Fun with La Fonera
6 OpenVPN on La Fonera
OpenVPN is a full-featured open source VPN (Virtual Private Network). To set up an OpenVPN server on your Fonera you need:
- A Fonera router.
- Fonera firmware with jh patch version 0.2 or higher.
- An ssh client like PuTTY.
- Something to copy files from La Fonera to your VPN clients, like WinSCP.
- OpenVPN client software. On Windows I use OpenVPN GUI for Windows.
- A fixed IP on the WAN interface of your Fonera, with port 1194 forwarded from your internet router to this IP.
Generating certificates and keys
The first thing to do is to generate certificates and keys, so that only authenticated clients can log in to your network.
Run the following command to set some environment variables:
    # /etc/easy-rsa/vars
Optionally edit /etc/easy-rsa/vars before running it to set your own default parameters. Stock easy-rsa expects this file to be sourced (with a leading dot: . /etc/easy-rsa/vars) so that the variables persist in the shell you run the next commands in.
Next run clean-all to be really sure that old keys and certificates are removed:
    # clean-all
Then build the certificate authority (CA) certificate and key:
    # build-ca
A certificate and private key for the server also have to be generated:
    # build-key-server server
Be sure that you enter "server" as the Common Name and answer "y" twice, once to sign the certificate and once to commit. You do not need to fill in a password or company name.
For each client you have to generate a unique key and certificate:
    # build-key client1
Be sure that you enter a unique name as the Common Name for each client and again answer "y" twice, once to sign the certificate and once to commit. Again, no password or company name is needed.
The last file to generate is the Diffie-Hellman parameter file:
    # build-dh
This takes a long time on the Fonera (approximately 1 hour and 10 minutes), so get some coffee...
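Before copying anything to a client it is worth checking what easy-rsa actually wrote. The following shell script is an added example, not part of the jh patch or of easy-rsa: check_keys (a name chosen here) verifies every certificate in a key directory against ca.crt with the openssl command line, confirms that server.crt carries the Common Name "server", that client Common Names are set and unique, and that private keys are readable only by their owner. make_demo_keys builds a constructed, throwaway set of keys with plain openssl so the check can be tried without touching the real /etc/easy-rsa/keys directory.

```shell
#!/bin/sh
# Added example, not part of the jh patch or easy-rsa: check the files that
# easy-rsa wrote to a key directory (on the Fonera: /etc/easy-rsa/keys)
# before copying ca.crt plus a client's crt/key pair to that client.

# cert_cn FILE: print the Common Name of a PEM certificate.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_keys KEYDIR: returns 0 when all checks pass, 1 otherwise.
# - server.crt and every client cert must verify against ca.crt
# - server.crt must carry the Common Name "server"
# - client Common Names must be non-empty, unique and not "server"
# - every .key file must be mode 0600
check_keys() {
    dir=$1; rc=0; seen=""
    for crt in "$dir"/*.crt; do
        name=$(basename "$crt" .crt)
        [ "$name" = ca ] && continue
        if ! openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1; then
            echo "$crt: does not chain to ca.crt"; rc=1
        fi
        cn=$(cert_cn "$crt")
        if [ "$name" = server ]; then
            [ "$cn" = server ] || { echo "$crt: Common Name is '$cn', expected 'server'"; rc=1; }
        elif [ -z "$cn" ] || [ "$cn" = server ]; then
            echo "$crt: client Common Name must be set and must not be 'server'"; rc=1
        else
            case " $seen " in
                *" $cn "*) echo "$crt: Common Name '$cn' is already used by another client"; rc=1 ;;
            esac
            seen="$seen $cn"
        fi
    done
    for key in "$dir"/*.key; do
        [ -n "$(find "$key" -perm 600)" ] || { echo "$key: should be mode 0600, not readable by others"; rc=1; }
    done
    return $rc
}

# make_demo_keys DIR: constructed stand-in for easy-rsa output, built with
# plain openssl, so the check can be tried without the real key directory.
make_demo_keys() {
    dir=$1; mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -days 3650 -subj "/CN=demo-ca" \
        -out "$dir/ca.crt" 2>/dev/null
    for cn in server client1 client2; do
        openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null
        openssl req -new -key "$dir/$cn.key" -subj "/CN=$cn" -out "$dir/$cn.csr" 2>/dev/null
        openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 365 -out "$dir/$cn.crt" 2>/dev/null
        rm -f "$dir/$cn.csr"
    done
    chmod 600 "$dir"/*.key
}

# Usage on the Fonera:  sh check_keys.sh /etc/easy-rsa/keys
if [ $# -eq 1 ]; then
    check_keys "$1"
fi
```

The uniqueness check matters because OpenVPN identifies a connected client by the Common Name of its certificate; two clients sharing a name are indistinguishable in the logs and, depending on the server configuration, may not be allowed to connect at the same time.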
Setting up the bridge
You can either run a routed or a bridged VPN. I chose to deliver the jh patch with a bridged VPN configured as the default. A bridged VPN makes the client a real part of the server network; a routed VPN requires extra configuration on the firewall. Read more about it at http://openvpn.net
The jh patch comes with a bridge script (/etc/init.d/bridge). This script allows you to start and stop the bridge. It also sets the IP address of the WAN interface to a fixed IP.
In the bridge script, set eth_ip, eth_netmask, eth_broadcast and eth_gateway to the appropriate values:
    # vi /etc/init.d/bridge
Then test the bridge by running:
    # /etc/init.d/bridge start
Your ssh connection will now freeze or disconnect. Try to (re)connect to the IP address you just configured.
If that fails, reboot your Fonera by unplugging it. Rebooting brings back the original network configuration. Check the changes you made in /etc/init.d/bridge and try again.
Next check your bridge, which should show that bridge br0 is bridging eth0 and tap0:
    # brctl show
    bridge name     bridge id               STP enabled     interfaces
    br0             8000.00188482f850       no              eth0
                                                            tap0
If you are sure the bridge script is working fine, rename it so that it runs automatically at boot time:
    # cd /etc/init.d/
    # mv bridge S41bridge
Editing the server configuration file
Edit the OpenVPN config file:
    # vi /etc/openvpn/server.conf
You most likely want to change the line with the IP address OpenVPN should listen on and the line that starts with server-bridge. Make sure that the address range OpenVPN hands out to clients does not overlap the range of the DHCP server in your network.
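The four addresses in /etc/init.d/bridge and the pool on the server-bridge line are easy to get wrong, and an overlap with the LAN's DHCP range only shows up later as two machines claiming one address. The script below is an added example, not part of the jh patch, that checks both: check_bridge_vars (a name chosen here) verifies that eth_ip, eth_netmask, eth_broadcast and eth_gateway describe one subnet, and check_server_bridge reads the server-bridge line from a server.conf and verifies that its pool lies inside the gateway's subnet without touching the DHCP range you pass in. It uses only shell arithmetic and sed, so it also runs on the Fonera's BusyBox shell. The addresses and the config fragment in the self-check are constructed sample values, not the page's.

```shell
#!/bin/sh
# Added example, not part of the jh patch: sanity-check the addresses in
# /etc/init.d/bridge (eth_ip, eth_netmask, eth_broadcast, eth_gateway) and the
# server-bridge line of /etc/openvpn/server.conf. Shell arithmetic and sed only.

# ip2int A.B.C.D: print the address as a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# check_bridge_vars ETH_IP ETH_NETMASK ETH_BROADCAST ETH_GATEWAY
# The gateway must lie in eth_ip's subnet and the broadcast address must be
# the subnet's last address; returns 0 if both hold, 1 otherwise.
check_bridge_vars() {
    ip=$(ip2int "$1"); mask=$(ip2int "$2"); bc=$(ip2int "$3"); gw=$(ip2int "$4")
    rc=0
    [ $(( ip & mask )) -eq $(( gw & mask )) ] ||
        { echo "eth_gateway $4 is outside the subnet of $1/$2"; rc=1; }
    [ "$bc" -eq $(( (ip & mask) | (~mask & 4294967295) )) ] ||
        { echo "eth_broadcast $3 is not the broadcast address of $1/$2"; rc=1; }
    return $rc
}

# check_server_bridge SERVER_CONF DHCP_START DHCP_END
# Reads "server-bridge GATEWAY NETMASK POOL_START POOL_END" from the config.
# The pool must be inside the gateway's subnet and must not overlap the range
# the LAN DHCP server hands out. Returns 0 if fine, 1 on a problem, 2 if the
# config has no usable server-bridge line.
check_server_bridge() {
    conf=$1; ds=$2; de=$3; d1=$(ip2int "$ds"); d2=$(ip2int "$de")
    line=$(sed -n 's/^[[:space:]]*server-bridge[[:space:]]\{1,\}//p' "$conf" | head -n 1)
    [ -n "$line" ] || { echo "$conf: no server-bridge line found"; return 2; }
    set -- $line
    [ $# -eq 4 ] || { echo "$conf: server-bridge needs GATEWAY NETMASK POOL_START POOL_END"; return 2; }
    gw=$(ip2int "$1"); mask=$(ip2int "$2"); p1=$(ip2int "$3"); p2=$(ip2int "$4")
    rc=0
    if [ $(( p1 & mask )) -ne $(( gw & mask )) ] || [ $(( p2 & mask )) -ne $(( gw & mask )) ]; then
        echo "pool $3-$4 is outside the subnet of $1/$2"; rc=1
    fi
    # Two ranges overlap when each one starts before the other ends.
    if [ "$p1" -le "$d2" ] && [ "$d1" -le "$p2" ]; then
        echo "pool $3-$4 overlaps the DHCP range $ds-$de"; rc=1
    fi
    return $rc
}

# Self-check on constructed sample values:  sh net_check.sh selfcheck
if [ "${1:-}" = selfcheck ]; then
    check_bridge_vars 192.168.1.4 255.255.255.0 192.168.1.255 192.168.1.1 && echo "bridge vars ok"
    tmp=$(mktemp)
    printf 'port 1194\nserver-bridge 192.168.1.4 255.255.255.0 192.168.1.200 192.168.1.220\n' > "$tmp"
    check_server_bridge "$tmp" 192.168.1.100 192.168.1.150 && echo "pool ok against DHCP .100-.150"
    check_server_bridge "$tmp" 192.168.1.100 192.168.1.210 || echo "(overlap reported, as expected)"
    rm -f "$tmp"
fi
```

Run check_server_bridge with the real /etc/openvpn/server.conf and the start and end of your DHCP server's range; a non-zero exit with a printed reason means the pool or the subnet needs adjusting before clients connect.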
You can now start the OpenVPN server:
    # /etc/init.d/openvpn start
Or, to get some output, use:
    # openvpn --config /etc/openvpn/server.conf
Don't forget to configure your internet router to forward incoming connections on port 1194 to the Fonera. Now you are ready to test your VPN.
Client configuration
Download and install OpenVPN GUI for Windows on a client. client.ovpn is an example config file. Also copy ca.crt and the client's own crt and key files (only that client's pair, not the server's or other clients' keys) from /etc/easy-rsa/keys/ on your Fonera to the client.
I use WinSCP to copy files from my Fonera to a windows system.
A final touch
If everything works, you can rename /etc/init.d/openvpn to make it start at boot time:
    # cd /etc/init.d/
    # mv openvpn S50openvpn