[Berlin-wireless] IP/MAC whitelist in the gateway package
Sven-Ola Tücke
sven-ola
Mon Jan 8 23:17:24 CET 2007
Hi,
yes, that was my impression too. For anyone who wants to play around with OpenVPN
a bit, attached is more or less a howto to follow along. Session on a
Linux PC, a WRT and a Windoze box with OpenVPN + OpenVPN GUI; the latter
has to be started as Admin, otherwise no route setting.
For the default route to really be "free", you of course also have to set
one with policy routing "only-for-this-device" (happens
in /etc/init.d/S90openvpn).
To be debugged.
// Sven-Ola
On Monday, 8 January 2007 18:36, Public Dump wrote:
> For a ~300 kbit DSL line the CPU power is still sufficient.
[Tofuzapp]
-------------- next part --------------
sven-ola at pcnote:~$ ssh root at 104.198.65.65
root at 104.198.65.65's password:
BusyBox v1.01 (2006.11.17-01:01+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
_______ ________ __
( ).-----.-----.-----.) ) ) ).----.) )
( - )) _ ) -__) )) ) ) )) _)) _)
(_______)) __)_____)__)__))________))__) )____)
)__) F R E I F U N K F I R M W A R E
root at sven-ola-gs:~# ipkg update
Downloading http://styx.commando.de/sven-ola/ipkg/packages/Packages ...
Connecting to styx.commando.de[212.91.225.42]:80
Packages 100% |**************************************************************| 73234 00:00 ETA
Done.
Updated list of available packages in /usr/lib/ipkg/lists/freifunk
Downloading http://downloads.openwrt.org/whiterussian/packages/Packages ...
Connecting to downloads.openwrt.org[195.56.146.238]:80
Packages 100% |**************************************************************| 138 KB 00:00 ETA
Done.
Updated list of available packages in /usr/lib/ipkg/lists/whiterussian
Downloading http://downloads.openwrt.org/whiterussian/packages/non-free/Packages ...
Connecting to downloads.openwrt.org[195.56.146.238]:80
Packages 100% |**************************************************************| 568 00:00 ETA
Done.
Updated list of available packages in /usr/lib/ipkg/lists/non-free
root at sven-ola-gs:~# ipkg install openvpn-ssl-nolzo
Downloading http://styx.commando.de/sven-ola/ipkg/packages/busybox-awk_1.0.1_mipsel.ipk ...
Connecting to styx.commando.de[212.91.225.42]:80
busybox-awk_1.0.1_mi 100% |**************************************************************| 22517 00:00 ETA
Done.
Unpacking busybox-awk...Done.
Configuring busybox-awk...Done.
Downloading http://styx.commando.de/sven-ola/ipkg/packages/busybox-crontab_1.0.1_mipsel.ipk ...
Connecting to styx.commando.de[212.91.225.42]:80
busybox-crontab_1.0. 100% |**************************************************************| 6344 00:00 ETA
Done.
Unpacking busybox-crontab...Done.
Configuring busybox-crontab...Done.
Downloading http://styx.commando.de/sven-ola/ipkg/packages/freifunk-iptables-missing_1.4.5_mipsel.ipk ...
Connecting to styx.commando.de[212.91.225.42]:80
freifunk-iptables-mi 100% |**************************************************************| 9703 00:00 ETA
Done.
Unpacking freifunk-iptables-missing...Done.
Configuring freifunk-iptables-missing...Done.
Downloading http://styx.commando.de/sven-ola/ipkg/packages/freifunk-openwrt-compat_1.4.5_mipsel.ipk ...
Connecting to styx.commando.de[212.91.225.42]:80
freifunk-openwrt-com 100% |**************************************************************| 96580 00:00 ETA
Done.
Unpacking freifunk-openwrt-compat...Done.
Configuring freifunk-openwrt-compat...Done.
Downloading http://styx.commando.de/sven-ola/ipkg/packages/kmod-tun_2.4.30-brcm_mipsel.ipk ...
Connecting to styx.commando.de[212.91.225.42]:80
kmod-tun_2.4.30-brcm 100% |**************************************************************| 4893 00:00 ETA
Done.
Unpacking kmod-tun...Done.
Configuring kmod-tun...Done.
Downloading http://styx.commando.de/sven-ola/ipkg/packages/libssl_0.9.7f_mipsel.ipk ...
Connecting to styx.commando.de[212.91.225.42]:80
libssl_0.9.7f_mipsel 100% |**************************************************************| 471 KB 00:00 ETA
Done.
Unpacking libssl...Done.
Configuring libssl...Done.
Downloading http://styx.commando.de/sven-ola/ipkg/packages/openvpn-ssl-nolzo_2.0.5_mipsel.ipk ...
Connecting to styx.commando.de[212.91.225.42]:80
openvpn-ssl-nolzo_2. 100% |**************************************************************| 160 KB 00:00 ETA
Done.
Unpacking openvpn-ssl-nolzo...Done.
Configuring openvpn-ssl-nolzo...Done.
root at sven-ola-gs:~# cd /etc
root at sven-ola-gs:/etc# mkdir -p openvpn/keys
root at sven-ola-gs:/etc# exit
Connection to 104.198.65.65 closed.
sven-ola at pcnote:~$ tar xzf /usr/src/cross/download/openwrt/openvpn-2.0.5.tar.gz
sven-ola at pcnote:~$ cd openvpn-2.0.5/easy-rsa/
sven-ola at pcnote:~/openvpn-2.0.5/easy-rsa$ edit vars
Processing '/etc/joe/editrc'...done
Processing '/etc/joe/editrc'...done
File vars saved.
sven-ola at pcnote:~/openvpn-2.0.5/easy-rsa$ tail vars
export KEY_SIZE=1024
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY=DE
export KEY_PROVINCE=Ostzone
export KEY_CITY=Berlin
export KEY_ORG="Freifunk"
export KEY_EMAIL="me at myhost.mydomain"
sven-ola at pcnote:~/openvpn-2.0.5/easy-rsa$ . vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /home/sven-ola/openvpn-2.0.5/easy-rsa/keys
sven-ola at pcnote:~/openvpn-2.0.5/easy-rsa$ ./clean-all
sven-ola at pcnote:~/openvpn-2.0.5/easy-rsa$ ./build-ca
Generating a 1024 bit RSA private key
.++++++
......++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Ostzone]:
Locality Name (eg, city) [Berlin]:
Organization Name (eg, company) [Freifunk]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:CA
Email Address [me at myhost.mydomain]:
sven-ola at pcnote:~/openvpn-2.0.5/easy-rsa$ ./build-key-server server
Generating a 1024 bit RSA private key
.....++++++
..++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Ostzone]:
Locality Name (eg, city) [Berlin]:
Organization Name (eg, company) [Freifunk]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Geizhals
Email Address [me at myhost.mydomain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/sven-ola/openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'DE'
stateOrProvinceName :PRINTABLE:'Ostzone'
localityName :PRINTABLE:'Berlin'
organizationName :PRINTABLE:'Freifunk'
commonName :PRINTABLE:'Geizhals'
emailAddress :IA5STRING:'me at myhost.mydomain'
Certificate is to be certified until Jan 5 19:57:36 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
sven-ola at pcnote:~/openvpn-2.0.5/easy-rsa$ ./build-key schnorrer1
Generating a 1024 bit RSA private key
..................++++++
......................................................++++++
writing new private key to 'schnorrer1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Ostzone]:
Locality Name (eg, city) [Berlin]:
Organization Name (eg, company) [Freifunk]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:schnorrer1
Email Address [me at myhost.mydomain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/sven-ola/openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'DE'
stateOrProvinceName :PRINTABLE:'Ostzone'
localityName :PRINTABLE:'Berlin'
organizationName :PRINTABLE:'Freifunk'
commonName :PRINTABLE:'schnorrer1'
emailAddress :IA5STRING:'me at myhost.mydomain'
Certificate is to be certified until Jan 5 19:58:05 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
sven-ola at pcnote:~/openvpn-2.0.5/easy-rsa$ ./build-key schnorrer2
Generating a 1024 bit RSA private key
.....++++++
.................++++++
writing new private key to 'schnorrer2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Ostzone]:
Locality Name (eg, city) [Berlin]:
Organization Name (eg, company) [Freifunk]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:schnorrer2
Email Address [me at myhost.mydomain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/sven-ola/openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'DE'
stateOrProvinceName :PRINTABLE:'Ostzone'
localityName :PRINTABLE:'Berlin'
organizationName :PRINTABLE:'Freifunk'
commonName :PRINTABLE:'schnorrer2'
emailAddress :IA5STRING:'me at myhost.mydomain'
Certificate is to be certified until Jan 5 19:58:16 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
sven-ola at pcnote:~/openvpn-2.0.5/easy-rsa$ ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
........+....................................................................................+................................+............................................................................................................+........................+...............+..............+.+.................................................+...........+...........................................+..............................................................................................................................+................................................................+........+........................+...................+.........+...+..................+.......+......................................+.............+............+............+.+.....................................................................+........+..........................................+............................................................................................+.................................+......+........+....................+...........................................................................+............................................+...+......................................................................................................................+...+..........................+.................................+.....+.................+.....................................................................................................................................................+.................+............................+................+......................................+.............+...........................................+.....................................................................................+............................+.........+..............................+..............+.............................................................................+.....................................+.........+.....
..............++*++*++*
sven-ola at pcnote:~/openvpn-2.0.5/easy-rsa$ scp keys/* root at 104.198.65.65:/etc/openvpn/keys
root at 104.198.65.65's password:
01.pem 100% 3586 3.5KB/s 00:00
02.pem 100% 3488 3.4KB/s 00:00
03.pem 100% 3488 3.4KB/s 00:00
ca.crt 100% 1184 1.2KB/s 00:00
ca.key 100% 891 0.9KB/s 00:00
dh1024.pem 100% 245 0.2KB/s 00:00
index.txt 100% 304 0.3KB/s 00:00
index.txt.attr 100% 20 0.0KB/s 00:00
index.txt.attr.old 100% 20 0.0KB/s 00:00
index.txt.old 100% 202 0.2KB/s 00:00
schnorrer1.crt 100% 3488 3.4KB/s 00:00
schnorrer1.csr 100% 676 0.7KB/s 00:00
schnorrer1.key 100% 887 0.9KB/s 00:00
schnorrer2.crt 100% 3488 3.4KB/s 00:00
schnorrer2.csr 100% 676 0.7KB/s 00:00
schnorrer2.key 100% 891 0.9KB/s 00:00
serial 100% 3 0.0KB/s 00:00
serial.old 100% 3 0.0KB/s 00:00
server.crt 100% 3586 3.5KB/s 00:00
server.csr 100% 676 0.7KB/s 00:00
server.key 100% 887 0.9KB/s 00:00
sven-ola at pcnote:~/openvpn-2.0.5/easy-rsa$ cd
sven-ola at pcnote:~$ edit server.conf
Processing '/etc/joe/editrc'...done
Processing '/etc/joe/editrc'...done
File server.conf saved.
sven-ola at pcnote:~$ cat server.conf
port 1194
proto udp
dev tun0
push "redirect-gateway local def1"
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh1024.pem
server 192.168.2.0 255.255.255.240
ifconfig-pool-persist /var/run/openvpn-ipp.txt
keepalive 10 120
persist-key
persist-tun
status /var/run/openvpn-status.log
sven-ola at pcnote:~$ cat S90openvpn
#!/bin/sh
# Set the default gw manually, e.g. nvram set openvpn_gate=1.2.3.4 commit
defgw=$(nvram get openvpn_gate)
case $1 in
start)
iptables -I INPUT -s 192.168.2.0/28 -j ACCEPT
iptables -I OUTPUT -d 192.168.2.0/28 -j ACCEPT
iptables -I FORWARD -s 192.168.2.0/28 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.2.0/28 -j MASQUERADE
if ! ip rule ls 2>&-|grep -q 222 2>&-; then
ip rule add iif lo table 222
fi
ip route flush table 222
ip route list proto kernel|while read l;do
set $l
ip route add throw $1 table 222
done
ip route add default via $defgw table 222
ip route del default
${0%/*}/openvpn start
;;
stop)
iptables -D INPUT -s 192.168.2.0/28 -j ACCEPT
iptables -D OUTPUT -d 192.168.2.0/28 -j ACCEPT
iptables -D FORWARD -s 192.168.2.0/28 -j ACCEPT
iptables -t nat -D POSTROUTING -s 192.168.2.0/28 -j MASQUERADE
${0%/*}/openvpn stop
;;
esac
sven-ola at pcnote:~$ cat /mnt/windows/Programme/OpenVPN/
bin/ easy-rsa/ log/ sample-config/
config/ INSTALL-win32.txt OpenVPN GUI ReadMe.txt Uninstall.exe
driver/ license.txt openvpn.ico
sven-ola at pcnote:~$ cat /mnt/windows/Programme/OpenVPN/config/freifunk-pki.ovpn
client
dev tun
proto udp
port 1194
remote 104.198.65.105
nobind # use dyn src port locally (not 1194)
persist-key
persist-tun
ca ca.crt
cert schnorrer1.crt
key schnorrer1.key
ns-cert-type server
sven-ola at pcnote:~$ ls /mnt/windows/Programme/OpenVPN/config/
ca.crt freifunk-pki.ovpn schnorrer1.crt schnorrer1.csr schnorrer1.key
sven-ola at pcnote:~$ scp server.conf root at 104.198.65.65:/etc/openvpn
root at 104.198.65.65's password:
server.conf 100% 298 0.3KB/s 00:00
sven-ola at pcnote:~$ scp S90openvpn root at 104.198.65.65:/etc/init.d
root at 104.198.65.65's password:
S90openvpn 100% 902 0.9KB/s 00:00
sven-ola at pcnote:~$ ssh root at 104.198.65.65
root at 104.198.65.65's password:
BusyBox v1.01 (2006.11.17-01:01+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
_______ ________ __
( ).-----.-----.-----.) ) ) ).----.) )
( - )) _ ) -__) )) ) ) )) _)) _)
(_______)) __)_____)__)__))________))__) )____)
)__) F R E I F U N K F I R M W A R E
root at sven-ola-gs:~# chmod +x /etc/init.d/S90openvpn
root at sven-ola-gs:~# insmod tun
Using /lib/modules/2.4.30/tun.o
root at sven-ola-gs:~# cd /etc/openvpn/
root at sven-ola-gs:/etc/openvpn# openvpn --verb 3 --config server.conf
Mon Jan 8 21:14:33 2007 OpenVPN 2.0.5 mipsel-linux [SSL] [EPOLL] built on Nov 17 2006
Mon Jan 8 21:14:33 2007 Diffie-Hellman initialized with 1024 bit key
Mon Jan 8 21:14:33 2007 TLS-Auth MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Jan 8 21:14:33 2007 TUN/TAP device tun0 opened
Mon Jan 8 21:14:33 2007 /sbin/ifconfig tun0 192.168.2.1 pointopoint 192.168.2.2 mtu 1500
Mon Jan 8 21:14:33 2007 /sbin/route add -net 192.168.2.0 netmask 255.255.255.240 gw 192.168.2.2
Mon Jan 8 21:14:33 2007 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Mon Jan 8 21:14:33 2007 UDPv4 link local (bound): [undef]:1194
Mon Jan 8 21:14:33 2007 UDPv4 link remote: [undef]
Mon Jan 8 21:14:33 2007 MULTI: multi_init called, r=256 v=256
Mon Jan 8 21:14:33 2007 IFCONFIG POOL: base=192.168.2.4 size=2
Mon Jan 8 21:14:33 2007 IFCONFIG POOL LIST
Mon Jan 8 21:14:33 2007 Initialization Sequence Completed
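The policy-routing part of S90openvpn above is the piece that most often goes wrong in practice (an empty openvpn_gate leaves the router without any default route), so here is an added example, not code from Sven-Ola's post: the same "throw every kernel route, then default via the VPN uplink" logic as functions that can be dry-run on any host without root, with a gateway sanity check in front of it. Table id 222 and the nvram key openvpn_gate are taken from the post; the function names, the SAMPLE_ROUTES text (standing in for `ip route list proto kernel` output) and the LAN addresses in it are constructed for this example, and 1.2.3.4 is the placeholder gateway from the script's own comment.

```shell
#!/bin/sh
# Added example (not from the original post). Reproduces the routing logic of
# S90openvpn's start) branch as testable functions; only `sh thisfile apply`
# touches the real routing tables, as root on the router.

# Emit the ip(8) commands that populate policy-routing table $2 (default 222):
# one "throw" per directly connected prefix, so traffic for local nets falls
# back to the main table, then a default route via the VPN uplink gateway $1.
# Route lines are read from stdin; only the first field (the prefix) is used.
emit_table_cmds() {
    gw=$1
    table=${2:-222}
    while read -r prefix rest; do
        [ -z "$prefix" ] && continue          # blank line
        [ "$prefix" = default ] && continue   # never throw the default route
        echo "ip route add throw $prefix table $table"
    done
    echo "ip route add default via $gw table $table"
}

# Refuse an unset or malformed openvpn_gate: with an empty value the router
# would run "ip route add default via  table 222", fail, and still go on to
# delete the main default route.
valid_gateway() {
    case $1 in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Constructed sample of `ip route list proto kernel` on the gateway: the
# OpenVPN tun0 /28 from the post plus an invented LAN and a default route.
SAMPLE_ROUTES='192.168.2.0/28 dev tun0  scope link  src 192.168.2.1
10.1.2.0/24 dev eth1  scope link  src 10.1.2.3
default via 10.1.2.1 dev eth1'

# Dry run: print what would be executed for the sample; the gateway defaults
# to the placeholder 1.2.3.4 used in the post's nvram comment.
dry_run() {
    printf '%s\n' "$SAMPLE_ROUTES" | emit_table_cmds "${1:-1.2.3.4}" 222
}

if [ "${1:-}" = apply ]; then
    # Real run, as root on the router: same steps as the post's start) branch,
    # but bail out before the main default route is touched if the gateway is bad.
    gw=$(nvram get openvpn_gate)
    valid_gateway "$gw" || { echo "openvpn_gate unset or invalid: '$gw'" >&2; exit 1; }
    ip rule ls | grep -q 222 || ip rule add iif lo table 222
    ip route flush table 222
    ip route list proto kernel | emit_table_cmds "$gw" 222 | sh -e
else
    dry_run "$@"
fi
```

Two things worth keeping in mind when reusing the init script as posted: its stop) branch removes the iptables rules but leaves the `iif lo` rule, table 222 and the deleted main default route as they are, which is presumably part of the "to be debugged" remark; and the `scp keys/*` step copies ca.key and both client private keys onto the router, although the gateway only needs ca.crt, server.crt, server.key and dh1024.pem. Keeping the CA key off the device is what makes the `ns-cert-type server` check in the client config meaningful, since whoever holds ca.key can mint a server certificate.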
-------------- next part --------------
_______________________________________________
Berlin mailing list
Berlin at olsrexperiment.de
https://www.olsrexperiment.de/cgi-bin/mailman/listinfo/berlin
More information about the Berlin mailing list