Differences between revisions 1 and 2
Revision 1 as of 2007-02-25 01:05:18
Size: 2362
Author: lars
Comment: start of openVPN on openWRT
Revision 2 as of 2012-06-13 21:26:24
Size: 2370
Author: anonym
Comment: converted to 1.6 markup
Zeile 1: Zeile 1:
||<tablestyle="float:right;"> '''Table of content'''[[TableOfContents]] || ||<tablestyle="float:right;"> '''Table of content'''<<TableOfContents>> ||
Zeile 3: Zeile 3:
The following text describes how to set up an ''Virtual Private Network'' (VPN) using the kernel-space program [http://openvpn.net openvpn]. It claims to be the superior approach compared to IPSec (read [http://www.sans.org/rr/whitepapers/vpns/1459.php more]). The following text describes how to set up an ''Virtual Private Network'' (VPN) using the kernel-space program [[http://openvpn.net|openvpn]]. It claims to be the superior approach compared to IPSec (read [[http://www.sans.org/rr/whitepapers/vpns/1459.php|more]]).
Zeile 5: Zeile 5:
The !LinkSys [http://openwrt.org OpenWRT] router can be easily turned into a linux device - e.g. by using the distribution [http://downloads.openwrt.org/whiterussian/ White Russian]. This also contains some packages to ease the setup of a openvpn server or client. The !LinkSys [[http://openwrt.org|OpenWRT]] router can be easily turned into a linux device - e.g. by using the distribution [[http://downloads.openwrt.org/whiterussian/|White Russian]]. This also contains some packages to ease the setup of a openvpn server or client.

What is it about

The following text describes how to set up a Virtual Private Network (VPN) using the kernel-space program openvpn. It claims to be the superior approach compared to IPSec (read more: http://www.sans.org/rr/whitepapers/vpns/1459.php).

The LinkSys OpenWRT router can easily be turned into a Linux device, e.g. by using the distribution White Russian. This also contains some packages that ease the setup of an openvpn server or client.

This article focuses on the required packages and the necessary steps for creating certificates and setting up connections.


Preparation

  1. install a Linux-based distribution (e.g. White Russian)
  2. make sure that you have around 1 MB of free space available
  3. run

    ipkg install openvpn
    ipkg install openvpn-easy-rsa

Basic configuration

  • your /etc/openvpn/server.conf should contain at least the following settings:

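    local VPN_SERVER_IP        # address the server listens on
    port 443
    tls-server                 # this side acts as the TLS server
    dh dh2048.pem              # Diffie-Hellman parameters created by ./build-dh
    dev tun
    proto udp
    user nobody                # drop privileges after start-up
    group nogroup
    chroot /var/tmp/openvpn    # confine the daemon after initialization
    persist-key                # keep key and tun device across restarts, since
    persist-tun                # they cannot be reopened after the privilege drop
    ca ca.crt
    cert SERVERNAME.crt
    key SERVERNAME.key
    # "ns-cert-type server" checks the certificate of the *peer*, so it belongs
    # in the client configuration; on the server it would reject every client
    # certificate that lacks nsCertType=server.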

Prepare certificate database

  • walk through /etc/easy-rsa/vars and set (especially) the following options:
    • KEY_CONFIG=$EASY_RSA/openssl.cnf
    • KEY_DIR=$EASY_RSA/keys (beware: this directory will get overwritten later)
    • KEY_SIZE=2048
    • KEY_COUNTRY
    • KEY_PROVINCE
    • KEY_CITY
    • KEY_ORG
    • KEY_EMAIL
  • cd /usr/sbin
  • ./clean-all
  • ./build-ca
  • ./build-key-server SERVERNAME
  • ./build-dh

Now the key directory (/etc/easy-rsa/keys) is filled with the database of your new shiny certificate authority and the key of the openvpn server.

Create client certificates

On the OpenWRT router, run the following for each client:

    ./build-key CLIENTNAME

Beware that the Common Name (CN) of each of these certificates must be different; otherwise the clients can never be in this VPN at the same time.

Copy the resulting certificate and key files from /etc/easy-rsa/ to the client.

Client configuration

Network routing

VPNOpenWRT (last modified on 2012-06-13 21:26:24 by anonym)


This page is licensed under a Creative Commons Attribution-ShareAlike 2.5 License.