doc:howto:vpn.openvpn
This wiki is read only and for archival purposes only. >>>>>>>>>> Please use the new OpenWrt wiki at https://openwrt.org/ <<<<<<<<<<

Differences

This shows you the differences between two versions of the page.

doc:howto:vpn.openvpn [2016/12/03 03:03]
ExaltedVanguard
doc:howto:vpn.openvpn [2018/01/30 00:07] (current)
numbers warned about weak ciphers and provided link to newer howto
Line 1: Line 1:
 +<WRAP centeralign><​wrap danger>​This HOWTO will leave your VPN using several ciphers that are weak and exploitable as per the SWEET32 attack. [[openvpn-streamlined-server-setup|OpenVPN Server HowTo (Streamlined)]] is a more modern alternative.</​wrap></​WRAP>​
 +
 ====== OpenVPN Setup Guide for Beginners ====== ​ ====== OpenVPN Setup Guide for Beginners ====== ​
-This is a beginner'​s guide to setting up OpenVPN on a server and a client where, in this instance, both are running ​OpenWrt ​(although the OpenVPN client could easily be running on another OS, such as Windows or Linux).+This is a beginner'​s guide to setting up an OpenVPN ​connection ​on OpenWrt.
  
-For non-beginners or real-world tunnels, [[doc/​howto/​vpn.server.openvpn.tun]] may be better place to start.+The primary goal of this HOWTO is to get working OpenVPN tunnel and establish a basic platform for further customization. Most users will require further configuration tailored ​to their individual needs.
  
-The primary goal of this HOWTO is to get a working OpenVPN tunnel; the strategy used by this HOWTO is to keep it simple. ​ Because of that, this is a very basic OpenVPN tunnel configuration that will not suit most people'​s needs without ​further configuration. However, once the basic tunnel is working, additional recipes for other use-cases ​can be found at [[doc/​howto/​vpn.server.openvpn.tun]].+Links to pages guiding ​further configuration can be found under the [[#other considerations|Other Considerations]] section of this guide.
  
 For an overview of all VPN-related articles (including other VPN technologies),​ see [[doc/​howto/​vpn.overview]]. For an overview of all VPN-related articles (including other VPN technologies),​ see [[doc/​howto/​vpn.overview]].
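Review bot: the new warning box says this page "will leave your VPN using several ciphers that are weak and exploitable as per the SWEET32 attack" but never says which OpenVPN option is responsible, and no later hunk in this diff adds one; since SWEET32 targets 64-bit block ciphers and an OpenVPN 2.3 instance with no `cipher` line falls back to BF-CBC, the box should tell the reader to set `cipher` (for example AES-256-CBC) on both the server and the client, instead of only linking to the streamlined guide. Also, the replacement intro reads "to get working OpenVPN tunnel"; it needs "a working".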
Line 18: Line 20:
 It should be noted that using a TAP adapter is not a synonym for server-bridging,​ however a TAP adapter is required for server-bridging,​ whereas TUN is almost always superior if not bridging. For the sake of simplicity, we will use these terms interchangeably,​ since comparing the terms "​server"​ and "​server-bridge"​ could cause confusion. TUN will be used to refer to a traditional server and TAP will refer to a server-bridge configuration. It should be noted that using a TAP adapter is not a synonym for server-bridging,​ however a TAP adapter is required for server-bridging,​ whereas TUN is almost always superior if not bridging. For the sake of simplicity, we will use these terms interchangeably,​ since comparing the terms "​server"​ and "​server-bridge"​ could cause confusion. TUN will be used to refer to a traditional server and TAP will refer to a server-bridge configuration.
  
-While it is possible to configure OpenVPN on OpenWRT ​using a remote connection (through SSH, for example), it is recommended that testing is performed locally with the Default (TUN) Server, as this will simplify any troubleshooting. If using a TAP server, it is better to test with a remote connection if possible since a server-bridge connection will use the same subnet and your client will be assigned two IP addresses on the same network (which may or may not cause connectivity issues).+While it is possible to configure OpenVPN on OpenWrt ​using a remote connection (through SSH, for example), it is recommended that testing is performed locally with the Default (TUN) Server, as this will simplify any troubleshooting. If using a TAP server, it is better to test with a remote connection if possible since a server-bridge connection will use the same subnet and your client will be assigned two IP addresses on the same network (which may or may not cause connectivity issues).
  
 A TUN server has less overhead, and will only send traffic destined for the client, where a TAP server is less efficient and will send broadcast packets to the clients. A TUN server has less overhead, and will only send traffic destined for the client, where a TAP server is less efficient and will send broadcast packets to the clients.
Line 28: Line 30:
 A TAP server integrates clients into the network in a more seamless manner, and can simplify the process for setting up a variety of network applications. However, such integration may come at the price of security. Please note that regardless of method chosen, setting up proper firewall rules is essential for proper security, and is far more important than the discrimination between TUN and TAP servers. A TAP server integrates clients into the network in a more seamless manner, and can simplify the process for setting up a variety of network applications. However, such integration may come at the price of security. Please note that regardless of method chosen, setting up proper firewall rules is essential for proper security, and is far more important than the discrimination between TUN and TAP servers.
  
-:!: If using a TAP server, it is highly recommended that you change your DHCP subnet to something other than 192.168.**0**.XXX or 192.168.**1**.XXX. These are very common and will cause routing conflicts and connectivity issues if you attempt to connect from a client attached to a router utilizing the same subnet. This can generally be accomplished by changing the IP address of the OpenWRT/OpenVPN router to something like 192.168.**7**.1+:!: If using a TAP server, it is highly recommended that you change your DHCP subnet to something other than 192.168.**0**.XXX or 192.168.**1**.XXX. These are very common and will cause routing conflicts and connectivity issues if you attempt to connect from a client attached to a router utilizing the same subnet. This can generally be accomplished by changing the IP address of the OpenWrt/OpenVPN router to something like 192.168.**7**.1
 ===== Prerequisites ===== ===== Prerequisites =====
 This HOWTO requires that the OpenVPN server is an OpenWrt router running OpenWrt 15.05 Chaos Calmer. This HOWTO requires that the OpenVPN server is an OpenWrt router running OpenWrt 15.05 Chaos Calmer.
Line 37: Line 39:
 opkg install openvpn-openssl openvpn-easy-rsa opkg install openvpn-openssl openvpn-easy-rsa
 </​code>​ </​code>​
 +:!: Note that although the **easy-rsa** package uses the latest version of openssl, its bash scripts are from 2013 (execute: ''​opkg list | grep easy-rsa''​);​ this may not be '​secure'​ enough for you (for example, 2048-bit keys were considered unbreakable in 2013). For this reason, you may want to consider the alternative means of creating the client/​server certificates,​ below (just know that using easy-rsa is a lot '​easier'​).
  
 ===== Create the certificates ===== ===== Create the certificates =====
 If you are creating an OpenVPN server (either type), you must create security certificates using the instructions below. If you are using OpenVPN as a client, the required certificates should have been provided with your configuration details. If you are creating an OpenVPN server (either type), you must create security certificates using the instructions below. If you are using OpenVPN as a client, the required certificates should have been provided with your configuration details.
 +
 +Each of these methods create a server certificate named //​my-server//​ and a client certificate named //​my-client//​. The first two methods are roughly the same, the third method is arguably more '​secure',​ but is also somewhat more complicated (and thus prone to mistakes). I suggest you get your tunnel working using easy-rsa scripts first, then try the most '​secure'​ method after that.
 +
 +<tabbox Using easy-rsa scripts (easiest)>​
 <​code>​ <​code>​
 build-ca build-ca
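Review bot: the parenthetical in the new :!: note, "(for example, 2048-bit keys were considered unbreakable in 2013)", reads as a claim that 2048-bit RSA is no longer adequate, which nothing else on the page supports (the openssl tab further down raises `default_bits` to 4096 but keeps 2048-bit DH parameters). Either state which specific default of the 2013-era easy-rsa scripts the author objects to, or drop the example; as written it points beginners at the wrong setting. The sentence also says the note applies to "the alternative means ... below" without naming which of the three tabs is meant.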
Line 49: Line 56:
 The above creates a server certificate named //​my-server//​ and a client certificate named //​my-client//​. You can create multiple client certificates by running ''​build-key-pkcs12''​ multiple times and specifying different names. The above creates a server certificate named //​my-server//​ and a client certificate named //​my-client//​. You can create multiple client certificates by running ''​build-key-pkcs12''​ multiple times and specifying different names.
  
-You can create a new set of certificates by running ''​clean-all''​ and then the above commands again.ls+You can create a new set of certificates by running ''​clean-all''​ and then the above commands again.
  
 +<tabbox Using pkitool from easy-rsa>​
 +<​code>​
 +pkitool --initca ​                     ## equivalent to the '​build-ca'​ script
 +pkitool --server my-server ​           ## equivalent to the '​build-key-server'​ script
 +pkitool ​         my-client ​           ## equivalent to the '​build-key'​ script (*not build-key-pkcs12)
 +openssl dhparam -out dh2048.pem 2048  ## equivalent to the '​build-dh'​ script
 +</​code>​
 +
 +You can wipe everything and start again by running ''​clean-all''​.
 +
 +<tabbox Using openssl commands (most secure)>
 +<​code>###​ Step 1: Create the PKI directory tree
 +  PKI_DIR="/​etc/​openvpn/​ssl"​
 +# rm -r ${PKI_DIR} ​ ## ir required, remove the folder, and start again
 +
 +  mkdir -p ${PKI_DIR}
 +# chown -R root:root ${PKI_DIR}
 +  chmod -R 0600 ${PKI_DIR}
 +
 +  cd ${PKI_DIR} ## popd ${PKI_DIR}
 +  ​
 +  touch index.txt; echo 1000 > serial
 +  mkdir newcerts # certs crl csr private
 +# chmod 0700 private
 +  ​
 +  ​
 +### Step 2: Start with a clean configuration,​ and establish the basic variables
 +  cp /​etc/​ssl/​openssl.cnf ${PKI_DIR}
 +  PKI_CNF=${PKI_DIR}/​openssl.cnf
 +  ​
 +  sed -i '/​^dir/ ​  ​s:​=.*:​= /​etc/​openvpn/​ssl:' ​                     ${PKI_CNF}
 +  sed -i '/​.*Name/​ s:= match:= optional:' ​                   ${PKI_CNF}
 +
 +  sed -i '/​organizationName_default/ ​   s:= .*:= WWW Ltd.:' ​ ${PKI_CNF}
 +  sed -i '/​stateOrProvinceName_default/​ s:= .*:= London:' ​   ${PKI_CNF}
 +  sed -i '/​countryName_default/ ​        s:= .*:= GB:' ​       ${PKI_CNF}
 +  ​
 +  sed -i '/​default_days/ ​  ​s:​=.*:​= 3650:' ​                   ${PKI_CNF} ## default usu.: -days 365 
 +  sed -i '/​default_bits/ ​  ​s:​=.*:​= 4096:' ​                   ${PKI_CNF} ## default usu.: -newkey rsa:2048
 +# sed -i '/​default_md/ ​    ​s:​=.*:​= default:' ​                ​${PKI_CNF} ## default usu.: sha256
 +
 +
 +cat >> ${PKI_CNF} <<"​EOF"​
 +###############################################################################​
 +### Check via: openssl x509 -text -noout -in *.crt | grep 509 -A 1
 +[ my-server ] 
 +#  X509v3 Key Usage: ​         Digital Signature, Key Encipherment
 +#  X509v3 Extended Key Usage: TLS Web Server Authentication
 +  keyUsage = digitalSignature,​ keyEncipherment
 +  extendedKeyUsage = serverAuth
 +
 +[ my-client ] 
 +#  X509v3 Key Usage: ​         Digital Signature
 +#  X509v3 Extended Key Usage: TLS Web Client Authentication
 +  keyUsage = digitalSignature
 +  extendedKeyUsage = clientAuth
 +
 +EOF
 +  ​
 +  ​
 +### Step 3a: Create the CA, Server, and Client certificates (*without* using easy-rsa):
 +# pkitool --initca ​           ## equivalent to the '​build-ca'​ script
 +  openssl req -batch -nodes -new -keyout "​ca.key"​ -out "​ca.crt"​ -x509 -config ${PKI_CNF} ​ ## x509 (self-signed) for the CA
 +
 +# pkitool --server my-server ​ ## equivalent to the '​build-key-server'​ script
 +  openssl req -batch -nodes -new -keyout "​my-server.key"​ -out "​my-server.csr"​ -subj "/​CN=my-server"​ -config ${PKI_CNF}
 +  openssl ca  -batch -keyfile "​ca.key"​ -cert "​ca.crt"​ -in "​my-server.csr"​ -out "​my-server.crt"​ -config ${PKI_CNF} -extensions my-server
 +  ​
 +# pkitool ​         my-client ​ ## equivalent to the '​build-key'​ script
 +  openssl req -batch -nodes -new -keyout "​my-client.key"​ -out "​my-client.csr"​ -subj "/​CN=my-client"​ -config ${PKI_CNF}
 +  openssl ca  -batch -keyfile "​ca.key"​ -cert "​ca.crt"​ -in "​my-client.csr"​ -out "​my-client.crt"​ -config ${PKI_CNF} -extensions my-client ​    
 +
 +  chmod 0600 "​ca.key"​
 +  chmod 0600 "​my-server.key"​
 +  chmod 0600 "​my-client.key"​
 + 
 +
 +### Step 3b: Create the Diffie-Hellman parameters (will take a long time - you may want to go get a meal!):
 +  openssl dhparam -out dh2048.pem 2048     ## equivalent to the '​build-dh'​ script
 +
 +
 +### Step 4: Keep the PKI even if performing a sysupgrade, check with: sysupgrade -l | grep rsa
 +# echo ${PKI_DIR}/​* ​    > /​lib/​upgrade/​keep.d/​my-pki
 +  ​
 +  ​
 +### Step 5: Create the client'​s .ovpn file
 +###
 +
 +  OVPN_FILE="/​etc/​openvpn/​uk-tunnel0.ovpn"​
 +
 +tee /​etc/​openvpn/​uk-tunnel0.ovpn >/​dev/​null <<​EOF2
 +  client ​    ## implies pull, tls-client
 +  dev tun
 +# proto udp  ## udp is the default
 +  fast-io
 +  remote ${MY_PUBLIC_FQDN} 1194
 +  remote-cert-tls server
 +  nobind
 +  persist-key
 +  persist-tun
 +  comp-lzo no
 +  verb 3
 +EOF2
 +
 +echo '<​ca>' ​   >> ${OVPN_FILE}
 +cat            >> ${OVPN_FILE} < ca.crt ​       ​
 +echo '</​ca>' ​  >>​ ${OVPN_FILE}
 +
 +echo '<​cert>' ​ >> ${OVPN_FILE}
 +cat            >> ${OVPN_FILE} < my-client.crt ​
 +echo '</​cert>'​ >> ${OVPN_FILE}
 +
 +echo '<​key>' ​  >>​ ${OVPN_FILE}
 +cat            >> ${OVPN_FILE} < my-client.key ​
 +echo '</​key>' ​ >> ${OVPN_FILE}
 +
 +
 +### Step 5: Copy the client certificate from the server to the client (e.g. via a USB stick, or using the scp utility).
 +#  ssh -y root@192.168.1.234 'mkdir -p /​etc/​openvpn'​
 +#  scp ${OVPN_FILE} root@192.168.1.234:/​etc/​openvpn
 +</​code>​
 +</​tabbox>​
  
 ===== Distribute the certificates ===== ===== Distribute the certificates =====
 Copy your server keys to the /​etc/​openvpn directory so that they don't get overwritten. Copy your server keys to the /​etc/​openvpn directory so that they don't get overwritten.
 +
 +<tabbox Using easy-rsa Scripts>
 <​code>​ <​code>​
 cp /​etc/​easy-rsa/​keys/​ca.crt /​etc/​easy-rsa/​keys/​my-server.* /​etc/​easy-rsa/​keys/​dh2048.pem /​etc/​openvpn cp /​etc/​easy-rsa/​keys/​ca.crt /​etc/​easy-rsa/​keys/​my-server.* /​etc/​easy-rsa/​keys/​dh2048.pem /​etc/​openvpn
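Review bot: in the "Using openssl commands" tab, `remote ${MY_PUBLIC_FQDN} 1194` sits inside an unquoted `<<EOF2` heredoc and the variable is never assigned anywhere in the script, so the generated .ovpn silently contains `remote  1194` with no host; assign it next to `OVPN_FILE` (e.g. `MY_PUBLIC_FQDN="vpn.example.org"`, clearly marked as a value the reader must change) or make the placeholder visible. Smaller points in the same block: `tee /etc/openvpn/uk-tunnel0.ovpn` and the `sed` that rewrites `^dir` hard-code paths that `${OVPN_FILE}` and `${PKI_DIR}` already hold; `chmod -R 0600 ${PKI_DIR}` strips the search bit from the directories and only works because everything runs as root (use 0700 for the directories and 0600 for the key files, as the later `chmod 0600` lines already do for the keys); `## ir required` should read `## if required`; there are two headings labelled "Step 5"; and the `keep.d` line in Step 4 is commented out, so the PKI is not preserved across sysupgrade unless the reader notices the leading `#`. Consider adding `basicConstraints = CA:FALSE` to the `[ my-server ]` and `[ my-client ]` sections so the issued leaf certificates are explicitly non-CA alongside the key usage and extended key usage already set there.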
Line 61: Line 192:
 scp /​etc/​easy-rsa/​keys/​ca.crt /​etc/​easy-rsa/​keys/​my-client.* root@CLIENT_IP_ADDRESS:/​etc/​openvpn scp /​etc/​easy-rsa/​keys/​ca.crt /​etc/​easy-rsa/​keys/​my-client.* root@CLIENT_IP_ADDRESS:/​etc/​openvpn
 </​code>​ </​code>​
 +<tabbox Using OpenSSL Commands> ​
 +
 +<​code>​
 +cp /​etc/​openvpn/​ssl/​ca.crt /​etc/​openvpn/​ssl/​my-server.* /​etc/​openvpn/​ssl/​dh2048.pem /​etc/​openvpn
 +</​code>​
 +Copy the client keys to your SSH machine so you can distribute it to your intended client. This is just a reference for ease of use - these keys can be distributed in whatever way is most convenient (i.e. USB drive).
 +<​code>​
 +scp /​etc/​openvpn/​ssl/​ca.crt /​etc/​openvpn/​ssl/​my-client.* root@CLIENT_IP_ADDRESS:/​etc/​openvpn
 +</​code>​
 +</​tabbox>​
  
 ===== Configure the network on the OpenWrt router ===== ===== Configure the network on the OpenWrt router =====
 <tabbox Traditional (TUN) Server> <tabbox Traditional (TUN) Server>
  
-  - Create the VPN interface:<​code bash>+  - Create the VPN interface ​(named vpn0):<code bash>
 uci set network.vpn0=interface uci set network.vpn0=interface
 uci set network.vpn0.ifname=tun0 uci set network.vpn0.ifname=tun0
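Review bot: in the new "Using OpenSSL Commands" tab, `scp ... /etc/openvpn/ssl/my-client.* ...` also ships `my-client.csr`, which the client never needs, and it duplicates what the previous section's Step 5 already did by embedding ca.crt, my-client.crt and my-client.key into one .ovpn file; either tell the reader to copy `${OVPN_FILE}` here or drop the inline-file step there, but not both. Grammar in the same tab: "so you can distribute it" should be "them", and "(i.e. USB drive)" should be "(e.g. a USB drive)".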
Line 71: Line 212:
 uci set network.vpn0.auto=1 uci set network.vpn0.auto=1
 </​code>​ </​code>​
-  - Allow incoming client connections:<​code bash> +  - Allow incoming client connections ​by opening the server port (default 1194) in our firewall:<code bash> 
-uci set firewall.Allow-OpenVPN-Inbound=rule +uci set firewall.Allow_OpenVPN_Inbound=rule 
-uci set firewall.Allow-OpenVPN-Inbound.target=ACCEPT +uci set firewall.Allow_OpenVPN_Inbound.target=ACCEPT 
-uci set firewall.Allow-OpenVPN-Inbound.src=* +uci set firewall.Allow_OpenVPN_Inbound.src=* 
-uci set firewall.Allow-OpenVPN-Inbound.proto=udp +uci set firewall.Allow_OpenVPN_Inbound.proto=udp 
-uci set firewall.Allow-OpenVPN-Inbound.dest_port=1194+uci set firewall.Allow_OpenVPN_Inbound.dest_port=1194
 </​code>​ </​code>​
-  - Create firewall zone for new vpn0 network. By default, it will allow both incoming and outgoing connections being created within the VPN tunnel. Edit the defaults as required. This does not (yet) allow clients to access the LAN or WAN networks, but allows clients to communicate with services on the router and may allow connections between VPN clients if your OpenVPN server configuration allows:<​code bash>+  - Create firewall zone (named vpn) for the new vpn0 network. By default, it will allow both incoming and outgoing connections being created within the VPN tunnel. Edit the defaults as required. This does not (yet) allow clients to access the LAN or WAN networks, but allows clients to communicate with services on the router and may allow connections between VPN clients if your OpenVPN server configuration allows:<​code bash>
 uci set firewall.vpn=zone uci set firewall.vpn=zone
 +uci set firewall.vpn.name=vpn
 uci set firewall.vpn.network=vpn0 uci set firewall.vpn.network=vpn0
 uci set firewall.vpn.input=ACCEPT uci set firewall.vpn.input=ACCEPT
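Review bot: the rename from `Allow-OpenVPN-Inbound` to `Allow_OpenVPN_Inbound` is required rather than cosmetic (UCI section names may contain only letters, digits and underscores, so the old `uci set` lines fail outright), and `uci set firewall.vpn.name=vpn` fixes a zone that previously had no `name`; both deserve a sentence in the prose so readers who followed the earlier revision understand why their firewall rule never applied. Two small things: `src=*` is an unquoted glob in a shell command line, so quote it (`src='*'`) to rule out expansion if a matching filename ever exists, and the rule still has no `name` option, so it appears as an unnamed rule in LuCI.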
Line 108: Line 250:
  
 <tabbox Server-Bridge (TAP) Server> <tabbox Server-Bridge (TAP) Server>
-  - Create the VPN interface: <code bash>+  - Create the VPN interface ​(named vpn0): <code bash>
 uci set network.vpn0=interface uci set network.vpn0=interface
 uci set network.vpn0.ifname=tap0 uci set network.vpn0.ifname=tap0
Line 117: Line 259:
 uci set network.lan.ifname="​$(uci get network.lan.ifname) tap0" uci set network.lan.ifname="​$(uci get network.lan.ifname) tap0"
 </​code>​ </​code>​
-  - Allow incoming client connections:<​code bash> +  - Allow incoming client connections ​by opening the server port (default 1194) in our firewall:<code bash> 
-uci set firewall.Allow-OpenVPN-Inbound=rule +uci set firewall.Allow_OpenVPN_Inbound=rule 
-uci set firewall.Allow-OpenVPN-Inbound.target=ACCEPT +uci set firewall.Allow_OpenVPN_Inbound.target=ACCEPT 
-uci set firewall.Allow-OpenVPN-Inbound.src=* +uci set firewall.Allow_OpenVPN_Inbound.src=* 
-uci set firewall.Allow-OpenVPN-Inbound.proto=udp +uci set firewall.Allow_OpenVPN_Inbound.proto=udp 
-uci set firewall.Allow-OpenVPN-Inbound.dest_port=1194+uci set firewall.Allow_OpenVPN_Inbound.dest_port=1194
 </​code>​ </​code>​
   - Commit the changes:<​code bash>   - Commit the changes:<​code bash>
Line 133: Line 275:
 <tabbox Client> <tabbox Client>
  
-  - Create the VPN interface: <code bash>+  - Create the VPN interface ​(named vpn0): <code bash>
 uci set network.vpn0=interface uci set network.vpn0=interface
 uci set network.vpn0.ifname=tun0 uci set network.vpn0.ifname=tun0
Line 139: Line 281:
 uci set network.vpn0.auto=1 uci set network.vpn0.auto=1
 </​code>​ </​code>​
-  - Create firewall zone for new vpn0 network. By default, it will allow both incoming and outgoing connections being created within the VPN tunnel. Edit the defaults as required. This does not (yet) allow clients to access the LAN or WAN networks, but allows clients to communicate with services on the router and may allow connections between VPN clients if your OpenVPN server configuration allows. :!: If you are planning to use your OpenVPN client as a second (or replacement) WAN adapter, it's recommended that you reject incoming traffic by default:<​code bash>+  - Create firewall zone (named vpn) for new vpn0 network. By default, it will allow both incoming and outgoing connections being created within the VPN tunnel. Edit the defaults as required. This does not (yet) allow clients to access the LAN or WAN networks, but allows clients to communicate with services on the router and may allow connections between VPN clients if your OpenVPN server configuration allows. :!: If you are planning to use your OpenVPN client as a second (or replacement) WAN adapter, it's recommended that you reject incoming traffic by default:<​code bash>
 uci set firewall.vpn=zone uci set firewall.vpn=zone
 +uci set firewall.vpn.name=vpn
 uci set firewall.vpn.network=vpn0 uci set firewall.vpn.network=vpn0
 uci set firewall.vpn.input=ACCEPT #REJECT if using as WAN replacement uci set firewall.vpn.input=ACCEPT #REJECT if using as WAN replacement
Line 147: Line 290:
 uci set firewall.vpn.masq=1 uci set firewall.vpn.masq=1
 </​code>​ </​code>​
-  - (Optional) If you plan to allow clients behind the VPN sesrver ​to connect to computers within your LAN, you'll need to allow traffic to be forwarded between the vpn firewall zone and the lan firewall zone:<​code bash>+  - (Optional) If you plan to allow clients behind the VPN server ​to connect to computers within your LAN, you'll need to allow traffic to be forwarded between the vpn firewall zone and the lan firewall zone:<​code bash>
 uci set firewall.vpn_forwarding_lan_in=forwarding uci set firewall.vpn_forwarding_lan_in=forwarding
 uci set firewall.vpn_forwarding_lan_in.src=vpn uci set firewall.vpn_forwarding_lan_in.src=vpn
Line 166: Line 309:
  
 ===== Configure OpenVPN ===== ===== Configure OpenVPN =====
 +OpenVPN can be configured either by using OpenWrt'​s UCI interface, or via traditional OpenVPN configuration (*.conf) files. OpenVPN will automatically attempt to load all *.conf files placed in the /​etc/​openvpn folder.
 +
 +Users familiar with OpenVPN will likely prefer to use configuration files, and this option is likely simpler to manage for those planning to run multiple OpenVPN instances.
 +
 +For the sake of simplicity and consistency,​ the remainder of this guide will use the OpenWrt UCI interface to configure OpenVPN, as detailed below. Of note, the [[#routing traffic|Routing Traffic section]] contains instructions applying to the UCI interface (users utilizing configuration files will need to modify those instructions).
 +
 <tabbox Traditional (TUN) Server> <tabbox Traditional (TUN) Server>
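Review bot: "OpenVPN will automatically attempt to load all *.conf files placed in the /etc/openvpn folder" attributes to OpenVPN a behaviour that belongs to OpenWrt's `/etc/init.d/openvpn` script; say "the OpenWrt init script" so readers do not expect the same on other platforms. The same paragraph says users "will need to modify" the Routing Traffic instructions for .conf files without saying how; a clause noting that the UCI `push`/`route` options map to the same-named directives in the .conf file would close that gap.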
  
Line 177: Line 326:
 uci set openvpn.myvpn.dev=tun uci set openvpn.myvpn.dev=tun
 uci set openvpn.myvpn.server='​10.8.0.0 255.255.255.0'​ uci set openvpn.myvpn.server='​10.8.0.0 255.255.255.0'​
 +uci set openvpn.myvpn.keepalive='​10 120'
 uci set openvpn.myvpn.ca=/​etc/​openvpn/​ca.crt uci set openvpn.myvpn.ca=/​etc/​openvpn/​ca.crt
 uci set openvpn.myvpn.cert=/​etc/​openvpn/​my-server.crt uci set openvpn.myvpn.cert=/​etc/​openvpn/​my-server.crt
 uci set openvpn.myvpn.key=/​etc/​openvpn/​my-server.key uci set openvpn.myvpn.key=/​etc/​openvpn/​my-server.key
-uci set openvpn.myvpn.dh=/​etc/​openvpn/​dh2048.pem +uci set openvpn.myvpn.dh=/​etc/​openvpn/​dh2048.pem
-uci set openvpn.myvpn.dh=/​etc/​openvpn/​dh1024.pem+
 uci commit openvpn uci commit openvpn
-/​etc/​init.d/​openvpn enable 
-/​etc/​init.d/​openvpn start 
 </​code>​ </​code>​
  
Line 196: Line 343:
 uci set openvpn.myvpn.proto=udp uci set openvpn.myvpn.proto=udp
 uci set openvpn.myvpn.port=1194 uci set openvpn.myvpn.port=1194
-uci set openvpn.myvpn.dev=tap0+uci set openvpn.myvpn.dev=tap
 uci set openvpn.myvpn.mode=server uci set openvpn.myvpn.mode=server
 uci set openvpn.myvpn.tls_server=1 uci set openvpn.myvpn.tls_server=1
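Review bot: `dev=tap` no longer guarantees that the interface OpenVPN creates is called tap0, yet the network step for this tab still binds `network.vpn0.ifname=tap0` and appends `tap0` to the LAN bridge; with a bare `tap`, OpenVPN takes the first free tap device, which is tap0 only when no other tap interface exists at start-up. Keep `dev=tap0` here so the bridge membership is deterministic, or state that constraint next to the option.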
Line 206: Line 353:
 uci set openvpn.myvpn.dh=/​etc/​openvpn/​dh2048.pem uci set openvpn.myvpn.dh=/​etc/​openvpn/​dh2048.pem
 uci commit openvpn uci commit openvpn
-/​etc/​init.d/​openvpn enable 
-/​etc/​init.d/​openvpn start 
 </​code>​ </​code>​
  
 <tabbox Client> <tabbox Client>
 +Configuration of a client connection will be highly dependent upon the settings of the server. Featured below is a very simple example which will likely require customization.
 <​code=bash>​ <​code=bash>​
 echo > /​etc/​config/​openvpn # clear the openvpn uci config echo > /​etc/​config/​openvpn # clear the openvpn uci config
Line 226: Line 371:
 uci set openvpn.myvpn.remote="​SERVER_IP_ADDRESS 1194" uci set openvpn.myvpn.remote="​SERVER_IP_ADDRESS 1194"
 uci commit openvpn uci commit openvpn
 +</​code>​If your server requires password authentication,​ you can accomplish this by using:<​code bash>
 +uci set openvpn.myvpn.auth_user_pass=/​path/​to/​password.txt
 +</​code>​Where password.txt is a plain-text file containing the username on the first line and the password on the second line. This file, since it contains login information,​ should be saved in an appropriately secure location.
 +
 +Depending on the server you are connecting to, it may be prudent to use OpenVPN'​s route-nopull option to prevent the server from altering routes on your router (and potentially redirecting traffic inappropriately). This will require you to add the routes manually (advanced) by specifying them in the client config or by using a route-up/​down scripts. The route-nopull option can be added using the following:<​code bash>
 +uci set openvpn.myvpn.route_nopull=1
 +</​code>​
 +</​tabbox>​
 +Now that you have finished your basic configuration,​ start up OpenVPN:<​code bash>
 /​etc/​init.d/​openvpn enable /​etc/​init.d/​openvpn enable
-/​etc/​init.d/​openvpn start +/​etc/​init.d/​openvpn start</​code>​
-</​code>​Depending on the server you are connecting to, it may be prudent to use OpenVPN'​s route-nopull option to prevent the server from altering routes on your router (and potentially redirecting traffic inappropriately). This will require you to add the routes manually (advanced) by specifying them in the client config or by using a route-up/​down scripts. +
-</​tabbox>​ +
- +
- +
-Or alternatively drop an openvpn configuration file into /​etc/​openvpn/<​vpnName>​.conf. ​ You can test it in a shell with <​code>​openvpn /​etc/​openvpn/​myVpnName.conf</​code>​+
 ===== Configure Clients For Your Server ===== ===== Configure Clients For Your Server =====
 Create the following OpenVPN client configuration file, save it with an ''​.ovpn''​ extension in the Windows or ''​.conf''​ in the *nix and give it to your client: Create the following OpenVPN client configuration file, save it with an ''​.ovpn''​ extension in the Windows or ''​.conf''​ in the *nix and give it to your client:
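Review bot: "should be saved in an appropriately secure location" for the `auth_user_pass` file is too vague for the beginners this page targets; say concretely to keep it under /etc/openvpn next to the keys and `chmod 0600` it so only root can read it. Also, the removed sentence about testing a .conf directly with `openvpn /etc/openvpn/myVpnName.conf` was the page's only foreground troubleshooting step; moving the `enable`/`start` lines after `</tabbox>` is fine, but that test is worth keeping beside them.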
Line 276: Line 425:
  
 ===== Test the tunnel ===== ===== Test the tunnel =====
-Congratulations! Your OpenVPN ​client/server should now be operational, although ​traffic might not be sent over it yetsince we have not yet created routes to direct connections through the tunnel. ​Routes tell the client ​to try to find a given IP address (or a subnet of IPs) via a certain gateway. On *nix systemsyour current routing table can be viewed by using:<​code bash> +Congratulations! Your OpenVPN server ​or client ​should now be operational. If you are creating a server ​traffic might not be sent over it yet since we have not yet created routes to direct ​client ​connections through the tunnel. ​Before configuring our server ​to send routes ​to clientswe should verify that clients ​can connect to the server, and then ensure they can send traffic through it by pinging ​the server through ​the tunnel.
-route +
-</​code>​ +
- +
-Routes added by the client will be listed in the OpenVPN log.+
  
-Before configuring our server ​to send routes to clientswe should ​verify that clients can connect to the server, and then ensure they can send traffic through ​it by pinging ​the server through ​the tunnel.+If you created a server, ​you should ​now connect to it using an OpenVPN client compatible with your operating system. Exact instructions on how to use your client will vary by operating system, but it is generally a straightforward process of loading ​the [[#​configure_clients_for_your_server|configuration file]] and [[#​distribute_the_certificates|client keys]] made previously in the guide. Please refer to the official documentation/​manual for directions specific to your operating system'​s client.
  
 +If you created a client connection on OpenWrt instead of a server, then you should verify connectivity to the external server.
 <tabbox Traditional (TUN) Server> <tabbox Traditional (TUN) Server>
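Review bot: the `route` command and the line "Routes added by the client will be listed in the OpenVPN log" are gone from this hunk, leaving no instruction for checking what the tunnel actually installed; the new text tells the reader to verify connectivity and ping, but not how to inspect routes. Keep one of the two beside the ping check. Also, "If you are creating a server traffic might not be sent" needs a comma after "server".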
  
Line 296: Line 442:
 <tabbox Server-Bridge (TAP) Server> <tabbox Server-Bridge (TAP) Server>
 Traffic within the local subnet (192.168.7.XXX) will be routed through the VPN without any further configuration. Other traffic will be sent through the default gateway. Ping a client using:<​code bash> Traffic within the local subnet (192.168.7.XXX) will be routed through the VPN without any further configuration. Other traffic will be sent through the default gateway. Ping a client using:<​code bash>
-traceroute 192.168.7.#Example IP. Change to match your local subnet.+traceroute 192.168.7.100 #Example IP. Change to match your local subnet.
 </​code>​ </​code>​
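Review bot: the unchanged prose line says "Ping a client using:" but the command that follows is `traceroute 192.168.7.100`; filling in the placeholder octet is right, but either change the verb to "Trace the route to a client" or use `ping`. (`#Example IP` after the command is parsed as a shell comment because of the preceding space, so it is safe to leave.)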
  
Line 316: Line 462:
  
 ===== Routing Traffic ===== ===== Routing Traffic =====
 +Routes are what tell clients where to look for an IP address (or subnet). By having our server push routes to clients, we can direct their traffic through the VPN. If we don't push the route, then the client will send traffic through their normal gateway instead.
 +
 +If you are running a client instead of a server, then the server you connected to should have pushed the appropriate routes to you already. Advanced users may wish to alter this behavior.
  
 +:!: Please be aware that just because a route is not pushed doesn'​t mean the client can't add it themselves and send that traffic through the VPN anyway. That is when your firewall configuration should take effect. A notable example is our TAP configuration,​ which has no firewall rules preventing WAN access since clients are treated the same as any other LAN client.
 <tabbox Traditional (TUN) Server> <tabbox Traditional (TUN) Server>
  
Line 334: Line 484:
 The correct routes should be automatically provided by the server without additional configuration. Depending on your use case, an advanced user may wish to alter this behavior. This can be accomplished by telling the client to ignore routes pushed by the server using route-nopull,​ then adding your own. This will be highly individualized,​ but can be accomplished using this general example:<​code bash> The correct routes should be automatically provided by the server without additional configuration. Depending on your use case, an advanced user may wish to alter this behavior. This can be accomplished by telling the client to ignore routes pushed by the server using route-nopull,​ then adding your own. This will be highly individualized,​ but can be accomplished using this general example:<​code bash>
 uci set openvpn.myvpn.route_nopull='​1'​ uci set openvpn.myvpn.route_nopull='​1'​
-uci add_list openvpn.myvpn.push='route 123.456.789.0 255.255.255.0'​ +uci add_list openvpn.myvpn.route='​123.456.789.0 255.255.255.0'​ 
-uci add_list openvpn.myvpn.push='route 234.567.891.0 255.255.255.0'​ +uci add_list openvpn.myvpn.route='​234.567.891.0 255.255.255.0'​ 
-</​code>​Note that using route-nopull will cause errors ​(ex: "PUSH cannot be used in this context"​) ​to appear in the OpenVPN log when it rejects the server'​s pushed routes. This is considered normal behavior.+</​code>​Note that using route-nopull will cause errors to appear in the OpenVPN log when it rejects the server'​s pushed routes. This is considered normal behavior.
 </​tabbox>​ </​tabbox>​
  
 ===== Other Considerations ===== ===== Other Considerations =====
-When attempting to add an OpenVPN option which would normally use a hyphen (such as route-nopull), ​OpenWRT's UCI system requires you to replace the hyphen with an underscore (route_nopull).+When attempting to add an OpenVPN option which would normally use a hyphen (such as route-nopull), ​OpenWrt's UCI system requires you to replace the hyphen with an underscore (route_nopull).
  
-  * Various other configuration examples can be found here: [[https://​wiki.openwrt.org/​doc/​howto/​vpn.server.openvpn.tun]]+  * Various other configuration examples can be found here: [[doc/​howto/​vpn.server.openvpn.tun]]
   * The OpenVPN manual can be found here: [[https://​community.openvpn.net/​openvpn/​wiki/​Openvpn23ManPage|OpenVPN 2.3 man-page]]   * The OpenVPN manual can be found here: [[https://​community.openvpn.net/​openvpn/​wiki/​Openvpn23ManPage|OpenVPN 2.3 man-page]]
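Review bot: `123.456.789.0` and `234.567.891.0` in the new `route=` lines are not valid IPv4 addresses (octets above 255) and OpenVPN cannot parse them, so the example fails if pasted as-is; use the RFC 5737 documentation ranges, e.g. `'192.0.2.0 255.255.255.0'` and `'198.51.100.0 255.255.255.0'`. The switch from `push='route ...'` to `route='...'` itself is correct, since `push` is a server-side option and a client that sets `route-nopull` must add its own `route` lines, and that reason is worth one sentence in the prose.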
  
Line 355: Line 505:
  
 ===== Asking for help ===== ===== Asking for help =====
-You can ask for help on the OpenWrt forum: [[https://​forum.openwrt.org/​]]. ​ +You can ask for help on the OpenWrt forum: [[https://​forum.openwrt.org/​]].
  
 When asking for help, you should at a minimum include the contents of the following files: When asking for help, you should at a minimum include the contents of the following files:
Line 363: Line 513:
 cat /​etc/​config/​firewall cat /​etc/​config/​firewall
 cat /​etc/​config/​openvpn cat /​etc/​config/​openvpn
-</​code>​ 
- 
-===== Additions ===== 
-You may create text config file, for example /​etc/​openvpn/​server,​ /​etc/​openvpn/​client and next include it in the openvpn instance in the /​etc/​config/​openvpn:​ 
-<​code>​uci set openvpn.myvpnserver.config=/​etc/​openvpn/​myvpnserver.conf</​code>​ 
-You may use included file and other tokens simultaneous,​ for example: 
-<​code>​ 
-uci set openvpn.myvpnserverudp.config=/​etc/​openvpn/​common.conf 
-uci set openvpn.myvpnserverudp.proto=udp 
-uci set openvpn.myvpnservertcp.config=/​etc/​openvpn/​common.conf 
-uci set openvpn.myvpnservertcp.proto=tcp 
 </​code>​ </​code>​
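Review bot: the UCI `config` option loses its only example on the page with this deletion (`uci set openvpn.myvpnserver.config=/etc/openvpn/myvpnserver.conf`, and the udp/tcp pair that mixes an included file with per-instance `proto`); the new paragraph at the top of "Configure OpenVPN" says both UCI and .conf files work but no longer shows how they combine, so either keep this section or fold that example into that paragraph.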
doc/howto/vpn.openvpn.1480730608.txt.bz2 · Last modified: 2016/12/03 03:03 by ExaltedVanguard