Differences


doc:howto:vpn.server.openvpn.tun [2013/03/13 22:14]
del
doc:howto:vpn.server.openvpn.tun [2014/06/10 07:59] (current)
roberts multiple routes through server
Line 1: Line 1:
-====== OpenVPN Configuration ======+====== OpenVPN Setup Guide ====== 
 +FIXME This wiki article is undergoing a major re-write and may be a bit messy for a while.  The old version of this page will always be at: http://wiki.openwrt.org/doc/howto/vpn.server.openvpn.tun?rev=1401488265 
 + 
 +This is a guide to setting up OpenVPN on an OpenWrt-based router with OpenVPN clients that are also based upon OpenWrt (although the client could easily be running on another OS, such as Windows, or *nix).  
 + 
 +What follows has been tested on trunk (currently BB, b39757), but will likely work on the latest stable branch (currently AA, b39408).  It is based upon OpenVPN v2.3, but will likely work with v2.2.   
 + 
 +| For beginners, [[doc/howto/vpn.openvpn]] is probably a better place to start. | 
 + 
 +| For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki (including alternatives to OpenVPN), please visit [[doc/howto/vpn.overview]] 
FIXME Configuration example of multirouter setup FIXME Configuration example of multirouter setup
-===== Introduction ===== 
-If you are already familiar with [[http://en.wikipedia.org/wiki/Openvpn|OpenVPN]] and know how you want to use and configure it, feel free to skip the introduction. OpenVPN provides a leading [[http://en.wikipedia.org/wiki/Vpn|Virtual Private Network]] solution. There are many possible configurations of OpenVPN, and this can be confusing. We will only briefly cover the most important aspects here, for comprehensive documentation please consult the projects [[http://openvpn.net/index.php/open-source.html|homepage]]. 
-For routers running OpenWrt performance is often a scarce resource. This has some important implications for running OpenVPN. The most important factor is the CPU of the router, which will need to do encryption of all traffic. You will find indicators of what to expect [[https://forum.openwrt.org/viewtopic.php?id=35597|here]], basically the Atheros 680MHz CPU found in many routers is reported to give 20-25Mb/s throughput. Moreover, OpenVPN optionally provides compression of network traffic, which boosts your network bandwidth, but puts and even heavier toll on your CPU. Hence, consider whether you want to use a node in your network as OpenVPN server rather than the router. One obvious reason you may want to install OpenVPN on the router is that the router is typically always on, and hence provides excellent availability.+===== Use-Case 0: the 'Beginner's Configuration' ===== 
 +This is a review of the (OpenWrt-based) OpenVPN configuration used in [[doc/howto/vpn.openvpn]], and specifically based upon Scenario 1 (client and server in different subnets).
-We will cover two common ways of configuring OpenVPN here. The main difference between the two is that the first is easier to set-up but only provides one client and one server. The second is a bit more involved to set-up, but provides full flexiblity with respect to number of servers and clients you want to connect.+==== Review of the Beginner's Configuration ==== 
 +You can review the network configuration by executing the following commands:<code c> 
 +  uci show network | grep vpn 
 +  uci show firewall | grep zone 
 +  uci show firewall | grep rule 
 +</code>
-===== Installation ===== +Alternatively, some like to use (NB: there are important differences between these commands, and those used above):<code c
-Regardless of whether you are setting up a client or a server, you will need to install the openvpn package. On OpenWrt do: + cat /etc/config/network 
-<code> + cat /etc/config/firewall
-opkg update +
-opkg install openvpn+
</code> </code>
-Currently the Luci web-interface has the luci-app-openvpn package marked as broken, and hence it is not available in the package system. If you still want to use it, preferably to help fix it, you will have track down the source code, an old package, or build OpenWrt yourself. If you build OpenWrt yourself, you can choose to expose broken packages, allowing you to include luci-app-openvpn on your router. 
-===== Modify your firewall ===== +The OpenWrt-based OpenVPN client was configured similarly to the server, but it does not have the rule called **Allow-OpenVPN-Inbound**. 
-By default OpenVPN uses UDP over port 1194. Hence we need to configure the firewall on the OpenVPN server to allow UDP traffic on 1194. The client will only have outgoing traffic on port 1194 and for most set-ups do not need any firewall configuration. If for some reason port 1194 is blocked, you may configure OpenVPN to use other ports, just be sure to set both server and client to use the same port. + 
-Open the firewall file +=== The tunnel configuration === 
-<code> +You can review the tunnel configuration by executing the following command(s):<code c
-vi /etc/config/firewall+ uci show openvpn
</code> </code>
-Towards the bottom append change the dest_port variable to your preference: + 
-<code> +Alternatively, some like to use (NB: there is an important difference between these commands, and those used above):<code c
-config 'rule' + cat /etc/config/openvpn
-        option 'target' 'ACCEPT' +
-        option 'dest_port' '1194' +
-        option 'src' 'wan' +
-        option 'proto' 'tcpudp' +
-        option 'family' 'ipv4'+
</code> </code>
-Restart the network filter + 
-<code> +Another useful option, //if// the tunnel is running (i.e. it is enabled, and...):<code c
-/etc/init.d/network restart+ cat /var/etc/openvpn-myvpn.conf
</code> </code>
 +
 +==== Testing the Configuration ====
 +
 +===== Use-Case 1: Private Channel to the OpenWrt Router =====
 +
 +Use-case 1 is based upon use-case 0 (the 'beginner's configuration'), with some changes for optimizations/best practice.  Ensure you have use-case 0 configured correctly before you make these changes.
 +
 +:!: This server configuration change will 'break' the tunnel until you make the corresponding change (specifically comp-lzo) to the client configuration.
 +
 +  - On the OpenVPN //server//, make the following changes to the OpenVPN configuration:<code c>
 +  uci set      openvpn.myvpn.persist_tun=1
 +  uci set      openvpn.myvpn.persist_key=1
 +  uci set      openvpn.myvpn.ifconfig_pool_persist=/tmp/openvpn-ipp.txt
 +  uci set      openvpn.myvpn.fast_io=on
 +
 +  uci set      openvpn.myvpn.comp_lzo=adaptive          ## this is definitely 'adaptive', and not 'no'
 +  uci set      openvpn.myvpn.push='comp_lzo adaptive'
 +
 +  uci commit; /etc/init.d/openvpn reload
 +</code>
 +  - On the OpenVPN //client// (running OpenWrt), make the following changes to the configuration:<code c>
 +  uci set      openvpn.myvpn.persist_tun=1
 +  uci set      openvpn.myvpn.persist_key=1
 +  uci set      openvpn.myvpn.fast_io=on
 +
 +  uci set      openvpn.myvpn.comp_lzo=no                ## this is definitely 'no', and not 'adaptive'
 +
 +  uci commit; /etc/init.d/openvpn reload
 +</code>
 +
 +In this case, the server will push an instruction to the client, **comp-lzo adaptive**, that will overrule the client configuration, **comp-lzo no**.
 +
 +==== Testing the Configuration ====
 +If you execute **uci show openvpn** on the OpenVPN //server//, you should see:<code text>
 +  openvpn.myvpn=openvpn
 +  openvpn.myvpn.enabled=1
 +  openvpn.myvpn.dev=tun
 +  openvpn.myvpn.proto=udp
 +  openvpn.myvpn.server='10.8.0.0 255.255.255.0'
 +  openvpn.myvpn.port=1194
 +  openvpn.myvpn.ca=/etc/openvpn/ca.crt
 +  openvpn.myvpn.cert=/etc/openvpn/my-server.crt
 +  openvpn.myvpn.key=/etc/openvpn/my-server.key
 +  openvpn.myvpn.dh=/etc/openvpn/dh2048.pem
 +  openvpn.myvpn.log=/tmp/openvpn.log
 +  openvpn.myvpn.verb=3
 +  openvpn.myvpn.keepalive='10 120'
 +  openvpn.myvpn.persist_tun=1
 +  openvpn.myvpn.persist_key=1
 +  openvpn.myvpn.ifconfig_pool_persist=/tmp/openvpn-vpn0-ipp.txt
 +  openvpn.myvpn.fast_io=on
 +  openvpn.myvpn.comp_lzo=adaptive
 +  openvpn.myvpn.push='comp_lzo adaptive'
 +</code>
 +
 +Alternatively, if you execute **cat /etc/config/openvpn** on the OpenWrt-based OpenVPN //client//, you should see:<code text>
 +  config option 'myvpn'
 +      option enabled '1'
 +      option client '1'
 +      option dev 'tun'
 +      option proto 'udp'
 +      option remote='VPN_SERVER_ID 1194'
 +      option ca '/etc/openvpn/ca.crt
 +      option cert '/etc/openvpn/my-server.crt
 +      option key '/etc/openvpn/my-server.key
 +      option remote_cert_tls 'server'
 +      option log '/tmp/openvpn.log
 +      option verb '3'
 +      option persist_tun '1'
 +      option persist_key '1'
 +      option fast_io 'on'
 +      option comp_lzo 'no'
 +</code>
 +
 +===== Use-Case 2: Access the Internet via the OpenWrt Router =====
 +
 +Use-case 2 is based upon use-case 1, but with some changes to the client configuration.  Ensure you have use-case 1 configured correctly before you make these changes.
 +
 +  - On the OpenVPN //server//, make the following changes to the configuration:<code c>
 +  uci add_list openvpn.myvpn.push='redirect-gateway def1'
 +  uci commit openvpn; /etc/init.d/openvpn reload
 +</code>
 +
 +This change ...
 +
 +===== Use-Case 3: Satellite Network to Access the Internet via the OpenWrt Router =====
 +
 +Use-case 3 is based upon use-case 2, but with some changes to the configuration of the OpenVPN client.  Ensure you have use-case 2 configured correctly before you make these changes.
 +
 +This use-case requires that the node in the satellite network use the OpenVPN client as their default gateway.
 +
 +  - On the OpenVPN //client// (running OpenWrt), make the following changes to the configuration:<code c>
 +  uci add firewall  zone
 +  uci set firewall.@zone[X].masq=1
 +  uci set firewall.@zone[X].mtu_fix=1
 +  uci commit openvpn; /etc/init.d/openvpn reload
 +</code>
 +
 +This change enables NAT on the client's VPN interface, so that from the server's point of view, nothing has changed.
 +
 +==== Testing the Configuration ====
 +
 +===== Use-Case 9: How to OpenVPN over a SSH tunnel =====
 +This is useful if you can SSH through a firewall that you can't negotiate an OpenVPN tunnel through.
 +
 +:!: However, if you use **socks_proxy='localhost 1080'**, then it wont work by default.
 +
 +For a work-around, see: https://forum.openwrt.org/viewtopic.php?pid=235158#p235158
 +
 +==== Testing the Configuration ====
 +
 +FIXME What follows is the remnants of the old wiki...
 +
 +===== Introduction =====
 +If you are already familiar with [[http://en.wikipedia.org/wiki/Openvpn|OpenVPN]] and know how you want to use and configure it, feel free to skip the introduction. OpenVPN provides a leading [[http://en.wikipedia.org/wiki/Vpn|Virtual Private Network]] solution. There are many possible configurations of OpenVPN, and this can be confusing. We will only briefly cover the most important aspects here, for comprehensive documentation please consult the projects [[http://openvpn.net/index.php/open-source.html|homepage]].
 +
 +For routers running OpenWrt performance is often a scarce resource. This has some important implications for running OpenVPN. The most important factor is the CPU of the router, which will need to do encryption of all traffic. You will find indicators of what to expect [[https://forum.openwrt.org/viewtopic.php?id=35597|here]], basically the Atheros 680MHz CPU found in many routers is reported to give 20-25Mb/s throughput. Moreover, OpenVPN optionally provides compression of network traffic, which boosts your network bandwidth, but puts and even heavier toll on your CPU. Hence, consider whether you want to use a node in your network as OpenVPN server rather than the router. One obvious reason you may want to install OpenVPN on the router is that the router is typically always on, and hence provides excellent availability.
 +
 +We will cover two common ways of configuring OpenVPN here. The main difference between the two is that the first is easier to set-up but only provides one client and one server. The second is a bit more involved to set-up, but provides full flexiblity with respect to number of servers and clients you want to connect.
===== Simple OpenVPN set-up ===== ===== Simple OpenVPN set-up =====
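Review bot: the server-side push value `uci set openvpn.myvpn.push='comp_lzo adaptive'` (and the same string in the expected `uci show openvpn` output) is handed to OpenVPN verbatim as a directive for the client, so it needs the hyphenated directive name that the prose itself uses, i.e. `uci set openvpn.myvpn.push='comp-lzo adaptive'`; only UCI option names are mapped from underscores to hyphens, not option values, and a client receiving `comp_lzo adaptive` will not recognise it. Further points in this hunk: `ifconfig_pool_persist` is set to `/tmp/openvpn-ipp.txt` but the expected output lists `/tmp/openvpn-vpn0-ipp.txt`; the client `/etc/config/openvpn` listing is not valid UCI (`config option 'myvpn'` should be `config openvpn 'myvpn'`, `option remote='VPN_SERVER_ID 1194'` has a stray `=`, and the `ca`, `cert`, `key` and `log` lines lack their closing quote) and it reuses the server's `my-server.crt`/`my-server.key`, whereas each client should carry its own certificate so it can be identified and revoked individually; the Use-Case 3 block adds a firewall zone with `masq=1` and `mtu_fix=1` but never names it or binds it to the VPN interface, commits `openvpn` instead of `firewall` and reloads openvpn rather than the firewall, so the NAT described in "This change enables NAT on the client's VPN interface" would not take effect, and the `X` in `@zone[X]` needs explaining (the index of the zone just added). Documentation: the "Testing the Configuration" headings and "This change ..." in Use-Case 2 are empty placeholders. Style: the shell/UCI snippets are tagged `<code c>` and should be `<code bash>`, and the `<code c` opener at "Alternatively, some like to use" is missing its closing `>` as rendered here.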
Line 60: Line 185:
If you want your client to reach the entire subnet on you server, and your server subnet is 192.168.1.1/24, then add the following line to the client configuration: If you want your client to reach the entire subnet on you server, and your server subnet is 192.168.1.1/24, then add the following line to the client configuration:
<code> <code>
-route 192.168.1.1 255.255.255.0+route 192.168.1.0 255.255.255.0 
 +</code> 
 + 
 +if you want to reach more than one route through your server use: 
 +<code> 
 +list 'route' '192.168.1.0 255.255.255.0' 
 +list 'route' '192.168.2.0 255.255.255.0'
</code> </code>
===== Flexible OpenVPN set-up ===== ===== Flexible OpenVPN set-up =====
 +First we need to install the package for creating keys and certificates:
 +<code>
 +opkg install openvpn-easy-rsa
 +</code>
Edit the /etc/easy-rsa/vars file and modify the default location area Edit the /etc/easy-rsa/vars file and modify the default location area
<code> <code>
-vi /etc/easy-rsa/vars</code> +cd /etc/easy-rsa 
-at bottom, change to suit your location at will:+vi vars 
 +</code> 
 +at bottom, change to suit your location at will, but make sure none of them are empty:
<code> <code>
export KEY_COUNTRY="US" export KEY_COUNTRY="US"
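Review bot: the new multi-route snippet switches formats without saying so: the unchanged context line says to "add the following line to the client configuration" and shows the plain OpenVPN directive `route 192.168.1.0 255.255.255.0`, while the added block uses UCI list syntax (`list 'route' '192.168.1.0 255.255.255.0'`) that belongs in `/etc/config/openvpn`, not in an openvpn.conf file; state which file each form goes into, or give both forms (in a plain config file the multi-route case is simply two `route` lines). The correction from `192.168.1.1` to `192.168.1.0` is right, since `route` takes the network address. In the Flexible set-up part of the hunk, `opkg install openvpn-easy-rsa` is added but the `opkg update` that the removed Installation section had is gone, and "make sure none of them are empty" would be more useful with the reason the `vars` file itself gives: the certificate fields must not be left blank or the build scripts fail. Style: "if you want to reach more than one route" should start with a capital.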
Line 73: Line 210:
export KEY_CITY="Houston" export KEY_CITY="Houston"
export KEY_ORG="My Cool Place" export KEY_ORG="My Cool Place"
 +export KEY_EMAIL="my@email.org"   
 +export KEY_OU="myorganisation"
 +</code>
 +Now we need to source in the variables you just set:
 +<code>
 +source vars
</code> </code>
- 
We will need to generate keys and certificates for server and clients. Prime your cert database: We will need to generate keys and certificates for server and clients. Prime your cert database:
<code> <code>
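Review bot: the added `source vars` step silently depends on the `cd /etc/easy-rsa` introduced in the previous hunk, because `vars` derives `EASY_RSA` from the current directory; either say so or use the path-independent `. /etc/easy-rsa/vars` after changing into that directory. Sourcing `vars` also prints a reminder to run `./clean-all` before building keys, which the following "Prime your cert database" context covers, so a one-line mention that this is expected would save readers confusion. Style: trailing whitespace after `export KEY_EMAIL="my@email.org"`.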
Line 119: Line 261:
option 'server' '10.8.0.0 255.255.255.0' option 'server' '10.8.0.0 255.255.255.0'
list 'push' 'route 192.168.1.0 255.255.255.0' list 'push' 'route 192.168.1.0 255.255.255.0'
-list 'push' 'redirect-gateway"' +list 'push' 'redirect-gateway'
-option 'comp_lzo'+
option 'keepalive' '10 120' option 'keepalive' '10 120'
option 'status' '/tmp/openvpn.status' option 'status' '/tmp/openvpn.status'
</code> </code>
-There is a bug in the /etc/init.d/openvpn. the push directives to openvpn should be encapsulated with double quotes ("), but the init script uses single quotes ('). If you want the push directives to work with openvpn you should modify the init script lines 103 and 107 to look like. 
-There is a ticket about this ( https://dev.openwrt.org/ticket/10518 ). It has been fixed upstream but it has not hit any of the stable releases yet.  --- //sup 2012/05/07 12:16// 
-<code> 
-tun_mtu tun_mtu_extra txqueuelen user verb push 
-        # append multi-value params +===== Known bugs and notes =====
-        append_params_quoted "$s" \ +
-                down up +
-</code>+
 +  * Option 'comp-lzo' '1' isn't work yet with client on x86, error message on client side (Linux/x86) is: "Bad LZO decompression header byte: 42", error message on server side (OpenWRT/MIPS): "IP packet with unknown IP version=15 seen".
 +  * Option 'management' not implemented yet.
 +
 +  * Fixed  in r30719 at 25.02.2012 15:32:21:
 +There is a bug in the /etc/init.d/openvpn. the push directives to openvpn should be encapsulated with double quotes ("), but the init script uses single quotes ('). If you want the push directives to work with openvpn you should modify the init script lines 103 and 107 to look like.
 +There is a ticket about this ( https://dev.openwrt.org/ticket/10518 ).
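Review bot: the "Known bugs and notes" list drops the init-script snippet but keeps the instruction that depended on it, so "you should modify the init script lines 103 and 107 to look like." now ends without the `append_params_quoted` lines removed above. Since the bullet states the bug was fixed in r30719, either drop the modify-the-script sentence or keep the snippet for readers on builds older than that revision; as written it dangles. The two paragraphs after `* Fixed  in r30719 ...` are also not indented, so they fall outside the bullet list. Removing the stray `"` in `list 'push' 'redirect-gateway'` is correct, and dropping the valueless `option 'comp_lzo'` line fixes invalid UCI, but the server config now has no comp-lzo setting at all while the use-cases earlier in the page rely on it; a short note tying that to the comp-lzo bug in the first bullet would help. Grammar in that bullet: "isn't work yet" should read "doesn't work yet".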


doc/howto/vpn.server.openvpn.tun.1363212898.txt.bz2 · Last modified: 2013/03/13 22:14 by del