Well, I finally picked up an NSLU2 by Linksys. Have to say I am pretty impressed so far. A little device that fits in my hand just replaced two of my boxes at home: one for my fileserver and one for my OpenVPN server. Maybe at a later date I will go over how to flash it with Unslung, but it is pretty easy, so this doc is just for me to remember how I set up my OpenVPN.

So first things first: go buy the NSLU2, then download Unslung and flash it.
http://www.nslu2-linux.org/

Now you have it flashed. I put a few packages on first to let me work with it a bit better:
OpenSSH
Vim
Bash
Grep

Ok, now we are ready.
SSH to your NSLU2. If you have not set your password yet, the default password is “uNSLUng”.

Install OpenVPN:
ipkg update;ipkg -force-depends install openvpn

Create Tun:
mkdir /dev/net
mknod /dev/net/tun c 10 200

Install Tun:
insmod tun

Enable Routing:
echo 1 > /proc/sys/net/ipv4/ip_forward

Now it's time to generate our certs. I just downloaded OpenVPN onto my machine to create them; it goes much faster this way.
You can download the current OpenVPN version here:
http://openvpn.net/
Also, more details on this process can be found here:
http://openvpn.net/howto.html#pki

cd into the easy-rsa directory and edit the vars file with your information.

. ./vars
./clean-all
./build-ca

Now that the CA is up, we can build the keys for the server.

./build-key-server server

Now we have to build our client certs. I will only be building one for a single client. I also use password-protected certs.

./build-key-pass client1

Note: if you want other clients, repeat the step with client2 (or whatever you like). Remember to always use a unique common name for each client.

Generate Diffie-Hellman parameters:
./build-dh
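Since every client needs its own common name, here is an added check (my example, not part of the post or of easy-rsa itself) that reads the index.txt easy-rsa keeps next to the 01.pem, 02.pem files in keys/ and flags any CN issued more than once. It assumes the usual "openssl ca" database layout of that file: tab-separated status, expiry, revocation date, serial, filename and subject DN, with the CN inside the DN. OpenVPN by default only allows one concurrent connection per CN, so a duplicate means two people cannot be on the VPN at the same time. The sample index.txt inside the script is constructed, not a real one.

```shell
#!/bin/sh
# Added example, not from the original post: find duplicate Common Names in
# easy-rsa's keys/index.txt before copying certs to the NSLU2.
# Assumed index.txt layout (openssl ca database), tab-separated:
#   status  expiry  revoked  serial  filename  subject-DN
# Only valid ("V") entries count; revoked ("R") ones are ignored.

# Print every CN that appears more than once among valid entries of $1.
# Returns 0 when all CNs are unique, 1 otherwise.
duplicate_cns() {
    index="$1"
    dups=$(awk -F'\t' '$1 == "V" {
               n = split($6, parts, "/")
               for (i = 1; i <= n; i++)
                   if (parts[i] ~ /^CN=/) seen[substr(parts[i], 4)]++
           }
           END { for (cn in seen) if (seen[cn] > 1) print cn }' "$index")
    if [ -n "$dups" ]; then
        printf 'duplicate common name(s): %s\n' "$dups" >&2
        return 1
    fi
    return 0
}

# Constructed sample index.txt (not a real one): client1 was issued twice,
# client2 was revoked and so does not count.
make_sample_index() {
    printf 'V\t170101000000Z\t\t01\tunknown\t/C=US/ST=CA/O=Home/CN=server/emailAddress=me@example.invalid\n'
    printf 'V\t170101000000Z\t\t02\tunknown\t/C=US/ST=CA/O=Home/CN=client1/emailAddress=me@example.invalid\n'
    printf 'V\t170101000000Z\t\t03\tunknown\t/C=US/ST=CA/O=Home/CN=client1/emailAddress=me@example.invalid\n'
    printf 'R\t170101000000Z\t160101000000Z\t04\tunknown\t/C=US/ST=CA/O=Home/CN=client2/emailAddress=me@example.invalid\n'
}

# Usage: ./check-cns.sh /path/to/easy-rsa/keys/index.txt
if [ $# -gt 0 ]; then
    duplicate_cns "$1"
fi
```

Run it against keys/index.txt after the last ./build-key-pass; a non-zero exit means a name was reused and one of the certs should be regenerated under a new CN.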

Now we need to create a directory on the NSLU2 to copy our keys to.
mkdir -p /opt/etc/openvpn/keys

Copy these files to the NSLU2 (the list may be a bit different for you):
ca.crt, ca.key, dh1024.pem, server.crt, server.key, 01.pem, 02.pem, 03.pem, and 04.pem

Now let's create a server.conf on the NSLU2 and write our conf file.
You can get a sample conf file from the previous download. I will just touch on the main things I change below.

I use TCP so I can proxy:
# TCP or UDP server?
proto tcp
;proto udp

Choose a cipher of your choice. It must be the same on the client.
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES

Make sure it drops privileges to nobody.
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody

That's pretty much it for the server side.
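Because a ";" or "#" at the start of a line makes it a comment, it is easy to leave the cipher lines above commented out and not notice. Here is an added POSIX sh checker (my example, not from the post or from OpenVPN) that reads a server.conf and reports the things touched on above: which proto is active, whether a cipher is set (with none, OpenVPN of this era falls back to BF-CBC, the "Blowfish (default)" line), whether user/group nobody are active, and whether the dh line from the sample conf still points at 1024-bit parameters. The two configs embedded in it are constructed; the first mirrors the post's snippets with the cipher lines still commented out. The KEY_SIZE hint in the DH warning refers to the easy-rsa vars file and is my assumption about how the reader built dh1024.pem.

```shell
#!/bin/sh
# Added example, not from the original post: lint an OpenVPN server.conf for
# proto, cipher, user/group and dh settings. In OpenVPN config files a line
# that starts with ';' or '#' is a comment and does nothing.

# Print the first argument of the active directive $2 in config file $1
# (empty if the directive is absent or only present commented out).
conf_value() {
    awk -v d="$2" '
        /^[[:space:]]*[#;]/ { next }
        $1 == d { print $2; exit }
    ' "$1"
}

# Report weak or missing settings; returns 0 when nothing is flagged.
check_server_conf() {
    conf="$1"
    problems=0

    echo "proto: $(conf_value "$conf" proto)"

    cipher=$(conf_value "$conf" cipher)
    case "$cipher" in
        "")
            echo "WARN: no active cipher line; OpenVPN then falls back to BF-CBC"
            problems=$((problems + 1)) ;;
        BF-CBC|DES-EDE3-CBC)
            echo "WARN: cipher $cipher uses a 64-bit block; use AES-128-CBC or larger"
            problems=$((problems + 1)) ;;
        *)
            echo "ok: cipher $cipher" ;;
    esac

    for directive in user group; do
        if [ "$(conf_value "$conf" "$directive")" != nobody ]; then
            echo "WARN: '$directive nobody' is not active; openvpn keeps the privileges it started with"
            problems=$((problems + 1))
        fi
    done

    case "$(conf_value "$conf" dh)" in
        *1024*)
            echo "WARN: 1024-bit DH parameters; regenerate with KEY_SIZE=2048 in vars (assumed easy-rsa setting)"
            problems=$((problems + 1)) ;;
    esac

    [ "$problems" -eq 0 ]
}

# Constructed sample configs (not the post's full server.conf). The first
# mirrors the post's snippets with the cipher lines still commented out.
weak_conf() {
    cat <<'EOF'
# TCP or UDP server?
proto tcp
;proto udp
dh dh1024.pem
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;user nobody
;group nobody
EOF
}

hardened_conf() {
    cat <<'EOF'
proto tcp
dh dh2048.pem
cipher AES-128-CBC # AES
user nobody
group nobody
EOF
}

# Usage: ./check-conf.sh /opt/etc/openvpn/server.conf
if [ $# -gt 0 ]; then
    check_server_conf "$1"
fi
```

Whatever cipher the checker ends up approving has to be copied into the client config as well, as the comment in the sample conf says.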

For the client side, it's pretty much straightforward. Just make sure you have the right certs:
ca.crt
client1.crt
client1.key

Now back to the NSLU2.

For a while I had been trying to get MASQUERADE in iptables to work, but since the module is not in the ipkg repository and it is not enabled in the kernel, this was not working. If you view the comment below, Cooper did get this working and wrote a how-to for it. Since he wanted MASQUERADE for something a bit different, I will document how I did it. I wanted it so I can hit other boxes behind the VPN without having to create SSH tunnels (which is what I was doing).
Here is Cooper's doc on the NSLU2 site:

http://www.nslu2-linux.org/wiki/HowTo/EnableIPMasquerading

Now, for what I did for MASQUERADE.

First, I install the MASQUERADE modules. I used pre-compiled ones since I'm lazy; you can compile them yourself if you like, and Cooper's doc shows you how. Below is a link to pre-compiled ones:

http://www.defector.de/docs/nslu2-ipmasq.htm

Now you can install these:

ipkg-cl install kernel-module-ipt-masquerade_2.4.22.l2.3r63-r7_nslu2.ipk
ipkg-cl install kernel-module-ipt-state_2.4.22.l2.3r63-r7_nslu2.ipk

Now let's load the modules with insmod:

insmod ip_tables
insmod iptable_filter
insmod ip_conntrack
insmod iptable_nat
insmod ipt_state
insmod ipt_MASQUERADE

If some modules cannot be found, I may have forgotten to document them when I was messing around with different modules.
You can easily find and install them. I actually don't think you even need ipt_state or iptable_filter, but I put them in there anyway to have a more full-blown iptables (in case of future work).

Example:
ipkg list |grep conntrack

Now let's get all this stuff to run on reboot.

Create /opt/etc/init.d/S24openvpn and make it +x (the rows of # below are just delimiters, not part of the file):

###################################################
#!/bin/sh

# stop any running instance before starting a fresh one
if [ -n "`pidof openvpn`" ]; then
    /bin/killall openvpn 2>/dev/null
fi

# load kernel modules
/sbin/insmod tun
/sbin/insmod ip_tables
/sbin/insmod iptable_filter
/sbin/insmod ip_conntrack
/sbin/insmod iptable_nat
/sbin/insmod ipt_state
/sbin/insmod ipt_MASQUERADE

# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# set iptables rule
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ixp0 -j MASQUERADE

# Startup VPN tunnel in daemon mode
/opt/sbin/openvpn --cd /opt/etc/openvpn --daemon \
    --log-append /var/log/openvpn.log \
    --config server.conf
###################################################
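Two things the init script leaves open: rerunning it spits out insmod errors for modules that are already loaded, and the MASQUERADE rule on its own lets the NSLU2 forward anything once ip_forward is on. Here is an added helper script (my example, not the post's S24openvpn and not anything from the NSLU2 project) that loads a module only if /proc/modules does not already list it, and adds FORWARD rules so that only connections coming in from the tunnel get forwarded while replies are matched as ESTABLISHED,RELATED. That state match is exactly what ipt_state provides, and the FORWARD policy needs iptable_filter, so both modules the post was unsure about earn their place here. It keeps the post's 10.8.0.0/24 subnet and ixp0 LAN interface; tun0 as the tunnel interface name is my assumption (OpenVPN's first "dev tun" device). The IPT and INSMOD variables can be overridden, e.g. IPT=echo, to preview the rules without root; the /proc/modules excerpt used for testing is constructed.

```shell
#!/bin/sh
# Added example, not part of the post or its S24openvpn script.
# Assumptions: VPN subnet 10.8.0.0/24 and LAN interface ixp0 as in the post;
# "tun0" as the tunnel interface is an assumption (OpenVPN's first "dev tun").
# IPT and INSMOD can be overridden (e.g. IPT=echo) to preview without root.
IPT="${IPT:-iptables}"
INSMOD="${INSMOD:-/sbin/insmod}"

# Load module $1 unless the modules list ($2, default /proc/modules) already
# has it, so rerunning the init script does not fail on "already loaded".
# The module name is the first word of each /proc/modules line.
load_module() {
    mod="$1"
    modlist="${2:-/proc/modules}"
    if grep -q "^$mod " "$modlist" 2>/dev/null; then
        return 0
    fi
    "$INSMOD" "$mod"
}

# Masquerade VPN clients out of the LAN (the post's rule), then only forward
# connections that originate on the tunnel side. Replies from the LAN come
# back through the ESTABLISHED,RELATED match that ipt_state provides; anything
# else that would be forwarded hits the DROP policy (needs iptable_filter).
apply_vpn_firewall() {
    vpn_net="$1"; lan_if="$2"; tun_if="$3"
    "$IPT" -t nat -A POSTROUTING -s "$vpn_net" -o "$lan_if" -j MASQUERADE
    "$IPT" -P FORWARD DROP
    "$IPT" -A FORWARD -i "$tun_if" -s "$vpn_net" -o "$lan_if" -j ACCEPT
    "$IPT" -A FORWARD -i "$lan_if" -o "$tun_if" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage: ./vpn-fw.sh apply   (as root on the NSLU2, or with IPT=echo to preview)
if [ "${1:-}" = "apply" ]; then
    for m in tun ip_tables iptable_filter ip_conntrack iptable_nat ipt_state ipt_MASQUERADE; do
        load_module "$m"
    done
    echo 1 > /proc/sys/net/ipv4/ip_forward
    apply_vpn_firewall 10.8.0.0/24 ixp0 tun0
fi
```

On a 2.4 kernel iptables has no rule-exists check, so the rules are appended each run; flush the nat POSTROUTING and FORWARD chains first if the script is run more than once per boot.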

Now you are all set! Test it out!

Thanks to everyone!