I want to share my experience creating a VPN server on OpenPLi 4.0,
tested on OpenVPN version 2.3.2 mipsel-oe-linux-gnu, release date Feb 3, 2016.
First of all, install openvpn
opkg install openvpn
Next, we create the files ca.crt, server.crt and server.key, plus the equivalent files for clients, client.crt and client.key, following this link (littlesat pointed me to it, thanks):
https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide
I saw that, running openvpn --help on the box command line, all files have to have the .pem extension. Let's convert the files.
Follow this guide,
https://blog.didierstevens.com/2015/03/30/howto-make-your-own-cert-with-openssl-on-windows/
until you have completed these last three steps:
set RANDFILE=c:\demo\.rnd
set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
c:\OpenSSL-Win32\bin\openssl.exe
Now, from that OpenSSL prompt, you can convert the .key file to .pem for the server files, to put on the STB in /etc/openvpn/:
OpenSSL> rsa -in filename.key -out filename.key.pem -outform PEM
For the ca.crt and server.crt files, open the certificate in Windows, select the Details tab > Copy to File > DER encoded binary X.509, and choose the destination folder to save it.
Then we convert the ca.cer and server.cer files to .pem files:
OpenSSL> x509 -inform DER -in filename.cer -outform PEM -out filename.pem
All these conversions to the .pem extension are based on the openvpn --help output of the OpenVPN binary installed on our STB; maybe they are not necessary (see the note at the end of this wiki)*.
dh2048.pem also has to be placed in the OpenVPN config directory, /etc/openvpn.
I add two extra .pem files to the directory, 01.pem and 02.pem; they were generated during the file creation and contain key info. I don't know if there is duplication of information. These two files are optional.
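As an added example (my own code, not part of the original post or of OpenVPN), here is a small Python script that tells whether a certificate file is already PEM and, only if it is DER, performs the same conversion as the x509 -inform DER step above. It exists because Easy-RSA's .crt files are normally already PEM, so the conversion is often a no-op; the file names in it are placeholders.

```python
"""Check whether a certificate file is already PEM; convert DER to PEM if not.
Added example, not from the original post. File names are placeholders."""
import base64
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def is_pem(data: bytes) -> bool:
    """PEM is text beginning with a '-----BEGIN ...-----' marker (leading
    whitespace allowed). Easy-RSA .crt/.key files already look like this."""
    return data.lstrip()[:64].startswith(b"-----BEGIN ")


def looks_like_der(data: bytes) -> bool:
    """Cheap sanity check for a DER X.509 certificate: one ASN.1 SEQUENCE
    (tag 0x30) whose encoded length matches the file size exactly."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        hdr = 2 + n
    return hdr + length == len(data)


def der_to_pem(der: bytes) -> str:
    """What 'openssl x509 -inform DER -outform PEM' writes for a certificate:
    base64 of the DER bytes, wrapped at 64 columns, between the PEM markers."""
    if not looks_like_der(der):
        raise ValueError("input is not a single DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse step, handy for checking that a conversion round-trips."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def ensure_pem(data: bytes) -> str:
    """Return PEM text: unchanged if already PEM, converted if the file is DER."""
    if is_pem(data):
        return data.decode("ascii")
    return der_to_pem(data)


if __name__ == "__main__":
    import sys
    # usage: python ensure_pem.py ca.cer > ca.pem   (placeholder file names)
    with open(sys.argv[1], "rb") as f:
        sys.stdout.write(ensure_pem(f.read()))
```

Run it over ca.crt from Easy-RSA and the output is byte-for-byte the input, which is the quick way to confirm that the .pem step is only a rename for those files; the DER check is deliberately minimal (outer SEQUENCE and length only) and is not a full certificate parser.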
Let's put the server config file parameters in /etc/openvpn/server.conf:
local 192.168.xxx.xxx   # local network IP
server 10.8.0.0 255.255.255.0   # for example
tls-server
proto udp
port 443   # sample port, 1194 is the default
dev tun
ca ca.pem
dh dh2048.pem
cert server.crt.pem
key server.key.pem
extra-certs 01.pem #optional
extra-certs 02.pem #optional
ifconfig-pool-persist ipp.txt
comp-lzo
float
ping-timer-rem
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
keepalive 10 120
Client profile *.ovpn (tested with the Android OpenVPN app):
client
dev tun
proto udp
remote 'hostname(NOIP) or Public IP' 443   # sample port, 1194 is the default
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca /file_path/ca.crt
cert /file_path/client.crt
key /file_path/client.key
ns-cert-type server
cipher bf-cbc
comp-lzo
verb 3
mute 20
The port we are going to use for the VPN connection has to be opened on the main router, of course, and you can forward it from a different external port, as you know.
*All files converted to .pem format are for running in TLS server mode.
If we don't want to run in TLS server mode, we can replace all the .pem files with the original certificate files, except the dh2048.pem file, which keeps the .pem format, and remove the 'tls-server' line by editing server.conf in /etc/openvpn.
Changing 'cipher'
If we don't specify the cipher in the server.conf file, the client can only use the bf-cbc cipher. I am now using cipher AES-256-CBC, just by adding this line to server.conf and changing the cipher in the OpenVPN client profile *.ovpn file:
cipher AES-256-CBC
It's also interesting to add this line on both sides too, server and client profiles:
auth SHA256
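As an added example (my own code, not from the post), here is a Python check that parses a server.conf and a client .ovpn and reports the settings that must agree on both ends, filling in the OpenVPN 2.3 defaults (cipher BF-CBC, auth SHA1) when a directive is absent, which is exactly the situation described above where the client is stuck on bf-cbc. The sample configs are constructed from the lines in this post; the LAN IP and hostname are placeholders.

```python
"""Compare an OpenVPN server.conf with a client .ovpn for the directives that
must match. Added example, not from the original post; sample configs are
constructed from it with placeholder addresses."""
import re

# OpenVPN 2.3 defaults used when the directive is missing from a config.
DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1"}
# Directives that must agree on both ends or the tunnel will not come up.
MUST_MATCH = ("proto", "dev", "cipher", "auth", "comp-lzo")


def parse_config(text):
    """Return {directive: [args]}, ignoring comments (# or ;), blank lines and
    the body of inline <tag>...</tag> blocks such as an embedded <ca>."""
    opts, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                                   # inside <ca> ... </ca>
            if line == "</%s>" % block:
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        line = re.split(r"\s+[#;]", line, 1)[0]     # drop trailing comment
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            opts[block] = ["<inline>"]
            continue
        name, *args = line.split()
        opts[name] = args                           # later lines override
    return opts


def effective(opts):
    """Settings as OpenVPN will actually use them, defaults filled in."""
    eff = {}
    for key in MUST_MATCH:
        if key in opts:
            eff[key] = " ".join(opts[key]).upper() or "ON"   # bare 'comp-lzo'
        else:
            eff[key] = DEFAULTS.get(key)                      # None: absent
    return eff


def check(server_text, client_text):
    """Return a list of (level, message) findings; empty means consistent."""
    s, c = parse_config(server_text), parse_config(client_text)
    es, ec = effective(s), effective(c)
    findings = []
    for key in MUST_MATCH:
        if es[key] != ec[key]:
            findings.append(("error", "%s mismatch: server=%s client=%s"
                             % (key, es[key], ec[key])))
    if es["cipher"] == "BF-CBC":
        findings.append(("weak", "cipher is BF-CBC (the 2.3 default, 64-bit "
                         "block cipher); add 'cipher AES-256-CBC' on both sides"))
    if "auth" not in s or "auth" not in c:
        findings.append(("weak", "auth not set on both sides (defaults to "
                         "SHA1); add 'auth SHA256' on both sides"))
    if not ({"ns-cert-type", "remote-cert-tls"} & c.keys()):
        findings.append(("weak", "client does not check the server "
                         "certificate's role (ns-cert-type / remote-cert-tls)"))
    return findings


# Constructed samples based on the post (placeholder IP and hostname).
SERVER_CONF = """\
local 192.168.0.10   # placeholder LAN IP
server 10.8.0.0 255.255.255.0
tls-server
proto udp
port 443   # sample port
dev tun
ca ca.pem
dh dh2048.pem
cert server.crt.pem
key server.key.pem
comp-lzo
keepalive 10 120
"""
CLIENT_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 443   # placeholder hostname
nobind
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
cipher bf-cbc
comp-lzo
verb 3
"""
HARDENED = "cipher AES-256-CBC\nauth SHA256\n"
CLIENT_HARDENED = CLIENT_OVPN.replace("cipher bf-cbc\n", "") + HARDENED

if __name__ == "__main__":
    for label, srv, cli in (("as posted", SERVER_CONF, CLIENT_OVPN),
                            ("client only", SERVER_CONF, CLIENT_HARDENED),
                            ("both sides", SERVER_CONF + HARDENED, CLIENT_HARDENED)):
        print(label, check(srv, cli) or "OK")
```

The "client only" case is the one to watch: changing the cipher in the .ovpn without touching server.conf produces a cipher mismatch rather than a stronger tunnel, which is why the post adds the line on both sides.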