OpenVPN

[deenm]

Someone have tested "open vpn" on wl500g ?
http://openvpn.sourceforge.net
If yes and working, how to please.
Thanks

[tomilius]

I'm not taking credit for this--I didn't do it--but it's there in the Unslung repository, and it works. It's a bit tedious to configure if you don't already know how, but it does work. You need to get tun.o for the WL-500g and do this:

Code:

mkdir -p /dev/net
mknod /dev/net/tun c 10 200
insmod /opt/drivers/tun.o

... assuming you put tun.o in /opt/drivers. It works! It requires openvpn, though--not "automatically compatible" or built-in to Windows XP, though openvpn is available for XP.

You can get tun.o here: http://puma.spojovaci.net/~jaha2x/wl...vers/net/tun.o

And I've "mirrored" it here:
http://nochances.net/files/wl-500g/tun.o

So yeah. There's an OpenVPN 2.0 HOWTO out there to help you with stuff, and you'll need the OpenVPN source to get the easy-rsa folder or whatever it's called. You'll also need to modify the scripts which use "test" because they don't work...

For example, build-key has this:
if test $# -ne 1; then

Change it to this:
if [ "$#" -ne 1 ]; then

And this:
if test $KEY_DIR; then

Change it to this:
if [ "$KEY_DIR" ]; then

If somebody else interested could post all of the other simple modifications which anyone with basic script knowledge could make it would be great, but I don't really have time to explain all of the modifications right now. I... think anyone knowledgeable to care about VPNs will be able to get this going anyway.

Don't forget to allow all traffic on the port you choose with iptables... That's very important.

Thanks, whoever put this package up!

[Oleg]

I hope, that test, as well as tun.o would be included in the next firmware.

[tomilius]

I hope ethertap.o (http://puma.spojovaci.net/~jaha2x/wl...net/ethertap.o) is included as well for those of us who want VPN clients to be able to join the network as it is (cool!)

[mctiew]

I hope ethertap.o (http://puma.spojovaci.net/~jaha2x/wl...net/ethertap.o) is included as well for those of us who want VPN clients to be able to join the network as it is (cool!)

Ethertap.o is an old driver. The tun.o alone is able to provide tun and tap devices. For the purpose of openvpn and other applications, ethertap.o is not necessary.

Cheers.

[tomilius]

Thank you very much for that response... I was just scratching my head for an hour or so wondering why it didn't work. I'm new to all of this VPN stuff.

UPDATE: Got it working. Yay. Thanks to OpenVPN, remote users can log on to the network as though they were "right there," on the same subnet (with bridging configuration and such).

[Pirat]

Hi!

I've installet and configured openVPN and can connect from PC to ROUTER.
BUT: ping, telnet, ftp, ... work from Router->PC but not from PC->Router.
I testet from different clients, but same result.
All test are "internal" (LAN+WLAN).

Any ideas, tips, ...?
PS: I post the startscript lather, cause now I'm @work an WL is @home.

[tomilius]

Configure iptables for the tun/tap interface. Give it the same rules as br0 (ALLOW for INPUT, FORWARD, OUTPUT, or whatever you choose).

[Pirat]

Here is the "VPN-Part" of my startscript:

Code:

#------openVPN------
echo `date` "openVPN" >> /tmp/harddisk/log/start_hdd_prg.log
echo `date` "--erstelle VPN-Device" >> /tmp/harddisk/log/start_hdd_prg.log
mkdir -p /dev/net
mknod /dev/net/tun c 10 200
insmod /opt/drivers/tun.o

echo `date` "--starte openVPN für PCKIG54" >> /tmp/harddisk/log/start_hdd_prg.log
/opt/sbin/openvpn --config /opt/etc/openvpn/PCKIG54.conf &
echo `date` "--starte openVPN für Neubauer" >> /tmp/harddisk/log/start_hdd_prg.log
/opt/sbin/openvpn --config /opt/etc/openvpn/neubauer.conf &

echo `date` "--öffne Firewall für PCKIG54" >> /tmp/harddisk/log/start_hdd_prg.log
iptables -A INPUT -p udp --sport 5253 -j ACCEPT
iptables -A OUTPUT -p udp --dport 5253 -j ACCEPT
echo `date` "--öffne Firewall für Neubauer" >> /tmp/harddisk/log/start_hdd_prg.log
iptables -A INPUT -p udp --sport 5252 -j ACCEPT
iptables -A OUTPUT -p udp --dport 5252 -j ACCEPT

I use UDP-Port 5253+5252

[tomilius]

There's still a problem. See, tun (tun0) is an interface in itself. You've allowed all traffic on the VPN port so that such a connection may be established, but from there it's treated as though the devices are all connected via the tun0 interface, for which you've set no specific rules. You probably have iptables generically set up so all RELATED and ESTABLISHED connections are allowed and so that all OUTPUT is allowed. That explains why you can ping from the router to tun0's devices (VPN). However, you still must set rules for the tun0 interface, like this to allow all:

Code:

iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -o tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT

Whether or not you want the forward rules depends (extra parameters are required to give the VPN access to the internal LAN anyway unless you put it on the same subnet and use tap, I believe) and the OUTPUT rule seems unnecessary for your setup.

[Pirat]

HI!

I've tryed this:
1. start like script (see prev. post)
2. iptables like yor post
3. connect vpn
4. ping from router to pc -> work
5. ping from pc to router -> didn't work

[tomilius]

And you're sure you're using the correct tun0 IP address for the router when pinging (check ifconfig tun0; VPNsubnet.1)? Also, try the rules with -I instead of -A, just in case. Make sure tun0 is actually the interface you should be using, too, by just typing "ifconfig."

[Pirat]

-I works!!!!!!!! Thx!!!!
putting iptables ..... in post-firewall and it works also after reboot!!

[tomilius]

Yay! Congrats.

[Pirat]

Yay! Congrats.

congrats to YOU!!!!! Thx very much!