GP3.2 OpenVPN (en): Unterschied zwischen den Versionen

Aus Gemini-Wiki
Zur Navigation springen Zur Suche springen
K
Zeile 1: Zeile 1:
 
[[Kategorie:Index]]
 
[[Kategorie:Index]]
[[Kategorie:FAQ und Anleitungen]]
+
[[Kategorie:FAQ and instructions]]  
[[Kategorie:Grundlagen]]
+
[[Kategorie:Basis knowledge]]  
 
{|width="40%"
 
{|width="40%"
 
  |[[Bild:deutsch.png]] - [[GP3.2 OpenVPN|in Deutsch]]
 
  |[[Bild:deutsch.png]] - [[GP3.2 OpenVPN|in Deutsch]]
Zeile 8: Zeile 8:
 
{|width=99%
 
{|width=99%
 
<div style="margin: 0; margin-right:10px; border: 1px solid #dfdfdf; padding: 1em 1em 1em;  background-color:#F8F8FF; align:right;">[[Bild:Artikel_Hinweis.png|right|40px|The Gemini Project]]
 
<div style="margin: 0; margin-right:10px; border: 1px solid #dfdfdf; padding: 1em 1em 1em;  background-color:#F8F8FF; align:right;">[[Bild:Artikel_Hinweis.png|right|40px|The Gemini Project]]
=== UNDER CONSTRUCTION -Configure OpenVPN Server and client ===
+
=== Configure OpenVPN Server and client ===
 
</div>
 
</div>
 
|-
 
|-
Zeile 18: Zeile 18:
 
After installing the '''geminiopenvpn''' Plugin you have an [http://en.wikipedia.org/wiki/OpenVPN OpenVPN] Server or Client which is easy to configure. The plugin uses [http://en.wikipedia.org/wiki/Public_key_certificate certificates] (Server-Multi-Client). The connection on the OpenVPN Server is made over an encrypted [http://en.wikipedia.org/wiki/Transport_Layer_Security TLS] connection.  
 
After installing the '''geminiopenvpn''' Plugin you have an [http://en.wikipedia.org/wiki/OpenVPN OpenVPN] Server or Client which is easy to configure. The plugin uses [http://en.wikipedia.org/wiki/Public_key_certificate certificates] (Server-Multi-Client). The connection on the OpenVPN Server is made over an encrypted [http://en.wikipedia.org/wiki/Transport_Layer_Security TLS] connection.  
  
For connections the OpenVPN Server Plugin creates a virtual network interface (tap0), which is connected over a network bridge (br0) with the internal network adapter (eth0) of the Dreambox. One or more OpenVPN clients get an IP adress of the internal network and can access all availiable services without additional routing.  
+
For connections the OpenVPN Server Plugin creates a virtual network interface (tap0), which is connected over a network bridge (br0) with the internal network adapter (eth0) of the Dreambox. One or more OpenVPN clients get an IP address of the internal network and can access all available services without additional routing.  
  
 
The mode used by OpenVPN is [http://en.wikipedia.org/wiki/OpenVPN#Bridging Bridging]. With this mode the [http://en.wikipedia.org/wiki/Broadcast Broadcasts] are forwarded without any problem.  Same for network protocols like IPv4, IPv6, Netalk, IPX, ...
 
The mode used by OpenVPN is [http://en.wikipedia.org/wiki/OpenVPN#Bridging Bridging]. With this mode the [http://en.wikipedia.org/wiki/Broadcast Broadcasts] are forwarded without any problem.  Same for network protocols like IPv4, IPv6, Netalk, IPX, ...
Zeile 36: Zeile 36:
  
 
Back to [[#top | table of contents]]
 
Back to [[#top | table of contents]]
 +
  
 
= OpenVPN Server =
 
= OpenVPN Server =
Zeile 48: Zeile 49:
  
 
== Create Root Certificate ==
 
== Create Root Certificate ==
[[Bild:GP3 OpenVPN root Zertifikat.png|thumb|none|root Zertifikat - Skin Beispiel: gp-skin-dmconcinnity-mod|480px]]
+
[[Bild:GP3 OpenVPN root Zertifikat.png|thumb|none|root certificate - Skin example: gp-skin-dmconcinnity-mod|480px]]
  
 
Now we create the keys and certificates for the [http://en.wikipedia.org/wiki/Zertifizierungsstelle Certificate Authority] (CA). Open the '''OpenVPN Server''' Plugin and push the '''[green]''' button for certificates.
 
