doc:howto:vpn.openvpn

Differences

This shows you the differences between two versions of the page.

doc:howto:vpn.openvpn [2014/03/01 20:19]
zxdavb
doc:howto:vpn.openvpn [2014/11/30 17:15] (current)
zxdavb
Line 1: Line 1:
-====== ​Basic OpenVPN ​Server ​Setup Guide ======  +====== OpenVPN Setup Guide for Beginners ​======  
-This is a guide to setting up OpenVPN on a server and a client where, in this instance, both are running ​OpenWRT. What follows has been tested on trunk (currently BB, b39757), but will likely work on the latest stable branch (currently AAb39408).+This is a //​beginner'​s// ​guide to setting up OpenVPN on a server and a client ​(and a PKI) where, in this instance, both are running ​OpenWrt ​(although ​the OpenVPN client could easily be running on another OSsuch as Windows, or *nix).  Because it's a beginner'​s guide, this HOWTO is quite long & wordy.
  
-Note that all of the '​work'​ here is accomplished via non-interactive commands (that you should cut-and-paste)andthere are no files to edit.+| For non-beginners[[doc/​howto/​vpn.server.openvpn.tun]] may be a better place to start|
  
-{{:​meta:​icons:​tango:​48px-cleanup.svg.png?​nolink&​20x20}} This how-to has had BIG rewrite.  ​If requiredyou can find the old version here: [[http://wiki.openwrt.org/doc/howto/vpn.openvpn?​rev=1390780026]]+The primary goal of this HOWTO is to get working OpenVPN tunnel; the strategy used by this HOWTO is to keep it simple.  ​Because of thatthis is a //very basic// OpenVPN tunnel configuration that will not suit most people'​s needs without further configuration 
  
-===== Overview of the Process ===== +However, once the basic tunnel is workingthen additional '​recipes'​ for other use-cases can be found at [[doc/​howto/​vpn.server.openvpn.tun]] (sorrythat wiki page is a WIP) Such use-cases might include: TAP, multiple-VPN routers, VPN-over-SOCKS,​ etc.
-On the OpenVPN server (and on similarlyon clients), installing and (more importantly) configuring an OpenVPN tunnel consists of the following:​ +
-  ​Creating and distributing the PKI certificates and their keys to the server ​and the clients +
-  - Configuring the network (i.edevicesinterfaces, and firewall) +
-  ​- ​Configuring and Starting the VPN listener+
  
-=== Use Case === +| For real-world tunnels, [[doc/​howto/​vpn.server.openvpn.tun]] may be better place to start|
-The user (i.e. client) wants to access the LAN on the other side of the server ​without being '​snooped'​ (e.gvia public WiFi network), and/or the user wants to access the Internet via the server (e.g. to punch through a company firewall and thereby bypass it's restrictions).+
  
-This article ​will be based upon TUN (routing); for TAP (bridging), you will find information elsewhere ​in this Wiki.+Note that all of the '​work'​ here is accomplished via non-interactive commands (that you should cut-and-paste to minimize transcription errors), and there are no files to edit.  It requires console access to your OpenWrt router (usually via SSH) rather than via LuCI. 
 + 
 +What follows has been tested on trunk (currently BB, b39757), but will likely work on the latest stable branch (currently AA, b39408). ​ It is based upon OpenVPN v2.3, but will likely work with v2.2.   
 + 
 +For an overview of //all// VPN-related articles ​(including other VPN technologiesin the OpenWrt wiki, see [[doc/​howto/​vpn.overview]]. 
 + 
 + 
 + 
 +===== Use Case (the beginner'​s configuration===== 
 +The user wants a client to access their OpenWrt router without the possibility of being '​snooped'​. ​ That isthe user can already access the router, but (say) over a '​public'​ network, such as the Internet (different subnets), or a Wifi Hotspot (same subnet). ​  
 + 
 +The end result ​will be a private connection directly between the OpenVPN client and server. ​ Mostly, it is as if the two end-points are in the same subnet (but not the same subnet as your router'​s LAN). 
 + 
 +DIAGRAM: [client]-- {Private Tunnel} --[OpenWrt router] 
 + 
 +| **Terminology**:​ The OpenVPN **server** is //​listening//​ for a request to negotiate a VPN tunnel. ​ The OpenVPN **client** //​initiates//​ the negotiation for that VPN tunnel. | 
 + 
 +To facilitate configuration/​testing, ​this guide permits two distinct flavors of this use-case: 
 +  * **Scenario 0**: the OpenVPN client can '​ping'​ the OpenWrt router via the router'​s **LAN** interface ​Specifically,​ they //are// in the same subnet (e.g. the client is a DHCP client of the OpenWrt router). 
 +  * **Scenario 1**: the OpenVPN client can '​ping'​ the OpenWrt router via the router'​s **WAN** interface (and preferably using a public DNS FQDN). ​ Specifically,​ they are //not// in the same subnet (e.g. they are separated by the Internet). 
 + 
 +| **Scenario 0** takes out much of the complexity of '​real-world'​ configurations,​ such as the vagaries of the Internet, or your OpenWrt firewall configuration. |  
 + 
 +DIAGRAM s0: {Internet} --WAN iface-||firewall||-[OpenWrt router]-LAN iface-- {LAN} --[client] 
 + 
 +DIAGRAM s1: [client]-- {Internet} --WAN iface-||firewall||-[OpenWrt router]-LAN iface-- {LAN} 
 + 
 +**Scenario 0** allows you to most easily implement an OpenVPN tunnel (i.e. at home), which can then (relatively easily) be switched to **Scenario 1**, which itself is the //basis// of most '​real-world'​ OpenVPN tunnel configurations. ​ You can either start with **Scenario 0**, and switch to **Scenario 1** when you've got it working, or start directly with **Scenario 1** (and switch back to **Scenario 0** for troubleshooting). 
 + 
 +==== Overview of the process ==== 
 +Installing and (more importantly) configuring an OpenVPN tunnel consists of the following process: 
 +  - Creating and distributing the PKI certificates and their keys to the server and the clients 
 +  - Configuring the network (i.e. devices, interfaces, and firewall) 
 +  - Configuring,​ starting and testing the VPN tunnel
  
 ===== Prerequisites ===== ===== Prerequisites =====
-So to make it easier for you, this How-To assumes+This HOWTO
-  - the client ​and the server ​are (vanilla-build) OpenWRT ​routers ​(look elsewhere for help Linux/Windows/etc.; it wont be too hard for clients+  - //​requires//​ that the client ​can ''​ping'' ​the server (via either it's WAN or LAN interface) 
-  - the client ​can ''​ping''​ the server though its WAN interfaceand that they are not in the same subnet+  ​//​requires//​ the OpenVPN server (listeneris an OpenWRT ​router ​(look elsewhere for help with OpenVPN servers running on LinuxWindowsetc.) 
 +  - //​prefers// ​the OpenVPN ​client ​is an OpenWRT router (but could easily be based upon LinuxWindows, etc.) 
 +  - //​requires//​ TUN (routing, recommended) rather than for TAP (bridging)
  
-The OpenVPN client (i.e. the system who //​initiates//​ the negotiation for the VPN tunnel) must be able to ''​ping''​ (using IPv4) the OpenVPN server (who responds to such requests) via it's WAN interface (and preferably using a public DNS FQDN). ​ In this case, it is assumed that the client, as well as the server (a.k.a. router) are both running OpenWRT (although *nix & Windows clients are also covered). 
  
 ==== Part 1/1 - Installing the OpenVPN packages ==== ==== Part 1/1 - Installing the OpenVPN packages ====
 :!: Before executing Step 1, you should check which specific version of OpenWRT you have.  See the notes below for more information. :!: Before executing Step 1, you should check which specific version of OpenWRT you have.  See the notes below for more information.
-  - On both the client and the server, install the OpenVPN package:<​code>​ +  - On both the client and the server, install the OpenVPN package:<​code ​c
-  opkg update; opkg install openvpn-openssl ​ ## or: opkg install openvpn+  opkg update; opkg install openvpn-openssl ​ ## or, if using AA instead of BB: opkg install openvpn
 </​code>​ </​code>​
  
 Which package you should install will be indicated by which version of OpenWRT you have (check via: ''​cat /​etc/​banner''​):​ Which package you should install will be indicated by which version of OpenWRT you have (check via: ''​cat /​etc/​banner''​):​
-  * on **Barrier Breaker**: there are three versions of OpenVPN that you can choose from, including: ''​openvpn-openssl''​ (recommendedor ''​openvpn-polarssl''​, which //might not// work with the following scripts (it should be obvious why you should not use ''​openvpn-nossl''​).+  * on **Barrier Breaker**: there are three versions of OpenVPN that you can choose from, including: ''​openvpn-openssl''​ (used here)''​openvpn-polarssl'' ​(warning: polarssl ​//might not// work with the following scripts), or ''​openvpn-nossl'' ​(it should be obvious why you should not use that one).
   * on **Attitude Adjustment**:​ there is only one version of OpenVPN that you can install, ''​openvpn''​ (which uses OpenSSL)   * on **Attitude Adjustment**:​ there is only one version of OpenVPN that you can install, ''​openvpn''​ (which uses OpenSSL)
  
  
-===== Creating the Client and Server Certificates =====+===== Creating the Client and Server ​PKI Certificates =====
 Easy-RSA is a simple PKI that was spun off from OpenVPN as a separate project. ​ With OpenVPN, there does exist a means of creating client/​server certificates that does not require a PKI (known as static keys), but Easy-RSA is used here as it is a simple enough method, and using a proper PKI is //much// better practice. Easy-RSA is a simple PKI that was spun off from OpenVPN as a separate project. ​ With OpenVPN, there does exist a means of creating client/​server certificates that does not require a PKI (known as static keys), but Easy-RSA is used here as it is a simple enough method, and using a proper PKI is //much// better practice.
  
-==== Part 1/2 - Create the Certification Authority ​and the Client/​Server ​Certificates ==== +==== Part 1/2 - Create the CA and the Certificates ==== 
-:!: Before executing Step 3you may (or may notneed to execute Step 2.  See notes below for more information+We will create a certificate for the OpenVPN server (named as ''​my-server''​)and for the //first// OpenVPN client ​(named as ''​my-client''​). 
-   - On the OpenVPN Server, install the Easy-RSA package:<​code>​+ 
 +   - On the OpenVPN Server, install the Easy-RSA package:<​code ​c>
   opkg update; opkg install openvpn-easy-rsa   opkg update; opkg install openvpn-easy-rsa
 </​code>​ </​code>​
-   - If running **Attitude Adjustment** (specifically,​ version 2.2.2-2 of the Easy-RSA package), then you must '​tweak'​ the PKI configuration to prevent problems:<​code>​+   - If running **Attitude Adjustment** (specifically,​ version 2.2.2-2 of the Easy-RSA package), then you must '​tweak'​ the PKI configuration to prevent problems ​later on (this step '​comments-out'​ the relevant code):<​code ​c>
   sed -i '/​KEY_CN/​ s:^export:# &:'​ /​etc/​easy-rsa/​vars ​ ## do not set the KEY_CN environment variable   sed -i '/​KEY_CN/​ s:^export:# &:'​ /​etc/​easy-rsa/​vars ​ ## do not set the KEY_CN environment variable
 </​code>​ </​code>​
-   - Establish the shell variables, and start with a clean slate (you may get warnings about ''​./​clean-all'',​ which you can ignore):<​code>​+   - Establish the shell variables, and start with a clean slate (you may get warnings about ''​./​clean-all'',​ which you can ignore):<​code ​c>
   source /​etc/​easy-rsa/​vars   source /​etc/​easy-rsa/​vars
   clean-all   clean-all
 </​code>​ </​code>​
-   - Create the Certification Authority, Server, and Client certificates:<​code>​+   - Create the Certification Authority, Server, and Client certificates:<​code ​c>
   pkitool --initca ​           ## equivalent to the '​build-ca'​ script   pkitool --initca ​           ## equivalent to the '​build-ca'​ script
   pkitool --server my-server ​ ## equivalent to the '​build-key-server'​ script   pkitool --server my-server ​ ## equivalent to the '​build-key-server'​ script
   pkitool ​         my-client ​ ## equivalent to the '​build-key'​ script   pkitool ​         my-client ​ ## equivalent to the '​build-key'​ script
 </​code>​ </​code>​
-   - Finally, create the Diffie Hellman parameters (left until last because it can take a long time):<​code>​+   - Finally, create the Diffie Hellman parameters (left until last because it can take a long time):<​code ​c>
   build-dh ​                   ## this script will 'take a long time'   build-dh ​                   ## this script will 'take a long time'
 </​code>​ </​code>​
 If you get an error message ''​TXT_DB error number 2'',​ then check that the CommonName variable is not set: that is, ''​set | grep KEY_CN''​ must return no results. ​ The failure is because subsequent certificates have the same identifier as first (the server'​s). ​ If required, execute ''​unset KEY_CN'',​ and start again from Step 2.  If you get an error message ''​TXT_DB error number 2'',​ then check that the CommonName variable is not set: that is, ''​set | grep KEY_CN''​ must return no results. ​ The failure is because subsequent certificates have the same identifier as first (the server'​s). ​ If required, execute ''​unset KEY_CN'',​ and start again from Step 2. 
  
-=== Troubleshooting ​=== +=== Potential traps and pitfalls ​=== 
-You can confirm everything is OK so far via''​ls $KEY_DIR'';​ there should be ''​index.txt''​ and ''​serial''​the Diffie-Hellman files, and three pairs of ''​.crt''​/''​.key''​ files (plus some other files).  +:!: If you want more than one OpenVPN (concurrent) clientthen you will need to create multiple client certificates, and each should have a different name ( (e.g. 'my-client01''my-client02', etc.).
  
-If required, you can start from scratch (i.e. destroy ​the old PKI, and create a completely new one) by re-starting this process from Step 3 If you've copied any certificates elsewhere, be sure to delete them: don't mix up these distinct sets of certificates/keys, they just happen to have the same filenames!+=== Testing & troubleshooting your configuration === 
 +You can confirm everything is OK so far via: **''​ls $KEY_DIR''​**;​ there should be ''​index.txt''​ and ''​serial'', ​the Diffie-Hellman files, and three pairs of ''​.crt''/​''​.key''​ files (plus some other files).  ​
  
-==== Part 2/2 - Distribute the Certificates ​to the Clients and Servers ​====+If required, you can start from scratch (i.e. destroy the old PKI, and create a completely new one) by re-starting this process from Step 2.  :!: If you've copied any of the earlier certificates elsewhere, be sure to delete them.  Be warned that it would be relatively easy to confuse these (new) certificate/​key sets with older sets, since they just happen to have the same filenames! 
 + 
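Review bot: "start from scratch ... by re-starting this process from Step 2" now points at the Attitude Adjustment-only `sed` tweak, which is a no-op for Barrier Breaker readers; the step that actually destroys the old PKI is `clean-all` in Step 3, which the previous revision pointed to. Suggest "from Step 3 (`clean-all`)". Minor: the pitfalls line has a doubled parenthesis in "( (e.g. 'my-client01', 'my-client02', etc.)".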
 +==== Part 2/2 - Distribute the Certificates ====
 :!: Before executing Step 3, you'll have to find a way achieving Step 2 (discussed only briefly here). ​ See the notes below for more information. :!: Before executing Step 3, you'll have to find a way achieving Step 2 (discussed only briefly here). ​ See the notes below for more information.
-   - On the server, copy the server certificate to where OpenVPN needs it to be (''​$KEY_DIR''​ is a variable set by ''​source /​etc/​easy-rsa/​vars''​):<​code>​+   - On the server, copy the server certificate to where OpenVPN needs it to be (''​$KEY_DIR''​ is a variable set by ''​source /​etc/​easy-rsa/​vars''​):<​code ​c>
   cd $KEY_DIR   cd $KEY_DIR
   mkdir -p /​etc/​openvpn   mkdir -p /​etc/​openvpn
-  cp ca.crt my-server.* dh*.pem ​ /​etc/​openvpn/ ​    ## the server files+  cp ca.crt my-server.* dh*.pem ​ /​etc/​openvpn/ ​    ## the server files (note: dh*.pem is required)
 </​code>​ </​code>​
-   - Next, you'll need to copy the client certificate from the server to the client (//e.g. via a USB stick//). +   - Next, you'll need to copy the client certificate from the server to the client (e.g. via a USB stick, or using the ''​scp''​ utility). 
-   - On the client, copy the server certificate to where OpenVPN needs it to be, example:<​code>​ +   - On the client, copy the server certificate to where OpenVPN needs it to be, example:<​code ​c
-  cp ca.crt my-client.* ​         /​etc/​openvpn/ ​    ## the client files+  cp ca.crt my-client.* ​         /​etc/​openvpn/ ​    ## the client files (note: dh*.pem is not used)
 </​code>​ </​code>​
 === Discussion === === Discussion ===
 For security reasons, you need to think long and hard about where you backup your PKI files, and especially the .key files: For security reasons, you need to think long and hard about where you backup your PKI files, and especially the .key files:
-  * ''​ca.key''​ should be moved to a place that is not accessible from the Internet ​(it is only needed when '​doing'​ CA stuff) ​+  * ''​ca.key''​ should be moved to a place that is not accessible from the Internetit needed ​only when '​doing'​ CA stuff, such as creating certificates (but not using those certificates
   * the other ''​.key''​ files should be kept '​private',​ that is, stored only on the '​owning'​ system   * the other ''​.key''​ files should be kept '​private',​ that is, stored only on the '​owning'​ system
-  * //all// ''​.key''​ files should ​not be distributed in an insecure manner - it is well known that copying .key files across the Internet is a leading cause of male-pattern baldness! ​+  * //all// ''​.key''​ files should ​//​never// ​be distributed in an insecure manner - it is well known that copying .key files across the Internet is a leading cause of male-pattern baldness! ​
  
 ===== Configuring the Network Infrastructure ===== ===== Configuring the Network Infrastructure =====
 +Before you start this, you //must// confirm that the client can ''​ping''​ the OpenWrt router.
 +
 +Also, you need to know if the OpenVPN client and server are:
 + * (**Scenario 0**) on the same subnet (i.e. ''​ping''​ via the router'​s LAN port)
 + * (**Scenario 1**) either side of the Internet (i.e. ''​ping''​ via the router'​s WAN port)
  
-==== Part 1/2 Server Configuration (on OpenWRT) ​====+==== Part 1/2 Configure the Network ​on the Server ​====
 This is the configuration of the OpenVPN **server** only.  This is the configuration of the OpenVPN **server** only. 
-   ​- ​On both the client and the server, create the vpn interface (note that the tun0 device does not yet exist):<​code>​ +   ​- ​Create ​the VPN interface (note that the tun0 device does not yet exist):<​code ​c
-  uci set network.vpn=interface +  uci set network.vpn0=interface 
-  uci set network.vpn.ifname=tun0 +  uci set network.vpn0.ifname=tun0 
-  uci set network.vpn.proto=none+  uci set network.vpn0.proto=none
  
   uci commit network; /​etc/​init.d/​network reload   uci commit network; /​etc/​init.d/​network reload
 </​code>​ </​code>​
-   - Allow OpenVPN tunnel negotiation (i.e. allow a tunnel to be //​created//​):<​code>​+   - Allow OpenVPN tunnel negotiation (i.e. accept inbound traffic and thereby ​allow a tunnel to be //​created//​):<​code ​c>
   uci add firewall ​ rule   uci add firewall ​ rule
-  uci set firewall.@rule[-1].name=Allow-Inbound-OpenVPN+  uci set firewall.@rule[-1].name=Allow-OpenVPN-Inbound
   uci set firewall.@rule[-1].target=ACCEPT   uci set firewall.@rule[-1].target=ACCEPT
-  uci set firewall.@rule[-1].src=wan +  uci set firewall.@rule[-1].src=*
-  uci set firewall.@rule[-1].family=ipv4+
   uci set firewall.@rule[-1].proto=udp   uci set firewall.@rule[-1].proto=udp
   uci set firewall.@rule[-1].dest_port=1194   uci set firewall.@rule[-1].dest_port=1194
 </​code>​ </​code>​
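Review bot: `src=*` on the Allow-OpenVPN-Inbound rule (replacing `src=wan`, with `family=ipv4` dropped at the same time) opens UDP/1194 from every zone and for both IP families, which is wider than either scenario needs. If the widening is there to cover Scenario 0 (client on the router's LAN), say so in the step text and give the reader the narrower choice, `src=lan` for Scenario 0 and `src=wan` for Scenario 1, rather than a wildcard that is likely to be left in place on a production router.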
-   - Allow OpenVPN tunnel ​traffic ​(i.e. allow a tunnel to be //​used//​):<​code>​+   - Allow OpenVPN tunnel ​utilization ​(i.e. allow a tunnel to be //​used//​):<​code ​c>
   uci add firewall ​ zone   uci add firewall ​ zone
   uci set firewall.@zone[-1].name=vpn   uci set firewall.@zone[-1].name=vpn
   uci set firewall.@zone[-1].input=ACCEPT   uci set firewall.@zone[-1].input=ACCEPT
-  uci set firewall.@zone[-1].forward=REJECT+  uci set firewall.@zone[-1].forward=ACCEPT
   uci set firewall.@zone[-1].output=ACCEPT   uci set firewall.@zone[-1].output=ACCEPT
-  uci set firewall.@zone[-1].network=vpn+  uci set firewall.@zone[-1].network=vpn0
 </​code>​ </​code>​
-   - Allow the client to access the OpenVPN server'​s LAN via the VPN (optional):<​code>​ +   - Finally, commit the changes:<​code ​c>
-  uci add firewall forwarding +
-  uci set firewall.@forwarding[-1].src=vpn +
-  uci set firewall.@forwarding[-1].dest=wan +
-</​code>​ +
-   - Allow the client to access the OpenVPN server'​s WAN via the VPN (optional):<​code>​ +
-  uci add firewall forwarding +
-  uci set firewall.@forwarding[-1].src=vpn +
-  uci set firewall.@forwarding[-1].dest=wan +
-</​code>​ +
-   - Finally, commit the changes:<​code>​+
   uci commit firewall; /​etc/​init.d/​firewall reload   uci commit firewall; /​etc/​init.d/​firewall reload
 </​code>​ </​code>​
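Review bot: changing the vpn zone's `forward` from REJECT to ACCEPT does not replace what the deleted Steps 4 and 5 provided: a zone's `forward` policy only governs traffic between networks inside that zone, while reaching the router's LAN or WAN from the tunnel needs the `firewall forwarding` sections (src=vpn, dest=...) that this revision removes. That is consistent with the stated beginner use-case (reach the router itself only), but the client test at the end of the page ("ping hosts on the Internet via the tunnel", routing 8.8.4.4 via the tunnel) depends on vpn-to-wan forwarding and will be rejected with this zone configuration; either keep one forwarding with `src=vpn` and `dest=wan` as an explicit, labelled step, or drop that test. Side note: the deleted Step 4 used `dest=wan` although its text said LAN, a copy-paste slip that the removal makes moot.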
-=== Discussion === 
-Note that Step 4 and 5 overrule the ''​REJECT''​ in Step 3. You may want only Step 4, or Only Step 5, or maybe both. That is,  
-  * Step 3 will allow the VPN client(s) to access the OpenVPN server itself 
-  * Step 4 will allow the VPN client(s) to access networks via the OpenVPN server'​s LAN interfaces 
-  * Step 5 will allow the VPN client(s) to access networks via the OpenVPN server'​s WAN interfaces 
  
-Execute: ​''uci show firewall | grep zone | grep -E "(net|name)"'​' to see the networks of each zone.+=== Testing & troubleshooting your configuration === 
 +There's not much you can do now, but later, when it comes time to test communication between the client and the server ​(either before or after the OpenVPN tunnel is established), you //could// disable the server's firewall altogether ​to see if it'​s ​the reason why you're having problems (see below).
  
-==== Part 2/2 Client Configuration ==== +Execute: ''​uci show network | grep ifname'​' to see the interface of each network (e.g. 3gwan network via usb0 interface).  ​Execute: ''​uci show firewall | grep zone | grep -E "​(net|name)"''​ to see the networks of each zone (e.g. wan/3gwan networks in wan zone).
-There shouldn't be much to do.  ​Most clients allow outbound (client-instigatedtunnels +
  
-However, you need to think about which Route tables, and which DNS server to use.  More later.+==== Part 2/2 Configure the Network on the Client ==== 
 +This is how to configure the network on an OpenVPN **client** running on OpenWrt. ​ This process consists of essentially the same sequence of steps as for the OpenVPN ​server, above. 
 + 
 +:!: Note that Step 3 is not required on a client. 
 + 
 +This is how to configure the network on an OpenVPN client: 
 +  - Create the VPN interface (this is the same as for the server). 
 +  - //​Don'​t do this step on a client// - most OSs allow outbound (client-instigated) tunnels. ​  
 +  - Allow OpenVPN tunnel utilization (this is the same as for the server). 
 +  - Finally, commit the changes (this is the same as for the server). 
 + 
 +=== Testing & troubleshooting your configuration === 
 +More later...
  
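Review bot: the client-side warning says "Step 3 is not required on a client", but the list that follows marks Step 2 (the inbound Allow-OpenVPN rule) as the one to skip, and Step 3 (the vpn zone) is exactly what lets the client use the tunnel. Change the warning to Step 2, or remove it, since the list already carries the instruction.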
 ===== Configuring the OpenVPN Infrastructure ===== ===== Configuring the OpenVPN Infrastructure =====
-This is essentially the same as for a OpenWRT ​server.+This process consists of four steps that are essentially the same on both an OpenWrt-based OpenVPN clients and servers. ​ However, non-OpenWRT-based clients usually require OpenVPN configuration files (i.e. they don't have OpenWrt'​s UCI). 
 + 
 +These configurations have been intentionally kept simple; they are the //minimal// required to get an effective OpenVPN tunnel (i.e. the tunnel you get will work, but may not yet be useful). ​ Do not add any options (i.e. any additional complexity) until you have confirmed the tunnel is functioning correctly. ​ For your own benefit, do not bother with **persist_XXX**,​ or **comp_lzo** at this stage. 
 + 
 +:!: I recommend you copy-and-paste these scripts rather than re-type them.
  
 ==== Part 1/2 - Configure and Start the Server ==== ==== Part 1/2 - Configure and Start the Server ====
-:!: Before you execute Step 3, you should understand ​the requirements of your specific use-case (i.e. your network configuration). ​ See the notes below for more information. +This is how to configure and start the OpenVPN ​Server running on OpenWrt.  ​
-   - Clear the default ​OpenVPN ​configuration,​ and create a new OpenVPN configuration called '​myvpn'​ (it could be called anything).  ​Ensure that, in particular, the last three lines (the ca, cert, and key parameters) do not produce an error:<​code>​ +
-  echo > /​etc/​config/​openvpn+
  
-  ​uci set openvpn.myvpn=openvpn+   - Clear the existing OpenVPN configuration,​ and create a new configuration called (in this case) '​myvpn'​ (NB: this step is the same for the OpenWrt OpenVPN client as well). ​ Ensure that, in particular, the last three lines (the ca, cert, and key options) do not produce an error (such as "No such file or directory"​):<​code c> 
 +  echo > /​etc/​config/​openvpn ​                               ## Clear the existing configuration 
 + 
 +  ​uci set openvpn.myvpn=openvpn ​                            ## This tunnel is called '​myvpn'​
   uci set openvpn.myvpn.enabled=1   uci set openvpn.myvpn.enabled=1
-  ​uci set openvpn.myvpn.dev=tun + 
-  uci set openvpn.myvpn.persist_tun=1 +  ​uci set openvpn.myvpn.dev=tun ​                            ## This is the basic tunnel configuration
-  uci set openvpn.myvpn.persist_key=1+
   uci set openvpn.myvpn.proto=udp   uci set openvpn.myvpn.proto=udp
-  uci set openvpn.myvpn.comp_lzo=yes 
  
 +  uci set openvpn.myvpn.log=/​tmp/​openvpn.log ​               ## These options produce a useful log file
   uci set openvpn.myvpn.verb=3   uci set openvpn.myvpn.verb=3
-  uci set openvpn.myvpn.log=/​tmp/​openvpn.log 
-  uci set openvpn.myvpn.status=/​tmp/​openvpn-status.log 
  
-  uci set openvpn.myvpn.ca=/​etc/​openvpn/​ca.crt+  uci set openvpn.myvpn.ca=/​etc/​openvpn/​ca.crt ​             ## These options are required for tunnel negotiation
   uci set openvpn.myvpn.cert=`ls /​etc/​openvpn/​my-*.crt` ​    ## NB: these are back-quotes   uci set openvpn.myvpn.cert=`ls /​etc/​openvpn/​my-*.crt` ​    ## NB: these are back-quotes
   uci set openvpn.myvpn.key=`ls /​etc/​openvpn/​my-*.key` ​     ## NB: these are back-quotes   uci set openvpn.myvpn.key=`ls /​etc/​openvpn/​my-*.key` ​     ## NB: these are back-quotes
 </​code>​ </​code>​
-  - To that, add the //​server-specific// ​parameters. Ensure that, in particular, the last line (the dh parameter) does not produce an error:<​code>​+  - To that, add the //​server-specific// ​options. Ensure that, in particular, the last line (the dh option) does not produce an error:<​code ​c>
   uci set openvpn.myvpn.server='​10.8.0.0 255.255.255.0' ​    ## NB: these are single quotes   uci set openvpn.myvpn.server='​10.8.0.0 255.255.255.0' ​    ## NB: these are single quotes
   uci set openvpn.myvpn.port=1194   uci set openvpn.myvpn.port=1194
-  uci set openvpn.myvpn.ifconfig_pool_persist=/​tmp/​openvpn-ipp.txt+
   uci set openvpn.myvpn.keepalive='​10 120' ​                 ## NB: these are single quotes   uci set openvpn.myvpn.keepalive='​10 120' ​                 ## NB: these are single quotes
  
   uci set openvpn.myvpn.dh=`ls /​etc/​openvpn/​dh*.pem` ​       ## NB: these are back-quotes   uci set openvpn.myvpn.dh=`ls /​etc/​openvpn/​dh*.pem` ​       ## NB: these are back-quotes
 </​code>​ </​code>​
-  - And finally, the tricky ​bit (read :!: below //before// you execute ​this command):<​code>​ +  - And finally, the tricky //server-specific// option (this will be changed later):<​code ​c
-  uci add_list ​openvpn.myvpn.push='​redirect-gateway def1' ​  ​## NB: these are single quotes+  uci set openvpn.myvpn.push='' ​                            ​## NB: these are single quotes
 </​code>​ </​code>​
-  - Commit the configuration, ​enable ​and start the OpenVPN ​daemon:<​code>​+  - Commit the configuration,​ and enable ​OpenVPN:<​code ​c>
   uci commit openvpn; /​etc/​init.d/​openvpn enable   uci commit openvpn; /​etc/​init.d/​openvpn enable
 </​code>​ </​code>​
-:!: If the OpenVPN Client and Server and on the same subnet, then you must add the **local** flag.  Use instead: ''​uci add_list openvpn.myvpn.push='​redirect-gateway def1 local'''​ 
  
-:!: If your OpenVPN Client ​is not to route all it'​s ​traffic via the serevr ​(and therefor continue to use it's existing default gateway), then you should not use the **redirect-gateway** option ​at all.+=== Potential traps and pitfalls === 
 +:!: The UCI system ​is very good, but has it'​s ​little quirks. ​ Be aware that (generallyOpenVPN options either require a underscoreor a dash according to whether they are to the left or the right of the '​='​ sign.  See the **comp-lzo** option, below (do //not// execute these commands):<​code c> 
 +  uci set openvpn.test.comp_lzo=adaptive ​                   ## NB: do not execute these commands 
 +  uci set openvpn.test.push='​comp-lzo=adaptive' ​            ## NB: do not execute these commands 
 +</​code>​
  
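Review bot: `uci set openvpn.myvpn.push=''` stores an empty scalar for an option the previous revision handled as a list (`uci add_list openvpn.myvpn.push='redirect-gateway def1'`); when the value is "changed later", `uci set` will overwrite rather than append, and an empty value contradicts the stated goal of a minimal configuration with no unneeded options. Suggest omitting the option in this step and introducing it with `uci add_list` where it is actually populated. In the pitfalls block, `push='comp-lzo=adaptive'` puts an '=' inside the pushed option, whereas pushed options are space-separated strings as in the earlier `push='redirect-gateway def1'`; even though the reader is told not to execute these lines, the illustration should be syntactically right, e.g. `push='comp-lzo adaptive'`.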
-=== Testing & troubleshooting ​your configuration === +=== Testing & troubleshooting ​the configuration === 
-  - Ensure ​OpenVPN ​is //not// running, and confirm that there is no OpenVPN daemon and no TUN:<​code>​ +Now you can start the OpenVPN server and check the listener. 
-  /​etc/​init.d/​openvpn ​stop +  - Start OpenVPN, and confirm that there is an OpenVPN ​ daemon and TUN:<​code ​c
-  ​sleep 3 +  /​etc/​init.d/​openvpn ​start; ​sleep 3 
-  ps | grep openvpn+  ps -w | grep openvpn
   ifconfig | grep tun0   ifconfig | grep tun0
 </​code>​ </​code>​
-  - Start OpenVPN, ​and confirm that there is an OpenVPN ​ daemon and TUN:<​code>​ +  - If the OpenVPN ​server is working OKthen you would expect ​there to be a result from (this is only for server):<​code ​c
-  ​/​etc/​init.d/​openvpn start +  ​netstat -an | grep 1194
-  sleep 3 +
-  ps | grep openvpn +
-  ifconfig ​| grep tun0+
 </​code>​ </​code>​
-  - If you need to troubleshootgood place to start is the log file:<​code>​+ 
 +If things go wrong (now or later)then for troubleshooting:​ 
 +  - A good place to start is the log file:<​code ​c>
   cat /​tmp/​openvpn.log   cat /​tmp/​openvpn.log
 </​code>​ </​code>​
  
-==== Part 2/2 - Configure ​and Start the OpenWRT-based client ​==== + 
-:!: Before you execute Step 3, you need to know the IP address, or FQDN that the client will use to access the server. +==== Part 2/2 - Configure the (OpenWrt) Client ​==== 
-  - Clear the default OpenVPN configuration,​ and create a new openvpn ​configuration '​myvpn'​ (as for the server). +This is how to configure and start an OpenVPN **client** running on OpenWrt. ​ This process consists of essentially the same sequence of steps as for the OpenVPN server, above. 
-  - To that, add the //​client-specific//​ parameters (this is different):<​code>​+ 
 +:!: Before you execute Step 3, you need to know the IP address, or FQDN (//​VPN_SERVER_ID//,​ below) ​that the client will use to access the server
 + 
 +First, create a variable with the IP address (//​XXX.XXX.XXX.XXX//,​ below) or FQDN and test that you can get a ping response.:<​code c> 
 +  set VPN_SERVER_ID="​XXX.XXX.XXX.XXX"​ 
 +  ping -c 4 ${VPN_SERVER_ID} 
 +</​code>​ 
 + 
 +If that works, then you can configure the client, as below
 +  - Clear the default OpenVPN configuration,​ and create a new configuration ​called ​'​myvpn'​ (as for the server, above). 
 +  - To that, add the //​client-specific//​ parameters (this is different ​from above):<​code ​c>
   uci set openvpn.myvpn.client=1   uci set openvpn.myvpn.client=1
-  uci set openvpn.myvpn.resolv_retry=infinite 
-  uci set openvpn.myvpn.nobind=1 
   uci set openvpn.myvpn.remote_cert_tls=server   uci set openvpn.myvpn.remote_cert_tls=server
 </​code>​ </​code>​
-  - The client also has a tricky bit (read :!: below //before// you execute this command):<​code>​ +  - The client also has a tricky bit (read :!: above //before// you execute this command):<​code ​c
-  uci set openvpn.myvpn.remote='​$VPN_SERVER_PUBLIC_ADDRESS ​1194'+  uci set openvpn.myvpn.remote='​${VPN_SERVER_ID} ​1194' ​   ## NB: these are single quotes 
 +</​code>​ 
 +  - Commit the configuration,​ and enable OpenVPN (as for a server, above):<​code c> 
 +uci commit openvpn
 </​code>​ </​code>​
-  - Commit the configuration,​ enable and start the OpenVPN daemon (as for a server). 
  
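Review bot: The two new lines that introduce and consume VPN_SERVER_ID will not work as written. In a POSIX shell such as OpenWrt's ash, ''set VPN_SERVER_ID="XXX.XXX.XXX.XXX"'' assigns that string to the positional parameter $1, not to a shell variable, so ''${VPN_SERVER_ID}'' stays empty and ''ping -c 4 ${VPN_SERVER_ID}'' pings nothing; the assignment should be ''VPN_SERVER_ID="XXX.XXX.XXX.XXX"'' with no ''set''. The later ''uci set openvpn.myvpn.remote='${VPN_SERVER_ID} 1194''' then makes the opposite mistake: inside single quotes the shell does not expand the variable, so UCI stores the literal text ${VPN_SERVER_ID} 1194 and OpenVPN will try to resolve a host literally named ${VPN_SERVER_ID}. The comment "NB: these are single quotes" should say double quotes: ''uci set openvpn.myvpn.remote="${VPN_SERVER_ID} 1194"''. Two smaller points: the step "Commit the configuration, and enable OpenVPN" shows only ''uci commit openvpn'', so ''/etc/init.d/openvpn enable'' belongs in the same block if the client is meant to start on boot; and removing ''resolv_retry=infinite'' is harmless for an IP address but, for an FQDN, means one failed DNS lookup at boot makes the client exit instead of retrying. Keeping ''remote_cert_tls=server'' is correct and worth a sentence of justification: without it, any client certificate issued by the same CA could impersonate the server.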
-You can troubleshoot as for server.+=== Testing & troubleshooting your configuration === 
 +That's it for the client! ​ Now you can start the OpenVPN client and check the tunnel.  
 +  - Before starting the tunnel, you should (again) be able to ping the server ​from the client:<​code c> 
 +  ping -c 4 $(uci -P/​var/​state get openvpn.myvpn.remote | awk '​{print $1;​}'​) 
 +</​code>​ 
 +  - Start OpenVPN, and confirm that there is an OpenVPN ​ daemon and a TUN:<​code c> 
 +  /etc/init.d/openvpn start; sleep 3 
 +  ps | grep openvpn 
 +  ifconfig | grep tun0 
 +</​code>​
  
 +Testing the tunnel:
 +  - The tunnel should have made a change to the client'​s route table (so you can access the tunnel end-point, should be 10.8.0.1):<​code c>
 +  cat /​tmp/​openvpn.log | grep 'route add'
 +     ...
 +  route
 +</​code>​
 +  - You should be able to ping the tunnel end-point (i.e. the OpenVPN server):<​code c>
 +  traceroute 10.8.0.1
 +</​code>​
 +  - You should still be able to ping hosts on the Internet via your default gateway:<​code c>
 +  traceroute 8.8.8.8
 +</​code>​
 +  - You should be able to ping hosts on the Internet via the tunnel:<​code c>
 +  route add -net 8.8.4.4 netmask 255.255.255.255 gateway 10.8.0.5
 +  route
 +     ...
 +  traceroute 8.8.4.4
 +</​code>​
  
-==== Create a client configuration for Other OSs ==== +In particular, look at hops 1 and 2 of the **traceroute**;​ hop 1 should be one of the gateways from your route table. ​ If hop 2 of **traceroute 8.8.4.4** is the IP address of VPN_SERVER_ID,​ then the tunnel is working.  
-In your favorite text editor on the client ​machine that will be connectingpaste (needs testing):+ 
 +:-D Congratulations! Now look to '​tune'​ the OpenVPN tunnel for a specific use-case. 
 + 
 +However, if things go wrong (now or later), then for troubleshooting:​ 
 +  - A good place to start is the log file:<​code c> 
 +  cat /​tmp/​openvpn.log 
 +</​code>​ 
 +  - In addition, you //could// try (temporarily) turning off the firewall //on the OpenVPN server// (i.e. execute the following command on the server, and not the client):<​code c> 
 +  /​etc/​init.d/​firewall stop 
 +   ... 
 +  /​etc/​init.d/​firewall start 
 +</​code>​ 
 + 
 +:!: Don't forget to restart your firewall after you have finished troubleshooting (or just reboot). 
 + 
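Review bot: The troubleshooting advice to run ''/etc/init.d/firewall stop'' on the OpenVPN server is dangerous on a router whose WAN faces the Internet: while the firewall is down every listening service (SSH, LuCI, DNS, and so on) is reachable from the WAN, not just UDP 1194, and the note to restart it afterwards is easy to forget. A narrower check is to confirm a wan-zone rule exists for the port with ''uci show firewall | grep 1194'' and to watch for the client's packets arriving, for example ''tcpdump -ni <wan-interface> udp port 1194'' on the server if tcpdump is installed; a client log ending in "TLS Error: TLS key negotiation failed to occur within 60 seconds" with no corresponding entry in the server log is the usual signature of a blocked port, and the fix is one Allow-OpenVPN rule on the wan zone, not stopping the firewall. The routing tests also silently assume OpenVPN's default ''topology net30'': the 10.8.0.5 gateway used in ''route add -net 8.8.4.4 netmask 255.255.255.255 gateway 10.8.0.5'' only exists under net30; with ''topology subnet'' the gateway is 10.8.0.1 and that line fails. Minor: the step headed "You should be able to ping the tunnel end-point" runs traceroute rather than ping, and the /32 route is more conventionally written ''route add -host 8.8.4.4 gw 10.8.0.5''.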
 +===== Routing All Client Traffic Through the Tunnel ===== 
 +If the OpenVPN server can access the Internet, then the client has the //option// of routing //all// its IP traffic via the tunnel rather than through it's local gateway. ​ If the tunnel is merely provide access to other subnets (e.g. to access a server at home from work), but Internet access is to remain as-is, then this is not your answer. ​ Instead, see XXX. 
 + 
 +Before you do this, you should know whether your network is **Scenario 1** (client and server in different subnets), or **Scenario 2** (client and server in the same subnet). ​  
 + 
 +In **Scenario 1**, the client ​and server are in different subnets: 
 +  - On the OpenVPN serverexecute the following<​code c> 
 +  uci set openvpn.myvpn.push='​redirect-gateway def1' ​       ## NB: these are single quotes 
 +  uci commit openvpn; /​etc/​init.d/​openvpn restart 
 +</​code>​ 
 +  - On the OpenVPN client, execute the following:<​code c> 
 +  /​etc/​init.d/​openvpn restart 
 +  traceroute 8.8.8.8 
 +</​code>​ 
 + 
 +Alternatively,​ in **Scenario 2**, the client and server are in the same subnet ​(useful for creating/testing ​an OpenVPN tunnel at home)
 +  - On the OpenVPN server, execute the following:<​code c> 
 +  uci set openvpn.myvpn.push='​redirect-gateway def1 local' ​ ## NB: these are single quotes 
 +  uci commit openvpn; /​etc/​init.d/​openvpn restart 
 +</​code>​ 
 +  - On the OpenVPN client, execute the following:<​code c> 
 +  /​etc/​init.d/​openvpn restart 
 +  traceroute 8.8.8.8 ​  
 +</​code>​ 
 + 
 +:!: If your OpenVPN client is not to route all it's traffic via the server (and therefore continue to use it's existing default gateway), then you should not push the **redirect-gateway** option at all. 
 + 
 +You might need to make OpenWRT route traffic from vpn to wan. Add to /​etc/​config/​firewall:
 <​code>​ <​code>​
-client +config forwarding 
-dev tun+ option src '​vpn'​ 
 + option dest '​wan'​ 
 +</​code>​ 
 +This worked for BB RC2 (uci commands would be better). 
 + 
 +Once this is working, head to [[doc/​howto/​vpn.server.openvpn.tun]] for more OpenVPN '​recipes'​. 
 + 
 +=== Testing & troubleshooting your configuration === 
 +Test as above. ​  
 + 
 + 
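Review bot: "Instead, see XXX." is a placeholder that needs a real link or should be dropped, and "it's" should be "its" in three places in this section. Two caveats belong next to ''redirect-gateway def1'' for a reader who relies on it for privacy: the client's IPv4 traffic is redirected, but its DNS queries still go to whatever resolver it used before, so name lookups keep leaving via the local network unless the server also pushes a resolver reachable through the tunnel (for example ''push "dhcp-option DNS 10.8.0.1"'' if the server's own resolver listens on the tun address) and the client applies it; and the OpenVPN 2.3 form of this option redirects IPv4 only, so any native IPv6 path the client has bypasses the tunnel entirely. On the firewall fragment: ''config forwarding'' with ''option src 'vpn''' presupposes a firewall zone named ''vpn'' that contains the tun interface, and this section does not show creating it, so the reader must define that zone (or put tun0 in the lan zone and forward from lan) before the forwarding rule does anything. The UCI equivalent the text asks for is ''uci add firewall forwarding'', ''uci set firewall.@forwarding[-1].src=vpn'', ''uci set firewall.@forwarding[-1].dest=wan'', followed by ''uci commit firewall; /etc/init.d/firewall restart''.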
 +===== Configuring OpenVPN for Other OSs ===== 
 +Below is a copy of an OpenVPN configuration file that is identical to that created above for OpenWrt OpenVPN clients. 
 + 
 +==== Create an OpenVPN ​client ​configuration file ==== 
 +In your favorite text editor on the client machine that will be connecting, paste the following. Save the file as **client.ovpn**:​ 
 + 
 +<code text>dev tun
 proto udp proto udp
-remote XXXXXXXX 1194 + 
-resolv-retry infinite +log openvpn.log 
-nobind +verb 3 
-persist-key +
-persist-tun+
 ca ca.crt ca ca.crt
-cert my-client.crt +cert MY-CLIENT.crt 
-key my-client.key +key MY-CLIENT.key 
-comp-lzo+ 
 +client 
 +remote_cert_tls server 
 + 
 +remote VPN_SERVER_ID 1194
 </​code>​ </​code>​
  
-:!: Make sure to try and mirror ​**ALL** the server options client-side,​ whatever client you're using, as some of them (namely lzo compression) can have adverse effects if they'​re not present in **BOTH** configurations.+:!: Make sure to try and mirror ALL the server options client-side,​ whatever client you're using, as some of them (//​especially//​ LZO compression) can have adverse effects if they'​re not present in BOTH configurations.
  
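Review bot: ''remote_cert_tls server'' in the client.ovpn for other OSs is the UCI spelling, not an OpenVPN directive; a standard OpenVPN client rejects the file with an "Unrecognized option" error. It must read ''remote-cert-tls server'' with a hyphen, which is exactly what the generated ''/var/etc/openvpn-myvpn.conf'' further down shows. Dropping ''comp-lzo'' here is correct, since the server configuration on this page does not enable it, and matches the warning about mirroring options. Removing ''persist-key'', ''persist-tun'' and ''nobind'' is fine for a first test but those are worth restoring for laptops that reconnect after suspend or that drop privileges after start. Cosmetic but confusing for a beginner copying files: the certificate and key are MY-CLIENT.crt/.key here and my-client.crt/.key in the completed configuration below.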
-Save the file as ''​client.ovpn''​+===== Completed OpenVPN Configuration ===== 
 +Below is a copy a the final OpenVPN configuration ​as produced by this beginner's guide (HOWTO). ​ Note that some of these settings are very implementation-specific.
  
 +On OpenWrt, standard-format OpenVPN configuration files are not normally used (although you can do so if you wish). ​ Instead, these configuration files are dynamically created from **/​etc/​config/​openvpn** by **/​etc/​init.d/​openvpn** during it's startup process. ​ If OpenVPN is running, then the specific name/​location of the OpenVPN-compatible configuration file can be seen with **ps -w | grep openvpn**. ​ If required, you can copy this file and use it elsewhere!
  
 +==== Server Configuration ====
 +If you execute **cat /​etc/​config/​openvpn** on an OpenWrt-based OpenVPN client, you '​should'​ get:<​code>​
 +config openvpn '​myvpn'​
 +        option enabled '​1'​
 +        option dev   '​tun'​
 +        option proto '​udp'​
  
 +        option server ​   '​10.8.0.0 255.255.255.0'​
 +        option port      '​1194'​
 +        option keepalive '10 120'
  
 +        option ca   '/​etc/​openvpn/​ca.crt'​
 +        option key  '/​etc/​openvpn/​my-server.key'​
 +        option cert '/​etc/​openvpn/​my-server.crt'​
 +        option dh   '/​etc/​openvpn/​dh2048.pem'​
  
 +        option log  '/​tmp/​openvpn.log'​
 +        option verb '​3'​
 +</​code>​
  
 +Alternatively,​ you could execute **uci show openvpn** to see the same configuration,​ but in UCI format. ​ It may be easier to make changes via UCI, or by directly editing the OpenWrt configuration file directly.
  
 +==== Client Configuration (OpenWrt-based clients) ====
 +If you execute **cat /​etc/​config/​openvpn** on an OpenWrt-based OpenVPN client, you '​should'​ get:<​code>​
 +config openvpn '​myvpn'​
 +        option enabled '​1'​
 +        option dev   '​tun'​
 +        option proto '​udp'​
  
 +        option client '​1'​
 +        option remote '​172.27.0.1 1194'
  
 +        option ca   '/​etc/​openvpn/​ca.crt'​
 +        option cert '/​etc/​openvpn/​my-client.crt'​
 +        option key  '/​etc/​openvpn/​my-client.key'​
 +        option remote_cert_tls '​server'​
  
 +        option log  '/​tmp/​openvpn.log'​
 +        option verb '​3'​
 +</​code>​
  
 +Note that your OpenVPN server will probably have a different IP address (or even a FQDN) to that used here.
  
 +=== Client Configuration File (standard clients) ===
 +If you execute (the equivalent of) **cat /​var/​etc/​openvpn-myvpn.conf** on any OpenVPN client, you should get:<​code>​
 +dev tun
 +proto udp
  
 +client
 +remote 172.27.0.1 1194
  
 +ca   /​etc/​openvpn/​ca.crt
 +cert /​etc/​openvpn/​my-client.crt
 +key  /​etc/​openvpn/​my-client.key
 +remote-cert-tls server
  
-===== Troubleshooting =====+log  /​tmp/​openvpn.log 
 +verb 3 
 +</​code>​
  
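Review bot: Under the "Server Configuration" heading the sentence says "on an OpenWrt-based OpenVPN client", a copy-paste slip from the client section; it should say server. A caveat worth stating next to the completed server config: it relies entirely on OpenVPN 2.3 defaults, which means BF-CBC as the data-channel cipher and no ''tls-auth'' HMAC on the control channel, so UDP 1194 answers TLS handshakes from anyone on the Internet using only the CA for protection. That is acceptable for a first working tunnel, but the reader should be told that ''cipher'' and ''tls_auth'' are deliberately absent rather than implied, and that if the server later sets ''cipher'' the client must set the same value. It would also help to say explicitly that UCI option names use underscores (''remote_cert_tls'') while the generated .conf uses OpenVPN's hyphenated names (''remote-cert-tls''), since that is the only difference between the two client blocks shown.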
-* Make sure you are trying to connect to the VPN server from the outside - i.e. use 3G connection, go to a different building etc. Using another vpn (that routes all your traffic) does not seem to help. If you do not do this, a good configuration might not work at all.+===== Other Stuff =====
  
-* If unsure how various parameters are parsed to openvpn, you can find out PID with ps and then look up the parameters with ''​tr '​\0'​ ' ' < /​proc/​PID/​cmdline +==== General guidelines for troubleshooting ====
-''​ (Replace PID with a number)+
  
-* Attention: The logfile (if not in system log) doesn'​t limit its disk space - check periodically that you have enough free disk space for other applications (my log on level 6 needed less than a week to fill the whole disk space of a TP-Link 1043)+This command is useful: 
 +<code c>ps -w | grep openvpn 
 +</​code>​ 
 + 
 +You should see a *.conf file after ''​----config''​. ​ You can then execute this more useful command: 
 +<code c>​cat ​ /​var/​etc/​*.conf 
 +</​code>​ 
 + 
 +* Make sure you are trying to connect to the VPN server from the outside - i.e. use 3G connection, go to a different building etc. Using another vpn (that routes all your traffic) does not seem to help. If you do not do this, a good configuration might not work at all. 
 + 
 +* Attention: The logfile (if not in system log) doesn'​t limit its disk space - check periodically that you have enough free disk space for other applications (my log on level 6 needed less than a week to fill the whole disk space of a TP-Link 1043).  [the way to fix this is: a) use verb=3, and b) use logrotate]
  
 |FIXME: Please read [[vpn.overview]] and see this old articles on this matter: [[http://​wiki.openwrt.org/?​do=search&​id=vpn]] and help **migrate** them. There is also an article in the inbox: [[inbox:​vpn.howto]] | |FIXME: Please read [[vpn.overview]] and see this old articles on this matter: [[http://​wiki.openwrt.org/?​do=search&​id=vpn]] and help **migrate** them. There is also an article in the inbox: [[inbox:​vpn.howto]] |
  
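Review bot: ''----config'' has four dashes; the argument visible in ''ps -w | grep openvpn'' output is ''--config''. On the log-growth warning: on OpenWrt ''/tmp'' is a RAM-backed tmpfs, so a runaway ''/tmp/openvpn.log'' at ''verb 6'' consumes memory rather than flash and the router can become unstable well before any "disk" is full. Besides lowering to ''verb 3'', an alternative to logrotate is to omit the ''log'' option altogether so OpenVPN writes to syslog, which on OpenWrt is a fixed-size ring buffer read with ''logread''. The advice to test from outside is sound and deserves its reason: a client on the same LAN as the server typically cannot reach the server's public address because the upstream NAT does not hairpin, so a correct configuration looks broken when tested from home.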
 +==== When truly stuck: asking for help ====
 +
 +In short, hit the OpenWrt forum: [[https://​forum.openwrt.org/​viewforum.php?​id=10]].  ​
 +
 +| :!: If you do so, then please use code tags [[https://​forum.openwrt.org/​help.php?​section=bbcode]] (otherwise your post will be TL;DR)! |
 +
 +At a minimum, you'd be expected to a) create an intelligent request for help, and b) paste a copy of the following files:
 +<code c>cat /​tmp/​openvpn.log
 +cat /​etc/​config/​network
 +cat /​etc/​config/​firewall
 +cat /​etc/​config/​openvpn
 +</​code>​
 +
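Review bot: The list of files to paste on the forum needs a redaction warning. ''/etc/config/network'' stores PPPoE and similar WAN credentials in clear text under ''option username'' and ''option password'', ''/tmp/openvpn.log'' contains the server's public IP or FQDN and the certificate CNs, and ''/etc/config/firewall'' shows which ports are open to the WAN. Scrub passwords and public addresses before posting; note that the CA, certificate and key files are rightly not in this list and must never be pasted.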
 +==== References ====
 +See: https://​community.openvpn.net/​openvpn/​wiki/​Openvpn23ManPage
doc/howto/vpn.openvpn.1393701569.txt.bz2 · Last modified: 2014/03/01 20:19 by zxdavb