Posted: Tue May 29, 2007 3:32 Post subject: OpenVPN Web Config
I would like to see a bit more functionality in the OpenVPN configuration through the web page. With the following changes, it should be possible to cover about 90% of the "common" OpenVPN setups without requiring drastic code changes. The ones I can think of off the top of my head are:
OpenVPN Server-bridge setup from remote (allows client to act as though they are connected locally)
OpenVPN-to-OpenVPN setup (either Server-bridge or Server and Client setup between DD-WRT)
OpenVPN Client setup (what's provided right now, but with better options)
Basic OpenVPN Server setup (using --server)
Custom OpenVPN setup (using advanced command line with --config)
OpenVPN
Configure OpenVPN:
Disabled
Basic OpenVPN Client (--client)
Basic OpenVPN Server-Bridge (--server-bridge)
Basic OpenVPN Server (--server)
Advanced OpenVPN Config
Client: (enabled only with Client)
Server IP/Address: [ ] (--remote)
Server-Bridge: (enabled only with Server-Bridge)
Note: The IP Address Range must not conflict with your DHCP Address Range
Client IP Address Range: xx.xx.xx.[ ]-xx.xx.xx.[ ]
Enable VPN Client-to-Client packet: [x] (--client-to-client)
Server: (enabled only with Server)
Note: The Network Address and Netmask should be similar to 10.20.30.0/255.255.255.0, not an IP address - OpenVPN automatically configures the device IP address.
OpenVPN Network Address: [ ].[ ].[ ].[ ]
OpenVPN Netmask: [ ].[ ].[ ].[ ]
Enable VPN Client-to-Client packet: [x] (--client-to-client)
Tunnel Device: (disable drop-down if server-bridge is used and use TAP bridge as default)
TAP (bridge to br0, openvpn --mktun --dev tap0 && brctl addif br0 tap0 && --dev tap0)
TAP (do not bridge, openvpn --mktun --dev tap0 && --dev tap0)
TUN (openvpn --mktun --dev tun0 && --dev tun0)
Use LZO Compression:
Adaptive (default, --comp-lzo)
Force On (--comp-lzo --comp-noadapt)
Force Off
Certificates:
CA Root Cert: [ ]
DH Param (Required for Server): [ ]
Local Public Cert: [ ]
Local Private Key: [ ]
Enforce Remote Certificate Type:
Ignore Type (Strongly discouraged!)
Server Certificate (DD-WRT is Client, --ns-cert-type server)
Client Certificate (DD-WRT is Server, --ns-cert-type client)
Additional Options:
[ ] (pass on command-line, so you can do --verb or --config without fiddling with parsing existing config files)
This would allow for most config of OpenVPN without requiring nvram parsing and such. The whole config could be chained at the command line, like:
openvpn --config keyfile.cfg --server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.249 --fast-io --port 1149 --dev tap0 --comp-lzo --verb 3 --config /tmp/custom.cfg
The only problem I can foresee is the push "" and escaping "'s, but maybe it's not required. I think this would go a long way to provide an easy OpenVPN configuration for most users.
Posted: Sun Jul 06, 2008 18:03 Post subject: Seconded
I think this is an excellent suggestion. Getting a basic config with static certs is, apparently, not too hard. But getting something working with full authentication is much harder.
It takes a lot of time and quite some networking knowledge to get a certificate-based VPN up and running. _________________ Q: How do I do ...? A: Read the tutorials or Search forums
Joined: 07 Jun 2006 Posts: 1488 Location: the Netherlands
Posted: Tue Jul 08, 2008 12:03 Post subject:
A problem might be the storage of the certificates, since all that text might clog the nvram.
Besides that, it would help a lot of people, I guess _________________ Firmware: DD-WRT v24-sp2 (latest available) mega
WRT320N
Donater
Last edited by cyberde on Tue Jul 08, 2008 12:59; edited 1 time in total
Not quite: the nvram can easily store the certificates on newer devices. For older models, we can always implement workarounds (i.e. if first character in the cert textbox is a "/", treat the text there as a path-to-certificate-file; if the leading char is a "-" then treat the rest of the text as a certificate).
Hell, I'd be willing to help out with the OpenVPN scripts. Testing, scripting - count me in _________________ Q: How do I do ...? A: Read the tutorials or Search forums
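The command-line assembly proposed in the first post and the "/" = path, "-" = inline certificate heuristic from this reply, as an added shell example. This is not code from the thread or from DD-WRT; the OVPN_* variable names and the /tmp/ovpn-example directory are assumptions standing in for nvram values and the web-form fields. Push directives are written into a small generated config file that openvpn reads with --config, so the inner "..." never passes through the shell, which is one way around the escaping concern raised in the first post.

```shell
#!/bin/sh
# Added example, not from the forum thread or DD-WRT.
# Builds an openvpn command line from web-form style settings (OVPN_* are
# hypothetical stand-ins for nvram variables) and resolves certificate text
# boxes: leading "/" means an existing file path, leading "-" means inline PEM.

WORKDIR="${WORKDIR:-/tmp/ovpn-example}"   # assumed scratch dir (RAM-backed on a router)

# resolve_cert NAME TEXT -> prints the path to pass on the command line.
resolve_cert() {
    name=$1
    text=$2
    case $text in
        /*) printf '%s\n' "$text" ;;            # path to an existing file
        -*)                                     # "-----BEGIN ..." PEM pasted into the box
            mkdir -p "$WORKDIR"
            out="$WORKDIR/$name.pem"
            # private keys land here too, so create owner-only files
            ( umask 077; printf '%s\n' "$text" > "$out" )
            printf '%s\n' "$out"
            ;;
        *)
            echo "resolve_cert: $name must start with '/' (path) or '-' (PEM)" >&2
            return 1
            ;;
    esac
}

# build_command -> echoes the assembled openvpn command line (does not run it).
build_command() {
    mkdir -p "$WORKDIR"
    cmd="openvpn"

    case $OVPN_MODE in
        client)        cmd="$cmd --client --remote $OVPN_REMOTE" ;;
        server-bridge) cmd="$cmd --server-bridge $OVPN_BRIDGE_GW $OVPN_BRIDGE_MASK $OVPN_POOL_START $OVPN_POOL_END" ;;
        server)        cmd="$cmd --server $OVPN_NET $OVPN_MASK" ;;
        *) echo "build_command: unknown mode '$OVPN_MODE'" >&2; return 1 ;;
    esac

    # Server-bridge forces a TAP device (bridging tap0 into br0 with
    # --mktun/brctl is a separate step); otherwise honour the drop-down.
    if [ "$OVPN_MODE" = server-bridge ]; then
        cmd="$cmd --dev tap0"
    else
        cmd="$cmd --dev ${OVPN_DEV:-tun0}"
    fi

    [ "$OVPN_CLIENT_TO_CLIENT" = 1 ] && cmd="$cmd --client-to-client"

    case $OVPN_LZO in
        adaptive) cmd="$cmd --comp-lzo" ;;
        on)       cmd="$cmd --comp-lzo --comp-noadapt" ;;
        off|"")   ;;
    esac

    ca=$(resolve_cert ca "$OVPN_CA") || return 1
    cert=$(resolve_cert cert "$OVPN_CERT") || return 1
    key=$(resolve_cert key "$OVPN_KEY") || return 1
    cmd="$cmd --ca $ca --cert $cert --key $key"
    if [ -n "$OVPN_DH" ]; then
        dh=$(resolve_cert dh "$OVPN_DH") || return 1
        cmd="$cmd --dh $dh"
    fi

    # Peer certificate type check as named in the thread; OpenVPN 2.4 and
    # later replace --ns-cert-type with --remote-cert-tls.
    case $OVPN_PEER_CERT_TYPE in
        server|client) cmd="$cmd --ns-cert-type $OVPN_PEER_CERT_TYPE" ;;
    esac

    # One push value per line in OVPN_PUSH; written into a config file that
    # openvpn parses itself, so no shell escaping of the inner quotes.
    if [ -n "$OVPN_PUSH" ]; then
        pushcfg="$WORKDIR/push.cfg"
        printf '%s\n' "$OVPN_PUSH" | while IFS= read -r line; do
            [ -n "$line" ] && printf 'push "%s"\n' "$line"
        done > "$pushcfg"
        cmd="$cmd --config $pushcfg"
    fi

    # Free-form "Additional Options" box, appended last so it can override.
    [ -n "$OVPN_EXTRA" ] && cmd="$cmd $OVPN_EXTRA"
    printf '%s\n' "$cmd"
}
```

Appending the free-form options last mirrors the suggestion that a trailing --config /tmp/custom.cfg or --verb can override the generated settings, and the rejected third branch of resolve_cert keeps an empty or malformed certificate box from silently producing a broken command line.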