Now we create the keys and certificates for the [http://en.wikipedia.org/wiki/Zertifizierungsstelle Certificate Authority] (CA). Open the '''OpenVPN Server''' Plugin and push the '''[green]''' button for certificates.
Zeile 59: Zeile 60:
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#FFFFFF"
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#FFFFFF"
 
| width="70px" | '''Password'''
 
| width="70px" | '''Password'''
| width="600px" | Enter a Password. Memorize the password, you will need the password for creating Server and Client certificates or for blocking a certifikate.
+
| width="600px" | Enter a Password. Memorize the password, you will need the password for creating Server and Client certificates or for blocking a certificate.
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#FFFFFF"
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#FFFFFF"
 
| width="70px" | '''valid for x years'''
 
| width="70px" | '''valid for x years'''
Zeile 78: Zeile 79:
  
 
Save the settings with the '''[green]''' button. The corresponding files will be created and saved in the directory /etc/ssl/openvpn.
 
Save the settings with the '''[green]''' button. The corresponding files will be created and saved in the directory /etc/ssl/openvpn.
 +
  
 
Back to [[#top | table of contents]]
 
Back to [[#top | table of contents]]
Zeile 83: Zeile 85:
  
 
== Create Server Certificate ==
 
== Create Server Certificate ==
[[Bild:GP3 OpenVPN Server Zertifikat.png|thumb|none|Server Zertifikat|480px]]
+
[[Bild:GP3 OpenVPN Server Zertifikat.png|thumb|none|Server certificate|480px]]
  
 
Open the '''OpenVPN Server''' Plugin and push the '''[green]''' button for certificates. Push again the '''[green]''' button and choose as type the setting '''Server''' and change the settings as described in the list.
 
Open the '''OpenVPN Server''' Plugin and push the '''[green]''' button for certificates. Push again the '''[green]''' button and choose as type the setting '''Server''' and change the settings as described in the list.
Zeile 104: Zeile 106:
  
 
== Create Client Certificate(s) ==
 
== Create Client Certificate(s) ==
[[Bild:GP3 OpenVPN Klient Zertifikat.png|thumb|none|Klient Zertifikat|480px]]
+
[[Bild:GP3 OpenVPN Klient Zertifikat.png|thumb|none|Client certificate|480px]]
  
 
Open the '''OpenVPN Server''' Plugin and push the '''[green]''' button for certificates. Push again the '''[green]''' button and choose as type the setting '''Client''' and change the settings as described in the list.
 
Open the '''OpenVPN Server''' Plugin and push the '''[green]''' button for certificates. Push again the '''[green]''' button and choose as type the setting '''Client''' and change the settings as described in the list.
Zeile 122: Zeile 124:
 
Save the settings with the '''[green]''' button to create the certificates. You will be prompted to enter the password (which was entered while creating the '''root certificate'''). When a wrong password is entered the following error message is displayed: '''can't generate certificate'''.
 
Save the settings with the '''[green]''' button to create the certificates. You will be prompted to enter the password (which was entered while creating the '''root certificate'''). When a wrong password is entered the following error message is displayed: '''can't generate certificate'''.
  
When the correct password is entered the cleint certificate, key and config file can be found in the following directory:
+
When the correct password is entered the client certificate, key and configuration file can be found in the following directory:
  
 
  /etc/ssl/openvpn
 
  /etc/ssl/openvpn
Zeile 139: Zeile 141:
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#FFFFFF"
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#FFFFFF"
 
| width="70px" | '''7020hd.ovpn'''
 
| width="70px" | '''7020hd.ovpn'''
| width="600px" | Config file for the client.  
+
| width="600px" | Configuration file for the client.  
 
If multiple certificates for multiple clients are created, every name needs to be  '''different'''.
 
