====== OPENVPN Server configuration ======
Being able to tunnel back into the house is a very useful thing to be able to do. I use the NSLU both as a VPN client to connect to other networks and as a VPN server.

Make sure you have the openvpn package installed:
<code shell>
ipkg install openvpn
</code>

The openvpn configuration files live here:
<code>
cd /
</code>

First up we need to generate a bunch of software keys: a CA, a server certificate, a client certificate, Diffie-Hellman parameters and a tls-auth shared key. The steps follow the OpenSSL how-to linked below.
  * http://
<code shell>
mkdir server-keys
cd server-keys

# "openssl ca" keeps its certificate database under demoCA/ (the default
# directory in openssl.cnf); the index file and serial number must exist first
mkdir demoCA
mkdir demoCA/
mkdir demoCA/
touch demoCA/
echo "

# Self-signed CA certificate, valid 5 years (-nodes leaves every private key unencrypted on disk)
openssl req -nodes -new -x509 -days 1825 -keyout ca.key -out ca.crt
# Server key and request, signed by the CA
openssl req -nodes -new -keyout server.key -out server.csr
openssl ca -cert ca.crt -keyfile ca.key -out server.crt -in server.csr
# Client key and request, signed by the same CA
openssl req -nodes -new -keyout client.key -out client.csr
openssl ca -cert ca.crt -keyfile ca.key -out client.crt -in client.csr
# Diffie-Hellman parameters for the server (1024 bits was common in 2009; 2048 is the usual minimum now)
openssl dhparam -out dh.pem 1024
# HMAC key for tls-auth; use it with "tls-auth shared.key 0" on the server and "tls-auth shared.key 1" on the client
openvpn --genkey --secret shared.key
# No private key should be readable by other users; the CA key in particular should leave the box once signing is done
chmod 600 server.key ca.key client.key
</code>

Now to combine these into a single PKCS12 file. The export step prompts for a passphrase; set one, because this bundle carries the client's private key and is the file that gets copied around.
  * http://
<code shell>
# Combine client certificate, key and CA certificate into a pkcs12 file
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out dbzoo-cert.p12
</code>
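As an added example (not code from the original page), the same CA, server and client material generated non-interactively, with two things the interactive `openssl ca` run above does not do: the server certificate gets a serverAuth extended key usage, so a client can later pin it with `remote-cert-tls server`, and the chain is verified for purpose before anything is packed into the PKCS12. It signs with `openssl x509 -req` instead of `openssl ca`, so no demoCA database is needed. The CA name dbzoo-ca, the CNs vpn-server and vpn-client, the export passphrase "changeit" and the file layout are assumptions; the DH file is left out because generating it is slow and unchanged from the page.

```shell
#!/bin/sh
# Added example (not from the original page). Non-interactive CA + server +
# client certificates with proper extensions, chain check, and client PKCS12.
# Signing uses "openssl x509 -req" instead of "openssl ca", so no demoCA
# database is needed. Names, passphrase and file layout are assumptions.
set -eu

# One config file serves "openssl req" (the [req] part) and the signing step
# (the extension profiles). -subj supersedes the placeholder DN below.
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Key + CSR named $2 under PKI dir $1, signed by the CA with profile $3 and CN $4.
issue_cert() {
    openssl req -new -nodes -newkey rsa:2048 -config "$1/pki.cnf" -subj "/CN=$4" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -days 730 -extfile "$1/pki.cnf" -extensions "$3" -out "$1/$2.crt" 2>/dev/null
    chmod 600 "$1/$2.key"
}

# Build the whole PKI under $1: CA (5 years), server and client certs, client .p12.
make_pki() {
    mkdir -p "$1"
    write_cnf "$1/pki.cnf"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 1825 -config "$1/pki.cnf" \
        -extensions v3_ca -subj "/CN=dbzoo-ca" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    chmod 600 "$1/ca.key"          # keep this key off the NSLU once signing is done
    issue_cert "$1" server server vpn-server
    issue_cert "$1" client client vpn-client
    # Client bundle as on the page, but with an export passphrase (assumed: changeit)
    openssl pkcs12 -export -in "$1/client.crt" -inkey "$1/client.key" -certfile "$1/ca.crt" \
        -passout pass:changeit -out "$1/dbzoo-cert.p12"
}

# Chain + purpose check: 0 only if $2.crt chains to the CA *and* may be used for
# purpose $3 (sslserver|sslclient). This is what "remote-cert-tls server"
# enforces on the client: a client cert signed by the same CA must fail here.
verify_purpose() {
    openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}

# CN of the certificate inside the client bundle, read back with the passphrase.
p12_subject_cn() {
    openssl pkcs12 -in "$1/dbzoo-cert.p12" -passin pass:changeit -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject | sed 's/.*CN *= *//'
}

# Stand-alone use: sh make-pki.sh ./server-keys
if [ -n "${1:-}" ]; then
    make_pki "$1"
    verify_purpose "$1" server sslserver && echo "server.crt: accepted as sslserver"
    verify_purpose "$1" client sslserver || echo "client.crt: refused as sslserver (as it should be)"
    echo "bundle holds CN=$(p12_subject_cn "$1")"
fi
```

The purpose check is the point: with the page's plain `openssl ca` defaults the server and client certificates are indistinguishable, so any client could stand up a fake server that other clients would trust. OpenSSL 3 writes the PKCS12 with AES and PBKDF2; if a very old OpenVPN build on the client refuses it, add `-legacy` to the export.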

Now we create the /

<code>
#Begin openvpn-server.conf
dev tun
#port 1194
#proto udp
# TCP on 443 so the tunnel gets out through outbound-only corporate firewalls and proxies
port 443
proto tcp

ca server-keys/
cert server-keys/
key server-keys/
dh server-keys/

#Make sure this is your tunnel address pool
server 10.0.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#This is the route to push to the client, add more if necessary
push "route 192.168.1.0 255.255.255.0"
#push "
keepalive 10 120
#Blowfish encryption. The client config below has no cipher line and relies on
#BF-CBC being the OpenVPN default, so change both sides together if you move to AES
cipher BF-CBC
comp-lzo
#Drop root once the tunnel is up; persist-key/persist-tun keep the key and the
#tun device across restarts, which user nobody could not reopen
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 6
mute 20
up ./
</code>

Set up iptables so traffic can enter and leave the tunnel. OpenVPN runs this as its **up** script and passes the tun device name (tun0) as the first argument, so the rules only ever open the VPN interface, never the WAN side. They accept everything arriving from the tunnel, so a connected client can reach the whole LAN, which is what the pushed route above intends.
<code>
#!/bin/sh
# $1 is the tun device name that OpenVPN hands to the up script
TUN=$1
iptables -I INPUT -i $TUN -j ACCEPT
iptables -I FORWARD -i $TUN -j ACCEPT
iptables -I FORWARD -o $TUN -j ACCEPT
iptables -I OUTPUT -o $TUN -j ACCEPT
</code>

===== Server startup =====
The startup script is /

As multiple clients can use the same PKCS12 certificate we include the option **--duplicate-cn**. Without it OpenVPN disconnects the earlier session as soon as a second client presents the same certificate. Be aware of what sharing one client certificate costs: the status log cannot tell clients apart, and you cannot revoke a single lost laptop without re-issuing the bundle to everyone; per-client certificates from the same CA avoid this and make the option unnecessary.

<code bash>
#!/bin/sh
#
# Startup script for openvpn as standalone server
#

# Make sure IP forwarding is enabled (VPN clients reach the LAN through this box)
echo 1 > /

# Make sure these are loaded
insmod ip_tables >/
insmod iptable_filter >/
insmod ip_conntrack >/
insmod iptable_nat >/
insmod ipt_state >/
insmod ipt_MASQUERADE >/

# Clear all chains (we only use IPTABLES for VPN so this is ok)
# -F removes every rule but leaves the chain policies as they are
iptables -F
iptables -F -t nat

# Make device if not present (not devfs)
if ( [ ! -c /
	# Make /dev/net directory if needed
	if ( [ ! -d /dev/net ] ) then
		mkdir -m 755 /dev/net
	fi
	mknod /
fi

# Make sure the tunnel driver is loaded
if ( !(lsmod | grep -q "
	insmod /
fi

# If you want a standalone server (not xinetd), comment out the return statement below
#return 0

## This is for standalone servers only!!!!
# Kill old server if still there
if [ -n "
	/
fi

# Start afresh - add as many daemons as you want

# Start OPENVPN SERVER
/
</code>

===== Client access =====

To access your tunnel you are going to need to set up a few things.

For Windows you can get the software from http://

I use home.dbzoo.com as a CNAME for dbzoo.dyndns.com, which my router keeps up to date for me. If you don't have your own domain you can substitute any DynDNS name here.

dbzoo-home.ovpn
<code>
########################################
# OpenVPN Client Configuration
# DBZOO home network
client
dev tun
proto tcp
remote home.dbzoo.com 443
nobind

persist-tun
persist-key
keepalive 1 10

# Client certificate, key and CA certificate in one bundle; OpenVPN asks for
# its passphrase at startup if one was set on export
pkcs12 dbzoo-cert.p12
# No cipher line: the OpenVPN default (BF-CBC) is used, matching the server
comp-lzo

verb 6
mute 5

# To get through a company firewall these options will be useful.
#http-proxy proxyserver 8080
#
#
</code>

And you need to copy the PKCS12 file that we created on the server onto the client, next to the .ovpn file. Move it over a channel you trust (scp or a USB stick), since it holds the client's private key.
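As an added example (not from the original page), a small audit of the server and client configurations given above, run over copies of them constructed inline from the page's own directives with the comments dropped, next to a hardened pair that the audit passes. Key file paths, the AES cipher choice and the name dh2048.pem (standing for an `openssl dhparam -out dh2048.pem 2048` run in place of the 1024-bit one) are assumptions. The hardened client's `remote-cert-tls server` only works if the server certificate was issued with the serverAuth extended key usage, which the page's default `openssl ca` run does not add.

```shell
#!/bin/sh
# Added example (not from the original page): audit OpenVPN server/client
# configs for weak or missing settings and show a hardened pair beside them.
# Sample configs are constructed from the page's directives; paths, cipher
# and dh2048.pem are assumptions.
set -eu

# True if the comment-stripped config in $CONF_BODY matches extended regex $1.
has() { printf '%s\n' "$CONF_BODY" | grep -q -E -- "$1"; }

# Print one finding per line for config file $1 with role $2 (server|client).
audit_ovpn() {
    role=$2
    # "#" and ";" start comments; drop them and leading blanks so directives match at line start
    CONF_BODY=$(sed -e 's/[[:space:]]*[#;].*$//' -e 's/^[[:space:]]*//' "$1")
    if has '^cipher[[:space:]]+(BF|DES|RC2|CAST5)'; then
        echo "$role: 64-bit block cipher (SWEET32); use cipher AES-256-CBC or AES-256-GCM on both sides"
    elif ! has '^cipher[[:space:]]'; then
        echo "$role: no cipher line, so the OpenVPN 2.3-era default BF-CBC is used; set it explicitly"
    fi
    if ! has '^(tls-auth|tls-crypt)[[:space:]]'; then
        echo "$role: no tls-auth/tls-crypt, so anyone reaching port 443 gets a TLS handshake; use the shared.key from openvpn --genkey (direction 0 server, 1 client)"
    fi
    if has '^comp-lzo'; then
        echo "$role: comp-lzo enables compression-oracle attacks (VORACLE); remove it on both sides"
    fi
    if [ "$role" = server ] && has '^duplicate-cn'; then
        echo "server: duplicate-cn hides which client is which and makes revoking one lost bundle impossible without re-issuing all"
    fi
    if [ "$role" = client ] && ! has '^(remote-cert-tls|ns-cert-type)[[:space:]]+server'; then
        echo "client: no remote-cert-tls server, so any certificate the CA signed (another client's included) can impersonate the server"
    fi
}

# Number of findings, for scripting (0 means clean).
finding_count() { audit_ovpn "$1" "$2" | wc -l | tr -d ' '; }

# The page's configs with comments stripped (constructed; paths assumed).
write_page_configs() {
    cat > "$1/server.conf" <<'EOF'
dev tun
port 443
proto tcp
ca server-keys/ca.crt
cert server-keys/server.crt
key server-keys/server.key
dh server-keys/dh.pem
server 10.0.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
cipher BF-CBC
comp-lzo
duplicate-cn
user nobody
group nobody
EOF
    cat > "$1/client.ovpn" <<'EOF'
client
dev tun
proto tcp
remote home.dbzoo.com 443
nobind
pkcs12 dbzoo-cert.p12
comp-lzo
EOF
}

# Same pair with the findings fixed: explicit AES, tls-auth on both ends, no
# compression, one certificate per client (so no duplicate-cn), server pinned.
write_hardened_configs() {
    cat > "$1/server-hardened.conf" <<'EOF'
dev tun
port 443
proto tcp
ca server-keys/ca.crt
cert server-keys/server.crt
key server-keys/server.key
dh server-keys/dh2048.pem
tls-auth server-keys/shared.key 0
server 10.0.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
cipher AES-256-CBC
user nobody
group nobody
EOF
    cat > "$1/client-hardened.ovpn" <<'EOF'
client
dev tun
proto tcp
remote home.dbzoo.com 443
nobind
pkcs12 dbzoo-cert.p12
tls-auth shared.key 1
remote-cert-tls server
cipher AES-256-CBC
EOF
}

# Stand-alone use: sh audit-ovpn.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    write_page_configs "$d"; write_hardened_configs "$d"
    for f in server.conf server-hardened.conf; do audit_ovpn "$d/$f" server; done
    for f in client.ovpn client-hardened.ovpn; do audit_ovpn "$d/$f" client; done
fi
```

Each fix has to be applied on both ends at once: a server moved to AES-256-CBC or tls-auth while a client still runs the page's file will simply fail to connect, so roll the new .ovpn out before restarting the server.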

**That's it!**