Difference between revisions of "OpenVPN-Setup"

From OpenPLi Wiki
Jump to: navigation, search
(Autobackup)
 
(11 intermediate revisions by 2 users not shown)
Line 1: Line 1:
This is an experimental setup, using the command line, so please report any error or problems here in the [https://forums.openpli.org/topic/47406-build-a-server-vpn-with-openvpn-create-certificate-files-configure-client-side/#entry650397<span style="color:SteelBlue">Forum</span>]
+
=='''Settopbox'''==
 +
Although you can install OpenVPN on your Enigma2 box it is <u>not to be recommended</u>. You should use a router for that (WiFi router or NAS) or a custom router firmware. So use something that's being updated regularly and has a large community, as safety is much higher when you have the latest security updates.
 +
 
 +
 
 +
=='''Setup'''==
 +
This is an experimental setup from the forum and you must be familiar using the command line, so please report any error or problems in this [https://forums.openpli.org/topic/47406-build-a-server-vpn-with-openvpn-create-certificate-files-configure-client-side/#entry650397<span style="color:SteelBlue">thread</span>] on the forum.
  
 
* Install openvpn using the command line  
 
* Install openvpn using the command line  
Line 14: Line 19:
 
  c:\OpenSSL-Win32\bin\openssl.exe
 
  c:\OpenSSL-Win32\bin\openssl.exe
  
* Now, in this mode, you can convert .crt and .key files to .pem for server files, and put these files in your stb\receiver at  
+
* Now, in this mode, you can convert .crt and .key files to .pem for server files, and put these files in your stb\receiver at /etc/openvpn/
 
 
/etc/openvpn/
 
  
 
  $ openssl> x509 -in filename.crt -inform DER -out filename.crt.pem -outform PEM
 
  $ openssl> x509 -in filename.crt -inform DER -out filename.crt.pem -outform PEM
 
  $ openssl> rsa -in filename.key -out filename.key.pem -outform PEM
 
  $ openssl> rsa -in filename.key -out filename.key.pem -outform PEM
  
The ca.cert file, he have to open the certificate in windows OS and select details tab> copy file>convert to binary DER x509 and select destination folder to save.
+
The ca.cert file, we have to open the certificate in windows OS and select details tab> copy file>convert to binary DER x509 and select destination folder to save.
  
 
   
 
   
Line 29: Line 32:
 
OpenSSL>x509 -inform DER -in ca.cer -outform PEM -out ca.pem
 
OpenSSL>x509 -inform DER -in ca.cer -outform PEM -out ca.pem
  
All these conversions to .pem extension is based on openvpn --help binnary information of our instalation of openvpn in our STB, maybe it's not necessary.
+
All these conversions to .pem extension is based on openvpn --help binary information of our installation of openvpn in our STB, maybe it's not necessary.
  
 
   
 
   
Line 37: Line 40:
 
   
 
   
  
I add two extra .pem files to the directory 01.pem and 02.pem, they have been generated on the files creation, they contains key info, I dont know if there is duplicity of information.
+
I add two extra .pem files to the directory 01.pem and 02.pem, they have been generated on the files creation, they contains key info, I don't know if there is duplicity of information.
  
 
   
 
   
Line 43: Line 46:
 
Lets to put the server config file parameters /etc/openvpn/server.conf
 
Lets to put the server config file parameters /etc/openvpn/server.conf
  
local 192.168.xxx.xxx (local network IP)
+
local 192.168.xxx.xxx (local network IP)
server 10.8.0.0 255.255.255.0 (for example)
+
server 10.8.0.0 255.255.255.0 (for example)
tls-server
+
tls-server
proto udp
+
proto udp
port 443 (sample port)
+
port 443 (sample port)
dev tun
+
dev tun
ca ca.pem
+
ca ca.pem
dh dh2048.pem
+
dh dh2048.pem
cert server.crt.pem
+
cert server.crt.pem
key server.key.pem
+
key server.key.pem
extra-certs 01.pem
+
extra-certs 01.pem
extra-certs 02.pem
+
extra-certs 02.pem
ifconfig-pool-persist ipp.txt
+
ifconfig-pool-persist ipp.txt
comp-lzo
+
comp-lzo
float
+
float
ping-timer-rem
+
ping-timer-rem
persist-key
+
persist-key
persist-tun
+
persist-tun
status openvpn-status.log
+
status openvpn-status.log
log openvpn.log
+
log openvpn.log
verb 3
+
verb 3
keepalive 10 120
+
keepalive 10 120
  
 
Client profile *.ovpn (tested on android openvpn app).
 
