The default openvpn config file included in the ipk will allow you connect to the openvpn server in tun mode using a static key. If you need to connect to other computers/boxes on your internal LAN network then you will need to set up a return route so that data packets sent from these computers and destined for the external openvpn client can be redirected through the openvpn gateway.

The easiest way is to add the return route into your LAN router/gateway box. Most routers allow for the addition of a number of LAN side static routes.

Assuming your internal LAN subnet is 192.168.1.0, your NSLU2 IP (or other NAS device) which is running the openvpn server program is 192.168.1.77 and your openvpn gateway IP subnet is 10.1.0.0 then add the following return route to your router :-

Destination IP 10.1.0.0 Subnet 255.255.255.0 Gateway IP 192.168.1.77

Alternatively if your router does not support the addition of static routes then you can add the return route individualy to each LAN computer using the following route command.

route add -net 10.1.0.0/24 gw 192.168.1.77

Include the above script in a small batch file that loads at boot time. Note that you do not need to add the return route to the openvpn server, it is created when the program loads.

RobHam Dec 2010

The OpenVPN server can also be easily configured to run in Tap mode. (Note - a description of the differences/advantages/disadvantages between Tun and Tap modes can be found at the OpenVPN web site).

Firstly it is recommended that the OpenVPN server and matching client should be configured and tested in Tun mode using the instruction above.

In Tun mode, the server and client configuration files will have the following two entries

Tun Server

dev tun ifconfig 10.1.0.1 10.1.0.2

Tun Client

dev tun ifconfig 10.1.0.2 10.1.0.1

To establish a tunnel using Tap mode just change the two configuration files too

Tap Server

dev tap ifconfig 10.1.0.1 255.255.255.0

Tap Client (:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
dev tap
ifconfig 10.1.0.2 255.255.255.0
 

(:tableend:)

The main benefit of the Tap driver is the ability to create a bridge to the ether port. To install the bridge-utils package, bridge kernel module and load the module use :-

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
ipkg install bridge-utils
ipkg -force-depends install kernel-module-bridge
insmod bridge
 

(:tableend:)

**NOTE**: copying ca.key and the 0?.pem files are not actually necessary (copying ca.key in indeed NOT recommended due to secure reasons - just keep it safe somewhere else as recommended on http://openvpn.net/index.php/documentation/howto.html).

**note**: copying ca.key and the 0x.pem files are not actually necessary (copying ca.key in indeed NOT recommended due to secure reasons - just keep it safe somewhere else as recommended on http://openvpn.net/index.php/documentation/howto.html)

• NOTE ----BRIDGING******

under the mssii platform i built the bridge module in a host platform, but it didn't work. It install correctly in my mssii, but won't load. My solution to was to build a whole kernel image(under a different name) with the CONFIG_BRIDGE=y and CONFIG_LLC2=y (built-in). and i upgraded my kernel-image through ipkg.

The main benefit of the Tap driver is the ability to create a bridge to the ether port. To install the bridge-utils package, bridge kernel module and load the module use :-

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
ipkg install bridge-utils
ipkg -force-depends install kernel-module-bridge
insmod bridge
 

(:tableend:)

Instructions for setting up the Bridge can be found by using Internet search engines such as Google.

RobHam Nov 2007 - Modified Jan 2008

The main benefit of the Tap driver is the ability to create a bridge to the ether port.

The main benefit of the Tap driver is the ability to create a bridge to the ether port. Unfortunately the necessary Bridge Kernel Module is currently not included in the Optware feeds for Unslung5.5 firmware.

ifconfig 10.1.0.1 255.255.255.0

ifconfig 10.1.0.2 255.255.255.0

In Tun mode, the server and client configuration files will have the following two entries

To establish a tunnel using Tap mode just change the two configuration files too

This is a brief howto about the steps required to get OpenVPN up and running on an Unslung NSLU2 in Tun Mode.

The OpenVPN server can also be easily configured to run in Tap mode. (Note - a description of the differences/advantages/disadvantages between Tun and Tap modes can be found at the OpenVPN web site).

