|There are many redundant wiki pages relating to configuring OpenVPN on OpenWrt. Some are better than others, and others are an out-of-date muddled mess. For a reasonably complete / up-to-date guide to installing, configuring and troubleshooting OpenVPN clients & servers on OpenWrt (including creating a simple PKI), could I suggest you consider starting with vpn.openvpn instead of this page. It is not that the other pages aren't worth reading; it is just that (IMHO) vpn.openvpn is a better place to start (it has been rewritten from scratch just a few weeks ago). Maybe you could improve it further rather than edit this page?|
In this instance, this page has several issues (as of May 2014), including being 2 years out of date. It also advocates TAP rather than TUN where TUN would, in most cases, be preferable. If you definitely want TAP rather than TUN, then vpn.openvpn might still be a useful place to visit.
|For an overview of all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit vpn.overview|
config 'openvpn' 'name_of_the_connection'
	option 'client' '1'
	option 'remote' 'ip.address.of.server'
	option 'port' '1194'
	option 'proto' 'tcp'
	option 'dev' 'tap0'
	option 'ca' '/path/to/ca.crt'
	option 'cert' '/path/to/client.crt'
	option 'key' '/path/to/client.key'
	option 'comp_lzo' '1'
	option 'keepalive' '10 120'
	option 'status' '/tmp/openvpn.status'
	option 'persist_key' '1'
	option 'persist_tun' '1'
	option 'verb' '7'
	option 'mute' '20'
	option 'nobind' '1'
Note that using TCP is more reliable but somewhat slower.
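As an added example (not from this wiki page or the OpenWrt init script), the script below renders a UCI config openvpn section into the OpenVPN directives it stands for and then checks that the client key the section references is not readable by other users. The function names, the list of options treated as booleans and the underscore-to-hyphen translation are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the wiki page: render a UCI "config openvpn"
# section into the OpenVPN directives it stands for, then check that the
# client key referenced by the section is not group/world readable.
# Options this page uses as booleans (value '1' -> bare flag, else omitted).
FLAG_OPTS="client comp_lzo persist_key persist_tun nobind"

# uci_to_ovpn: UCI section on stdin -> OpenVPN directives on stdout.
# Assumes the init script's convention: underscores in UCI option names
# become hyphens in the OpenVPN directive (persist_key -> persist-key).
uci_to_ovpn() {
    while IFS= read -r line; do
        case "$line" in
            *"option '"*) ;;        # only "option 'name' 'value'" lines matter
            *) continue ;;
        esac
        name=$(printf '%s\n' "$line" | sed "s/^[[:space:]]*option '\([^']*\)' '\(.*\)'[[:space:]]*$/\1/")
        value=$(printf '%s\n' "$line" | sed "s/^[[:space:]]*option '\([^']*\)' '\(.*\)'[[:space:]]*$/\2/")
        directive=$(printf '%s' "$name" | tr '_' '-')
        case " $FLAG_OPTS " in
            *" $name "*) if [ "$value" = "1" ]; then printf '%s\n' "$directive"; fi ;;
            *)           printf '%s %s\n' "$directive" "$value" ;;
        esac
    done
}

# key_is_private: succeed only if the file exists and its group/other
# permission bits are all clear (0600 or stricter), as a client key should be.
key_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample section, mirroring the client config above.
SAMPLE="config 'openvpn' 'name_of_the_connection'
	option 'client' '1'
	option 'remote' 'ip.address.of.server'
	option 'proto' 'tcp'
	option 'dev' 'tap0'
	option 'key' '/path/to/client.key'
	option 'keepalive' '10 120'
	option 'persist_key' '1'
	option 'nobind' '0'"
printf '%s\n' "$SAMPLE" | uci_to_ovpn
if key_is_private /path/to/client.key; then
    echo "client.key permissions OK"
else
    echo "client.key missing or readable by others; fix with chmod 600" >&2
fi
```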
Either run OpenVPN only once:
Or make it start at boot:
If your internet connection works and your configuration (usually supplied by your VPN provider) is correct, you should see something like:
Initialization Sequence Completed
To actually access the resources behind the VPN server, first create a new interface in /etc/config/network:
config interface 'VPN_client'
	option proto 'none'
	option ifname 'tap0'
And then modify your /etc/config/firewall:
config zone
	option name 'VPN_client'
	option masq '1'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'VPN_client'

config forwarding
	option dest 'VPN_client'
	option src 'lan'
After restarting your firewall and network, your router should allow its clients to access resources behind the VPN server over NAT.
If you want transparent routing, with your clients also accessible from the server, modify your /etc/config/network as above and put this into your /etc/config/firewall instead:
config zone
	option name 'VPN_client'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'VPN_client'

config forwarding
	option dest 'lan'
	option src 'VPN_client'

config forwarding
	option dest 'VPN_client'
	option src 'lan'
Your server will have to be configured to route traffic to your LAN subnet over its VPN interface in this case.