This wiki is read only and for archival purposes only. >>>>>>>>>> Please use the new OpenWrt wiki at https://openwrt.org/ <<<<<<<<<<

This is an old revision of the document!

OpenVPN Server HowTo (Streamlined)

^{To prevent discombobulation, please follow the format already in place within this Wiki when editing}
^{(incl. the Table of Contents)}

Introduction

VPN Requirements

Five requirements for SSL VPNs:

Encryption

Easy-RSA does not create secure enough certs & has too many limitations, therefore OpenSSL should be utilized directly via an openssl.cnf

Prerequisites

openssl.cnf

Prerequisites

Commands are executed from within /etc/ssl/ OpenVPN Prerequisites

Install Packages:
1. opkg update ; opkg install openvpn-openssl luci-app-openvpn
Download openssl.cnf:
1. Save as /etc/ssl/openssl.cnf
Navaigate to SSL directory & create required directories
1. cd /etc/ssl ; mkdir -p ca/csr crl openvpn/clients
Create Serial file
1. echo 00 > serial
  - Maintains the serial for the most recent cert in order to know what serial to next assign
    - Serial is in hex, not dec[imal] format
Create CRLnumber file
1. echo 00 > crlnumber
  - CRL should be generated, but will only be utilized once a cert is revoked
Create Index file
1. touch index
  - Maintains an index of all certs issued ^{[lines 698 - 738]}
    - Keeps track of certs issued; extremely important if one has revoked a cert
Create Rand file
1. touch rand
  - Utilized for random characters & is queried by OpenSSL during key creation

Files & Folders

File & Folder Locations

Config Locations:
- Firewall: /etc/config/firewall
- Network: /etc/config/network
- OpenSSL: /etc/ssl/openssl.cnf
- OpenVPN: /etc/config/openvpn
Folder Locations:
- OpenVPN
  - CA & ICA Certs: /etc/ssl/ca/
    - CSR: /etc/ssl/ca/csr/
    - CRL: /etc/ssl/crl/
  - Client Certs: /etc/ssl/openvpn/clients/
  - Server Certs: /etc/ssl/openvpn/

Extensions

Certificate Extensions

.csr:
- certificate request
.key:
- private key
  - 4All key files, except for a server's, should be encrypted with a passphrase
.crt:
- signed certificate
.p12:
- PKCS12 certificate
  - Contains the CA.crt or concatenated ICA-CA.crt, Certificate.crt, and CertificateKey.key

OpenSSL

Synopsis

Cookbook Wiki Section Synopsis

These tabs contain critical information one will likely find helpful while going through the steps in this wiki
- Tabs 2 - 3 contain informational & reference links to the main man pages
- Tabs 4 - 7 cover the definitions of KUs, EKUs, KEAs, & EC KEAs

Info

Changelog OpenSSL Information

Certificates Explained

Blog Vulnerabilities News

Index OIDs Standards

Conf Config x509 Config

SSL Library SSL Manual

Crypto Library Crypto Manual

Man Pages

Command List OpenSSL Utility Command Manuals

req x509 pkcs12

ca crl verify

dhparam ecparam rsa

ciphers dgst engine list

speed

oscp smime

keyUsage

keyUsage

digitalSignature
1. Certificate may be used to apply a digital signature
  1. Digital signatures are often used for entity authentication & data origin authentication with integrity
nonRepudiation
1. Certificate may be used to sign data as above but the certificate public key may be used to provide non-repudiation services
  1. This prevents the signing entity from falsely denying some action
keyEncipherment
1. Certificate may be used to encrypt a symmetric key which is then transferred to the target
  1. Target decrypts key, subsequently using it to encrypt & decrypt data between the entities
dataEncipherment
1. Certificate may be used to encrypt & decrypt actual application data
keyAgreement
1. Certificate enables use of a key agreement protocol to establish a symmetric key with a target
2. Symmetric key may then be used to encrypt & decrypt data sent between the entities
keyCertSign
1. CA ONLY
  1. Subject public key is used to verify signatures on certificates
  2. This extension must only be used for CA certificates
cRLSign
1. CA ONLY
  1. Subject public key is to verify signatures on revocation information, such as a CRL
  2. This extension must only be used for CA certificates
encipherOnly
1. KU keyAgreement is required
2. Public key used only for enciphering data while performing key agreement
decipherOnly
1. KU keyAgreement is required
2. Public key used only for deciphering data while performing key agreement

extendedKeyUsage

OID repository extendedKeyUsage

serverAuth
1. All VPN servers should be signed with this EKU present
  1. SSL/TLS Web/VPN Server authentication EKU, distinguishing a server which clients can authenticate against
  2. This supersedes nscertype options (ns in nscertype stands for NetScape [browser])
clientAuth
1. All VPN clients must be signed with this EKU present
  1. SSL/TLS Web/VPN Client authentication EKU distinguishing a client as a client only
codeSigning
1. Code Signing
emailProtection
1. Email Protection via S/MIME, allows you to send and receive encrypted emails
timeStamping
1. Trusted Timestamping
OCSPSigning
1. OCSP Signing
ipsecIKE
1. IPSec Internet Key Exchange, of which I believe is in the same boat as the three below [#8]
  1. Research needs to be performed to determine if this EKU should also no longer be utilized
  2. clientAuth can be utilized in a IPSec VPN client cert
ipsecEndSystem, ipsecTunnel, & ipsecUser
1. SHOULD NOT BE UTILIZED
  1. Assigned in 1999, the semantics of these values were never clearly defined
  2. RFC 4945: The use of these three EKU values is obsolete and explicitly deprecated by this specification ^[5.1.3.12]
msCodeInd
1. Microsoft Individual Code Signing (authenticode)
msCodeCom
1. Microsoft Commerical Code Signing (authenticode)
mcCTLSign
1. Microsoft Trust List Signing
msEFS
1. Microsoft Encrypted File System Signing

Key Exchange

Key Exchange

RSA
1. Key exchange occurs via encryption of a random value
  1. Client chooses a random value via the server public key
  2. Server public key must be an RSA key
  3. Server certificate must utilize KU keyAgreement
DH_RSA
1. Key exchange occurs via a static Diffie-Hellman key
  1. Server public key must be a Diffie-Hellman key
  2. Diffie-Hellman key must have been issued by a CA
  3. CA must be using an RSA key signing key
DH_DSA
1. Like DH_RSA, except CA used a DSA key in lieu of RSA
DHE_RSA
1. Key exchange occurs via an ephemeral Diffie-Hellman
  1. Server dynamically generates & signs a DH public key, sending it to the client
  2. Server Public Key must be an RSA key
  3. Server certificate must utilize KU digitalSignature
DHE_DSA
1. Like DHE_RSA, except CA used a DSA key in lieu of RSA

