OpenVPN - Site-to-Site Bridged VPN Between Two Routers

From DD-WRT Wiki

Revision as of 20:01, 23 November 2008, by Strfr
The following details the procedure for establishing a site-to-site bridged VPN between two Linksys WRT54GL routers. Other routers should work just as easily, but have not been tested by the author. To understand more about bridged VPNs, you can read [http://openvpn.net/bridge.html Ethernet Bridging on www.openvpn.net].
Also, this document uses public key authentication rather than static key authentication. Static key authentication should work just as easily (possibly more easily), but the author has not tried to establish a site-to-site VPN using static key authentication.

=== Procedure Summary ===
# Obtain a Linksys WRT54GL router
# Install the OpenVPN version of DD-WRT on both routers. NOTE: Use v23 sp3 or greater if you want to connect multiple clients to one server simultaneously. Single client to server works fine with sp2.
# Generate the necessary keys for public key authentication
# Configure a router as the server
# Configure the other router as the client
# Test the VPN

=== Obtain a Linksys WRT54GL Router ===
The author has experienced flawless performance from the two Linksys WRT54GL routers he has used to establish a site-to-site VPN. Although other routers will likely work equally well, if you obtain Linksys WRT54GL routers to set up a site-to-site VPN, you can have a high level of confidence that you will be successful.

=== Install DD-WRT onto Your Routers ===
# Download the latest stable release of the OpenVPN version of DD-WRT from [http://www.dd-wrt.com/dd-wrtv2/downloads.php DD-WRT]. At the time this was written, the file you need to download is dd-wrt.v23_vpn_generic.bin. --[[User:Teccs|Teccs]] 08:05, 4 Jun 2007 (CEST) For the WRT54GL v1.1 router, I use dd-wrt.v23_vpn_wrt54g.bin. This is sp3.
# For each router, follow the [[Installation#Flashing|instructions for flashing the routers]] with the .bin file you downloaded. Both routers need to be flashed with the same file.

=== Generate Keys for Authentication ===
# Download OpenVPN from [http://openvpn.net/download.html HERE] onto the computer that you are going to use to communicate with (i.e., configure) the routers.
# Follow these instructions to [http://openvpn.net/howto.html#install install OpenVPN onto your computer].
# Follow these instructions to [http://openvpn.net/howto.html#pki generate keys for authentication]. (Note: when generating the client key, create only one key and name it client, rather than client1.)

=== Configure the Server Router ===
''Basic Setup''
# Log onto the first router, which will be our server router, using the GUI.
# Go to Setup > Basic Setup.
# Set the Local IP Address of the first router to 192.168.1.1 with a Subnet Mask of 255.255.255.0. (Of course, you are not required to use the network address 192.168.1.0. You can use any network address you like, but this tutorial will assume you are using this network.)
# Make sure DHCP server is enabled.
# Set the Start IP Address to 100.
# Set Maximum DHCP Users to 50.
# Set the Time Zone. (The time zone you select is not important to the success of this tutorial, but setting the '''same''' time zone on both routers '''is''' important.)
# Click Save Settings.

''Startup Script''
# Go to Administration > Commands
# Paste the following into the Command Shell box:
<pre>
cd /tmp
# Create the tap device, attach it to the LAN bridge and bring it up without an address
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up

# Write the server configuration; the certificate and key files referenced here are created below
echo "
# Tunnel options
mode server # Set OpenVPN major mode
proto udp # Setup the protocol (server)
port 1194 # TCP/UDP port number
dev tap0 # TUN/TAP virtual network device
keepalive 15 60 # Simplify the expression of --ping
daemon # Become a daemon after all initialization
verb 3 # Set output verbosity to n
comp-lzo # Use fast LZO compression

# OpenVPN server mode options
client-to-client # tells OpenVPN to internally route client-to-client traffic
duplicate-cn # Allow multiple clients with the same common name

# TLS Mode Options
tls-server # Enable TLS and assume server role during TLS handshake
ca ca.crt # Certificate authority (CA) file
dh dh1024.pem # File containing Diffie Hellman parameters
cert server.crt # Local peer's signed certificate
key server.key # Local peer's private key
" > openvpn.conf

echo "
-----BEGIN CERTIFICATE-----
INSERT YOUR ca.crt HERE
-----END CERTIFICATE-----
" > ca.crt
echo "
-----BEGIN RSA PRIVATE KEY-----
INSERT YOUR server.key HERE
-----END RSA PRIVATE KEY-----
" > server.key
chmod 600 server.key
echo "
-----BEGIN CERTIFICATE-----
INSERT YOUR server.crt HERE
-----END CERTIFICATE-----
" > server.crt
echo "
-----BEGIN DH PARAMETERS-----
INSERT YOUR dh1024.pem HERE
-----END DH PARAMETERS-----
" > dh1024.pem

# Start OpenVPN from /tmp so the relative file names in openvpn.conf resolve
sleep 5
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --config openvpn.conf

route add -net 192.168.1.0/24 dev br0
</pre>

# Replace the "INSERT YOUR [FILE] HERE" text with the appropriate text from the .crt or .key files you generated during the Generate Keys for Authentication step.
# Click Save Startup
# Paste the following into the Command Shell box:
<pre>
/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
</pre>
# Click Save Firewall
# Reboot the router

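Before the server script goes live it is worth reviewing the openvpn.conf it writes. The following POSIX sh script is an added example, not part of the wiki page or of DD-WRT: it flags the settings a defender would revisit (duplicate-cn, no tls-auth, no crl-verify, a private key that is not mode 600) and builds a constructed copy of the page's options to run against. tls-auth and crl-verify are long-standing OpenVPN directives while tls-crypt needs OpenVPN 2.4 or later, so which ones a given DD-WRT build accepts is an assumption to confirm on the router.

```shell
# Added example (not from the DD-WRT wiki): review an OpenVPN server config such as
# the openvpn.conf written by the startup script above. Needs only POSIX sh, sed, grep.
# has_opt FILE OPTION: true if OPTION appears as a directive (comments stripped first)
has_opt() {
    sed 's/#.*//' "$1" | grep -Eq "^[[:space:]]*$2([[:space:]]|\$)"
}

# lint_openvpn_conf FILE: prints one finding per line, exit status 1 if there are any
lint_openvpn_conf() {
    conf=$1; dir=$(dirname "$conf"); n=0
    if has_opt "$conf" duplicate-cn; then
        echo "duplicate-cn: a copied client certificate connects alongside the real client instead of displacing it"
        n=$((n + 1))
    fi
    if ! has_opt "$conf" tls-auth && ! has_opt "$conf" tls-crypt; then
        echo "no tls-auth: any host reaching UDP 1194 can start a TLS handshake"
        n=$((n + 1))
    fi
    if ! has_opt "$conf" crl-verify; then
        echo "no crl-verify: a revoked client certificate is still accepted"
        n=$((n + 1))
    fi
    # Private key named by 'key', resolved next to the config (the script runs from /tmp)
    key=$(sed -n 's/#.*//; s/^[[:space:]]*key[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$conf" | head -n 1)
    if [ -n "$key" ] && [ "$(ls -l "$dir/$key" 2>/dev/null | cut -c1-10)" != "-rw-------" ]; then
        echo "key $key: not mode 600 (keep the chmod 600 from the startup script)"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# write_sample_conf DIR: constructed copy of the wiki's server options plus a placeholder key
write_sample_conf() {
    cat > "$1/openvpn.conf" <<EOF
mode server # Set OpenVPN major mode
port 1194
dev tap0
duplicate-cn # Allow multiple clients with the same common name
tls-server
ca ca.crt
cert server.crt
key server.key # Local peer's private key
EOF
    echo "PLACEHOLDER - not a real key" > "$1/server.key"
    chmod 600 "$1/server.key"
}

sample=$(mktemp -d)
write_sample_conf "$sample"
lint_openvpn_conf "$sample/openvpn.conf" || echo "config needs review"
```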
=== Configure the Client Router ===
''Basic Setup''
# Log onto the second router, which will be our client router, using the GUI.
# Go to Setup > Basic Setup.
# Set the Local IP Address of the second router to 192.168.1.254 with a Subnet Mask of 255.255.255.0. (Of course, if you used a different network address and subnet mask when setting up the server router, use that same address and mask for this router.)
# Make sure DHCP server is enabled.
# Set the Start IP Address to 50. NOTE: Because the two LANs are bridged into one network, every IP address on the client LAN and the server LAN must be unique. You can't have 192.168.1.100 on the client LAN and 192.168.1.100 on the server LAN. All addresses are still 192.168.1.x, and the router addresses must also differ from each other while staying within 192.168.1.x. If you have multiple routers as simultaneous clients, every client LAN's addresses must be unique in the same way. Make sure your DHCP ranges cannot hand out duplicate addresses.
# Set Maximum DHCP Users to 50.
# Set the Time Zone to the same time zone you set on the first (server) router.
# Click Save Settings.

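The uniqueness rule in the note above can be checked before the routers are deployed. This added example (not from the wiki page) is a POSIX sh function that takes each site's router address and DHCP pool as entered in Setup > Basic Setup and reports overlapping pools, duplicate router addresses, routers that sit inside a pool and pools that run past the /24; the "name:octet:start:count" spec format is my own convention.

```shell
# Added example (not from the DD-WRT wiki). All bridged sites share one 192.168.1.0/24
# LAN, so the router addresses and DHCP pools of every site must be disjoint. Each
# argument is "name:router_octet:dhcp_start:max_users" (the Basic Setup values).

# check_lan_uniqueness SITE...: prints one line per conflict, exit status 1 if any
check_lan_uniqueness() {
    conflicts=0; i=0
    for a in "$@"; do
        i=$((i + 1)); j=0
        IFS=: read -r an ao af ac <<EOF
$a
EOF
        al=$((af + ac - 1))
        if [ "$al" -gt 254 ]; then
            echo "$an: DHCP pool .$af-.$al runs past the end of the /24"; conflicts=$((conflicts + 1))
        fi
        if [ "$ao" -ge "$af" ] && [ "$ao" -le "$al" ]; then
            echo "$an: router .$ao lies inside its own DHCP pool .$af-.$al"; conflicts=$((conflicts + 1))
        fi
        for b in "$@"; do
            j=$((j + 1))
            [ "$j" -gt "$i" ] || continue   # visit each pair of sites once
            IFS=: read -r bn bo bf bc <<EOF
$b
EOF
            bl=$((bf + bc - 1))
            if [ "$ao" -eq "$bo" ]; then
                echo "$an/$bn: both routers use .$ao"; conflicts=$((conflicts + 1))
            fi
            if [ "$af" -le "$bl" ] && [ "$bf" -le "$al" ]; then
                echo "$an/$bn: DHCP pools .$af-.$al and .$bf-.$bl overlap"; conflicts=$((conflicts + 1))
            fi
            if { [ "$ao" -ge "$bf" ] && [ "$ao" -le "$bl" ]; } || { [ "$bo" -ge "$af" ] && [ "$bo" -le "$al" ]; }; then
                echo "$an/$bn: a router address falls inside the other site's DHCP pool"; conflicts=$((conflicts + 1))
            fi
        done
    done
    [ "$conflicts" -eq 0 ]
}

# The wiki's values: server .1 with pool .100-.149, client .254 with pool .50-.99
check_lan_uniqueness server:1:100:50 client:254:50:50 && echo "no address conflicts"
# A second client that reuses the server's pool is caught
check_lan_uniqueness server:1:100:50 client:254:50:50 client2:253:100:50 || echo "fix the DHCP ranges"
```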
''Startup Script''
# Go to Administration > Commands
# Paste the following into the Command Shell box:
<pre>
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
# Create the tap device and attach it to the LAN bridge, as on the server
./myvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
sleep 5

echo "
client
daemon
dev tap0
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
" > /tmp/client.conf

echo "
-----BEGIN CERTIFICATE-----
INSERT YOUR ca.crt HERE
-----END CERTIFICATE-----
" > /tmp/ca.crt

echo "
-----BEGIN RSA PRIVATE KEY-----
INSERT YOUR client.key HERE
-----END RSA PRIVATE KEY-----
" > /tmp/client.key
chmod 600 /tmp/client.key

echo "
-----BEGIN CERTIFICATE-----
INSERT YOUR client.crt HERE
-----END CERTIFICATE-----
" > /tmp/client.crt

./myvpn --config client.conf

route add -net 192.168.1.0/24 dev br0

</pre>

'''UPD from hryamzik:'''
This script didn't work for me. I've composed the following:
<pre>
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
./myvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 promisc

cat <<EOF> /tmp/up.sh
/sbin/ifconfig tap0 0.0.0.0
EOF

chmod +x /tmp/up.sh

echo "
daemon # Become a daemon after all initialization
client
dev tap0
proto udp
remote domain.comt 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
mssfix 1200
up \"/tmp/up.sh\"
" > client.conf

echo "
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
" > ca.crt
echo "
-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----
" > /tmp/client.key
chmod 600 /tmp/client.key

echo "
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
" > /tmp/client.crt

./myvpn --config client.conf

route add -net 192.168.1.0/24 dev br0
</pre>

Be careful with "route add"; I had some problems with it when I used wrong values.
I did '''not''' update iptables.

'''End of upd by hryamzik.'''

'''Start of upd by strfr'''

The original script above hryamzik's one works well for me on an Asus WL-500GP v1.0 with mega build 10949M NEWD Eko; I have not tried hryamzik's one.

'''End of upd by strfr'''

# Replace the "INSERT YOUR [FILE] HERE" text with the appropriate text from the .crt or .key files you generated during the Generate Keys for Authentication step.
# Replace the xxx.xxx.xxx.xxx text with the public IP address (or DNS name) of your first (server) router. (Note: if your Internet Service Provider gives your routers dynamic IP addresses (and they probably do), you might want to look into Dynamic DNS services such as [http://www.dyndns.com DynDNS] or [http://www.no-ip.com No-IP.com]. You can start to learn more about dynamic DNS by looking at the help from Setup > DDNS in the DD-WRT GUI.)
# Click Save Startup
# Reboot the router (i.e., in the GUI, click Administration > Management and click Reboot Router at the bottom)

=== Test the VPN ===
If all is well, and a VPN has been established between your two routers, you should be able to ping hosts behind either router.

=== Caveats and Tips ===
Make sure that your router has sufficient memory for the above. Usually, this means having >4MB of flash memory. I bricked a Buffalo WBR-54G trying to fit the script into it.

The entire process is facilitated by having SSH or telnet access to the router's command prompt. It allows you to directly test the various options and incantations to see if they work.
