WRT54G: OpenVPN

From ReceptiveIT

This is a first rough draft of the procedure for turning an off-the-shelf Linksys WRT54G into an OpenVPN client.

  • Download X-Wrt Kamikaze with OpenVPN - The URL at the time of writing was http://downloads.x-wrt.org/xwrt/kamikaze/8.09.2/brcm-2.4/openvpn/openwrt-wrt54g-squashfs.bin
  • Flash router with newly downloaded firmware
  • Set root password
  • Set up LAN network and apply changes
  • Set up WAN internet connection
  • Enable Boot Wait
  • Set wait time to 5 seconds
  • Set hostname
  • Set timezone
  • Allow SSH from internet (optional)
  • Add OpenVPN config
  • Disable OpenVPN config from web interface
  • scp the client.crt, client.key and ca.crt to /etc/openvpn
  • Add the following client configuration to /etc/openvpn/client.conf (replace fqdn.com with your server's hostname)
#
# Client
#

client
dev tun
proto udp
remote fqdn.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
cipher aes-128-cbc
comp-lzo
verb 3
  • Edit /etc/config/openvpn and change
config openvpn custom_config

       # Set to 1 to enable this instance:
       option enable 0

       # Include OpenVPN configuration
       option config /etc/openvpn/my-vpn.conf

to

config openvpn custom_config

       # Set to 1 to enable this instance:
       option enable 1

       # Include OpenVPN configuration
       option config /etc/openvpn/client.conf
  • Add the following to /etc/firewall.user
iptables        -A forwarding_rule -o tun0 -j ACCEPT
iptables        -A forwarding_rule -i tun0 -j ACCEPT
  • Restart firewall (/etc/init.d/firewall restart)
  • Don't forget that for the server on the other side to be able to reach the subnet behind your WRT54G (192.168.65.0/24 in this example), you will also need the following on the server
  • Add the following to server.conf
route 192.168.65.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
  • Create a client-side config for your WRT54G in the client-config-dir, with the filename being the same as the certificate's common name (CN). For example, if the certificate's common name is firewall, create a file called /etc/openvpn/ccd/firewall containing the following
iroute 192.168.65.0 255.255.255.0
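A missing or misnamed ccd file is the usual reason the server can ping the router but not the LAN behind it: the kernel route sends packets into the tun device, but without an iroute OpenVPN does not know which client owns that subnet. The following script is an added example, not from the original page or from OpenVPN/OpenWrt: it writes the ccd entry for a client and audits that every "route" in server.conf has a matching "iroute" in some ccd file. The paths and the 192.168.65.0/24 subnet follow the page; the function names, the demo directory and the demo client names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original page or of OpenVPN/OpenWrt.
# Server-side helper for the "route" + "client-config-dir" + "iroute" step:
# it writes the per-client ccd file and audits that every "route" in
# server.conf has a matching "iroute" in some ccd file. The paths and the
# 192.168.65.0/24 subnet follow the page; function names, the demo
# directory and the demo client names are assumptions for illustration.

# write_ccd_entry CCD_DIR CN NETWORK NETMASK
# Creates CCD_DIR/CN containing the iroute for that client's LAN. The file
# name must equal the common name in the client's certificate, or OpenVPN
# never reads it and the iroute silently goes missing.
write_ccd_entry() {
    ccd_dir="$1"; cn="$2"; net="$3"; mask="$4"
    mkdir -p "$ccd_dir"
    printf 'iroute %s %s\n' "$net" "$mask" > "$ccd_dir/$cn"
}

# audit_iroutes SERVER_CONF CCD_DIR
# Returns 0 when every "route NET MASK" in SERVER_CONF is matched by an
# "iroute NET MASK" in some file under CCD_DIR, 1 otherwise (the unmatched
# routes are reported on stderr).
audit_iroutes() {
    conf="$1"; ccd_dir="$2"
    missing=$(
        grep -E '^[[:space:]]*route[[:space:]]' "$conf" |
        while read -r kw net mask rest; do
            # "route NET" alone means a host route (mask 255.255.255.255)
            [ -z "$mask" ] && mask=255.255.255.255
            # escape the dots so they are literal in the ERE below
            net_re=$(printf '%s' "$net" | sed 's/\./\\./g')
            mask_re=$(printf '%s' "$mask" | sed 's/\./\\./g')
            if ! grep -qsE "^[[:space:]]*iroute[[:space:]]+${net_re}[[:space:]]+${mask_re}([[:space:]]|\$)" "$ccd_dir"/* 2>/dev/null; then
                echo "$net $mask"
            fi
        done
    )
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/route without matching iroute: /' >&2
        return 1
    fi
    return 0
}

# Constructed demo: the server.conf lines from the page plus a ccd entry
# for a client whose certificate common name is "firewall".
demo=$(mktemp -d)
cat > "$demo/server.conf" <<'EOF'
route 192.168.65.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
EOF
write_ccd_entry "$demo/ccd" firewall 192.168.65.0 255.255.255.0
audit_iroutes "$demo/server.conf" "$demo/ccd" && echo "every route has an iroute"
rm -rf "$demo"
```

Run it on the server against the real /etc/openvpn/server.conf and /etc/openvpn/ccd after adding a site; it cannot tell you whether the ccd file name matches the certificate's common name, so check that against the client certificate separately.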

Status script with LED control

#!/bin/sh
# Polls the OpenVPN PID file and the tun interface and drives the
# router's white SES LED: 0 = off (OpenVPN not running), f = flashing
# (process alive but interface down), 1 = on (VPN interface up).

OPENVPN_PID="/var/run/openvpn-custom_config.pid"
VPN_IFACE="tun0"
LED="/proc/diag/led/ses_white"
SLEEP="2"

while true
do
  #
  # Am I running?
  #
  if [ -f "${OPENVPN_PID}" ]; then

    # The file exists, so read the PID
    # and check that the process is still alive
    MYPID=$(head -n 1 "${OPENVPN_PID}")

    # Compare the whole PID column, so PID 12 does not match 123
    TEST_RUNNING=$(ps | awk -v pid="${MYPID}" '$1 == pid')

    if [ -z "${TEST_RUNNING}" ]; then
      # Stale PID file: the process is gone
      echo "Not running"
      echo 0 > "${LED}"
    else
      echo "OpenVPN is running [${MYPID}]"

      #
      # Is the VPN interface up?
      #
      if ifconfig "${VPN_IFACE}" >/dev/null 2>&1
      then
        echo "Interface up [${VPN_IFACE}]"
        echo 1 > "${LED}"
      else
        echo "Interface down [${VPN_IFACE}]"
        echo f > "${LED}"
      fi
    fi
  else
    echo "Not running"
    echo 0 > "${LED}"
  fi

  #
  # Wait before polling again
  #
  sleep "${SLEEP}"
done

Upgrading firmware

Troubleshooting

Error:

Invalid image type. Please use only .trx files
Image check 'platform_check_image' failed.

Solution: the downloaded .bin carries a 32-byte Linksys header in front of the TRX image, which the upgrade check rejects. Strip that header so the file starts with the TRX header, then flash the resulting .trx:

dd bs=32 skip=1 if=original.bin of=original.trx
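Before flashing, it is worth confirming that the stripped file really starts with the TRX header (the four ASCII bytes "HDR0"), since dd will happily produce a useless file from an image that has no vendor header or a header of a different size. The following is an added example, not from the original page or from OpenWrt: it wraps the dd command above in a check on the magic bytes before and after stripping. The "HDR0" magic and the 32-byte header size are properties of the formats; the function names and the constructed demo image are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page or of OpenWrt. Checks a
# firmware image for the TRX header magic before and after stripping the
# 32-byte Linksys header, so an unusable file is never handed to the
# upgrade page. TRX magic "HDR0" and the 32-byte header size are
# properties of the formats; function names are assumptions.

TRX_MAGIC="HDR0"
LINKSYS_HDR_BYTES=32

# is_trx FILE: succeeds if FILE starts with the TRX magic.
is_trx() {
    [ "$(head -c 4 "$1" 2>/dev/null)" = "$TRX_MAGIC" ]
}

# bin_to_trx IN.bin OUT.trx: strips the vendor header (the dd command from
# the page) and verifies that the result carries the TRX magic at offset 0.
# Refuses inputs that are already bare TRX images and removes a bad output.
bin_to_trx() {
    in="$1"; out="$2"
    if is_trx "$in"; then
        echo "$in already is a .trx image, nothing to strip" >&2
        return 1
    fi
    if ! dd bs="$LINKSYS_HDR_BYTES" skip=1 if="$in" of="$out" 2>/dev/null || ! is_trx "$out"; then
        echo "$out does not start with $TRX_MAGIC: not a Linksys-wrapped TRX image" >&2
        rm -f "$out"
        return 1
    fi
    return 0
}

# Constructed demo image: 32 filler bytes followed by a fake TRX body.
demo=$(mktemp -d)
{ printf '%032d' 0; printf 'HDR0'; printf 'fake-trx-body'; } > "$demo/original.bin"
bin_to_trx "$demo/original.bin" "$demo/original.trx" && echo "converted: starts with $(head -c 4 "$demo/original.trx")"
rm -rf "$demo"
```

The demo image is only a header-shaped stand-in; run bin_to_trx on the real downloaded .bin and only flash the output if it reports success.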