NSLU2-Linux
- FAQ: Frequently Asked Questions
- Donations
- Downloads
- Trac Bug Tracker
- Package Search Engine
- All Recent Wiki Changes
General
- HowTo Recipes
- Cool Peripherals
- Cool Applications
- Information Pages
- Ideas and Wish List
- Slug Success Stories
- Slug-Related Articles
- Project Mailing Lists
- Project IRC Channels
- Donations and Sponsors
- NSLU2-Linux Photo Gallery
OS/Firmware Projects
- NSLU2-Linux Development
- How Do I Get Involved?
- Unslung Firmware
- Debian Installation
- SlugOS Firmware
- OpenSlug Firmware
- SlugOS/LE Firmware
- OpenWrt Firmware
- Angstrom Firmware
- UcSlugC Firmware
- GentooSlug Firmware
- UpSlug Upload Tool
- Puppy Topfield Access
Firmware Targets
Optware
Optware Targets
Other Hardware
Wiki Resources
Sponsored Links
hosting by:
OpenVPN server setup
This is a brief howto about the steps required to get OpenVPN up and running on an Unslung NSLU2 in Tun Mode.
The OpenVPN 2.0 HOWTO is an excellent reference for this process: http://openvpn.net/howto.html.
1. Install OpenVPN software on the NSLU2
# ipkg -force-depends install openvpn
Installing openvpn (2.0_rc17-3) to root...
Downloading http://ipkg.nslu2-linux.org/feeds/unslung/cross/openvpn_2.0_rc17-3_armeb.ipk
Installing openssl (0.9.7d-3) to root...
Downloading http://ipkg.nslu2-linux.org/feeds/unslung/cross/openssl_0.9.7d-3_armeb.ipk
Installing lzo (1.08-2) to root...
Downloading http://ipkg.nslu2-linux.org/feeds/unslung/cross/lzo_1.08-2_armeb.ipk
Installing kernel-module-tun (2.4.22.l2.3r29-r2) to root...
Downloading http://ipkg.nslu2-linux.org/feeds/unslung/oe/kernel-module-tun_2.4.22.l2.3r29-r2_nslu2.ipk
Configuring kernel-module-tun
Configuring lzo
Configuring openssl
Configuring openvpn
Collected errors:
Warning: Cannot satisfy the following dependencies for openvpn:
update-modules kernel-image-2.4.22-xfs
|
**note**: The dependencies warning can be disregarded.
2. Configure the NSLU2 box for OpenVPN support
Create the TUN device node:
# mkdir /dev/net # mknod /dev/net/tun c 10 200 |
Load the TUN/TAP kernel module:
# insmod tun Using /lib/modules/2.4.22-xfs/kernel/drivers/net/tun.o |
Enable routing:
# echo 1 > /proc/sys/net/ipv4/ip_forward |
3. Follow the directions in the OpenVPN 2.0 HOWTO to for instructions on generating certificates and keys for the OpenVPN server and client(s) at http://openvpn.net/howto.html#pki
**note**: Since the OpenVPN ipk for the NSLU2 is a bare-bones distribution, I did this work on an existing Red Hat Linux server.
**note**: If you wish to do this on your nslu2, download the latest source package from http://openvpn.net/download.html (get the *.tar.gz package) and extract it into a temporary folder using tar -zxvf <downloaded file name> and copy the easy-rsa/2.0/ folder to your openvpn folder and rename it easy-rsa. You can then run all the key preparation commands on your slug.
- I got the "./clean-all" to run by running ". ./clean-all" (I had set all permissions to rwx on the executing folder and parents. I had also added the executing folder to the path. That may also be necessary). Also need to run "ipkg install openssl" to get ". ./build-ca" to work.
4. Create directory /opt/etc/openvpn/easy-rsa/keysCopy on the NSLU2 and copy the server key files there.
# mkdir -p /opt/etc/openvpn/easy-rsa/keys |
**note**: In my case, I copied ca.crt, ca.key, dh1024.pem, server.crt, server.key, 01.pem, 02.pem, 03.pem, and 04.pem to /opt/etc/openvpn/easy-rsa/keys.
**NOTE**: copying ca.key and the 0?.pem files are not actually necessary (copying ca.key in indeed NOT recommended due to secure reasons - just keep it safe somewhere else as recommended on http://openvpn.net/index.php/documentation/howto.html).
5. Follow the directions in the OpenVPN 2.0 HOWTO to create configuration files for server and client(s)on http://openvpn.net/howto.html#config
NOTE ----ETHERNET BRIDGING------------------------------------------
under the mssii platform i built the bridge module in a host platform, but it didn't work. It install correctly in my mssii, but won't load. My solution to was to build a whole kernel image(under a different name) with the CONFIG_BRIDGE=y and CONFIG_LLC2=y (built-in). and i upgraded my kernel-image through ipkg.
