doc:howto:vpn.server.openvpn.tap

Differences

doc:howto:vpn.server.openvpn.tap [2013/10/28 08:27]
lorema
doc:howto:vpn.server.openvpn.tap [2014/06/05 12:04] (current)
masnia
Line 1: Line 1:
 ====== How to setup OpenVPN with bridging ====== ====== How to setup OpenVPN with bridging ======
 +| :!: There are many redundant wiki pages relating to configuring OpenVPN on OpenWrt. ​ Some are better than others, and others are an out-of-date muddled mess.  For a reasonably complete / up-to-date guide to installing, configuring and troubleshooting OpenVPN clients & servers on OpenWrt (including creating a simple PKI), could I suggest you consider starting with [[doc/​howto/​vpn.openvpn]] instead of this wiki. :!: |
 +
 +It is not that the other wikis aren't worth reading; it is just that (IMHO) [[doc/​howto/​vpn.openvpn]] is a better place to start (it has been rewritten from scratch just a few weeks ago).  Maybe you could improve it further? ​ In this instance, this wiki has several minor issues (as at May 2014), such as advocating TAP rather than TUN where TUN would, in most cases, be preferable. ​ If you definitely want TAP rather than TUN, then [[doc/​howto/​vpn.openvpn]] might still be a useful place to visit.
 +
 | For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit [[doc/​howto/​vpn.overview]] | | For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit [[doc/​howto/​vpn.overview]] |
  
-===== Step 1: Install ​Software ​=====+===== Install ​OpenVPN ​=====
 <code bash> <code bash>
 opkg install openvpn-openssl opkg install openvpn-openssl
Line 10: Line 14:
  
 <code bash> <code bash>
 +opkg update
 opkg list | grep openvpn opkg list | grep openvpn
 </​code>​ </​code>​
  
-Windows users can either download the standard OpenVPN distribution or get the GUI version from here: http://​openvpn.se/​download.html . Non-Windows clients just follow the OpenVPN install instructions. 
  
 +===== Generate keys =====
 +Follow the [[official documentation|http://​openvpn.net/​index.php/​open-source/​documentation/​howto.html#​pki]].
  
-===== Step 2: Generate Static Key ===== +You can also install''​openvpn-easy-rsa''​ package for OpenWRT and generate ​the keys on the router itself:
-Windows users click the icon to generate a static key. Everyone else run: +
- +
-<code bash> +
-# openvpn --genkey --secret static.key +
-</​code>​ +
- +
-This only needs to be done once and then copied to all machines to be part of the VPN. I suggest placing the key file in /etc on the OpenWRT computer and leaving in the default place on Windows.  +
- +
-An alternative way is to install ''​openvpn-easy-rsa''​ package for OpenWRT and do this batch: +
- +
-<code bash> +
-# ssh 192.168.1.1 (make sure to use the correct IP address of your router) +
-# cd /​etc/​easy-rsa +
-# nano vars +
-</​code>​ +
- +
-<code bash> +
-#​*OPTIONAL* +
-#(Comment out the following lines if you do not want your certificates to expire) +
-export CA_EXPIRE=3650 +
-export KEY_EXPIRE=3650 +
- +
-#(Change these last lines to suit your own country etc) +
-export KEY_COUNTRY="​US"​ +
-export KEY_PROVINCE="​CA"​ +
-export KEY_CITY="​SanFrancisco"​ +
-export KEY_ORG="​Fort-Funston"​ +
-export KEY_EMAIL="​me@myhost.mydomain"​ +
- +
-build-ca +
-build-dh +
-build-key-server server +
-build-key client +
-</​code>​ +
- +
-//This snippet code was copied from [[http://​wiki.openwrt.org/​inbox/​vpn.howto]].//​ +
- +
-===== Step 3: Setup Server ===== +
-First we need to make sure that OpenVPN connections to port 1194 are not blocked by the firewall ​on OpenWRT. ​ Add the following two lines after the section allowing WAN SSH access: +
 <​code>​ <​code>​
-### Allow SSH from WAN  +opkg update 
-iptables ​-t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT +opkg install openvpn-easy-rsa
-iptables ​       -A input_rule ​     -i $WAN -p tcp --dport 22 -j ACCEPT +
- +
-### Allow OpenVPN connections +
-iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 1194 -j ACCEPT +
-iptables ​       -A input_rule ​     -i $WAN -p udp --dport 1194 -j ACCEPT +
- +
-### Port forwarding +
-# Add your stuff here+
 </​code>​ </​code>​
  
-Alternatively you can edit /​etc/​config/​firewall and add the following ​to the end.  ​This has the added benefit of causing the firewall rules for ssh and OpenVPN to appear in the LuCI configuration interface. +===== Setup Server ===== 
 +First we need to make sure that OpenVPN connections to port 1194 are not blocked by the firewall on OpenWRT. Edit /​etc/​config/​firewall and add the following.  ​
 <​code>​ <​code>​
 config '​rule'​ config '​rule'​
-        option 'target'​ '​ACCEPT'​ +        option 'name' '​openvpn-udp'​
-        option '​src'​ '​wan'​  +
-        option '​proto'​ '​tcp' ​  +
-        option '​dest_port'​ '​22'​ +
-        option '​_name'​ '​ssh-wan'​ +
-                                  +
-config '​rule'​ +
-        option '_name' '​openvpn-udp'​+
         option '​src'​ '​wan' ​         option '​src'​ '​wan' ​
         option '​target'​ '​ACCEPT'​         option '​target'​ '​ACCEPT'​
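Review bot: the link in the new "Generate keys" section has its parts the wrong way round for DokuWiki, which expects `[[target|label]]`; `[[official documentation|http://openvpn.net/index.php/open-source/documentation/howto.html#pki]]` will render the prose as the target, so swap them to `[[http://openvpn.net/index.php/open-source/documentation/howto.html#pki|official documentation]]`. The new text also promises you can "generate the keys on the router itself", but the replacement code block only runs `opkg update` and `opkg install openvpn-easy-rsa`; the removed block's `cd /etc/easy-rsa`, edit of `vars`, and `build-ca` / `build-dh` / `build-key-server server` / `build-key client` steps are what actually produced the CA, DH parameters and certificates, so either keep those commands or say where the reader finds them. Minor: `install''openvpn-easy-rsa''` is missing the space before the opening quotes. Dropping the unrelated `ssh-wan` rule from the firewall example is a good change: it was not needed for OpenVPN and exposed SSH on the WAN side.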
Line 88: Line 39:
 </​code>​ </​code>​
  
-Some HOWTOs elsewhere on the web recommend ​the following in /etc/firewall.rules: +Bridge ​the tap interface you will be using with your lan interface by adding ​the following ​two lines to the respective section ​in /etc/config/​network. This assumes your lan consists of wifi interface called wlan0 that will be bridged with tap0 interface used by OpenVPN.
 <​code>​ <​code>​
-iptables -I OUTPUT -o tap+ -j ACCEPT +config interface '​lan'​ 
-iptables -I INPUT -i tap+ -j ACCEPT + option type '​bridge'​ 
- + option ifname 'wlan0 tap0'
-iptables -I FORWARD -o tap+ -j ACCEPT +
-iptables -I FORWARD -i tap+ -j ACCEPT+
 </​code>​ </​code>​
- 
- 
-Next we need to add the script to start the bridge: 
- 
-<code bash> 
-#!/bin/sh 
- 
-#/​etc/​openvpnbridge 
-# OpenVPN Bridge Config File 
-# Creates TAP devices for use by OpenVPN and bridges them into OpenWRT Bridge 
-# Taken from http://​openvpn.net/​bridge.html 
- 
-# Make sure module is loaded 
-insmod tun 
- 
-# Define Bridge Interface 
-# Preexisting on OpenWRT 
-br="​br0"​ 
- 
-# Define list of TAP interfaces to be bridged, 
-# for example tap="​tap0 tap1 tap2". 
-tap="​tap0"​ 
- 
-# Build tap devices 
-for t in $tap; do 
-    openvpn --mktun --dev $t 
-done 
- 
-# Add TAP interfaces to OpenWRT bridge 
- 
-for t in $tap; do 
-    brctl addif $br $t 
-done 
- 
-#Configure bridged interfaces 
- 
-for t in $tap; do 
-    ifconfig $t 0.0.0.0 promisc up 
-done 
-</​code>​ 
- 
-This file will create the OpenVPN tap devices and add them to the default OpenWRT ethernet/​wifi bridge. As indicated I call it ''/​etc/​openvpnbridge''​. Make sure to ''​chmod +x''​ to ensure that it is executable. ​ 
  
 Next comes the OpenVPN server config file: Next comes the OpenVPN server config file:
  
-<​code ​ini+<​code>​ 
-# Which TCP/​UDP ​port should ​OpenVPN ​listen ​on+config '​openvpn'​ '​your_name'​ 
-port 1194 +        option '​enable'​ '​1'​ 
- + option '​tls_server'​ '​1'​ 
-# TCP or UDP server? + option 'port' '​1194'​ # to bypass restrictive firewalls, you might consider running ​OpenVPN on port 443 or 22 
-proto udp + option 'proto' 'udp' ​TCP might be more reliable but slower; if you change this to tcp, change the firewall rule as well 
- + option 'dev' '​tap0'​ 
-"dev tap" will create an ethernet tunnel. + option '​ca'​ '/​path/​to/​ca.crt'​ 
-dev tap + option '​cert'​ '/​path/​to/​server.crt'​ 
- + option '​key'​ '/​path/​to/​server.key'​ 
- + option '​dh'​ '//​path/​to/dh1024.pem' 
-# The keepalive directive causes ping-like + option '​server_bridge'​ '​192.168.1.1 255.255.255.0 192.168.1.220 192.168.1.229' ​this assumes ​the lan is 192.168.1.1/24 and will give out address ​in range 192.168.1.220-229 
-# messages ​to be sent back and forth over + list '​push'​ 'dhcp-option DNS 192.168.1.1' ​this will make the clients use openwrt for DNS resolution 
-# the link so that each side knows when + list '​push'​ '​redirect-gateway def1' ​this redirects all traffic over vpn 
-# the other side has gone down+ option '​client_to_client'​ '​1'​ 
-# Ping every 10 seconds, assume that remote + option '​comp_lzo'​ '​yes'​ 
-# peer is down if no ping received during + option '​keepalive'​ '10 120' 
-# a 120 second time period. + option 'status' '/​tmp/​openvpn_tap0.status' 
-keepalive 10 120 + option '​persist_key'​ '​1'​ 
- + option '​persist_tun'​ '​1'​ 
-Enable compression on the VPN link. + option 'verb' '3' 
-# If you enable it here, you must also + option 'mute' '20'
-# enable it in the client config file+
-;comp-lzo +
- +
-The persist options ​will try to avoid +
-accessing certain resources on restart +
-# that may no longer be accessible because +
-# of the privilege downgrade. +
-;​persist-key +
-;​persist-tun +
- +
-# Output a short status ​file showing +
-# current connections,​ truncated +
-# and rewritten every minute. +
-status ​openvpn-status.log +
- +
-# Set the appropriate level of log +
-# file verbosity. +
-+
-# 0 is silent, except for fatal errors +
-# 4 is reasonable for general usage +
-# 5 and 6 can help to debug connection problems +
-# 9 is extremely verbose +
-verb 3 +
- +
-# Silence repeating messages. ​ At most 20 +
-# sequential messages of the same message +
-# category will be output to the log. +
-;mute 20 +
- +
-#Static Key +
-secret /​etc/​openvpn.key+
 </​code>​ </​code>​
 +
  
 +===== Configure Client =====
  
-I call this file ''/​etc/​server.ovpn''​. At this point you can start OpenVPN for testing:+Client configuration must correspond with the server ​configurationSomething like this with the IP address of the VPN server should work:
  
-''​openvpn /​etc/​server.ovpn''​ +<​code>​
- +
-With logread you should be able to see if it started up normally. +
- +
-===== Step 4: Configure Client ===== +
- +
-Client configuration is pretty simple. Just place the following file in the config directory and remember to change the server IP address to match: +
- +
-<​code ​ini>+
 dev tap dev tap
- 
 proto udp proto udp
- 
-# The hostname/IP and port of the server. 
-# You can have multiple remote entries 
-# to load balance between the servers. 
 remote Your.IP.Goes.Here 1194 remote Your.IP.Goes.Here 1194
- 
- 
-# Keep trying indefinitely to resolve the 
-# host name of the OpenVPN server. ​ Very useful 
-# on machines which are not permanently connected 
-# to the internet such as laptops. 
 resolv-retry infinite resolv-retry infinite
- 
-# Most clients don't need to bind to 
-# a specific local port number. 
-nobind 
- 
-# Try to preserve some state across restarts. 
-;​persist-key 
-;​persist-tun 
- 
- 
-# Wireless networks often produce a lot 
-# of duplicate packets. ​ Set this flag 
-# to silence duplicate packet warnings. 
 mute-replay-warnings mute-replay-warnings
- +comp-lzo
- +
-secret secret.key +
- +
- +
-# Enable compression on the VPN link. +
-# Don't enable this unless it is also +
-# enabled in the server config file. +
-;comp-lzo +
- +
-# Set log file verbosity.+
 verb 3 verb 3
- +keepalive 10 120 
-# Silence repeating messages +persist-key 
-;mute 20+persist-tun 
 +nobind
 </​code>​ </​code>​
  
-Now that should be it. Start the OpenVPN client either through the GUI or command line and it should link up.  +===== Wrap Up =====
- +
-===== Step 5: Wrap Up =====+
 If your setup did not work then it is time to start reading the quite excellent OpenVPN documentation. The #openvpn channel on Freenode is also quite helpful. If your setup did not work then it is time to start reading the quite excellent OpenVPN documentation. The #openvpn channel on Freenode is also quite helpful.
  
 If your setup is working fine then the only remaining step is to automate the startup of the OpenVPN server on the OpenWRT machine. To this end create the following file and make sure it is executable: If your setup is working fine then the only remaining step is to automate the startup of the OpenVPN server on the OpenWRT machine. To this end create the following file and make sure it is executable:
  
-<code bash> 
-#!/bin/sh 
-#/​etc/​init.d/​S46openvpn 
-/​etc/​openvpnbridge 
-openvpn /​etc/​server.ovpn & 
-</​code>​ 
  
-In Backfire 10.03.1 /​etc/​init.d/​openvpn ​appears to be present already. ​ Edit it to add the following above the "​append_param()"​ function:+In Backfire 10.03.1 ​edit /​etc/​init.d/​openvpn ​and add the following above the "​append_param()"​ function:
  
 ''​ ''​
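Review bot: the new client configuration removes `secret secret.key` but adds nothing in its place, while the server section is now `option 'tls_server' '1'` with `ca`, `cert` and `key`; the client needs `client` (or `tls-client` plus `pull`) and its own `ca`, `cert` and `key` directives, otherwise it cannot authenticate to the TLS server and will not receive the pushed `dhcp-option DNS 192.168.1.1` and `redirect-gateway def1`. In the new /etc/config/openvpn block, the trailing notes on the `proto`, `server_bridge` and both `push` lines have no leading `#`, which is not UCI comment syntax; UCI will treat the words as extra arguments and reject the section, so move those notes onto their own `#` lines or into the prose (the `port` note, which does start with `#`, is fine). `option 'dh' '//path/to/dh1024.pem'` has a doubled leading slash. It would also help to state that the `tap0` named in `option 'dev' 'tap0'` must match the `tap0` in the `ifname 'wlan0 tap0'` bridge line added above, since the old `/etc/openvpnbridge` script that created and attached the device has been removed.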
Line 276: Line 104:
 ''​ ''​
  
-Then enable openvpn to start on boot from the LuCI interface (System->​Startup),​ or from the command line with+This is not needed in Attitude Adjustment
  
-<​code ​bash>+Then enable openvpn to start on boot with: 
 + 
 +<​code>​
 /​etc/​init.d/​openvpn enable /​etc/​init.d/​openvpn enable
 </​code>​ </​code>​
  
-===== Notes =====+===== Static leases ​=====
  
 +Put this into your /​etc/​config/​opevpn:​
 <​code>​ <​code>​
-# auf dem OpenVPN-Server ein virtuelles bridge-iface über das tap0 und das eth0 interface. +option topology subnet 
-# apt-get install bridge-utils +option '​ifconfig_pool_persist'​ '/etc/openvpn/ipp.txt 0' 
-openvpn ​--mktun --dev tap0   ​erzeugt tap-device +</​code>​
-# brctl addbr br0              erzeugt bridge+
  
-# brctl addif br0 eth0         ​anflanschen von eth0 an br0 +/etc/openvpn/ipp.txt has this format: 
-# brctl addif br0 tap0         ​anflanschen von tap0 an br0 +<​code>​ 
- +CN,192.168.1.235 CN is the COMMON NAME specified in the clients security certificate
-# ifconfig tap0 0.0.0.0 promisc up +
-# ifconfig eth0 0.0.0.0 promisc up +
-# ifconfig br0 192.168.8.2 netmask 255.255.255.0 broadcast 192.168.8.255 +
-# route add default gw 192.168.8.1 +
- +
-# iptables -A INPUT -i tap0 -j ACCEPT +
-# iptables -A INPUT -i eth0 -j ACCEPT +
-# iptables -A FORWARD -i br0 -j ACCEPT +
- +
-### OpenVPN +
-# dev tap +
-# dev-node tap-bridge +
-# server-bridge 192.168.8.1 255.255.255.0 192.168.8.220 192.168.8.240 (Achtung: Kollision mit DHCP vermeiden!) +
- +
- +
-######## ​/etc/network/interfaces ##########​ +
- +
-auto lo +
-iface lo inet loopback +
-allow-hotplug eth0 +
- +
-iface eth0 inet static +
-   up ifconfig eth0 promisc up +
- +
-# the primary network iface +
-auto br0 +
-iface br0 inet static +
-   ​adress 192.168.8.2 +
-   netmask 255.255.255.0 +
-   network ​192.168.8.+
-   ​broadcast 192.168.8.255 +
-   ​gateway 192.168.8.1 +
-   ​bridge_ports eth0 tap0 +
-   ​bridge_fd 1 +
-   ​bridge_stp off +
-   ​brdge_hello 1 +
- +
-tap0 for OpenVPN +
-auto tap0 +
-iface tap0 inet manual +
-   ​pre-up tunctl -t tap0 +
-   up ifconfig promisc tap0 up +
-   ​post-up brctl addif intern tap0 +
-   down ifconfig tap0 down +
-   ​post-down tunctl -d tap0+
 </​code>​ </​code>​
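Review bot: the path in "Put this into your /etc/config/opevpn:" is misspelled (`openvpn`), and the two options must sit inside the `config 'openvpn' 'your_name'` section introduced earlier rather than stand on their own, since UCI options outside a section are a parse error. `option topology subnet` only applies to `dev tun`; with `dev tap0` and `server_bridge` it has no effect, so drop it or explain why it is there. The ipp.txt example mixes the explanation into the file content: `CN,192.168.1.235 CN is the COMMON NAME specified in the clients security certificate` inside the `<code>` block would be copied verbatim, so move the sentence outside the block and leave only the `name,address` line. "This is not needed in Attitude Adjustment" should say what is not needed (the edit above `append_param()` in /etc/init.d/openvpn described for Backfire 10.03.1).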
doc/howto/vpn.server.openvpn.tap.1382945267.txt.bz2 · Last modified: 2013/10/28 08:27 by lorema