#!/bin/sh
# CGI page "Admin: OpenVPN": reads the ff_ovpn_* settings from nvram, renders
# the configuration form, and (on POST) writes the submitted values back.
# NOTE(review): in this copy the here-doc bodies (the HTML) appear to have been
# stripped -- "cat<... EOF" below is most likely "cat<<EOF ... EOF" in the
# original; the fragments are kept as found.
export DATE="8.5.2010";SCRIPT=${0#/rom}
export TITLE="Admin: OpenVPN"
# presumably emits the page header and defines helpers such as unescape -- verify in cgi-bin-pre.sh
. ${SCRIPT%/*}/cgi-bin-pre.sh
cat<Admin: OpenVPN EOF
# CFG selects one of the additional tunnel configurations (2-4 per the form
# text below): a query string consisting of exactly one digit 2-9 becomes the
# nvram suffix, e.g. ff_ovpn_mode3. An empty CFG is the primary configuration.
unset CFG
case ${QUERY_STRING#[2-9]} in "") CFG=$QUERY_STRING ;;esac
QUERY_STRING=${QUERY_STRING#[1-9]}
# On POST the form data is read from stdin (first line of the request body)
# and replaces the query string.
case $REQUEST_METHOD in POST) read QUERY_STRING ;;esac
case $QUERY_STRING in
"")
# No form data: load the current values for this configuration from nvram.
#Speedups
ff_ovpn_count="$(nvram get ff_ovpn_count)"
ff_ovpn_mode="$(nvram get ff_ovpn_mode${CFG})"
ff_ovpn_cli="$(nvram get ff_ovpn_cli${CFG})"
ff_ovpn_tap="$(nvram get ff_ovpn_tap${CFG})"
ff_ovpn_gw="$(nvram get ff_ovpn_gw${CFG})"
ff_ovpn_dns="$(nvram get ff_ovpn_dns${CFG})"
ff_ovpn_nat="$(nvram get ff_ovpn_nat${CFG})"
ff_ovpn_policy="$(nvram get ff_ovpn_policy${CFG})"
ff_ovpn_range="$(nvram get ff_ovpn_range${CFG})"
ff_ovpn_remote="$(nvram get ff_ovpn_remote${CFG})"
ff_ovpn_port="$(nvram get ff_ovpn_port${CFG})"
ff_ovpn_tcp="$(nvram get ff_ovpn_tcp${CFG})"
ff_ovpn_lzo="$(nvram get ff_ovpn_lzo${CFG})"
ff_ovpn_ca_crt="$(nvram get ff_ovpn_ca_crt${CFG})"
ff_ovpn_crt_key="$(nvram get ff_ovpn_crt_key${CFG})"
ff_ovpn_dh="$(nvram get ff_ovpn_dh${CFG})"
ff_ovpn_psk="$(nvram get ff_ovpn_psk${CFG})"
;;*)
# Form data present: split the request on '&' and eval each "name=value" pair
# into a shell variable.
# NOTE(review): the request text is evaluated as shell code without any
# filtering, so whoever can reach this CGI chooses both the variable names and
# the values that get executed here. A defensive rewrite would accept only
# the ff_ovpn_* and post_* keys this page actually uses (one case pattern per
# key) and assign them without eval; until then treat access to this page as
# equivalent to shell access on the router.
IFS=\&;set $QUERY_STRING;unset IFS;eval $*
# "Generate" button: keep the pasted certificate fields, create a fresh
# pre-shared key, and clear QUERY_STRING so the form is re-rendered below.
case $post_genkey_ovpn in "");;*)
unset QUERY_STRING
ff_ovpn_ca_crt="$(unescape $ff_ovpn_ca_crt)"
ff_ovpn_crt_key="$(unescape $ff_ovpn_crt_key)"
ff_ovpn_dh="$(unescape $ff_ovpn_dh)"
# The key is written to a predictable path under /tmp (PID suffix only), read
# back with the comment lines dropped, and deleted. mktemp would avoid the
# predictable name and a leftover file if sed fails -- consider switching.
ff_ovpn_psk=$(openvpn --genkey --secret /tmp/openvpn-psk.$$;sed '/^#/d' /tmp/openvpn-psk.$$;rm -f /tmp/openvpn-psk.$$)
ff_ovpn_range="$(unescape $ff_ovpn_range)"
ff_ovpn_remote="$(unescape $ff_ovpn_remote)"
ff_ovpn_port="$(unescape $ff_ovpn_port)"
;;esac
;;esac
# SSL=yes when the installed openvpn binary reports "[SSL]" in its version
# banner; the certificate/key fields are only shown and saved in that case.
SSL=no
openvpn --version 2>&1|grep -q '\[SSL\]' && SSL=yes
# Empty QUERY_STRING (GET, or after "Generate"): render the form.
case $QUERY_STRING in
"")
cat<
Connection Mode: EOF case $SSL in yes) cat< EOF ;;*) cat< EOF ;;esac cat<
Operation Role:ServerClient
Device: Tunnel (tun) Bridge (tap)
Internet for Clients:Unchanged / Not via TunnelRedirect via Tunnel
DNS for Clients:Unchanged / Not via TunnelRedirect via Tunnel
Tunnel with NAT:Disabled Enabled
Tunnel for OLSR only:Standard RoutingPolicy Routing
Tunnel IP Range:  (192.168.255.240/28 if empty)
Remote Station (IP or DNS-Name):  (Mandatory if client)
Port Number  (1194 if empty)
Protocol: UDP TCP
LZO Compression:Disabled Enabled EOF case $SSL in yes) cat<
 
