After installing the geminiopenvpn Plugin you have an OpenVPN Server or Client which is easy to configure. The plugin uses certificates (Server-Multi-Client). The connection on the OpenVPN Server is made over an encrypted TLS connection.

For connections the OpenVPN Server Plugin creates a virtual network interface (tap0), which is connected over a network bridge (br0) with the internal network adapter (eth0) of the Dreambox. One or more OpenVPN clients get an IP adress of the internal network and can access all availiable services without additional routing.

The mode used by OpenVPN is Bridging. With this mode the Broadcasts are forwarded without any problem. Same for network protocols like IPv4, IPv6, Netalk, IPX, ...

Requirements for using OpenVPN

• OE2.0 image with GP3.2 Plugin.
• OpenVPN Plugin must be installed, configured and started.
• The OpenVPN Server supports only a cabled network (no Wlan).
• Portforwarding on the router to the Dreambox (Port 1194/UDP).
• For reaching the Server you need to know your WAN IP, or use a DDNS Service (e.g. No-IP).
• For access you need to create certificates for each client.
• OpenVPN needs to be installed on clients. Protocols like IPSec, IKE, PPTP, or L2TP are not supported.
• Server Lan and Client Lan must be different.

Back to table of contents

OpenVPN Server

Install the OpenVPN Plugin via BluePanel and configure the Server as described. After rebooting you find the OpenVPN Server (and client) in the BluePanel. It's also possible to install the plguin over the console with the following command:

opkg update && opkg install geminiopenvpn

Back to table of contents

Create Root Certificate

root Zertifikat - Skin Beispiel: gp-skin-dmconcinnity-mod

Now we create the keys and certificates for the Certificate Authority (CA). Open the OpenVPN Server Plugin and push the [green] button for certificates.

Choose root-certificate and change the settings as described in the list. For all parameters only letters and numbers can be used.

Save the settings with the [green] button. The corresponding files will be created and saved in the directory /etc/ssl/openvpn.

Back to table of contents

Create Server Certificate

Server Zertifikat

Open the OpenVPN Server Plugin and push the [green] button for certificates. Push again the [green] button and choose as type the setting Server and change the settings as described in the list.

Save the settings with the [green] button to create the certificates. You will be prompted to enter the password (which was entered while creating the root certificate). When a wrong password is entered the following error message is displayed: can't generate certificate.

When the correct password is entered the certificates, keys and the Diffie-Hellman parameters are created. This can take some minutes (up to 30 min), the status is displayed in the plugin. The plugin can be closed while the creation is in progress, the process continues in background.

Back to table of contents

Create Client Certificate(s)

Klient Zertifikat

Open the OpenVPN Server Plugin and push the [green] button for certificates. Push again the [green] button and choose as type the setting Client and change the settings as described in the list.

Save the settings with the [green] button to create the certificates. You will be prompted to enter the password (which was entered while creating the root certificate). When a wrong password is entered the following error message is displayed: can't generate certificate.

When the correct password is entered the cleint certificate, key and config file can be found in the following directory:

/etc/ssl/openvpn

These files (three files for each client) will be used later on the OpenVPN clients to set up a connection with the server. The needed files look like follows, e.g. if the entered name was 7020hd. In addition to the three files every client needs the Root Certificate (vpn-ca.pem).

Overview of the configuration

The created configurations can be displayed with the [green] button (certificates) in the OpenVPN Server Plugin. The example shows the configuration for a root certificate, Server settings and the configuration of two clients, with the names htc and 7020hd.

Back to table of contents

Settings

OpenVPN Einstellungen

Open the OpenVPN Server Plugin in the BluePanel under the daemons. Now we check first the settings, before starting the OpenVPN Server. Push the [blue] button and choose the point [Settings]. Use the following list for the descriptions and modify if requires. The network settings should be taken from the Dreambox and should only be changed in rare occasions.

Save the settings with the [green] button. After saving the settings the OpenVPN Server is started automatically. The OpenVPN Server will also be started automatically after restarting the Dreambox, when a config file and certificates are available.

Restart the Dreambox The OpenVPN Server will also be started automatically after restarting the Dreambox, when a config file and certificates are available.

