Differences

This shows you the differences between two versions of the page.

doc:howto:vpn.server.openvpn.tun [2013/10/28 08:28]
lorema
doc:howto:vpn.server.openvpn.tun [2013/11/03 22:37] (current)
lukas0907
Line 17: Line 17:
</code> </code>
Currently the Luci web-interface has the luci-app-openvpn package marked as broken, and hence it is not available in the package system. If you still want to use it, preferably to help fix it, you will have track down the source code, an old package, or build OpenWrt yourself. If you build OpenWrt yourself, you can choose to expose broken packages, allowing you to include luci-app-openvpn on your router. Currently the Luci web-interface has the luci-app-openvpn package marked as broken, and hence it is not available in the package system. If you still want to use it, preferably to help fix it, you will have track down the source code, an old package, or build OpenWrt yourself. If you build OpenWrt yourself, you can choose to expose broken packages, allowing you to include luci-app-openvpn on your router.
 +
 +===== Modify your network interfaces =====
 +A new virtual interface "vpn" must be created which is later used in firewall rules:
 +
 +Open the network file:
 +<code>vi /etc/config/network</code>
 +
 +Add the following interface definition to the end of the file:
 +
 +<code>
 +config interface 'vpn'
 +        option proto 'none'
 +        option ifname 'tun0'
 +</code>
===== Modify your firewall ===== ===== Modify your firewall =====
By default OpenVPN uses UDP over port 1194. Hence we need to configure the firewall on the OpenVPN server to allow UDP traffic on 1194. The client will only have outgoing traffic on port 1194 and for most set-ups do not need any firewall configuration. If for some reason port 1194 is blocked, you may configure OpenVPN to use other ports, just be sure to set both server and client to use the same port. By default OpenVPN uses UDP over port 1194. Hence we need to configure the firewall on the OpenVPN server to allow UDP traffic on 1194. The client will only have outgoing traffic on port 1194 and for most set-ups do not need any firewall configuration. If for some reason port 1194 is blocked, you may configure OpenVPN to use other ports, just be sure to set both server and client to use the same port.
 +
Open the firewall file Open the firewall file
<code> <code>
vi /etc/config/firewall vi /etc/config/firewall
</code> </code>
 +
Towards the bottom append change the dest_port variable to your preference: Towards the bottom append change the dest_port variable to your preference:
 +
<code> <code>
config 'rule' config 'rule'
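Review bot: the new interface stanza hard-codes ifname 'tun0', but nothing in this hunk ties that name to the OpenVPN server configuration; if the server is started with a bare `dev tun`, the kernel hands out the next free tunN device, and the 'vpn' interface (and any firewall zone built on it) will not match. Suggest adding a sentence that the server config must use `dev tun0` (or whatever name is put in ifname). Two wording slips in the unchanged context could also be fixed while this section is being edited: "you will have track down" is missing "to", and "Towards the bottom append change the dest_port variable to your preference" should read something like "Towards the bottom, append the following rule and change dest_port to your preference".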
Line 33: Line 50:
        option 'family' 'ipv4'         option 'family' 'ipv4'
</code> </code>
-Also we need to pass traffic via tun* interface:+ 
 +In the same file, a zone entry is needed to allow traffic on tun0: 
<code> <code>
-vi /etc/firewall.user+config zone 
 + option name 'vpn' 
 + option input 'ACCEPT' 
 + option forward 'REJECT' 
 + option output 'ACCEPT' 
 + option network 'vpn'
</code> </code>
-and add following lines to pass all via all tun* interfaces+ 
 +If you want to access the LAN zone from the VPN, add the following forwarding entries: 
<code> <code>
-iptables -I INPUT 1 -i tun+ -j ACCEPT +config forwarding 
-iptables -I OUTPUT 1 -o tun+ -j ACCEPT + option dest 'lan' 
-iptables -I FORWARD 1 -o tun+ -j ACCEPT + option src 'vpn' 
-iptables -I FORWARD 1 -i tun+ -j ACCEPT+ 
 +config forwarding 
 + option dest 'vpn' 
 + option src 'lan'
</code> </code>
-Warning: these rules allow all traffic between all tun interfaces and all other interfaces. For security you may write more accuracy rules into chains "forwarding_rule", "input_rule", "output_rule" or "forwarding_lan_rule", "input_lan_rule", "output_lan_rule".  
-Restart the firewall+Restart networking and firewall
<code> <code>
 +/etc/init.d/network restart
/etc/init.d/firewall restart /etc/init.d/firewall restart
</code> </code>
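Review bot: the new zone sets input 'ACCEPT', so every service listening on the router (SSH, LuCI, DNS and so on) becomes reachable by any connected VPN client, yet the old warning about overly broad rules was deleted instead of being carried over. Suggest either setting input to 'REJECT' and adding explicit rules for the services clients actually need, or keeping a warning sentence next to the zone definition. Two further behaviour changes should be stated in the text: the removed iptables rules matched every tun+ device, whereas the new zone covers only network 'vpn' (tun0), and the forwarding pair opens traffic in both directions (lan to vpn as well as vpn to lan), which is more than "access the LAN zone from the VPN" describes; if only VPN-to-LAN access is wanted, the second forwarding block can be dropped.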


doc/howto/vpn.server.openvpn.tun.txt · Last modified: 2013/11/03 22:37 by lukas0907