Firstly it is recommended that the OpenVPN server and matching client should be configured and tested in Tun mode using the instruction above.

In Tun mode, the server and client configuration files will have the following two entries.

Tun Server (:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
dev tun
ifconfig 10.1.0.1 10.1.0.2
 

(:tableend:)

Tun Client (:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
dev tun
ifconfig 10.1.0.2 10.1.0.1
 

(:tableend:)

To establish a tunnel using Tap mode just change the two configuration files to.

Tap Server (:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
dev tap
ifconfig 10.1.0.1 255.0.0.0
 

(:tableend:)

Tap Client (:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
dev tap
ifconfig 10.1.0.2 255.0.0.0
 

(:tableend:)

The main benefit of the Tap driver is the ability to create a bridge to the ether port. Unfortunately the necessary Bridge Kernel Module is currently not included in the Optware feeds for Unslung firmware.

RobHam Nov 2007

 - "chmod +x /opt/etc/openvpn/server.up"
 - add "ifconfig 10.1.0.2 10.1.0.1" line in client.ovpn on the client side (WinXP?, OpenVPN? 2.0.9);
   notice that addresses are in different order than in a server config,
 - add "tls-client" line in client.ovpn
 - uncomment "comp-lzo" line in both server and client configs

- "chmod +x /opt/etc/openvpn/server.up" - add "ifconfig 10.1.0.2 10.1.0.1" line in client.ovpn on the client side (WinXP?, OpenVPN? 2.0.9);

  notice that addresses are in different order than in a server config,

- add "tls-client" line in client.ovpn - uncomment "comp-lzo" line in both server and client configs

Trurl, 2007.09.04: I also did:

 - "chmod +x /opt/etc/openvpn/server.up"
 - add "ifconfig 10.1.0.2 10.1.0.1" line in client.ovpn on the client side (WinXP?, OpenVPN? 2.0.9); notice that addresses are in different order than in a server config,
 - add "tls-client" line in client.ovpn
 - uncomment "comp-lzo" line in both server and client configs

Trurl, 2007.09.04: I had also to do:

 - chmod +x /opt/etc/openvpn/server.up
 - add ifconfig 10.1.0.1 10.1.0.2 line in client.ovpn on the client side (WinXP?, OpenVPN? 2.0.9)

Trurl: I had also to do:

 chmod +x /opt/etc/openvpn/server.up
 add ifconfig 10.1.0.1 10.1.0.2 line in client.ovpn on the client side (WinXP?, OpenVPN? 2.0.9)

or SXXopenvpn? if an S24 exists (i did S20) --max

-- FB[i]

 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/cross/openvpn_2.0_rc17-3_armeb.ipk

 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/cross/openssl_0.9.7d-3_armeb.ipk

 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/cross/lzo_1.08-2_armeb.ipk

 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/oe/kernel-module-tun_2.4.22.l2.3r29-r2_nslu2.ipk

 Mon Aug  8 11:21:08 2005 OpenVPN? 2.0_rc17 armv5b-softfloat-linux [SSL] [LZO] built on Jul 27 2005

 Mon Aug  8 11:21:09 2005 UDPv4? link local (bound): [undef]:1194
 Mon Aug  8 11:21:09 2005 UDPv4? link remote: [undef]

 /opt/sbin/openvpn --cd /opt/etc/openvpn --daemon   --log-append /var/log/openvpn.log \

 [=

=]

 [=

=]

 [=

=]

 [=

=]

 [=

=]

 [=

=]

 [=

 =]

-- FB[i]

For users wishing to use the Xinetd program to start the Openvpn on demand, a working script for the /opt/etc/xined.d/openvpn file is :-

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
service openvpn_1
{
        type            = UNLISTED
        port            = 1194
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = root
        server          = /opt/sbin/openvpn
        server_args     = --cd /opt/etc/openvpn --config openvpn.conf --inetd
        disable         = no
}
 

(:tableend:)

RobHam

And don't forget to set the right shell in openvpn.up, which defaults to /bin/bash. Better is #!/bin/sh, or if installed #!/opt/bin/bash -- Caplink811

I had to do a "chmod 666 /dev/net/tun" to get it to work in my system (Unslung-6.8-beta-firmware) (tnx blaster8) -- FB[i]

• I got the "./clean-all" to run by running ". ./clean-all" (I had set all permissions to rwx on the executing folder and parents. I had also added the executing folder to the path. That may also be necessary). Also need to run "ipkg install openssl" to get ". ./build-ca" to work.

