OpenVPN on OpenWRT

Router VPN

Why? Mostly, it's something I've sort of been doing through SSH for years. It would be nice to be able to access free wireless Internet somewhere and be able to tap securely into my network and bring up VNC, RDP, stream MythTV, access my email with real clients (although I do have SquirrelMail AND horde-imp installed), etc. Geek stuff ;). And there is a great free (both in price and standard) implementation: OpenVPN. After listening to the Security Now Podcasts, where Steve Gibson eventually suggested Hamachi and OpenVPN as great VPN solutions, I decided on the latter due to the ability to even propagate non-routable protocols and network broadcasts.

After much reading and prepping myself, I opened several tabs in Firefox and went for it. I made sure to wait for a "quiet" time on Myth, so the disappearance of my two myth backends that are attached via wireless wouldn't cause any recordings to be skipped. I kludged together information from this howto with information from this howto. I should point out, that weeks ago, I turned on the "boot_wait" option in my WRT54GSv2. The OpenWRT Howto has links to forums that describe how to do this. I used the method of writing a tiny HTML that uses the "ping.asp" page to run code. The firmware load worked, mostly, after I got my timing right on pushing the replacement firmware with the router reboot. The router was in a different room than where the laptop had to be to utilize a wired connection to Port 1. I finally got it to work uploading settings into the router's webpage, then Alt-Tabbing to my atftp connection. Moments later, I was able to telnet into my router.

The rest of the router configuration is straight-forward from this point (until getting to OpenVPN) using the documents mentioned. I installed the ntpclient, password protected it to enable ssh instead of telnet, then installed "nas" to provide me with WPA authentication. There is a great password generator at Steve Gibson's site. It took me many tries and many flights up and down the stairs with my USB drive containing different versions of the passwords. I believe that "nas" in OpenWRT doesn't support hexadecimal WPA passphrases. I also believe that wpa_supplicant (Linux WPA client) doesn't support some of the symbols you'll get using the full printable ASCII passwords. To be mostly compatible, use the non-symbol ASCII passphrase.

For OpenVPN, after some putzing around, I ended up using the Howto from CAcert, changing cert filenames and IP addresses to match my configuration. At this point, I am leaving my wireless to be protected solely by WPA. I read in some forums there is a noticeable loss of bandwidth using OpenVPN for your local connections. I am about at the limit ususally to stream Myth, so I didn't want to cut into that. I already have scripts that fire off VLC to transcode and stream my Myth programs so that they will fit through my DSL upload bandwidth. The same config file from Linux worked in Windows, just remove the "log" entries as the OpenVPN GUI logs connections itself. I had to change the access-control.txt file to include more than just the /emailAddress flag. Maybe CAcert is generating their client certs differently now.

The resultant OpenVPN is what is referred to as "Routed". By upgrading / changing to use "Bridged", then you can receive non-routable protocols such IPX and the NetBEUI form of Windows File sharing. If I decide to get into that form of VPN, I'll weigh in here.

Until next time, keep on geekin' baby!