1 OpenWrt
1.1 OpenVPN
1.1.1 setup
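opkg update
opkg install openvpn-openssl openvpn-easy-rsa
cd /etc/easy-rsa/ || exit 1
# Source the easy-rsa vars file FIRST: the stock easy-rsa 2 vars assigns every
# KEY_* variable with a plain `export KEY_...=`, so sourcing it after the
# site-specific values below would silently overwrite them (check your vars).
# (The original sourced /etc/easy-rsa/keys, which is the key directory, not vars.)
. /etc/easy-rsa/vars
export KEY_COUNTRY="CH"
export KEY_PROVINCE="SG"
export KEY_CITY="St. Gall"
export KEY_ORG="Bitbull Tech"
export KEY_EMAIL="crn@bitbull.ch"
export KEY_OU="Office"
export KEY_NAME="work.bitbull.ch"
export KEY_SIZE=2048              # RSA size for CA/server/client keys; also names the DH file below
# clean-all DELETES everything under $KEY_DIR — only run this on a fresh setup.
clean-all
pkitool --initca                  ## equivalent to the 'build-ca' script
pkitool --server fw3              ## equivalent to the 'build-key-server' script (adds the serverAuth EKU)
build-dh                          ## and grab some coffee
cd "$KEY_DIR" || exit 1
mkdir -p /etc/openvpn
# copy only what the daemon needs (not the .csr); the server key is secret
cp ca.crt fw3.crt fw3.key "dh${KEY_SIZE}.pem" /etc/openvpn/
chmod 600 /etc/openvpn/fw3.key
# NOTE: ca.key stays in $KEY_DIR on the router. Whoever compromises this box can
# then mint client certificates; keep an offline copy and consider moving the CA
# key off the firewall once the client certs are issued.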
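uci set network.vpn0=interface
uci set network.vpn0.ifname=tun0      # on OpenWrt 21.02+ the option is network.vpn0.device
uci set network.vpn0.proto=none
uci commit network; /etc/init.d/network reload
# Every uci argument containing @…[-1] or * is quoted: both are shell glob
# characters, and an unquoted `src=*` expands to the files in the current
# directory (which, after the setup steps, is the key directory).
uci add firewall rule
uci set 'firewall.@rule[-1].name=Allow-OpenVPN-Inbound'
uci set 'firewall.@rule[-1].target=ACCEPT'
uci set 'firewall.@rule[-1].src=*'
uci set 'firewall.@rule[-1].proto=udp'
uci set 'firewall.@rule[-1].dest_port=1194'
uci add firewall zone
uci set 'firewall.@zone[-1].name=vpn'
# input=ACCEPT lets VPN clients reach every service on the router itself
# (ssh, LuCI, dns…); set it to REJECT plus explicit rules if that is not wanted.
uci set 'firewall.@zone[-1].input=ACCEPT'
uci set 'firewall.@zone[-1].forward=ACCEPT'
uci set 'firewall.@zone[-1].output=ACCEPT'
uci set 'firewall.@zone[-1].network=vpn0'
# The zone's forward option only covers traffic between networks of the same
# zone; reaching the LAN that the server pushes (route 192.168.11.0/24, assumed
# to be the lan zone) needs an inter-zone forwarding. Drop this if clients
# should only ever talk to the router.
uci add firewall forwarding
uci set 'firewall.@forwarding[-1].src=vpn'
uci set 'firewall.@forwarding[-1].dest=lan'
uci commit firewall
/etc/init.d/firewall reload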
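config openvpn 'myvpn'
	option enabled '1'
	option dev 'tun'
	option proto 'udp'
	option log '/tmp/openvpn.log'
	option verb '3'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/fw3.crt'
	option key '/etc/openvpn/fw3.key'
	# Fixed: this read `clr_verify` pointing at keys/clr.pem. A misspelt option
	# is either rejected at startup or ignored — in both cases no CRL is ever
	# enforced and revoked clients keep connecting. Section 1.1.2 generates the
	# CRL and copies it to this path; openvpn expects the file to exist.
	option crl_verify '/etc/openvpn/crl.pem'
	option server '10.8.0.0 255.255.255.0'
	option port '1194'
	option keepalive '10 120'
	option dh '/etc/openvpn/dh2048.pem'
	# Drop root after the tunnel and keys are set up; persist_* keep the
	# process working across SIGUSR1 restarts once it can no longer re-open them.
	option user 'nobody'
	option group 'nogroup'
	option persist_key '1'
	option persist_tun '1'
	# Kept because the generated client profiles carry `comp-lzo`, but note
	# that compression inside the tunnel exposes traffic to VORACLE-style
	# attacks; prefer disabling it on server and clients together.
	option comp_lzo 'adaptive'
	# Hardening to consider (needs an extra shared key generated with
	# `openvpn --genkey`, distributed in every client profile):
	#   option tls_crypt '/etc/openvpn/ta.key'
	# and, to reject server-type certs presented as clients:
	#   option remote_cert_tls 'client'   (requires clientAuth EKU in client certs — confirm your openssl.cnf)
	list push 'route 192.168.11.0 255.255.255.0'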
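/etc/init.d/openvpn start
sleep 3
ps -w | grep '[o]penvpn'        # the [o] stops grep from matching its own command line
ifconfig tun0                   # errors out if the tunnel device was not created
netstat -anu | grep ':1194 '    # udp listener; trailing space avoids matching e.g. :11940
tail -n 50 /tmp/openvpn.log     # /tmp is tmpfs on OpenWrt: this log is gone after a reboot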
Helper script, saved as /etc/easy-rsa/keys/client-ovpn-create.sh (every profile it produces embeds that client's private key, so keep the directory root-only):
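#!/bin/sh
# client-ovpn-create.sh NAME
# Bundles ca.crt, NAME.crt and NAME.key (all read from the current directory,
# i.e. $KEY_DIR) into an inline profile NAME.ovpn.
# The profile contains the client's PRIVATE KEY: it is created mode 0600,
# must be handed over on a secure channel and should be deleted from the
# router afterwards.
if [ $# -ne 1 ]; then
	echo "usage: $0 <client-name>" >&2
	exit 1
fi
NAME=$1
CONF="$NAME.ovpn"
# fail early instead of writing a profile with empty <cert>/<key> sections
for f in ca.crt "$NAME.crt" "$NAME.key"; do
	[ -r "$f" ] || { echo "$0: cannot read $f" >&2; exit 1; }
done
if [ -e "$CONF" ]; then
	echo "$0: $CONF already exists, not overwriting" >&2
	exit 1
fi
umask 077   # the profile holds a private key: no group/world read bits
cat > "$CONF" <<EOF
client
dev tun
proto udp
remote myvpn.bitbull.ch 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a peer whose certificate carries the server EKU; without this
# any client certificate issued by the same CA could impersonate the server.
# Works because the server cert was built with `pkitool --server`.
remote-cert-tls server
comp-lzo
verb 3
<ca>
$(cat ca.crt)
</ca>
<cert>
$(cat "$NAME.crt")
</cert>
<key>
$(cat "$NAME.key")
</key>
EOF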
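# pkitool and the helper read/write relative to the key directory
cd "${KEY_DIR:?run '. /etc/easy-rsa/vars' first}" || exit 1
pkitool user1.bitbull.ch          ## equivalent to the 'build-key' script; key is NOT encrypted —
                                  ## whoever obtains this .ovpn can connect
pkitool --pass user2.bitbull.ch   ## wraps the client key with a passphrase (asked on every connect)
sh client-ovpn-create.sh user1.bitbull.ch
sh client-ovpn-create.sh user2.bitbull.ch
chmod 600 *.ovpn                  # profiles embed private keys; default umask would leave them world-readable
ls -l *.ovpn
# Transfer the profiles over a secure channel (scp) and remove them from the
# router afterwards; revoke a cert (1.1.2) if a profile may have leaked.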
1.1.2 revoke client cert
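cd /etc/easy-rsa || exit 1
. ./vars
# revoke-full marks the cert, regenerates crl.pem and then test-verifies the
# revoked cert: the "error 23 ... certificate revoked" it prints is the
# expected confirmation, not a failure.
revoke-full user1.bitbull.ch
cp "$KEY_DIR/crl.pem" /etc/openvpn/crl.pem
chmod 644 /etc/openvpn/crl.pem    # must stay readable after openvpn has dropped privileges
# Make sure the server actually checks the CRL. The option is crl_verify
# (the setup section originally had it misspelt as clr_verify).
uci set openvpn.myvpn.crl_verify='/etc/openvpn/crl.pem'
uci commit openvpn
/etc/init.d/openvpn restart
# NOTE: the CRL carries its own nextUpdate (default_crl_days in the easy-rsa
# openssl.cnf). An expired CRL is treated as a verification failure, which
# then locks out every client — confirm for your OpenVPN version and re-issue
# the CRL (revoke-full or `openssl ca -gencrl`) before it lapses.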