OpenVPN & OpenWRT How-to

OpenVPN

FIXME

Installation

root@linksys:~# ipkg install liblzo_1.08-1_mipsel.ipk 
Installing liblzo (1.08-1) to root...
Configuring liblzo
Successfully terminated.
root@linksys:~# ipkg install kmod-tun_2.4.30-1_mipsel.ipk 
Installing kmod-tun (2.4.30-1) to root...
Configuring kmod-tun
Successfully terminated.
root@linksys:~# ipkg install openvpn_2.0.2-1_mipsel.ipk 
Installing openvpn (2.0.2-1) to root...
Configuring openvpn
Successfully terminated.
:: Loading the tun module (used for the SSL tunnels)
# insmod tun
:: Creating a directory for the OpenVPN configuration files
# mkdir /etc/openvpn

For this loopback test, you need to get the loopback-server and loopback-client files shipped with the OpenVPN source code, as well as the keys and DH parameters used by OpenVPN. In my case, I put all of them in the /etc/openvpn directory and made the necessary changes to the two files loopback-server and loopback-client:

root@linksys:/etc/openvpn# vi /etc/openvpn/loopback-server

rport 16001
lport 16000
proto tcp-server
remote localhost
local localhost
dev null
verb 3
reneg-sec 10
tls-server
dh dh1024.pem
ca tmp-ca.crt
key server.key
cert server.crt
cipher DES-EDE3-CBC
ping 1
inactive 120

root@linksys:/etc/openvpn# vi loopback-client

rport 16000
lport 16001
proto tcp-client
remote localhost
local localhost
dev null
verb 3
reneg-sec 10
tls-client
ca tmp-ca.crt
key client.key
cert client.crt
cipher DES-EDE3-CBC
ping 1
inactive 120
:: Server process
# openvpn --config /etc/openvpn/loopback-server
:: Client process
# openvpn --config /etc/openvpn/loopback-client
:: Server process
root@linksys:/etc/openvpn# openvpn --config /etc/openvpn/loopback-server
Sun Nov  6 10:52:08 2005 OpenVPN 2.0.2 mipsel-linux [SSL] [LZO] [EPOLL] built on Sep 14 2005
Sun Nov  6 10:52:08 2005 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun Nov  6 10:52:08 2005 Diffie-Hellman initialized with 1024 bit key
Sun Nov  6 10:52:08 2005 WARNING: file 'server.key' is group or others accessible
Sun Nov  6 10:52:08 2005 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sun Nov  6 10:52:08 2005 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Sun Nov  6 10:52:08 2005 Local Options hash (VER=V4): 'f5e1a1cf'
Sun Nov  6 10:52:08 2005 Expected Remote Options hash (VER=V4): '9c1bb212'
Sun Nov  6 10:52:08 2005 Listening for incoming TCP connection on 127.0.0.1:16000
Sun Nov  6 10:52:13 2005 TCP connection established with 127.0.0.1:2173
Sun Nov  6 10:52:13 2005 TCPv4_SERVER link local (bound): 127.0.0.1:16000
Sun Nov  6 10:52:13 2005 TCPv4_SERVER link remote: 127.0.0.1:2173
Sun Nov  6 10:52:13 2005 TLS: Initial packet from 127.0.0.1:2173, sid=9013cecb d4911a68
Sun Nov  6 10:52:15 2005 VERIFY OK: depth=1, /C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain
Sun Nov  6 10:52:15 2005 VERIFY OK: depth=0, /C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client/emailAddress=me@myhost.mydomain
Sun Nov  6 10:52:15 2005 Data Channel Encrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Sun Nov  6 10:52:15 2005 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov  6 10:52:15 2005 Data Channel Decrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Sun Nov  6 10:52:15 2005 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov  6 10:52:15 2005 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
(...)
 
:: Client process
root@linksys:/etc/openvpn# openvpn --config /etc/openvpn/loopback-client 
Sun Nov  6 10:55:52 2005 OpenVPN 2.0.2 mipsel-linux [SSL] [LZO] [EPOLL] built on Sep 14 2005
Sun Nov  6 10:55:52 2005 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun Nov  6 10:55:52 2005 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Nov  6 10:55:52 2005 WARNING: file 'client.key' is group or others accessible
Sun Nov  6 10:55:52 2005 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sun Nov  6 10:55:52 2005 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Sun Nov  6 10:55:52 2005 Local Options hash (VER=V4): '9c1bb212'
Sun Nov  6 10:55:52 2005 Expected Remote Options hash (VER=V4): 'f5e1a1cf'
Sun Nov  6 10:55:52 2005 Attempting to establish TCP connection with 127.0.0.1:16000
Sun Nov  6 10:55:52 2005 TCP connection established with 127.0.0.1:16000
Sun Nov  6 10:55:52 2005 TCPv4_CLIENT link local: 127.0.0.1
Sun Nov  6 10:55:52 2005 TCPv4_CLIENT link remote: 127.0.0.1:16000
Sun Nov  6 10:55:53 2005 TLS: Initial packet from 127.0.0.1:16000, sid=80a32378 4339b898
Sun Nov  6 10:55:53 2005 VERIFY OK: depth=1, /C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain
Sun Nov  6 10:55:53 2005 VERIFY OK: depth=0, /C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server/emailAddress=me@myhost.mydomain
Sun Nov  6 10:55:54 2005 Data Channel Encrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Sun Nov  6 10:55:54 2005 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov  6 10:55:54 2005 Data Channel Decrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Sun Nov  6 10:55:54 2005 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov  6 10:55:54 2005 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Nov  6 10:55:54 2005 [Test-Server] Peer Connection Initiated with 127.0.0.1:16000
Sun Nov  6 10:55:56 2005 Initialization Sequence Completed
Sun Nov  6 10:56:04 2005 TLS: soft reset sec=0 bytes=945/0 pkts=18/0
Sun Nov  6 10:56:05 2005 VERIFY OK: depth=1, /C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain
Sun Nov  6 10:56:05 2005 VERIFY OK: depth=0, /C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server/emailAddress=me@myhost.mydomain
Sun Nov  6 10:56:06 2005 Data Channel Encrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Sun Nov  6 10:56:06 2005 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov  6 10:56:06 2005 Data Channel Decrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Sun Nov  6 10:56:06 2005 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov  6 10:56:06 2005 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Nov  6 10:56:16 2005 TLS: soft reset sec=0 bytes=945/0 pkts=18/0
Sun Nov  6 10:56:17 2005 VERIFY OK: depth=1, /C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain
Sun Nov  6 10:56:17 2005 VERIFY OK: depth=0, /C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server/emailAddress=me@myhost.mydomain
Sun Nov  6 10:56:18 2005 Data Channel Encrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Sun Nov  6 10:56:18 2005 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov  6 10:56:18 2005 Data Channel Decrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Sun Nov  6 10:56:18 2005 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov  6 10:56:18 2005 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Nov  6 10:56:28 2005 TLS: soft reset sec=0 bytes=945/0 pkts=18/0
(...)
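The checker below is an added example, not part of the original how-to: it parses the two loopback configs shown above (copied here as constructed strings), verifies that the two sides mirror each other, and flags the weaknesses that the WARNING lines in the logs point at: --ping without --ping-restart/--ping-exit, no server certificate verification method on the client, and the 64-bit block cipher DES-EDE3-CBC. The options ns-cert-type and remote-cert-tls are real OpenVPN options; suggesting AES-256-CBC as the replacement cipher is my choice, not the page's.

```python
# Constructed copies of the page's two loopback configs (same options, same order).
SERVER_CONF = "\n".join(["rport 16001", "lport 16000", "proto tcp-server", "remote localhost",
    "local localhost", "dev null", "verb 3", "reneg-sec 10", "tls-server", "dh dh1024.pem",
    "ca tmp-ca.crt", "key server.key", "cert server.crt", "cipher DES-EDE3-CBC", "ping 1", "inactive 120"])
CLIENT_CONF = "\n".join(["rport 16000", "lport 16001", "proto tcp-client", "remote localhost",
    "local localhost", "dev null", "verb 3", "reneg-sec 10", "tls-client",
    "ca tmp-ca.crt", "key client.key", "cert client.crt", "cipher DES-EDE3-CBC", "ping 1", "inactive 120"])

# 64-bit block ciphers: acceptable for a loopback test, not for a production tunnel.
WEAK_CIPHERS = {"DES-EDE3-CBC", "DES-CBC", "BF-CBC"}


def parse_openvpn_conf(text):
    """Parse an OpenVPN config into {option: [args]}; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            name, *args = line.split()
            opts[name] = args
    return opts


def check_loopback_pair(server_text, client_text):
    """Return findings: pairing mistakes plus the weaknesses the log WARNING lines point at."""
    s, c = parse_openvpn_conf(server_text), parse_openvpn_conf(client_text)
    findings = []
    # The two sides must mirror each other's ports and roles.
    if s.get("lport") != c.get("rport") or s.get("rport") != c.get("lport"):
        findings.append("ports: server lport/rport must mirror client rport/lport")
    if (s.get("proto"), c.get("proto")) != (["tcp-server"], ["tcp-client"]):
        findings.append("proto: expected tcp-server on the server and tcp-client on the client")
    if "tls-server" not in s or "tls-client" not in c:
        findings.append("tls: server needs tls-server, client needs tls-client")
    elif "dh" not in s:
        findings.append("server: tls-server requires dh <file>")
    for role, o in (("server", s), ("client", c)):
        if "ping" in o and not ("ping-restart" in o or "ping-exit" in o):
            findings.append(f"{role}: ping without ping-restart/ping-exit (dead peer never detected)")
        cipher = (o.get("cipher") or [""])[0]
        if cipher in WEAK_CIPHERS:
            findings.append(f"{role}: 64-bit block cipher {cipher}; prefer AES-256-CBC")
    # Without one of these the client accepts any certificate signed by the CA as 'the server'.
    if not any(k in c for k in ("ns-cert-type", "remote-cert-tls", "tls-verify")):
        findings.append("client: no server certificate verification method; "
                        "add 'ns-cert-type server' (2.0) or 'remote-cert-tls server' (2.1+)")
    return findings
```

Run against the page's configs it reports five findings, each matching a warning or weakness visible in the log output above.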
TLS Error: Unroutable control packet received from 127.0.0.1:16000 (si=3 op=P_ACK_V1)

In this specific case, an iptables rule was blocking all UDP traffic.

VERIFY ERROR: depth=1, error=certificate is not yet valid: (...)

In this one, the system date was set to 01/01/1970.