OpenWrt configuration example with two OpenVPN tunnels
Router (OpenWrt) IP: 192.168.1.1
OpenVPN client 1: tun0, tunnel IP 10.2.1.6; clients behind this tunnel: 128.39.x.x
OpenVPN client 2: tun1, tunnel IP 10.66.88.102
OpenVPN server 1: IP 66.77.88.9, tunnel IP 10.2.1.1
OpenVPN server 2: IP 22.33.44.9, tunnel IP 10.66.88.1
Installation
- Install the openvpn package:
opkg update
opkg install openvpn
Or, if you prefer to configure OpenVPN via the GUI:
opkg update
opkg install openvpn luci-app-openvpn
Create OpenVPN configuration
In LuCI (192.168.1.1) go to Services → OpenVPN.
Choose "Client configuration for a routed multi-client VPN" → Add. The further steps can vary depending on the server configuration:
nobind x
comp_lzo x
proto udp
client x
remote 66.77.88.9
ca upload your ca file
cert upload your cert file
key upload your key file
→ Save
Do the same for the second client.
Now you can start the clients with the Start/Stop button. If the configuration is ok, LuCI shows "Started: yes (process id 32165)". If you want to double-check on the console, type ifconfig:
snip
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.2.1.6 P-t-P:10.2.1.5 Mask:255.255.255.255
snip
tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.66.88.102 P-t-P:10.66.88.101 Mask:255.255.255.255
snip
Test the tunnels:
ping 10.2.1.6
ping 10.2.1.1
ping 128.39.1.1
If the tests are ok, configure the firewall so that the clients in your network can go through the tunnel.
The resulting config files:
/etc/config/network
# /etc/config/network: interface definitions on the router (192.168.1.1).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# LAN bridge; only eth0 is an active bridge member ('ifname' below).
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
# The _orig_* entries look like LuCI leftovers from an earlier edit in which
# tun0/tun1 were bridge members. NOTE(review): confirm the tun devices are not
# meant to be bridged into lan; they are attached to the 'vpn' zone instead.
option _orig_ifname 'eth0 wlan0 wlan0-1 tun0 tun1'
option _orig_bridge 'true'
option ifname 'eth0'
option stp '1'
# Logical interface for tunnel 1 (tun0), referenced by the 'vpn' firewall zone.
# proto 'none' = unmanaged: OpenVPN assigns the tunnel address (10.2.1.6) itself.
config interface 'vpn'
option ifname 'tun0'
option defaultroute '0'
option peerdns '0'
option proto 'none'
# Logical interface for tunnel 2 (tun1), also a member of the 'vpn' zone.
config interface 'vpn2'
option proto 'none'
option ifname 'tun1'
option auto '1'
# Duplicate of the 'proto' line above; harmless, but one of them should be removed.
option proto 'none'
/etc/config/openvpn
# /etc/config/openvpn: two client instances, one per tunnel.
# Client 1 -> tun0 (server 1, 66.77.88.9 in the example above).
config openvpn 'client_tun_0'
option enabled '1'
option client '1'
option dev 'tun'
option proto 'udp'
option resolv_retry 'infinite'
option nobind '1'
option persist_tun '1'
option persist_key '1'
# CA, key and certificate as uploaded through LuCI; the files are stored under
# /lib/uci/upload with these names. Keep the key file readable by root only.
option ca '/lib/uci/upload/cbid.openvpn.client_tun_0.ca'
option key '/lib/uci/upload/cbid.openvpn.client_tun_0.key'
option cert '/lib/uci/upload/cbid.openvpn.client_tun_0.cert'
# Link compression; current OpenVPN releases deprecate it, so leave it off
# unless the server requires it.
option comp_lzo '1'
option verb '3'
