As a kind of proof of concept I set up a Linksys router running the OpenWrt firmware as a portable hardware OpenVPN client to connect to the AlwaysVPN service. I used the router as a wireless client, meaning I did not connect to a wired network to gain internet access. The final test was to connect a SIP IP phone to one of the LAN ports of the router and then place a phone call.
The following is a very basic overview of what needs to be done to duplicate this kind of setup.
- Flash a router with the latest OpenWrt firmware (I used Kamikaze 8.09)
- Install the openvpn, empty and ntpclient packages
- Configure the router as a wireless client, adding a wifi interface with DHCP.
- Add a VPN interface using tap0 as the physical interface (I used openvpn with tap, not tun)
- Configure the firewall rules to allow traffic on the VPN interface and add MASQ to enable NAT.
- Using SCP/SSH, create a /etc/openvpn directory and add your config files.
- Create a /etc/init.d/openvpn-client file with the following (edit as needed):
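```shell
#!/bin/sh /etc/rc.common
# OpenWrt init script: start OpenVPN and answer its credential prompts with empty
START=95

start () {
    logger -t "openvpn" "starting openvpn-client"
    # Run openvpn under empty; "in" and "out" are the FIFOs empty creates for it
    empty -f -i in -o out openvpn --daemon --config /etc/openvpn/VPN_config_file.conf
    # Wait for each prompt and send the reply; "assword:" matches Password: or password:
    # Replace username/password with your own; they are stored here in clear text
    empty -w -i out -o in "Username:" "username\n"
    empty -w -i out -o in "assword:" "password\n"
}

stop () {
    logger -t "openvpn" "stopping openvpn-client"
    killall openvpn
    killall empty
    sleep 3
}
```
- Do a chmod a+x /etc/init.d/openvpn-client and enable it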
- Make sure the NTP client is working
- Disable DHCP server on VPN and WIFI interfaces
- Add DHCP option 6 with the DNS servers of your VPN provider on the LAN interface. Otherwise DNS requests will pass through the router to your ISP's DNS servers.
- Apply settings and reboot
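A check for the two DHCP steps above, as an added example that is not part of the original write-up: it reads the text produced by `uci show dhcp` and flags a LAN that hands out any DNS server outside the VPN provider's list, or a DHCP server still enabled on the wifi or VPN interface. The section names `lan`, `wifi` and `vpn`, the function names and all addresses are assumptions made up for the example.

```shell
#!/bin/sh
# Added example: audit `uci show dhcp` text for the DHCP/DNS steps above.
# Section names (lan, wifi, vpn) and all addresses are constructed assumptions.

# Print the value of dhcp.<section>.<option> from uci text on stdin.
uci_value() {
    sed -n "s/^dhcp\.$1\.$2=//p" | tr -d "'"
}

# Succeed only if the section sets DHCP option 6 and every DNS server it
# pushes is in the allowed list. $1=uci text $2=section $3=allowed servers
lan_dns_ok() {
    servers=$(printf '%s\n' "$1" | uci_value "$2" dhcp_option |
        tr ' ' '\n' | sed -n 's/^6,//p' | tr ',' '\n')
    [ -n "$servers" ] || return 1      # no option 6: DNS goes via the router to the ISP
    for s in $servers; do
        case " $3 " in
            *" $s "*) ;;               # VPN provider resolver
            *) return 1 ;;             # some other resolver is being handed out
        esac
    done
    return 0
}

# Succeed only if the DHCP server is disabled (ignore=1) on the section.
dhcp_disabled() {
    [ "$(printf '%s\n' "$1" | uci_value "$2" ignore)" = "1" ]
}

# Print one line per finding; return 0 only when nothing was found.
audit() {
    rc=0
    lan_dns_ok "$1" lan "$2" || { echo "LEAK: lan does not push only VPN DNS"; rc=1; }
    for sec in wifi vpn; do
        dhcp_disabled "$1" "$sec" || { echo "WARN: DHCP server enabled on $sec"; rc=1; }
    done
    return $rc
}

VPN_DNS="10.8.0.1 10.8.0.2"            # constructed; use your provider's servers
GOOD="dhcp.lan.dhcp_option=6,10.8.0.1,10.8.0.2
dhcp.wifi.ignore=1
dhcp.vpn.ignore=1"
LEAKY="dhcp.lan.dhcp_option=6,192.0.2.53
dhcp.wifi.ignore=1
dhcp.vpn.interface=vpn"

audit "$LEAKY" "$VPN_DNS" || true      # on the router: audit "$(uci show dhcp)" "$VPN_DNS"
```
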
Some additional notes:
empty was used to pass the username and password to openvpn without having to recompile openvpn with save-password support. If your server only uses key authentication this is not required.
This writeup was done from memory so some details may be missing. I’ve had bad experiences with using SIP over wifi in the past so I was very surprised at how well the VoIP call worked over the openvpn wifi tunnel.
2 Comments
I would love to get this working on my router! I have a Linksys WRT54GL currently running DD-WRT v24VPN but that looks like it will not support user/pass but instead only key auth. For my AlwaysVPN account I however need user/pass.
I can flash the Kamikaze 8.09 on it but am stuck on the “empty” package which I need to install. Googling for a term like “empty” just gets me way too many hits. Can you point me in the right direction?
FYI, I am trying to get this working so I can use my Xbox to access the net using a US IP.
Thanks!
You can probably use DD-WRT too; I just don’t know if they have the empty package.
You need to update the package list and then install the empty package. I think it might be under Administration (or Advanced) and then Software.