Add the following to allow ping etc.:

1. openVpn

$IPT -A INPUT -i tun+ -j ACCEPT $IPT -A OUTPUT -o tun+ -j ACCEPT

1. $IPT -A FORWARD -i tun+ -j ACCEPT

$IPT -A INPUT -i tap+ -j ACCEPT

1. $IPT -A OUTPUT -o tap+ -j ACCEPT
2. $IPT -A FORWARD -i tap+ -j ACCEPT

**note**: If using iptables firewall add:

     "$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 1194 -j ACCEPT"

under "# udp_inbound chain" to enable the initialization (currently working on firewall settings to get tap service to work)

              ** I got the "./clean-all" to run by running ". ./clean-all" (I had set all permissions to rwx on the executing folder and parents. I had also added the executing folder to the path. That may also be necessary). Also need to run "ipkg install openssl" to get ". ./build-ca" to work.

              I tried this and spent about an hour trying to get the commands to run. I got the "./clean-all" to run (I think) by running ". ./clean-all" (by this stage I had set all permissions to rwx on the executing folder and parents. I had also added the executing folder to the path. That may also be necessary). However ". ./build-ca" errored with "openssl: No such file or directory". I will try doing this on windows.

  -  I tried this and spent about an hour trying to get the commands to run. I got the "./clean-all" to run (I think) by running ". ./clean-all" (by this stage I had set all permissions to rwx on the executing folder and parents. I had also added the executing folder to the path. That may also be necessary). However ". ./build-ca" errored with "openssl: No such file or directory". I will try doing this on windows.

**note**: If you wish to do this on your nslu2, download the latest source package from http://openvpn.net/download.html (get the *.tar.gz package) and extract it into a temporary folder using tar -zxvf <downloaded file name> and copy the easy-rsa/2.0/ folder to your openvpn folder and rename it easy-rsa. You can then run all the key preparation commands on your slug.

Don't forget to chmod +x /opt/etc/init.d/S24openvpn -- Jelle And don't forget to set the right shell in openvpn.up, which defaults to /bin/bash. Better is #!/bin/sh, or if installed #!/opt/bin/bash -- Caplink811

Don't forget to chmod +x /opt/etc/init.d/S24openvpn -- Jelle

**note**: In my case, I copied ca.crt, ca.key, dh1024.pem, server.crt, server.key, 01.pem, 02.pem, 03.pem, and 04.pem to /opt/etc/openvpn/easy-rsa/keys.

**note**: In my case, I copied ca.crt, ca.key, dh1024.pem, server.crt, and server.key to /opt/etc/openvpn/easy-rsa/keys.

 /opt/sbin/openvpn --cd /opt/etc/openvpn --daemon \
  --log-append /var/log/openvpn.log \

OpenVPN server setup

This is a brief howto about the steps required to get OpenVPN up and running on an Unslung-5.5 NSLU2.

The OpenVPN 2.0 HOWTO is an excellent reference for this process: http://openvpn.net/howto.html.

1. Install OpenVPN software on the NSLU2

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 # ipkg -force-depends install openvpn
 Installing openvpn (2.0_rc17-3) to root...
 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/cross/openvpn_2.0_rc17-3_armeb.ipk
 Installing openssl (0.9.7d-3) to root...
 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/cross/openssl_0.9.7d-3_armeb.ipk
 Installing lzo (1.08-2) to root...
 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/cross/lzo_1.08-2_armeb.ipk
 Installing kernel-module-tun (2.4.22.l2.3r29-r2) to root... 
 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/oe/kernel-module-tun_2.4.22.l2.3r29-r2_nslu2.ipk
 Configuring kernel-module-tun
 Configuring lzo
 Configuring openssl
 Configuring openvpn
 Collected errors:
 Warning: Cannot satisfy the following dependencies for openvpn:
          update-modules kernel-image-2.4.22-xfs

(:tableend:) **note**: The dependencies warning can be disregarded.