6. Start the OpenVPN server process from the command line to test connectivity in accordance with the OpenVPN 2.0 HOWTO reference at http://openvpn.net/howto.html#start
# /opt/sbin/openvpn /opt/etc/openvpn/server.conf Mon Aug 8 11:21:08 2005 OpenVPN 2.0_rc17 armv5b-softfloat-linux [SSL] [LZO] built on Jul 27 2005 Mon Aug 8 11:21:08 2005 WARNING: --keepalive option is missing from server config Mon Aug 8 11:21:09 2005 Diffie-Hellman initialized with 1024 bit key Mon Aug 8 11:21:09 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ] Mon Aug 8 11:21:09 2005 TUN/TAP device tun0 opened Mon Aug 8 11:21:09 2005 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500 Mon Aug 8 11:21:09 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2 Mon Aug 8 11:21:09 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ] Mon Aug 8 11:21:09 2005 GID set to nobody Mon Aug 8 11:21:09 2005 UID set to nobody Mon Aug 8 11:21:09 2005 UDPv4 link local (bound): [undef]:1194 Mon Aug 8 11:21:09 2005 UDPv4 link remote: [undef] Mon Aug 8 11:21:09 2005 MULTI: multi_init called, r=256 v=256 Mon Aug 8 11:21:09 2005 IFCONFIG POOL: base=10.8.0.4 size=62 Mon Aug 8 11:21:09 2005 IFCONFIG POOL LIST Mon Aug 8 11:21:09 2005 client1,10.8.0.4 Mon Aug 8 11:21:09 2005 Initialization Sequence Completed |
**note**: If using iptables firewall add:
"$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 1194 -j ACCEPT"
under "# udp_inbound chain" to enable the initialization Add the following to allow ping etc.:
- openVpn
$IPT -A INPUT -i tun+ -j ACCEPT $IPT -A OUTPUT -o tun+ -j ACCEPT
- $IPT -A FORWARD -i tun+ -j ACCEPT
$IPT -A INPUT -i tap+ -j ACCEPT
- $IPT -A OUTPUT -o tap+ -j ACCEPT
- $IPT -A FORWARD -i tap+ -j ACCEPT
7. Once everything is working properly, configure /opt/etc/init.d/S24openvpn to automatically start the OpenVPN server processes at boot time.
#!/bin/sh
if [ -n "`pidof openvpn`" ]; then
/bin/killall openvpn 2>/dev/null
fi
# load TUN/TAP kernel module
/sbin/insmod tun
# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Startup VPN tunnel in daemon mode
/opt/sbin/openvpn --cd /opt/etc/openvpn --daemon \
--log-append /var/log/openvpn.log \
--config server.conf
|
-- Steve
Don't forget to chmod +x /opt/etc/init.d/S24openvpn -- Jelle
And don't forget to set the right shell in openvpn.up, which defaults to /bin/bash. Better is #!/bin/sh, or if installed #!/opt/bin/bash -- Caplink811
I had to do a "chmod 666 /dev/net/tun" to get it to work in my system (Unslung-6.8-beta-firmware) (tnx blaster8) -- FB[i]
Trurl, 2007.09.04: I also did:
- "chmod +x /opt/etc/openvpn/server.up" - add "ifconfig 10.1.0.2 10.1.0.1" line in client.ovpn on the client side (WinXP?, OpenVPN? 2.0.9); notice that addresses are in different order than in a server config, - add "tls-client" line in client.ovpn - uncomment "comp-lzo" line in both server and client configs
For users wishing to use the Xinetd program to start the Openvpn on demand, a working script for the /opt/etc/xined.d/openvpn file is :-
service openvpn_1
{
type = UNLISTED
port = 1194
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /opt/sbin/openvpn
server_args = --cd /opt/etc/openvpn --config openvpn.conf --inetd
disable = no
}
|
RobHam
The default openvpn config file included in the ipk will allow you connect to the openvpn server in tun mode using a static key. If you need to connect to other computers/boxes on your internal LAN network then you will need to set up a return route so that data packets sent from these computers and destined for the external openvpn client can be redirected through the openvpn gateway.
The easiest way is to add the return route into your LAN router/gateway box. Most routers allow for the addition of a number of LAN side static routes.
Assuming your internal LAN subnet is 192.168.1.0, your NSLU2 IP (or other NAS device) which is running the openvpn server program is 192.168.1.77 and your openvpn gateway IP subnet is 10.1.0.0 then add the following return route to your router :-
Destination IP 10.1.0.0 Subnet 255.255.255.0 Gateway IP 192.168.1.77 |
Alternatively if your router does not support the addition of static routes then you can add the return route individualy to each LAN computer using the following route command.
route add -net 10.1.0.0/24 gw 192.168.1.77 |
Include the above script in a small batch file that loads at boot time. Note that you do not need to add the return route to the openvpn server, it is created when the program loads.
RobHam Dec 2010
The OpenVPN server can also be easily configured to run in Tap mode. (Note - a description of the differences/advantages/disadvantages between Tun and Tap modes can be found at the OpenVPN web site).
Firstly it is recommended that the OpenVPN server and matching client should be configured and tested in Tun mode using the instruction above.
In Tun mode, the server and client configuration files will have the following two entries
Tun Server
dev tun ifconfig 10.1.0.1 10.1.0.2 |
Tun Client
dev tun ifconfig 10.1.0.2 10.1.0.1 |
To establish a tunnel using Tap mode just change the two configuration files too
Tap Server
dev tap ifconfig 10.1.0.1 255.255.255.0 |
Tap Client
dev tap ifconfig 10.1.0.2 255.255.255.0 |
The main benefit of the Tap driver is the ability to create a bridge to the ether port. To install the bridge-utils package, bridge kernel module and load the module use :-
ipkg install bridge-utils ipkg -force-depends install kernel-module-bridge insmod bridge |
Instructions for setting up the Bridge can be found by using Internet search engines such as Google.
RobHam Nov 2007 - Modified Jan 2008
Based on work by RobHam, Marcelo Vianna, zouzou, Trurl, maxfantuznet, FBi, mwester, metamind, MattMcNeill, caplink811, Jelle, polarisdb, and ingeba.
Originally by polarisdb.