Linksys AC Series Router Configuration Tips for OpenWRT: Difference between revisions
REMEMBER (It will make sense later, and is worth pointing out at the beginning): Certificates are a requirement of encrypted communication for OpenVPN. That part of OpenVPN is made possible by OpenSSL. Two things to remember are these:
* The /etc/openvpn/openvpn-ssl.cnf file contains a major flaw as delivered by OpenWRT in the software package. There is a directive line (default_md = md5) that will not work with the version of OpenVPN provided by OpenWRT (it's actually been that way for several versions). The directive instructs OpenSSL to produce certificates using a digest method that has been deemed compromised. The line should instead read: default_md = sha256
* There's also a frustrating issue that comes up with a newly created certificate that won't work until the next day. Solution? Set the time of the router to a day or so in the past. Now that can be an adventure because it can't be done via the LuCI GUI. It can of course be done via the command line or Webmin.
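The first point can be checked and corrected from the router's command line before any certificate is generated. The script below is an added example, not part of the original page or of OpenWRT; the script name and the --fix flag are its own inventions, and it only touches the default_md directive.

```shell
#!/bin/sh
# Added example (not from the original page or OpenWRT): report and optionally
# rewrite the default_md directive in an OpenSSL config such as
# /etc/openvpn/openvpn-ssl.cnf.
# Usage: sh check_default_md.sh /etc/openvpn/openvpn-ssl.cnf [--fix]

# Print the configured digest (lower-cased), or "unset" if the directive is
# missing. Commented-out lines ("# default_md = ...") are ignored.
get_default_md() {
    sed -n 's/^[[:space:]]*default_md[[:space:]]*=[[:space:]]*\([A-Za-z0-9]*\).*/\1/p' "$1" \
        | head -n 1 | tr 'A-Z' 'a-z' | grep . || echo unset
}

# Return 0 when the file already signs with sha256, 1 otherwise.
check_default_md() {
    [ "$(get_default_md "$1")" = "sha256" ]
}

# Rewrite whatever default_md is set to (md5 in the stock file) to sha256,
# keeping a copy of the original as FILE.bak. Uses a temp file rather than
# sed -i so it behaves the same on BusyBox and GNU sed.
fix_default_md() {
    cp "$1" "$1.bak" &&
    sed 's/^\([[:space:]]*default_md[[:space:]]*=[[:space:]]*\)[A-Za-z0-9]*/\1sha256/' "$1" > "$1.tmp" &&
    mv "$1.tmp" "$1"
}

if [ -n "$1" ]; then
    if check_default_md "$1"; then
        echo "$1: default_md = sha256 (ok)"
    else
        echo "$1: default_md = $(get_default_md "$1") (certificates would be signed with a weak or unsupported digest)"
        if [ "$2" = "--fix" ]; then
            fix_default_md "$1" && echo "rewrote $1 (original saved as $1.bak)"
        fi
    fi
fi
```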
The LuCI interface provides a nice interface for keeping track of OpenVPN Server and Client configuration, plus editing and enabling and disabling a specific Server or Client configuration file. OpenVPN for OpenWRT operates as it did for CentOS 6, where a single "OpenVPN Service" would "spawn" multiple instances of the OpenVPN binary / executable depending on how many Server and Client configuration files there are. CentOS 7 and newer have it configured such that each instance of an OpenVPN Server and / or Client configuration file requires a separate service.
dh /etc/openvpn/keys/WhatEverPath/dh2048.pem
</syntaxhighlight>In the above configuration file, it is assumed that keys have already been generated (see the section below on using Webmin to generate certificates). The above storage location for keys is just an example that can be customized to any directory.
===== PID File (if needed) =====
If there's a situation where a PID file is needed to keep track of OpenVPN functionality, thankfully OpenWRT has not included that in its init.d configuration, but it can be added. Below is what needs to be added to the /etc/init.d/openvpn file.

In the openvpn_add_instance section, add the --writepid line shown below (the fourth argument of the procd_set_param command). The rest of the surrounding code for that single line is already there and is only reproduced for reference:<syntaxhighlight lang="bash">
# /etc/init.d/openvpn: openvpn_add_instance() with the --writepid line added
openvpn_add_instance() {
    local name="$1"
    local dir="$2"
    local conf="$3"

    procd_open_instance "$name"
    procd_set_param command "$PROG" \
        --syslog "openvpn($name)" \
        --status "/var/run/openvpn.$name.status" \
        --cd "$dir" \
        --writepid "/var/run/openvpn.$name.pid" \
        --config "$conf"
    procd_set_param file "$dir/$conf"
    procd_set_param term_timeout 15
    procd_set_param respawn
    procd_append_param respawn 3600
    procd_append_param respawn 5
    procd_append_param respawn -1
    procd_close_instance
}
</syntaxhighlight>
...and at the bottom of the file, add the following (it removes the PID file after the OpenVPN service / daemon is stopped; note that the wildcard also removes the .status files written by --status, and -f keeps the script from failing when there is nothing left to remove):<syntaxhighlight lang="bash">
# Remove the per-instance PID (and status) files once the daemon has stopped
stop_service() {
    rm -f /var/run/openvpn.*
}
</syntaxhighlight>
=====Firewall=====