doc:howto:vpn.openvpn

doc:howto:vpn.openvpn [2014/08/20 23:40]
zxdavb
doc:howto:vpn.openvpn [2015/03/19 04:17] (current)
simguru Reformatted comments
Line 1: Line 1:
 ====== OpenVPN Setup Guide for Beginners ====== ​ ====== OpenVPN Setup Guide for Beginners ====== ​
-This is a //​beginner'​s//​ guide to setting up OpenVPN on a server and a client (and a PKI) where, in this instance, both are running OpenWrt (although the OpenVPN client could easily be running on another OS, such as Windows, or *nix). ​ Because ​of that, this HOWTO is quite long & wordy.+This is a //​beginner'​s//​ guide to setting up OpenVPN on a server and a client (and a PKI) where, in this instance, both are running OpenWrt (although the OpenVPN client could easily be running on another OS, such as Windows, or *nix). ​ Because ​it's a beginner'​s guide, this HOWTO is quite long & wordy.
  
 | For non-beginners,​ [[doc/​howto/​vpn.server.openvpn.tun]] may be a better place to start. | | For non-beginners,​ [[doc/​howto/​vpn.server.openvpn.tun]] may be a better place to start. |
  
-The primary goal of this HOWTO is purely ​to create ​a working OpenVPN tunnel.  However, once the tunnel //is// working, then it can be further '​tuned'​ for specific use-cases. ​ The strategy ​here is to keep it simple, and get the OpenVPN tunnel working before adding the complexity required for '​real-world'​ use-cases.  Because of that, this is a //very basic// OpenVPN tunnel configuration that may not suit most people'​s needs.  ​+The primary goal of this HOWTO is to get a working OpenVPN tunnelthe strategy ​used by this HOWTO is to keep it simple. ​ Because of that, this is a //very basic// OpenVPN tunnel configuration that will not suit most people'​s needs without further configuration.  ​
  
 However, once the basic tunnel is working, then additional '​recipes'​ for other use-cases can be found at [[doc/​howto/​vpn.server.openvpn.tun]] (sorry, that wiki page is a WIP).  Such use-cases might include: TAP, multiple-VPN routers, VPN-over-SOCKS,​ etc. However, once the basic tunnel is working, then additional '​recipes'​ for other use-cases can be found at [[doc/​howto/​vpn.server.openvpn.tun]] (sorry, that wiki page is a WIP).  Such use-cases might include: TAP, multiple-VPN routers, VPN-over-SOCKS,​ etc.
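Review bot: the rewritten sentence on the right-hand side, "to get a working OpenVPN tunnelthe strategy used by this HOWTO is to keep it simple", has lost the punctuation between its two clauses; write "to get a working OpenVPN tunnel; the strategy used by this HOWTO is to keep it simple." Otherwise the tightened intro reads better than the original, and the new "will not suit most people's needs without further configuration" sets expectations correctly for the sections that follow.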
Line 56: Line 56:
 :!: Before executing Step 1, you should check which specific version of OpenWRT you have.  See the notes below for more information. :!: Before executing Step 1, you should check which specific version of OpenWRT you have.  See the notes below for more information.
   - On both the client and the server, install the OpenVPN package:<​code c>   - On both the client and the server, install the OpenVPN package:<​code c>
-  opkg update; opkg install openvpn-openssl ​ ## or: opkg install openvpn+  opkg update; opkg install openvpn-openssl ​ ## or, if using AA instead of BB: opkg install openvpn
 </​code>​ </​code>​
  
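Review bot: the added comment "or, if using AA instead of BB: opkg install openvpn" relies on two abbreviations the page never expands, which is a problem in a guide aimed at beginners; spell out the release names once (the page's own Example section later names "OpenWrt 14.07 Barrier Breaker", which is what BB stands for) so the reader can match the package to their build. Since the preceding line tells the reader to check their OpenWrt version before Step 1, it would also help to say how, e.g. `cat /etc/openwrt_release`.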
Line 302: Line 302:
  
 :!: Don't forget to restart your firewall after you have finished troubleshooting (or just reboot). :!: Don't forget to restart your firewall after you have finished troubleshooting (or just reboot).
 +
 +===== Creating a Private IPv6 Tunnel =====
 +Since OpenVPN 2.3.//x//, OpenVPN can be used to provision IPv6 traffic through a TUN tunnel. This is useful to access IPv6 resources from a remote IPv4 network. All one needs to do is provision IPv6 through the tunnel and enable forwarding. First, to provision IPv6, suppose your IPv6 subnet is **2001:​aa:​bb:​cc::/​64** and the LAN interface on the OpenWrt router has the IPv6 address **2001:​aa:​bb:​cc::​1/​64**. To provision IPv6:
 +
 +<code c>
 +uci set openvpn.myvpn.server_ipv6='​2001:​aa:​bb:​cc::/​64' ​         ## set the subnet that VPN clients will receive
 +uci add_list openvpn.myvpn.push='​route-ipv6 2001:​aa:​bb:​cc::/​64'​ ## advertise the IPv6 route
 +uci add_list openvpn.myvpn.push='​route-ipv6 2000::/​3' ​          ## route all Internet IPv6 traffic via the VPN
 +uci commit openvpn ​                                             ## save changes
 +/​etc/​init.d/​openvpn restart ​                                    ## restart the OpenVPN daemon
 +</​code>​
 +
 +Provisioning a subnet other than /64 is possible, but is more complicated. See the [[https://​community.openvpn.net/​openvpn/​wiki/​IPv6|OpenVPN wiki]] for more details. The last step is to enable IPv6 forwarding to the Internet. To allow it, edit **/​etc/​config/​firewall**:​
 +
 +<code c>
 +config forwarding
 +        option src '​vpn'​
 +        option dest '​wan'​
 +        option family '​ipv6'​
 +</​code>​
 +
 +After editing the firewall changes, enable them by executing:
 +<code c>
 +/​etc/​init.d/​firewall reload
 +</​code>​
 +
 +===== Routing Only Local LAN Client Traffic Through the Tunnel =====
 +If all that is needed is to allow clients access to the local subnet (e.g., to access a server at home from work), and to leave Internet access as-is, all one needs to do is advertise the local subnet and configure the firewall to allow traffic through. First, to advertise the route:
 +
 +<code c>
 +uci set openvpn.myvpn.push='​route 192.168.1.0 255.255.255.0'​
 +uci commit openvpn
 +/​etc/​init.d/​openvpn restart
 +</​code>​
 +
 +In this example the subnet is 192.168.1.0/​24. Adjust your configuration accordingly for your LAN. Now, the firewall has to be enabled to allow traffic from the VPN clients to the local LAN. To allow it, edit **/​etc/​config/​firewall**:​
 +
 +<code c>
 +## NB: this zone should have already been created in the previous setup step; just add the masq option as noted below
 +config zone
 + option name '​vpn'​
 + option masq '​1'​ ## NB: this option was added to enable forwarding out of the VPN zone
 + option input '​ACCEPT'​
 + option forward '​ACCEPT'​
 + option output '​ACCEPT'​
 + option network '​vpn0'​
 +
 +## NB : this section was added
 +config forwarding
 + option src '​vpn'​
 + option dest '​lan'​
 +</​code>​
 +
 +After editing the firewall changes, enable them by executing:
 +<code c>
 +/​etc/​init.d/​firewall reload
 +</​code>​
  
 ===== Routing All Client Traffic Through the Tunnel ===== ===== Routing All Client Traffic Through the Tunnel =====
-If the OpenVPN server can access the Internet, then the client has the //option// of routing //all// its IP traffic via the tunnel rather than through it's local gateway. ​ If the tunnel is merely provide access to other subnets (e.g. to access a server at home from work), but Internet access is to remain as-is, then this is not your answer. ​ Instead, see XXX.+If the OpenVPN server can access the Internet, then the client has the //option// of routing //all// its IP traffic via the tunnel rather than through it's local gateway. ​ If the tunnel is merely provide access to other subnets (e.g. to access a server at home from work), but Internet access is to remain as-is, then this is not your answer. ​ Instead, see [[doc/​howto/​vpn.openvpn#​Routing Only Local LAN Client Traffic Through the Tunnel]].
  
 Before you do this, you should know whether your network is **Scenario 1** (client and server in different subnets), or **Scenario 2** (client and server in the same subnet).  ​ Before you do this, you should know whether your network is **Scenario 1** (client and server in different subnets), or **Scenario 2** (client and server in the same subnet).  ​
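Review bot: in the new "Creating a Private IPv6 Tunnel" section, `server_ipv6` is set to 2001:aa:bb:cc::/64, the same prefix the text has just assigned to the LAN interface (2001:aa:bb:cc::1/64), so the VPN address pool and the LAN would share one prefix across two interfaces of the same router and routing between them cannot work; the tun side needs its own prefix (a separate /64, or a sub-range as the linked OpenVPN wiki page describes), and the `push='route-ipv6 2001:aa:bb:cc::/64'` line should then point at the LAN prefix rather than at the pool. Two more points in the same hunk: the comment on `option masq '1'` in the vpn zone ("added to enable forwarding out of the VPN zone") is misleading, because forwarding from vpn to lan is granted by the `config forwarding` stanza added just below it and masq only source-NATs packets leaving via vpn0; and `uci set openvpn.myvpn.push='route 192.168.1.0 255.255.255.0'` applies `uci set` to the list option `push`, which turns it into a plain option and discards any entries already added with `uci add_list` (as the IPv6 section does two paragraphs earlier), so use `uci add_list` here as well. Minor wording in the unchanged context: "If the tunnel is merely provide access" should read "merely to provide", and "it's local gateway" should be "its".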
Line 311: Line 368:
   - On the OpenVPN server, execute the following<​code c>   - On the OpenVPN server, execute the following<​code c>
   uci set openvpn.myvpn.push='​redirect-gateway def1' ​       ## NB: these are single quotes   uci set openvpn.myvpn.push='​redirect-gateway def1' ​       ## NB: these are single quotes
-  uci commit openvpn/​etc/​init.d/​openvpn restart+  uci commit openvpn 
 +  ​/​etc/​init.d/​openvpn restart
 </​code>​ </​code>​
   - On the OpenVPN client, execute the following:<​code c>   - On the OpenVPN client, execute the following:<​code c>
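Review bot: `uci set openvpn.myvpn.push='redirect-gateway def1'` overwrites the `push` list instead of appending to it, so any routes pushed in the earlier sections (the `route-ipv6` entries added with `uci add_list`, or the LAN route) are silently dropped; use `uci add_list openvpn.myvpn.push='redirect-gateway def1'` and confirm the resulting list with `uci show openvpn.myvpn` before restarting. Splitting `uci commit openvpn/etc/init.d/openvpn restart` into two lines is the right fix: as written on the left, the restart would never have run.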
Line 466: Line 524:
 ==== References ==== ==== References ====
 See: https://​community.openvpn.net/​openvpn/​wiki/​Openvpn23ManPage See: https://​community.openvpn.net/​openvpn/​wiki/​Openvpn23ManPage
 +
 +===== Example =====
 +A video demonstration of how OpenVPN 2.3.6 from the repositories can be installed as an OpenVPN Client on OpenWrt 14.07 Barrier Breaker: https://​www.youtube.com/​watch?​v=3lqP1P-OqYA
doc/howto/vpn.openvpn.1408570859.txt.bz2 · Last modified: 2014/08/20 23:40 by zxdavb