doc:howto:vpn.openvpn

Differences

This shows you the differences between two versions of the page.

doc:howto:vpn.openvpn [2014/03/01 20:19] zxdavb
doc:howto:vpn.openvpn [2015/04/23 16:57] (current) tt
Line 1: Line 1:
-====== ​Basic OpenVPN ​Server ​Setup Guide ======  +====== OpenVPN Setup Guide for Beginners ​======  
-This is a guide to setting up OpenVPN on a server and a client where, in this instance, both are running ​OpenWRT. What follows has been tested on trunk (currently BB, b39757), but will likely work on the latest stable branch (currently AAb39408).+This is a beginner'​s ​guide to setting up OpenVPN on a server and a client where, in this instance, both are running ​OpenWrt ​(although the OpenVPN client could easily be running ​on another OSsuch as Windows or Linux).
  
-Note that all of the '​work'​ here is accomplished via non-interactive commands (that you should cut-and-paste)andthere are no files to edit.+For non-beginners or real-world tunnels[[doc/​howto/​vpn.server.openvpn.tun]] may be a better place to start.
  
-{{:​meta:​icons:​tango:​48px-cleanup.svg.png?​nolink&​20x20}} This how-to has had BIG rewrite.  ​If requiredyou can find the old version here: [[http://​wiki.openwrt.org/​doc/​howto/​vpn.openvpn?​rev=1390780026]]+The primary goal of this HOWTO is to get working OpenVPN tunnel; the strategy used by this HOWTO is to keep it simple.  ​Because of thatthis is a very basic OpenVPN tunnel configuration that will not suit most people'​s needs without further configuration. However, once the basic tunnel is working, additional recipes for other use-cases can be found at [[doc/​howto/​vpn.server.openvpn.tun]].
  
-===== Overview ​of the Process ===== +For an overview ​of all VPN-related articles ​(including other VPN technologies), see [[doc/​howto/​vpn.overview]].
-On the OpenVPN server ​(and on similarly, on clients), installing and (more importantly) configuring an OpenVPN tunnel consists of the following:​ +
-  - Creating and distributing the PKI certificates and their keys to the server and the clients +
-  - Configuring the network (i.edevices, interfaces, and firewall) +
-  - Configuring and Starting the VPN listener+
  
-=== Use Case === +===== Use Case (the beginner'​s configuration) ===== 
-The user (i.e. client) wants to access the LAN on the other side of the server without ​being 'snooped' (e.g. via a public ​WiFi network)and/or the user wants to access ​the Internet ​via the server (e.g. to punch through a company firewall and thereby bypass it's restrictions).+The user wants a client to access ​their OpenWrt router without ​the possibility ​of being snooped. ​That is, the user can already access the router, but over a public network, ​such as the Internet. ​ 
  
-This article ​will be based upon TUN (routing)for TAP (bridging), you will find information elsewhere in this Wiki.+The end result ​will be a private connection directly between the OpenVPN client and server. Mostly, it is as if the two end-points are on the same subnet ​(but not on the same subnet as your router'​s LAN)
 + 
 +To facilitate configuration/​testing,​ this HOWTO permits two distinct scenarios ​for this use-case: 
 +  * Scenario 0: the OpenVPN client can ping the OpenWrt router via the router'​s LAN interface. Specifically,​ they are on the same subnet ​(e.g. the client is a DHCP client of the OpenWrt router)
 +  * Scenario 1: the OpenVPN client can ping the OpenWrt router via the router'​s WAN interface. Specificallythey are **not** on the same subnet (e.g. they are separated by the Internet). 
 + 
 +Scenario 0 takes out much of the complexity of real-world configurations,​ such as the vagaries of the Internet, or your OpenWrt firewall configuration. Scenario 0 allows ​you to easily implement an OpenVPN tunnel, which can then be switched to Scenario 1, which itself is the basis for most real-world OpenVPN configurations. You can either start with Scenario 0, and switch to Scenario 1 when you've got it working, or start directly with Scenario 1 and switch back to Scenario 0 for troubleshooting.
  
 ===== Prerequisites ===== ===== Prerequisites =====
-So to make it easier for you, this How-To assumes: +This HOWTO requires that the OpenVPN ​server ​is an OpenWrt router running OpenWrt 14.07 Barrier Breaker.
-  - the client and the server ​are (vanilla-build) OpenWRT routers (look elsewhere for help Linux/​Windows/​etc.; it wont be too hard for clients) +
-  - the client can ''​ping''​ the server though its WAN interface, and that they are not in the same subnet+
  
-The OpenVPN client (i.e. the system who //​initiates//​ the negotiation for the VPN tunnel) must be able to ''​ping''​ (using IPv4) the OpenVPN server (who responds to such requests) via it's WAN interface (and preferably using a public DNS FQDN). ​ In this case, it is assumed that the client, as well as the server (a.k.a. router) are both running OpenWRT (although *nix & Windows clients are also covered).+===== Install ​the required software ===== 
 +<​code>​ 
 +opkg update 
 +opkg install openvpn-openssl openvpn-easy-rsa 
 +</code>
  
-==== Part 1/1 - Installing ​the OpenVPN packages ​==== +===== Create ​the certificates ===== 
-:!: Before executing Step 1, you should check which specific version of OpenWRT you have.  See the notes below for more information. +<​code>​ 
-  - On both the client and the server, install the OpenVPN package:<​code>​ +build-ca 
-  opkg update; opkg install openvpn-openssl ​ ## or: opkg install openvpn+build-dh 
 +build-key-server my-server 
 +build-key-pkcs12 my-client
 </​code>​ </​code>​
  
-Which package you should install will be indicated by which version of OpenWRT you have (check via: ''​cat ​/etc/banner''​):​ +The above creates a server certificate named //my-server// and a client certificate named //my-client//You can create multiple client certificates by running ​''​build-key-pkcs12'' ​multiple times and specifying different names.
-  * on **Barrier Breaker**: there are three versions of OpenVPN that you can choose from, including: ''​openvpn-openssl''​ (recommended) or ''​openvpn-polarssl'',​ which //might not// work with the following scripts (it should be obvious why you should not use ''​openvpn-nossl''​). +
-  * on **Attitude Adjustment**:​ there is only one version of OpenVPN that you can install, ​''​openvpn'' ​(which uses OpenSSL)+
  
 +You can create a new set of certificates by running ''​clean-all''​ and then the above commands again.
  
-===== Creating ​the Client and Server Certificates ​===== +===== Distribute ​the certificates ​===== 
-Easy-RSA is a simple PKI that was spun off from OpenVPN as a separate project With OpenVPN, there does exist a means of creating ​client/​server ​certificates ​that does not require ​PKI (known ​as static keys)but Easy-RSA is used here as it is a simple enough methodand using a proper PKI is //much// better practice.+<​code>​ 
 +cp /etc/easy-rsa/keys/ca.crt /​etc/​easy-rsa/​keys/​my-server.* /​etc/​easy-rsa/​keys/​dh2048.pem /​etc/​openvpn 
 +scp /​etc/​easy-rsa/​keys/​ca.crt /​etc/​easy-rsa/​keys/​my-client.* root@CLIENT_IP_ADDRESS:​/etc/​openvpn 
 +</​code>​ 
 + 
 +The above assumes that you can connect to the client from the serverthat the client has SSH server and that you can login as root. If you can'ttransfer the client certificate some other waysuch as using an USB stick.
  
-==== Part 1/2 - Create ​the Certification Authority and the Client/​Server Certificates ​==== +===== Configure ​the network on the OpenWrt server ===== 
-:!: Before executing Step 3, you may (or may not) need to execute Step 2.  See notes below for more information. +  - Create ​the VPN interface:<​code ​bash
-   On the OpenVPN Server, install the Easy-RSA package:<​code>​ +uci set network.vpn0=interface 
-  opkg update; opkg install openvpn-easy-rsa+uci set network.vpn0.ifname=tun0 
 +uci set network.vpn0.proto=none
 </​code>​ </​code>​
-   If running **Attitude Adjustment** (specifically,​ version 2.2.2-2 of the Easy-RSA package), then you must '​tweak'​ the PKI configuration to prevent problems:<​code>​ +  ​Allow inbound VPN traffic:<​code ​bash
-  ​sed ​-i '/​KEY_CN/​ s:^export:# &:'​ /etc/easy-rsa/​vars ​ ## do not set the KEY_CN environment variable+uci add firewall rule 
 +uci set firewall.@rule[-1].name=Allow-OpenVPN-Inbound 
 +uci set firewall.@rule[-1].target=ACCEPT 
 +uci set firewall.@rule[-1].src=* 
 +uci set firewall.@rule[-1].proto=udp 
 +uci set firewall.@rule[-1].dest_port=1194
 </​code>​ </​code>​
-   Establish the shell variables, and start with a clean slate (you may get warnings about ''​./​clean-all'',​ which you can ignore):<​code>​ +  ​Allow OpenVPN tunnel utilization:<​code ​bash
-  ​source /etc/easy-rsa/vars +uci add firewall zone 
-  clean-all+uci set firewall.@zone[-1].name=vpn 
 +uci set firewall.@zone[-1].input=ACCEPT 
 +uci set firewall.@zone[-1].forward=ACCEPT 
 +uci set firewall.@zone[-1].output=ACCEPT 
 +uci set firewall.@zone[-1].network=vpn0 
 +uci add firewall forwarding 
 +uci set firewall.@forwarding[-1].src='​vpn'​ 
 +uci set firewall.@forwarding[-1].dest='​wan'​
 </​code>​ </​code>​
-   Create ​the Certification Authority, Server, and Client certificates:<​code>​ +  ​Commit ​the changes:<​code ​bash
-  ​pkitool --initca ​           ## equivalent to the '​build-ca'​ script +uci commit network 
-  ​pkitool --server my-server ​ ## equivalent to the '​build-key-server'​ script +/​etc/​init.d/​network reload 
-  ​pkitool ​         my-client ​ ## equivalent to the '​build-key'​ script+uci commit firewall 
 +/​etc/​init.d/​firewall reload
 </​code>​ </​code>​
-   - Finally, create the Diffie Hellman parameters (left until last because it can take a long time):<​code>​ 
-  build-dh ​                   ## this script will 'take a long time' 
-</​code>​ 
-If you get an error message ''​TXT_DB error number 2'',​ then check that the CommonName variable is not set: that is, ''​set | grep KEY_CN''​ must return no results. ​ The failure is because subsequent certificates have the same identifier as first (the server'​s). ​ If required, execute ''​unset KEY_CN'',​ and start again from Step 2.  
  
-=== Troubleshooting ​=== +===== Configure the network on the OpenWrt client ===== 
-You can confirm everything is OK so far via: ''​ls $KEY_DIR'';​ there should be ''​index.txt''​ and ''​serial'', ​the Diffie-Hellman files, and three pairs of ''​.crt''/''​.key''​ files (plus some other files) +Do the same as on the OpenWrt server above except skip step 2.
  
-If required, you can start from scratch (i.edestroy the old PKI, and create a completely new one) by re-starting this process from Step 3.  If you've copied any certificates elsewhere, be sure to delete them: don't mix up these distinct sets of certificates/keys, they just happen to have the same filenames!+===== Configure the OpenVPN server ===== 
 +<​code>​ 
 +echo > /​etc/​config/​openvpn 
 +uci set openvpn.myvpn=openvpn 
 +uci set openvpn.myvpn.enabled=1 
 +uci set openvpn.myvpn.dev=tun 
 +uci set openvpn.myvpn.port=1194 
 +uci set openvpn.myvpn.proto=udp 
 +uci set openvpn.myvpn.log=/​tmp/​openvpn.log 
 +uci set openvpn.myvpn.verb=3 
 +uci set openvpn.myvpn.ca=/​etc/​openvpn/​ca.crt 
 +uci set openvpn.myvpn.cert=/​etc/​openvpn/​my-server.crt 
 +uci set openvpn.myvpn.key=/​etc/​openvpn/​my-server.key 
 +uci set openvpn.myvpn.server='10.8.0.0 255.255.255.0' 
 +uci set openvpn.myvpn.dh=/etc/​openvpn/​dh2048.pem 
 +uci commit openvpn 
 +/​etc/​init.d/​openvpn enable 
 +/​etc/​init.d/​openvpn start 
 +</​code>​
  
-==== Part 2/2 - Distribute the Certificates to the Clients and Servers ​==== +===== Configure ​the OpenWrt client ===== 
-:!: Before executing Step 3, you'll have to find a way achieving Step 2 (discussed only briefly here) See the notes below for more information+<​code>​ 
-   - On the server, copy the server certificate to where OpenVPN needs it to be (''​$KEY_DIR''​ is a variable ​set by ''​source ​/etc/easy-rsa/​vars''​):<​code>​ +echo > /​etc/​config/​openvpn 
-  cd $KEY_DIR +uci set openvpn.myvpn=openvpn 
-  mkdir -p /​etc/​openvpn +uci set openvpn.myvpn.enabled=1 
-  cp ca.crt my-server.* dh*.pem  ​/​etc/​openvpn/ ​    ## the server ​files+uci set openvpn.myvpn.dev=tun 
 +uci set openvpn.myvpn.proto=udp 
 +uci set openvpn.myvpn.log=/tmp/openvpn.log ​               ​ 
 +uci set openvpn.myvpn.verb=3 
 +uci set openvpn.myvpn.ca=/​etc/​openvpn/ca.crt 
 +uci set openvpn.myvpn.cert=/​etc/​openvpn/​my-client.crt 
 +uci set openvpn.myvpn.key=/​etc/​openvpn/​my-client.key 
 +uci set openvpn.myvpn.client=1 
 +uci set openvpn.myvpn.remote_cert_tls=server 
 +uci set openvpn.myvpn.remote="​SERVER_IP_ADDRESS 1194"​ 
 +uci commit openvpn 
 +/​etc/​init.d/​openvpn start
 </​code>​ </​code>​
-   - Next, you'll need to copy the client certificate from the server to the client (//e.g. via a USB stick//). 
-   - On the client, copy the server certificate to where OpenVPN needs it to be, example:<​code>​ 
-  cp ca.crt my-client.* ​         /​etc/​openvpn/ ​    ## the client files 
-</​code>​ 
-=== Discussion === 
-For security reasons, you need to think long and hard about where you backup your PKI files, and especially the .key files: 
-  * ''​ca.key''​ should be moved to a place that is not accessible from the Internet (it is only needed when '​doing'​ CA stuff) ​ 
-  * the other ''​.key''​ files should be kept '​private',​ that is, stored only on the '​owning'​ system 
-  * //all// ''​.key''​ files should not be distributed in an insecure manner - it is well known that copying .key files across the Internet is a leading cause of male-pattern baldness! ​ 
  
-===== Configuring the Network Infrastructure ​=====+===== Configure other clients ​===== 
 +Create the following OpenVPN client configuration file, save it with an ''​.ovpn''​ extension and give it to your client:
  
-==== Part 1/2 Server Configuration (on OpenWRT) ==== +<​code>​ 
-This is the configuration of the OpenVPN **server** only.  +dev tun 
-   - On both the client and the server, create the vpn interface (note that the tun0 device does not yet exist):<​code>​ +proto udp
-  uci set network.vpn=interface +
-  uci set network.vpn.ifname=tun0 +
-  uci set network.vpn.proto=none+
  
-  uci commit network; ​/etc/init.d/network reload+log openvpn.log 
 +verb 3 
 + 
 +ca /etc/openvpn/ca.crt 
 +cert /etc/​openvpn/​my-client.crt 
 +key /​etc/​openvpn/​my-client.key 
 + 
 +client 
 +remote_cert_tls server 
 +remote SERVER_IP_ADDRESS 1194
 </​code>​ </​code>​
-   - Allow OpenVPN tunnel negotiation (i.e. allow a tunnel to be //​created//​):<​code>​ + 
-  uci add firewall ​ rule +===== Test the tunnel ===== 
-  uci set firewall.@rule[-1].name=Allow-Inbound-OpenVPN +  - The tunnel ​should have made a change to the client'​s route table (so you can access the tunnel end-point, should be 10.8.0.1):<​code ​bash
-  uci set firewall.@rule[-1].target=ACCEPT +  ​cat /​tmp/​openvpn.log | grep "​route ​add" 
-  uci set firewall.@rule[-1].src=wan +     ​... 
-  uci set firewall.@rule[-1].family=ipv4 +  ​route
-  uci set firewall.@rule[-1].proto=udp +
-  ​uci set firewall.@rule[-1].dest_port=1194 +
-</​code>​ +
-   - Allow OpenVPN ​tunnel ​traffic ​(i.eallow a tunnel to be //used//):<​code>​ +
-  ​uci add firewall ​ zone +
-  uci set firewall.@zone[-1].name=vpn +
-  uci set firewall.@zone[-1].input=ACCEPT +
-  ​uci set firewall.@zone[-1].forward=REJECT +
-  uci set firewall.@zone[-1].output=ACCEPT +
-  uci set firewall.@zone[-1].network=vpn+
 </​code>​ </​code>​
-   Allow the client ​to access ​the OpenVPN server's LAN via the VPN (optional):<​code>​ +  ​You should be able to ping the tunnel end-point (i.e. the OpenVPN server):<​code ​bash
-  ​uci add firewall forwarding +  ​traceroute 10.8.0.1
-  uci set firewall.@forwarding[-1].src=vpn +
-  uci set firewall.@forwarding[-1].dest=wan+
 </​code>​ </​code>​
-   Allow the client ​to access ​the OpenVPN server'​s WAN via the VPN (optional):<​code>​ +  ​You should still be able to ping hosts on the Internet ​via your default gateway:<​code ​bash
-  ​uci add firewall forwarding +  ​traceroute 8.8.8.8
-  uci set firewall.@forwarding[-1].src=vpn +
-  uci set firewall.@forwarding[-1].dest=wan+
 </​code>​ </​code>​
-   Finally, commit ​the changes:<​code>​ +  ​You should be able to ping hosts on the Internet via the tunnel:<​code ​bash
-  ​uci commit firewall; /etc/init.d/firewall reload+  ​route add -net 8.8.8.8 netmask 255.255.255.255 gateway 10.8.0.5 
 +  route 
 +     ... 
 +  traceroute 8.8.8.8
 </​code>​ </​code>​
-=== Discussion === 
-Note that Step 4 and 5 overrule the ''​REJECT''​ in Step 3. You may want only Step 4, or Only Step 5, or maybe both. That is,  
-  * Step 3 will allow the VPN client(s) to access the OpenVPN server itself 
-  * Step 4 will allow the VPN client(s) to access networks via the OpenVPN server'​s LAN interfaces 
-  * Step 5 will allow the VPN client(s) to access networks via the OpenVPN server'​s WAN interfaces 
  
-Execute: ''​uci show firewall | grep zone | grep -E "​(net|name)"''​ to see the networks ​of each zone.+In particular, look at hops 1 and 2 of the **traceroute**;​ hop 1 should be one of the gateways from your route table. ​ If hop 2 of **traceroute 8.8.8.8** is the IP address of VPN_SERVER_ID,​ then the tunnel is working
  
-==== Part 2/2 Client Configuration ==== +:-D Congratulations! Now look to '​tune'​ the OpenVPN tunnel for a specific use-case.
-There shouldn'​t be much to do.  Most clients allow outbound (client-instigated) tunnels +
  
-Howeveryou need to think about which Route tables, and which DNS server ​to use.  More later.+===== Route Only Local LAN Client Traffic Through the Tunnel ===== 
 +If all that is needed is to allow clients access to the local subnet (e.g., to access a server at home from work), and to leave Internet access as-is, all one needs to do is advertise the local subnet and configure the firewall to allow traffic throughFirst, to advertise the route:
  
-===== Configuring the OpenVPN Infrastructure ===== +<code bash> 
-This is essentially the same as for a OpenWRT server.+uci set openvpn.myvpn.push='route 192.168.1.0 255.255.255.0'​ 
 +uci commit openvpn 
 +/etc/init.d/openvpn restart 
 +</​code>​
  
-==== Part 1/2 - Configure and Start the Server ==== +In this example the subnet is 192.168.1.0/24Adjust ​your configuration ​accordingly ​for your LANNow, the firewall has to be enabled to allow traffic from the VPN clients to the local LAN. To allow itedit **/​etc/​config/​firewall**:
-:!: Before you execute Step 3, you should understand the requirements of your specific use-case (i.e. your network ​configuration).  See the notes below for more information. +
-   - Clear the default OpenVPN configuration,​ and create a new OpenVPN configuration called '​myvpn'​ (it could be called anything). ​ Ensure that, in particular, ​the last three lines (the cacert, and key parameters) do not produce an error:<​code>​ +
-  echo > /​etc/​config/​openvpn+
  
-  uci set openvpn.myvpn=openvpn +<​code>​ 
-  uci set openvpn.myvpn.enabled=1 +## NB: this zone should have already been created in the previous setup step; just add the masq option as noted below 
-  uci set openvpn.myvpn.dev=tun +config zone 
-  uci set openvpn.myvpn.persist_tun=1 + option name '​vpn'​ 
-  uci set openvpn.myvpn.persist_key=+ option masq '1' ## NB: this option was added to enable forwarding out of the VPN zone 
-  uci set openvpn.myvpn.proto=udp + option input '​ACCEPT'​ 
-  uci set openvpn.myvpn.comp_lzo=yes + option forward '​ACCEPT'​ 
- + option output '​ACCEPT'​ 
-  uci set openvpn.myvpn.verb=3 + option network '​vpn0'​
-  uci set openvpn.myvpn.log=/​tmp/​openvpn.log +
-  uci set openvpn.myvpn.status=/​tmp/​openvpn-status.log+
  
-  uci set openvpn.myvpn.ca=/​etc/​openvpn/​ca.crt +## NB : this section was added 
-  uci set openvpn.myvpn.cert=`ls /​etc/​openvpn/​my-*.crt` ​    ## NB: these are back-quotes +config forwarding 
-  uci set openvpn.myvpn.key=`ls /​etc/​openvpn/​my-*.key` ​     ## NB: these are back-quotes+ option src '​vpn'​ 
 + option dest '​lan'​
 </​code>​ </​code>​
-  - To that, add the //​server-specific//​ parameters. Ensure that, in particular, the last line (the dh parameter) does not produce an error:<​code>​ 
-  uci set openvpn.myvpn.server='​10.8.0.0 255.255.255.0' ​    ## NB: these are single quotes 
-  uci set openvpn.myvpn.port=1194 
-  uci set openvpn.myvpn.ifconfig_pool_persist=/​tmp/​openvpn-ipp.txt 
-  uci set openvpn.myvpn.keepalive='​10 120' ​                 ## NB: these are single quotes 
  
-  uci set openvpn.myvpn.dh=`ls ​/etc/openvpn/dh*.pem` ​       ## NB: these are back-quotes+After editing the firewall changes, enable them by executing:​ 
 +<code bash> 
 +/etc/init.d/firewall reload
 </​code>​ </​code>​
-  - And finally, the tricky bit (read :!: below //before// you execute this command):<​code>​ 
-  uci add_list openvpn.myvpn.push='​redirect-gateway def1' ​  ## NB: these are single quotes 
-</​code>​ 
-  - Commit the configuration,​ enable and start the OpenVPN daemon:<​code>​ 
-  uci commit openvpn; /​etc/​init.d/​openvpn enable 
-</​code>​ 
-:!: If the OpenVPN Client and Server and on the same subnet, then you must add the **local** flag.  Use instead: ''​uci add_list openvpn.myvpn.push='​redirect-gateway def1 local'''​ 
  
-:!: If your OpenVPN ​Client is not to route all it'​s ​traffic via the serevr (and therefor continue to use it'​s ​existing default ​gateway), then you should ​not use the **redirect-gateway** option at all.+===== Route All Client Traffic Through the Tunnel ===== 
 +If the OpenVPN ​server can access the Internet, then the client has the //option// of routing //all// its IP traffic via the tunnel rather than through ​it'​s ​local gateway.  If the tunnel is merely provide access to other subnets (e.g. to access a server at home from work), but Internet access is to remain as-is, then this is not your answer. ​ Instead, see [[doc/​howto/​vpn.openvpn#​Routing Only Local LAN Client Traffic Through ​the Tunnel]].
  
-=== Testing & troubleshooting ​your configuration === +Before you do this, you should know whether ​your network ​is **Scenario 1** (client and server in different subnets)or **Scenario 2** (client ​and server in the same subnet).   
-  - Ensure OpenVPN ​is //not// running, and confirm that there is no OpenVPN daemon and no TUN:<​code>​ + 
-  /etc/init.d/openvpn stop +In **Scenario 1**, the client and server are in different subnets: 
-  sleep 3 +  - On the OpenVPN ​serverexecute the following<​code ​bash> 
-  ps | grep openvpn +  uci set openvpn.myvpn.push='​redirect-gateway def1' ​       ## NB: these are single quotes 
-  ​ifconfig | grep tun0 +  uci commit openvpn 
-</​code>​ +  /​etc/​init.d/​openvpn ​restart
-  - Start OpenVPN, ​and confirm that there is an OpenVPN ​ daemon and a TUN:<​code>​ +
-  /​etc/​init.d/​openvpn ​start +
-  sleep 3 +
-  ps | grep openvpn +
-  ifconfig | grep tun0+
 </​code>​ </​code>​
-  - If you need to troubleshoota good place to start is the log file:<​code>​ +  - On the OpenVPN clientexecute ​the following:<​code ​bash
-  ​cat /tmp/openvpn.log+  /etc/init.d/​openvpn ​restart 
 +  traceroute 8.8.8.8
 </​code>​ </​code>​
  
-==== Part 2/2 - Configure and Start the OpenWRT-based client ==== +Alternatively,​ in **Scenario ​2**, the client ​and server ​are in the same subnet ​(useful ​for creating/​testing an OpenVPN tunnel at home): 
-:!: Before you execute Step 3you need to know the IP address, or FQDN that the client ​will use to access the server+  - On the OpenVPN serverexecute ​the following:<​code ​bash
-  - Clear the default OpenVPN configuration,​ and create a new openvpn configuration '​myvpn' ​(as for the server). +  uci set openvpn.myvpn.push='​redirect-gateway def1 local' ​ ## NB: these are single quotes 
-  - To thatadd the //​client-specific//​ parameters (this is different):<​code>​ +  uci commit ​openvpn; /etc/init.d/openvpn ​restart
-  uci set openvpn.myvpn.client=+
-  uci set openvpn.myvpn.resolv_retry=infinite +
-  uci set openvpn.myvpn.nobind=1 +
-  uci set openvpn.myvpn.remote_cert_tls=server+
 </​code>​ </​code>​
-  - The client ​also has a tricky bit (read :!: below //before// you execute ​this command):<​code>​ +  - On the OpenVPN ​clientexecute ​the following:<​code ​bash
-  ​uci set openvpn.myvpn.remote='​$VPN_SERVER_PUBLIC_ADDRESS 1194'+  ​/​etc/​init.d/​openvpn ​restart 
 +  traceroute 8.8.8.8  ​
 </​code>​ </​code>​
-  - Commit the configuration,​ enable and start the OpenVPN daemon (as for a server). 
  
-You can troubleshoot as for a server.+:!: If your OpenVPN client is not to route all it's traffic via the server ​(and therefore continue to use it's existing default gateway), then you should not push the **redirect-gateway** option at all.
  
- +You might need to make OpenWrt route traffic from vpn to wan. Add to /​etc/​config/​firewall:
-==== Create a client configuration for Other OSs ==== +
-In your favorite text editor on the client machine that will be connecting, paste (needs testing):+
 <​code>​ <​code>​
-client +config forwarding 
-dev tun + option src '​vpn'​ 
-proto udp + option dest '​wan'​
-remote XXXXXXXX 1194 +
-resolv-retry infinite +
-nobind +
-persist-key +
-persist-tun +
-ca ca.crt +
-cert my-client.crt +
-key my-client.key +
-comp-lzo+
 </​code>​ </​code>​
 +This worked for BB RC2 (uci commands would be better).
  
-:!: Make sure to try and mirror **ALL** the server ​options client-side,​ whatever client you're using, as some of them (namely lzo compression) can have adverse effects if they'​re not present in **BOTH** configurations. +Once this is working, head to [[doc/​howto/​vpn.server.openvpn.tun]] for more OpenVPN ​'recipes'.
- +
-Save the file as ''​client.ovpn''​ +
- +
- +
- +
- +
- +
- +
- +
- +
- +
- +
- +
- +
- +
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
 +If something doesn'​t work as expected while following this HOWTO:
 +  * Check that the client can ping the server:<​code bash>​ping SERVER_IP_ADDRESS</​code>​
 +  * Check that the OpenVPN daemon is running:<​code bash>ps | grep "​openvpn"</​code>​
 +  * Check that there is a TUN interface:<​code bash>​ifconfig | grep "​tun"</​code>​
 +  * Check the log:<​code bash>cat /​tmp/​openvpn.log</​code>​
 +  * You can try temporarily disabling the firewall on the OpenVPN server:<​code bash>/​etc/​init.d/​firewall stop</​code>​
 +  * You can clear the OpenVPN configuration and start again from scratch:<​code bash>​echo > /​etc/​config/​openvpn</​code>​
  
-* Make sure you are trying to connect to the VPN server from the outside - i.e. use 3G connection, go to a different building etc. Using another vpn (that routes all your traffic) does not seem to helpIf you do not do this, a good configuration might not work at all.+===== Asking for help ===== 
 +You can ask for help on the OpenWrt forum: [[https://​forum.openwrt.org/]] 
  
-* If unsure how various parameters are parsed to openvpn, you can find out PID with ps and then look up the parameters with ''​tr '​\0'​ ' ' ​< /proc/PID/cmdline +When asking for help, you should at a minimum include ​the contents of the following files: 
-''​ (Replace PID with a number)+<code bash> 
 +cat /tmp/openvpn.log 
 +cat /etc/​config/​network 
 +cat /​etc/​config/​firewall 
 +cat /​etc/​config/​openvpn 
 +</​code>​
  
-AttentionThe logfile (if not in system log) doesn'​t limit its disk space check periodically that you have enough free disk space for other applications (my log on level 6 needed less than a week to fill the whole disk space of a TP-Link 1043)+===== References and examples ===== 
 +  ​[[https://​community.openvpn.net/​openvpn/​wiki/​Openvpn23ManPage|OpenVPN 2.3 man-page]] 
 +  * [[https://​www.youtube.com/​watch?​v=3lqP1P-OqYA|Configuring OpenWrt 14.07 as an OpenVPN client (Youtube video)]]
  
-|FIXME: ​Please read [[vpn.overview]] and see this old articles on this matter: [[http://​wiki.openwrt.org/?​do=search&​id=vpn]] and help **migrate** them. There is also an article in the inbox: ​[[inbox:​vpn.howto]] |+| FIXME: ​Integrate any useful information from [[inbox:​vpn.howto]]|
  
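Review bot: In "Configure the network on the OpenWrt server", the new inbound rule sets `firewall.@rule[-1].src=*` and the new vpn zone sets `forward=ACCEPT`, where the previous revision had `src=wan` with `family=ipv4` and `forward=REJECT`. Together with the vpn to wan forwarding, which is now unconditional where it was marked optional before, a beginner who pastes this gets a wider policy than the stated use case (client reaches the router privately) needs, and "Do the same as on the OpenWrt server above except skip step 2" copies the same ACCEPT zone and forwarding onto the client. I would keep `src=wan` and `forward=REJECT` in the base setup and leave the forwardings to the two "Route ..." sections that actually need them. In "Configure other clients", the `.ovpn` file uses the UCI spelling `remote_cert_tls server`; in a plain OpenVPN configuration file the directive is `remote-cert-tls server`, and OpenVPN will not recognise the underscore form, so as written the file either fails to load or, if the user deletes the offending line to get going, the client no longer checks that the peer presents a server certificate. The revision also deletes the Discussion on key handling (move `ca.key` somewhere not accessible from the Internet, keep each `.key` only on its owning system) while adding an `scp` of `my-client.*` as root; a short form of that guidance should stay next to "Distribute the certificates". Minor: the use case defines Scenario 0 and Scenario 1, but "Route All Client Traffic Through the Tunnel" uses Scenario 1 and Scenario 2 with different meanings, its link targets "Routing Only Local LAN Client Traffic Through the Tunnel" while the heading reads "Route Only Local LAN ...", and the comment on `option masq '1'` describes it as enabling forwarding when it enables masquerading (NAT) for the zone.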
doc/howto/vpn.openvpn.1393701569.txt.bz2 · Last modified: 2014/03/01 20:19 by zxdavb