
5.2 Software Configuration

5.2.3 OpenVPN

5.2.3.4 OpenVPN Client Configuration

The configuration of OpenVPN on the router is similar in some respects to that on the server; however, because OpenWRT uses the Unified Configuration Interface (UCI) [88], parameters are specified differently. The following steps describe how to configure OpenVPN on OpenWRT to connect to the OpenVPN server set up in the previous section.

1. In order to create a secure connection between the router and the server, the certificates generated on the server (at the beginning of the previous section) must be available on the router. The following files are needed: the certificate authority certificate, “ca.crt”, and the certificate and key file for the client. To transfer them to the router, the certificate files were placed in a temporary directory “tmp” in the WAMP “www” directory, which made them accessible through the Apache HTTP server in WAMP. Figure 84 shows the commands used to download the certificates onto the router, which was connected to the server via the LAN. First the directory is changed to “/etc/openvpn”, which is used to store the configuration, certificate and key files. Next the “wget” command is used to download the files from the WAMP server. Because the server was on the local network its IP address was used; this may need to be changed depending on the network setup.

Figure 84 OpenVPN - Downloading certificates and keys onto WRT54GL router.

2. A configuration file provided by OpenVPN is present at “/etc/config/openvpn”; this needs to be edited in order to connect to the server. The text editor “vi” can be used to edit the configuration with the following command. Details on how to use “vi” can be found at [85].

vi /etc/config/openvpn

3. The configuration file contains two sample configurations: a server configuration and a client configuration. Locate the client configuration by finding the following header.

##############################################
# Sample client-side OpenVPN 2.0 uci config  #
# for connecting to multi-client server.     #
##############################################

The settings following the lines above need to be altered to configure the client.

a. Both sample configurations are disabled by default, so to use the client configuration it must be enabled by changing enabled from 0 to 1 as follows.

option enabled 1

b. The tunnel type needs to be changed from tun to tap to enable IPv6 support (in this version of OpenVPN a tun device carries IPv4 only, whereas a tap device carries Ethernet frames and therefore IPv6 as well). To do this, comment out the tun line and uncomment the tap line as shown below.

option dev tap
#option dev tun


c. To allow forwarding through a router, the TCP protocol must be used: comment out the UDP protocol line and uncomment the TCP protocol line as shown below.

option proto tcp
#option proto udp

d. The address of the OpenVPN server is set as follows.

list remote "iots2is.org 1194"

Here “iots2is.org” is the host name of the server and 1194 is the port. The port must match the port number set in the server configuration (1194 is the default port).

e. To avoid fragmentation problems on Windows, the following option should be appended to the end of the configuration file.

option mssfix 1000

f. Because this version of OpenVPN lacks IPv6 address auto-configuration, a script is used to set the IPv6 address of the router. The following line executes a script “up.sh” located in the “/etc/openvpn” directory; this script is created in step 4.

option up /etc/openvpn/up.sh

g. The following option must also be appended so that OpenVPN is permitted to run the script, which in turn changes the IPv6 address.

option script_security 2

4. A script to change the IPv6 address of the router can be created using “vi” with the following command.

vi /etc/openvpn/up.sh

The following lines can then be added to the script in “vi”

#!/bin/sh

ifconfig "$1" add 2004::2

The first line indicates that the file is a shell script, and the second line adds the IPv6 address to the tunnel adapter. The “ifconfig” command on the second line is given three parameters: the name of the network adapter, the command “add”, and the address to add to the adapter. The name of the tunnel adapter is passed to the script by OpenVPN as its first argument and is accessed as “$1”; this ensures that the correct adapter is given the IPv6 address, as the name of the adapter may change. The IPv6 address given to the router must be unique to the router, meaning that the script file on each router must contain a different IPv6 address.
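As an added example that is not part of the thesis or of OpenWRT's own files, the following POSIX shell script generates the client section of “/etc/config/openvpn” from steps 3a to 3g and the “up.sh” script from step 4 for one router, and checks the result (together with the certificate files from step 1) before the files are copied to the router. The section name “client”, the file names “client.crt” and “client.key”, and the scratch output directory are assumptions; the host name, port, mssfix value and IPv6 address are the values used in this section.

```shell
#!/bin/sh
# Added example, not from the thesis or from OpenWRT: render the UCI client
# section (steps 3a-3g) and the up.sh script (step 4) for one router and
# sanity-check them.  Assumed: section name "client", file names client.crt
# and client.key, and the scratch OUTDIR; host, port, mssfix and the address
# 2004::2 are the values used in the text.

# render_client_config HOST PORT UP_SCRIPT -> UCI section on stdout
render_client_config() {
    cat <<EOF
config openvpn client
    option enabled 1
    option client 1
    option dev tap
    #option dev tun
    option proto tcp
    #option proto udp
    list remote "$1 $2"
    option ca /etc/openvpn/ca.crt
    option cert /etc/openvpn/client.crt
    option key /etc/openvpn/client.key
    option mssfix 1000
    option up $3
    option script_security 2
EOF
}

# render_up_script IPV6ADDR -> up.sh on stdout.  OpenVPN runs the --up script
# with the tunnel device name as its first argument, so the script refers to
# it as "$1" (shell syntax); the address itself is fixed per router.
render_up_script() {
    cat <<EOF
#!/bin/sh
# \$1 is the tunnel device name passed in by OpenVPN
ifconfig "\$1" add $1
EOF
}

# write_router_files OUTDIR HOST PORT IPV6ADDR: writes OUTDIR/openvpn (copy to
# /etc/config/openvpn) and OUTDIR/up.sh (copy to /etc/openvpn/up.sh).
write_router_files() {
    mkdir -p "$1"
    render_client_config "$2" "$3" /etc/openvpn/up.sh > "$1/openvpn"
    render_up_script "$4" > "$1/up.sh"
    chmod 755 "$1/up.sh"
}

# check_cert_files DIR: the files from step 1 must exist and the private key
# must not be readable by other users (it was fetched over plain HTTP, so at
# least restrict it once it is on the router with chmod 600).
check_cert_files() {
    for f in ca.crt client.crt client.key; do
        [ -s "$1/$f" ] || { echo "missing or empty: $1/$f" >&2; return 1; }
    done
    case "$(ls -l "$1/client.key")" in
        ???????r*) echo "$1/client.key is world-readable" >&2; return 1 ;;
    esac
}

# check_client_config CONFIG UPSCRIPT: every setting from steps 3a-3g is
# present, "list remote" has the "host port" shape, and the up script from
# step 3f exists, is executable and uses $1 rather than a fixed device name.
check_client_config() {
    for want in 'option enabled 1' 'option dev tap' 'option proto tcp' \
                'option mssfix 1000' 'option script_security 2'; do
        grep -q "^[[:space:]]*$want" "$1" || { echo "$1: missing '$want'" >&2; return 1; }
    done
    grep -q '^[[:space:]]*list remote "[^ ]* [0-9][0-9]*"' "$1" \
        || { echo "$1: list remote must be \"host port\"" >&2; return 1; }
    [ -x "$2" ] || { echo "$2: up script missing or not executable" >&2; return 1; }
    grep -q '"\$1"' "$2" || { echo "$2: up script should use \"\$1\" for the device" >&2; return 1; }
}

# Stand-alone use: sh render.sh OUTDIR HOST PORT IPV6ADDR
if [ "$#" -eq 4 ]; then
    write_router_files "$@" && check_client_config "$1/openvpn" "$1/up.sh"
fi
```

Run it as `sh render.sh /tmp/router1 iots2is.org 1194 2004::2`, then copy “openvpn” to /etc/config and “up.sh” to /etc/openvpn on the router, giving each router its own IPv6 address argument. The key-permission check is there because the key crossed the LAN over plain HTTP; restricting it with chmod 600 on the router limits who can read it afterwards.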


5. The configuration of OpenVPN on the router is now complete, and the OpenVPN client service can be started using the following command.

/etc/init.d/openvpn start

The status of the client service can be checked using the “logread” command, which displays the system log containing status information from various services, including OpenVPN.

6. If the configuration is correct and there is a functional network connection (via the internet or LAN), the router will connect to the server and establish a secured VPN connection. Figure 85 shows the output in the status window on the server for a successful connection from OpenVPN running on a router.

Figure 85 OpenVPN - server status window showing successful router connection.

A common problem is that the router rapidly connects and disconnects, which may be due to the router having an incorrect date and time. The WRT54GL does not have a real-time clock that can keep the time while it is powered off, so the time has to be set over the internet, which may fail in some cases. If the time is not set correctly the certificates used by OpenVPN will not be valid, as for security reasons they are only valid from the date on which they are issued.
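As an added example that is not part of the thesis, the following shell functions check for the clock problem just described from two directions: cert_valid_at and check_cert_clock compare a clock value with a certificate's notBefore/notAfter window, and diagnose_logread scans saved “logread” output for the symptoms. check_cert_clock assumes openssl and GNU date are installed where it runs; the log lines in write_sample_log are constructed to resemble the output of the newer OpenWRT logread, which prints the year, and are not captured from a real router.

```shell
#!/bin/sh
# Added example, not from the thesis: detect a router clock that makes the
# OpenVPN certificates look invalid.  cert_valid_at and diagnose_logread use
# plain values and files; check_cert_clock also needs openssl and GNU date.

# cert_valid_at NOTBEFORE NOTAFTER NOW (epoch seconds): 0 if NOW lies inside
# the certificate's validity window, 1 otherwise.
cert_valid_at() {
    [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]
}

# check_cert_clock CERT: compare this machine's clock with the certificate's
# notBefore/notAfter dates.  On a router without openssl, compare the output
# of `date` with `openssl x509 -in ca.crt -noout -dates` run on the server.
check_cert_clock() {
    nb=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
    na=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    cert_valid_at "$(date -u -d "$nb" +%s)" "$(date -u -d "$na" +%s)" "$(date -u +%s)"
}

# diagnose_logread LOGFILE (saved output of `logread`): prints a verdict and
# returns 1 when the symptoms point at the clock (certificate date errors, or
# lines still dated 1970 because the time was never set after boot), 2 when
# OpenVPN keeps restarting without a date error, 0 otherwise.
diagnose_logread() {
    time_errs=$(grep -c -e 'certificate is not yet valid' -e 'certificate has expired' "$1" || true)
    epoch_lines=$(grep -c '^[A-Z][a-z][a-z] [A-Z][a-z][a-z] *[0-9][0-9]* [0-9:]* 1970 ' "$1" || true)
    restarts=$(grep -c 'process restarting' "$1" || true)
    if [ "$time_errs" -gt 0 ] || [ "$epoch_lines" -gt 0 ]; then
        echo "clock problem: $time_errs certificate date errors, $epoch_lines lines dated 1970; set the time before starting OpenVPN"
        return 1
    elif [ "$restarts" -gt 2 ]; then
        echo "flapping: $restarts restarts with no date error; check proto, port, mssfix and the certificates themselves"
        return 2
    fi
    echo "no clock-related problem found"
    return 0
}

# write_sample_log FILE KIND (bad or ok): constructed logread excerpts.  The
# 192.0.2.10 address and example-ca name are documentation placeholders.
write_sample_log() {
    if [ "$2" = bad ]; then cat > "$1" <<'EOF'
Thu Jan  1 00:00:41 1970 daemon.notice openvpn(client)[1042]: TCP connection established with [AF_INET]192.0.2.10:1194
Thu Jan  1 00:00:42 1970 daemon.err openvpn(client)[1042]: VERIFY ERROR: depth=1, error=certificate is not yet valid: CN=example-ca
Thu Jan  1 00:00:42 1970 daemon.err openvpn(client)[1042]: TLS Error: TLS handshake failed
Thu Jan  1 00:00:42 1970 daemon.notice openvpn(client)[1042]: SIGUSR1[soft,tls-error] received, process restarting
EOF
    else cat > "$1" <<'EOF'
Mon Jun 15 10:21:07 2009 daemon.notice openvpn(client)[1042]: TCP connection established with [AF_INET]192.0.2.10:1194
Mon Jun 15 10:21:09 2009 daemon.notice openvpn(client)[1042]: Initialization Sequence Completed
EOF
    fi
}
```

On the router, `logread > /tmp/ovpn.log` followed by `diagnose_logread /tmp/ovpn.log` separates the clock case from other causes of flapping; a return value of 1 means the time should be set (and verified with `date`) before the certificates are suspected.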

This concludes the setup required to configure the software packages used by the custom-developed software to create an integrated IoT platform.