EC Key Exchange

Elliptic-Curve Key Exchange

ECDH_ECDSA
1. Like DH_DSA, but with elliptic curves
  1. Server public key must be an ECDH key
  2. Server certificate must be issued by a CA utilizing an ECDSA public key
ECDH_RSA
1. Like ECDH_ECDSA, except CA used an RSA key
ECDHE_ECDSA
1. Server sends dynamically generated EC Diffie-Hellman key, signing it via it's ECDSA key
  1. Equivalent to DHE_DSS, but with elliptic curves for both the Diffie-Hellman & signature
ECDHE_RSA
1. Like ECDHE_ECDSA, except Server public key is an RSA key
  1. Server public key signs the ephemeral EC Diffie-Hellman key

CA Creation

Prerequisites

/etc/ssl/openssl.cnf CA OpenSSL Prerequisites

Modify the following SubjectAltNames & V3 Profiles

CRL Directory ^{[Lines 68 + 69]}
1. In order to avoid an openssl error when generating the CA, modify the following options:
  1. Line 68: crlnumber = $DIR/crl/crlnumber
  2. Line 69: crl = $DIR/crl/ca.crl.pem

Certificate Authorities ^{[Line 180]}
1. Main
  1. Line 186: DNS.1 = Router.1
    - Change Router.1 to what you'd like the name of your Certificate Authority to be
Certificate Authority Clients ^{[Line 205]}
1. Servers
  - Lines: 211 - 233
2. Clients
  - Lines: 235 - 239
Change SAN & V3 profile names from alt_ca_main to alt_ca_openwrt^{[lines 185, 306, & 310]}
1. Line 185: [ alt_ca_openwrt ]
2. Line 306: [ v3_ca_openwrt ]
3. Line 310: subjectAltName = @alt_ca_openwrt

Commands

Commands are executed from within /etc/ssl/ CA OpenSSL Commands

Generate CA

openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca/OpenWrt-CA.key.pem -out ca/OpenWrt-CA.crt.pem -config ./openssl.cnf -extensions v3_ca_openwrt

Key passphrase should be a 20 character minimum, containing at least: 2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols

Generate CA CRL

openssl ca -gencrl -keyfile ca/OpenWrt-CA.key.pem -cert ca/OpenWrt-CA.crt.pem -out crl/OpenWrt-CA.crl.pem -config ./openssl.cnf

Convert CA CRL → DER CRL

openssl crl -inform PEM -in crl/OpenWrt-CA.crl.pem -outform DER -out crl/OpenWrt-CA.crl

ICA Creation

Prerequisites

/etc/ssl/openssl.cnf ICA OpenSSL Prerequisites

Modify the following SubjectAltNames & V3 Profiles

Certificate Authorities ^{[Line 180]}
1. Router 2
  1. Line 191: DNS.1 = Router.2
    - Change Router.2 to what you'd like the name of your Intermediate CA to be
Intermediate Certificate Authority Clients ^{[Line 242]}
1. Servers
  - Lines: 248 - 264
2. Clients
  - Lines: 266 - 274:
Change SAN & V3 profile names from alt_ica_router2 to alt_ica_openvpn ^{[lines 190, 313, & 317]}
1. Line 190: [ alt_ica_openvpn ]
2. Line 313: [ v3_ica_openvpn ]
3. Line 317: subjectAltName = @alt_ica_openvpn

Commands

Commands are executed from within /etc/ssl/ ICA OpenSSL Commands

Generate Intermediate CA CSR

openssl req -out ca/csr/OpenVPN-ICA.csr -new -days 3650 -sha512 -newkey rsa:4096 -keyout ca/OpenVPN-ICA.key -config ./openssl.cnf -extensions v3_ica_openvpn

Key passphrase should be a 20 character minimum, containing at least: 2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols

Create & Sign ICA with CA

openssl x509 -req -sha512 -days 3650 -in ca/csr/OpenVPN-ICA.csr -CA ca/OpenWrt-CA.crt.pem -CAkey ca/OpenWrt-CA.key.pem -CAserial ./serial -out ca/OpenVPN-ICA.crt.pem -extfile ./openssl.cnf -extensions v3_ica_openvpn

Generate ICA CRL

openssl ca -gencrl -keyfile ca/OpenVPN-ICA.key -cert ca/OpenVPN-ICA.crt.pem -out crl/OpenVPN-ICA.crl.pem -config ./openssl.cnf

Convert ICA CRL → DER CRL

openssl crl -inform PEM -in crl/OpenVPN-ICA.crl.pem -outform DER -out crl/OpenVPN-ICA.crl

Concatenate ICA → CA Chain

cat ca/OpenVPN-ICA.crt.pem ca/OpenWrt-CA.crt.pem > ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem

Index File

Info

/etc/ssl/index Index Info

If wishing to maintain the index file automatically, openssl ca must be used to sign certs
- openssl ca is not used in this wiki as it requires additional steps & adds unneeded complexity

Index

/etc/ssl/index Index File

Manually maintaining the index file consists of inputting 1 cert entry per line in the following format

Entering certificate information into the index file takes ~30s per cert
Copy & paste DN from the output of: openssl x509 -in certificate.crt -text -noout

V    261231235959Z            0a    unknown    /C=US/ST=State/L=Locality/O=Sophos UTM/OU=LAN/CN=Cert Common Name/emailaddress=whatever@whichever.com
1    2----------->    3->     4->   5----->    6--------------------------------------------------------------------------------------------------->

Status of Certificate
1. V [Valid]
2. R [Revoked]
3. E [Expired]
Expiration Date
1. Format: YYMMDDHHMMSS followed by Z
  - 2026.12.31 @ 23:59:59
Revocation Date
1. Format: YYMMDDHHMMSSZ,reason
  1. Valid reasons are:
    1. keyCompromise
    2. CACompromise
    3. affiliationChanged
    4. superseded
    5. cessationOfOperation
    6. certificateHold
    7. privilegeWithdrawn
    8. AACompromise
2. Empty if not revoked
  - Certain distros were erroring out without a whitespace for 3 in the index file, which is why it's there
Serial number ^{(hex format)}
1. 0a is hex for 10
  1. Windows:
    - Calculator has programmer feature which can convert dec ↔ hex
  2. Linux/BSD
    - cli hex → dec: printf '%d\n' 0x0a returns 10
    - cli dec → hex: printf '%x\n' 10 returns 0a
Certificate Filename or Literal String
1. Certificate Filename or Literal String unknown
Distinguished Name

