doc:howto:vpn.openvpn
This wiki is read only and for archival purposes only. Please use the new OpenWrt wiki at https://openwrt.org/

Differences

This shows you the differences between two versions of the page.

doc:howto:vpn.openvpn [2017/08/08 22:19]
zxdavb [Using openssl commands (most secure)]
doc:howto:vpn.openvpn [2018/01/30 00:07] (current)
numbers warned about weak ciphers and provided link to newer howto
Line 1: Line 1:
 +<WRAP centeralign><​wrap danger>​This HOWTO will leave your VPN using several ciphers that are weak and exploitable as per the SWEET32 attack. [[openvpn-streamlined-server-setup|OpenVPN Server HowTo (Streamlined)]] is a more modern alternative.</​wrap></​WRAP>​
 +
 ====== OpenVPN Setup Guide for Beginners ====== ​ ====== OpenVPN Setup Guide for Beginners ====== ​
 This is a beginner'​s guide to setting up an OpenVPN connection on OpenWrt. This is a beginner'​s guide to setting up an OpenVPN connection on OpenWrt.
Line 18: Line 20:
 It should be noted that using a TAP adapter is not a synonym for server-bridging,​ however a TAP adapter is required for server-bridging,​ whereas TUN is almost always superior if not bridging. For the sake of simplicity, we will use these terms interchangeably,​ since comparing the terms "​server"​ and "​server-bridge"​ could cause confusion. TUN will be used to refer to a traditional server and TAP will refer to a server-bridge configuration. It should be noted that using a TAP adapter is not a synonym for server-bridging,​ however a TAP adapter is required for server-bridging,​ whereas TUN is almost always superior if not bridging. For the sake of simplicity, we will use these terms interchangeably,​ since comparing the terms "​server"​ and "​server-bridge"​ could cause confusion. TUN will be used to refer to a traditional server and TAP will refer to a server-bridge configuration.
  
-While it is possible to configure OpenVPN on OpenWRT ​using a remote connection (through SSH, for example), it is recommended that testing is performed locally with the Default (TUN) Server, as this will simplify any troubleshooting. If using a TAP server, it is better to test with a remote connection if possible since a server-bridge connection will use the same subnet and your client will be assigned two IP addresses on the same network (which may or may not cause connectivity issues).+While it is possible to configure OpenVPN on OpenWrt ​using a remote connection (through SSH, for example), it is recommended that testing is performed locally with the Default (TUN) Server, as this will simplify any troubleshooting. If using a TAP server, it is better to test with a remote connection if possible since a server-bridge connection will use the same subnet and your client will be assigned two IP addresses on the same network (which may or may not cause connectivity issues).
  
 A TUN server has less overhead, and will only send traffic destined for the client, where a TAP server is less efficient and will send broadcast packets to the clients. A TUN server has less overhead, and will only send traffic destined for the client, where a TAP server is less efficient and will send broadcast packets to the clients.
Line 28: Line 30:
 A TAP server integrates clients into the network in a more seamless manner, and can simplify the process for setting up a variety of network applications. However, such integration may come at the price of security. Please note that regardless of method chosen, setting up proper firewall rules is essential for proper security, and is far more important than the discrimination between TUN and TAP servers. A TAP server integrates clients into the network in a more seamless manner, and can simplify the process for setting up a variety of network applications. However, such integration may come at the price of security. Please note that regardless of method chosen, setting up proper firewall rules is essential for proper security, and is far more important than the discrimination between TUN and TAP servers.
  
-:!: If using a TAP server, it is highly recommended that you change your DHCP subnet to something other than 192.168.**0**.XXX or 192.168.**1**.XXX. These are very common and will cause routing conflicts and connectivity issues if you attempt to connect from a client attached to a router utilizing the same subnet. This can generally be accomplished by changing the IP address of the OpenWRT/OpenVPN router to something like 192.168.**7**.1+:!: If using a TAP server, it is highly recommended that you change your DHCP subnet to something other than 192.168.**0**.XXX or 192.168.**1**.XXX. These are very common and will cause routing conflicts and connectivity issues if you attempt to connect from a client attached to a router utilizing the same subnet. This can generally be accomplished by changing the IP address of the OpenWrt/OpenVPN router to something like 192.168.**7**.1
 ===== Prerequisites ===== ===== Prerequisites =====
 This HOWTO requires that the OpenVPN server is an OpenWrt router running OpenWrt 15.05 Chaos Calmer. This HOWTO requires that the OpenVPN server is an OpenWrt router running OpenWrt 15.05 Chaos Calmer.
Line 37: Line 39:
 opkg install openvpn-openssl openvpn-easy-rsa opkg install openvpn-openssl openvpn-easy-rsa
 </​code>​ </​code>​
-:!: Note that although the **easy-rsa** package uses the latest version of openssl, its bash scripts are from 2013 (execute: ​**opkg list | grep easy-rsa**); this may not be '​secure'​ enough for you (for example, 2048-bit keys were considered unbreakable in 2013). ​ For this reason, you may want to consider the alternative means of creating the client/​server certificates,​ below (just know that using easy-rsa is a lot '​easier'​).+:!: Note that although the **easy-rsa** package uses the latest version of openssl, its bash scripts are from 2013 (execute: ​''​opkg list | grep easy-rsa''​); this may not be '​secure'​ enough for you (for example, 2048-bit keys were considered unbreakable in 2013). For this reason, you may want to consider the alternative means of creating the client/​server certificates,​ below (just know that using easy-rsa is a lot '​easier'​).
  
 ===== Create the certificates ===== ===== Create the certificates =====
 If you are creating an OpenVPN server (either type), you must create security certificates using the instructions below. If you are using OpenVPN as a client, the required certificates should have been provided with your configuration details. If you are creating an OpenVPN server (either type), you must create security certificates using the instructions below. If you are using OpenVPN as a client, the required certificates should have been provided with your configuration details.
  
-Each of these options ​create a server certificate named //​my-server//​ and a client certificate named //​my-client//​. ​ The first two are roughly the same, the third option ​is most secure, but is 'complicated' I suggest you get your tunnel working using easy-rsa scripts first, then try the most '​secure'​ method after that.+Each of these methods ​create a server certificate named //​my-server//​ and a client certificate named //​my-client//​. The first two methods ​are roughly the same, the third method ​is arguably more 'secure', but is also somewhat more complicated ​(and thus prone to mistakes). I suggest you get your tunnel working using easy-rsa scripts first, then try the most '​secure'​ method after that.
  
 <tabbox Using easy-rsa scripts (easiest)>​ <tabbox Using easy-rsa scripts (easiest)>​
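Review bot: the reworded "Each of these methods create a server certificate" line keeps a subject-verb error; it should read "Each of these methods creates". In the same hunk, the easy-rsa note's example contradicts its own point: "2048-bit keys were considered unbreakable in 2013" is offered as evidence that the 2013 scripts may not be secure enough, yet it argues the opposite; rephrase to what actually dates the scripts (their defaults reflect 2013 practice) or drop the parenthetical. The switch from **...** to ''opkg list | grep easy-rsa'' is the right markup for a command.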
Line 54: Line 56:
 The above creates a server certificate named //​my-server//​ and a client certificate named //​my-client//​. You can create multiple client certificates by running ''​build-key-pkcs12''​ multiple times and specifying different names. The above creates a server certificate named //​my-server//​ and a client certificate named //​my-client//​. You can create multiple client certificates by running ''​build-key-pkcs12''​ multiple times and specifying different names.
  
-You can create a new set of certificates by running ''​clean-all''​ and then the above commands again.ls+You can create a new set of certificates by running ''​clean-all''​ and then the above commands again.
  
 <tabbox Using pkitool from easy-rsa>​ <tabbox Using pkitool from easy-rsa>​
Line 86: Line 88:
   PKI_CNF=${PKI_DIR}/​openssl.cnf   PKI_CNF=${PKI_DIR}/​openssl.cnf
   ​   ​
-  sed -i '/​^dir/ ​  ​s:​=.*:​= /root/​ssl:' ​                     ${PKI_CNF}+  sed -i '/​^dir/ ​  ​s:​=.*:​= /etc/openvpn/​ssl:' ​                     ${PKI_CNF}
   sed -i '/​.*Name/​ s:= match:= optional:' ​                   ${PKI_CNF}   sed -i '/​.*Name/​ s:= match:= optional:' ​                   ${PKI_CNF}
  
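Review bot: the new `dir` value in the sed line is hard-coded as /etc/openvpn/ssl while the surrounding block derives its paths from ${PKI_DIR} (see PKI_CNF=${PKI_DIR}/openssl.cnf); if the two are meant to be the same directory, openssl.cnf will silently point elsewhere whenever PKI_DIR is changed. Suggest expanding the variable instead, e.g. `sed -i "/^dir/ s:=.*:= ${PKI_DIR}:" ${PKI_CNF}`.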
Line 173: Line 175:
  
  
-### Step 5: Copy the client certificate from the server to the client (e.g. via a USB stick, or using the scp utility). ​+### Step 5: Copy the client certificate from the server to the client (e.g. via a USB stick, or using the scp utility).
 #  ssh -y root@192.168.1.234 'mkdir -p /​etc/​openvpn'​ #  ssh -y root@192.168.1.234 'mkdir -p /​etc/​openvpn'​
 #  scp ${OVPN_FILE} root@192.168.1.234:/​etc/​openvpn #  scp ${OVPN_FILE} root@192.168.1.234:/​etc/​openvpn
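Review bot: the `ssh -y` line in Step 5 should be explained while the step is being edited: on OpenWrt's dropbear client `-y` accepts an unknown host key without prompting, a trust-on-first-use decision the reader should make knowingly (with OpenSSH the same flag only redirects logging to syslog), so either state what the flag does or omit it and let the reader confirm the host key. The commands are also prefixed with `#` inside the code block, i.e. they are comments to be copied by hand; say so explicitly.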
Line 181: Line 183:
 ===== Distribute the certificates ===== ===== Distribute the certificates =====
 Copy your server keys to the /​etc/​openvpn directory so that they don't get overwritten. Copy your server keys to the /​etc/​openvpn directory so that they don't get overwritten.
 +
 +<tabbox Using easy-rsa Scripts>
 <​code>​ <​code>​
 cp /​etc/​easy-rsa/​keys/​ca.crt /​etc/​easy-rsa/​keys/​my-server.* /​etc/​easy-rsa/​keys/​dh2048.pem /​etc/​openvpn cp /​etc/​easy-rsa/​keys/​ca.crt /​etc/​easy-rsa/​keys/​my-server.* /​etc/​easy-rsa/​keys/​dh2048.pem /​etc/​openvpn
Line 188: Line 192:
 scp /​etc/​easy-rsa/​keys/​ca.crt /​etc/​easy-rsa/​keys/​my-client.* root@CLIENT_IP_ADDRESS:/​etc/​openvpn scp /​etc/​easy-rsa/​keys/​ca.crt /​etc/​easy-rsa/​keys/​my-client.* root@CLIENT_IP_ADDRESS:/​etc/​openvpn
 </​code>​ </​code>​
 +<tabbox Using OpenSSL Commands> ​
 +
 +<​code>​
 +cp /​etc/​openvpn/​ssl/​ca.crt /​etc/​openvpn/​ssl/​my-server.* /​etc/​openvpn/​ssl/​dh2048.pem /​etc/​openvpn
 +</​code>​
 +Copy the client keys to your SSH machine so you can distribute it to your intended client. This is just a reference for ease of use - these keys can be distributed in whatever way is most convenient (i.e. USB drive).
 +<​code>​
 +scp /​etc/​openvpn/​ssl/​ca.crt /​etc/​openvpn/​ssl/​my-client.* root@CLIENT_IP_ADDRESS:/​etc/​openvpn
 +</​code>​
 +</​tabbox>​
  
 ===== Configure the network on the OpenWrt router ===== ===== Configure the network on the OpenWrt router =====
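Review bot: in the new "Using OpenSSL Commands" tab, the sentence "Copy the client keys to your SSH machine so you can distribute it to your intended client" disagrees with the command beneath it, which copies the files straight to root@CLIENT_IP_ADDRESS:/etc/openvpn; either say "copy them directly to the client" or change the command's destination, and "distribute it" should be "distribute them". Since the my-server.* and my-client.* globs include the private keys, a one-line reminder to keep restrictive permissions on the copied files in /etc/openvpn would round out both tabs.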
Line 295: Line 309:
  
 ===== Configure OpenVPN ===== ===== Configure OpenVPN =====
-OpenVPN can be configured either by using OpenWRT's UCI interface, or via traditional OpenVPN configuration (*.conf) files. OpenVPN will automatically attempt to load all *.conf files placed in the /​etc/​openvpn folder.+OpenVPN can be configured either by using OpenWrt's UCI interface, or via traditional OpenVPN configuration (*.conf) files. OpenVPN will automatically attempt to load all *.conf files placed in the /​etc/​openvpn folder.
  
 Users familiar with OpenVPN will likely prefer to use configuration files, and this option is likely simpler to manage for those planning to run multiple OpenVPN instances. Users familiar with OpenVPN will likely prefer to use configuration files, and this option is likely simpler to manage for those planning to run multiple OpenVPN instances.
  
-For the sake of simplicity and consistency,​ the remainder of this guide will use the OpenWRT ​UCI interface to configure OpenVPN, as detailed below. Of note, the [[#routing traffic|Routing Traffic section]] contains instructions applying to the UCI interface (users utilizing configuration files will need to modify those instructions).+For the sake of simplicity and consistency,​ the remainder of this guide will use the OpenWrt ​UCI interface to configure OpenVPN, as detailed below. Of note, the [[#routing traffic|Routing Traffic section]] contains instructions applying to the UCI interface (users utilizing configuration files will need to modify those instructions).
  
 <tabbox Traditional (TUN) Server> <tabbox Traditional (TUN) Server>
Line 476: Line 490:
  
 ===== Other Considerations ===== ===== Other Considerations =====
-When attempting to add an OpenVPN option which would normally use a hyphen (such as route-nopull), ​OpenWRT's UCI system requires you to replace the hyphen with an underscore (route_nopull).+When attempting to add an OpenVPN option which would normally use a hyphen (such as route-nopull), ​OpenWrt's UCI system requires you to replace the hyphen with an underscore (route_nopull).
  
   * Various other configuration examples can be found here: [[doc/​howto/​vpn.server.openvpn.tun]]   * Various other configuration examples can be found here: [[doc/​howto/​vpn.server.openvpn.tun]]
Line 491: Line 505:
  
 ===== Asking for help ===== ===== Asking for help =====
-You can ask for help on the OpenWrt forum: [[https://​forum.openwrt.org/​]]. ​ +You can ask for help on the OpenWrt forum: [[https://​forum.openwrt.org/​]].
  
 When asking for help, you should at a minimum include the contents of the following files: When asking for help, you should at a minimum include the contents of the following files:
doc/howto/vpn.openvpn.1502223581.txt.bz2 · Last modified: 2017/08/08 22:19 by zxdavb