If multiple certificates for multiple clients are created, every name needs to be  '''different'''.
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#F0F0F0"
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#F0F0F0"
Zeile 145: Zeile 147:
 
| width="600px" | The Root Certificate.
 
| width="600px" | The Root Certificate.
 
|}
 
|}
 +
 +
 +
Back to [[#top | table of contents]]
 +
  
 
== Overview of the configuration ==
 
== Overview of the configuration ==
[[Bild:GP3 OpenVPN Konfigurationsübersicht.png|thumb|none|Konfigurationsübersicht|480px]]
+
[[Bild:GP3 OpenVPN Konfigurationsübersicht.png|thumb|none|Overview of the configuration|480px]]
  
 
The created configurations can be displayed with the '''[green]''' button (certificates) in the  OpenVPN Server Plugin.  The example shows the configuration for a root certificate, Server settings and the configuration of two clients, with the names htc and 7020hd.  
 
The created configurations can be displayed with the '''[green]''' button (certificates) in the  OpenVPN Server Plugin.  The example shows the configuration for a root certificate, Server settings and the configuration of two clients, with the names htc and 7020hd.  
Zeile 153: Zeile 159:
  
 
Back to [[#top | table of contents]]
 
Back to [[#top | table of contents]]
 +
  
 
== Settings ==
 
== Settings ==
[[Bild:GP3 OpenVPN Einstellungen.png|thumb|none|OpenVPN Einstellungen|480px]]
+
[[Bild:GP3 OpenVPN Einstellungen.png|thumb|none|OpenVPN settings|480px]]
  
 
Open the '''OpenVPN Server''' Plugin in the BluePanel under the daemons. Now we check first the settings, before starting the OpenVPN Server. Push the '''[blue]''' button and choose the point '''[Settings]'''. Use the following list for the descriptions and modify if requires. The network settings should be taken from the Dreambox and should '''only''' be changed in rare occasions.
 
Open the '''OpenVPN Server''' Plugin in the BluePanel under the daemons. Now we check first the settings, before starting the OpenVPN Server. Push the '''[blue]''' button and choose the point '''[Settings]'''. Use the following list for the descriptions and modify if requires. The network settings should be taken from the Dreambox and should '''only''' be changed in rare occasions.
Zeile 167: Zeile 174:
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#FFFFFF"
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#FFFFFF"
 
| width="70px" | '''first client IP'''
 
| width="70px" | '''first client IP'''
| width="600px" | From this IP adress on the IP's are assigned to the clients. '''Attention''' make sure this range is not overlapping with the dhcp server of the network!
+
| width="600px" | From this IP address on the IP's are assigned to the clients. '''Attention''' make sure this range is not overlapping with the dhcp server of the network!
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#F0F0F0"
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#F0F0F0"
 
| width="70px" | '''IP eth0'''
 
| width="70px" | '''IP eth0'''
| width="600px" | The IP Adress of the Dreambox for the lan interface (eth0). This adress is only used for the network bridge (br0).  
+
| width="600px" | The IP Adress of the Dreambox for the lan interface (eth0). This address is only used for the network bridge (br0).  
  
Keep in mind the local network card has no IP adress in this mode, don't panic when checking the network adapter with '''ifconfig'''.
+
Keep in mind the local network card has no IP address in this mode, don't panic when checking the network adapter with '''ifconfig'''.
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#F0F0F0"
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#F0F0F0"
 
| width="70px" | '''Netzmaske eth0'''
 
| width="70px" | '''Netzmaske eth0'''
Zeile 178: Zeile 185:
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#F0F0F0"
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#F0F0F0"
 
| width="70px" | '''Broadcast eth0'''
 
| width="70px" | '''Broadcast eth0'''
| width="600px" | Enter the broadcast adress of the local network.
+
| width="600px" | Enter the broadcast address of the local network.
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#F0F0F0"
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#F0F0F0"
 
| width="70px" | '''IP Router Gateway'''
 
| width="70px" | '''IP Router Gateway'''
| width="600px" | Enter the IP adress of the routers.
+
| width="600px" | Enter the IP address of the routers.
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#FFFFFF"
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#FFFFFF"
 
| width="70px" | '''Log File'''
 
| width="70px" | '''Log File'''
Zeile 187: Zeile 194:
 
|}
 
|}
  
Save the settings with the '''[green]''' button. After saving the settings the OpenVPN Server is started automatically. The OpenVPN Server will also be started automatically after restarting the Dreambox, when a config file and certificates are available.
+
Save the settings with the '''[green]''' button. After saving the settings the OpenVPN Server is started automatically. The OpenVPN Server will also be started automatically after restarting the Dreambox, when a configuration file and certificates are available.
  
