|There are many redundant wiki pages relating to configuring OpenVPN on OpenWrt. Some are better than others, and others are an out-of-date muddled mess. For a reasonably complete / up-to-date guide to installing, configuring and troubleshooting OpenVPN clients & servers on OpenWrt (including creating a simple PKI), could I suggest you consider starting with vpn.openvpn instead of this wiki.|
It is not that the other wikis aren't worth reading; it is just that (IMHO) vpn.openvpn is a better place to start (it has been rewritten from scratch just a few weeks ago).
Although this wiki does cover some material not covered in vpn.openvpn (e.g. non-OpenWrt clients), it might still be a useful place to visit. Maybe you could improve it further rather than edit this wiki?
This guide is based on the use of a stable OpenWrt "Backfire" 10.03.1 OpenVPN. The aim is to show how secure Internet sharing is setup in 7 steps.
As prerequisite make sure you the router has correct date an time (use the "date" command to verify it). OpenVPN needs the router real time clock (RTC)to be accurate. The RTC accurate configuration can be achieved with ntpclient. Check the wiki on how to install and configure ntpclient.
opkg update opkg install openvpn openvpn-easy-rsa
cd /etc/easy-rsa vi vars
*OPTIONAL* (Comment out the following lines if you do not want your certificates to expire)
export CA_EXPIRE=3650 export KEY_EXPIRE=3650
(Change these last lines to suit your own country etc)
export KEY_COUNTRY="US" export KEY_PROVINCE="CA" export KEY_CITY="SanFrancisco" export KEY_ORG="Fort-Funston" export KEY_EMAIL="firstname.lastname@example.org"
/etc/easy-rsa/keysdirectory and start fresh.
build-key clientAlternatively, create client keys in PKCS12 Format (combines the key and ca certificate in one file)
/etc/openvpndirectory, so that they are duplicated
cd /etc/easy-rsa/keys cp dh1024.pem server.crt server.key /etc/openvpn/
Note - if a dh2048.pem file was generated - remember to change 1024 to 2048 on the configuration files below.
It's a good idea to make an offline backup of all the generated files in the
/etc/easy-rsa/keys directory. Use a utility like WinSCP to transfer the files from the router to your computer. For SFTP support, install the SFTP server on the router:
opkg update opkg install openssh-sftp-server
That way a SFTP client like Filezilla can be used to transfer files to and from the router.
If you are using UCI to configure your system, use this configuration file:
config 'openvpn' 'lan' option 'enable' '1' option 'port' '1194' option 'proto' 'udp' option 'dev' 'tun' option 'ca' '/etc/easy-rsa/keys/ca.crt' option 'cert' '/etc/easy-rsa/keys/server.crt' option 'key' '/etc/easy-rsa/keys/server.key' option 'dh' '/etc/easy-rsa/keys/dh1024.pem' option 'ifconfig_pool_persist' '/tmp/ipp.txt' option 'keepalive' '10 120' option 'comp_lzo' 'no' # this will break the tunnel in chaos calmer option 'persist_key' '1' option 'persist_tun' '1' option 'status' '/var/log/openvpn-status.log' option 'verb' '3' option 'server' '10.0.0.0 255.255.255.0' option 'client_to_client' '1' list 'push' 'redirect-gateway def1' list 'push' 'dhcp-option DNS 192.168.1.1' list 'push' 'route 192.168.1.0 255.255.255.0'If you use TunnelBlick to connect, keep in mind that it adds "openvpn" as a search domain which messes up hostnames. By default openwrt adds "lan" as a search domain via the dhcp. so add the following to make sure vpn client will be able to ping machines correctly:
list 'push' 'dhcp-option DOMAIN lan'
If there are revoked cerficates add also
option 'crl_verify' '/etc/easy-rsa/keys/crl.pem'
This will create a VPN on the 10.0.0.x IP range. If you'd like to choose a different IP range, edit it accordingly. Also change the 192.168.1.1 DNS entry to the IP address of your router if different.
If you are not using UCI configuration, use this configuration file:
mode server tls-server ### network options port 1194 proto udp dev tun ### Certificate and key files ca /etc/easy-rsa/keys/ca.crt cert /etc/easy-rsa/keys/server.crt key /etc/easy-rsa/keys/server.key dh /etc/easy-rsa/keys/dh1024.pem client-to-client server 10.0.0.0 255.255.255.0 push "redirect-gateway def1" push "dhcp-option DNS 192.168.1.1" # Change this to your router's LAN IP Address push "route 192.168.1.0 255.255.255.0" # Change this to your network ### (optional) compression (Can be slow). If not used specifically set to no and do not comment out. ### with no comp-lzo can result in write to TUN/TAP : Invalid argument (code=22) error comp-lzo no #comp-lzo yes persist-key persist-tun verb 3 keepalive 10 120 log-append /var/log/openvpn/openvpn.log
|: A better "more in the principals of UCI" firewall settings can be found at openvpn-streamlined-server-setup the below just bypasses the rules with custom and is not easily visible in LUCI rules.
Why has this been added? What is wrong/missing, what should be fixed? What is the action that this should trigger? — tmomas 2015/12/22 20:24
- Start openvpn:
/etc/init.d/openvpn start- Enable openvpn to let it be automatically loaded by
Windows # Create a folder called example VirtualNet in C:/Program Files
dh1024.pem located in
/etc/easy-rsa/keys/ on the router, and place them in the VirtualNet dir
# Open up a text editor and add the following lines…
# Save the file as
client.ovpn in VirtualNet
sudo apt-get install openvpn
pacman -S openvpn
http://openvpn.se/download.html *Choose Installation Package*
client.p12file to your SD card or internal memory.
client.p12file. Enter your key's password under "PKCS12 Password" to have it automatically log in.
Note: You may need to install tun.ko using the TUN.ko Installer (http://goo.gl/mFX8v). tun.ko may also be compiled into your kernel in which case the tun.ko module is not necessary on your Android device.
cd /home/your-user/VirtualNet/ sudo openvpn client.ovpn
client.ovpnand choose run with OpenVPN GUI