After days of testing and trying to make everything work, and after receiving the missing piece of the puzzle from R&D and azslow3, I can finally present the OpenVPN package.
When running on the eTrayz, it can turn it into a VPN server that you can connect to and access your home network just as if you were physically present in that network.
Using it is actually quite simple. You have a server using server certificates, and you have client(s) using their own certificates, based on the server certificates, to connect to it. Just don't get scared on seeing these instructions. I explain it the longer way so it makes more sense. I did all the hard work for you already.
Actually there are two ways to connect. One is with the already mentioned certificates and the second is with a static key. The default after installing the package is static keys. The key is made automatically right after the installation, and it's quite a fast process. But you can only use one client, while with certificates you can have more than one.
All the configuration files are stored in folder:
Main configuration files are the ones with the suffix .conf:
openvpn.conf - file that is used when you start the OpenVPN process
openvpn.conf.certificates - configuration file that uses certificates
openvpn.conf.static - configuration file that uses static key
By default openvpn.conf file is just a copy of openvpn.conf.static file, that is for using static key. If you want to use certificates you need to create server and client keys, but more about this later.
After installing, everything should be prepared on the eTrayz to start OpenVPN with static keys. So just start the process.
Next step is to configure the OpenVPN client. I will write it for a Windows client, since I have no OSX computers. But there are also clients for OSX such as Tunnelblick. For the Windows client, download the OpenVPN 2.1.1 Windows installer from here (openvpn-2.1.1-install.exe):
http://openvpn.net/i.../downloads.html
Install it with all default settings. It also installs a nice GUI interface for easy connecting to our server.
What we need now is to copy all the premade configurations that I already set up for the eTrayz connection and proper routing. All the certificates and static keys are automatically copied to a non-public location:
Copy all the files from that folder to OpenVPN client folder at location:
For static key connection you only need files Static keys.ovpn and static.key. If/after you create server and client certificates you can copy them too to the client. GUI will then show you both options to connect with.
!!! MANUAL EDIT !!!
Edit the .ovpn files and look for line:
remote YOURETRAYZDDNS 1194
Replace YOURETRAYZDDNS with your remote DDNS or external WAN IP of your eTrayz. As you can see it runs on port 1194, so make sure it's open on your router and forwarded to your eTrayz (TCP+UDP).
Once this is done just start OpenVPN GUI. You will see a new icon in the tray. Right click on it, select the Static Keys connection and click connect. It usually takes 10-20 seconds, and if the ports are forwarded you will successfully connect and get an IP assigned in the 10.8.0.0 network (usually 10.8.0.2 for static and 10.8.0.6 for the first client for a certificate connection).
You can ping your VPN/eTrayz by pinging 10.8.0.1 or your LAN eTrayz IP. BUT!!! YOU WILL NOT BE ABLE TO PING ANY OTHER COMPUTERS IN YOUR HOME NETWORK. I'll deal with this later in this manual.
!!! USING CERTIFICATES !!!
If you want to have more than one client and of course make things even more secure, you can use certificates. It takes quite a lot of command line commands to do this. But again I made things easier. You still need an SSH connection, but I minimized the commands to only two. One for making server keys and another to make client keys.
So login to your eTrayz via SSH and type this command to first make server keys:
Making the basic keys is fast, but it can take a lot of time to make the DH file. Just let it run. It can take 5-30 minutes to finish. Once done we will make client keys. By default I name them client1, client2,... You can use different naming but you need to edit the configuration files. Let's make the client1 keys:
And we are done. All the keys needed now for setting up the client are again stored into folder:
Files needed are ca.crt, client1.crt and client1.key. Copy them to the client /config folder. If you named the client differently then you need to change the file Certificates.ovpn:
# using certificates
ca ca.crt
cert client??.crt
key client??.key
You also need to switch openvpn.conf file (from static to certificates) in /home/epkg/etc/openvpn folder. Just copy file openvpn.conf.certificates over openvpn.conf with SSH command:
cp /home/epkg/etc/openvpn/openvpn.conf.certificates /home/epkg/etc/openvpn/openvpn.conf
No need to change anything inside it. It automatically uses the server keys that we made before. Start the server, and the client from the GUI, but this time choose Certificates from the OpenVPN GUI.
!!! FIXING ROUTING !!!
If you have firmware 1.0.5 then all you need to do is type this:
modprobe ip_tables
modprobe ipt_MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
For older firmwares (I urge you to upgrade to 1.0.5!!!):
This is something that I banged my head against, and it prevented me from releasing this package earlier. The whole point of a VPN is to have the ability to see ALL the computers inside the network the eTrayz is running in. With the default settings I could only access the eTrayz and nothing else. Here is my theory and sample network settings:
eTrayz local network: 192.168.0.0
eTrayz local IP: 192.168.0.25
eTrayz VPN IP: 10.8.0.1
My router IP: 192.168.0.10
Client network: 192.168.21.0
Client local IP: 192.168.21.100
VPN appointed IP: 10.8.0.6
So. When connected I am able to ping the VPN server (eTrayz) with IP 10.8.0.1 or with IP 192.168.0.25. But I was unable to ping my router with IP 192.168.0.10. After a lot of Google searches and testing with vpeter we figured out that the ping packet is received by the router and returned, but it returns it to IP 10.8.0.6, which of course it doesn't know the location of, since its network is 192.168.0.0.
So the only solution that I figured out was to tell my router, which all devices in my network use as gateway, to send all the packets for network 10.8.0.0 to the eTrayz and let OpenVPN with the tun adapter handle it. And it worked!
My router is Linksys WRT54GL with Tomato firmware. Here is the change that I needed:
So for network 10.8.0.0 use gateway 192.168.0.25 (my eTrayz IP).
So... This is it. Any questions, ask. Any better solutions, please share. Any brave that tested this, post feedback.
This post has been edited by TheHijacker: 08 October 2010 - 19:53
Reason for edit: Changes because of new epkg structure
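
The return-path problem from the FIXING ROUTING part, modelled as an added example (not part of the original post or the package): it shows where the router sends its ping reply with no fix, with the static route, and with the MASQUERADE rule. The addresses are the post's sample values; the /24 LAN mask, the reuse of the iptables rule's /16 for the static route, the "WAN" default next hop and all function names are assumptions.

```python
import ipaddress

# Sample addresses from the post. Assumptions: /24 LAN mask, the /16 from the
# post's iptables rule reused for the static route, a default route via "WAN".
LAN = ipaddress.ip_network("192.168.0.0/24")
VPN = ipaddress.ip_network("10.8.0.0/16")
ETRAYZ_LAN_IP = "192.168.0.25"
VPN_CLIENT_IP = "10.8.0.6"


def next_hop(table, dst):
    """Longest-prefix match over (network, next_hop) rows."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if dst in net]
    return max(matches, key=lambda row: row[0].prefixlen)[1]


def masquerade(src):
    """Effect of the post's POSTROUTING MASQUERADE rule on eth0: a source in
    the VPN range is rewritten to the eTrayz LAN address."""
    return ETRAYZ_LAN_IP if ipaddress.ip_address(src) in VPN else src


def reply_path(router_table, ping_src, nat=False):
    """Next hop the router picks for its echo reply to a ping from the VPN."""
    seen_src = masquerade(ping_src) if nat else ping_src
    return next_hop(router_table, seen_src)  # reply goes to the source it saw


# Router as described in the post: it only knows its own LAN and a default route.
default_table = [
    (LAN, "on-link"),
    (ipaddress.ip_network("0.0.0.0/0"), "WAN"),
]
# Older-firmware fix: static route for the VPN network via the eTrayz.
fixed_table = default_table + [(VPN, ETRAYZ_LAN_IP)]

if __name__ == "__main__":
    print("no fix       ->", reply_path(default_table, VPN_CLIENT_IP))
    print("static route ->", reply_path(fixed_table, VPN_CLIENT_IP))
    print("MASQUERADE   ->", reply_path(default_table, VPN_CLIENT_IP, nat=True))
```

With MASQUERADE the LAN hosts see every VPN client as 192.168.0.25, so per-client source addresses are no longer visible in their logs; the static route keeps them.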