Revision 1 as of 2007-02-25 01:05:18
2362
Comment: start of openVPN on openWRT
|
Revision 2 as of 2012-06-13 21:26:24
2370
converted to 1.6 markup
|
Line 1: | Line 1: |
||<tablestyle="float:right;"> '''Table of content'''[[TableOfContents]] || | ||<tablestyle="float:right;"> '''Table of content'''<<TableOfContents>> || |
Line 3: | Line 3: |
The following text describes how to set up an ''Virtual Private Network'' (VPN) using the kernel-space program [http://openvpn.net openvpn]. It claims to be the superior approach compared to IPSec (read [http://www.sans.org/rr/whitepapers/vpns/1459.php more]). | The following text describes how to set up an ''Virtual Private Network'' (VPN) using the kernel-space program [[http://openvpn.net|openvpn]]. It claims to be the superior approach compared to IPSec (read [[http://www.sans.org/rr/whitepapers/vpns/1459.php|more]]). |
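Review bot: the converted sentence on line 3 still calls openvpn a "kernel-space program". OpenVPN runs as a user-space daemon on top of the kernel's tun/tap driver, so the wording should be corrected while this line is being touched; "an ''Virtual Private Network''" should also read "a ''Virtual Private Network''".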
Line 5: | Line 5: |
The !LinkSys [http://openwrt.org OpenWRT] router can be easily turned into a linux device - e.g. by using the distribution [http://downloads.openwrt.org/whiterussian/ White Russian]. This also contains some packages to ease the setup of a openvpn server or client. | The !LinkSys [[http://openwrt.org|OpenWRT]] router can be easily turned into a linux device - e.g. by using the distribution [[http://downloads.openwrt.org/whiterussian/|White Russian]]. This also contains some packages to ease the setup of a openvpn server or client. |
What is it about
The following text describes how to set up a Virtual Private Network (VPN) using the kernel-space program openvpn. It claims to be the superior approach compared to IPSec (read more).
The LinkSys OpenWRT router can be easily turned into a Linux device - e.g. by using the distribution White Russian. This also contains some packages to ease the setup of an openvpn server or client.
This article focuses on the required packages and the necessary steps for creating certificates and setting up connections.
Preparation
Install a Linux-based distribution (e.g. White Russian)
- make sure that you have around 1MB of free space available
Run
ipkg install openvpn
ipkg install openvpn-easy-rsa
Basic configuration
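Your /etc/openvpn/server.conf should contain at least the following settings:
local VPN_SERVER_IP
port 443
tls-server
dh dh2048.pem
dev tun
proto udp
user nobody
group nogroup
chroot /var/tmp/openvpn
persist-key
persist-tun
ca ca.crt
cert SERVERNAME.crt
key SERVERNAME.key
# ns-cert-type tests the peer's certificate, so "ns-cert-type server" belongs
# in the client configuration; on the server it would reject client certificates.
# ns-cert-type server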
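The settings listed above can be checked mechanically before the daemon is started. The following sh function is an added example, not part of the original page or of OpenVPN; the function names and the sample config are constructed for illustration. It reports missing TLS material, a missing or ineffective privilege drop, and an `ns-cert-type server` line placed in a server config.

```shell
#!/bin/sh
# Added example (not from the original page): lint an OpenVPN server config.
# Prints one finding per line; exit status 0 means no findings.

# has_opt FILE NAME: succeeds if directive NAME is set (comment lines ignored).
has_opt() { awk -v o="$2" '$1 == o { f = 1 } END { exit !f }' "$1"; }
# opt_val FILE NAME: prints the first argument of directive NAME.
opt_val() { awk -v o="$2" '$1 == o { print $2; exit }' "$1"; }

lint_server_conf() {
    conf=$1; findings=0
    report() { echo "$1"; findings=$((findings + 1)); }

    # TLS server mode needs CA, certificate, key and DH parameters.
    has_opt "$conf" tls-server || report "missing: tls-server"
    for o in ca cert key dh; do
        has_opt "$conf" "$o" || report "missing: $o"
    done
    # ns-cert-type tests the *peer* certificate: "server" on the server side
    # rejects client certificates that lack the server designation.
    if [ "$(opt_val "$conf" ns-cert-type)" = server ]; then
        report "misplaced: ns-cert-type server is a client-side check"
    fi

    # Privilege drop: the daemon should not keep running as root.
    for o in user group; do
        case $(opt_val "$conf" "$o") in
            "")   report "missing: $o (daemon stays root)" ;;
            root) report "weak: $o root drops nothing" ;;
        esac
    done
    has_opt "$conf" chroot || report "missing: chroot"

    # Without root, a SIGUSR1 restart cannot re-read the key or reopen tun.
    for o in persist-key persist-tun; do
        has_opt "$conf" "$o" || report "missing: $o (needed after privilege drop)"
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: root daemon, no chroot, no persist-*, misplaced check.
sample=$(mktemp)
printf '%s\n' 'port 443' 'proto udp' 'dev tun' 'tls-server' 'dh dh2048.pem' \
    'ca ca.crt' 'cert SERVERNAME.crt' 'key SERVERNAME.key' \
    '# user nobody' 'group root' 'ns-cert-type server' > "$sample"
lint_server_conf "$sample" || echo "=> fix the findings above"
rm -f "$sample"
```

On the router, run `lint_server_conf /etc/openvpn/server.conf` after sourcing the function.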
Prepare certificate database
Walk through /etc/easy-rsa/vars and set (especially) the following options:
KEY_CONFIG=$EASY_RSA/openssl.cnf
KEY_DIR=$EASY_RSA/keys (beware: this directory will get overwritten later)
KEY_SIZE=2048
KEY_COUNTRY
KEY_PROVINCE
KEY_CITY
KEY_ORG
KEY_EMAIL
cd /usr/sbin
./clean-all
./build-ca
./build-key-server SERVERNAME
./build-dh
Now the key directory (/etc/easy-rsa/keys) is filled with the database of your new shiny certificate authority and the key of the openvpn server.
Create client certificates
On the openWRT run the following for each client:
./build-key CLIENTNAME
Beware, that the
Copy the resulting certificate and key files from
Client configuration
Network routing