---
title: openvpn and openwrt
---
Success! Unrestricted, encrypted internet access from my laptop through a Linksys
WRT54G running OpenWrt. The OpenVPN documentation and IRC channel bot were
especially helpful: follow them for generating the keys, and use a
configuration like the one below if you want all your internet traffic routed
through the tunnel. I would not copy the firewall.user directly, since it is
overly open. Since I have almost no clue how iptables works, any help on
simplifying it would be appreciated.
client.conf:

```
client
dev tun
proto udp
pull # new for 2.1 (redundant here: "client" already implies pull and tls-client)
remote fayth.ath.cx 1194
nobind
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/fayth.crt
key /etc/openvpn/keys/fayth.key
# "dh" is a server-side directive and does nothing on the client, so it is left out here.
# Refuse to connect to a peer that presents a client certificate: without this,
# anyone holding a certificate signed by the same CA can impersonate the server.
# Requires the server certificate to have been built as one (easy-rsa build-key-server).
remote-cert-tls server
comp-lzo # must match the server; see the note there
verb 3
```
server.conf:

```
### connection
port 1194
proto udp
dev tun
# Lets VPN clients reach each other through the server; drop it if the only
# client is one laptop.
client-to-client
### security
user nobody
# OpenWrt usually names the gid-65534 group "nogroup", not "nobody": check
# /etc/group, otherwise OpenVPN fails when it tries to drop privileges.
group nobody
# Needed once user/group are set: after dropping privileges OpenVPN can no longer
# re-read the keys or re-open the tun device on a restart (SIGUSR1, ping-restart).
persist-key
persist-tun
### keys
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
### routing
server 10.8.0.0 255.255.255.0
# Make sure to include def1: it overrides the client's default route with
# 0.0.0.0/1 and 128.0.0.0/1 instead of deleting it, so the route to the VPN
# server itself survives and the original gateway is restored when the tunnel closes.
push "redirect-gateway def1"
# Only useful if a resolver on the router answers on 10.8.0.1 (check that dnsmasq
# listens on the tun interface); Linux clients also need an up script to apply it.
push "dhcp-option DNS 10.8.0.1"
### tunnel
# Compression must match on both sides. It is now deprecated because it leaks
# information about the encrypted traffic; leave it off unless you need it.
comp-lzo
keepalive 10 120
### logging
status /tmp/openvpn.status
```
/etc/firewall.user:

```sh
# Accepts ALL forwarded traffic in every direction, ahead of OpenWrt's own rules;
# this is the line that makes the set overly open, and it makes the tun+ FORWARD
# rules below redundant while it is present.
iptables -I FORWARD -j ACCEPT
### OpenVPN
# Traffic between the router itself and its VPN clients
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
# Forwarding into and out of the tunnel
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT
# The four -I rules below duplicate, or are subsets of, the -A rules above.
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I INPUT -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
# Masquerades traffic leaving the router INTO the tunnel. Client traffic bound for
# the internet leaves through the WAN interface instead, where OpenWrt's default
# firewall already masquerades it, so this rule does not contribute to that goal.
iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE
```
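The following is an added example, not the post's own firewall.user, showing the tighter rule set the post asks for: only the OpenVPN port comes in from the WAN, VPN clients may reach the router only for the DNS the server config pushes, client traffic is forwarded out to the internet and only replies come back, and NAT is applied where the traffic actually leaves. It assumes (none of this is on the page) a WAN interface name in $WAN, defaulting to vlan1 as on many WRT54G builds, that OpenWrt's default chains already drop unsolicited WAN input, and that a resolver on the router serves 10.8.0.1. The script prints the rules unless APPLY=1 is set, so it can be reviewed before it touches a live router.

```shell
#!/bin/sh
# Added example: a minimal firewall.user for the OpenVPN server configured above.
# ASSUMPTIONS (not from the original post): the WAN interface name below, and
# that OpenWrt's default policy already drops unsolicited input on the WAN.
WAN="${WAN:-vlan1}"          # check with ifconfig / uci; eth0.1 on newer builds
VPN_NET="10.8.0.0/24"        # the "server 10.8.0.0 255.255.255.0" range

# Dry-run wrapper: print the rule unless APPLY=1, so the set can be reviewed
# (and tested) on a machine without iptables or root.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

openvpn_rules() {
    # 1. Let the tunnel itself in: UDP 1194 on the WAN side only.
    ipt -A INPUT -i "$WAN" -p udp --dport 1194 -j ACCEPT

    # 2. Clients may talk to the router only for what the server pushes to them
    #    (DNS on 10.8.0.1) plus replies to anything the router started.
    ipt -A INPUT -i tun+ -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i tun+ -p tcp --dport 53 -j ACCEPT
    ipt -A INPUT -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. Forward client traffic out to the internet, and only replies back in.
    #    No blanket "-I FORWARD -j ACCEPT": everything else stays under
    #    OpenWrt's own forwarding policy.
    ipt -A FORWARD -i tun+ -o "$WAN" -s "$VPN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. NAT on the interface the traffic leaves through, restricted to the VPN
    #    subnet. If the default OpenWrt masquerade on $WAN is already present,
    #    this is harmless duplication.
    ipt -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN" -j MASQUERADE
}

# Number of rules the set produces; handy for a quick sanity check.
count_rules() {
    openvpn_rules | wc -l | tr -d ' '
}

openvpn_rules
```

After applying with APPLY=1, verify with `iptables -L -v -n` and `iptables -t nat -L -v -n` that the counters on the tun+ and $WAN rules increase while a client browses, and that no rule accepts all forwarding unconditionally. If the client does not get DNS, the INPUT rules for port 53 are the first place to look.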