This is an old revision of the document!
To prevent discombobulation, please follow the format already in place within this Wiki when editing (incl. the Table of Contents)
Five things are required for an SSL VPN:
Easy-RSA does not create sufficiently secure certs and has too many limitations, therefore OpenSSL should be utilized directly via an openssl.cnf
Commands are executed from within /etc/ssl/
OpenVPN Prerequisites
opkg update ; opkg install openvpn-openssl luci-app-openvpn
/etc/ssl/openssl.cnf
cd /etc/ssl ; mkdir -p ca/csr crl openvpn/clients
echo 00 > serial
echo 00 > crlnumber
touch index
touch rand
File & Folder Locations
/etc/config/firewall
/etc/config/network
/etc/config/openvpn
/etc/ssl/
/etc/ssl/ca/
/etc/ssl/ca/csr/
/etc/ssl/crl/
/etc/ssl/openvpn/clients/
/etc/ssl/openvpn/
Certificate Extensions
Section Synopsis
OpenSSL Information
Command Manuals
keyUsage: keyAgreement is required
extendedKeyUsage: nscertype options (ns in nscertype stands for NetScape [browser]); clientAuth can be utilized in an IPSec VPN client cert
Key Exchange:
keyAgreement: DH_RSA, except CA used a DSA key in lieu of RSA
digitalSignature: DHE_RSA, except CA used a DSA key in lieu of RSA
Elliptic-Curve Key Exchange:
ECDH_ECDSA, except CA used an RSA key
ECDHE_ECDSA, except Server public key is an RSA key
/etc/ssl/openssl.cnf
CA OpenSSL Prerequisites
Modify the following SubjectAltNames & V3 Profiles:
DNS.1 = Router.1 : change Router.1 to what you'd like the name of your Certificate Authority to be
alt_ca_main to alt_ca_openwrt [lines 233, 353, & 357]:
[ alt_ca_openwrt ]
[ v3_ca_openwrt ]
subjectAltName = @alt_ca_openwrt
Commands are executed from within /etc/ssl/
CA OpenSSL Commands
openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca/OpenWrt-CA.key.pem -out ca/OpenWrt-CA.crt.pem -config ./openssl.cnf -extensions v3_ca_openwrt
openssl ca -gencrl -keyfile ca/OpenWrt-CA.key.pem -cert ca/OpenWrt-CA.crt.pem -out crl/OpenWrt-CA.crl.pem -config ./openssl.cnf
openssl crl -inform PEM -in crl/OpenWrt-CA.crl.pem -outform DER -out crl/OpenWrt-CA.crl
/etc/ssl/openssl.cnf
ICA OpenSSL Prerequisites
Modify the following SubjectAltNames & V3 Profiles:
DNS.1 = Router.2 : change Router.2 to what you'd like the name of your Intermediate CA to be
alt_ica_router2 to alt_ica_openvpn [lines 238, 360, & 364]:
[ alt_ica_openvpn ]
[ v3_ica_openvpn ]
subjectAltName = @alt_ica_openvpn
Commands are executed from within /etc/ssl/
ICA OpenSSL Commands
openssl req -out ca/csr/OpenVPN-ICA.csr -new -days 3650 -sha512 -newkey rsa:4096 -keyout ca/OpenVPN-ICA.key -config ./openssl.cnf -extensions v3_ica_openvpn
openssl x509 -req -sha512 -days 3650 -in ca/csr/OpenVPN-ICA.csr -CA ca/OpenWrt-CA.crt.pem -CAkey ca/OpenWrt-CA.key.pem -CAserial ./serial -out ca/OpenVPN-ICA.crt.pem -extfile ./openssl.cnf -extensions v3_ica_openvpn
openssl ca -gencrl -keyfile ca/OpenVPN-ICA.key -cert ca/OpenVPN-ICA.crt.pem -out crl/OpenVPN-ICA.crl.pem -config ./openssl.cnf
openssl crl -inform PEM -in crl/OpenVPN-ICA.crl.pem -outform DER -out crl/OpenVPN-ICA.crl
cat ca/OpenVPN-ICA.crt.pem ca/OpenWrt-CA.crt.pem > ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem
Index Info
openssl ca must be used to sign certs if the index is to be updated automatically; openssl ca is not used for signing in this wiki as it requires additional steps & adds unneeded complexity, so the index is maintained by hand
/etc/ssl/index
Index File
Manually maintaining the index file consists of inputting 1 cert entry per line, with the six fields separated by tabs, in the following format. The values for a cert can be read with:
openssl x509 -in certificate.crt -text -noout
Example entry (fields numbered 1-6; field 3 is empty for a cert that has not been revoked):