{{Hinweis|'''Restart the Dreambox'''<br/>The OpenVPN Server will also be started '''automatically''' after restarting the Dreambox, when a config file and certificates are available.}}
+
{{Hinweis|'''Restart the Dreambox'''<br/>The OpenVPN Server will also be started '''automatically''' after restarting the Dreambox, when a configuration file and certificates are available.}}
  
  
Zeile 195: Zeile 202:
  
 
== OpenVPN Log File ==
 
== OpenVPN Log File ==
[[Bild:GP3 OpenVPN Logdatei.png|thumb|none|OpenVPN Server starten|620px]]
+
[[Bild:GP3 OpenVPN Logdatei.png|thumb|none|Log file|620px]]
  
Informations about the status of the OpenVPN server can be displayed with the '''[red]''' button (Log file). The example shows the OpenVPN server was started succesfull with two connected clients.
+
Informations about the status of the OpenVPN server can be displayed with the '''[red]''' button (Log file). The example shows the OpenVPN server was started successful with two connected clients.
  
 
The log file can also be displayed in the terminal with the following command:
 
The log file can also be displayed in the terminal with the following command:
Zeile 205: Zeile 212:
  
 
Back to [[#top | table of contents]]
 
Back to [[#top | table of contents]]
 +
  
 
== Overview of connections ==
 
== Overview of connections ==
[[Bild:GP3 OpenVPN Verbindungsübersicht.png|thumb|none|Aktive Verbindungen|480px]]
+
[[Bild:GP3 OpenVPN Verbindungsübersicht.png|thumb|none|Active connections|480px]]
  
 
The OpenVPN Server Plugin controls regularly if clients are connected and shows the connections as in the image '''Active connections'''. In this example two clients are connected, with the name htc and 7020hd.
 
The OpenVPN Server Plugin controls regularly if clients are connected and shows the connections as in the image '''Active connections'''. In this example two clients are connected, with the name htc and 7020hd.
Zeile 213: Zeile 221:
  
 
Back to [[#top | table of contents]]
 
Back to [[#top | table of contents]]
 +
  
 
== Block certificate(s) ==
 
== Block certificate(s) ==
[[Bild:GP3 OpenVPN Klient sperren.png|thumb|none|Zertifikat abgelaufen|480px]]
+
[[Bild:GP3 OpenVPN Klient sperren.png|thumb|none|Expired certificate|480px]]
 
 
Certificates can be blocked, when you want to deny access from a client. Blocking is done over the '''[red]''' button, when the menu of the certificates is opened. Blocked client certificates are displayed as '''expired'''. For blockin the correct passwort (which was used for creating the root certificate) needs to be entered.
 
  
 +
Certificates can be blocked, when you want to deny access from a client. Blocking is done over the '''[red]''' button, when the menu of the certificates is opened. Blocked client certificates are displayed as '''expired'''. For blocking the correct password (which was used for creating the root certificate) needs to be entered.
  
 
{{Achtung|1='''Blocking certificates'''<br/>blocked certificates can '''not''' be reactivated. They need to be '''recreated'''!}}
 
{{Achtung|1='''Blocking certificates'''<br/>blocked certificates can '''not''' be reactivated. They need to be '''recreated'''!}}
Zeile 224: Zeile 232:
  
 
Back to [[#top | table of contents]]
 
Back to [[#top | table of contents]]
 +
  
 
== OpenVPN Server - Menu button ==
 
== OpenVPN Server - Menu button ==
[[Bild:GP3 OpenVPN Server starten.png|thumb|none|OpenVPN Server starten|300px]]
+
[[Bild:GP3 OpenVPN Server starten.png|thumb|none|Menu button|300px]]
  
 
Open the OpenVPN Server Plugin and push the '''[blue]''' button of the remote control. The functions are described in the following list.
 