CA Certificate (ca.crt):
Certificate (*.crt) &
Key (*.key):
Diffie Hellman Parameters:
Shared Key:
EOF ;;esac #SSL case $CFG in "") cat<
OpenVPN Configurations: (2-4: additional OpenVPN tunnels) EOF ;;esac cat<
 
  EOF case $CFG in "")if pidof openvpn >&-;then cat< EOF else cat< EOF fi;;esac cat< 
EOF case $ff_ovpn_ca_crt in "")if [ ! -f /www/cgi-bin/openvpn-easyrsa.sh ];then cat<Tip: Install the "freifunk-openvpn-easyrsa-en" package to generate keys for a server in mode "MULTI". EOF fi;;esac case ${CFG} in "") cat<Example 1: Internet for Clients in Mesh

To route Internet access for OpenVPN clients via an OpenVPN server in the mesh, you can switch on the Internet for Clients option on the server. After the OpenVPN connection is established, the default route for the client will be changed accordingly. This works fine, as long as the client has its own Internet access or if the client is, for example, a PC connected via Ethernet to a Freifunk router.

On a PC with OLSR or on a Freifunk router and if a foreign Internet gateway via the Freifunk network is used, things are a bit more complex. The changed default route will automatically trigger the "Internet here!" announcement, or, respectively, the changed default route will prevent third parties from accessing the Internet. If you want to operate the OpenVPN client on the Freifunk router and redirect the router's Internet access via the OpenVPN tunnel, you need to switch on the Policy Routing option on the OLSR page.

Tip: For an OpenVPN server in the mesh, the Policy Routing option on the OLSR page may work as well. Only people with a valid OpenVPN key can use the Internet gateway.

Example 2: Internet Gateway in Other Country

If you offer Internet access within a Freifunk network, you may want to redirect Internet access via an OpenVPN gateway in a foreign country. You can place a Freifunk router in the foreign country, rent a server (e.g. XEN based Linux VPS with "iptables -j SNAT" are available from \$7,--/month in the USA), or use an OpenVPN access provider account.

Typically, you receive the IP address of the server, a CA certificate, a client certificate and a client key. Change the Connection Mode to "MULTI", the Operation Role to "Client", and the Device to "Tunnel (tun)". Configure the Remote Station and copy the contents of the CA certificate file into the CA Certificate input field. Copy the contents of the client certificate and the client key directly one after the other into the Certificate & Key input field. Click the Apply button. Re-open this page and click the Start OpenVPN button.

Tip: The Tunnel for OLSR only option determines that only the OLSR mesh based Internet traffic is routed via the tunnel.

Example 3: Connect two Mesh Networks

To interconnect two OLSR mesh networks via Internet, you can use an OpenVPN tunnel (device: "tun"). One side is the server (default for tunnel IP: 192.168.255.240), the other side is the client (default for tunnel IP: 192.168.255.241). The connection is secured via a pre-shared key (PSK). For this, click the Generate button. After this, copy the input field contents to the other side. Add the "tun0" device to the /etc/local.olsr.conf file. Example for the server side:

Interface "tun0"
{
IP4Broadcast 192.168.255.241 # unicast to client tunnel IP
}

Tip: The tunnel interface needs to be added to the OLSR configuration manually, even if the tunnel is configured with IP addresses from the OLSR IP range.

Example 4: Connection to the Company

To give multiple clients access e.g. to a company LAN, you can use a bridge (tap) in mode MULTI. Configure a subrange of the LAN addresses in the Tunnel IP Range setting. Example: if the LAN interface of the server is configured with 192.168.1.1/24, a Tunnel IP Range of 192.168.1.240/28 gives up to 13 clients concurrent access (241 for the server, 242-254 for clients). In most use cases, it is not necessary to redirect Internet access for clients via the company LAN.

