Thread: HowTo install OpenVPN server

    HowTo install OpenVPN server

    =========================================================
    NOTES:
    I do not take any credit for most of the information herein written. I just collected (copy&paste) most of the information and adapted it to be executed under an Asus WL-500g device.

    This is a simple setup that has a limited scalability -- one client, one server.

    This HowTo is oriented to create a VPN connection between an Asus WL-500g device and a Windows XP client.

    ASSUMPTIONS:
    i.- firmware: Oleg 1.9.2.7-7b
    ii.- root file system on the external USB drive
    iii.- telnet/ssh daemon installed and active
    iv.- nano editor installed

    SOURCES:
    i.- http://openvpn.net
    ii.- http://www.sprayfly.com/wiki/User_talk:Jonolumb
    iii.- This forum
    =========================================================

    CONFIGURING THE CLIENT (Windows XP)
    Download from http://openvpn.se/download.html openvpn-2.0.7-gui-1.0.3-install.exe which will install both OpenVPN and a Windows GUI. Install everything.
    During the installation you will be prompted about authentication of drivers to be installed. You should accept it.

    Open "network connections" and rename the connection recently created from "Local Area Connection x" to "tun0" (it should have "TAP-Win32 Adapter V8 (coLinux)" as NIC)

    Open a dos-prompt window
    C:
    cd \Program Files\OpenVPN\config
    openvpn --genkey --secret static.key


    Create a txt file called "client.ovpn" and add the following information:
    remote myremote.mydomain
    dev tun0
    ifconfig 10.8.0.2 10.8.0.1
    secret static.key
    keepalive 10 60


    where myremote.mydomain is the WAN ip address or host name of your Asus WL-500g router.


    Install OpenVPN package on WL-500g

    ipkg -force-depends install openvpn

    Check for message:
    Warning: Cannot satisfy the following dependencies for openvpn: kernel-module-tun

    But the warning can be disregarded; tun is already included in Oleg's firmware.


    Create the TUN device node
    (users report these two lines below are not necessary any longer. They give error messages. See comment #9)

    mkdir /dev/net
    mknod /dev/net/tun c 10 200



    Load the TUN/TAP kernel module

    insmod tun


    Enable routing

    echo 1 > /proc/sys/net/ipv4/ip_forward


    Configuring VPN Server

    cd /opt/etc/openvpn
    nano server.conf

    (add following lines)
    dev tun0
    ifconfig 10.8.0.1 10.8.0.2
    secret static.key

    (exit editor)
    ^O ^X


    Copy via FTP the file static.key from WinXP client folder C:\Program Files\OpenVPN\config to Asus wl500g directory /opt/etc/openvpn


    Add firewall rules

    cd /usr/local/sbin
    nano post-firewall

    #!/bin/sh
    #OpenVPN access from WAN
    iptables -D INPUT -j DROP
    iptables -I INPUT -p udp --dport 1194 -j ACCEPT
    iptables -t nat -I PREROUTING -i eth1 -p udp --dport 1194 -j DNAT --to-destination $4:1194
    iptables -A INPUT -j DROP

    iptables -I INPUT -i tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -j ACCEPT
    iptables -I FORWARD -o tun0 -j ACCEPT
    iptables -I OUTPUT -o tun0 -j ACCEPT


    (exit editor)
    ^O ^X

    NOTES:
    With WL-500gP eth1 shall be changed to vlan1 and $4 to router's LAN gateway (192.168.1.1)


    Start OpenVPN server manually
    /sbin/insmod tun
    /opt/sbin/openvpn --cd /opt/etc/openvpn --daemon \
    --log-append /var/log/openvpn.log \
    --config server.conf


    If you want to try the OpenVPN server at this point, without making an autostart, you should execute all the iptables commands written above by copying and pasting them at the Asus wl500g prompt, then jump to the next point, called "Trying the VPN tunnel".


    Autostart
    To automatically start the OpenVPN server processes at boot time:

    nano /opt/etc/init.d/S24openvpn

    #!/bin/sh

    if [ -n "`pidof openvpn`" ]; then
        /bin/killall openvpn 2>/dev/null
    fi

    # load TUN/TAP kernel module
    /sbin/insmod tun

    # enable IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Startup VPN tunnel in daemon mode
    /opt/sbin/openvpn --cd /opt/etc/openvpn --daemon \
    --log-append /var/log/openvpn.log \
    --config server.conf


    (exit editor)
    ^O ^X


    Save and Reboot
    chmod +x /opt/etc/init.d/S24openvpn
    flashfs save
    flashfs commit
    flashfs enable
    reboot



    Trying the VPN tunnel
    Execute file client.ovpn in Windows XP (C:\Program Files\OpenVPN\config). A DOS window will appear. Pay attention to message "Initialization Sequence Completed". This message indicates that the VPN connection has been established. (Do not close the DOS window! If you close the DOS window you will close the VPN connection)

    To test that everything works as it should, try to ping 10.8.0.1 from the client (Windows XP) and to ping 10.8.0.2 from the Asus WL-500g. You should get ping responses in both cases. If so, everything works!


    FINAL NOTES
    i) If you are running Windows XP/SP2 don't forget to add a rule in your Windows XP firewall to accept traffic on port 1194.
    ii) HowTo: Routing all client traffic through VPN tutorial available
    Last edited by Tamadite; 11-10-2009 at 00:05. Reason: Updating tutorial
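
The HowTo above copies static.key from the Windows client to /opt/etc/openvpn over FTP, so the file can arrive truncated and usually lands with default permissions. The script below is an added example, not part of the original post: it checks that the file is a complete OpenVPN static key (V1 markers, 16 lines of 32 hex characters, CRLF tolerated) and that only its owner can access it. The function names and the sample key are constructed for illustration; on the router it would be run as `sh audit_key.sh /opt/etc/openvpn/static.key` (script name assumed).

```shell
#!/bin/sh
# Added example (not from the original post): audit static.key on the router.
# Write a constructed sample key (not a real secret) with CRLF line endings,
# as a file generated on the Windows client would have. $2 = body line count.
make_sample_key() {
    {
        printf '#\r\n# 2048 bit OpenVPN static key\r\n#\r\n'
        printf '%s\r\n' '-----BEGIN OpenVPN Static key V1-----'
        i=0
        while [ "$i" -lt "${2:-16}" ]; do
            printf '0123456789abcdef0123456789abcdef\r\n'
            i=$((i + 1))
        done
        printf '%s\r\n' '-----END OpenVPN Static key V1-----'
    } > "$1"
}

# Succeeds only if both markers are present and the body is 16 lines of
# 32 hex characters (2048 bits); a trailing CR from Windows is tolerated.
check_key_format() {
    [ -r "$1" ] || return 1
    grep -q '^-----BEGIN OpenVPN Static key V1-----' "$1" || return 1
    grep -q '^-----END OpenVPN Static key V1-----' "$1" || return 1
    n=$(grep -c '^[0-9a-fA-F]\{32\}[[:space:]]*$' "$1" || true)
    [ "$n" -eq 16 ]
}

# Succeeds only if group and other have no permission bits on the file.
check_key_perms() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Print findings; the return code is the number of failed checks.
audit_key() {
    findings=0
    check_key_format "$1" || { echo "FAIL: $1 is not a complete static key"; findings=$((findings + 1)); }
    check_key_perms "$1" || { echo "FAIL: $1 is accessible to group/other (chmod 600)"; findings=$((findings + 1)); }
    [ "$findings" -eq 0 ] && echo "OK: $1"
    return "$findings"
}

# With an argument, audit that file; otherwise audit a constructed sample.
if [ -n "${1:-}" ]; then
    audit_key "$1"
else
    d=$(mktemp -d) && make_sample_key "$d/static.key" && chmod 600 "$d/static.key"
    audit_key "$d/static.key"; rm -rf "$d"
fi
```

A non-zero exit status means the key should be re-copied or its mode tightened before OpenVPN is started.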
