computing:vpnserver (wiki page revision created 2018/05/17 15:38 by oemb1905; the page was removed 2023/05/21 19:57 by oemb1905. The text below is the removed revision.)

-------------------------------------------
#
-------------------------------------------
In this tutorial, you will create a vpn server on a WNDR3800 router running openWRT.

https://

Get on the proper subnet, and stop the network-manager from hijacking the connection.

  sudo systemctl stop network-manager
  ip a a 192.168.1.105/

Put a paperclip in the reset button while the device is off. Keeping it in, turn the device on and wait for the flashing green light.

  ping 192.168.1.1

If you cannot successfully ping the router, then re-add your interface to the proper subnet and try again.

  curl -T ~/
Now that we have openWRT on the router, we should enable https for the web admin panel.

  opkg update
  opkg install luci-ssl
  nano /

In the config file, comment out the port 80 lines so that the web panel can no longer be reached over plain http (https only).

  /
Now that we have https, we can begin to set up the vpn server on the WNDR. Using the template files in the directory openvpnconfig,

  scp -r openvpnconfig root@[openwrt]:/
  ssh root@[openwrt]

Simplified instructions,

  wget https://

  opkg update
  opkg install zip openvpn-easy-rsa openvpn-openssl nano wget nmap tcpdump

  mv /
  mv /
  cd /etc/
  ln -s config/
  nano /
  nano /
  nano /

  build-ca
  build-dh [takes a long time]
  build-key-server server

You can alternately choose to build the dh key on the **//

  sudo openssl dhparam -out /
  scp /

You can now use the script contained in the template directory that you zipped earlier to create your client keys and config file; you are back on the **//

  /

Or, if you did not use the template directory and the script, then change the vars file each time you need a key with the parameters that you desire, and then build the key, crt, and ca manually:

  nano /
  pkitool [username]

If you chose not to use the template and script, then on each client you will need to create a config file with something like the following parameters; adjust these parameters as needed:

  nano /

  nobind
  float
  comp-lzo
  cipher AES-256-CBC
  dev tun
  remote xx.xx.xx.xx 1194 udp
  client
  tls-exit
  ca ca.crt
  cert <
  key <
  remote-cert-tls server
  mute 5
  resolv-retry infinite
  #
  keepalive 10 60
  ping-timer-rem
  persist-tun
  persist-key
  #
You are now ready to set up the interfaces and firewall zones for the router using the web panel. First confirm that the openvpn service is running:

  /
  ps | grep openvpn
  1314 root 3896 S /
  31296 root 1356 S grep openvpn

If you did not get this output, then you should debug your configuration by running openvpn against your server configuration as follows, and use the output it provides to determine what you did wrong.

  openvpn /

Now that the service is running and you have a client config, you can use the openWRT web page to create an interface and a firewall zone. Go to interfaces, add interface and name it VPN, select tun0 (unmanaged).

[five screenshots of the web panel steps omitted]

Now that you have a client configuration file set up, and the interfaces and firewall zones set up, you can install openvpn on your host and start the client, which performs the client-server handshake and brings up the openvpn connection.

  sudo apt install openvpn
  cd ~/
  sudo openvpn clientconfigname.ovpn

To enable TLS and separately to enable a strong cipher, use these settings in the server configuration.

  /
  tls-version-min 1.2
  tls-cipher
  cipher AES-256-CBC

Key permissions

640 for everything except the private key and 600 for that ...
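As an added example (not code from the original page), a small POSIX shell audit for the key-permission rule just stated: private keys must be mode 600 and everything else in the keys directory 640. It assumes private keys are named *.key (as easy-rsa names them) and takes the keys directory as an argument; the demo works on a constructed scratch directory rather than a real router.

```shell
# audit_key_perms DIR: check every regular file directly under DIR against
# the rule above: *.key (assumed private-key naming) must be 600, everything
# else (ca.crt, server.crt, dh*.pem) 640. Prints one line per offending file
# and returns the number of offenders (0 means the directory is clean).
audit_key_perms() {
    akp_dir=$1
    akp_bad=0
    for akp_f in "$akp_dir"/*; do
        [ -f "$akp_f" ] || continue
        case "$akp_f" in
            *.key) akp_want=600 ;;
            *)     akp_want=640 ;;
        esac
        akp_have=$(stat -c %a "$akp_f")
        if [ "$akp_have" != "$akp_want" ]; then
            echo "BAD  $akp_f mode=$akp_have want=$akp_want"
            akp_bad=$((akp_bad + 1))
        fi
    done
    return "$akp_bad"
}

# fix_key_perms DIR: apply the same rule (chmod 600 *.key, chmod 640 the rest).
fix_key_perms() {
    for fkp_f in "$1"/*; do
        [ -f "$fkp_f" ] || continue
        case "$fkp_f" in
            *.key) chmod 600 "$fkp_f" ;;
            *)     chmod 640 "$fkp_f" ;;
        esac
    done
}

# demo_key_perms: constructed scratch directory standing in for the keys
# directory, with the loose 644 modes a copy or unzip typically leaves behind.
demo_key_perms() {
    dkp_dir=$(mktemp -d)
    for dkp_n in ca.crt ca.key server.crt server.key dh2048.pem; do
        : > "$dkp_dir/$dkp_n"
        chmod 644 "$dkp_dir/$dkp_n"
    done
    echo "before fix:"
    audit_key_perms "$dkp_dir" || echo "$? file(s) need fixing"
    fix_key_perms "$dkp_dir"
    echo "after fix:"
    audit_key_perms "$dkp_dir" && echo "all modes OK"
    rm -rf "$dkp_dir"
}

demo_key_perms
```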