|Alt-F-0.1RC1 OpenVPN||Cam1878||10/16/11 1:14 PM|
I'm trying to use the openvpn package that is included in the RC1
release. I have made the configuration files and keys on a linux VM
but I do not know how to start the vpn server on my DNS-323.
I can telnet and SSH to the box but I do not know which commands to
use to set up the openvpn server or load the .conf files (also where
to save them on my NAS).
I have tried looking on the forum but none of the threads are recent
and don't apply to the recent release.
Can anyone provide a step-by-step method of getting it to work?
|Re: Alt-F-0.1RC1 OpenVPN||João Cardoso||10/17/11 7:14 AM|
I can't help you with openvpn setup, as I never used it. I only made
the functional checks recommended in the INSTALL file.
I would like to provide full openvpn configuration support on Alt-F,
with your help.
But we will do that on a second stage, if you agree.
First you have to make sure that your certificates and configuration
Start creating the place where certificates and configuration files
and copy the certificates and configuration file to there.
Load the kernel driver:
perhaps openvpn loads it for you. You have to figure this out later.
Now start openvpn with the correct options. I don't know what to use,
you have to follow a tutorial.
openvpn --config /etc/openvpn/yourconfigfile --other needed
Test it's working, and when everything is fine, let's automate its
Alt-F working. Do the following:
ln -sf /usr/sbin/rcscript /sbin/rcopenvpn
and create a file /etc/init.d/S41openvpn with the following content
#!/bin/sh
NAME=openvpn
OPENVPN_OPTS="--config /etc/openvpn/yourconfigfile --other needed"
. $(dirname $0)/common
case "$1" in
start) start $NAME -- $OPENVPN_OPTS ;;
stop) stop $NAME ;;
status) status $NAME ;;
reload) reload $NAME ;; # can openvpn re-read configuration
restart) restart $NAME ;;
*) usage $0 "start|stop|status|restart|reload" ;;
esac
There are other initscripts in the /etc/init.d directory, you might
have to look at them.
What other service, if any, has to be running for openvpn to work?
And that's all (for now)
You can now use and verify the commands
rcopenvpn reload # after configuration file changes
also, in Services->Network an openvpn entry shall appear
Did it work?
Can you share the configuration and how it was created? Posting the
original and the modified files is important.
The samples and easy-rsa directory is located in /usr/share/openvpn/,
can it be used to create certificates in the box? How to use them?
(Start first with certificates created on another linux box, where
openvpn is known to work.)
|Re: Alt-F-0.1RC1 OpenVPN||Cam1878||10/17/11 8:58 AM|
I followed the openvpn how-to found here:
(I'm not an expert on openvpn, I'm learning this as I go)
I used the DNS-323 to create the keys because it already contained the
easy-rsa folder and all of the files to do it. (I had done it using an
Ubuntu VM on my PC, but they result in identical files)
I used the default server.conf file found in the sample folder since I
haven't modified it yet.
did not return any sort of error
#openvpn --config /etc/openvpn/server.conf
generated the following:
Mon Oct 17 10:30:07 2011 OpenVPN 2.2.1 arm-linux [SSL] [LZO2] [EPOLL]
[eurephia] built on Oct 12 2011
Mon Oct 17 10:30:07 2011 NOTE: your local LAN uses the extremely
common subnet address 192.168.0.x or 192.168.1.x. Be aware that this
might create routing conflicts if you connect to the VPN server from
public locations such as internet cafes that use the same subnet.
Mon Oct 17 10:30:07 2011 NOTE: OpenVPN 2.1 requires '--script-security
2' or higher to call user-defined scripts or executables
Mon Oct 17 10:30:07 2011 Diffie-Hellman initialized with 1024 bit key
Mon Oct 17 10:30:07 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0
Mon Oct 17 10:30:07 2011 Socket Buffers: R=[108544->131072] S=[108544-
Mon Oct 17 10:30:07 2011 ROUTE default_gateway=192.168.0.1
Mon Oct 17 10:30:07 2011 Note: Cannot open TUN/TAP dev /dev/net/tun:
No such file or directory (errno=2)
Mon Oct 17 10:30:07 2011 /sbin/ifconfig 10.8.0.1 pointopoint 10.8.0.2
mtu 1500
ifconfig: SIOCSIFADDR: No such device
Mon Oct 17 10:30:07 2011 Linux ifconfig failed: external program
exited with error status: 1
Mon Oct 17 10:30:07 2011 Exiting
Your guess is as good as mine when it comes to which files are
From a bit of googling SIOCSIFADDR, it is to do with a network
interface being missing in the ifconfig file, I assume this is because
the TUN interface was not initialized because the TAP/TUN files are
There is a similar problem here: http://openvpn.net/archive/openvpn-users/2007-05/msg00304.html
The TAP/TUN was not run due to a permission error then that error
I would like to have a TAP (bridging) VPN, but I'll try to get the
default working first, then I'll change the .conf file.
|Re: Alt-F-0.1RC1 OpenVPN||Cam1878||10/17/11 9:14 AM|
I followed the solution here: http://wiki.vpslink.com/TUN/TAP_device_with_OpenVPN_or_Hamachi
To create the TUN files.
I re-ran the openvpn --config and had a new error. I currently have
the dh1024.pem file in the same directory as the server.conf file and
the server keys. I'll post again if I figure out what is wrong.
# openvpn --config /etc/openvpn/server.conf
Mon Oct 17 11:08:41 2011 OpenVPN 2.2.1 arm-linux [SSL] [LZO2] [EPOLL]
[eurephia] built on Oct 12 2011
Mon Oct 17 11:08:41 2011 NOTE: your local LAN uses the extremely
common subnet address 192.168.0.x or 192.168.1.x. Be aware that this
Mon Oct 17 11:08:41 2011 NOTE: OpenVPN 2.1 requires '--script-security
2' or higher to call user-defined scripts or executables
Mon Oct 17 11:08:42 2011 Cannot open dh1024.pem for DH parameters:
error:02001002:system library:fopen:No such file or directory: error:
2006D080:BIO routines:BIO_new_file:no such file
Mon Oct 17 11:08:42 2011 Exiting
|Re: [Alt-F] Re: Alt-F-0.1RC1 OpenVPN||João Cardoso||10/17/11 9:25 AM|
On Monday, October 17, 2011 16:58:33 Cam1878 wrote:
but /dev/tun exists
> Mon Oct 17 10:30:07 2011 /sbin/ifconfig 10.8.0.1 pointopoint 10.8.0.2
this must be because of the missing /dev/net/tun
perhaps you should use "--dev-node node"?
I notice just now that "--help" is not available on the shipped binary, I will
|Re: Alt-F-0.1RC1 OpenVPN||Cam1878||10/17/11 10:02 AM|
I managed to solve the TUN problem in my earlier post. I think I may
have figured out the DH parameter problem but I'm no longer at my
computer. I'll try to keep working later today on it.
Once I followed the 4 commands on this page:
The error for opening TUN/TAP and the SIOCSIFADDR was solved.
You are correct though, /dev/net/tun was missing.
The server.conf file sets whether the vpn is TUN or TAP. I have it set
to TUN currently
I am sure if it was set to TAP, it would have gotten the same error
looking in /dev/net/tap, so it is also probably missing.
|Re: [Alt-F] Re: Alt-F-0.1RC1 OpenVPN||João Cardoso||10/17/11 10:53 AM|
On Monday, October 17, 2011 17:14:13 Cam1878 wrote:
You might then want to use "--cd /etc/openvpn", because files are there?
> Cannot open dh1024.pem for DH parameters:
This option is useful when you are running OpenVPN in --daemon
|Re: [Alt-F] Re: Alt-F-0.1RC1 OpenVPN||João Cardoso||10/17/11 11:02 AM|
On Monday, October 17, 2011 17:14:13 Cam1878 wrote:
> I followed the solution here:
That's OK as long as you remember it later :)
But you should refrain from changing things that can be configured using
I know, I'm picky ;-)
|Re: Alt-F-0.1RC1 OpenVPN||Cam1878||10/17/11 2:06 PM|
I modified server.conf to solve the DH parameter problem.
I edited "dh dh1024.pem" to "dh /etc/openvpn/dh1024.pem" to include
the filepath to where I had already saved the files.
Once I ran openvpn --config it returned this:
Mon Oct 17 14:46:55 2011 OpenVPN 2.2.1 arm-linux [SSL] [LZO2] [EPOLL]
[eurephia] built on Oct 12 2011
Mon Oct 17 14:46:55 2011 NOTE: your local LAN uses the extremely
common subnet address 192.168.0.x or 192.168.1.x. Be aware that this
Mon Oct 17 14:46:55 2011 NOTE: OpenVPN 2.1 requires '--script-security
2' or higher to call user-defined scripts or executables
Mon Oct 17 14:46:56 2011 Diffie-Hellman initialized with 1024 bit key
Mon Oct 17 14:46:56 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0
ET:0 EL:0 ]
Mon Oct 17 14:46:56 2011 Socket Buffers: R=[108544->131072] S=[108544-
Mon Oct 17 14:46:56 2011 ROUTE default_gateway=192.168.0.1
Mon Oct 17 14:46:56 2011 TUN/TAP device tun0 opened
Mon Oct 17 14:46:56 2011 TUN/TAP TX queue length set to 100
Mon Oct 17 14:46:56 2011 /sbin/ifconfig tun0 10.8.0.1 pointopoint
10.8.0.2 mtu 1500
Mon Oct 17 14:46:56 2011 /sbin/route add -net 10.8.0.0 netmask
255.255.255.0 gw 10.8.0.2
Mon Oct 17 14:46:56 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42
EB:135 ET:0 EL:0 AF:3/1 ]
Mon Oct 17 14:46:56 2011 UDPv4 link local (bound): [undef]:1194
Mon Oct 17 14:46:56 2011 UDPv4 link remote: [undef]
Mon Oct 17 14:46:56 2011 MULTI: multi_init called, r=256 v=256
Mon Oct 17 14:46:56 2011 IFCONFIG POOL: base=10.8.0.4 size=62
Mon Oct 17 14:46:56 2011 IFCONFIG POOL LIST
Mon Oct 17 14:46:56 2011 Initialization Sequence Completed
So it seems to have initialized, I have yet to try to connect anything
|Re: Alt-F-0.1RC1 OpenVPN||Cam1878||10/18/11 12:05 PM|
After a bit of configuring on the client side of things, I managed to
connect to it perfectly.
It assigned me an IP and I was able to ping the server as well as
telnet to the device.
I'm going to try to change things around to set up network discovery
so I can use it as a network server as if it were on the same subnet.
Once it says initialization sequence completed you can just close the
SSH or telnet client and the vpn is running. I haven't set it up as a
daemon yet though.
|Re: Alt-F-0.1RC1 OpenVPN||Cam1878||10/18/11 12:29 PM|
I just looked in the files and noticed that /dev/tun or /dev/tap does
I'm going to have to include the commands from here:
http://wiki.vpslink.com/TUN/TAP_device_with_OpenVPN_or_Hamachi in the
|Re: [Alt-F] Re: Alt-F-0.1RC1 OpenVPN||Joao Cardoso||10/18/11 1:22 PM|
They will be created as soon as you 'modprobe tun'. /dev/tun will be created by the tun kernel module, that is a tap/tun driver.
If it is absolutely necessary (i.e., the default can't be used through the conf file) we can create /dev/net/tun and /dev/net/tap by using /etc/mdev.conf. I will take care of it, after you submit your initscript.
|Re: [Alt-F] Re: Alt-F-0.1RC1 OpenVPN||Joao Cardoso||10/18/11 1:26 PM|
To have the box dhcp server to be used, or other dhcp server in the box network, and be able to smb/nfs browse the box network, the simplest is to use vpn in bridged mode.
Is that what you are doing now?
|Re: Alt-F-0.1RC1 OpenVPN||Cam1878||10/18/11 4:04 PM|
Here is a step-by-step of what I did and the contents for server.conf
It is somewhat of a crude method of avoiding the tun & tap error,
you'll see it in the modified S41openvpn file. I'm sure you can modify
things to make it more polished and efficient.
1. Follow OpenVPN How-to: "Setting up your own Certificate Authority
(CA) and generating certificates and keys for an OpenVPN server and
/Alt-F/usr/share/openvpn/easy-rsa/2.0 #Directory for creating keys
By now you should have:
2. mkdir /Alt-F/openvpn #Directory for .conf, .key, and .crt files
3. Copy .crt and .key files and sample server.conf to /Alt-F/openvpn:
/Alt-F/usr/share/openvpn/sample-config-files #server.conf is found
/Alt-F/usr/share/openvpn/easy-rsa/2.0 #ca.crt and server.key is
(Copy all client files to clients as needed - see How-to "Key Files"
chart for details)
4. Modify server.conf to (most are default values):
###### server.conf #######
local 192.168.0.XXX #Whichever IP the router is forwarding to
dev tap #Or "dev tun" depending on mode you want
ca /Alt-F/openvpn/ca.crt #IMPORTANT: direct to location of your .crt
and .key files
cert /Alt-F/openvpn/server.cert #SAME AS ABOVE
key /Alt-F/openvpn/server.key #SAME AS ABOVE
dh /Alt-F/openvpn/dh1024.pem #SAME AS ABOVE
server 10.8.0.0 255.255.255.0
keepalive 10 120
5. Copy S41openvpn file to /etc/init.d (contents shown below)
###### S41openvpn #######
# create the device nodes before openvpn starts
initTunAndTap() {
    mkdir -p /dev/net
    mknod /dev/net/tun c 10 200
    mknod /dev/net/tap c 10 200
    chmod 600 /dev/net/tun
    chmod 600 /dev/net/tap
}
. $(dirname $0)/common
case "$1" in
start) initTunAndTap; start $NAME -- $OPENVPN_OPTS ;;
stop) stop $NAME ;;
restart) restart $NAME ;;
esac
6. rcopenvpn start #Should result in something similar to below
Sun Feb 6 20:46:38 2005 OpenVPN 2.0_rc12 i686-suse-linux [SSL] [LZO]
[EPOLL] built on Feb 5 2005
Sun Feb 6 20:46:38 2005 Diffie-Hellman initialized with 1024 bit key
Sun Feb 6 20:46:38 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0
ET:0 EL:0 ]
Sun Feb 6 20:46:38 2005 TUN/TAP device tun1 opened
Sun Feb 6 20:46:38 2005 /sbin/ifconfig tun1 10.8.0.1 pointopoint
10.8.0.2 mtu 1500
Sun Feb 6 20:46:38 2005 /sbin/route add -net 10.8.0.0 netmask
255.255.255.0 gw 10.8.0.2
Sun Feb 6 20:46:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42
EB:23 ET:0 EL:0 AF:3/1 ]
Sun Feb 6 20:46:38 2005 UDPv4 link local (bound): [undef]:1194
Sun Feb 6 20:46:38 2005 UDPv4 link remote: [undef]
Sun Feb 6 20:46:38 2005 MULTI: multi_init called, r=256 v=256
Sun Feb 6 20:46:38 2005 IFCONFIG POOL: base=10.8.0.4 size=62
Sun Feb 6 20:46:38 2005 IFCONFIG POOL LIST
Sun Feb 6 20:46:38 2005 Initialization Sequence Completed
|Re: Alt-F-0.1RC1 OpenVPN||Cam1878||10/18/11 4:10 PM|
Also, openvpn shows up in the services -> network list now.
I tested starting it from the browser and it works, mine now starts on
|Re: [Alt-F] Re: Alt-F-0.1RC1 OpenVPN||Joao Cardoso||10/18/11 4:50 PM|
I'm certain that I will need your help to create a GUI.
There are however some problems with your approach. You should not use the /Alt-F path in any circumstance.
|Re: Alt-F-0.1RC1 OpenVPN||Cam1878||10/18/11 4:55 PM|
I had actually just finished moving everything to /etc/openvpn as I
read the message. Everything is located there now.
|Re: Alt-F-0.1RC1 OpenVPN||Cam1878||10/18/11 6:34 PM|
I modified the server.conf file to use
server-bridge 192.168.0.1 255.255.255.0 192.168.0.XXX 192.168.0.YYY
server 10.8.0.0 255.255.255.0
Now the connected clients have IPs in the same subnet as my network.
It must be noted that the IP pool between XXX and YYY must be out of
the range of the DHCP server's IP pool.
I have yet to create an actual bridge between tap0 and eth0 though.
Once that is made the clients should be able to see the other side of
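
The pool constraint described in the post above can be checked mechanically. This is an added example, not part of the original post or of OpenVPN: it takes the four `server-bridge` arguments plus the DHCP server's range and reports whether the VPN pool sits inside the bridged subnet and clear of the DHCP pool. The function names and the DHCP range arguments are assumptions.

```sh
#!/bin/sh
# Added example. Function names are hypothetical; the DHCP range is whatever
# your LAN's DHCP server is configured to hand out.

# ip2int A.B.C.D -> prints the address as an integer; returns 1 if malformed.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*|0?*|????*) return 1 ;;   # empty, non-digit, leading 0, too long
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_bridge_pool GATEWAY NETMASK POOL_START POOL_END DHCP_START DHCP_END
# Prints one verdict: ok | reversed-pool | outside-subnet | overlaps-dhcp | bad-address
# Returns 0 for ok, 1 for a violated constraint, 2 for unparsable input.
check_bridge_pool() {
    gw=$(ip2int "$1") && mask=$(ip2int "$2") &&
    ps=$(ip2int "$3") && pe=$(ip2int "$4") &&
    ds=$(ip2int "$5") && de=$(ip2int "$6") || { echo bad-address; return 2; }
    net=$(( gw & mask ))
    if [ "$ps" -gt "$pe" ]; then
        echo reversed-pool; return 1
    fi
    # Both ends of the VPN pool must be in the same subnet as the bridge address.
    if [ $(( ps & mask )) -ne "$net" ] || [ $(( pe & mask )) -ne "$net" ]; then
        echo outside-subnet; return 1
    fi
    # Two closed ranges overlap when each one starts before the other ends.
    if [ "$ps" -le "$de" ] && [ "$pe" -ge "$ds" ]; then
        echo overlaps-dhcp; return 1
    fi
    echo ok
}

# check_conf_bridge CONF DHCP_START DHCP_END
# Reads the first "server-bridge" line from CONF and checks it.
check_conf_bridge() {
    set -- $(awk '$1 == "server-bridge" { print $2, $3, $4, $5; exit }' "$1") "$2" "$3"
    [ $# -eq 6 ] || { echo no-server-bridge; return 2; }
    check_bridge_pool "$@"
}
```
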
|Re: Alt-F-0.1RC1 OpenVPN||Cam1878||10/18/11 6:48 PM|
Is the package "bridge-utils" included in Alt-F?
I found the download link from linuxfoundation.org and it redirected
I don't know how to compile package files to install them on the
It's needed by the bridge-start script mentioned on this page:
From what it seems like, that script will need to be run at
initialization each time the NAS boots or the first time openvpn
|Re: Alt-F-0.1RC1 OpenVPN||João Cardoso||10/19/11 7:23 AM|
Not at the time you wrote :-)
I have now compiled and tested it (but it is not yet available at the
feed).
The problem is the 'bridge' kernel module, needed by the bridge-utils
package.
I compiled the kernel module and updated the kernel-modules package
(not yet available at the feed), but the RC1 kernel refuses to load
it.
I have to see what is happening, but initial tests show that the RC1
kernel will not be able to use it, I will have to release RC2.
For now you will have to use the routed mode.
There is one thing that I would like to have, user/pass only
authentication. From the HOWTO it seems to be possible, and I think it
is convenient, as you might not always have the client certificate
I was thinking to have three authentication methods: certificate only
(one certificate per client), certificate and user/pass (one
certificate for all clients), and user/pass only. What do you think
>That's pretty simple, I only hope that 'iptables' is not needed.
|Re: Alt-F-0.1RC1 OpenVPN||Cam1878||10/19/11 9:08 AM|
1. Certificate and key only will work as that is what I'm using
2. Certificate and user/pass is possible according to the how-to, it
doesn't seem too hard to set up
3. It is possible to use only user/pass, but according to the how to,
ca.crt will still be needed because the client needs to authenticate
the server when it connects.
From the How-to: "Note that client-cert-not-required will not obviate
the need for a server certificate, so a client connecting to a server
which uses client-cert-not-required may remove the cert and key
directives from the client configuration file, but not the ca
directive, because it is necessary for the client to verify the server
If you want you can enable this option, but you will still need a
specific file to connect.
I haven't found a way to disable the dual-authentication (client
authenticates server as well) feature.
|Re: [Alt-F] Re: Alt-F-0.1RC1 OpenVPN||João Cardoso||10/19/11 9:49 AM|
On Wednesday, October 19, 2011 17:08:05 Cam1878 wrote:
Have you tried to use a commercial VPN client to connect? Being limited to the
You see, I might be using a friend's laptop, with MS-W on it :-(
|Re: Alt-F-0.1RC1 OpenVPN||Cam1878||10/19/11 10:20 AM|
I'm not sure if you're able to use other clients, you'd have to google
it to find out.
If you want something more generic I know there were some threads on
the forum about trying to get a PPTP vpn server running.
This is the one they were trying to use: http://poptop.sourceforge.net/
It's an open source linux pptp server.
With that it would just be user/pass, and then you could use the built-
in windows or any other pptp client to connect. I know android devices
have integrated clients as well.
|Re: Alt-F-0.1RC1 OpenVPN||Cam1878||10/19/11 10:36 AM|
The easiest solution would be to use something like this:
And run the openvpn client off of a USB drive.
I would advise to use certificate and user/pass otherwise if anyone
managed to get a hold of your drive, they could log in to your network.
|Re: Alt-F-0.1RC1 OpenVPN||João Cardoso||10/20/11 11:53 AM|
Problem solved. Well, hacked...
Meanwhile I start looking for possible performance issues.
Everybody knows that ssh file transfer is slow, because of the SSL
encryption used by ssh.
What not everybody knows is that our little box has a hardware crypto
engine on it. Unused!
For the cryptsetup package, that encrypts physical partitions, I was
able to use the hw crypto engine, with a not so-so significative
performance improvement, "only" twice faster (but still 3-4 times
slower than a non-encrypted partition)
So, why not to use the hw crypto with SSL, benefiting both ssh and
Well, it is working, with some 23X performance improvement (on certain
No hardware acceleration:
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256 cbc      3058.84k     3380.65k     3508.31k     3550.09k
aes-128-cbc      3281.25k     4232.38k     4645.72k     4772.39k
With hardware acceleration:
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256 cbc      2973.93k     3384.96k     3510.27k     3538.26k
aes-128-cbc     12210.67k    28837.12k    25379.35k    49702.84k
The hw does not accelerate aes-256, but for aes-128 we have a 23 fold
speed improvement! Even for small block sizes, the improvement is
almost 4 times.
The next challenge is to see if I can fit this in the available flash
memory space. I doubt.
Or "release" a snapshot meanwhile, if you want to keep exploring
(helping me with) openvpn
|Re: Alt-F-0.1RC1 OpenVPN||Cam1878||10/20/11 3:08 PM|
Do you think there is any chance of including the pptp server in it as
well as an alternative to openvpn?
I've got a galaxy tab 10.1 that I am trying to connect but I can't get
openvpn to work on it (I'm getting the tun/tap error but the fix I had
doesn't work on android).
I was able to make a pptp connection to my laptop though.
If both openvpn and pptp were running it would allow a user/pass only
connection as well. I would say it's one of the most common types of
vpns, it would probably be worthwhile.
However we should keep trying to get openvpn working first before
another task is added on.
Also as a side question,
Do you know an alternate way of avoiding the tun/tap error? I'd really
like to try to fix it on my android
|unk...@googlegroups.com||10/21/11 6:09 AM||<This message has been deleted.>|
|Re: [Alt-F] Re: Alt-F-0.1RC1 OpenVPN||João Cardoso||10/21/11 8:45 AM|
On Friday, October 21, 2011 14:09:55 Cam1878 wrote:
> Wow...it really shows the benefits of having hardware acceleration.
> I tried the OpenVPN portable and it works fine, I just put a portable
> encryption program on my USB drive to secure the .conf, .crt, and .key
> Did you get a chance to look at the pptp server? Or would it be too
> much work for this release?
No, I haven't, still busy integrating cryptodev, kernel modules and openssl;
There is a difference between a demo prototype, glued together with wires and
Looks like you have to "root" your android first. I haven't done it yet to
> I tried looking at how the GUI works for some of the other services
Design a layout based on common needs would be possible:
-routing radiobutton | bridged radiobutton
and so on. Complete but not overwhelming. Ah, and write the help page :-)
I'm sure it will not be as simple and complete as I would like, it takes too
|Re: Alt-F-0.1RC1 OpenVPN||Cam1878||10/21/11 9:03 AM|
It is rooted.
I managed to get around the tun/tap error by doing insmod tun.ko
But now I have another error saying "Linux ifconfig failed: external
program fork failed" do you happen to know what that would mean?
Google wasn't very helpful
Oh well, I'll probably figure it out eventually.
As for the GUI, when the CA, server, and client keys are made, it runs
through a script setting parameters, I don't know how you would want
to show that on the webpage, it isn't as simple as just running a file.
The buttons for certificate/user-pass/others will have to edit
different lines in the .conf file, but that should be possible.
Another option is to have the ability of the webpage having a link to
"download" the client files and config to whoever is viewing it.
Otherwise it needs to be manually transferred.
There also needs to be options like setting the IP pool for the server
|Re: Alt-F-0.1RC1 OpenVPN||Cam1878||10/26/11 10:02 AM|
> No, I haven't, still busy integrating cryptodev, kernel modules and openssl;
Any ETA on an update or new release that includes the above packages?
I'd like to try testing out some of them.
|Re: Alt-F-0.1RC1 OpenVPN||João Cardoso||10/26/11 11:04 AM|
The Crypto Hardware Accelerator was a flop.
After installing Cryptodev and updating to openssl-1.0, so that all
ssl-enabled apps could use the crypto engine, it turns out that there
is a bug that avoids its usage on some cyphers/digests.
alg: hash: Test 6 failed for mv-hmac-sha1
So, the hardware crypto engine and ssl infrastructure is ready and
working, but can't be used with confidence.
Fortunately enough software can still be used as a fallback, so I will
restart openvpn work after finishing some open issues.
I will announce the snapshot and accompanying packages ASAP.
|Re: Alt-F-0.1RC1 OpenVPN||João Cardoso||4/13/12 8:30 AM|
Have you made any progress on openVPN, now that the bridge package and kernel module are available for RC2?
|Re: Alt-F-0.1RC1 OpenVPN||didier belin||10/13/12 1:15 PM|
openvpn works and with bridge it seems to work also. More tests on monday.
|Re: Alt-F-0.1RC1 OpenVPN||didier belin||12/12/12 5:29 AM|
bridge version works fine since 2 months.
No time for make scripts to run openvpn at startup time.
But if someone wants my configuration files...
|Re: Alt-F-0.1RC1 OpenVPN||João Cardoso||12/12/12 4:38 PM|
please do. But please explain your setup, as there are several possible setups.
|Re: Alt-F-0.1RC1 OpenVPN||didier belin||1/2/13 2:59 PM|
Sorry, I see your msg only now. I'll post my configuration with comments this WE.
|Re: Alt-F-0.1RC1 OpenVPN||medoc||10/15/13 11:19 AM|
what is the status of this?
I have managed to set up tun mode (TAP is not available via iOS:() and connect to the server remotely.
I was not able however to set up the network in a way that I reach the LAN from outside.
I use the default 10.... virtual IP for the VPN and 192.168.1. network for the LAN.
Can someone explain how to set up routing between the two in order to reach the internal network - not just the NAS - from outside?
|Re: Alt-F-0.1RC1 OpenVPN||Michael Mell||2/24/14 1:43 AM|
just wanted to mention that I got this working too. Using version 0.1RC3
It did need a little twiddling, since apparently the tun-device is not created by OpenVPN as it should be. To get around this I used the instructions in the link given by Cam1878: http://wiki.vpslink.com/TUN/TAP_device_with_OpenVPN_or_Hamachi
So supposing you have a working OpenVPN config file (which I had confirmed previously with a PC), the steps are (this is basically just a summary of the things mentioned in this thread):
1) install the Alt-F openvpn package
2) load the tun module: >> modprobe tun
3) create the tunnel device (from link above):
>> mkdir -p /dev/net
>> ls /dev/net # confirm it's working (see link)
>> mknod /dev/net/tun c 10 200
>> chmod 600 /dev/net/tun
4) start OpenVPN:
>> openvpn --config client.conf
If the tun-device is not created manually, then OpenVPN will initialize fine (given a correct config), but will fail when creating the tun-device with the message:
Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
ifconfig: SIOCSIFADDR: No such device
Linux ifconfig failed: external program exited with error status: 1
It would be nice, if we could work out, why OpenVPN can't create the tun-device by itself, as it usually should.
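
An idempotent form of the device-node step summarized in the post above, as an added example that is not part of the original posts or of Alt-F: it classifies `/dev/net/tun` before touching it, creates it only when it is missing, and refuses to overwrite anything unexpected at that path. The function names are assumptions; the 10/200 device numbers and the 600 mode are the ones used in the thread.

```sh
#!/bin/sh
# Added example (not Alt-F code). Function names are hypothetical.
# 10/200 is the character-device number the thread uses for /dev/net/tun.
TUN_MAJOR=10
TUN_MINOR=200

# node_state PATH -> prints: missing | not-chardev | wrong-devnum | loose-mode | ok
node_state() {
    path=$1
    if [ ! -e "$path" ]; then echo missing; return 0; fi
    if [ ! -c "$path" ]; then echo not-chardev; return 0; fi
    # "ls -ln" fields on BusyBox and GNU: perms links uid gid "major," minor ...
    set -- $(ls -ln "$path")
    perms=$1
    major=${5%,}
    minor=$6
    if [ "$major" != "$TUN_MAJOR" ] || [ "$minor" != "$TUN_MINOR" ]; then
        echo wrong-devnum; return 0
    fi
    case $perms in
        c???------*) echo ok ;;          # no group/other access
        *)           echo loose-mode ;;
    esac
}

# ensure_tun_node [DEV_DIR] -> 0 if a usable node exists afterwards, 1 otherwise.
# Safe to call on every "start": it does nothing when the node is already fine.
ensure_tun_node() {
    dir=${1:-/dev/net}
    node=$dir/tun
    state=$(node_state "$node")
    case $state in
        ok)
            return 0 ;;
        missing)
            mkdir -p "$dir" &&
            mknod -m 600 "$node" c "$TUN_MAJOR" "$TUN_MINOR" || {
                echo "cannot create $node (are you root?)" >&2; return 1; } ;;
        loose-mode)
            chmod 600 "$node" || return 1 ;;
        *)
            echo "$node is $state; refusing to touch it" >&2
            return 1 ;;
    esac
    [ "$(node_state "$node")" = ok ]
}

# Does nothing unless asked, so the file can be sourced from an initscript.
case ${1:-} in
    --check) node_state /dev/net/tun ;;
    --apply) ensure_tun_node ;;
esac
```
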
|Re: Alt-F-0.1RC1 OpenVPN||João Cardoso||2/24/14 8:20 AM|
Can you please add the following line to the end of /etc/mdev.conf
and see if the devices are created at 'modprobe' time?
Does it also work for the 'tap' mode of operation, or does a /dev/net/tap device have to be explicitly created?
I still think that 'modprobe' should be performed by openvpn itself...
|Re: Alt-F-0.1RC1 OpenVPN||Michael Mell||2/26/14 5:21 AM|
So it took a while. But I can confirm that modifying /etc/mdev.conf as you stated and redoing modprobe solves it.
Now OpenVPN is able to create the tun as well as the tap devices, when initializing a connection.
Only question now is how to 'modprobe tun' by default and have OpenVPN run at start-up (and daemon mode to keep it alive), so that the connection is setup by default after restarting.
Edit: Forgot to mention. In my limited testing it also solves it for tap devices (I usually only use tun).
|Re: Alt-F-0.1RC1 OpenVPN||João Cardoso||2/26/14 9:16 AM|
Please try the attached initscript. In order for it to be persistent across reboots you must have Alt-F packages installed, 'ipkg' itself is enough.
Uncompress the file and put it under /etc/init.d/ and "openvpn" should appear under Services->Network. The script assumes that keys reside in /etc/openvpn. Is that sensible or customary? I don't know.
Also, in /etc/openvpn/server.conf you must add /etc/openvpn/ to the relevant keys:
At "stop" time 'modprobe -r' is executed, which is not failsafe, but I don't like to have unnecessary modules loaded.
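
The relative-path failure seen earlier in the thread (`Cannot open dh1024.pem for DH parameters`) and the instruction above to prefix `/etc/openvpn/` can both be checked before the daemon is started. This is an added example, not João's attached initscript or any Alt-F code: `lint_conf` and its output tags are hypothetical, and the private-key mode check is an extra hardening check that the thread does not discuss.

```sh
#!/bin/sh
# Added example (not the attached initscript). lint_conf and its tags are hypothetical.
# Usage: lint_conf CONF [CD_DIR]      CD_DIR mirrors "openvpn --cd CD_DIR".
# Prints one finding per line and returns 1 if there were any:
#   RELATIVE <directive> <value>  relative path with no --cd / "cd" to anchor it
#   MISSING <directive> <path>    file is not where OpenVPN will look for it
#   PERMS key <path>              private key accessible to group or others
lint_conf() {
    conf=$1
    base=${2:-}
    findings=0
    # A "cd" line inside the config has the same effect as --cd.
    [ -n "$base" ] || base=$(awk '$1 == "cd" { print $2; exit }' "$conf")

    # Strip "#" and ";" comments, then look only at the file-bearing directives.
    while read -r directive value rest; do
        case $directive in
            ca|cert|key|dh) ;;
            *) continue ;;
        esac
        case $value in
            /*) path=$value ;;
            *)  if [ -z "$base" ]; then
                    echo "RELATIVE $directive $value"
                    findings=$((findings + 1))
                    continue
                fi
                path=$base/$value ;;
        esac
        if [ ! -f "$path" ]; then
            echo "MISSING $directive $path"
            findings=$((findings + 1))
            continue
        fi
        if [ "$directive" = key ]; then
            # First field of "ls -lnL" is the mode string, e.g. -rw-------
            set -- $(ls -lnL "$path")
            case $1 in
                -???------*) ;;
                *) echo "PERMS key $path"; findings=$((findings + 1)) ;;
            esac
        fi
    done <<EOF
$(sed -e 's/[#;].*//' "$conf")
EOF
    [ "$findings" -eq 0 ]
}
```
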
|Re: Alt-F-0.1RC1 OpenVPN||Michael Mell||3/3/14 2:01 AM|
Ok. So I finally got around to trying this.
In principle the script works, but it's not optimal, since you make it hard-wired to the config file-name 'server.conf'.
In my case I am running openvpn on my NAS as the client of another server and aptly named the config-file 'client.conf'. I changed your script and remove the checks for the keys and then it worked nicely.
It gets problematic, if you have multiple config files, which can be the case if the NAS is a client and a server or a client to multiple VPNs.
I looked at the init-script of Raspbian on the Raspberry and they run openvpn for all config-files: /etc/openvpn/*.conf, which is perhaps what this script should also do. It would also require removing the checks for the config-files in /etc/openvpn/, which also aren't ideal, if for example you have server and client configs at the same time and would have the keys nicely separated in /etc/openvpn/server_keys and /etc/openvpn/client_keys.
But for the time being this script works perfectly for me. Just bringing in suggestions... :)
Thanks for all your hard work. Alt-F is really, really nice!
|Re: Alt-F-0.1RC1 OpenVPN||João Cardoso||3/6/14 11:21 AM|
Thanks. The attached script should cover all your suggestions.