OpenVPN Configuration
Configuration example of multirouter setup
Introduction
If you are already familiar with OpenVPN and know how you want to use and configure it, feel free to skip the introduction. OpenVPN is a leading Virtual Private Network solution. There are many possible configurations of OpenVPN, and this can be confusing. We only briefly cover the most important aspects here; for comprehensive documentation please consult the project's homepage.
For routers running OpenWrt, performance is often a scarce resource. This has some important implications for running OpenVPN. The most important factor is the CPU of the router, which has to encrypt all tunnelled traffic. As an indicator of what to expect, the Atheros 680MHz CPU found in many routers is reported to give 20-25Mb/s throughput. Moreover, OpenVPN optionally provides compression of network traffic, which boosts your effective bandwidth but puts an even heavier toll on your CPU. Hence, consider whether you would rather run the OpenVPN server on another node in your network instead of the router. One obvious reason you may still want to install OpenVPN on the router is that the router is typically always on, and hence provides excellent availability.
We cover two common ways of configuring OpenVPN here. The main difference between the two is that the first is easier to set up but only provides one client and one server. The second is a bit more involved to set up, but provides full flexibility with respect to the number of servers and clients you want to connect.
Installation
Regardless of whether you are setting up a client or a server, you will need to install the openvpn package. On OpenWrt do:
opkg update
opkg install openvpn
Currently the LuCI web interface has the luci-app-openvpn package marked as broken, and hence it is not available in the package system. If you still want to use it, preferably to help fix it, you will have to track down the source code, an old package, or build OpenWrt yourself. If you build OpenWrt yourself, you can choose to expose broken packages, allowing you to include luci-app-openvpn on your router.
Modify your firewall
By default OpenVPN uses UDP on port 1194. Hence we need to configure the firewall on the OpenVPN server to allow incoming UDP traffic on port 1194. The client only has outgoing traffic on port 1194 and for most set-ups does not need any firewall configuration. If for some reason port 1194 is blocked, you may configure OpenVPN to use another port; just be sure to set both server and client to the same port. Open the firewall file:
vi /etc/config/firewall
Towards the bottom, append the following rule, changing the dest_port option if you use a different port:
config 'rule'
option 'target' 'ACCEPT'
option 'dest_port' '1194'
option 'src' 'wan'
option 'proto' 'udp'
option 'family' 'ipv4'
Restart the firewall:
/etc/init.d/firewall restart
Make sure you fix any syntax errors in /etc/config/firewall before proceeding.
Simple OpenVPN set-up
The easiest way to configure OpenVPN is using a static key. The main drawback is that it only provides a single-server, single-client configuration. The first thing you need to do is create the static key:
cd /etc/openvpn
openvpn --genkey --secret static.key
Copy the key to your client over a secure channel. Now configure OpenVPN by editing /etc/config/openvpn to look like this (the options must sit inside a config openvpn section; the section name 'static' is arbitrary):
config openvpn 'static'
option 'dev' 'tun'
option 'secret' '/etc/openvpn/static.key'
option 'ifconfig' '192.168.2.1 192.168.2.2'
This assumes that you want your server IP address to be 192.168.2.1 and your client IP address to be 192.168.2.2.
If your client is a Linux box, simply install openvpn from your package system and set your OpenVPN configuration file to:
remote myremote.mydomain
dev tun
ifconfig 192.168.2.2 192.168.2.1
secret static.key
where you replace myremote.mydomain with the domain name or external IP address of your OpenVPN server. Note that the two ifconfig addresses are the mirror image of the server's. If your client is also an OpenWrt router, simply write the same settings in the option format of /etc/config/openvpn.
If you want your client to reach the entire subnet on your server, and your server subnet is 192.168.1.1/24, then add the following line to the client configuration:
route 192.168.1.0 255.255.255.0
Flexible OpenVPN set-up
First we need to install the package for creating keys and certificates:
opkg install openvpn-easy-rsa
Edit the /etc/easy-rsa/vars file and modify the default certificate details:
cd /etc/easy-rsa
vi vars
At the bottom, change these to suit your location, but make sure none of them are empty:
export KEY_COUNTRY="US"
export KEY_PROVINCE="TX"
export KEY_CITY="Houston"
export KEY_ORG="My Cool Place"
export KEY_EMAIL="my@email.org"
export KEY_OU="myorganisation"
Now we need to source the variables you just set:
source vars
We need to generate keys and certificates for the server and the clients. Prime your certificate database:
clean-all
build-ca
build-dh
Create the server key:
build-key-server server
Create as many client keys as you need, one for each person who will connect.
Normal keys:
build-key Jimmy
build-key Sara
build-key Soandso
...
For PKCS12 format (combines the key and CA certificate in one file), do this instead:
build-key-pkcs12 Jimmy
build-key-pkcs12 Sara
build-key-pkcs12 Soandso
...
Copy the important files to the /etc/openvpn directory, so that they are duplicated:
cd /etc/easy-rsa/keys
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/
Note that the server itself only reads ca.crt, server.crt, server.key and the DH file; ca.key is the CA signing key, and the fewer places it is copied to, the better.
Finally, edit /etc/config/openvpn to fit your need.
vi /etc/config/openvpn
The following is an example; there are multiple examples included in the configuration file. The dh option refers to the dh1024.pem file copied above, and the push values must not contain stray quotes:
config openvpn 'server'
option 'port' '1194'
option 'proto' 'udp'
option 'dev' 'tun'
option 'ca' '/etc/openvpn/ca.crt'
option 'cert' '/etc/openvpn/server.crt'
option 'key' '/etc/openvpn/server.key'
option 'dh' '/etc/openvpn/dh1024.pem'
option 'tls_auth' '/etc/openvpn/shared.key 0'
option 'server' '10.8.0.0 255.255.255.0'
list 'push' 'route 192.168.1.0 255.255.255.0'
list 'push' 'redirect-gateway'
option 'comp_lzo' 'yes'
option 'keepalive' '10 120'
option 'status' '/tmp/openvpn.status'
The tls_auth key /etc/openvpn/shared.key is not produced by the easy-rsa steps above; generate it with openvpn --genkey --secret /etc/openvpn/shared.key, copy it to each client over a secure channel, and give the clients the same file with direction 1 (tls-auth shared.key 1).
There is a bug in /etc/init.d/openvpn. The push directives to openvpn should be enclosed in double quotes ("), but the init script uses single quotes ('). If you want the push directives to work with openvpn, you should modify init script lines 103 and 107 to look like:
		tun_mtu tun_mtu_extra txqueuelen user verb push

	# append multi-value params
	append_params_quoted "$s" \
		down up
There is a ticket about this ( https://dev.openwrt.org/ticket/10518 ). It has been fixed upstream but it has not hit any of the stable releases yet. — sup 2012/05/07 12:16
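To see how the UCI options of both set-ups above (the static-key section and the certificate-based server section) end up as OpenVPN directives, here is an added example that is not part of the wiki page and not OpenWrt's own init script: a small shell function that renders one config openvpn section into OpenVPN config-file syntax, converting underscores to hyphens and wrapping multi-word values such as push and ifconfig in double quotes. The sample UCI file and the section names 'static' and 'server' are constructed for the example.

```shell
#!/bin/sh
# Added example, not taken from the wiki page or from OpenWrt's own init script.
# Renders one "config openvpn" section of a UCI file into OpenVPN config-file
# syntax: option names get '_' -> '-' (comp_lzo -> comp-lzo, tls_auth -> tls-auth)
# and any value containing whitespace is wrapped in double quotes, so OpenVPN
# reads  push "route 192.168.1.0 255.255.255.0"  as one argument.

# Constructed sample /etc/config/openvpn with the two set-ups from the page;
# the section names 'static' and 'server' are assumptions, not from the page.
UCI_SAMPLE='
config openvpn static
	option dev tun
	option secret /etc/openvpn/static.key
	option ifconfig "192.168.2.1 192.168.2.2"

config openvpn server
	option port 1194
	option proto udp
	option dev tun
	option tls_auth "/etc/openvpn/shared.key 0"
	option server "10.8.0.0 255.255.255.0"
	list push "route 192.168.1.0 255.255.255.0"
	list push redirect-gateway
	option comp_lzo yes
	option keepalive "10 120"
'
# usage: uci_to_openvpn SECTION < uci_file   (directives printed on stdout)
uci_to_openvpn() {
	awk -v want="$1" -v sq="'" '
	# strip one pair of surrounding single or double quotes
	function unq(s) {
		if (s ~ ("^[\"" sq "]")) s = substr(s, 2)
		if (s ~ ("[\"" sq "]$")) s = substr(s, 1, length(s) - 1)
		return s
	}
	{
		sub(/^[ \t]+/, "")          # drop indentation; awk re-splits the fields
		if ($1 == "config") { insec = ($2 == "openvpn" && unq($3) == want); next }
		if (!insec || ($1 != "option" && $1 != "list")) next
		name = unq($2); gsub(/_/, "-", name)
		val = ""
		if (NF >= 3) {              # value = everything after the option name
			val = $0; sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", val); val = unq(val)
			if (val ~ /[ \t]/) val = "\"" val "\""
		}
		print (val == "" ? name : name " " val)
	}'
}
printf "%s" "$UCI_SAMPLE" | uci_to_openvpn server
```

Run it against the real file with `uci_to_openvpn server < /etc/config/openvpn` and compare the output with what the init script generates to spot quoting differences.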
doc/howto/vpn.server.openvpn.tun.txt · Last modified: 2013/04/02 12:03 by vrazinkov