Server Cert

Prerequisites

/etc/ssl/openssl.cnf Server Cert OpenSSL Prerequisites

Modify the following SubjectAltNames & V3 Profiles

SubjectAltNames Profile

Intermediate Certificate Authority Clients ^{(Line 242)}
1. Change the SAN alt name alt_vpn_server2 to alt_openvpn_server
  1. Line 262: [ alt_openvpn_server ]
2. Change the SAN IP from 10.0.1.1 to match your VPN Server IP
  1. Line 263: IP.1 = 10.0.1.1
3. Change the SAN DNS from your.ddns.com to match your own DDNS and/or FQDN
  1. Line 264: DNS.1 = your.ddns.com
    - For each additional DNS or FQDN, add a new line in sequential order (i.e. DNS.2, DNS.3, etc.)

V3 Profile

Intermediate Certificate Authority Clients ^{(Line 427)}
1. Change the V3 profile name from [ v3_vpn_server2 ] to match alt name set above
  1. Line 450: [ v3_openvpn_server ]
2. Change the SAN alt name from @alt_vpn_server2 to match alt name set above
  1. Line 456: subjectAltName = @alt_openvpn_server

Commands

Commands are executed from within /etc/ssl/ Server Cert OpenSSL Commands

Generate VPN Server CSR

openssl req -out ca/csr/vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/vpn-server.key.pem -config ./openssl.cnf -extensions v3_openvpn_server -nodes

-nodes creates a signing key without encryption
- For server certs only, as a passphrase prevents the server from starting/restarting without manual intervention

Create & Sign Cert with CA

openssl x509 -req -sha512 -days 3650 -in ca/csr/vpn-server.csr -CA ca/OpenVPN-ICA.crt.pem -CAkey ca/OpenVPN-ICA.key -CAserial ./serial -out certs/vpn-server.crt.pem -extfile ./openssl.cnf -extensions v3_openvpn_server

Export to PKCS12
```
openssl pkcs12 -export -out openvpn/vpn-server.p12 -inkey openvpn/vpn-server.key.pem -in certs/vpn-server.crt.pem -certfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem
```
- Do not encrypt this PKCS12
- ICA is still used to sign the certs it issues
  - ICA - CA chain cert must be exported with the client cert & key to maintain the certificate chain of trust
    - Chain of Trust hierarchy: CA → Intermediate CA → Client

Client Certs

Do not use the same Common Name (CN) on more than one certificate

Prerequisites

/etc/ssl/openssl.cnf Client Cert OpenSSL Prerequisites

Modify the following SubjectAltNames & V3 Profiles

SubjectAltNames Profile

Intermediate Certificate Authority Clients ^{(Line 242)}
1. Change the SAN alt name alt_vpn2_user1 to alt_openvpn_<username>
  1. Line 267: [ alt_openvpn_<username> ]
2. Change the SAN DNS from VPNserver-Client1-Device-Hostname to match client username
  1. Line 268: DNS.1 = VPN-<username>-Hostname
    - This makes configuring CCD more convenient
3. Change the SAN email from user1@email.com to user's email
  1. Line 269 email.1 = user1@email.com

V3 Profile

Intermediate Certificate Authority Clients ^{(Line 427)}
1. Change the V3 profile name from [ v3_vpn2_user1 ] to match alt name set above
  1. Line 459: [ v3_openvpn_<username> ]
2. Change the SAN alt name from @alt_vpn2_user1 to match alt name set above
  1. Line 465: subjectAltName = @alt_openvpn_<username>

Commands

Commands are executed from within /etc/ssl/ Client Cert OpenSSL Commands

Generate VPN Client Certs

openssl req -out ca/csr/vpn-client1.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/clients/vpn-client1-<username>-<hostname>.key.pem -config ./openssl.cnf -extensions v3_openvpn_<username>

Key passphrase should be a 20 character minimum, containing at least: 2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols

Sign Cert with CA

openssl x509 req -sha512 -days 3650 -in ca/csr/vpn-client1.csr -CA ca/OpenWrt-CA.crt.pem -CAkey ca/OpenWrt-CA.key -CAserial ./serial -out openvpn/clients/vpn-client1-<username>-<hostname>.crt.pem -extfile ./openssl.cnf -extensions v3_openvpn_<username>

Export to PKCS12

openssl pkcs12 -export -out openvpn/clients/vpn-client1.p12 -inkey openvpn/clients/vpn-client1.key.pem -in openvpn/clients/vpn-client1.crt.pem -certfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem

Diffie-Hellman Key

DH Wiki EC Wiki

Generate DH Key ^{(executed from /etc/ssl/)}
```
openssl dhparam -out openvpn/dh2048.pem 2048
```
- Generating DH keys takes substantial amounts of time
- You may wish to generate 3072bit and 4096bit DH keys as well
  - Generating multiple DH keys at once takes substantially less time due to the rand file
- OpenVPN will add support for EC [Elliptic Curve] ciphers in v2.4
  - For EC, the Diffie-Hellman key must be generated with a value greater than the encryption key
    - For example, if you generate 2048bit cert keys, your dh.pem must exceed that value

TLS-Auth Key

Generate TLS-Auth key ^{(executed from /etc/ssl/)}
```
openvpn --genkey --secret openvpn/ta.key
```
- This ensures Perfect Forward Secrecy is maintained when utilizing a SSL cipher
- tls-auth requires a static Pre-Shared Key, generated in advance, and shared among all clients
  - This requires incoming packets to have a valid signature generated using the PSK key
    - If key is changed, it must be changed on all clients at the same time (no support for rollover)

Import & Backup

GnuPG is a great tool to manage CAs and client certificates GnuPG

Backup

/etc/sysupgrade.conf Backup

Create a backup:

Apply correct permissions:

chmod 600 /etc/ssl/ca/* /etc/ssl/ca/csr/* /etc/ssl/crl/* /etc/ssl/openvpn/* /etc/ssl/openvpn/clients/* ; chmod 644 /etc/ssl/ca/*.crt* /etc/ssl/openvpn/*.crt* /etc/ssl/openvpn/clients/*.crt* /etc/ssl/crl/*.crl

Utilize GnuPG to encrypt a copy of /etc/ssl/
1. Create separate encryption tars for:
  - /etc/ssl/ca/
  - /etc/ssl/openvpn/
  - /etc/ssl/openvpn/clients/
2. After creating encrypted backups:
  1. Copy p12s to their respective clients
  2. Securely erase unencrypted client, CA, & ICA keys and PKCS12s, overwriting freespace at least 5x

Add directories & files to /etc/sysupgrade.conf

vi /etc/sysupgrade.conf
1. Add:
  - /etc/config/
  - /etc/openvpn/
  - /etc/ssl/
  - /etc/firewall.user
  - /etc/sysupgrade.conf

# LuCI: System - Backup/Flash Firmware - Configuration
 
    # Directories #
#---------------------------------------------------
/etc/config/
/etc/openvpn/
/etc/ssl/
 
    # Files #
#---------------------------------------------------
/etc/firewall.user
/etc/sysupgrade.conf

Linux/BSD

Linux & BSD

If utilizing Linux/BSD:

Due to the sheer number of distros, and differing means of handling certificate authorities, please google:
1. <your distro name> install certificate authority
2. <your distro name> install intermediate certificate authority

Windows

Windows PEM Association.reg

If utilizing Windows:

Download PEM Association.reg, then import into registry ^{(Right Click → Merge)}
- This causes Windows to associate the .pem extension as a valid certificate extension
Add your CA cert to the Trusted Root Certification Authorities ^{(user must have Administrator privileges)}
1. Right click on OpenWrt-CA.crt.pem:
  1. Install Certificate → Local Machine → Place all certificates in the following store → Browse → Trusted Root Certification Authorities
Add your ICA cert to the Intermediate Certification Authorities ^{(user must have Administrator privileges)}
1. Right click on OpenVPN-ICA.crt.pem:
  1. Install Certificate → Local Machine → Place all certificates in the following store → Browse → Intermediate Certification Authorities

Network

Network Wiki

Interface Creation

Create VPN interface
```
uci set network.vpn0=interface ; uci set network.vpn0.ifname=tun0 ; uci set network.vpn0.proto=none
```
1. You can replace network.vpn0 with network.<name>
  1. If you choose to do so, vpn will need to be updated accordingly in Firewall Rules
2. You can replace ifname=tun0 with ifname=<name>
  1. If you choose to do so, option dev tun0 will need to be updated accordingly in VPN Server Config

Commit changes

uci commit network ; /etc/init.d/network reload

Configure DDNS

DDNS Wiki

Applies to connections from WAN

A DDNS provider or FQDN is required for users who are not assigned static IPs by ISPs
1. DDNS:
  - Dynamic Domain Name Service providers provide the user with a dynamically updated DNS name for their public IP
  - Purchasing occurs as a service subscription fee from DDNS providers
2. FQDN
  - Fully Qualified Domain Name is a URL ^{(google.com is a FQDN)}
  - Purchasing a FQDN is for a set period of time, regulated by the non-profit IANA ^{(Internet Assigned Numbers Authority)}
Most users will likely configure DDNS
- See the DDNS Clients wiki

Firewall

Firewall Wiki

Create Rules

A non-standard port (not 1194) should be utilized for the VPN

Information

/etc/config/firewall Firewall Info

Traffic rules should be placed in the following order
1. Firewall.User Script
2. Redirect Rules
3. Router Network Default
4. VPN Network Default
5. VPN InterZone Forwarding
6. VPN Traffic Rules
Rule protocol for VPNs should always be both TCP & UDP for troubleshooting purposes
1. Allowing both prevents having to edit the firewall every time troubleshooting is needed
SSL VPNs should always use UDP
1. Except under the following two scenarios
  1. When troubleshooting
    OR
  2. When packet loss is high
A port >1025 but <10000 should be utilized for the VPN
1. If using a custom port, update VPN Server & VPN Client configs accordingly
  1. If needing to bypass a strict firewall in front of the router, utilize port 443 ^[HTTPS]

Rules

/etc/config/firewall Firewall Rules

The following rules are required:

vi /etc/config/firewall

#::: Traffic Rules :::#
# LuCI: Network - Firewall - Traffic Rules
 
 
#::: Defaults :::#
# LuCI: Network - Firewall
#------------------------------------------------
 
#::: Firewall.User Rules :::#
# LuCI: Network - Firewall - Custom Rules
config include
    option  path            '/etc/firewall.user'
 
# Default OpenWRT Rule #
config defaults
    option  input           'ACCEPT'
    option  output          'ACCEPT'
    option  forward         'DROP'
    option  syn_flood       1
    option  drop_invalid    1
 
 
# Allow initial VPN connection #
#------------------------------------------------
# LuCI: From any host in any zone To any router
# IP at port 5000 on this device (Accept Input) 
config rule
    option  target          'ACCEPT'
    option  family          'ipv4'
    option  proto           'tcp udp'
    option  src             '*'
    option  dest_port       5000
    option  name            'Allow Forwarded VPN Request -> <device>'
 
# Once Assigned VPN IP, Allow Inbound -> LAN #
#------------------------------------------------
# LuCI: From IP range 10.1.0.0/28 in any zone To IP
# range 192.168.1.0/28 on this device (Accept Input)
config rule
    option  target          'ACCEPT'
    option  family          'ipv4'
    option  proto           'tcp udp'
    option  src             '*'
    option  src_ip          '10.1.0.0/28'
    option  dest_ip         '192.168.1.0/26'
    option  name            'Allow VPN0 -> LAN'
 
# Once Assigned VPN IP, Allow Forwarded -> LAN #
#------------------------------------------------
# LuCI: From IP range 10.1.0.0/28 in any zone To IP
# range 192.168.1.0/28  on this device (Accept Forward)
config rule
    option  target          'ACCEPT'
    option  proto           'tcp udp'
    option  family          'ipv4'
    option  src             '*'
    option  src_ip          '10.1.0.0/28'
    option  dest            '*'
    option  dest_ip         '192.168.1.0/26'
    option  name            'Allow Forwarded VPN0 -> LAN'
 
# Allow Outbound ICMP Traffic from VPN #
#------------------------------------------------
# LuCI: ICMP From IP range 10.1.0.0/28 in any 
# zone To any host in lan (Accept Forward)
config rule
    option  target          'ACCEPT'
    option  proto           'icmp'
    option  src             '*'
    option  src_ip          '10.1.0.0/28'
    option  dest            'lan'
    option  name            'Allow VPN0 (ICMP) -> LAN'
 
