computing:vpnserver-wndr3800 [2024/01/07 19:08] – oemb1905 | computing:vpnserver-wndr3800 [2024/02/17 19:40] (current) – removed oemb1905 | ||
Line 1: | Line 1: | ||
- | ------------------------------------------- | ||
- | * **vpnserver-wndr3800** | ||
- | * **Jonathan Haack** | ||
- | * **Haack' | ||
- | * **netcmnd@jonathanhaack.com** | ||
- | ------------------------------------------- | ||
- | |||
- | // | ||
- | |||
- | ------------------------------------------- | ||
- | |||
- | This tutorial is for flashing a Netgear WNDR3800 router with openwrt and then building a vpn server on it with openvpn. | ||
- | |||
- | [[http:// | ||
- | |||
- | It is probably best to stop network manager; after that, assign a local ip address (on the same subnet as the router) to your network interface. | ||
- | |||
- | sudo systemctl stop network-manager | ||
- | ip a a 192.168.1.105/ | ||
- | |||
- | Put a paperclip in the reset button while device is off. Keeping the paperclick depressed in the reset button gently, turn the device on, keeping the paperclip in and depressed until there is a flashing green light. | ||
- | | ||
- | ping 192.168.1.1 | ||
- | sudo ethtool < | ||
- | |||
- | In the past, you would get a " | ||
- | |||
- | curl -T ~/ | ||
- | |||
- | After that, wait at least 5-10 minutes before attempting to log in to the device. In fact, before I log in, I prefer to shell into the router, update, install, and then upgrade all packages first. | ||
- | |||
- | ssh root@192.168.1.1 | ||
- | opkg update | ||
- | opkg install gzip openvpn-easy-rsa openvpn-openssl nano wget nmap tcpdump curl luci-ssl | ||
- | opkg list-upgradable | ||
- | opkg upgrade < | ||
- | | ||
- | Before I get any further, I like to set up https. | ||
- | | ||
- | nano / | ||
- | / | ||
- | |||
- | Now, let's create custom config directories for openvpn and easy-rsa so they behave better when we are faced with upgrading packages on the router. | ||
- | | ||
- | mkdir / | ||
- | mv / | ||
- | cd /etc/ | ||
- | ln -s config/ | ||
- | | ||
- | Now, let's enter the parameters on the vars file which determines how the openvpn server will be built, and also drives the default parameters for your client keys. I suggest editing the expiration date and the organization parameters (minimally). | ||
- | | ||
- | nano / | ||
- | | ||
- | Now, let's rename the original config file, and then create two custom configuration files as follows: | ||
- | | ||
- | mv / | ||
- | touch / | ||
- | touch / | ||
- | | ||
- | Examples of this .conf file can be found [[https:// | ||
- | | ||
- | ##/ | ||
- | package openvpn | ||
- | config openvpn < | ||
- | option enabled 1 | ||
- | option config / | ||
- | |||
- | In the second configuration file, do something like this. Remember to change all the < | ||
- | |||
- | float | ||
- | port 1194 | ||
- | proto udp | ||
- | dev tun | ||
- | cipher AES-256-CBC | ||
- | tls-version-min 1.2 | ||
- | tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384: | ||
- | dh | ||
- | ca | ||
- | key easy-rsa/ | ||
- | cert easy-rsa/ | ||
- | ifconfig-pool-persist / | ||
- | client-config-dir clients | ||
- | status / | ||
- | mode server | ||
- | tls-server | ||
- | topology subnet | ||
- | push " | ||
- | ifconfig < | ||
- | route-gateway < | ||
- | push " | ||
- | ifconfig-pool < | ||
- | push "route < | ||
- | |||
- | Once those configuration files are built, you can now create the certificate authority, the diffie-hellman key, and certificate/ | ||
- | | ||
- | cd / | ||
- | easyrsa --batch init-pki | ||
- | easyrsa --batch gen-dh | ||
- | easyrsa --batch build-ca nopass | ||
- | easyrsa --batch build-server-full < | ||
- | |||
- | Make sure that the name that you enter for < | ||
- | |||
- | sudo openssl dhparam -out / | ||
- | scp / | ||
- | |||
- | After this, it is now time to create your keypair and ca. You do that as follows: | ||
- | |||
- | easyrsa --batch build-client-full < | ||
- | | ||
- | It is now time to scp the key, certificate, | ||
- | |||
- | scp / | ||
- | | ||
- | Obviously, I am using an example home subnet here (10.10.10.0), | ||
- | | ||
- | cd ~ | ||
- | mkdir vpn-connection | ||
- | cd vpn-connection | ||
- | mv ~/ca.crt ~/ | ||
- | sudo chmod 600 server.key | ||
- | touch connect-to-vpn.ovpn | ||
- | sudo chmod 640 server.crt ca.crt connect-to-vpn.ovpn | ||
- | nano connect-to-vpn.ovpn | ||
- | | ||
- | In the config file, enter something like this: | ||
- | | ||
- | nobind | ||
- | float | ||
- | cipher AES-256-CBC | ||
- | dev tun | ||
- | remote < | ||
- | client | ||
- | tls-exit | ||
- | ca ca.crt | ||
- | cert < | ||
- | key < | ||
- | remote-cert-tls server | ||
- | mute 5 | ||
- | resolv-retry infinite | ||
- | # | ||
- | keepalive 10 60 | ||
- | ping-timer-rem | ||
- | persist-tun | ||
- | persist-key | ||
- | # | ||
- | |||
- | Now that your client workstation is ready to test the connection, we need to return to setting up the server. | ||
- | |||
- | / | ||
- | ps | grep openvpn | ||
- | 1314 root 3896 S / | ||
- | 31296 root 1356 S grep openvpn | ||
- | |||
- | This is the output you want, showing that the service is running. If you do not get this, then run openvpn against the configuration files on the router and/or check the logs to determine your error. | ||
- | |||
- | openvpn / | ||
- | |||
- | Now that the service is running, let's log in to the router and adjust the settings a bit. In your web browser, visit 192.168.1.1, | ||
- | |||
- | {{ : | ||
- | |||
- | It is now time to test the vpn server //from your client workstation//: | ||
- | |||
- | cd ~/ | ||
- | sudo openvpn connect-to-vpn.ovpn | ||
- | | ||
- | Since you did not suppress standard output, you should get the following the message, " | ||
- | |||
- | * [[https:// | ||
- | * [[https:// | ||
- | |||
- | -- -- -- -- -- | ||
- | |||
- | Thanks to Jason Schaefer and Geoff Chesshire from [[http:// | ||
- | |||
- | --- // |
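Review bot: `easyrsa --batch build-ca nopass` in the certificate-generation block leaves the CA private key unencrypted on the router itself, so anyone who obtains root on the WNDR3800 (a device that also exposes LuCI on the same box) can mint client certificates that this server will trust indefinitely, and the later `build-client-full` step shows the CA is used interactively from there. The page already offloads the slow `openssl dhparam` run to the workstation and copies the result in with `scp`; the same pattern fits the CA: run `init-pki`, `build-ca` (without `nopass`), `build-server-full` and `build-client-full` on the workstation, then copy only `ca.crt`, the server certificate/key and the DH file to `/etc/openvpn`, keeping `ca.key` off the router entirely. Separately, the server and client configs both pin `cipher AES-256-CBC`; on OpenVPN 2.4 and later that directive is superseded by `data-ciphers` (`ncp-ciphers` in 2.4), which lets both ends negotiate AES-256-GCM and avoids the deprecation warning on current `openvpn-openssl` packages, so it is worth noting which OpenVPN version the `opkg install` line is expected to pull in.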