Unfortunately no one can be told what fun_plug is - you have to see it for yourself.
Hi Audrey,
Glad you got it working and thanks for confirmation that the echo command works - still haven't got around to testing that myself!
Haydn.
Offline
HaydnH, any plans to recompile OpenVPN using 2.1_rc7 code base?
Offline
Unfortunately I have no time to compile all the betas as well as releases unless there is a specific reason for doing so (i.e. something broken in the last release). Hopefully I'll have more time soon.
Haydn.
Offline
does anybody have any openvpn config files (ie client & server) that they can share - preferably where the dns323 is behind a router and where the client connects using a dyndns address? I have tried the examples on the openvpn website and have not managed to get it working consistently yet, I keep getting
"WARNING: 'ifconfig' is used inconsistently, local='ifconfig 10.8.0.2 10.8.0.1', remote='ifconfig 10.8.0.1 10.8.0.2'"
thanks
lu
Offline
Here are some basic config files to get you started. Note that you'd need to generate appropriate server and client keys in order to get this to work.
server.conf
local <your DNS-323 IP>
port <your DNS-323 port> #forward this port on your router
proto udp
;dev tap
dev tun0
tls-server
tls-auth ta.key 0 # server
# root certificates
ca etc/ca.crt
dh etc/dh1024.pem
# server certificates
cert etc/dns323.crt
key etc/dns323.key # server
server 10.10.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
push "dhcp-option DNS 10.0.0.1"
# direct all traffic through VPN
;push "redirect-gateway"
;ifconfig-pool-persist ip.lst
# allow clients to be able to "see" each other.
client-to-client
# allow multiple clients to connect
duplicate-cn
keepalive 10 120
# extra security
;cipher BF-CBC # Blowfish
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# enable compression on the VPN link.
comp-lzo
max-clients 10
persist-key
persist-tun
;verb 3
;status openvpn-status.log
client.ovpn
remote <DNS-323 IP or ddns address> <port #>
dev tun
;dev tap
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
# server security
tls-client
tls-auth ta.key 1
# mute repeated wireless packets
mute-replay-warnings
# connection keys
ca keys/ca.crt
# unique client keys
cert keys/client.crt
key keys/client.key
# ensure connection to a server
ns-cert-type server
# cryptographic cipher.
;cipher AES-128-CBC
# enable compression
comp-lzo
;verb 3
Last edited by andrey (2008-06-18 20:14:09)
Offline
Thanks for these. Do you have an example which uses a simple static key? I want to get as simple an example as possible working before I use certificates (also the compiled version HaydnH made available doesn't contain what is necessary to build the certificates, ... or does it? I think the same is true of the optware openvpn package - ie I can't find build-key / build-key-server etc). I modified your example, thus:
local 192.168.1.2
port 1194
proto udp
dev tun0
server 10.10.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
push "dhcp-option DNS 10.0.0.1"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
secret static.key
but openvpn won't run - it complains "Options error: --server and --secret cannot be used together (you must use SSL/TLS keys)"
thanks
lu
Offline
lu,
You're correct, HaydnH doesn't contain necessary files to compile certificate keys. I would suggest installing "etch" debian for that. However, I'm not sure how efficient VPN will be without any security so to speak.
If you'd like to eliminate certificates, simply comment them out from configuration that I posted earlier.
Offline
andrey wrote:
If you'd like to eliminate certificates, simply comment them out from configuration that I posted earlier.
I removed them entirely (as per my repost of your config), but what do I do about the "server 10.10.0.0 255.255.255.0" line - that is what openvpn is complaining about as I have added "secret static.key" in place of the certificate entries?
thanks
lu
Offline
you shouldn't have "secret static.key" option enabled since you haven't compiled the keys, comment it out.
Offline
Hi, noob here.
How would you generate the keys mentioned here? Also, the key mentions etc/ca.crt and etc/key. Does that mean that I need to put the keys there once I am able to generate them?
Thanks.
Offline
Sinobato,
To generate keys you would need to install debian "etch" (see my post above or Wiki), install OpenVPN there using 'apt-get install openvpn', generate keys that way and copy them into your working OpenVPN folder. Perhaps that's not the simplest way, but it works.
-- Andrey
Offline
Andrey,
I have another box with Ubuntu x86 installed. Can I use it and install OpenVPN and generate the keys there, and just copy the keys to my DNS-323 OpenVPN folder? That way, I don't have to install Debian on the NAS?
Offline
about the keys - I have generated the key by
./openvpn --genkey --secret static.key
(as per openvpn documentation)
then copied the key to both the client & server, so afaik the entry to the key in the config is ok, but then that still leaves the problem of the "server 10.10.0.0 255.255.255.0" line.
thanks
lu
Offline
@luusac: You can't use a server parameter and a static key at the same time. They are mutually exclusive.
@andrey: Are you sure the push-route and push-dhcp commands are being processed? The reason I ask is that there is no "pull" in your client config file. From OpenVPN 2.0.x Manual:
--push option
Push a config file option back to the client for remote execution. Note that option must be enclosed in double quotes (""). The client must specify --pull in its config file.
(emphasis added)
The reason I ask is that I am trying to view the rest of my network. VPN works, but I can only see the DNS-323, and nothing else. I've executed the echo ip forwarding command, and verified it is set correctly with cat. Still no luck.
Server config:
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
# Use compression on the VPN link
comp-lzo
# Make the link more resistant to connection failures
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
Client config:
remote ip.add.censored.here 1194
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
# Use compression on the VPN link
comp-lzo
# Make the link more resistant to connection failures
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
# Allow client to reach entire server subnet
;route 192.168.0.0 255.255.255.0
;route add -net 192.168.0.2 netmask 255.255.255.0 gw 10.8.0.1
;route 10.8.0.0 255.255.255.0 192.168.0.2
(note the 3 of many failed route params)
Any suggestions?
Last edited by halfsoul (2008-10-12 16:14:00)
Offline
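The option mismatches raised in the posts above (`server` combined with `secret`, `push` without `pull` on the client, `ifconfig` endpoints that must be swapped between peers, and a static-key client with no active `route`) can be checked mechanically. This is an added example, not part of the original thread; the function names are hypothetical and the sample configs are constructed from the ones quoted above.

```python
import shlex

def parse(conf):
    """Map each active directive to the list of its argument lists."""
    opts = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # OpenVPN comments start with # or ;
            continue
        words = shlex.split(line, comments=True)
        if words:
            opts.setdefault(words[0], []).append(words[1:])
    return opts

def lint_pair(server_conf, client_conf):
    """Return findings for the four mismatches discussed in this thread."""
    srv, cli = parse(server_conf), parse(client_conf)
    out = []
    for side, o in (("server", srv), ("client", cli)):
        if "secret" in o and "server" in o:
            out.append(f"{side}: 'server' requires TLS mode and cannot be combined with 'secret'")
    if "push" in srv and not {"pull", "client"} & cli.keys():
        out.append("client: server uses 'push' but client has neither 'pull' nor 'client'")
    if "ifconfig" in srv and "ifconfig" in cli:
        s, c = srv["ifconfig"][0][:2], cli["ifconfig"][0][:2]
        if s != c[::-1]:                     # peers must list the endpoints swapped
            out.append(f"ifconfig not mirrored: server {s}, client {c}")
    if "secret" in cli and "route" not in cli:
        out.append("client: static-key tunnel with no 'route'; only the peer address is routed")
    return out

# Constructed sample input, abbreviated from the configs quoted in the thread.
LUUSAC_SERVER = """\
local 192.168.1.2
port 1194
dev tun0
server 10.10.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
secret static.key
"""
ANDREY_CLIENT = "dev tun\nproto udp\ntls-client\nca keys/ca.crt\n"
HALFSOUL_SERVER = "dev tun\nifconfig 10.8.0.1 10.8.0.2\nsecret static.key\n"
HALFSOUL_CLIENT = ("dev tun\nifconfig 10.8.0.2 10.8.0.1\nsecret static.key\n"
                   ";route 192.168.0.0 255.255.255.0\n")

if __name__ == "__main__":
    for pair in ((LUUSAC_SERVER, ANDREY_CLIENT), (HALFSOUL_SERVER, HALFSOUL_CLIENT)):
        print("\n".join(lint_pair(*pair)) or "no findings")
```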
maybe useful:
openvpn portable
http://sourceforge.net/projects/ovpnp
Offline
mastervol wrote:
maybe useful:
openvpn portable
http://sourceforge.net/projects/ovpnp
What is the advantage of this over the normal OpenVPN GUI? I couldn't get very much info from the short sourceforge description.
Offline
I have built openvpn but it did not build the kernel module.
Do I have to recompile the kernel and upgrade the one in my dns-313?
I have no clue how to config the kernel on it; it's not a PC.
or is the kernel config extractable from the old kernel?
(I tried downloading the package here but it tells me invalid module format)
Last edited by eak (2008-11-05 18:55:59)
Offline
halfsoul wrote:
mastervol wrote:
maybe useful:
openvpn portable
http://sourceforge.net/projects/ovpnp
What is the advantage of this over the normal OpenVPN GUI? I couldn't get very much info from the short sourceforge description.
you don't have to install openvpn portable.
my guess is you have to install openvpn gui in order to use it.
Last edited by mastervol (2008-12-30 19:38:08)
Offline
Hey all,
I've been trying to get this working on my DNS-321 all day but to no avail. After downloading and extracting the tarball, I simply cannot run openvpn: I always get the error message
./openvpn: ./openvpn: cannot execute binary file
"file ./openvpn" shows me:
./openvpn: ELF 32-bit LSB executable, ARM, version 1, dynamically linked (uses shared libs), stripped
Any ideas why I can't get this to execute?
I've thus far successfully setup Transmission, Subversion, vsftpd, lighttpd...this is the only one i can't seem to crack...
Last edited by metal450 (2009-05-02 05:28:41)
Offline
it could be that it won't work on the 321 having been compiled for the 323. It may be a library issue... You could try compiling it yourself on the 321.
Offline
>>it could be that it won't work on the 321 having been compiled for the 323.
Hmm, I'd thought of that, but seems somehow unlikely as every other binary i've tried that was compiled for the 323 worked perfectly...
>>It may be a library issue...
I'd think this is the most likely issue, although I'm not really experienced enough in Linux to figure out the issue - I haven't programmed on linux since college, 10 years ago... Do you (or anyone) by chance know of any way i could determine this, i.e. get more specific error message, etc?
>>You could try compiling it yourself on the 321.
I'd thought of that also, and tried to figure out if i could "easily" compile just by installing gcc and make, but the following thread scared me a little bit: seems like getting a build environment setup on this thing is damn complex. Am i wrong? (http://dns323.kood.org/howto:crosscompile)
Offline
(Or, if anyone who's successfully built OpenVPN for this device might be able to give me a quick rundown on how, i'd be MUCH appreciative )
Offline
metal450 wrote:
I'd think this is the most likely issue, although I'm not really experienced enough in Linux to figure out the issue - I haven't programmed on linux since college, 10 years ago... Do you (or anyone) by chance know of any way i could determine this, i.e. get more specific error message, etc?
strace ./openvpn
?
metal450 wrote:
>>You could try compiling it yourself on the 321.
I'd thought of that also, and tried to figure out if i could "easily" compile just by installing gcc and make, but the following thread scared me a little bit: seems like getting a build environment setup on this thing is damn complex. Am i wrong? (http://dns323.kood.org/howto:crosscompile)
The page you refer to is about *cross* compiling - i.e. compiling on one platform to execute on another platform - e.g. compile source on an x86 machine (PC) to produce an executable that will run on the arm (321) architecture. What you can do as an alternative, is compile natively - i.e. compile on the machine that you want to run the software on (321)
You would need to install more than gcc and make, but I think it is straightforward enough - search the forums to determine what you need. I haven't done it myself, but I think Fonz provides all of the packages that you need for native compilation (you need to download them and install them under ffp).
Last edited by luusac (2009-05-03 05:41:51)
Offline
luusac wrote:
strace ./openvpn
?
it says execve("./openvpn", ["./openvpn"], [/* 18 vars */]) = -1 ENOENT (No such file or directory)
...Which is obviously weird, but about on par with this error in general. Calling "./openvpn" results in "./openvpn: No such file or directory", and "bash ./openvpn" says "cannot execute binary file".
luusac wrote:
The page you refer to is about *cross* compiling - i.e. compiling on one platform to execute on another platform.
Aha!! Thanx for the tip...I'll look into this too (if u have no other ideas regarding the above!)
Offline
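An ENOENT from execve() on a file that exists, as in the strace output above, is what the kernel returns when the dynamic loader named in the binary's PT_INTERP program header is not present on the system. The following added example (not from the thread) reads that path out of an ELF file so it can be compared with what is installed on the device; the function names are hypothetical, and the sample header and loader path are constructed.

```python
import os
import struct

PT_INTERP = 3  # program-header type that names the dynamic loader

def elf_interpreter(data):
    """Return the PT_INTERP path of an ELF image, or None (static or not ELF)."""
    if data[:4] != b"\x7fELF":
        return None
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    e = "<" if data[5] == 1 else ">"         # EI_DATA: 1 = little-endian
    if is64:
        phoff, = struct.unpack_from(e + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(e + "HH", data, 0x36)
    else:
        phoff, = struct.unpack_from(e + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(e + "HH", data, 0x2A)
    fmt, o_off, o_sz = ("Q", 8, 32) if is64 else ("I", 4, 16)
    for i in range(phnum):
        off = phoff + i * phentsize
        if struct.unpack_from(e + "I", data, off)[0] != PT_INTERP:
            continue
        p_off, = struct.unpack_from(e + fmt, data, off + o_off)
        p_sz, = struct.unpack_from(e + fmt, data, off + o_sz)
        return data[p_off:p_off + p_sz].rstrip(b"\0").decode()
    return None

def diagnose(data, exists=os.path.exists):
    """Explain whether the loader requested by the binary is available."""
    interp = elf_interpreter(data)
    if interp is None:
        return "no PT_INTERP: static binary or not an ELF file"
    if not exists(interp):
        return f"loader {interp} missing: execve() fails with ENOENT"
    return f"loader {interp} present: check the shared libraries next"

def sample_elf32(interp):
    """Constructed 32-bit little-endian ARM header with a single PT_INTERP entry."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 40, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    n = len(interp) + 1
    phdr = struct.pack("<IIIIIIII", PT_INTERP, 84, 0, 0, n, n, 4, 1)
    return hdr + phdr + interp + b"\0"

if __name__ == "__main__":
    import sys
    sample = sample_elf32(b"/lib/ld-linux.so.3")  # constructed loader path
    print(diagnose(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample))
```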
Got it to compile! Thanx for the tip...it was way simpler than I expected
Basically, all I had to do was install the required packages (http://www.shadowandy.net/2008/08/addin … ns-323.htm), run ./configure, and make!
Offline