= What is it about =
The following text describes how to set up a ''Virtual Private Network'' (VPN) using the kernel-space program [[http://openvpn.net|openvpn]]. It claims to be the superior approach compared to IPSec (read [[http://www.sans.org/rr/whitepapers/vpns/1459.php|more]]). The !LinkSys [[http://openwrt.org|OpenWRT]] router can easily be turned into a Linux device, e.g. by using the distribution [[http://downloads.openwrt.org/whiterussian/|White Russian]]. This also contains some packages that ease the setup of an openvpn server or client. This article focuses on the required packages and the necessary steps for creating certificates and setting up connections.

----

= Preparation =
 1. install a Linux based distribution (e.g. ''white russian'')
 1. take care that you have around 1MB of free space available
 1. run
{{{
ipkg install openvpn
ipkg install openvpn-easy-rsa
}}}

= Basic configuration =
 * your ''/etc/openvpn/server.conf'' should contain at least the following settings:
{{{
local VPN_SERVER_IP
port 443
tls-server
dh dh2048.pem
dev tun
proto udp
user nobody
group nogroup
chroot /var/tmp/openvpn
persist-key
persist-tun
ca ca.crt
cert SERVERNAME.crt
key SERVERNAME.key
ns-cert-type server
}}}

= Prepare certificate database =
 * walk through ''/etc/easy-rsa/vars'' and set (especially) the following options:
  * ''KEY_CONFIG=$EASY_RSA/openssl.cnf''
  * ''KEY_DIR=$EASY_RSA/keys'' (beware: this directory will be overwritten later)
  * ''KEY_SIZE=2048''
  * ''KEY_COUNTRY''
  * ''KEY_PROVINCE''
  * ''KEY_CITY''
  * ''KEY_ORG''
  * ''KEY_EMAIL''
 * ''cd /usr/sbin''
 * ''./clean-all''
 * ''./build-ca''
 * ''./build-key-server SERVERNAME''
 * ''./build-dh''
Now the key directory (''/etc/easy-rsa/keys'') is filled with the database of your shiny new certificate authority and the key of the openvpn server.
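The following is an added example and not part of the original page: a small Python checker that parses an OpenVPN-style config file and reports which of the minimum ''server.conf'' settings listed above are missing or carry a different value. The sample config (including the address 192.0.2.10) is constructed here for demonstration.

```python
# Added example: check a server.conf against the minimum settings listed
# on this page. Not the project's own code; the sample config is constructed.

# directive -> expected arguments (None = only presence is required)
REQUIRED = {
    "tls-server": None,          # server side of the TLS handshake
    "dh": None,                  # DH parameters produced by ./build-dh
    "ca": None, "cert": None, "key": None,
    "ns-cert-type": ["server"],  # certificate role check, as listed above
    "user": ["nobody"],          # drop root after start-up
    "group": ["nogroup"],
    "chroot": None,
    "persist-key": None,         # keep keys in memory across restarts
    "persist-tun": None,         # keep the tun device across restarts
}


def parse_config(text):
    """Return {directive: [args...]} for an OpenVPN config snippet.
    Blank lines and '#' / ';' comments are ignored; later duplicates win."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        conf[name] = args
    return conf


def check_config(text):
    """Return a sorted list of findings; an empty list means every
    required directive is present with the expected value."""
    conf = parse_config(text)
    findings = []
    for name, want in REQUIRED.items():
        if name not in conf:
            findings.append(f"missing: {name}")
        elif want is not None and conf[name] != want:
            findings.append(f"{name}: expected {' '.join(want)}, got {' '.join(conf[name])}")
    return sorted(findings)


# Constructed sample: a config that only sets the network side and the
# certificate files, but none of the hardening directives.
SAMPLE_WEAK = """\
local 192.0.2.10   # constructed address
port 443
dev tun
proto udp
user nobody
ca ca.crt
cert vpn.crt
key vpn.key
"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE_WEAK):
        print(finding)
```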
= Create client certificates =
On the OpenWRT router run the following for each client:
{{{
./build-key CLIENTNAME
}}}
Beware that the ''Common Name'' (CN) of all these certificates '''must''' be different, otherwise they can never be connected to this VPN at the same time. Copy the resulting certificate and key files from ''/etc/easy-rsa/'' to the client.

= Client configuration =

= Network routing =