OPENVPN Server configuration

Being able to tunnel back into the house is a very useful thing to be able to do. I use the NSLU as both a VPN client to connect to other networks and as a VPN server. Both of these can run simultaneously.

Make sure you have the openvpn package installed

ipkg install openvpn

The openvpn configuration files live here

cd /opt/etc/openvpn

First up we need to generate a set of keys and certificates (a CA, a server certificate and a client certificate).

mkdir server-keys
cd server-keys
 
mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
touch demoCA/index.txt
echo "01" >> demoCA/serial
 
# Self-signed CA certificate and key, valid for 5 years
openssl req -nodes -new -x509 -days 1825 -keyout ca.key -out ca.crt
# Server key and certificate request, then sign the request with the CA
openssl req -nodes -new -keyout server.key -out server.csr
openssl ca -cert ca.crt -keyfile ca.key -out server.crt -in server.csr
# Client key and certificate request, then sign the request with the CA
openssl req -nodes -new -keyout client.key -out client.csr
openssl ca -cert ca.crt -keyfile ca.key -out client.crt -in client.csr
# Diffie-Hellman parameters for the server side
openssl dhparam -out dh.pem 1024
# Static key for tls-auth (note: the server config below does not reference it)
openvpn --genkey --secret shared.key
# Private keys must not be world-readable (ca.key and client.key deserve the same treatment)
chmod 600 server.key

Now to combine these into a single PKCS12 file.

# Combine client keys into a pkcs12 file
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out dbzoo-cert.p12

Now we create the /opt/etc/openvpn/openvpn-server.conf configuration file. I have opted to tunnel using TCP over port 443, as I know this works behind even the most restrictive firewall that only has ports 80 and 443 open. However, if you can use port 1194 and UDP, do so, as your performance will be better.

#Begin openvpn-server.conf
dev tun
#port 1194
#proto udp
port 443
proto tcp

ca server-keys/ca.crt
cert server-keys/server.crt
key server-keys/server.key # This file should be kept secret
dh server-keys/dh.pem

#Make sure this is your tunnel address pool
server 10.0.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#This is the route to push to the client, add more if necessary
push "route 192.168.1.0 255.255.255.0"
#push "dhcp-option DNS 192.168.1.77"
keepalive 10 120
cipher BF-CBC #Blowfish encryption
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 6
mute 20
up ./openvpn-server.up
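
As an added example (not part of the original page), a small Python audit that parses a server config in the format above, including the inline # comments and the quoted push argument, and flags the choices a reviewer would revisit today: the 64-bit-block BF-CBC cipher, comp-lzo, the absence of tls-auth/tls-crypt even though shared.key was generated, and the verb 6 logging level. The checks and the wording of the findings are my own; the sample config is the page's server config reduced to the lines the checks look at.

```python
"""Added check: audit an OpenVPN server config for settings worth revisiting."""
import shlex

# CBC ciphers with a 64-bit block size (the SWEET32 class); BF-CBC is the one used above.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}

def parse_openvpn_conf(text):
    """Return [(directive, [args]), ...], honouring full-line and inline '#'/';'
    comments and quoted arguments such as push "route 192.168.1.0 255.255.255.0"."""
    parsed = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        lexer = shlex.shlex(line, posix=True)
        lexer.whitespace_split = True
        lexer.commenters = "#;"          # drop trailing inline comments
        tokens = list(lexer)
        if tokens:
            parsed.append((tokens[0], tokens[1:]))
    return parsed

def audit(directives):
    """Return (directive, problem) findings; an empty list means nothing was flagged."""
    opts = {}
    for name, args in directives:
        opts.setdefault(name, args)      # first occurrence wins for presence checks
    findings = []
    cipher = opts.get("cipher", ["BF-CBC"])[0]   # BF-CBC was the historical default
    if cipher.upper() in SMALL_BLOCK_CIPHERS:
        findings.append(("cipher", cipher + " uses a 64-bit block (SWEET32); prefer AES-256-GCM"))
    if "comp-lzo" in opts or "compress" in opts:
        findings.append(("comp-lzo", "compressing tunnelled data exposes it to VORACLE-style attacks"))
    if "tls-auth" not in opts and "tls-crypt" not in opts:
        findings.append(("tls-auth", "no HMAC on the control channel; the generated static key is unused"))
    if int(opts.get("verb", ["1"])[0]) >= 5:
        findings.append(("verb", "verbosity >= 5 logs per-packet detail to the log files"))
    return findings

# The page's server config, reduced to the lines the checks look at (constructed sample).
PAGE_SERVER_CONF = """\
key server-keys/server.key # This file should be kept secret
push "route 192.168.1.0 255.255.255.0"
cipher BF-CBC #Blowfish encryption
comp-lzo
user nobody
group nobody
verb 6
"""
```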

Set up iptables to allow this tunnel to be used. This is the openvpn-server.up script referenced by the up directive above:

#!/bin/sh
# Called by the "up" directive; OpenVPN passes the tunnel device name as $1
# (newer OpenVPN releases also require "script-security 2" in the config
# before they will run an external up script).
WLAN=$1
# Accept traffic arriving on, forwarded through, and sent out of the tunnel interface
iptables -I INPUT -i "$WLAN" -j ACCEPT
iptables -I FORWARD -i "$WLAN" -j ACCEPT
iptables -I FORWARD -o "$WLAN" -j ACCEPT
iptables -I OUTPUT -o "$WLAN" -j ACCEPT

The startup script is /opt/etc/init.d/S20openvpn; make sure it references your .conf file correctly.

As multiple clients can use the same PKCS12 certificate, we include the option --duplicate-cn.

#!/bin/sh
#
# Startup script for openvpn as standalone server
#

# Make sure IP forwarding is enabled
echo 1 > /proc/sys/net/ipv4/ip_forward

# Make sure these are loaded
insmod ip_tables >/dev/null
insmod iptable_filter >/dev/null
insmod ip_conntrack >/dev/null
insmod iptable_nat >/dev/null
insmod ipt_state >/dev/null
insmod ipt_MASQUERADE >/dev/null

# Clear all chains (we only use IPTABLES for VPN so this is ok)
iptables -F
iptables -F -t nat

# Make device if not present (not devfs)
if [ ! -c /dev/net/tun ]; then
  # Make /dev/net directory if needed
  if [ ! -d /dev/net ]; then
        mkdir -m 755 /dev/net
  fi
  mknod /dev/net/tun c 10 200
fi

# Make sure the tunnel driver is loaded
if ! lsmod | grep -q "^tun"; then
        insmod /opt/lib/modules/tun.o
fi

# If you want a standalone server (not xinetd), leave the exit statement below commented out
#exit 0

## This is for standalone servers only!!!!
# Kill old server if still there
if [ -n "`pidof openvpn`" ]; then
    /bin/killall openvpn 2>/dev/null
fi

# Start afresh - add as many daemons as you want

# Start OPENVPN SERVER
/opt/sbin/openvpn --daemon --cd /opt/etc/openvpn --config openvpn-server.conf --duplicate-cn

To access your tunnel you're going to need to set up a few things.

For Windows you can get the software from http://openvpn.se/; once installed, you will need to copy a few files into the C:\Program Files\OpenVPN\config directory.

I use home.dbzoo.com as a CNAME for dbzoo.dyndns.com which my router will keep up to date for me. If you don't have your own domain you can substitute any DYNDNS name in here.

dbzoo-home.ovpn

########################################
# OpenVPN Client Configuration
# DBZOO home network
client
dev tun
proto tcp
remote home.dbzoo.com 443
nobind

persist-tun
persist-key
keepalive 1 10

pkcs12 dbzoo-cert.p12
comp-lzo

verb 6
mute 5

# To get through a company firewall these options will be useful.
#http-proxy proxyserver 8080
#http-proxy-retry
#http-proxy-option AGENT Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-GB;+rv:1.7.6)+Gecko/20050226+Firefox/1.0.1

And you need to copy in the PKCS12 file (dbzoo-cert.p12) that we created on the server.

That's it!