Differences

This shows you the differences between two versions of the page.

doc:howto:vpn.client.openvpn.tap [2012/10/29 16:03]
zend
doc:howto:vpn.client.openvpn.tap [2014/05/31 00:20] (current)
zxdavb
Line 1: Line 1:
-====== Using Openwrt as OpenVPN client with tap device  ======+====== Using Openwrt as OpenVPN client with TAP device  ====== 
 +| :!: There are many redundant wiki pages relating to configuring OpenVPN on OpenWrt.  Some are better than others, and others are an out-of-date muddled mess.  For a reasonably complete / up-to-date guide to installing, configuring and troubleshooting OpenVPN clients & servers on OpenWrt (including creating a simple PKI), could I suggest you consider starting with [[doc/howto/vpn.openvpn]] instead of this wiki. :!: |
-This is just a quick and dirty guide, because there was nothing on this topic yet. +It is not that the other wikis aren't worth reading; it is just that (IMHO) [[doc/howto/vpn.openvpn]] is a better place to start (it has been rewritten from scratch just a few weeks ago).  Maybe you could improve it further?  In this instance, this wiki has several issues (as at May 2014), including being 2 years out of date. It also advocates TAP rather than TUN where TUN would, in most cases, be preferable.  If you definitely want TAP rather than TUN, then [[doc/howto/vpn.openvpn]] might still be a useful place to visit. 
 + 
 +| For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit [[doc/howto/vpn.overview]] |
===== Installation ===== ===== Installation =====
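Review bot: The added notice asserts that TUN is preferable "in most cases" but gives the reader no criterion for choosing; suggest adding one sentence beside that claim, for example that TAP carries whole Ethernet frames (LAN broadcasts included) across the tunnel and is only needed to bridge two LANs or pass non-IP protocols, while TUN carries IP packets only, with less per-packet overhead and no broadcast leakage. Also, "this wiki" in the two added paragraphs refers to this single page, so "this page" would be clearer, and the heading's "Openwrt" should be "OpenWrt" to match the spelling used in the notice itself.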
Line 10: Line 13:
</code> </code>
-===== Starting/Configuring the client ===== +===== Configuring the client =====
-Put the client config(ovpn file and key/cert files) somewhere in /root. (In this guide we assume that it's +
-a configuration with tap device, ''dev tap'' should be defined in the opvn config file, if the corresponding +
-server is configured for tun, this isn't the right guide for you)+
-Run openvpn like this +<code> 
-<code>openvpn --config myvpnconfig.ovpn</code>+config 'openvpn' 'name_of_the_connection' 
 + option 'client' '1' 
 + option 'remote' 'ip.address.of.server' 
 + option 'port' '1194' 
 + option 'proto' 'tcp' 
 + option 'dev' 'tap0' 
 + option 'ca' '/path/to/ca.crt' 
 + option 'cert' '/path/to/client.crt' 
 + option 'key' '/path/to/client.key' 
 + option 'comp_lzo' '1' 
 + option 'keepalive' '10 120' 
 + option 'status' '/tmp/openvpn.status' 
 + option 'persist-key' '1' 
 + option 'persist-tun' '1' 
 + option 'verb' '7' 
 + option 'mute' '20' 
 + option 'nobind' '1' 
 +</code> 
 + 
 +Note that using TCP is more reliable but somewhat slower. 
 + 
 +===== Starting and enabling OpenVPN ===== 
 +Either run OṕenVPN only once: 
 +<code> 
 +/etc/init.d/openvpn start 
 +</code> 
 + 
 +Or make it start at boot: 
 +<code> 
 +/etc/init.d/openvpn enable 
 +</code>
If your internet connection works and everything in your config is correct (which you usually get from your VPN provider), If your internet connection works and everything in your config is correct (which you usually get from your VPN provider),
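Review bot: The added client section verifies the server only through the CA, with no `option 'remote_cert_tls' 'server'` line (on 2.2-era builds, `ns_cert_type`), so the client will accept any certificate signed by that CA, including another client's, as the server; suggest adding it directly under the 'ca'/'cert'/'key' lines and, where the server uses an HMAC key, `option 'tls_auth' '/path/to/ta.key 1'`. Smaller points: `option 'verb' '7'` is debug-level logging and will flood the log of a flash-constrained router, so 3 is the usual setting once the tunnel works; the "Either run OpenVPN only once / Or make it start at boot" wording presents the two init.d commands as alternatives, but enable only installs the boot symlink, so a reader who wants the tunnel up now and after reboot needs both; and "TCP is more reliable but somewhat slower" should say why, namely that OpenVPN over TCP nests TCP retransmission inside TCP retransmission, so UDP is the normal choice and TCP only where UDP is blocked. Typo in the added text: "OṕenVPN".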
Line 22: Line 52:
<code>Initialization Sequence Completed</code> <code>Initialization Sequence Completed</code>
-Now you should be able to access the internet from your router and your IP address to the outside world will be the one of the VPN server, but what we really want is to transparently forward the openvpn connection 
-to the router clients. 
-To do that you need this command: 
-<code>iptables -t nat -A POSTROUTING -o tap+ -j SNAT --to-source 10.xx.x.xx</code> 
-10.xx.x.xx needs to be replaced with your address in the VPN. 
-Run: 
-<code>ifconfig tap0</code> 
-and look for `inet address` to get the correct one. 
-Now the router clients should reach the internet again, but everything will be routed through the VPN.+===== Routing traffic over NAT =====
-As always, if you want to have this available on reboot, you can put a few lines into /etc/rc.local before exit 0, ie.:+To actually access the resources behind the VPN server, first create a new interface in /etc/config/network:
<code> <code>
-iptables -t nat -A POSTROUTING -o tap+ -j SNAT --to-source 10.xx.x.xx +config interface 'VPN_client' 
-openvpn --config /root/myvpnconfig.ovpn & + option proto 'none' 
-exit 0+ option ifname 'tap0'
</code> </code>
 +
 +And then modify your /etc/config/firewall:
 +<code>
 +config zone
 + option name 'VPN_client'
 + option masq '1'
 + option input 'ACCEPT'
 + option forward 'REJECT'
 + option output 'ACCEPT'
 + option network 'VPN_client'
 +
 +config forwarding
 + option dest 'VPN_client'
 + option src 'lan'
 +</code>
 +
 +After restarting your firewall and network, your router should allow access its clients resources behind the VPN server over NAT.
 +
 +===== Routing client traffic transparently =====
 +
 +If you want transparent routing and clients accesible from the server, modify your /etc/config/network as above and put this into your /etc/config/firewall:
 +<code>
 +config zone
 + option name 'VPN_client'
 + option input 'ACCEPT'
 + option forward 'REJECT'
 + option output 'ACCEPT'
 + option network 'VPN_client'
 +
 +config forwarding
 + option dest 'lan'
 + option src 'VPN_client'
 +
 +config forwarding
 + option dest 'VPN_client'
 + option src 'lan'
 +</code>
 +
 +Your server will have to be configured to route traffic to your LAN subnet over its VPN interface in this case.
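Review bot: Both added firewall zones set `option input 'ACCEPT'` for VPN_client, which lets anything on the far side of the tunnel reach services on the router itself (ssh, LuCI, DNS); with a TAP device the tunnel is a shared Ethernet segment, so that means every other client on the server's bridge, not only the server. For a router that merely consumes resources behind the VPN, `option input 'REJECT'` is the safe default, with explicit `config rule` entries for anything that must be reachable. The "transparent" variant additionally forwards VPN_client to lan, which exposes the whole LAN to that same segment; the closing sentence about the server's routing should also advise restricting that forwarding to the server's address or subnet. Smaller points: "your router should allow access its clients resources behind the VPN server over NAT" is garbled (read: "should allow its clients to reach resources behind the VPN server, masqueraded behind the router's VPN address"); and the removed text promised that all client traffic leaves via the VPN, which the new sections no longer claim; if that is still intended, it needs the server to push redirect-gateway def1 (or the client to set it), since the masquerading zone alone adds no routes beyond those OpenVPN installs for the VPN subnet.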

doc/howto/vpn.client.openvpn.tap.1351523024.txt.bz2 · Last modified: 2012/10/29 16:03 by zend