
[newbie/2.0.9] Checking that OpenVPN is OK?

Posted: Fri Jan 07, 2011 3:55 pm
by Winfried
Hello

I've never used a VPN before and this is my first attempt at adding OpenVPN to an appliance running uClinux on a Blackfin CPU. The goal is to use an OpenVPN link to tunnel SIP traffic through locked-down firewalls.

According to the documentation, adding OpenVPN first requires patching the kernel source before generating a new image.

After rebooting with that new image, the next step is compiling an OpenVPN.

I have a couple of questions:
1. After rebooting with the new, OpenVPN-included image, how can I check that the kernel bits that deal with OpenVPN are OK? Some items under /dev? Some commands I can try to check?

2. Since a package is also needed, am I correct in assuming that an OpenVPN server also requires userland programs?

Thank you.

Re: [newbie/2.0.9] Checking that OpenVPN is OK?

Posted: Fri Jan 07, 2011 4:15 pm
by gladiatr72
Hello,

The purpose of recompiling your kernel probably has to do with including the tun/tap module. (see http://www.kernel.org/pub/linux/kernel/ ... tuntap.txt). If you are running some variety of udev or devfs, you'll see the node /dev/net/tun (10,200), otherwise, you'll need to create the device node yourself. As far as a command-line interface with the tun module, you'll only have such a beast if you have a relatively new version of iproute2. Apparently there was a patch that provides a command subtree called "tuntap", so if you get something besides 'Object "tuntap" is unknown, try "ip tuntap help"'. From there you would be able to use the ip utility to create unattached tun and tap devices. This version of iproute2 hasn't been included in any distros that I've encountered (so far), so don't be surprised if you receive the aforementioned error.

OpenVPN exists entirely in user land, so until you have done the c;m;m-i dance, you won't find anything openvpn specific on your device.

-Stephen

Re: [newbie/2.0.9] Checking that OpenVPN is OK?

Posted: Sat Jan 08, 2011 7:17 pm
by Winfried
Thanks Stephen for the info. After patching, rebuilding, and rebooting the new OpenVPN-capable uClinux kernel, there is indeed a /dev/net/tun character device. Next, I successfully compiled and installed the OpenVPN package, which only contains /bin/openvpn.

I'm reading through some online documentation, and I was wondering what to put as the client's remote address since it's dynamically set by the local DHCP server in the wifi hotspot?

Code:

dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
Thank you.

Re: [newbie/2.0.9] Checking that OpenVPN is OK?

Posted: Mon Jan 10, 2011 3:14 am
by gladiatr72
Actually, for the client configuration, you'll want to use the no-bind option. It is possible to serve additional vpn connections from an openvpn instance that is also a client, but in this situation, you'll want to just avoid opening the port.

-Stephen

Re: [newbie/2.0.9] Checking that OpenVPN is OK?

Posted: Mon Jan 10, 2011 5:32 pm
by Winfried
Thanks Stephen for the info.

I went through "Beginning OpenVPN 2.0.9" this afternoon, and Chapter 14 deals with how to connect to an OpenVPN server from a client connected to a public network.

To get started, I'd like to use a shared key instead of the whole enchilada (certificates + RSA keys). My ADSL router currently uses 192.168.0.0/24, and can only use 192.168/16 networks. Since this is a very common network number, I'll have to renumber my LAN so it's less likely to clash with public WLANs through which the clients will connect.

I have a few questions:

1. The uClinux appliance on which I installed OpenVPN only has /dev/net/tun: Can I just use this instead of TAP to connect to the appliance from a Windows host? The book says somewhere that Windows only supports TAP.

2. If anyone has a working example to do what I need (ie. TUN, shared key, Windows client connected to wifi hotspot), I'm interested :-)

Thanks for any help.
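A minimal static-key pair for the setup asked about above (TUN, shared key, Windows client on a wifi hotspot), added here as an example and not taken from the book or from anyone in the thread; the hostname vpn.example.com, port 1194 and the file names are placeholders, and the 10.8.0.1/10.8.0.2 endpoints are the ones already used in the thread:

```openvpn
# --- server.conf: runs on the uClinux appliance (static-key mode) ---
dev tun
proto udp
port 1194                     # the one port the home firewall must forward to the appliance
ifconfig 10.8.0.1 10.8.0.2    # local tunnel endpoint, then the peer's
secret static.key             # ASSUMED file name; generate once with: openvpn --genkey --secret static.key
                              # whoever holds this file can bring up the tunnel, so copy it over a trusted
                              # channel only and keep it unreadable to other users (chmod 600 on the appliance)
keepalive 10 60               # ping every 10 s, restart the tunnel after 60 s of silence (hotspot roaming)
persist-key
persist-tun
verb 3

# --- client.ovpn: Windows laptop behind a hotspot's DHCP/NAT ---
dev tun
proto udp
remote vpn.example.com 1194   # ASSUMED placeholder: the appliance's public address or DynDNS name
nobind                        # do not listen on a fixed local port; the hotspot-assigned address
                              # and a random source port are fine, the server replies to whatever NAT shows
ifconfig 10.8.0.2 10.8.0.1    # mirror image of the server's ifconfig line
secret static.key             # same file as on the server
keepalive 10 60
persist-key
persist-tun
verb 3
```

The client never has to know its own hotspot address: only the server's reachable address goes in `remote`, which is why `nobind` is the right answer to the earlier question. On Windows, `dev tun` is carried by the TAP-Windows adapter in its point-to-point emulation, which is why the two endpoints above must stay inside a single /30 as they do here.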