V	261231235959Z		0a	unknown	/C=US/ST=State/L=Locality/O=Sophos UTM/OU=LAN/CN=Cert Common Name/emailaddress=whatever@whichever.com
1. Status: V [Valid], R [Revoked], E [Expired]
2. Expiry date: YYMMDDHHMMSS followed by Z
3. Revocation date & reason (only on revoked entries): YYMMDDHHMMSSZ,reason, where reason is one of keyCompromise, CACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn, AACompromise
4. Serial number in hex: 0a is hex for 10 (printf '%d\n' 0x0a returns 10; printf '%x\n' 10 returns 0a)
5. Certificate filename: unknown
6. Subject DN
/etc/ssl/openssl.cnf
Server Cert OpenSSL Prerequisites
Modify the following SubjectAltNames & V3 Profiles:
SubjectAltNames Profile
alt_vpn_server2 to alt_openvpn_server:
[ alt_openvpn_server ]
IP.1 = 10.0.1.1 : change 10.0.1.1 to match your VPN Server IP
DNS.1 = your.ddns.com : change your.ddns.com to match your own DDNS and/or FQDN
V3 Profile
[ v3_vpn_server2 ] to match alt name set above: [ v3_openvpn_server ]
@alt_vpn_server2 to match alt name set above: subjectAltName = @alt_openvpn_server
Commands are executed from within /etc/ssl/
Server Cert OpenSSL Commands
openssl req -out ca/csr/vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/vpn-server.key.pem -config ./openssl.cnf -extensions v3_openvpn_server -nodes
-nodes writes the private key unencrypted (no passphrase), which the server needs in order to start unattended
openssl x509 -req -sha512 -days 3650 -in ca/csr/vpn-server.csr -CA ca/OpenVPN-ICA.crt.pem -CAkey ca/OpenVPN-ICA.key -CAserial ./serial -out openvpn/vpn-server.crt.pem -extfile ./openssl.cnf -extensions v3_openvpn_server
openssl pkcs12 -export -out openvpn/vpn-server.p12 -inkey openvpn/vpn-server.key.pem -in openvpn/vpn-server.crt.pem -certfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem
Do not use the same Common Name (CN) on more than one certificate
/etc/ssl/openssl.cnf
Client Cert OpenSSL Prerequisites
Modify the following SubjectAltNames & V3 Profiles:
SubjectAltNames Profile
alt_vpn2_user1 to alt_openvpn_<username>:
[ alt_openvpn_<username> ]
DNS.1 = VPN-<username>-Hostname : change VPNserver-Client1-Device-Hostname to match the client username
email.1 = user1@email.com : change user1@email.com to the user's email
V3 Profile
[ v3_vpn2_user1 ] to match alt name set above: [ v3_openvpn_<username> ]
@alt_vpn2_user1 to match alt name set above: subjectAltName = @alt_openvpn_<username>
Commands are executed from within /etc/ssl/
Client Cert OpenSSL Commands
openssl req -out ca/csr/vpn-client1.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/clients/vpn-client1-<username>-<hostname>.key.pem -config ./openssl.cnf -extensions v3_openvpn_<username>
openssl x509 -req -sha512 -days 3650 -in ca/csr/vpn-client1.csr -CA ca/OpenWrt-CA.crt.pem -CAkey ca/OpenWrt-CA.key.pem -CAserial ./serial -out openvpn/clients/vpn-client1-<username>-<hostname>.crt.pem -extfile ./openssl.cnf -extensions v3_openvpn_<username>
openssl pkcs12 -export -out openvpn/clients/vpn-client1.p12 -inkey openvpn/clients/vpn-client1-<username>-<hostname>.key.pem -in openvpn/clients/vpn-client1-<username>-<hostname>.crt.pem -certfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem
Commands are executed from within /etc/ssl/
openssl dhparam -out openvpn/dh2048.pem 2048
Commands are executed from within /etc/ssl/
openvpn --genkey --secret openvpn/ta.key
tls-auth requires a static pre-shared key [PSK], generated in advance, and shared among all clients
GnuPG is a great tool to manage CAs and client certificates
Backup
Create a backup:
chmod 600 /etc/ssl/ca/* /etc/ssl/ca/csr/* /etc/ssl/crl/* /etc/ssl/openvpn/* /etc/ssl/openvpn/clients/* ; chmod 644 /etc/ssl/ca/*.crt* /etc/ssl/openvpn/*.crt* /etc/ssl/openvpn/clients/*.crt* /etc/ssl/crl/*.crl
vi /etc/sysupgrade.conf
# LuCI: System - Backup/Flash Firmware - Configuration