Open the OpenVPN Server Plugin and push the '''[blue]''' button of the remote control. The functions are described in the following list.
Zeile 235: Zeile 244:
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#FFFFFF"
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#FFFFFF"
 
| width="70px" | '''start / stop openvpn'''
 
| width="70px" | '''start / stop openvpn'''
| width="600px" | With this entry you can stop/start the OpenVPN Serven manually.
+
| width="600px" | With this entry you can stop/start the OpenVPN server manually.
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#FFFFFF"
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#FFFFFF"
 
| width="70px" | '''show 'Routes''''
 
| width="70px" | '''show 'Routes''''
| width="600px" | Shows [http://en.wikipedia.org/wiki/Routing Routing] informations of the netzwork bridge (br0).
+
| width="600px" | Shows [http://en.wikipedia.org/wiki/Routing Routing] informations of the network bridge (br0).
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#FFFFFF"
 
|- style="text-align:center; margin:1em 1em 1em 0; background:#FFFFFF"
 
| width="70px" | '''Settings'''
 
| width="70px" | '''Settings'''
| width="600px" | Settings for the OpenVPN Server.  
+
| width="600px" | Settings for the OpenVPN server.  
 
|}
 
|}
  
  
 
Back to [[#top | table of contents]]
 
Back to [[#top | table of contents]]
 +
  
 
== Delete certificates ==
 
== Delete certificates ==
Zeile 255: Zeile 265:
  
 
Back to [[#top | table of contents]]
 
Back to [[#top | table of contents]]
 +
  
 
= OpenVPN Client =
 
= OpenVPN Client =
Zeile 267: Zeile 278:
 
  /etc/openvpn
 
  /etc/openvpn
  
Once mor the list of the required 4 filesfor the OpenVPN client. The xxx stands for the name which was given for the client.
+
Once more the list of the required 4 files for the OpenVPN client. The xxx stands for the name which was given for the client.
  
 
* xxx-cert.pem  
 
* xxx-cert.pem  
Zeile 278: Zeile 289:
  
  
=== Edit config file ===
+
=== Edit configuration file ===
  
Before setting up a connection the config file (*.ovpn) needs to be edited. The line '''remote''' needs to be completed with the IP adress or the host adress and the correct port. the config could be similar to the example, when the access uses the host name webaccess.dyndns.tv via port 1194.
+
Before setting up a connection the configuration file (*.ovpn) needs to be edited. The line '''remote''' needs to be completed with the IP address or the host address and the correct port. the configuration could be similar to the example, when the access uses the host name webaccess.dyndns.tv via port 1194.
  
 
  .
 
  .
Zeile 297: Zeile 308:
  
 
Back to [[#top | table of contents]]
 
Back to [[#top | table of contents]]
 +
  
 
=== Make connection ===
 
=== Make connection ===
[[Bild:GP3 OpenVPN Klient Dreambox.png|thumb|none|Dreambox Client - Skin Beispiel: gp-skin-swan-black|480px]]
+
[[Bild:GP3 OpenVPN Klient Dreambox.png|thumb|none|Dreambox Client - Skin example: gp-skin-swan-black|480px]]
  
Open the '''OpenVPN Client''' Plugin in the BluePanel under Daemons. In the Plugin a line (not connected) appears, when the config files were copied in the correct directory (/etc/openvpn).  
+
Open the '''OpenVPN Client''' Plugin in the BluePanel under Daemons. In the Plugin a line (not connected) appears, when the configuration files were copied in the correct directory (/etc/openvpn).  
  
Start the connection with the OpenVPN Server with the '''[OK]''' button. If everything starts the status '''connectd''' is displayed in the OpenVPN Client Plugin. Disconnecting is possible by pressing the '''[OK]''' button again.
+
Start the connection with the OpenVPN Server with the '''[OK]''' button. If everything starts the status '''connected''' is displayed in the OpenVPN Client Plugin. Disconnecting is possible by pressing the '''[OK]''' button again.
  