Back to table of contents

OpenVPN Log File

OpenVPN Server starten

Informations about the status of the OpenVPN server can be displayed with the [red] button (Log file). The example shows the OpenVPN server was started succesfull with two connected clients.

The log file can also be displayed in the terminal with the following command:

cat /var/log/openvpn.log

Back to table of contents

Overview of connections

The OpenVPN Server Plugin controls regularly if clients are connected and shows the connections as in the image Active connections. In this example two clients are connected, with the name htc and 7020hd.

Back to table of contents

Block certificate(s)

Zertifikat abgelaufen

Certificates can be blocked, when you want to deny access from a client. Blocking is done over the [red] button, when the menu of the certificates is opened. Blocked client certificates are displayed as expired. For blockin the correct passwort (which was used for creating the root certificate) needs to be entered.

Blocking certificates blocked certificates can not be reactivated. They need to be recreated!

Back to table of contents

OpenVPN Server - Menu button

OpenVPN Server starten

Open the OpenVPN Server Plugin and push the [blue] button of the remote control. The functions are described in the following list.

Back to table of contents

Delete certificates

Certificates can not be deleted in the OpenVPN Server Plugin. The files need to be deleted manually in the directory:

/etc/openvpn/ssl

Back to table of contents

OpenVPN Client

There are many different OpenVPN Frontends, for different operation systems, to connect with a OpenVPN Server. The following points describe the configuration of the OpenVPN client on a Dreambox (with the GP3.2 Plugin) and an Android based Smartphone.

Dreambox as client

When configuring the OpenVPN clients you need to copy the 4 files created on the server before in the directory of the client:

/etc/openvpn

Once mor the list of the required 4 filesfor the OpenVPN client. The xxx stands for the name which was given for the client.

• xxx-cert.pem
• xxx.pem
• xxx.ovpn
• vpn-ca.pem

Back to table of contents

Edit config file

Before setting up a connection the config file (*.ovpn) needs to be edited. The line remote needs to be completed with the IP adress or the host adress and the correct port. the config could be similar to the example, when the access uses the host name webaccess.dyndns.tv via port 1194.

.
.
# example 'remote foobar.org 1194'
# example 'remote 97.123.100.236 1194'
remote webaccess.dyndns.tv 1194

resolv-retry infinite
nobind
persist-key
persist-tun
.
.

Back to table of contents

Make connection

Dreambox Client - Skin Beispiel: gp-skin-swan-black

Open the OpenVPN Client Plugin in the BluePanel under Daemons. In the Plugin a line (not connected) appears, when the config files were copied in the correct directory (/etc/openvpn).

Start the connection with the OpenVPN Server with the [OK] button. If everything starts the status connectd is displayed in the OpenVPN Client Plugin. Disconnecting is possible by pressing the [OK] button again.

Connection after reboot The connection is restored automatically after a reboot of the Dreambox, if a config file (*.ovpn) is availiable in /etc/openvpn.

Back to table of contents

Android Smartphone als Klient

Beispiel - OpenVPN settings Android

Das Bild zeigt ein Beispiel von einem Android basierenden Smartphone, welches mit der Dreambox verbunden ist. Als App wird OpenVPN settings eingesetzt, um die Verbindung zum Server zu starten. Beachtet, dass das Gerät gerootet sein muss, um OpenVPN zu nutzen. Weiters wird der tun/tap Treiber, die Busybox und OpenVPN benötigt. Bei vielen Custom-Roms sind diese Abhängigkeiten schon in der Firmware integriert.

Die Konfigurationsdatei (*.opvn) muss korrekt angepasst werden mit dem Remoteserver und dem entsprechenden Port ergänzt werden. Kopiert anschliessend die Klient Dateien auf die SD-Karte, z.B. in einen erstellten Ordner openvpn. Jetzt müsst ihr nur noch die OpenVPN settings App anpassen (z.B. Pfad zu Konfiguration, Zertifikaten) und der Tunnel auf den OpenVPN Server kann gestartet werden.

Zurück zum Inhaltsverzeichnis

Support thread

If you need help with OpenVPN, follow the link ;)

geminiopenvpn

Back to overview: Gemini-Wiki:English Portal or Mainpage