OPENVPN Server configuration

Being able to tunnel back into the house is a very useful thing to be able to do. I use the NSLU as both a VPN client to connect to other networks and as a VPN server; both can run simultaneously.

Make sure you have the openvpn package installed

ipkg install openvpn

The openvpn configuration files live here

cd /opt/etc/openvpn

First we need to generate the CA, server and client keys and certificates, plus the DH parameters and a shared secret.

mkdir server-keys
cd server-keys
# openssl ca expects this directory layout by default
mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
touch demoCA/index.txt
echo "01" >> demoCA/serial
# Self-signed CA certificate, valid for five years
openssl req -nodes -new -x509 -days 1825 -keyout ca.key -out ca.crt
# Server key and certificate, signed by the CA
openssl req -nodes -new -keyout server.key -out server.csr
openssl ca -cert ca.crt -keyfile ca.key -out server.crt -in server.csr
# Client key and certificate, signed by the CA
openssl req -nodes -new -keyout client.key -out client.csr
openssl ca -cert ca.crt -keyfile ca.key -out client.crt -in client.csr
# Diffie-Hellman parameters and a static shared secret
openssl dhparam -out dh.pem 1024
openvpn --genkey --secret shared.key
chmod 600 server.key

Now to combine these into a single PKCS12 file.

# Combine client keys into a pkcs12 file
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out dbzoo-cert.p12

Now we create the /opt/etc/openvpn/openvpn-server.conf configuration file. I have opted to tunnel using TCP over 443 as I know this can be used behind even the most restrictive firewall that only has ports 80 and 443 open. However, if you can use port 1194 and UDP, do so, as your performance will be better.

#Begin openvpn-server.conf
dev tun
#port 1194
#proto udp
port 443
proto tcp

ca server-keys/ca.crt
cert server-keys/server.crt
key server-keys/server.key # This file should be kept secret
dh server-keys/dh.pem

#Make sure this is your tunnel address pool
ifconfig-pool-persist ipp.txt
#This is the route to push to the client, add more if necessary
push "route"
#push "dhcp-option DNS"
keepalive 10 120
cipher BF-CBC #Blowfish encryption
user nobody
group nobody
status openvpn-status.log
verb 6
mute 20
up ./openvpn-server.up
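A small audit of the server config above, added here as an example and not part of the original page: it parses the directives as printed (SAMPLE_CONF is a constructed excerpt) and reports what a reviewer would flag, namely the Blowfish cipher, the shared.key that was generated but never referenced, the missing pool and route arguments, and the lack of persist-key/persist-tun after dropping to nobody.

```python
# Audit an OpenVPN server config for the weak or missing settings this page
# leaves in place. Added example, not the page's code; SAMPLE_CONF is a
# constructed excerpt of the openvpn-server.conf shown above.
import re

SAMPLE_CONF = """\
dev tun
key server-keys/server.key # This file should be kept secret
push "route"
cipher BF-CBC #Blowfish encryption
user nobody
group nobody
verb 6
"""

# 64-bit block ciphers; BF-CBC was the OpenVPN default before 2.4 (SWEET32).
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

def parse_conf(text):
    """Map each directive to a list of its argument lists; # and ; comments dropped."""
    conf = {}
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)[#;].*$", "", raw).strip()
        if line:
            name, *args = line.split()
            conf.setdefault(name, []).append(args)
    return conf

def audit(text):
    """Return (directive, problem, suggested fix) triples for a server config."""
    c = parse_conf(text)
    keys, found = set(c), []
    cipher = c.get("cipher", [["BF-CBC"]])[0][0]  # absent means the old default
    if cipher in WEAK_CIPHERS:
        found.append(("cipher", f"{cipher} is a 64-bit block cipher", "cipher AES-256-GCM"))
    if not keys & {"tls-auth", "tls-crypt"}:  # shared.key was generated but never used
        found.append(("tls-auth", "control channel is not keyed", "tls-auth server-keys/shared.key 0"))
    if not keys & {"server", "ifconfig"}:
        found.append(("server", "no tunnel address pool defined", "server <net> <mask>"))
    for args in c.get("push", []):
        inner = " ".join(args).strip('"').split()
        if inner[:1] == ["route"] and len(inner) < 2:
            found.append(("push", "route pushed without a network", 'push "route <net> <mask>"'))
    if keys & {"user", "group"} and not keys >= {"persist-key", "persist-tun"}:
        found.append(("persist-key", "keys/tun cannot be reopened after privilege drop", "persist-key + persist-tun"))
    return found

if __name__ == "__main__":
    for directive, problem, fix in audit(SAMPLE_CONF):
        print(f"[{directive}] {problem} -> {fix}")
```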

Set up iptables to allow this tunnel to be used

iptables -I INPUT -i $WLAN -j ACCEPT
iptables -I FORWARD -i $WLAN -j ACCEPT
iptables -I FORWARD -o $WLAN -j ACCEPT
iptables -I OUTPUT -o $WLAN -j ACCEPT

Server startup

The startup script is /opt/etc/init.d/S20openvpn; make sure it references your .conf file correctly.

As multiple clients may use the same PKCS12 certificate, we include the --duplicate-cn option.

#!/bin/sh
# Startup script for openvpn as standalone server
# Make sure IP forwarding is enabled
echo 1 > /proc/sys/net/ipv4/ip_forward
# Make sure these are loaded
insmod ip_tables >/dev/null
insmod iptable_filter >/dev/null
insmod ip_conntrack >/dev/null
insmod iptable_nat >/dev/null
insmod ipt_state >/dev/null
insmod ipt_MASQUERADE >/dev/null
# Clear all chains (we only use IPTABLES for VPN so this is ok)
iptables -F
iptables -F -t nat
# Make device if not present (not devfs)
if [ ! -c /dev/net/tun ]; then
  # Make /dev/net directory if needed
  if [ ! -d /dev/net ]; then
    mkdir -m 755 /dev/net
  fi
  mknod /dev/net/tun c 10 200
fi
# Make sure the tunnel driver is loaded
if ! lsmod | grep -q "^tun"; then
  insmod /opt/lib/modules/tun.o
fi
# If you want a standalone server (not xinetd), comment out the return statement below
#return 0
## This is for standalone servers only!!!!
# Kill old server if still there
if [ -n "`pidof openvpn`" ]; then
  /bin/killall openvpn 2>/dev/null
fi
# Start afresh - add as many daemons as you want
/opt/sbin/openvpn --daemon --cd /opt/etc/openvpn --config openvpn-server.conf --duplicate-cn

Client access

To access your tunnel you're going to need to set up a few things.

For Windows you can get the OpenVPN client software; once it is installed you will need to copy a few files into the C:\Program Files\OpenVPN\config directory.

I use as a CNAME for which my router will keep up to date for me. If you don't have your own domain you can substitute any DYNDNS name in here.


# OpenVPN Client Configuration
# DBZOO home network
dev tun
proto tcp
remote 443

keepalive 1 10

pkcs12 dbzoo-cert.p12

verb 6
mute 5

# To get through a company firewall these options will be useful.
#http-proxy proxyserver 8080
#http-proxy-option AGENT Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-GB;+rv:1.7.6)+Gecko/20050226+Firefox/1.0.1

And you need to copy in the PKCS12 file that we created on the server.

That's it!