Thursday 17 January 2008

Internet Gateway: OpenVPN & OpenWRT on Asus WL-500G Premium

Italian introduction (translated): due to outside pressure :) I find myself writing this guide in English. It is the "no breathing" summary of the steps to take to get the system working, step by step, without extensive explanations but complete (provided you use the same hardware/software configuration). Here we come!

This is a step-by-step "no breathing" (no deep explanations) guide on how to set up an OpenVPN gateway using OpenWRT (Kamikaze) on an Asus WL-500G Premium, to bypass the carrier's proxy/NAT restrictions. Many parts of this guide link to the official OpenWRT wiki or other external web sites: there is no reason to copy and paste something when someone else has already done the job.

Hardware Used:

Netgear DG834G (ADSL Router)
Asus WL-500G Premium (Router - OpenVPN Server)
HTC Touch Cruise P3650 (PocketPC running Windows Mobile 6)
PC running Windows XP PRO SP2 (used to flash the Asus firmware and as a terminal client; feel free to use any other OS)

Software Used:

OpenVPN 2.0.9 (Kamikaze ipkg package)
OpenVPN 2.0.9 (Windows Mobile port)
Putty running on Windows XP (free SSH client)

IPs used (adjust these to reflect your setup):

OpenVPN Server (Asus):
ADSL Router/Gateway (Netgear):
OpenVPN Client(s):
Carrier Proxy (Vodafone IT):

ADSL Router (Netgear) setup (it is just a port forward and you will not touch it again):

Forward TCP port 443 (the one we are going to use for OpenVPN) to the OpenVPN server (Asus) IP:
Save the setup and exit. From now on the whole Internet can reach the Asus on port 443, and the only thing between it and your LAN is the OpenVPN key: forward nothing else (SSH stays reachable from the LAN only).

OpenWRT installation on Asus WL-500G Premium :

Out of the box the router comes with the IP address of: so you have to adjust your client PC's IP to reach it (e.g. Default Gateway: ), or just use DHCP (the Asus has it enabled by default). Connect the router directly to your client PC.
The first step is optional but I suggest you do it: back up the original firmware of your router, instructions here (3.1):

Then download the latest Kamikaze release (make sure it is supported by your router) to your local PC; I used this:

Put your router into update mode:

- pull out the power cord;
- press the reset button with a pen (do not confuse it with the other small red button: the reset button is black and sits inside a hole, so you need a pen to press it);
- while it is pressed, plug the power cord back in;
- release the button after a few seconds and you will see the power LED start flashing.

Now use the official Asus Firmware Restoration utility to flash the router (you will find it on the CD that comes with the router). I assume you are using Windows (that utility does not run on any other OS); otherwise follow the link above and flash it using one of the other methods.
The router will reboot by itself. IMPORTANT: do not turn it off while flashing or you will brick it; if the router does not reboot by itself, wait AT LEAST 10 minutes before pulling the power cord.

Now you can telnet to the router at its IP address: . The first root login has no password, so set one right away (until you do, anyone on the same Ethernet segment can log in as root over telnet, which is why this is done while the router is cabled only to your PC):

root@OpenWrt:~# passwd

and type the new password twice when prompted (in this guide it is "mypassword"; the BusyBox passwd command takes a user name as its argument, not the password, so do not put the password on the command line). After that you will get disconnected, because from now on telnet is switched off and you must use SSH. So SSH back to it with Putty and log in as "root" / "mypassword".
You are now in your fresh new router OS, so the first thing to do is change its IP address to match your LAN subnet:

root@OpenWrt:~# uci set network.lan.ipaddr=""
root@OpenWrt:~# uci set network.lan.gateway=""
root@OpenWrt:~# uci set network.lan.netmask=""

root@OpenWrt:~# uci commit

You will get disconnected after this (if not, reboot the router with the command: reboot), since you changed the router's IP address and it is no longer on your PC's subnet. Now adjust your PC's IP address again (or just renew the DHCP lease): IP: Default Gateway: (ADSL Router). Unplug the Asus from your PC and connect one of its LAN ports (LAN 1-4, *NOT* the WAN port!) to an Ethernet port of your ADSL router, SSH to the new router IP: , log in again as root/mypassword and check that the Internet connection works:

root@OpenWrt:~# ping

WiFi is left disabled; I left it off since my ADSL router already provides WiFi. The WAN interface (and the DHCP service on it) is ignored from now on, as it is not used in this configuration. Two things to check at this point: if host names do not resolve on the router (the ipkg update below needs that), also set network.lan.dns to the ADSL router's address with uci, commit and reboot; and since the Asus runs its own DHCP server on the LAN side by default and now sits on the same segment as the Netgear's DHCP server, disable it (set option ignore 1 in the lan section of /etc/config/dhcp and restart dnsmasq) so the two do not hand out conflicting leases.

Now start installing the required packages; first update the package list:

root@OpenWrt:~# ipkg update

then (optional) install a more comfortable text editor (yeah, I'm not geek enough to use vi :) ):

root@OpenWrt:~# ipkg install nano

and OpenVPN (this also pulls in kmod-tun, the tun/tap kernel module that the bridge script below loads):

root@OpenWrt:~# ipkg install openvpn

Now it is time to configure everything on the server. You will find detailed instructions here:

create your OpenVPN folder:

root@OpenWrt:~# mkdir /etc/openvpn

and create your bridge startup script:

root@OpenWrt:~# nano /etc/openvpn/startupscript

with this content:

#!/bin/sh
# OpenVPN Bridge Config File
# Creates TAP devices for use by OpenVPN and bridges them into OpenWRT Bridge
# Taken from

# Define Bridge Interface
# Preexisting on OpenWRT
br="br-lan"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

case "$1" in
up)
    # Make sure module is loaded
    insmod tun
    # Build tap devices
    for t in $tap; do
        openvpn --mktun --dev $t
    done
    # Add TAP interfaces to OpenWRT bridge
    for t in $tap; do
        brctl addif $br $t
    done
    # Configure bridged interfaces
    for t in $tap; do
        ifconfig $t promisc up
    done
    ;;
down)
    # Tear down in reverse order: interface down, out of the bridge, remove device
    for t in $tap; do
        ifconfig $t down
    done
    for t in $tap; do
        brctl delif $br $t
    done
    for t in $tap; do
        openvpn --rmtun --dev $t
    done
    rmmod tun
    ;;
*)
    echo "$0 {up|down}"
    exit 1
    ;;
esac

Exit and save (CTRL+X, y). Look at the line br="br-lan": it differs from the script at the link above and is the name of the bridge interface on your router (the one holding the LAN ports); tap="tap0" matches the dev tap0 used in the server config below. Then make it executable:

root@OpenWrt:~# chmod +x /etc/openvpn/startupscript

Now edit your OpenVPN server config file:

root@OpenWrt:~# nano /etc/openvpn/server.ovpn

with this content:

proto tcp-server
port 443
dev tap0
secret /etc/openvpn/secret.key
keepalive 10 180

Exit and save. Two things to know about this config. With a static key OpenVPN runs in point-to-point mode, so the server side must say proto tcp-server (a plain proto tcp is rejected as ambiguous at start-up) and the phone side will say proto tcp-client. In that mode the server cannot push anything to the client, and directives such as push and max-clients (or server-bridge, which needs TLS) are only accepted together with --mode server, i.e. with certificates, so they do not belong here. Nothing is lost: since tap0 sits in the LAN bridge, the phone gets its address, gateway and DNS from the LAN DHCP server (the Netgear) through the tunnel, just like a wired client. keepalive 10 180 has to be set on the client too, since it is not pushed.
Now we are going to create the static key (I strongly suggest you move to proper certificates and keys later; there are detailed instructions available on how to generate server certificates/keys and individual client keys). A static key is a single shared secret with no forward secrecy: whoever has the file can join your LAN and decrypt captured traffic, so keep it readable by root only (mode 600) and copy it to the phone over a cable, not over the carrier network. Move to the openvpn folder and create it:

root@OpenWrt:~# cd /etc/openvpn
root@OpenWrt:~# openvpn --genkey --secret secret.key
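Before starting the daemon it is worth checking the config and the key for exactly the mistakes that bite in static-key mode (the points discussed above, and the --server-bridge/--secret clash reported in the comments below). The script that follows is an added example, not code from the original post or from the OpenVPN project: a small pre-flight check for the server config, plus the matching phone-side config. It runs on the router's BusyBox shell or any POSIX sh. Everything in it is constructed for the demo: the sample configs, the placeholder address 192.0.2.1, the host name vpn.example.org, the list of server-mode-only directives (taken from the OpenVPN 2.0.x manual, my reading of it) and the key written by write_demo_key, which has the right layout but no entropy and must never be used in place of openvpn --genkey.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight checks for a
# static-key OpenVPN server config and its key, run before starting openvpn.
# Sample configs, the 192.0.2.1 address, the host name and the key written by
# write_demo_key are constructed for this demo; that key has NO entropy.

# Directives OpenVPN 2.0.x accepts only in TLS server mode (--mode server,
# i.e. --server/--server-bridge with certificates), never next to --secret.
SERVER_ONLY="server server-bridge push max-clients client-to-client client-config-dir duplicate-cn"

# lint_static_key_config FILE: one line per problem on stdout; returns 0 when clean.
lint_static_key_config() {
    f="$1"; rc=0; has_secret=0
    while read -r opt rest; do
        case "$opt" in ''|'#'*|';'*) continue ;; esac   # blank line or comment
        [ "$opt" = "secret" ] && has_secret=1
        for s in $SERVER_ONLY; do
            [ "$opt" = "$s" ] && { echo "$opt: needs TLS server mode, cannot be combined with secret"; rc=1; }
        done
        if [ "$opt" = "proto" ]; then
            case "$rest" in
                tcp) echo "proto tcp: ambiguous in point-to-point mode, use tcp-server here and tcp-client on the phone"; rc=1 ;;
                udp|tcp-server|tcp-client) ;;
                *) echo "proto $rest: unknown protocol"; rc=1 ;;
            esac
        fi
    done < "$f"
    [ "$has_secret" = 1 ] || { echo "no secret directive: this is not a static-key config"; rc=1; }
    return $rc
}

# check_secret_key FILE: must be private (mode 600) and shaped like the output
# of `openvpn --genkey`: 16 lines of 32 hex chars between the BEGIN/END markers.
check_secret_key() {
    f="$1"; rc=0
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || { echo "$f: readable by group/other, chmod 600 it"; rc=1; }
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$f" || { echo "$f: BEGIN marker missing"; rc=1; }
    grep -q '^-----END OpenVPN Static key V1-----$' "$f" || { echo "$f: END marker missing"; rc=1; }
    n=$(grep -c '^[0-9a-f]\{32\}$' "$f" || true)
    [ "$n" -eq 16 ] || { echo "$f: expected 16 hex lines (2048 bits), found $n"; rc=1; }
    return $rc
}

# client_config_for HOST PORT: the matching phone-side config. Nothing is
# pushed in static-key mode; over the TAP bridge the phone takes address,
# gateway and DNS from the LAN DHCP server, like a wired client.
client_config_for() {
    printf 'remote %s %s\nproto tcp-client\ndev tap\nsecret secret.key\nkeepalive 10 180\n' "$1" "$2"
}

# Constructed samples: server.ovpn as printed in the post, and the corrected one.
write_posted_config() {
    printf '%s\n' 'proto tcp' 'port 443' 'dev tap0' 'secret /etc/openvpn/secret.key' \
        'push "dhcp-option DNS 192.0.2.1"' 'keepalive 10 180' 'push "keepalive 10 180"' 'max-clients 3' > "$1"
}
write_fixed_config() {
    printf '%s\n' 'proto tcp-server' 'port 443' 'dev tap0' 'secret /etc/openvpn/secret.key' 'keepalive 10 180' > "$1"
}
# Placeholder key with the right layout only (deterministic bytes, zero entropy).
write_demo_key() {
    {
        printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' '-----BEGIN OpenVPN Static key V1-----'
        i=0; while [ $i -lt 16 ]; do printf '%032x\n' $((0x1234567 * (i + 1))); i=$((i + 1)); done
        printf '%s\n' '-----END OpenVPN Static key V1-----'
    } > "$1"
}

# problem_count FILE: number of lint findings (handy in scripts).
problem_count() { lint_static_key_config "$1" | grep -c . || true; }

demo() {
    d=$(mktemp -d)
    write_posted_config "$d/posted.ovpn"; write_fixed_config "$d/fixed.ovpn"
    ( umask 077; write_demo_key "$d/secret.key" )
    echo "== server.ovpn as printed in the post:"; lint_static_key_config "$d/posted.ovpn" || true
    echo "== corrected server.ovpn:"; lint_static_key_config "$d/fixed.ovpn" && echo ok
    echo "== secret.key:"; check_secret_key "$d/secret.key" && echo ok
    echo "== client side:"; client_config_for vpn.example.org 443
    rm -rf "$d"
}
demo
```

On the router you would run lint_static_key_config /etc/openvpn/server.ovpn and check_secret_key /etc/openvpn/secret.key against the real files: the posted config yields four findings (proto tcp, the two push lines and max-clients), the corrected one none, and adding a server-bridge line reproduces the clash from the comments as a finding before OpenVPN ever sees it.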

We are almost done with the server; check that the configuration works (the script needs the up argument, and OpenVPN is started in the foreground so that you see its log):

root@OpenWrt:~# /etc/openvpn/startupscript up
root@OpenWrt:~# openvpn /etc/openvpn/server.ovpn

If everything has been set up properly, the OpenVPN server is now running and waiting for a connection (in a second SSH session, brctl show should list tap0 under br-lan next to the LAN ports); otherwise it exits with an error (and it is time to check what went wrong).
Stop it manually with CTRL-C; /etc/openvpn/startupscript down takes tap0 out of the bridge again.

The next step is to configure the client on the PocketPC, then make everything start automatically on the server so that it runs 24 hours a day with (hopefully) no maintenance... so stay tuned (to be continued...).

5 comments:

Anonymous said...

Thanks for the explanation!! When will you explain how to connect the mobile device? Regards, Mark.

Anonymous said...

What about the ppc config? Thanks

alex smith said...

Many providers have internet connection breakdowns. But not VPN.

♥♥♥♥♥ Jennifer™® ♥♥♥♥♥ said...

your blog is good good good......

Pierow said...

Doesn't work for me:

root@OpenWrt2:/etc/openvpn# openvpn /etc/openvpn/server.ovpn
Options error: --server-bridge and --secret cannot be used together (you must use SSL/TLS keys)
Use --help for more information.