doc:howto:vpn.openvpn [2014/03/01 20:19]
doc:howto:vpn.openvpn [2015/10/25 10:29] (current)
risk [Configure the network on the OpenWrt server]
Line 1: Line 1:
-====== ​Basic OpenVPN ​Server ​Setup Guide ======  +====== OpenVPN Setup Guide for Beginners ​======  
-This is a guide to setting up OpenVPN on a server and a client where, in this instance, both are running ​OpenWRT. What follows has been tested on trunk (currently BB, b39757), but will likely work on the latest stable branch (currently AAb39408).+This is a beginner'​s ​guide to setting up OpenVPN on a server and a client where, in this instance, both are running ​OpenWrt ​(although the OpenVPN client could easily be running ​on another OSsuch as Windows or Linux).
-Note that all of the '​work'​ here is accomplished via non-interactive commands (that you should cut-and-paste)andthere are no files to edit.+For non-beginners or real-world tunnels[[doc/​howto/​vpn.server.openvpn.tun]] may be a better place to start.
-{{:​meta:​icons:​tango:​48px-cleanup.svg.png?​nolink&​20x20}} This how-to has had BIG rewrite.  ​If requiredyou can find the old version here: [[http://​​doc/​howto/​vpn.openvpn?​rev=1390780026]]+The primary goal of this HOWTO is to get working OpenVPN tunnel; the strategy used by this HOWTO is to keep it simple.  ​Because of thatthis is a very basic OpenVPN tunnel configuration that will not suit most people'​s needs without further configuration. However, once the basic tunnel is working, additional recipes for other use-cases can be found at [[doc/​howto/​vpn.server.openvpn.tun]].
-===== Overview ​of the Process ===== +For an overview ​of all VPN-related articles ​(including other VPN technologies), see [[doc/​howto/​vpn.overview]].
-On the OpenVPN server ​(and on similarly, on clients), installing and (more importantly) configuring an OpenVPN tunnel consists of the following:​ +
-  - Creating and distributing the PKI certificates and their keys to the server and the clients +
-  - Configuring the network (i.edevices, interfaces, and firewall) +
-  - Configuring and Starting the VPN listener+
-=== Use Case === +===== Use Case (the beginner'​s configuration) ===== 
-The user (i.e. client) wants to access the LAN on the other side of the server without ​being 'snooped' (e.g. via a public ​WiFi network)and/or the user wants to access ​the Internet ​via the server (e.g. to punch through a company firewall and thereby bypass it's restrictions).+The user wants a client to access ​their OpenWrt router without ​the possibility ​of being snooped. ​That is, the user can already access the router, but over a public network, ​such as the Internet. ​ 
-This article ​will be based upon TUN (routing)for TAP (bridging), you will find information elsewhere in this Wiki.+The end result ​will be a private connection directly between the OpenVPN client and server. Mostly, it is as if the two end-points are on the same subnet ​(but not on the same subnet as your router'​s LAN)
 +To facilitate configuration/​testing,​ this HOWTO permits two distinct scenarios ​for this use-case: 
 +  * Scenario 0: the OpenVPN client can ping the OpenWrt router via the router'​s LAN interface. Specifically,​ they are on the same subnet ​(e.g. the client is a DHCP client of the OpenWrt router)
 +  * Scenario 1: the OpenVPN client can ping the OpenWrt router via the router'​s WAN interface. Specificallythey are **not** on the same subnet (e.g. they are separated by the Internet). 
 +Scenario 0 takes out much of the complexity of real-world configurations,​ such as the vagaries of the Internet, or your OpenWrt firewall configuration. Scenario 0 allows ​you to easily implement an OpenVPN tunnel, which can then be switched to Scenario 1, which itself is the basis for most real-world OpenVPN configurations. You can either start with Scenario 0, and switch to Scenario 1 when you've got it working, or start directly with Scenario 1 and switch back to Scenario 0 for troubleshooting.
 ===== Prerequisites ===== ===== Prerequisites =====
-So to make it easier for you, this How-To assumes: +This HOWTO requires that the OpenVPN ​server ​is an OpenWrt router running OpenWrt 15.05 Chaos Calmer.
-  - the client and the server ​are (vanilla-build) OpenWRT routers (look elsewhere for help Linux/​Windows/​etc.; it wont be too hard for clients) +
-  - the client can ''​ping''​ the server though its WAN interface, and that they are not in the same subnet+
-The OpenVPN client (i.e. the system who //​initiates//​ the negotiation for the VPN tunnel) must be able to ''​ping''​ (using IPv4) the OpenVPN server (who responds to such requests) via it's WAN interface (and preferably using a public DNS FQDN). ​ In this case, it is assumed that the client, as well as the server (a.k.a. router) are both running OpenWRT (although *nix & Windows clients are also covered).+===== Install ​the required software ===== 
 +opkg update 
 +opkg install openvpn-openssl openvpn-easy-rsa 
-==== Part 1/1 - Installing ​the OpenVPN packages ​==== +===== Create ​the certificates ===== 
-:!: Before executing Step 1, you should check which specific version of OpenWRT you have.  See the notes below for more information. +<​code>​ 
-  - On both the client and the server, install the OpenVPN package:<​code>​ +build-ca 
-  opkg update; opkg install openvpn-openssl ​ ## or: opkg install openvpn+build-dh 
 +build-key-server my-server 
 +build-key-pkcs12 my-client
 </​code>​ </​code>​
-Which package you should install will be indicated by which version of OpenWRT you have (check via: ''​cat ​/etc/banner''​):​ +The above creates a server certificate named //my-server// and a client certificate named //my-client//You can create multiple client certificates by running ​''​build-key-pkcs12'' ​multiple times and specifying different names.
-  * on **Barrier Breaker**: there are three versions of OpenVPN that you can choose from, including: ''​openvpn-openssl''​ (recommended) or ''​openvpn-polarssl'',​ which //might not// work with the following scripts (it should be obvious why you should not use ''​openvpn-nossl''​). +
-  * on **Attitude Adjustment**:​ there is only one version of OpenVPN that you can install, ​''​openvpn'' ​(which uses OpenSSL)+
 +You can create a new set of certificates by running ''​clean-all''​ and then the above commands
-===== Creating the Client and Server Certificates ===== 
-Easy-RSA is a simple PKI that was spun off from OpenVPN as a separate project. ​ With OpenVPN, there does exist a means of creating client/​server certificates that does not require a PKI (known as static keys), but Easy-RSA is used here as it is a simple enough method, and using a proper PKI is //much// better practice. 
-==== Part 1/2 - Create the Certification Authority and the Client/​Server Certificates ​==== +===== Distribute ​the certificates ===== 
-:!: Before executing Step 3, you may (or may not) need to execute Step 2.  See notes below for more information. +<​code>​ 
-   - On the OpenVPN Server, install the Easy-RSA package:<​code>​ +cp /​etc/​easy-rsa/​keys/​ca.crt /​etc/​easy-rsa/​keys/​my-server.* /​etc/​easy-rsa/​keys/​dh2048.pem /etc/openvpn 
-  opkg update; opkg install ​openvpn-easy-rsa+scp /etc/easy-rsa/​keys/​ca.crt /etc/easy-rsa/​keys/​my-client.* root@CLIENT_IP_ADDRESS:/​etc/​openvpn
 </​code>​ </​code>​
-   ​- ​If running **Attitude Adjustment** (specificallyversion 2.2.2-2 of the Easy-RSA package), then you must '​tweak' ​the PKI configuration to prevent problems:<​code>​ + 
-  sed -i '/​KEY_CN/​ s:^export:# &:'​ /​etc/​easy-rsa/​vars ​ ## do not set the KEY_CN environment variable+The above assumes that you can connect to the client from the server, that the client has a SSH server and that you can login as root. If you can'ttransfer the client certificate some other way, such as using an USB stick. 
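Review bot: The `scp` line in "Distribute the certificates" copies `my-client.*`, which includes the client's private key (`my-client.key`, plus the `.p12` that `build-key-pkcs12` writes), so the sentence that follows should say that the "other way" (USB stick) must equally keep the key out of anyone else's hands, not just get the file across. The rewrite also dropped the previous revision's point that `ca.key` belongs only where CA work is done and never on an Internet-reachable host; that is worth keeping as one line after the `cp` command, which correctly copies `ca.crt` and the `my-server.*` files to `/etc/openvpn` and leaves `ca.key` behind.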
 +===== Configure ​the network on the OpenWrt server ===== 
 +  ​Create ​the VPN interface(if not running server-bridge)<​code ​bash
 +uci set network.vpn0=interface 
 +uci set network.vpn0.ifname=tun0 
 +uci set network.vpn0.proto=none 
 +uci set
 </​code>​ </​code>​
-   Establish the shell variables, and start with a clean slate (you may get warnings about ''​./​clean-all'',​ which you can ignore):<​code>​ +  ​Add interface to bridge:!: skip unless going for server-bridge config<​code ​bash
-  ​source /​etc/​easy-rsa/​vars +uci set network.lan.ifname="​$(uci get network.lan.ifname) tap_myvpn"​
-  clean-all+
 </​code>​ </​code>​
-   Create the Certification Authority, Server, and Client certificates:<​code>​ +  ​Allow inbound VPN traffic:<​code ​bash
-  ​pkitool ​--initca ​           ## equivalent to the 'build-ca' script +uci add firewall rule 
-  ​pkitool ​--server my-server ​ ## equivalent to the '​build-key-server'​ script +uci set firewall.@rule[-1].name=Allow-OpenVPN-Inbound 
-  ​pkitool ​         my-client ​ ## equivalent to the 'build-key' script+uci set firewall.@rule[-1].target=ACCEPT 
 +uci set firewall.@rule[-1].src=* 
 +uci set firewall.@rule[-1].proto=udp 
 +uci set firewall.@rule[-1].dest_port=1194
 </​code>​ </​code>​
-   Finally, create the Diffie Hellman parameters ​(left until last because it can take a long time):<​code>​ +  ​Allow OpenVPN tunnel utilization: ​(not needed when bridging using tap)<​code ​bash
-  build-dh                    ## this script will 'take a long time'+uci add firewall zone 
 +uci set firewall.@zone[-1].name=vpn 
 +uci set firewall.@zone[-1].input=ACCEPT 
 +uci set firewall.@zone[-1].forward=ACCEPT 
 +uci set firewall.@zone[-1].output=ACCEPT 
 +uci set firewall.@zone[-1].network=vpn0 
 +uci add firewall forwarding 
 +uci set firewall.@forwarding[-1].src='vpn' 
 +uci set firewall.@forwarding[-1].dest='​wan'​ 
 +  - Commit the changes:<​code bash> 
 +uci commit network 
 +/​etc/​init.d/​network reload 
 +uci commit firewall 
 +/​etc/​init.d/​firewall reload
 </​code>​ </​code>​
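Review bot: In "Allow inbound VPN traffic", `firewall.@rule[-1].src=*` accepts UDP/1194 from every zone, whereas the previous revision's `src=wan` (with `family=ipv4`) confines the listener to the WAN side; `src=wan` still covers Scenario 1, and Scenario 0 needs no rule at all because the default lan zone already accepts input, so `src=wan` should be restored. Also, the `vpn`-to-`wan` forwarding added in "Allow OpenVPN tunnel utilization" is unconditional, so it permits every client to forward traffic to the Internet through the server although the stated use case is only access to the router; the previous revision marked that forwarding optional, and the "Route All Client Traffic Through the Tunnel" section further down re-adds the same `src 'vpn'` / `dest 'wan'` forwarding, so it belongs there rather than in the base setup.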
-If you get an error message ''​TXT_DB error number 2'',​ then check that the CommonName variable is not set: that is, ''​set | grep KEY_CN''​ must return no results. ​ The failure is because subsequent certificates have the same identifier as first (the server'​s). ​ If required, execute ''​unset KEY_CN'',​ and start again from Step 2.  
-=== Troubleshooting ​=== +===== Configure the network on the OpenWrt client ===== 
-You can confirm everything is OK so far via: ''​ls $KEY_DIR'';​ there should be ''​index.txt''​ and ''​serial'', ​the Diffie-Hellman files, and three pairs of ''​.crt''/''​.key''​ files (plus some other files) +Do the same as on the OpenWrt server above except skip step 2.
-If required, you can start from scratch (i.edestroy the old PKI, and create a completely new one) by re-starting this process from Step 3.  If you've copied any certificates elsewhere, be sure to delete them: don't mix up these distinct sets of certificates/keys, they just happen to have the same filenames!+===== Configure the OpenVPN server ===== 
 +echo > /​etc/​config/​openvpn 
 +uci set openvpn.myvpn=openvpn 
 +uci set openvpn.myvpn.enabled=1 
 +uci set 
 +uci set openvpn.myvpn.port=1194 
 +uci set openvpn.myvpn.proto=udp 
 +uci set openvpn.myvpn.verb=3 
 +uci set​etc/​openvpn/​ca.crt 
 +uci set openvpn.myvpn.cert=/​etc/​openvpn/​my-server.crt 
 +uci set openvpn.myvpn.key=/​etc/​openvpn/​my-server.key 
 +uci set openvpn.myvpn.server='' 
 +uci set openvpn.myvpn.dh=/etc/​openvpn/​dh2048.pem 
 +uci commit openvpn 
 +/​etc/​init.d/​openvpn enable 
 +/​etc/​init.d/​openvpn start 
-==== Part 2/2 - Distribute ​the Certificates to the Clients and Servers ​==== +===== Configure ​the OpenVPN server (ethernet bridge) ===== 
-:!: Before executing Step 3you'll have to find a way achieving Step 2 (discussed only briefly here). ​ See the notes below for more information+:!: new and untested!!!! doesn't work, the interface is created, but not added to bridge 
-   - On the server, copy the server certificate to where OpenVPN needs it to be (''​$KEY_DIR''​ is a variable ​set by ''​source ​/etc/easy-rsa/vars''​):<​code>​ +<​code=bash>​ 
-  cd $KEY_DIR +echo > /​etc/​config/​openvpn # clear the openvpn uci config 
-  mkdir -p /​etc/​openvpn +uci set openvpn.myvpn=openvpn 
-  cp ca.crt my-server.dh*.pem  /​etc/​openvpn/ ​    ## the server files+uci set openvpn.myvpn.enabled=1 
 +uci set openvpn.myvpn.verb=3 
 +uci set openvpn.myvpn.mode=server 
 +uci set openvpn.myvpn.tls_server=1 
 +uci set 
 +uci set openvpn.myvpn.persist_tun=1 
 +uci set openvpn.myvpn.port=1194 
 +uci set openvpn.myvpn.proto=udp 
 +uci set openvpn.myvpn.push='route-gateway dhcp' 
 +uci set 
 +uci set openvpn.myvpn.cert=/​etc/​openvpn/my-server.crt 
 +uci set openvpn.myvpn.key=/​etc/​openvpn/​my-server.key 
 +uci set openvpn.myvpn.dh=/​etc/​openvpn/​dh2048.pem 
 +uci commit openvpn 
 +/etc/init.d/​openvpn ​enable 
 +/etc/​init.d/​openvpn start
 </​code>​ </​code>​
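Review bot: "Configure the OpenVPN server (ethernet bridge)" opens with "new and untested!!!! doesn't work, the interface is created, but not added to bridge", yet it is published as a numbered section of a beginner's guide; it should be removed or put behind an explicit draft marker until the author has it working, because a reader who follows it ends up with a listener on UDP/1194 that is not attached to the bridge the text promises. Minor: this section and "Configure the OpenWrt client" use `<code=bash>`, while every other block on the page uses `<code bash>`; the `=` form should be changed to match.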
-   - Next, you'll need to copy the client ​certificate from the server to the client (//e.gvia a USB stick//)+===== Configure ​the OpenWrt ​client ​===== 
-   - On the client, copy the server certificate to where OpenVPN needs it to be, example:<​code>​ +<​code=bash>​ 
-  ​cp ​ca.crt my-client.*          ​/​etc/​openvpn/ ​    ## the client ​files+echo > /etc/config/​openvpn 
 +uci set openvpn.myvpn=openvpn 
 +uci set openvpn.myvpn.enabled=1 
 +uci set 
 +uci set openvpn.myvpn.proto=udp 
 +uci set openvpn.myvpn.verb=3 
 +uci set​etc/​openvpn/​ca.crt 
 +uci set openvpn.myvpn.cert=/​etc/​openvpn/​my-client.crt 
 +uci set openvpn.myvpn.key=/​etc/​openvpn/​my-client.key 
 +uci set openvpn.myvpn.client=1 
 +uci set openvpn.myvpn.remote_cert_tls=server 
 +uci set openvpn.myvpn.remote="​SERVER_IP_ADDRESS 1194"​ 
 +uci commit openvpn 
 +/​etc/​init.d/​openvpn start
 </​code>​ </​code>​
-=== Discussion === 
-For security reasons, you need to think long and hard about where you backup your PKI files, and especially the .key files: 
-  * ''​ca.key''​ should be moved to a place that is not accessible from the Internet (it is only needed when '​doing'​ CA stuff) ​ 
-  * the other ''​.key''​ files should be kept '​private',​ that is, stored only on the '​owning'​ system 
-  * //all// ''​.key''​ files should not be distributed in an insecure manner - it is well known that copying .key files across the Internet is a leading cause of male-pattern baldness! ​ 
-===== Configuring the Network Infrastructure ​=====+===== Configure other clients ​===== 
 +Create the following OpenVPN client configuration file, save it with an ''​.ovpn''​ extension and give it to your client:
-==== Part 1/2 Server Configuration (on OpenWRT) ==== +<​code>​ 
-This is the configuration of the OpenVPN **server** only.  +dev tun 
-   - On both the client and the server, create the vpn interface (note that the tun0 device does not yet exist):<​code>​ +proto udp
-  uci set network.vpn=interface +
-  uci set network.vpn.ifname=tun0 +
-  uci set network.vpn.proto=none+
-  uci commit network; /etc/init.d/network reload +log openvpn.log 
-</​code>​ +verb 3
-   - Allow OpenVPN tunnel negotiation (i.e. allow a tunnel to be //​created//​):<​code>​ +
-  uci add firewall ​ rule +
-  uci set firewall.@rule[-1].name=Allow-Inbound-OpenVPN +
-  uci set firewall.@rule[-1].target=ACCEPT +
-  uci set firewall.@rule[-1].src=wan +
-  uci set firewall.@rule[-1].family=ipv4 +
-  uci set firewall.@rule[-1].proto=udp +
-  uci set firewall.@rule[-1].dest_port=1194 +
-</​code>​ +
-   - Allow OpenVPN tunnel traffic (i.e. allow a tunnel to be //​used//​):<​code>​ +
-  uci add firewall ​ zone +
-  uci set firewall.@zone[-1].name=vpn +
-  uci set firewall.@zone[-1].input=ACCEPT +
-  uci set firewall.@zone[-1].forward=REJECT +
-  uci set firewall.@zone[-1].output=ACCEPT +
-  uci set firewall.@zone[-1].network=vpn +
-</​code>​ +
-   - Allow the client to access the OpenVPN server'​s LAN via the VPN (optional):<​code>​ +
-  uci add firewall forwarding +
-  uci set firewall.@forwarding[-1].src=vpn +
-  uci set firewall.@forwarding[-1].dest=wan +
-</​code>​ +
-   - Allow the client to access the OpenVPN server'​s WAN via the VPN (optional):<​code>​ +
-  uci add firewall forwarding +
-  uci set firewall.@forwarding[-1].src=vpn +
-  uci set firewall.@forwarding[-1].dest=wan +
-</​code>​ +
-   - Finally, commit the changes:<​code>​ +
-  uci commit firewall; /​etc/​init.d/​firewall reload +
-</​code>​ +
-=== Discussion === +
-Note that Step 4 and 5 overrule the ''​REJECT''​ in Step 3. You may want only Step 4, or Only Step 5, or maybe both. That is,  +
-  * Step 3 will allow the VPN client(s) to access the OpenVPN server itself +
-  * Step 4 will allow the VPN client(s) to access networks via the OpenVPN server'​s LAN interfaces +
-  * Step 5 will allow the VPN client(s) to access networks via the OpenVPN server'​s WAN interfaces+
-Execute: ''​uci show firewall | grep zone | grep -E "​(net|name)"''​ to see the networks of each zone.+ca /​etc/​openvpn/​ca.crt 
 +cert /​etc/​openvpn/​my-client.crt 
 +key /​etc/​openvpn/​my-client.key
-==== Part 2/2 Client Configuration ==== +client 
-There shouldn'​t be much to do.  Most clients allow outbound (client-instigated) tunnels.  ​+remote-cert-tls server 
 +remote SERVER_IP_ADDRESS 1194 
-However, you need to think about which Route tables, and which DNS server ​to use.  More later.+===== Configure other clients (bridge)===== 
 +Create the following OpenVPN client configuration filesave it with an ''​.ovpn''​ extension ​and give it to your client:
-===== Configuring the OpenVPN Infrastructure ===== +<​code>​ 
-This is essentially the same as for a OpenWRT server.+dev tap 
 +proto udp
-==== Part 1/2 - Configure and Start the Server ==== +log openvpn.log 
-:!: Before you execute Step 3, you should understand the requirements of your specific use-case (i.e. your network configuration). ​ See the notes below for more information. +verb 3
-   - Clear the default OpenVPN configuration,​ and create a new OpenVPN configuration called '​myvpn'​ (it could be called anything). ​ Ensure that, in particular, the last three lines (the ca, cert, and key parameters) do not produce an error:<​code>​ +
-  echo > /​etc/​config/​openvpn+
-  uci set openvpn.myvpn=openvpn +ca /etc/openvpn/ca.crt 
-  uci set openvpn.myvpn.enabled=1 +cert /etc/openvpn/my-client.crt 
-  uci set +key /etc/openvpn/my-client.key
-  uci set openvpn.myvpn.persist_tun=1 +
-  uci set openvpn.myvpn.persist_key=1 +
-  uci set openvpn.myvpn.proto=udp +
-  uci set openvpn.myvpn.comp_lzo=yes+
-  uci set openvpn.myvpn.verb=3 +client 
-  uci set openvpn.myvpn.log=/​tmp/​openvpn.log +remote-cert-tls server 
-  uci set openvpn.myvpn.status=/​tmp/​openvpn-status.log +remote SERVER_IP_ADDRESS 1194
- +
-  uci set​etc/​openvpn/​ca.crt +
-  uci set openvpn.myvpn.cert=`ls /​etc/​openvpn/​my-*.crt` ​    ## NB: these are back-quotes +
-  uci set openvpn.myvpn.key=`ls /​etc/​openvpn/​my-*.key` ​     ## NB: these are back-quotes+
 </​code>​ </​code>​
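Review bot: The two `.ovpn` files in "Configure other clients" use `ca /etc/openvpn/ca.crt`, `cert /etc/openvpn/my-client.crt` and `key /etc/openvpn/my-client.key`, but these files are meant for clients on "another OS such as Windows or Linux" (see the introduction), where those paths generally do not exist; the previous revision's relative names (`ca ca.crt`, `cert my-client.crt`, `key my-client.key`, resolved next to the `.ovpn` file) are portable and should be restored. Both files rightly keep `remote-cert-tls server`, which is what stops a client from accepting a certificate issued with `build-key-pkcs12` (a client certificate) as the server's; that line should not be lost in further edits.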
-  - To that, add the //​server-specific//​ parameters. Ensure that, in particular, the last line (the dh parameter) does not produce an error:<​code>​ 
-  uci set openvpn.myvpn.server='​' ​    ## NB: these are single quotes 
-  uci set openvpn.myvpn.port=1194 
-  uci set openvpn.myvpn.ifconfig_pool_persist=/​tmp/​openvpn-ipp.txt 
-  uci set openvpn.myvpn.keepalive='​10 120' ​                 ## NB: these are single quotes 
-  uci set openvpn.myvpn.dh=`ls ​/etc/openvpn/dh*.pem`        ## NB: these are back-quotes+===== Test the tunnel ===== 
 +  - The tunnel should have made a change to the client'​s route table (so you can access the tunnel end-point, should be<​code bash> 
 +  cat /tmp/openvpn.log | grep "route add" 
 +     ... 
 +  route
 </​code>​ </​code>​
-  - And finally, ​the tricky bit (read :!: below //before// you execute this command):<​code>​ +  - You should be able to ping the tunnel end-point ​(i.e. the OpenVPN server):<​code ​bash
-  ​uci add_list openvpn.myvpn.push='​redirect-gateway def1' ​  ## NB: these are single quotes+  ​traceroute
 </​code>​ </​code>​
-  - Commit ​the configuration,​ enable and start the OpenVPN daemon:<​code>​ +  - You should still be able to ping hosts on the Internet via your default gateway:<​code ​bash
-  ​uci commit openvpn; /etc/init.d/openvpn enable+  ​traceroute
 </​code>​ </​code>​
-:!: If the OpenVPN Client and Server and on the same subnet, then you must add the **local** flag.  Use instead: ''​uci add_list openvpn.myvpn.push='​redirect-gateway def1 local'''​ +  - You should be able to ping hosts on the Internet ​via the tunnel:<​code ​bash
- +  ​route add -net netmask gateway 
-:!: If your OpenVPN Client is not to route all it's traffic ​via the serevr (and therefor continue to use it's existing default gateway), then you should not use the **redirect-gateway** option at all. +  ​route 
- +     ... 
-=== Testing & troubleshooting your configuration === +  ​traceroute
-  - Ensure OpenVPN is //not// running, and confirm that there is no OpenVPN daemon and no TUN:<​code>​ +
-  ​/etc/init.d/openvpn stop +
-  ​sleep 3 +
-  ps | grep openvpn +
-  ​ifconfig | grep tun0 +
-</​code>​ +
-  - Start OpenVPN, and confirm that there is an OpenVPN ​ daemon and a TUN:<​code>​ +
-  /etc/init.d/openvpn start +
-  sleep 3 +
-  ps | grep openvpn +
-  ifconfig | grep tun0 +
-</​code>​ +
-  - If you need to troubleshoot,​ a good place to start is the log file:<​code>​ +
-  cat /​tmp/​openvpn.log+
 </​code>​ </​code>​
-==== Part 2/2 - Configure and Start the OpenWRT-based client ==== +In particularlook at hops 1 and 2 of the **traceroute**;​ hop 1 should be one of the gateways from your route table.  ​If hop 2 of **traceroute** is the IP address of VPN_SERVER_IDthen the tunnel is working
-:!: Before you execute Step 3, you need to know the IP address, or FQDN that the client will use to access the server. +
-  - Clear the default OpenVPN configuration, and create a new openvpn configuration '​myvpn'​ (as for the server). +
-  - To that, add the //​client-specific//​ parameters (this is different):<​code>​ +
-  uci set openvpn.myvpn.client=1 +
-  uci set openvpn.myvpn.resolv_retry=infinite +
-  uci set openvpn.myvpn.nobind=1 +
-  uci set openvpn.myvpn.remote_cert_tls=server +
-</​code>​ +
-  - The client also has a tricky bit (read :!: below //before// you execute this command):<​code>​ +
-  uci set openvpn.myvpn.remote='​$VPN_SERVER_PUBLIC_ADDRESS 1194'​ +
-</​code>​ +
-  - Commit ​the configurationenable and start the OpenVPN daemon (as for a server).+
-You can troubleshoot as for a server.+:-D Congratulations! Now look to '​tune'​ the OpenVPN tunnel ​for a specific use-case.
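Review bot: "Test the tunnel" ends by telling the reader to compare hop 2 with "the IP address of VPN_SERVER_ID", but the placeholder used everywhere else on the page is `SERVER_IP_ADDRESS`; use one name so the reader knows the two are the same value. The `route add -net netmask gateway` line in step 4 also lacks its arguments as shown, so the step cannot be followed as written.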
 +===== Route Only Local LAN Client Traffic Through the Tunnel =====
 +If all that is needed is to allow clients access to the local subnet (e.g., to access a server at home from work), and to leave Internet access as-is, all one needs to do is advertise the local subnet and configure the firewall to allow traffic through. First, to advertise the route:
-==== Create a client configuration for Other OSs ==== +<​code ​bash
-In your favorite text editor on the client machine that will be connecting, paste (needs testing): +uci set openvpn.myvpn.push='​route'​ 
-<​code>​ +uci commit openvpn 
-client +/​etc/​init.d/​openvpn restart
-dev tun +
-proto udp +
-remote XXXXXXXX 1194 +
-resolv-retry infinite +
-nobind +
-persist-key +
-persist-tun +
-ca ca.crt +
-cert my-client.crt +
-key my-client.key +
 </​code>​ </​code>​
-:!: Make sure to try and mirror **ALL** ​the server options client-side,​ whatever client you're usingas some of them (namely lzo compression) can have adverse effects if they'​re not present in **BOTH** configurations.+In this example the subnet is​24. Adjust your configuration accordingly for your LAN. Now, the firewall has to be enabled to allow traffic from the VPN clients to the local LAN. To allow itedit **/​etc/​config/​firewall**:
-Save the file as ''​client.ovpn''​+<​code>​ 
 +## NB: this zone should have already been created in the previous setup step; just add the masq option ​as noted below 
 +config zone 
 + option name '​vpn'​ 
 + option masq '​1'​ ## NB: this option was added to enable forwarding out of the VPN zone 
 + option input '​ACCEPT'​ 
 + option forward '​ACCEPT'​ 
 + option output ​'ACCEPT' 
 + option network ​'vpn0'
 +## NB : this section was added
 +config forwarding
 + option src '​vpn'​
 + option dest '​lan'​
 +After editing the firewall changes, enable them by executing:
 +<code bash>
 +/​etc/​init.d/​firewall reload
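Review bot: In the firewall fragment under "Route Only Local LAN Client Traffic Through the Tunnel", the comment on `option masq '1'` says it "was added to enable forwarding out of the VPN zone", but in OpenWrt's firewall configuration `masq` masquerades traffic leaving the router through that zone's own interfaces (here the tun interface), so it does not enable vpn-to-lan forwarding; the added `config forwarding` with `src 'vpn'` / `dest 'lan'` is what does that, and `masq` can be dropped so that LAN hosts see the client's real tunnel address in their logs. Also, no closing `</code>` appears after either the `<code>` block holding the zone and forwarding stanzas or the `<code bash>` holding `/etc/init.d/firewall reload`, so the rest of the page would render as code.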
 +===== Route All Client Traffic Through the Tunnel =====
 +If the OpenVPN server can access the Internet, then the client has the //option// of routing //all// its IP traffic via the tunnel rather than through it's local gateway. ​ If the tunnel is merely provide access to other subnets (e.g. to access a server at home from work), but Internet access is to remain as-is, then this is not your answer. ​ Instead, see [[doc/​howto/​vpn.openvpn#​Routing Only Local LAN Client Traffic Through the Tunnel]].
 +Before you do this, you should know whether your network is **Scenario 1** (client and server in different subnets), or **Scenario 2** (client and server in the same subnet).  ​
 +In **Scenario 1**, the client and server are in different subnets:
 +  - On the OpenVPN server, execute the following<​code bash>
 +  uci set openvpn.myvpn.push='​redirect-gateway def1' ​       ## NB: these are single quotes
 +  uci commit openvpn
 +  /​etc/​init.d/​openvpn restart
 +  - On the OpenVPN client, execute the following:<​code bash>
 +  /​etc/​init.d/​openvpn restart
 +  traceroute
 +Alternatively,​ in **Scenario 2**, the client and server are in the same subnet (useful for creating/​testing an OpenVPN tunnel at home):
 +  - On the OpenVPN server, execute the following:<​code bash>
 +  uci set openvpn.myvpn.push='​redirect-gateway def1 local' ​ ## NB: these are single quotes
 +  uci commit openvpn; /​etc/​init.d/​openvpn restart
 +  - On the OpenVPN client, execute the following:<​code bash>
 +  /​etc/​init.d/​openvpn restart
 +  traceroute  ​
 +:!: If your OpenVPN client is not to route all it's traffic via the server (and therefore continue to use it's existing default gateway), then you should not push the **redirect-gateway** option at all.
 +You might need to make OpenWrt route traffic from vpn to wan. Add to /​etc/​config/​firewall:​
 +config forwarding
 + option src '​vpn'​
 + option dest '​wan'​
 +This worked for BB RC2 (uci commands would be better).
 +Once this is working, head to [[doc/​howto/​vpn.server.openvpn.tun]] for more OpenVPN '​recipes'​.
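Review bot: The scenario numbering in "Route All Client Traffic Through the Tunnel" contradicts the "Use Case" section: there Scenario 0 is same-subnet and Scenario 1 is different-subnet, but here "Scenario 1" is different-subnet and "Scenario 2" is same-subnet, so a reader could push `redirect-gateway def1` without `local` on a same-subnet setup; rename these to Scenario 1 and Scenario 0 to match. The link `[[doc/howto/vpn.openvpn#Routing Only Local LAN Client Traffic Through the Tunnel]]` also does not match the actual heading "Route Only Local LAN Client Traffic Through the Tunnel". Finally, the `config forwarding` stanza with `src 'vpn'` / `dest 'wan'` repeats the forwarding already added by `uci` in "Configure the network on the OpenWrt server", and "This worked for BB RC2" conflicts with the Prerequisites, which require 15.05 Chaos Calmer; either drop the stanza here or state that it is only needed if that earlier step was skipped.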
 +===== Troubleshooting =====
 +If something doesn'​t work as expected while following this HOWTO:
 +  * Check that the client can ping the server:<​code bash>​ping SERVER_IP_ADDRESS</​code>​
 +  * Check that the OpenVPN daemon is running:<​code bash>ps | grep "​openvpn"</​code>​
 +  * Check that there is a TUN interface:<​code bash>​ifconfig | grep "​tun"</​code>​
 +  * Check the log:<​code bash>cat /​tmp/​openvpn.log</​code>​
 +  * You can try temporarily disabling the firewall on the OpenVPN server:<​code bash>/​etc/​init.d/​firewall stop</​code>​
 +  * You can clear the OpenVPN configuration and start again from scratch:<​code bash>​echo > /​etc/​config/​openvpn</​code>​
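Review bot: The "temporarily disabling the firewall" item (`/etc/init.d/firewall stop`) removes the router's rules, including WAN input filtering, for as long as it is stopped, so in Scenario 1, where the server is reachable from the Internet, it exposes every service on the router; limit the suggestion to Scenario 0 and add the matching `/etc/init.d/firewall start` so the reader restores the rules afterwards. The `echo > /etc/config/openvpn` item should also say that it erases every OpenVPN instance defined in that file, not only `myvpn`.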
 +===== Asking for help =====
 +You can ask for help on the OpenWrt forum: [[https://​​]].  ​
 +When asking for help, you should at a minimum include the contents of the following files:
 +<code bash>
 +cat /​tmp/​openvpn.log
 +cat /​etc/​config/​network
 +cat /​etc/​config/​firewall
 +cat /​etc/​config/​openvpn
 +===== References and examples =====
 +  * [[https://​​openvpn/​wiki/​Openvpn23ManPage|OpenVPN 2.3 man-page]]
-===== Troubleshooting ===== +| FIXME: Integrate any useful information ​from [[inbox:vpn.howto]]|
- +
-* Make sure you are trying to connect to the VPN server ​from the outside - i.e. use 3G connection, go to a different building etc. Using another ​vpn (that routes all your traffic) does not seem to helpIf you do not do this, a good configuration might not work at all. +
- +
-* If unsure how various parameters are parsed to openvpn, you can find out PID with ps and then look up the parameters with ''​tr '​\0'​ ' ' < /​proc/​PID/​cmdline +
-''​ (Replace PID with a number) +
- +
-* Attention: The logfile (if not in system log) doesn'​t limit its disk space - check periodically that you have enough free disk space for other applications (my log on level 6 needed less than a week to fill the whole disk space of a TP-Link 1043)+
-|FIXME: Please read [[vpn.overview]] and see this old articles on this matter: [[http://​​do=search&​id=vpn]] and help **migrate** them. There is also an article in the inbox: [[inbox:​vpn.howto]] | 
doc/howto/vpn.openvpn.1393701569.txt.bz2 · Last modified: 2014/03/01 20:19 by zxdavb