# Allow Outbound Ping Requests from VPN #
#------------------------------------------------
# LuCI: ICMP with type echo-request From IP range
# 10.1.0.0/28 in any zone To any host in wan (Accept Forward)
config rule
    option  target          'ACCEPT'
    option  proto           'icmp'
    list    icmp_type       'echo-request'
    option  src             '*'
    option  src_ip          '10.1.0.0/28'
    option  dest            'wan'
    option  name            'Allow VPN0 (ICMP 8) -> <device> '
 
 
#::: Zones :::#
# LuCI: Network - Firewall - Zones
#------------------------------------------------
 
# LAN #
config zone
    option  name            'lan'
    option  network         'lan'
    option  input           'ACCEPT'
    option  output          'ACCEPT'
    option  forward         'DROP'
 
# VPN #
config zone
    option  name            'vpn'
    option  network         'vpn0'
    option  input           'ACCEPT'
    option  output          'ACCEPT'
    option  forward         'ACCEPT'
 
# WAN #
config zone
    option  name            'wan'
    option  network         'wan wan6'
    option  input           'DROP'
    option  output          'ACCEPT'
    option  forward         'DROP'
    option  masq            1
    option  mtu_fix         1
 
 
#::: InterZone Forwarding :::#
# LuCI: Network -> Firewall -> Zones -
# VPN - Edit - Inter-Zone Forwarding
#------------------------------------------------
 
# LAN to VPN #    
config forwarding
    option  dest            'vpn'
    option  src             'lan'
 
# LAN to WAN #
config forwarding
    option  dest            'wan'
    option  src             'lan'
 
# VPN to LAN #    
config forwarding
    option  dest            'lan'
    option  src             'vpn'

Commit changes
```
/etc/init.d/firewall restart
```

Logging

firewall.user Script Netfilter Log

/etc/firewall.user

The following rules are required:

vi /etc/firewall.user

#::: Traffic Rules :::#
# LuCI: Network - Firewall - Custom Rules
 
  # These rules make the assumption the default port of 1194 is not used for the VPN
    # Port 5000 is being used arbitrarily for the VPN port
 
 
    # Establish Custom Zones #
#---------------------------------------------------
iptables    -N  LOG-VPN
iptables    -N  Rate_Limit
 
    # Establish Rate Limit #
#---------------------------------------------------
iptables    -A  Rate_Limit  -p  tcp     --dport     5000                                -j  LOG-VPN
iptables    -A  Rate_Limit  -p  udp     --dport     5000                                -j  LOG-VPN
iptables    -A  Rate_Limit  -p  tcp                                                     -j  REJECT      --reject-with   tcp-reset
iptables    -A  Rate_Limit  -p  udp                                                     -j  REJECT      --reject-with   icmp-port-unreachable
iptables    -A  Rate_Limit  !   -p      ICMP                                            -j  LOG         --log-prefix    "<[[--- Connection DROPPED ---]]>: "
iptables    -A  Rate_Limit                                                              -j  DROP
 
    # Apply Rate Limit #
#---------------------------------------------------
iptables    -I  INPUT       -p  tcp     --dport     5000    -m  state   --state NEW     -j  Rate_Limit
iptables    -I  INPUT       -p  udp     --dport     5000    -m  state   --state NEW     -j  Rate_Limit
 
    # Log VPN Traffic #
#---------------------------------------------------
iptables    -A  LOG-VPN                                                                 -j  LOG         --log-prefix    "<[[---  VPN Traffic ---]]> : "         --log-level 4
iptables    -A  LOG-VPN                                                                 -j  ACCEPT

Commit changes
```
/etc/init.d/firewall restart
```
Please also see:

VPN Server

VPN Overview

Config

It's strongly encouraged to read through the OpenVPN HowTo & Man Page

Information

/etc/config/openvpn OpenVPN Information

This specific configuration has been designed to give the best performance possible, via MTU & Buffer Tuning recommendations
- DNS primary & secondary are Google's
- NTP is garnished from NIST (time-c) and can be updated to your NTP server of choice
  - NTP should be specified, but doesn't need to be NIST, as encryption handshakes, both server & client, must be accurate to within milliseconds
CCD directives (under Client Config) are commented out, as one will need to read the OpenVPN HowTo to understand how it's used
- CCD adds an extra layer of protection, allowing only those CNs specified to connect to the VPN, even if a valid client cert is used
Two or more servers can be run from this config file
- To add additional servers, copy & paste first config directly below itself, with a blank line separating the two
The OpenVPN HowTo & Man Page provide every possible option for the Server & Client Configs

Config

/etc/config/openvpn OpenVPN Server Config

Create config:

echo > /etc/config/openvpn ; vi /etc/config/openvpn

Paste the following & edit accordingly

config openvpn 'VPNserver'
    option  enabled             1
 
    # Protocol #
#------------------------------------------------
    option  dev                 'tun'
    option  dev                 'tun0'
    option  topology            'subnet'
    option  proto               'udp'
    option  port                5000
 
    # Routes # 
#------------------------------------------------
    option  server              '10.1.0.0 255.255.255.240'
    option  ifconfig            '10.1.0.1 255.255.255.240'        
 
    # Client Config # 
#------------------------------------------------
    #   option  ccd_exclusive           1
    #   option  ifconfig_pool_persist   '/etc/openvpn/clients/ipp.txt'
    #   option  client_config_dir       '/etc/openvpn/clients/'
 
    # Pushed Routes # 
#------------------------------------------------
    list    push                'route 192.168.1.0 255.255.255.0'
    list    push                'dhcp-option    DNS 192.168.1.1'
    list    push                'dhcp-option    WINS 192.168.1.1'
    list    push                'dhcp-option    DNS 8.8.8.8'
    list    push                'dhcp-option    DNS 8.8.4.4'
    list    push                'dhcp-option    NTP 129.6.15.30'
 
    # Encryption # 
#------------------------------------------------
    # Diffie-Hellman:
    option  dh                  '/etc/ssl/openvpn/dh2048.pem'
 
    # PKCS12:
    option  pkcs12              '/etc/ssl/openvpn/vpn-server.p12'
 
    # SSL:
    option  cipher              AES-256-CBC
    option  auth                'SHA512'
    option  tls_auth            '/etc/ssl/openvpn/ta.key 0'
 
    # TLS:
    option  tls_server          1
    option  tls_version_min     1.2
    option  tls_cipher          'TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:TLS-RSA-WITH-AES-256-CBC-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4'
 
    # Logging # 
#------------------------------------------------
    option  log_append          '/tmp/openvpn.log'
    option  status              '/tmp/openvpn-status.log'
    option  verb                4
 
    # Connection Options # 
#------------------------------------------------
    option  keepalive           '10 120'
    option  comp_lzo            'yes'
 
    # Connection Reliability # 
#------------------------------------------------
    option  client_to_client    1
    option  persist_key         1
    option  persist_tun         1
 
    # Connection Speed # 
#------------------------------------------------
    option  sndbuf              393216
    option  rcvbuf              393216
    option  fragment            0
    option  mssfix              0
    option  tun_mtu             48000
 
    # Pushed Buffers # 
#------------------------------------------------
    list    push                'sndbuf 393216'
    list    push                'rcvbuf 393216'
 
    # Permissions # 
#------------------------------------------------
    option  user                'nobody'
    option  group               'nogroup'
 
 
    # chroot #
#------------------------------------------------
    # chroot should be utilized in case the VPN is ever exploited; however, most commercial
    # routers don't have internal flash storage large enough to support it.  An OpenVPN 
    # chroot would be ~11MB in size.
 
        # Modify if chroot is configured #
    #--------------------------------------------
        # option  ccd_exclusive             1
        # option  ifconfig_pool_persist     /var/chroot-openvpn/etc/openvpn/clients/ipp.txt
        # option  client_config_dir         /var/chroot-openvpn/etc/openvpn/clients
 
        # option  cipher                    AES-256-CBC
        # option  dh                        /var/chroot-openvpn/etc/ssl/openvpn/dh2048.pem
        # option  pkcs12                    /var/chroot-openvpn/etc/ssl/openvpn/vpn-server.p12
        # option  tls_auth                  '/var/chroot-openvpn/etc/ssl/openvpn/ta.key 0'

Commit changes

/etc/init.d/openvpn enable ; /etc/init.d/openvpn start ; sleep 2 ; cat /tmp/openvpn.log

CCD

/etc/openvpn/clients OpenVPN Server CCD Config

Enable CCD within Server config:
1. vi /etc/config/openvpn
```
   option  ccd_exclusive           1
   option  ifconfig_pool_persist   '/etc/openvpn/clients/ipp.txt'
   option  client_config_dir       '/etc/openvpn/clients/'
```
  - ccd_exclusive: enables CCD
  - client_config_dir: Directory housing CCD client files
  - ifconfig_pool_persist: File containing common names from client files, followed by static IP for device
Configure CCD files
1. For each VPN client, a file must be created which exactly mirrors the common name of each client cert
  1. File should contain an ifconfig command pushing a static IP to the client
    1. Client Certificate CN: John Doe (OpenWrt VPNserver Client)
      1. Client File: /etc/openvpn/clients/John Doe (OpenWrt VPNserver Client)
        
        File Output: ifconfig-push 10.1.0.6 255.255.255.240
Configure IPP file
1. One per line, each VPN client's CN needs to be specified, followed by their static IP
  1. IPP File: /etc/openvpn/clients/ipp.txt
    1. File Output: John Doe (OpenWrt VPNserver Client),10.1.0.6

Start/Restart OpenVPN

Connect with each client to test

/etc/init.d/openvpn stop ; /etc/init.d/openvpn start ; tail -f /tmp/openvpn.log

Log Output

CCD Disabled

/tmp/openvpn.log Log Output w/o CCD Enabled

root@OpenWrt ~ # cat /tmp/openvpn.log
Thu Oct 20 13:35:00 2016 us=668816 OpenVPN 2.3.11 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Thu Oct 20 13:35:00 2016 us=668891 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Thu Oct 20 13:35:00 2016 us=669836 Diffie-Hellman initialized with 2048 bit key
Thu Oct 20 13:35:00 2016 us=705181 Control Channel Authentication: using '/etc/ssl/openvpn/ta.key' as a OpenVPN static key file
Thu Oct 20 13:35:00 2016 us=705286 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:00 2016 us=705351 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:00 2016 us=705387 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
Thu Oct 20 13:35:00 2016 us=705489 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 72 bytes
Thu Oct 20 13:35:00 2016 us=705535 TLS-Auth MTU parms [ L:48104 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Thu Oct 20 13:35:00 2016 us=705589 Socket Buffers: R=[87380->327680] S=[16384->327680]
Thu Oct 20 13:35:00 2016 us=706121 TUN/TAP device tun0 opened
Thu Oct 20 13:35:00 2016 us=706200 TUN/TAP TX queue length set to 100
Thu Oct 20 13:35:00 2016 us=706254 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Oct 20 13:35:00 2016 us=706327 /sbin/ip link set dev tun0 up mtu 48000
Thu Oct 20 13:35:00 2016 us=708260 /sbin/ip addr add dev tun0 10.1.0.1/28 broadcast 10.1.0.15
Thu Oct 20 13:35:00 2016 us=713288 Data Channel MTU parms [ L:48104 D:48104 EF:104 EB:143 ET:0 EL:3 AF:3/1 ]
Thu Oct 20 13:35:00 2016 us=713438 GID set to nogroup
Thu Oct 20 13:35:00 2016 us=713500 UID set to nobody
Thu Oct 20 13:35:00 2016 us=713746 Listening for incoming TCP connection on [undef]
Thu Oct 20 13:35:00 2016 us=713811 TCPv4_SERVER link local (bound): [undef]
Thu Oct 20 13:35:00 2016 us=713857 TCPv4_SERVER link remote: [undef]
Thu Oct 20 13:35:00 2016 us=713922 MULTI: multi_init called, r=256 v=256
Thu Oct 20 13:35:00 2016 us=714000 IFCONFIG POOL: base=10.1.0.2 size=12, ipv6=0
Thu Oct 20 13:35:00 2016 us=714070 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Oct 20 13:35:00 2016 us=714678 Initialization Sequence Completed

CCD Enabled

/tmp/openvpn.log Log Output w/ CCD Enabled

root@OpenWrt ~ # cat /tmp/openvpn.log
Thu Oct 20 13:35:30 2016 us=653309 OpenVPN 2.3.11 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key
Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication: using '/etc/ssl/openvpn/ta.key' as a OpenVPN static key file
Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:30 2016 us=706722 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
Thu Oct 20 13:35:30 2016 us=706760 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 72 bytes
Thu Oct 20 13:35:30 2016 us=706804 TLS-Auth MTU parms [ L:48104 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Thu Oct 20 13:35:30 2016 us=706857 Socket Buffers: R=[87380->327680] S=[16384->327680]
Thu Oct 20 13:35:30 2016 us=707392 TUN/TAP device tun0 opened
Thu Oct 20 13:35:30 2016 us=707465 TUN/TAP TX queue length set to 100
Thu Oct 20 13:35:30 2016 us=707517 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Oct 20 13:35:30 2016 us=707587 /sbin/ip link set dev tun0 up mtu 48000
Thu Oct 20 13:35:30 2016 us=709190 /sbin/ip addr add dev tun0 10.1.0.1/28 broadcast 10.1.0.15
Thu Oct 20 13:35:30 2016 us=714514 Data Channel MTU parms [ L:48104 D:48104 EF:104 EB:143 ET:0 EL:3 AF:3/1 ]
Thu Oct 20 13:35:30 2016 us=714630 GID set to nogroup
Thu Oct 20 13:35:30 2016 us=714680 UID set to nobody
Thu Oct 20 13:35:30 2016 us=714859 Listening for incoming TCP connection on [undef]
Thu Oct 20 13:35:30 2016 us=714908 TCPv4_SERVER link local (bound): [undef]
Thu Oct 20 13:35:30 2016 us=714945 TCPv4_SERVER link remote: [undef]
Thu Oct 20 13:35:30 2016 us=714986 MULTI: multi_init called, r=256 v=256
Thu Oct 20 13:35:30 2016 us=715050 IFCONFIG POOL: base=10.1.0.2 size=12, ipv6=0
Thu Oct 20 13:35:30 2016 us=715095 ifconfig_pool_read(), in='vpn-client1-foobar1-device1,10.1.0.5', TODO: IPv6
Thu Oct 20 13:35:30 2016 us=715138 succeeded -> ifconfig_pool_set()
Thu Oct 20 13:35:30 2016 us=715176 ifconfig_pool_read(), in='John Doe (OpenWrt VPNserver Client),10.1.0.6', TODO: IPv6
Thu Oct 20 13:35:30 2016 us=715213 succeeded -> ifconfig_pool_set()
Thu Oct 20 13:35:30 2016 us=715249 IFCONFIG POOL LIST
Thu Oct 20 13:35:30 2016 us=715287 vpn-client1-foobar1-device1,10.1.0.5
Thu Oct 20 13:35:30 2016 us=715331 John Doe (OpenWrt VPNserver Client),10.1.0.6
Thu Oct 20 13:35:30 2016 us=715428 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Oct 20 13:35:30 2016 us=715971 Initialization Sequence Completed

Clients

Server's TLS-Auth key goes within the inline XML space

Android

Information

OpenVPN for Android Android Client Information

For compatibility with exFAT, Android sdcards have a non-customizable 771 permission structure
It's imperative, for the security of the VPN, to ensure the certificate key is encrypted as specified under Client Certs

OpenVPN for Android is the best app for VPNs on Android
PKCS12 certs are installed into the Android Keychain
- As a security feature, a warning toast will always appear in the notification area due to user installed certs
  - This toast can be removed if you have a rooted device by following Toast Removal tutorial
- Another option is to include all certs & keys via inline XML within the client config file
- Regardless if all certs are referenced as inline xml or not, the final generated config inlines all certs

If you choose to reference the ta.key, instead of utilizing inline XML

Remove:

    # Encryption #
#------------------------------------------------
key-direction 1
 
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTED-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>

Add:

    # Encryption #
#------------------------------------------------
tls-auth    '/path/to/ta.key' 1

Some Android devices are not able to convert PKCS12 certs to x509 certs

If your device is affected, you will need to reference your individual certs in your Server Config

Add:

    # Encryption #
#------------------------------------------------
ca      '/sdcard/openvpn/OpenWrt-OpenVPN_ICA-Chain.crt.pem'
cert    '/sdcard/openvpn/vpn-client1.crt.pem'
key     '/sdcard/openvpn/vpn-client1.key.pem'

Config

/sdcard/OpenVPN/OpenWrt/VPNserver.ovpn Android Client Config

    # Config Type #
#------------------------------------------------
client
 
    # Connection  #
#------------------------------------------------
dev tun
proto udp
remote your.ddns.com 5000
 
    # Speed #
#------------------------------------------------
mssfix 0
fragment 0
tun-mtu 48000
 
    # Reliability #
#------------------------------------------------
float
nobind
comp-lzo
 
persist-key
persist-tun
resolv-retry infinite
 
    # Encryption #
#------------------------------------------------
auth SHA512
auth-nocache
 
# --- SSL --- #
cipher AES-256-CBC
 
# --- TLS --- #
key-direction 1
tls-version-min 1.2
 
remote-cert-eku 'TLS Web Server Authentication'
 
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTE-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>
 
    # Logging #
#------------------------------------------------
verb 5

Inline XML

Referencing certs via Inline XML

Remove:

    # Encryption #
#------------------------------------------------
ca        '/sdcard/openvpn/OpenWrt-OpenVPN_ICA-Chain.crt.pem'
cert      '/sdcard/openvpn/vpn-client1.crt.pem'
key       '/sdcard/openvpn/vpn-client1.key.pem'
tls-auth  '/path/to/ta.key' 1

Add:

    # Encryption #
#------------------------------------------------
<ca>
#PASTE-CA-CERT-INLINE-HERE#
</ca>
 
<cert>
#PASTE-VPN-SERVER-CERT-INLINE-HERE#
</cert>
 
<key>
#PASTE-VPN-SERVER-KEY-INLINE-HERE#
</key>
 
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTE-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>

Toast Removal

CAcert Wiki PDF Certificate Warning Toast Removal

If /system/etc/security/cacerts.bks exists on your device, refer to CAcert wiki, then continue