{{Hinweis|'''Connection after reboot'''<br/>The connection is restored '''automatically''' after a reboot of the Dreambox, if a config file (*.ovpn) is availiable in /etc/openvpn.}}
+
{{Hinweis|'''Connection after reboot'''<br/>The connection is restored '''automatically''' after a reboot of the Dreambox, if a config file (*.ovpn) is available in /etc/openvpn.}}
  
  
 
Back to [[#top | table of contents]]
 
Back to [[#top | table of contents]]
 +
  
 
== Android Smartphone as client ==
 
== Android Smartphone as client ==
[[Bild:GP3 OpenVPN Klient Android.png|thumb|none|Beispiel - OpenVPN settings Android|280px]]
+
[[Bild:GP3 OpenVPN Klient Android.png|thumb|none|Example - OpenVPN settings Android|280px]]
 +
 
 +
The image shows an example of an Android based Smartphone, which is connected with the Dreambox. As App is used [http://code.google.com/p/android-openvpn-settings/ OpenVPN settings] to connect with the Server. Keep in mind the Smartphone needs to be rooted to use OpenVPN. Additional the tun/tap driver, the Busybox and [https://play.google.com/store/apps/details?id=de.schaeuffelhut.android.openvpn.installer&feature=related_apps#?t=W251bGwsMSwxLDEwOSwiZGUuc2NoYWV1ZmZlbGh1dC5hbmRyb2lkLm9wZW52cG4uaW5zdGFsbGVyIl0. OpenVPN] is required. With many [http://en.wikipedia.org/wiki/Custom-Rom Custom-Roms] these requirements are already integrated in the Firmware.
  
The imageshows an example of an Android based Smartphone, which is connected with the Dreambox. As App is used [http://code.google.com/p/android-openvpn-settings/ OpenVPN settings] to connect with the Server. Keep in mind the Smartphone needs to be rootet to use OpenVPN. Additional the tun/tap driver, the Busybox and [https://play.google.com/store/apps/details?id=de.schaeuffelhut.android.openvpn.installer&feature=related_apps#?t=W251bGwsMSwxLDEwOSwiZGUuc2NoYWV1ZmZlbGh1dC5hbmRyb2lkLm9wZW52cG4uaW5zdGFsbGVyIl0. OpenVPN] is required. With many [http://en.wikipedia.org/wiki/Custom-Rom Custom-Roms] these requirements are already integrated in the Firmware.
+
The config file (*.opvn) needs to be edited with the correct server and port. Copy the client files on the SD card, e.g. in a directory openvpn. Now you need to adapt the OpenVPN App (e.g. path to the configuration, certificates) and the tunnel on the OpenVPN Server can be started.
  
The config file (*.opvn) needs to be edited with the correct server and port. Copy the client files on the SD card, e.g. in a directory openvpn. Now you need to adapt the OpenVPN App (e.g. path to the config, certificates) and the tunnel on the OpenVPN Server can be started.
 
  
 +
Back to [[#top | table of contents]]
  
Zurück zum [[#top | Inhaltsverzeichnis]]
 
  
 
= Support thread =
 
= Support thread =

Version vom 16. September 2012, 21:07 Uhr

Deutsch.png - in Deutsch English.png - in English
The Gemini Project

Configure OpenVPN Server and client

100px

After installing the geminiopenvpn Plugin you have an OpenVPN Server or Client which is easy to configure. The plugin uses certificates (Server-Multi-Client). The connection on the OpenVPN Server is made over an encrypted TLS connection.

For connections the OpenVPN Server Plugin creates a virtual network interface (tap0), which is connected over a network bridge (br0) with the internal network adapter (eth0) of the Dreambox. One or more OpenVPN clients get an IP address of the internal network and can access all available services without additional routing.

The mode used by OpenVPN is Bridging. With this mode the Broadcasts are forwarded without any problem. Same for network protocols like IPv4, IPv6, Netalk, IPX, ...


Requirements for using OpenVPN

  • OE2.0 image with GP3.2 Plugin.
  • OpenVPN Plugin must be installed, configured and started.
  • The OpenVPN Server supports only a cabled network (no Wlan).
  • Portforwarding on the router to the Dreambox (Port 1194/UDP).
  • For reaching the Server you need to know your WAN IP, or use a DDNS Service (e.g. No-IP).
  • For access you need to create certificates for each client.
  • OpenVPN needs to be installed on clients. Protocols like IPSec, IKE, PPTP, or L2TP are not supported.
  • Server Lan and Client Lan must be different.


