Note: please read vpn.overview and see these old articles on this matter: http://wiki.openwrt.org/?do=search&id=vpn and help migrate them. There is also an article in the inbox: vpn.howto
OpenVPN sets up an encrypted tunnel between two endpoints on two hosts that allows traffic to flow from one network to another. The assignment of IP addresses to the endpoints, the routing of the tunnel, the network layer used for routing, authentication and many other parameters can be configured to suit specific needs.
This guide sets up a bridged ethernet tunnel (layer 2) using two tap devices. This means that the client endpoint becomes part of the server-side network. The endpoint is assigned an IP address from a private IP pool that is then bridged with the server-side LAN. See this guide for more.
This guide uses the built-in configuration system of OpenWrt instead of writing the configuration files manually, which should make it easier to set up OpenVPN by following this guide.
```
opkg update
opkg install openvpn openvpn-easy-rsa
```
Or, if you prefer to configure OpenVPN via the GUI:
```
opkg install luci-app-openvpn
```
On trunk, install openvpn-polarssl or openvpn-openssl. Do not install openvpn-nossl.
```
vi /etc/easy-rsa/vars
```
At the bottom, change to suit:
```
export KEY_COUNTRY="US"
export KEY_PROVINCE="TX"
export KEY_CITY="Houston"
export KEY_ORG="My Cool Place"
```
It is very likely that the default variable assignments in easy-rsa need to be corrected. For example, my openssl config file was named "openssl-1.0.0.cnf", so I had to set KEY_CONFIG as follows:
For security reasons it is recommended to build the encryption keys on a normal PC and copy them to the router afterwards.
```
clean-all
build-ca
build-dh
```
NOTE: if these do not work, you may need to modify the scripts. To find their location, type:
```
which clean-all
```
They should be in /usr/sbin. Then edit the file using vi. For me, build-ca was looking for pkitool in the wrong place.
```
build-key Jimmy
build-key Sara
build-key Soandso
...
```
PKCS12 format (combines the key and CA certificate in one file):
```
build-key-pkcs12 Jimmy
build-key-pkcs12 Sara
build-key-pkcs12 Soandso
...
```
```
cd /etc/easy-rsa/keys
# server.crt/server.key are the server's own certificate and key (easy-rsa: build-key-server server).
# The server itself only needs ca.crt to verify clients; ca.key is only needed to sign new certificates.
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/
```
```
# /etc/config/firewall
config 'rule'
    option 'target' 'ACCEPT'
    option 'dest_port' '1194'
    option 'src' 'wan'
    option 'proto' 'tcpudp'
    option 'family' 'ipv4'
```
Your openvpn server will be cooperating with the dhcp server on your router. In order to prevent a collision on which addresses are handed out, we must limit the range.
```
# /etc/config/dhcp
config 'dhcp' 'lan'
    option 'interface' 'lan'
    option 'ignore' '0'
    option 'start' '50'
    option 'limit' '150'
```
This will reserve addresses 192.168.1.50 to 192.168.1.199 for your local LAN clients.
Shortcut: if you have installed the luci-app-openvpn application, setting up this configuration is a breeze. Choose the example configuration named "Server configuration for an ethernet bridge". Be sure to use the appropriate IP pool range when using the LuCI tool so that it does not conflict with the reservation made in the previous step.
```
# /etc/config/openvpn
config 'openvpn' 'lan'
    option 'enable' '1'
    option 'port' '1194'
    option 'proto' 'udp'
    option 'dev' 'tap0'
    option 'ca' '/etc/openvpn/ca.crt'
    option 'cert' '/etc/openvpn/server.crt'
    option 'key' '/etc/openvpn/server.key'
    option 'dh' '/etc/openvpn/dh1024.pem'
    option 'ifconfig_pool_persist' '/tmp/ipp.txt'
    option 'keepalive' '10 120'
    option 'comp_lzo' '1'
    option 'persist_key' '1'
    option 'persist_tun' '1'
    option 'status' '/tmp/openvpn-status.log'
    option 'verb' '3'
    option 'server_bridge' '192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.219'
```
Note that addresses 192.168.1.200 to 192.168.1.219 are reserved for your VPN clients.
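The DHCP range and the server_bridge pool above are chosen by hand so they do not overlap. The following added check (not part of the original page) computes both ranges from the UCI values and reports a conflict; it also shows that OpenWrt's default DHCP range (start 100, limit 150) would collide with the .242-.250 pool used in the second example further down.

```sh
# Added example: verify that the dnsmasq DHCP range and the OpenVPN
# server_bridge pool never hand out the same address.

# Dotted IPv4 address -> integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# dnsmasq hands out <network>+start .. <network>+start+limit-1.
# Prints "first last" as integers.
dhcp_range() {          # args: lan_ipaddr netmask start limit
    net=$(( $(ip2int "$1") & $(ip2int "$2") ))
    echo "$(( net + $3 )) $(( net + $3 + $4 - 1 ))"
}

# True (0) when [a1,a2] and [b1,b2] share at least one address.
ranges_overlap() {      # args: a1 a2 b1 b2
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Compare the OpenVPN pool with the DHCP range; returns 0 when disjoint.
check_pool() {          # args: lan_ipaddr netmask dhcp_start dhcp_limit pool_first pool_last
    pool="$5-$6"
    set -- $(dhcp_range "$1" "$2" "$3" "$4") "$(ip2int "$5")" "$(ip2int "$6")"
    if ranges_overlap "$1" "$2" "$3" "$4"; then
        echo "CONFLICT: OpenVPN pool $pool overlaps the DHCP range"
        return 1
    fi
    echo "OK: OpenVPN pool $pool is outside the DHCP range"
}

# Values from this page: DHCP start 50 / limit 150 (.50-.199), pool .200-.219.
check_pool 192.168.1.1 255.255.255.0 50 150 192.168.1.200 192.168.1.219
# OpenWrt's default DHCP range (start 100 / limit 150 -> .100-.249) against
# the pool of .242-.250 used in the second example on this page:
if ! check_pool 192.168.1.1 255.255.255.0 100 150 192.168.1.242 192.168.1.250; then
    echo "-> shrink the DHCP range or move the pool before starting OpenVPN"
fi
```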
Your domain controller requires a static IP, or you may opt to assign it a permanent IP based on its MAC address in dnsmasq.
For this example assume:
```
# /etc/config/dhcp, in the 'dnsmasq' section
    option 'local' '/mydomain.local/'
    option 'domain' 'mydomain.local'
    option 'server' '/mydomain.local/192.168.1.5'
```
```
# /etc/config/openvpn, in the server section
    list 'push' 'dhcp-option DOMAIN mydomain.local'
    list 'push' 'dhcp-option DNS 192.168.1.1'
```
This will allow you to ping/connect using the host "MACHINENAME.mydomain.local"
In your favorite text editor on the client machine that will be connecting, paste:
```
client
tls-client
dev tap
proto udp
remote <server address> 1194 # Change to your router's External IP
resolv-retry infinite
nobind
persist-tun
persist-key
ca ca.crt
cert Jimmy.crt
key Jimmy.key
dh dh1024.pem
#pkcs12 Jimmy.p12 # Remove comment if you use PKCS #12 format and comment out 4 lines above
comp-lzo
verb 3
```
Make sure to try and mirror ALL the server options client-side, whatever client you're using, as some of them (namely lzo compression) can have adverse effects if they're not present in BOTH configurations.
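As an added check (not from the original page), the script below reads two OpenVPN configs and lists the shared options (proto, dev type, comp-lzo, cipher, auth) that are present on only one side; the sample server and client configs are constructed from the options this page uses, and the option list is an assumption.

```sh
# Added example: flag tunnel options that are set on one side but not mirrored
# on the other (e.g. comp-lzo present on the server but missing on the client).

# Options whose value must agree on both sides (assumed list; dev is compared by type).
SHARED_OPTS="proto dev comp-lzo cipher auth"

# Read an OpenVPN config on stdin, print "option value" for each shared option,
# skipping comments; 'dev tap0' becomes 'dev tap', bare 'comp-lzo' becomes 'comp-lzo yes'.
shared_opts() {
    awk -v keys="$SHARED_OPTS" '
        BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }
        ($1 in want) {
            v = $2
            if ($1 == "dev") sub(/[0-9]+$/, "", v)
            if ($1 == "comp-lzo" && v == "") v = "yes"
            print $1, v
        }' | sort -u
}

# Compare server and client config text; print what is set on only one side
# and return 1 if anything differs.
check_mirror() {        # args: server_conf_text client_conf_text
    mismatches=$( { printf '%s\n' "$1" | shared_opts
                    printf '%s\n' "$2" | shared_opts; } | sort | uniq -u )
    if [ -n "$mismatches" ]; then
        printf 'MISMATCH, set on only one side:\n%s\n' "$mismatches"
        return 1
    fi
    echo "OK: shared options agree on both sides"
}

# Constructed sample configs using the options from this page.
SERVER_CONF='server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.219
proto udp
dev tap0
comp-lzo
keepalive 10 120'
CLIENT_OK='client
remote <server address> 1194 # your router'"'"'s external IP
proto udp
dev tap
comp-lzo'
# Client that forgot comp-lzo and uses a routed (tun) device instead of tap.
CLIENT_BAD='client
proto udp
dev tun'

check_mirror "$SERVER_CONF" "$CLIENT_OK"
if ! check_mirror "$SERVER_CONF" "$CLIENT_BAD"; then
    echo "-> fix the client config before connecting"
fi
```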
Save the file as
This setup allows me to connect from the road using a Windows 7 netbook to my home network using OpenVpn. My primary home router is running OpenWrt trunk and OpenVpn. Since the vpn connection is bridged to my home network I can browse the network for network devices as if I'm at home and not worry about routing. My home router's address is 192.168.1.1. The VPN client (my netbook) will get a DHCP address of 192.168.1.242 from OpenVpn running on the router.
Start by opening the firewall port 1194 and generating the security certificates as described above.
```
# /etc/config/network
config 'interface' 'lan'
    option 'type' 'bridge'
    option 'proto' 'static'
    option 'ipaddr' '192.168.1.1'
    option 'netmask' '255.255.255.0'
    option 'ifname' 'eth1 tap0'   # add tap0 to lan to create the bridge
```
```
server-bridge 192.168.1.23 255.255.255.0 192.168.1.242 192.168.1.250
# The above line will put the OpenVpn server at 192.168.1.23 and
# create a DHCP pool for clients of 192.168.1.242 to 250.
proto udp
dev tap
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
# ns-cert-type server
comp-lzo
verb 3
ifconfig-pool-persist /mnt/USB1/OpenWrt/ipp.txt
keepalive 10 120
persist-key
persist-tun
status /mnt/USB1/OpenWrt/openvpn.log
```
```
client
remote robrobinette.com 1194 # my website and port 1194 (standard port for OpenVpn)
proto udp
dev tap
nobind
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
keepalive 10 120
resolv-retry infinite
mute-replay-warnings
mute 20
```
Start the OpenVpn client in a command window or, better yet, use the OpenVpn GUI for Windows.
```
openvpn /etc/config/openvpn &
```
I couldn't get the init.d script to run and use my configuration, so I disabled the openvpn init.d script and instead used the above start command.
* Make sure you are trying to connect to the VPN server from the outside, i.e. use a 3G connection, go to a different building, etc. Using another VPN (that routes all your traffic) does not seem to help. If you do not do this, a good configuration might not work at all.
* If unsure how various parameters are passed to openvpn, find its PID with ps and then look up the parameters with
```
tr '\0' ' ' < /proc/PID/cmdline
```
(replace PID with the number).
* Attention: the log file (when not written to the system log) is not size-limited; check periodically that enough free disk space remains for other applications (my log at level 6 needed less than a week to fill the whole disk of a TP-Link 1043).