2. Configure the NSLU2 box for OpenVPN support

Create the TUN device node:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 # mkdir /dev/net
 # mknod /dev/net/tun c 10 200

(:tableend:)

Load the TUN/TAP kernel module:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 # insmod tun
 Using /lib/modules/2.4.22-xfs/kernel/drivers/net/tun.o

(:tableend:)

Enable routing:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 # echo 1 > /proc/sys/net/ipv4/ip_forward

(:tableend:)

3. Follow the directions in the OpenVPN 2.0 HOWTO to for instructions on generating certificates and keys for the OpenVPN server and client(s) at http://openvpn.net/howto.html#pki

**note**: Since the OpenVPN ipk for the NSLU2 is a bare-bones distribution, I did this work on an existing Red Hat Linux server.

4. Create directory /opt/etc/openvpn/easy-rsa/keysCopy on the NSLU2 and copy the server key files there.

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 # mkdir -p /opt/etc/openvpn/easy-rsa/keys

(:tableend:)

**note**: In my case, I copied ca.crt, ca.key, dh1024.pem, server.crt, and server.key to /opt/etc/openvpn/easy-rsa/keys.

5. Follow the directions in the OpenVPN 2.0 HOWTO to create configuration files for server and client(s)on http://openvpn.net/howto.html#config

**note**: I created /opt/etc/openvpn/server.conf on my NSLU2.

6. Start the OpenVPN server process from the command line to test connectivity in accordance with the OpenVPN 2.0 HOWTO reference at http://openvpn.net/howto.html#start

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 # /opt/sbin/openvpn /opt/etc/openvpn/server.conf
 Mon Aug  8 11:21:08 2005 OpenVPN 2.0_rc17 armv5b-softfloat-linux [SSL] [LZO] built on Jul 27 2005
 Mon Aug  8 11:21:08 2005 WARNING: --keepalive option is missing from server config
 Mon Aug  8 11:21:09 2005 Diffie-Hellman initialized with 1024 bit key
 Mon Aug  8 11:21:09 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
 Mon Aug  8 11:21:09 2005 TUN/TAP device tun0 opened
 Mon Aug  8 11:21:09 2005 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
 Mon Aug  8 11:21:09 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
 Mon Aug  8 11:21:09 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
 Mon Aug  8 11:21:09 2005 GID set to nobody Mon Aug  8 11:21:09 2005 UID set to nobody
 Mon Aug  8 11:21:09 2005 UDPv4 link local (bound): [undef]:1194
 Mon Aug  8 11:21:09 2005 UDPv4 link remote: [undef]
 Mon Aug  8 11:21:09 2005 MULTI: multi_init called, r=256 v=256
 Mon Aug  8 11:21:09 2005 IFCONFIG POOL: base=10.8.0.4 size=62
 Mon Aug  8 11:21:09 2005 IFCONFIG POOL LIST Mon Aug  8 11:21:09 2005 client1,10.8.0.4
 Mon Aug  8 11:21:09 2005 Initialization Sequence Completed

(:tableend:)

7. Once everything is working properly, configure /opt/etc/init.d/S24openvpn to automatically start the OpenVPN server processes at boot time.

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 ###################################################
 #!/bin/sh

 if [ -n "`pidof openvpn`" ]; then 
    /bin/killall openvpn 2>/dev/null
 fi

 # load TUN/TAP kernel module
 /sbin/insmod tun

 # enable IP forwarding
 echo 1 > /proc/sys/net/ipv4/ip_forward

 # Startup VPN tunnel in daemon mode
 /opt/sbin/openvpn --cd /opt/etc/openvpn --daemon 
  --log-append /var/log/openvpn.log 
  --config server.conf 
 ###################################################

(:tableend:)

-- Steve

This is a brief howto about the steps required to get OpenVPN? up and running on an Unslung-5.5 NSLU2.