Back to table of contents


OpenVPN Server

Install the OpenVPN Plugin via BluePanel and configure the Server as described. After rebooting you find the OpenVPN Server (and client) in the BluePanel. It's also possible to install the plguin over the console with the following command: 

opkg update && opkg install geminiopenvpn


Back to table of contents


Create Root Certificate

root certificate - Skin example: gp-skin-dmconcinnity-mod

Now we create the keys and certificates for the Certificate Authority (CA). Open the OpenVPN Server Plugin and push the [green] button for certificates.

Choose root-certificate and change the settings as described in the list. For all parameters only letters and numbers can be used.

Parameter Description
Password Enter a Password. Memorize the password, you will need the password for creating Server and Client certificates or for blocking a certificate.
valid for x years Enter the validity period for the certificate in years.
Project Enter a Project name for the certificate creation.
Country Enter the country.
City Enter the city.
State Enter the state.

Save the settings with the [green] button. The corresponding files will be created and saved in the directory /etc/ssl/openvpn.


Back to table of contents


Create Server Certificate

Server certificate

Open the OpenVPN Server Plugin and push the [green] button for certificates. Push again the [green] button and choose as type the setting Server and change the settings as described in the list.

Parameter Description
valid for x years Enter the validity period for the certificate in years.

Save the settings with the [green] button to create the certificates. You will be prompted to enter the password (which was entered while creating the root certificate). When a wrong password is entered the following error message is displayed: can't generate certificate.

When the correct password is entered the certificates, keys and the Diffie-Hellman parameters are created. This can take some minutes (up to 30 min), the status is displayed in the plugin. The plugin can be closed while the creation is in progress, the process continues in background.


Back to table of contents


Create Client Certificate(s)

Client certificate

Open the OpenVPN Server Plugin and push the [green] button for certificates. Push again the [green] button and choose as type the setting Client and change the settings as described in the list.

Parameters Description
valid for x years Enter the validity period for the certificate in years.
Name: Desired name for the client.

If more client certificates are used, each must have a different name.

Save the settings with the [green] button to create the certificates. You will be prompted to enter the password (which was entered while creating the root certificate). When a wrong password is entered the following error message is displayed: can't generate certificate.

When the correct password is entered the client certificate, key and configuration file can be found in the following directory: 

/etc/ssl/openvpn

These files (three files for each client) will be used later on the OpenVPN clients to set up a connection with the server. The needed files look like follows, e.g. if the entered name was 7020hd. In addition to the three files every client needs the Root Certificate (vpn-ca.pem).

File name Description
7020hd-cert.pem Client Certificate.
7020hd-key.pem Key File.
7020hd.ovpn Configuration file for the client.

If multiple certificates for multiple clients are created, every name needs to be different.

vpn-ca.pem The Root Certificate.


Back to table of contents


Overview of the configuration

Datei:GP3 OpenVPN Konfigurationsübersicht.png
480px

The created configurations can be displayed with the [green] button (certificates) in the OpenVPN Server Plugin. The example shows the configuration for a root certificate, Server settings and the configuration of two clients, with the names htc and 7020hd.


Back to table of contents


Settings

OpenVPN settings

Open the OpenVPN Server Plugin in the BluePanel under the daemons. Now we check first the settings, before starting the OpenVPN Server. Push the [blue] button and choose the point [Settings]. Use the following list for the descriptions and modify if requires. The network settings should be taken from the Dreambox and should only be changed in rare occasions.

Settings Description
Number of clients Amount of clients, which can connect with the OpenVPN Server.
first client IP From this IP address on the IP's are assigned to the clients. Attention make sure this range is not overlapping with the dhcp server of the network!
IP eth0 The IP Adress of the Dreambox for the lan interface (eth0). This address is only used for the network bridge (br0).

Keep in mind the local network card has no IP address in this mode, don't panic when checking the network adapter with ifconfig.

Netzmaske eth0 Enter the subnetmask of the local network.
Broadcast eth0 Enter the broadcast address of the local network.
IP Router Gateway Enter the IP address of the routers.
Log File Enable/disable the log file. When activated the log is in /var/log/openvpn.log

Save the settings with the [green] button. After saving the settings the OpenVPN Server is started automatically. The OpenVPN Server will also be started automatically after restarting the Dreambox, when a configuration file and certificates are available.

Ambox notice.png Restart the Dreambox
The OpenVPN Server will also be started automatically after restarting the Dreambox, when a configuration file and certificates are available.


