
OpenVPN client with TUN (Layer 3) device

:!: There are many redundant wiki pages relating to configuring OpenVPN on OpenWrt. Some are better than others, and others are an out-of-date muddled mess. For a reasonably complete / up-to-date guide to installing, configuring and troubleshooting OpenVPN clients & servers on OpenWrt (including creating a simple PKI), could I suggest you consider starting with vpn.openvpn instead of this page. It is not that the other pages aren't worth reading; it is just that (IMHO) vpn.openvpn is a better place to start (it has been rewritten from scratch just a few weeks ago). Maybe you could improve it further rather than edit this page? :!:

This page covers some issues not raised in vpn.openvpn; if you are new to OpenVPN, however, vpn.openvpn is still a useful place to start.

For an overview of all existing Virtual Private Network (VPN)-related articles in the OpenWrt wiki, see vpn.overview.

This document walks through setting up the following example configuration:

           +-[OpenWrt router]-------+
           |                        |
           |  +[LAN]-------------+  |
  you   ---+--| IP: 192.168.1.1  |  |
           |  +------------------+  |
           |                        |
           |  +[OpenVPN client 1]+  |   +-[OpenVPN server 1]----+
           |  |                  |  |   | Public IP: 66.77.88.9 |   /
           |  | Iface: tun0      |--+---| Tunnel IP: 10.2.1.1   |---- { 128.39.x.x
           |  | IP: 10.2.1.6     |  |   +-----------------------+   \ 
           |  +------------------+  |
           |                        |   +-[OpenVPN server 2]----+
           |  +[OpenVPN client 2]+  |   | Public IP: 22.33.44.9 |   /
           |  | Iface: tun1      |--+---| Tunnel IP: 10.66.88.1 |---- { some other network
           |  | IP: 10.66.88.102 |  |   +-----------------------+   \ 
           |  +------------------+  |
           |                        |
           +------------------------+

Create OpenVPN configuration

:!: This section describes configuring OpenVPN through LuCI. The LuCI module for OpenVPN no longer exists; this needs to be re-written for plain uci. Or, perhaps you'd like to update the LuCI module? :!:

In LuCI (http://192.168.1.1) go to Services → OpenVPN.

Select "Client configuration for a routed multi-client VPN" → Add. The following steps can vary depending on the server configuration:

nobind: checked

comp_lzo: checked

proto: udp

client: checked

remote: 66.77.88.9

ca: upload your CA file

cert: upload your certificate file

key: upload your key file

→ Save

Repeat the same steps for the second client.

Now you can start the clients with the Start/Stop button. If the configuration is OK, LuCI shows "Started: yes (process id 32165)". To check again on the console, type ifconfig:

...
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.2.1.6  P-t-P:10.2.1.5  Mask:255.255.255.255
...
tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.66.88.102  P-t-P:10.66.88.101  Mask:255.255.255.255
...

Test the tunnel:

ping 10.2.1.6

ping 10.2.1.1

ping 128.39.1.1

If the tests succeed, configure the firewall so that the clients in your network can use the tunnel.

The resulting configuration files:

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ifname 'eth0'
	option stp '1'

config interface 'vpn'
	option ifname 'tun0'
	option defaultroute '0'
	option peerdns '0'
	option proto 'none'

config interface 'vpn2'
	option proto 'none'
	option ifname 'tun1'
	option auto '1'

/etc/config/openvpn

config openvpn 'client_tun_0'
	option enabled '1'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_tun '1'
	option persist_key '1'
	option ca '/lib/uci/upload/cbid.openvpn.client_tun_0.ca'
	option key '/lib/uci/upload/cbid.openvpn.client_tun_0.key'
	option cert '/lib/uci/upload/cbid.openvpn.client_tun_0.cert'
	option comp_lzo 'yes'
	option verb '3'
	option float '1'
	option pull '1'
	option remote 'remoteadress 1194'
	option tls_client '1'
	option enable '1'

config openvpn 'client_tun_1'
	option enabled '1'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_tun '1'
	option persist_key '1'
	option comp_lzo '1'
	option verb '3'
	option float '1'
	option pull '1'
	option remote '1.2.3.4 10194'
	option tls_client '1'
	option ca '/lib/uci/upload/cbid.openvpn.client_tun_1.ca'
	option cert '/lib/uci/upload/cbid.openvpn.client_tun_1.cert'
	option key '/lib/uci/upload/cbid.openvpn.client_tun_1.key'
	option enable '1'

Modify your firewall

In LuCI go to Network → Interfaces.

Create the new interfaces:

Add new interface → vpn → Protocol = Unmanaged; on the Physical Settings tab select Ethernet Adapter: tun0 and Save.

Add new interface → vpn2 → Protocol = Unmanaged; on the Physical Settings tab select Ethernet Adapter: tun1 and Save.

Now for the firewall: go to Network → Firewall → General Settings.

Zones → Add

Name: VPN

Input: accept

Output: accept

Forward: accept

Masquerading: checked

Covered networks: vpn, vpn2

Inter-Zone Forwarding

Allow forward to destination zones: lan

Allow forward from source zones: lan

The resulting firewall configuration:

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'lan'

config zone
	option name 'wan'
	option network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option network 'vpn vpn2'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config forwarding
	option src 'vpn'
	option dest 'lan'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'vpn'
	option src 'lan'
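The note at the top of the "Create OpenVPN configuration" section asks for a plain-uci version of the LuCI steps. The following shell script is an added example (not from the wiki page or the OpenWrt project) that prints the `uci batch` commands reproducing the three configuration files above. It assumes the CA, certificate and key files are stored as /etc/openvpn/<name>.ca, .crt and .key, and it pins the device names (tun0/tun1), which the page's `option dev 'tun'` does not, so that the vpn/vpn2 network interfaces cannot swap tunnels when the instances start in a different order; the firewall zone mirrors the page, including input ACCEPT from the tunnel.

```shell
# Added example, not from the original page: print `uci batch` lines that
# rebuild the openvpn, network and firewall stanzas above. Assumptions:
# ca/cert/key live at /etc/openvpn/<name>.{ca,crt,key}; the tun device is
# pinned (tun0/tun1) so each 'vpn*' interface always binds to the same tunnel.
# gen_client NAME TUNDEV HOST PORT -> client instance in /etc/config/openvpn
gen_client() {
    cat <<EOF
set openvpn.$1=openvpn
set openvpn.$1.enabled='1'
set openvpn.$1.client='1'
set openvpn.$1.dev='$2'
set openvpn.$1.proto='udp'
set openvpn.$1.remote='$3 $4'
set openvpn.$1.nobind='1'
set openvpn.$1.resolv_retry='infinite'
set openvpn.$1.persist_tun='1'
set openvpn.$1.persist_key='1'
set openvpn.$1.ca='/etc/openvpn/$1.ca'
set openvpn.$1.cert='/etc/openvpn/$1.crt'
set openvpn.$1.key='/etc/openvpn/$1.key'
set openvpn.$1.verb='3'
EOF
}
# gen_iface NAME TUNDEV -> unmanaged interface in /etc/config/network
gen_iface() {
    printf "set network.%s=interface\nset network.%s.proto='none'\nset network.%s.ifname='%s'\n" "$1" "$1" "$1" "$2"
}
# fwd SRC DEST -> one 'config forwarding' section
fwd() {
    printf "add firewall forwarding\nset firewall.@forwarding[-1].src='%s'\nset firewall.@forwarding[-1].dest='%s'\n" "$1" "$2"
}
# gen_zone NAME "NETWORKS" -> the zone as on this page (input ACCEPT from the
# tunnel; use REJECT unless the router itself must be reachable from the far end)
gen_zone() {
    cat <<EOF
add firewall zone
set firewall.@zone[-1].name='$1'
set firewall.@zone[-1].network='$2'
set firewall.@zone[-1].input='ACCEPT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='ACCEPT'
set firewall.@zone[-1].masq='1'
EOF
    fwd lan "$1"; fwd "$1" lan
}
# Addresses from the diagram; client 2's port is the one in the page's config.
gen_all() {
    gen_client client_tun_0 tun0 66.77.88.9 1194; gen_client client_tun_1 tun1 22.33.44.9 10194
    gen_iface vpn tun0; gen_iface vpn2 tun1; gen_zone vpn 'vpn vpn2'
}
```

On the router, source the script and run `gen_all | uci batch && uci commit`, then restart network, firewall and openvpn. Running `gen_all` on its own shows exactly what will be written before anything is applied.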

doc/howto/vpn.client.openvpn.tun.txt · Last modified: 2015/01/27 23:33 by lukeshu