I finally got around to documenting my WRT54G/OpenWrt OpenVPN server and a notebook Win2K OpenVPN client in one spot. Lacking is key generation. I think I used about every security option there is, though.
I don't have a full understanding of cert and key files - but client keys were all generated at the same time as the server and each end should have the minimum files required. I generated more keys than I'll ever use long ago using Win2K command-line easy-rsa in version 2.0.5. I understand new key file formats may be used now and the GUI is much easier to use.
This particular configuration has been used for over a year with much success and remained virtually identical on RC4/5/6/0.9. I recall user and group 'nobody' and 'nogroup' may have been an issue on RC4(?). OpenVPN itself started at 2.0.5, which is what I still run on the Win2K notebook.
From hotspots and hotels anywhere in the world my Win2K notebook can connect and behave as if it were plugged into my LAN, including internet access out my LAN gateway. It uses my LAN DNS server, too. If you don't have a LAN DNS server I think you should be able to push your ISP's DNS the same way. I wanted nothing, including DNS, to be public and I watched it several times to be sure *everything* was through the tunnel and added a note about TAP networking order in Win2K to accomplish this.
This is a BRIDGED configuration. If you just want to connect to the OpenVPN server and not become an IP on an existing LAN then this configuration is not for you.
Linux clients and Windows servers should be very similar.
I like to convey important things rather than a "do this" HowTo format. For example, you can use chmod or WinSCP to set x permissions for the startup file /etc/init.d/S70openvpnserver.
I've munged most filenames to generic ones and carefully altered addresses (these are not my real LAN addresses). I hope there are no errors. My goal is to get this down for any discussions.
First, the WRT54G Server...
*** OpenVPN Server on OpenWrt 0.9
OpenVPN 2.0.8-1
Webif response when installing...
Installing openvpn (2.0.8-1) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/openvpn_2.0.8-1_mipsel.ipk
Installing kmod-tun (2.4.30-brcm-5) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/kmod-tun_2.4.30-brcm-5_mipsel.ipk
Installing libopenssl (0.9.8d-1) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/libopenssl_0.9.8d-1_mipsel.ipk
Installing liblzo (2.02-1) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/liblzo_2.02-1_mipsel.ipk
Configuring kmod-tun
Configuring liblzo
Configuring libopenssl
Configuring openvpn
Successfully terminated.
Server configuration file
LAN is currently 192.168.34.0/24
OpenVPN clients will be assigned 192.168.34.21-25
Existing LAN gateway is 192.168.34.1
Existing LAN DNS server is 192.168.34.55
/tmp/log/openvpn.log is very helpful
/etc/openvpn/server.conf
daemon
port (MyOpenVPNPort)
proto udp
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server01.crt
key /etc/openvpn/keys/server01.key
dh /etc/openvpn/keys/dh1024.pem
# server-bridge <gateway> <netmask> <pool start> <pool end>: clients get a LAN address from the pool
server-bridge 192.168.34.1 255.255.255.0 192.168.34.21 192.168.34.25
push "route 192.168.34.0 255.255.255.0"
# send ALL client traffic (not just LAN traffic) through the tunnel
push "redirect-gateway"
push "dhcp-option DNS 192.168.34.55"
keepalive 10 120
# HMAC-sign every control-channel packet; key direction 0 here, 1 on the client
tls-auth /etc/openvpn/keys/ta.key 0
cipher BF-CBC
comp-lzo
# drop root privileges after startup; persist-key/persist-tun let restarts work without them
user nobody
group nogroup
persist-key
persist-tun
max-clients 5
log-append /tmp/log/openvpn.log
verb 4
All keys generated on Win2K per: http://openvpn.net/howto.html
All files set rw------- to avoid security/permissions warnings
/etc/openvpn/keys/server01.crt
/etc/openvpn/keys/server01.key
/etc/openvpn/keys/ca.crt
/etc/openvpn/keys/ca.key
/etc/openvpn/keys/dh1024.pem
/etc/openvpn/keys/ta.key
Startup script set rwxr-xr-x
Creates tap0, adds it to the bridge and brings it up
The '&' may be redundant since the config has the 'daemon' option
Run manually for debugging
/etc/init.d/S70openvpnserver
#!/bin/sh
# OpenVPN Startup
killall -q openvpn
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 up
openvpn /etc/openvpn/server.conf &
As a simple AP on my LAN (no WAN configured):
Forward UDP port (MyOpenVPNPort) to the WRT54G's LAN address at the main router.
If this WRT54G is the main router:
The WAN firewall must be set to 'accept' UDP (MyOpenVPNPort)
Now for the Win2K client...
*** OpenVPN Client on Win2K - version is 2.0.5 with GUI
TAP interface created per HowTo
All keys generated on Win2K per: http://openvpn.net/howto.html
C:\Program Files\OpenVPN\keys\ca.crt
C:\Program Files\OpenVPN\keys\notebook.crt
C:\Program Files\OpenVPN\keys\notebook.key
C:\Program Files\OpenVPN\keys\ta.key
Config file
C:\Program Files\OpenVPN\config\client.ovpn
client
dev tap
proto udp
remote (MyPublicAddress) (MyOpenVPNPort)
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\keys\\notebook.crt"
key "C:\\Program Files\\OpenVPN\\keys\\notebook.key"
# require the server's certificate to carry nsCertType=server, so another
# client certificate signed by the same CA cannot be used to impersonate the server
ns-cert-type server
# same ta.key as the server, key direction 1 (the server uses 0)
tls-auth "C:\\Program Files\\OpenVPN\\keys\\ta.key" 1
cipher BF-CBC
comp-lzo
verb 3
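Several settings in server.conf and client.ovpn above have to agree exactly (tls-auth key direction, cipher, comp-lzo) and the bridge pool must not collide with the LAN gateway or the pushed DNS address. The following checker is an added example, not part of the original post; it works on constructed copies of the relevant lines from both configs and the placeholder paths are the post's own.

```python
"""Added example (not from the post): check that the constructed copies of server.conf and client.ovpn below agree."""
import ipaddress, shlex
SERVER_CONF = r"""dev tap0
server-bridge 192.168.34.1 255.255.255.0 192.168.34.21 192.168.34.25
push "dhcp-option DNS 192.168.34.55"
tls-auth /etc/openvpn/keys/ta.key 0
cipher BF-CBC
comp-lzo
"""
CLIENT_OVPN = r"""dev tap
ns-cert-type server
tls-auth "C:\\Program Files\\OpenVPN\\keys\\ta.key" 1
cipher BF-CBC
comp-lzo
"""

def parse(text):
    """Map each directive to its args (quoted args stay whole); push lines accumulate."""
    opts = {"push": []}
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line:
            tok = shlex.split(line)
            if tok[0] == "push": opts["push"].append(tok[1])
            else: opts[tok[0]] = tok[1:]
    return opts

def check_pair(server_text, client_text):
    """Return the problems found; an empty list means the two configs are consistent."""
    s, c, problems = parse(server_text), parse(client_text), []
    sd, cd = s.get("tls-auth"), c.get("tls-auth")
    if sd is None or cd is None:
        problems.append("tls-auth missing on one side (no HMAC check on control packets)")
    elif {a[1] if len(a) > 1 else None for a in (sd, cd)} not in ({"0", "1"}, {None}):
        problems.append("tls-auth key directions must be 0 on the server and 1 on the client")
    for name in ("cipher", "comp-lzo"):       # both ends must use the same values
        if s.get(name) != c.get(name):
            problems.append(name + " differs between server and client")
    if c.get("ns-cert-type") != ["server"]:   # client must verify the server cert's role
        problems.append("client lacks 'ns-cert-type server'")
    if "server-bridge" in s:                   # pool inside the LAN, clear of gateway/DNS
        gw, mask, lo, hi = s["server-bridge"]
        lan = ipaddress.ip_network("%s/%s" % (gw, mask), strict=False)
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        used = {ipaddress.ip_address(gw)} | {ipaddress.ip_address(p.split()[-1])
                                             for p in s["push"] if p.startswith("dhcp-option DNS")}
        if lo not in lan or hi not in lan or lo > hi:
            problems.append("server-bridge pool outside the LAN or reversed")
        if any(lo <= ip <= hi for ip in used):
            problems.append("server-bridge pool overlaps the gateway or DNS address")
    return problems
```

Run check_pair on the real files before each change to the pair; a non-empty list is a handshake that will fail or a check that was silently dropped.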
It is important when connecting via a public hotspot to place the TAP interface at top priority.
This forces the remote DNS server on the LAN to be used instead of the hotspot's local DNS.
This is in Win2K Networking Properties: Advanced -> Advanced Settings under "Connections".
The client CANNOT connect successfully when already on the LAN.
All Comments Welcomed.
(Last edited by Bill_MI on 25 Feb 2007, 23:39)