OpenVPN Server HowTo (Streamlined)

To prevent discombobulation, please follow the format already in place within this Wiki when editing
(incl. the Table of Contents)

Introduction

Encryption

Easy-RSA gives little control over the certificate extensions this setup relies on (keyUsage, extendedKeyUsage, subjectAltName) & has other limitations, therefore OpenSSL is utilized directly via a custom openssl.cnf

Prerequisites

openssl.cnf

Prerequisites

Commands are executed from within /etc/ssl/ OpenVPN Prerequisites

  1. Install Packages:
    1. opkg update ; opkg install openvpn-openssl luci-app-openvpn openssl-util

  2. Download openssl.cnf:
    1. Save as /etc/ssl/openssl.cnf

  3. Navigate to SSL directory & create required directories
    1. cd /etc/ssl ; mkdir -p ca/csr crl openvpn/clients

  4. Create Serial file
    1. echo 00 > serial
      • Holds the serial of the most recent cert issued; openssl x509 -req -CAserial reads it, adds 1, writes the result back & uses it for the new cert
        • Serial is in hex, not dec[imal] format

  5. Create CRLnumber file
    1. echo 00 > crl/crlnumber
      • CRL should be generated, but will only be utilized once a cert is revoked

  6. Create Index file
    1. touch index
      • Maintains an index of all certs issued [lines 644 - 689]
        • Keeps track of certs issued; extremely important if one has revoked a cert

  7. Create Rand file
    1. touch rand
      • Seed file named by RANDFILE in openssl.cnf; OpenSSL reads it & writes fresh seed data back during key creation

Files & Folders

File & Folder Locations

  1. Config Locations:
    • Firewall: /etc/config/firewall
    • Network: /etc/config/network
    • OpenSSL: /etc/ssl/openssl.cnf
    • OpenVPN: /etc/config/openvpn

  2. Folder Locations:
    • OpenVPN
      • CA & ICA Certs: /etc/ssl/ca/
        • CSR: /etc/ssl/ca/csr/
        • CRL: /etc/ssl/crl/
      • Client Certs: /etc/ssl/openvpn/clients/
      • Server Certs: /etc/ssl/openvpn/

Extensions

Certificate Extensions

  1. .csr:
    • certificate request

  2. .key:
    • private key
      • All key files, except for a server's, should be encrypted with a passphrase

  3. .crt:
    • signed certificate

  4. .p12:
    • PKCS12 certificate
      • Contains the CA.crt or concatenated ICA-CA.crt, Certificate.crt, and CertificateKey.key

OpenSSL

Synopsis

Cookbook Wiki Section Synopsis

  • These tabs contain critical information one will likely find helpful while going through the steps in this wiki
    • Tabs 2 - 3 contain informational & reference links to the main man pages
    • Tabs 4 - 7 cover the definitions of KUs, EKUs, KEAs, & EC KEAs

keyUsage

keyUsage

  1. digitalSignature
    1. Certificate may be used to apply a digital signature
      1. Digital signatures are often used for entity authentication & data origin authentication with integrity

  2. nonRepudiation
    1. Certificate may be used to sign data as above but the certificate public key may be used to provide non-repudiation services
      1. This prevents the signing entity from falsely denying some action

  3. keyEncipherment
    1. Certificate may be used to encrypt a symmetric key which is then transferred to the target
      1. Target decrypts key, subsequently using it to encrypt & decrypt data between the entities

  4. dataEncipherment
    1. Certificate may be used to encrypt & decrypt actual application data

  5. keyAgreement
    1. Certificate enables use of a key agreement protocol to establish a symmetric key with a target
    2. Symmetric key may then be used to encrypt & decrypt data sent between the entities

  6. keyCertSign
    1. CA ONLY
      1. Subject public key is used to verify signatures on certificates
      2. This extension must only be used for CA certificates

  7. cRLSign
    1. CA ONLY
      1. Subject public key is used to verify signatures on revocation information, such as a CRL
      2. This extension must only be used for CA certificates

  8. encipherOnly
    1. KU keyAgreement is required
    2. Public key used only for enciphering data while performing key agreement

  9. decipherOnly
    1. KU keyAgreement is required
    2. Public key used only for deciphering data while performing key agreement

extendedKeyUsage

OID repository extendedKeyUsage

  1. serverAuth
    1. All VPN servers should be signed with this EKU present
      1. SSL/TLS Web/VPN Server authentication EKU, distinguishing a server which clients can authenticate against
      2. Clients check it with option remote-cert-tls server, which supersedes the older ns-cert-type check (ns stands for Netscape [browser])

  2. clientAuth
    1. All VPN clients must be signed with this EKU present
      1. SSL/TLS Web/VPN Client authentication EKU distinguishing a client as a client only; the server checks it with option remote-cert-tls client

  3. codeSigning
    1. Code Signing

  4. emailProtection
    1. Email Protection via S/MIME, allows you to send and receive encrypted emails

  5. timeStamping
    1. Trusted Timestamping

  6. OCSPSigning
    1. OCSP Signing

  7. ipsecIKE
    1. IPSec Internet Key Exchange: the EKU that RFC 4945 [5.1.3.12] defines for IKE peers, so it is not in the same boat as the three below [#8]
      1. This is the value to use when an IPSec cert carries an EKU at all
      2. clientAuth can be utilized in an IPSec VPN client cert

  8. ipsecEndSystem, ipsecTunnel, & ipsecUser
    1. SHOULD NOT BE UTILIZED
      1. Assigned in 1999, the semantics of these values were never clearly defined
      2. RFC 4945: The use of these three EKU values is obsolete and explicitly deprecated by this specification [5.1.3.12]

  9. msCodeInd
    1. Microsoft Individual Code Signing (authenticode)

  10. msCodeCom
    1. Microsoft Commercial Code Signing (authenticode)

  11. msCTLSign
    1. Microsoft Trust List Signing

  12. msEFS
    1. Microsoft Encrypted File System Signing

Key Exchange

Key Exchange

  1. RSA
    1. Key exchange occurs via encryption of a random value (the premaster secret)
      1. Client generates a random value & encrypts it with the server's public key
      2. Server public key must be an RSA key
      3. Server certificate must utilize KU keyEncipherment
      4. No forward secrecy: whoever later obtains the server's private key can decrypt recorded sessions

  2. DH_RSA
    1. Key exchange occurs via a static Diffie-Hellman key
      1. Server public key must be a Diffie-Hellman key (KU keyAgreement)
      2. Diffie-Hellman key must have been issued by a CA
      3. CA must have signed the certificate with an RSA key

  3. DH_DSS (also written DH_DSA)
    1. Like DH_RSA, except the CA signed the certificate with a DSA key in lieu of RSA

  4. DHE_RSA
    1. Key exchange occurs via an ephemeral Diffie-Hellman key (forward secrecy)
      1. Server dynamically generates a DH public key, signs it with its private key & sends it to the client
      2. Server public key must be an RSA key
      3. Server certificate must utilize KU digitalSignature

  5. DHE_DSS (also written DHE_DSA)
    1. Like DHE_RSA, except the server's public key is a DSA key, which signs the DH value

EC Key Exchange

Elliptic-Curve Key Exchange

  1. ECDH_ECDSA
    1. Like DH_DSA, but with elliptic curves
      1. Server public key must be an ECDH key
      2. Server certificate must be issued by a CA utilizing an ECDSA public key

  2. ECDH_RSA
    1. Like ECDH_ECDSA, except CA used an RSA key

  3. ECDHE_ECDSA
    1. Server sends a dynamically generated EC Diffie-Hellman key, signing it via its ECDSA key
      1. Equivalent to DHE_DSS, but with elliptic curves for both the Diffie-Hellman & signature

  4. ECDHE_RSA
    1. Like ECDHE_ECDSA, except Server public key is an RSA key
      1. Server public key signs the ephemeral EC Diffie-Hellman key

CA Creation

Prerequisites

/etc/ssl/openssl.cnf CA OpenSSL Prerequisites

Modify the following SubjectAltNames & V3 Profiles

  1. Certificate Authorities [Line 177]
    1. Main
      1. Line 183: DNS.1 = Router.1
        • Change Router.1 to what you'd like the name of your Certificate Authority to be

  2. Certificate Authority Clients [Line 205]
    1. Servers
      • Lines: 198 - 220
    2. Clients
      • Lines: 222 - 226

Commands

Commands are executed from within /etc/ssl/ CA OpenSSL Commands

  1. Generate CA
    openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca/OpenWrt-CA.key.pem -out ca/OpenWrt-CA.crt.pem -config ./openssl.cnf -extensions v3_ca_main
    • Key passphrase should be a 20 character minimum, containing at least: 2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols
    • This key only signs the ICA & the CA CRL; once those exist it is not needed on the router (see Backup)

  2. Generate CA CRL
    openssl ca -gencrl -keyfile ca/OpenWrt-CA.key.pem -cert ca/OpenWrt-CA.crt.pem -out crl/OpenWrt-CA.crl.pem -config ./openssl.cnf
  3. Convert CA CRL → DER CRL
    openssl crl -inform PEM -in crl/OpenWrt-CA.crl.pem -outform DER -out crl/OpenWrt-CA.crl

ICA Creation

Prerequisites

/etc/ssl/openssl.cnf ICA OpenSSL Prerequisites

Modify the following SubjectAltNames & V3 Profiles

  1. Certificate Authorities [Line 177]
    1. Router 2
      1. Line 188: DNS.1 = Router.2
        • Change Router.2 to what you'd like the name of your Intermediate CA to be

  2. Intermediate Certificate Authority Clients [Line 229]
    1. Servers
      • Lines: 235 - 251
    2. Clients
      • Lines: 253 - 261:

Commands

Commands are executed from within /etc/ssl/ ICA OpenSSL Commands

  1. Generate Intermediate CA CSR
    openssl req -out ca/csr/OpenVPN-ICA.csr -new -sha512 -newkey rsa:4096 -keyout ca/OpenVPN-ICA.key -config ./openssl.cnf -extensions v3_ica_router2
    • Key passphrase should be a 20 character minimum, containing at least: 2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols
    • The validity period is set when the CSR is signed (step 2); openssl req ignores -days unless -x509 is given

  2. Create & Sign ICA with CA
    openssl x509 -req -sha512 -days 3650 -in ca/csr/OpenVPN-ICA.csr -CA ca/OpenWrt-CA.crt.pem -CAkey ca/OpenWrt-CA.key.pem -CAserial ./serial -out ca/OpenVPN-ICA.crt.pem -extfile ./openssl.cnf -extensions v3_ica_router2
  3. Generate ICA CRL
    openssl ca -gencrl -keyfile ca/OpenVPN-ICA.key -cert ca/OpenVPN-ICA.crt.pem -out crl/OpenVPN-ICA.crl.pem -config ./openssl.cnf
  4. Convert ICA CRL → DER CRL
    openssl crl -inform PEM -in crl/OpenVPN-ICA.crl.pem -outform DER -out crl/OpenVPN-ICA.crl
  5. Concatenate ICA → CA Chain
    cat ca/OpenVPN-ICA.crt.pem ca/OpenWrt-CA.crt.pem > ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem

Index File

Info

/etc/ssl/index Index Info

  • openssl ca maintains the index file automatically, but only when it is also the tool used to sign certs
    • This wiki signs with openssl x509 -req, which never touches the index, because openssl ca requires additional configuration & adds unneeded complexity
    • openssl ca -revoke & openssl ca -gencrl still read the index, so every cert issued must be entered by hand or it cannot be revoked later

Index

/etc/ssl/index Index File

Manually maintaining the index file consists of inputting 1 cert entry per line, fields separated by tabs, in the following format

  • Entering certificate information into the index file takes ~30s per cert
  • Copy & paste the DN, serial & expiry from the output of: openssl x509 -in certificate.crt -noout -subject -serial -enddate -nameopt compat
    • -nameopt compat prints the subject in the slash-separated form the index uses

V    261231235959Z            0a    unknown    /C=US/ST=State/L=Locality/O=Sophos UTM/OU=LAN/CN=Cert Common Name/emailaddress=whatever@whichever.com
1    2----------->    3->     4->   5----->    6--------------------------------------------------------------------------------------------------->

  1. Status of Certificate
    1. V [Valid]
    2. R [Revoked]
    3. E [Expired]

  2. Expiration Date
    1. Format: YYMMDDHHMMSS followed by Z
      • 2026.12.31 @ 23:59:59

  3. Revocation Date
    1. Format: YYMMDDHHMMSSZ,reason
      1. Valid reasons are:
        1. keyCompromise
        2. CACompromise
        3. affiliationChanged
        4. superseded
        5. cessationOfOperation
        6. certificateHold
        7. privilegeWithdrawn
        8. AACompromise
    2. Empty if not revoked
      • Certain distros were erroring out without a whitespace for 3 in the index file, which is why it's there

  4. Serial number (hex format)
    1. 0a is hex for 10
      1. Windows:
        • Calculator has programmer feature which can convert dec ↔ hex
      2. Linux/BSD
        • cli hex → dec: printf '%d\n' 0x0a returns 10
        • cli dec → hex: printf '%x\n' 10 returns 0a

  5. Certificate Filename or Literal String
    1. openssl ca always writes the literal string unknown here; do the same

  6. Distinguished Name
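The index format above is easy to get wrong by hand (the page quotes ~30s per cert, and one malformed line stops openssl ca from loading the database). The following is an added example for this page, not code from the wiki or from OpenSSL: a standard-library Python module that builds entries in exactly the column layout described, parses an existing index, reports the value /etc/ssl/serial should hold, and flags duplicate CNs. It assumes the six tab-separated columns listed above with the literal "unknown" in the filename column, and writes serials as uppercase hex with an even number of digits, because that is how openssl ca writes them and its revocation lookup compares them as strings. The DNs and dates used in the comments are constructed.

```python
"""Helpers for the hand-maintained /etc/ssl/index file described above.

Added example for this wiki page; not part of the page or of OpenSSL.
Pure standard library.  Assumptions: six tab-separated columns (status,
expiry, revocation, serial, filename, DN), filename column is the literal
"unknown", serials are uppercase hex with an even digit count (the form
`openssl ca` itself writes and compares as a string).
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Reasons accepted in the revocation column (RFC 5280 CRLReason names)
REVOCATION_REASONS = {
    "keyCompromise", "CACompromise", "affiliationChanged", "superseded",
    "cessationOfOperation", "certificateHold", "privilegeWithdrawn",
    "AACompromise",
}


def openssl_time(dt: datetime) -> str:
    """Time as OpenSSL writes it in the index: YYMMDDHHMMSSZ (UTC)."""
    if dt.tzinfo is not None:
        dt = dt.astimezone(timezone.utc)
    return dt.strftime("%y%m%d%H%M%SZ")


def serial_hex(serial: int) -> str:
    """Serial as uppercase hex, zero-padded to an even number of digits."""
    s = format(serial, "X")
    return s if len(s) % 2 == 0 else "0" + s


def index_entry(not_after: datetime, serial: int, dn: str,
                revoked_at: Optional[datetime] = None,
                reason: Optional[str] = None) -> str:
    """Build one index line.  `dn` is the slash-separated subject from
    `openssl x509 -in cert -noout -subject -nameopt compat`."""
    if not dn.startswith("/"):
        raise ValueError("DN must be in slash notation, e.g. /C=US/CN=name")
    if revoked_at is None:
        status, revocation = "V", ""
    else:
        status, revocation = "R", openssl_time(revoked_at)
        if reason is not None:
            if reason not in REVOCATION_REASONS:
                raise ValueError(f"unknown revocation reason {reason!r}")
            revocation += "," + reason
    return "\t".join([status, openssl_time(not_after), revocation,
                      serial_hex(serial), "unknown", dn])


def parse_index(text: str) -> List[Dict]:
    """Parse index text into records, rejecting malformed lines early
    (a bad line makes `openssl ca` refuse to load the whole database)."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6 or fields[0] not in ("V", "R", "E"):
            raise ValueError(f"line {lineno}: need 6 tab-separated fields, status V/R/E")
        status, expiry, revocation, serial, filename, dn = fields
        if status == "R" and not revocation:
            raise ValueError(f"line {lineno}: revoked entry without revocation date")
        records.append({"status": status, "expiry": expiry,
                        "revocation": revocation, "serial": int(serial, 16),
                        "filename": filename, "dn": dn})
    return records


def serial_file_value(text: str) -> str:
    """What /etc/ssl/serial should contain to be in sync with the index.
    `openssl x509 -req -CAserial` reads the file, adds 1, writes the result
    back and uses it for the new cert, so the file holds the last serial
    issued; "00" (the wiki's initial value) when nothing has been issued."""
    serials = [r["serial"] for r in parse_index(text)]
    return serial_hex(max(serials)) if serials else "00"


def duplicate_cns(text: str) -> Set[str]:
    """CNs that appear on more than one valid (V) certificate.  OpenVPN
    identifies clients by CN, which is why the wiki says not to reuse one."""
    seen: Set[str] = set()
    dups: Set[str] = set()
    for r in parse_index(text):
        if r["status"] != "V":
            continue
        cn = next((p[3:] for p in r["dn"].split("/") if p.startswith("CN=")), "")
        if cn in seen:
            dups.add(cn)
        seen.add(cn)
    return dups
```

To add a cert: run openssl x509 -in cert.crt.pem -noout -subject -serial -enddate -nameopt compat, pass the subject, serial and notAfter to index_entry(), and append the returned line plus a newline to /etc/ssl/index; parse_index() over the file afterwards is a cheap check that nothing was mangled.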

Server Cert

Prerequisites

/etc/ssl/openssl.cnf Server Cert OpenSSL Prerequisites

Modify the following SubjectAltNames & V3 Profiles

SubjectAltNames Profile

  1. Intermediate Certificate Authority Clients (Line 229)
    1. Change the server's SAN IP from 10.0.1.1 to match your VPN Server IP
      1. Line 250: IP.1 = 10.0.1.1

    2. Change the SAN DNS from your.ddns.com to match your own DDNS and/or FQDN
      1. Line 251: DNS.1 = your.ddns.com
        • For each additional DNS or FQDN, add a new line in sequential order (i.e. DNS.2, DNS.3, etc.)
Commands

Commands are executed from within /etc/ssl/ Server Cert OpenSSL Commands

  1. Generate VPN Server CSR
    openssl req -out ca/csr/vpn-server.csr -new -sha512 -newkey rsa:2048 -keyout openvpn/vpn-server.key.pem -config ./openssl.cnf -extensions v3_openvpn_server -nodes
    • -nodes leaves the private key unencrypted (no passphrase)
      • For server certs only, as a passphrase prevents the server from starting/restarting without manual intervention

  2. Create & Sign Cert with ICA
    openssl x509 -req -sha512 -days 3650 -in ca/csr/vpn-server.csr -CA ca/OpenVPN-ICA.crt.pem -CAkey ca/OpenVPN-ICA.key -CAserial ./serial -out openvpn/vpn-server.crt.pem -extfile ./openssl.cnf -extensions v3_openvpn_server
  3. Export to PKCS12
    openssl pkcs12 -export -out openvpn/vpn-server.p12 -inkey openvpn/vpn-server.key.pem -in openvpn/vpn-server.crt.pem -certfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem
    • Do not encrypt this PKCS12 (press Enter at the export password prompt); like -nodes above, a passphrase would block unattended restarts

    • The ICA signs the server & client certs
      • The ICA → CA chain must be exported with the cert & key to maintain the certificate chain of trust
        • Chain of Trust hierarchy: CA → Intermediate CA → Server/Client

Client Certs

Do not use the same Common Name (CN) on more than one certificate

Prerequisites

/etc/ssl/openssl.cnf Client Cert OpenSSL Prerequisites

Modify the following SubjectAltNames & V3 Profiles

SubjectAltNames Profile

  1. Intermediate Certificate Authority Clients (Line 229)
    1. Change the SAN DNS from VPNserver-Client1-Device-Hostname to match client username
      1. Line 255: DNS.1 = VPN-<username>-Hostname
        • This makes configuring CCD more convenient

    2. Change the SAN email from user1@email.com to user's email
      1. Line 256 email.1 = user1@email.com
Commands

Commands are executed from within /etc/ssl/ Client Cert OpenSSL Commands

  1. Generate VPN Client Certs
    openssl req -out ca/csr/vpn-client1.csr -new -sha512 -newkey rsa:2048 -keyout openvpn/clients/vpn-client1-<username>-<hostname>.key.pem -config ./openssl.cnf -extensions v3_vpn2_user1
    • Key passphrase should be a 20 character minimum, containing at least: 2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols

  2. Sign Cert with ICA
    openssl x509 -req -sha512 -days 3650 -in ca/csr/vpn-client1.csr -CA ca/OpenVPN-ICA.crt.pem -CAkey ca/OpenVPN-ICA.key -CAserial ./serial -out openvpn/clients/vpn-client1-<username>-<hostname>.crt.pem -extfile ./openssl.cnf -extensions v3_vpn2_user1
    • The chain of trust is CA → Intermediate CA → Client, so clients are signed with the ICA key (not the root CA key) & are revoked via the ICA CRL
  3. Export to PKCS12
    openssl pkcs12 -export -out openvpn/clients/vpn-client1-<username>-<hostname>.p12 -inkey openvpn/clients/vpn-client1-<username>-<hostname>.key.pem -in openvpn/clients/vpn-client1-<username>-<hostname>.crt.pem -certfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem
    • Protect this PKCS12 with an export password; it travels to the client device together with the private key

Diffie-Hellman Key

  1. Generate DH parameters (executed from /etc/ssl/)
    openssl dhparam -out openvpn/dh2048.pem 2048
    • Generating DH parameters takes a long time on router-class CPUs (the time goes into searching for a large prime, not into randomness)
      • The file contains no secret, so it can be generated on a faster machine & copied to /etc/ssl/openvpn/

    • You may wish to generate 3072bit and 4096bit parameters as well
      • For finite-field DHE the DH modulus should be at least as large as the RSA key (2048bit cert keys → dh2048.pem or larger), otherwise the key exchange is the weakest link

    • OpenVPN 2.4 added Elliptic-Curve [EC] key exchange (the TLS-ECDHE-* suites)
      • ECDHE does not use this file; when only ECDHE suites are enabled, option dh can be set to 'none'

TLS-Auth Key

  1. Generate TLS-Auth key (executed from /etc/ssl/)
    openvpn --genkey --secret openvpn/tls-auth.key
    • tls-auth adds an HMAC to every control-channel packet; packets without a valid HMAC are dropped before any TLS processing
      • This hides the server from port scans & keeps unauthenticated input away from the TLS handshake code (DoS & pre-auth exploits)
      • It does not provide Perfect Forward Secrecy; that comes from the DHE/ECDHE key exchange selected in tls_cipher

    • tls-auth requires a static Pre-Shared Key, generated in advance, and shared among all clients
      • This requires incoming packets to have a valid HMAC generated using the PSK
        • If the key is changed, it must be changed on all clients at the same time (no support for rollover)
      • OpenVPN 2.4 adds tls-crypt, which uses the same kind of key to also encrypt the control channel

Import & Backup

GnuPG is a good tool for encrypting backups of the CA, ICA & client material

Backup

/etc/sysupgrade.conf Backup

Create a backup:

  1. Apply correct permissions:
    chmod 600 /etc/ssl/ca/* /etc/ssl/ca/csr/* /etc/ssl/crl/* /etc/ssl/openvpn/* /etc/ssl/openvpn/clients/* ; chmod 644 /etc/ssl/ca/*.crt* /etc/ssl/openvpn/*.crt* /etc/ssl/openvpn/clients/*.crt* /etc/ssl/crl/*.crl
  2. Utilize GnuPG to encrypt a copy of /etc/ssl/
    1. Create separate encryption tars for:
      • /etc/ssl/ca/
      • /etc/ssl/openvpn/
      • /etc/ssl/openvpn/clients/

    2. After creating encrypted backups:
      1. Copy p12s to their respective clients
      2. Delete the unencrypted client, CA, & ICA keys and PKCS12s from the router
        • Overwriting free space does not reliably destroy data on flash storage (wear levelling), so treat anything once stored unencrypted on the router as recoverable; the encrypted backups & an offline copy of the CA key are the copies that matter

  3. Add directories & files to /etc/sysupgrade.conf
    1. vi /etc/sysupgrade.conf
      1. Add:
        • /etc/config/
        • /etc/openvpn/
        • /etc/ssl/
        • /etc/firewall.user
        • /etc/sysupgrade.conf
    2. # LuCI: System - Backup/Flash Firmware - Configuration
       
          # Directories #
      #---------------------------------------------------
      /etc/config/
      /etc/openvpn/
      /etc/ssl/
       
          # Files #
      #---------------------------------------------------
      /etc/firewall.user
      /etc/sysupgrade.conf

Linux/BSD

Linux & BSD

If utilizing Linux/BSD:

  • Due to the sheer number of distros, and differing means of handling certificate authorities, please google:
    1. <your distro name> install certificate authority
    2. <your distro name> install intermediate certificate authority

Windows

Windows PEM Association.reg

If utilizing Windows:

  1. Download PEM Association.reg, then import into registry (Right Click → Merge)
    • This causes Windows to associate the .pem extension as a valid certificate extension

  2. Add your CA cert to the Trusted Root Certification Authorities (user must have Administrator privileges)
    1. Right click on OpenWrt-CA.crt.pem:
      1. Install Certificate → Local Machine → Place all certificates in the following store → Browse → Trusted Root Certification Authorities

  3. Add your ICA cert to the Intermediate Certification Authorities (user must have Administrator privileges)
    1. Right click on OpenVPN-ICA.crt.pem:
      1. Install Certificate → Local Machine → Place all certificates in the following store → Browse → Intermediate Certification Authorities

  4. Steps 2 - 3 are only needed if the Windows certificate store is used (e.g. option cryptoapicert); otherwise the OpenVPN client validates against the CA/chain in its own config & PKCS12, and a private CA placed in the machine's Root store is trusted by every application on that machine, not only OpenVPN

Network

Interface Creation

  1. Create VPN interface
    uci set network.vpn0=interface ; uci set network.vpn0.ifname=tun0 ; uci set network.vpn0.proto=none
    1. You can replace network.vpn0 with network.<name>
      1. If you choose to do so, vpn will need to be updated accordingly in Firewall Rules

    2. You can replace ifname=tun0 with ifname=<name>
      1. If you choose to do so, option dev tun0 will need to be updated accordingly in VPN Server Config

  2. Commit changes
    uci commit network ; /etc/init.d/network reload

Configure DDNS

DDNS Wiki

Applies to connections from WAN

  1. A DDNS hostname or your own domain name is required for users who are not assigned static IPs by ISPs
    1. DDNS:
      • Dynamic Domain Name Service providers give the user a DNS name that is updated to follow their current public IP
      • Usually sold as a subscription; the router's ddns-scripts package sends the updates
    2. FQDN
      • A Fully Qualified Domain Name is a complete host name, e.g. vpn.example.com (a domain name, not a URL)
      • Domains are registered for a set period through a registrar, under a top-level domain whose delegation is managed by IANA

  2. Most users will likely configure DDNS

Firewall

Create Rules

A non-standard port (not 1194) should be utilized for the VPN

Information

/etc/config/firewall Firewall Info

  1. Traffic rules should be placed in the following order
    1. Firewall.User Script
    2. Redirect Rules
    3. Router Network Default
    4. VPN Network Default
    5. VPN InterZone Forwarding
    6. VPN Traffic Rules

  2. Rule protocol for VPNs may be opened for both TCP & UDP for troubleshooting purposes
    1. Allowing both prevents having to edit the firewall every time troubleshooting is needed
    2. The trade-off is an accept rule for a protocol nothing listens on; if least exposure matters more, allow only the protocol in the server config & add the other when needed

  3. SSL VPNs should always use UDP
    1. Except under the following two scenarios
      1. When troubleshooting
        OR
      2. When packet loss is high (TCP-over-TCP performs badly, but gets through where UDP is dropped)

  4. A port >1025 but <10000 should be utilized for the VPN
    1. If using a custom port, update VPN Server & VPN Client configs accordingly
      1. If needing to bypass a strict firewall in front of the router, utilize port 443 [HTTPS] with proto tcp, since such firewalls usually pass only TCP on 443

Rules

/etc/config/firewall Firewall Rules

The following rules are required:

  1. vi /etc/config/firewall

    #::: Traffic Rules :::#
    # LuCI: Network - Firewall - Traffic Rules
     
     
    #::: Defaults :::#
    # LuCI: Network - Firewall
    #------------------------------------------------
     
    #::: Firewall.User Rules :::#
    # LuCI: Network - Firewall - Custom Rules
    config include
        option  path            '/etc/firewall.user'
     
    # Default OpenWrt Rule #
    config defaults
        option  input           'ACCEPT'
        option  output          'ACCEPT'
        option  forward         'DROP'
        option  syn_flood       1
        option  drop_invalid    1
     
     
    # Allow initial VPN connection #
    #------------------------------------------------
    # LuCI: From any host in any zone To any router
    # IP at port 5000 on this device (Accept Input) 
    config rule
        option  target          'ACCEPT'
        option  family          'ipv4'
        option  proto           'tcp udp'
        option  src             '*'
        option  dest_port       5000
        option  name            'Allow Forwarded VPN Request -> <device>'
     
    # Once Assigned VPN IP, Allow Inbound -> LAN #
    #------------------------------------------------
    # LuCI: From IP range 10.1.0.0/28 in any zone To IP
    # range 192.168.1.0/26 on this device (Accept Input)
    config rule
        option  target          'ACCEPT'
        option  family          'ipv4'
        option  proto           'tcp udp'
        option  src             '*'
        option  src_ip          '10.1.0.0/28'
        option  dest_ip         '192.168.1.0/26'
        option  name            'Allow VPN0 -> LAN'
     
    # Once Assigned VPN IP, Allow Forwarded -> LAN #
    #------------------------------------------------
    # LuCI: From IP range 10.1.0.0/28 in any zone To IP
    # range 192.168.1.0/26 on this device (Accept Forward)
    config rule
        option  target          'ACCEPT'
        option  proto           'tcp udp'
        option  family          'ipv4'
        option  src             '*'
        option  src_ip          '10.1.0.0/28'
        option  dest            '*'
        option  dest_ip         '192.168.1.0/26'
        option  name            'Allow Forwarded VPN0 -> LAN'
     
    # Allow Outbound ICMP Traffic from VPN #
    #------------------------------------------------
    # LuCI: ICMP From IP range 10.1.0.0/28 in any 
    # zone To any host in lan (Accept Forward)
    config rule
        option  target          'ACCEPT'
        option  proto           'icmp'
        option  src             '*'
        option  src_ip          '10.1.0.0/28'
        option  dest            'lan'
        option  name            'Allow VPN0 (ICMP) -> LAN'
     
    # Allow Outbound Ping Requests from VPN #
    #------------------------------------------------
    # LuCI: ICMP with type echo-request From IP range
    # 10.1.0.0/28 in any zone To any host in wan (Accept Forward)
    config rule
        option  target          'ACCEPT'
        option  proto           'icmp'
        list    icmp_type       'echo-request'
        option  src             '*'
        option  src_ip          '10.1.0.0/28'
        option  dest            'wan'
        option  name            'Allow VPN0 (ICMP 8) -> <device> '
     
     
    #::: Zones :::#
    # LuCI: Network - Firewall - Zones
    #------------------------------------------------
     
    # LAN #
    config zone
        option  name            'lan'
        option  network         'lan'
        option  input           'ACCEPT'
        option  output          'ACCEPT'
        option  forward         'DROP'
     
    # VPN #
    config zone
        option  name            'vpn'
        option  network         'vpn0'
        option  input           'ACCEPT'
        option  output          'ACCEPT'
        option  forward         'ACCEPT'
     
    # WAN #
    config zone
        option  name            'wan'
        option  network         'wan wan6'
        option  input           'DROP'
        option  output          'ACCEPT'
        option  forward         'DROP'
        option  masq            1
        option  mtu_fix         1
     
     
    #::: InterZone Forwarding :::#
    # LuCI: Network -> Firewall -> Zones -
    # VPN - Edit - Inter-Zone Forwarding
    #------------------------------------------------
     
    # LAN to VPN #    
    config forwarding
        option  dest            'vpn'
        option  src             'lan'
     
    # LAN to WAN #
    config forwarding
        option  dest            'wan'
        option  src             'lan'
     
    # VPN to LAN #    
    config forwarding
        option  dest            'lan'
        option  src             'vpn'

  2. Commit changes
    /etc/init.d/firewall restart

Logging

firewall.user Script Netfilter Log

/etc/firewall.user

The following rules are required:

  1. vi /etc/firewall.user

    #::: Traffic Rules :::#
    # LuCI: Network - Firewall - Custom Rules
     
      # These rules assume the default port of 1194 is not used for the VPN
        # Port 5000 is used arbitrarily as the VPN port
     
     
        # Create Custom Chains (iptables chains, not fw3 zones) #
    #---------------------------------------------------
    iptables    -N  LOG-VPN
    iptables    -N  Rate_Limit
     
        # Populate Rate_Limit #
    #---------------------------------------------------
        # Only NEW packets to port 5000 are steered into this chain (see
        # "Apply Rate Limit"), so the first two rules match all of them;
        # the REJECT/LOG/DROP rules beneath are a safety net for anything
        # other rules might send here later
    iptables    -A  Rate_Limit  -p  tcp     --dport     5000                                -j  LOG-VPN
    iptables    -A  Rate_Limit  -p  udp     --dport     5000                                -j  LOG-VPN
    iptables    -A  Rate_Limit  -p  tcp                                                     -j  REJECT      --reject-with   tcp-reset
    iptables    -A  Rate_Limit  -p  udp                                                     -j  REJECT      --reject-with   icmp-port-unreachable
    iptables    -A  Rate_Limit  !   -p      icmp                                            -j  LOG         --log-prefix    "<[[--- Connection DROPPED ---]]>: "
    iptables    -A  Rate_Limit                                                              -j  DROP
     
        # Apply Rate Limit #
    #---------------------------------------------------
    iptables    -I  INPUT       -p  tcp     --dport     5000    -m  state   --state NEW     -j  Rate_Limit
    iptables    -I  INPUT       -p  udp     --dport     5000    -m  state   --state NEW     -j  Rate_Limit
     
        # Log VPN Traffic #
    #---------------------------------------------------
        # The limit match caps how many lines reach the kernel log, so a
        # flood of handshake packets cannot fill /tmp or the syslog target.
        # The ACCEPT below terminates INPUT processing, so the UCI rule
        # "Allow Forwarded VPN Request" only matters if this script is absent
    iptables    -A  LOG-VPN     -m  limit   --limit     30/min  --limit-burst   60          -j  LOG         --log-prefix    "<[[---  VPN Traffic ---]]> : "         --log-level 4
    iptables    -A  LOG-VPN                                                                 -j  ACCEPT

  2. Commit changes
    /etc/init.d/firewall restart
  3. Please also see:
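An added example (not from the wiki) showing what to do with the log lines the rules above produce: a standard-library Python parser that recognises the two --log-prefix strings, pulls the netfilter SRC/DST/PROTO/DPT fields, and counts attempts per source so that a burst of new handshakes from one address stands out. The sample lines are constructed to resemble logread output on OpenWrt; the date/facility prefix is an assumption and is ignored, only the key=value part after the prefix is parsed.

```python
"""Parse the netfilter LOG lines produced by the /etc/firewall.user rules
above and summarise VPN connection attempts per source address.

Added example for this page, not part of the wiki.  It keys only on the two
--log-prefix strings in the rules; SAMPLE_LOG is constructed to look like
`logread` output on OpenWrt (the date/facility prefix is an assumption and
is ignored; only the netfilter KEY=VALUE fields after the prefix are read).
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

VPN_PREFIX = "<[[---  VPN Traffic ---]]> : "
DROP_PREFIX = "<[[--- Connection DROPPED ---]]>: "

# netfilter writes KEY=VALUE pairs; flag fields such as DF carry no '='
_FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def _sample(prefix: str, src: str, proto: str, spt: int, ts: str) -> str:
    """Constructed log line in the shape logread prints kernel LOG output."""
    return (f"Thu Jan  1 {ts} 2026 kern.warn kernel: [  123.456789] {prefix}"
            f"IN=eth0.2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            f"SRC={src} DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF "
            f"PROTO={proto} SPT={spt} DPT=5000 LEN=40")


# Constructed sample: six fresh handshakes from one address within seconds,
# one from a second address, a dropped TCP probe, and an unrelated daemon line
SAMPLE_LOG = "\n".join(
    [_sample(VPN_PREFIX, "203.0.113.7", "UDP", 51234 + i, f"00:00:0{i}") for i in range(6)]
    + [_sample(VPN_PREFIX, "192.0.2.44", "UDP", 40000, "00:00:07"),
       _sample(DROP_PREFIX, "203.0.113.7", "TCP", 60000, "00:00:08"),
       "Thu Jan  1 00:00:09 2026 daemon.notice openvpn(VPNserver)[1234]: "
       "TLS: Initial packet from [AF_INET]192.0.2.44:40000"]
)


def parse_line(line: str) -> Optional[Dict]:
    """Record for a line carrying one of our prefixes, else None."""
    for kind, prefix in (("vpn", VPN_PREFIX), ("drop", DROP_PREFIX)):
        pos = line.find(prefix)
        if pos != -1:
            fields = dict(_FIELD.findall(line[pos + len(prefix):]))
            return {"kind": kind, "src": fields.get("SRC"), "dst": fields.get("DST"),
                    "proto": fields.get("PROTO"),
                    "dport": int(fields["DPT"]) if "DPT" in fields else None,
                    "fields": fields}
    return None


def summarise(log_text: str) -> Dict[str, Counter]:
    """Per-source counts of logged ('vpn') and dropped ('drop') packets."""
    per_src: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["src"]:
            per_src[rec["src"]][rec["kind"]] += 1
    return per_src


def noisy_sources(log_text: str, threshold: int = 5) -> List[str]:
    """Sources with more than `threshold` new packets to the VPN port.  A
    client reconnecting a few times is normal; a burst of fresh handshakes
    from one address usually means scanning or credential guessing and is
    the signal to add that address to a block list."""
    return sorted(src for src, c in summarise(log_text).items() if c["vpn"] > threshold)
```

On the router the input would be logread output (or the file a remote syslog collector writes); the threshold should be tuned to how often legitimate clients reconnect, since every reconnect after keepalive failure is a fresh NEW packet and therefore a fresh log line.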

VPN Server

Config

It's strongly encouraged to read through the OpenVPN HowTo & Man Page

Information

/etc/config/openvpn OpenVPN Information

  • This specific configuration has been designed to give the best performance possible, via MTU & Buffer Tuning recommendations
    • DNS primary & secondary are OpenDNS'
    • NTP is obtained from NIST (time-c) and can be updated to your NTP server of choice
      • NTP should be specified, as certificate validity checks on both server & client need a roughly correct clock; a router without a battery-backed clock boots with a stale date & will reject valid certs until time is synced

  • CCD directives (under Client Config) are commented out, as one will need to read the OpenVPN HowTo to understand how it's used
    • With ccd_exclusive set, only CNs that have a file in client_config_dir may connect, even if a valid client cert is used; without it, CCD only applies per-client settings

  • Two or more servers can be run from this config file
    • To add additional servers, copy & paste first config directly below itself, with a blank line separating the two

  • The OpenVPN HowTo & Man Page provide every possible option for the Server & Client Configs

  • OpenVPN 2.4 added TLS Elliptic-Curve [EC] support
    • ECDHE key exchange is cheaper than finite-field DHE at equivalent strength, resulting in faster handshakes & less load; the data channel cipher (option cipher) is unaffected
    • OpenVPN limits a single option argument to 256 characters, which caps the length of option tls_cipher
      • Suites are listed in preference order, most secure & efficient first
      • Disabled suites are specified at the end with an ! in front of the name

  • Ciphers must match the capabilities of the server & clients
    • Available TLS (control channel) cipher suites: openvpn --show-tls, or openssl ciphers -V for the underlying OpenSSL names
    • Available data channel ciphers (option cipher): openvpn --show-ciphers
      • Run the same commands on each client; on Windows pipe through findstr instead of grep
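As an added example tying the Key Exchange / EC Key Exchange sections above to the tls_cipher option discussed here (my code, not OpenVPN's, OpenSSL's or the wiki's): a Python audit that takes a tls-cipher string in OpenVPN's TLS-...-WITH-... spelling, reports which enabled suites lack forward secrecy or can never be negotiated with the server's key type, which keyUsage bits the server certificate therefore needs, and whether the string exceeds the 256-character option limit. The key-exchange table is the one RFC 5246 section 7.4.2 defines; PAGE_TLS_CIPHER reproduces the string from the server config further down so the check can be run against it. Doing so flags TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384: static ECDH gives no forward secrecy, and with the RSA server key generated above that suite cannot be selected at all.

```python
"""Audit an OpenVPN tls-cipher list against the key-exchange rules from the
Key Exchange / EC Key Exchange sections.

Added example for this page, not OpenVPN or OpenSSL code.  Suite names use
OpenVPN's TLS-<KX>-WITH-<CIPHER>-<MAC> spelling (as printed by
`openvpn --show-tls`).  The keyUsage column follows RFC 5246 section 7.4.2;
the 256-character limit is OpenVPN's per-option argument limit.  Whether a
peer can really negotiate a suite still depends on its OpenSSL build.
"""
import re
from typing import Dict, List

OPTION_PARM_SIZE = 256

# key exchange -> (forward secrecy?, server key type, keyUsage the server cert needs)
KX_RULES = {
    "RSA":         (False, "RSA",   "keyEncipherment"),
    "DH-RSA":      (False, "DH",    "keyAgreement"),
    "DH-DSS":      (False, "DH",    "keyAgreement"),
    "DHE-RSA":     (True,  "RSA",   "digitalSignature"),
    "DHE-DSS":     (True,  "DSA",   "digitalSignature"),
    "ECDH-ECDSA":  (False, "ECDH",  "keyAgreement"),
    "ECDH-RSA":    (False, "ECDH",  "keyAgreement"),
    "ECDHE-ECDSA": (True,  "ECDSA", "digitalSignature"),
    "ECDHE-RSA":   (True,  "RSA",   "digitalSignature"),
}

_SUITE = re.compile(r"^TLS-(?P<kx>[A-Z-]+?)-WITH-(?P<cipher>.+)$")

# The tls_cipher string from the server config on this page, for the check
PAGE_TLS_CIPHER = (
    "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:"
    "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:"
    "!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA"
)


def classify(suite: str) -> Dict:
    """Key-exchange properties of one suite name."""
    m = _SUITE.match(suite)
    if not m or m.group("kx") not in KX_RULES:
        raise ValueError(f"unrecognised suite {suite!r}")
    pfs, keytype, ku = KX_RULES[m.group("kx")]
    return {"suite": suite, "kx": m.group("kx"), "pfs": pfs,
            "server_key": keytype, "keyUsage": ku,
            "aead": "-GCM-" in suite or "-CHACHA20-" in suite}


def enabled_suites(tls_cipher: str) -> List[str]:
    """Suite names in the list, skipping empty items and ! exclusions."""
    return [s for s in tls_cipher.split(":") if s and not s.startswith("!")]


def audit(tls_cipher: str, server_key: str = "RSA") -> List[str]:
    """Problems a reviewer would flag: over-long option, suites without
    forward secrecy, suites the server's key type can never negotiate."""
    problems = []
    if len(tls_cipher) > OPTION_PARM_SIZE:
        problems.append(f"tls-cipher is {len(tls_cipher)} chars, limit is {OPTION_PARM_SIZE}")
    for s in enabled_suites(tls_cipher):
        info = classify(s)
        if not info["pfs"]:
            problems.append(f"{s}: static key exchange, no forward secrecy")
        if info["server_key"] != server_key:
            problems.append(f"{s}: needs a {info['server_key']} server key, "
                            f"server cert has {server_key}")
    return problems


def required_key_usage(tls_cipher: str) -> List[str]:
    """keyUsage bits the server cert must carry to serve every enabled suite."""
    return sorted({classify(s)["keyUsage"] for s in enabled_suites(tls_cipher)})
```

required_key_usage(PAGE_TLS_CIPHER) returns both digitalSignature and keyAgreement; dropping the static ECDH-RSA suite leaves digitalSignature alone, which is the only bit the v3_openvpn_server profile actually needs for the RSA key generated in the Server Cert section.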

Config

/etc/config/openvpn OpenVPN Server Config

  1. Create config:
    echo > /etc/config/openvpn ; vi /etc/config/openvpn
    1. Paste the following & edit accordingly

      config openvpn 'VPNserver'
          option  enabled             1
       
          # Protocol #
      #------------------------------------------------
          option  dev_type            'tun'
          option  dev                 'tun0'
          option  topology            'subnet'
          option  proto               'udp'
          option  port                5000
       
          # Routes # 
      #------------------------------------------------
          option  server              '10.1.0.0 255.255.255.240'
          option  ifconfig            '10.1.0.1 255.255.255.240'        
       
          # Client Config # 
      #------------------------------------------------
          #   option  ccd_exclusive           1
          #   option  ifconfig_pool_persist   '/etc/openvpn/clients/ipp.txt'
          #   option  client_config_dir       '/etc/openvpn/clients/'
       
          # Pushed Routes # 
      #------------------------------------------------
          list    push                'route 192.168.1.0 255.255.255.0'
          list    push                'dhcp-option    DNS 192.168.1.1'
          list    push                'dhcp-option    WINS 192.168.1.1'
          list    push                'dhcp-option    DNS 208.67.222.123'
          list    push                'dhcp-option    DNS 208.67.220.123'
          list    push                'dhcp-option    NTP 129.6.15.30'
       
          # Encryption # 
      #------------------------------------------------
          # Diffie-Hellman:
          option  dh                  '/etc/ssl/openvpn/dh2048.pem'
       
          # PKCS12:
          option  pkcs12              '/etc/ssl/openvpn/vpn-server.p12'
       
          # SSL:
          option  cipher              AES-256-CBC
          option  auth                'SHA512'
          option  tls_auth            '/etc/ssl/openvpn/tls-auth.key 0'
       
          # TLS:
          option  tls_server          1
          option  tls_version_min     1.2
          option  tls_cipher          'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'
       
          # Logging # 
      #------------------------------------------------
          option  log_append          '/tmp/openvpn.log'
          option  status              '/tmp/openvpn-status.log'
          option  verb                4
       
          # Connection Options # 
      #------------------------------------------------
          option  keepalive           '10 120'
          # comp_lzo compresses the data channel.  Compressing attacker-influenced plaintext leaks
          # information (the VORACLE attack); prefer 'no' unless clients require it, and keep the
          # client configs in step with whatever is chosen here.
          option  comp_lzo            'yes'
       
          # Connection Reliability # 
      #------------------------------------------------
          option  client_to_client    1
          option  persist_key         1
          option  persist_tun         1
       
          # Connection Speed # 
      #------------------------------------------------
          option  sndbuf              393216
          option  rcvbuf              393216
          option  fragment            0
          option  mssfix              0
          option  tun_mtu             48000
       
          # Pushed Buffers # 
      #------------------------------------------------
          list    push                'sndbuf 393216'
          list    push                'rcvbuf 393216'
       
          # Permissions # 
      #------------------------------------------------
          option  user                'nobody'
          option  group               'nogroup'
       
       
          # chroot #
      #------------------------------------------------
          # A chroot limits what a compromised openvpn process can reach and should be configured
          # wherever space allows; most consumer routers lack the flash for it, as an OpenVPN chroot
          # is ~11MB in size.
       
              # Modify if chroot is configured #
          #--------------------------------------------
              # option  ccd_exclusive             1
              # option  ifconfig_pool_persist     /var/chroot-openvpn/etc/openvpn/clients/ipp.txt
              # option  client_config_dir         /var/chroot-openvpn/etc/openvpn/clients
       
              # option  cipher                    AES-256-CBC
              # option  dh                        /var/chroot-openvpn/etc/ssl/openvpn/dh2048.pem
              # option  pkcs12                    /var/chroot-openvpn/etc/ssl/openvpn/vpn-server.p12
              # option  tls_auth                  '/var/chroot-openvpn/etc/ssl/openvpn/tls-auth.key 0'
  2. Commit changes
    /etc/init.d/openvpn enable ; /etc/init.d/openvpn start ; sleep 2 ; cat /tmp/openvpn.log

CCD

/etc/openvpn/clients OpenVPN Server CCD Config

  1. Enable CCD within Server config:
    1. vi /etc/config/openvpn
         option  ccd_exclusive           1
         option  ifconfig_pool_persist   '/etc/openvpn/clients/ipp.txt'
         option  client_config_dir       '/etc/openvpn/clients/'
      • client_config_dir: enables CCD; the directory holding one file per client, named exactly after the CN of that client's cert
      • ccd_exclusive: rejects any client whose CN has no file in client_config_dir, so only explicitly provisioned certs can connect
      • ifconfig_pool_persist: file in which OpenVPN records CN,IP pairs so a client keeps its address across restarts; it is pre-seeded below with the same static IPs

  2. Configure CCD files
    1. For each VPN client, create a file whose name exactly matches the CN of that client's cert
      1. The file contains an ifconfig-push line assigning the client its static IP (from the 10.1.0.0/28 server subnet; 10.1.0.1 is the server)
        1. Client Certificate CN: John Doe (OpenWrt VPNserver Client)
          1. Client File: /etc/openvpn/clients/John Doe (OpenWrt VPNserver Client)
            1. File Output: ifconfig-push 10.1.0.6 255.255.255.240
      2. The ifconfig-push in a CCD file is authoritative; ipp.txt only records assignments

  3. Configure IPP file
    1. One per line, each VPN client's CN followed by a comma and its static IP (no spaces around the comma)
      1. IPP File: /etc/openvpn/clients/ipp.txt
        1. File Output: John Doe (OpenWrt VPNserver Client),10.1.0.6

  4. Start/Restart OpenVPN
    1. Connect with each client to test
      /etc/init.d/openvpn stop ; /etc/init.d/openvpn start ; tail -f /tmp/openvpn.log
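The CCD and IPP steps above, carried out by a small shell helper. This is an added example and not part of the original wiki page: the CN, the address and the target directory are passed in, the server subnet 10.1.0.0/28 from the config above is assumed, and the check against handing the same address to two CNs is the author's addition.

```shell
#!/bin/sh
# Added example, not from the original wiki page: provision one CCD client.
# Writes <ccd_dir>/<CN> with an ifconfig-push line and keeps the matching
# "<CN>,<IP>" entry in ipp.txt, as in the CCD steps above.
# Assumes the page's server subnet 10.1.0.0/28 (10.1.0.1 = server, 10.1.0.15 = broadcast).
# Usage: ccd_add "<client cert CN>" <ip> [ccd_dir]   (ccd_dir defaults to /etc/openvpn/clients)

CCD_NET_PREFIX="10.1.0."
CCD_MASK="255.255.255.240"

# True when $1 is a usable client address in the /28: 10.1.0.2 .. 10.1.0.14
ccd_ip_ok() {
    case "$1" in
        "$CCD_NET_PREFIX"*) ;;
        *) return 1 ;;
    esac
    last=${1#"$CCD_NET_PREFIX"}
    case "$last" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$last" -ge 2 ] && [ "$last" -le 14 ]
}

ccd_add() {
    cn=$1
    ip=$2
    dir=${3:-/etc/openvpn/clients}
    ipp="$dir/ipp.txt"

    if [ -z "$cn" ] || [ -z "$ip" ]; then
        echo "usage: ccd_add CN IP [DIR]" >&2
        return 2
    fi
    # The CN becomes a file name inside $dir; a '/' would escape the directory.
    case "$cn" in
        */*) echo "CN must not contain '/'" >&2; return 2 ;;
    esac
    if ! ccd_ip_ok "$ip"; then
        echo "$ip is not a usable client address in ${CCD_NET_PREFIX}0/28" >&2
        return 2
    fi

    mkdir -p "$dir"
    touch "$ipp"

    # Refuse to pin an address that ipp.txt already records for a different CN.
    while IFS= read -r line; do
        if [ "${line#*,}" = "$ip" ] && [ "${line%%,*}" != "$cn" ]; then
            echo "$ip is already assigned to '${line%%,*}'" >&2
            return 1
        fi
    done < "$ipp"

    # CCD file: ifconfig-push <ip> <netmask>, as in the page's example.
    printf 'ifconfig-push %s %s\n' "$ip" "$CCD_MASK" > "$dir/$cn"
    chmod 644 "$dir/$cn"

    # ipp.txt: one "CN,IP" line per client; drop any stale line for this CN first.
    while IFS= read -r line; do
        [ "${line%%,*}" = "$cn" ] || printf '%s\n' "$line"
    done < "$ipp" > "$ipp.tmp"
    printf '%s,%s\n' "$cn" "$ip" >> "$ipp.tmp"
    mv "$ipp.tmp" "$ipp"
}
```

Run it once per client, then restart OpenVPN as in step 4; a CN containing spaces or parentheses is fine, since the file name is taken from the CN verbatim, but the address must lie inside the pool or the client's push will be silently wrong.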

Log Output

CCD Disabled

/tmp/openvpn.log Log Output w/o CCD Enabled

root@OpenWrt ~ # cat /tmp/openvpn.log
Thu Oct 20 13:35:00 2016 us=668816 OpenVPN 2.3.11 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Thu Oct 20 13:35:00 2016 us=668891 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Thu Oct 20 13:35:00 2016 us=669836 Diffie-Hellman initialized with 2048 bit key
Thu Oct 20 13:35:00 2016 us=705181 Control Channel Authentication: using '/etc/ssl/openvpn/tls-auth.key' as a OpenVPN static key file
Thu Oct 20 13:35:00 2016 us=705286 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:00 2016 us=705351 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:00 2016 us=705387 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
Thu Oct 20 13:35:00 2016 us=705489 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 72 bytes
Thu Oct 20 13:35:00 2016 us=705535 TLS-Auth MTU parms [ L:48104 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Thu Oct 20 13:35:00 2016 us=705589 Socket Buffers: R=[87380->327680] S=[16384->327680]
Thu Oct 20 13:35:00 2016 us=706121 TUN/TAP device tun0 opened
Thu Oct 20 13:35:00 2016 us=706200 TUN/TAP TX queue length set to 100
Thu Oct 20 13:35:00 2016 us=706254 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Oct 20 13:35:00 2016 us=706327 /sbin/ip link set dev tun0 up mtu 48000
Thu Oct 20 13:35:00 2016 us=708260 /sbin/ip addr add dev tun0 10.1.0.1/28 broadcast 10.1.0.15
Thu Oct 20 13:35:00 2016 us=713288 Data Channel MTU parms [ L:48104 D:48104 EF:104 EB:143 ET:0 EL:3 AF:3/1 ]
Thu Oct 20 13:35:00 2016 us=713438 GID set to nogroup
Thu Oct 20 13:35:00 2016 us=713500 UID set to nobody
Thu Oct 20 13:35:00 2016 us=713746 Listening for incoming TCP connection on [undef]
Thu Oct 20 13:35:00 2016 us=713811 TCPv4_SERVER link local (bound): [undef]
Thu Oct 20 13:35:00 2016 us=713857 TCPv4_SERVER link remote: [undef]
Thu Oct 20 13:35:00 2016 us=713922 MULTI: multi_init called, r=256 v=256
Thu Oct 20 13:35:00 2016 us=714000 IFCONFIG POOL: base=10.1.0.2 size=12, ipv6=0
Thu Oct 20 13:35:00 2016 us=714070 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Oct 20 13:35:00 2016 us=714678 Initialization Sequence Completed

CCD Enabled

/tmp/openvpn.log Log Output w/ CCD Enabled

root@OpenWrt ~ # cat /tmp/openvpn.log
Thu Oct 20 13:35:30 2016 us=653309 OpenVPN 2.3.11 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key
Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication: using '/etc/ssl/openvpn/tls-auth.key' as a OpenVPN static key file
Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:30 2016 us=706722 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
Thu Oct 20 13:35:30 2016 us=706760 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 72 bytes
Thu Oct 20 13:35:30 2016 us=706804 TLS-Auth MTU parms [ L:48104 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Thu Oct 20 13:35:30 2016 us=706857 Socket Buffers: R=[87380->327680] S=[16384->327680]
Thu Oct 20 13:35:30 2016 us=707392 TUN/TAP device tun0 opened
Thu Oct 20 13:35:30 2016 us=707465 TUN/TAP TX queue length set to 100
Thu Oct 20 13:35:30 2016 us=707517 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Oct 20 13:35:30 2016 us=707587 /sbin/ip link set dev tun0 up mtu 48000
Thu Oct 20 13:35:30 2016 us=709190 /sbin/ip addr add dev tun0 10.1.0.1/28 broadcast 10.1.0.15
Thu Oct 20 13:35:30 2016 us=714514 Data Channel MTU parms [ L:48104 D:48104 EF:104 EB:143 ET:0 EL:3 AF:3/1 ]
Thu Oct 20 13:35:30 2016 us=714630 GID set to nogroup
Thu Oct 20 13:35:30 2016 us=714680 UID set to nobody
Thu Oct 20 13:35:30 2016 us=714859 Listening for incoming TCP connection on [undef]
Thu Oct 20 13:35:30 2016 us=714908 TCPv4_SERVER link local (bound): [undef]
Thu Oct 20 13:35:30 2016 us=714945 TCPv4_SERVER link remote: [undef]
Thu Oct 20 13:35:30 2016 us=714986 MULTI: multi_init called, r=256 v=256
Thu Oct 20 13:35:30 2016 us=715050 IFCONFIG POOL: base=10.1.0.2 size=12, ipv6=0
Thu Oct 20 13:35:30 2016 us=715095 ifconfig_pool_read(), in='vpn-client1-foobar1-device1,10.1.0.5', TODO: IPv6
Thu Oct 20 13:35:30 2016 us=715138 succeeded -> ifconfig_pool_set()
Thu Oct 20 13:35:30 2016 us=715176 ifconfig_pool_read(), in='John Doe (OpenWrt VPNserver Client),10.1.0.6', TODO: IPv6
Thu Oct 20 13:35:30 2016 us=715213 succeeded -> ifconfig_pool_set()
Thu Oct 20 13:35:30 2016 us=715249 IFCONFIG POOL LIST
Thu Oct 20 13:35:30 2016 us=715287 vpn-client1-foobar1-device1,10.1.0.5
Thu Oct 20 13:35:30 2016 us=715331 John Doe (OpenWrt VPNserver Client),10.1.0.6
Thu Oct 20 13:35:30 2016 us=715428 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Oct 20 13:35:30 2016 us=715971 Initialization Sequence Completed

Clients

The server's tls-auth key (direction 0 on the server) is pasted into the <tls-auth> inline block of every client config below, paired with key-direction 1

Android

Information

OpenVPN for Android Android Client Information

For compatibility with exFAT, Android sdcards have a non-customizable 771 permission structure
It's imperative, for the security of the VPN, to ensure the certificate key is encrypted as specified under Client Certs

  • OpenVPN for Android is the best app for VPNs on Android

  • PKCS12 certs are installed into the Android Keychain
    • As a security feature, Android shows a persistent warning notification ("Network may be monitored") whenever user-installed certs are present
      • This notification can be removed on a rooted device by following the Toast Removal tutorial

    • Another option is to include all certs & keys via inline XML within the client config file
      • Whether or not the imported file references certs inline, the config OpenVPN for Android generates after import stores them inline

  • If you choose to reference the tlsauth.key, instead of utilizing inline XML
    1. Remove:
          # Encryption #
      #------------------------------------------------
      key-direction 1
       
      <tls-auth>
      -----BEGIN OpenVPN Static key V1-----
      #PASTED-KEY-INLINE-HERE#
      -----END OpenVPN Static key V1-----
      </tls-auth>
    2. Add:
          # Encryption #
      #------------------------------------------------
      tls-auth    '/path/to/tlsauth.key' 1
  • Some Android devices are not able to convert PKCS12 certs to x509 certs
    • If your device is affected, you will need to reference your individual certs in your client config
      1. Add:
            # Encryption #
        #------------------------------------------------
        ca      '/sdcard/openvpn/OpenWrt-OpenVPN_ICA-Chain.crt.pem'
        cert    '/sdcard/openvpn/vpn-client1.crt.pem'
        key     '/sdcard/openvpn/vpn-client1.key.pem'

Config

/sdcard/OpenVPN/OpenWrt/VPNserver.ovpn Android Client Config

    # Config Type #
#------------------------------------------------
client
 
    # Connection  #
#------------------------------------------------
dev tun
# must match the server's proto (the sample server log above shows a TCP listener)
proto udp
remote your.ddns.com 5000
 
    # Speed #
#------------------------------------------------
mssfix 0
fragment 0
tun-mtu 48000
 
    # Reliability #
#------------------------------------------------
float
nobind
comp-lzo
 
persist-key
persist-tun
resolv-retry infinite
 
    # Encryption #
#------------------------------------------------
auth SHA512
auth-nocache
 
# --- SSL --- #
cipher AES-256-CBC
 
# --- TLS --- #
key-direction 1
tls-version-min 1.2
 
remote-cert-eku 'TLS Web Server Authentication'
 
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTE-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>
 
    # Logging #
#------------------------------------------------
verb 5

Inline XML

Referencing certs via Inline XML

  1. Remove:
        # Encryption #
    #------------------------------------------------
    ca        '/sdcard/openvpn/OpenWrt-OpenVPN_ICA-Chain.crt.pem'
    cert      '/sdcard/openvpn/vpn-client1.crt.pem'
    key       '/sdcard/openvpn/vpn-client1.key.pem'
    tls-auth  '/path/to/tlsauth.key' 1
  2. Add:
        # Encryption #
    #------------------------------------------------
     
    # --- TLS --- #
    key-direction 1
     
    <ca>
    #PASTE-CA-CERT-INLINE-HERE#
    </ca>
     
    <cert>
    #PASTE-VPN-CLIENT-CERT-INLINE-HERE#
    </cert>
     
    <key>
    #PASTE-VPN-CLIENT-KEY-INLINE-HERE#
    </key>
     
    <tls-auth>
    -----BEGIN OpenVPN Static key V1-----
    #PASTE-KEY-INLINE-HERE#
    -----END OpenVPN Static key V1-----
    </tls-auth>

Toast Removal

CAcert Wiki PDF Certificate Warning Toast Removal

If /system/etc/security/cacerts.bks exists on your device, refer to CAcert wiki, then continue

Both methods require root and /system remounted read-write (mount -o remount,rw /system); remount it read-only when finished

  1. Method 1:
    1. Add certificate to Android Keychain
      1. Settings –> Security –> Install from Storage

    2. Move certificate from userland to system trusted
      1. Android < 5.0:
        1. Move new file
          1. From: /data/misc/keychain/cacerts-added/
          2. To: /system/etc/security/cacerts/

      2. Android ≥ 5.0:
        1. Move new file
          1. From: /data/misc/user/0/cacerts-added/
          2. To: /system/etc/security/cacerts/

  2. Method 2:
    1. Save certificate with .pem extension (e.g. ca.pem)

    2. Generate the subject hash of the certificate (Android's system store is named by OpenSSL's old-style subject hash):
      1. openssl x509 -inform PEM -subject_hash_old -noout -in ca.pem
        1. Output is an 8-hex-digit value similar to: 0b112a89

    3. Save certificate as text:
      1. openssl x509 -inform PEM -text -in ca.pem > 0b112a89.0

    4. Swap PEM section and text:
      1. —–BEGIN CERTIFICATE—– must be at top of file, followed by the text dump

    5. Rename file: 0b112a89.0
      1. Replace 0b112a89 with the hash from step 2

    6. Copy file to: /system/etc/security/cacerts/

    7. Set permissions:
      1. chmod 644 0b112a89.0

    8. Certificate should be listed under:
      1. Settings –> Security –> Trusted Credentials - System
        1. If it's still under User:
          1. Disable/Re-Enable certificate in Android Settings
            1. This creates a file in /data/misc/keychain/cacerts-added/ (Android < 5.0) or /data/misc/user/0/cacerts-added/ (Android ≥ 5.0)
          2. Move that file to /system/etc/security/cacerts/
          3. Delete original file from step 6
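Method 2 above, steps 2 to 5 and 7, as one shell function. This is an added example, not part of the original wiki page: it takes a PEM file and an output directory, names the result by the old-style subject hash Android expects, writes the PEM block first and the text dump after it, and picks the next free numeric suffix when another CA already occupies that hash. The copy to /system/etc/security/cacerts/ is left to the reader, since it needs a rooted device.

```shell
#!/bin/sh
# Added example (not from the original wiki page): build an Android system-store
# CA file from a PEM certificate, as in Method 2 above.
# Android names files in /system/etc/security/cacerts/ by the OpenSSL *old-style*
# subject hash (openssl x509 -subject_hash_old), with a numeric suffix that
# increments when two CAs share a hash.  The file holds the PEM block first,
# followed by the human-readable dump.
# Usage: android_cacert_file ca.pem [outdir]   -> prints the path written

android_cacert_file() {
    pem=$1
    outdir=${2:-.}
    hash=$(openssl x509 -inform PEM -noout -subject_hash_old -in "$pem") || return 1

    # <hash>.0 unless taken, then <hash>.1, <hash>.2, ...
    n=0
    while [ -e "$outdir/$hash.$n" ]; do
        n=$((n + 1))
    done
    out="$outdir/$hash.$n"

    {
        openssl x509 -inform PEM -in "$pem"                             # PEM block, must come first
        openssl x509 -inform PEM -in "$pem" -noout -text -fingerprint   # text dump plus fingerprint
    } > "$out" || { rm -f "$out"; return 1; }
    chmod 644 "$out"
    printf '%s\n' "$out"
}

# On the device, as root, with /system remounted read-write:
#   mount -o remount,rw /system
#   cp <hash>.0 /system/etc/security/cacerts/ && chmod 644 /system/etc/security/cacerts/<hash>.0
```

Using -subject_hash instead of -subject_hash_old produces a differently named file that Android's trust store never consults, which is the usual reason a cert copied into cacerts/ still shows up under User rather than System.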

BSD/Linux

Information

OpenVPN Client BSD/Linux Client Information

  • Due to the sheer number of distros & variances from one to the other, only the client config is being provided

Config

/etc/openvpn/VPNserver.conf Linux/BSD Client Config

# Config Type #
#------------------------------------------------
client
 
# Connection  #
#------------------------------------------------
dev tun
# must match the server's proto (the sample server log above shows a TCP listener)
proto udp
remote your.ddns.com 5000
 
# Speed #
#------------------------------------------------
mssfix 0
fragment 0
tun-mtu 48000
 
# Reliability #
#------------------------------------------------
float
nobind
comp-lzo
 
persist-key
persist-tun
resolv-retry infinite
 
    # Encryption #
#------------------------------------------------
auth SHA512
auth-nocache
 
# --- SSL --- #
cipher AES-256-CBC
 
# --- TLS --- #
key-direction 1
tls-version-min 1.2
 
pkcs12 '/etc/ssl/openvpn/vpn-client1.p12'
remote-cert-eku 'TLS Web Server Authentication'
 
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTE-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>
 
# Logging #
#------------------------------------------------
verb 5

Windows

Information

OpenVPN Client Windows Client Information

  • If the PKCS12 cert isn't stored in the same directory as the ovpn config, the path to the PKCS12 cert must be referenced
    • You must use double backslashes for the path: C:\\Path\\to\\PKCS.p12

Config

C:\Program Files\OpenVPN\config\OpenWrt\VPNserver.ovpn Windows Client Config

# Config Type #
#------------------------------------------------
client
 
# Connection  #
#------------------------------------------------
dev tun
# must match the server's proto (the sample server log above shows a TCP listener)
proto udp
remote your.ddns.com 5000
 
# Speed #
#------------------------------------------------
mssfix 0
fragment 0
tun-mtu 48000
 
# Reliability #
#------------------------------------------------
float
nobind
comp-lzo
 
persist-key
persist-tun
resolv-retry infinite
 
    # Encryption #
#------------------------------------------------
auth SHA512
auth-nocache
 
# --- SSL --- #
cipher AES-256-CBC
 
# --- TLS --- #
key-direction 1
tls-version-min 1.2
 
pkcs12 vpn-client1.p12
remote-cert-eku "TLS Web Server Authentication"
 
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTE-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>
 
# Logging #
#------------------------------------------------
verb 5



Optional

Redirect Gateway (Same Subnet)

It's recommended to read Gateway Redirect prior to continuing

Firewall Config

/etc/config/firewall LAN Zone & InterZone Forwarding

  1. Edit the existing lan zone so it reads as follows (do not add a second zone named lan):
    #::: Zones :::#
    # LuCI: Network - Firewall - Zones
     
    # Add: LAN Masquerade #
    #------------------------------------------------
    config zone
        option  name            'lan'
        option  network         'lan'
        option  input           'ACCEPT'
        option  output          'ACCEPT'
        option  forward         'DROP'
        option  masq            1
  2. Add:
    #::: InterZone Forwarding :::#
    # LuCI: Network -> Firewall -> Zones -> VPN - 
    # Edit - Inter-Zone Forwarding
     
    # Allow Forwarding VPN -> WAN #
    #------------------------------------------------
    config forwarding
        option  dest            'wan'
        option  src             'vpn'
  3. Commit changes
    /etc/init.d/firewall restart

Server Config

/etc/config/openvpn Pushed Routes

  1. Remove:
        list    push                'dhcp-option        DNS 208.67.222.123'
        list    push                'dhcp-option        DNS 208.67.220.123'
  2. Add:
        list    push                'redirect-gateway   def1 local'
        list    push                'dhcp-option        DNS 10.1.0.1'
      • def1: overrides the client's default route with two /1 routes instead of replacing it, so the original route survives and is restored cleanly on disconnect
      • local: for clients that share a subnet with the server (the case this section covers); omit it for clients connecting across the internet
      • DNS 10.1.0.1: only works if the router's dnsmasq accepts queries arriving on tun0 and the vpn firewall zone permits input on port 53; otherwise clients lose name resolution once their gateway is redirected
  3. Commit changes
    /etc/init.d/openvpn restart


VPN Wikis

Questions

  • Please take the time to read
    • If you refuse to help yourself, don't expect someone else to help you

  • The answer to any question about an OpenVPN Client or Server configuration is contained within the VPN Wiki or OpenSSL sections
    • If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the OpenWrt or OpenVPN forums

  • Please do not publish questions directly to this Wiki, as:
    • Most importantly, it's not monitored for questions
    • It clutters the Wiki, possibly making it more difficult for others to navigate
doc/howto/openvpn-streamlined-server-setup.txt · Last modified: 2017/09/15 16:25 by JW0914