Openvpn

OpenVPN is a VPN (Virtual Private Network) system. ASUS provides a PPTP-type VPN server in the GUI, but it can have networking and security issues, so I prefer OpenVPN.

Unfortunately, the ASUS supplied kernel doesn't include a "tun" module (at least as of version 3.0.0.4.364), so we need to make one first.

Building a TUN module

<Raw brain dump - needs tidying.>

  1. Download the GPL sources and unpack them.
  2. Add a config_base_dsl-n56u like the config_base one, but with “CONFIG_TUN=m”.
  3. Remove hw_nat and spectrum from src/router/Makefile (their files seemed to be missing from the original tarball).
  4. Replace the tun.c from the released source with a better version (vanilla 2.6.22.19), one that compiles!
    1. E.g. the one in https://code.google.com/p/wl500g/downloads/detail?name=linux-2.6.22.19.tar.bz2&can=1&q=
  5. Go into release/src-ra and run make dsl-n55u.
  6. Grab the tun.ko when you have it and copy it to the device.
  7. insmod it and run lsmod to check that it loaded, to be sure all's OK.

… Or nick the one I've attached as a File to this wiki page (see the "Files" link at the bottom), which should work for 3.0.0.4.364 and likely a few other firmware releases.

Installing OpenVPN

To install it from Optware get a command line on the router and enter:

ipkg install openvpn

Now you need to make the new tun.ko module get insmod'ed automatically on every reboot, by altering the startup script.

  1. The ASUS scripts don't create a directory at /opt/lib/modules, but that seems a good place to store the module: create the directory and copy the "tun.ko" file there.
  2. Edit the file /opt/etc/init.d/S20openvpn and change the module loading line "insmod /opt/lib/modules/tun.o" so that it loads "tun.ko" instead (the filename extension for kernel modules changed from "o" to "ko" between Linux 2.4 and 2.6).

Configuring OpenVPN

There are lots of sample scripts and guides on the Internet, and sample confs shipped with the package, so I won't go into great detail; however:

  • The S20openvpn script loads the kernel module but doesn't actually start any OpenVPN instances by default. You are expected to edit the script (or another mechanism such as xinetd) to automate running openvpn.
  • ASUS have created a group "nobody" but it doesn't work: comment out any "group nobody" or "group nogroup" directives you see recommended in example conf files.
    • … but "user nobody" works fine.
  • Look for any warnings in the system log, available at http://router.asus.com/Main_LogStatus_Content.asp
  • Make sure any secret key files are chmod 0600 to avoid some warnings.
  • The iptables firewall makes it difficult to listen for incoming traffic when trying to make the router act as a server. I use the rules below to allow incoming UDP traffic on port 1194 (the default/assigned port for OpenVPN servers):
iptables -t nat -I PREROUTING -i ppp0 -p udp --dport 1194 -j ACCEPT
iptables -I INPUT -i ppp0 -p udp --dport 1194 -j ACCEPT
  • Similarly, allowing the "tun0" network interface to be reached by other hosts on the local network requires more work:
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT

I'm not experienced with iptables incantations, so am prepared for someone else to point out some security issues or better ways of doing the above - please let me know!

Example S20openvpn modification

The following works for me to create one outgoing and one incoming point-to-point link.

Delete the return statement and the example openvpn daemon call, then add the following just before the EOF marker:

# Open up firewalls (insert the rules once; skipped if a tun+ rule already exists)
if iptables-save | grep -qF "tun+"
then
  echo "iptables already set up"
else
  # The nat ACCEPT only keeps the port out of DNAT port-forwarding; the INPUT rule admits the packets
  iptables -t nat -I PREROUTING -i ppp0 -p udp --dport 1194 -j ACCEPT
  iptables -I INPUT -i ppp0 -p udp --dport 1194 -j ACCEPT
  iptables -I INPUT -i tun+ -j ACCEPT
  iptables -I FORWARD -i tun+ -j ACCEPT
fi

# Bridge to remote VPN server
# (client.conf and server.conf need a "daemon" directive, or add --daemon here,
#  otherwise the first openvpn call blocks and the second never runs)
/opt/sbin/openvpn --cd /opt/etc/openvpn --config client.conf

# Allow remote client to connect back to me
/opt/sbin/openvpn --cd /opt/etc/openvpn --config server.conf

# [EOF]

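The single grep for "tun+" above skips all four rules as soon as any tun+ rule exists, and iptables-save prints "-p udp --dport 1194" as "-p udp -m udp --dport 1194", so a per-rule check has to use the saved form. The following is an added example (not the wiki's S20openvpn) that checks each rule separately against an iptables-save dump; it assumes the ppp0 WAN interface and port 1194 used above.

```shell
#!/bin/sh
# Added example, not the wiki's S20openvpn: check each firewall rule separately
# against iptables-save instead of one grep for "tun+". Assumes ppp0 and 1194.
WAN_IF=ppp0
OVPN_PORT=1194

# Required rules, one per line: "<table> <chain> <rule-spec>". The spec is written
# the way iptables-save prints it ("-p udp" becomes "-p udp -m udp"); a plain copy
# of the command line would never match the saved form, so the rule would be
# re-inserted on every boot. The nat PREROUTING ACCEPT only exempts the port from
# DNAT port-forwarding; the filter INPUT rule is what actually admits the packets.
required_rules() {
  cat <<EOF
nat PREROUTING -i $WAN_IF -p udp -m udp --dport $OVPN_PORT -j ACCEPT
filter INPUT -i $WAN_IF -p udp -m udp --dport $OVPN_PORT -j ACCEPT
filter INPUT -i tun+ -j ACCEPT
filter FORWARD -i tun+ -j ACCEPT
EOF
}

# Read an iptables-save dump on stdin; print each required rule that is absent.
# Rules are matched within their own table ("*nat" / "*filter" headers).
missing_rules() {
  present=$(awk '/^\*/ { tbl = substr($0, 2); next }
                 /^-A / { print tbl " " $0 }')
  required_rules | while read -r table chain spec; do
    printf '%s\n' "$present" | grep -qxF -- "$table -A $chain $spec" ||
      printf '%s %s %s\n' "$table" "$chain" "$spec"
  done
}

# Turn missing-rule lines (stdin) into the iptables commands that insert them.
rule_commands() {
  while read -r table chain spec; do
    printf 'iptables -t %s -I %s %s\n' "$table" "$chain" "$spec"
  done
}

# On the router (e.g. from S20openvpn): sh this-script --apply
if [ "${1-}" = "--apply" ]; then
  iptables-save | missing_rules | rule_commands | sh
fi
```

Run with --apply on the router to insert only the rules that are missing; without it the functions are just defined, so the file can also be sourced from S20openvpn.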
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License