Daily Archives: August 28, 2009

openvpn server on a linksys-wrt54gl

First, install DD-WRT (the VPN edition) on the router.

Next, install OpenVPN on a “real” computer to get access to the OpenVPN tools, and use them to build the keys.

In Debian, do it like this:

cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/

# edit vars to reflect reality, then
. ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-key client2   # Etc, for other clients
./build-dh

Paste the certs and keys into the web interface like this (DD-WRT field on the left, easy-rsa file on the right):

Public Server Cert            > ca.crt
Certificate Revoke List (CRL) > (blank)
Public Client Cert            > server.crt
Private Client Key            > server.key
DH PEM                        > dh1024.pem
OpenVPN Config                > (see below)
OpenVPN TLS Auth              > (blank)
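Before the files from the key-build steps go into those fields, it is worth checking that they belong together: the web interface will accept any PEM you paste, and a server.crt paired with the wrong key, or a cert built with build-key instead of build-key-server, only shows up as failed client connections later. The script below is an added example, not code from the original post or from easy-rsa. It assumes openssl is on PATH and the easy-rsa 2.0 output layout (keys/ca.crt, keys/server.crt, keys/server.key, keys/dh1024.pem); the function name check_server_pki is mine.

```shell
#!/bin/sh
# Added example, not code from the original post or from easy-rsa: sanity-check
# the server-side files easy-rsa produced before they are pasted into the
# router's web interface. Assumes openssl on PATH and the easy-rsa 2.0 output
# layout (keys/ca.crt, keys/server.crt, keys/server.key, keys/dh1024.pem).

# check_server_pki CA CERT KEY [DH]
# Returns 0 only when CERT verifies against CA, KEY is the private key that
# belongs to CERT, CERT carries the TLS Web Server Authentication extended key
# usage (what the client's "remote-cert-tls server" line will check), and the
# optional DH parameter file parses. Each failure is named on stderr.
check_server_pki() {
    ca=$1; cert=$2; key=$3; dh=$4

    # 1. The server certificate must chain to the CA that goes into the
    #    "Public Server Cert" field; otherwise no client will ever connect.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "check_server_pki: $cert does not verify against $ca" >&2
        return 1
    fi

    # 2. The public key inside the certificate must equal the one derived from
    #    the private key. Pasting client1.key next to server.crt is the classic
    #    mix-up and fails this test.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "check_server_pki: $key is not the private key for $cert" >&2
        return 1
    fi

    # 3. build-key-server marks the cert with extendedKeyUsage=serverAuth; a
    #    cert made with plain build-key lacks it and is refused by clients
    #    that use "remote-cert-tls server".
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null \
            | grep -q 'TLS Web Server Authentication'; then
        echo "check_server_pki: $cert lacks the TLS Web Server Authentication EKU" >&2
        return 1
    fi

    # 4. DH parameters, if given, must be a usable PEM file.
    if [ -n "$dh" ] && ! openssl dhparam -in "$dh" -noout -check >/dev/null 2>&1; then
        echo "check_server_pki: $dh is not a valid DH parameter file" >&2
        return 1
    fi
    return 0
}

# Usage from the easy-rsa 2.0 directory, after build-dh has finished:
#   sh check_pki.sh keys/ca.crt keys/server.crt keys/server.key keys/dh1024.pem
if [ "$#" -ge 3 ]; then
    check_server_pki "$@"
fi
```

Run it once per file set; a zero exit status means the four fields (ca.crt, server.crt, server.key, dh1024.pem) are consistent with each other, and the same function works for a client bundle if you drop the EKU step.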

This is the server config file. It hands out VPN addresses in the 192.168.66.0/24 range and assumes the LAN is 192.168.1.0/24:

push "route 192.168.1.0 255.255.255.0"
server 192.168.66.0 255.255.255.0

dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

Next, tweak iptables (Administration->Commands->Firewall):

# Replace 1194 with your OpenVPN port number:
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT

# Replace 192.168.66.0/24 with your OpenVPN server subnet, this must match the scope from vpnconfig:
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT

# These next two lines may or may not be necessary.
# I did not need them, but others did.
# Thus, include them so that this works for more people:
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

That should be it for the server. Next up is the client config file.

remote <IP or host> 1194

client
remote-cert-tls server
dev tun0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
float

ca ca.crt
cert client1.crt
key client1.key

The float option is necessary for a routed OpenVPN setup.

EDIT:

When pasting stuff in the web interface on the router, make sure your browser doesn’t fuck up the EOLs (line endings)!
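Line endings are not the only thing a browser or editor mangles on the way to the router: curly quotes around the pushed route and double dashes collapsed into en dashes in the iptables lines are just as common, and OpenVPN and iptables reject both without a useful message in the DD-WRT UI. The script below is an added example, not code from the original post. It assumes only POSIX sh with tr, sed and grep; the function names and the sample inputs (the post's server config and firewall snippet, deliberately mangled) are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: clean up an OpenVPN config or
# the iptables snippet before pasting it into the DD-WRT web interface, and
# refuse it if anything survived that OpenVPN or iptables would choke on.
# Assumes only POSIX sh plus tr, sed and grep; all sample input is constructed.

# normalize_config FILE
# Prints FILE with CR/CRLF line endings turned into LF and the typographic
# characters that browsers and word processors like to substitute (curly
# quotes, en dashes) folded back into the ASCII the router needs.
normalize_config() {
    tr -d '\r' < "$1" | LC_ALL=C sed \
        -e 's/“/"/g' -e 's/”/"/g' \
        -e "s/‘/'/g" -e "s/’/'/g" \
        -e 's/–/--/g'
}

# check_ascii FILE
# Returns 0 if FILE holds only printable ASCII, tabs and LF. A leftover CR or
# non-ASCII byte is reported and returns 1: a curly quote in push "route ..."
# or an en dash in --dport silently breaks the directive once on the router.
check_ascii() {
    if LC_ALL=C grep -q "$(printf '\r')" "$1"; then
        echo "check_ascii: CR line endings in $1" >&2
        return 1
    fi
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$1"; then
        echo "check_ascii: non-ASCII bytes in $1" >&2
        return 1
    fi
    return 0
}

# check_server_config FILE
# Returns 0 when every directive the DD-WRT server setup in the post relies on
# is present (server, dev, proto, ca, cert, key, dh); names the missing ones.
check_server_config() {
    rc=0
    for directive in server dev proto ca cert key dh; do
        if ! grep -q "^$directive " "$1"; then
            echo "check_server_config: missing directive '$directive'" >&2
            rc=1
        fi
    done
    return $rc
}

# lint_for_router SRC DST
# Normalises SRC into DST and returns the combined result of both checks.
lint_for_router() {
    normalize_config "$1" > "$2" && check_ascii "$2" && check_server_config "$2"
}

# Constructed sample: the post's server config the way a browser might hand it
# back, with CRLF line endings and curly quotes around the pushed route.
sample_pasted_config() {
    printf 'push \342\200\234route 192.168.1.0 255.255.255.0\342\200\235\r\n'
    printf 'server 192.168.66.0 255.255.255.0\r\n'
    printf 'dev tun0\r\nproto udp\r\nkeepalive 10 120\r\n'
    printf 'dh /tmp/openvpn/dh.pem\r\nca /tmp/openvpn/ca.crt\r\n'
    printf 'cert /tmp/openvpn/cert.pem\r\nkey /tmp/openvpn/key.pem\r\n'
}

# Constructed sample: the firewall snippet with the double dashes collapsed
# into en dashes, which iptables rejects as an unknown option.
sample_pasted_firewall() {
    printf 'iptables -I INPUT 1 -p udp \342\200\223dport 1194 -j ACCEPT\r\n'
    printf 'iptables -I FORWARD 1 \342\200\223source 192.168.66.0/24 -j ACCEPT\r\n'
}

# Usage: sh lint.sh pasted.conf clean.conf
if [ "$#" -eq 2 ]; then
    lint_for_router "$1" "$2"
fi
```

Run it on whatever you are about to paste and paste the cleaned file instead; for the firewall snippet use normalize_config and check_ascii on their own, since check_server_config only knows the OpenVPN directives.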