What is it about
The following text describes how to set up a Virtual Private Network (VPN) using the kernel-space program OpenVPN. It claims to be the superior approach compared to IPSec.
The LinkSys OpenWRT router can easily be turned into a Linux device, e.g. by using the distribution White Russian. This distribution also contains some packages that ease the setup of an OpenVPN server or client.
This article focuses on the required packages and the necessary steps for creating certificates and setting up connections.
Preparation
install a Linux-based distribution (e.g. White Russian)
- take care that you have around 1MB of free space available
run
ipkg install openvpn
ipkg install openvpn-easy-rsa
Basic configuration
your /etc/openvpn/server.conf should contain at least the following settings:
local VPN_SERVER_IP
port 443
tls-server
dh dh2048.pem
dev tun
proto udp
user nobody
group nogroup
chroot /var/tmp/openvpn
persist-key
persist-tun
ca ca.crt
cert SERVERNAME.crt
key SERVERNAME.key
ns-cert-type server
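A small shell check for the settings listed above, added here as an example (it is not from the original page or from the OpenVPN or OpenWrt projects); the function names are hypothetical and the sample config is constructed. Beyond the list itself, it flags `user` without `persist-key`/`persist-tun`, because a daemon that has dropped to an unprivileged user cannot re-read the key file or reopen the tun device on a restart.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of OpenVPN or OpenWrt.

# has_directive FILE NAME: true if NAME starts a non-comment line in FILE.
has_directive() {
    awk -v d="$2" '$1 == d { found = 1 } END { exit !found }' "$1"
}

# check_server_conf FILE: print one line per finding, return 1 if there are any.
check_server_conf() {
    conf=$1
    rc=0
    # TLS material plus the privilege-reduction settings from the list above.
    for d in tls-server dh ca cert key user group chroot; do
        has_directive "$conf" "$d" || { echo "missing: $d"; rc=1; }
    done
    # Once running as an unprivileged user, the daemon cannot re-read the key
    # file or reopen the tun device on a restart, so keep both open.
    if has_directive "$conf" user; then
        for d in persist-key persist-tun; do
            has_directive "$conf" "$d" || { echo "user set without $d"; rc=1; }
        done
    fi
    # "user root" would make the privilege drop a no-op.
    if [ "$(awk '$1 == "user" { print $2; exit }' "$conf")" = root ]; then
        echo "user is root"; rc=1
    fi
    return $rc
}

# Constructed sample: drops privileges but has no chroot and no persist-tun.
sample=$(mktemp)
cat > "$sample" <<'EOF'
tls-server
dh dh2048.pem
ca ca.crt
cert SERVERNAME.crt
key SERVERNAME.key
user nobody
group nogroup
persist-key
EOF
check_server_conf "$sample" || echo "fix the findings above before starting the server"
rm -f "$sample"
```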
Prepare certificate database
walk through /etc/easy-rsa/vars and set (especially) the following options:
KEY_CONFIG=$EASY_RSA/openssl.cnf
KEY_DIR=$EASY_RSA/keys (beware: this directory will get overwritten later)
KEY_SIZE=2048
KEY_COUNTRY
KEY_PROVINCE
KEY_CITY
KEY_ORG
KEY_EMAIL
cd /usr/sbin
./clean-all
./build-ca
./build-key-server SERVERNAME
./build-dh
Now the key directory (/etc/easy-rsa/keys) is filled with the database of your shiny new certificate authority and the key of the OpenVPN server.
Create client certificates
On the OpenWRT router, run the following for each client:
./build-key CLIENTNAME
Beware, that the
Copy the resulting certificate and key files from
Client configuration
Network routing