# 'float' lets the peer change its source address/port after the session is up.
# It relaxes the source-address check; drop it unless the server really roams.
option float '1'
option pull '1'
# Placeholder: replace 'remoteadress' with the server address (66.77.88.9 above).
option remote 'remoteadress 1194'
# 'client' already implies tls-client and pull, so this line is redundant.
option tls_client '1'
# NOTE(review): 'enable' is not an OpenVPN option and is probably a typo of
# 'enabled' (already set above); remove it. Consider adding
# `option remote_cert_tls 'server'` so the client only accepts a certificate
# issued by this CA for server use, not any client certificate from the same CA.
option enable '1'
# Client 2 -> tun1 (server 2 in the example above).
config openvpn 'client_tun_1'
option enabled '1'
option client '1'
option dev 'tun'
option proto 'udp'
option resolv_retry 'infinite'
option nobind '1'
option persist_tun '1'
option persist_key '1'
# See the notes on comp_lzo, float, tls_client and enable in client_tun_0.
option comp_lzo '1'
option verb '3'
option float '1'
option pull '1'
# Example address/port; the text above names server 2 as 22.33.44.9 -- confirm
# which one is meant.
option remote '1.2.3.4 10194'
option tls_client '1'
option ca '/lib/uci/upload/cbid.openvpn.client_tun_1.ca'
option cert '/lib/uci/upload/cbid.openvpn.client_tun_1.cert'
option key '/lib/uci/upload/cbid.openvpn.client_tun_1.key'
option enable '1'
Modify your firewall
In LuCI go to Network → Interfaces.
Create the new interfaces:
Add new interface → name: vpn → Protocol = Unmanaged; on the tab Physical Settings select Ethernet Adapter: tun0 and Save.
Add new interface → name: vpn2 → Protocol = Unmanaged; on the tab Physical Settings select Ethernet Adapter: tun1 and Save.
Now for the firewall: go to Network → Firewall → General Settings.
Zones → Add
Name: VPN
Input: accept
Output: accept
Forward: accept
Masquerading: x
Covered networks: vpn = x , vpn2=x
Inter-Zone Forwarding
Allow forward to destination zones: lan=x
Allow forward from source zones: lan=x
The resulting firewall config (note that the vpn zone accepts all input and forwarding from the tunnel side; restrict it if the remote networks are not fully trusted):
/etc/config/firewall
# /etc/config/firewall. Policies for traffic not matched by any zone.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# LAN zone: the router accepts connections from the LAN; forwarding out of the
# LAN is only allowed through the 'forwarding' sections below.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option network 'lan'
# WAN zone: nothing inbound except the explicit rules below; NAT for outbound.
config zone
option name 'wan'
option network 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# Tunnel zone covering both tun interfaces. All three policies are ACCEPT:
#  - input ACCEPT: every service listening on the router (e.g. LuCI) is
#    reachable from the remote side of either tunnel;
#  - forward ACCEPT: this also covers traffic between the zone's own networks,
#    so packets can be forwarded between vpn and vpn2 and the router links the
#    two remote networks to each other;
#  - masq: LAN sources are NATed to the tunnel address (10.2.1.6 / 10.66.88.102)
#    so the remote side needs no route back to 192.168.1.0/24.
# If the remote networks are not fully trusted, set input and forward to REJECT
# and add explicit rules for what is actually needed.
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option network 'vpn vpn2'
# LAN clients may reach the internet directly.
config forwarding
option src 'lan'
option dest 'wan'
# The following rules appear to be the stock OpenWrt WAN rules, unchanged.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# vpn -> lan: hosts on the remote side of either tunnel may open connections
# to any host on the LAN. Remove this if only LAN-initiated traffic is wanted.
config forwarding
option src 'vpn'
option dest 'lan'
# Custom iptables rules, if any, live in /etc/firewall.user.
config include
option path '/etc/firewall.user'
# lan -> vpn: LAN clients may reach the remote networks through the tunnels;
# this is the forwarding the howto needs.
config forwarding
option dest 'vpn'
option src 'lan'
