doc:howto:vpn.openvpn
This wiki is read only and for archival purposes only. Please use the new OpenWrt wiki at https://openwrt.org/

doc:howto:vpn.openvpn [2016/10/02 17:05]
hbogert [Configure the network on the OpenWrt client]
doc:howto:vpn.openvpn [2018/01/30 00:07] (current)
numbers warned about weak ciphers and provided link to newer howto
Line 1: Line 1:
 +<WRAP centeralign><​wrap danger>​This HOWTO will leave your VPN using several ciphers that are weak and exploitable as per the SWEET32 attack. [[openvpn-streamlined-server-setup|OpenVPN Server HowTo (Streamlined)]] is a more modern alternative.</​wrap></​WRAP>​
 +
 ====== OpenVPN Setup Guide for Beginners ====== ​ ====== OpenVPN Setup Guide for Beginners ====== ​
-This is a beginner'​s guide to setting up OpenVPN on a server and a client where, in this instance, both are running ​OpenWrt ​(although the OpenVPN client could easily be running on another OS, such as Windows or Linux).+This is a beginner'​s guide to setting up an OpenVPN ​connection ​on OpenWrt.
  
-For non-beginners or real-world tunnels, [[doc/​howto/​vpn.server.openvpn.tun]] may be better place to start.+The primary goal of this HOWTO is to get working OpenVPN tunnel and establish a basic platform for further customization. Most users will require further configuration tailored ​to their individual needs.
  
-The primary goal of this HOWTO is to get a working OpenVPN tunnel; the strategy used by this HOWTO is to keep it simple. ​ Because of that, this is a very basic OpenVPN tunnel configuration that will not suit most people'​s needs without ​further configuration. However, once the basic tunnel is working, additional recipes for other use-cases ​can be found at [[doc/​howto/​vpn.server.openvpn.tun]].+Links to pages guiding ​further configuration can be found under the [[#other considerations|Other Considerations]] section of this guide.
  
 For an overview of all VPN-related articles (including other VPN technologies),​ see [[doc/​howto/​vpn.overview]]. For an overview of all VPN-related articles (including other VPN technologies),​ see [[doc/​howto/​vpn.overview]].
  
 ===== Use Case (the beginner'​s configuration) ===== ===== Use Case (the beginner'​s configuration) =====
-The user wants a client to access their OpenWrt router without the possibility of being snooped. That is, the user can already access the router, but over a public network, such as the Internet. ​ +The user wants a client to access their OpenWrt router without the possibility of being snooped. That is, the user can already access the router, but over a public network, such as the Internet. ​The end result will be a private connection directly between the OpenVPN client and server. Mostly, it is as if the two end-points are on the same subnet (but not on the same subnet as your router'​s LAN).
  
-The end result will be a private connection directly between ​the OpenVPN ​client and server. ​Mostlyit is as if the two end-points are on the same subnet ​(but not on the same subnet as your router's LAN).+This HOWTO offers instructions on three OpenVPN distinct configurations:​ 
 +  * Default (TUN) Server: ​The simplest type of OpenVPN server to configure, clients are exclusively managed by OpenVPN and can be assigned IP addresses by the OpenVPN server ​under their own distinct subnet. 
 +  * Server-Bridge (TAP) Server: Also called an ethernet-bridgethis configuration creates a virtual ethernet cable between the server and client. This means that clients will be treated by the router ​as if they were plugged into it like any other computer. They will be assigned an IP address by the network'​s DHCP server ​(most commonly ​the router ​itself)
 +  * Client: OpenVPN will act as a client and connect to a remote server.
  
-To facilitate configuration/​testingthis HOWTO permits two distinct scenarios ​for this use-case: +It should be noted that using a TAP adapter is not a synonym for server-bridginghowever a TAP adapter is required ​for server-bridgingwhereas TUN is almost always superior if not bridgingFor the sake of simplicitywe will use these terms interchangeably,​ since comparing ​the terms "​server"​ and "​server-bridge"​ could cause confusionTUN will be used to refer to a traditional server and TAP will refer to a server-bridge configuration.
-  * Scenario 0: the OpenVPN client can ping the OpenWrt router via the router'​s LAN interface. Specificallythey are on the same subnet (e.g. the client is a DHCP client ​of the OpenWrt router). +
-  * Scenario 1: the OpenVPN client can ping the OpenWrt router via the router'​s WAN interface. Specificallythey are **not** on the same subnet (e.g. they are separated by the Internet).+
  
-Scenario 0 takes out much of the complexity of real-world configurations,​ such as the vagaries of the Internet, or your OpenWrt firewall configuration. Scenario 0 allows you to easily implement an OpenVPN ​tunnelwhich can then be switched to Scenario 1which itself ​is the basis for most real-world OpenVPN configurationsYou can either start with Scenario 0and switch ​to Scenario 1 when you've got it working, or start directly ​with Scenario 1 and switch back to Scenario 0 for troubleshooting.+While it is possible ​to configure ​OpenVPN ​on OpenWrt using a remote connection (through SSHfor example)it is recommended that testing is performed locally with the Default (TUN) Server, as this will simplify any troubleshootingIf using a TAP serverit is better ​to test with a remote connection if possible since a server-bridge connection will use the same subnet ​and your client will be assigned two IP addresses on the same network (which may or may not cause connectivity issues).
  
 +A TUN server has less overhead, and will only send traffic destined for the client, where a TAP server is less efficient and will send broadcast packets to the clients.
 +
 +A TUN server can use the same subnet as the local network'​s DHCP server if desired, but it should assign addresses outside of the DHCP server'​s range, or IP conflicts may occur (two clients assigned the same IP, one by DHCP and the other by OpenVPN).
 +
 +A TUN server is easier to set up security for, since clients can be on a separate subnet that is easily firewalled. Since these clients are not sent broadcast data, a malicious client would be able to access less data on the network.
 +
 +A TAP server integrates clients into the network in a more seamless manner, and can simplify the process for setting up a variety of network applications. However, such integration may come at the price of security. Please note that regardless of method chosen, setting up proper firewall rules is essential for proper security, and is far more important than the discrimination between TUN and TAP servers.
 +
 +:!: If using a TAP server, it is highly recommended that you change your DHCP subnet to something other than 192.168.**0**.XXX or 192.168.**1**.XXX. These are very common and will cause routing conflicts and connectivity issues if you attempt to connect from a client attached to a router utilizing the same subnet. This can generally be accomplished by changing the IP address of the OpenWrt/​OpenVPN router to something like 192.168.**7**.1
 ===== Prerequisites ===== ===== Prerequisites =====
 This HOWTO requires that the OpenVPN server is an OpenWrt router running OpenWrt 15.05 Chaos Calmer. This HOWTO requires that the OpenVPN server is an OpenWrt router running OpenWrt 15.05 Chaos Calmer.
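Review bot: The sentence "A TUN server can use the same subnet as the local network's DHCP server if desired" is wrong for the routed setup this page configures: the `server` directive adds a route for the tunnel subnet via tun0 on the router, which then collides with the connected route on br-lan for the same prefix, so clients and LAN hosts become unreachable in one direction or the other. Keep the TUN subnet distinct (the later config uses 10.8.0.0/24, which is fine) and delete or invert that sentence. In the same comparison, "clients can be on a separate subnet that is easily firewalled" should say what does the firewalling, namely the vpn zone with `forward=REJECT` configured later on this page; a TAP client lands inside br-lan with no zone boundary at all, which is the real security difference between the two modes and is worth stating next to the 192.168.7.x advice.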
Line 27: Line 39:
 opkg install openvpn-openssl openvpn-easy-rsa opkg install openvpn-openssl openvpn-easy-rsa
 </​code>​ </​code>​
 +:!: Note that although the **easy-rsa** package uses the latest version of openssl, its bash scripts are from 2013 (execute: ''​opkg list | grep easy-rsa''​);​ this may not be '​secure'​ enough for you (for example, 2048-bit keys were considered unbreakable in 2013). For this reason, you may want to consider the alternative means of creating the client/​server certificates,​ below (just know that using easy-rsa is a lot '​easier'​).
  
 ===== Create the certificates ===== ===== Create the certificates =====
 +If you are creating an OpenVPN server (either type), you must create security certificates using the instructions below. If you are using OpenVPN as a client, the required certificates should have been provided with your configuration details.
 +
 +Each of these methods create a server certificate named //​my-server//​ and a client certificate named //​my-client//​. The first two methods are roughly the same, the third method is arguably more '​secure',​ but is also somewhat more complicated (and thus prone to mistakes). I suggest you get your tunnel working using easy-rsa scripts first, then try the most '​secure'​ method after that.
 +
 +<tabbox Using easy-rsa scripts (easiest)>​
 <​code>​ <​code>​
 build-ca build-ca
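Review bot: The parenthetical "(for example, 2048-bit keys were considered unbreakable in 2013)" undercuts the warning it is meant to support, since 2048-bit RSA is still an acceptable key size; readers will either ignore the note or conclude the easy-rsa method is broken. The concrete concern with the 2013-era easy-rsa 2 scripts is their defaults in `/etc/easy-rsa/vars` (KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, and the digest), so suggest replacing the parenthetical with "check and adjust /etc/easy-rsa/vars before running build-ca", which is also what the openssl tab below does explicitly with default_bits and default_days.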
Line 38: Line 56:
 The above creates a server certificate named //​my-server//​ and a client certificate named //​my-client//​. You can create multiple client certificates by running ''​build-key-pkcs12''​ multiple times and specifying different names. The above creates a server certificate named //​my-server//​ and a client certificate named //​my-client//​. You can create multiple client certificates by running ''​build-key-pkcs12''​ multiple times and specifying different names.
  
-You can create a new set of certificates by running ''​clean-all''​ and then the above commands again.ls+You can create a new set of certificates by running ''​clean-all''​ and then the above commands again.
  
 +<tabbox Using pkitool from easy-rsa>​
 +<​code>​
 +pkitool --initca ​                     ## equivalent to the '​build-ca'​ script
 +pkitool --server my-server ​           ## equivalent to the '​build-key-server'​ script
 +pkitool ​         my-client ​           ## equivalent to the '​build-key'​ script (*not build-key-pkcs12)
 +openssl dhparam -out dh2048.pem 2048  ## equivalent to the '​build-dh'​ script
 +</​code>​
 +
 +You can wipe everything and start again by running ''​clean-all''​.
 +
 +<tabbox Using openssl commands (most secure)>
 +<​code>###​ Step 1: Create the PKI directory tree
 +  PKI_DIR="/​etc/​openvpn/​ssl"​
 +# rm -r ${PKI_DIR} ​ ## ir required, remove the folder, and start again
 +
 +  mkdir -p ${PKI_DIR}
 +# chown -R root:root ${PKI_DIR}
 +  chmod -R 0600 ${PKI_DIR}
 +
 +  cd ${PKI_DIR} ## popd ${PKI_DIR}
 +  ​
 +  touch index.txt; echo 1000 > serial
 +  mkdir newcerts # certs crl csr private
 +# chmod 0700 private
 +  ​
 +  ​
 +### Step 2: Start with a clean configuration,​ and establish the basic variables
 +  cp /​etc/​ssl/​openssl.cnf ${PKI_DIR}
 +  PKI_CNF=${PKI_DIR}/​openssl.cnf
 +  ​
 +  sed -i '/​^dir/ ​  ​s:​=.*:​= /​etc/​openvpn/​ssl:' ​                     ${PKI_CNF}
 +  sed -i '/​.*Name/​ s:= match:= optional:' ​                   ${PKI_CNF}
 +
 +  sed -i '/​organizationName_default/ ​   s:= .*:= WWW Ltd.:' ​ ${PKI_CNF}
 +  sed -i '/​stateOrProvinceName_default/​ s:= .*:= London:' ​   ${PKI_CNF}
 +  sed -i '/​countryName_default/ ​        s:= .*:= GB:' ​       ${PKI_CNF}
 +  ​
 +  sed -i '/​default_days/ ​  ​s:​=.*:​= 3650:' ​                   ${PKI_CNF} ## default usu.: -days 365 
 +  sed -i '/​default_bits/ ​  ​s:​=.*:​= 4096:' ​                   ${PKI_CNF} ## default usu.: -newkey rsa:2048
 +# sed -i '/​default_md/ ​    ​s:​=.*:​= default:' ​                ​${PKI_CNF} ## default usu.: sha256
 +
 +
 +cat >> ${PKI_CNF} <<"​EOF"​
 +###############################################################################​
 +### Check via: openssl x509 -text -noout -in *.crt | grep 509 -A 1
 +[ my-server ] 
 +#  X509v3 Key Usage: ​         Digital Signature, Key Encipherment
 +#  X509v3 Extended Key Usage: TLS Web Server Authentication
 +  keyUsage = digitalSignature,​ keyEncipherment
 +  extendedKeyUsage = serverAuth
 +
 +[ my-client ] 
 +#  X509v3 Key Usage: ​         Digital Signature
 +#  X509v3 Extended Key Usage: TLS Web Client Authentication
 +  keyUsage = digitalSignature
 +  extendedKeyUsage = clientAuth
 +
 +EOF
 +  ​
 +  ​
 +### Step 3a: Create the CA, Server, and Client certificates (*without* using easy-rsa):
 +# pkitool --initca ​           ## equivalent to the '​build-ca'​ script
 +  openssl req -batch -nodes -new -keyout "​ca.key"​ -out "​ca.crt"​ -x509 -config ${PKI_CNF} ​ ## x509 (self-signed) for the CA
 +
 +# pkitool --server my-server ​ ## equivalent to the '​build-key-server'​ script
 +  openssl req -batch -nodes -new -keyout "​my-server.key"​ -out "​my-server.csr"​ -subj "/​CN=my-server"​ -config ${PKI_CNF}
 +  openssl ca  -batch -keyfile "​ca.key"​ -cert "​ca.crt"​ -in "​my-server.csr"​ -out "​my-server.crt"​ -config ${PKI_CNF} -extensions my-server
 +  ​
 +# pkitool ​         my-client ​ ## equivalent to the '​build-key'​ script
 +  openssl req -batch -nodes -new -keyout "​my-client.key"​ -out "​my-client.csr"​ -subj "/​CN=my-client"​ -config ${PKI_CNF}
 +  openssl ca  -batch -keyfile "​ca.key"​ -cert "​ca.crt"​ -in "​my-client.csr"​ -out "​my-client.crt"​ -config ${PKI_CNF} -extensions my-client ​    
 +
 +  chmod 0600 "​ca.key"​
 +  chmod 0600 "​my-server.key"​
 +  chmod 0600 "​my-client.key"​
 + 
 +
 +### Step 3b: Create the Diffie-Hellman parameters (will take a long time - you may want to go get a meal!):
 +  openssl dhparam -out dh2048.pem 2048     ## equivalent to the '​build-dh'​ script
 +
 +
 +### Step 4: Keep the PKI even if performing a sysupgrade, check with: sysupgrade -l | grep rsa
 +# echo ${PKI_DIR}/​* ​    > /​lib/​upgrade/​keep.d/​my-pki
 +  ​
 +  ​
 +### Step 5: Create the client'​s .ovpn file
 +###
 +
 +  OVPN_FILE="/​etc/​openvpn/​uk-tunnel0.ovpn"​
 +
 +tee /​etc/​openvpn/​uk-tunnel0.ovpn >/​dev/​null <<​EOF2
 +  client ​    ## implies pull, tls-client
 +  dev tun
 +# proto udp  ## udp is the default
 +  fast-io
 +  remote ${MY_PUBLIC_FQDN} 1194
 +  remote-cert-tls server
 +  nobind
 +  persist-key
 +  persist-tun
 +  comp-lzo no
 +  verb 3
 +EOF2
 +
 +echo '<​ca>' ​   >> ${OVPN_FILE}
 +cat            >> ${OVPN_FILE} < ca.crt ​       ​
 +echo '</​ca>' ​  >>​ ${OVPN_FILE}
 +
 +echo '<​cert>' ​ >> ${OVPN_FILE}
 +cat            >> ${OVPN_FILE} < my-client.crt ​
 +echo '</​cert>'​ >> ${OVPN_FILE}
 +
 +echo '<​key>' ​  >>​ ${OVPN_FILE}
 +cat            >> ${OVPN_FILE} < my-client.key ​
 +echo '</​key>' ​ >> ${OVPN_FILE}
 +
 +
 +### Step 5: Copy the client certificate from the server to the client (e.g. via a USB stick, or using the scp utility).
 +#  ssh -y root@192.168.1.234 'mkdir -p /​etc/​openvpn'​
 +#  scp ${OVPN_FILE} root@192.168.1.234:/​etc/​openvpn
 +</​code>​
 +</​tabbox>​
  
 ===== Distribute the certificates ===== ===== Distribute the certificates =====
 +Copy your server keys to the /​etc/​openvpn directory so that they don't get overwritten.
 +
 +<tabbox Using easy-rsa Scripts>
 <​code>​ <​code>​
 cp /​etc/​easy-rsa/​keys/​ca.crt /​etc/​easy-rsa/​keys/​my-server.* /​etc/​easy-rsa/​keys/​dh2048.pem /​etc/​openvpn cp /​etc/​easy-rsa/​keys/​ca.crt /​etc/​easy-rsa/​keys/​my-server.* /​etc/​easy-rsa/​keys/​dh2048.pem /​etc/​openvpn
 +</​code>​
 +Copy the client keys to your SSH machine so you can distribute it to your intended client. This is just a reference for ease of use - these keys can be distributed in whatever way is most convenient (i.e. USB drive).
 +<​code>​
 scp /​etc/​easy-rsa/​keys/​ca.crt /​etc/​easy-rsa/​keys/​my-client.* root@CLIENT_IP_ADDRESS:/​etc/​openvpn scp /​etc/​easy-rsa/​keys/​ca.crt /​etc/​easy-rsa/​keys/​my-client.* root@CLIENT_IP_ADDRESS:/​etc/​openvpn
 </​code>​ </​code>​
 +<tabbox Using OpenSSL Commands> ​
  
-The above assumes that you can connect to the client from the server, that the client ​has a SSH server and that you can login as rootIf you can't, transfer the client certificate some other way, such as using an USB stick.+<​code>​ 
 +cp /​etc/​openvpn/​ssl/​ca.crt /​etc/​openvpn/​ssl/​my-server.* /​etc/​openvpn/​ssl/​dh2048.pem /​etc/​openvpn 
 +</​code>​ 
 +Copy the client ​keys to your SSH machine so you can distribute it to your intended clientThis is just a reference for ease of use - these keys can be distributed in whatever ​way is most convenient (i.e. USB drive). 
 +<​code>​ 
 +scp /​etc/​openvpn/​ssl/​ca.crt /​etc/​openvpn/​ssl/​my-client.* root@CLIENT_IP_ADDRESS:/​etc/​openvpn 
 +</​code>​ 
 +</​tabbox>​
  
-===== Configure the network on the OpenWrt ​server ​===== +===== Configure the network on the OpenWrt ​router ​===== 
-  - Create the VPN interface(if not running server-bridge)<code bash>+<tabbox Traditional (TUN) Server>​ 
 + 
 +  - Create the VPN interface (named vpn0):<code bash>
 uci set network.vpn0=interface uci set network.vpn0=interface
 uci set network.vpn0.ifname=tun0 uci set network.vpn0.ifname=tun0
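Review bot: The `tee /etc/openvpn/uk-tunnel0.ovpn >/dev/null <<EOF2` heredoc is unquoted and nothing in the steps above assigns `MY_PUBLIC_FQDN`, so the generated client file contains `remote  1194` with no hostname and the client will refuse to start; either set `MY_PUBLIC_FQDN=...` in Step 2 beside `PKI_DIR` or write the hostname literally (the same goes for `OVPN_FILE`, which is defined but then not used in the `tee` line). Smaller points in the same block: `chmod -R 0600 ${PKI_DIR}` strips the execute bit from the directory, 0700 is what is meant for a directory and the later `chmod 0600` lines already cover the key files; "ir required" should read "if required"; and there are two "Step 5" headings. Finally, nothing in this method generates a `tls-auth` key; `openvpn --genkey --secret ta.key` plus `tls-auth` on both ends would let the server drop unauthenticated packets before the TLS handshake, which is cheap insurance for a port open to the Internet.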
Line 56: Line 212:
 uci set network.vpn0.auto=1 uci set network.vpn0.auto=1
 </​code>​ </​code>​
-  - Add interface to bridge: ​:!: skip unless going for server-bridge config<code bash> +  - Allow incoming client connections by opening the server port (default 1194) in our firewall:<code bash> 
-uci set network.lan.ifname="$(uci get network.lan.ifname) tap_myvpn"​+uci set firewall.Allow_OpenVPN_Inbound=rule 
 +uci set firewall.Allow_OpenVPN_Inbound.target=ACCEPT 
 +uci set firewall.Allow_OpenVPN_Inbound.src=* 
 +uci set firewall.Allow_OpenVPN_Inbound.proto=udp 
 +uci set firewall.Allow_OpenVPN_Inbound.dest_port=1194 
 +</​code>​ 
 +  - Create firewall zone (named vpn) for the new vpn0 network. By default, it will allow both incoming and outgoing connections being created within the VPN tunnel. Edit the defaults as required. This does not (yet) allow clients to access the LAN or WAN networks, but allows clients to communicate with services on the router and may allow connections between VPN clients if your OpenVPN ​server ​configuration allows:<code bash> 
 +uci set firewall.vpn=zone 
 +uci set firewall.vpn.name=vpn 
 +uci set firewall.vpn.network=vpn0 
 +uci set firewall.vpn.input=ACCEPT 
 +uci set firewall.vpn.forward=REJECT 
 +uci set firewall.vpn.output=ACCEPT 
 +uci set firewall.vpn.masq=1
 </​code>​ </​code>​
-  - Allow inbound VPN traffic:<​code bash> +  - (Optional) If you plan to allow clients to connect to computers within your LAN, you'll need to allow traffic ​to be forwarded between the vpn firewall zone and the lan firewall zone:<code bash> 
-uci add firewall ​rule +uci set firewall.vpn_forwarding_lan_in=forwarding 
-uci set firewall.@rule[-1].name=Allow-OpenVPN-Inbound +uci set firewall.vpn_forwarding_lan_in.src=vpn 
-uci set firewall.@rule[-1].target=ACCEPT +uci set firewall.vpn_forwarding_lan_in.dest=lan 
-uci set firewall.@rule[-1].src=* +</​code>​And you'll probably want to allow your LAN computers to be able to initiate connections with the clients, too.<​code bash> 
-uci set firewall.@rule[-1].proto=udp +uci set firewall.vpn_forwarding_lan_out=forwarding 
-uci set firewall.@rule[-1].dest_port=1194+uci set firewall.vpn_forwarding_lan_out.src=lan 
 +uci set firewall.vpn_forwarding_lan_out.dest=vpn
 </​code>​ </​code>​
-  - Allow OpenVPN tunnel utilization: ​(not needed when bridging using tap)<code bash> +  - (OptionalSimilarly, if you plan to allow clients to connect the internet (WAN) through the tunnel, you must allow traffic to be forwarded between the vpn firewall zone and the wan firewall zone:<code bash> 
-uci add firewall zone +uci set firewall.vpn_forwarding_wan=forwarding 
-uci set firewall.@zone[-1].name=vpn +uci set firewall.vpn_forwarding_wan.src=vpn 
-uci set firewall.@zone[-1].input=ACCEPT +uci set firewall.vpn_forwarding_wan.dest=wan
-uci set firewall.@zone[-1].forward=REJECT +
-uci set firewall.@zone[-1].output=ACCEPT +
-uci set firewall.@zone[-1].network=vpn0 +
-uci add firewall ​forwarding +
-uci set firewall.@forwarding[-1].src='vpn' +
-uci set firewall.@forwarding[-1].dest='wan'+
 </​code>​ </​code>​
   - Commit the changes:<​code bash>   - Commit the changes:<​code bash>
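Review bot: `src=*` in the Allow_OpenVPN_Inbound rule opens 1194/udp from every zone, including lan; since the stated use case is reaching the server across the WAN, `uci set firewall.Allow_OpenVPN_Inbound.src=wan` is the tighter choice and behaves identically for the intended clients. The zone definition also deserves one sentence of warning: `input=ACCEPT` on the vpn zone exposes every service the router listens on (LuCI, SSH, DNS, DHCP) to any holder of a client certificate, which matches the "communicate with services on the router" description but is not obvious to a beginner, and `masq=1` makes LAN hosts appear to clients as the router's tun address, which is only needed when clients have no route back to the LAN subnet.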
Line 85: Line 249:
 </​code>​ </​code>​
  
-===== Configure ​the network on the OpenWrt ​client ===== +<tabbox Server-Bridge (TAP) Server>​ 
-Do the same as on the OpenWrt ​server above except skip step 3.+  - Create the VPN interface (named vpn0): <code bash> 
 +uci set network.vpn0=interface 
 +uci set network.vpn0.ifname=tap0 
 +uci set network.vpn0.proto=none 
 +uci set network.vpn0.auto=
 +</​code>​ 
 +  - Add interface to LAN bridge: <code bash> 
 +uci set network.lan.ifname="$(uci get network.lan.ifname) tap0"​ 
 +</​code>​ 
 +  - Allow incoming client connections by opening ​the server port (default 1194) in our firewall:<​code bash> 
 +uci set firewall.Allow_OpenVPN_Inbound=rule 
 +uci set firewall.Allow_OpenVPN_Inbound.target=ACCEPT 
 +uci set firewall.Allow_OpenVPN_Inbound.src=* 
 +uci set firewall.Allow_OpenVPN_Inbound.proto=udp 
 +uci set firewall.Allow_OpenVPN_Inbound.dest_port=1194 
 +</​code>​ 
 +  - Commit the changes:<​code bash> 
 +uci commit ​network 
 +/​etc/​init.d/​network reload 
 +uci commit firewall 
 +/​etc/​init.d/​firewall reload 
 +</​code>​ 
 + 
 +<tabbox Client>​ 
 + 
 +  - Create the VPN interface (named vpn0): <code bash> 
 +uci set network.vpn0=interface 
 +uci set network.vpn0.ifname=tun0 
 +uci set network.vpn0.proto=none 
 +uci set network.vpn0.auto=1 
 +</​code>​ 
 +  - Create firewall zone (named vpn) for new vpn0 network. By default, it will allow both incoming and outgoing connections being created within the VPN tunnel. Edit the defaults as required. This does not (yet) allow clients to access the LAN or WAN networks, but allows clients to communicate with services ​on the router and may allow connections between VPN clients if your OpenVPN server configuration allows. :!: If you are planning to use your OpenVPN ​client ​as a second (or replacement) WAN adapter, it's recommended that you reject incoming traffic by default:<​code bash> 
 +uci set firewall.vpn=zone 
 +uci set firewall.vpn.name=vpn 
 +uci set firewall.vpn.network=vpn0 
 +uci set firewall.vpn.input=ACCEPT #REJECT if using as WAN replacement 
 +uci set firewall.vpn.forward=REJECT 
 +uci set firewall.vpn.output=ACCEPT 
 +uci set firewall.vpn.masq=1 
 +</​code>​ 
 +  - (Optional) If you plan to allow clients behind ​the VPN server to connect to computers within your LAN, you'll need to allow traffic to be forwarded between the vpn firewall zone and the lan firewall zone:<​code bash> 
 +uci set firewall.vpn_forwarding_lan_in=forwarding 
 +uci set firewall.vpn_forwarding_lan_in.src=vpn 
 +uci set firewall.vpn_forwarding_lan_in.dest=lan 
 +</​code>​And if you want to initiate connections to clients (or the internet) behind the VPN server, you'll need to allow traffic to be forwarded that direction ​as well.<​code bash> 
 +uci set firewall.vpn_forwarding_lan_out=forwarding 
 +uci set firewall.vpn_forwarding_lan_out.src=lan 
 +uci set firewall.vpn_forwarding_lan_out.dest=vpn 
 +</​code>​ 
 +  - Commit ​the changes:<​code bash> 
 +uci commit network 
 +/​etc/​init.d/​network reload 
 +uci commit firewall 
 +/​etc/​init.d/​firewall reload 
 +</​code>​ 
 + 
 +</​tabbox>​ 
 + 
 +===== Configure OpenVPN ===== 
 +OpenVPN can be configured either by using OpenWrt's UCI interface, or via traditional OpenVPN configuration (*.conf) files. OpenVPN will automatically attempt to load all *.conf files placed in the /​etc/​openvpn folder. 
 + 
 +Users familiar with OpenVPN will likely prefer to use configuration files, and this option is likely simpler to manage for those planning to run multiple OpenVPN instances. 
 + 
 +For the sake of simplicity and consistency,​ the remainder of this guide will use the OpenWrt UCI interface to configure OpenVPN, as detailed below. Of note, the [[#routing traffic|Routing Traffic section]] contains instructions applying to the UCI interface (users utilizing configuration files will need to modify those instructions). 
 + 
 +<tabbox Traditional (TUN) Server>
  
-===== Configure the OpenVPN server ===== 
 <​code=bash>​ <​code=bash>​
 echo > /​etc/​config/​openvpn # clear the openvpn uci config echo > /​etc/​config/​openvpn # clear the openvpn uci config
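Review bot: In the Server-Bridge (TAP) tab, `tap0` is claimed twice: once as `network.vpn0.ifname` with `proto=none` and again as a member of `network.lan.ifname`. For a bridge the device should appear only in the lan ifname list; the `vpn0` interface section is at best redundant and at worst confusing, and the qualifier "(if not running server-bridge)" that this hunk removes from the old text was saying exactly that. In the Client tab, `input=ACCEPT` is the default shown and `REJECT` is only a comment; the peer is a remote server the router's owner does not control, so REJECT is the safer default, with ACCEPT as the opt-in for users who want router services reachable from the far side.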
Line 98: Line 326:
 uci set openvpn.myvpn.dev=tun uci set openvpn.myvpn.dev=tun
 uci set openvpn.myvpn.server='​10.8.0.0 255.255.255.0'​ uci set openvpn.myvpn.server='​10.8.0.0 255.255.255.0'​
 +uci set openvpn.myvpn.keepalive='​10 120'
 uci set openvpn.myvpn.ca=/​etc/​openvpn/​ca.crt uci set openvpn.myvpn.ca=/​etc/​openvpn/​ca.crt
 uci set openvpn.myvpn.cert=/​etc/​openvpn/​my-server.crt uci set openvpn.myvpn.cert=/​etc/​openvpn/​my-server.crt
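Review bot: Adding `keepalive` is good, but this server config still sets no `cipher` or `auth`, so OpenVPN 2.3 (the version Chaos Calmer ships) runs with its default BF-CBC, the 64-bit-block cipher the SWEET32 banner at the top of the page warns about. Suggest adding `uci set openvpn.myvpn.cipher=AES-256-CBC` and `uci set openvpn.myvpn.auth=SHA256` here, with the matching `cipher AES-256-CBC` and `auth SHA256` lines in the client configurations further down, since 2.3 does not negotiate ciphers and both ends must agree; `tls_version_min=1.2` is worth the same treatment.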
Line 103: Line 332:
 uci set openvpn.myvpn.dh=/​etc/​openvpn/​dh2048.pem uci set openvpn.myvpn.dh=/​etc/​openvpn/​dh2048.pem
 uci commit openvpn uci commit openvpn
-/​etc/​init.d/​openvpn enable 
-/​etc/​init.d/​openvpn start 
 </​code>​ </​code>​
  
-===== Configure the OpenVPN server ​(ethernet bridge===== +<tabbox Server-Bridge ​(TAPServer> 
-:!: new and untested, !!!! doesn'​t work, the interface is created, but not added to bridge+
 <​code=bash>​ <​code=bash>​
 echo > /​etc/​config/​openvpn # clear the openvpn uci config echo > /​etc/​config/​openvpn # clear the openvpn uci config
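Review bot: The old revision's warning "new and untested, doesn't work, the interface is created, but not added to bridge" is dropped here without any indication that the TAP bridge was verified on 15.05, and the network section still relies on netifd picking up `tap0` when OpenVPN creates it. Either keep a shortened warning or state in the edit summary or the text which release and client the bridge was tested with.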
Line 114: Line 341:
 uci set openvpn.myvpn.enabled=1 uci set openvpn.myvpn.enabled=1
 uci set openvpn.myvpn.verb=3 uci set openvpn.myvpn.verb=3
-uci set openvpn.myvpn.port=1194 
 uci set openvpn.myvpn.proto=udp uci set openvpn.myvpn.proto=udp
-uci set openvpn.myvpn.dev=tap_myvpn+uci set openvpn.myvpn.port=1194 
 +uci set openvpn.myvpn.dev=tap
 uci set openvpn.myvpn.mode=server uci set openvpn.myvpn.mode=server
 uci set openvpn.myvpn.tls_server=1 uci set openvpn.myvpn.tls_server=1
-uci set openvpn.myvpn.persist_tun=1 +uci add_list ​openvpn.myvpn.push='​route-gateway dhcp' 
-uci set openvpn.myvpn.push='route-gateway dhcp'+uci set openvpn.myvpn.keepalive='10 120'
 uci set openvpn.myvpn.ca=/​etc/​openvpn/​ca.crt uci set openvpn.myvpn.ca=/​etc/​openvpn/​ca.crt
 uci set openvpn.myvpn.cert=/​etc/​openvpn/​my-server.crt uci set openvpn.myvpn.cert=/​etc/​openvpn/​my-server.crt
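Review bot: This TAP server has `mode=server` and `tls_server=1` but no `server-bridge` line, so OpenVPN assigns no addresses at all; clients get an address only if they run a DHCP client on their TAP adapter and the LAN DHCP server's offers cross the bridge, and `push 'route-gateway dhcp'` merely tells them to use the gateway learned that way. That works for the Windows client, which does DHCP on the adapter automatically, but a Linux client needs a DHCP client started on tap0. Say so in the text, or add `server-bridge` with a pool outside the LAN DHCP range so the server hands out addresses itself; either way the bridge gives every certificate holder a full layer-2 presence on the LAN, which is the trade-off the Use Case section hints at.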
Line 126: Line 353:
 uci set openvpn.myvpn.dh=/​etc/​openvpn/​dh2048.pem uci set openvpn.myvpn.dh=/​etc/​openvpn/​dh2048.pem
 uci commit openvpn uci commit openvpn
-/​etc/​init.d/​openvpn enable 
-/​etc/​init.d/​openvpn start 
 </​code>​ </​code>​
-===== Configure the OpenWrt ​client ​=====+ 
 +<tabbox Client>​ 
 +Configuration of a client ​connection will be highly dependent upon the settings of the server. Featured below is a very simple example which will likely require customization.
 <​code=bash>​ <​code=bash>​
-echo > /​etc/​config/​openvpn+echo > /​etc/​config/​openvpn ​# clear the openvpn uci config
 uci set openvpn.myvpn=openvpn uci set openvpn.myvpn=openvpn
 uci set openvpn.myvpn.enabled=1 uci set openvpn.myvpn.enabled=1
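Review bot: `echo > /etc/config/openvpn` silently erases every OpenVPN instance already defined on the router, which is fine on a fresh install but will take down a working tunnel for anyone adding a second one; the new "# clear the openvpn uci config" comment helps, but a one-line `cp /etc/config/openvpn /etc/config/openvpn.bak` before it, or a sentence telling readers to skip the line when they already have a config, would be cheaper than the support questions.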
Line 144: Line 371:
 uci set openvpn.myvpn.remote="​SERVER_IP_ADDRESS 1194" uci set openvpn.myvpn.remote="​SERVER_IP_ADDRESS 1194"
 uci commit openvpn uci commit openvpn
-/etc/init.d/openvpn start +</code>If your server requires password authentication,​ you can accomplish this by using:<​code bash> 
-</​code>​+uci set openvpn.myvpn.auth_user_pass=/path/​to/​password.txt 
 +</​code>​Where password.txt is a plain-text file containing the username on the first line and the password on the second line. This file, since it contains login information,​ should be saved in an appropriately secure location.
  
-Or alternatively drop an openvpn configuration file into /​etc/​openvpn/<vpnName>.conf You can test it in a shell with <​code>​openvpn ​/​etc/​openvpn/​myVpnName.conf</​code>​ +Depending on the server you are connecting to, it may be prudent to use OpenVPN'​s route-nopull option to prevent the server from altering routes on your router (and potentially redirecting traffic inappropriately). This will require you to add the routes manually (advanced) by specifying them in the client config or by using a route-up/down scripts. The route-nopull option can be added using the following:<code bash> 
-===== Configure ​other clients ​=====+uci set openvpn.myvpn.route_nopull=1 
 +</code> 
 +</​tabbox>​ 
 +Now that you have finished your basic configuration,​ start up OpenVPN:<​code bash> 
 +/etc/init.d/​openvpn ​enable 
 +/etc/init.d/openvpn start</​code>​ 
 +===== Configure ​Clients For Your Server ​=====
 Create the following OpenVPN client configuration file, save it with an ''​.ovpn''​ extension in the Windows or ''​.conf''​ in the *nix and give it to your client: Create the following OpenVPN client configuration file, save it with an ''​.ovpn''​ extension in the Windows or ''​.conf''​ in the *nix and give it to your client:
 +
 +<tabbox Traditional (TUN) Client>
  
 <​code>​ <​code>​
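Review bot: The client config built here never sets `remote-cert-tls server`, although the hand-written .ovpn in the openssl tab does and the server certificates are issued with `extendedKeyUsage = serverAuth` precisely so that check can be made; without it any valid client certificate from the same CA can impersonate the server, so add `uci set openvpn.myvpn.remote_cert_tls=server` to the example. For the `auth_user_pass` file, "an appropriately secure location" should be spelled out as `chmod 0600` on a file owned by root, since /etc/openvpn is world-readable by default.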
Line 167: Line 403:
 </​code>​ </​code>​
  
-===== Configure other clients ​(bridge)===== +<tabbox Server-Bridge ​(TAPClient>
-Create the following OpenVPN client configuration file, save it with an ''​.ovpn''​ extension and give it to your client:+
  
 <​code>​ <​code>​
Line 185: Line 420:
 remote SERVER_IP_ADDRESS 1194 remote SERVER_IP_ADDRESS 1194
 </​code>​ </​code>​
 +
 +</​tabbox>​
 +
  
 ===== Test the tunnel ===== ===== Test the tunnel =====
-  - The tunnel should have made a change to the client's route table (so you can access the tunnel end-point, ​should be 10.8.0.1):<​code bash> +Congratulations! Your OpenVPN server or client should ​now be operationalIf you are creating a server traffic might not be sent over it yet since we have not yet created routes ​to direct client connections through ​the tunnel. ​Before configuring our server to send routes to clients, we should ​verify that clients can connect ​to the server, and then ensure they can send traffic through it by pinging the server through ​the tunnel.
-  cat /​tmp/​openvpn.log | grep "route add" +
-     ... +
-  route +
-</​code>​ +
-  - You should ​be able to ping the tunnel ​end-point (i.e. the OpenVPN ​server):<code bash> +
-  traceroute 10.8.0.1 +
-</​code>​ +
-  - You should still be able to ping hosts on the Internet via your default gateway:<​code bash> +
-  traceroute 8.8.8.8 +
-</​code>​ +
-  - You should ​be able to ping hosts on the Internet via the tunnel:<code bash> +
-  route add -net 8.8.8.8 netmask 255.255.255.255 gateway 10.8.0.5 +
-  route +
-     ... +
-  traceroute 8.8.8.+
-</​code>​+
  
-In particularlook at hops 1 and 2 of the **traceroute**;​ hop 1 should ​be one of the gateways from your route table If hop 2 of **traceroute 8.8.8.8** is the IP address of VPN_SERVER_ID,​ then the tunnel is working+If you created a serveryou should ​now connect to it using an OpenVPN client compatible with your operating systemExact instructions on how to use your client will vary by operating system, but it is generally a straightforward process ​of loading the [[#​configure_clients_for_your_server|configuration file]] and [[#​distribute_the_certificates|client keys]] made previously in the guidePlease refer to the official documentation/​manual for directions specific to your operating system'​s client.
  
-:-D Congratulations! Now look to '​tune' ​the OpenVPN tunnel for a specific use-case.+If you created a client connection on OpenWrt instead of a server, then you should verify connectivity ​to the external server. 
 +<tabbox Traditional (TUN) Server>
  
-===== Route Only Local LAN Client Traffic Through ​the Tunnel ===== +Ping the server using:<​code bash> 
-If all that is needed is to allow clients access to the local subnet (e.g.to access a server ​at home from work)and to leave Internet access as-is, all one needs to do is advertise ​the local subnet and configure the firewall to allow traffic through. First, to advertise ​the route:+traceroute 10.8.0.1 
 +</​code>​Aside from traffic directed ​to the OpenVPN ​server, ​no traffic will be sent over the server until routes are created. Using traceroute on an internet address should show traffic ​leaving ​through the client'​s default gateway.<​code bash> 
 +traceroute 8.8.8.8 #Google-DNS server 
 +</​code>​
  
-<code bash+After verifying that the connection is working, you'll want to configure your server to push routes to the clients. 
-uci set openvpn.myvpn.push='​route ​192.168.1.0 255.255.255.0' + 
-uci commit openvpn +<tabbox Server-Bridge (TAP) Server
-/etc/init.d/openvpn restart+Traffic within the local subnet (192.168.7.XXX) will be routed through the VPN without any further configurationOther traffic will be sent through the default gatewayPing a client using:<​code bash> 
 +traceroute 192.168.7.100 #Example IP. Change to match your local subnet.
 </​code>​ </​code>​
  
-In this example the subnet is 192.168.1.0/​24. Adjust your configuration accordingly for your LAN. Now, the firewall has to be enabled to allow traffic ​from the VPN clients to the local LAN. To allow itedit **/​etc/​config/​firewall**:​+If you only require intranet access and do not want to route normal internet (WAN) traffic ​through your VPN, your configuration is now complete!
  
-<code+<tabbox Client
-## NB: this zone should ​have already been created ​in the previous setup step; just add the masq option as noted below +Unless the OpenVPN option route-nopull was specified by the client, routes pushed by the server ​should ​be in place. If route-nopull was used, only the server will be accessible. Using traceroute on any address with a route pushed by the server should result in that traffic being sent through ​the VPN, while other addresses should be sent through the default gateway.
-config zone +
- option name '​vpn'​ +
- option masq '​1'​ ## NB: this option was added to enable forwarding out of the VPN zone +
- option input '​ACCEPT'​ +
- option forward '​ACCEPT'​ +
- option output '​ACCEPT'​ +
- option network '​vpn0'​+
  
-## NB this section was added +The OpenVPN gateway can generally be found on *nix systems using:<code bash> 
-config forwarding +ifconfig tun0
- option src '​vpn'​ +
- option dest '​lan'​+
 </​code>​ </​code>​
- +And you can then test it using:<code bash> 
-After editing the firewall changes, enable them by executing: +traceroute 10.8.0.1 #Arbitrary example IP
-<code bash> +
-/etc/init.d/firewall reload+
 </​code>​ </​code>​
  
-===== Route All Client Traffic Through the Tunnel ===== +If you are not using route-nopull, then your configuration should now be complete!
-If the OpenVPN server can access the Internet, then the client has the //option// of routing //all// its IP traffic via the tunnel rather than through it's local gateway. ​ If the tunnel is merely provide access to other subnets (e.g. to access a server at home from work), but Internet access is to remain as-is, then this is not your answer. ​ Instead, see [[doc/​howto/​vpn.openvpn#​route_only_local_lan_client_traffic_through_the_tunnel|Routing Only Local LAN Client Traffic Through the Tunnel]].+
  
-Before you do this, you should know whether your network is **Scenario 1** (client and server in different subnets), or **Scenario 2** (client and server in the same subnet).  ​+</​tabbox>​
  
-In **Scenario 1**, the client and server ​are in different subnets: +===== Routing Traffic ===== 
-  - On the OpenVPN ​server, ​execute ​the following<​code bash> +Routes ​are what tell clients where to look for an IP address (or subnet). By having our server ​push routes to clientswe can direct their traffic through ​the VPNIf we don'​t ​push the routethen the client will send traffic through their normal gateway instead.
-  uci set openvpn.myvpn.push='​redirect-gateway def1' ​       ## NB: these are single quotes +
-  uci commit openvpn +
-  /​etc/​init.d/​openvpn restart +
-</​code>​ +
-  - On the OpenVPN clientexecute ​the following:<​code bash> +
-  /etc/init.d/openvpn restart +
-  traceroute 8.8.8.8 +
-</​code>​+
  
-Alternatively,​ in **Scenario 2**, the client and server ​are in the same subnet ​(useful for creating/​testing an OpenVPN tunnel at home): +If you are running a client instead of a serverthen the server you connected to should have pushed the appropriate routes to you already. Advanced users may wish to alter this behavior. 
-  - On the OpenVPN ​server, ​execute ​the following:<code bash> + 
-  uci set openvpn.myvpn.push='​redirect-gateway def1 local' ​ ## NB: these are single quotes +:!: Please be aware that just because a route is not pushed doesn'​t mean the client ​can't add it themselves ​and send that traffic through the VPN anyway. That is when your firewall configuration should take effect. A notable example is our TAP configuration,​ which has no firewall rules preventing WAN access since clients ​are treated ​the same as any other LAN client. 
-  uci commit openvpn; /​etc/​init.d/​openvpn restart +<tabbox Traditional ​(TUNServer> 
-</​code>​ + 
-  - On the OpenVPN clientexecute ​the following:<code bash> +In order to route local LAN traffic to the server, ​ensure you've made the appropriate firewall changes from the network section, and have the server push the route to clients using:<code bash> 
-  /​etc/​init.d/​openvpn ​restart +uci add_list ​openvpn.myvpn.push='​route 192.168.1.0 255.255.255.0' #Change to match your router'​s subnet 
-  traceroute 8.8.8.8  ​+</​code>​If you wish to route ALL (internetWAN, etc) traffic through your VPN (effectively making a proxy), ensure you've made the appropriate firewall changes from the network section and have the server push this route instead:<code bash> 
 +uci add_list ​openvpn.myvpn.push='​redirect-gateway def1'
 </​code>​ </​code>​
  
-:!: If your OpenVPN client is not to route all it's traffic via the server ​(and therefore continue to use it's existing default gateway), then you should not push the **redirect-gateway** option at all.+<tabbox Server-Bridge ​(TAPServer>
  
-You might need to make OpenWrt ​route traffic ​from vpn to wan. Add to /​etc/​config/​firewall: +Traffic within your LAN network should be routed without any further configuration. If you wish to route all (internet, WAN, etc) traffic ​through your tunnel, have the server push the route to clients using the following:<​code ​bash
-<​code>​ +uci add_list openvpn.myvpn.push='redirect-gateway def1'
-config forwarding +
- option src '​vpn'​ +
- option dest 'wan'+
 </​code>​ </​code>​
-This worked for BB RC2 (uci commands would be better). 
  
-Another way to accomplish routing all client ​traffic through ​the tunnel via LUCI is to navigate to Network ​-> Firewall and make the options look like this: +<tabbox Client>​ 
-<​code>​ +The correct routes should be automatically provided by the server without additional configuration. Depending on your use case, an advanced user may wish to alter this behavior. This can be accomplished by telling the client ​to ignore routes pushed by the server using route-nopull, then adding your own. This will be highly individualized,​ but can be accomplished using this general example:<​code ​bash
-LAN: (lan: images) ​=> VPN   : ​  ​accept accept accept (just changing this one to point to VPN instead of WAN) +uci set openvpn.myvpn.route_nopull='​1'​ 
-WAN: (wan: images) ​=> REJECT :  reject accept reject (no changes here) +uci add_list openvpn.myvpn.route='​123.456.789.0 255.255.255.0'​ 
-VPN: (vpn: image) ​=> WAN : accept accept accept (change forwarding ​to accept, check masquerading option) +uci add_list openvpn.myvpn.route='​234.567.891.0 255.255.255.0'​ 
-</code>+</code>Note that using route-nopull will cause errors ​to appear in the OpenVPN log when it rejects the server'​s pushed routes. This is considered normal behavior. 
 +</tabbox>
  
 +===== Other Considerations =====
 +When attempting to add an OpenVPN option which would normally use a hyphen (such as route-nopull),​ OpenWrt'​s UCI system requires you to replace the hyphen with an underscore (route_nopull).
  
-Once this is working, head to [[doc/​howto/​vpn.server.openvpn.tun]] ​for more OpenVPN ​'​recipes'​.+  * Various other configuration examples can be found here: [[doc/​howto/​vpn.server.openvpn.tun]] 
 +  * The OpenVPN ​manual can be found here: [[https://​community.openvpn.net/​openvpn/​wiki/​Openvpn23ManPage|OpenVPN 2.3 man-page]]
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
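Review bot: the new uci snippets in the Routing Traffic tabs (`uci add_list openvpn.myvpn.push='route 192.168.1.0 255.255.255.0'`, `uci add_list openvpn.myvpn.push='redirect-gateway def1'`, and the route_nopull block in the Client tab) drop the `uci commit openvpn` and `/etc/init.d/openvpn restart` steps that the removed text carried after every change, so a reader who types them as written sees no change in the running instance; add the commit and restart after each snippet. In the Client tab, `123.456.789.0` and `234.567.891.0` cannot be parsed as IPv4 addresses (octets above 255), so those routes will fail; use documentation prefixes such as 192.0.2.0/24 and 198.51.100.0/24 instead. Smaller wording points: in the TUN tab "no traffic will be sent over the server until routes are created" should read "over the tunnel", and the Client-tab comment `#Arbitrary example IP` on `traceroute 10.8.0.1` is misleading, since 10.8.0.1 is the same server tunnel address the TUN tab tells the reader to traceroute, not an arbitrary one.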
Line 297: Line 505:
  
 ===== Asking for help ===== ===== Asking for help =====
-You can ask for help on the OpenWrt forum: [[https://​forum.openwrt.org/​]]. ​ +You can ask for help on the OpenWrt forum: [[https://​forum.openwrt.org/​]].
  
 When asking for help, you should at a minimum include the contents of the following files: When asking for help, you should at a minimum include the contents of the following files:
Line 306: Line 514:
 cat /​etc/​config/​openvpn cat /​etc/​config/​openvpn
 </​code>​ </​code>​
- 
-===== Caveats ===== 
- 
-==== Client Config Dir ==== 
- 
-When using UCI, you need to define the client config dir differently. All OpenVPN manuals tell you write it out as **client-config-dir** (with dashes), but for UCI you need to call it **client_config_dir** (with underscores). If unsure, check the openvpn conf file that is generated in /var/etc/, as that will have **client-config-dir** (with dashes) when all went well. 
- 
-===== References and examples ===== 
-  * [[https://​community.openvpn.net/​openvpn/​wiki/​Openvpn23ManPage|OpenVPN 2.3 man-page]] 
- 
-===== Additions ===== 
-You may create text config file, for example /​etc/​openvpn/​server,​ /​etc/​openvpn/​client and next include it in the openvpn instance in the /​etc/​config/​openvpn:​ 
-<​code>​uci set openvpn.myvpnserver.config=/​etc/​openvpn/​myvpnserver.conf</​code>​ 
-You may use included file and other tokens simultaneous,​ for example: 
-<​code>​ 
-uci set openvpn.myvpnserverudp.config=/​etc/​openvpn/​common.conf 
-uci set openvpn.myvpnserverudp.proto=udp 
-uci set openvpn.myvpnservertcp.config=/​etc/​openvpn/​common.conf 
-uci set openvpn.myvpnservertcp.proto=tcp 
- 
-</​code>​ 
- 
-| FIXME: Integrate any useful information from [[inbox:​vpn.howto]]. | 
- 
- 
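Review bot: the removed Additions section (`uci set openvpn.myvpnserver.config=/etc/openvpn/myvpnserver.conf` and the common.conf example with separate udp and tcp instances) was the page's only documentation of the `config` option for including a plain OpenVPN configuration file alongside UCI options, and nothing in the added text replaces it; move it under Other Considerations rather than dropping it. The Client Config Dir caveat is covered by the new generic hyphen-to-underscore note, and the removed man-page link reappears there, so those two removals are fine.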
doc/howto/vpn.openvpn.1475420753.txt.bz2 · Last modified: 2016/10/02 17:05 by hbogert