Method 1:
1. Add certificate to Android Keychain
  1. Settings –> Security –> Install from Storage
2. Move certificate from userland to system trusted
  1. Android < 5.0:
    1. Move new file
      1. From: /data/misc/keychain/cacertsadded/
      2. To: /system/etc/security/cacerts/
  2. Android > 5.0:
    1. Move new file
      1. From: /data/misc/user/0/cacerts-added/
      2. To: /system/etc/security/cacerts/
Method 2:
1. Save certificate with .pem extension
2. Garnish subject of certificate:
  1. openssl x509 -inform PEM -subject_hash -in 0b112a89.0
    1. Should be similar to: 0b112a89
3. Save certificate as text:
  1. openssl x509 -inform PEM -text -in 0b112a89.0 > 0b112a89.0.txt
4. Swap PEM section and text:
  1. —–BEGIN CERTIFICATE—– must be at top of file
5. Rename file: 0b112a89.0
  1. Replace with subject from step b
6. Copy file to: /system/etc/security/cacerts/
7. Set permissions:
  1. chmod 644 0b112a89.0
8. Certificate should be listed under:
  1. Settings –> Security –> Trusted Credentials - System
    1. If it's still under User:
      1. Disable/Re-Enable certificate in Android Settings
        
        This creates a file in /data/misc/keychain/cacertsadded/
      2. Move that file to /system/etc/security/cacerts/
      3. Delete original file from step f

BSD/Linux

Information

OpenVPN Client BSD/Linux Client Information

Due to the sheer number of distros & variances from one to the other, only the client config is being provided

Config

/etc/openvpn/VPNserver.conf Linux/BSD Client Config

# Config Type #
#------------------------------------------------
client
 
# Connection  #
#------------------------------------------------
dev tun
proto udp
remote your.ddns.com 5000
 
# Speed #
#------------------------------------------------
mssfix 0
fragment 0
tun-mtu 48000
 
# Reliability #
#------------------------------------------------
float
nobind
comp-lzo
 
persist-key
persist-tun
resolv-retry infinite
 
    # Encryption #
#------------------------------------------------
auth SHA512
auth-nocache
 
# --- SSL --- #
cipher AES-256-CBC
 
# --- TLS --- #
key-direction 1
tls-version-min 1.2
 
pkcs12 '/etc/ssl/openvpn/vpn-client1.p12'
remote-cert-eku 'TLS Web Server Authentication'
 
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTE-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>
 
# Logging #
#------------------------------------------------
verb 5

Windows

Information

OpenVPN Client Windows Client Information

If PKCS12 cert isn't stored in the same directory as the ovpn config , the path to the PKCS12 cert must be referenced
- You must use double backslashes for the path: C:\\Path\\to\\PKCS12

Config

C:\Program Files\OpenVPN\config\OpenWrt\VPNserver.ovpn Windows Client Config

# Config Type #
#------------------------------------------------
client
 
# Connection  #
#------------------------------------------------
dev tun
proto udp
remote your.ddns.com 5000
 
# Speed #
#------------------------------------------------
mssfix 0
fragment 0
tun-mtu 48000
 
# Reliability #
#------------------------------------------------
float
nobind
comp-lzo
 
persist-key
persist-tun
resolv-retry infinite
 
    # Encryption #
#------------------------------------------------
auth SHA512
auth-nocache
 
# --- SSL --- #
cipher AES-256-CBC
 
# --- TLS --- #
key-direction 1
tls-version-min 1.2
 
pkcs12 vpn-client1.p12
remote-cert-eku "TLS Web Server Authentication"
 
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTE-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>
 
# Logging #
#------------------------------------------------
verb 5

Optional

Redirect Gateway (Same Subnet)

It's recommended to read Gateway Redirect prior to continuing Gateway Redirect

Firewall Config

/etc/config/firewall LAN Zone & InterZone Forwarding

Add:

#::: Zones :::#
# LuCI: Network - Firewall - Zones
 
# Add: LAN Masquerade #
#------------------------------------------------
config zone
    option  name            'lan'
    option  network         'lan'
    option  input           'ACCEPT'
    option  output          'ACCEPT'
    option  forward         'DROP'
    option  masq            1

Add:

#::: InterZone Forwarding :::#
# LuCI: Network -> Firewall -> Zones -> VPN - 
# Edit - Inter-Zone Forwarding
 
# Allow Forwarding VPN -> WAN #
#------------------------------------------------
config forwarding
    option  dest            'wan'
    option  src             'vpn'

Commit changes
```
/etc/init.d/firewall restart
```

Server Config

/etc/config/openvpn Pushed Routes

Remove:

    list    push                'dhcp-option    DNS 8.8.8.8'
    list    push                'dhcp-option    DNS 8.8.4.4'

Add:

    list    push                'redirect-gateway   def1 local'
    list    push                'dhcp-option        DNS 10.1.0.1'

Commit changes
```
/etc/init.d/openvpn restart
```

VPN Wikis

OpenSSL

Guides

OpenSSL Guides

Info

OpenSSL Info

Deploying a VPN with PKI on GNU/Linux

OpenVPN

Android

Android

Guides

Guides

Highly Recommended

Help

If needing help

OpenVPN Forum

Tuning

Tuning

OpenWrt

Help

If needing help

OpenWrt Forum

Wiki

Wiki

Questions

Please take the time to read
- If you refuse to help yourself, don't expect someone else to help you
The answer to any question about an OpenVPN Client or Server configuration is contained within the VPN Wiki or OpenSSL sections
- If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the OpenWRT or OpenVPN forums
Please do not publish questions directly to this Wiki, as:
- Most importantly, it's not monitored for questions
- It clutters the Wiki, possibly making it more difficult for others to navigate

OpenWrt Wiki

User Tools

Site Tools

Table of Contents

OpenVPN Server HowTo (Streamlined)

Introduction

VPN Requirements

Encryption

Prerequisites

Prerequisites

Files & Folders

Extensions

OpenSSL

Synopsis

Info

Man Pages

keyUsage

extendedKeyUsage

Key Exchange

EC Key Exchange

CA Creation

Prerequisites

Commands

ICA Creation

Prerequisites

Commands

Index File

Info

Index

Server Cert

Prerequisites

Commands

Client Certs

Prerequisites

Commands

Diffie-Hellman Key

TLS-Auth Key

Import & Backup

Backup

Linux/BSD

Windows

Network

Interface Creation

Configure DDNS

Firewall

Create Rules

Information

Rules

Logging

VPN Server

Config

Information

Config

CCD

Log Output

CCD Disabled

CCD Enabled

Clients

Android

Information

Config

Inline XML

Toast Removal

BSD/Linux

Information

Config

Windows

Information

Config

Optional

Redirect Gateway (Same Subnet)

Firewall Config

Server Config

VPN Wikis

OpenSSL

Guides

Info

OpenVPN

Android

Guides