{"id":2073,"date":"2013-10-26T12:13:00","date_gmt":"2013-10-26T10:13:00","guid":{"rendered":"http:\/\/blog.wenzlaff.de\/?p=2073"},"modified":"2021-11-22T17:15:59","modified_gmt":"2021-11-22T16:15:59","slug":"wie-kann-openvpn-auf-einem-wr-703n-unter-openwrt-eingerichtet-werden","status":"publish","type":"post","link":"http:\/\/blog.wenzlaff.de\/?p=2073","title":{"rendered":"Wie kann OpenVPN auf einem WR-703N unter OpenWrt eingerichtet werden?"},"content":{"rendered":"

Nach dieser guten Anleitung wie folgt vorgehen.
\n
\nopkg update
\nopkg install openvpn openvpn-easy-rsa openssh-sftp-server
\n<\/code><\/p>\n

Zertifikate erstellen:<\/p>\n

Optional die
\nvi \/etc\/easy-rsa\/vars<\/strong>
\nf\u00fcr default vorbelegungen anpassen:<\/p>\n

export KEY_COUNTRY=\"DE\"
\nexport KEY_PROVINCE=\"Niedersachsen\"
\nexport KEY_CITY=\"Langenhagen\"
\nexport KEY_ORG=\"TWSoft\"
\nexport KEY_EMAIL=\"mail@email.de\"
\nexport KEY_EMAIL=mail@email.de
\n# Der KEY_CN mus EINDEUTIG und EINMALIG sien
\nexport KEY_CN=server.email.de
\nexport KEY_NAME=server.email.de
\nexport KEY_OU=TWSoft
\nexport PKCS11_MODULE_PATH=changeme
\nexport PKCS11_PIN=1234<\/code><\/p>\n

In das \/etc\/easy-rsa<\/strong> Verzeichnis wechseln.
\n.\/clean-all<\/code>
\nausf\u00fchren. L\u00f6scht das ganze \/etc\/easy-rsa\/keys<\/strong> Verzeichnis<\/p>\n

build-ca<\/code><\/p>\n

Erzeugt diese Fragen:
\nCountry Name (2 letter code) [DE]:
\nState or Province Name (full name) [DE]:Langenhagen
\nLocality Name (eg, city) [Langenhagen]:
\nOrganization Name (eg, company) [TWSoft]:
\nOrganizational Unit Name (eg, section) [TWSoft]:
\nCommon Name (eg, your name or your server’s hostname) [EINDEUTIG.wenzlaff.de] www.wenzlaff.de
\nName [server.wenzlaff.de]:www.wenzlaff.de
\nEmail Address [mail@email.de]:<\/p>\n

Erstellt in \/etc\/easy-rsa\/keys<\/strong> die Dateien:
\nca.key
\nca.crt<\/strong><\/p>\n

Dann
\nbuild-dh<\/strong>
\nund ein paar Minuten warten bis in \/etc\/easy-rsa\/keys<\/strong> die
\ndh1024.pem<\/strong>
\nerzeugt wurde.<\/p>\n

Jetzt noch die Server Key erzeugen mit:
\nbuild-key-server server<\/code><\/p>\n

Und einige Fragen beantworten:
\nCountry Name (2 letter code) [DE]:
\nState or Province Name (full name) [DE]:Hannover
\nLocality Name (eg, city) [Langenhagen]:
\nOrganization Name (eg, company) [TWSoft]:
\nOrganizational Unit Name (eg, section) [TWSoft]:
\nCommon Name (eg, your name or your server’s hostname) [server]:
\nName [server.wenzlaff.de]:
\nEmail Address [mail@email.de]:<\/p>\n

