Results 1 to 15 of 25

Thread: [Howto] Install and configure basic OpenVPN server for Oleg firmware

Threaded View

Previous Post Previous Post   Next Post Next Post
  1. #1

    [Howto] Install and configure basic OpenVPN server for Oleg firmware

    Introduction/Installing
    OpenVPN is one of the most useful tools that can be installed on the router (sad that it's not part of the firmware itself, also not part of the excellent raas tutorial that I've re-used).
    OpenVPN is a complex topic and unfortunately I'm not in a position to introduce you to all aspects. Basically the server running on the router allows you to access the router (and other machines on the router's LAN) from a remote machine over the internet like you would do it locally (you have to have OpenVPN client installed and properly configured on the remote machine though). Thus in short you can access the router e.g. from your relatives/friends, from public WiFi hotspots or from your workplace (unless restricted).

    While installing OpenVPN is quite straightforward, it's not just ipkg install but you have to generate keys and set up the firewall properly etc.

    This tutorial helps you in that. In fact it's sufficient to run only a script that does everything for you (questions will be asked though):
    Code:
    #!/bin/sh
    #written by ecaddict, distributed (conveyed) under GPL version 3 or any later version
    
    PORT=${1:-563}
    VSNM=${2}
    CONFIG="/opt/etc/openvpn/server${VSNM}.conf"
    STARTS="/opt/etc/init.d/S20openvpn${VSNM}"
    RSAVAR="/opt/share/easy-rsa/vars"
    CKDIR="/mnt/protected"
    #user editable part end
    
    CONFD="${CONFIG%\/*}"
    CONFF="${CONFIG##*/}"
    INITD="${STARTS%\/*}"
    INITF="${STARTS##*/}"
    VARSD="${RSAVAR%\/*}"
    VARSF="${RSAVAR##*/}"
    VKDIR="${CONFD}/easy-rsa/keys${VSNM}"
    TUNIF="tun0"
    
    ipkg install openssl lzo net-tools easy-rsa psmisc openvpn
    
    export EASY_RSA=${VARSD}
    #creating certificates (if needed)
    if [ ! -d "${VKDIR}" ]; then
     if [ -d "${VARSD}" ]; then
      cd ${VARSD} && [ ! -f ${VARSF}.old ] && cp ${VARSF} ${VARSF}.old
      echo -e "\033[1;32mSeveral questions will be asked that will be reflected in the keys\033[0m"
      echo -e "for private use your answer does not matter. \nSave previously generated keys from ${VARSD}/keys (if any)."
      echo -e "\033[1;32mType the number of clients you need keys for and press Enter\033[0m to continue."
      echo -e "Guess your number of clients well as it takes time both to generate and generate keys again."
      read CKEYN; CKEYN=${CKEYN:-1}; [ "${CKEYN}" -gt 9 ] && CKEYN=9
      ./clean-all
      source ${RSAVAR}
      echo -e "\033[1;32mGenerating CA key\033[0m"
      ./build-ca
      echo -e "\033[1;32mGenerating Diffie-Hellman parameters\033[0m"
      ./build-dh
      echo -e "\033[1;32mGenerating Server key \033[0m" && ./build-key-server server
      I=0; while [ ${I} -lt "${CKEYN}" ]; do
        let "I+=1"
          echo -e "\033[1;32mGenerating keys for client ${I}\033[0m" && ./pkitool --interact --inter client0${I}
      done
      mkdir -p ${VKDIR}
      mv ./keys/server* "${VKDIR}"
      mv ./keys/ca* "${VKDIR}"
      mv ./keys/dh1024.pem "${VKDIR}"
      mv ./keys/client* "${VKDIR}" #temporally
      else
       echo -e "\033[1;31mDirectory ${VARSD} does not exist\033[0m"
       exit 1
      fi
    else
     echo -e "\033[1;33mThe directory ${VKDIR} exists, no keys are generated.\033[0m"
    fi
    
    cd ${CONFD} && [ ! -f ${CONFF}.old ] && mv ${CONFF} ${CONFF}.old
    cat > ${CONFF} << __EOF__
    port ${PORT}
    proto tcp
    dev tun
    ca ${VKDIR}/ca.crt
    cert ${VKDIR}/server.crt
    key ${VKDIR}/server.key
    dh ${VKDIR}/dh1024.pem
    
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "route 192.168.1.0 255.255.255.0"
    duplicate-cn
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    __EOF__
    
    tar -cvzf ${CKDIR}/vpnkeys${VSNM}.tar.gz ${VKDIR}/ca.crt ${VKDIR}/client0?.crt ${VKDIR}/client0?.key
    
    cd ${INITD} && [ ! -f old.${INITF} ] && mv ${INITF} old.${INITF}
    cat > ${INITF} << __EOF__
    #!/bin/sh
    #
    # Startup script for openvpn as standalone server
    #
    PREFIX="/opt"
    PORT=${PORT}
    NAME=openvpn
    PFILE="/opt/var/run/vpnserver${VSNM}.pid"
    OPTS="--daemon --cd /opt/etc/openvpn --log-append /opt/var/log/openvpn.log --config ${CONFF} --writepid \${PFILE}"
    