# Directories #
#---------------------------------------------------
/etc/config/
/etc/openvpn/
/etc/ssl/

# Files #
#---------------------------------------------------
/etc/firewall.user
/etc/sysupgrade.conf
Linux & BSD
If utilizing Linux/BSD:
Windows
If utilizing Windows:
uci set network.vpn0=interface ; uci set network.vpn0.ifname=tun0 ; uci set network.vpn0.proto=none
Replace network.vpn0 with network.<name> and ifname=tun0 with ifname=<name> if a different interface name is used
uci commit network ; /etc/init.d/network reload
A non-standard port (not 1194) should be utilized for the VPN
Firewall Info
/etc/config/firewall includes option path /etc/firewall.user and any redirect rules
Firewall Rules
The following rules are required:
vi /etc/config/firewall
#::: Traffic Rules :::#
# LuCI: Network - Firewall - Traffic Rules
#::: Defaults :::#
# LuCI: Network - Firewall
#------------------------------------------------
#::: Firewall.User Rules :::#
# LuCI: Network - Firewall - Custom Rules
config include
	option path '/etc/firewall.user'

# Default OpenWRT Rule #
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	option syn_flood 1
	option drop_invalid 1

# Allow initial VPN connection #
#------------------------------------------------
# LuCI: From any host in any zone To any router
# IP at port 1194 on this device (Accept Input)
config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src '*'
	option dest_port 1194
	option name 'Allow Forwarded VPN Request -> <device>'

# Once Assigned VPN IP, Allow Inbound -> LAN #
#------------------------------------------------
# LuCI: From IP range 10.1.1.0/24 in any zone To IP
# range 192.168.1.0/24 on this device (Accept Input)
config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src '*'
	option src_ip '10.1.1.0/24'
	option dest_ip '192.168.1.0/26'
	option name 'Allow VPN0 -> LAN'

# Once Assigned VPN IP, Allow Forwarded -> LAN #
#------------------------------------------------
# LuCI: From IP range 10.1.1.0/24 in any zone To IP
# range 192.168.1.0/24 on this device (Accept Forward)
config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option family 'ipv4'
	option src '*'
	option src_ip '10.1.1.0/24'
	option dest '*'
	option dest_ip '192.168.1.0/26'
	option name 'Allow Forwarded VPN0 -> LAN'

# Allow Outbound ICMP Traffic from VPN #
#------------------------------------------------
# LuCI: ICMP From IP range 10.1.1.0/24 in any
# zone To any host in lan (Accept Forward)
config rule
	option target 'ACCEPT'
	option proto 'icmp'
	option src '*'
	option src_ip '10.1.1.0/24'
	option dest 'lan'
	option name 'Allow VPN0 (ICMP) -> LAN'

# Allow Outbound Ping Requests from VPN #
#------------------------------------------------
# LuCI: ICMP with type echo-request From IP range
# 10.1.1.0/24 in any zone To any host in wan (Accept Forward)
config rule
	option target 'ACCEPT'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option src '*'
	option src_ip '10.1.1.0/24'
	option dest 'wan'
	option name 'Allow VPN0 (ICMP 8) -> <device>'

