel module
/sbin/insmod tun

# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Startup VPN tunnel in daemon mode
/opt/sbin/openvpn --cd /opt/etc/openvpn --daemon \
--log-append /var/log/openvpn.log \
--config server.conf

(exit editor)
^O ^X


Save and Reboot
chmod +x /opt/etc/init.d/S24openvpn
flashfs save
flashfs commit
flashfs enable
reboot


Trying the VPN tunnel
Run the file client.ovpn in Windows XP (C:\Program Files\OpenVPN\config). A DOS window will appear. Watch for the message "Initialization Sequence Completed": it indicates that the VPN connection has been established. (Do not close the DOS window! If you close the DOS window you will close the VPN connection.)

To test that everything works as it should, try to ping 10.8.0.1 from the client (Windows XP) and 10.8.0.2 from the Asus WL-500g. You should get ping responses in both cases. If so, everything works!


FINAL NOTES
i) If you are running Windows XP/SP2 don't forget to add a rule in your Windows XP firewall to accept traffic on port 1194.
ii) HowTo: Routing all client traffic through VPN (http://wl500g.info/showthread.php?t=17034) tutorial available
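A small checker for the static-key pair set up in the HowTo above, added here as an example and not part of the original post: it verifies that the two ifconfig lines mirror each other, that both sides name a secret, that the key file carries the header openvpn --genkey writes, and that the key is not readable by group/others. The make_samples helper and its placeholder key body are constructed for the demo.

```shell
#!/bin/sh
# Consistency checks for the one-client static-key setup from this HowTo.
# The checker and the constructed sample files below are additions; only the
# directives being checked (ifconfig, secret, keepalive) come from the tutorial.

# field FILE DIRECTIVE N: print the N-th argument of DIRECTIVE in FILE ("" if absent)
field() {
    awk -v d="$2" -v n="$3" '$1 == d { print $(n + 1); exit }' "$1"
}

# check_static_pair SERVER_CONF CLIENT_OVPN KEYFILE
# Prints every problem found; returns 0 when the pair is consistent, 1 otherwise.
check_static_pair() {
    srv=$1; cli=$2; key=$3; rc=0
    # 1. the ifconfig addresses must be mirrored: server "A B" <-> client "B A".
    #    Copying server.conf to the client verbatim is the classic mistake.
    if [ "$(field "$srv" ifconfig 1)" != "$(field "$cli" ifconfig 2)" ] ||
       [ "$(field "$srv" ifconfig 2)" != "$(field "$cli" ifconfig 1)" ]; then
        echo "ifconfig lines are not mirrored between server and client"; rc=1
    fi
    # 2. both sides must name the static key; without it the tunnel has no authentication
    if [ -z "$(field "$srv" secret 1)" ] || [ -z "$(field "$cli" secret 1)" ]; then
        echo "a 'secret' directive is missing on one side"; rc=1
    fi
    # 3. the key file must exist and carry the header 'openvpn --genkey' writes
    if ! head -n 1 "$key" 2>/dev/null | grep -q 'BEGIN OpenVPN Static key'; then
        echo "$key is missing or is not an OpenVPN static key"; rc=1
    fi
    # 4. the shared key is the whole authentication; group/others must not read it
    if [ -f "$key" ] && [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
        echo "$key is readable by group/others; chmod 600 it"; rc=1
    fi
    return $rc
}

# make_samples DIR: write a constructed server.conf/client.ovpn/static.key
# following the tutorial (the key body is a placeholder, not a real key)
make_samples() {
    dir=$1
    printf 'dev tun0\nifconfig 10.8.0.1 10.8.0.2\nsecret static.key\n' > "$dir/server.conf"
    printf 'remote myremote.mydomain\ndev tun0\nifconfig 10.8.0.2 10.8.0.1\nsecret static.key\nkeepalive 10 60\n' > "$dir/client.ovpn"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' \
                  '(constructed placeholder body, not a real key)' \
                  '-----END OpenVPN Static key V1-----' > "$dir/static.key"
    chmod 600 "$dir/static.key"
}

# Usage on the router, after copying static.key and client.ovpn over:
#   check_static_pair /opt/etc/openvpn/server.conf client.ovpn /opt/etc/openvpn/static.key
```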

jonolumb
25-05-2006, 18:33
Hi there, you quoted http://www.sprayfly.com/wiki/User_talk:Jonolumb
as a source in your OpenVPN guide.
In fact, I was using the talk page to gather together the key elements for a mainstream guide. This has now been created thanks to 'Propa', another user on my Wiki, and can be found at http://www.sprayfly.com/wiki/OpenVPN. The new guide contains step by step instructions and goes into a great depth of detail. However, the talk page no longer contains the content that was referred to (unless you look at previous versions in the history).
Cheers
Jono

once
27-11-2006, 09:54
OpenVPN along with OpenSSL takes about 5M of space. But the wl500g has only about 2M free. That means I have to use USB to mount free space to use OpenVPN. Is there any way to build a VLAN without demanding any other space except for the 2M free space inside? Can freeswan be added into the wl500g?

max2950
29-11-2006, 13:56
I guess there is no way to do it without external storage. Small flash drives are now very cheap :rolleyes: ;)

limpo
04-12-2006, 20:46
Hey,

I set up openvpn according to http://www.sprayfly.com/wiki/OpenVPN. And I am able to connect from a windows client to the router and assigned the ip 10.8.0.6.
But the problem is I can only ping local windows machine 10.8.0.6 not the router 10.8.0.1.
On the router I can ping both 10.8.0.6 and 10.8.0.1.
When the openvpn client is disconnected(10.8.0.6) then I can ping 10.8.0.1 from the client.
All I wanted was to try getting this vpn to work from my lan clients to the local router, and also see other shares on lan clients.
Some help would be much appreciated.:)


LAN 192.168.1.0/24

[VPN client 10.8.0.6]-------------------------------------------------------------------------------[WL500g openvpn router 10.8.0.1]


/Limpo

limpo
05-12-2006, 20:34
Hey,

I tried some more and found out that I can ping and reach shares on clients connected through the VPN. But I still cannot ping (10.8.0.1) or access shares (samba) on the LAN VPN server (Asus wl500g).
The settings on both the client and server config are set to client-to-client. Maybe it needs to be client-to-server? But then I probably can't access LAN clients.:mad:

Later,
/Limpo

jrosado
18-06-2007, 16:58
Hi:

Is there any way to create a VPN server on the Asus wl-500gp?

Besides openvpn, is there any other package?

maradamc
11-07-2007, 07:02
I'm with you. Has anyone come up with a way to work this out?

I have been struggling with this for 14 hours now... I started with this Wiki (http://sprayfly.com/wiki/OpenVPN) and tried to modify the directions to only use flash memory. I couldn't do anything with the /opt directory in flash memory due to "Read-only file system" error. So I did:

makedir /usr/local/opt
mount /usr/local/opt /opt
While I could get ipkg update and installs to work, I eventually came close to running out of space and every time I rebooted the mount would disappear even if I put it (I think) in post-boot.

It seems this thread (http://wl500g.info/showthread.php?t=7551&highlight=openvpn) yields some results but only for wl700g users.

Has anyone figured out how to do this on a wl500gp without an external drive? Can anyone suggest anything else to try? I'm not a linux user normally so I'm struggling with some of the concepts.

Any suggestions would be very helpful. Thanks in advance.

maradamc
11-07-2007, 17:28
I'm going on 2 days with this issue, trying to get OpenVPN installed on Oleg's 1.9.2.7-7g firmware on my wl500gP. I don't have any USB device connected and would like to know where I can install packages. I started with this Wiki (http://sprayfly.com/wiki/OpenVPN) and tried to modify the directions to only use flash memory. I couldn't do anything with the /opt directory in flash memory due to "Read-only file system" error. So I tried using a different path:

makedir /usr/local/opt
mount /usr/local/opt /opt
I got ipkg update and installs to work, but I came close to maxing out memory and every time I rebooted the mount would disappear even if I put it (I think) in post-boot.

This thread (http://wl500g.info/showthread.php?t=7551&highlight=openvpn) has some answers but only for wl700g users.

Has anyone figured out how to do this on a wl500gp without an external drive? Can anyone suggest anything else to try? I'm not a linux user normally so I'm struggling with some of the concepts.

Any suggestions would be very helpful. Thanks in advance.

bowmore
14-07-2007, 20:57
Hi:

Is there any way to create a VPN server on the Asus wl-500gp?

Besides openvpn, is there any other package?

I've got openvpn working on my wl-500gp with an external drive.
basically followed http://sprayfly.com/wiki/OpenVPN

Tamadite
02-02-2008, 15:22
When I am trying to connect...

Can you confirm the following:
<<Open "network connections" and rename the connection recently created from "Local Area Connection x" to "tun0" (it should have "TAP-Win32 Adapter V8 (coLinux)" as NIC)>>

piezomotor
07-02-2008, 22:21
made bridge-start.sh shown below

PROBLEM - when I start it my router hangs...

./bridge-start.sh
Thu Feb 7 15:54:58 2008 TUN/TAP device tap0 opened
Thu Feb 7 15:54:58 2008 Persist state set to: ON...

Any idea?

wfleck
08-02-2008, 08:45
Sorry, can't help you since I'm not using the WL500g anymore

tex
06-09-2008, 12:39
Hi, I'm trying to install OpenVPN on the Asus. I stopped where you say: Copy via FTP the file static.key from WinXP client folder C:\Program Files\OpenVPN\config to Asus wl500g directory /opt/etc/openvpn


Well, I enabled the FTP server in Oleg's firmware, but when I type ftp://192.168.1.1 I find only the Transmission and torrent folders. I can't find /opt/etc/openvpn. Can you help me please? Thank you

Tamadite
09-09-2008, 21:28
Hi, I'm trying to install OpenVPN on the Asus. I stopped where you say: Copy via FTP the file static.key from WinXP client folder C:\Program Files\OpenVPN\config to Asus wl500g directory /opt/etc/openvpn


Well, I enabled the FTP server in Oleg's firmware, but when I type ftp://192.168.1.1 I find only the Transmission and torrent folders. I can't find /opt/etc/openvpn. Can you help me please? Thank you

Copy the file to one of those folders you get when you ftp and then from the asus console move the file with command "mv" to the correct folder.

tex
10-09-2008, 00:44
@Tamadite
Thanks very much for the answer. With "asus console" do you mean the root of the ASUS where I go with PuTTY? If yes, can you also tell me how to explore a directory (I mean "dir" in DOS) and how to go inside a directory ("cd" in DOS)? Which is the correct instruction to move this file from one directory to the other?
From my question you understand that I've never used this language... sorry for that and thanks again for your attention

jimmy_cr
24-09-2008, 06:41
dir = ls
cd.. = cd ..
cd = cd

if you want to "address" file in current directory, it is recommended to use ./file.ext instead of file.ext (put ./ in front of filename)

Quadronix
20-01-2009, 21:39
Hey,

I went through the whole tutorial (thanks for this), but my asus tells me after every start

"Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
devfs_register(net/tun): could not append to parent, err: -17"
after entering the dmesg command.

Do you have an idea what the problem could be?

thx

hedgy
07-04-2009, 15:49
"Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
devfs_register(net/tun): could not append to parent, err: -17"
after entering the dmesg command.


I got the same error on the latest Oleg's firmware. You should not invoke the following commands:
mkdir /dev/net
mknod /dev/net/tun c 10 200

Only
insmod tun
is necessary.

So you need to change the startup script accordingly.

rej
27-05-2009, 12:24
Hi guys,

Thanks for the tutorial, I used this and the wlhdd.co.uk one, and I got OpenVPN working, at least sort of. I am using Ubuntu 9.04 on my machine, so I had to grab bits and pieces from other resources as well, but finally I got it working, at least on the LAN side. I can log in, no problem. But I cannot log in from the WAN side, and I don't really need it from the LAN side :-)

So I am thinking it must be a firewall issue, but I configured the firewall exactly like described - and my rule for ssh works just fine.

My question is whether there is anywhere else the error could be, other than the firewall, considering that it works from LAN?

Thanks in advance.
BR,
René

Tamadite
11-06-2009, 23:16
Why are you bumping? What makes you think that you are doing the correct thing? Delete your bump post so I can work on your answer.... otherwise good luck!

mi5hu
16-06-2009, 15:08
thanks for this tutorial!!!
Now I have a functional vpn between my Xp laptop and wl500gp.
Behind my router I have an ubuntu desktop.
How should I put my desktop in vpn?
I have to install a vpn client in ubuntu or I have to bridge lan interface?
I have to make other changes on router?
Can you make a little tutorial?

Thank you

rej
16-06-2009, 22:54
thanks for this tutorial!!!
Now I have a functional vpn between my Xp laptop and wl500gp.
Behind my router I have an ubuntu desktop.
How should I put my desktop in vpn?
I have to install a vpn client in ubuntu or I have to bridge lan interface?
I have to make other changes on router?
Can you make a little tutorial?

Thank you

Hi!

I am not sure what you are asking - do you want to know how to configure OpenVPN on Ubuntu? I can help you with that tomorrow if that is what you want.

As a sidenote I did get my VPN connection working. By reconfiguring the server (server.conf), the firewall (post-firewall) and the client to TCP instead of UDP, I can connect to my home network from WAN. Anybody got an idea why UDP doesn't work? I didn't change port number or anything else.

BR,
René

mi5hu
16-06-2009, 23:48
thank you for your answer,

yes, a little help in configuring ubuntu will be appreciated

my network architecture is:

XP Laptop --- internet --- router(wl500g) --- Ubuntu Desktop

I want to access Ubuntu Desktop from XP Laptop over VPN

rej
17-06-2009, 10:21
Aaah - I see, so your VPN connection between your outside XP pc and router is up and running, but you cannot access your ubuntu machine on the LAN side of the router. I actually cannot help you there as I have the same problems myself. On http://wlhdd.co.uk/wiki/OpenVPN it says to add the following to your server.conf:

push "route 192.168.0.0 255.255.255.0"
However it does not work on my machine. I have also tried:

push "route 192.168.1.0 255.255.255.0"
It seems more logical to me, but this does not work either. I can access the samba server on my router, but not any of the other machines on the LAN. I guess I have to look at the OpenVPN documentation to find out how to do this - stay tuned for an update to this.....

BR,
René

Tamadite
17-06-2009, 16:15
thank you for your answer,

yes, a little help in configuring ubuntu will be appreciated

my network architecture is:

XP Laptop --- internet --- router(wl500g) --- Ubuntu Desktop

I want to access Ubuntu Desktop from XP Laptop over VPN

I do not understand why you need to establish a VPN between the Ubuntu desktop and the router. Please advise.

You wrote:

Now I have a functional vpn between my Xp laptop and wl500gp.


Please confirm you have understood FINAL NOTES point (ii). If I got it correctly, that should be the answer to your problem.

mi5hu
18-06-2009, 13:26
I succeeded!!!
I started all over again from zero.
I don't know where I did wrong
I kept the same firewall rules from this tutorial

server.conf is:


dev tun0
proto udp
dh dh1024.pem
ifconfig-pool-persist ipp.txt
client-config-dir ccd
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
verb 3
ca ca.crt
cert asus.crt
key asus.key
push "route 192.168.99.0 255.255.255.0"



and in client:


client
dev tun0
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca "\\Program Files\\OpenVPN\\config\\ca.crt"
cert "\\Program Files\\OpenVPN\\config\\laptopxp.crt"
key "\\Program Files\\OpenVPN\\config\\laptopxp.key"
comp-lzo
verb 3

rej
18-06-2009, 22:57
Hi!
I am not sure what you are asking - do you want to know how to configure OpenVPN on Ubuntu? I can help you with that tomorrow if that is what you want.

Here is a short guide to installing and configuring Ubuntu for VPN. It does require that you are knowledgeable in Linux/Ubuntu, and it does require you to read the above guide for Windows (or the one over at wlhdd.co.uk).

First install the OpenVPN client (from command prompt):

sudo apt-get install network-manager-openvpn
This installs all the necessary packages needed to use the VPN client

If you have already generated the client certificates, e.g. on an XP machine, all you have to do is left-click on your network icon in the notification area and go to VPN Connections -> Configure VPN... Then you click import. Select your client.ovpn (make sure the certificates are located as indicated in the client.ovpn file). Then you are pretty much set to go. To log on to your VPN network click the network icon in the notification area and choose network connections -> whateveryoucalledyourconnection. A fireball should now fly around your notification area icon until it connects and shows a small lock.

If you also want to generate your keys and certificates on your linux machine, copy the example configuration directory to your home directory. Stand in your home directory, then:

cp -r /usr/share/doc/openvpn/examples/easy-rsa/ .
Navigate to the easy-rsa/2.0 directory. In this directory all the configuration files you find in the XP version are located, and you more or less just follow the XP guide either in this thread or in the wlhdd.co.uk guide. I have only encountered one difference: init-config does not exist, so don't run this command :-)

BR,
René

sarlacc
19-06-2009, 14:50
I can access the samba server on my router, but not any of the other machines on the LAN.

I have the same problem. Did you succeed? Maybe it is necessary to configure smb.conf:
interfaces = eth0 192.168.1.1
hosts allow = 192.168.1.1 ... 127.0.0.1

rej
30-06-2009, 16:20
I have the same problem. Did you succeed? Maybe it is necessary to configure smb.conf:
interfaces = eth0 192.168.1.1
hosts allow = 192.168.1.1 ... 127.0.0.1

No, I have not gotten it to work. I will take it up at a later time; first I have to get the router stable while running with a USB stick attached...

By the way, I don't think working on the samba server on the router will help you - in theory you don't even need samba running on your router to access samba on computers in your workgroup.

BR,
René

Csali
01-03-2010, 09:09
Hi,

I read the tutorial and installed OpenVpn via ipkg on my wl500gpv2.

My problem is that I cannot start openvpn:

[user@WL500gpv2 sbin]$ /opt/sbin/openvpn
-sh: /opt/sbin/openvpn: not found
[user@WL500gpv2 sbin]$ ls -l /opt/sbin/openvpn
-rwxr-xr-x 1 user root 769724 Feb 22 05:12 /opt/sbin/openvpn

What could be the problem???

KpaH4iTo
31-03-2010, 14:13
Hi,
thanks for this tutorial! But I have a problem with it. When I try to connect from the XP client outside the router, the client does not connect to the router:


Wed Mar 31 14:41:00 2010 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Wed Mar 31 14:41:00 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Mar 31 14:41:00 2010 TAP-WIN32 device [tun0] opened: \\.\Global\{CEA93030-2985-4747-B3D3-4267FB40C32B}.tap
Wed Mar 31 14:41:00 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.252 on interface {CEA93030-2985-4747-B3D3-4267FB40C32B} [DHCP-serv: 10.8.0.1, lease-time: 31536000]
Wed Mar 31 14:41:00 2010 Successful ARP Flush on interface [196612] {CEA93030-2985-4747-B3D3-4267FB40C32B}
Wed Mar 31 14:41:00 2010 UDPv4 link local (bound): [undef]:1194
Wed Mar 31 14:41:00 2010 UDPv4 link remote: **.**.**.**:1194


I tried to telnet **.**.**.** 1194 and there is no answer


C:\Documents and Settings\alexx>telnet **.**.**.** 1194
Подключение к **.**.**.**...Не удалось открыть подключение к этому узлу, на по
рт 1194: Сбой подключения

I think that may be a port 1194 is not opened...
Please help!)

Tamadite
14-04-2010, 23:27
No, I have not gotten it to work. I will take it up at a later time; first I have to get the router stable while running with a USB stick attached...

By the way, I don't think working on the samba server on the router will help you - in theory you don't even need samba running on your router to access samba on computers in your workgroup.

BR,
René

You need to route the traffic between tun0 and eth0 interfaces. Use iptables.

sarlacc
16-04-2010, 00:17
1. Are the red lines necessary? There is nothing similar in other openvpn tutorials.

iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT

2. How can I reload firewall rules (on the fly) without rebooting correctly?

sarlacc
16-04-2010, 00:23
You need to route the traffic between tun0 and eth0 interfaces. Use iptables.

How? This way?


iptables -t nat -I PREROUTING -i vlan1 -p udp --dport 1194 -j DNAT --to-destination 192.168.1.1:1194

better -I or -A?

(WL-500gP)

Kosmotaur
16-04-2010, 18:02
Hi,

Tried to follow the tutorial exactly, didn't work. Then I tried to tweak the post-firewall rules, yet no matter what I'm doing, I keep getting:

xxx.dyndns.org isn't responding on port 1194 (openvpn)
when scanning the 1194 port
And yes, I am able to e.g. ssh into my router with the given dyndns host.
Conclusion: I don't know how to open the 1194 port for the OpenVPN client to even start doing transactions. Please, help.

Tamadite
14-05-2010, 22:32
How? This way?


iptables -t nat -I PREROUTING -i vlan1 -p udp --dport 1194 -j DNAT --to-destination 192.168.1.1:1194

better -I or -A?

(WL-500gP)

"I" or "A"? It depends on the policy of the table. More on Google.

How to route between tun0 and eth0? What about Googling for a bit only?

http://ubuntuforums.org/showthread.php?t=607519

Just in case the link above gets broken:


echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t filter -A FORWARD -i tun0 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.3.2 -j MASQUERADE

I have not tried it myself so I cannot confirm if it works. I guess 192.168.3.2 should be replaced by the tun0 IP address.
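A parameterised version of the HowTo's post-firewall (first post) that also adds the tun0/LAN forwarding asked about in this reply, written as an added example: it is neither the HowTo's script nor the ubuntuforums snippet. The board table, the DRY_RUN switch, the br0 default for the LAN bridge and the MASQUERADE rule are my assumptions.

```shell
#!/bin/sh
# post-firewall generator for the static-key OpenVPN server in this thread.
# Added example, not the HowTo's own script: the board table, the LAN-side
# forwarding/MASQUERADE rules and the DRY_RUN switch are additions.

# run CMD...: print the command when DRY_RUN=1 (default), otherwise execute it
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# openvpn_rules BOARD LAN_IP [LAN_IF]
#   BOARD   wl500g  -> WAN interface eth1 (the HowTo's post-firewall)
#           wl500gp -> WAN interface vlan1 (the HowTo's note for the gP)
#   LAN_IP  router's LAN address: $4 in post-firewall on the wl500g,
#           192.168.1.1 on the gP according to the same note
#   LAN_IF  bridge the LAN hangs off; br0 on these boards (assumed default)
openvpn_rules() {
    board=$1; lan_ip=$2; lan_if=${3:-br0}; port=${OPENVPN_PORT:-1194}
    case "$board" in
        wl500g)  wan_if=eth1 ;;
        wl500gp) wan_if=vlan1 ;;
        *) echo "unknown board: $board" >&2; return 1 ;;
    esac
    # WAN side, as in the HowTo: open the UDP port ahead of the final DROP
    run iptables -D INPUT -j DROP
    run iptables -I INPUT -p udp --dport "$port" -j ACCEPT
    run iptables -t nat -I PREROUTING -i "$wan_if" -p udp --dport "$port" \
        -j DNAT --to-destination "$lan_ip:$port"
    run iptables -A INPUT -j DROP
    # the router itself stays reachable over the tunnel (the ping 10.8.0.1 test)
    run iptables -I INPUT -i tun0 -j ACCEPT
    run iptables -I OUTPUT -o tun0 -j ACCEPT
    # tunnel <-> LAN forwarding, limited to the two interfaces involved
    # instead of the HowTo's unconditional "-i tun0" / "-o tun0" ACCEPTs
    run iptables -I FORWARD -i tun0 -o "$lan_if" -j ACCEPT
    run iptables -I FORWARD -i "$lan_if" -o tun0 -j ACCEPT
    # hide tunnel addresses behind the router's LAN address, so LAN hosts
    # answer without needing a route to 10.8.0.0/24 (the subnet used here)
    run iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$lan_if" -j MASQUERADE
}

# In /usr/local/sbin/post-firewall on a wl500g:  DRY_RUN=0 openvpn_rules wl500g "$4"
# Preview the rule set first:                    openvpn_rules wl500gp 192.168.1.1
```

The client side still needs a route to the LAN subnet through the tunnel (a route line in client.ovpn, or the push "route ..." lines shown earlier in the thread for the TLS setup).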

Tamadite
14-05-2010, 22:44
Hi,

Tried to follow the tutorial exactly, didn't work. Then I tried to tweak the post-firewall rules, yet no matter what I'm doing, I keep getting:

xxx.dyndns.org isn't responding on port 1194 (openvpn)
when scanning the 1194 port
And yes, I am able to e.g. ssh into my router with the given dyndns host.
Conclusion: I don't know how to open the 1194 port for the OpenVPN client to even start doing transactions. Please, help.

If the firewall rules and the notes given at the end of the rules do not help to open the port, you should take a look at the policy you have on the INPUT and PREROUTING tables to see whether "I" (insert) or "A" (append) is the parameter to use on the rules.

On the other hand "isn't responding on port 1194" does not imply the port is not open. It implies there is no service responding to the request on port 1194; reasons can be multiple, e.g. no service behind the port, closed port, etc.

dreamer69
23-05-2010, 12:49
Adding --float to client.ovpn solved the problem.


I'm trying to connect to OpenVPN for days now and i keep getting this error

TCP/UDP: Incoming packet rejected from 192.168.18.254:1194[2], expected peer address: 79.112.107.146:1194 (allow this incoming source address/port by removing --remote or adding --float) .
I would really appreciate if someone could help me out.

post-firewall looks like this

#!/bin/sh
# this opens the ssh port to internet! Be sure to have strong passwords!
iptables -I INPUT -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp --sport 1194 --dport 1194 -j ACCEPT
iptables -A OUTPUT -p udp --sport 1194 --dport 1194 -j ACCEPT

#OpenVPN access from WAN
iptables -D INPUT -j DROP
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -I PREROUTING -i eth1 -p udp --dport 1194 -j DNAT --to-destination 192.168.18.254:1194
iptables -A INPUT -j DROP

iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT


ifconfig

br0 Link encap:Ethernet HWaddr 00:1D:60:9F:1D:3C
inet addr:192.168.18.254 Bcast:192.168.18.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2431 errors:0 dropped:0 overruns:0 frame:0
TX packets:1883 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:582528 (568.8 KiB) TX bytes:826719 (807.3 KiB)

eth0 Link encap:Ethernet HWaddr 00:1D:60:9F:1D:3C
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:1112 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:306676 (299.4 KiB)
Interrupt:4 Base address:0x1000

eth1 Link encap:Ethernet HWaddr 00:1D:60:9F:1D:3C
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1824 errors:0 dropped:0 overruns:0 frame:0
TX packets:1263 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:680250 (664.3 KiB) TX bytes:368687 (360.0 KiB)
Interrupt:5 Base address:0x2000

eth2 Link encap:Ethernet HWaddr 00:1D:60:9F:1D:3C
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2424 errors:0 dropped:0 overruns:0 frame:112907
TX packets:2577 errors:31 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:615892 (601.4 KiB) TX bytes:1004952 (981.3 KiB)
Interrupt:12 Base address:0x4000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

ppp0 Link encap:Point-to-Point Protocol
inet addr:xxx.xxx.107.146 P-t-P:10.0.0.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING MULTICAST MTU:1492 Metric:1
RX packets:1529 errors:0 dropped:0 overruns:0 frame:0
TX packets:1163 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:600547 (586.4 KiB) TX bytes:340013 (332.0 KiB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)


server.conf

dev tun
proto udp
ifconfig 10.8.0.1 10.8.0.2
secret /opt/etc/openvpn/static.key
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
comp-lzo
keepalive 10 60
daemon


client.ovpn

remote xxx.xxx.xxx.xxx ;server IP address
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
comp-lzo
keepalive 10 60
redirect-gateway def1
route-method exe
route-delay 2
dhcp-option DNS 10.8.0.1

Works great connecting from the LAN, but I can't connect from the WAN.

hodecp
30-07-2010, 22:13
Hi,

I read the tutorial and installed OpenVpn via ipkg on my wl500gpv2.

My problem is that I cannot start openvpn:

[user@WL500gpv2 sbin]$ /opt/sbin/openvpn
-sh: /opt/sbin/openvpn: not found
[user@WL500gpv2 sbin]$ ls -l /opt/sbin/openvpn
-rwxr-xr-x 1 user root 769724 Feb 22 05:12 /opt/sbin/openvpn

What could be the problem???

Hi Csali, I had the same problem and couldn't find the reason for a long time. But I found the solution. The problem is in the uClibc library, which has to be installed explicitly with ipkg: http://wl500g.info/showthread.php?t=8205.

Petr

Khurram
31-05-2012, 19:39
I did ipkg update+upgrade and now openvpn is just messed up. openvpn mkturn gives a segmentation fault error.

I looked around on the web and found that the problem lies with an update to openssl and it is suggested to go back to an earlier version. I have no idea how to do this. Can someone help?

Thanks.

Khurram
31-05-2012, 21:41
Well, I fixed the problem by removing both packages and re-installing them. Detailed steps follow:

1) ipkg remove openvpn
2) ipkg remove lynx (I had to do this as lynx requires openssl)
3) ipkg remove openssl
4) reboot router (I believe this step is very important as openssl would not install till I rebooted the router)
5) ipkg upgrade
6) ipkg update
7) ipkg openssl
8) ipkg openssl-dev
9) ipkg openvpn