Tip: In stubborn cases (e.g. you are sitting in another company with a restrictive Internet access policy) you can configure the server for the Protocol "TCP". With this, it is possible to change the OpenVPN client configuration to use an indirect connection via a web proxy.

Additional Configuration Hints

  • EOF case $SSL in yes) cat<PTP connection mode can be used for a connection between one server and one client. For this, the same key is configured on the client and the server.
  • The MULTI connection mode can be used for a connection between one server and multiple clients. The server and all clients will get the same CA certificate. Every client and the server will need their own keys and their own certificates. The server additionally needs the "Diffie Hellman" parameters. To generate keys and certificates, you typically run the "easy-rsa" scripts available in the OpenVPN source package on a PC. Alternatively, install the "freifunk-openvpn-easyrsa-en" package. Generated keys are distinguished by the "Common Name" information field. All other key parameters are informal. Additionally, the date/time on the server and the client need to match, otherwise initiating a connection will fail with "TLS Error: Unroutable control packet".
  • The input field Certificate & Key holds a pair of a certificate and a key. Paste both files including the "------BEGIN" and "------END" markers into this input field. Lines before or after those markers can be omitted. In the server role, this setting holds the server pair, in the client role the client pair.
  • This user interface does not support keys with passwords. To remove the password from a key, run the "openssl rsa -in pass.key -out nopass.key" command on a PC.
  • EOF ;;esac #SSL cat<
  • The tunnel device in mode "Bridge (tap)" will automatically be added to the LAN bridge (br0) if the tunnel device uses an IP address from the LAN. This is true for the OpenVPN server and for connected clients.
  • The OpenSSL library occupies much flash memory. For that reason, a "freifunk-openvpn-nossl" package is available which only supports an un-encrypted connection in the PTP connection mode. Without encryption you should configure the remote station's IP or DNS-Name for security reasons.
  • The "route-nopull" option is omitted from the OpenVPN config file for clients only if policy routing on the OLSR page is active, if a default route with metric=0 exists or if the tunnel default route is valid only for mesh users (Option: Tunnel for OLSR only).
  • Include additional parameters to the /etc/local.ovpn and /etc/local-client.ovpn files.
EOF
;;esac #CFG
;;*)
# Non-empty QUERY_STRING: a form was submitted. DIRTY records what to do:
#   ""    -> nothing changed
#   1     -> settings written to nvram, commit needed
#   start -> "Start OpenVPN" button pressed (see post_start_ovpn)
#   stop  -> "Stop OpenVPN" button pressed (see post_stop_ovpn)
DIRTY=
case $post_start_ovpn in "");;*) DIRTY=start ;;esac
case $post_stop_ovpn in "");;*) DIRTY=stop ;;esac
# "Apply": compare each submitted field with its nvram value and store the
# ones that differ. The variable names come from the fixed VARS list, not
# from the request, so the eval below only reads known names; the values
# themselves are request data and go into nvram after unescape.
case $post_ovpn in "");;*)
VARS="ff_ovpn_count ff_ovpn_mode ff_ovpn_cli ff_ovpn_tap ff_ovpn_gw ff_ovpn_dns ff_ovpn_nat ff_ovpn_policy ff_ovpn_range ff_ovpn_remote ff_ovpn_port ff_ovpn_tcp ff_ovpn_lzo"
# Certificate, key, DH and PSK fields are only saved on an SSL-capable build.
case $SSL in yes) VARS="$VARS ff_ovpn_ca_crt ff_ovpn_crt_key ff_ovpn_dh ff_ovpn_psk" ;;esac
for V in $VARS; do
# indirect read of $<V> (plain sh has no ${!V})
eval C=\"\$$V\"
# $C is unquoted here, so it is word-split and glob-expanded before unescape
# sees it -- multi-line values such as certificates depend on unescape coping
# with that; "$(unescape "$C")" would be the safer spelling.
C="$(unescape $C)"
case "$(nvram get $V${CFG})" in "$C");;*)
DIRTY=1
nvram set $V${CFG}="$C"
;;esac
done
;;esac
case $DIRTY in
"") cat<No settings are changed. EOF
# Settings changed: persist nvram. Output of commit is discarded, and its
# exit status is not checked, so a failed commit still reports success.
;;1) nvram commit>&- 2>&-
cat< The changed settings are committed. The settings are active after the next Restart. EOF
# start/stop: run the init script with the action and show its log output.
;;*) echo -n '
'
/etc/init.d/S91openvpn $DIRTY
# presumably the last logread line up to its first "(" is kept as a marker to
# locate the new log entries; the code consuming $mark is not visible here
mark=$(logread|sed -n '$s/(.*//p')
case $DIRTY in start)
cat<'
;;esac
;;esac

. ${SCRIPT%/*}/cgi-bin-post.sh