Please enter the following ‚extra‘ attributes
\nto be sent with your certificate request
\nA challenge password []:1234
\nAn optional company name []:TWSoft
\nUsing configuration from \/etc\/easy-rsa\/openssl-1.0.0.cnf
\nCheck that the request matches the signature
\nSignature ok
\nThe Subject’s Distinguished Name is as follows
\ncountryName :PRINTABLE:’DE‘
\nstateOrProvinceName :PRINTABLE:’Hannover‘
\nlocalityName :PRINTABLE:’Langenhagen‘
\norganizationName :PRINTABLE:’TWSoft‘
\norganizationalUnitName:PRINTABLE:’TWSoft‘
\ncommonName :PRINTABLE:’server‘
\nname :PRINTABLE:’server.wenzlaff.de‘
\nemailAddress :IA5STRING:’mail@email.de‘
\nCertificate is to be certified until Oct 2 18:00:57 2023 GMT (3650 days)
\nSign the certificate? [y\/n]:y<\/p>\n

1 out of 1 certificate requests certified, commit? [y\/n]y
\nWrite out database with 1 new entries
\nData Base Updated<\/p>\n

Nun gibt es in \/etc\/easy-rsa\/keys<\/strong> auch die
\nserver.crt
\nserver.csr
\nserver.key<\/strong><\/p>\n

Alle erzeugten Key in eine .p12 Datei packen mit:<\/p>\n

build-key-pkcs12 thomas<\/code><\/p>\n

Und wieder die gewohnten Fragen beantworten:<\/p>\n

Country Name (2 letter code) [DE]:
\nState or Province Name (full name) [DE]:Hannover
\nLocality Name (eg, city) [Langenhagen]:
\nOrganization Name (eg, company) [TWSoft]:
\nOrganizational Unit Name (eg, section) [TWSoft]:
\nCommon Name (eg, your name or your server’s hostname) [thomas]:
\nName [server.wenzlaff.de]:
\nEmail Address [email@mail.de]:<\/p>\n

Please enter the following ‚extra‘ attributes
\nto be sent with your certificate request
\nA challenge password []:4567
\nAn optional company name []:TWSoft
\nUsing configuration from \/etc\/easy-rsa\/openssl-1.0.0.cnf<\/strong>
\nCheck that the request matches the signature
\nSignature ok
\nThe Subject’s Distinguished Name is as follows
\ncountryName :PRINTABLE:’DE‘
\nstateOrProvinceName :PRINTABLE:’Hannover‘
\nlocalityName :PRINTABLE:’Langenhagen‘
\norganizationName :PRINTABLE:’TWSoft‘
\norganizationalUnitName:PRINTABLE:’TWSoft‘
\ncommonName :PRINTABLE:’thomas‘
\nname :PRINTABLE:’server.wenzlaff.de‘
\nemailAddress :IA5STRING:’mail@email.de‘
\nCertificate is to be certified until Oct 2 17:59:08 2023 GMT (3650 days)
\nSign the certificate? [y\/n]:y<\/p>\n

1 out of 1 certificate requests certified, commit? [y\/n]y
\nWrite out database with 1 new entries
\nData Base Updated
\nEnter Export Password: 0000
\nVerifying – Enter Export Password: 0000<\/p>\n

So jetzt sind auch in \/etc\/easy-rsa\/keys<\/strong> die
\nthomas.csr
\nthomas.crt
\nthomas.key
\nthomas.p12<\/strong>
\nDateien f\u00fcr den Client erstellt worden.<\/p>\n

Jetzt m\u00fcssen die Keys noch auf den Server und den Client verteilt werden.<\/p>\n

cd \/etc\/easy-rsa\/keys
\ncp ca.crt ca.key dh1024.pem server.crt server.key \/etc\/openvpn\/<\/code><\/p>\n

Hier noch eine kleine Zuordungstabelle, welche Zertifikate wo hinkommen:
\n
\nDateiname \t Speicherort \tBeschreibung \t geheim
\nca.crt \t Server + Clients \tRoot CA Zertifikat \tNein
\nca.key \t im Safe :) \t Root CA Schl\u00fcssel \tJa
\ndh{Wert}.pem \t Server \t Diffie Hellman \t Nein
\nserver.crt \t Server \t Server Zertifikat \tNein
\nserver.key \t Server \t Server Schl\u00fcssel \tJa
\nvpnclient01.crt Client 1 \t Client 1 Zertifikat \tNein
\nvpnclient01.key Client 1 \t Client 1 Schl\u00fcssel \tJa
\n<\/code><\/p>\n

