
Thread: [Howto] Install and configure basic OpenVPN server for Oleg firmware

  1. #1

    [Howto] Install and configure basic OpenVPN server for Oleg firmware

    Introduction/Installing
    OpenVPN is one of the most useful tools that can be installed on the router (sad that it's not part of the firmware itself, also not part of the excellent raas tutorial that I've re-used).
    OpenVPN is a complex topic and unfortunately I'm not in a position to introduce you to all aspects. Basically the server running on the router allows you to access the router (and other machines on the router's LAN) from a remote machine over the internet like you would do it locally (you have to have OpenVPN client installed and properly configured on the remote machine though). Thus in short you can access the router e.g. from your relatives/friends, from public WiFi hotspots or from your workplace (unless restricted).

    While installing OpenVPN is quite straightforward, it's not just ipkg install but you have to generate keys and set up the firewall properly etc.

    This tutorial helps you in that. In fact it's sufficient to run only a script that does everything for you (questions will be asked though):
    Code:
    #!/bin/sh
    #written by ecaddict, distributed (conveyed) under GPL version 3 or any later version
    
    PORT=${1:-563}
    VSNM=${2}
    CONFIG="/opt/etc/openvpn/server${VSNM}.conf"
    STARTS="/opt/etc/init.d/S20openvpn${VSNM}"
    RSAVAR="/opt/share/easy-rsa/vars"
    CKDIR="/mnt/protected"
    #user editable part end
    
    CONFD="${CONFIG%\/*}"
    CONFF="${CONFIG##*/}"
    INITD="${STARTS%\/*}"
    INITF="${STARTS##*/}"
    VARSD="${RSAVAR%\/*}"
    VARSF="${RSAVAR##*/}"
    VKDIR="${CONFD}/easy-rsa/keys${VSNM}"
    TUNIF="tun0"
    
    ipkg install openssl lzo net-tools easy-rsa psmisc openvpn
    
    export EASY_RSA=${VARSD}
    #creating certificates (if needed)
    if [ ! -d "${VKDIR}" ]; then
     if [ -d "${VARSD}" ]; then
      cd ${VARSD} && [ ! -f ${VARSF}.old ] && cp ${VARSF} ${VARSF}.old
      echo -e "\033[1;32mSeveral questions will be asked that will be reflected in the keys\033[0m"
      echo -e "for private use your answer does not matter. \nSave previously generated keys from ${VARSD}/keys (if any)."
      echo -e "\033[1;32mType the number of clients you need keys for and press Enter\033[0m to continue."
      echo -e "Guess your number of clients well as it takes time both to generate and generate keys again."
      read CKEYN; CKEYN=${CKEYN:-1}; [ "${CKEYN}" -gt 9 ] && CKEYN=9
      . ${RSAVAR}   # busybox sh has no "source" builtin; vars must be loaded before clean-all
      ./clean-all
      echo -e "\033[1;32mGenerating CA key\033[0m"
      ./build-ca
      echo -e "\033[1;32mGenerating Diffie-Hellman parameters\033[0m"
      ./build-dh
      echo -e "\033[1;32mGenerating Server key \033[0m" && ./build-key-server server
      I=0; while [ ${I} -lt "${CKEYN}" ]; do
        let "I+=1"
          echo -e "\033[1;32mGenerating keys for client ${I}\033[0m" && ./pkitool --interact --inter client0${I}
      done
      mkdir -p ${VKDIR}
      mv ./keys/server* "${VKDIR}"
      mv ./keys/ca* "${VKDIR}"
      mv ./keys/dh1024.pem "${VKDIR}"
      mv ./keys/client* "${VKDIR}" #temporarily
      else
       echo -e "\033[1;31mDirectory ${VARSD} does not exist\033[0m"
       exit 1
      fi
    else
     echo -e "\033[1;33mThe directory ${VKDIR} exists, no keys are generated.\033[0m"
    fi
    
    cd ${CONFD} && [ ! -f ${CONFF}.old ] && mv ${CONFF} ${CONFF}.old
    cat > ${CONFF} << __EOF__
    port ${PORT}
    proto tcp
    dev tun
    ca ${VKDIR}/ca.crt
    cert ${VKDIR}/server.crt
    key ${VKDIR}/server.key
    dh ${VKDIR}/dh1024.pem
    
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "route 192.168.1.0 255.255.255.0"
    duplicate-cn
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    __EOF__
    
    tar -cvzf ${CKDIR}/vpnkeys${VSNM}.tar.gz ${VKDIR}/ca.crt ${VKDIR}/client0?.crt ${VKDIR}/client0?.key
    
    cd ${INITD} && [ ! -f old.${INITF} ] && mv ${INITF} old.${INITF}
    cat > ${INITF} << __EOF__
    #!/bin/sh
    #
    # Startup script for openvpn as standalone server
    #
    PREFIX="/opt"
    PORT=${PORT}
    NAME=openvpn
    PFILE="/opt/var/run/vpnserver${VSNM}.pid"
    OPTS="--daemon --cd /opt/etc/openvpn --log-append /opt/var/log/openvpn.log --config ${CONFF} --writepid \${PFILE}"
    
    # Make sure IP forwarding is enabled
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    # Make device if not present (not devfs)
    if ( [ ! -c /dev/net/tun ] ) then
      # Make /dev/net directory if needed
      if ( [ ! -d /dev/net ] ) then
            mkdir -m 755 /dev/net
      fi
      mknod /dev/net/tun c 10 200
    fi
    
    # Make sure the tunnel driver is loaded
    if ( !(lsmod | grep -q "^tun") ); then
            insmod tun
    fi
    
    if [ -z "\$1" ] ; then
        case \`echo "\$0" | sed 's:^.*/\(.*\):\1:g'\` in
            S??*) rc="start" ;;
            K??*) rc="stop" ;;
            *) rc="usage" ;;
        esac
    else
        rc="\$1"
    fi
    
    case "\$rc" in
        start)
            echo "Starting: \$NAME"
            \${PREFIX}/sbin/\${NAME} \$OPTS
            iptables -I INPUT -i \`nvram get wan_ifname\` -p tcp --dport \$PORT -j ACCEPT
            ;;
        stop)
            if [ -f \${PFILE} ] ; then
              kill \`cat \${PFILE}\` >/dev/null 2>&1
              rm -f \${PFILE}
              iptables -D INPUT -i \`nvram get wan_ifname\` -p tcp --dport \$PORT -j ACCEPT
            else
              killall "\$NAME"
            fi
            ;;
        restart)
            "\$0" stop
            sleep 1
            "\$0" start
            ;;
        *)
            echo "Usage: \$0 (start|stop|restart|usage)"
            ;;
    esac
    
    __EOF__
    
    [ -n "$2" ] && TUNIF="tun+"
    if [ -z "`sed -n 's/-i '${TUNIF}' -j ACCEPT/&/p' /usr/local/sbin/post-firewall`" ]; then
    cat >> /usr/local/sbin/post-firewall << __EOF__
    iptables -I INPUT -i ${TUNIF} -j ACCEPT
    iptables -I FORWARD -i ${TUNIF} -j ACCEPT
    iptables -I FORWARD -o ${TUNIF} -j ACCEPT
    iptables -I OUTPUT -o ${TUNIF} -j ACCEPT
    __EOF__
    iptables -I INPUT -i ${TUNIF} -j ACCEPT
    iptables -I FORWARD -i ${TUNIF} -j ACCEPT
    iptables -I FORWARD -o ${TUNIF} -j ACCEPT
    iptables -I OUTPUT -o ${TUNIF} -j ACCEPT
    flashfs save && flashfs commit && flashfs enable
    fi
    
    chmod u+x ${INITF}
    ${STARTS} start
    The script will ask how many client keys should be generated (max 9) and the typical questions for the keys like your location etc. Answer as you wish, but you have to answer with y (yes) to the "sign the certificate" and "commit" questions.

    There are the following typical options for the server port for OpenVPN:
    1194 or 443 or 563
    While 1194 is the well known port for OpenVPN, some restrictive firewalls don't allow this port so you may need to use 563 that's typically allowed (and also the script uses) or 443 (https port). If you plan to use port 443, it means that you cannot use it with the lighttpd which is not nice.

    If you wish to use some other port, start the script with the port: ./install.sh <port>.
    If you plan to start multiple server instances, you not only have to give them different ports but also different numbers or names, like ./install.sh <port> <number/name>.

    You can download the OpenVPN client from http://openvpn.net/index.php/open-source/downloads.html
    Learn more about OpenVPN:
    http://linux.die.net/man/8/openvpn
    http://openvpn.net/index.php/open-so...ion/howto.html

    The generated client keys are copied to /mnt/protected/
    On Windows you need the following keys (taken from the router):
    C:\Program Files\OpenVPN\config\ca.crt
    C:\Program Files\OpenVPN\config\client.crt
    C:\Program Files\OpenVPN\config\client.key


    If you use port 563/443 then you probably have to set the proxy as well in the client, to the proxy IP and typically port 8080.
    (Note: if your proxy uses NTLM authentication you have to run openvpn.exe as admin, as the GUI has some issue, with --config pointing to the .ovpn file containing
    http-proxy yourproxyIP 8080 stdin ntlm; alternatively use cntlm http://cntlm.sourceforge.net/)

    Here are some snapshots from the example run I've made (attached images): CAkey.png, SKey.png, Skeyq.png

    You can download and run the script from here: install.tar.gz

    If you're fine with the default parameters (single server, port: 563), you can paste the following line to your terminal (single line install).
    Code:
    cd /tmp && wget -O install.tar.gz "http://wl500g.info/attachment.php?attachmentid=8371&d=1318414980" && tar xvzf install.tar.gz && ./install.sh
    By default the starter script is
    /opt/etc/init.d/S20openvpn

    The config file is:
    /opt/etc/openvpn/server.conf

    The keys are located in:
    /opt/etc/openvpn/easy-rsa/keys/
    Last edited by ecaddict; 22-10-2011 at 08:09. Reason: fixed /opt/var/log instead of /var/log
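    The server.conf written by the install script above enables duplicate-cn, points at easy-rsa's 1024-bit dh1024.pem, and has no tls-auth line and no user/group privilege drop. As an added example (not part of ecaddict's script or of the OpenVPN package), here is a small POSIX sh audit that flags those settings in a generated config and contrasts the script's config with a hardened variant. It assumes the dh file is named dhNNNN.pem the way easy-rsa's build-dh names it from KEY_SIZE; the hardened sample assumes a ta.key generated with openvpn --genkey --secret ta.key and that a nobody user and group exist on the router. Both sample configs are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OpenVPN server.conf
# for the weak settings a router install like the one above tends to ship with.

# audit_ovpn_conf FILE  -> one "WARN ..." line per finding on stdout
audit_ovpn_conf() {
    conf="$1"
    # duplicate-cn lets several clients share one certificate, so a leaked
    # client key can be used concurrently without disconnecting the owner.
    if grep -q '^duplicate-cn' "$conf"; then
        echo "WARN duplicate-cn: shared client certificates allowed"
    fi
    # Assumption: the dh file is named dh<bits>.pem as easy-rsa's build-dh
    # does from KEY_SIZE; anything below 2048 bits is weak today.
    dh=$(sed -n 's/^dh[[:space:]]*//p' "$conf")
    bits=$(echo "$dh" | sed -n 's/.*dh\([0-9]*\)\.pem$/\1/p')
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "WARN dh: ${bits}-bit Diffie-Hellman parameters (${dh})"
    fi
    # tls-auth adds an HMAC to the TLS control channel; without it the
    # listener completes a TLS handshake attempt from any source.
    if ! grep -q '^tls-auth' "$conf"; then
        echo "WARN tls-auth: control channel not HMAC-protected"
    fi
    # user/group drop root after the tun device and routes are set up.
    if ! grep -q '^user ' "$conf" || ! grep -q '^group ' "$conf"; then
        echo "WARN user/group: daemon keeps root after initialisation"
    fi
}

# audit_count FILE -> number of findings (always exits 0)
audit_count() {
    audit_ovpn_conf "$1" | grep -c '^WARN' || true
}

# write_sample_confs -> prints a temp dir holding weak.conf (the settings the
# install script writes) and hardened.conf (constructed corrected variant).
write_sample_confs() {
    dir=$(mktemp -d)
    cat > "$dir/weak.conf" <<'EOF'
port 563
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
EOF
    cat > "$dir/hardened.conf" <<'EOF'
port 563
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
tls-auth keys/ta.key 0
user nobody
group nobody
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
EOF
    echo "$dir"
}

# Demo run: the script's own settings produce four findings, the hardened
# variant none.
d=$(write_sample_confs)
echo "== weak.conf: $(audit_count "$d/weak.conf") finding(s) =="
audit_ovpn_conf "$d/weak.conf"
echo "== hardened.conf: $(audit_count "$d/hardened.conf") finding(s) =="
audit_ovpn_conf "$d/hardened.conf"
rm -rf "$d"
```

    To apply the hardened settings to the script's layout, set KEY_SIZE=2048 in vars before build-dh (so dh2048.pem is produced), generate the HMAC key with openvpn --genkey --secret ta.key in the keys directory, add tls-auth keys/ta.key 1 to each client's .ovpn, and drop duplicate-cn since the script already issues a separate client0N certificate per client.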

  2. #2

    Accessing Samba share and SWAT via OpenVPN

    Accessing Samba share and SWAT (Samba Web Administration Tool) via OpenVPN

    For this you have to change some configuration files. Maybe I'll script it later on but it's really simple.

    /opt/etc/samba/smb.conf
    Make sure that in the [global] section you allow 10.8.0.0, that is, you have to have something like this for hosts allow:

    Code:
    hosts allow = 192.168.1. 10.8.0.0/24
    After restarting Samba with either /opt/etc/init.d/S80samba or restarting the router you can access the share.

    Browsing does not work (so you have to know the name of your share), the reasons are beyond the depth of this tutorial.

    So in Windows you can use Map Network Drive, e.g. for the mnt share:
    \\10.8.0.1\mnt
    or
    \\192.168.1.1\mnt (especially with Samba3)
    (the second works if route was successfully pushed via OpenVPN client, which e.g. with Windows 7 may require "Run as administrator" for OpenVPN client).

    In Total Commander you can just change to the share, e.g. (Samba is not too fast if you don't have a fast network connection, but it works):
    cd \\10.8.0.1\mnt

    Accessing SWAT requires one more change; you have to edit the file:
    /opt/etc/xinetd.d/swat

    making sure that it contains 10.8.0.0/24, so it has a line something like this:
    Code:
    only_from = localhost 192.168.1.0/24 10.8.0.0/24
    After xinetd (/opt/etc/init.d/S10xinetd) or router restart you can access SWAT from your web browser via:
    http://10.8.0.1:901
    or
    http://192.168.1.1:901 (especially with Samba3)
    Last edited by ecaddict; 30-09-2011 at 09:59. Reason: Added Samba/SWAT access

  3. #3
    Hey
    I'm trying to install OpenVPN on my asus wl-500gp (v1) with attached usb-hdd but I'm stuck on generating keys from easy-rsa.
    It's running Oleg 1.9.2.7-10.

    ./install.sh
    Package openssl (0.9.7m-6) installed in root is up to date.
    Package lzo (2.03-1) installed in root is up to date.
    Package net-tools (1.60-6) installed in root is up to date.
    Package easy-rsa (2.0rc1SAN-3) installed in root is up to date.
    Package psmisc (22.13-1) installed in root is up to date.
    Package openvpn (2.2.0-1) installed in root is up to date.
    Nothing to be done
    Several questions will be asked that will be reflected in the keys
    for private use your answer does not matter.
    Save previously generated keys from /opt/share/easy-rsa/keys (if any).
    Type the number of clients you need keys for and press Enter to continue.
    Guess your number of clients well as it takes time both to generate and generate keys again.
    1
    Please source the vars script first (i.e. "source ./vars")
    Make sure you have edited it to reflect your configuration.
    ./install.sh: ./install.sh: 55: source: not found
    Generating CA key
    Please edit the vars script to reflect your configuration,
    then source it with "source ./vars".
    Next, to start with a fresh PKI configuration and to delete any
    previous certificates and keys, run "./clean-all".
    Finally, you can run this tool (pkitool) to build certificates/keys.
    Generating Diffie-Hellman parameters
    Please source the vars script first (i.e. "source ./vars")
    Make sure you have edited it to reflect your configuration.
    Generating Server key
    Please edit the vars script to reflect your configuration,
    then source it with "source ./vars".
    Next, to start with a fresh PKI configuration and to delete any
    previous certificates and keys, run "./clean-all".
    Finally, you can run this tool (pkitool) to build certificates/keys.
    Generating keys for client 1
    Please edit the vars script to reflect your configuration,
    then source it with "source ./vars".
    Next, to start with a fresh PKI configuration and to delete any
    previous certificates and keys, run "./clean-all".
    Finally, you can run this tool (pkitool) to build certificates/keys.
    cannot stat `./keys/server*': No such file or directory
    cannot stat `./keys/ca*': No such file or directory
    cannot stat `./keys/dh1024.pem': No such file or directory
    cannot stat `./keys/client*': No such file or directory
    tar: /opt/etc/openvpn/easy-rsa/keys/client0?.key: No such file or directory
    tar: /opt/etc/openvpn/easy-rsa/keys/client0?.crt: No such file or directory
    tar: /opt/etc/openvpn/easy-rsa/keys/ca.crt: No such file or directory
    tar: Error exit delayed from previous errors
    Starting: openvpn

    easy-rsa vars : /opt/share/easy-rsa
    # easy-rsa parameter settings

    # NOTE: If you installed from an RPM,
    # don't edit this file in place in
    # /usr/share/openvpn/easy-rsa --
    # instead, you should copy the whole
    # easy-rsa directory to another location
    # (such as /etc/openvpn) so that your
    # edits will not be wiped out by a future
    # OpenVPN package upgrade.

    # This variable should point to
    # the top level of the easy-rsa
    # tree.
    export EASY_RSA="/opt/share/easy-rsa"

    #
    # This variable should point to
    # the requested executables
    #
    export OPENSSL="openssl"
    #export PKCS11TOOL="pkcs11-tool" - uncommented as i don't have it, is it even avaliable and required? (README said it can be uncommented)
    export GREP="grep"


    # This variable should point to
    # the openssl.cnf file included
    # with easy-rsa.
    export KEY_CONFIG=`/opt/share/easy_rsa/openssl.cnf` <--- changed this to openssl.cnf from whichopensslcnf (tested both) as README said

    # Edit this variable to point to
    # your soon-to-be-created key
    # directory.
    #
    # WARNING: clean-all will do
    # a rm -rf on this directory
    # so make sure you define
    # it correctly!
    export KEY_DIR="/opt/etc/openvpn/easy_rsa/keys"

    # Issue rm -rf warning
    echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

    # Increase this to 2048 if you
    # are paranoid. This will slow
    # down TLS negotiation performance
    # as well as the one-time DH parms
    # generation process.
    export KEY_SIZE=1024

    # In how many days should the root CA key expire?
    export CA_EXPIRE=3650

    # In how many days should certificates expire?
    export KEY_EXPIRE=3650

    # These are the default values for fields
    # which will be placed in the certificate.
    # Don't leave any of these fields blank.
    export KEY_COUNTRY="US"
    export KEY_PROVINCE="CA"
    export KEY_CITY="SanFrancisco"
    export KEY_ORG="Fort-Funston"
    export KEY_EMAIL="me@myhost.mydomain"
    Any idea what is wrong with my config?

  4. #4
    Quote Originally Posted by seb101:
    Hey
    I'm trying to install OpenVPN on my asus wl-500gp (v1) with attached usb-hdd but I'm stuck on generating keys from easy-rsa.
    It's running Oleg 1.9.2.7-10.
    easy-rsa vars : /opt/share/easy-rsa
    Any idea what is wrong with my config?

    Replace this line within the script:

    source ${RSAVAR}
    with this:

    . ${RSAVAR}
    It worked for me.

  5. #5

    Hi, thank you for the manual

    Thank you for the manual. The VPN tunnel is working, but a client connected via VPN to the router hasn't got access to the internet. On the client the DHCP server is 10.8.0.1, DNS and gateway are the same 10.8.0.1; I can't ping any site by name or by IP. On the router I can normally ping by names and IP.

  6. #6

    OpenVPN problem again

    I am currently on the latest released fw (5066) on my rtn-16. From time to time (twice a month) I got similar error messages in a log:
    May 26 00:00:05 kernel: SQUASHFS error: sb_bread failed reading block 0x6d
    May 26 00:00:05 kernel: SQUASHFS error: Unable to read page, block d13d, size e18d
    May 26 00:05:02 kernel: SQUASHFS error: Unable to read fragment cache entry [5a7be]

    The only help is a hard restart of the router.

    I tried newer fws from 5100 (from wpte's nightly builds, thanks for that) but got router restarts after starting openvpn. It seems to me that the latest changes in tun (since 5099) caused this. Could somebody confirm that? Is there any solution for that?

  7. #7
    Here is another syslog with more details:

    May 27 04:03:44 kernel: WARNING: at fs/squashfs/uncomp.c:146 sqlzma_un()
    May 27 04:03:44 kernel: Call Trace:
    May 27 04:03:44 kernel: [<80265a88>] dump_stack+0x8/0x34
    May 27 04:03:44 kernel: [<800e64d8>] sqlzma_un+0x140/0x258
    May 27 04:03:44 kernel: [<800e12a8>] squashfs_read_data+0x4d0/0x7fc
    May 27 04:03:44 kernel: [<800e17a8>] squashfs_cache_get+0x1d4/0x350
    May 27 04:03:44 kernel: [<800e5fec>] squashfs_readpage+0x348/0x56c
    May 27 04:03:44 kernel: [<8005967c>] __do_page_cache_readahead+0x25c/0x270
    May 27 04:03:44 kernel: [<80059a00>] do_page_cache_readahead+0x5c/0x7c
    May 27 04:03:44 kernel: [<80052ec8>] filemap_fault+0x2fc/0x46c
    May 27 04:03:44 kernel: [<8005fa9c>] __do_fault.isra.46+0x7c/0x4e8
    May 27 04:03:44 kernel: [<80062e44>] handle_mm_fault+0x10c/0x8e4
    May 27 04:03:44 kernel: [<80012284>] do_page_fault+0x134/0x360
    May 27 04:03:44 kernel: [<800082a0>] ret_from_exception+0x0/0xc
    May 27 04:03:44 kernel: SQUASHFS error: sb_bread failed reading block 0x201
    May 27 04:03:44 kernel: SQUASHFS error: Unable to read fragment cache entry [775bb]

    Might this error be caused by a faulty power source? It's the original one, almost 3 years old.

  8. #8
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    That's a kernel oops.
    Looks like there's a problem with loading the firmware file, or reading from it.

    What firmware do you use, and which version?
    You could try to flash a more recent version or reflash your firmware.

  9. #9
    I have tried newer versions but, as you can read in my previous post, there is some problem with openvpn again. And as I already mentioned I am on the latest official release v5066 from the repository. I had already downloaded and reflashed fw a few times (also from your "Nightly" web storage), but it's very hard to analyse this problem because its occurrence is very rare, once a month.

  10. #10
    I have tested a few more versions and I found that version 5097 is still working correctly with openvpn but 5100 not. Maybe changes in 5099 are the case?

  11. #11
    Quote Originally Posted by oldgringo View Post
    I have tested a few more versions and I found that version 5097 is still working correctly with openvpn but 5100 not. Maybe changes in 5099 are the case?
    Could be, although I find the warning messages you get a bit weird.

    You should report your findings to lly.
    The forum thread: http://wl500g.info/showthread.php?18...rsion&p=260281 (I think lly watches it)

    or add an issue to the google code project: https://code.google.com/p/wl500g/issues/entry

    I mean, if you're sure it's not working after some revisions about there...

    I haven't used openvpn for a long time on my router, so I didn't notice anything.

  12. #12
    I found the reason for this weird problem: chipset overheating. I've mounted a big heatsink with a small cooler and everything seems to be OK.
    But openvpn in v5099 and newer is still the issue; the router is restarting every time some client connects.

  13. #13
    When I deactivated fastnat then connection became stable.

  14. #14
    Quote Originally Posted by oldgringo View Post
    When I deactivated fastnat then connection became stable.
    Well yes, it should be, otherwise openvpn won't work.

  15. #15
    But up to version r5097 openvpn works also with fastnat set (no matter whether the value is 1 or 2).
