doc:howto:vpn.openvpn [2014/03/01 20:19]
zxdavb
doc:howto:vpn.openvpn [2016/12/04 19:27] (current)
ExaltedVanguard [Configure OpenVPN]
====== OpenVPN Setup Guide for Beginners ======
This is a beginner's guide to setting up an OpenVPN connection on OpenWrt.

The primary goal of this HOWTO is to get a working OpenVPN tunnel and establish a basic platform for further customization. Most users will require further configuration tailored to their individual needs.

Links to pages guiding further configuration can be found under the [[#other considerations|Other Considerations]] section of this guide.

For an overview of all VPN-related articles (including other VPN technologies), see [[doc/howto/vpn.overview]].

===== Use Case (the beginner's configuration) =====
The user wants a client to access their OpenWrt router without the possibility of being snooped. That is, the user can already reach the router, but only over a public network such as the Internet. The end result will be a private connection directly between the OpenVPN client and server. For most purposes it is as if the two end-points are on the same subnet (but not on the same subnet as your router's LAN).

This HOWTO offers instructions on three distinct OpenVPN configurations:
  * Default (TUN) Server: The simplest type of OpenVPN server to configure. Clients are managed exclusively by OpenVPN and are assigned IP addresses by the OpenVPN server from their own distinct subnet.
  * Server-Bridge (TAP) Server: Also called an ethernet bridge, this configuration creates a virtual ethernet cable between the server and client. Clients are treated by the router as if they were plugged into it like any other computer, and are assigned an IP address by the network's DHCP server (most commonly the router itself).
  * Client: OpenVPN will act as a client and connect to a remote server.

Note that using a TAP adapter is not synonymous with server-bridging; however, a TAP adapter is required for server-bridging, whereas TUN is almost always superior when not bridging. For the sake of simplicity, this guide uses the terms interchangeably, since comparing "server" and "server-bridge" could cause confusion: TUN refers to a traditional server and TAP refers to a server-bridge configuration.

While it is possible to configure OpenVPN on OpenWrt over a remote connection (through SSH, for example), it is recommended that testing of the Default (TUN) Server is performed locally, as this simplifies troubleshooting. If using a TAP server, it is better to test over a remote connection if possible, since a server-bridge connection uses the same subnet as the LAN and a local client would be assigned two IP addresses on the same network (which may or may not cause connectivity issues).

A TUN server has less overhead and only sends traffic destined for the client, whereas a TAP server is less efficient and also sends broadcast packets to the clients.

A TUN server can use the same subnet as the local network's DHCP server if desired, but it should assign addresses outside of the DHCP server's range, or IP conflicts may occur (two clients assigned the same IP, one by DHCP and the other by OpenVPN).

A TUN server is easier to secure, since clients can be placed on a separate subnet that is easily firewalled. Because these clients are not sent broadcast traffic, a malicious client is able to see less of the network.

A TAP server integrates clients into the network more seamlessly, and can simplify setting up a variety of network applications. However, such integration may come at the price of security. Note that regardless of the method chosen, setting up proper firewall rules is essential for security, and matters far more than the choice between TUN and TAP.

:!: If using a TAP server, it is highly recommended that you change your DHCP subnet to something other than 192.168.**0**.XXX or 192.168.**1**.XXX. These are very common and will cause routing conflicts and connectivity issues if you attempt to connect from a client attached to a router using the same subnet. This can generally be accomplished by changing the IP address of the OpenWrt/OpenVPN router to something like 192.168.**7**.1.

===== Prerequisites =====
This HOWTO requires that the OpenVPN server is an OpenWrt router running OpenWrt 15.05 Chaos Calmer.

===== Install the required software =====
<code>
opkg update
opkg install openvpn-openssl openvpn-easy-rsa
</code>

===== Create the certificates =====
If you are creating an OpenVPN server (either type), you must create security certificates using the instructions below. If you are using OpenVPN as a client, the required certificates should have been provided with your configuration details.
<code>
build-ca
build-dh
build-key-server my-server
build-key-pkcs12 my-client
</code>

The above creates a server certificate named //my-server// and a client certificate named //my-client//. You can create multiple client certificates by running ''build-key-pkcs12'' multiple times and specifying different names.

You can create a new set of certificates by running ''clean-all'' and then the above commands again.

===== Distribute the certificates =====
Copy your server keys to the /etc/openvpn directory so that they don't get overwritten.
<code>
cp /etc/easy-rsa/keys/ca.crt /etc/easy-rsa/keys/my-server.* /etc/easy-rsa/keys/dh2048.pem /etc/openvpn
</code>
Copy the client keys to your SSH machine so you can distribute them to the intended client. This is just a reference for ease of use; the keys can be distributed in whatever way is most convenient (e.g. a USB drive).
<code>
scp /etc/easy-rsa/keys/ca.crt /etc/easy-rsa/keys/my-client.* root@CLIENT_IP_ADDRESS:/etc/openvpn
</code>

===== Configure the network on the OpenWrt router =====
<tabbox Traditional (TUN) Server>

  - Create the VPN interface (named vpn0):<code bash>
uci set network.vpn0=interface
uci set network.vpn0.ifname=tun0
uci set network.vpn0.proto=none
uci set network.vpn0.auto=1
</code>
  - Allow incoming client connections by opening the server port (default 1194) in the firewall (the ''*'' is quoted so the shell does not expand it as a glob):<code bash>
uci set firewall.Allow_OpenVPN_Inbound=rule
uci set firewall.Allow_OpenVPN_Inbound.target=ACCEPT
uci set firewall.Allow_OpenVPN_Inbound.src='*'
uci set firewall.Allow_OpenVPN_Inbound.proto=udp
uci set firewall.Allow_OpenVPN_Inbound.dest_port=1194
</code>
  - Create a firewall zone (named vpn) for the new vpn0 network. By default, it allows both incoming and outgoing connections created within the VPN tunnel; edit the defaults as required. This does not (yet) allow clients to access the LAN or WAN networks, but it allows clients to communicate with services on the router, and may allow connections between VPN clients if your OpenVPN server configuration permits it:<code bash>
uci set firewall.vpn=zone
uci set firewall.vpn.name=vpn
uci set firewall.vpn.network=vpn0
uci set firewall.vpn.input=ACCEPT
uci set firewall.vpn.forward=REJECT
uci set firewall.vpn.output=ACCEPT
uci set firewall.vpn.masq=1
</code>
  - (Optional) If you plan to allow clients to connect to computers within your LAN, you'll need to allow traffic to be forwarded from the vpn firewall zone to the lan firewall zone:<code bash>
uci set firewall.vpn_forwarding_lan_in=forwarding
uci set firewall.vpn_forwarding_lan_in.src=vpn
uci set firewall.vpn_forwarding_lan_in.dest=lan
</code>And you'll probably want to allow your LAN computers to initiate connections to the clients, too:<code bash>
uci set firewall.vpn_forwarding_lan_out=forwarding
uci set firewall.vpn_forwarding_lan_out.src=lan
uci set firewall.vpn_forwarding_lan_out.dest=vpn
</code>
  - (Optional) Similarly, if you plan to allow clients to reach the internet (WAN) through the tunnel, you must allow traffic to be forwarded from the vpn firewall zone to the wan firewall zone:<code bash>
uci set firewall.vpn_forwarding_wan=forwarding
uci set firewall.vpn_forwarding_wan.src=vpn
uci set firewall.vpn_forwarding_wan.dest=wan
</code>
  - Commit the changes:<code bash>
uci commit network
/etc/init.d/network reload
uci commit firewall
/etc/init.d/firewall reload
</code>

<tabbox Server-Bridge (TAP) Server>
  - Create the VPN interface (named vpn0):<code bash>
uci set network.vpn0=interface
uci set network.vpn0.ifname=tap0
uci set network.vpn0.proto=none
uci set network.vpn0.auto=1
</code>
  - Add the interface to the LAN bridge:<code bash>
uci set network.lan.ifname="$(uci get network.lan.ifname) tap0"
</code>
  - Allow incoming client connections by opening the server port (default 1194) in the firewall:<code bash>
uci set firewall.Allow_OpenVPN_Inbound=rule
uci set firewall.Allow_OpenVPN_Inbound.target=ACCEPT
uci set firewall.Allow_OpenVPN_Inbound.src='*'
uci set firewall.Allow_OpenVPN_Inbound.proto=udp
uci set firewall.Allow_OpenVPN_Inbound.dest_port=1194
</code>
  - Commit the changes:<code bash>
uci commit network
/etc/init.d/network reload
uci commit firewall
/etc/init.d/firewall reload
</code>

<tabbox Client>

  - Create the VPN interface (named vpn0):<code bash>
uci set network.vpn0=interface
uci set network.vpn0.ifname=tun0
uci set network.vpn0.proto=none
uci set network.vpn0.auto=1
</code>
  - Create a firewall zone (named vpn) for the new vpn0 network. By default, it allows both incoming and outgoing connections created within the VPN tunnel; edit the defaults as required. This does not (yet) allow clients to access the LAN or WAN networks, but it allows clients to communicate with services on the router, and may allow connections between VPN clients if your OpenVPN server configuration permits it. :!: If you are planning to use your OpenVPN client as a second (or replacement) WAN adapter, it's recommended that you reject incoming traffic by default:<code bash>
uci set firewall.vpn=zone
uci set firewall.vpn.name=vpn
uci set firewall.vpn.network=vpn0
uci set firewall.vpn.input=ACCEPT    # use REJECT if the tunnel replaces your WAN
uci set firewall.vpn.forward=REJECT
uci set firewall.vpn.output=ACCEPT
uci set firewall.vpn.masq=1
</code>
  - (Optional) If you plan to allow clients behind the VPN server to connect to computers within your LAN, you'll need to allow traffic to be forwarded from the vpn firewall zone to the lan firewall zone:<code bash>
uci set firewall.vpn_forwarding_lan_in=forwarding
uci set firewall.vpn_forwarding_lan_in.src=vpn
uci set firewall.vpn_forwarding_lan_in.dest=lan
</code>And if you want to initiate connections to clients (or the internet) behind the VPN server, you'll need to allow traffic to be forwarded in that direction as well:<code bash>
uci set firewall.vpn_forwarding_lan_out=forwarding
uci set firewall.vpn_forwarding_lan_out.src=lan
uci set firewall.vpn_forwarding_lan_out.dest=vpn
</code>
  - Commit the changes:<code bash>
uci commit network
/etc/init.d/network reload
uci commit firewall
/etc/init.d/firewall reload
</code>

</tabbox>

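To see what the zone and forwarding rules above actually grant before pointing real clients at the router, here is an added audit script (not part of this HOWTO) that reads the /etc/config/firewall file the uci commands write and reports whether clients in a zone can reach the router itself, the LAN, or the WAN. The sample file it checks is constructed to match the TUN server steps with the optional vpn-to-lan forwarding.

```sh
#!/bin/sh
# Added example, not part of the HOWTO: audit an OpenWrt /etc/config/firewall
# and report what a VPN client can reach. Pure sh + awk, so it runs on the
# router (busybox) or on a copy of the file on a workstation.

# Flatten the UCI file $1 into one line per zone / forwarding section:
#   zone name=<n> input=<p> forward=<p> output=<p>
#   forwarding src=<z> dest=<z>
flatten_firewall() {
    awk '
        function flush(   k) {
            if (type == "zone") {
                print "zone name=" o["name"] " input=" o["input"] " forward=" o["forward"] " output=" o["output"]
            } else if (type == "forwarding") {
                print "forwarding src=" o["src"] " dest=" o["dest"]
            }
            type = ""
            for (k in o) delete o[k]
        }
        $1 == "config"                 { flush(); type = $2; next }
        $1 == "option" || $1 == "list" { v = $3; gsub("\047", "", v); o[$2] = v }
        END                            { flush() }
    ' "$1"
}

# What can a client in zone $2 reach according to file $1? Prints a
# space-separated subset of "router lan wan": router means the zone has
# input=ACCEPT, lan/wan mean a forwarding from the zone to that zone exists.
vpn_client_reach() {
    flatten_firewall "$1" | awk -v z="$2" '
        $1 == "zone" && $2 == ("name=" z) && $3 == "input=ACCEPT" { r["router"] = 1 }
        $1 == "forwarding" && $2 == ("src=" z) { split($3, d, "="); r[d[2]] = 1 }
        END {
            n = split("router lan wan", order, " "); s = ""
            for (i = 1; i <= n; i++) if (order[i] in r) s = s (s == "" ? "" : " ") order[i]
            print s
        }'
}

# Constructed sample: the TUN server zone from this guide plus the optional
# vpn->lan forwarding, and no vpn->wan forwarding.
write_sample_firewall() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
config rule 'Allow_OpenVPN_Inbound'
	option target 'ACCEPT'
	option src '*'
	option proto 'udp'
	option dest_port '1194'

config zone 'vpn'
	option name 'vpn'
	option network 'vpn0'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq '1'

config forwarding 'vpn_forwarding_lan_in'
	option src 'vpn'
	option dest 'lan'

config forwarding 'vpn_forwarding_lan_out'
	option src 'lan'
	option dest 'vpn'
EOF
    echo "$f"
}

SAMPLE=$(write_sample_firewall)
echo "vpn clients can reach: $(vpn_client_reach "$SAMPLE" vpn)"   # router lan
```

On the router, replace the sample with ''vpn_client_reach /etc/config/firewall vpn''; an unexpected ''wan'' in the output means the tunnel is also an internet exit.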
===== Configure OpenVPN =====
OpenVPN can be configured either by using OpenWrt's UCI interface, or via traditional OpenVPN configuration (*.conf) files. OpenVPN will automatically attempt to load all *.conf files placed in the /etc/openvpn folder.

Users familiar with OpenVPN will likely prefer to use configuration files, and this option is likely simpler to manage for those planning to run multiple OpenVPN instances.

For the sake of simplicity and consistency, the remainder of this guide uses the OpenWrt UCI interface to configure OpenVPN, as detailed below. Note that the [[#routing traffic|Routing Traffic section]] contains instructions that apply to the UCI interface (users of configuration files will need to adapt those instructions).

<tabbox Traditional (TUN) Server>

<code bash>
echo > /etc/config/openvpn # clear the openvpn uci config
uci set openvpn.myvpn=openvpn
uci set openvpn.myvpn.enabled=1
uci set openvpn.myvpn.verb=3
uci set openvpn.myvpn.port=1194
uci set openvpn.myvpn.proto=udp
uci set openvpn.myvpn.dev=tun
uci set openvpn.myvpn.server='10.8.0.0 255.255.255.0'
uci set openvpn.myvpn.keepalive='10 120'
uci set openvpn.myvpn.ca=/etc/openvpn/ca.crt
uci set openvpn.myvpn.cert=/etc/openvpn/my-server.crt
uci set openvpn.myvpn.key=/etc/openvpn/my-server.key
uci set openvpn.myvpn.dh=/etc/openvpn/dh2048.pem
uci commit openvpn
</code>

<tabbox Server-Bridge (TAP) Server>

<code bash>
echo > /etc/config/openvpn # clear the openvpn uci config
uci set openvpn.myvpn=openvpn
uci set openvpn.myvpn.enabled=1
uci set openvpn.myvpn.verb=3
uci set openvpn.myvpn.proto=udp
uci set openvpn.myvpn.port=1194
uci set openvpn.myvpn.dev=tap
uci set openvpn.myvpn.mode=server
uci set openvpn.myvpn.tls_server=1
uci add_list openvpn.myvpn.push='route-gateway dhcp'
uci set openvpn.myvpn.keepalive='10 120'
uci set openvpn.myvpn.ca=/etc/openvpn/ca.crt
uci set openvpn.myvpn.cert=/etc/openvpn/my-server.crt
uci set openvpn.myvpn.key=/etc/openvpn/my-server.key
uci set openvpn.myvpn.dh=/etc/openvpn/dh2048.pem
uci commit openvpn
</code>

<tabbox Client>
Configuration of a client connection depends heavily on the settings of the server. Below is a very simple example which will likely require customization.
<code bash>
echo > /etc/config/openvpn # clear the openvpn uci config
uci set openvpn.myvpn=openvpn
uci set openvpn.myvpn.enabled=1
uci set openvpn.myvpn.dev=tun
uci set openvpn.myvpn.proto=udp
uci set openvpn.myvpn.verb=3
uci set openvpn.myvpn.ca=/etc/openvpn/ca.crt
uci set openvpn.myvpn.cert=/etc/openvpn/my-client.crt
uci set openvpn.myvpn.key=/etc/openvpn/my-client.key
uci set openvpn.myvpn.client=1
uci set openvpn.myvpn.remote_cert_tls=server
uci set openvpn.myvpn.remote="SERVER_IP_ADDRESS 1194"
uci commit openvpn
</code>If your server requires password authentication, you can accomplish this by using:<code bash>
uci set openvpn.myvpn.auth_user_pass=/path/to/password.txt
</code>where password.txt is a plain-text file containing the username on the first line and the password on the second line. Since this file contains login information, it should be saved in an appropriately secure location.

Depending on the server you are connecting to, it may be prudent to use OpenVPN's route-nopull option to prevent the server from altering routes on your router (and potentially redirecting traffic inappropriately). This will require you to add the routes manually (advanced) by specifying them in the client config or by using route-up/down scripts. The route-nopull option can be added using the following:<code bash>
uci set openvpn.myvpn.route_nopull=1
</code>
</tabbox>
Now that you have finished your basic configuration, start up OpenVPN:<code bash>
/etc/init.d/openvpn enable
/etc/init.d/openvpn start
</code>
===== Configure Clients For Your Server =====
Create the following OpenVPN client configuration file, save it with a ''.ovpn'' extension on Windows or ''.conf'' on *nix, and give it to your client:

<tabbox Traditional (TUN) Client>

<code>
dev tun
proto udp

log openvpn.log
verb 3

ca /etc/openvpn/ca.crt
cert /etc/openvpn/my-client.crt
key /etc/openvpn/my-client.key

client
remote-cert-tls server
remote SERVER_IP_ADDRESS 1194
</code>

<tabbox Server-Bridge (TAP) Client>

<code>
dev tap
proto udp

log openvpn.log
verb 3

ca /etc/openvpn/ca.crt
cert /etc/openvpn/my-client.crt
key /etc/openvpn/my-client.key

client
remote-cert-tls server
remote SERVER_IP_ADDRESS 1194
</code>

</tabbox>
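
The two client files above reference ca.crt, my-client.crt and my-client.key as separate files that must travel with the config. As an added example (not part of this HOWTO), the script below inlines those three files into a single .ovpn, which is easier to hand to a client and harder to mis-assemble; it assumes the file names used in this guide and a server address you supply. The PEM text written for the dry run is a constructed placeholder, not a real certificate or key.

```sh
#!/bin/sh
# Added example, not part of the HOWTO: build one self-contained client config
# with the CA cert, client cert and client key inlined (<ca>, <cert>, <key>).

# Keep only the PEM block of file $1: easy-rsa .crt files carry a text dump of
# the certificate before the "-----BEGIN" line, which is not wanted inline.
pem_block() { sed -n '/^-----BEGIN /,/^-----END /p' "$1"; }

# make_ovpn <server_ip_or_host> <tun|tap> <ca.crt> <client.crt> <client.key>
# Writes the config to stdout; returns 1 on a bad argument or unreadable file.
make_ovpn() {
    srv=$1 dev=$2 ca=$3 crt=$4 key=$5
    case "$dev" in
        tun|tap) ;;
        *) echo "make_ovpn: dev must be tun or tap" >&2; return 1 ;;
    esac
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "make_ovpn: cannot read $f" >&2; return 1; }
    done
    # The private key should be readable by its owner only ("---" for others).
    [ "$(ls -ld "$key" | cut -c8-10)" = "---" ] ||
        echo "make_ovpn: warning: $key is readable by other users" >&2
    cat <<EOF
client
dev $dev
proto udp
remote $srv 1194
remote-cert-tls server
log openvpn.log
verb 3
<ca>
$(pem_block "$ca")
</ca>
<cert>
$(pem_block "$crt")
</cert>
<key>
$(pem_block "$key")
</key>
EOF
}

# Constructed sample inputs for a dry run: placeholder PEM text, not real keys.
write_sample_pki() {
    d=$(mktemp -d)
    printf '%s\n' 'Certificate:' '    Data: (easy-rsa text header)' \
        '-----BEGIN CERTIFICATE-----' 'SAMPLECA' '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'SAMPLECLIENT' '-----END CERTIFICATE-----' > "$d/my-client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'SAMPLEKEY' '-----END PRIVATE KEY-----' > "$d/my-client.key"
    chmod 600 "$d/my-client.key"
    echo "$d"
}

PKI=$(write_sample_pki)
make_ovpn 203.0.113.5 tun "$PKI/ca.crt" "$PKI/my-client.crt" "$PKI/my-client.key" > "$PKI/my-client.ovpn"
```

On the router you would call it as ''make_ovpn SERVER_IP_ADDRESS tun /etc/openvpn/ca.crt /etc/easy-rsa/keys/my-client.crt /etc/easy-rsa/keys/my-client.key > my-client.ovpn'' and hand out only that one file.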


===== Test the tunnel =====
Congratulations! Your OpenVPN server or client should now be operational. If you created a server, most traffic will not be sent over it yet, since we have not yet created routes to direct client connections through the tunnel. Before configuring the server to push routes to clients, we should verify that clients can connect to the server, and then ensure they can send traffic through it by pinging the server through the tunnel.

If you created a server, you should now connect to it using an OpenVPN client compatible with your operating system. Exact instructions on how to use your client will vary by operating system, but it is generally a straightforward process of loading the [[#configure_clients_for_your_server|configuration file]] and [[#distribute_the_certificates|client keys]] made previously in this guide. Please refer to the official documentation/manual for directions specific to your operating system's client.

If you created a client connection on OpenWrt instead of a server, then you should verify connectivity to the external server.
<tabbox Traditional (TUN) Server>

Check that the server answers through the tunnel using:<code bash>
traceroute 10.8.0.1
</code>Aside from traffic directed to the OpenVPN server itself, no traffic will be sent over the tunnel until routes are created. Using traceroute on an internet address should show traffic leaving through the client's default gateway:<code bash>
traceroute 8.8.8.8 #Google-DNS server
</code>

After verifying that the connection is working, you'll want to configure your server to push routes to the clients.

<tabbox Server-Bridge (TAP) Server>
Traffic within the local subnet (192.168.7.XXX) will be routed through the VPN without any further configuration. Other traffic will be sent through the default gateway. Check the path to a client using:<code bash>
traceroute 192.168.7.100 #Example IP. Change to match your local subnet.
</code>

If you only require intranet access and do not want to route normal internet (WAN) traffic through your VPN, your configuration is now complete!

<tabbox Client>
Unless the OpenVPN option route-nopull was specified by the client, routes pushed by the server should be in place. If route-nopull was used, only the server will be accessible. Using traceroute on any address with a route pushed by the server should result in that traffic being sent through the VPN, while other addresses should be sent through the default gateway.

The OpenVPN gateway can generally be found on *nix systems using:<code bash>
ifconfig tun0
</code>
And you can then test it using:<code bash>
traceroute 10.8.0.1 #Arbitrary example IP
</code>

If you are not using route-nopull, then your configuration should now be complete!

</tabbox>

===== Routing Traffic =====
Routes are what tell clients where to look for an IP address (or subnet). By having our server push routes to clients, we can direct their traffic through the VPN. If we don't push the route, then the client will send traffic through their normal gateway instead.

If you are running a client instead of a server, then the server you connected to should have pushed the appropriate routes to you already. Advanced users may wish to alter this behavior.

:!: Please be aware that just because a route is not pushed doesn't mean the client can't add it themselves and send that traffic through the VPN anyway. That is where your firewall configuration should take effect. A notable example is our TAP configuration, which has no firewall rules preventing WAN access, since clients are treated the same as any other LAN client.
<tabbox Traditional (TUN) Server>

In order to route local LAN traffic to the server, ensure you've made the appropriate firewall changes from the network section, and have the server push the route to clients using:<code bash>
uci add_list openvpn.myvpn.push='route 192.168.1.0 255.255.255.0' #Change to match your router's subnet
</code>If you wish to route ALL (internet, WAN, etc.) traffic through your VPN (effectively making a proxy), ensure you've made the appropriate firewall changes from the network section and have the server push this route instead:<code bash>
uci add_list openvpn.myvpn.push='redirect-gateway def1'
</code>

<tabbox Server-Bridge (TAP) Server>

Traffic within your LAN network should be routed without any further configuration. If you wish to route all (internet, WAN, etc.) traffic through your tunnel, have the server push the route to clients using the following:<code bash>
uci add_list openvpn.myvpn.push='redirect-gateway def1'
</code>

<tabbox Client>
The correct routes should be provided automatically by the server without additional configuration. Depending on your use case, an advanced user may wish to alter this behavior. This can be accomplished by telling the client to ignore routes pushed by the server using route-nopull, then adding your own. This will be highly individualized, but can be accomplished using this general example (the subnets are RFC 5737 documentation placeholders; replace them with the networks behind your server):<code bash>
uci set openvpn.myvpn.route_nopull='1'
uci add_list openvpn.myvpn.route='192.0.2.0 255.255.255.0'      # example subnet, replace with your own
uci add_list openvpn.myvpn.route='198.51.100.0 255.255.255.0'   # example subnet, replace with your own
</code>Note that using route-nopull will cause errors to appear in the OpenVPN log when it rejects the server's pushed routes. This is considered normal behavior.
</tabbox>

===== Other Considerations =====
When adding an OpenVPN option whose name normally contains a hyphen (such as route-nopull), OpenWrt's UCI system requires you to replace the hyphen with an underscore (route_nopull).

  * Various other configuration examples can be found here: [[doc/howto/vpn.server.openvpn.tun]]
  * The OpenVPN manual can be found here: [[https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage|OpenVPN 2.3 man-page]]

===== Troubleshooting =====
If something doesn't work as expected while following this HOWTO:
  * Check that the client can ping the server:<code bash>ping SERVER_IP_ADDRESS</code>
  * Check that the OpenVPN daemon is running:<code bash>ps | grep "openvpn"</code>
  * Check that there is a TUN interface:<code bash>ifconfig | grep "tun"</code>
  * Check the log:<code bash>cat /tmp/openvpn.log</code>
  * You can try temporarily disabling the firewall on the OpenVPN server:<code bash>/etc/init.d/firewall stop</code>
  * You can clear the OpenVPN configuration and start again from scratch:<code bash>echo > /etc/config/openvpn</code>
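
As an added example (not part of this HOWTO), the script below gives the "check the log" step a first-pass triage: it matches the messages OpenVPN prints for the failure modes a beginner most often hits while following this guide (no TLS handshake, rejected certificate, bad credentials, missing tun device, rejected option) and prints one hint per finding. The log lines it runs over are constructed for the dry run, not captured from a real router.

```sh
#!/bin/sh
# Added example, not part of the HOWTO: first-pass triage of /tmp/openvpn.log.
# Each pattern is a message OpenVPN logs in a common failure mode; the hint
# says where in this guide to look next. Works with busybox awk/sort.

# triage_log <logfile> -> one "CATEGORY: hint" line per distinct finding
triage_log() {
    awk '
        /Initialization Sequence Completed/ { print "OK: tunnel came up (Initialization Sequence Completed)" }
        /TLS key negotiation failed/        { print "NETWORK: no TLS handshake - check the UDP/1194 firewall rule and that the server address is reachable" }
        /VERIFY ERROR/                      { print "CERT: peer certificate rejected - wrong ca.crt, or a cert/key not issued by this CA" }
        /AUTH_FAILED/                       { print "AUTH: username/password rejected by the server - check the auth_user_pass file" }
        /Cannot open TUN\/TAP dev/          { print "KERNEL: no tun/tap device - check that the kmod-tun package is installed" }
        /Options error|Unrecognized option/ { print "CONFIG: OpenVPN rejected an option - UCI option names use underscores instead of hyphens" }
        /Inactivity timeout/                { print "NETWORK: keepalive expired - packets stopped flowing after the handshake" }
    ' "$1" | sort -u
}

# How many distinct findings did triage produce for <logfile>?
finding_count() { triage_log "$1" | grep -c '^'; }

# Constructed sample log: a client whose first attempt never reached the
# server and whose second attempt used a certificate from another CA.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Sun Dec  4 19:27:01 2016 OpenVPN 2.3 (constructed sample log line)
Sun Dec  4 19:27:01 2016 UDPv4 link remote: [AF_INET]203.0.113.5:1194
Sun Dec  4 19:28:01 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Dec  4 19:28:01 2016 TLS Error: TLS handshake failed
Sun Dec  4 19:28:03 2016 UDPv4 link remote: [AF_INET]203.0.113.5:1194
Sun Dec  4 19:28:04 2016 VERIFY ERROR: depth=0, error=unable to get local issuer certificate
Sun Dec  4 19:28:04 2016 TLS Error: TLS object -> incoming plaintext read error
EOF
    echo "$f"
}

LOG=$(write_sample_log)
triage_log "$LOG"
```

On the router, run ''triage_log /tmp/openvpn.log''; no output means none of the known patterns matched and the full log is still worth reading.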

===== Asking for help =====
You can ask for help on the OpenWrt forum: [[https://forum.openwrt.org/]].

When asking for help, you should at a minimum include the contents of the following files:
<code bash>
cat /tmp/openvpn.log
cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/openvpn
</code>