User Tools

Site Tools

This wiki is read only and for archival purposes only. >>>>>>>>>> Please use the new OpenWrt wiki at <<<<<<<<<<

Using OpenWrt as an OpenVPN server with a TAP device (with bridging)

:!: There are many redundant wiki pages relating to configuring OpenVPN on OpenWrt. Some are better than others, and others are an out-of-date muddled mess. For a reasonably complete / up-to-date guide to installing, configuring and troubleshooting OpenVPN clients & servers on OpenWrt (including creating a simple PKI), could I suggest you consider starting with vpn.openvpn instead of this wiki. :!:

It is not that the other wikis aren't worth reading; it is just that (IMHO) vpn.openvpn is a better place to start (it has been rewritten from scratch just a few weeks ago). Maybe you could improve it further? In this instance, this wiki has several minor issues (as at May 2014), such as advocating TAP rather than TUN where TUN would, in most cases, be preferable. If you definitely want TAP rather than TUN, then vpn.openvpn might still be a useful place to visit.

For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit vpn.overview

Install OpenVPN

opkg install openvpn-openssl

is all that is needed for the OpenSSL build which should be fine for most people. Though, recently the openvpn package has been split into different flavors. To see all of them listed type

opkg update
opkg list | grep openvpn

Generate keys

Follow the official documentation.

You can also installopenvpn-easy-rsa package for OpenWRT and generate the keys on the router itself:

opkg update
opkg install openvpn-easy-rsa

Setup Server

First we need to make sure that OpenVPN connections to port 1194 are not blocked by the firewall on OpenWRT. Edit /etc/config/firewall and add the following.

config 'rule'
        option 'name' 'openvpn-udp'
        option 'src' 'wan' 
        option 'target' 'ACCEPT'
        option 'proto' 'udp'   
        option 'dest_port' '1194'

Bridge the tap interface you will be using with your lan interface by adding the following two lines to the respective section in /etc/config/network. This assumes your lan consists of wifi interface called wlan0 that will be bridged with tap0 interface used by OpenVPN.

config interface 'lan'
	option type 'bridge'
	option ifname 'wlan0 tap0'

Next comes the OpenVPN server config file:

config 'openvpn' 'your_name'
        option 'enable' '1'
	option 'tls_server' '1'
	option 'port' '1194' # to bypass restrictive firewalls, you might consider running OpenVPN on port 443 or 22
	option 'proto' 'udp' # TCP might be more reliable but slower; if you change this to tcp, change the firewall rule as well
	option 'dev' 'tap0'
	option 'ca' '/path/to/ca.crt'
	option 'cert' '/path/to/server.crt'
	option 'key' '/path/to/server.key'
	option 'dh' '/path/to/dh1024.pem'
	option 'server_bridge' '' # this assumes the lan is and will give out address in range
	list 'push' 'dhcp-option DNS' # this will make the clients use openwrt for DNS resolution
	list 'push' 'redirect-gateway def1' # this redirects all traffic over vpn
	option 'client_to_client' '1'
	option 'comp_lzo' 'yes'
	option 'keepalive' '10 120'
	option 'status' '/tmp/openvpn_tap0.status'
	option 'persist_key' '1'
	option 'persist_tun' '1'
	option 'verb' '3'
	option 'mute' '20'

Configure Client

Client configuration must correspond with the server configuration. Something like this with the IP address of the VPN server should work:

dev tap
proto udp
remote Your.IP.Goes.Here 1194
resolv-retry infinite
verb 3
keepalive 10 120

Wrap Up

If your setup did not work then it is time to start reading the quite excellent OpenVPN documentation. The #openvpn channel on Freenode is also quite helpful.

If your setup is working fine then the only remaining step is to automate the startup of the OpenVPN server on the OpenWRT machine. To this end create the following file and make sure it is executable:

In Backfire 10.03.1 edit /etc/init.d/openvpn and add the following above the "append_param()" function:

# Make sure tun/tap devices are present /etc/openvpnbridge

This is not needed in Attitude Adjustment

Then enable openvpn to start on boot with:

/etc/init.d/openvpn enable

Static leases

Put this into your /etc/config/opevpn:

option topology subnet
option 'ifconfig_pool_persist' '/etc/openvpn/ipp.txt 0'

/etc/openvpn/ipp.txt has this format:

CN, # CN is the COMMON NAME specified in the clients security certificate

doc/howto/vpn.server.openvpn.tap.txt · Last modified: 2016/07/19 21:00 by MrBW