OpenVPN server setup

This is a brief howto about the steps required to get OpenVPN up and running on an Unslung NSLU2 in Tun Mode.

The OpenVPN 2.0 HOWTO is an excellent reference for this process: http://openvpn.net/howto.html.

1. Install OpenVPN software on the NSLU2

 
 # ipkg -force-depends install openvpn
 Installing openvpn (2.0_rc17-3) to root...
 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/cross/openvpn_2.0_rc17-3_armeb.ipk
 Installing openssl (0.9.7d-3) to root...
 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/cross/openssl_0.9.7d-3_armeb.ipk
 Installing lzo (1.08-2) to root...
 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/cross/lzo_1.08-2_armeb.ipk
 Installing kernel-module-tun (2.4.22.l2.3r29-r2) to root... 
 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/oe/kernel-module-tun_2.4.22.l2.3r29-r2_nslu2.ipk
 Configuring kernel-module-tun
 Configuring lzo
 Configuring openssl
 Configuring openvpn
 Collected errors:
 Warning: Cannot satisfy the following dependencies for openvpn:
          update-modules kernel-image-2.4.22-xfs

**note**: The dependencies warning can be disregarded.

2. Configure the NSLU2 box for OpenVPN support

Create the TUN device node:

 
 # mkdir /dev/net
 # mknod /dev/net/tun c 10 200

Load the TUN/TAP kernel module:

 
 # insmod tun
 Using /lib/modules/2.4.22-xfs/kernel/drivers/net/tun.o

Enable routing:

 
 # echo 1 > /proc/sys/net/ipv4/ip_forward

3. Follow the directions in the OpenVPN 2.0 HOWTO to for instructions on generating certificates and keys for the OpenVPN server and client(s) at http://openvpn.net/howto.html#pki

**note**: Since the OpenVPN ipk for the NSLU2 is a bare-bones distribution, I did this work on an existing Red Hat Linux server.

**note**: If you wish to do this on your nslu2, download the latest source package from http://openvpn.net/download.html (get the *.tar.gz package) and extract it into a temporary folder using tar -zxvf <downloaded file name> and copy the easy-rsa/2.0/ folder to your openvpn folder and rename it easy-rsa. You can then run all the key preparation commands on your slug.

• I got the "./clean-all" to run by running ". ./clean-all" (I had set all permissions to rwx on the executing folder and parents. I had also added the executing folder to the path. That may also be necessary). Also need to run "ipkg install openssl" to get ". ./build-ca" to work.

4. Create directory /opt/etc/openvpn/easy-rsa/keysCopy on the NSLU2 and copy the server key files there.

 
 # mkdir -p /opt/etc/openvpn/easy-rsa/keys

**note**: In my case, I copied ca.crt, ca.key, dh1024.pem, server.crt, server.key, 01.pem, 02.pem, 03.pem, and 04.pem to /opt/etc/openvpn/easy-rsa/keys. **NOTE**: copying ca.key and the 0?.pem files are not actually necessary (copying ca.key in indeed NOT recommended due to secure reasons - just keep it safe somewhere else as recommended on http://openvpn.net/index.php/documentation/howto.html).

5. Follow the directions in the OpenVPN 2.0 HOWTO to create configuration files for server and client(s)on http://openvpn.net/howto.html#config

under the mssii platform i built the bridge module in a host platform, but it didn't work. It install correctly in my mssii, but won't load. My solution to was to build a whole kernel image(under a different name) with the CONFIG_BRIDGE=y and CONFIG_LLC2=y (built-in). and i upgraded my kernel-image through ipkg.

6. Start the OpenVPN server process from the command line to test connectivity in accordance with the OpenVPN 2.0 HOWTO reference at http://openvpn.net/howto.html#start

