OpenWrt configuration example with 2 OpenVPN tunnels

:!: There are many redundant wiki pages relating to configuring OpenVPN on OpenWrt. Some are better than others, and others are an out-of-date muddled mess. For a reasonably complete / up-to-date guide to installing, configuring and troubleshooting OpenVPN clients & servers on OpenWrt (including creating a simple PKI), could I suggest you consider starting with vpn.openvpn instead of this wiki. :!:

It is not that the other wikis aren't worth reading; it is just that (IMHO) vpn.openvpn is a better place to start (it has been rewritten from scratch just a few weeks ago). Maybe you could improve it further rather than edit this wiki?

In this instance, this wiki covers issues not raised in vpn.openvpn. However, if you're new to OpenVPN, then it might still be a useful place to visit first.

For an overview of all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit vpn.overview

Example topology used on this page:

Router (OpenWrt) LAN IP: 192.168.1.1

OpenVPN client 1: tun0, tunnel IP 10.2.1.6, clients behind the tunnel 128.39.x.x

OpenVPN client 2: tun1, tunnel IP 10.66.88.102

OpenVPN server 1: IP 66.77.88.9, tunnel IP 10.2.1.1

OpenVPN server 2: IP 22.33.44.9, tunnel IP 10.66.88.1

Installation

  1. Install the openvpn package:

  opkg update
  opkg install openvpn

  Or, if you prefer to configure OpenVPN via the GUI, install the LuCI app as well:

  opkg update
  opkg install openvpn luci-app-openvpn

Create OpenVPN configuration

In LuCI (http://192.168.1.1) go to Services → OpenVPN

Select the template "Client configuration for a routed multi-client VPN" → Add. The further steps can vary depending on the server configuration; the values below match the example topology (x = checkbox ticked).

nobind      x

comp_lzo    x

proto       udp

client      x

remote      66.77.88.9

ca          upload your CA file

cert        upload your certificate file

key         upload your private key file

→ Save

Repeat the same steps for the second client (remote 22.33.44.9).

Now you can start the clients with the Start/Stop button. If the configuration is OK, LuCI shows "Started: yes (process id 32165)". To double-check on the console, type ifconfig:

  [snip]
  tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
            inet addr:10.2.1.6  P-t-P:10.2.1.5  Mask:255.255.255.255
  [snip]
  tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
            inet addr:10.66.88.102  P-t-P:10.66.88.101  Mask:255.255.255.255
  [snip]

Test the tunnel:

ping 10.2.1.6      (your own tunnel IP on tun0)

ping 10.2.1.1      (the tunnel IP of server 1)

ping 128.39.1.1    (a host behind the tunnel)

If the tests are OK, configure the firewall so that the clients in your network can go through the tunnel.
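The three pings above can be scripted so that every tunnel on the router is checked the same way each time. The script below is an added example, not part of this wiki or of OpenWrt: it reads the tunnel's own address and peer address out of ifconfig output, then pings the local tunnel IP, the server's tunnel IP and, optionally, a host behind the tunnel. The sample ifconfig output embedded in it is constructed to match the tun0/tun1 lines shown above; the function names (tun_ip, tun_peer, check_tunnel) are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki): parse tunnel addresses out of `ifconfig`
# output and run the page's three pings per tunnel. The sample output below is
# constructed to match the interfaces shown on this page.

sample_ifconfig() {
  cat <<'EOF'
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.2.1.6  P-t-P:10.2.1.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.66.88.102  P-t-P:10.66.88.101  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
EOF
}

# Print field 2 ("inet addr:...") or field 3 ("P-t-P:...") of the inet line of
# interface $1, reading ifconfig output from stdin. Prints nothing when the
# interface is absent or has no IPv4 address (tunnel not up).
tun_field() {
  awk -v ifc="$1" -v fld="$2" '
    $1 == ifc { found = 1; next }          # header line of the wanted interface
    /^[^ \t]/ { found = 0 }                # header line of some other interface
    found && $1 == "inet" { sub(/^[^:]*:/, "", $fld); print $fld; exit }
  '
}
tun_ip()   { tun_field "$1" 2; }
tun_peer() { tun_field "$1" 3; }

# Return 0 if the interface exists and carries an address, 1 otherwise.
tun_present() {  # $1 = interface, stdin = ifconfig output
  [ -n "$(tun_field "$1" 2)" ]
}

# On the router: verify one tunnel the way this page does.
# $1 = tun interface, $2 = server's tunnel IP, $3 = a host behind the tunnel (optional).
check_tunnel() {
  out=$(ifconfig "$1" 2>/dev/null) || { echo "$1: interface missing"; return 1; }
  me=$(printf '%s\n' "$out" | tun_ip "$1")
  [ -n "$me" ] || { echo "$1: no address, tunnel not up"; return 1; }
  echo "$1: local $me, peer $(printf '%s\n' "$out" | tun_peer "$1")"
  for host in "$me" "$2" ${3:+"$3"}; do
    if ping -c 1 -W 2 "$host" >/dev/null 2>&1; then
      echo "  $host reachable"
    else
      echo "  $host NOT reachable"
    fi
  done
}

# Offline demo on the constructed sample:
sample_ifconfig | tun_ip tun0    # 10.2.1.6
sample_ifconfig | tun_peer tun1  # 10.66.88.101

# Usage on the router (values from this page):
#   check_tunnel tun0 10.2.1.1 128.39.1.1
#   check_tunnel tun1 10.66.88.1
```

A tunnel that shows an address but whose peer does not answer usually means the OpenVPN process is up but the server side is rejecting or not routing; a missing address means the client never completed the TLS handshake, and the OpenVPN log (logread) is the place to look next.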

The resulting config files

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ifname 'eth0'
	option stp '1'

config interface 'vpn'
	option ifname 'tun0'
	option defaultroute '0'
	option peerdns '0'
	option proto 'none'

config interface 'vpn2'
	option proto 'none'
	option ifname 'tun1'
	option auto '1'

/etc/config/openvpn

config openvpn 'client_tun_0'
	option enabled '1'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_tun '1'
	option persist_key '1'
	option ca '/lib/uci/upload/cbid.openvpn.client_tun_0.ca'
	option key '/lib/uci/upload/cbid.openvpn.client_tun_0.key'
	option cert '/lib/uci/upload/cbid.openvpn.client_tun_0.cert'
	option comp_lzo 'yes'
	option verb '3'
	option float '1'
	option pull '1'
	option remote 'remoteadress 1194'
	option tls_client '1'
	option enable '1'

config openvpn 'client_tun_1'
	option enabled '1'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_tun '1'
	option persist_key '1'
	option comp_lzo '1'
	option verb '3'
	option float '1'
	option pull '1'
	option remote '1.2.3.4 10194'
	option tls_client '1'
	option ca '/lib/uci/upload/cbid.openvpn.client_tun_1.ca'
	option cert '/lib/uci/upload/cbid.openvpn.client_tun_1.cert'
	option key '/lib/uci/upload/cbid.openvpn.client_tun_1.key'
	option enable '1'
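The two sections above are what LuCI writes. The same sections can be created from the router's shell with uci, which is handy when you set up several routers. The script below is an added example, not part of this wiki or of OpenWrt; it assumes the CA, certificate and key files have already been copied to the /lib/uci/upload paths used above, and the function names (gen_client_uci, missing_client_options) are this example's own. Two deliberate differences from the page's sections: it sets remote_cert_tls 'server', so the client only accepts a server certificate issued for the server role (another client's certificate from the same CA cannot impersonate the server), and it leaves out comp_lzo, since OpenVPN's own documentation advises against compression on an encrypted tunnel.

```shell
#!/bin/sh
# Added example (not from the wiki): print the `uci batch` commands that create
# one OpenVPN client section equivalent to the LuCI steps on this page. Pipe
# the output into `uci batch` on the router. Certificate paths follow the
# /lib/uci/upload layout shown above; NAME, REMOTE and PORT are the caller's.

gen_client_uci() {  # $1 = section name, $2 = server address, $3 = server port
  name="$1"; remote="$2"; port="$3"
  cat <<EOF
set openvpn.$name=openvpn
set openvpn.$name.enabled='1'
set openvpn.$name.client='1'
set openvpn.$name.dev='tun'
set openvpn.$name.proto='udp'
set openvpn.$name.nobind='1'
set openvpn.$name.resolv_retry='infinite'
set openvpn.$name.persist_tun='1'
set openvpn.$name.persist_key='1'
set openvpn.$name.remote='$remote $port'
set openvpn.$name.remote_cert_tls='server'
set openvpn.$name.ca='/lib/uci/upload/cbid.openvpn.$name.ca'
set openvpn.$name.cert='/lib/uci/upload/cbid.openvpn.$name.cert'
set openvpn.$name.key='/lib/uci/upload/cbid.openvpn.$name.key'
set openvpn.$name.verb='3'
commit openvpn
EOF
}

# Check that a batch (stdin) sets every option a client section needs before
# it is started. Prints the missing option names; returns 1 if any is missing.
missing_client_options() {  # $1 = section name
  name="$1"; rc=0
  batch=$(cat)
  for key in client dev proto remote ca cert key remote_cert_tls; do
    printf '%s\n' "$batch" | grep -q "^set openvpn\.$name\.$key=" || { echo "$key"; rc=1; }
  done
  return $rc
}

# Usage on the router (values from this page; server 2 listens on 10194):
#   gen_client_uci client_tun_0 66.77.88.9 1194 | uci batch
#   gen_client_uci client_tun_1 22.33.44.9 10194 | uci batch
#   /etc/init.d/openvpn restart
```

Run gen_client_uci once per tunnel; uci batch applies the whole section atomically and `commit openvpn` writes /etc/config/openvpn, after which the init script picks up both sections.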

Modify your firewall

In LuCI go to Network → Interfaces

Create the new interfaces:

Add new interface → name: vpn → Protocol: Unmanaged; on the tab Physical Settings tick Ethernet Adapter: tun0 and Save

Add new interface → name: vpn2 → Protocol: Unmanaged; on the tab Physical Settings tick Ethernet Adapter: tun1 and Save

Now the firewall: go to Network → Firewall → General Settings

Zones → Add

Name: VPN

Input: accept

Output: accept

Forward: accept

Masquerading: x

Covered networks: vpn = x, vpn2 = x

Inter-Zone Forwarding

Allow forward to destination zones: lan = x

Allow forward from source zones: lan = x

The resulting firewall config

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'lan'

config zone
	option name 'wan'
	option network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option network 'vpn vpn2'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config forwarding
	option src 'vpn'
	option dest 'lan'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'vpn'
	option src 'lan'
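Note what this zone does: with input, forward and the vpn → lan forwarding all set to ACCEPT, anything that can reach the router through either tunnel (the server, and on tunnel 1 the whole 128.39.x.x side) can open connections to the router itself and to every host on the LAN, not only answer connections the LAN started. That is fine if the remote side is trusted; if the goal is only that "the clients in your network can go through the tunnel", the lan → vpn forwarding alone is enough, because the firewall is stateful and return traffic is allowed automatically. The script below is an added example, not part of this wiki or of OpenWrt: it parses a firewall config in UCI format, lists the input/forward/masq policy of every zone, flags zones other than lan that accept traffic from their far side, and prints a tighter vpn zone for comparison. The embedded sample is a constructed, abbreviated copy of the config above (rules and the include are dropped), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki): audit /etc/config/firewall zones and show
# a tighter 'vpn' zone. The sample below is a constructed, abbreviated copy of
# the firewall config on this page.

write_sample_firewall() {  # $1 = file to write
  cat > "$1" <<'EOF'
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'lan'

config zone
	option name 'wan'
	option network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option network 'vpn vpn2'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'vpn'
EOF
}

# Print one line per zone: "<name> <input> <forward> <masq>".
# Assumption of this script: an absent input/forward option counts as REJECT
# and an absent masq as 0 (the page's config sets all of them explicitly).
audit_zones() {  # $1 = firewall config file
  awk -v q="'" '
    function report() {
      if (name != "") print name, inp, fwd, masq
      name = ""; inp = "REJECT"; fwd = "REJECT"; masq = "0"
    }
    $1 == "config" { report(); inzone = ($2 == "zone") }
    inzone && $1 == "option" {
      gsub(q, "", $3)                    # strip the UCI quotes
      if ($2 == "name")    name = $3
      if ($2 == "input")   inp  = $3
      if ($2 == "forward") fwd  = $3
      if ($2 == "masq")    masq = $3
    }
    END { report() }
  ' "$1"
}

# Zones other than lan that let the far side reach the router (input ACCEPT)
# or forward freely within the zone (forward ACCEPT).
permissive_zones() {  # $1 = firewall config file
  audit_zones "$1" | awk '$1 != "lan" && ($2 == "ACCEPT" || $3 == "ACCEPT") { print $1 }'
}

# Tighter replacement for the vpn zone: the router and the LAN accept no
# unsolicited traffic from the tunnel; only lan -> vpn is forwarded, and
# replies come back through the stateful firewall. Add a vpn -> lan
# forwarding only if the remote side must initiate connections into the LAN.
hardened_vpn_zone() {
  cat <<'EOF'
config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'vpn vpn2'

config forwarding
	option src 'lan'
	option dest 'vpn'
EOF
}

# Offline demo on the constructed sample; on the router use /etc/config/firewall.
f=$(mktemp)
write_sample_firewall "$f"
echo "zone input forward masq"
audit_zones "$f"
echo "permissive: $(permissive_zones "$f" | tr '\n' ' ')"   # permissive: vpn
rm -f "$f"
```

On the router, `audit_zones /etc/config/firewall` gives the same table for the live config; after replacing the vpn zone with the hardened stanza and running `/etc/init.d/firewall restart`, permissive_zones prints nothing and the tunnel still works for connections started from the LAN.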


doc/howto/vpn.client.openvpn.tun.txt · Last modified: 2014/10/21 09:06 by wifly