
OpenVPN Tap Mode

Preface: This was done using 4.8 Beta SlugOS/BE, Kernel 2.6.21.7

We will be setting up OpenVPN in TAP mode, which gives each VPN client a virtual Ethernet connection onto the LAN. This comes in very handy when you have Windows/Samba shares to reach, and also when you want to reach other boxes on the network.

Install Kernel Modules

 
 # ipkg install kernel-module-bridge
 # ipkg install bridge-utils
 # ipkg install kernel-module-tun

Load Kernel Modules

 
 # echo 1 > /proc/sys/net/ipv4/ip_forward
 # update-modules
 # modprobe bridge
 # modprobe tun

 **Note** You may need to copy the bridge module to the correct folder
 
 # echo 1 > /proc/sys/net/ipv4/ip_forward
 # cp /lib/modules/2.6.21.7/kernel/net/bridge/bridge.ko /lib/modules/2.6.21.7/kernel/drivers/net/
 # update-modules
 # modprobe bridge

Install OpenVPN and Friends

 
 # ipkg install openssl
 # ipkg install liblzo1
 # ipkg install openvpn

Generating Certificates

Download Generation Tools

 **Note** Find the latest version at http://openvpn.net/index.php/downloads.html
 
 # cd ~
 # wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
 # mkdir OpenVPN_sandbox
 # tar -zxvf openvpn-2.0.9.tar.gz -C OpenVPN_sandbox

Create Keys

 **Note** You will need at least two very strong passphrases, and one more for each client that will connect to the VPN. I recommend using https://www.grc.com/passwords.htm to generate strong random passwords. Also note that the running server only needs ca.crt (that is all server.conf references); ca.key is only used to sign new certificates, so keep it somewhere safer than the VPN server's key directory if you can.
 
 # cd OpenVPN_sandbox/openvpn-2.0.9/easy-rsa/2.0
 # . ./vars
 # . ./clean-all
 # . ./build-ca
 # . ./build-key-server server
 # . ./build-key-pass client1
 # . ./build-dh
 # cd keys
 # mkdir server
 # mkdir clients
 # cp ca.crt server
 # cp ca.crt clients
 # cp ca.key server
 # cp dh1024.pem server
 # cp server.crt server
 # cp server.key server
 # cp client1.crt clients
 # cp client1.key clients

Create Config Files

server.conf

 
# OpenVPN server in bridged (TAP) mode. All paths refer to the files copied
# into .../keys/server by the easy-rsa steps above.
port 1194
proto udp
# tap0 is created by bridge-start and attached to br0 before OpenVPN runs.
dev tap0
ca /etc/openvpn/easy-rsa/keys/server/ca.crt
cert /etc/openvpn/easy-rsa/keys/server/server.crt
key /etc/openvpn/easy-rsa/keys/server/server.key
# 1024-bit DH group produced by build-dh; small by today's standards.
dh /etc/openvpn/easy-rsa/keys/server/dh1024.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt
# Gateway/netmask are br0's address from bridge-start; clients are handed
# 192.168.1.250-254 directly on the LAN segment. Keep that range outside
# the pool of any DHCP server on the same network.
server-bridge 192.168.1.77 255.255.255.0 192.168.1.250 192.168.1.254
# WINS server for Windows clients (presumably the Samba host) — confirm.
push "dhcp-option WINS 192.168.1.77"
keepalive 10 120
comp-lzo
# Drop privileges after startup; persist-key/persist-tun let the unprivileged
# process survive SIGUSR1 restarts without re-reading keys or reopening tap0.
# NOTE(review): confirm a group named 'nobody' exists on this system; many
# distributions call it 'nogroup'.
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
# NOTE(review): no tls-auth key is configured, so the UDP port will process
# any unauthenticated handshake attempt; an HMAC firewall (tls-auth) shared
# by server and clients is the usual mitigation.

client.conf (*.ovpn)

 
# OpenVPN client configuration (Windows, saved as *.ovpn). Mirrors the
# server: TAP device, UDP, LZO compression.
client
dev tap
proto udp
# Replace the placeholder with the server's public hostname or IP;
# the port matches server.conf.
remote YOUR-SERVER-NAME-HERE 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Backslashes are doubled because the paths are inside double quotes.
# client1.key was generated with build-key-pass, so its passphrase is
# requested when connecting.
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\client1.crt"
key "C:\\Program Files\\OpenVPN\\config\\client1.key"
comp-lzo
verb 3
# NOTE(review): nothing here checks that the peer certificate is the
# server's, so another client certificate from the same CA could pose as
# the server. OpenVPN's ns-cert-type server (remote-cert-tls server in
# newer releases) restricts that; confirm the server certificate carries
# the extension that build-key-server sets.

Bridge-Startup Script "/etc/openvpn/bridge-scripts/bridge-start"

 
#!/bin/sh
#
# bridge-start: build an Ethernet bridge that joins the physical NIC and the
# OpenVPN TAP device(s), then move the host's IP address from the NIC onto
# the bridge. Requires bridge-utils (brctl) and the openvpn binary.
#
# Every VPN client attached to a bridged TAP becomes a full layer-2 member
# of the LAN segment behind eth0 (same broadcast domain as the local boxes).

# Name of the bridge interface.
br="br0"

# Whitespace-separated list of TAP devices to bridge, e.g. tap="tap0 tap1".
# It is deliberately expanded unquoted so the list splits into one word per
# device.
tap="tap0"

# Physical interface and the address the bridge takes over from it.
# eth_ip should agree with the gateway given to server-bridge in server.conf.
eth="eth0"
eth_ip="192.168.1.77"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"
eth_default_gateway="192.168.1.99"

# Create each persistent TAP device so it exists before OpenVPN is started.
create_taps() {
  for dev in $tap; do
    openvpn --mktun --dev "$dev"
  done
}

# Create the bridge and attach the physical NIC and every TAP device to it.
build_bridge() {
  brctl addbr "$br"
  brctl addif "$br" "$eth"
  for dev in $tap; do
    brctl addif "$br" "$dev"
  done
}

# Bring the member ports up with no address of their own and in promiscuous
# mode (the bridge must see frames for every MAC on the segment), then give
# the bridge itself the host address and the default route.
configure_addresses() {
  for dev in $tap; do
    ifconfig "$dev" 0.0.0.0 promisc up
  done
  ifconfig "$eth" 0.0.0.0 promisc up
  ifconfig "$br" "$eth_ip" netmask "$eth_netmask" broadcast "$eth_broadcast"
  route add default gw "$eth_default_gateway"
}

create_taps
build_bridge
configure_addresses

VPN Startup Script "/etc/openvpn/startup"

 
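#!/bin/sh
#
# startup: (re)start the bridged OpenVPN server. Stops any running openvpn,
# loads the tun and bridge modules, enables IP forwarding, builds the bridge
# with bridge-start and finally starts the daemon through the init script.
# Must run as root.

# Stop a previous instance first. killall only *sends* the signal and returns
# at once, so wait (up to ~10 s) for the old daemon to exit and release tap0;
# otherwise bridge-start and the init script race against a process that is
# still shutting down.
if [ -n "$(pidof openvpn)" ]; then
  /bin/killall openvpn 2>/dev/null
  waited=0
  while [ -n "$(pidof openvpn)" ] && [ "$waited" -lt 10 ]; do
    sleep 1
    waited=$((waited + 1))
  done
fi

# Load the TUN/TAP and bridge kernel modules.
/sbin/modprobe tun
/sbin/modprobe bridge

# Enable IPv4 forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Build br0 from eth0 and tap0 (bridge-start), then start the OpenVPN daemon
# via its init script.
/etc/openvpn/bridge-scripts/./bridge-start
/etc/init.d/openvpn start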

Last edited by Lajasha.
Originally by Lajasha.
Page last modified on March 19, 2008, at 04:50 AM