doc:howto:vpn.server.openvpn.tap

Revisions compared: doc:howto:vpn.server.openvpn.tap [2013/10/28 08:27] by lorema, and doc:howto:vpn.server.openvpn.tap [2015/12/30 12:56] (current) by tmomas ("[Generate keys] link fixed").

====== Using OpenWrt as an OpenVPN server with a TAP device (with bridging) ======
| :!: There are many redundant wiki pages relating to configuring OpenVPN on OpenWrt. Some are better than others, and others are an out-of-date muddled mess. For a reasonably complete / up-to-date guide to installing, configuring and troubleshooting OpenVPN clients & servers on OpenWrt (including creating a simple PKI), could I suggest you consider starting with [[doc/howto/vpn.openvpn]] instead of this wiki. :!: |

It is not that the other wikis aren't worth reading; it is just that (IMHO) [[doc/howto/vpn.openvpn]] is a better place to start (it has been rewritten from scratch just a few weeks ago). Maybe you could improve it further? In this instance, this wiki has several minor issues (as at May 2014), such as advocating TAP rather than TUN where TUN would, in most cases, be preferable. If you definitely want TAP rather than TUN, then [[doc/howto/vpn.openvpn]] might still be a useful place to visit.

| For an overview of all existing Virtual Private Network (VPN)-related articles in the OpenWrt wiki, please visit [[doc/howto/vpn.overview]] |

===== Install OpenVPN =====
<code bash>
opkg install openvpn-openssl
</code>

is all that is needed for the OpenSSL build, which should be fine for most people. Recently, however, the openvpn package has been split into different flavors. To see all of them listed, type

<code bash>
opkg update
opkg list | grep openvpn
</code>

===== Generate keys =====
Follow the [[http://openvpn.net/index.php/open-source/documentation/howto.html#pki|official documentation]].

You can also install the ''openvpn-easy-rsa'' package for OpenWRT and generate the keys on the router itself:
<code>
opkg update
opkg install openvpn-easy-rsa
</code>

===== Set up the server =====
First we need to make sure that OpenVPN connections to port 1194 are not blocked by the firewall on OpenWRT. Edit /etc/config/firewall and add the following:
<code>
config 'rule'
        option 'name' 'openvpn-udp'
        option 'src' 'wan'
        option 'target' 'ACCEPT'
        option 'proto' 'udp'
        option 'dest_port' '1194'
</code>

Bridge the TAP interface you will be using with your LAN interface by adding the following two lines to the ''lan'' section of /etc/config/network. This assumes your LAN consists of a Wi-Fi interface called wlan0, which will be bridged with the tap0 interface used by OpenVPN.
<code>
config interface 'lan'
        option type 'bridge'
        option ifname 'wlan0 tap0'
</code>

Next comes the OpenVPN server configuration in /etc/config/openvpn:

<code>
config 'openvpn' 'your_name'
        option 'enable' '1'
        option 'tls_server' '1'
        option 'port' '1194' # to bypass restrictive firewalls, you might consider running OpenVPN on port 443 or 22
        option 'proto' 'udp' # TCP might be more reliable but slower; if you change this to tcp, change the firewall rule as well
        option 'dev' 'tap0'
        option 'ca' '/path/to/ca.crt'
        option 'cert' '/path/to/server.crt'
        option 'key' '/path/to/server.key'
        option 'dh' '/path/to/dh1024.pem'
        option 'server_bridge' '192.168.1.1 255.255.255.0 192.168.1.220 192.168.1.229' # this assumes the LAN is 192.168.1.1/24 and hands out addresses in the range 192.168.1.220-229
        list 'push' 'dhcp-option DNS 192.168.1.1' # this makes the clients use OpenWrt for DNS resolution
        list 'push' 'redirect-gateway def1' # this redirects all client traffic over the VPN
        option 'client_to_client' '1'
        option 'comp_lzo' 'yes'
        option 'keepalive' '10 120'
        option 'status' '/tmp/openvpn_tap0.status'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'verb' '3'
        option 'mute' '20'
</code>


===== Configure Client =====

The client configuration must correspond with the server configuration. Something like this, with the IP address of the VPN server and the paths to the client's own certificate files filled in, should work:

<code>
# tls-client plus pull: needed to talk to a tls-server and to accept the pushed options
client
dev tap
proto udp
remote Your.IP.Goes.Here 1194
resolv-retry infinite
mute-replay-warnings
comp-lzo
verb 3
keepalive 10 120
persist-key
persist-tun
nobind
# files created in the "Generate keys" step
ca /path/to/ca.crt
cert /path/to/client.crt
key /path/to/client.key
</code>

===== Wrap Up =====
If your setup did not work, then it is time to start reading the quite excellent OpenVPN documentation. The #openvpn channel on Freenode is also quite helpful.

If your setup is working fine, then the only remaining step is to automate the startup of the OpenVPN server on the OpenWRT machine. To this end, create the following file and make sure it is executable:

In Backfire 10.03.1 edit /etc/init.d/openvpn and add the following above the "append_param()" function:

<code>
# Make sure tun/tap devices are present
/etc/openvpnbridge
</code>

This is not needed in Attitude Adjustment.

Then enable openvpn to start on boot with:

<code>
/etc/init.d/openvpn enable
</code>

===== Static leases =====

Put this into your /etc/config/openvpn:
<code>
        option 'topology' 'subnet'
        option 'ifconfig_pool_persist' '/etc/openvpn/ipp.txt 0'
</code>

/etc/openvpn/ipp.txt has one ''CN,address'' entry per line, where CN is the Common Name specified in the client's certificate:
<code>
CN,192.168.1.235
</code>
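As an added example that is not part of this wiki page, the following Python script cross-checks the pieces of configuration above: that the firewall rule opens the same proto/port the server listens on, that the ''server_bridge'' pool lies inside the LAN subnet without containing the gateway, and that each lease in ipp.txt falls inside that pool (the last check assumes OpenVPN only honours persisted addresses that lie inside the pool). The UCI fragments and ipp.txt lines are constructed samples in the shapes this page shows, and the parser is a simplified one that only understands quoted ''option'' lines.

```python
import ipaddress
import re

# Constructed sample fragments (not from a real router): the UCI openvpn
# section, the firewall rule and an ipp.txt in the shapes this page describes.
OPENVPN_UCI = """
config 'openvpn' 'your_name'
        option 'proto' 'udp'
        option 'port' '1194'
        option 'server_bridge' '192.168.1.1 255.255.255.0 192.168.1.220 192.168.1.229'
"""
FIREWALL_UCI = """
config 'rule'
        option 'name' 'openvpn-udp'
        option 'proto' 'udp'
        option 'dest_port' '1194'
"""
IPP_TXT = "laptop,192.168.1.235\nphone,192.168.1.225\n"

# One UCI "option 'name' 'value'" line; the value may contain spaces.
OPTION_RE = re.compile(r"^\s*option\s+'?(\w+)'?\s+'([^']*)'", re.M)

def uci_options(section_text):
    """Return {name: value} for the option lines of one UCI section."""
    return dict(OPTION_RE.findall(section_text))

def check_config(openvpn_uci, firewall_uci, ipp_txt):
    """Return a list of problems; an empty list means the pieces agree."""
    ovpn, fw = uci_options(openvpn_uci), uci_options(firewall_uci)
    problems = []
    # 1. The firewall rule must open exactly the proto/port the server uses.
    if (fw.get("proto"), fw.get("dest_port")) != (ovpn.get("proto"), ovpn.get("port")):
        problems.append("firewall rule proto/port does not match openvpn proto/port")
    # 2. server_bridge = "gateway netmask pool-start pool-end": the pool must sit
    #    inside the LAN subnet and must not swallow the gateway address itself.
    gw, mask, start, end = ovpn["server_bridge"].split()
    lan = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
    start, end = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if not (start in lan and end in lan and start <= end):
        problems.append("server_bridge pool is not inside the LAN subnet")
    if start <= ipaddress.ip_address(gw) <= end:
        problems.append("server_bridge pool contains the gateway address")
    # 3. ipp.txt entries are "CN,address"; assumption: OpenVPN only honours a
    #    persisted address inside the pool, so anything outside is a dead lease.
    for line in filter(str.strip, ipp_txt.splitlines()):
        cn, _, addr = line.partition(",")
        ip = ipaddress.ip_address(addr.strip())
        if not start <= ip <= end:
            problems.append(f"ipp.txt lease for {cn} ({ip}) is outside the pool")
    return problems
```

Run on the values this page uses, the script flags the example lease 192.168.1.235 because it lies outside the 192.168.1.220-229 pool given to ''server_bridge''; either widen the pool or pick an address inside it.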