Differences


doc:howto:vpn.client.openvpn.tap [2013/10/28 08:28]
lorema
doc:howto:vpn.client.openvpn.tap [2014/01/05 22:40] (current)
sup Modified the page to use UCI and added details on firewall configuration
Line 1: Line 1:
====== Using Openwrt as OpenVPN client with tap device  ====== ====== Using Openwrt as OpenVPN client with tap device  ======
| For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit [[doc/howto/vpn.overview]] | | For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit [[doc/howto/vpn.overview]] |
- 
-This is just a quick and dirty guide, because there was nothing on this topic yet.  
===== Installation ===== ===== Installation =====
Line 11: Line 9:
</code> </code>
-===== Starting/Configuring the client ===== +===== Configuring the client =====
-Put the client config(ovpn file and key/cert files) somewhere in /root. (In this guide we assume that it's +
-a configuration with tap device, ''dev tap'' should be defined in the opvn config file, if the corresponding +
-server is configured for tun, this isn't the right guide for you)+
-Run openvpn like this +<code> 
-<code>openvpn --config myvpnconfig.ovpn</code>+config 'openvpn' 'name_of_the_connection' 
 + option 'client' '1' 
 + option 'remote' 'ip.address.of.server' 
 + option 'port' '1194' 
 + option 'proto' 'tcp' 
 + option 'dev' 'tap0' 
 + option 'ca' '/path/to/ca.crt' 
 + option 'cert' '/path/to/client.crt' 
 + option 'key' '/path/to/client.key' 
 + option 'comp_lzo' '1' 
 + option 'keepalive' '10 120' 
 + option 'status' '/tmp/openvpn.status' 
 + option 'persist-key' '1' 
 + option 'persist-tun' '1' 
 + option 'verb' '7' 
 + option 'mute' '20' 
 + option 'nobind' '1' 
 +</code> 
 + 
 +Note that using TCP is more reliable but somewhat slower. 
 + 
 +===== Starting and enabling OpenVPN ===== 
 +Either run OṕenVPN only once: 
 +<code> 
 +/etc/init.d/openvpn start 
 +</code> 
 + 
 +Or make it start at boot: 
 +<code> 
 +/etc/init.d/openvpn enable 
 +</code>
If your internet connection works and everything in your config is correct (which you usually get from your VPN provider), If your internet connection works and everything in your config is correct (which you usually get from your VPN provider),
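Review bot: the option names `persist-key` and `persist-tun` in the new UCI block are inconsistent with `comp_lzo` a few lines above; UCI option names may only contain letters, digits and underscores, and the underscore-to-hyphen translation that `comp_lzo` relies on is exactly how hyphenated OpenVPN options are expressed, so these should read `option 'persist_key' '1'` and `option 'persist_tun' '1'` or the section will not parse. Two smaller points on the same block: `option 'verb' '7'` is a debugging level that logs per-packet detail into the router's small log buffer, so `3` is the usual value once `Initialization Sequence Completed` has been seen; and the client as shown verifies the server only against the CA given in `option 'ca'`, so any certificate issued by that CA could present itself as the server unless the server role is also pinned (OpenVPN's `remote-cert-tls server`, written as `option 'remote_cert_tls' 'server'` under the same underscore convention). Also "OṕenVPN" in the new "Either run OṕenVPN only once" line carries a stray accent.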
Line 23: Line 48:
<code>Initialization Sequence Completed</code> <code>Initialization Sequence Completed</code>
-Now you should be able to access the internet from your router and your IP address to the outside world will be the one of the VPN server, but what we really want is to transparently forward the openvpn connection 
-to the router clients. 
-To do that you need this command: 
-<code>iptables -t nat -A POSTROUTING -o tap+ -j SNAT --to-source 10.xx.x.xx</code> 
-10.xx.x.xx needs to be replaced with your address in the VPN. 
-Run: 
-<code>ifconfig tap0</code> 
-and look for `inet address` to get the correct one. 
-Now the router clients should reach the internet again, but everything will be routed through the VPN.+===== Routing traffic over NAT =====
-As always, if you want to have this available on reboot, you can put a few lines into /etc/rc.local before exit 0, ie.:+To actually access the resources behind the VPN server, first create a new interface in /etc/config/network:
<code> <code>
-iptables -t nat -A POSTROUTING -o tap+ -j SNAT --to-source 10.xx.x.xx +config interface 'VPN_client' 
-openvpn --config /root/myvpnconfig.ovpn & + option proto 'none' 
-exit 0+ option ifname 'tap0'
</code> </code>
 +
 +And then modify your /etc/config/firewall:
 +<code>
 +config zone
 + option name 'VPN_client'
 + option masq '1'
 + option input 'ACCEPT'
 + option forward 'REJECT'
 + option output 'ACCEPT'
 + option network 'VPN_client'
 +
 +config forwarding
 + option dest 'VPN_client'
 + option src 'lan'
 +</code>
 +
 +After restarting your firewall and network, your router should allow access its clients resources behind the VPN server over NAT.
 +
 +===== Routing client traffic transparently =====
 +
 +If you want transparent routing and clients accesible from the server, modify your /etc/config/network as above and put this into your /etc/config/firewall:
 +<code>
 +config zone
 + option name 'VPN_client'
 + option input 'ACCEPT'
 + option forward 'REJECT'
 + option output 'ACCEPT'
 + option network 'VPN_client'
 +
 +config forwarding
 + option dest 'lan'
 + option src 'VPN_client'
 +
 +config forwarding
 + option dest 'VPN_client'
 + option src 'lan'
 +</code>
 +
 +Your server will have to be configured to route traffic to your LAN subnet over its VPN interface in this case.
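Review bot: both new firewall fragments set `option input 'ACCEPT'` on the `VPN_client` zone, which lets anything reachable over `tap0` (the server and, depending on how the server is set up, every other peer on that VPN) connect to the router's own services; `option input 'REJECT'` plus explicit `config rule` entries for what is actually needed is the safer default, mirroring how the `wan` zone is normally treated. In the "transparent" variant this matters more, because the added `config forwarding` with `src 'VPN_client'` and `dest 'lan'` also opens the whole LAN to the VPN side and the zone has no `masq`, so the paragraph before it should say plainly that this is a two-way trust relationship with the VPN, not only a routing change. Minor: "After restarting your firewall and network" should name the commands (`/etc/init.d/network restart` and `/etc/init.d/firewall restart`), "allow access its clients resources" is missing words, and "accesible" is misspelled.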


doc/howto/vpn.client.openvpn.tap.1382945295.txt.bz2 · Last modified: 2013/10/28 08:28 by lorema