Tuesday, February 23, 2010

OpenVPN

Kernel config

Device Drivers --->
[*] Network device support --->
<M> Universal TUN/TAP device driver support


Ethernet Bridging
http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html


  1. Start from server.conf or client.conf in /usr/share/doc/openvpn/examples/sample-config-files/, and copy the bridge-start and bridge-stop scripts from http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html#linuxscript
    Changes to server.conf and bridge-start:
    diff --git a/bridge-start b/bridge-start
    index bfbbdc5..b77510a 100755
    --- a/bridge-start
    +++ b/bridge-start
    @@ -15,9 +15,9 @@ tap="tap0"
    # Define physical ethernet interface to be bridged
    # with TAP interface(s) above.
    eth="eth0"
    -eth_ip="192.168.8.4"
    -eth_netmask="255.255.255.0"
    -eth_broadcast="192.168.8.255"
    +eth_ip="10.1.1.23"
    +eth_netmask="255.0.0.0"
    +eth_broadcast="10.255.255.255"

    for t in $tap; do
    openvpn --mktun --dev $t
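    Review bot: eth_ip/eth_netmask here must match the gateway and netmask passed to server-bridge in server.conf, because the bridge takes over this address and OpenVPN pushes it to clients as route-gateway; in this patch they agree (10.1.1.23 / 255.0.0.0). A /8 netmask also makes all of 10.0.0.0 one broadcast domain on the bridge, so confirm the physical LAN really is configured as a /8 rather than a /24 like the values being replaced.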
    diff --git a/server.conf b/server.conf
    index a439520..6aa3cb2 100644
    --- a/server.conf
    +++ b/server.conf
    @@ -49,8 +49,8 @@ proto udp
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    -;dev tap
    -dev tun
    +dev tap0
    +;dev tun

    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel if you
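    Review bot: `dev tap0` rather than plain `dev tap` is the right choice on the server, since bridge-start creates tap0 with `openvpn --mktun --dev $t` and adds it to the bridge, and OpenVPN must attach to that already-bridged interface instead of allocating a fresh one. Keep this name in sync with `tap="tap0"` in bridge-start if either file is changed later.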
    @@ -93,7 +93,7 @@ dh dh1024.pem
    # Each client will be able to reach the server
    # on 10.8.0.1. Comment this line out if you are
    # ethernet bridging. See the man page for more info.
    -server 10.8.0.0 255.255.255.0
    +;server 10.8.0.0 255.255.255.0

    # Maintain a record of client <-> virtual IP address
    # associations in this file. If OpenVPN goes down or
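    Review bot: commenting out `server` is required in bridge mode, as the surrounding comment says, because `server` implies a routed subnet with its own ifconfig pool; `server-bridge` in the next hunk takes over address assignment. Worth checking that no remaining `route` or `push "route ..."` lines still refer to the old 10.8.0.0/24 subnet.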
    @@ -112,7 +112,7 @@ ifconfig-pool-persist ipp.txt
    # (start=10.8.0.50 end=10.8.0.100) to allocate
    # to connecting clients. Leave this line commented
    # out unless you are ethernet bridging.
    -;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
    +server-bridge 10.1.1.23 255.0.0.0 10.1.101.100 10.1.101.200

    # Configure server mode for ethernet bridging
    # using a DHCP-proxy, where clients talk
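    Review bot: the pool 10.1.101.100-10.1.101.200 sits inside 10.0.0.0/8 as it must, but it also has to be excluded from any DHCP server on the LAN, otherwise a LAN host and a VPN client can be handed the same address. The `ifconfig-pool-persist ipp.txt` line in the hunk header still applies and will pin clients to addresses from this range across restarts.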

    client.conf
    diff --git a/rootfs/root/client.conf b/rootfs/root/client.conf
    index a5f5074..ee47af9 100644
    --- a/rootfs/root/client.conf
    +++ b/rootfs/root/client.conf
    @@ -20,8 +20,8 @@ client
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    -;dev tap
    -dev tun
    +dev tap
    +;dev tun

    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel
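    Review bot: the client can keep the generic `dev tap` because it does not bridge locally and any TAP name will do; only the server needs the fixed tap0. The device type must still match the server's (tap, not tun), otherwise OpenVPN warns that dev-type is used inconsistently and the link will not carry traffic.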
    @@ -39,7 +39,7 @@ proto udp
    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    -remote my-server-1 1194
    +remote 172.20.20.1 1194
    ;remote my-server-2 1194

    # Choose a random host from the remote
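    Review bot: 172.20.20.1 is the server's transport address (the one the client log later reports under "UDPv4 link remote"), not the bridged LAN address 10.1.1.23; only UDP/1194 on 172.20.20.1 has to be reachable before the tunnel is up. The leftover `;remote my-server-2 1194` placeholder could be deleted to avoid confusion.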
  2. Generate the certificates and keys
    cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
    source ./vars                         # edit vars first if the certificate fields need changing
    ./clean-all                           # removes ./keys/
    ./build-ca                            # generate the CA certificate and key, ./keys/ca.*
    ./build-key-server server             # generate the server certificate and key
    ./build-dh                            # generate the Diffie-Hellman parameters
    openvpn --genkey --secret keys/ta.key # generate the tls-auth key
    ./build-key client                    # generate the client certificate and key
  3. Change to /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys (where the generated files are) and run:
    Start server:
    bridge-start; openvpn path/to/your/server.conf

    Stop server:
    killall openvpn; bridge-stop

    Start client:
    openvpn path/to/your/client.conf
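As an added check (not part of the original post or of OpenVPN's own scripts), the following Python cross-checks the values that must agree between bridge-start and server.conf after the edits in step 1: the TAP name, the disabled `server` line, and that server-bridge's gateway/netmask equal eth_ip/eth_netmask with the client pool inside that subnet. The function names and the embedded excerpts are constructed for this example.

```python
import ipaddress
import re

# Constructed excerpts carrying the values the patched bridge-start and
# server.conf above show; the files themselves are not copied here.
BRIDGE_START = """
tap="tap0"
eth_ip="10.1.1.23"
eth_netmask="255.0.0.0"
"""
SERVER_CONF = """
dev tap0
;dev tun
;server 10.8.0.0 255.255.255.0
server-bridge 10.1.1.23 255.0.0.0 10.1.101.100 10.1.101.200
"""

def shell_vars(text):
    """Collect name="value" assignments from a bridge-start style script."""
    return dict(re.findall(r'^\s*(\w+)="([^"]*)"', text, re.M))

def active_directives(text):
    """Uncommented OpenVPN directives as {name: [args]}; ';' and '#' lines are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in ';#':
            parts = line.split()
            out.setdefault(parts[0], parts[1:])
    return out

def check_bridge_config(bridge_start, server_conf):
    """Return a list of problems; an empty list means the two files agree."""
    v, d, problems = shell_vars(bridge_start), active_directives(server_conf), []
    if (d.get('dev') or [None])[0] != v.get('tap'):
        problems.append('dev must name the TAP device bridge-start creates: %s' % v.get('tap'))
    if 'server' in d:
        problems.append('"server" must be commented out when bridging')
    sb = d.get('server-bridge')
    if not sb or len(sb) != 4:
        problems.append('server-bridge GATEWAY NETMASK POOL_START POOL_END is required')
        return problems
    gw, mask, start, end = sb
    if (gw, mask) != (v.get('eth_ip'), v.get('eth_netmask')):
        problems.append('server-bridge gateway/netmask differ from eth_ip/eth_netmask')
    net = ipaddress.ip_network('%s/%s' % (gw, mask), strict=False)   # 10.0.0.0/8 here
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if not (s in net and e in net and s <= e):
        problems.append('client pool %s-%s is not inside %s' % (start, end, net))
    return problems
```

Run it against the real files by reading them into the two strings; any message returned points at a line to fix before starting bridge-start.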


Server side log:
Fri Feb 26 17:44:25 2010 OpenVPN 2.1_rc19 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 13 2009
Fri Feb 26 17:44:25 2010 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Fri Feb 26 17:44:25 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Feb 26 17:44:25 2010 Diffie-Hellman initialized with 1024 bit key
Fri Feb 26 17:44:25 2010 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Fri Feb 26 17:44:25 2010 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Feb 26 17:44:25 2010 TUN/TAP device tap0 opened
Fri Feb 26 17:44:25 2010 TUN/TAP TX queue length set to 100
Fri Feb 26 17:44:25 2010 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Feb 26 17:44:25 2010 Socket Buffers: R=[114688->131072] S=[114688->131072]
Fri Feb 26 17:44:25 2010 UDPv4 link local (bound): [undef]:1194
Fri Feb 26 17:44:25 2010 UDPv4 link remote: [undef]
Fri Feb 26 17:44:25 2010 MULTI: multi_init called, r=256 v=256
Fri Feb 26 17:44:25 2010 IFCONFIG POOL: base=10.8.0.50 size=51
Fri Feb 26 17:44:25 2010 IFCONFIG POOL LIST
Fri Feb 26 17:44:25 2010 Initialization Sequence Completed



Client side log:
Fri Feb 26 20:46:55 2010 OpenVPN 2.1_rc18 arm-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Feb 26 2010
Fri Feb 26 20:46:55 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Feb 26 20:46:55 2010 LZO compression initialized
Fri Feb 26 20:46:55 2010 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Feb 26 20:46:55 2010 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Feb 26 20:46:55 2010 Local Options hash (VER=V4): 'd79ca330'
Fri Feb 26 20:46:55 2010 Expected Remote Options hash (VER=V4): 'f7df56b8'
Fri Feb 26 20:46:55 2010 Socket Buffers: R=[112640->131072] S=[112640->131072]
Fri Feb 26 20:46:55 2010 UDPv4 link local: [undef]
Fri Feb 26 20:46:55 2010 UDPv4 link remote: 172.20.20.1:1194
Fri Feb 26 20:46:55 2010 TLS: Initial packet from 172.20.20.1:1194, sid=ac8f4fc8 695625be
Fri Feb 26 20:46:55 2010 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@myhost.mydomain
Fri Feb 26 20:46:55 2010 VERIFY OK: nsCertType=SERVER
Fri Feb 26 20:46:55 2010 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain
Fri Feb 26 20:46:55 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Feb 26 20:46:55 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 26 20:46:55 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Feb 26 20:46:55 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 26 20:46:55 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Feb 26 20:46:55 2010 [server] Peer Connection Initiated with 172.20.20.1:1194
Fri Feb 26 20:46:57 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri Feb 26 20:46:57 2010 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.1.1.23,ping 10,ping-restart 120,ifconfig 10.1.101.100 255.0.0.0'
Fri Feb 26 20:46:57 2010 OPTIONS IMPORT: timers and/or timeouts modified
Fri Feb 26 20:46:57 2010 OPTIONS IMPORT: --ifconfig/up options modified
Fri Feb 26 20:46:57 2010 OPTIONS IMPORT: route-related options modified
Fri Feb 26 20:46:57 2010 TUN/TAP device tap0 opened
Fri Feb 26 20:46:57 2010 TUN/TAP TX queue length set to 100



Client connection failed with:

Wed Dec 31 17:15:16 1969 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 31 17:15:16 1969 Re-using SSL/TLS context
Wed Dec 31 17:15:16 1969 Control Channel MTU parms [ L:1573 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 31 17:15:16 1969 Data Channel MTU parms [ L:1573 D:1450 EF:41 EB:4 ET:32 EL:0 ]
Wed Dec 31 17:15:16 1969 Local Options hash (VER=V4): '2c50bd2c'
Wed Dec 31 17:15:16 1969 Expected Remote Options hash (VER=V4): '0ddbb6e3'
Wed Dec 31 17:15:16 1969 Socket Buffers: R=[112640->131072] S=[112640->131072]
Wed Dec 31 17:15:16 1969 UDPv4 link local: [undef]
Wed Dec 31 17:15:16 1969 UDPv4 link remote: 172.20.20.1:1194
Wed Dec 31 17:15:16 1969 TLS: Initial packet from 172.20.20.1:1194, sid=ca5eb197 b60ea9fa
Wed Dec 31 17:15:16 1969 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@myhost.mydomain
Wed Dec 31 17:15:16 1969 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Dec 31 17:15:16 1969 TLS Error: TLS object -> incoming plaintext read error
Wed Dec 31 17:15:16 1969 TLS Error: TLS handshake failed
Wed Dec 31 17:15:16 1969 TCP/UDP: Closing socket
Wed Dec 31 17:15:16 1969 SIGUSR1[soft,tls-error] received, process restarting
Wed Dec 31 17:15:16 1969 Restart pause, 2 second(s)

Re: [Openvpn-users] Help with OpenVPN & DD-WRT
http://openvpn.net/archive/openvpn-users/2006-08/msg00091.html
- check the current time on the DD-WRT
- use openssl to check the contents (including the validity dates) of the certificate:
openssl x509 -in certfile.pem -noout -text
In my case, the time on my device was not set properly.
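The failed run above is recognisable from the log alone: every line is stamped Wed Dec 31 1969, i.e. the device clock is at the Unix epoch, so "certificate is not yet valid" is a clock problem rather than a certificate problem. The following Python, added here as an example and not taken from the post or from OpenVPN, parses such log lines and separates the two cases; the log excerpt is constructed in the shape of the one above and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed excerpt in the shape of the failed client run above (the
# Fort-Funston names are the easy-rsa sample defaults the page's logs show).
FAILED_LOG = """\
Wed Dec 31 17:15:16 1969 TLS: Initial packet from 172.20.20.1:1194, sid=ca5eb197 b60ea9fa
Wed Dec 31 17:15:16 1969 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=US/ST=CA/O=Fort-Funston/CN=Fort-Funston_CA
Wed Dec 31 17:15:16 1969 TLS Error: TLS handshake failed
"""

# OpenVPN 2.1 prefixes each line with a ctime(3)-style timestamp.
LINE_RE = re.compile(r'^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$')
VERIFY_RE = re.compile(r'VERIFY ERROR: depth=(\d+), error=(certificate is not yet valid|certificate has expired)')

def parse_line(line):
    """Split one log line into (datetime, message); None if it has no timestamp."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), '%a %b %d %H:%M:%S %Y'), m.group(2)

def diagnose(log_text, min_plausible_year=2005):
    """Return a dict describing the first certificate-validity failure, or None.

    verdict 'clock': the device's own clock is implausible (here stuck at the
    1970 epoch, as on a router without a battery-backed RTC), so the
    certificate dates cannot be judged and the fix is to set the time.
    verdict 'certificate': the clock looks sane, so the certificate itself is
    outside its validity window and must be reissued or replaced.
    """
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        stamp, msg = parsed
        m = VERIFY_RE.search(msg)
        if m is None:
            continue
        verdict = 'clock' if stamp.year < min_plausible_year else 'certificate'
        return {'verdict': verdict, 'depth': int(m.group(1)),
                'reason': m.group(2), 'logged_at': stamp}
    return None
```

depth=1 in the result means the CA certificate failed the date check, depth=0 the server certificate; with a 'clock' verdict neither should be reissued until the device time is corrected and the connection retried.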


Community Software Overview
http://openvpn.net/index.php/open-source.html

OpenVPN - Downloads
http://openvpn.net/index.php/open-source/downloads.html

HOWTO
http://openvpn.net/index.php/open-source/documentation/howto.html

Determining whether to use a routed or bridged VPN
http://openvpn.net/index.php/open-source/documentation/howto.html#vpntype

OpenVPN deployment guide
http://www.study-area.org/tips/openvpn.html

[wiki] OpenVPN
http://en.wikipedia.org/wiki/OpenVPN

Building a VPN with OpenVPN
http://www.cdchen.idv.tw/node/963

Using OpenVPN
http://macblog2.blogspot.com/2005/06/openvpn.html

OpenVPN GUI for Windows
http://openvpn.se/
