Tips & Tricks Blog
Notes, ideas and general comments on anything related to high-tech.

June 4, 2009

Notes on WRT54 as VPN Client and Gateway to Remote Network

Filed under: Networks — Tags: , ,

This note is for a setup that allows using Linksys WRT54 router for VPNing into remote network and providing multiple PCs on your home network access to that remote network in similar fashion as they access Internet (through NAT). It is assumed that the VPN server is already available on the remote network and the ”openvpn” client can be used to connect to that server. The WRT54 router is assumed to be connected to the local network  and not used for WAN/Internet access.

Full-time VPN Access to Remote Network from Home
The standard Tomato distribution as of today does not include openvpn, so a modded version is required (download from here):
http://www.tomatomod.de/TomatoMod_1.19.1464-OnlyEssentials.7z

The script below has to be updated to include correct addresses, VPN parameters, certificates and the private key.
Then it can be put into the “Firewall” script textbox under the “Administration->Scripts” in tomato menu.

The iptables commands for DNS_ADDRESS settings are not necessary, but might be useful for making the
router mimic the remote network DNS. The local DNS then can be set up to forward DNS requests for the remote
network domain directly to the router on the local network.

insmod tun.o
cd /tmp
ln -s /usr/sbin/openvpn /tmp/vpn
./vpn --mktun --dev tap0
ifconfig tap0 up
sleep 5
iptables -t nat -A POSTROUTING -s A.B.C.D/MASK -o tap0 -j MASQUERADE
iptables -t nat -A PREROUTING -p udp -i br0 --dport 53 -j DNAT --to DNS_ADDRESS
iptables -t nat -A PREROUTING -p tcp -i br0 --dport 53 -j DNAT --to DNS_ADDRESS
echo "
================== use your config here ======================
client
dev tap0
remote VPN.SERVER.IP
resolv-retry infinite
tls-client
persist-key
persist-tun
ca ca.crt
cert cl.crt
key cl.key
ns-cert-type server
comp-lzo
verb 3
================ end use your config here =====================
" > /tmp/cl.conf
echo "
-----BEGIN CERTIFICATE-----
Cut&paste the CA or server certificate here.
-----END CERTIFICATE-----
" > /tmp/ca.crt
echo "
-----BEGIN RSA PRIVATE KEY-----
Cut&paste client private key here.
In order to decrypt it first use (for RSA):
> openssl rsa -in key.pem
-----END RSA PRIVATE KEY-----
" > /tmp/cl.key
chmod 600 /tmp/cl.key
echo "
-----BEGIN CERTIFICATE-----
Cut&paste client certificate here.
-----END CERTIFICATE-----
" > /tmp/cl.crt
./vpn --config cl.conf &

2 Comments »

  1. Do you have a spam issue on this blog; I also am a blogger, and I was
    wondering your situation; many of us have developed
    some nice procedures and we are looking to swap strategies with others, be sure to shoot me an email
    if interested.

    Comment by bypasscaptcha — July 5, 2012 @ 7:29 pm

  2. No SPAM problems after tweaking the standard captcha to be a bit harder to bypass using software.

    Comment by den — October 16, 2012 @ 2:24 pm

RSS feed for comments on this post. TrackBack URL

Leave a comment

Security Code:



Home

OkOb.net Tips & Tricks Blog
Powered by WordPress