 
 # /opt/sbin/openvpn /opt/etc/openvpn/server.conf
 Mon Aug  8 11:21:08 2005 OpenVPN 2.0_rc17 armv5b-softfloat-linux [SSL] [LZO] built on Jul 27 2005
 Mon Aug  8 11:21:08 2005 WARNING: --keepalive option is missing from server config
 Mon Aug  8 11:21:09 2005 Diffie-Hellman initialized with 1024 bit key
 Mon Aug  8 11:21:09 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
 Mon Aug  8 11:21:09 2005 TUN/TAP device tun0 opened
 Mon Aug  8 11:21:09 2005 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
 Mon Aug  8 11:21:09 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
 Mon Aug  8 11:21:09 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
 Mon Aug  8 11:21:09 2005 GID set to nobody Mon Aug  8 11:21:09 2005 UID set to nobody
 Mon Aug  8 11:21:09 2005 UDPv4 link local (bound): [undef]:1194
 Mon Aug  8 11:21:09 2005 UDPv4 link remote: [undef]
 Mon Aug  8 11:21:09 2005 MULTI: multi_init called, r=256 v=256
 Mon Aug  8 11:21:09 2005 IFCONFIG POOL: base=10.8.0.4 size=62
 Mon Aug  8 11:21:09 2005 IFCONFIG POOL LIST Mon Aug  8 11:21:09 2005 client1,10.8.0.4
 Mon Aug  8 11:21:09 2005 Initialization Sequence Completed

**note**: If using iptables firewall add:

     "$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 1194 -j ACCEPT"

under "# udp_inbound chain" to enable the initialization Add the following to allow ping etc.:

1. openVpn

$IPT -A INPUT -i tun+ -j ACCEPT $IPT -A OUTPUT -o tun+ -j ACCEPT

1. $IPT -A FORWARD -i tun+ -j ACCEPT

$IPT -A INPUT -i tap+ -j ACCEPT

1. $IPT -A OUTPUT -o tap+ -j ACCEPT
2. $IPT -A FORWARD -i tap+ -j ACCEPT

7. Once everything is working properly, configure /opt/etc/init.d/S24openvpn to automatically start the OpenVPN server processes at boot time.

 
 #!/bin/sh

 if [ -n "`pidof openvpn`" ]; then 
    /bin/killall openvpn 2>/dev/null
 fi

 # load TUN/TAP kernel module
 /sbin/insmod tun

 # enable IP forwarding
 echo 1 > /proc/sys/net/ipv4/ip_forward

 # Startup VPN tunnel in daemon mode
 /opt/sbin/openvpn --cd /opt/etc/openvpn --daemon \
  --log-append /var/log/openvpn.log \
  --config server.conf 
 

-- Steve

Don't forget to chmod +x /opt/etc/init.d/S24openvpn -- Jelle or SXXopenvpn? if an S24 exists (i did S20) --max

And don't forget to set the right shell in openvpn.up, which defaults to /bin/bash. Better is #!/bin/sh, or if installed #!/opt/bin/bash -- Caplink811

I had to do a "chmod 666 /dev/net/tun" to get it to work in my system (Unslung-6.8-beta-firmware) (tnx blaster8) -- FB[i]

Trurl, 2007.09.04: I also did:

 - "chmod +x /opt/etc/openvpn/server.up"
 - add "ifconfig 10.1.0.2 10.1.0.1" line in client.ovpn on the client side (WinXP?, OpenVPN? 2.0.9);
   notice that addresses are in different order than in a server config,
 - add "tls-client" line in client.ovpn
 - uncomment "comp-lzo" line in both server and client configs

For users wishing to use the Xinetd program to start the Openvpn on demand, a working script for the /opt/etc/xined.d/openvpn file is :-

 
service openvpn_1
{
        type            = UNLISTED
        port            = 1194
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = root
        server          = /opt/sbin/openvpn
        server_args     = --cd /opt/etc/openvpn --config openvpn.conf --inetd
        disable         = no
}
 

RobHam

The OpenVPN server can also be easily configured to run in Tap mode. (Note - a description of the differences/advantages/disadvantages between Tun and Tap modes can be found at the OpenVPN web site).

Firstly it is recommended that the OpenVPN server and matching client should be configured and tested in Tun mode using the instruction above.

In Tun mode, the server and client configuration files will have the following two entries

Tun Server

 
dev tun
ifconfig 10.1.0.1 10.1.0.2
 

Tun Client

 
dev tun
ifconfig 10.1.0.2 10.1.0.1
 

To establish a tunnel using Tap mode just change the two configuration files too

Tap Server

 
dev tap
ifconfig 10.1.0.1 255.255.255.0
 

Tap Client

 
dev tap
ifconfig 10.1.0.2 255.255.255.0
 

The main benefit of the Tap driver is the ability to create a bridge to the ether port. To install the bridge-utils package, bridge kernel module and load the module use :-

 
ipkg install bridge-utils
ipkg -force-depends install kernel-module-bridge
insmod bridge
 

Instructions for setting up the Bridge can be found by using Internet search engines such as Google.

RobHam Nov 2007 - Modified Jan 2008