FIXME: Please read vpn.overview and see these old articles on this matter: http://wiki.openwrt.org/?do=search&id=vpn and help migrate them. There is also an article in the inbox: vpn.howto

Easy OpenVPN server setup guide

OpenVPN sets up an encrypted tunnel between two endpoints on two hosts that allows traffic to flow from one network to another. The assignment of IP addresses to the endpoints, the routing of the tunnel, the network layer used for routing, authentication and many other parameters can be configured to suit specific needs.

This guide sets up a bridged ethernet tunnel (layer 2) using two tap devices. This means that the client endpoint becomes part of the server-side network. The endpoint is assigned an IP address from a private IP pool that is then bridged with the server-side LAN. See this guide for more.

This guide uses the built-in configuration system (UCI) of OpenWrt instead of writing the OpenVPN configuration files by hand, which should make OpenVPN easier to set up.

Installation

  1. Install the openvpn and easy-rsa packages:
    opkg update
    opkg install openvpn openvpn-easy-rsa
    Or, if you prefer to configure openvpn via the GUI:
    opkg install luci-app-openvpn

:!: On trunk, install openvpn-polarssl or openvpn-openssl. Do not install openvpn-nossl.

  2. Edit the /etc/easy-rsa/vars file and modify the default location fields:
    vi /etc/easy-rsa/vars
    At the bottom, change to suit:
    export KEY_COUNTRY="US"
    export KEY_PROVINCE="TX"
    export KEY_CITY="Houston"
    export KEY_ORG="My Cool Place"

It is very likely that the default variable assignments in easy-rsa need to be corrected. For example: My openssl config file was named "openssl-1.0.0.cnf", so I had to set KEY_CONFIG as follows:

export KEY_CONFIG="$EASY_RSA/openssl-1.0.0.cnf"

Build your certificates

:!: For security reasons it is recommended to build the keys and certificates on a normal PC and copy only the files the router needs to it afterwards.

  1. Prime your cert database
    clean-all
    build-ca
    build-dh

NOTE: if these do not work, you may need to modify the scripts. To find their location, type:
    which clean-all
They should be in /usr/sbin. Then edit the file using vi. For me, build-ca was looking for pkitool in the wrong place.

  1. Create the server key
    build-key-server server
  2. Create a client key for each person who will connect.
    Normal keys:
    build-key Jimmy
    build-key Sara
    build-key Soandso
    ...
    PKCS12 format (combines the key and the CA certificate in one file):
    build-key-pkcs12 Jimmy
    build-key-pkcs12 Sara
    build-key-pkcs12 Soandso
    ...
  3. Copy the important files to the /etc/openvpn directory, so that the server has its own copies:
    cd /etc/easy-rsa/keys
    cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/
  4. Use winscp to copy ca.crt and the client crt/key files off the router and onto the machines that will be connecting. In the case of PKCS #12, you only need to copy the *.p12 file. If winscp cannot connect, please read sshfs.server.
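As an added check that is not part of the original page, the following shell function looks at the directory the files were copied into and reports what a practitioner would want to know before starting the server: files the server configuration below refers to that are missing, private keys readable by users other than root, and a CA private key (ca.key) left on the router, which the server does not need at all since it only verifies client certificates against ca.crt. The file names (ca.crt, server.crt, server.key, dh1024.pem) are those used on this page; stat -c is assumed to be available (GNU coreutils or busybox).

```shell
#!/bin/sh
# check_openvpn_keys DIR
# Prints one line per finding and returns the number of findings.
check_openvpn_keys() {
    dir=$1
    findings=0

    # Everything the server config on this page references must be present.
    for f in ca.crt server.crt server.key dh1024.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING: $dir/$f"
            findings=$((findings + 1))
        fi
    done

    # Private keys should be readable by root only (mode 600 or 400).
    for f in server.key ca.key; do
        [ -f "$dir/$f" ] || continue
        mode=$(stat -c '%a' "$dir/$f")
        case "$mode" in
            600|400) ;;
            *)
                echo "PERMS: $dir/$f is mode $mode, expected 600"
                findings=$((findings + 1))
                ;;
        esac
    done

    # The CA's private key belongs on the machine that signs certificates,
    # not on the VPN server: it is only needed to issue or revoke certs.
    if [ -f "$dir/ca.key" ]; then
        echo "CA-KEY: $dir/ca.key is present; the server only needs ca.crt"
        findings=$((findings + 1))
    fi

    return $findings
}

# Usage: sh check_keys.sh /etc/openvpn
if [ $# -gt 0 ]; then
    check_openvpn_keys "$1"
fi
```

A clean directory produces no output and an exit status of 0, so the script can be run from a shell prompt on the router or from a deployment script and the exit status checked.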

Bridge your router

  1. Open a web browser to Luci
  2. Browse to the Network → Interfaces → LAN tab
  3. Click on the Physical Settings tab
  4. In the interface area, check the tap0 adapter:

    WARNING: You may need to set up your openvpn config first and run the openvpn daemon at least once for tap0 to appear in the list.
  5. Click on Save & Apply

Modify your firewall

  1. Open the firewall file:
    vi /etc/config/firewall
  2. Towards the bottom, append:
    config 'rule'
            option 'target' 'ACCEPT'
            option 'dest_port' '1194'
            option 'src' 'wan'
            option 'proto' 'tcpudp'
            option 'family' 'ipv4'
  3. Restart the network filter (iptables):
    /etc/init.d/firewall restart

Restrict your DHCP leases

Your openvpn server will be cooperating with the dhcp server (dnsmasq) on your router. To prevent both from handing out the same addresses, we must limit the dhcp range.

  1. Open the dhcp config file:
    vi /etc/config/dhcp
  2. The "lan" section should look like:
    config 'dhcp' 'lan'
            option 'interface' 'lan'
            option 'ignore' '0'
            option 'start' '50'
            option 'limit' '150'
    This reserves addresses 192.168.1.50 to 192.168.1.199 for your local LAN clients.
  3. Restart dnsmasq
    /etc/init.d/dnsmasq restart

Create the server configuration

Shortcut: if you have installed the luci-app-openvpn package, setting up this configuration is a breeze. Choose the example configuration named "Server configuration for an ethernet bridge". Be sure to use an IP pool range in the luci tool that does not conflict with the dhcp reservation made in the previous step.

  1. Open the openvpn uci file:
    vi /etc/config/openvpn
  2. Replace the entire contents with:
    config 'openvpn' 'lan'
            option 'enable' '1'
            option 'port' '1194'
            option 'proto' 'udp'
            option 'dev' 'tap0'
            option 'ca' '/etc/openvpn/ca.crt'
            option 'cert' '/etc/openvpn/server.crt'
            option 'key' '/etc/openvpn/server.key'
            option 'dh' '/etc/openvpn/dh1024.pem'
            option 'ifconfig_pool_persist' '/tmp/ipp.txt'
            option 'keepalive' '10 120'
            option 'comp_lzo' '1'
            option 'persist_key' '1'
            option 'persist_tun' '1'
            option 'status' '/tmp/openvpn-status.log'
            option 'verb' '3'
            option 'server_bridge' '192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.219'
    Note that addresses 192.168.1.200 to 192.168.1.219 are reserved for your VPN clients.
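Because the dhcp 'start'/'limit' values and the server_bridge pool are edited in two different files, the easiest mistake here is a pool that overlaps the dnsmasq range, after which LAN clients and VPN clients can be handed the same address. The following shell functions are an added check, not part of the original page: they compute the dnsmasq range from the network address plus 'start' and 'limit' (OpenWrt's dnsmasq semantics) and compare it with the four-field server_bridge value used above. The `uci get` calls at the end read the live values on a router; the section names openvpn.lan and dhcp.lan are the ones used on this page.

```shell
#!/bin/sh
# Dotted-quad IPv4 address to integer and back (POSIX sh arithmetic only).
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

int_to_ip4() {
    echo "$(( $1 / 16777216 % 256 )).$(( $1 / 65536 % 256 )).$(( $1 / 256 % 256 )).$(( $1 % 256 ))"
}

# check_pools "<gateway netmask pool_start pool_end>" DHCP_START DHCP_LIMIT
# Prints "ok", or "conflict <first> <last>" naming the overlapping addresses.
check_pools() {
    # split the server_bridge value into its four fields, keep the dhcp args
    set -- $1 "$2" "$3"
    gw=$1; mask=$2; pool_lo=$3; pool_hi=$4; dhcp_start=$5; dhcp_limit=$6

    # dnsmasq on OpenWrt: 'start' is an offset from the network address,
    # 'limit' is how many addresses are handed out from there
    net=$(( $(ip4_to_int "$gw") & $(ip4_to_int "$mask") ))
    dhcp_lo=$(( net + dhcp_start ))
    dhcp_hi=$(( net + dhcp_start + dhcp_limit - 1 ))

    vpn_lo=$(ip4_to_int "$pool_lo")
    vpn_hi=$(ip4_to_int "$pool_hi")

    # intersection of the two ranges
    lo=$(( dhcp_lo > vpn_lo ? dhcp_lo : vpn_lo ))
    hi=$(( dhcp_hi < vpn_hi ? dhcp_hi : vpn_hi ))
    if [ "$lo" -le "$hi" ]; then
        echo "conflict $(int_to_ip4 "$lo") $(int_to_ip4 "$hi")"
    else
        echo "ok"
    fi
}

# On a router, check the configured values directly (skipped elsewhere).
if command -v uci >/dev/null 2>&1; then
    check_pools "$(uci get openvpn.lan.server_bridge)" \
                "$(uci get dhcp.lan.start)" "$(uci get dhcp.lan.limit)"
fi
```

With the values from this page (start 50, limit 150, pool .200 to .219) the function prints "ok"; moving the pool start down to .190 prints "conflict 192.168.1.190 192.168.1.199", the ten addresses both servers would try to hand out.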

Join your clients to a windows domain

Your domain controller requires a static IP; alternatively, assign it a permanent IP based on its MAC address in dnsmasq.

For this example assume:

  1. The static ip of your domain controller is: 192.168.1.5
  2. The FQDN of the domain you wish to join is "mydomain.local"

Setup:

  1. Instruct dnsmasq to place local clients on your domain and forward host lookups to your domain controller. Within /etc/config/dhcp:
            option 'local' '/mydomain.local/'
            option 'domain' 'mydomain.local'
            option 'server' '/mydomain.local/192.168.1.5'
  2. Append to /etc/config/openvpn:
            list 'push' 'dhcp-option DOMAIN mydomain.local'
            list 'push' 'dhcp-option DNS 192.168.1.1'

This will allow you to ping/connect using the host name "MACHINENAME.mydomain.local".

Create a client configuration

In your favorite text editor on the client machine that will be connecting, paste:

client
tls-client
dev tap
proto udp

remote <server address> 1194 # Change to your router's External IP
resolv-retry infinite
nobind

persist-tun
persist-key

ca ca.crt
cert Jimmy.crt
key Jimmy.key
dh dh1024.pem
#pkcs12 Jimmy.p12    # Uncomment if you use the PKCS #12 format, and comment out the 4 lines above

comp-lzo
verb 3

:!: Make sure to try and mirror ALL the server options client-side, whatever client you're using, as some of them (namely lzo compression) can have adverse effects if they're not present in BOTH configurations.

Save the file as client.ovpn.
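The warning above says to mirror the server options on the client; the surest way to do that is to derive the client file from the server's UCI section rather than retype it. The script below is an added example, not from the original page: it reads 'proto', 'port', 'dev', 'comp_lzo' and 'keepalive' (the option names used in the server configuration above) out of UCI text and emits a client.ovpn in the layout shown above, omitting the dh line because Diffie-Hellman parameters are only used on the TLS server side. SAMPLE_UCI is a constructed copy of the page's server section, and vpn.example.com is a placeholder for your router's external address.

```shell
#!/bin/sh
# uci_opt "<uci text>" NAME -> value of the first "option 'NAME' '...'" line
uci_opt() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*option '$2' '\([^']*\)'.*/\1/p" | head -n 1
}

# gen_client_config "<uci text>" REMOTE CLIENTNAME -> client config on stdout
gen_client_config() {
    uci=$1; remote=$2; name=$3
    proto=$(uci_opt "$uci" proto)
    port=$(uci_opt "$uci" port)
    dev=$(uci_opt "$uci" dev)
    keep=$(uci_opt "$uci" keepalive)
    # OpenVPN defaults when the server section leaves them out
    [ -n "$proto" ] || proto=udp
    [ -n "$port" ] || port=1194
    # the server's numbered device (tap0) is just "tap" on the client side
    case "$dev" in
        tun*) dev=tun ;;
        *)    dev=tap ;;
    esac

    echo "client"
    echo "tls-client"
    echo "dev $dev"
    echo "proto $proto"
    echo "remote $remote $port"
    echo "resolv-retry infinite"
    echo "nobind"
    echo "persist-tun"
    echo "persist-key"
    echo "ca ca.crt"
    echo "cert $name.crt"
    echo "key $name.key"
    # comp-lzo must match on both ends (see the warning above)
    [ "$(uci_opt "$uci" comp_lzo)" = "1" ] && echo "comp-lzo"
    [ -n "$keep" ] && echo "keepalive $keep"
    echo "verb 3"
}

# Constructed copy of the server section from this page, for demonstration.
SAMPLE_UCI="config 'openvpn' 'lan'
        option 'enable' '1'
        option 'port' '1194'
        option 'proto' 'udp'
        option 'dev' 'tap0'
        option 'comp_lzo' '1'
        option 'keepalive' '10 120'"

# Usage: sh gen_client.sh /etc/config/openvpn vpn.example.com Jimmy > Jimmy.ovpn
if [ $# -ge 2 ]; then
    gen_client_config "$(cat "$1")" "$2" "${3:-client}"
else
    gen_client_config "$SAMPLE_UCI" vpn.example.com Jimmy
fi
```

Run it on the router against /etc/config/openvpn and copy the resulting file together with ca.crt and the client's certificate and key; if the server section is later changed (for example comp_lzo removed), rerunning the script produces a matching client file instead of leaving the two ends out of step.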

Start it up!

  1. Start the openvpn server!
    /etc/init.d/openvpn start
  2. Enable the openvpn server so that it automatically gets started by init at bootup
    /etc/init.d/openvpn enable

Simple Bridged VPN Configuration

This setup allows me to connect from the road using a Windows 7 netbook to my home network using OpenVpn. My primary home router is running OpenWrt trunk and OpenVpn. Since the vpn connection is bridged to my home network I can browse the network for network devices as if I'm at home and not worry about routing. My home router's address is 192.168.1.1. The VPN client (my netbook) will get a DHCP address of 192.168.1.242 from OpenVpn running on the router.

Start by opening the firewall port 1194 and generating the security certificates as described above.

Edit the OpenWrt Router's /etc/config/network file:

config 'interface' 'lan'
        option 'type' 'bridge'
        option 'proto' 'static'
        option 'ipaddr' '192.168.1.1'
        option 'netmask' '255.255.255.0'
        option 'ifname' 'eth1 tap0'    # add tap0 to lan to create the bridge

Edit the router's /etc/config/openvpn file:

server-bridge 192.168.1.23 255.255.255.0 192.168.1.242 192.168.1.250
# The above line will put the OpenVpn server at 192.168.1.23 and 
# create a DHCP pool for clients of 192.168.1.242 to 250.
proto udp
dev tap
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
# ns-cert-type server
comp-lzo
verb 3
ifconfig-pool-persist /mnt/USB1/OpenWrt/ipp.txt
keepalive 10 120
persist-key
persist-tun
status /mnt/USB1/OpenWrt/openvpn.log

Windows 7 Client Config:

client
remote robrobinette.com 1194 # my website and port 1194 (standard port for OpenVpn)
proto udp
dev tap
nobind
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
keepalive 10 120
resolv-retry infinite
mute-replay-warnings
mute 20

Start the OpenVpn client in a command window or, better yet, use the OpenVpn GUI for Windows.

Start command placed in LuCi's System/Startup/Local Startup:

openvpn /etc/config/openvpn &

I couldn't get the init.d script to run and use my configuration, so I disabled the openvpn init.d script and instead used the above start command.

Troubleshooting

* Make sure you are trying to connect to the VPN server from the outside, i.e. use a 3G connection, go to a different building, etc. Using another VPN (one that routes all your traffic) does not seem to help. If you do not do this, a good configuration might not work at all.

* If you are unsure how the various parameters are passed to openvpn, find its PID with ps and then look at the command line with tr '\0' ' ' < /proc/PID/cmdline (replace PID with the number).

* Attention: the log file (if not in the system log) does not limit its disk usage; check periodically that you have enough free disk space for other applications (my log at verb 6 needed less than a week to fill the whole disk of a TP-Link 1043).

doc/howto/vpn.openvpn.1390780026.txt.bz2 · Last modified: 2014/01/27 00:47 by theoradicus