nslu:openvpnserver [2009/11/27 17:54] (current)
====== OPENVPN Server configuration ======

Being able to tunnel back into the house is a very useful thing to be able to do. I use the NSLU as both a VPN client to connect to other networks and as a VPN server. Both of these can run simultaneously.

Make sure you have the openvpn package installed
<code shell>
ipkg install openvpn
</code>

The openvpn configuration files live here
<code shell>
cd /opt/etc/openvpn
</code>

First up we need to generate a bunch of software keys
  * http://wiki.openwrt.org/OpenVPNTunHowTo
<code shell>
mkdir server-keys
cd server-keys

# Directory layout that "openssl ca" expects with the default openssl.cnf
mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
touch demoCA/index.txt
echo "01" > demoCA/serial

# Self-signed CA (5 years), then a server and a client certificate signed by it
openssl req -nodes -new -x509 -days 1825 -keyout ca.key -out ca.crt
openssl req -nodes -new -keyout server.key -out server.csr
openssl ca -cert ca.crt -keyfile ca.key -out server.crt -in server.csr
openssl req -nodes -new -keyout client.key -out client.csr
openssl ca -cert ca.crt -keyfile ca.key -out client.crt -in client.csr
# Diffie-Hellman parameters; 1024 bits is weak by current standards, use 2048 on a newer build
openssl dhparam -out dh.pem 1024
# HMAC key for tls-auth (not referenced by the configuration below)
openvpn --genkey --secret shared.key
# Private keys must not be readable by other users
chmod 600 ca.key server.key client.key
</code>

Now to combine these into a single PKCS12 file.
  * http://www.flatmtn.com/article/creating-pkcs12-certificates
<code shell>
# Combine client keys into a pkcs12 file
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out dbzoo-cert.p12
</code>
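
A check worth running on server-keys/ once the two blocks above are done; this is an added example, not from the original page. It builds a throwaway demo PKI (make_demo_pki, an assumed helper with test data only) so the checks in check_pki can be tried without touching real keys, using the same file names as above except that the bundle is called client.p12 rather than dbzoo-cert.p12.

```shell
#!/bin/sh
# Added example: sanity checks for the server-keys directory (chain, key/cert
# match, private-key permissions, distinct subjects, PKCS12 readability).
# make_demo_pki is a helper that creates throwaway test material only.

make_demo_pki() {
  d=$1; mkdir -p "$d" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-ca" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  for n in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    openssl x509 -req -days 30 -in "$d/$n.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -out "$d/$n.crt" 2>/dev/null || return 1
  done
  openssl pkcs12 -export -in "$d/client.crt" -inkey "$d/client.key" \
    -certfile "$d/ca.crt" -passout pass:demo -out "$d/client.p12" 2>/dev/null || return 1
  chmod 600 "$d/ca.key" "$d/server.key" "$d/client.key"
}

# Returns 0 when every check passes, 1 with a reason on stderr otherwise.
check_pki() {
  d=$1
  for n in server client; do
    # Each certificate must chain to ca.crt ...
    openssl verify -CAfile "$d/ca.crt" "$d/$n.crt" >/dev/null 2>&1 \
      || { echo "$n.crt does not verify against ca.crt" >&2; return 1; }
    # ... and its public key must match the private key next to it
    [ "$(openssl x509 -noout -pubkey -in "$d/$n.crt")" = \
      "$(openssl pkey -pubout -in "$d/$n.key" 2>/dev/null)" ] \
      || { echo "$n.key does not match $n.crt" >&2; return 1; }
  done
  # Private keys must carry no group/other permission bits (what chmod 600 gives)
  for k in ca.key server.key client.key; do
    [ "$(ls -ld "$d/$k" | cut -c5-10)" = "------" ] \
      || { echo "$k is readable by group or others" >&2; return 1; }
  done
  # Server and client must not share a subject; duplicate-cn covers clients only
  [ "$(openssl x509 -noout -subject -in "$d/server.crt")" != \
    "$(openssl x509 -noout -subject -in "$d/client.crt")" ] \
    || { echo "server and client certificates share a subject" >&2; return 1; }
  # The PKCS12 bundle must open with its password and contain the client cert
  openssl pkcs12 -in "$d/client.p12" -passin pass:demo -nokeys -clcerts 2>/dev/null \
    | grep -q "BEGIN CERTIFICATE" \
    || { echo "client.p12 unreadable or missing the client certificate" >&2; return 1; }
}
```

Run it against the real directory with check_pki server-keys after renaming the bundle or adjusting the file name in the last check.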

Now we create the /opt/etc/openvpn/openvpn-server.conf configuration file. I have opted to tunnel using TCP over 443 as I know this can be used behind even the most restrictive firewall that only has ports 80 and 443 open. However, if you can use port 1194 and UDP, do so, as your performance will be better.

<code>
#Begin openvpn-server.conf
dev tun
#port 1194
#proto udp
port 443
proto tcp

ca server-keys/ca.crt
cert server-keys/server.crt
key server-keys/server.key # This file should be kept secret
dh server-keys/dh.pem

#Make sure this is your tunnel address pool
server 10.0.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#This is the route to push to the client, add more if necessary
push "route 192.168.1.0 255.255.255.0"
#push "dhcp-option DNS 192.168.1.77"
keepalive 10 120
cipher BF-CBC #Blowfish encryption (64-bit block cipher; prefer AES-256-CBC on builds that support it)
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 6
mute 20
#On OpenVPN 2.1 and later the up script below also needs: script-security 2
up ./openvpn-server.up
</code>

Set up IPTABLES to allow this tunnel to be used (this is the openvpn-server.up script named in the configuration above; it must be executable)
<code shell>
#!/bin/sh
# openvpn-server.up: OpenVPN passes the tunnel device name (e.g. tun0) as $1
WLAN=$1
iptables -I INPUT -i "$WLAN" -j ACCEPT
iptables -I FORWARD -i "$WLAN" -j ACCEPT
iptables -I FORWARD -o "$WLAN" -j ACCEPT
iptables -I OUTPUT -o "$WLAN" -j ACCEPT
</code>

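A tighter version of the openvpn-server.up script above, as an added example rather than the page's own script: it only lets tunnel clients reach the NSLU and the pushed LAN, and lets the LAN answer but not initiate into the tunnel. LAN, DRY_RUN and MODE are assumptions of this example; script_type is the variable OpenVPN 2.1 and later exports to up/down scripts.

```shell
#!/bin/sh
# Added example: restrictive up/down script for the tunnel. OpenVPN runs the
# script with the tun device name as $1. DRY_RUN=1 prints the iptables
# commands instead of executing them, so the rule set can be inspected
# without root. LAN is the subnet the server pushes to clients (assumption).
LAN=${LAN:-192.168.1.0/24}

ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# $1 is -A to install (the startup script flushes the chains first, so only
# the order here matters) or -D to remove the same rules; $2 is the tun device.
vpn_rules() {
  act=$1; tun=$2
  # Clients may talk to the NSLU itself and to the pushed LAN, nothing else
  ipt "$act" INPUT   -i "$tun" -j ACCEPT
  ipt "$act" FORWARD -i "$tun" -d "$LAN" -j ACCEPT
  ipt "$act" FORWARD -i "$tun" -j DROP
  # Into the tunnel only as replies to flows a client opened (ipt_state is
  # loaded by the startup script); the LAN cannot initiate toward clients
  ipt "$act" FORWARD -o "$tun" -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt "$act" FORWARD -o "$tun" -j DROP
  # The NSLU's own replies to clients, in case the OUTPUT policy is DROP
  ipt "$act" OUTPUT -o "$tun" -j ACCEPT
}

# MODE overrides script_type (set by OpenVPN 2.1+ to "up" or "down"); point
# both the up and down directives at this file. Returns 2 on an unknown mode.
vpn_main() {
  case "${MODE:-${script_type:-up}}" in
    up)   vpn_rules -A "$1" ;;
    down) vpn_rules -D "$1" ;;
    *)    echo "unknown mode: ${MODE:-$script_type}" >&2; return 2 ;;
  esac
}

if [ -n "$1" ]; then vpn_main "$1"; fi
```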
===== Server startup =====
The startup script is /opt/etc/init.d/S20openvpn; make sure that your .conf file is correctly referenced in it.

As multiple clients can use the same PKCS12 certificate, we include the option **--duplicate-cn**.

<code bash>
#!/bin/sh
#
# Startup script for openvpn as standalone server
#

# Make sure IP forwarding is enabled
echo 1 > /proc/sys/net/ipv4/ip_forward

# Make sure these are loaded
insmod ip_tables >/dev/null
insmod iptable_filter >/dev/null
insmod ip_conntrack >/dev/null
insmod iptable_nat >/dev/null
insmod ipt_state >/dev/null
insmod ipt_MASQUERADE >/dev/null

# Clear all chains (we only use IPTABLES for VPN so this is ok)
iptables -F
iptables -F -t nat

# Make device if not present (not devfs)
if [ ! -c /dev/net/tun ]; then
  # Make /dev/net directory if needed
  if [ ! -d /dev/net ]; then
        mkdir -m 755 /dev/net
  fi
  mknod /dev/net/tun c 10 200
fi

# Make sure the tunnel driver is loaded
if ! lsmod | grep -q "^tun"; then
        insmod /opt/lib/modules/tun.o
fi

# If you want a standalone server (not xinetd), leave the exit below commented out
# ("return" is only valid inside a function, so this script uses exit)
#exit 0

## This is for standalone servers only!!!!
# Kill old server if still there
if [ -n "`pidof openvpn`" ]; then
    /bin/killall openvpn 2>/dev/null
fi

# Start afresh - add as many daemons as you want

# Start OPENVPN SERVER
/opt/sbin/openvpn --daemon --cd /opt/etc/openvpn --config openvpn-server.conf --duplicate-cn
</code>

===== Client access =====

To access your tunnel you're going to need to set up a few things.

For Windows you can get the software from http://openvpn.se/ and once installed you will need to copy a few files into the **C:\Program Files\OpenVPN\config** directory.

I use home.dbzoo.com as a CNAME for dbzoo.dyndns.com which my router will keep up to date for me. If you don't have your own domain you can substitute any DYNDNS name in here.

dbzoo-home.ovpn
<code>
########################################
# OpenVPN Client Configuration
# DBZOO home network
client
dev tun
proto tcp
remote home.dbzoo.com 443
nobind

persist-tun
persist-key
keepalive 1 10

pkcs12 dbzoo-cert.p12
comp-lzo

verb 6
mute 5

# To get through a company firewall these options will be useful.
#http-proxy proxyserver 8080
#http-proxy-retry
#http-proxy-option AGENT Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-GB;+rv:1.7.6)+Gecko/20050226+Firefox/1.0.1
</code>

And you need to copy in the PKCS12 file that we created on the server.

**That's it!**