I installed openvpn on my WRT54GL and noticed that it dropped some files in the
root (/) directory. At least one of these files is updated every minute while
openvpn is running. I decided to reorganize the files and I have updated the
sample data in the config file accordingly. The diff for this change is below.
** Since this is my first patch, please review and let me know if I got
anything wrong - particularly the change to the Makefile that creates the
/etc/openvpn directory.
Basically, I changed the sample to use absolute paths and suggested putting the
cert, key and some other config-like files in /etc/openvpn and the log and
connection tracking files in /tmp. It probably would be cleaner to have
openvpn start in the /etc/openvpn directory so that relative paths can be used,
but I suspect that would break existing installations. Finally, I added a line
in the Makefile to create /etc/openvpn during install (please check this - I
have no idea if I did it right!)
Index: net/openvpn/files/openvpn.config
===================================================================
--- net/openvpn/files/openvpn.config (revision 16829)
+++ net/openvpn/files/openvpn.config (working copy)
@@ -70,17 +70,17 @@
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
- option ca ca.crt
- option cert server.crt
+ option ca /etc/openvpn/ca.crt
+ option cert /etc/openvpn/server.crt
# This file should be kept secret:
- option key server.key
+ option key /etc/openvpn/server.key
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
- option dh dh1024.pem
+ option dh /etc/openvpn/dh1024.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
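Review bot: the generation hint just above the changed dh option still writes into the current directory ("openssl dhparam -out dh1024.pem 1024") while the option now points at /etc/openvpn/dh1024.pem; update that comment to `openssl dhparam -out /etc/openvpn/dh1024.pem 1024` so a user following it lands the file where the option looks for it. In the same hunk, server.key is marked "This file should be kept secret", yet nothing restricts permissions on the new /etc/openvpn location; a short note such as `chmod 600 /etc/openvpn/server.key` in the comment would be worth adding now that the key lives on persistent flash instead of whatever directory the daemon happened to start in.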
@@ -96,7 +96,7 @@
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
- option ifconfig_pool_persist ipp.txt
+ option ifconfig_pool_persist /tmp/ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
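Review bot: /tmp on OpenWrt is RAM-backed, so /tmp/ipp.txt disappears on every reboot; that defeats the purpose stated in the comment above the option (handing a reconnecting client the same virtual IP after a restart) whenever the restart is a reboot rather than a daemon restart. If that persistence matters, keep the file under /etc/openvpn and accept the periodic flash write, or at least say in the comment that the /tmp location only survives daemon restarts.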
@@ -131,7 +131,7 @@
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
-# option client_config_dir ccd
+# option client_config_dir /etc/openvpn/ccd
# list route "192.168.40.128 255.255.255.248"
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
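Review bot: the instruction two lines below the changed option still says "create a file ccd/Thelonious"; with client_config_dir now absolute it should read /etc/openvpn/ccd/Thelonious, otherwise a user following the example creates the file relative to wherever the init script starts openvpn and the per-client config is never found.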
@@ -143,7 +143,7 @@
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
-# option client_config_dir ccd
+# option client_config_dir /etc/openvpn/ccd
# list route "10.9.0.0 255.255.255.252"
# list route "192.168.100.0 255.255.255.0"
# Then add this line to ccd/Thelonious:
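Review bot: "Then add this line to ccd/Thelonious" on the last line of this hunk is another relative-path leftover; with the option now set to /etc/openvpn/ccd the instruction should name /etc/openvpn/ccd/Thelonious so the example and the option agree.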
@@ -159,7 +159,7 @@
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
-# option learn_address ./script
+# option learn_address /etc/openvpn/script
# If enabled, this directive will configure
# all clients to redirect their default
@@ -226,7 +226,7 @@
# The second parameter should be '0'
# on the server and '1' on the clients.
# This file is secret:
-# option tls_auth "ta.key 0"
+# option tls_auth "/etc/openvpn/ta.key 0"
# Select a cryptographic cipher.
# This config item must be copied to
@@ -257,7 +257,7 @@
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
- option status openvpn-status.log
+ option status /tmp/openvpn-status.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
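Review bot: moving the status file to /tmp fits the every-minute rewrite described in the comment above it, since /tmp is RAM-backed on OpenWrt and the flash is spared; the caveat worth a line in the comment is that /tmp is world-readable and the status file lists connected clients' common names and real addresses, so on a box with untrusted local users it should get a less exposed path or an explicit umask.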
@@ -266,8 +266,8 @@
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
-# option log openvpn.log
-# option log_append openvpn.log
+# option log /tmp/openvpn.log
+# option log_append /tmp/openvpn.log
# Set the appropriate level of log
# file verbosity.
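Review bot: with /tmp RAM-backed, the log_append form on the last changed line grows without bound in memory until reboot; on a WRT54GL-class device with a few MB of RAM and a verbose setting that can starve the system, so the comment should steer users to the syslog default described above or to the truncating `log` form, and note that either file is lost at reboot.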
@@ -360,9 +360,9 @@
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
- option ca ca.crt
- option cert client.crt
- option key client.key
+ option ca /etc/openvpn/ca.crt
+ option cert /etc/openvpn/client.crt
+ option key /etc/openvpn/client.key
# Verify server certificate by checking
# that the certicate has the nsCertType
@@ -379,7 +379,7 @@
# If a tls_auth key is used on the server
# then every client must also have the key.
-# option tls_auth "ta.key 1"
+# option tls_auth "/etc/openvpn/ta.key 1"
# Select a cryptographic cipher.
# If the cipher option is used on the server
Index: net/openvpn/Makefile
===================================================================
--- net/openvpn/Makefile (revision 16829)
+++ net/openvpn/Makefile (working copy)
@@ -72,6 +72,7 @@
$(INSTALL_BIN) files/$(PKG_NAME).init $(1)/etc/init.d/$(PKG_NAME)
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) files/$(PKG_NAME).config $(1)/etc/config/$(PKG_NAME)
+ $(INSTALL_DIR) $(1)/etc/openvpn
endef
define Package/openvpn-easy-rsa/install
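Review bot: the added recipe line `$(INSTALL_DIR) $(1)/etc/openvpn` must be indented with a literal tab like the three lines above it; the patch as quoted here does not preserve leading whitespace, so confirm in the working copy that make accepts it. Placement inside the existing install define is otherwise right, and $(INSTALL_DIR) is the same macro the `$(1)/etc/config` line already uses, so an empty /etc/openvpn will be created at package install time as the cover note intends.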
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel