While you are away from home it is sometimes necessary to access files on the home file server. To protect it, the server is not directly reachable from the web. We will see here how to create a secure connection from the web to your OpenWRT box, so that you can work as if you were at home.
Installation of OpenVPN
For this we will install an OpenVPN server that will allow us to create a Virtual Private Network. Just install the openvpn package with the web interface or with the help of opkg on the command line.
To work, OpenVPN needs several keys and certificates. To handle this, the OpenVPN community provides a set of scripts to easily create everything that is needed: easy-rsa. You can install the openvpn-easy-rsa package on your OpenWRT box, or download easy-rsa from the web on your Unix computer to save space on
Keys and certificates creation
Go inside the easy-rsa folder (/etc/easy-rsa/ on OpenWRT). First edit the vars file inside easy-rsa to fit your requirements:
export KEY_COUNTRY="FR"
export KEY_PROVINCE="FR"
export KEY_CITY="Paris"
export KEY_ORG="At Home"
Then create the keys that are needed to sign all the keys and certificates generated afterwards:
./clean-all
./build-ca
./build-dh
Create the server key and certificate:
Copy to the OpenVPN folder of the OpenWRT box the server files that were generated in the
cp ca.crt ca.key dh1024.pem my_server_name.crt my_server_name.key /etc/openvpn/
ca.crt is the Certificate Authority (CA) certificate. The corresponding key is used to sign all the certificates and keys, and the certificate allows checking the validity of any certificate that is presented.
dh1024.pem contains the Diffie-Hellman parameters for the server side of an SSL/TLS connection.
my_server_name.key is the key used by the server to decrypt the messages from the client.
my_server_name.crt is the certificate that the server provides to the client to allow it to encrypt the connection. It is signed by the CA to prove that it is coming from the server.
Then, for each user, create the corresponding key and certificate:
./build-key user1
./build-key user2
Give each user the generated files: ca.crt, user_name.key and user_name.crt. These are the only files they need.
Open the correct port in your firewall
You must open port 1194 in the firewall to allow OpenVPN connections from the WAN. You can do it through the web interface or by editing the
config 'rule'
    option 'target' 'ACCEPT'
    option 'dest_port' '1194'
    option 'src' 'wan'
    option 'proto' 'tcpudp'
    option 'family' 'ipv4'
Do not forget to reload the firewall rules if you modify them on the command line:
The configuration of OpenVPN is set in
config 'openvpn' 'lan'
    option 'enable' '1'
    option 'port' '1194'
    option 'proto' 'udp'
    option 'dev' 'tap0'
    # these paths must match the files copied to /etc/openvpn/ above
    option 'ca' '/etc/openvpn/ca.crt'
    option 'cert' '/etc/openvpn/my_server_name.crt'
    option 'key' '/etc/openvpn/my_server_name.key'
    option 'dh' '/etc/openvpn/dh1024.pem'
    option 'ifconfig_pool_persist' '/tmp/ipp.txt'
    option 'keepalive' '10 120'
    option 'comp_lzo' '1'
    option 'persist_key' '1'
    option 'persist_tun' '1'
    option 'status' '/tmp/openvpn-status.log'
    option 'verb' '3'
    option 'server_bridge' '192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.219'
This configuration will allow the client to be part of the network handled by the OpenWRT box. It will get an IP in the range 192.168.1.200 to 192.168.1.219.
To prevent a local client from getting an IP in that range, we can modify the /etc/config/dhcp file to restrict the attribution of IPs to a non-overlapping range. Modify the lan section of that file as follows:
config 'dhcp' 'lan'
    option 'interface' 'lan'
    option 'ignore' '0'
    option 'start' '50'
    option 'limit' '150'
The local clients will only get an IP in the range 192.168.1.50 to 192.168.1.150.
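The following script is an added example, not part of the original post: it reads the start/limit values from the dhcp section and the server_bridge pool from the openvpn section (constructed copies of the two sections above) and checks that a LAN host and a VPN client can never be handed the same address. It assumes the /24 LAN used on this page, and that OpenWRT's limit is the size of the lease pool, so the last leased address is start + limit - 1.

```shell
#!/bin/sh
# Added example (not the post's own code): verify that the dnsmasq lease pool
# and the OpenVPN server_bridge pool are disjoint. Assumes a /24 LAN, so only
# the last octet matters, and that 'limit' is a pool size, not an end address.

# Constructed copies of the two config sections discussed in the post.
DHCP_CFG="config 'dhcp' 'lan'
    option 'interface' 'lan'
    option 'start' '50'
    option 'limit' '150'"

VPN_CFG="config 'openvpn' 'lan'
    option 'server_bridge' '192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.219'"

# uci_opt NAME CONFIG -> value of the line "option 'NAME' '...'" in CONFIG
uci_opt() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*option '$1' '\(.*\)'$/\1/p"
}

last_octet() { echo "${1##*.}"; }

# dhcp_range START LIMIT -> "first last" host octets of the dnsmasq lease pool
dhcp_range() {
    echo "$1 $(( $1 + $2 - 1 ))"
}

# vpn_range SERVER_BRIDGE_VALUE -> "first last" host octets of the VPN pool
vpn_range() {
    set -- $1            # gateway netmask pool_start pool_end
    echo "$(last_octet "$3") $(last_octet "$4")"
}

# ranges_overlap A_FIRST A_LAST B_FIRST B_LAST -> exit status 0 if they overlap
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

check_pools() {
    set -- $(dhcp_range "$(uci_opt start "$DHCP_CFG")" "$(uci_opt limit "$DHCP_CFG")") \
           $(vpn_range "$(uci_opt server_bridge "$VPN_CFG")")
    echo "dhcp pool: .$1-.$2  vpn pool: .$3-.$4"
    if ranges_overlap "$1" "$2" "$3" "$4"; then
        echo "OVERLAP: a LAN host and a VPN client could get the same address"
        return 1
    fi
    echo "OK: the two pools are disjoint"
}

check_pools
```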
Restart dnsmasq so it takes the change into account:
You can start the server with the following command:
To have it start automatically when the OpenWRT box boots, just run the following command:
Bridging of the interfaces
To link the OpenVPN tunnel to the LAN, we need to bridge the interfaces. It can be done in the web interface or in the /etc/config/network file. In the lan section, add tap0 to the list of bridged interfaces (the ifname option):
config 'interface' 'lan'
    option 'type' 'bridge'
    option 'proto' 'static'
    option 'ipaddr' '192.168.1.1'
    option 'netmask' '255.255.255.0'
    option '_orig_ifname' 'eth0.0 wl0'
    option '_orig_bridge' 'true'
    option 'ifname' 'eth0.0 tap0'
Now that the OpenVPN server is running, we just have to connect to it. In addition to their personal key and certificate and the CA certificate, the user also needs a configuration file. It should look like the following:
# OpenVPN on bridge OpenWRT client
tls-client
# Which device to use
dev tap
# Which protocol
proto udp
# The OpenWRT external address
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-tun
persist-key
# The keys and certificates to use
ca ca.crt
cert user1.crt
key user1.key
# Use compression
comp-lzo
;verb 3
Now you should be able to connect to your home network from the web.