
Using Openwrt as OpenVPN client with TAP device

:!: There are many redundant wiki pages relating to configuring OpenVPN on OpenWrt. Some are better than others, and others are an out-of-date muddled mess. For a reasonably complete / up-to-date guide to installing, configuring and troubleshooting OpenVPN clients & servers on OpenWrt (including creating a simple PKI), could I suggest you consider starting with vpn.openvpn instead of this wiki. :!:

It is not that the other wikis aren't worth reading; it is just that (IMHO) vpn.openvpn is a better place to start (it has been rewritten from scratch just a few weeks ago). Maybe you could improve it further? In this instance, this wiki has several issues (as at May 2014), including being 2 years out of date. It also advocates TAP rather than TUN where TUN would, in most cases, be preferable. If you definitely want TAP rather than TUN, then vpn.openvpn might still be a useful place to visit.

For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit vpn.overview

Installation

  1. Install the openvpn package:

opkg update
opkg install openvpn

Configuring the client

# /etc/config/openvpn
config 'openvpn' 'name_of_the_connection'
	option 'client' '1'
	option 'remote' 'ip.address.of.server'
	option 'port' '1194'
	# must match the server; udp is OpenVPN's default and usually faster
	option 'proto' 'tcp'
	# TAP (layer 2) device; the server must also use a tap device
	option 'dev' 'tap0'
	option 'ca' '/path/to/ca.crt'
	option 'cert' '/path/to/client.crt'
	option 'key' '/path/to/client.key'
	# only if the server enables compression
	option 'comp_lzo' '1'
	option 'keepalive' '10 120'
	option 'status' '/tmp/openvpn.status'
	# UCI option names may not contain hyphens; the init script turns the
	# underscore into the dash that OpenVPN expects (persist-key, persist-tun)
	option 'persist_key' '1'
	option 'persist_tun' '1'
	# 7 is a debug level that logs every packet; use 3 once the tunnel works
	option 'verb' '7'
	option 'mute' '20'
	option 'nobind' '1'

Note that 'proto' 'udp' is OpenVPN's default and normally performs better; TCP only helps where UDP is blocked or must pass through a proxy, and carrying TCP sessions inside a TCP tunnel degrades badly on lossy links. Whatever you choose, the protocol, port and device type (tap) must match the server. Two further points for a production configuration: 'verb' '7' logs every packet and should be lowered to 3 once the tunnel works, and without 'remote_cert_tls' 'server' (OpenVPN's remote-cert-tls) the client accepts any certificate signed by the CA, including another client's, as the server.
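As an added example (it is not part of the OpenWrt wiki or of the openvpn package), the following POSIX sh script audits a client stanza in the layout used above and reports the settings a reviewer would question: hyphenated option names, a missing remote_cert_tls, compression, and a debug-level verb. It assumes the "option 'name' 'value'" style of /etc/config/openvpn; the hardened sample's remote name vpn.example.net and the /etc/openvpn paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki or the openvpn package: audit an
# OpenVPN UCI client stanza. Assumes the "option 'name' 'value'" layout.

# uci_val FILE NAME: print the value of option NAME (quotes stripped), nothing if absent.
uci_val() {
    sed -n "s/^[[:space:]]*option[[:space:]]\{1,\}'\{0,1\}$2'\{0,1\}[[:space:]]\{1,\}'\{0,1\}\([^']*\)'\{0,1\}[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# audit_openvpn_uci FILE: print one finding per line; the return value is the
# number of findings, so 0 means every check passed.
audit_openvpn_uci() {
    f="$1"
    n=0
    # 1. UCI option names may only contain [A-Za-z0-9_]; a name such as
    #    'persist-key' makes uci reject the whole file.
    if grep -q "^[[:space:]]*option[[:space:]]\{1,\}'\{0,1\}[A-Za-z0-9_]\{1,\}-" "$f"; then
        echo "invalid: hyphenated option name (use persist_key, persist_tun, ...)"
        n=$((n + 1))
    fi
    # 2. Without remote-cert-tls server the client accepts any certificate
    #    issued by the CA, including another client's, as the server.
    if [ "$(uci_val "$f" remote_cert_tls)" != "server" ]; then
        echo "weak: remote_cert_tls 'server' missing (server impersonation possible)"
        n=$((n + 1))
    fi
    # 3. Compressing attacker-influenced plaintext leaks secrets (VORACLE);
    #    OpenVPN 2.5 deprecates comp-lzo. Leave it off unless the server insists.
    case "$(uci_val "$f" comp_lzo)" in
        ""|0|no) ;;
        *) echo "weak: comp_lzo enabled (compression side channel)"
           n=$((n + 1)) ;;
    esac
    # 4. verb 5 and above log every packet; 7 is for debugging, not production.
    v="$(uci_val "$f" verb)"
    if [ -n "$v" ] && [ "$v" -gt 4 ] 2>/dev/null; then
        echo "noisy: verb $v floods the log (3 is the usual level)"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample 1: the stanza from this page (abridged), as written.
print_weak_cfg() {
    cat <<'EOF'
config 'openvpn' 'name_of_the_connection'
    option 'client' '1'
    option 'remote' 'ip.address.of.server'
    option 'port' '1194'
    option 'proto' 'tcp'
    option 'dev' 'tap0'
    option 'ca' '/path/to/ca.crt'
    option 'cert' '/path/to/client.crt'
    option 'key' '/path/to/client.key'
    option 'comp_lzo' '1'
    option 'keepalive' '10 120'
    option 'persist-key' '1'
    option 'persist-tun' '1'
    option 'verb' '7'
    option 'nobind' '1'
EOF
}

# Constructed sample 2: the same client hardened. vpn.example.net and the
# /etc/openvpn paths are placeholders; the server must be configured for udp/tap.
print_hardened_cfg() {
    cat <<'EOF'
config 'openvpn' 'name_of_the_connection'
    option 'client' '1'
    option 'remote' 'vpn.example.net'
    option 'port' '1194'
    option 'proto' 'udp'
    option 'dev' 'tap0'
    option 'ca' '/etc/openvpn/ca.crt'
    option 'cert' '/etc/openvpn/client.crt'
    option 'key' '/etc/openvpn/client.key'
    option 'remote_cert_tls' 'server'
    option 'keepalive' '10 120'
    option 'persist_key' '1'
    option 'persist_tun' '1'
    option 'verb' '3'
    option 'nobind' '1'
EOF
}

# Demo: the page's stanza yields 4 findings, the hardened one 0.
tmp="$(mktemp -d)"
print_weak_cfg > "$tmp/weak"
print_hardened_cfg > "$tmp/hardened"
rc=0; audit_openvpn_uci "$tmp/weak" || rc=$?
echo "page stanza: $rc finding(s)"
rc=0; audit_openvpn_uci "$tmp/hardened" || rc=$?
echo "hardened stanza: $rc finding(s)"
rm -rf "$tmp"
```

Run it against the real file with audit_openvpn_uci /etc/config/openvpn; the findings are printed and the exit status is their count, so it drops into a shell script or a pre-commit check unchanged. The proto check is deliberately absent: TCP is a performance choice dictated by the server, not a security defect.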

Starting and enabling OpenVPN

Either start OpenVPN once (it will not survive a reboot):

/etc/init.d/openvpn start

Or enable it so that it starts at boot (this only installs the rc.d link; run start as well to bring the tunnel up now):

/etc/init.d/openvpn enable

If your internet connection works and the configuration is correct (the certificates and connection parameters usually come from your VPN provider or the server administrator), the system log (logread) should end with:

Initialization Sequence Completed

Routing traffic over NAT

To actually access the resources behind the VPN server, first create a new interface in /etc/config/network:

config interface 'VPN_client'
	option proto 'none'
	option ifname 'tap0'

And then modify your /etc/config/firewall:

config zone
	option name 'VPN_client'
	option masq '1'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'VPN_client'

config forwarding
	option dest 'VPN_client'
	option src 'lan'

After restarting the network and the firewall (/etc/init.d/network restart; /etc/init.d/firewall restart), hosts on the LAN can reach resources behind the VPN server. Their traffic is masqueraded behind the router's tap0 address, so the far side only ever sees the router and cannot initiate connections to LAN hosts. Note that 'input' 'ACCEPT' on the VPN_client zone lets every host on the VPN network connect to the router's own services (SSH, LuCI, DNS); set it to REJECT, or add explicit rules, if you do not trust the remote side.

Routing client traffic transparently

If you want transparent (unmasqueraded) routing, with your LAN clients reachable from the server side, add the interface to /etc/config/network as above and put this into /etc/config/firewall:

config zone
	option name 'VPN_client'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'VPN_client'

config forwarding
	option dest 'lan'
	option src 'VPN_client'

config forwarding
	option dest 'VPN_client'
	option src 'lan'

In this case the server (and any other VPN peer that should reach your LAN) needs a route for your LAN subnet via this client's tap address on the VPN interface; without it, replies never come back. Because the VPN_client to lan forwarding admits every host on the VPN segment to every host on the LAN, restrict it with explicit firewall rules if the remote network is not fully trusted.

doc/howto/vpn.client.openvpn.tap.txt · Last modified: 2014/05/31 00:20 by zxdavb