NSLU2-Linux

HowTo.SetUpOpenVPNServer History


January 20, 2011, at 02:44 PM by t-bon3 -- removed superfluous comments
Changed lines 158-160 from:

or SXXopenvpn? if an S24 exists (i did S20) --max

to:
December 11, 2010, at 03:50 PM by RobHam -- Details of Openvpn tun mode return route added for LAN side computers.
Changed lines 201-207 from:

The OpenVPN server can also be easily configured to run in Tap mode. (Note - a description of the differences/advantages/disadvantages between Tun and Tap modes can be found at the OpenVPN web site).

Firstly it is recommended that the OpenVPN server and matching client should be configured and tested in Tun mode using the instruction above.

In Tun mode, the server and client configuration files will have the following two entries

Tun Server

to:

The default openvpn config file included in the ipk will allow you connect to the openvpn server in tun mode using a static key. If you need to connect to other computers/boxes on your internal LAN network then you will need to set up a return route so that data packets sent from these computers and destined for the external openvpn client can be redirected through the openvpn gateway.

The easiest way is to add the return route into your LAN router/gateway box. Most routers allow for the addition of a number of LAN side static routes.

Assuming your internal LAN subnet is 192.168.1.0, your NSLU2 IP (or other NAS device) which is running the openvpn server program is 192.168.1.77 and your openvpn gateway IP subnet is 10.1.0.0 then add the following return route to your router :-
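Review bot: the route in this hunk covers only the LAN-to-client direction; for LAN hosts to be reachable the client end also needs a route for 192.168.1.0/24 pointing into the tunnel (a "route 192.168.1.0 255.255.255.0" line in the client config, which defaults the gateway to the server's tunnel address 10.1.0.1), and IP forwarding has to be enabled on the NSLU2 as in step 2 of the howto. Both are worth stating here, since a reader following only this paragraph ends up with a one-way path. The static-key default is adequate for a single client, but the key file is then the entire access control: anyone holding it can bring the tunnel up and, once this return route exists, reach every LAN host.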

Changed lines 210-211 from:

dev tun ifconfig 10.1.0.1 10.1.0.2

to:

Destination IP 10.1.0.0 Subnet 255.255.255.0 Gateway IP 192.168.1.77

Changed lines 216-217 from:

Tun Client

to:

Alternatively if your router does not support the addition of static routes then you can add the return route individualy to each LAN computer using the following route command.

Changed lines 221-222 from:

dev tun ifconfig 10.1.0.2 10.1.0.1

to:

route add -net 10.1.0.0/24 gw 192.168.1.77

Changed lines 225-228 from:

To establish a tunnel using Tap mode just change the two configuration files too

Tap Server

to:

Include the above script in a small batch file that loads at boot time. Note that you do not need to add the return route to the openvpn server, it is created when the program loads.

RobHam Dec 2010


The OpenVPN server can also be easily configured to run in Tap mode. (Note - a description of the differences/advantages/disadvantages between Tun and Tap modes can be found at the OpenVPN web site).

Firstly it is recommended that the OpenVPN server and matching client should be configured and tested in Tun mode using the instruction above.

In Tun mode, the server and client configuration files will have the following two entries

Tun Server
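Review bot: "route add -net 10.1.0.0/24 gw 192.168.1.77" in the previous hunk is Linux net-tools syntax, while "a small batch file that loads at boot time" suggests Windows LAN computers; there the equivalent is "route -p add 10.1.0.0 mask 255.255.255.0 192.168.1.77", and the -p flag makes the route persistent so no boot-time script is needed at all. On Linux hosts the command belongs in the distribution's static-route configuration or an init script rather than a batch file. Once LAN hosts send the VPN subnet through the NSLU2, the only thing limiting what the remote client can reach is the NSLU2's FORWARD chain, so this paragraph should point at the iptables rules further down the page rather than leave forwarding wide open.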

Changed lines 242-243 from:

dev tap ifconfig 10.1.0.1 255.255.255.0

to:

dev tun ifconfig 10.1.0.1 10.1.0.2

Changed line 247 from:

Tap Client

to:

Tun Client

Changed lines 251-252 from:

dev tap ifconfig 10.1.0.2 255.255.255.0

to:

dev tun ifconfig 10.1.0.2 10.1.0.1

Changed lines 257-258 from:

The main benefit of the Tap driver is the ability to create a bridge to the ether port. To install the bridge-utils package, bridge kernel module and load the module use :-

to:

To establish a tunnel using Tap mode just change the two configuration files too

Tap Server

Changed lines 263-265 from:

ipkg install bridge-utils ipkg -force-depends install kernel-module-bridge insmod bridge

to:

dev tap ifconfig 10.1.0.1 255.255.255.0

Added lines 268-288:

Tap Client (:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
dev tap
ifconfig 10.1.0.2 255.255.255.0
 

(:tableend:)

The main benefit of the Tap driver is the ability to create a bridge to the ether port. To install the bridge-utils package, bridge kernel module and load the module use :-

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
ipkg install bridge-utils
ipkg -force-depends install kernel-module-bridge
insmod bridge
 

(:tableend:)
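Review bot: the Tap Server and Tap Client fragments replace only the "dev" and "ifconfig" lines; the "secret" directive of the default static-key config must stay in both files, because an OpenVPN 2.0 config with neither "secret" nor the TLS options brings the tunnel up with encryption and authentication disabled and merely logs a warning rather than refusing to start. The "ifconfig 10.1.0.1 255.255.255.0" form is correct for tap (address and netmask, not the two endpoint addresses used with tun). For the bridge, "insmod bridge" as shown is a one-off, so it belongs next to "insmod tun" in the S24openvpn boot script; and bridging the tap device onto the Ethernet port places the remote client directly on the LAN segment at layer 2, so it sees broadcast traffic and can address any LAN host, with the static key as the only access control.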

September 07, 2008, at 09:11 PM by Marcelo Vianna -- Comments of files needed to be copied to the server as well as the security implications
Deleted line 83:
September 07, 2008, at 09:07 PM by Marcelo Vianna -- Comments on key files needed to be copied to the server and security implications.
Changed lines 85-86 from:

**note**: copying ca.key and the 0x.pem files are not actually necessary (copying ca.key in indeed NOT recommended due to secure reasons - just keep it safe somewhere else as recommended on http://openvpn.net/index.php/documentation/howto.html)

to:

**NOTE**: copying ca.key and the 0?.pem files are not actually necessary (copying ca.key in indeed NOT recommended due to secure reasons - just keep it safe somewhere else as recommended on http://openvpn.net/index.php/documentation/howto.html).
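Review bot: the note says what not to copy but not what the server does need, which from step 4 of the howto is ca.crt, server.crt, server.key and dh1024.pem, with server.key readable by root only (chmod 600). The 0?.pem files are the CA's own copies of every certificate it has issued, so they belong with ca.key on the offline machine; the reason for keeping ca.key off the server is that whoever obtains it can issue certificates that the server will accept for any client.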

September 07, 2008, at 09:03 PM by Marcelo Vianna -- Comments on key files needed on the server (as well as the security implications)
Changed lines 85-86 from:
to:

**note**: copying ca.key and the 0x.pem files are not actually necessary (copying ca.key in indeed NOT recommended due to secure reasons - just keep it safe somewhere else as recommended on http://openvpn.net/index.php/documentation/howto.html)

June 16, 2008, at 07:48 AM by zouzou --
Changed line 87 from:
  • NOTE ----BRIDGING******
to:

NOTE ----ETHERNET BRIDGING------------------------------------------
Changed lines 89-90 from:
to:

June 16, 2008, at 07:46 AM by zouzou --
Changed lines 87-88 from:
to:
  • NOTE ----BRIDGING******

under the mssii platform i built the bridge module in a host platform, but it didn't work. It install correctly in my mssii, but won't load. My solution to was to build a whole kernel image(under a different name) with the CONFIG_BRIDGE=y and CONFIG_LLC2=y (built-in). and i upgraded my kernel-image through ipkg.

February 07, 2008, at 10:31 PM by RobHam -- Installation of bridge kernel module added
Changed lines 245-249 from:

The main benefit of the Tap driver is the ability to create a bridge to the ether port.

RobHam Nov 2007

to:

The main benefit of the Tap driver is the ability to create a bridge to the ether port. To install the bridge-utils package, bridge kernel module and load the module use :-

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
ipkg install bridge-utils
ipkg -force-depends install kernel-module-bridge
insmod bridge
 

(:tableend:)

Instructions for setting up the Bridge can be found by using Internet search engines such as Google.

RobHam Nov 2007 - Modified Jan 2008

November 26, 2007, at 09:42 PM by RobHam -- Expanded to include details of the Tap configuration
Changed lines 245-247 from:

The main benefit of the Tap driver is the ability to create a bridge to the ether port. Unfortunately the necessary Bridge Kernel Module is currently not included in the Optware feeds for Unslung5.5 firmware.

to:

The main benefit of the Tap driver is the ability to create a bridge to the ether port.

November 26, 2007, at 09:42 PM by RobHam -- Expanded to include details of the Tap configuration
Changed lines 245-247 from:

The main benefit of the Tap driver is the ability to create a bridge to the ether port. Unfortunately the necessary Bridge Kernel Module is currently not included in the Optware feeds for Unslung firmware.

to:

The main benefit of the Tap driver is the ability to create a bridge to the ether port. Unfortunately the necessary Bridge Kernel Module is currently not included in the Optware feeds for Unslung5.5 firmware.

November 26, 2007, at 07:57 PM by RobHam -- Expanded to include details of the Tap configuration
Changed line 231 from:

ifconfig 10.1.0.1 255.0.0.0

to:

ifconfig 10.1.0.1 255.255.255.0

Changed line 240 from:

ifconfig 10.1.0.2 255.0.0.0

to:

ifconfig 10.1.0.2 255.255.255.0

November 26, 2007, at 07:23 PM by RobHam -- Expanded to include details of the Tap configuration
Changed lines 203-204 from:

In Tun mode, the server and client configuration files will have the following two entries.

to:

In Tun mode, the server and client configuration files will have the following two entries

Changed lines 224-225 from:

To establish a tunnel using Tap mode just change the two configuration files to.

to:

To establish a tunnel using Tap mode just change the two configuration files too

November 26, 2007, at 07:21 PM by RobHam -- Expanded to include details of the Tap configuration
Changed lines 3-4 from:

This is a brief howto about the steps required to get OpenVPN up and running on an Unslung-5.5 NSLU2.

to:

This is a brief howto about the steps required to get OpenVPN up and running on an Unslung NSLU2 in Tun Mode.

Changed lines 197-249 from:
to:

The OpenVPN server can also be easily configured to run in Tap mode. (Note - a description of the differences/advantages/disadvantages between Tun and Tap modes can be found at the OpenVPN web site).

Firstly it is recommended that the OpenVPN server and matching client should be configured and tested in Tun mode using the instruction above.

In Tun mode, the server and client configuration files will have the following two entries.

Tun Server (:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
dev tun
ifconfig 10.1.0.1 10.1.0.2
 

(:tableend:)

Tun Client (:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
dev tun
ifconfig 10.1.0.2 10.1.0.1
 

(:tableend:)

To establish a tunnel using Tap mode just change the two configuration files to.

Tap Server (:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
dev tap
ifconfig 10.1.0.1 255.0.0.0
 

(:tableend:)

Tap Client (:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
dev tap
ifconfig 10.1.0.2 255.0.0.0
 

(:tableend:)

The main benefit of the Tap driver is the ability to create a bridge to the ether port. Unfortunately the necessary Bridge Kernel Module is currently not included in the Optware feeds for Unslung firmware.

RobHam Nov 2007

September 04, 2007, at 12:17 PM by Trurl --
Changed lines 166-172 from:

- "chmod +x /opt/etc/openvpn/server.up" - add "ifconfig 10.1.0.2 10.1.0.1" line in client.ovpn on the client side (WinXP?, OpenVPN? 2.0.9);

  notice that addresses are in different order than in a server config,

- add "tls-client" line in client.ovpn - uncomment "comp-lzo" line in both server and client configs

to:
 - "chmod +x /opt/etc/openvpn/server.up"
 - add "ifconfig 10.1.0.2 10.1.0.1" line in client.ovpn on the client side (WinXP?, OpenVPN? 2.0.9);
   notice that addresses are in different order than in a server config,
 - add "tls-client" line in client.ovpn
 - uncomment "comp-lzo" line in both server and client configs
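Review bot: "tls-client" on its own does not check that the peer is actually the server; any certificate signed by the same CA, another client's for instance, would be accepted as the server end. OpenVPN 2.0 provides "ns-cert-type server" for the client config (the server certificate has to be generated with build-key-server so it carries the nsCertType extension); add it alongside "tls-client". "comp-lzo" does have to match on both sides as stated, and the reversed "ifconfig" addresses are correct: each side lists its own tunnel address first, then the peer's.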
September 04, 2007, at 10:50 AM by Trurl --
Changed lines 166-171 from:
 - "chmod +x /opt/etc/openvpn/server.up"
 - add "ifconfig 10.1.0.2 10.1.0.1" line in client.ovpn on the client side (WinXP?, OpenVPN? 2.0.9); notice that addresses are in different order than in a server config,
 - add "tls-client" line in client.ovpn
 - uncomment "comp-lzo" line in both server and client configs
to:

- "chmod +x /opt/etc/openvpn/server.up" - add "ifconfig 10.1.0.2 10.1.0.1" line in client.ovpn on the client side (WinXP?, OpenVPN? 2.0.9);

  notice that addresses are in different order than in a server config,

- add "tls-client" line in client.ovpn - uncomment "comp-lzo" line in both server and client configs

September 04, 2007, at 10:48 AM by Trurl --
Changed lines 165-169 from:

Trurl, 2007.09.04: I had also to do:

 - chmod +x /opt/etc/openvpn/server.up
 - add ifconfig 10.1.0.1 10.1.0.2 line in client.ovpn on the client side (WinXP?, OpenVPN? 2.0.9)
to:

Trurl, 2007.09.04: I also did:

 - "chmod +x /opt/etc/openvpn/server.up"
 - add "ifconfig 10.1.0.2 10.1.0.1" line in client.ovpn on the client side (WinXP?, OpenVPN? 2.0.9); notice that addresses are in different order than in a server config,
 - add "tls-client" line in client.ovpn
 - uncomment "comp-lzo" line in both server and client configs
September 04, 2007, at 06:23 AM by Trurl --
Changed lines 165-169 from:

Trurl: I had also to do:

 chmod +x /opt/etc/openvpn/server.up
 add ifconfig 10.1.0.1 10.1.0.2 line in client.ovpn on the client side (WinXP?, OpenVPN? 2.0.9)
to:

Trurl, 2007.09.04: I had also to do:

 - chmod +x /opt/etc/openvpn/server.up
 - add ifconfig 10.1.0.1 10.1.0.2 line in client.ovpn on the client side (WinXP?, OpenVPN? 2.0.9)
September 04, 2007, at 06:21 AM by Trurl --
Added lines 164-169:

Trurl: I had also to do:

 chmod +x /opt/etc/openvpn/server.up
 add ifconfig 10.1.0.1 10.1.0.2 line in client.ovpn on the client side (WinXP?, OpenVPN? 2.0.9)
March 07, 2007, at 10:19 PM by maxfantuznet -- massimiliano, openvpn multiservers user
Changed lines 88-90 from:

**note**: I created /opt/etc/openvpn/server.conf on my NSLU2.

to:
Changed lines 156-158 from:
to:

or SXXopenvpn? if an S24 exists (i did S20) --max

Changed lines 162-163 from:

-- FB[i]

to:

-- FB[i]

February 02, 2007, at 08:38 PM by RobHam -- Xinetd section added
Changed line 14 from:
 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/cross/openvpn_2.0_rc17-3_armeb.ipk
to:
 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/cross/openvpn_2.0_rc17-3_armeb.ipk
Changed line 16 from:
 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/cross/openssl_0.9.7d-3_armeb.ipk
to:
 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/cross/openssl_0.9.7d-3_armeb.ipk
Changed line 18 from:
 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/cross/lzo_1.08-2_armeb.ipk
to:
 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/cross/lzo_1.08-2_armeb.ipk
Changed line 20 from:
 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/oe/kernel-module-tun_2.4.22.l2.3r29-r2_nslu2.ipk
to:
 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/oe/kernel-module-tun_2.4.22.l2.3r29-r2_nslu2.ipk
Changed line 98 from:
 Mon Aug  8 11:21:08 2005 OpenVPN 2.0_rc17 armv5b-softfloat-linux [SSL] [LZO] built on Jul 27 2005
to:
 Mon Aug  8 11:21:08 2005 OpenVPN? 2.0_rc17 armv5b-softfloat-linux [SSL] [LZO] built on Jul 27 2005
Changed lines 107-108 from:
 Mon Aug  8 11:21:09 2005 UDPv4 link local (bound): [undef]:1194
 Mon Aug  8 11:21:09 2005 UDPv4 link remote: [undef]
to:
 Mon Aug  8 11:21:09 2005 UDPv4? link local (bound): [undef]:1194
 Mon Aug  8 11:21:09 2005 UDPv4? link remote: [undef]
Changed lines 149-150 from:
 /opt/sbin/openvpn --cd /opt/etc/openvpn --daemon \
  --log-append /var/log/openvpn.log \
to:
 /opt/sbin/openvpn --cd /opt/etc/openvpn --daemon   --log-append /var/log/openvpn.log \
February 02, 2007, at 08:35 PM by RobHam -- Xinetd section added
Added line 11:
 [=
Added line 28:

=]

Added line 38:
 [=
Added line 41:

=]

Added line 49:
 [=
Added line 52:

=]

Added line 59:
 [=
Added line 61:

=]

Added line 78:
 [=
Added line 80:

=]

Added line 96:
 [=
Added line 113:

=]

Changed line 135 from:
 ###################################################
to:
 [=
Changed line 152 from:
 ###################################################
to:
 =]
Changed lines 162-188 from:

-- FB[i]

to:

-- FB[i]


For users wishing to use the Xinetd program to start the Openvpn on demand, a working script for the /opt/etc/xined.d/openvpn file is :-

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
service openvpn_1
{
        type            = UNLISTED
        port            = 1194
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = root
        server          = /opt/sbin/openvpn
        server_args     = --cd /opt/etc/openvpn --config openvpn.conf --inetd
        disable         = no
}
 

(:tableend:)

RobHam
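Review bot: the path in the lead-in, /opt/etc/xined.d/openvpn, should read /opt/etc/xinetd.d/openvpn. "user = root" is required so OpenVPN can open /dev/net/tun, but the process then only drops privileges if openvpn.conf contains "user nobody" and "group nobody" (the server log earlier on the page shows exactly that happening, "GID set to nobody" and "UID set to nobody"); without them the service stays root for its whole lifetime. "wait = yes" with "socket_type = dgram" is the right pairing for OpenVPN's --inetd mode over UDP, since OpenVPN takes over the socket xinetd hands it and serves the tunnel from that one process.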

September 03, 2006, at 09:01 PM by FBi --
Changed lines 147-150 from:

And don't forget to set the right shell in openvpn.up, which defaults to /bin/bash. Better is #!/bin/sh, or if installed #!/opt/bin/bash -- Caplink811

to:

And don't forget to set the right shell in openvpn.up, which defaults to /bin/bash. Better is #!/bin/sh, or if installed #!/opt/bin/bash -- Caplink811

I had to do a "chmod 666 /dev/net/tun" to get it to work in my system (Unslung-6.8-beta-firmware) (tnx blaster8) -- FB[i]
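Review bot: "chmod 666 /dev/net/tun" makes the device node world-writable, which is broader than the fix needs. The likely cause is the privilege drop visible in the server log ("UID set to nobody"): after a restart an unprivileged OpenVPN cannot reopen /dev/net/tun, and the documented remedy is "persist-tun" and "persist-key" in the config so the device and key material stay open across restarts. Check that the node exists with the right major/minor (the "mknod /dev/net/tun c 10 200" step) and leave it at root 0600.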

September 01, 2006, at 03:06 AM by mwester -- Fixed width problem in formatting
Changed lines 63-65 from:
              ** I got the "./clean-all" to run by running ". ./clean-all" (I had set all permissions to rwx on the executing folder and parents. I had also added the executing folder to the path. That may also be necessary). Also need to run "ipkg install openssl" to get ". ./build-ca" to work.
to:
  • I got the "./clean-all" to run by running ". ./clean-all" (I had set all permissions to rwx on the executing folder and parents. I had also added the executing folder to the path. That may also be necessary). Also need to run "ipkg install openssl" to get ". ./build-ca" to work.
July 13, 2006, at 10:47 PM by metamind --
Changed lines 107-110 from:

(currently working on firewall settings to get tap service to work)

to:

Add the following to allow ping etc.:

  1. openVpn

$IPT -A INPUT -i tun+ -j ACCEPT $IPT -A OUTPUT -o tun+ -j ACCEPT

  1. $IPT -A FORWARD -i tun+ -j ACCEPT

$IPT -A INPUT -i tap+ -j ACCEPT

  1. $IPT -A OUTPUT -o tap+ -j ACCEPT
  2. $IPT -A FORWARD -i tap+ -j ACCEPT
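Review bot: the "1." and "2." numbering is wiki rendering of lines that begin with "#", so "$IPT -A FORWARD -i tun+ -j ACCEPT" and the two tap OUTPUT/FORWARD rules are commented out as posted; only the INPUT/OUTPUT rules for tun+ and the INPUT rule for tap+ are active, which lets the VPN peer reach the NSLU2 itself but forwards nothing to the LAN. If the FORWARD rule is enabled it accepts everything arriving from tun+ regardless of destination, and it has no counterpart for replies leaving through tun+ ("-o tun+"), which the base ruleset must cover with an ESTABLISHED,RELATED rule. Narrowing it with "-d 192.168.1.0/24", or better the specific hosts and ports the client needs, keeps the tunnel from being a route to the whole LAN.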
July 11, 2006, at 09:00 AM by metamind -- server firewall settings
Changed lines 104-105 from:
to:

**note**: If using iptables firewall add:

     "$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 1194 -j ACCEPT"

under "# udp_inbound chain" to enable the initialization (currently working on firewall settings to get tap service to work)

July 10, 2006, at 11:01 PM by metamind --
Changed lines 63-65 from:
              I tried this and spent about an hour trying to get the commands to run. I got the "./clean-all" to run (I think) by running ". ./clean-all" (by this stage I had set all permissions to rwx on the executing folder and parents. I had also added the executing folder to the path. That may also be necessary). However ". ./build-ca" errored with "openssl: No such file or directory". I will try doing this on windows.
to:
              ** I got the "./clean-all" to run by running ". ./clean-all" (I had set all permissions to rwx on the executing folder and parents. I had also added the executing folder to the path. That may also be necessary). Also need to run "ipkg install openssl" to get ". ./build-ca" to work.
July 10, 2006, at 10:41 PM by metamind --
Changed lines 63-66 from:
  -  I tried this and spent about an hour trying to get the commands to run. I got the "./clean-all" to run (I think) by running ". ./clean-all" (by this stage I had set all permissions to rwx on the executing folder and parents. I had also added the executing folder to the path. That may also be necessary). However ". ./build-ca" errored with "openssl: No such file or directory". I will try doing this on windows.
to:
              I tried this and spent about an hour trying to get the commands to run. I got the "./clean-all" to run (I think) by running ". ./clean-all" (by this stage I had set all permissions to rwx on the executing folder and parents. I had also added the executing folder to the path. That may also be necessary). However ". ./build-ca" errored with "openssl: No such file or directory". I will try doing this on windows.
July 10, 2006, at 10:40 PM by metamind -- Trouble generating certificates on the slug
Changed lines 64-66 from:
to:
  -  I tried this and spent about an hour trying to get the commands to run. I got the "./clean-all" to run (I think) by running ". ./clean-all" (by this stage I had set all permissions to rwx on the executing folder and parents. I had also added the executing folder to the path. That may also be necessary). However ". ./build-ca" errored with "openssl: No such file or directory". I will try doing this on windows.
November 13, 2005, at 12:21 PM by MattMcNeill -- Building the keys on your slug
Changed lines 62-64 from:
to:

**note**: If you wish to do this on your nslu2, download the latest source package from http://openvpn.net/download.html (get the *.tar.gz package) and extract it into a temporary folder using tar -zxvf <downloaded file name> and copy the easy-rsa/2.0/ folder to your openvpn folder and rename it easy-rsa. You can then run all the key preparation commands on your slug.

October 11, 2005, at 04:10 PM by caplink811 --
Added line 130:
October 11, 2005, at 04:09 PM by caplink811 -- add a hint
Changed lines 129-130 from:

Don't forget to chmod +x /opt/etc/init.d/S24openvpn -- Jelle

to:

Don't forget to chmod +x /opt/etc/init.d/S24openvpn -- Jelle And don't forget to set the right shell in openvpn.up, which defaults to /bin/bash. Better is #!/bin/sh, or if installed #!/opt/bin/bash -- Caplink811

October 01, 2005, at 10:36 PM by Jelle -- chmod +x init.d/***
Added lines 128-129:

Don't forget to chmod +x /opt/etc/init.d/S24openvpn -- Jelle

August 10, 2005, at 07:55 PM by polarisdb --
Changed lines 70-72 from:

**note**: In my case, I copied ca.crt, ca.key, dh1024.pem, server.crt, and server.key to /opt/etc/openvpn/easy-rsa/keys.

to:

**note**: In my case, I copied ca.crt, ca.key, dh1024.pem, server.crt, server.key, 01.pem, 02.pem, 03.pem, and 04.pem to /opt/etc/openvpn/easy-rsa/keys.

August 08, 2005, at 05:27 PM by ingeba -- Fixed up fonts and backslashes
Changed lines 70-72 from:

**note**: In my case, I copied ca.crt, ca.key, dh1024.pem, server.crt, and server.key to /opt/etc/openvpn/easy-rsa/keys.

to:

**note**: In my case, I copied ca.crt, ca.key, dh1024.pem, server.crt, and server.key to /opt/etc/openvpn/easy-rsa/keys.

Changed lines 121-122 from:
 /opt/sbin/openvpn --cd /opt/etc/openvpn --daemon 
--log-append /var/log/openvpn.log \\
to:
 /opt/sbin/openvpn --cd /opt/etc/openvpn --daemon \
  --log-append /var/log/openvpn.log \
August 08, 2005, at 05:24 PM by ingeba -- First howto entry based on notes from Steve
Added lines 1-127:

OpenVPN server setup

This is a brief howto about the steps required to get OpenVPN up and running on an Unslung-5.5 NSLU2.

The OpenVPN 2.0 HOWTO is an excellent reference for this process: http://openvpn.net/howto.html.

1. Install OpenVPN software on the NSLU2

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 # ipkg -force-depends install openvpn
 Installing openvpn (2.0_rc17-3) to root...
 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/cross/openvpn_2.0_rc17-3_armeb.ipk
 Installing openssl (0.9.7d-3) to root...
 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/cross/openssl_0.9.7d-3_armeb.ipk
 Installing lzo (1.08-2) to root...
 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/cross/lzo_1.08-2_armeb.ipk
 Installing kernel-module-tun (2.4.22.l2.3r29-r2) to root... 
 Downloading http://ipkg.nslu2-linux.org/feeds/unslung/oe/kernel-module-tun_2.4.22.l2.3r29-r2_nslu2.ipk
 Configuring kernel-module-tun
 Configuring lzo
 Configuring openssl
 Configuring openvpn
 Collected errors:
 Warning: Cannot satisfy the following dependencies for openvpn:
          update-modules kernel-image-2.4.22-xfs

(:tableend:) **note**: The dependencies warning can be disregarded.

2. Configure the NSLU2 box for OpenVPN support

Create the TUN device node:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 # mkdir /dev/net
 # mknod /dev/net/tun c 10 200

(:tableend:)

Load the TUN/TAP kernel module:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 # insmod tun
 Using /lib/modules/2.4.22-xfs/kernel/drivers/net/tun.o

(:tableend:)

Enable routing:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 # echo 1 > /proc/sys/net/ipv4/ip_forward

(:tableend:)

3. Follow the directions in the OpenVPN 2.0 HOWTO to for instructions on generating certificates and keys for the OpenVPN server and client(s) at http://openvpn.net/howto.html#pki

**note**: Since the OpenVPN ipk for the NSLU2 is a bare-bones distribution, I did this work on an existing Red Hat Linux server.

4. Create directory /opt/etc/openvpn/easy-rsa/keysCopy on the NSLU2 and copy the server key files there.

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 # mkdir -p /opt/etc/openvpn/easy-rsa/keys

(:tableend:)

**note**: In my case, I copied ca.crt, ca.key, dh1024.pem, server.crt, and server.key to /opt/etc/openvpn/easy-rsa/keys.

5. Follow the directions in the OpenVPN 2.0 HOWTO to create configuration files for server and client(s)on http://openvpn.net/howto.html#config

**note**: I created /opt/etc/openvpn/server.conf on my NSLU2.

6. Start the OpenVPN server process from the command line to test connectivity in accordance with the OpenVPN 2.0 HOWTO reference at http://openvpn.net/howto.html#start

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 # /opt/sbin/openvpn /opt/etc/openvpn/server.conf
 Mon Aug  8 11:21:08 2005 OpenVPN 2.0_rc17 armv5b-softfloat-linux [SSL] [LZO] built on Jul 27 2005
 Mon Aug  8 11:21:08 2005 WARNING: --keepalive option is missing from server config
 Mon Aug  8 11:21:09 2005 Diffie-Hellman initialized with 1024 bit key
 Mon Aug  8 11:21:09 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
 Mon Aug  8 11:21:09 2005 TUN/TAP device tun0 opened
 Mon Aug  8 11:21:09 2005 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
 Mon Aug  8 11:21:09 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
 Mon Aug  8 11:21:09 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
 Mon Aug  8 11:21:09 2005 GID set to nobody Mon Aug  8 11:21:09 2005 UID set to nobody
 Mon Aug  8 11:21:09 2005 UDPv4 link local (bound): [undef]:1194
 Mon Aug  8 11:21:09 2005 UDPv4 link remote: [undef]
 Mon Aug  8 11:21:09 2005 MULTI: multi_init called, r=256 v=256
 Mon Aug  8 11:21:09 2005 IFCONFIG POOL: base=10.8.0.4 size=62
 Mon Aug  8 11:21:09 2005 IFCONFIG POOL LIST Mon Aug  8 11:21:09 2005 client1,10.8.0.4
 Mon Aug  8 11:21:09 2005 Initialization Sequence Completed

(:tableend:)

7. Once everything is working properly, configure /opt/etc/init.d/S24openvpn to automatically start the OpenVPN server processes at boot time.

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 ###################################################
 #!/bin/sh

 if [ -n "`pidof openvpn`" ]; then 
    /bin/killall openvpn 2>/dev/null
 fi

 # load TUN/TAP kernel module
 /sbin/insmod tun

 # enable IP forwarding
 echo 1 > /proc/sys/net/ipv4/ip_forward

 # Startup VPN tunnel in daemon mode
 /opt/sbin/openvpn --cd /opt/etc/openvpn --daemon 
--log-append /var/log/openvpn.log
--config server.conf ###################################################

(:tableend:)

-- Steve
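Review bot: as rendered, the S24openvpn script's "--log-append" and "--config server.conf" lines carry no trailing backslash, so the shell would run "/opt/sbin/openvpn --cd /opt/etc/openvpn --daemon" by itself (with no config file) and then try to execute "--log-append ..." as a command; the wiki markup swallowed the continuation characters, and the next revision ("Fixed up fonts and backslashes") restores them. Two smaller points: the "###" lines are table decoration, so "#!/bin/sh" must be the first line of the file; and the test run's "WARNING: --keepalive option is missing from server config" is worth acting on ("keepalive 10 120" as in the OpenVPN 2.0 HOWTO server.conf), since without it a client that drops off the network is never detected. The note in step 4 copies ca.key to the server; the later notes on this page explain why it should stay off the box.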

August 08, 2005, at 03:54 PM by polarisdb --
Deleted lines 0-1:

This is a brief howto about the steps required to get OpenVPN? up and running on an Unslung-5.5 NSLU2.

August 08, 2005, at 03:50 PM by polarisdb --
Added lines 1-2:

This is a brief howto about the steps required to get OpenVPN? up and running on an Unslung-5.5 NSLU2.

Last edited by t-bon3.
Based on work by RobHam, Marcelo Vianna, zouzou, Trurl, maxfantuznet, FBi, mwester, metamind, MattMcNeill, caplink811, Jelle, polarisdb, and ingeba.
Originally by polarisdb.
Page last modified on January 20, 2011, at 02:44 PM