Client profile *.ovpn (tested on android openvpn app).
  
client
+
client
dev tun
+
dev tun
proto udp
+
proto udp
remote 'hostname(NOIP) or Public IP' 443 (sample port)
+
remote 'hostname(NOIP) or Public IP' 443 (sample port)
resolv-retry infinite
+
resolv-retry infinite
nobind
+
nobind
persist-key
+
persist-key
persist-tun
+
persist-tun
mute-replay-warnings
+
mute-replay-warnings
ca /file_path/ca.crt
+
ca /file_path/ca.crt
cert /file_path/client.crt
+
cert /file_path/client.crt
key /file_path/client.key
+
key /file_path/client.key
ns-cert-type server
+
ns-cert-type server
cipher bf-cbc
+
cipher bf-cbc
comp-lzo
+
comp-lzo
verb 3
+
verb 3
mute 20
+
mute 20
  
The port we are going to use to vnp connection have to be opened, of course, and you can forward to other external different port as you know.
+
The port we are going to use to vpn connection have to be opened, of course, and you can forward to other external different port as you know.
  
   
+
=='''Autobackup'''==
 +
If you use a version older than 8.2-release, you need to add the OpenVPN configuration directory to [[Backup/AutoBackup | <span style="color:SteelBlue">AutoBackup</span>]].
 +
To do so, add
 +
 
 +
  /etc/openvpn
  
Happy VPN connection.
+
to [[Backup/AutoBackup | <span style="color:SteelBlue">AutoBackup</span>]].

Latest revision as of 19:55, 23 August 2022

Settopbox

Although you can install OpenVPN on your Enigma2 box it is not to be recommended. You should use a router for that (WiFi router or NAS) or a custom router firmware. So use something that's being updated regularly and has a large community, as safety is much higher when you have the latest security updates.


Setup

This is an experimental setup from the forum and you must be familiar using the command line, so please report any error or problems in this thread on the forum.

  • Install openvpn using the command line
opkg install openvpn
  • Create files ca.crt, server.crt, server.key, same files for clients, client.crt, client.key, following this link


  • All files have to be .pem extension, so convert the files, please follow this guide up to finish this three last steps:
set RANDFILE=c:\demo\.rnd
set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
c:\OpenSSL-Win32\bin\openssl.exe
  • Now, in this mode, you can convert .crt and .key files to .pem for server files, and put these files in your stb\receiver at /etc/openvpn/
$ openssl> x509 -in filename.crt -inform DER -out filename.crt.pem -outform PEM
$ openssl> rsa -in filename.key -out filename.key.pem -outform PEM

The ca.cert file, we have to open the certificate in windows OS and select details tab> copy file>convert to binary DER x509 and select destination folder to save.


Then we convert the ca.cer file to .pem file:

OpenSSL>x509 -inform DER -in ca.cer -outform PEM -out ca.pem

All these conversions to .pem extension is based on openvpn --help binary information of our installation of openvpn in our STB, maybe it's not necessary.


dh2048.pem have to locate at openvpn config directory too, /etc/openvpn


I add two extra .pem files to the directory 01.pem and 02.pem, they have been generated on the files creation, they contains key info, I don't know if there is duplicity of information.


Lets to put the server config file parameters /etc/openvpn/server.conf

local 192.168.xxx.xxx (local network IP)
server 10.8.0.0 255.255.255.0 (for example)
tls-server
proto udp
port 443 (sample port)
dev tun
ca ca.pem
dh dh2048.pem
cert server.crt.pem
key server.key.pem
extra-certs 01.pem
extra-certs 02.pem
ifconfig-pool-persist ipp.txt
comp-lzo
float
ping-timer-rem
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
keepalive 10 120

Client profile *.ovpn (tested on android openvpn app).

client
dev tun
proto udp
remote 'hostname(NOIP) or Public IP' 443 (sample port)
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca /file_path/ca.crt
cert /file_path/client.crt
key /file_path/client.key
ns-cert-type server
cipher bf-cbc
comp-lzo
verb 3
mute 20

The port we are going to use to vpn connection have to be opened, of course, and you can forward to other external different port as you know.

Autobackup

If you use a version older than 8.2-release, you need to add the OpenVPN configuration directory to AutoBackup. To do so, add

/etc/openvpn

to AutoBackup.