Using OpenWrt as OpenVPN client with a tap device

For an overview of all Virtual Private Network (VPN) articles in the OpenWrt wiki, see vpn.overview.

Installation

  1. Install the openvpn package:

opkg update
opkg install openvpn

Configuring the client

config 'openvpn' 'name_of_the_connection'
	option 'client' '1'
	option 'remote' 'ip.address.of.server'
	option 'port' '1194'
	option 'proto' 'tcp'
	option 'dev' 'tap0'
	option 'ca' '/path/to/ca.crt'
	option 'cert' '/path/to/client.crt'
	option 'key' '/path/to/client.key'
	option 'comp_lzo' '1'
	option 'keepalive' '10 120'
	option 'status' '/tmp/openvpn.status'
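	# UCI option names may contain only letters, digits and underscores
	option 'persist_key' '1'
	option 'persist_tun' '1'
	# verb 7 is debug-level logging; 3 is the usual level once the tunnel works
	option 'verb' '7'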
	option 'mute' '20'
	option 'nobind' '1'

Note that using TCP is more reliable but somewhat slower.

Starting and enabling OpenVPN

Either run OpenVPN only once:

/etc/init.d/openvpn start

Or make it start at boot:

/etc/init.d/openvpn enable

If your internet connection works and everything in your config (which you usually get from your VPN provider) is correct, you should see something like:

Initialization Sequence Completed

Routing traffic over NAT

To actually access the resources behind the VPN server, first create a new interface in /etc/config/network:

config interface 'VPN_client'
	option proto 'none'
	option ifname 'tap0'

And then modify your /etc/config/firewall:

config zone
	option name 'VPN_client'
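	# masquerade (NAT) LAN traffic leaving through the tunnel
	option masq '1'
	# input applies to traffic from the VPN side addressed to the router itself
	option input 'ACCEPT'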
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'VPN_client'

config forwarding
	option dest 'VPN_client'
	option src 'lan'

After restarting your firewall and network, your router should allow its clients to access resources behind the VPN server over NAT.

Routing client traffic transparently

If you want transparent routing and clients accessible from the server, modify your /etc/config/network as above and put this into your /etc/config/firewall:

config zone
	option name 'VPN_client'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'VPN_client'

config forwarding
	option dest 'lan'
	option src 'VPN_client'

config forwarding
	option dest 'VPN_client'
	option src 'lan'

Your server will have to be configured to route traffic to your LAN subnet over its VPN interface in this case.
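
To see what each of the two firewall variants above opens up, the following added example (not part of the original wiki page) parses a firewall config and lists, for a given zone, whether its hosts can reach the router itself, whether its traffic is masqueraded, and which zones it may forward into. The function name audit_fw and the finding labels are made up for this example; the sample input is the transparent-routing config from this page.

```shell
#!/bin/sh
# Added example, not from the original page: report what a firewall zone
# exposes. Usage: audit_fw FILE ZONE. Prints one finding per line:
#   input-accept  hosts in ZONE may connect to services on the router itself
#   masq          traffic leaving through ZONE is NATed to the router's address
#   forward-to:X  hosts in ZONE may open connections into zone X
# Assumes simple one-word option values, as in the configs on this page.
audit_fw() {
	awk -v zone="$2" -v q="'" '
	function emit() {
		if (type == "zone" && o["name"] == zone) {
			if (toupper(o["input"]) == "ACCEPT") print "input-accept"
			if (o["masq"] == "1") print "masq"
		}
		if (type == "forwarding" && o["src"] == zone)
			print "forward-to:" o["dest"]
		type = ""; split("", o)
	}
	{ gsub("[\"" q "]", "") }           # drop UCI quoting
	$1 == "config" { emit(); type = $2; next }
	$1 == "option" { o[$2] = $3 }
	END { emit() }
	' "$1"
}

# Constructed sample: the transparent-routing firewall sections from this page.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
config zone
	option name 'VPN_client'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'VPN_client'

config forwarding
	option dest 'lan'
	option src 'VPN_client'

config forwarding
	option dest 'VPN_client'
	option src 'lan'
EOF
audit_fw "$SAMPLE" VPN_client   # findings for the VPN side
```

On the router, run it against /etc/config/firewall. If input-accept is reported for the VPN zone, check which services the router listens on before relying on the tunnel peer being trusted.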

doc/howto/vpn.client.openvpn.tap.txt · Last modified: 2014/01/05 22:40 by sup