There are many redundant wiki pages relating to configuring OpenVPN on OpenWrt. Some are better than others, and others are an out-of-date muddled mess. For a reasonably complete / up-to-date guide to installing, configuring and troubleshooting OpenVPN clients & servers on OpenWrt (including creating a simple PKI), could I suggest you consider starting with vpn.openvpn instead of this wiki.
It is not that the other wikis aren't worth reading; it is just that (IMHO) vpn.openvpn is a better place to start (it has been rewritten from scratch just a few weeks ago). Maybe you could improve it further?
For an overview of all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit vpn.overview
Configuration example of multirouter setup
If you are already familiar with OpenVPN and know how you want to use and configure it, feel free to skip the introduction. OpenVPN provides a leading Virtual Private Network solution. There are many possible configurations of OpenVPN, and this can be confusing. We will only briefly cover the most important aspects here; for comprehensive documentation, please consult the project's homepage.
For routers running OpenWrt, performance is often a scarce resource. This has some important implications for running OpenVPN. The most important factor is the router's CPU, which has to encrypt all traffic. You will find indicators of what to expect here; basically, the Atheros 680MHz CPU found in many routers is reported to give 20-25Mb/s throughput. Moreover, OpenVPN optionally provides compression of network traffic, which boosts your network bandwidth but puts an even heavier toll on your CPU. Hence, consider whether you want to use a node in your network as the OpenVPN server rather than the router. One obvious reason you may want to install OpenVPN on the router is that the router is typically always on, and hence provides excellent availability.
We will cover two common ways of configuring OpenVPN here. The main difference between the two is that the first is easier to set up but only provides one client and one server. The second is a bit more involved to set up, but provides full flexibility with respect to the number of servers and clients you want to connect.
Regardless of whether you are setting up a client or a server, you will need to install the openvpn package. On OpenWrt do:
opkg update
opkg install openvpn
Currently the LuCI web interface has the luci-app-openvpn package marked as broken, and hence it is not available in the package system. If you still want to use it, preferably to help fix it, you will have to track down the source code, an old package, or build OpenWrt yourself. If you build OpenWrt yourself, you can choose to expose broken packages, allowing you to include luci-app-openvpn on your router.
A new virtual interface "vpn" must be created which is later used in firewall rules:
Open the network file:
Add the following interface definition to the end of the file:
config interface 'vpn'
    option proto 'none'
    option ifname 'tun0'
By default OpenVPN uses UDP over port 1194. Hence we need to configure the firewall on the OpenVPN server to allow UDP traffic on 1194. The client will only have outgoing traffic on port 1194 and for most set-ups does not need any firewall configuration. If for some reason port 1194 is blocked, you may configure OpenVPN to use other ports; just be sure to set both server and client to use the same port.
Open the firewall file:
Towards the bottom, append the following rule, changing the dest_port value to your preference:
config 'rule'
    option 'target' 'ACCEPT'
    option 'dest_port' '1194'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'family' 'ipv4'
In the same file, a zone entry is needed to allow traffic on tun0:
config zone
    option name 'vpn'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option network 'vpn'
    option masq 1
    option mtu_fix 1
If you want to access the LAN zone from the VPN, add the following forwarding entries:
config forwarding
    option dest 'lan'
    option src 'vpn'
config forwarding
    option dest 'vpn'
    option src 'lan'
Restart networking and firewall:
/etc/init.d/network restart
/etc/init.d/firewall restart
Make sure you fix any syntax errors in /etc/config/firewall before proceeding.
The easiest way to configure OpenVPN is using static keys. The main drawback is that it only provides a single-server, single-client configuration. The first thing you need to do is create the static key, which is done by:
cd /etc/openvpn
openvpn --genkey --secret static.key
Copy the key to your client over a secure channel. Now configure openvpn by editing /etc/config/openvpn to look like this:
option 'dev' 'tun'
option 'secret' '/etc/openvpn/static.key'
option 'ifconfig' '192.168.2.1 192.168.2.2'
This is assuming that you want your server IP address to be 192.168.2.1, and your client IP address to be 192.168.2.2.
If your client is a Linux box, simply install openvpn from your package system and set your openvpn configuration file to:
remote myremote.mydomain
dev tun
ifconfig 192.168.2.2 192.168.2.1
secret static.key
where you replace myremote.mydomain with the domain name or external IP address of your OpenVPN server. If your client is an OpenWrt server, simply adjust the configuration to the
If you want your client to reach the entire subnet on your server, and your server subnet is 192.168.1.1/24, then add the following line to the client configuration:
route 192.168.1.0 255.255.255.0
First we need to install the package for creating keys and certificates:
opkg install openvpn-easy-rsa
Edit the /etc/easy-rsa/vars file and modify the default location area:
cd /etc/easy-rsa
vi vars
At the bottom, change the values to suit your location, but make sure none of them are empty:
export KEY_COUNTRY="US"
export KEY_PROVINCE="TX"
export KEY_CITY="Houston"
export KEY_ORG="My Cool Place"
export KEY_EMAIL="firstname.lastname@example.org"
export KEY_OU="myorganisation"
Now we need to source in the variables you just set:
source vars
We will need to generate keys and certificates for the server and clients. Prime your cert database:
clean-all
build-ca
build-dh
Create the server key:
build-key-server server
Create a client key for each person who will connect:
build-key Jimmy
build-key Sara
build-key Soandso
...
For PKCS12 format (combines the key and CA certificate in one file), instead do:
build-key-pkcs12 Jimmy
build-key-pkcs12 Sara
build-key-pkcs12 Soandso
...
Copy the important files to the /etc/openvpn directory, so that they are duplicated:
cd /etc/easy-rsa/keys
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/
Finally, edit /etc/config/openvpn to fit your needs.
vi /etc/config/openvpn
The following is an example. There are multiple examples included in the configuration file.
option 'port' '1194'
option 'proto' 'udp'
option 'dev' 'tun'
option 'ca' '/etc/openvpn/ca.crt'
option 'cert' '/etc/openvpn/server.crt'
option 'key' '/etc/openvpn/server.key'
option 'dh' '/etc/openvpn/dh1024.pem'
option 'tls_auth' '/etc/openvpn/shared.key 0'
option 'server' '10.8.0.0 255.255.255.0'
list 'push' 'route 192.168.1.0 255.255.255.0'
list 'push' 'redirect-gateway'
option 'keepalive' '10 120'
option 'status' '/tmp/openvpn.status'
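A pre-start check for the setup above, as an added example (not part of the original page or of OpenWrt): it reads the file options of a UCI openvpn section and reports referenced files that are missing, private keys readable by group or others, and a ca.key left next to ca.crt, since the server only needs the CA certificate. The names audit_openvpn and demo_report and the scratch directory are constructed for the example.

```shell
#!/bin/sh
# audit_openvpn CONFIG: check the files a UCI openvpn section points at.
# Prints one finding per line and returns 1 if there is any finding.
audit_openvpn() {
    conf=$1
    rc=0
    # Collect "name path" for every option that names a file on disk.
    refs=$(awk -v q="'" '
        { gsub("[" q "\"]", "") }    # drop UCI quoting, fields are re-split
        $1 == "option" && $2 ~ /^(ca|cert|key|dh|secret|tls_auth)$/ { print $2, $3 }
    ' "$conf")
    while read -r name path; do
        [ -n "$name" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING $name $path"; rc=1
            continue
        fi
        case $name in
            ca) # The CA private key only signs certificates; the daemon never reads it.
                if [ -e "$(dirname "$path")/ca.key" ]; then
                    echo "CAKEY $(dirname "$path")/ca.key"; rc=1
                fi ;;
            key|secret|tls_auth)
                # Characters 5-10 of the ls mode string are the group/other bits.
                if [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
                    echo "PERMS $name $path"; rc=1
                fi ;;
        esac
    done <<EOF
$refs
EOF
    return $rc
}

# Constructed sample: a scratch directory laid out like /etc/openvpn after the copy step.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
for f in ca.crt ca.key server.crt server.key dh1024.pem; do : > "$demo_dir/$f"; done
chmod 600 "$demo_dir/ca.key"; chmod 644 "$demo_dir/server.key"
cat > "$demo_dir/openvpn" <<EOF
    option 'ca' '$demo_dir/ca.crt'
    option 'cert' '$demo_dir/server.crt'
    option 'key' '$demo_dir/server.key'
    option 'dh' '$demo_dir/dh.pem'
EOF
demo_report() { audit_openvpn "$demo_dir/openvpn"; }
demo_report || true
```

On a router the call would be `audit_openvpn /etc/config/openvpn`; a clean configuration prints nothing and returns 0.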
option option_name 'parameter1 parameter2'
option option_name "parameter1 parameter2"
option option_name '1'
option persist_tun 1
option keepalive "10 25"
list route '172.16.0.0 255.240.0.0'
There is a bug in /etc/init.d/openvpn. The push directives passed to openvpn should be enclosed in double quotes ("), but the init script uses single quotes ('). If you want the push directives to work with openvpn you should modify the init script lines 103 and 107 to look like. There is a ticket about this ( https://dev.openwrt.org/ticket/10518 ).
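How the UCI syntax shown above maps onto OpenVPN directives, with each push value emitted as one double-quoted argument as the paragraph above requires. This is an added illustration, not the code of /etc/init.d/openvpn; the function names and the FLAGS list of on/off options are assumptions.

```shell
#!/bin/sh
# uci_to_ovpn: read UCI option/list lines on stdin, print OpenVPN directives.
# Illustration only; FLAGS is an assumed, incomplete list of on/off options.
uci_to_ovpn() {
    awk -v q="'" -v FLAGS="persist_tun persist_key" '
    # Strip one layer of matching single or double quotes.
    function unq(s,    c) {
        c = substr(s, 1, 1)
        if (length(s) >= 2 && (c == q || c == "\"") && substr(s, length(s)) == c)
            return substr(s, 2, length(s) - 2)
        return s
    }
    BEGIN { n = split(FLAGS, f, " "); for (i = 1; i <= n; i++) flag[f[i]] = 1 }
    $1 == "option" || $1 == "list" {
        name = unq($2)
        val = $0                       # value = everything after the name token
        sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]*/, "", val)
        sub(/[ \t]+$/, "", val)
        val = unq(val)
        isflag = (name in flag)
        gsub(/_/, "-", name)           # UCI names use "_", OpenVPN uses "-"
        if (isflag) { if (val == "1") print name }    # flag: name only, when enabled
        else if (name == "push") printf "push \"%s\"\n", val    # one quoted argument
        else print name, val
    }'
}

# Constructed input, using values from the example configuration on this page.
sample_directives() {
    uci_to_ovpn <<'EOF'
option 'port' '1194'
option 'tls_auth' '/etc/openvpn/shared.key 0'
list 'push' 'route 192.168.1.0 255.255.255.0'
list 'push' 'redirect-gateway'
option keepalive "10 25"
option persist_tun 1
EOF
}
sample_directives
```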