#::: Zones :::#
# LuCI: Network - Firewall - Zones
#------------------------------------------------
# LAN #
config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'

# VPN #
config zone
	option name 'vpn'
	option network 'vpn0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# WAN #
config zone
	option name 'wan'
	option network 'wan wan6'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq 1
	option mtu_fix 1

#::: InterZone Forwarding :::#
# LuCI: Network -> Firewall -> Zones -
# VPN - Edit - Inter-Zone Forwarding
#------------------------------------------------
# LAN to VPN #
config forwarding
	option dest 'vpn'
	option src 'lan'

# LAN to WAN #
config forwarding
	option dest 'wan'
	option src 'lan'

# VPN to LAN #
config forwarding
	option dest 'lan'
	option src 'vpn'
uci commit firewall ; /etc/init.d/firewall restart
/etc/firewall.user
firewall.user Script
The following rules are required:
vi /etc/firewall.user
#::: Traffic Rules :::#
# LuCI: Network - Firewall - Custom Rules
# These rules make the assumption the default port of 1194 is not used for the VPN
# Port 5000 is being used arbitrarily for the VPN port

# Establish Custom Chains #
#---------------------------------------------------
iptables -N DROP-Brute
iptables -N LOG-VPN
iptables -N Rate_Limit

# Log All Dropped #
#---------------------------------------------------
iptables -A DROP-Brute -j LOG --log-prefix "<[[--- BRUTE DROPPED ---]]> : " --log-level 4
iptables -A DROP-Brute -j DROP

# Establish Rate Limit #
#---------------------------------------------------
iptables -A Rate_Limit -p tcp --dport 1194 -m limit --limit 1/min --limit-burst 1 -j DROP-Brute
iptables -A Rate_Limit -p udp --dport 1194 -m limit --limit 1/min --limit-burst 1 -j DROP-Brute
iptables -A Rate_Limit -p tcp --dport 5000 -j LOG-VPN
iptables -A Rate_Limit -p udp --dport 5000 -j LOG-VPN
iptables -A Rate_Limit -p tcp -j REJECT --reject-with tcp-reset
iptables -A Rate_Limit -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A Rate_Limit ! -p icmp -j LOG --log-prefix "<[[--- Connection DROPPED ---]]>: "
iptables -A Rate_Limit -j DROP

# Apply Rate Limit #
# --update / --seconds / --hitcount belong to the recent match, so -m recent is required on those rules too
#---------------------------------------------------
iptables -w -I INPUT -p tcp --dport 1194 -m state --state NEW -m recent --set
iptables -w -I INPUT -p tcp --dport 1194 -m state --state NEW -m recent --update --seconds 60 --hitcount 1 -j Rate_Limit
iptables -w -I INPUT -p udp --dport 1194 -m state --state NEW -m recent --set
iptables -w -I INPUT -p udp --dport 1194 -m state --state NEW -m recent --update --seconds 60 --hitcount 1 -j Rate_Limit
iptables -I INPUT -p tcp --dport 5000 -m state --state NEW -j Rate_Limit
iptables -I INPUT -p udp --dport 5000 -m state --state NEW -j Rate_Limit

# Check for bans in Rate_Limit #
#---------------------------------------------------
iptables -w -A INPUT -p tcp --dport 1194 -j Rate_Limit

# Log VPN Traffic #
#---------------------------------------------------
iptables -A LOG-VPN -j LOG --log-prefix "<[[--- VPN Traffic ---]]> : " --log-level 4
iptables -A LOG-VPN -j ACCEPT
/etc/init.d/firewall restart
It's strongly encouraged to read through the OpenVPN HowTo & Man Page
OpenVPN Information
/etc/config/openvpn
OpenVPN Server Config
echo > /etc/config/openvpn ; vi /etc/config/openvpn
config openvpn 'VPNserver'
	option enabled 1

	# Protocol #
	#------------------------------------------------
	option dev 'tun'
	option dev 'tun0'
	option topology 'subnet'
	option proto 'udp'
	option port 1194

