(This page is not finished yet!)
Flashing the router with OpenWrt
Check the flash size first; at least 4 MB is required -> then use the "Barrier Breaker" release.
If it is larger, "Chaos Calmer" also works (that image is too large to leave room for further installations):
opkg install openvpn-polarssl
For password-protected keys, first remove the password on the VPN server:
openssl rsa -in www.key -out new.key
Gateway with TCP, TAP and masquerading
(all clients behind it appear internally under the gateway's IP; their IPs can come from any network).
Copy clientxy.key + clientxy.crt + ca.crt from the VPN server to /etc/config/openvpn/*
(see notes wf)
Create /etc/openvpn/client.conf with:
This conf can also be used for individual clients (see the conf for the changes; on Windows it must be named "client.ovpn").
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
# On Windows, enable this and adjust the name:
#dev-node "LAN-Verbindung 2"

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
;remote my-server-2 11940
# Adjust the VPN server IP and port:
remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nogroup

# Try to preserve some state across restarts.
persist-key
# Enable for a single client:
#persist-tun
# Disable for a single client. This routes all traffic
# through the tunnel instead of via the default gateway:
redirect-gateway def1

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
# Adjust the names, give the path if necessary:
ca /etc/config/openvpn/ca.crt
cert /etc/config/openvpn/client.crt
key /etc/config/openvpn/client.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 5

# Silence repeating messages
;mute 20

# route-method is a Windows-only option
route-method exe
route-delay 2
Configure the interface
In /etc/config/network:
config interface 'vpn'
	# the device name follows the dev line in client.conf: dev tap creates tap0
	option ifname 'tap0'
	option proto 'none'
Add to /etc/config/firewall:
config zone
	option name vpn
	list network 'vpn'
	option input REJECT
	option output ACCEPT
	option forward REJECT
	option masq 1
There, change the forwarding from wan to the VPN tunnel, so that LAN traffic cannot leave via wan past the tunnel:
instead of:
config forwarding
	option src lan
	option dest wan
changed to:
config forwarding
	option src lan
	option dest vpn
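An added check for this step (not part of the original notes): a POSIX shell script that reads a UCI firewall config in the format of /etc/config/firewall and verifies that the lan zone forwards only into vpn and never directly into wan. The sample config embedded below is constructed for the example.

```shell
#!/bin/sh
# Added example: verifies that a UCI firewall config only lets the lan zone
# forward into the vpn zone, never directly into wan (tunnel bypass).
# The config below is constructed here, not copied from a router.
SAMPLE_FW='config zone
	option name vpn
	option masq 1

config forwarding
	option src lan
	option dest vpn

config forwarding
	option src vpn
	option dest lan

#config forwarding
#	option src lan
#	option dest wan
'

# Print one "src->dest" line per active "config forwarding" section read on stdin.
# Lines commented out with # are ignored; surrounding quotes are stripped.
forwardings() {
	awk '
	$1 == "config" { flush(); insec = ($2 == "forwarding"); next }
	insec && $1 == "option" && $2 == "src"  { src = $3 }
	insec && $1 == "option" && $2 == "dest" { dst = $3 }
	END { flush() }
	function flush() {
		if (insec && src != "" && dst != "") print src "->" dst
		src = ""; dst = ""
	}' | tr -d "\"'"
}

# Return 0 when lan can only leave through vpn; return 1 when a lan->wan
# forwarding exists (tunnel bypass) or the lan->vpn forwarding is missing.
check_no_wan_leak() {
	fw=$(forwardings)
	echo "$fw" | grep -qx 'lan->wan' && return 1
	echo "$fw" | grep -qx 'lan->vpn' || return 1
	return 0
}

# Stand-alone run against the constructed sample (on a router: < /etc/config/firewall)
printf '%s' "$SAMPLE_FW" | check_no_wan_leak && echo "OK: lan leaves only via vpn" || echo "LEAK: fix the forwardings"
```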
Change /etc/config/openvpn so that this file is loaded:
config openvpn custom_config
	# Set 1 to enable ...
	option enabled 1
OpenVPN can now be started with "openvpn /etc/config/openvpn".
Autostart is still missing here:
Transparent
(if the external side is a subnet of the internal one, all internal devices need a route to that subnet)
Network:
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc8:af3f:707d::/48'

config interface 'lan'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option _orig_ifname 'eth0 radio0.network1'
	option _orig_bridge 'true'
	option ifname 'eth0'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 4'

config interface 'vpn'
	option ifname 'tap0'
	option proto 'none'
Firewall:
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network ' '

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'ACCEPT'
	option network 'wan6'

config zone
	option name 'vpn'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan vpn'

config forwarding
	option src 'vpn'
	option dest 'lan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option dest 'vpn'
	option src 'lan'

#config forwarding
#	option dest 'vpn'
#	option src 'wan'

config forwarding
	option dest 'lan'
	option src 'vpn'

#config forwarding
#	option dest 'wan'
#	option src 'vpn'