openvpn (wiki page revision 2011/09/21 17:14)
OpenVPN configuration information is here:
http://openvpn.net/index.php/open-source/documentation/howto.html
**read it!**

Also look at the forum post http://forum.dsmg600.info/t1495-Compiled-Working%3A-OpenVPN.html

Here is a quick guide for funpkg (YMMV).

==server==
get the funpkg openvpn package from http://ffp.wolf-u.li/additional/net-misc/
<code>wget http://ffp.wolf-u.li/additional/net-misc/openvpn-2.2.1-2.tgz</code>
install the package on your NAS
<code>funpkg -i openvpn-2.2.1-2.tgz</code>
create the certificates and keys on a fast computer with //openvpn// installed; I did this on my ubuntu 11.04 box
<code>cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ~/openvpn_certificates
cd ~/openvpn_certificates</code>
edit the //./vars// file to your liking and load the variables. Set KEY_SIZE to at least 2048 there: the default is 1024, which is too small today. //build-dh// names its output after that size (//dh2048.pem//), and the //dh// line in the server config below must use the same name.
<code>. ./vars</code>
clean data
<code>./clean-all</code>
build the certificate authority
<code>./build-ca</code>
now build the key for the server (your NAS) and sign its certificate
<code>./build-key-server server</code>
and for a client (and sign its certificate)
<code>./build-key client</code>
and for another client
<code>./build-key phone</code>
build the [[http://www.rsa.com/rsalabs/node.asp?id=2248|diffie-hellman]] parameters
<code>./build-dh</code>
now you have all the files you need in // ~/openvpn_certificates/keys //

copy the following files to the NAS and put them for example in // /ffp/etc/openvpn // (the server config references //server.crt//, so it has to come along)
<code>ca.crt server.crt server.key dh1024.pem</code>
do **not** copy //ca.key//: it is the CA's private key, anyone holding it can issue certificates your server will accept, and the server never needs it. Keep it (and the whole easy-rsa directory) on the signing machine, and make //server.key// on the NAS readable by root only.
now create an openvpn config file, for example // /ffp/etc/openvpn.conf //
<code>
port 1194
proto udp
dev tun

# certificate chain of the server; server.key must stay readable by root only
ca /ffp/etc/openvpn/ca.crt
cert /ffp/etc/openvpn/server.crt
key /ffp/etc/openvpn/server.key # This file should be kept secret
dh /ffp/etc/openvpn/dh1024.pem # file name follows KEY_SIZE in the easy-rsa vars

# VPN subnet; the openvpn server will be on 10.8.0.1, clients get the rest
server 10.8.0.0 255.255.255.0

# remember client addresses across restarts, and list connected clients
ifconfig-pool-persist ipp.txt
status openvpn-status.log

# ping every 10 s, consider the peer dead after 120 s of silence
keepalive 10 120
# compression; must be set identically on the client side
comp-lzo
# keep the key and the tun device across restarts (needed once privileges are dropped)
persist-key
persist-tun

verb 3
</code>
for more info on configuring openvpn look at
http://openvpn.net/index.php/open-source/documentation/howto.html#server

two things the HOWTO's sample server config has that this one does not: //user nobody// and //group nobody// (check //etc/group// on the NAS for the group name that exists there) make openvpn drop root after startup, which is what //persist-key// and //persist-tun// are there for; and //tls-auth// with a shared HMAC key makes the server discard packets from anyone who does not have that key before the TLS handshake even starts.

for the openvpn server to work, the //tun.ko// kernel module must be loaded; unfortunately there is a small error in the funpkg package (the module lands in the wrong directory), so
<code>mv /ffp/lib/modules/kernel/2.6.12.6-arm1/tun.ko /ffp/lib/modules/kernel/2.6.12.6-arm1/drivers/net/tun.ko</code>

now try the openvpn server in the foreground
<code>sh /ffp/start/openvpn.sh debug</code>
if it works, stop it and start it as a daemon
<code>ctrl+c
sh /ffp/start/openvpn.sh start</code>

if you want openvpn to start at boot, make the start script executable (fun_plug only runs executable scripts in /ffp/start)
<code> chmod 755 /ffp/start/openvpn.sh</code>

==client==

configuring the client will not be described here in detail, but you need the following files from //~/openvpn_certificates/keys// on your openvpn client
<code>ca.crt client.crt client.key</code>
//my// client configuration looks like this
<code>
client
dev tun
proto udp
remote [server ip or hostname] 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ~/openvpn/ca.crt
cert ~/openvpn/client.crt
key ~/openvpn/client.key
comp-lzo
</code>
again, for detailed information look at http://openvpn.net/index.php/open-source/documentation/howto.html#client

note that, as written, the client accepts any certificate signed by your CA as the server, so a leaked //client.key// or //phone.key// could be used to impersonate the NAS; adding //remote-cert-tls server// (OpenVPN 2.1 and later, //ns-cert-type server// on older versions) makes the client insist on a certificate built with //build-key-server//, which the //build-key// client certificates are not.

if you want to reach your NAS from outside your network, do not forget to forward UDP port 1194 (or whichever port you have chosen) on your router to the NAS

if everything goes all right, your NAS will be reachable at 10.8.0.1 once the client is connected; test it for example with
<code>ping 10.8.0.1</code>

note: if the network you connect from already uses //10.8.0.*//, routing will be messed up, so it can be convenient to choose a less common address for your VPN, for example //10.161.80.*// (change the //server// line in the server config accordingly)
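As an added check, the script below is a small offline linter, written for this page and not part of OpenVPN, easy-rsa or the NAS package, that parses the server and client configs above and flags the hardening points the OpenVPN HOWTO recommends: no privilege drop on the server, no server-certificate check on the client, compression, a 1024-bit DH file and no tls-auth. The directives it names are real OpenVPN 2.x directives; the rule codes and advice texts are its own, the two page configs are embedded as sample input (blank lines removed), and the hardened variants assume a //ta.key// generated with //openvpn --genkey --secret ta.key// and copied to both ends.

```python
# Added example for this page: an offline linter for OpenVPN 2.x configs, not
# part of OpenVPN, easy-rsa or the NAS package. The directives it mentions are
# real OpenVPN 2.x directives; the rule codes and advice text are its own.
import re

def parse_config(text):
    """Return [(directive, [args])]; '#'/';' comments and blank lines dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # also strips the page's inline comment
        if not line or line.startswith(";"):
            continue
        tokens = line.split()
        entries.append((tokens[0], tokens[1:]))
    return entries

def is_client_config(entries):
    """Client configs carry 'client' or 'remote' and no 'server' directive."""
    names = {d for d, _ in entries}
    return "server" not in names and ("client" in names or "remote" in names)

def lint_openvpn(text):
    """Return [(code, advice)] for a server or client config; [] means clean."""
    entries = parse_config(text)
    names = {d for d, _ in entries}
    args = dict(entries)  # last occurrence wins; only 'dh' is read below
    findings = []
    if is_client_config(entries):
        # Without this, any cert signed by the CA (a leaked client cert
        # included) is accepted as the server.
        if "remote-cert-tls" not in names and "ns-cert-type" not in names:
            findings.append(("no-server-cert-check",
                "add 'remote-cert-tls server' (OpenVPN 2.1+; 'ns-cert-type server' before)"))
    elif "user" not in names or "group" not in names:
        # Otherwise openvpn keeps root for its whole lifetime.
        findings.append(("no-priv-drop",
            "add 'user nobody' and 'group nobody' (keep persist-key/persist-tun)"))
    if "comp-lzo" in names or "compress" in names:
        findings.append(("compression",
            "compressing tunnelled traffic leaks plaintext (VORACLE); leave it off"))
    dh = args.get("dh")
    if dh:
        m = re.search(r"(\d+)\.pem$", dh[0])
        if m and int(m.group(1)) < 2048:
            findings.append(("weak-dh",
                f"'dh {dh[0]}' is {m.group(1)}-bit; set KEY_SIZE=2048 in vars and rerun build-dh"))
    if "tls-auth" not in names and "tls-crypt" not in names:
        findings.append(("no-tls-auth",
            "add 'tls-auth ta.key 0' (server) / 'tls-auth ta.key 1' (client), key from "
            "'openvpn --genkey --secret ta.key', so packets without the HMAC are dropped early"))
    return findings

# Sample input: the two configs from the page above (blank lines removed).
PAGE_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /ffp/etc/openvpn/ca.crt
cert /ffp/etc/openvpn/server.crt
key /ffp/etc/openvpn/server.key # This file should be kept secret
dh /ffp/etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
status openvpn-status.log
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
"""
PAGE_CLIENT_CONF = """\
client
dev tun
proto udp
remote [server ip or hostname] 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ~/openvpn/ca.crt
cert ~/openvpn/client.crt
key ~/openvpn/client.key
comp-lzo
"""
# Hardened variants (this example's suggestion); ta.key is assumed generated
# with 'openvpn --genkey --secret ta.key' and copied to both ends.
HARDENED_SERVER_CONF = (PAGE_SERVER_CONF.replace("dh1024.pem", "dh2048.pem")
                        .replace("comp-lzo\n", "")
                        + "user nobody\ngroup nobody\ntls-auth /ffp/etc/openvpn/ta.key 0\n")
HARDENED_CLIENT_CONF = (PAGE_CLIENT_CONF.replace("comp-lzo\n", "")
                        + "remote-cert-tls server\ntls-auth ~/openvpn/ta.key 1\n")

if __name__ == "__main__":
    for name, conf in [("page server", PAGE_SERVER_CONF), ("page client", PAGE_CLIENT_CONF),
                       ("hardened server", HARDENED_SERVER_CONF), ("hardened client", HARDENED_CLIENT_CONF)]:
        print(name + ":", lint_openvpn(conf) or "clean")
```

Run it on the NAS side as well as on the client before going live; the page's server config trips four rules and the client config three, while the hardened variants come back clean. The `dh` rule only looks at the file name, as easy-rsa 2.0 names it, so a renamed file still needs a manual look.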