	# Routes #
	#------------------------------------------------
	option server '10.1.0.0 255.255.255.240'
	option ifconfig '10.1.0.1 255.255.255.240'

	# Client Config #
	#------------------------------------------------
	# option ccd_exclusive 1
	# option ifconfig_pool_persist '/etc/openvpn/clients/ipp.txt'
	# option client_config_dir '/etc/openvpn/clients/'

	# Pushed Routes #
	#------------------------------------------------
	list push 'route 192.168.1.0 255.255.255.0'
	list push 'dhcp-option DNS 192.168.1.1'
	list push 'dhcp-option WINS 192.168.1.1'
	list push 'dhcp-option DNS 8.8.8.8'
	list push 'dhcp-option DNS 8.8.4.4'
	list push 'dhcp-option NTP 129.6.15.30'

	# Encryption #
	#------------------------------------------------
	# Diffie-Hellman:
	option dh '/etc/ssl/openvpn/dh2048.pem'
	# PKCS12:
	option pkcs12 '/etc/ssl/openvpn/vpn-server.p12'
	# SSL:
	option cipher AES-256-CBC
	option auth 'SHA512'
	option tls_auth '/etc/ssl/openvpn/ta.key 0'
	# TLS:
	option tls_server 1
	option tls_version_min 1.2
	option tls_cipher 'TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:TLS-RSA-WITH-AES-256-CBC-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4'
	# UCI option names cannot contain '-'; the init script turns remote_cert_eku into --remote-cert-eku
	option remote_cert_eku 'TLS Web Client Authentication'

	# Logging #
	#------------------------------------------------
	option log_append '/tmp/openvpn.log'
	option status '/tmp/openvpn-status.log'
	option verb 7

	# Connection Options #
	#------------------------------------------------
	option keepalive '10 120'
	option comp_lzo 'yes'

	# Connection Reliability #
	#------------------------------------------------
	option client_to_client 1
	option persist_key 1
	option persist_tun 1

	# Connection Speed #
	#------------------------------------------------
	option sndbuf 393216
	option rcvbuf 393216
	option fragment 0
	option mssfix 0
	option tun_mtu 48000

	# Pushed Buffers #
	#------------------------------------------------
	list push 'sndbuf 393216'
	list push 'rcvbuf 393216'

	# Permissions #
	#------------------------------------------------
	option user 'nobody'
	option group 'nogroup'

	# chroot #
	#------------------------------------------------
	# chroot should be utilized in case the VPN is ever exploited; however, most commercial
	# routers don't have internal flash storage large enough to support it. An OpenVPN
	# chroot would be ~11MB in size.

