doc:howto:vpn.client.openvpn.tap

Revision 2015/01/27 23:34 (current) by lukeshu, "change title", compared with revision 2012/10/29 16:03 by zend.
====== OpenVPN client with TAP (Layer 2) device ======
| :!: There are many redundant wiki pages relating to configuring OpenVPN on OpenWrt. Some are better than others, and others are an out-of-date muddled mess. For a reasonably complete and up-to-date guide to installing, configuring and troubleshooting OpenVPN clients and servers on OpenWrt (including creating a simple PKI), consider starting with [[doc/howto/vpn.openvpn]] instead of this page. It is not that the other pages aren't worth reading; it is just that (IMHO) [[doc/howto/vpn.openvpn]] is a better place to start (it was rewritten from scratch just a few weeks ago). Maybe you could improve it further rather than edit this page? :!: |

This page has several issues (as of May 2014), including being two years out of date. It also advocates TAP rather than TUN, where TUN would in most cases be preferable: a TAP device carries whole Ethernet frames (including broadcasts) and is only needed when the VPN has to be bridged into a LAN or carry non-IP protocols, while a TUN device carries only IP packets and has less overhead. If you definitely want TAP rather than TUN, then [[doc/howto/vpn.openvpn]] might still be a useful place to visit.

| For an overview of all existing Virtual Private Network (VPN) related articles in the OpenWrt wiki, please visit [[doc/howto/vpn.overview]] |

===== Configuring the client =====

Put the client section into /etc/config/openvpn. UCI option names may only contain letters, digits and underscores; the init script turns an underscore into the hyphen of the OpenVPN directive (persist_key becomes --persist-key), and a hyphenated name such as persist-key makes uci reject the file.

<code>
config 'openvpn' 'name_of_the_connection'
	option 'client' '1'
	option 'remote' 'ip.address.of.server'
	option 'port' '1194'
# tcp or udp; the server must use the same transport (see the note below)
	option 'proto' 'tcp'
# a TAP device; the server must also run in TAP mode
	option 'dev' 'tap0'
	option 'ca' '/path/to/ca.crt'
	option 'cert' '/path/to/client.crt'
	option 'key' '/path/to/client.key'
# only accept a peer whose certificate is marked as a server certificate;
# without this any client certificate from the same CA can impersonate the server
	option 'remote_cert_tls' 'server'
	option 'comp_lzo' '1'
	option 'keepalive' '10 120'
	option 'status' '/tmp/openvpn.status'
	option 'persist_key' '1'
	option 'persist_tun' '1'
# 7 logs every packet; lower it to 3 once the tunnel works
	option 'verb' '7'
	option 'mute' '20'
	option 'nobind' '1'
</code>

Note that using TCP gets through firewalls and proxies that block UDP, but it is slower: the tunnelled connections already retransmit on their own, and doing so again inside the outer TCP session makes the tunnel stall under packet loss. Use UDP unless the network forces you to use TCP, and keep the client's proto in step with the server. The certificate and key files should be readable by root only (chmod 600), since whoever can read client.key can join the VPN as this router.

===== Starting and enabling OpenVPN =====
Either start OpenVPN once, for the current boot only:
<code>
/etc/init.d/openvpn start
</code>

Or make it start at boot:
<code>
/etc/init.d/openvpn enable
</code>

(enable only installs the boot link; run start as well if you want the tunnel up now.) If your internet connection works and everything in your config is correct (the certificates, key and server details usually come from your VPN provider), the system log (logread) should show:
<code>Initialization Sequence Completed</code>

If it does not, look in the same log for TLS handshake or certificate verification errors before changing anything else; they name the check that failed.


===== Routing traffic over NAT =====

To actually access the resources behind the VPN server, first create a new interface in /etc/config/network. OpenVPN itself assigns the address of tap0, so the interface uses proto none and gets no address of its own:
<code>
config interface 'VPN_client'
	option proto 'none'
	option ifname 'tap0'
</code>

And then modify your /etc/config/firewall:
<code>
config zone
	option name 'VPN_client'
	option masq '1'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'VPN_client'

config forwarding
	option dest 'VPN_client'
	option src 'lan'
</code>

After restarting the network and the firewall (/etc/init.d/network restart and /etc/init.d/firewall restart), your router will let its LAN clients reach the resources behind the VPN server. Because the zone masquerades, all LAN traffic leaves the tunnel with the router's tap0 address as source, so the server needs no route back to your LAN; the flip side is that nothing on the server side can initiate connections to LAN hosts. Note that input 'ACCEPT' makes the router's own services (SSH, LuCI, DNS) reachable from every host on the VPN segment, not just the server; with a TAP device that segment is a shared broadcast domain, so set input to 'REJECT' and add explicit rules if the server side is not fully trusted.

===== Routing client traffic transparently =====

If you want transparent routing, with your LAN clients reachable from the server side, modify your /etc/config/network as above and put this into your /etc/config/firewall:
<code>
config zone
	option name 'VPN_client'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'VPN_client'

config forwarding
	option dest 'lan'
	option src 'VPN_client'

config forwarding
	option dest 'VPN_client'
	option src 'lan'
</code>

Without masquerading, packets from your LAN arrive at the server with their original LAN source addresses, so your server will have to be configured to route traffic for your LAN subnet over its VPN interface (towards the tap address of this client); otherwise the replies follow the server's default route and the tunnel appears to carry nothing. The forwarding from VPN_client to lan lets any host on the VPN segment, not only the server, open connections into your LAN, and input 'ACCEPT' does the same for the router's own services; if the peers on that segment are not all trusted, restrict both to explicit rules for the server's address.
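The UCI fragments in the client and firewall sections above are easy to get subtly wrong: a hyphenated option name such as persist-key is not a valid UCI name, a client without remote_cert_tls accepts any certificate issued by the CA as the server, and a zone with input ACCEPT plus a forwarding into lan exposes the router and the LAN to the whole tap segment. The POSIX shell script below is an added example and is not part of this wiki page, of OpenWrt or of the OpenVPN project. It parses plain UCI file syntax with awk (no uci binary or router needed) and reports those findings for constructed copies of the page's openvpn section (the original and a corrected variant) and of the transparent-routing firewall section. The zone name VPN_client, the verb threshold and the message wording are the example's own choices.

```sh
#!/bin/sh
# Added example (not from the OpenWrt wiki): offline lint for the UCI
# sections on this page. Parses plain UCI syntax with awk, so it needs
# neither the uci binary nor a router. One finding per output line.

# Lint an /etc/config/openvpn file.
#  ERROR  option name with '-': UCI names allow only [A-Za-z0-9_], and
#         the parser rejects the whole file, so nothing in it is applied
#  WARN   no remote_cert_tls / ns_cert_type / verify_x509_name, verb > 4
#  INFO   comp_lzo enabled, proto tcp
lint_openvpn() {
    awk -v q="'" '
    function check() {
        if (!seen) return
        if (!("remote_cert_tls" in o) && !("ns_cert_type" in o) && !("verify_x509_name" in o))
            print sec ": WARN no remote_cert_tls/verify_x509_name: any certificate issued by the CA, e.g. another client cert, is accepted as the server"
        if (("verb" in o) && o["verb"] + 0 > 4)
            print sec ": WARN verb " o["verb"] " logs every packet; use 3, or 4 while troubleshooting"
        if (o["comp_lzo"] == "1")
            print sec ": INFO comp_lzo: compressing encrypted traffic is discouraged; disable unless the server requires it"
        if (o["proto"] ~ /^tcp/)
            print sec ": INFO proto " o["proto"] ": TCP inside TCP stalls under packet loss; use udp unless a firewall forces tcp"
        split("", o)
    }
    { gsub(q, "") }                       # strip the single quotes UCI allows
    $1 == "config" { check(); sec = $2 "." $3; seen = 1; next }
    $1 == "option" {
        k = $2; v = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]*/, "", v)
        if (k ~ /-/) {
            u = k; gsub(/-/, "_", u)
            print sec ": ERROR option " k " is not a valid UCI name (the parser rejects the whole file); write " u
        }
        o[k] = v
    }
    END { check() }' "$1"
}

# Lint an /etc/config/firewall file for the zone named $2.
lint_firewall() {
    awk -v q="'" -v z="$2" '
    { gsub(q, "") }
    $1 == "config" { n++; t[n] = $2; next }
    $1 == "option" { v = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]*/, "", v); o[n, $2] = v }
    END {
        for (i = 1; i <= n; i++) {
            if (t[i] == "zone" && o[i, "name"] == z) {
                found = 1
                if (o[i, "input"] == "ACCEPT")
                    print "zone " z ": WARN input ACCEPT: ssh, LuCI and DNS on the router itself are reachable from every host on the tap segment; use REJECT plus explicit rules"
                if (o[i, "masq"] == "1")
                    print "zone " z ": INFO masq 1: LAN hosts are hidden behind the tap address, nothing behind the server can initiate connections to them"
            }
            if (t[i] == "forwarding" && o[i, "src"] == z)
                print "forwarding " z " -> " o[i, "dest"] ": WARN every peer on the shared layer-2 segment, not only the server, can open connections into " o[i, "dest"]
        }
        if (!found) print "ERROR no zone named " z
    }' "$1"
}

# Constructed inputs (not real configs): the openvpn section as on this
# page, a corrected variant, and the transparent-routing firewall zone.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/openvpn.page" <<'EOF'
config 'openvpn' 'name_of_the_connection'
	option 'client' '1'
	option 'proto' 'tcp'
	option 'dev' 'tap0'
	option 'comp_lzo' '1'
	option 'keepalive' '10 120'
	option 'persist-key' '1'
	option 'persist-tun' '1'
	option 'verb' '7'
EOF
cat > "$tmp/openvpn.fixed" <<'EOF'
config 'openvpn' 'name_of_the_connection'
	option 'client' '1'
	option 'proto' 'udp'
	option 'dev' 'tap0'
	option 'remote_cert_tls' 'server'
	option 'persist_key' '1'
	option 'persist_tun' '1'
	option 'verb' '3'
EOF
cat > "$tmp/firewall" <<'EOF'
config zone
	option name 'VPN_client'
	option input 'ACCEPT'
	option forward 'REJECT'
	option network 'VPN_client'

config forwarding
	option dest 'lan'
	option src 'VPN_client'

config forwarding
	option dest 'VPN_client'
	option src 'lan'
EOF

echo "== openvpn section as on the page =="; lint_openvpn "$tmp/openvpn.page"
echo "== corrected openvpn section (expect no output) =="; lint_openvpn "$tmp/openvpn.fixed"
echo "== transparent-routing firewall =="; lint_firewall "$tmp/firewall" VPN_client
```

On a router the same functions can be pointed at the real files (lint_openvpn /etc/config/openvpn; lint_firewall /etc/config/firewall VPN_client). The awk parser only understands the config/option lines used on this page; list entries and named firewall sections are ignored rather than misreported.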