Server Konfigurieren vi \/etc\/config\/openvpn<\/strong>
\n
\nconfig 'openvpn' 'lan'
\n option 'enable' '1'
\n option 'port' '1194'
\n option 'proto' 'udp'
\n option 'dev' 'tap0'
\n option 'ca' '\/etc\/openvpn\/ca.crt'
\n option 'cert' '\/etc\/openvpn\/server.crt'
\n option 'key' '\/etc\/openvpn\/server.key'
\n option 'dh' '\/etc\/openvpn\/dh1024.pem'
\n option 'ifconfig_pool_persist' '\/tmp\/ipp.txt'
\n option 'keepalive' '10 120'
\n option 'comp_lzo' '1'
\n option 'persist_key' '1'
\n option 'persist_tun' '1'
\n option 'status' '\/tmp\/openvpn-status.log'
\n option 'verb' '3'
\n option 'server_bridge' '192.168.2.123 255.255.255.0 192.168.2.122 192.168.2.111'
\n option 'push' 'redirect-gateway def1'
\n list 'push' 'dhcp-option DNS 192.168.2.123'
\n<\/code><\/p>\n

Server Starten mit:
\n\/etc\/init.d\/openvpn start<\/strong>
\nund:
\n\/etc\/init.d\/openvpn stop<\/strong>
\nRestart
\n\/etc\/init.d\/openvpn restart<\/strong><\/p>\n

Und f\u00fcr Autostart einmal oder \u00fcber Luci:
\n\/etc\/init.d\/openvpn enable<\/strong><\/p>\n

Nur wenn der VPN-Server l\u00e4uft, ist \u00fcber Luci das tap0<\/strong> Device erreichbar.<\/p>\n

Im Firewall vi \/etc\/config\/firewall<\/strong> den Port 1194 freischalten:<\/p>\n

config 'rule'
\n option 'target' 'ACCEPT'
\n option 'dest_port' '1194'
\n option 'src' 'wan'
\n option 'proto' 'tcpudp'
\n option 'family' 'ipv4'<\/code><\/p>\n

\/etc\/init.d\/firewall restart<\/strong><\/p>\n

Adressbereich setzen vi \/etc\/config\/dhcp<\/strong><\/p>\n

config dhcp lan
\n option interface lan
\n option ignore 0
\n option start 150 # von .150 bis .199 = 49 Adressen
\n option limit 49
\n option leasetime 12h<\/code><\/p>\n

reboot<\/strong><\/p>\n

IPhone Client Konfiguration.
\nDaf\u00fcr brauchen wir eine OpenWrt.ovpn Datei. Die m\u00fcssen wir uns aus den Zertifikaten und Key zusammenbauen:<\/p>\n

# TW OpenWrt Configuration f\u00fcr xxx.no-ip.org IP:
\nremote xx.xxx.xxx.xxx 1194
\nclient
\ntls-client
\ndev tun # tap geht nicht mit OpenVpn App 1.01 build 88<\/strong>
\nproto udp
\nremote-cert-tls server
\nresolv-retry infinite
\nnobind
\npersist-tun
\npersist-key
\npkcs12 thomas.p12
\ncomp-lzo
\nverb 3<\/p>\n

# hier die Zertifikate von ca.crt, thomas.crt, thomas.key<\/strong> einf\u00fcgen:
\n
\n—–BEGIN CERTIFICATE—–
\nMIIEBDCCA22gAwIBAgIJAgg\/WZdmAp
\n…
\n+6VIFdXmjy19eZQJzEJFxO5+iqZ6EZhs
\n—–END CERTIFICATE—–
\n<\/ca>
\n
\n—–BEGIN CERTIFICATE—–
\nMIIEQDCCA6mgAwIBAgIBAjANB
\n…
\njGlI9+MUzx3nHhhU1W1F3s4zeeS3TFmjb7xhori4J7JZugOS
\n—–END CERTIFICATE—–
\n<\/cert>
\n
\n—–BEGIN PRIVATE KEY—–
\ngYBxm4LOI4uFPgBmS\/9zjEZ1TGyE
\n…
\nJUe0BUfOhe4x
\n—–END PRIVATE KEY—–
\n<\/key><\/p>\n

