doc:howto:vpn.openvpn
This wiki is read only and for archival purposes only. Please use the new OpenWrt wiki at https://openwrt.org/

Differences

This shows you the differences between two versions of the page.

doc:howto:vpn.openvpn [2017/08/09 00:08]
tmomas OpenWrt spelling
doc:howto:vpn.openvpn [2018/01/30 00:07] (current)
numbers warned about weak ciphers and provided link to newer howto
Line 1: Line 1:
 +<WRAP centeralign><​wrap danger>​This HOWTO will leave your VPN using several ciphers that are weak and exploitable as per the SWEET32 attack. [[openvpn-streamlined-server-setup|OpenVPN Server HowTo (Streamlined)]] is a more modern alternative.</​wrap></​WRAP>​
 +
 ====== OpenVPN Setup Guide for Beginners ====== ​ ====== OpenVPN Setup Guide for Beginners ====== ​
 This is a beginner'​s guide to setting up an OpenVPN connection on OpenWrt. This is a beginner'​s guide to setting up an OpenVPN connection on OpenWrt.
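Review bot: the new danger box says the guide leaves "several ciphers that are weak" but names none of them and does not say which setting is involved, so a reader who keeps following this page cannot tell what to change; name the affected cipher(s) and the `cipher` option (SWEET32 concerns 64-bit block ciphers such as Blowfish and 3DES), or at least say what the linked streamlined HOWTO does differently. Minor: the box sits above the `====== ... ======` title, so it renders before the page heading; placing it directly under the title keeps the heading as the first element.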
Line 42: Line 44:
 If you are creating an OpenVPN server (either type), you must create security certificates using the instructions below. If you are using OpenVPN as a client, the required certificates should have been provided with your configuration details. If you are creating an OpenVPN server (either type), you must create security certificates using the instructions below. If you are using OpenVPN as a client, the required certificates should have been provided with your configuration details.
  
-Each of these options ​create a server certificate named //​my-server//​ and a client certificate named //​my-client//​. The first two are roughly the same, the third option ​is most secure, but is 'complicated'. I suggest you get your tunnel working using easy-rsa scripts first, then try the most '​secure'​ method after that.+Each of these methods ​create a server certificate named //​my-server//​ and a client certificate named //​my-client//​. The first two methods ​are roughly the same, the third method ​is arguably more 'secure', but is also somewhat more complicated ​(and thus prone to mistakes). I suggest you get your tunnel working using easy-rsa scripts first, then try the most '​secure'​ method after that.
  
 <tabbox Using easy-rsa scripts (easiest)>​ <tabbox Using easy-rsa scripts (easiest)>​
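Review bot: subject-verb agreement in the changed sentence: "Each of these methods create" should be "Each of these methods creates" (the old wording had the same fault). The rewrite also softens the third method to "arguably more 'secure'" while the unchanged closing sentence still calls it "the most 'secure' method", so the paragraph now disagrees with itself; either state why the third method is considered more secure, or align the closing sentence with the new wording.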
Line 86: Line 88:
   PKI_CNF=${PKI_DIR}/​openssl.cnf   PKI_CNF=${PKI_DIR}/​openssl.cnf
   ​   ​
-  sed -i '/​^dir/ ​  ​s:​=.*:​= /root/​ssl:' ​                     ${PKI_CNF}+  sed -i '/​^dir/ ​  ​s:​=.*:​= /etc/openvpn/​ssl:' ​                     ${PKI_CNF}
   sed -i '/​.*Name/​ s:= match:= optional:' ​                   ${PKI_CNF}   sed -i '/​.*Name/​ s:= match:= optional:' ​                   ${PKI_CNF}
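Review bot: the changed sed hard-codes `/etc/openvpn/ssl` as the OpenSSL `dir` value, while the line above derives `PKI_CNF` from `${PKI_DIR}`; if `PKI_DIR` is that same directory (which the later copy commands from `/etc/openvpn/ssl/` suggest), the two can drift apart and the generated certificates would land somewhere other than where the copy step looks. Use the variable so they cannot disagree, e.g. `sed -i "/^dir/ s:=.*:= ${PKI_DIR}:" ${PKI_CNF}` (double quotes so the variable expands).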
  
Line 181: Line 183:
 ===== Distribute the certificates ===== ===== Distribute the certificates =====
 Copy your server keys to the /​etc/​openvpn directory so that they don't get overwritten. Copy your server keys to the /​etc/​openvpn directory so that they don't get overwritten.
 +
 +<tabbox Using easy-rsa Scripts>
 <​code>​ <​code>​
 cp /​etc/​easy-rsa/​keys/​ca.crt /​etc/​easy-rsa/​keys/​my-server.* /​etc/​easy-rsa/​keys/​dh2048.pem /​etc/​openvpn cp /​etc/​easy-rsa/​keys/​ca.crt /​etc/​easy-rsa/​keys/​my-server.* /​etc/​easy-rsa/​keys/​dh2048.pem /​etc/​openvpn
Line 188: Line 192:
 scp /​etc/​easy-rsa/​keys/​ca.crt /​etc/​easy-rsa/​keys/​my-client.* root@CLIENT_IP_ADDRESS:/​etc/​openvpn scp /​etc/​easy-rsa/​keys/​ca.crt /​etc/​easy-rsa/​keys/​my-client.* root@CLIENT_IP_ADDRESS:/​etc/​openvpn
 </​code>​ </​code>​
 +<tabbox Using OpenSSL Commands> ​
 +
 +<​code>​
 +cp /​etc/​openvpn/​ssl/​ca.crt /​etc/​openvpn/​ssl/​my-server.* /​etc/​openvpn/​ssl/​dh2048.pem /​etc/​openvpn
 +</​code>​
 +Copy the client keys to your SSH machine so you can distribute it to your intended client. This is just a reference for ease of use - these keys can be distributed in whatever way is most convenient (i.e. USB drive).
 +<​code>​
 +scp /​etc/​openvpn/​ssl/​ca.crt /​etc/​openvpn/​ssl/​my-client.* root@CLIENT_IP_ADDRESS:/​etc/​openvpn
 +</​code>​
 +</​tabbox>​
  
 ===== Configure the network on the OpenWrt router ===== ===== Configure the network on the OpenWrt router =====
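Review bot: the new OpenSSL tab copies `my-client.*`, which includes the client's private key, and the added sentence says these files can be "distributed in whatever way is most convenient"; state that the key belongs to that one client only, that the server keeps no copy of it, and that the files should be readable only by root once they arrive (e.g. `chmod 600 /etc/openvpn/my-client.key` on the client) so the convenience remark is not read as licence to leave the key in a shared location. Wording in the same sentence: "distribute it to your intended client" should be "distribute them" (the keys are plural), and "(i.e. USB drive)" should be "(e.g. a USB drive)" since it is one example, not a restatement.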
doc/howto/vpn.openvpn.1502230128.txt.bz2 · Last modified: 2017/08/09 00:08 by tmomas