OPENVPN Server configuration
Being able to tunnel back into the house is a very useful thing to be able to do. I use the NSLU as both a VPN client to connect to other networks and as a VPN server. Both of these can run simultaneously.
Make sure you have the openvpn package installed
ipkg install openvpn
The openvpn configuration files live here
cd /opt/etc/openvpn
First up we need to generate a bunch of software keys
mkdir server-keys
cd server-keys
# Directory layout expected by the [ CA_default ] section of the stock openssl.cnf
mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
touch demoCA/index.txt
echo "01" >> demoCA/serial
# Self-signed CA certificate, valid for five years (you are prompted for the subject fields)
openssl req -nodes -new -x509 -days 1825 -keyout ca.key -out ca.crt
# Server key and certificate request, then sign the request with the CA.
# openssl ca applies the default policy_match: the request's country, state and
# organisation must match the CA certificate's, so answer those prompts consistently.
openssl req -nodes -new -keyout server.key -out server.csr
openssl ca -cert ca.crt -keyfile ca.key -out server.crt -in server.csr
# Client key and certificate request, signed the same way
openssl req -nodes -new -keyout client.key -out client.csr
openssl ca -cert ca.crt -keyfile ca.key -out client.crt -in client.csr
# Diffie-Hellman parameters. 1024 bits is weak by today's standards; 2048 is
# the usual minimum, but takes a long time to generate on a slow box like the NSLU.
openssl dhparam -out dh.pem 1024
# Static key for tls-auth; generated here but not referenced by the configuration below
openvpn --genkey --secret shared.key
# Private keys must not be readable by other users (ca.key and client.key deserve the same)
chmod 600 server.key
Now to combine these into a single PKCS12 file.
# Combine client certificate, client key and CA certificate into a pkcs12 file.
# -export prompts for an export password; the client will need it to unlock the bundle.
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out dbzoo-cert.p12
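Before copying anything to a client it is worth checking that the files in server-keys actually fit together. The following added example (not part of the original page) does that with openssl: it verifies that server.crt and client.crt chain to ca.crt and are not about to expire, that each private key matches its certificate, that the private keys are mode 600 and that dh.pem is large enough. The function names and the directory argument are the example's own; the file names are the page's.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check the server-keys
# directory built above before anything is copied to a client. Function
# names and the DIR argument are this example's own; file names are the page's.

# 0 if CERT chains to CA and is still valid DAYS days from now (default 30).
check_cert() {
    ca=$1; cert=$2; days=${3:-30}
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 &&
        openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# 0 if the RSA private key KEY belongs to CERT (the public keys they carry match).
check_keypair() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl rsa -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the DH group in FILE has at least BITS bits (default 2048; the 1024 above is weak).
check_dh() {
    bits=$(openssl dhparam -in "$1" -noout -text 2>/dev/null | grep -o '[0-9]* bit' | head -n 1)
    [ -n "$bits" ] && [ "${bits% bit}" -ge "${2:-2048}" ]
}

# 0 if FILE is readable and writable by its owner only (mode 600, as chmod'd above).
check_perms() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Run every check against DIR, print what is wrong, return 0 only if all pass.
check_server_keys() {
    dir=$1; rc=0
    for n in server client; do
        check_cert "$dir/ca.crt" "$dir/$n.crt" || { echo "$n.crt: not signed by ca.crt or expiring soon"; rc=1; }
        check_keypair "$dir/$n.crt" "$dir/$n.key" || { echo "$n.key: does not match $n.crt"; rc=1; }
    done
    for k in ca.key server.key client.key; do
        check_perms "$dir/$k" || { echo "$k: must be mode 600"; rc=1; }
    done
    check_dh "$dir/dh.pem" || { echo "dh.pem: fewer than 2048 bits"; rc=1; }
    return $rc
}

# Usage: sh check-keys.sh /opt/etc/openvpn/server-keys
if [ $# -gt 0 ]; then
    check_server_keys "$1"
fi
```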
Now we create the /opt/etc/openvpn/openvpn-server.conf configuration file. I have opted to tunnel using TCP over port 443, as I know this works behind even the most restrictive firewall that only has ports 80 and 443 open. However, if you can use port 1194 and UDP, do so, as your performance will be better.
#Begin openvpn-server.conf
dev tun
#port 1194
#proto udp
port 443
proto tcp
ca server-keys/ca.crt
cert server-keys/server.crt
key server-keys/server.key # This file should be kept secret
dh server-keys/dh.pem
#Make sure this is your tunnel address pool
server 10.0.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#This is the route to push to the client, add more if necessary
push "route 192.168.1.0 255.255.255.0"
#push "dhcp-option DNS 192.168.1.77"
keepalive 10 120
#Blowfish encryption. BF-CBC has a 64-bit block and has been dropped from recent
#OpenVPN releases; prefer AES-256-CBC (or AES-256-GCM on 2.4+) once both ends support it.
cipher BF-CBC
comp-lzo
#Drop root privileges once the tunnel is up
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
#verb 6 is very chatty; lower it once the tunnel works
verb 6
mute 20
#Script run once the tun interface exists (path relative to /opt/etc/openvpn).
#OpenVPN 2.1 and later also need "script-security 2" before an up script will run.
up ./openvpn-server.up
Set up the iptables rules that allow this tunnel to be used. This is the up script, openvpn-server.up, that the configuration above runs once the tunnel interface is up (make it executable):
#!/bin/sh
# Called by OpenVPN as the "up" script: $1 is the tunnel interface (e.g. tun0);
# the remaining arguments (MTU, local and remote address) are not used here.
WLAN=$1
# Accept everything arriving on, leaving via, or forwarded through the tunnel.
# This gives VPN clients unrestricted access to the LAN; add -s/-d matches
# if clients should only reach particular hosts.
iptables -I INPUT -i $WLAN -j ACCEPT
iptables -I FORWARD -i $WLAN -j ACCEPT
iptables -I FORWARD -o $WLAN -j ACCEPT
iptables -I OUTPUT -o $WLAN -j ACCEPT
Server startup
The startup script is /opt/etc/init.d/S20openvpn; make sure the --config option at the end of it names your .conf file.
As multiple clients can use the same PKCS12 certificate, we include the option --duplicate-cn.
#!/bin/sh
#
# Startup script for openvpn as standalone server
#
# Make sure IP forwarding is enabled
echo 1 > /proc/sys/net/ipv4/ip_forward
# Make sure these are loaded
insmod ip_tables >/dev/null
insmod iptable_filter >/dev/null
insmod ip_conntrack >/dev/null
insmod iptable_nat >/dev/null
insmod ipt_state >/dev/null
insmod ipt_MASQUERADE >/dev/null
# Clear all chains (we only use IPTABLES for VPN so this is ok).
# The up script re-adds the tunnel rules when openvpn starts.
iptables -F
iptables -F -t nat
# Make device if not present (not devfs)
if [ ! -c /dev/net/tun ]; then
    # Make /dev/net directory if needed
    if [ ! -d /dev/net ]; then
        mkdir -m 755 /dev/net
    fi
    mknod /dev/net/tun c 10 200
fi
# Make sure the tunnel driver is loaded
if ! lsmod | grep -q "^tun"; then
    insmod /opt/lib/modules/tun.o
fi
# If you want a standalone server (not xinetd), comment out the exit statement below.
# (exit, not return: return is only valid inside a shell function.)
#exit 0 ## This is for standalone servers only!!!!
# Kill old server if still there
if [ -n "$(pidof openvpn)" ]; then
    /bin/killall openvpn 2>/dev/null
fi
# Start afresh - add as many daemons as you want
# Start OPENVPN SERVER
# --duplicate-cn lets several clients share one certificate; they then cannot be
# told apart by common name or revoked individually, only by their real address
# in openvpn-status.log.
/opt/sbin/openvpn --daemon --cd /opt/etc/openvpn --config openvpn-server.conf --duplicate-cn
Client access
To access your tunnel you're going to need to set up a few things.
For Windows you can get the software from http://openvpn.se/ and once installed you will need to copy a few files into the C:\Program Files\OpenVPN\config directory.
I use home.dbzoo.com as a CNAME for dbzoo.dyndns.com which my router will keep up to date for me. If you don't have your own domain you can substitute any DYNDNS name in here.
dbzoo-home.ovpn
########################################
# OpenVPN Client Configuration
# DBZOO home network client
# Act as a TLS client and pull the route pushed by the server;
# without this OpenVPN refuses the pkcs12 option (it is TLS-mode only).
client
dev tun
proto tcp
remote home.dbzoo.com 443
nobind
persist-tun
persist-key
keepalive 1 10
# Certificate, key and CA bundled by the pkcs12 step on the server
pkcs12 dbzoo-cert.p12
# Because every client holds the same certificate, "remote-cert-tls server"
# (ns-cert-type server on 2.0) would stop one client posing as the server, but
# the CA above must first issue the server certificate with that extension.
comp-lzo
verb 6
mute 5
# To get through a company firewall these options will be useful.
#http-proxy proxyserver 8080
#http-proxy-retry
#http-proxy-option AGENT Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-GB;+rv:1.7.6)+Gecko/20050226+Firefox/1.0.1
And you need to copy in the PKCS12 file that we created on the server.
That's it!