An dieser Stelle habe ich gemerkt, das der OpenVPN 1.01 build 88 Client f\u00fcr das iPhone, kein TAP unterst\u00fctzt<\/strong>.
\nDie von mir oben gew\u00fcnschte Bridge \u00fcber TAP-Device (virtuelle Netzwerkkarte, ethernet Adapter) ist also nicht<\/strong> m\u00f6glich.<\/p>\n

Also umkonfigurieren so das zumindestenst ein OpenVPN TUN l\u00e4uft.
\nAlso ist kein Layer 2 Tunnel mit dieser App und dem iPhone m\u00f6glich. Schade! <\/strong><\/p>\n

vi \/etc\/config\/openvpn<\/strong><\/p>\n

config 'openvpn' 'lan'
\n option 'enable' '1'
\n option 'port' '1194'
\n option 'proto' 'udp'
\n option 'dev' 'tun'
\n option 'ca' '\/etc\/openvpn\/ca.crt'
\n option 'cert' '\/etc\/openvpn\/server.crt'
\n option 'key' '\/etc\/openvpn\/server.key'
\n option 'dh' '\/etc\/openvpn\/dh1024.pem'
\n option 'ifconfig_pool_persist' '\/tmp\/ipp.txt'
\n option 'keepalive' '10 120'
\n option 'comp_lzo' '1'
\n option 'persist_key' '1'
\n option 'persist_tun' '1'
\n option 'status' '\/var\/log\/openvpn-status.log'
\n option 'verb' '3'
\n option 'server' '10.0.0.0 255.255.255.0'
\n list 'push' 'redirect-gateway def1'
\n list 'push' 'dhcp-option DOMAIN lan'
\n list 'push' 'dhcp-option DNS 192.168.2.1'<\/code><\/p>\n

vi \/etc\/config\/firewall<\/strong><\/p>\n

config 'include'
\noption 'path' '\/etc\/firewall.user' config 'rule'
\noption 'target' 'ACCEPT' option 'name' 'VPN'
\noption 'src' 'wan'
\noption 'proto' 'udp'
\noption 'dest_port' '1194'<\/code><\/p>\n

vi \/etc\/firewall.user<\/strong>
\niptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
\niptables -A input_wan -p udp --dport 1194 -j ACCEPT
\niptables -I INPUT -i tun+ -j ACCEPT
\niptables -I FORWARD -i tun+ -j ACCEPT
\niptables -I OUTPUT -o tun+ -j ACCEPT
\niptables -I FORWARD -o tun+ -j ACCEPT<\/code><\/p>\n

Connect im iPhone l\u00e4uft schon mal.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

Nach dieser guten Anleitung wie folgt vorgehen. opkg update opkg install openvpn openvpn-easy-rsa openssh-sftp-server Zertifikate erstellen: Optional die vi \/etc\/easy-rsa\/vars f\u00fcr default vorbelegungen anpassen: export KEY_COUNTRY=“DE“ export KEY_PROVINCE=“Niedersachsen“ export KEY_CITY=“Langenhagen“ export KEY_ORG=“TWSoft“ export KEY_EMAIL=“mail@email.de“ export KEY_EMAIL=mail@email.de # Der KEY_CN mus EINDEUTIG und EINMALIG sien export KEY_CN=server.email.de export KEY_NAME=server.email.de export KEY_OU=TWSoft export PKCS11_MODULE_PATH=changeme export PKCS11_PIN=1234 In … <\/p>\n

\u201eWie kann OpenVPN auf einem WR-703N unter OpenWrt eingerichtet werden?\u201c <\/span>weiterlesen<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[808,695],"tags":[690,2184,752,988,678,694],"class_list":["post-2073","post","type-post","status-publish","format-standard","hentry","category-linux-2","category-tp-wr703n","tag-703n","tag-anleitung","tag-einrichten","tag-openvpn","tag-openwrt","tag-wr-703n"],"_links":{"self":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts\/2073","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2073"}],"version-history":[{"count":0,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts\/2073\/revisions"}],"wp:attachment":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2073"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2073"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2073"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}