ipcop, openvpn and dd-wrt

This is a pretty specific recipe: Setting up an ipcop as an openvpn server, and using dd-wrt as a client in a branch office or other remote location.

Install Zerina's openvpn package for ipcop

We'll assume you have ipcop installed already; this part is reasonably basic, and may differ depending on your network etc. First off, enable ssh on the ipcop. Download the openvpn/ipcop package from http://www.vpnforum.de/zerina/?q=download. Save this somewhere, then scp it to the ipcop. Once it's copied, untar and install - job done!

scp -P222 ZERINA-0.9.5b-Installer.tar.gz root@ip.cop.ip.addy:/root/
ssh -p222 root@ip.cop.ip.addy
# mkdir zerina
# cd zerina
# tar zxvf ../ZERINA-*.tar.gz
# ./install

Once this is done, open the ipcop web gui to configure it all. Go to VPN>OPENVPN and tick the box to enable openvpn for whatever external connection you want openvpn to listen on (in most cases, RED). Next, click on the button to create new root/host certificates. This will create server certificates for the vpn (I have not played with it, but you can use an existing CA to do this as well).

Next, we'll need some client certificates. While it is possible to use a single certificate for multiple clients, it's not a good idea: with each client having its own certificate you can easily revoke one and close that client's access if needed. Since we are setting up branch offices, this is an easy and quick way to do things, but if you have a lot of clients that need to connect, it may be a better idea to have a "custom" openvpn setup (yes, you can also edit the openvpn config on the ipcop) so you can more easily script the creation of client certificates.

Under the "Client status and control" section, click ADD, then select Host-to-Net Virtual Private Network (RoadWarrior) and ADD again. This presents us with a form to fill in: The only things you need to fill in are "Name" and "User's Full Name or System Hostname" - the rest is optional.

In this case, don't set a password for the pkcs12 file - as we are using it in the dd-wrt, it can't ask for a password each time it starts. (If you are making certs for individuals, make sure you DO give a passphrase; the client will then prompt for it each time it connects.)

Once that is saved, the new client is added to the list, and we can start setting up the dd-wrt router.

Set up openvpn on the dd-wrt router

Once the ipcop setup is done, we need the certificates for the client setup. Next to the client, click the little disk icon to download the PKCS12 file, and save this to your linux box. (If you don't have a linux box, you can putty into the ipcop and use openssl there.) We now need to convert this into separate CA, client certificate and key files (ca, crt, key) for use with the dd-wrt openvpn setup. (You could also just use the .p12 file by setting up openvpn with a custom dd-wrt startup script, but then you need somewhere to save the file - if you did the SD card mod then you are sorted, otherwise just use the dd-wrt gui method.)

Convert .p12 to key, crt and ca

There's probably a much easier way to do this, please leave a comment if you know one! Openssl can convert the bundle into the formats we need now:

openssl pkcs12 -clcerts -nokeys -in somebranch.p12 -out somebranch.crt

This should ask for a password; if you didn't set one in the client setup, just press enter, and it should respond with MAC verified OK. We now have the client certificate in a separate file.

 openssl pkcs12 -cacerts -nokeys -in somebranch.p12 -out somebranch.ca

This should output the CA certificate (this is the file dd-wrt calls the "Public Server Cert"). Same as before, if it's a blank password just press enter.

 openssl pkcs12 -nocerts -in somebranch.p12 -out somebranch.key

This will ask for a PEM passphrase, and won't let you leave it blank, so just put something simple in for now. We will remove it in the next step.

 openssl rsa -in somebranch.key -out somebranch.nokey

This will output a "passwordless" key to somebranch.nokey - be careful now! Anyone with this file can connect to your network without being bothered for even a password, so keep it readable by you only and don't leave copies lying around once it is in the router.
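The four openssl steps above, wrapped into a script as an added example (not from the original post) that also checks the three files belong together before they are pasted into dd-wrt. It assumes openssl is on the PATH; the function names and the "somebranch" basename are mine, and the -nodes shortcut replaces the temporary-passphrase detour.

```shell
#!/bin/sh
# Added example (not from the original post): split an ipcop/Zerina .p12 into
# the ca/crt/key PEM files dd-wrt wants, then check that they belong together.
# Assumes openssl is on the PATH and a bundle exported with a known (possibly
# blank) password. If OpenSSL 3 rejects an old bundle as "unsupported", add
# -legacy to the three pkcs12 commands.
set -eu

# p12_split <bundle.p12> <basename> [export-password]
# Writes <basename>.ca, <basename>.crt and <basename>.nokey (unencrypted key).
p12_split() {
    bundle=$1; base=$2; pass=${3:-}
    # -passin pass:... answers the prompt non-interactively; "pass:" is a blank one
    openssl pkcs12 -clcerts -nokeys -in "$bundle" -passin "pass:$pass" -out "$base.crt"
    openssl pkcs12 -cacerts -nokeys -in "$bundle" -passin "pass:$pass" -out "$base.ca"
    # -nodes writes the key unencrypted, so the "temporary PEM passphrase, then
    # openssl rsa to strip it" detour from the post is not needed
    openssl pkcs12 -nocerts -nodes -in "$bundle" -passin "pass:$pass" -out "$base.nokey"
    chmod 600 "$base.nokey"   # the passwordless key is the whole VPN; owner-only
}

# p12_check <basename>
# Succeeds only if the CA signed the client cert AND the key belongs to that cert.
p12_check() {
    base=$1
    # 1. chain check: the .ca we pulled out must actually have issued the .crt
    openssl verify -CAfile "$base.ca" "$base.crt" >/dev/null
    # 2. key/cert match: compare the public keys rather than an RSA modulus so
    #    the same check also works for EC keys
    cert_pub=$(openssl x509 -in "$base.crt" -pubkey -noout)
    key_pub=$(openssl pkey -in "$base.nokey" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# pem_body <file>
# Prints only the -----BEGIN ... -----END block, which is all the dd-wrt
# text boxes need (the Bag Attributes lines above it are dropped).
pem_body() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# usage: sh p12split.sh somebranch.p12 somebranch [password]
if [ "$#" -ge 2 ]; then
    p12_split "$1" "$2" "${3:-}"
    p12_check "$2" && echo "$2: CA, certificate and key agree"
fi
```

Run pem_body on each of the three files to get exactly the text to paste into the dd-wrt boxes.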

Configure openvpn in dd-wrt

Open up the dd-wrt web gui and log in, then go to ADMINISTRATION>SERVICES. Tick enable on "OpenVPN Client" and more options should appear; if not, save and then go back to the page. If you don't see the OpenVPN Client section at all, then you probably have the "std" version of dd-wrt. You need the "vpn" version to do this; you can easily change to the vpn version by downloading the correct image for your router and reflashing via the "Firmware Upgrade" section in the gui. All the defaults should be fine; here's what to fill in:

Server IP/Name: the ip or fqdn of the ipcop's RED (or whatever you chose) interface
Port: Leave at default 1194 unless you changed the ipcop
TUN MTU: Default 1500 is fine
TUN MTU extra: Default 32 is fine
TCP MSS: Default 1450 is fine
Use LZO: I enabled this, but didnt notice a huge difference, YMMV
Tunnel Proto: UDP
Public Server Cert: The contents of the .ca file we just made (only from -----BEGIN...----- to -----END...----- is needed)
Public Client Cert: Same as above, just use the .crt file
Private Client Key: Same as above again, with .nokey file

Click "Save Settings" and the tunnel should come up. You should now be able to reach the network behind the ipcop from any client connected to the wrt router; pinging a host on the ipcop's LAN from one of those clients is the quickest check.