doc:howto:vpn.openvpn

Revision 2015/09/02 02:21 (current) by JeffKletsky, change summary: [References and examples] YouTube video no longer available. Previous revision 2014/03/01 20:19 by zxdavb.
====== OpenVPN Setup Guide for Beginners ======
This is a beginner's guide to setting up OpenVPN on a server and a client where, in this instance, both are running OpenWrt (although the OpenVPN client could easily be running on another OS, such as Windows or Linux).

For non-beginners or real-world tunnels, [[doc/howto/vpn.server.openvpn.tun]] may be a better place to start.

The primary goal of this HOWTO is to get a working OpenVPN tunnel; the strategy is to keep it simple. Because of that, this is a very basic OpenVPN tunnel configuration that will not suit most people's needs without further configuration. Once the basic tunnel is working, additional recipes for other use-cases can be found at [[doc/howto/vpn.server.openvpn.tun]].

For an overview of all VPN-related articles (including other VPN technologies), see [[doc/howto/vpn.overview]].

===== Use Case (the beginner's configuration) =====
The user wants a client to access their OpenWrt router without the possibility of being snooped. That is, the user can already reach the router, but over a public network such as the Internet, and wants that access to be private.

The end result will be a private connection directly between the OpenVPN client and server. Mostly, it is as if the two end-points are on the same subnet (but not on the same subnet as your router's LAN).

To facilitate configuration/testing, this HOWTO permits two distinct scenarios for this use-case:
  * Scenario 0: the OpenVPN client can ping the OpenWrt router via the router's LAN interface. Specifically, they are on the same subnet (e.g. the client is a DHCP client of the OpenWrt router).
  * Scenario 1: the OpenVPN client can ping the OpenWrt router via the router's WAN interface. Specifically, they are **not** on the same subnet (e.g. they are separated by the Internet).

Scenario 0 takes out much of the complexity of real-world configurations, such as the vagaries of the Internet or your OpenWrt firewall configuration. It lets you get an OpenVPN tunnel working easily and then switch to Scenario 1, which is the basis for most real-world OpenVPN configurations. You can either start with Scenario 0 and switch to Scenario 1 once it works, or start directly with Scenario 1 and fall back to Scenario 0 for troubleshooting.
  
===== Prerequisites =====
This HOWTO requires that the OpenVPN server is an OpenWrt router running OpenWrt 14.07 Barrier Breaker (check with ''cat /etc/banner''). The OpenVPN client (the system that //initiates// the tunnel) must be able to ''ping'' the server over IPv4: via the router's LAN address in Scenario 0, or via its WAN address (preferably a public DNS name) in Scenario 1.
  
===== Install the required software =====
On the server, install OpenVPN and Easy-RSA (the certificates are created on the server). On an OpenWrt client, ''openvpn-openssl'' alone is enough. Of the OpenVPN variants available in Barrier Breaker, ''openvpn-openssl'' is the one this HOWTO was written against:
<code>
opkg update
opkg install openvpn-openssl openvpn-easy-rsa
</code>
  
===== Create the certificates =====
Easy-RSA is a small PKI that was spun off from OpenVPN. OpenVPN can also work from static keys without a PKI, but using a proper PKI is //much// better practice, and it is what ''remote-cert-tls'' below relies on. Before creating anything, check ''KEY_SIZE'' in ''/etc/easy-rsa/vars'': 1024-bit RSA keys and 1024-bit Diffie-Hellman parameters are weak, so it should be 2048. On the server:
<code>
build-ca
build-dh
build-key-server my-server
build-key-pkcs12 my-client
</code>

Each script prompts for certificate details; give the CA, the server and each client a different Common Name, as the Common Name is what identifies a client to the server (''TXT_DB error number 2'' means two certificates were given the same one). The above creates the CA, the Diffie-Hellman parameters (''build-dh'' can take a long time on a router), a server certificate named //my-server// and a client certificate named //my-client//; ''build-key-pkcs12'' also bundles the client certificate and key into ''my-client.p12'' and asks for an export password. Everything is written to ''/etc/easy-rsa/keys''. You can create multiple client certificates by running ''build-key-pkcs12'' multiple times and specifying different names.

You can create a new set of certificates by running ''clean-all'' and then the above commands again. ''clean-all'' deletes everything in the keys directory, so also delete any copies you have already distributed: the new files have the same names as the old ones but will not work with them.
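Before copying anything, it is worth checking what Easy-RSA produced. The following script is an added example and is not part of this HOWTO, of Easy-RSA or of OpenVPN; it assumes an ''openssl'' binary and the ''/etc/easy-rsa/keys'' layout created above (''ca.crt'', ''NAME.crt'', ''NAME.key'', ''dh*.pem''), and the names ''my-server'' and ''my-client'' are only defaults. It verifies that both certificates chain to ''ca.crt'', that the server certificate (and not the client one) carries the server EKU that ''remote-cert-tls server'' checks, that each key matches its certificate, that private keys are readable by their owner only, and that the DH parameters are at least 2048 bits:

```sh
#!/bin/sh
# Added example (not part of this wiki page, easy-rsa or OpenVPN): sanity-check the
# easy-rsa 2.x output directory before copying anything to /etc/openvpn.
# Assumes: an `openssl` binary and the layout the build-* scripts produce
# (ca.crt, NAME.crt, NAME.key, dh*.pem in one directory). The names my-server and
# my-client are only the defaults used in this HOWTO.
#
#   check_pki KEYDIR SERVER_NAME CLIENT_NAME
#
# prints one "ok:" or "FAIL:" line per check and returns 0 only if all pass:
#   1. each certificate chains to ca.crt
#   2. the server cert carries the "TLS Web Server Authentication" EKU that
#      `remote-cert-tls server` on the client insists on, and the client cert
#      does not (so a leaked client cert cannot be used to impersonate the server)
#   3. each .key matches its .crt
#   4. private keys are readable by their owner only
#   5. the DH parameters are at least 2048 bits
check_pki() {
    dir=$1; srv=$2; cli=$3; rc=0

    ok()   { echo "ok:   $*"; }
    fail() { echo "FAIL: $*"; rc=1; }
    has_eku() {   # has_eku CERT "TLS Web Server Authentication"
        openssl x509 -noout -text -in "$1" 2>/dev/null |
            grep -A1 'Extended Key Usage' | grep -q "$2"
    }

    for name in "$srv" "$cli"; do
        crt="$dir/$name.crt"; key="$dir/$name.key"
        if openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1; then
            ok "$name.crt chains to ca.crt"
        else
            fail "$name.crt does not verify against ca.crt"
        fi
        # same RSA modulus in cert and key, otherwise OpenVPN refuses to start
        if [ -n "$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)" ] &&
           [ "$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null)" = \
             "$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)" ]; then
            ok "$name.key matches $name.crt"
        else
            fail "$name.key does not match $name.crt"
        fi
        # group+other part of the ls -l permission field must be all dashes
        case "$(ls -ld "$key" 2>/dev/null | cut -c5-10)" in
            ------) ok "$name.key is readable by its owner only" ;;
            *)      fail "$name.key is readable by others (chmod 600 $key)" ;;
        esac
    done

    if has_eku "$dir/$srv.crt" 'TLS Web Server Authentication'; then
        ok "$srv.crt has the serverAuth EKU"
    else
        fail "$srv.crt lacks the serverAuth EKU (was it made with build-key-server?)"
    fi
    if has_eku "$dir/$cli.crt" 'TLS Web Server Authentication'; then
        fail "$cli.crt also has the serverAuth EKU and could pose as the server"
    else
        ok "$cli.crt cannot be used as a server certificate"
    fi

    dh=$(ls "$dir"/dh*.pem 2>/dev/null | head -n 1)
    bits=$(openssl dhparam -noout -text -in "$dh" 2>/dev/null |
           sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -ge 2048 ]; then
        ok "DH parameters (${dh##*/}) are $bits bits"
    else
        fail "DH parameters missing or weaker than 2048 bits (${bits:-none});" \
             "set KEY_SIZE=2048 in /etc/easy-rsa/vars and rerun build-dh"
    fi
    return $rc
}

# Usage on the router, before the "Distribute the certificates" step:
#   sh check_pki.sh /etc/easy-rsa/keys my-server my-client
if [ $# -ge 1 ]; then
    check_pki "$1" "${2:-my-server}" "${3:-my-client}"
fi
```

A non-zero exit means at least one ''FAIL:'' line was printed; fix the cause (re-run the relevant ''build-*'' script, or ''chmod 600'' the key) before distributing anything.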
  
===== Distribute the certificates =====
The Diffie-Hellman file is named after ''KEY_SIZE'' (''dh1024.pem'' or ''dh2048.pem''); use the same name in the server configuration below.
<code>
cp /etc/easy-rsa/keys/ca.crt /etc/easy-rsa/keys/my-server.* /etc/easy-rsa/keys/dh*.pem /etc/openvpn
scp /etc/easy-rsa/keys/ca.crt /etc/easy-rsa/keys/my-client.* root@CLIENT_IP_ADDRESS:/etc/openvpn
</code>

The above assumes that you can connect to the client from the server, that the client runs an SSH server and that you can log in as root. If you can't, transfer the client's files some other way, such as on a USB stick. Whichever way you use:
  * ''ca.key'' is the CA's signing key and is only needed to issue (or revoke) certificates. Whoever holds it can create certificates your server will accept, so it does not belong on an Internet-facing router; move it (and any backup of ''/etc/easy-rsa/keys'') somewhere that is not reachable from the Internet.
  * Every other ''.key'' file is private to the system it was made for: the server's key stays on the server, a client's key and ''.p12'' go only to that client, and no key is ever sent over an unencrypted channel.
 + 
===== Configure the network on the OpenWrt server =====
  - Create the VPN interface (the ''tun0'' device does not exist until OpenVPN starts, which is why ''proto'' is ''none''):<code bash>
uci set network.vpn0=interface
uci set network.vpn0.ifname=tun0
uci set network.vpn0.proto=none
uci set network.vpn0.auto=1
</code>
  - Allow inbound VPN traffic, i.e. allow a tunnel to be //created//. A ''src'' of ''*'' accepts the handshake from every zone, which Scenario 0 needs; once you are on Scenario 1 you can tighten it to ''src=wan'':<code bash>
uci add firewall rule
uci set firewall.@rule[-1].name=Allow-OpenVPN-Inbound
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].src='*'
uci set firewall.@rule[-1].proto=udp
uci set firewall.@rule[-1].dest_port=1194
</code>
  - Allow OpenVPN tunnel utilization, i.e. allow a tunnel to be //used//: a ''vpn'' zone for the tunnel interface, plus a forwarding from it to ''wan''. The zone lets clients talk to the router itself; the forwarding lets them reach the Internet through the router (needed for step 4 of "Test the tunnel" and for "Route All Client Traffic Through the Tunnel"). Access to the router's LAN needs a separate ''vpn'' to ''lan'' forwarding, added later:<code bash>
uci add firewall zone
uci set firewall.@zone[-1].name=vpn
uci set firewall.@zone[-1].input=ACCEPT
uci set firewall.@zone[-1].forward=ACCEPT
uci set firewall.@zone[-1].output=ACCEPT
uci set firewall.@zone[-1].network=vpn0
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='vpn'
uci set firewall.@forwarding[-1].dest='wan'
</code>
  - Commit the changes:<code bash>
uci commit network
/etc/init.d/network reload
uci commit firewall
/etc/init.d/firewall reload
</code>
  
===== Configure the network on the OpenWrt client =====
Do the same as on the OpenWrt server above, except skip step 2: the client initiates the tunnel, so nothing needs to be let in.
  
===== Configure the OpenVPN server =====
The first line discards the package's default configuration; the rest creates a configuration called ''myvpn'' (it could be called anything). ''dh'' must point at the file you actually copied (''dh2048.pem'' if ''KEY_SIZE'' was 2048):
<code bash>
echo > /etc/config/openvpn
uci set openvpn.myvpn=openvpn
uci set openvpn.myvpn.enabled=1
uci set openvpn.myvpn.dev=tun
uci set openvpn.myvpn.port=1194
uci set openvpn.myvpn.proto=udp
uci set openvpn.myvpn.log=/tmp/openvpn.log
uci set openvpn.myvpn.verb=3
uci set openvpn.myvpn.ca=/etc/openvpn/ca.crt
uci set openvpn.myvpn.cert=/etc/openvpn/my-server.crt
uci set openvpn.myvpn.key=/etc/openvpn/my-server.key
uci set openvpn.myvpn.dh=/etc/openvpn/dh1024.pem
uci set openvpn.myvpn.server='10.8.0.0 255.255.255.0'
uci commit openvpn
/etc/init.d/openvpn enable
/etc/init.d/openvpn start
</code>

''server 10.8.0.0 255.255.255.0'' makes the router 10.8.0.1 inside the tunnel and hands each client an address from that range. The log goes to ''/tmp'', which is RAM: it is lost on reboot, but a chatty ''verb'' level cannot fill the router's flash.
  
===== Configure the OpenWrt client =====
''SERVER_IP_ADDRESS'' is the router's LAN address in Scenario 0 and its WAN address or public DNS name in Scenario 1. ''remote_cert_tls=server'' makes the client accept only a certificate created with ''build-key-server'', so another client's certificate cannot be used to impersonate the server:
<code bash>
echo > /etc/config/openvpn
uci set openvpn.myvpn=openvpn
uci set openvpn.myvpn.enabled=1
uci set openvpn.myvpn.dev=tun
uci set openvpn.myvpn.proto=udp
uci set openvpn.myvpn.log=/tmp/openvpn.log
uci set openvpn.myvpn.verb=3
uci set openvpn.myvpn.ca=/etc/openvpn/ca.crt
uci set openvpn.myvpn.cert=/etc/openvpn/my-client.crt
uci set openvpn.myvpn.key=/etc/openvpn/my-client.key
uci set openvpn.myvpn.client=1
uci set openvpn.myvpn.remote_cert_tls=server
uci set openvpn.myvpn.remote="SERVER_IP_ADDRESS 1194"
uci commit openvpn
/etc/init.d/openvpn start
</code>

As on the server, run ''/etc/init.d/openvpn enable'' if the client should bring the tunnel up at boot.
===== Configure other clients =====
For a client that is not an OpenWrt router, create the following OpenVPN client configuration file, save it with an ''.ovpn'' extension (''.conf'' on Linux) next to the ''ca.crt'', ''my-client.crt'' and ''my-client.key'' that you copied to the client, and give it to your client:

<code>
client
dev tun
proto udp
remote SERVER_IP_ADDRESS 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert my-client.crt
key my-client.key
remote-cert-tls server

log openvpn.log
verb 3
</code>

Paths are relative to the directory OpenVPN runs in (for most GUI clients, the directory holding the ''.ovpn'' file), which is why the absolute ''/etc/openvpn/'' paths used on OpenWrt are not used here. Keep ''remote-cert-tls server'': it makes the client refuse any peer whose certificate was not issued with ''build-key-server'', so one client's stolen certificate cannot be used to impersonate the server to the others. Mirror the server's options (e.g. ''comp-lzo'', if you enable it there); a mismatch can break the tunnel.

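Rather than shipping four files, a client profile can carry the CA certificate, the client certificate and the key inline between ''<ca>'', ''<cert>'' and ''<key>'' tags, which OpenVPN 2.x accepts in place of the ''ca''/''cert''/''key'' directives. The script below is an added example, not part of this HOWTO or of OpenVPN; it assumes the ''/etc/easy-rsa/keys'' layout created above, the server host name is a parameter (it stands in for the ''SERVER_IP_ADDRESS'' placeholder), and the certificate names are only defaults:

```sh
#!/bin/sh
# Added example (not from this wiki page or the OpenVPN project): build one
# self-contained NAME.ovpn for a non-OpenWrt client by inlining ca.crt, NAME.crt
# and NAME.key into the profile, so the client has no file paths to get wrong and
# only one file to protect. Assumes the easy-rsa 2.x key directory layout used
# above (ca.crt, NAME.crt, NAME.key). SERVER_HOST replaces the HOWTO's
# SERVER_IP_ADDRESS placeholder and is a parameter here.
#
#   make_ovpn KEYDIR NAME SERVER_HOST [PORT]   -> profile on stdout
make_ovpn() {
    dir=$1; name=$2; host=$3; port=${4:-1194}

    # easy-rsa .crt files start with a human-readable dump; keep only the PEM body
    pem() { sed -n '/^-----BEGIN /,/^-----END /p' "$1"; }

    for f in "$dir/ca.crt" "$dir/$name.crt" "$dir/$name.key"; do
        [ -r "$f" ] || { echo "make_ovpn: cannot read $f" >&2; return 1; }
    done

    cat <<EOF
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
# refuse any peer whose certificate was not issued as a server certificate,
# so a leaked client certificate cannot impersonate the server
remote-cert-tls server
verb 3
<ca>
$(pem "$dir/ca.crt")
</ca>
<cert>
$(pem "$dir/$name.crt")
</cert>
<key>
$(pem "$dir/$name.key")
</key>
EOF
}

# Usage on the router, after build-key-pkcs12 my-client:
#   sh make_ovpn.sh /etc/easy-rsa/keys my-client vpn.example.net > my-client.ovpn
if [ $# -ge 3 ]; then
    make_ovpn "$1" "$2" "$3" "${4:-1194}"
fi
```

The generated file contains the client's private key, so hand it over the same way you would hand over ''my-client.key'', never by plain e-mail.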
===== Test the tunnel =====
  - The tunnel should have added a route to the client's route table for the tunnel end-point (should be 10.8.0.1); OpenVPN logs every route it adds:<code bash>
grep "route add" /tmp/openvpn.log
route
</code>
  - You should be able to reach the tunnel end-point (i.e. the OpenVPN server) through the tunnel:<code bash>
traceroute 10.8.0.1
</code>
  - You should still be able to reach hosts on the Internet via your default gateway (nothing has been pushed yet that changes the client's default route):<code bash>
traceroute 8.8.8.8
</code>
  - You should be able to reach hosts on the Internet via the tunnel. Add a host route for one address through the tunnel peer (10.8.0.5 with OpenVPN's default ''net30'' addressing, where the first client gets 10.8.0.6; the ''route add'' lines in the log show the actual peer address) and trace it again:<code bash>
route add -net 8.8.8.8 netmask 255.255.255.255 gateway 10.8.0.5
route
traceroute 8.8.8.8
</code>

Compare hop 1 of the two **traceroute 8.8.8.8** runs: in step 3 it is your normal default gateway; in step 4 it should be the server's tunnel address (10.8.0.1), with hop 2 being the server's own upstream gateway. If so, the tunnel is carrying traffic. Step 4 relies on the ''vpn'' to ''wan'' forwarding added above and on masquerading on the server's ''wan'' zone (enabled in OpenWrt's default firewall configuration). Remove the test route afterwards with ''route del -net 8.8.8.8 netmask 255.255.255.255''.

:-D Congratulations! Now look to 'tune' the OpenVPN tunnel for a specific use-case.
  
===== Route Only Local LAN Client Traffic Through the Tunnel =====
If all that is needed is to allow clients access to the local subnet (e.g. to access a server at home from work), and to leave Internet access as-is, all one needs to do is advertise the local subnet and configure the firewall to allow traffic through. First, to advertise the route (''push'' is a list option, so use ''add_list''; further routes can then be pushed later without overwriting this one):

<code bash>
uci add_list openvpn.myvpn.push='route 192.168.1.0 255.255.255.0'
uci commit openvpn
/etc/init.d/openvpn restart
</code>

In this example the subnet is 192.168.1.0/24; adjust it to your LAN. Now the firewall has to allow traffic from the VPN clients to the local LAN. The ''vpn'' zone already exists from the network setup above; what is missing is a forwarding from it to ''lan''. Edit **/etc/config/firewall**:

<code>
## NB: this zone was created in the network setup above; shown here for context
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'vpn0'

## NB: this section is the addition
config forwarding
	option src 'vpn'
	option dest 'lan'
</code>

Some versions of this recipe also add ''masq'' to the ''vpn'' zone. That masquerades connections the router forwards //into// the tunnel (LAN host to client direction) behind its tunnel address; it does nothing for connections from clients to the LAN, which is what this section is about. If LAN hosts use a default gateway other than the OpenWrt router, they have no route back to 10.8.0.0/24 and their replies are lost; the fix for that is masquerading on the ''lan'' zone (or a static route for 10.8.0.0/24 on those hosts), not on the ''vpn'' zone.

After editing the firewall changes, enable them by executing:
<code bash>
/etc/init.d/firewall reload
</code>
===== Route All Client Traffic Through the Tunnel =====
If the OpenVPN server can access the Internet, then the client has the //option// of routing //all// its IP traffic via the tunnel rather than through its local gateway. If the tunnel is merely to provide access to other subnets (e.g. to access a server at home from work) and Internet access is to remain as-is, then this is not your answer; instead, see "Route Only Local LAN Client Traffic Through the Tunnel" above.

Before you do this, you should know whether your network is **Scenario 1** (client and server in different subnets) or **Scenario 0** (client and server in the same subnet), as defined in the use case above. As with the LAN route, ''push'' is a list option, so use ''add_list''.

In **Scenario 1**, the client and server are in different subnets:
  - On the OpenVPN server, execute the following:<code bash>
uci add_list openvpn.myvpn.push='redirect-gateway def1'        ## NB: these are single quotes
uci commit openvpn
/etc/init.d/openvpn restart
</code>
  - On the OpenVPN client, execute the following:<code bash>
/etc/init.d/openvpn restart
traceroute 8.8.8.8
</code>

Alternatively, in **Scenario 0**, the client and server are in the same subnet (useful for creating/testing an OpenVPN tunnel at home). The ''local'' flag tells the client that the server is directly reachable, so it does not add a host route to the server via its old gateway:
  - On the OpenVPN server, execute the following:<code bash>
uci add_list openvpn.myvpn.push='redirect-gateway def1 local'  ## NB: these are single quotes
uci commit openvpn
/etc/init.d/openvpn restart
</code>
  - On the OpenVPN client, execute the following:<code bash>
/etc/init.d/openvpn restart
traceroute 8.8.8.8
</code>

Either way, hop 1 of the **traceroute** should now be the server's tunnel address (10.8.0.1) without any manual route on the client.

:!: If your OpenVPN client is not to route all its traffic via the server (and therefore continue to use its existing default gateway), then you should not push the **redirect-gateway** option at all. To take it back out, use ''uci del_list openvpn.myvpn.push='redirect-gateway def1''' (or ''... def1 local''), commit and restart.

:!: ''redirect-gateway'' moves only the default route. The client keeps its existing DNS server, so name lookups still go wherever they went before, usually to a server on the client's own network outside the tunnel. Pushing a resolver reachable through the tunnel (OpenVPN's ''dhcp-option DNS'') fixes that for Windows clients; Linux clients need a script to apply it. This is beyond the basic tunnel and is left to the recipes linked below.

For the client to reach the Internet through the router, OpenWrt must forward traffic from the ''vpn'' zone to ''wan''. Step 3 of the server network configuration already added this; if you skipped it, the equivalent section in /etc/config/firewall is:
<code>
config forwarding
	option src 'vpn'
	option dest 'wan'
</code>
This worked for BB RC2 (uci commands would be better); reload the firewall after editing the file.

Once this is working, head to [[doc/howto/vpn.server.openvpn.tun]] for more OpenVPN 'recipes'.
  
===== Troubleshooting =====
If something doesn't work as expected while following this HOWTO:
  * Check that the client can ping the server:<code bash>ping SERVER_IP_ADDRESS</code>
  * Check that the OpenVPN daemon is running:<code bash>ps | grep "openvpn"</code>
  * Check that there is a TUN interface:<code bash>ifconfig | grep "tun"</code>
  * Check the log:<code bash>cat /tmp/openvpn.log</code>
  * If unsure how the UCI options were turned into OpenVPN parameters, find the PID with ''ps'' and look at the daemon's command line (replace PID with the number):<code bash>tr '\0' ' ' < /proc/PID/cmdline</code>
  * For Scenario 1, test from genuinely outside: a 3G connection, a different building, etc. Another VPN that routes all your traffic does not seem to help, and a correct configuration may not work at all when tested from the inside.
  * You can try temporarily disabling the firewall on the OpenVPN server:<code bash>/etc/init.d/firewall stop</code> With the firewall stopped the router accepts everything from the WAN side, so do this only briefly and run ''/etc/init.d/firewall start'' when done.
  * You can clear the OpenVPN configuration and start again from scratch:<code bash>echo > /etc/config/openvpn</code>
  * If you log somewhere other than ''/tmp'' (or via the system log), note that OpenVPN does not limit the log size; a high ''verb'' level can fill a router's flash within a week.

===== Asking for help =====
You can ask for help on the OpenWrt forum: [[https://forum.openwrt.org/]].

When asking for help, you should at a minimum include the contents of the following files (redact anything sensitive, such as public IP addresses, before posting):
<code bash>
cat /tmp/openvpn.log
cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/openvpn
</code>

===== References and examples =====
  * [[https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage|OpenVPN 2.3 man-page]]
  * [[doc/howto/vpn.overview]] (overview of VPN technologies on OpenWrt)

| FIXME: Integrate any useful information from [[inbox:vpn.howto]]. |
  
doc/howto/vpn.openvpn.1393701569.txt.bz2 · Last modified: 2014/03/01 20:19 by zxdavb