	# Modify if chroot is configured #
	#--------------------------------------------
	# option ccd_exclusive 1
	# option ifconfig_pool_persist /var/chroot-openvpn/etc/openvpn/clients/ipp.txt
	# option client_config_dir /var/chroot-openvpn/etc/openvpn/clients
	# option cipher AES-256-CBC
	# option dh /var/chroot-openvpn/etc/ssl/openvpn/dh2048.pem
	# option pkcs12 /var/chroot-openvpn/etc/ssl/openvpn/vpn-server.p12
	# option tls_auth '/var/chroot-openvpn/etc/ssl/openvpn/ta.key 0'
/etc/init.d/openvpn enable ; /etc/init.d/openvpn start ; sleep 2 ; cat /tmp/openvpn.log
/tmp/openvpn.log
Log Output w/o CCD Enabled
root@OpenWrt ~ # cat /tmp/openvpn.log
Thu Oct 20 13:35:00 2016 us=668816 OpenVPN 2.3.11 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Thu Oct 20 13:35:00 2016 us=668891 library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09
Thu Oct 20 13:35:00 2016 us=669836 Diffie-Hellman initialized with 2048 bit key
Thu Oct 20 13:35:00 2016 us=705181 Control Channel Authentication: using '/etc/ssl/openvpn/ta.key' as a OpenVPN static key file
Thu Oct 20 13:35:00 2016 us=705286 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:00 2016 us=705351 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:00 2016 us=705387 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
Thu Oct 20 13:35:00 2016 us=705489 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 72 bytes
Thu Oct 20 13:35:00 2016 us=705535 TLS-Auth MTU parms [ L:48104 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Thu Oct 20 13:35:00 2016 us=705589 Socket Buffers: R=[87380->327680] S=[16384->327680]
Thu Oct 20 13:35:00 2016 us=706121 TUN/TAP device tun0 opened
Thu Oct 20 13:35:00 2016 us=706200 TUN/TAP TX queue length set to 100
Thu Oct 20 13:35:00 2016 us=706254 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Oct 20 13:35:00 2016 us=706327 /sbin/ip link set dev tun0 up mtu 48000
Thu Oct 20 13:35:00 2016 us=708260 /sbin/ip addr add dev tun0 10.1.0.1/28 broadcast 10.1.0.15
Thu Oct 20 13:35:00 2016 us=713288 Data Channel MTU parms [ L:48104 D:48104 EF:104 EB:143 ET:0 EL:3 AF:3/1 ]
Thu Oct 20 13:35:00 2016 us=713438 GID set to nogroup
Thu Oct 20 13:35:00 2016 us=713500 UID set to nobody
Thu Oct 20 13:35:00 2016 us=713746 Listening for incoming TCP connection on [undef]
Thu Oct 20 13:35:00 2016 us=713811 TCPv4_SERVER link local (bound): [undef]
Thu Oct 20 13:35:00 2016 us=713857 TCPv4_SERVER link remote: [undef]
Thu Oct 20 13:35:00 2016 us=713922 MULTI: multi_init called, r=256 v=256
Thu Oct 20 13:35:00 2016 us=714000 IFCONFIG POOL: base=10.1.0.2 size=12, ipv6=0
Thu Oct 20 13:35:00 2016 us=714070 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Oct 20 13:35:00 2016 us=714678 Initialization Sequence Completed
/tmp/openvpn.log
Log Output w/ CCD Enabled
root@OpenWrt ~ # cat /tmp/openvpn.log
Thu Oct 20 13:35:30 2016 us=653309 OpenVPN 2.3.11 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09
Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key
Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication: using '/etc/ssl/openvpn/ta.key' as a OpenVPN static key file
Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:30 2016 us=706722 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
Thu Oct 20 13:35:30 2016 us=706760 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 72 bytes
Thu Oct 20 13:35:30 2016 us=706804 TLS-Auth MTU parms [ L:48104 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Thu Oct 20 13:35:30 2016 us=706857 Socket Buffers: R=[87380->327680] S=[16384->327680]
Thu Oct 20 13:35:30 2016 us=707392 TUN/TAP device tun0 opened
Thu Oct 20 13:35:30 2016 us=707465 TUN/TAP TX queue length set to 100
Thu Oct 20 13:35:30 2016 us=707517 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Oct 20 13:35:30 2016 us=707587 /sbin/ip link set dev tun0 up mtu 48000
Thu Oct 20 13:35:30 2016 us=709190 /sbin/ip addr add dev tun0 10.1.0.1/28 broadcast 10.1.0.15
Thu Oct 20 13:35:30 2016 us=714514 Data Channel MTU parms [ L:48104 D:48104 EF:104 EB:143 ET:0 EL:3 AF:3/1 ]
Thu Oct 20 13:35:30 2016 us=714630 GID set to nogroup
Thu Oct 20 13:35:30 2016 us=714680 UID set to nobody
Thu Oct 20 13:35:30 2016 us=714859 Listening for incoming TCP connection on [undef]
Thu Oct 20 13:35:30 2016 us=714908 TCPv4_SERVER link local (bound): [undef]
Thu Oct 20 13:35:30 2016 us=714945 TCPv4_SERVER link remote: [undef]
Thu Oct 20 13:35:30 2016 us=714986 MULTI: multi_init called, r=256 v=256
Thu Oct 20 13:35:30 2016 us=715050 IFCONFIG POOL: base=10.1.0.2 size=12, ipv6=0
Thu Oct 20 13:35:30 2016 us=715095 ifconfig_pool_read(), in='vpn-client1-foobar1-device1,10.1.0.5', TODO: IPv6
Thu Oct 20 13:35:30 2016 us=715138 succeeded -> ifconfig_pool_set()
Thu Oct 20 13:35:30 2016 us=715176 ifconfig_pool_read(), in='vpn-client2-foobar2-device1,10.1.0.6', TODO: IPv6
Thu Oct 20 13:35:30 2016 us=715213 succeeded -> ifconfig_pool_set()
Thu Oct 20 13:35:30 2016 us=715249 IFCONFIG POOL LIST
Thu Oct 20 13:35:30 2016 us=715287 vpn-client1-foobar1-device1,10.1.0.5
Thu Oct 20 13:35:30 2016 us=715331 vpn-client2-foobar2-device1,10.1.0.6
Thu Oct 20 13:35:30 2016 us=715428 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Oct 20 13:35:30 2016 us=715971 Initialization Sequence Completed
Android Client Information
Server's TLS-Auth key goes within the inline XML space:
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTED-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>
To reference ta.key as a file instead of utilizing inline XML:
tls-auth /path/to/ta.key 1
With the PKCS12 bundle:
# Encryption #
pkcs12 '/sdcard/openvpn/vpn-client1.p12'
Or with the separate chain, cert and key files:
# Encryption #
ca '/sdcard/openvpn/OpenWrt-OpenVPN_ICA-Chain.crt.pem'
cert '/sdcard/openvpn/vpn-client1.crt.pem'
key '/sdcard/openvpn/vpn-client1.key.pem'
/sdcard/OpenVPN/OpenWrt/VPNserver.ovpn
Android Client Config
# Config Type #
#------------------------------------------------
client