Back to table of contents

OpenVPN Log File

Log file

Informations about the status of the OpenVPN server can be displayed with the [red] button (Log file). The example shows the OpenVPN server was started successful with two connected clients.

The log file can also be displayed in the terminal with the following command: 

cat /var/log/openvpn.log


Back to table of contents


Overview of connections

Datei:GP3 OpenVPN Verbindungsübersicht.png
480px

The OpenVPN Server Plugin controls regularly if clients are connected and shows the connections as in the image Active connections. In this example two clients are connected, with the name htc and 7020hd.


Back to table of contents


Block certificate(s)

Expired certificate

Certificates can be blocked, when you want to deny access from a client. Blocking is done over the [red] button, when the menu of the certificates is opened. Blocked client certificates are displayed as expired. For blocking the correct password (which was used for creating the root certificate) needs to be entered.

Ambox attention.png Blocking certificates
blocked certificates can not be reactivated. They need to be recreated!


Back to table of contents


OpenVPN Server - Menu button

Menu button

Open the OpenVPN Server Plugin and push the [blue] button of the remote control. The functions are described in the following list.

Menu point Description
start / stop openvpn With this entry you can stop/start the OpenVPN server manually.
show 'Routes' Shows Routing informations of the network bridge (br0).
Settings Settings for the OpenVPN server.


Back to table of contents


Delete certificates

Certificates can not be deleted in the OpenVPN Server Plugin. The files need to be deleted manually in the directory: 

/etc/openvpn/ssl


Back to table of contents


OpenVPN Client

There are many different OpenVPN Frontends, for different operation systems, to connect with a OpenVPN Server. The following points describe the configuration of the OpenVPN client on a Dreambox (with the GP3.2 Plugin) and an Android based Smartphone.


Dreambox as client

When configuring the OpenVPN clients you need to copy the 4 files created on the server before in the directory of the client: 

/etc/openvpn

Once more the list of the required 4 files for the OpenVPN client. The xxx stands for the name which was given for the client.

  • xxx-cert.pem
  • xxx.pem
  • xxx.ovpn
  • vpn-ca.pem


Back to table of contents


Edit configuration file

Before setting up a connection the configuration file (*.ovpn) needs to be edited. The line remote needs to be completed with the IP address or the host address and the correct port. the configuration could be similar to the example, when the access uses the host name webaccess.dyndns.tv via port 1194. 

.
.
# example 'remote foobar.org 1194'
# example 'remote 97.123.100.236 1194'
remote webaccess.dyndns.tv 1194

resolv-retry infinite
nobind
persist-key
persist-tun
.
.


Back to table of contents


Make connection

Dreambox Client - Skin example: gp-skin-swan-black

Open the OpenVPN Client Plugin in the BluePanel under Daemons. In the Plugin a line (not connected) appears, when the configuration files were copied in the correct directory (/etc/openvpn).

Start the connection with the OpenVPN Server with the [OK] button. If everything starts the status connected is displayed in the OpenVPN Client Plugin. Disconnecting is possible by pressing the [OK] button again.

Ambox notice.png Connection after reboot
The connection is restored automatically after a reboot of the Dreambox, if a config file (*.ovpn) is available in /etc/openvpn.


Back to table of contents


Android Smartphone as client

Example - OpenVPN settings Android

The image shows an example of an Android based Smartphone, which is connected with the Dreambox. As App is used OpenVPN settings to connect with the Server. Keep in mind the Smartphone needs to be rooted to use OpenVPN. Additional the tun/tap driver, the Busybox and OpenVPN is required. With many Custom-Roms these requirements are already integrated in the Firmware.

The config file (*.opvn) needs to be edited with the correct server and port. Copy the client files on the SD card, e.g. in a directory openvpn. Now you need to adapt the OpenVPN App (e.g. path to the configuration, certificates) and the tunnel on the OpenVPN Server can be started.


Back to table of contents


Support thread

If you need help with OpenVPN, follow the link ;)

geminiopenvpn


Back to overview: Gemini-Wiki:English Portal or Mainpage

Abgerufen von „http://wiki.blue-panel.com/index.php?title=GP3.2_OpenVPN_(en)&oldid=10068