Thread: VPN help
Originally Posted by DragonsLee:
Hey could you post how you setup your router. I have the same one with DD-wrt V23 SP2 VPN firmware installed. I would like to get the vpn working with the N800.

Under the "Administration" tab, go to "Commands". Put in something like the following and click "Save Startup":
# create the tap interface, attach it to the LAN bridge and bring it up
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
echo "-----BEGIN CERTIFICATE-----
....................
-----END CERTIFICATE-----" > /tmp/server.crt
echo "-----BEGIN RSA PRIVATE KEY-----
....................
-----END RSA PRIVATE KEY-----" > /tmp/server.key
echo "-----BEGIN CERTIFICATE-----
....................
-----END CERTIFICATE-----" > /tmp/CA.crt
echo "-----BEGIN DH PARAMETERS-----
....................
-----END DH PARAMETERS-----" > /tmp/dh2048.pem
echo "server-bridge 172.31.1.1 255.255.255.0 172.31.1.21 172.31.1.29
port 1194
dev tap0
client-to-client
push \"ping 30\"
push \"ping-restart 130\"
push \"mute 20\"
push \"persist-key\"
push \"persist-tun\"
dh /tmp/dh2048.pem
ca /tmp/CA.crt
cert /tmp/server.crt
key /tmp/server.key
verb 3
keepalive 30 130
float
mute 10
comp-lzo
persist-key
persist-tun" > /tmp/openvpn.conf
# run the server through a symlink (see the note below about DD-WRT hangs)
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --config /tmp/openvpn.conf &
You will of course put your own information in there for the public key, private key, CA certificate, and Diffie-Hellman parameters in place of the "....................". Just cut and paste out of your cert/key files and paste the text in. You will also need to change any of the particulars in that config file to fit your own setup--things like setting your own IPs/netmask in the "server-bridge" section and whatever. The "172.31.1.1" address refers to my router throughout. You can also add and delete other options if you want.

If you're paying attention, this method echoes all the important information (certificates, keys, config files) into new files each time the router boots. This is because there is no good place to save the actual files on the router--no persistent memory that's accessible. The last little bit about creating a symlink and running your VPN process from the symlink is to address a problem that DD-WRT has (or used to have?) where the process would mysteriously hang.

Then after you've done that, you need to configure the router's firewall to accept packets on port 1194 (unless you changed the port for some reason, of course). Put the following into the same box on that page (now empty) and click "Save Firewall":
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
After that, you're done. Reboot the router and you should have a live OpenVPN server. If you don't know how to create certificate/key pairs, CA certs/keys or DH params, then read the man page for openssl. You can even install openssl on your N800 and do all this without a full-size computer. But if you have a desktop handy, there are good programs for managing your Certificate Authorities, as that can get messy if you have more than just a few clients connecting.

Also, keep in mind that the "redirect-gateway def1" option is something that goes in the client config file, not on the server side. The server doesn't care if you're routing your internet traffic through it or not--at least as far as the openvpn config file goes.

Alright, to forestall another question asking for it, here's an example client config file that I have on my N800:
remote (your public IP or domain name here)
ns-cert-type server
client
dev tap
ca /etc/openvpn/CA.crt
cert /etc/openvpn/n800.crt
key /etc/openvpn/n800.key
float
log /var/log/openvpn.log
status /var/log/openvpn-status.log
comp-lzo
route-gateway 172.31.1.1
redirect-gateway def1 # (this is optional and is used when you want all your traffic to go through the VPN.)
Ok, that's all for now. I hope it all works for you.


Ryan Wright

Last edited by rrwright; 2007-09-13 at 01:45.
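The post's server and client configs have to agree on several points (tap on both ends, comp-lzo on both ends, the port, and "redirect-gateway" living only on the client side) before the bridge will come up. The following checker is an added example, not code from the post or from DD-WRT/OpenVPN: it parses a pair of OpenVPN config files and reports inconsistencies. The two embedded configs are constructed from the post's examples, and "vpn.example.net" and the certificate paths are placeholders.

```python
import ipaddress
import shlex

# Constructed sample configs modelled on the post's server and client files;
# the hostname and certificate paths are placeholders, not real files.
SERVER_CONF = """\
server-bridge 172.31.1.1 255.255.255.0 172.31.1.21 172.31.1.29
port 1194
dev tap0
client-to-client
push "ping 30"
push "ping-restart 130"
push "persist-key"
push "persist-tun"
dh /tmp/dh2048.pem
ca /tmp/CA.crt
cert /tmp/server.crt
key /tmp/server.key
keepalive 30 130
float
comp-lzo
persist-key
persist-tun
"""

CLIENT_CONF = """\
remote vpn.example.net
ns-cert-type server
client
dev tap
ca /etc/openvpn/CA.crt
cert /etc/openvpn/n800.crt
key /etc/openvpn/n800.key
float
comp-lzo
route-gateway 172.31.1.1
redirect-gateway def1 # optional: send all traffic through the VPN
"""


def parse_openvpn_conf(text):
    """Parse an OpenVPN config into {option: [arg-list, ...]}.
    Handles quoted arguments (push "ping 30") and '#' / ';' comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def dev_type(opts):
    """'tap0', 'tap', 'tun1' -> 'tap' / 'tun'; None if there is no dev line."""
    devs = opts.get("dev")
    if not devs or not devs[0]:
        return None
    return devs[0][0].rstrip("0123456789")


def check_pair(server_text, client_text):
    """Return a list of findings for a server/client pair; empty means consistent."""
    s, c = parse_openvpn_conf(server_text), parse_openvpn_conf(client_text)
    findings = []

    # Bridging needs tap on both ends; tun/tap mismatch is a silent failure.
    if dev_type(s) != dev_type(c):
        findings.append("dev type mismatch: server=%s client=%s" % (dev_type(s), dev_type(c)))

    # comp-lzo must be configured on both sides or on neither.
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        findings.append("comp-lzo set on only one side")

    # server-bridge: gateway, netmask, pool start/end must form a sane subnet.
    if "server-bridge" in s:
        gw, mask, start, end = s["server-bridge"][0][:4]
        net = ipaddress.IPv4Network("%s/%s" % (gw, mask), strict=False)
        gw_ip, start_ip, end_ip = (ipaddress.IPv4Address(x) for x in (gw, start, end))
        if start_ip > end_ip:
            findings.append("server-bridge pool start is after pool end")
        if not (start_ip in net and end_ip in net):
            findings.append("server-bridge pool lies outside %s" % net)
        if start_ip <= gw_ip <= end_ip:
            findings.append("server-bridge gateway %s sits inside the client pool" % gw)

    # redirect-gateway is a client-side option (as the post says); server modes are server-side.
    if "redirect-gateway" in s:
        findings.append("redirect-gateway belongs in the client config, not the server")
    if "server-bridge" in c or "server" in c:
        findings.append("server-side option found in client config")

    # Client 'remote host [port]' defaults to 1194 and must equal the server 'port'.
    server_port = int(s["port"][0][0]) if "port" in s else 1194
    remote = c.get("remote", [[]])[0]
    client_port = int(remote[1]) if len(remote) > 1 else 1194
    if server_port != client_port:
        findings.append("port mismatch: server=%d client=%d" % (server_port, client_port))

    # Certificate material must be named on both ends, DH params on the server.
    for side, o in (("server", s), ("client", c)):
        for opt in ("ca", "cert", "key"):
            if opt not in o:
                findings.append("%s config lacks '%s'" % (side, opt))
    if "dh" not in s:
        findings.append("server config lacks 'dh'")
    return findings


if __name__ == "__main__":
    for line in check_pair(SERVER_CONF, CLIENT_CONF) or ["no inconsistencies found"]:
        print(line)
```

Run it against your own files by reading them in place of the two constructed strings; the checks only cover the options used in the post, so extend check_pair() for anything else you add to your configs.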