installation and configuration of OpenVPN Server with OpenWRT White Russian



configuration of the OpenVPN server

Begin with installing OpenVPN:
ipkg install openvpn

Copy the following files to the router:
/etc/openvpn/openvpnServer.conf
/etc/init.d/S95Openvpn

Edit the file openvpnServer.conf: change ###########IPdesServerImVPNNetz########### to the IP address the server should have in the VPN. If you uncomment #client-to-client, computers connected to the VPN can establish connections to each other.




configuration of the firewall

To prevent our firewall from blocking incoming OpenVPN connections we need to add some rules to our firewall. Open the firewall config file:
vi /etc/firewall.user
Press i,
move the cursor to the end of the file and insert the following lines:
iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables -A input_wan -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

Press escape, type

:wq

and press enter.

Restart your firewall:
/etc/init.d/S35firewall restart




creating the certificates

For creating the certificates it's important that the system time is right. We ensured this by configuring the ntpclient.
We need to create some directories and files:
mkdir /etc/openvpn/certs
cd /etc/openvpn/certs
mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
touch demoCA/index.txt
echo "01" >> demoCA/serial

We need 2 certificates which everyone receives, 1 specifically for the server and 1 for each client.

Let's create the first 3 certificates like this:
openssl req -nodes -new -x509 -days 1825 -keyout ca.key -out ca.crt;
openssl dhparam -out dh.pem 1024;
openssl req -nodes -new -keyout server.key -out server.csr;
openssl ca -cert ca.crt -keyfile ca.key -out server.crt -in server.csr;

While these commands run, the router asks for some information. The only field that matters is the name in each case.

The next 2 commands have to be used for each client:
openssl req -nodes -new -keyout NameOfTheClient.key -out NameOfTheClient.csr;
openssl ca -cert ca.crt -keyfile ca.key -out NameOfTheClient.crt -in NameOfTheClient.csr;

Now your computer asks you for further information. Just give it the name of the client. The rest can be skipped by pressing enter.




distributing the certificates

Security requires that each computer only gets the necessary files and NOT all of them!
The server needs the following files, which can be found in /etc/openvpn/certs:
server.key
server.csr
server.crt
dh.pem
ca.key
ca.crt
NameOfTheClient.csr
NameOfTheClient.crt

The remaining files should be deleted after having been delivered to the other computers.

The clients need:
ca.crt
dh.pem
NameOfTheClient.crt
NameOfTheClient.key

Those files need to be placed in the directory specified in the client config file. On Linux, for example, in /etc/openvpn/certs. On Windows it's easiest to place them in the same directory where openvpn.exe is located.
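One way to check the "only the necessary files" rule on a client, as an added example that is not part of the original guide: the shell function below compares a client's certificate directory with the client file list above and reports missing files, files that should not be there (in particular private keys belonging to the CA, the server or another client) and a client key that group or others can read. The function name, the finding labels and the client name alice are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original guide.
# audit_client_certs DIR CLIENTNAME
# Prints one finding per line; returns 0 if DIR holds exactly the client
# files listed above with a private key only its owner can read, else 1.
audit_client_certs() {
    dir=$1
    name=$2
    rc=0
    # Files the guide says every client needs.
    for f in ca.crt dh.pem "$name.crt" "$name.key"; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING $f"
            rc=1
        fi
    done
    # Everything else should never have been delivered to this client.
    for path in "$dir"/*; do
        [ -e "$path" ] || continue
        f=${path##*/}
        case "$f" in
            ca.crt|dh.pem|"$name.crt"|"$name.key") ;;
            *.key) echo "FOREIGN-KEY $f"; rc=1 ;;
            *)     echo "UNEXPECTED $f"; rc=1 ;;
        esac
    done
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ -f "$dir/$name.key" ]; then
        mode=$(ls -ld "$dir/$name.key" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "LAX-PERMS $name.key"
            rc=1
        fi
    fi
    return $rc
}

# Constructed demo: client "alice" (hypothetical) was also handed ca.key.
demo=$(mktemp -d)
touch "$demo/ca.crt" "$demo/dh.pem" "$demo/alice.crt" "$demo/alice.key" "$demo/ca.key"
chmod 600 "$demo/alice.key"
audit_client_certs "$demo" alice || echo "audit failed"
rm -rf "$demo"
```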




configuration of the clients

Linux Client

Copy the files to your clients:
openvpnLinuxClient.conf
/etc/init.d/Openvpn

Make the init file executable:
chmod +x /etc/init.d/Openvpn

Windows Client

Copy the files:
PfadZurKonfigurationvonOpenVPN\openvpnWindowsClient.conf
Autostart\openvpn.bat
Autostart\pingVpn.bat

necessary changes in the clients configurations

Edit the file /etc/openvpn/openvpnLinuxClient.conf and replace the following placeholders:
EuerDynDnsHostname: the DynDNS hostname of your router running OpenVPN. If you are configuring a computer in your local network, write the IP address the router has in your local network.
ClientIP: the IP address your computer should have in the VPN served by your router. The first 3 numbers must match the first three numbers of the IP address your router has in the VPN.
ClientName: the name you gave the client while creating the certificates.



The VPN is ready after rebooting the router. Now we set up an application using OpenVPN: installing Asterisk