inbox:vpn.howto [2014/02/21 21:40]
inbox:vpn.howto [2016/12/03 03:21] (current)
ExaltedVanguard
====== OpenVPN server ======
| :!: This page is now obsolete. Users looking to set up OpenVPN should instead visit [[doc/howto/vpn.openvpn]]. :!: |

This guide is based on the stable OpenWrt "Backfire" 10.03.1 OpenVPN package. The aim is to show how secure Internet sharing is set up in 7 steps.

As a prerequisite, make sure the router has the correct date and time (use the ''date'' command to verify it). OpenVPN needs the router's real-time clock (RTC) to be accurate, because the validity period of every certificate is checked against it. An accurate clock can be maintained with ntpclient; check the wiki on how to install and configure ntpclient.


==== Installation ====
<code>
opkg update
opkg install openvpn openvpn-easy-rsa
</code>

==== Configure certificates ====
<code>
cd /etc/easy-rsa
vi vars
</code>

**OPTIONAL** (Comment out the following lines if you do not want your certificates to expire; the values are lifetimes in days.)

<code>
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
</code>

(Change these last lines to suit your own country etc.)
<code>
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
</code>

==== Generate certificates ====
  - //OPTIONAL:// Clean out the ''/etc/easy-rsa/keys'' directory and start fresh.<code>
clean-all
</code>
  - Build the CA certificate and the Diffie-Hellman parameters<code>
build-ca
build-dh
</code>
  - Create the server key<code>
build-key-server server
</code>
  - Create client keys. Include a password, since many clients balk at a key without a password.\\ Normal keys:<code>
build-key client
</code>Alternatively, create client keys in PKCS12 format (combines the client key, the client certificate and the CA certificate in one file)<code>
build-key-pkcs12 client
</code>
  - Copy the important files to the ''/etc/openvpn'' directory, so that they are duplicated<code>
cd /etc/easy-rsa/keys
cp dh1024.pem server.crt server.key /etc/openvpn/
</code>
**Note: if a dh2048.pem file was generated, remember to change 1024 to 2048 in the configuration files below.**
It's a good idea to make an offline backup of all the generated files in the ''/etc/easy-rsa/keys'' directory. The CA private key (''ca.key'') deserves particular care: anyone who obtains it can issue further client certificates that this server will accept. Use a utility like [[http://winscp.net/|WinSCP]] to transfer the files from the router to your computer. For SFTP support, install the SFTP server on the router:

<code>
opkg update
opkg install openssh-sftp-server
</code>

That way an SFTP client like [[https://filezilla-project.org/|Filezilla]] can be used to transfer files to and from the router.

==== Create OpenVPN configuration ====
If you are using UCI to configure your system, use this configuration file:
<code>
vi /etc/config/openvpn
</code>
<code>
config 'openvpn' 'lan'
        option 'enable' '1'
        option 'port' '1194'
        option 'proto' 'udp'
        option 'dev' 'tun'
        option 'ca' '/etc/easy-rsa/keys/ca.crt'
        option 'cert' '/etc/easy-rsa/keys/server.crt'
        option 'key' '/etc/easy-rsa/keys/server.key'
        option 'dh' '/etc/easy-rsa/keys/dh1024.pem'
        option 'ifconfig_pool_persist' '/tmp/ipp.txt'
        option 'keepalive' '10 120'
        option 'comp_lzo' 'no'   # keep this line set to 'no' and do not comment it out; see the compression note below (breaks the tunnel in Chaos Calmer)
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'status' '/var/log/openvpn-status.log'
        option 'verb' '3'
        option 'server' '10.0.0.0 255.255.255.0'
        option 'client_to_client' '1'
        list 'push' 'redirect-gateway def1'
        list 'push' 'dhcp-option DNS 192.168.1.1'
        list 'push' 'route 192.168.1.0 255.255.255.0'
</code>
If you use Tunnelblick to connect, keep in mind that it adds "openvpn" as a search domain, which messes up hostnames. By default OpenWrt adds "lan" as a search domain via DHCP, so add the following to make sure the VPN client will be able to ping machines on the LAN by name:
<code>
        list 'push' 'dhcp-option DOMAIN lan'
</code>

If there are [[https://openvpn.net/index.php/open-source/documentation/howto.html#revoke|revoked certificates]], also add the following; without it the server keeps accepting a revoked client certificate:
<code>
option 'crl_verify' '/etc/easy-rsa/keys/crl.pem'
</code>

This will create a VPN on the 10.0.0.x IP range. If you'd like to choose a different IP range, edit it accordingly. Also change the 192.168.1.1 DNS entry to the IP address of your router if different.

If you are not using UCI configuration, use this configuration file:
<code>
vi /etc/openvpn/openvpn.conf
</code>

<code>
mode server
tls-server

### network options
port 1194
proto udp
dev tun

### Certificate and key files
ca /etc/easy-rsa/keys/ca.crt
cert /etc/easy-rsa/keys/server.crt
key /etc/easy-rsa/keys/server.key
dh /etc/easy-rsa/keys/dh1024.pem

client-to-client
server 10.0.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"   # Change this to your router's LAN IP address
push "route 192.168.1.0 255.255.255.0"   # Change this to your network

### (optional) compression (can be slow). If not used, explicitly set it to "no" and do not comment it out:
### without a comp-lzo line the tunnel can fail with "write to TUN/TAP : Invalid argument (code=22)"
comp-lzo no
#comp-lzo yes

persist-key
persist-tun

verb 3
keepalive 10 120
log-append /var/log/openvpn/openvpn.log
</code>
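As an added example (not part of this wiki page, and not OpenWrt's own init script), the following Python renders a UCI ''openvpn'' section in the native ''openvpn.conf'' form, mirroring the two configurations shown above, and flags the settings this guide warns about: 1024-bit DH parameters, compression not explicitly set to ''no'', and no CRL. The sample UCI text is a constructed, abridged copy of the section above, and the set of boolean options is a simplified assumption (the real init script keeps a longer list).

```python
import re

# Constructed sample: an abridged copy of this guide's UCI section.
UCI_SAMPLE = """
config 'openvpn' 'lan'
        option 'enable' '1'
        option 'dh' '/etc/easy-rsa/keys/dh1024.pem'
        option 'comp_lzo' 'no'   # trailing comment, as in the guide
        option 'persist_key' '1'
        option 'server' '10.0.0.0 255.255.255.0'
        option 'client_to_client' '1'
        list 'push' 'redirect-gateway def1'
        list 'push' 'dhcp-option DNS 192.168.1.1'
"""

LINE_RE = re.compile(r"^\s*(option|list)\s+'([^']+)'\s+'([^']*)'")
# UCI options that are bare flags in openvpn.conf ('1' = present). Assumed
# subset: OpenWrt's init script keeps its own, longer list.
FLAGS = {"persist_key", "persist_tun", "client_to_client"}

def parse_uci(text):
    """Return (name, value) pairs in file order; repeated 'list' names are kept."""
    return [(m.group(2), m.group(3))
            for m in map(LINE_RE.match, text.splitlines()) if m]

def to_openvpn_conf(items):
    """UCI foo_bar -> foo-bar; flags become bare directives; list 'push' -> push "..."."""
    out = []
    for name, value in items:
        if name == "enable":  # consumed by /etc/init.d/openvpn, not an OpenVPN option
            continue
        directive = name.replace("_", "-")
        if name == "push":
            out.append(f'push "{value}"')
        elif name not in FLAGS:
            out.append(f"{directive} {value}")
        elif value == "1":
            out.append(directive)
    return out

def lint(items):
    """Flag 1024-bit DH, compression not explicitly 'no', and a missing CRL."""
    opts, findings = dict(items), []
    if "dh1024" in opts.get("dh", ""):
        findings.append("dh: 1024-bit parameters, prefer dh2048.pem")
    if opts.get("comp_lzo") != "no":
        findings.append("comp_lzo: set explicitly to 'no'")
    if "crl_verify" not in opts:
        findings.append("crl_verify: missing, revoked certificates are still accepted")
    return findings
```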

==== Configure the firewall ====

|FIXME: A better "more in the principles of UCI" firewall setup can be found at [[/doc/howto/openvpn-streamlined-server-setup]]; the rules below just bypass the UCI rules with custom ones and are not easily visible in the LuCI rules.\\ \\ //Why has this FIXME been added? What is wrong/missing, what should be fixed? What is the action that this FIXME should trigger? --- tmomas 2015/12/22 20:24// |


<code>
vi /etc/config/firewall
</code>

<code>
config 'include'
        option 'path' '/etc/firewall.user'

config 'rule'
        option 'target' 'ACCEPT'
        option 'name' 'VPN'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '1194'
</code>

<code>
vi /etc/firewall.user
</code>

<code>
iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables -A input_wan -p udp --dport 1194 -j ACCEPT

iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
</code>

Note that the ''tun+'' rules accept all traffic from and to the tunnel interfaces, so every connected VPN client is trusted like a LAN host.

==== Autostart needed? ====
  - Start openvpn:
<code>
/etc/init.d/openvpn start
</code>
  - Enable openvpn so that it is automatically started by ''init'' at boot:
<code>
/etc/init.d/openvpn enable
</code>

===== Configure the client =====
GNU/Linux: create a directory for the client files.
<code>
mkdir ~/VirtualNet
</code>

Windows: create a folder, for example ''VirtualNet'', in ''C:/Program Files''.

Download ''ca.crt'', ''client.crt'', ''client.key'' and ''dh1024.pem'', located in ''/etc/easy-rsa/keys/'' on the router, and place them in the VirtualNet directory. Use SFTP rather than an unencrypted channel, because ''client.key'' is the client's private key.

Open a text editor, add the following lines, and save the file as ''client.ovpn'' in VirtualNet:

<code>
client
tls-client
dev tun
proto udp
remote SERVER-IP 1194   # Change to your router's external IP
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
dh dh1024.pem   # server-side directive; the client does not use it (newer versions log a warning and ignore it)
#comp-lzo

persist-tun
persist-key
verb 3
</code>

Because ''build-key-server'' issues the server certificate with the server extended key usage while ''build-key'' does not, adding ''remote-cert-tls server'' to this client config makes the client reject any peer that presents a certificate not issued as a server certificate, for example another client's certificate.

===== Client Usage GNU/Linux - Download OpenVPN =====

==== Debian ====
<code>
sudo apt-get install openvpn
</code>

==== Arch Linux ====
<code>
pacman -S openvpn
</code>

==== Gentoo ====
<code>
emerge openvpn
</code>

===== Client Usage Windows - Download OpenVPN client =====

==== On Windows XP / 32 Bit ====
http://openvpn.se/download.html\\
Choose "Installation Package".

==== On Windows Vista 64 ====
  * It seems that Windows Vista 64 does not like the tun/tap driver from the client package, so download the entire OpenVPN pack including server and client from http://openvpn.net/index.php/open-source/downloads.html and choose "Windows Installer".

===== Client Usage on Android =====

  - Install and run __OpenVPN for Android__ by Arne Schwabe (http://goo.gl/1Gu0sm).
  - Copy the ''client.p12'' file to your SD card or internal memory.
  - Create a new profile. Under "Basic" settings, supply your router's WAN [[http://www.whatsmyip.org/|IP address or server address]] and disable "LZO Compression". Choose "PKCS12 File" under "Type" and select the ''client.p12'' file. Enter your key's password under "PKCS12 Password" to have it log in automatically.

Note: you may need to install tun.ko using the __TUN.ko Installer__ (http://goo.gl/mFX8v). tun.ko may also be compiled into your kernel, in which case the tun.ko module is not necessary on your Android device.

===== Client Usage MacOS X / iOS / ... =====
TODO

===== Client Usage GNU/Linux Connect =====
<code>
cd /home/your-user/VirtualNet/
sudo openvpn client.ovpn
</code>

===== Client Usage Windows Connect =====

  * Browse to the VirtualNet directory
  * Right-click on ''client.ovpn'' and choose "Run with OpenVPN GUI"

===== Known Issue (and Fix) for Windows 10 Client =====

Windows 10 under-prioritizes DNS queries over the OpenVPN client adapter. This causes the OS to send DNS queries through the local network adapter instead of the tunneled adapter (TAP-Windows Adapter V9). Ultimately, this prevents DNS queries from going over the OpenVPN tunnel and leaks them to the client's local network. The OpenVPN client for Windows as of version 2.3.9 provides a fix for this with the ''--block-outside-dns'' option in the server config or the client config; see [[https://community.openvpn.net/openvpn/ticket/605]] for more info.