Differences


doc:howto:vpn.openvpn [2014/03/01 20:19]
zxdavb
doc:howto:vpn.openvpn [2014/06/24 00:01] (current)
zxdavb
Line 1: Line 1:
-====== Basic OpenVPN Server Setup Guide ======  +====== OpenVPN Setup Guide for Beginners ======  
-This is a guide to setting up OpenVPN on a server and a client where, in this instance, both are running OpenWRT. What follows has been tested on trunk (currently BB, b39757), but will likely work on the latest stable branch (currently AA, b39408).+This is a //beginner's// guide to setting up OpenVPN on a server and a client (and a PKI) where, in this instance, both are running OpenWrt (although the OpenVPN client could easily be running on another OS, such as Windows, or *nix).
-Note that all of the 'work' here is accomplished via non-interactive commands (that you should cut-and-paste), andthere are no files to edit.+This is a //very basic// OpenVPN tunnel and its configuration will not suit everyone's needs.  However, once the tunnel is working, then it can be further 'tuned' for specific use-cases.  The strategy is to keep it simple, and get the OpenVPN tunnel working before adding the complexity required for 'real-world' scenarios.
-{{:meta:icons:tango:48px-cleanup.svg.png?nolink&20x20}} This how-to has had a BIG rewriteIf required, you can find the old version here: [[http://wiki.openwrt.org/doc/howto/vpn.openvpn?rev=1390780026]]+Once the basic tunnel is working, then additional 'recipes' for other use-cases can be found at [[doc/howto/vpn.server.openvpn.tun]].  Such use-cases might include: TAP, multiple-VPN routers, VPN-over-SOCKS, etc. 
 + 
 +| For non-beginners, [[doc/howto/vpn.server.openvpn.tun]] may be a better place to start. | 
 + 
 +What follows has been tested on trunk (currently BB, b39757), but will likely work on the latest stable branch (currently AA, b39408)It is based upon OpenVPN v2.3, but will likely work with v2.2.   
 + 
 +Note that all of the 'work' here is accomplished via non-interactive commands (that you should cut-and-paste to minimise transcription errors), and there are no files to edit. 
 + 
 +| For an overview of all VPN-related articles in the OpenWrt wiki, see [[doc/howto/vpn.overview]] |
===== Overview of the Process ===== ===== Overview of the Process =====
-On the OpenVPN server (and on similarly, on clients), installing and (more importantly) configuring an OpenVPN tunnel consists of the following:+Installing and (more importantly) configuring an OpenVPN tunnel consists of the following process:
  - Creating and distributing the PKI certificates and their keys to the server and the clients   - Creating and distributing the PKI certificates and their keys to the server and the clients
  - Configuring the network (i.e. devices, interfaces, and firewall)   - Configuring the network (i.e. devices, interfaces, and firewall)
-  - Configuring and Starting the VPN listener+  - Configuring, starting and testing the VPN tunnel
-=== Use Case === +==== Use Case (the beginner's configuration) ==== 
-The user (i.e. client) wants to access the LAN on the other side of the server without being 'snooped' (e.g. via a public WiFi network), and/or the user wants to access the Internet via the server (e.g. to punch through a company firewall and thereby bypass it's restrictions).+The user (here, from an OpenWrt client) wants to access their OpenWrt router without being 'snooped'. That is, the user can already access the router, but over a public network, such as the Internet (different subnets), or a Wifi Hotspot (same subnet).
-This article will be based upon TUN (routing); for TAP (bridging), you will find information elsewhere in this Wiki.+| **Terminology**: The OpenVPN **server** is //listening// for a request to negotiate a VPN tunnel. The OpenVPN **client** //initiates// the negotiation for that VPN tunnel. |
-===== Prerequisites ===== +To facilitate configuration/testing, this guide permits two distinct scenarios
-So to make it easier for you, this How-To assumes+  * **Scenario 1**: the client can 'ping' the server via the server's WAN interface (and preferably using a public DNS FQDN).  Specifically, they are //not// in the same subnet (e.g. they are separated by the Internet). 
-  - the client and the server are (vanilla-build) OpenWRT routers (look elsewhere for help Linux/Windows/etc.; it wont be too hard for clients+  * **Scenario 2**: the client is a DHCP client of the server, and can therefore 'ping' the server via it's LAN interface.  Specifically, they //are// in the same subnet.
-  - the client can ''ping'' the server though its WAN interface, and that they are not in the same subnet+
-The OpenVPN client (i.e. the system who //initiates// the negotiation for the VPN tunnel) must be able to ''ping'' (using IPv4) the OpenVPN server (who responds to such requests) via it's WAN interface (and preferably using a public DNS FQDN)In this case, it is assumed that the client, as well as the server (a.k.a. router) are both running OpenWRT (although *nix & Windows clients are also covered).+In most use-cases, **Scenario 1** would be the case, but **Scenario 2** allows for other use-cases, such creating an OpenVPN tunnel at home (which then can be switched to a Scenario 1 configuration and tested further).  
 + 
 +===== Prerequisites ===== 
 +This HOWTO: 
 +  - //requires// that the client can ''ping'' the server  
 +  - //requires// the OpenVPN server is an OpenWRT routers (look elsewhere for help with OpenVPN servers running on Linux/Windows/etc.
 + - //assumes// the Open client is an OpenWRT routers (but could easily be based upon Linux/Windows/etc.) 
 +  - uses TUN (routing, recommended) rather than for TAP (bridging)
==== Part 1/1 - Installing the OpenVPN packages ==== ==== Part 1/1 - Installing the OpenVPN packages ====
:!: Before executing Step 1, you should check which specific version of OpenWRT you have.  See the notes below for more information. :!: Before executing Step 1, you should check which specific version of OpenWRT you have.  See the notes below for more information.
-  - On both the client and the server, install the OpenVPN package:<code>+  - On both the client and the server, install the OpenVPN package:<code c>
  opkg update; opkg install openvpn-openssl  ## or: opkg install openvpn   opkg update; opkg install openvpn-openssl  ## or: opkg install openvpn
</code> </code>
Which package you should install will be indicated by which version of OpenWRT you have (check via: ''cat /etc/banner''): Which package you should install will be indicated by which version of OpenWRT you have (check via: ''cat /etc/banner''):
-  * on **Barrier Breaker**: there are three versions of OpenVPN that you can choose from, including: ''openvpn-openssl'' (recommended) or ''openvpn-polarssl'', which //might not// work with the following scripts (it should be obvious why you should not use ''openvpn-nossl'').+  * on **Barrier Breaker**: there are three versions of OpenVPN that you can choose from, including: ''openvpn-openssl'' (used here), ''openvpn-polarssl'' (warning: polarssl //might not// work with the following scripts), or ''openvpn-nossl'' (it should be obvious why you should not use that one).
  * on **Attitude Adjustment**: there is only one version of OpenVPN that you can install, ''openvpn'' (which uses OpenSSL)   * on **Attitude Adjustment**: there is only one version of OpenVPN that you can install, ''openvpn'' (which uses OpenSSL)
-===== Creating the Client and Server Certificates =====+===== Creating the Client and Server PKI Certificates =====
Easy-RSA is a simple PKI that was spun off from OpenVPN as a separate project.  With OpenVPN, there does exist a means of creating client/server certificates that does not require a PKI (known as static keys), but Easy-RSA is used here as it is a simple enough method, and using a proper PKI is //much// better practice. Easy-RSA is a simple PKI that was spun off from OpenVPN as a separate project.  With OpenVPN, there does exist a means of creating client/server certificates that does not require a PKI (known as static keys), but Easy-RSA is used here as it is a simple enough method, and using a proper PKI is //much// better practice.
-==== Part 1/2 - Create the Certification Authority and the Client/Server Certificates ==== +==== Part 1/2 - Create the CA and the Certificates ==== 
-:!: Before executing Step 3, you may (or may not) need to execute Step 2.  See notes below for more information. +  - On the OpenVPN Server, install the Easy-RSA package:<code c>
-  - On the OpenVPN Server, install the Easy-RSA package:<code>+
  opkg update; opkg install openvpn-easy-rsa   opkg update; opkg install openvpn-easy-rsa
</code> </code>
-  - If running **Attitude Adjustment** (specifically, version 2.2.2-2 of the Easy-RSA package), then you must 'tweak' the PKI configuration to prevent problems:<code>+  - If running **Attitude Adjustment** (specifically, version 2.2.2-2 of the Easy-RSA package), then you must 'tweak' the PKI configuration to prevent problems later on (this step 'comments-out' the relevant code):<code c>
  sed -i '/KEY_CN/ s:^export:# &:' /etc/easy-rsa/vars  ## do not set the KEY_CN environment variable   sed -i '/KEY_CN/ s:^export:# &:' /etc/easy-rsa/vars  ## do not set the KEY_CN environment variable
</code> </code>
-  - Establish the shell variables, and start with a clean slate (you may get warnings about ''./clean-all'', which you can ignore):<code>+  - Establish the shell variables, and start with a clean slate (you may get warnings about ''./clean-all'', which you can ignore):<code c>
  source /etc/easy-rsa/vars   source /etc/easy-rsa/vars
  clean-all   clean-all
</code> </code>
-  - Create the Certification Authority, Server, and Client certificates:<code>+  - Create the Certification Authority, Server, and Client certificates:<code c>
  pkitool --initca            ## equivalent to the 'build-ca' script   pkitool --initca            ## equivalent to the 'build-ca' script
  pkitool --server my-server  ## equivalent to the 'build-key-server' script   pkitool --server my-server  ## equivalent to the 'build-key-server' script
  pkitool          my-client  ## equivalent to the 'build-key' script   pkitool          my-client  ## equivalent to the 'build-key' script
</code> </code>
-  - Finally, create the Diffie Hellman parameters (left until last because it can take a long time):<code>+  - Finally, create the Diffie Hellman parameters (left until last because it can take a long time):<code c>
  build-dh                    ## this script will 'take a long time'   build-dh                    ## this script will 'take a long time'
</code> </code>
If you get an error message ''TXT_DB error number 2'', then check that the CommonName variable is not set: that is, ''set | grep KEY_CN'' must return no results.  The failure is because subsequent certificates have the same identifier as first (the server's).  If required, execute ''unset KEY_CN'', and start again from Step 2. If you get an error message ''TXT_DB error number 2'', then check that the CommonName variable is not set: that is, ''set | grep KEY_CN'' must return no results.  The failure is because subsequent certificates have the same identifier as first (the server's).  If required, execute ''unset KEY_CN'', and start again from Step 2.
-=== Troubleshooting === +=== Testing & troubleshooting your configuration === 
-You can confirm everything is OK so far via: ''ls $KEY_DIR''; there should be ''index.txt'' and ''serial'', the Diffie-Hellman files, and three pairs of ''.crt''/''.key'' files (plus some other files).  +You can confirm everything is OK so far via: **''ls $KEY_DIR''**; there should be ''index.txt'' and ''serial'', the Diffie-Hellman files, and three pairs of ''.crt''/''.key'' files (plus some other files). 
-If required, you can start from scratch (i.e. destroy the old PKI, and create a completely new one) by re-starting this process from Step 3.  If you've copied any certificates elsewhere, be sure to delete them: don't mix up these distinct sets of certificates/keys, they just happen to have the same filenames!+If required, you can start from scratch (i.e. destroy the old PKI, and create a completely new one) by re-starting this process from Step 2:!: If you've copied any of the earlier certificates elsewhere, be sure to delete them.  Be warned that it would be easy these (new) certificate/key sets with older sets, since they just happen to have the same filenames!
-==== Part 2/2 - Distribute the Certificates to the Clients and Servers ====+==== Part 2/2 - Distribute the Certificates ====
:!: Before executing Step 3, you'll have to find a way achieving Step 2 (discussed only briefly here).  See the notes below for more information. :!: Before executing Step 3, you'll have to find a way achieving Step 2 (discussed only briefly here).  See the notes below for more information.
-  - On the server, copy the server certificate to where OpenVPN needs it to be (''$KEY_DIR'' is a variable set by ''source /etc/easy-rsa/vars''):<code>+  - On the server, copy the server certificate to where OpenVPN needs it to be (''$KEY_DIR'' is a variable set by ''source /etc/easy-rsa/vars''):<code c>
  cd $KEY_DIR   cd $KEY_DIR
  mkdir -p /etc/openvpn   mkdir -p /etc/openvpn
-  cp ca.crt my-server.* dh*.pem  /etc/openvpn/    ## the server files+  cp ca.crt my-server.* dh*.pem  /etc/openvpn/    ## the server files (note: dh*.pem is required)
</code> </code>
  - Next, you'll need to copy the client certificate from the server to the client (//e.g. via a USB stick//).   - Next, you'll need to copy the client certificate from the server to the client (//e.g. via a USB stick//).
-  - On the client, copy the server certificate to where OpenVPN needs it to be, example:<code> +  - On the client, copy the server certificate to where OpenVPN needs it to be, example:<code c
-  cp ca.crt my-client.*          /etc/openvpn/    ## the client files+  cp ca.crt my-client.*          /etc/openvpn/    ## the client files (note: dh*.pem is not used)
</code> </code>
=== Discussion === === Discussion ===
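Review bot: the third item of the new Prerequisites list is indented with a single space (''+ - //assumes// the Open client is an OpenWRT routers''), so DokuWiki will not render it as part of the numbered list; the wording there also needs "OpenVPN client" and "an OpenWrt router" (the same singular fix applies to the server item above it, and the last item should read "rather than TAP"). In the Scenario 2 bullet, "via it's LAN interface" should be "its", and the paragraph after it is missing a word: "such creating an OpenVPN tunnel" should be "such as creating". The sentence added to the PKI troubleshooting note lost its verb ("it would be easy these (new) certificate/key sets with older sets"; presumably "easy to confuse these ... with"). On style, every fence was changed from ''<code>'' to ''<code c>'', which applies C syntax highlighting to shell commands; ''<code bash>'' (or the original bare ''<code>'') is the appropriate tag, and the fence on the client copy step (''example:<code c'') shows no closing ''>'' in this rendering, so the saved page source is worth checking.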
Line 80: Line 93:
  * ''ca.key'' should be moved to a place that is not accessible from the Internet (it is only needed when 'doing' CA stuff)   * ''ca.key'' should be moved to a place that is not accessible from the Internet (it is only needed when 'doing' CA stuff)
  * the other ''.key'' files should be kept 'private', that is, stored only on the 'owning' system   * the other ''.key'' files should be kept 'private', that is, stored only on the 'owning' system
-  * //all// ''.key'' files should not be distributed in an insecure manner - it is well known that copying .key files across the Internet is a leading cause of male-pattern baldness! +  * //all// ''.key'' files should //never// be distributed in an insecure manner - it is well known that copying .key files across the Internet is a leading cause of male-pattern baldness!
===== Configuring the Network Infrastructure ===== ===== Configuring the Network Infrastructure =====
 +Before you start this, ensure that the client can ping the server.
-==== Part 1/2 Server Configuration (on OpenWRT) ====+Also, you need to know if the client and server are on the same subnet (e.g. two laptops communicating over a public wifi network). 
 + 
 +==== Part 1/2 Configure the Network on the Server ====
This is the configuration of the OpenVPN **server** only. This is the configuration of the OpenVPN **server** only.
-  - On both the client and the server, create the vpn interface (note that the tun0 device does not yet exist):<code> +  - Create the VPN interface (note that the tun0 device does not yet exist):<code c
-  uci set network.vpn=interface +  uci set network.vpn0=interface 
-  uci set network.vpn.ifname=tun0 +  uci set network.vpn0.ifname=tun0 
-  uci set network.vpn.proto=none+  uci set network.vpn0.proto=none
  uci commit network; /etc/init.d/network reload   uci commit network; /etc/init.d/network reload
</code> </code>
-  - Allow OpenVPN tunnel negotiation (i.e. allow a tunnel to be //created//):<code>+  - Allow OpenVPN tunnel negotiation (i.e. accept inbound traffic and thereby allow a tunnel to be //created//):<code c>
  uci add firewall  rule   uci add firewall  rule
-  uci set firewall.@rule[-1].name=Allow-Inbound-OpenVPN+  uci set firewall.@rule[-1].name=Allow-OpenVPN-Inbound
  uci set firewall.@rule[-1].target=ACCEPT   uci set firewall.@rule[-1].target=ACCEPT
-  uci set firewall.@rule[-1].src=wan +  uci set firewall.@rule[-1].src=*
-  uci set firewall.@rule[-1].family=ipv4+
  uci set firewall.@rule[-1].proto=udp   uci set firewall.@rule[-1].proto=udp
  uci set firewall.@rule[-1].dest_port=1194   uci set firewall.@rule[-1].dest_port=1194
</code> </code>
-  - Allow OpenVPN tunnel traffic (i.e. allow a tunnel to be //used//):<code>+  - Allow OpenVPN tunnel utilization (i.e. allow a tunnel to be //used//):<code c>
  uci add firewall  zone   uci add firewall  zone
  uci set firewall.@zone[-1].name=vpn   uci set firewall.@zone[-1].name=vpn
  uci set firewall.@zone[-1].input=ACCEPT   uci set firewall.@zone[-1].input=ACCEPT
-  uci set firewall.@zone[-1].forward=REJECT+  uci set firewall.@zone[-1].forward=ACCEPT
  uci set firewall.@zone[-1].output=ACCEPT   uci set firewall.@zone[-1].output=ACCEPT
-  uci set firewall.@zone[-1].network=vpn+  uci set firewall.@zone[-1].network=vpn0
</code> </code>
-  - Allow the client to access the OpenVPN server's LAN via the VPN (optional):<code> +  - Finally, commit the changes:<code c>
-  uci add firewall forwarding +
-  uci set firewall.@forwarding[-1].src=vpn +
-  uci set firewall.@forwarding[-1].dest=wan +
-</code> +
-  - Allow the client to access the OpenVPN server's WAN via the VPN (optional):<code> +
-  uci add firewall forwarding +
-  uci set firewall.@forwarding[-1].src=vpn +
-  uci set firewall.@forwarding[-1].dest=wan +
-</code> +
-  - Finally, commit the changes:<code>+
  uci commit firewall; /etc/init.d/firewall reload   uci commit firewall; /etc/init.d/firewall reload
</code> </code>
-=== Discussion === 
-Note that Step 4 and 5 overrule the ''REJECT'' in Step 3. You may want only Step 4, or Only Step 5, or maybe both. That is,  
-  * Step 3 will allow the VPN client(s) to access the OpenVPN server itself 
-  * Step 4 will allow the VPN client(s) to access networks via the OpenVPN server's LAN interfaces 
-  * Step 5 will allow the VPN client(s) to access networks via the OpenVPN server's WAN interfaces 
-Execute: ''uci show firewall | grep zone | grep -E &quot;(net|name)"'' to see the networks of each zone.+=== Testing &amp; troubleshooting your configuration === 
 +There's not much you can do now, but later, when it comes time to test communication between the client and the server (either before or after the OpenVPN tunnel is established), you //could// disable the server's firewall altogether to see if it's the reason why you're having problems (see below).
-==== Part 2/2 Client Configuration ==== +Execute: ''uci show network | grep ifname'' to see the interface of each network (e.g. 3gwan network via usb0 interface)Execute: ''uci show firewall | grep zone | grep -E "(net|name)"'' to see the networks of each zone (e.g. wan/3gwan networks in wan zone).
-There shouldn't be much to doMost clients allow outbound (client-instigated) tunnels. +
-However, you need to think about which Route tables, and which DNS server to use.  More later.+==== Part 2/2 Configure the Network on the Client ==== 
 +This is how to configure the network on an OpenVPN **client** running on OpenWrt.  This process consists of essentially the same sequence of steps as for the OpenVPN server, above. 
 + 
 +:!: Note that Step 3 is not required on a client. 
 + 
 +This is how to configure the network on an OpenVPN client: 
 +  - Create the VPN interface (this is the same as for the server). 
 + - //Don't do this step on a client// - most OSs allow outbound (client-instigated) tunnels.   
 +  - Allow OpenVPN tunnel utilization (this is the same as for the server). 
 +  - Finally, commit the changes (this is the same as for the server). 
 + 
 +=== Testing & troubleshooting your configuration === 
 +More later...
===== Configuring the OpenVPN Infrastructure ===== ===== Configuring the OpenVPN Infrastructure =====
-This is essentially the same as for a OpenWRT server.+This process consists of four steps that are essentially the same on both an OpenWrt-based OpenVPN clients and servers.  Non-OpenWRT-based clients (generally) require OpenVPN configuration files. 
 + 
 +These configurations have been intentionally kept simple; they are the minimal required to get an effective OpenVPN tunnel.  Do not add options until you get the tunnel to work.  For your own benefit, do not bother with **persist_XXX**, or **comp_lzo** at this stage. 
 + 
 +:!: The UCI system is very good, but has it's little quirks.  Be aware that OpenVPN options either require a underscore, or a dash according to whether they are to the left or the right of the '=' sign.  See the **comp-lzo** option, below (do //not// execute these commands): 
 +<code c>uci set openvpn.test.comp_lzo=adaptive 
 +uci set openvpn.test.push='comp-lzo=adaptive' 
 +</code>
==== Part 1/2 - Configure and Start the Server ==== ==== Part 1/2 - Configure and Start the Server ====
-:!: Before you execute Step 3, you should understand the requirements of your specific use-case (i.e. your network configuration).  See the notes below for more information. +This is how to configure and start the OpenVPN Server running on OpenWrt
-  - Clear the default OpenVPN configuration, and create a new OpenVPN configuration called 'myvpn' (it could be called anything)Ensure that, in particular, the last three lines (the ca, cert, and key parameters) do not produce an error:<code> +
-  echo > /etc/config/openvpn+
-  uci set openvpn.myvpn=openvpn+  - Clear the existing OpenVPN configuration, and create a new configuration called (in this case) 'myvpn' (NB: this step is the same for the OpenWrt OpenVPN client as well).  Ensure that, in particular, the last three lines (the ca, cert, and key options) do not produce an error (such as "No such file or directory"):<code c> 
 +  echo > /etc/config/openvpn                                ## Clear the existing configuration 
 + 
 +  uci set openvpn.myvpn=openvpn                             ## This tunnel is called 'myvpn'
  uci set openvpn.myvpn.enabled=1   uci set openvpn.myvpn.enabled=1
-  uci set openvpn.myvpn.dev=tun + 
-  uci set openvpn.myvpn.persist_tun=1 +  uci set openvpn.myvpn.dev=tun                             ## This is the basic tunnel configuration
-  uci set openvpn.myvpn.persist_key=1+
  uci set openvpn.myvpn.proto=udp   uci set openvpn.myvpn.proto=udp
-  uci set openvpn.myvpn.comp_lzo=yes 
 +  uci set openvpn.myvpn.log=/tmp/openvpn.log                ## These options produce a useful log file
  uci set openvpn.myvpn.verb=3   uci set openvpn.myvpn.verb=3
-  uci set openvpn.myvpn.log=/tmp/openvpn.log 
-  uci set openvpn.myvpn.status=/tmp/openvpn-status.log 
-  uci set openvpn.myvpn.ca=/etc/openvpn/ca.crt+  uci set openvpn.myvpn.ca=/etc/openvpn/ca.crt             ## These options are required for tunnel negotiation
  uci set openvpn.myvpn.cert=`ls /etc/openvpn/my-*.crt`    ## NB: these are back-quotes   uci set openvpn.myvpn.cert=`ls /etc/openvpn/my-*.crt`    ## NB: these are back-quotes
  uci set openvpn.myvpn.key=`ls /etc/openvpn/my-*.key`      ## NB: these are back-quotes   uci set openvpn.myvpn.key=`ls /etc/openvpn/my-*.key`      ## NB: these are back-quotes
</code> </code>
-  - To that, add the //server-specific// parameters. Ensure that, in particular, the last line (the dh parameter) does not produce an error:<code>+  - To that, add the //server-specific// options. Ensure that, in particular, the last line (the dh option) does not produce an error:<code c>
  uci set openvpn.myvpn.server='10.8.0.0 255.255.255.0'    ## NB: these are single quotes   uci set openvpn.myvpn.server='10.8.0.0 255.255.255.0'    ## NB: these are single quotes
  uci set openvpn.myvpn.port=1194   uci set openvpn.myvpn.port=1194
-  uci set openvpn.myvpn.ifconfig_pool_persist=/tmp/openvpn-ipp.txt+
  uci set openvpn.myvpn.keepalive='10 120'                  ## NB: these are single quotes   uci set openvpn.myvpn.keepalive='10 120'                  ## NB: these are single quotes
  uci set openvpn.myvpn.dh=`ls /etc/openvpn/dh*.pem`        ## NB: these are back-quotes   uci set openvpn.myvpn.dh=`ls /etc/openvpn/dh*.pem`        ## NB: these are back-quotes
</code> </code>
-  - And finally, the tricky bit (read :!: below //before// you execute this command):<code> +  - And finally, the tricky //server-specific// option (this will be changed later):<code c
-  uci add_list openvpn.myvpn.push='redirect-gateway def1'   ## NB: these are single quotes+  uci set openvpn.myvpn.push=''                             ## NB: these are single quotes
</code> </code>
-  - Commit the configuration, enable and start the OpenVPN daemon:<code>+  - Commit the configuration, and enable OpenVPN:<code c>
  uci commit openvpn; /etc/init.d/openvpn enable   uci commit openvpn; /etc/init.d/openvpn enable
</code> </code>
-:!: If the OpenVPN Client and Server and on the same subnet, then you must add the **local** flag.  Use instead: ''uci add_list openvpn.myvpn.push='redirect-gateway def1 local''' 
-:!: If your OpenVPN Client is not to route all it's traffic via the serevr (and therefor continue to use it's existing default gateway), then you should not use the **redirect-gateway** option at all.+=== Testing & troubleshooting the configuration === 
 +Now you can start the OpenVPN server and check the listener. 
 +  - Start OpenVPN, and confirm that there is an OpenVPN  daemon and a TUN:<code c> 
 +  /etc/init.d/openvpn start; sleep 3 
 +  ps -w | grep openvpn 
 +  ifconfig | grep tun0 
 +</code> 
 +  - If the OpenVPN server is working OK, then you would expect there to be a result from (this is only for a server):<code c> 
 +  netstat -an | grep 1194 
 +</code> 
 + 
 +If things go wrong (now or later), then for troubleshooting: 
 +  - A good place to start is the log file:<code c> 
 +  cat /tmp/openvpn.log 
 +</code> 
 + 
 +==== Part 2/2 - Configure the (OpenWrt) Client ==== 
 +This is how to configure and start an OpenVPN **client** running on OpenWrt.  This process consists of essentially the same sequence of steps as for the OpenVPN server, above. 
 + 
 +:!: Before you execute Step 3, you need to know the IP address, or FQDN (//VPN_SERVER_ID//, below) that the client will use to access the server. 
 + 
 +First, create a variable with the IP address (//XXX.XXX.XXX.XXX//, below) or FQDN and test that you can get a ping response.:<code c> 
 +  set VPN_SERVER_ID="XXX.XXX.XXX.XXX" 
 +  ping -c 4 ${VPN_SERVER_ID} 
 +</code> 
 + 
 +If that works, then you can configure the client, as below. 
 +  - Clear the default OpenVPN configuration, and create a new configuration called 'myvpn' (as for the server, above). 
 +  - To that, add the //client-specific// parameters (this is different from above):<code c> 
 +  uci set openvpn.myvpn.client=1 
 +  uci set openvpn.myvpn.remote_cert_tls=server 
 +</code> 
 +  - The client also has a tricky bit (read :!: above //before// you execute this command):<code c> 
 +  uci set openvpn.myvpn.remote='${VPN_SERVER_ID} 1194'    ## NB: these are single quotes 
 +</code> 
 +  - Commit the configuration, and enable OpenVPN (as for a server, above):<code c> 
 +uci commit openvpn 
 +</code>
=== Testing & troubleshooting your configuration === === Testing & troubleshooting your configuration ===
-  - Ensure OpenVPN is //not// running, and confirm that there is no OpenVPN daemon and no TUN:<code> +That's it for the client!  Now you can start the OpenVPN client and check the tunnel.  
-  /etc/init.d/openvpn stop +  - Before starting the tunnel, you should (again) be able to ping the server from the client:<code c
-  sleep 3 +  ping -c 4 $(uci -P/var/state get openvpn.myvpn.remote | awk '{print $1;}')
-  ps | grep openvpn +
-  ifconfig | grep tun0+
</code> </code>
-  - Start OpenVPN, and confirm that there is an OpenVPN  daemon and a TUN:<code> +  - Start OpenVPN, and confirm that there is an OpenVPN  daemon and a TUN:<code c
-  /etc/init.d/openvpn start +  /etc/init.d/openvpn start; sleep 3
-  sleep 3+
  ps | grep openvpn   ps | grep openvpn
  ifconfig | grep tun0   ifconfig | grep tun0
</code> </code>
-  - If you need to troubleshoot, a good place to start is the log file:<code>+ 
 +Testing the tunnel: 
 +  - The tunnel should have made a change to the client's route table (so you can access the tunnel end-point, should be 10.8.0.1):<code c> 
 +  cat /tmp/openvpn.log | grep 'route add' 
 +    ... 
 +  route 
 +</code> 
 +  - You should be able to ping the tunnel end-point (i.e. the OpenVPN server):<code c> 
 +  traceroute 10.8.0.1 
 +</code> 
 +  - You should still be able to ping hosts on the Internet via your default gateway:<code c> 
 +  traceroute 8.8.8.8 
 +</code> 
 +  - You should be able to ping hosts on the Internet via the tunnel:<code c> 
 +  route add -net 8.8.4.4 netmask 255.255.255.255 gateway 10.8.0.5 
 +  route 
 +    ... 
 +  traceroute 8.8.4.4 
 +</code> 
 + 
 +In particular, look at hops 1 and 2 of the **traceroute**; hop 1 should be one of the gateways from your route table.  If hop 2 of **traceroute 8.8.4.4** is the IP address of VPN_SERVER_ID, then the tunnel is working.  
 + 
 +:-D Congratulations! Now look to 'tune' the OpenVPN tunnel for a specific use-case. 
 + 
 +However, if things go wrong (now or later), then for troubleshooting: 
 +  - A good place to start is the log file:<code c>
  cat /tmp/openvpn.log   cat /tmp/openvpn.log
 +</code>
 +  - In addition, you //could// try (temporarily) turning off the firewall //on the OpenVPN server// (i.e. execute the following command on the server, and not the client):<code c>
 +  /etc/init.d/firewall stop
 +  ...
 +  /etc/init.d/firewall start
</code> </code>
-==== Part 2/2 - Configure and Start the OpenWRT-based client ==== +:!: Don't forget to restart your firewall after you have finished troubleshooting (or just reboot). 
-:!: Before you execute Step 3, you need to know the IP address, or FQDN that the client will use to access the server. + 
- - Clear the default OpenVPN configuration, and create a new openvpn configuration 'myvpn' (as for the server). +===== Routing All Traffic Through the Tunnel ===== 
- - To that, add the //client-specific// parameters (this is different):<code> +If the OpenVPN server can access the Internet, then the client has the //option// of routing //all// IP traffic via the tunnel rather than through it's local gateway.  If the tunnel is merely provide access to other subnets (e.g. to access a server at home from work), but Internet access is to remain as-is, then this is not your answerInstead, see XXX. 
-  uci set openvpn.myvpn.client=1 + 
-  uci set openvpn.myvpn.resolv_retry=infinite +Before you do this, you should know whether your network is **Scenario 1** (client and server in different subnets), or **Scenario 2** (client and server in the same subnet).   
-  uci set openvpn.myvpn.nobind=1 + 
-  uci set openvpn.myvpn.remote_cert_tls=server+In **Scenario 1**, the client and server are in different subnets: 
 +  - On the OpenVPN server, execute the following<code c
 +  uci set openvpn.myvpn.push='redirect-gateway def1'        ## NB: these are single quotes 
 +  uci commit openvpn; /etc/init.d/openvpn restart
</code> </code>
-  - The client also has a tricky bit (read :!: below //before// you execute this command):<code> +  - On the OpenVPN client, execute the following:<code c
-  uci set openvpn.myvpn.remote='$VPN_SERVER_PUBLIC_ADDRESS 1194'+  /etc/init.d/openvpn restart 
 +  traceroute 8.8.8.8
</code> </code>
-  - Commit the configuration, enable and start the OpenVPN daemon (as for a server). 
-You can troubleshoot as for a server.+Alternatively, in **Scenario 2**, the client and server are in the same subnet (useful for creating/testing an OpenVPN tunnel at home): 
 +  - On the OpenVPN server, execute the following:<code c> 
 +  uci set openvpn.myvpn.push='redirect-gateway def1 local'  ## NB: these are single quotes 
 +  uci commit openvpn; /etc/init.d/openvpn restart 
 +</code> 
 +  - On the OpenVPN client, execute the following:<code c> 
 +  /etc/init.d/openvpn restart 
 +  traceroute 8.8.8.8   
 +</code>
 +:!: If your OpenVPN client is not to route all it's traffic via the server (and therefore continue to use it's existing default gateway), then you should not push the **redirect-gateway** option at all.
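Review bot: pushing `redirect-gateway def1` only changes the client's routing table; nothing in this hunk says how the server forwards and masquerades the tunnel subnet onto its WAN, so the `traceroute 8.8.8.8` check in both scenarios will fail on a server whose firewall has not been set up for that, and the text should at least point to where that is done. Smaller points in the same hunk: "Instead, see XXX." is an unfilled placeholder; "it's local gateway", "it's traffic" and "it's existing default gateway" should all be "its"; "If the tunnel is merely provide access" reads "is merely to provide access"; and the two `<code c` tags in Scenario 1 are missing their closing `>`, unlike the ones in Scenario 2.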
-==== Create a client configuration for Other OSs ==== +Once this is working, head to [[doc/howto/vpn.server.openvpn.tun]] for more OpenVPN 'recipes'. 
-In your favorite text editor on the client machine that will be connecting, paste (needs testing)+ 
-<code> +=== Testing & troubleshooting your configuration === 
-client +Test as above.   
-dev tun+ 
 + 
 +===== Configuring OpenVPN for Other OSs ===== 
 +Below is a copy of an OpenVPN configuration file that is identical to that created above for OpenWrt OpenVPN clients. 
 + 
 +==== Create an OpenVPN client configuration file ==== 
 +In your favorite text editor on the client machine that will be connecting, paste the following. Save the file as **client.ovpn**: 
 + 
 +<code text>dev tun
proto udp proto udp
-remote XXXXXXXX 1194 + 
-resolv-retry infinite +log openvpn.log 
-nobind +verb 3 
-persist-key +
-persist-tun+
ca ca.crt ca ca.crt
-cert my-client.crt +cert MY-CLIENT.crt 
-key my-client.key +key MY-CLIENT.key 
-comp-lzo+ 
 +client 
 +remote_cert_tls server 
 + 
 +remote VPN_SERVER_ID 1194
</code> </code>
-:!: Make sure to try and mirror **ALL** the server options client-side, whatever client you're using, as some of them (namely lzo compression) can have adverse effects if they're not present in **BOTH** configurations.+:!: Make sure to try and mirror ALL the server options client-side, whatever client you're using, as some of them (//especially// LZO compression) can have adverse effects if they're not present in BOTH configurations.
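Review bot: the `client.ovpn` in this hunk contains `remote_cert_tls server`, which is the UCI option spelling; a standard OpenVPN client expects the directive `remote-cert-tls server` (as the generated `/var/etc/openvpn-myvpn.conf` later in this diff correctly shows), so the file as written will be rejected and the intended server-certificate check never runs. Also `cert MY-CLIENT.crt` / `key MY-CLIENT.key` differ in case from the `my-client.crt` / `my-client.key` names used everywhere else on the page, and `remote VPN_SERVER_ID 1194` should say that VPN_SERVER_ID is to be replaced by the server's public address or FQDN, as the old `$VPN_SERVER_PUBLIC_ADDRESS` wording did.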
-Save the file as ''client.ovpn''+===== Completed OpenVPN Configuration ===== 
 +Below is a copy a the final OpenVPN configuration as produced by this beginner's guide (HOWTO).  Note that some of these settings are very implementation-specific.
 +On OpenWrt, standard-format OpenVPN configuration files are not normally used (although you can do so if you wish).  Instead, these configuration files are dynamically created from **/etc/config/openvpn** by **/etc/init.d/openvpn** during it's startup process.  If OpenVPN is running, then the specific name/location of the OpenVPN-compatible configuration file can be seen with **ps -w | grep openvpn**.  If required, you can copy this file and use it elsewhere!
 +==== Server Configuration ====
 +If you execute **cat /etc/config/openvpn** on an OpenWrt-based OpenVPN client, you 'should' get:<code>
 +config openvpn 'myvpn'
 +        option enabled '1'
 +        option dev  'tun'
 +        option proto 'udp'
 +        option server    '10.8.0.0 255.255.255.0'
 +        option port      '1194'
 +        option keepalive '10 120'
 +        option ca  '/etc/openvpn/ca.crt'
 +        option key  '/etc/openvpn/my-server.key'
 +        option cert '/etc/openvpn/my-server.crt'
 +        option dh  '/etc/openvpn/dh2048.pem'
 +        option log  '/tmp/openvpn.log'
 +        option verb '3'
 +</code>
 +Alternatively, you could execute **uci show openvpn** to see the same configuration, but in UCI format.  It may be easier to make changes via UCI, or by directly editing the OpenWrt configuration file directly.
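Review bot: under "==== Server Configuration ====" the lead sentence says "on an OpenWrt-based OpenVPN client", which is copied from the client section and should read "server". Smaller fixes in the same hunk: "Below is a copy a the final" should be "a copy of the final"; "during it's startup process" should be "its"; and "or by directly editing the OpenWrt configuration file directly" repeats "directly".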
 +==== Client Configuration (OpenWrt-based clients) ====
 +If you execute **cat /etc/config/openvpn** on an OpenWrt-based OpenVPN client, you 'should' get:<code>
 +config openvpn 'myvpn'
 +        option enabled '1'
 +        option dev  'tun'
 +        option proto 'udp'
 +        option client '1'
 +        option remote '172.27.0.1 1194'
 +        option ca  '/etc/openvpn/ca.crt'
 +        option cert '/etc/openvpn/my-client.crt'
 +        option key  '/etc/openvpn/my-client.key'
 +        option remote_cert_tls 'server'
 +        option log  '/tmp/openvpn.log'
 +        option verb '3'
 +</code>
 +Note that your OpenVPN server will probably have a different IP address (or even a FQDN) to that used here.
 +=== Client Configuration File (standard clients) ===
 +If you execute (the equivalent of) **cat /var/etc/openvpn-myvpn.conf** on any OpenVPN client, you should get:<code>
 +dev tun
 +proto udp
 +client
 +remote 172.27.0.1 1194
 +ca  /etc/openvpn/ca.crt
 +cert /etc/openvpn/my-client.crt
 +key  /etc/openvpn/my-client.key
 +remote-cert-tls server
-===== Troubleshooting =====+log  /tmp/openvpn.log 
 +verb 3 
 +</code>
-* Make sure you are trying to connect to the VPN server from the outside - i.e. use 3G connection, go to a different building etc. Using another vpn (that routes all your traffic) does not seem to help. If you do not do this, a good configuration might not work at all.+===== Other Stuff =====
-* If unsure how various parameters are parsed to openvpn, you can find out PID with ps and then look up the parameters with ''tr '\0' ' ' < /proc/PID/cmdline +==== General guidelines for troubleshooting ====
-'' (Replace PID with a number)+
-* Attention: The logfile (if not in system log) doesn't limit its disk space - check periodically that you have enough free disk space for other applications (my log on level 6 needed less than a week to fill the whole disk space of a TP-Link 1043)+This command is useful: 
 +<code c>ps -w | grep openvpn 
 +</code> 
 + 
 +You should see a *.conf file after ''----config''.  You can then execute this more useful command: 
 +<code c>cat  /var/etc/*.conf 
 +</code> 
 + 
 +* Make sure you are trying to connect to the VPN server from the outside - i.e. use 3G connection, go to a different building etc. Using another vpn (that routes all your traffic) does not seem to help. If you do not do this, a good configuration might not work at all. 
 + 
 +* Attention: The logfile (if not in system log) doesn't limit its disk space - check periodically that you have enough free disk space for other applications (my log on level 6 needed less than a week to fill the whole disk space of a TP-Link 1043).  [the way to fix this is: a) use verb=3, and b) use logrotate]
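Review bot: `''----config''` shows four dashes where the OpenVPN option is `--config`, so a reader grepping the `ps -w | grep openvpn` output will not find it; please check how DokuWiki renders the double dash and fix the markup. The bracketed "[the way to fix this is: a) use verb=3, and b) use logrotate]" reads as an editor's aside and should become a plain sentence, since a log that fills the flash is a real availability problem on a router (the hunk's own TP-Link 1043 example), and the completed configurations earlier in this diff already use `verb '3'`.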
|FIXME: Please read [[vpn.overview]] and see this old articles on this matter: [[http://wiki.openwrt.org/?do=search&id=vpn]] and help **migrate** them. There is also an article in the inbox: [[inbox:vpn.howto]] | |FIXME: Please read [[vpn.overview]] and see this old articles on this matter: [[http://wiki.openwrt.org/?do=search&id=vpn]] and help **migrate** them. There is also an article in the inbox: [[inbox:vpn.howto]] |
 +==== When truly stuck: asking for help ====
 +
 +In short, hit the OpenWrt forum: [[https://forum.openwrt.org/viewforum.php?id=10]].  At a minimum, you'd be expected to a) create an intelligent request for help, and b) paste a copy of the following files:
 +<code c>cat /tmp/openvpn.log
 +cat /etc/config/network
 +cat /etc/config/firewall
 +cat /etc/config/openvpn
 +</code>
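Review bot: before telling readers to paste `/tmp/openvpn.log`, `/etc/config/network` and `/etc/config/openvpn` onto a public forum, add a line asking them to redact public IP addresses, hostnames and anything else identifying (the `remote` option and the log lines carry the server's public address), so a request for help does not double as a description of their network.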
 +
 +==== References ====
 +See: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage


doc/howto/vpn.openvpn.1393701569.txt.bz2 · Last modified: 2014/03/01 20:19 by zxdavb