# Connection #
#------------------------------------------------
dev tun
proto udp
remote your.ddns.com 1194

# Speed #
#------------------------------------------------
fragment 0
mssfix 0
tun-mtu 48000

# Reliability #
#------------------------------------------------
comp-lzo
float
nobind
persist-key
persist-tun
resolv-retry infinite

# Encryption #
#------------------------------------------------
auth-nocache
cipher AES-256-CBC
remote-cert-eku "TLS Web Server Authentication"
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTE-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1

# Logging #
#------------------------------------------------
verb 5
VPNserver-BSD.ovpn
BSD Client Config
VPNserver-Linux.ovpn
Linux Client Config
Windows Client Information
Backslashes in Windows paths must be doubled in the config, e.g. C:\\Path\\to\\PKCS12
C:\Program Files\OpenVPN\config\OpenWrt\VPNserver.ovpn
Windows Client Config
# Config Type #
#------------------------------------------------
client

# Connection #
#------------------------------------------------
dev tun
proto udp
remote your.ddns.com 1194

# Speed #
#------------------------------------------------
fragment 0
mssfix 0
tun-mtu 48000

# Reliability #
#------------------------------------------------
comp-lzo
float
nobind
persist-key
persist-tun
resolv-retry infinite

# Encryption #
#------------------------------------------------
auth-nocache
cipher AES-256-CBC
pkcs12 vpn-client1.p12
remote-cert-eku "TLS Web Server Authentication"
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTE-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1

# Logging #
#------------------------------------------------
verb 5
It's recommended to read Gateway Redirect prior to continuing
/etc/config/firewall LAN Zone & InterZone Forwarding
#::: Zones :::#
# LuCI: Network - Firewall - Zones
# Add: LAN Masquerade #
#------------------------------------------------
config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq 1

#::: InterZone Forwarding :::#
# LuCI: Network -> Firewall -> Zones -> VPN -
# Edit - Inter-Zone Forwarding
# Allow Forwarding VPN -> WAN #
#------------------------------------------------
config forwarding
	option dest 'wan'
	option src 'vpn'
/etc/init.d/firewall restart
/etc/config/openvpn
Pushed Routes
Replace:
list push 'dhcp-option DNS 8.8.8.8'
list push 'dhcp-option DNS 8.8.4.4'
With:
list push 'redirect-gateway def1 local'
list push 'dhcp-option DNS 10.1.0.1'
/etc/init.d/openvpn restart
Android