doc:howto:vpn.client.openvpn.tun

Revision 2016/04/19 21:42 (current) by grumbler_eburg ("Create OpenVPN configuration"); previous revision 2013/10/28 08:27 by lorema.
====== OpenVPN client with TUN (Layer 3) device ======
| :!: There are many redundant wiki pages relating to configuring OpenVPN on OpenWrt. Some are better than others, and others are an out-of-date muddled mess. For a reasonably complete and up-to-date guide to installing, configuring and troubleshooting OpenVPN clients and servers on OpenWrt (including creating a simple PKI), could I suggest you consider starting with [[doc/howto/vpn.openvpn]] instead of this page. It is not that the other pages aren't worth reading; it is just that (IMHO) [[doc/howto/vpn.openvpn]] is a better place to start (it has been rewritten from scratch just a few weeks ago). Maybe you could improve it further rather than edit this page? :!: |

In this instance, this page covers issues not raised in [[doc/howto/vpn.openvpn]]. However, if you're new to OpenVPN, that page might still be a useful place to visit first.

| For an overview of all existing Virtual Private Network (VPN)-related articles in the OpenWrt wiki, please visit [[doc/howto/vpn.overview]] |

This document walks through setting up the following example configuration:
 +
<code>
             +-[OpenWrt router]-------+
             |                        |
             |  +[LAN]-------------+  |
    you   ---+--| IP: 192.168.1.1  |  |
             |  +------------------+  |
             |                        |
             |  +[OpenVPN client 1]+  |   +-[OpenVPN server 1]----+
             |  |                  |  |   | Public IP: 66.77.88.9 |   /
             |  | Iface: tun0      |--+---| Tunnel IP: 10.2.1.1   |---- { 128.39.x.x
             |  | IP: 10.2.1.6     |  |   +-----------------------+   \
             |  +------------------+  |
             |                        |   +-[OpenVPN server 2]----+
             |  +[OpenVPN client 2]+  |   | Public IP: 22.33.44.9 |   /
             |  | Iface: tun1      |--+---| Tunnel IP: 10.66.88.1 |---- { some other network
             |  | IP: 10.66.88.102 |  |   +-----------------------+   \
             |  +------------------+  |
             |                        |
             +------------------------+
</code>
 +
===== Create OpenVPN configuration =====
| :!: This section describes configuring OpenVPN through LuCI. The LuCI module for OpenVPN no longer exists; this needs to be re-written for plain uci. Or, perhaps you'd like to update the LuCI module? :!: |

Go into LuCI at 192.168.1.1:
Services → OpenVPN

Client configuration for a routed multi-client VPN → Add
The further steps can vary depending on the server configuration.

nobind    x

comp_lzo  x

proto     udp

client    x

remote    66.77.88.9

ca        upload your CA file

cert      upload your certificate file

key       upload your key file


→ Save

Repeat the same steps for the second client.

Now you can start the clients with the Start/Stop button.
If the configuration is OK, LuCI shows "Started: yes (process id 32165)".
To check it again on the console, type ifconfig:
<code>
...
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.2.1.6  P-t-P:10.2.1.5  Mask:255.255.255.255
...
tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.66.88.102  P-t-P:10.66.88.101  Mask:255.255.255.255
...
</code>
 +
Test the tunnel (your own tunnel address, the server's tunnel address, then a host behind the server):

ping 10.2.1.6

ping 10.2.1.1

ping 128.39.1.1

If the tests are OK, configure the firewall so that the clients in your network can reach the remote network through the tunnel.
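The manual ifconfig and ping steps above can be scripted so the check is repeatable after every reconnect. The following is an added example, not part of the original wiki page: it extracts every tun device with its local and peer address from ifconfig output and probes both sides of each tunnel. SAMPLE_IFCONFIG is a constructed sample in the format shown above; on the router you would pipe the real ifconfig output in instead. PING is an assumed, overridable variable so the logic can be dry-run without network access.

```shell
#!/bin/sh
# Added example (not from the OpenWrt wiki page).
# Print one line per tun device in ifconfig output: "<iface> <local> <peer>".
tun_addrs() {
    awk '
        /^tun[0-9]+ /           { iface = $1; next }
        iface && /inet addr:/  {
            split($2, a, ":"); split($3, p, ":")   # addr:10.2.1.6 / P-t-P:10.2.1.5
            print iface, a[2], p[2]; iface = ""
        }'
}

# Constructed sample matching the ifconfig output shown on the page.
SAMPLE_IFCONFIG='br-lan    Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.2.1.6  P-t-P:10.2.1.5  Mask:255.255.255.255
tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.66.88.102  P-t-P:10.66.88.101  Mask:255.255.255.255'

# Probe command; override (e.g. PING=true) for a dry run. Assumed variable name.
PING="${PING:-ping -c 1 -W 2}"

# Ping the local and peer address of every tunnel found in the ifconfig text
# passed as $1. Prints "<iface> <ip> ok|FAIL" per probe; returns 1 if any fail.
check_tunnels() {
    printf '%s\n' "$1" | tun_addrs | while read -r iface laddr peer; do
        for ip in "$laddr" "$peer"; do
            if $PING "$ip" >/dev/null 2>&1; then echo "$iface $ip ok"
            else echo "$iface $ip FAIL"; fi
        done
    done | awk 'BEGIN { bad = 0 } { print } /FAIL/ { bad = 1 } END { exit bad }'
}

# On the router:  check_tunnels "$(ifconfig)"
```

A failing probe of the peer address (P-t-P) while the local address answers usually means the tunnel process is up but the server side is not reachable, which is the case to look at in the OpenVPN log (verb 3 in the config above) before touching the firewall.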
 +
The resulting config files:

**/etc/config/network**

<code>
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ifname 'eth0'
	option stp '1'

config interface 'vpn'
	option ifname 'tun0'
	option defaultroute '0'
	option peerdns '0'
	option proto 'none'

config interface 'vpn2'
	option ifname 'tun1'
	option auto '1'
	option proto 'none'
</code>
 +
**/etc/config/openvpn**

<code>
config openvpn 'client_tun_0'
	option enabled '1'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_tun '1'
	option persist_key '1'
	option ca '/lib/uci/upload/cbid.openvpn.client_tun_0.ca'
	option key '/lib/uci/upload/cbid.openvpn.client_tun_0.key'
	option cert '/lib/uci/upload/cbid.openvpn.client_tun_0.cert'
	option comp_lzo 'yes'
	option verb '3'
	option float '1'
	option pull '1'
	option remote 'remoteadress 1194'
	option tls_client '1'
	option enable '1'

config openvpn 'client_tun_1'
	option enabled '1'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_tun '1'
	option persist_key '1'
	option comp_lzo '1'
	option verb '3'
	option float '1'
	option pull '1'
	option remote '1.2.3.4 10194'
	option tls_client '1'
	option ca '/lib/uci/upload/cbid.openvpn.client_tun_1.ca'
	option cert '/lib/uci/upload/cbid.openvpn.client_tun_1.cert'
	option key '/lib/uci/upload/cbid.openvpn.client_tun_1.key'
	option enable '1'
</code>
 +
**Warning.**
The name of the config section must contain only characters from the set [0-9a-zA-Z_]. The parser will skip a section line like
<code>config openvpn 'client-tun-1'</code>
===== Modify your firewall =====

In LuCI go to Network → Interfaces

Create the new interfaces:

Add new interface → vpn → Protocol = Unmanaged
On the tab Physical Settings tick Ethernet Adapter: tun0 and Save

Add new interface → vpn2 → Protocol = Unmanaged
On the tab Physical Settings tick Ethernet Adapter: tun1 and Save


Now the firewall:
go to Network → Firewall → General Settings

Zones → Add

Name: VPN

Input: accept

Output: accept

Forward: accept


Masquerading: x

Covered networks: vpn = x, vpn2 = x


Inter-Zone Forwarding

Allow forward to destination zones: lan = x

Allow forward from source zones: lan = x


The resulting firewall config:
 +
**/etc/config/firewall**

<code>
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'lan'

config zone
	option name 'wan'
	option network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option network 'vpn vpn2'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config forwarding
	option src 'vpn'
	option dest 'lan'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'vpn'
	option src 'lan'
</code>
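The zone policies in a file like the one above are easy to misread once several zones and forwardings accumulate. The following is an added example, not part of the original wiki page: an awk-based parser that reads /etc/config/firewall in UCI syntax, prints one summary line per zone (input/forward policy, masquerading, covered networks) and lists every zone other than lan whose input policy is ACCEPT. ''sample_firewall'' is a constructed copy of the zones and one forwarding from the config above; on the router you would run ''zone_policy < /etc/config/firewall'' instead.

```shell
#!/bin/sh
# Added example (not from the OpenWrt wiki page).

# Read UCI firewall config on stdin; print "<name> input=.. forward=.. masq=.. networks=.."
# for every 'config zone' section.
zone_policy() {
    awk '
        function flush() {
            if (sec == "zone")
                printf "%s input=%s forward=%s masq=%s networks=%s\n",
                       opt["name"], opt["input"], opt["forward"],
                       (opt["masq"] == "" ? "0" : opt["masq"]), opt["network"]
        }
        /^config / { flush(); sec = $2; split("", opt) }   # new section: emit the last one
        /^[ \t]*option / {
            key = $2; val = $0
            sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)  # keep only the value
            gsub("\047", "", val)                             # strip the single quotes
            opt[key] = val
        }
        END { flush() }'
}

# Print the names of zones that accept all input traffic, except lan.
# With the page config this reports the vpn zone.
open_input_zones() {
    zone_policy | awk '$1 != "lan" && $2 == "input=ACCEPT" { print $1 }'
}

# Constructed sample: the zones and the vpn->lan forwarding from the page.
sample_firewall() {
    cat <<'EOF'
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option network 'lan'

config zone
    option name 'wan'
    option network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config zone
    option name 'vpn'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'
    option network 'vpn vpn2'

config forwarding
    option src 'vpn'
    option dest 'lan'
EOF
}

# On the router:  zone_policy < /etc/config/firewall ; open_input_zones < /etc/config/firewall
```

With the config on this page the report shows that the vpn zone accepts all input from both tunnels and forwards freely between them, which is what the LuCI steps above set up. If the remote networks are not fully trusted, the same parser makes it easy to confirm that a tightened variant (input REJECT on the vpn zone plus explicit rules for the services you need) has actually taken effect.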