Netgear DG834PN + OpenVPN + Android...

[streetster]

... I think my head is going to implode.

Is this possible?

I've got the DGTeam firmware installed which has an option to enable OpenVPN. Under android I need to install certificates and all sorts of jazz, which leads me to believe I need to also have these certificates/etc setup on my router.

So... I've downloading/installed/ran the commands to generate the key/crt/etc files on my PC (dont have openssl, dont have ipkg to install it on the router). Copied them across to the router... used the default server.conf file that OpenVPN give you, tweaked the paths for the crt/key/etc files... Managed to install the client1 certificate on my phone, so now all that's left is the configuration of OpenVPN on my router.

When I try to start I get nothing. I've enabled the logs, and the error I get is:

Code:

Mon Apr 11 20:45:33 2011 us=288327 OpenVPN 2.1.1 router
Mon Apr 11 20:45:33 2011 us=568327 Diffie-Hellman initialized with 1024 bit key
Mon Apr 11 20:45:33 2011 us=598327 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Apr 11 20:45:33 2011 us=603327 TUN/TAP device tun0 opened
Mon Apr 11 20:45:33 2011 us=603327 TUN/TAP TX queue length set to 100
Mon Apr 11 20:45:33 2011 us=603327 /sbin tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Mon Apr 11 20:45:33 2011 us=613327 Linux ifconfig failed: could not execute external program
Mon Apr 11 20:45:33 2011 us=613327 Exiting

well the line '/sbin tun0' seems to be a bit of a hint... as it seems to want to run /sbin/ifconfig but fails miserably to do so.

I am wondering if OpenVPN is trying to use 'which' in order to find ifconfig (which isnt installed, I dont have ipkg to install it, and I cant spot a MIPs version online {please point me at a repository if anyone knows!}).

I was tempted to setup a symbolic link from /sbin to /sbin/ifconfig however I am thinking that is a terrible idea, and if OpenVPN wants to run anything else it will screw up.

If I'm overcomplicating matters then please point me in the direction of something simpler... If it's possible to 'skip' the router and use a linux box to act as the OpenVPN server then this would work for me too, I just thought that as the router has OpenVPN:

Code:

# openvpn --version
OpenVPN 2.1.1 router
Originally developed by James Yonan
Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>

.. it would make sense to use it.



[e!]

Ok, not much progress, but doesnt look like tun0 is going to work, but the router already has a tap0 which I've tried instead, openvpn still bombs out complaining that ifconfig failed, but if I run the command myself it comes back ok:

Code:

# openvpn --config /etc/openvpn.conf.new ; tail -f /tmp/openvpn.log
Mon Apr 11 21:33:07 2011 us=345464 OpenVPN 2.1.1 router
Mon Apr 11 21:33:07 2011 us=620464 Diffie-Hellman initialized with 1024 bit key
Mon Apr 11 21:33:07 2011 us=645464 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Apr 11 21:33:07 2011 us=650464 TUN/TAP device tap0 opened
Mon Apr 11 21:33:07 2011 us=650464 TUN/TAP TX queue length set to 100
Mon Apr 11 21:33:07 2011 us=650464 /sbin tap0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Mon Apr 11 21:33:07 2011 us=660464 Linux ifconfig failed: could not execute external program
Mon Apr 11 21:33:07 2011 us=660464 Exiting

# /sbin/ifconfig tap0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255

I'll keep struggling onwards...

[e!!]

Using the --ipconfig-noexec parameter it's not bombing out, not really working either, will do some more investigating, think I need to run a few ifconfig/route commands before I start.. but I have no idea what they are:

Code:

# openvpn --config /etc/openvpn.conf.new --ifconfig-noexec --daemon; tail -f /tmp/openvpn.log
Mon Apr 11 21:45:07 2011 us=725268 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Apr 11 21:45:07 2011 us=725268 TUN/TAP device tap0 opened
Mon Apr 11 21:45:07 2011 us=725268 TUN/TAP TX queue length set to 100
Mon Apr 11 21:45:07 2011 us=730268 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Apr 11 21:45:07 2011 us=735268 GID set to nobody
Mon Apr 11 21:45:07 2011 us=735268 UID set to nobody
Mon Apr 11 21:45:07 2011 us=735268 Socket Buffers: R=[32767->65534] S=[32767->65534]
Mon Apr 11 21:45:07 2011 us=735268 MULTI: multi_init called, r=256 v=256
Mon Apr 11 21:45:07 2011 us=740268 IFCONFIG POOL: base=10.8.0.2 size=253
Mon Apr 11 21:45:07 2011 us=740268 Initialization Sequence Completed

[streetster]

Well... looks like the built-in OpenVPN that requires certificates and everything is just too much for my router to handle...

So, using the pre-shared key (secret.key) method + OpenVPN off the market + a bit of help I've got there!

Server Config [/etc/openvpn.conf]:

Code:

port 1194
proto udp
comp-lzo
secret /tmp/etc/ssh/openvpn.key
cipher DES-EDE3-CBC
tun-mtu 1458
keepalive 14400 86400
dev tap0
daemon
persist-tun
persist-key
script-security 2
verb 1
mute 10
mute-replay-warnings

Client Config [/sdcard/openvpn/openvpn.conf]:

Code:

remote my-server-name-here.dyndns.org
port 1194
dev tap0
secret /sdcard/openvpn/secret.key
proto udp
comp-lzo 
cipher DES-EDE3-CBC
verb 5
log /sdcard/openvpn.log
script-security 2

Once it's connected tap0 doesnt come up properly so firing up the terminal and doing:

Code:

 $ su
 # ifconfig tap0 192.168.1.95 broadcast 192.168.1.1 netmask 255.255.255.0

means I can now access my LAN on my phone.

Simple eh?

Hopefully I can work out a way to skip having to run ifconfig, or will just stick it in a script to run when the connection is up.

[dirky]

Mon Apr 11 21:33:07 2011 us=650464 /sbin tap0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255

that looks wrong, it should be /sbin/ifconfig tap0 xxxx

Edit: doh 2nd post

edit2: add 'daemon' into the client.conf

also disable the logging (verb5), otherwise it will nack your sdcard

[dirky]

I've only really used it on the command line for and supply the ifconfig lines like:

openvpn --port 1195 --remote 1.1.1.1 --dev tun --ifconfig 10.1.1.1 10.1.1.1.2 --daemon --secret psk.key

dunno if that helps

[streetster]

The logging was there to help me work out what is going on, but yeh once I'm entirely happy I'll remove that line...

found an app called 'gscript' which lets me create a shortcut to a script... if I just create a simple shell script and execute it via the terminal I get 'permission denied' despite the file being executable and me being root. very odd.

the trouble with tun is that my router has the tap0 device setup already, and my efforts to use tun failed miserably (1st post in the thread).. switching to tap has made things much easier.

[e!] I was still having issues - looks like I was using toolbox rather than busybox ifconfig, so have made a change similar to here... and after a reboot it's working...

1. Open OpenVPN, enable, and start tunel [sic]
2. run gScript to set ifconfig
3. done!