Differences

This shows you the differences between two versions of the page.

doc:howto:vpn.server.openvpn.tun [2013/03/13 23:14]
del
doc:howto:vpn.server.openvpn.tun [2013/11/03 22:37] (current)
lukas0907
Line 1: Line 1:
====== OpenVPN Configuration ====== ====== OpenVPN Configuration ======
 +| For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit [[doc/howto/vpn.overview]] |
 +
FIXME Configuration example of multirouter setup FIXME Configuration example of multirouter setup
===== Introduction ===== ===== Introduction =====
Line 15: Line 17:
</code> </code>
Currently the Luci web-interface has the luci-app-openvpn package marked as broken, and hence it is not available in the package system. If you still want to use it, preferably to help fix it, you will have track down the source code, an old package, or build OpenWrt yourself. If you build OpenWrt yourself, you can choose to expose broken packages, allowing you to include luci-app-openvpn on your router. Currently the Luci web-interface has the luci-app-openvpn package marked as broken, and hence it is not available in the package system. If you still want to use it, preferably to help fix it, you will have track down the source code, an old package, or build OpenWrt yourself. If you build OpenWrt yourself, you can choose to expose broken packages, allowing you to include luci-app-openvpn on your router.
 +
 +===== Modify your network interfaces =====
 +A new virtual interface "vpn" must be created which is later used in firewall rules:
 +
 +Open the network file:
 +<code>vi /etc/config/network</code>
 +
 +Add the following interface definition to the end of the file:
 +
 +<code>
 +config interface 'vpn'
 +        option proto 'none'
 +        option ifname 'tun0'
 +</code>
===== Modify your firewall ===== ===== Modify your firewall =====
By default OpenVPN uses UDP over port 1194. Hence we need to configure the firewall on the OpenVPN server to allow UDP traffic on 1194. The client will only have outgoing traffic on port 1194 and for most set-ups do not need any firewall configuration. If for some reason port 1194 is blocked, you may configure OpenVPN to use other ports, just be sure to set both server and client to use the same port. By default OpenVPN uses UDP over port 1194. Hence we need to configure the firewall on the OpenVPN server to allow UDP traffic on 1194. The client will only have outgoing traffic on port 1194 and for most set-ups do not need any firewall configuration. If for some reason port 1194 is blocked, you may configure OpenVPN to use other ports, just be sure to set both server and client to use the same port.
 +
Open the firewall file Open the firewall file
<code> <code>
vi /etc/config/firewall vi /etc/config/firewall
</code> </code>
 +
Towards the bottom append change the dest_port variable to your preference: Towards the bottom append change the dest_port variable to your preference:
 +
<code> <code>
config 'rule' config 'rule'
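Review bot: The new interface stanza hard-codes `option ifname 'tun0'` and the text says this interface "is later used in firewall rules", but nothing states that the name must match the tunnel device the OpenVPN server actually creates (the `dev` setting in the server configuration). If the daemon comes up on a different tun device, the 'vpn' interface, and therefore the zone built on it, binds to nothing and tunnel traffic lands in no zone at all. Add one sentence tying the ifname to the server's `dev` option, and consider fixing the unchanged "you will have track down" (missing "to") while the paragraph is being touched.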
Line 28: Line 47:
        option 'dest_port' '1194'         option 'dest_port' '1194'
        option 'src' 'wan'         option 'src' 'wan'
-        option 'proto' 'tcpudp'+        option 'proto' 'udp'
        option 'family' 'ipv4'         option 'family' 'ipv4'
</code> </code>
-Restart the network filter+ 
 +In the same file, a zone entry is needed to allow traffic on tun0: 
 + 
 +<code> 
 +config zone 
 + option name 'vpn' 
 + option input 'ACCEPT' 
 + option forward 'REJECT' 
 + option output 'ACCEPT' 
 + option network 'vpn' 
 +</code> 
 + 
 +If you want to access the LAN zone from the VPN, add the following forwarding entries: 
 + 
 +<code> 
 +config forwarding 
 + option dest 'lan' 
 + option src 'vpn' 
 + 
 +config forwarding 
 + option dest 'vpn' 
 + option src 'lan' 
 +</code> 
 + 
 +Restart networking and firewall
<code> <code>
/etc/init.d/network restart /etc/init.d/network restart
 +/etc/init.d/firewall restart
</code> </code>
 +Make sure you fix any syntax errors in /etc/config/firewall before proceeding.
===== Simple OpenVPN set-up ===== ===== Simple OpenVPN set-up =====
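Review bot: The forwarding block is introduced with "If you want to access the LAN zone from the VPN", yet both directions are added: the second stanza (`option dest 'vpn'` / `option src 'lan'`) also lets every LAN host reach every VPN client, which is a broader exposure than the sentence describes. Either document that the access is bidirectional or keep only the vpn-to-lan stanza when one-way access is the intent. The zone's `option input 'ACCEPT'` likewise gives VPN clients unrestricted access to services on the router itself; worth a sentence so readers can narrow it. The change from 'tcpudp' to 'udp' on the WAN rule is correct given the UDP-only default stated above.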
Line 60: Line 105:
If you want your client to reach the entire subnet on you server, and your server subnet is 192.168.1.1/24, then add the following line to the client configuration: If you want your client to reach the entire subnet on you server, and your server subnet is 192.168.1.1/24, then add the following line to the client configuration:
<code> <code>
-route 192.168.1.1 255.255.255.0+route 192.168.1.0 255.255.255.0
</code> </code>
===== Flexible OpenVPN set-up ===== ===== Flexible OpenVPN set-up =====
 +First we need to install the package for creating keys and certificates:
 +<code>
 +opkg install openvpn-easy-rsa
 +</code>
Edit the /etc/easy-rsa/vars file and modify the default location area Edit the /etc/easy-rsa/vars file and modify the default location area
<code> <code>
-vi /etc/easy-rsa/vars</code> +cd /etc/easy-rsa 
-at bottom, change to suit your location at will:+vi vars 
 +</code> 
 +at bottom, change to suit your location at will, but make sure none of them are empty:
<code> <code>
export KEY_COUNTRY="US" export KEY_COUNTRY="US"
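Review bot: The route fix to `route 192.168.1.0 255.255.255.0` is right (a route needs the network address, not a host), but the unchanged introductory sentence still reads "your server subnet is 192.168.1.1/24", which repeats the host-address form the fix removes; change it to 192.168.1.0/24 so text and example agree, and fix "on you server" to "on your server" in the same line.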
Line 73: Line 124:
export KEY_CITY="Houston" export KEY_CITY="Houston"
export KEY_ORG="My Cool Place" export KEY_ORG="My Cool Place"
 +export KEY_EMAIL="my@email.org"   
 +export KEY_OU="myorganisation"
 +</code>
 +Now we need to source in the variables you just set:
 +<code>
 +source vars
</code> </code>
- 
We will need to generate keys and certificates for server and clients. Prime your cert database: We will need to generate keys and certificates for server and clients. Prime your cert database:
<code> <code>
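Review bot: `source vars` only sets the KEY_* variables in the shell session where it is run, so the text should state that the subsequent key and certificate generation commands must be issued from that same session (and from /etc/easy-rsa, since the `cd` was added above). Also the added `export KEY_EMAIL="my@email.org"` line carries trailing whitespace; harmless to the shell but it should be trimmed.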
Line 119: Line 175:
option 'server' '10.8.0.0 255.255.255.0' option 'server' '10.8.0.0 255.255.255.0'
list 'push' 'route 192.168.1.0 255.255.255.0' list 'push' 'route 192.168.1.0 255.255.255.0'
-list 'push' 'redirect-gateway"' +list 'push' 'redirect-gateway'
-option 'comp_lzo'+
option 'keepalive' '10 120' option 'keepalive' '10 120'
option 'status' '/tmp/openvpn.status' option 'status' '/tmp/openvpn.status'
</code> </code>
-There is a bug in the /etc/init.d/openvpn. the push directives to openvpn should be encapsulated with double quotes ("), but the init script uses single quotes ('). If you want the push directives to work with openvpn you should modify the init script lines 103 and 107 to look like. 
-There is a ticket about this ( https://dev.openwrt.org/ticket/10518 ). It has been fixed upstream but it has not hit any of the stable releases yet.  --- //sup 2012/05/07 12:16//+===== Notes =====
-<code> +  * In the /etc/config/openvpn all options with two (or more) parameters should use special syntax, where all parameters are enclosed into quotes or double-quotes:
-tun_mtu tun_mtu_extra txqueuelen user verb push+
-        # append multi-value params +    option option_name 'parameter1 parameter2' 
-       append_params_quoted "$s"; \ +   option option_name "parameter1 parameter2"
-                down up +
-</code>;+
 +  * All options specified without parameters in the /etc/openvpn/openvpn.conf, in the /etc/config/openvpn should be specified with parameter "1":
 +
 +    option option_name '1'
 +
 +**Examples:**
 +    option persist-tun 1
 +    option keepalive "10 25"
 +    list route '172.16.0.0 255.240.0.0'
 +
 +===== Known bugs and notes =====
 +
 +  * Option 'comp-lzo' '1' isn't work yet with client on x86, error message on client side (Linux/x86) is: "Bad LZO decompression header byte: 42", error message on server side (OpenWRT/MIPS): "IP packet with unknown IP version=15 seen".
 +  * Option 'management' not implemented yet.
 +
 +  * Fixed  in r30719 at 25.02.2012 15:32:21:
 +There is a bug in the /etc/init.d/openvpn. the push directives to openvpn should be encapsulated with double quotes ("), but the init script uses single quotes ('). If you want the push directives to work with openvpn you should modify the init script lines 103 and 107 to look like.
 +There is a ticket about this ( https://dev.openwrt.org/ticket/10518 ).
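Review bot: The examples in the new Notes section use hyphenated names (`option persist-tun 1`, and "Option 'comp-lzo' '1'" under Known bugs) while the line removed above used `option 'comp_lzo'` with an underscore; UCI option names may only contain letters, digits and underscores, so the hyphenated forms will not be accepted by /etc/config/openvpn. State explicitly that OpenVPN directives are written with underscores in the UCI file, and make the quoting in the examples consistent with the rule just given (`option persist_tun '1'`). Separately, the "Fixed in r30719" paragraph still ends with "modify the init script lines 103 and 107 to look like." although the code it pointed at was removed in this change; reword it as a historical note or drop the dangling sentence.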


doc/howto/vpn.server.openvpn.tun.1363212898.txt.bz2 · Last modified: 2013/03/13 23:14 by del