    # Make sure IP forwarding is enabled
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    # Make device if not present (not devfs)
    if ( [ ! -c /dev/net/tun ] ) then
      # Make /dev/net directory if needed
      if ( [ ! -d /dev/net ] ) then
            mkdir -m 755 /dev/net
      fi
      mknod /dev/net/tun c 10 200
    fi
    
    # Make sure the tunnel driver is loaded
    if ( !(lsmod | grep -q "^tun") ); then
            insmod tun
    fi
    
    if [ -z "\$1" ] ; then
        case \`echo "\$0" | sed 's:^.*/\(.*\):\1:g'\` in
            S??*) rc="start" ;;
            K??*) rc="stop" ;;
            *) rc="usage" ;;
        esac
    else
        rc="\$1"
    fi
    
    case "\$rc" in
        start)
            echo "Starting: \$NAME"
            \${PREFIX}/sbin/\${NAME} \$OPTS
            iptables -I INPUT -i \`nvram get wan_ifname\` -p tcp --dport \$PORT -j ACCEPT
            ;;
        stop)
            if [ -f \${PFILE} ] ; then
              kill \`cat \${PFILE}\` >/dev/null 2>&1
              rm -f \${PFILE}
              iptables -D INPUT -i \`nvram get wan_ifname\` -p tcp --dport \$PORT -j ACCEPT
            else
              killall "\$NAME"
            fi
            ;;
        restart)
            "\$0" stop
            sleep 1
            "\$0" start
            ;;
        *)
            echo "Usage: \$0 (start|stop|restart|usage)"
            ;;
    esac
    
    __EOF__
    
    [ -n "$2" ] && TUNIF="tun+"
    if [ -z "`sed -n 's/-i '${TUNIF}' -j ACCEPT/&/p' /usr/local/sbin/post-firewall`" ]; then
    cat >> /usr/local/sbin/post-firewall << __EOF__
    iptables -I INPUT -i ${TUNIF} -j ACCEPT
    iptables -I FORWARD -i ${TUNIF} -j ACCEPT
    iptables -I FORWARD -o ${TUNIF} -j ACCEPT
    iptables -I OUTPUT -o ${TUNIF} -j ACCEPT
    __EOF__
    iptables -I INPUT -i ${TUNIF} -j ACCEPT
    iptables -I FORWARD -i ${TUNIF} -j ACCEPT
    iptables -I FORWARD -o ${TUNIF} -j ACCEPT
    iptables -I OUTPUT -o ${TUNIF} -j ACCEPT
     flashfs save && flashfs commit && flashfs enable
    fi
    
    chmod u+x ${INITF}
    ${STARTS} start
    The script will ask how many client keys should be generated (max 9) and typical questions for the keys like your location etc. Answer as you wish but you have to answer with y (yes) to the sign the certificate and commit questions.

    There are the following typical options for the server port for OpenVPN:
    1194 or 443 or 563
    While 1194 is the well known port for OpenVPN, some restrictive firewalls don't allow this port so you may need to use 563 that's typically allowed (and also the script uses) or 443 (https port). If you plan to use port 443, it means that you cannot use it with the lighttpd which is not nice.

    If you wish to use some other port start the script with the port ./install.sh <port>.
    If you plan to start multiple server instances not only have to give different port but also different number or names to them like ./install.sh <port> <number/name>.

    You can download the OpenVPN client from http://openvpn.net/index.php/open-source/downloads.html
    Learn more about OpenVPN:
    http://linux.die.net/man/8/openvpn
    http://openvpn.net/index.php/open-so...ion/howto.html

    The generated client keys are copied to /mnt/protected/
    On Windows you need the following keys (taken from the router):
    C:\Program Files\OpenVPN\config\ca.crt
    C:\Program Files\OpenVPN\config\client.crt
    C:\Program Files\OpenVPN\config\client.key


    If you use port 563/443 then you probably have to set the proxy as well in the client to proxy IP and typically 8080 port.
    (Note: if your proxy uses NTLM authentication you have to run as admin openvpn.exe as the GUI has some issue and --config for the .ovpn file containing
    http-proxy yourproxyIP 8080 stdin ntlm; alternatively use cntlm http://cntlm.sourceforge.net/)

    Here are some snapshots from the example run I've made:
    Name:  CAkey.png
Views: 3678
Size:  93.8 KB
    Name:  SKey.png
Views: 3611
Size:  61.5 KB
    Name:  Skeyq.png
Views: 3651
Size:  96.9 KB

    You can download and run the script from here: install.tar.gz

    If you're fine with the default parameters (single server, port: 563), you can paste the following line to your terminal (single line install).
    Code:
    cd /tmp && wget -O install.tar.gz "http://wl500g.info/attachment.php?attachmentid=8371&d=1318414980" && tar xvzf install.tar.gz && ./install.sh
    By default the starter script is
    /opt/etc/init.d/S20openvpn

    The config file is:
    /opt/etc/openvpn/server.conf

    The keys are located in:
    /opt/etc/openvpn/easy-rsa/keys/
    Last edited by ecaddict; 22-10-2011 at 08:09. Reason: fixed /opt/var/log instead of /var/log

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •