This is an old revision of the document!


OpenVPN Configuration

There are many redundant wiki pages relating to configuring OpenVPN on OpenWrt. Some are better than others, and others are an out-of-date muddled mess. For a reasonably complete / up-to-date guide to installing, configuring and troubleshooting OpenVPN clients & servers on OpenWrt (including creating a simple PKI), could I suggest you consider starting with vpn.openvpn instead of this wiki.

It is not that the other wikis aren't worth reading; it is just that (IMHO) vpn.openvpn is a better place to start (it has been rewritten from scratch just a few weeks ago). Maybe you could improve it further?

For an overview of all existing virtual private network (VPN) related articles in the OpenWrt wiki, please visit vpn.overview.

FIXME Configuration example of multirouter setup

Introduction

If you are already familiar with OpenVPN and know how you want to use and configure it, feel free to skip the introduction. OpenVPN provides a leading Virtual Private Network solution. There are many possible configurations of OpenVPN, and this can be confusing. We will only briefly cover the most important aspects here; for comprehensive documentation please consult the project's homepage.

For routers running OpenWrt, performance is often a scarce resource. This has some important implications for running OpenVPN. The most important factor is the CPU of the router, which has to encrypt all traffic. As an indicator of what to expect, the Atheros 680MHz CPU found in many routers is reported to give 20-25Mb/s throughput. Moreover, OpenVPN optionally provides compression of network traffic, which boosts your network bandwidth, but puts an even heavier toll on your CPU. Hence, consider whether you want to use a node in your network as the OpenVPN server rather than the router. One obvious reason you may want to install OpenVPN on the router is that the router is typically always on, and hence provides excellent availability.

We will cover two common ways of configuring OpenVPN here. The main difference between the two is that the first is easier to set up but only provides one client and one server. The second is a bit more involved to set up, but provides full flexibility with respect to the number of servers and clients you want to connect.

Installation

Regardless of whether you are setting up a client or a server, you will need to install the openvpn package. On OpenWrt do:

opkg update
opkg install openvpn

Currently the LuCI web interface has the luci-app-openvpn package marked as broken, and hence it is not available in the package system. If you still want to use it, preferably to help fix it, you will have to track down the source code, an old package, or build OpenWrt yourself. If you build OpenWrt yourself, you can choose to expose broken packages, allowing you to include luci-app-openvpn on your router.

Modify your network interfaces

A new virtual interface "vpn" must be created which is later used in firewall rules:

Open the network file:

vi /etc/config/network

Add the following interface definition to the end of the file:

config interface 'vpn'
        option proto 'none'
        option ifname 'tun0'

Modify your firewall

By default OpenVPN uses UDP port 1194. Hence we need to configure the firewall on the OpenVPN server to allow UDP traffic on port 1194. The client will only have outgoing traffic on port 1194 and for most set-ups does not need any firewall configuration. If for some reason port 1194 is blocked, you may configure OpenVPN to use another port; just be sure to set both server and client to use the same port.

Open the firewall file:

vi /etc/config/firewall

Towards the bottom, append the following rule, changing the dest_port value to your preference:

config 'rule'
        option 'target' 'ACCEPT'
        option 'dest_port' '1194'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'family' 'ipv4'

In the same file, a zone entry is needed to allow traffic on tun0:

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'vpn'
	option masq 1
	option mtu_fix 1

If you want to access the LAN zone from the VPN, add the following forwarding entries:

config forwarding
	option dest 'lan'
	option src 'vpn'

config forwarding
	option dest 'vpn'
	option src 'lan'

Restart networking and firewall:

/etc/init.d/network restart
/etc/init.d/firewall restart

Make sure you fix any syntax errors in /etc/config/firewall before proceeding.

Simple OpenVPN set-up

The easiest way to configure OpenVPN is using static keys. The main drawback is that it only provides a single-server, single-client configuration. The key is also stored in plaintext on both peers, and static-key mode offers no perfect forward secrecy, so anyone who obtains the key can decrypt previously captured sessions. The first thing you need to do is create the static key, which is done by:

cd /etc/openvpn
openvpn --genkey --secret static.key

Copy the key to your client over a secure channel. Now configure openvpn by editing /etc/config/openvpn to look like this:

option 'dev' 'tun'
option 'secret' '/etc/openvpn/static.key'
option 'ifconfig' '192.168.2.1 192.168.2.2'

This assumes that you want your server IP address to be 192.168.2.1, and your client IP address to be 192.168.2.2.

If your client is a Linux box, simply install openvpn from your package system and set your openvpn configuration file to:

remote myremote.mydomain
dev tun
ifconfig 192.168.2.2 192.168.2.1
secret static.key

where you replace myremote.mydomain with the domain name or external IP address of your OpenVPN server. If your client is an OpenWrt server, simply adjust the configuration to the option format.

If you want your client to reach the entire subnet on your server, and your server subnet is 192.168.1.1/24, then add the following line to the client configuration:

route 192.168.1.0 255.255.255.0

Flexible OpenVPN set-up

First we need to install the package for creating keys and certificates:

opkg install openvpn-easy-rsa

Edit the /etc/easy-rsa/vars file and modify the default location settings:

cd /etc/easy-rsa
vi vars

At the bottom, change the values to suit your location, but make sure none of them are empty:

export KEY_COUNTRY="US"
export KEY_PROVINCE="TX"
export KEY_CITY="Houston"
export KEY_ORG="My Cool Place"
export KEY_EMAIL="my@email.org"
export KEY_OU="myorganisation"

Now source the variables you just set:

source vars

We will need to generate keys and certificates for the server and the clients. Prime your certificate database:

clean-all
build-ca
build-dh

Create the server key:

build-key-server server

Create a client key for each person who will connect. For normal keys:

build-key Jimmy
build-key Sara
build-key Soandso
...

For PKCS12 format (combines the key and CA certificate in one file), instead do:

build-key-pkcs12 Jimmy
build-key-pkcs12 Sara
build-key-pkcs12 Soandso
...

Copy the important files to the /etc/openvpn directory, so that they are duplicated:

cd /etc/easy-rsa/keys
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/

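Finally, edit /etc/config/openvpn to fit your needs.

vi /etc/config/openvpn

The following is an example. There are multiple examples included in the configuration file. The tls_auth line refers to shared.key, which the easy-rsa steps above do not create; generate it with openvpn --genkey --secret, as for the static key in the simple set-up.
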
option 'port' '1194'
option 'proto' 'udp'
option 'dev' 'tun'
option 'ca' '/etc/openvpn/ca.crt'
option 'cert' '/etc/openvpn/server.crt'
option 'key' '/etc/openvpn/server.key'
option 'dh' '/etc/openvpn/dh1024.pem'
option 'tls_auth' '/etc/openvpn/shared.key 0'
option 'server' '10.8.0.0 255.255.255.0'
list 'push' 'route 192.168.1.0 255.255.255.0'
list 'push' 'redirect-gateway'
option 'keepalive' '10 120'
option 'status' '/tmp/openvpn.status'
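
A server config names its key material by path, so a path that does not match what was copied into /etc/openvpn only shows up when OpenVPN fails to start. The following check is an added example, not part of the original wiki page or of OpenWrt; the function names, the finding labels and the sample layout are constructed for illustration. It reports missing files, private keys readable by group or others, and a CA private key left next to the server keys.

```shell
#!/bin/sh
# Added example (not from the wiki): pre-flight check of the key files that a
# UCI OpenVPN config points at. Paths and sample data below are constructed.

# check_openvpn_files CONFIG KEYDIR: prints one finding per line, nothing if clean.
check_openvpn_files() {
    conf=$1; keydir=$2
    # 1. Every file named by a path-valued option must exist.
    awk -v q="'" '$1 == "option" {
        gsub("[" q "\"]", "")                 # strip UCI quoting
        if ($2 ~ /^(ca|cert|key|dh|tls_auth|secret)$/) print $2, $3
    }' "$conf" |
    while read -r opt path; do
        [ -f "$path" ] || echo "MISSING $opt $path"
    done
    # 2. Private keys must not be readable by group or others.
    for f in "$keydir"/*.key; do
        [ -f "$f" ] || continue
        case $(ls -ld "$f") in
            -???------*) ;;
            *) echo "PERMS $f" ;;
        esac
    done
    # 3. The CA private key only signs certificates; OpenVPN reads ca.crt, not ca.key.
    if [ -f "$keydir/ca.key" ]; then echo "CAKEY $keydir/ca.key"; fi
    return 0
}

# Constructed sample: the five files from the cp step, and a config that names
# dh.pem and shared.key, neither of which is among them.
sample_layout() {
    d=$(mktemp -d)
    for f in ca.crt ca.key dh1024.pem server.crt server.key; do : > "$d/$f"; done
    chmod 600 "$d/server.key"; chmod 644 "$d/ca.key"
    cat > "$d/openvpn" <<EOF
option 'ca' '$d/ca.crt'
option 'cert' '$d/server.crt'
option 'key' '$d/server.key'
option 'dh' '$d/dh.pem'
option 'tls_auth' '$d/shared.key 0'
EOF
    echo "$d"
}

d=$(sample_layout)
check_openvpn_files "$d/openvpn" "$d"
rm -rf "$d"
```

On a router, call it as check_openvpn_files /etc/config/openvpn /etc/openvpn before restarting the service.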

Notes

  • In /etc/config/openvpn, every option that takes two (or more) parameters must be written with all of its parameters enclosed in a single pair of single or double quotes:
  option option_name 'parameter1 parameter2'
  option option_name "parameter1 parameter2"
  • Every option that is written without parameters in /etc/openvpn/openvpn.conf must be given the parameter "1" in /etc/config/openvpn:
  option option_name '1'

Examples:

  option persist-tun 1
  option keepalive "10 25"
  list route '172.16.0.0 255.240.0.0'
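
The two rules above can be applied mechanically when porting an existing openvpn.conf. The converter below is an added example, not part of the original wiki page or of the OpenWrt init script; the function names and the sample input are constructed. It writes option names with underscores, as in the tls_auth line of the server example (an assumption about the naming the init script expects), and emits only push and route as list entries, the two directives this page shows as lists.

```shell
#!/bin/sh
# Added example (not from the wiki): convert openvpn.conf directives to the
# /etc/config/openvpn form described in the Notes above.

# conf_to_uci [FILE]: reads openvpn.conf syntax (stdin if no FILE), prints UCI lines.
conf_to_uci() {
    awk -v q="'" '
    /^[ \t]*$/ || /^[ \t]*[#;]/ { next }      # skip blank lines and comments
    {
        name = $1
        gsub(/-/, "_", name)   # assumption: "_" in UCI names, as in tls_auth
        val = $0
        sub(/^[ \t]*[^ \t]+[ \t]*/, "", val)  # drop the directive name
        sub(/[ \t]+$/, "", val)               # and trailing whitespace
        gsub(/"/, "", val)                    # conf-style quotes are replaced below
        if (val == "") val = "1"              # flag without parameters -> "1"
        # The page writes push and route as list entries; everything else is an option.
        kind = (name == "push" || name == "route") ? "list" : "option"
        print kind " " name " " q val q
    }' "$@"
}

# Constructed sample input mirroring the server options shown on this page.
sample_conf() {
    cat <<'EOF'
# server side
port 1194
dev tun
tls-auth /etc/openvpn/shared.key 0
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway"
keepalive 10 120
persist-tun
EOF
}

sample_conf | conf_to_uci
```

Values that themselves contain a single quote are not handled and need manual quoting.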

Known bugs and notes

  • Option 'comp-lzo' '1' does not work yet with a client on x86. The error message on the client side (Linux/x86) is "Bad LZO decompression header byte: 42"; the error message on the server side (OpenWrt/MIPS) is "IP packet with unknown IP version=15 seen".
  • Option 'management' is not implemented yet.
  • Fixed in r30719 at 25.02.2012 15:32:21:

There is a bug in /etc/init.d/openvpn. The push directives to openvpn should be enclosed in double quotes ("), but the init script uses single quotes ('). If you want the push directives to work with openvpn you should modify the init script lines 103 and 107 to look like. There is a ticket about this ( https://dev.openwrt.org/ticket/10518 ).

doc/howto/vpn.server.openvpn.tun.1401488265.txt.bz2 · Last modified: 2014/05/31 00:17 by zxdavb