This is an old revision of the document!
To prevent discombobulation, please follow the format already in place within this Wiki when editing (incl. the Table of Contents).
Five requirements for SSL VPNs:
Easy-RSA is a thin wrapper around OpenSSL that gives little control over certificate extensions, subjectAltNames and the index/CRL handling used here; therefore OpenSSL is utilized directly via an openssl.cnf.
Commands are executed from within /etc/ssl/
OpenVPN Prerequisites
opkg update ; opkg install openvpn-openssl luci-app-openvpn
/etc/ssl/openssl.cnf
cd /etc/ssl ; mkdir -p ca/csr crl openvpn/clients
echo 00 > serial
echo 00 > crlnumber
touch index
touch rand
File & Folder Locations
/etc/config/firewall
/etc/config/network
/etc/ssl/openssl.cnf
/etc/config/openvpn
/etc/ssl/ca/
/etc/ssl/ca/csr/
/etc/ssl/crl/
/etc/ssl/openvpn/clients/
/etc/ssl/openvpn/
Certificate Extensions
Section Synopsis - OpenSSL Information - Command Manuals

keyUsage: which operations the certificate's key may perform. For the TLS key exchanges in the table below, keyAgreement is required by the static (EC)DH suites and digitalSignature by the ephemeral (EC)DHE suites; a static RSA key exchange (TLS-RSA-*) needs keyEncipherment instead.
extendedKeyUsage: serverAuth for the VPN server, clientAuth for VPN clients (clientAuth can also be utilized in an IPsec VPN client cert). This is the extension that remote-cert-eku in the client configs further down checks.
nsCertType: the legacy Netscape certificate-type options (ns in nsCertType stands for Netscape [browser]). OpenVPN's matching --ns-cert-type check was deprecated in 2.4 and removed in 2.5 in favour of --remote-cert-tls / --remote-cert-eku, which rely on extendedKeyUsage.

Key Exchange   | keyUsage required  | Server certificate
DH_RSA         | keyAgreement       | static DH public key, certificate signed with an RSA CA key
DH_DSA         | keyAgreement       | DH_RSA, except CA used a DSA key in lieu of RSA
DHE_RSA        | digitalSignature   | RSA key signs the ephemeral DH parameters
DHE_DSS        | digitalSignature   | DHE_RSA, except the server's signing key is DSA

Elliptic-Curve Key Exchange | keyUsage required | Server certificate
ECDH_ECDSA     | keyAgreement       | DH_DSA, but with elliptic curves
ECDH_RSA       | keyAgreement       | ECDH_ECDSA, except CA used an RSA key
ECDHE_ECDSA    | digitalSignature   | DHE_DSS, but with elliptic curves for both the Diffie-Hellman & signature
ECDHE_RSA      | digitalSignature   | ECDHE_ECDSA, except Server public key is an RSA key

With the RSA server key issued in this guide, only the DHE_RSA and ECDHE_RSA suites (digitalSignature) and plain TLS-RSA (keyEncipherment, no forward secrecy) can be negotiated; an ECDH_RSA suite needs an ECDH public key in the server certificate and is never selected.
/etc/ssl/openssl.cnf
CA OpenSSL Prerequisites
Modify the following SubjectAltNames & V3 Profiles:
DNS.1 = Router.1 : change Router.1 to what you'd like the name of your Certificate Authority to be
Rename the section alt_ca_main to alt_ca_openwrt [lines 185, 306, & 310], so that [ alt_ca_openwrt ], [ v3_ca_openwrt ] and subjectAltName = @alt_ca_openwrt all agree
Commands are executed from within /etc/ssl/
CA OpenSSL Commands
openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca/OpenWrt-CA.key.pem -out ca/OpenWrt-CA.crt.pem -config ./openssl.cnf -extensions v3_ca_openwrt
openssl ca -gencrl -keyfile ca/OpenWrt-CA.key.pem -cert ca/OpenWrt-CA.crt.pem -out crl/OpenWrt-CA.crl.pem -config ./openssl.cnf
openssl crl -inform PEM -in crl/OpenWrt-CA.crl.pem -outform DER -out crl/OpenWrt-CA.crl
The req command prompts for a passphrase; the CA private key stays encrypted with it and is only needed again to sign the Intermediate CA and to issue CRLs, so keep it (and ideally a copy off the router) that way.
/etc/ssl/openssl.cnf
ICA OpenSSL Prerequisites
Modify the following SubjectAltNames & V3 Profiles:
DNS.1 = Router.2 : change Router.2 to what you'd like the name of your Intermediate CA to be
Rename the section alt_ica_router2 to alt_ica_openvpn [lines 190, 313, & 317], so that [ alt_ica_openvpn ], [ v3_ica_openvpn ] and subjectAltName = @alt_ica_openvpn all agree
Commands are executed from within /etc/ssl/
ICA OpenSSL Commands
openssl req -out ca/csr/OpenVPN-ICA.csr -new -days 3650 -sha512 -newkey rsa:4096 -keyout ca/OpenVPN-ICA.key -config ./openssl.cnf -extensions v3_ica_openvpn
openssl x509 -req -sha512 -days 3650 -in ca/csr/OpenVPN-ICA.csr -CA ca/OpenWrt-CA.crt.pem -CAkey ca/OpenWrt-CA.key.pem -CAserial ./serial -out ca/OpenVPN-ICA.crt.pem -extfile ./openssl.cnf -extensions v3_ica_openvpn
openssl ca -gencrl -keyfile ca/OpenVPN-ICA.key -cert ca/OpenVPN-ICA.crt.pem -out crl/OpenVPN-ICA.crl.pem -config ./openssl.cnf
openssl crl -inform PEM -in crl/OpenVPN-ICA.crl.pem -outform DER -out crl/OpenVPN-ICA.crl
cat ca/OpenVPN-ICA.crt.pem ca/OpenWrt-CA.crt.pem > ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem
/etc/ssl/index
Index Info
The index file is the certificate database that openssl ca maintains and that openssl ca -gencrl reads to build the CRL. It is only updated automatically when certificates are signed with openssl ca; this wiki signs with openssl x509 -req instead, which needs fewer steps, so every issued certificate has to be entered into the index by hand (format below) or it can never be revoked through the CRL.
/etc/ssl/index
Index File
Manually maintaining the index file consists of inputting 1 cert entry per line. Fields are separated by a single TAB (the revocation field of a valid cert is empty, so two TABs appear in a row); take the values from
openssl x509 -in certificate.crt -text -noout
(or, more directly, openssl x509 -in certificate.crt -noout -serial -enddate -subject). Example entry, fields numbered underneath:

V	261231235959Z		0a	unknown	/C=US/ST=State/L=Locality/O=Sophos UTM/OU=LAN/CN=Cert Common Name/emailAddress=whatever@whichever.com
1	2		3	4	5	6

1. Status: V [Valid], R [Revoked], E [Expired]
2. Expiry date: YYMMDDHHMMSS followed by Z (UTC)
3. Revocation date: empty while valid; for a revoked cert YYMMDDHHMMSSZ,reason where reason is one of keyCompromise, CACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn, AACompromise
4. Serial number in hex, as printed by openssl x509 -noout -serial: 0a is hex for 10 (printf '%d\n' 0x0a returns 10; printf '%02x\n' 10 returns 0a)
5. File name of the issued certificate, or unknown
6. Subject DN in OpenSSL one-line form (/C=.../CN=.../emailAddress=...)
/etc/ssl/openssl.cnf
Server Cert OpenSSL Prerequisites
Modify the following SubjectAltNames & V3 Profiles:

SubjectAltNames Profile
Rename [ alt_vpn_server2 ] to [ alt_openvpn_server ]
IP.1 = 10.0.1.1 : change 10.0.1.1 to match your VPN Server IP
DNS.1 = your.ddns.com : change your.ddns.com to match your own DDNS and/or FQDN

V3 Profile
Rename [ v3_vpn_server2 ] to [ v3_openvpn_server ] to match the alt name set above
subjectAltName = @alt_vpn_server2 becomes subjectAltName = @alt_openvpn_server to match the alt name set above

Commands are executed from within /etc/ssl/
Server Cert OpenSSL Commands
openssl req -out ca/csr/vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/vpn-server.key.pem -config ./openssl.cnf -extensions v3_openvpn_server -nodes
-nodes writes the server's private key unencrypted; the server needs that to start unattended (procd cannot enter a passphrase), so the file is protected by permissions alone (see Backup).
openssl x509 -req -sha512 -days 3650 -in ca/csr/vpn-server.csr -CA ca/OpenVPN-ICA.crt.pem -CAkey ca/OpenVPN-ICA.key -CAserial ./serial -out openvpn/vpn-server.crt.pem -extfile ./openssl.cnf -extensions v3_openvpn_server
openssl pkcs12 -export -out openvpn/vpn-server.p12 -inkey openvpn/vpn-server.key.pem -in openvpn/vpn-server.crt.pem -certfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem
The certificate is written to openvpn/, alongside the key and .p12, which is also the directory the Backup section protects. When pkcs12 -export prompts for an export password, leave it empty for the server bundle (or supply it via OpenVPN's askpass): OpenVPN started by procd cannot prompt for it.
Do not use the same Common Name (CN) on more than one certificate: OpenVPN identifies clients by CN (client-config-dir files, ipp.txt, status log) and by default refuses a second concurrent connection with a CN already connected.
/etc/ssl/openssl.cnf
Client Cert OpenSSL Prerequisites
Modify the following SubjectAltNames & V3 Profiles:

SubjectAltNames Profile
Rename [ alt_vpn2_user1 ] to [ alt_openvpn_<username> ]
DNS.1 = VPN-<username>-Hostname : change VPNserver-Client1-Device-Hostname to match the client username & hostname
email.1 = user1@email.com : change user1@email.com to the user's email

V3 Profile
Rename [ v3_vpn2_user1 ] to [ v3_openvpn_<username> ] to match the alt name set above
subjectAltName = @alt_vpn2_user1 becomes subjectAltName = @alt_openvpn_<username> to match the alt name set above

Commands are executed from within /etc/ssl/
Client Cert OpenSSL Commands
openssl req -out ca/csr/vpn-client1.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/clients/vpn-client1-<username>-<hostname>.key.pem -config ./openssl.cnf -extensions v3_openvpn_<username>
openssl x509 -req -sha512 -days 3650 -in ca/csr/vpn-client1.csr -CA ca/OpenVPN-ICA.crt.pem -CAkey ca/OpenVPN-ICA.key -CAserial ./serial -out openvpn/clients/vpn-client1-<username>-<hostname>.crt.pem -extfile ./openssl.cnf -extensions v3_openvpn_<username>
openssl pkcs12 -export -out openvpn/clients/vpn-client1-<username>-<hostname>.p12 -inkey openvpn/clients/vpn-client1-<username>-<hostname>.key.pem -in openvpn/clients/vpn-client1-<username>-<hostname>.crt.pem -certfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem
Client certificates are issued by the Intermediate CA, like the server certificate, so the root CA key is never needed for day-to-day issuance. No -nodes here: the client key is encrypted with the passphrase req asks for, and the .p12 gets its own export password, because the .p12 is what travels to the device (the client configs below refer to it as vpn-client1.p12; rename it when copying).
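The whole CA -> ICA -> server/client procedure above, and the index-file and CRL handling from the Index File section, as one added, runnable example. This is not the wiki's own script: it signs with `openssl ca` so the index is maintained automatically, uses a minimal openssl.cnf of its own (the wiki's real file is not shown on this page; section names are kept the same), and generates rsa:2048 keys with -nodes only so that it runs unattended. The names OpenWrt-CA, OpenVPN-ICA, vpn-server and vpn-client1 are taken from the page; everything else in the config is an assumption.

```shell
#!/bin/sh
# Added example (not the wiki's code): build the two-tier PKI with `openssl ca`,
# verify the leaves as OpenVPN would, then revoke the client and re-check.

# issue_leaf NAME EXT_SECTION OUT_BASE: CSR + signature by the intermediate (cwd = PKI dir).
# Extensions come from the signer's config section, never from the CSR.
issue_leaf() {
  openssl req -new -sha512 -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$3.key.pem" -out "ca/csr/$1.csr" -config openssl.cnf
  openssl ca -batch -notext -config openssl.cnf -days 3650 -extensions "$2" \
    -keyfile ca/OpenVPN-ICA.key -cert ca/OpenVPN-ICA.crt.pem -in "ca/csr/$1.csr" -out "$3.crt.pem"
}

# gen_crl: (re)issue the intermediate's CRL from the index (cwd = PKI dir).
gen_crl() {
  openssl ca -gencrl -config openssl.cnf -keyfile ca/OpenVPN-ICA.key \
    -cert ca/OpenVPN-ICA.crt.pem -out crl/OpenVPN-ICA.crl.pem
}

# build_pki DIR: layout, config, root CA, intermediate, server and client certs, chain, CRL.
build_pki() (
  set -e
  mkdir -p "$1/ca/csr" "$1/crl" "$1/openvpn/clients"
  cd "$1"
  echo 00 > serial; echo 00 > crlnumber; : > index
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = .
database = $dir/index
serial = $dir/serial
crlnumber = $dir/crlnumber
new_certs_dir = $dir/ca
default_md = sha512
default_crl_days = 30
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ v3_ca_openwrt ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
subjectAltName = @alt_ca_openwrt
[ alt_ca_openwrt ]
DNS.1 = OpenWrt-CA
[ v3_ica_openvpn ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_openvpn_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = @alt_openvpn_server
[ alt_openvpn_server ]
DNS.1 = your.ddns.com
IP.1 = 10.0.1.1
[ v3_openvpn_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  openssl req -x509 -new -sha512 -days 3650 -newkey rsa:2048 -nodes -subj /CN=OpenWrt-CA \
    -keyout ca/OpenWrt-CA.key.pem -out ca/OpenWrt-CA.crt.pem -config openssl.cnf -extensions v3_ca_openwrt
  openssl req -new -sha512 -newkey rsa:2048 -nodes -subj /CN=OpenVPN-ICA \
    -keyout ca/OpenVPN-ICA.key -out ca/csr/OpenVPN-ICA.csr -config openssl.cnf
  openssl ca -batch -notext -config openssl.cnf -days 3650 -extensions v3_ica_openvpn \
    -keyfile ca/OpenWrt-CA.key.pem -cert ca/OpenWrt-CA.crt.pem -in ca/csr/OpenVPN-ICA.csr -out ca/OpenVPN-ICA.crt.pem
  cat ca/OpenVPN-ICA.crt.pem ca/OpenWrt-CA.crt.pem > ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem
  issue_leaf vpn-server  v3_openvpn_server openvpn/vpn-server
  issue_leaf vpn-client1 v3_openvpn_client openvpn/clients/vpn-client1
  gen_crl
)

# verify_cert DIR CERT PURPOSE: chain, keyUsage/EKU for PURPOSE (sslserver|sslclient) and CRL.
verify_cert() (
  cd "$1" && openssl verify -purpose "$3" -crl_check -CAfile ca/OpenWrt-CA.crt.pem \
    -untrusted ca/OpenVPN-ICA.crt.pem -CRLfile crl/OpenVPN-ICA.crl.pem "$2" >/dev/null 2>&1
)

# revoke_client DIR: flip the client's index entry from V to R with a reason, reissue the CRL.
revoke_client() (
  set -e; cd "$1"
  openssl ca -config openssl.cnf -keyfile ca/OpenVPN-ICA.key -cert ca/OpenVPN-ICA.crt.pem \
    -revoke openvpn/clients/vpn-client1.crt.pem -crl_reason keyCompromise
  gen_crl
)

if [ "${1:-}" = "run" ]; then   # ./pki.sh run
  d=$(mktemp -d); build_pki "$d"
  verify_cert "$d" openvpn/vpn-server.crt.pem sslserver && echo "server cert verifies"
  revoke_client "$d"
  verify_cert "$d" openvpn/clients/vpn-client1.crt.pem sslclient || echo "client cert now rejected"
  cat "$d/index"   # status, expiry, revocation+reason, serial, file, subject
fi
```

One shared index/serial for both issuers mirrors the wiki's single serial file; a production setup keeps one database per CA so each CRL only lists its own certificates.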
Diffie-Hellman Parameters & TLS-Auth Key
(Commands are executed from within /etc/ssl/)
openssl dhparam -out openvpn/dh2048.pem 2048
openvpn --genkey --secret openvpn/ta.key
(OpenVPN 2.5 and later spell this openvpn --genkey secret openvpn/ta.key.)
tls-auth requ­ires a static Pre-Shared Key, generated in advance, and shared among all clients. It HMAC-authenticates control-channel packets before the TLS handshake, so scanners and unauthenticated DoS traffic are dropped without touching the TLS stack; because every client holds the same key it adds no per-client authentication, and a lost or compromised client means rotating ta.key for everyone.
GnuPG is a great tool to manage CAs and client certificates
/etc/sysupgrade.conf
Backup
Restrict permissions first (private keys, CSRs and .p12 bundles 600; certificates & CRLs 644):
chmod 600 /etc/ssl/ca/* /etc/ssl/ca/csr/* /etc/ssl/crl/* /etc/ssl/openvpn/* /etc/ssl/openvpn/clients/* ; chmod 644 /etc/ssl/ca/*.crt* /etc/ssl/openvpn/*.crt* /etc/ssl/openvpn/clients/*.crt* /etc/ssl/crl/*.crl
This covers /etc/ssl/, /etc/ssl/ca/, /etc/ssl/openvpn/ and /etc/ssl/openvpn/clients/.
Then list the directories and files in /etc/sysupgrade.conf so they survive a sysupgrade and are included in LuCI backups (System - Backup/Flash Firmware - Configuration):
vi /etc/sysupgrade.conf
# LuCI: System - Backup/Flash Firmware - Configuration
# Directories #
#---------------------------------------------------
/etc/config/
/etc/openvpn/
/etc/ssl/
# Files #
#---------------------------------------------------
/etc/firewall.user
/etc/sysupgrade.conf
Note that the resulting backup archive then contains the CA, ICA and server private keys; store it encrypted and not on the router.
Linux & BSD
If utilizing Linux/BSD:
Windows
If utilizing Windows:
uci set network.vpn0=interface ; uci set network.vpn0.ifname=tun0 ; uci set network.vpn0.proto=none
Replace network.vpn0 with network.<name> and ifname=tun0 with ifname=<name> if you use a different interface name. (OpenWrt 21.02 and later use option device in place of ifname.)
uci commit network ; /etc/init.d/network reload
Applies to connections from WAN.
A non-standard port (not 1194) should be utilized for the VPN: it keeps scanner noise out of the logs, but it is not a security control; tls-auth and the certificates are.
/etc/config/firewall
Firewall Info
/etc/config/firewall
Firewall Rules
The following rules are required (the comments note the LuCI labels in the Traffic Rules dialog match the options below; the LAN ranges used are 192.168.1.0/26 and the VPN pool 10.1.0.0/28):
vi /etc/config/firewall

#::: Firewall.User Rules :::#
# LuCI: Network - Firewall - Custom Rules
config include
	option path '/etc/firewall.user'

#::: Defaults :::#
# LuCI: Network - Firewall
#------------------------------------------------
# Default OpenWRT Rule #
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	option syn_flood 1
	option drop_invalid 1

#::: Traffic Rules :::#
# LuCI: Network - Firewall - Traffic Rules

# Allow initial VPN connection #
#------------------------------------------------
# LuCI: From any host in any zone To any router
# IP at port 5000 on this device (Accept Input)
config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src '*'
	option dest_port 5000
	option name 'Allow Forwarded VPN Request -> <device>'

# Once Assigned VPN IP, Allow Inbound -> LAN #
#------------------------------------------------
# LuCI: From IP range 10.1.0.0/28 in any zone To IP
# range 192.168.1.0/26 on this device (Accept Input)
config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src '*'
	option src_ip '10.1.0.0/28'
	option dest_ip '192.168.1.0/26'
	option name 'Allow VPN0 -> LAN'

# Once Assigned VPN IP, Allow Forwarded -> LAN #
#------------------------------------------------
# LuCI: From IP range 10.1.0.0/28 in any zone To IP
# range 192.168.1.0/26 in any zone (Accept Forward)
config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option family 'ipv4'
	option src '*'
	option src_ip '10.1.0.0/28'
	option dest '*'
	option dest_ip '192.168.1.0/26'
	option name 'Allow Forwarded VPN0 -> LAN'

# Allow Outbound ICMP Traffic from VPN #
#------------------------------------------------
# LuCI: ICMP From IP range 10.1.0.0/28 in any
# zone To any host in lan (Accept Forward)
config rule
	option target 'ACCEPT'
	option proto 'icmp'
	option src '*'
	option src_ip '10.1.0.0/28'
	option dest 'lan'
	option name 'Allow VPN0 (ICMP) -> LAN'

# Allow Outbound Ping Requests from VPN #
#------------------------------------------------
# LuCI: ICMP with type echo-request From IP range
# 10.1.0.0/28 in any zone To any host in wan (Accept Forward)
config rule
	option target 'ACCEPT'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option src '*'
	option src_ip '10.1.0.0/28'
	option dest 'wan'
	option name 'Allow VPN0 (ICMP 8) -> <device>'

#::: Zones :::#
# LuCI: Network - Firewall - Zones
#------------------------------------------------
# LAN #
config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'

# VPN #
config zone
	option name 'vpn'
	option network 'vpn0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# WAN #
config zone
	option name 'wan'
	option network 'wan wan6'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq 1
	option mtu_fix 1

#::: InterZone Forwarding :::#
# LuCI: Network -> Firewall -> Zones -
# VPN - Edit - Inter-Zone Forwarding
#------------------------------------------------
# LAN to VPN #
config forwarding
	option dest 'vpn'
	option src 'lan'

# LAN to WAN #
config forwarding
	option dest 'wan'
	option src 'lan'

# VPN to LAN #
config forwarding
	option dest 'lan'
	option src 'vpn'

/etc/init.d/firewall restart
firewall.user Script
/etc/firewall.user
The following rules are required:
vi /etc/firewall.user

#::: Traffic Rules :::#
# LuCI: Network - Firewall - Custom Rules
# These rules make the assumption the default port of 1194 is not used for the VPN
# Port 5000 is being used arbitrarily for the VPN port

# Establish Custom Chains #
#---------------------------------------------------
iptables -N LOG-VPN
iptables -N Rate_Limit

# Establish Rate Limit #
#---------------------------------------------------
# New connections to the VPN port are logged and accepted up to the limit;
# anything above it is logged as DROPPED, then rejected. Without the -m limit
# match every packet would be accepted and the REJECT/DROP lines never reached.
# -m limit is one global bucket, so a single noisy source throttles everyone;
# per-source limiting needs -m hashlimit --hashlimit-mode srcip (kmod-ipt-hashlimit).
iptables -A Rate_Limit -p tcp --dport 5000 -m limit --limit 10/minute --limit-burst 20 -j LOG-VPN
iptables -A Rate_Limit -p udp --dport 5000 -m limit --limit 10/minute --limit-burst 20 -j LOG-VPN
iptables -A Rate_Limit ! -p icmp -m limit --limit 5/minute -j LOG --log-prefix "<[[--- Connection DROPPED ---]]>: "
iptables -A Rate_Limit -p tcp -j REJECT --reject-with tcp-reset
iptables -A Rate_Limit -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A Rate_Limit -j DROP

# Apply Rate Limit #
#---------------------------------------------------
iptables -I INPUT -p tcp --dport 5000 -m state --state NEW -j Rate_Limit
iptables -I INPUT -p udp --dport 5000 -m state --state NEW -j Rate_Limit

# Log VPN Traffic #
#---------------------------------------------------
iptables -A LOG-VPN -j LOG --log-prefix "<[[--- VPN Traffic ---]]> : " --log-level 4
iptables -A LOG-VPN -j ACCEPT

/etc/init.d/firewall restart
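The LOG targets above only pay off if someone reads the kernel log. As an added example (not part of the wiki), the function below summarises those lines per prefix and source address; on the router it is fed with logread, here with a few constructed sample lines in the format the kernel LOG target emits. The addresses and timestamps are made up.

```shell
#!/bin/sh
# Added example: summarise the "<[[--- ... ---]]>" log lines produced by the
# firewall.user rules, counted per (prefix, SRC=address). Constructed sample input:
SAMPLE_LOG='Thu Oct 20 13:40:01 2016 kern.warn kernel: <[[--- VPN Traffic ---]]> : IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=51234 DPT=5000 LEN=42
Thu Oct 20 13:40:02 2016 kern.warn kernel: <[[--- Connection DROPPED ---]]>: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=5000 WINDOW=1024
Thu Oct 20 13:40:02 2016 kern.warn kernel: <[[--- Connection DROPPED ---]]>: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=5000 WINDOW=1024
Thu Oct 20 13:40:03 2016 kern.warn kernel: <[[--- Connection DROPPED ---]]>: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 PROTO=UDP SPT=40003 DPT=5000 LEN=42
Thu Oct 20 13:40:05 2016 kern.warn kernel: <[[--- VPN Traffic ---]]> : IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=51234 DPT=5000 LEN=42
Thu Oct 20 13:40:06 2016 daemon.info dnsmasq[1234]: query[A] example.com from 192.168.1.20'

# vpn_log_summary [PREFIX]: read log lines on stdin, print "count<TAB>prefix<TAB>src",
# highest count first. With PREFIX given, only that prefix is counted.
vpn_log_summary() {
  awk -v want="${1:-}" '
    index($0, "<[[--- ") {
      s = index($0, "<[[--- "); e = index($0, " ---]]>")
      if (e <= s) next
      tag = substr($0, s + 7, e - s - 7)            # text between the brackets
      if (want != "" && tag != want) next
      src = ""
      for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
      n[tag "\t" src]++
    }
    END { for (k in n) print n[k] "\t" k }' | sort -rn
}

# count_for PREFIX SRC: how many lines of the sample carry PREFIX from SRC (0 if none).
count_for() {
  printf '%s\n' "$SAMPLE_LOG" | vpn_log_summary "$1" |
    awk -F'\t' -v s="$2" '$3 == s { print $1; f = 1 } END { if (!f) print 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | vpn_log_summary
# On the router:  logread | vpn_log_summary "Connection DROPPED"
```

A source that keeps showing up under "Connection DROPPED" is hitting the rate limit; one that appears under "VPN Traffic" but never completes a handshake in /tmp/openvpn.log is probing the port with the wrong or no tls-auth key.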
It's strongly encouraged to read through the OpenVPN HowTo & Man Page
/etc/config/openvpn
OpenVPN Information
/etc/config/openvpn
OpenVPN Server Config
echo > /etc/config/openvpn ; vi /etc/config/openvpn

config openvpn 'VPNserver'
	option enabled 1

	# Protocol #
	#------------------------------------------------
	option dev 'tun0'
	option dev_type 'tun'
	option topology 'subnet'
	option proto 'udp'
	option port 5000

	# Routes #
	#------------------------------------------------
	option server '10.1.0.0 255.255.255.240'
	option ifconfig '10.1.0.1 255.255.255.240'

	# Client Config #
	#------------------------------------------------
	# option ccd_exclusive 1
	# option ifconfig_pool_persist '/etc/openvpn/clients/ipp.txt'
	# option client_config_dir '/etc/openvpn/clients/'

	# Pushed Routes #
	#------------------------------------------------
	list push 'route 192.168.1.0 255.255.255.0'
	list push 'dhcp-option DNS 192.168.1.1'
	list push 'dhcp-option WINS 192.168.1.1'
	list push 'dhcp-option DNS 8.8.8.8'
	list push 'dhcp-option DNS 8.8.4.4'
	list push 'dhcp-option NTP 129.6.15.30'

	# Encryption #
	#------------------------------------------------
	# Diffie-Hellman:
	option dh '/etc/ssl/openvpn/dh2048.pem'
	# PKCS12 (exported with an empty password, or add option askpass: procd cannot prompt):
	option pkcs12 '/etc/ssl/openvpn/vpn-server.p12'
	# SSL:
	option cipher AES-256-CBC
	option auth 'SHA512'
	option tls_auth '/etc/ssl/openvpn/ta.key 0'
	# TLS:
	option tls_server 1
	option tls_version_min 1.2
	# TLS-RSA-* has no forward secrecy and TLS-ECDH-RSA-* needs an ECDH server key
	# (not the RSA key issued above); drop both to force ECDHE/DHE suites only.
	option tls_cipher 'TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:TLS-RSA-WITH-AES-256-CBC-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4'

	# Logging #
	#------------------------------------------------
	option log_append '/tmp/openvpn.log'
	option status '/tmp/openvpn-status.log'
	option verb 4

	# Connection Options #
	#------------------------------------------------
	option keepalive '10 120'
	# Compressing encrypted traffic leaks plaintext (VORACLE); OpenVPN 2.4+ advises
	# against it. Remove here and in the client configs unless you need it.
	option comp_lzo 'yes'

	# Connection Reliability #
	#------------------------------------------------
	# client_to_client switches traffic between clients inside openvpn, bypassing
	# the firewall; drop it if clients should be isolated from each other.
	option client_to_client 1
	option persist_key 1
	option persist_tun 1

	# Connection Speed #
	#------------------------------------------------
	option sndbuf 393216
	option rcvbuf 393216
	option fragment 0
	option mssfix 0
	option tun_mtu 48000

	# Pushed Buffers #
	#------------------------------------------------
	list push 'sndbuf 393216'
	list push 'rcvbuf 393216'

	# Permissions #
	#------------------------------------------------
	option user 'nobody'
	option group 'nogroup'

	# chroot #
	#------------------------------------------------
	# chroot should be utilized in case the VPN is ever exploited; however, most commercial
	# routers don't have internal flash storage large enough to support it. An OpenVPN
	# chroot would be ~11MB in size.
	# Modify if chroot is configured #
	#--------------------------------------------
	# option ccd_exclusive 1
	# option ifconfig_pool_persist /var/chroot-openvpn/etc/openvpn/clients/ipp.txt
	# option client_config_dir /var/chroot-openvpn/etc/openvpn/clients
	# option cipher AES-256-CBC
	# option dh /var/chroot-openvpn/etc/ssl/openvpn/dh2048.pem
	# option pkcs12 /var/chroot-openvpn/etc/ssl/openvpn/vpn-server.p12
	# option tls_auth '/var/chroot-openvpn/etc/ssl/openvpn/ta.key 0'

(A single option dev 'tun0' is used; a second option dev line in the same section would silently override the first in UCI.)
/etc/init.d/openvpn enable ; /etc/init.d/openvpn start ; sleep 2 ; cat /tmp/openvpn.log
/etc/openvpn/clients
OpenVPN Server CCD Config
vi /etc/config/openvpn

	option ccd_exclusive 1
	option ifconfig_pool_persist '/etc/openvpn/clients/ipp.txt'
	option client_config_dir '/etc/openvpn/clients/'

client_config_dir: directory housing the per-client config (CCD) files, one file per client, named after the certificate's Common Name
ccd_exclusive: refuse any client that has no CCD file, so a valid certificate alone is not enough to connect (a lost device can be cut off by deleting its file until its certificate is revoked)
ifconfig_pool_persist: file mapping Common Names to the IP each client was assigned, so a client keeps its address across restarts
ifconfig-push: directive inside a CCD file that assigns a static IP to that client

Example for a client whose certificate CN is John Doe (OpenWrt VPNserver Client):

/etc/openvpn/clients/John Doe (OpenWrt VPNserver Client)
ifconfig-push 10.1.0.6 255.255.255.240

/etc/openvpn/clients/ipp.txt
John Doe (OpenWrt VPNserver Client),10.1.0.6

By default OpenVPN 2.3 and later remap characters other than letters, digits, _ - . and @ in the Common Name to _ before using it as a file name (the old behaviour was --compat-names no-remapping, removed in 2.5), so a CN containing spaces or parentheses will not match a CCD file named with the original characters. Keep CNs to that character set, e.g. vpn-client1-foobar1-device1 as in the log below, and check the CN the server logs on connect if a CCD file is not picked up.
/etc/init.d/openvpn stop ; /etc/init.d/openvpn start ; tail -f /tmp/openvpn.log
/tmp/openvpn.log
Log Output w/o CCD Enabled
root@OpenWrt ~ # cat /tmp/openvpn.log
Thu Oct 20 13:35:00 2016 us=668816 OpenVPN 2.3.11 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Thu Oct 20 13:35:00 2016 us=668891 library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09
Thu Oct 20 13:35:00 2016 us=669836 Diffie-Hellman initialized with 2048 bit key
Thu Oct 20 13:35:00 2016 us=705181 Control Channel Authentication: using '/etc/ssl/openvpn/ta.key' as a OpenVPN static key file
Thu Oct 20 13:35:00 2016 us=705286 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:00 2016 us=705351 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:00 2016 us=705387 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
Thu Oct 20 13:35:00 2016 us=705489 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 72 bytes
Thu Oct 20 13:35:00 2016 us=705535 TLS-Auth MTU parms [ L:48104 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Thu Oct 20 13:35:00 2016 us=705589 Socket Buffers: R=[87380->327680] S=[16384->327680]
Thu Oct 20 13:35:00 2016 us=706121 TUN/TAP device tun0 opened
Thu Oct 20 13:35:00 2016 us=706200 TUN/TAP TX queue length set to 100
Thu Oct 20 13:35:00 2016 us=706254 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Oct 20 13:35:00 2016 us=706327 /sbin/ip link set dev tun0 up mtu 48000
Thu Oct 20 13:35:00 2016 us=708260 /sbin/ip addr add dev tun0 10.1.0.1/28 broadcast 10.1.0.15
Thu Oct 20 13:35:00 2016 us=713288 Data Channel MTU parms [ L:48104 D:48104 EF:104 EB:143 ET:0 EL:3 AF:3/1 ]
Thu Oct 20 13:35:00 2016 us=713438 GID set to nogroup
Thu Oct 20 13:35:00 2016 us=713500 UID set to nobody
Thu Oct 20 13:35:00 2016 us=713746 Listening for incoming TCP connection on [undef]
Thu Oct 20 13:35:00 2016 us=713811 TCPv4_SERVER link local (bound): [undef]
Thu Oct 20 13:35:00 2016 us=713857 TCPv4_SERVER link remote: [undef]
Thu Oct 20 13:35:00 2016 us=713922 MULTI: multi_init called, r=256 v=256
Thu Oct 20 13:35:00 2016 us=714000 IFCONFIG POOL: base=10.1.0.2 size=12, ipv6=0
Thu Oct 20 13:35:00 2016 us=714070 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Oct 20 13:35:00 2016 us=714678 Initialization Sequence Completed

This capture was taken with proto tcp (the TCPv4_SERVER lines); with the udp config above the socket lines read UDPv4 instead. Note also that the kernel capped the requested 393216-byte socket buffers at 327680.

/tmp/openvpn.log
Log Output w/ CCD Enabled
root@OpenWrt ~ # cat /tmp/openvpn.log
Thu Oct 20 13:35:30 2016 us=653309 OpenVPN 2.3.11 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09
Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key
Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication: using '/etc/ssl/openvpn/ta.key' as a OpenVPN static key file
Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:30 2016 us=706722 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
Thu Oct 20 13:35:30 2016 us=706760 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 72 bytes
Thu Oct 20 13:35:30 2016 us=706804 TLS-Auth MTU parms [ L:48104 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Thu Oct 20 13:35:30 2016 us=706857 Socket Buffers: R=[87380->327680] S=[16384->327680]
Thu Oct 20 13:35:30 2016 us=707392 TUN/TAP device tun0 opened
Thu Oct 20 13:35:30 2016 us=707465 TUN/TAP TX queue length set to 100
Thu Oct 20 13:35:30 2016 us=707517 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Oct 20 13:35:30 2016 us=707587 /sbin/ip link set dev tun0 up mtu 48000
Thu Oct 20 13:35:30 2016 us=709190 /sbin/ip addr add dev tun0 10.1.0.1/28 broadcast 10.1.0.15
Thu Oct 20 13:35:30 2016 us=714514 Data Channel MTU parms [ L:48104 D:48104 EF:104 EB:143 ET:0 EL:3 AF:3/1 ]
Thu Oct 20 13:35:30 2016 us=714630 GID set to nogroup
Thu Oct 20 13:35:30 2016 us=714680 UID set to nobody
Thu Oct 20 13:35:30 2016 us=714859 Listening for incoming TCP connection on [undef]
Thu Oct 20 13:35:30 2016 us=714908 TCPv4_SERVER link local (bound): [undef]
Thu Oct 20 13:35:30 2016 us=714945 TCPv4_SERVER link remote: [undef]
Thu Oct 20 13:35:30 2016 us=714986 MULTI: multi_init called, r=256 v=256
Thu Oct 20 13:35:30 2016 us=715050 IFCONFIG POOL: base=10.1.0.2 size=12, ipv6=0
Thu Oct 20 13:35:30 2016 us=715095 ifconfig_pool_read(), in='vpn-client1-foobar1-device1,10.1.0.5', TODO: IPv6
Thu Oct 20 13:35:30 2016 us=715138 succeeded -> ifconfig_pool_set()
Thu Oct 20 13:35:30 2016 us=715176 ifconfig_pool_read(), in='John Doe (OpenWrt VPNserver Client),10.1.0.6', TODO: IPv6
Thu Oct 20 13:35:30 2016 us=715213 succeeded -> ifconfig_pool_set()
Thu Oct 20 13:35:30 2016 us=715249 IFCONFIG POOL LIST
Thu Oct 20 13:35:30 2016 us=715287 vpn-client1-foobar1-device1,10.1.0.5
Thu Oct 20 13:35:30 2016 us=715331 John Doe (OpenWrt VPNserver Client),10.1.0.6
Thu Oct 20 13:35:30 2016 us=715428 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Oct 20 13:35:30 2016 us=715971 Initialization Sequence Completed
The server's TLS-Auth key (ta.key) goes within the inline <tls-auth> block of each client config.

Android Client Information
For compatibility with exFAT, Android sdcards have a non-customizable 771 permission structure, so nothing placed there can be protected by file permissions.
It's imperative, for the security of the VPN, to ensure the client's certificate key is encrypted as specified under Client Certs (the app prompts for the passphrase); never store an unencrypted key or an unencrypted .p12 on the sdcard.
ta.key can be referenced as a file or pasted inline; an imported profile with inline material lives in the app's private storage rather than on the sdcard, so inline is preferred:

# Encryption #
#------------------------------------------------
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTED-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>

File variant:

# Encryption #
#------------------------------------------------
tls-auth '/path/to/ta.key' 1

Certificates as files:

# Encryption #
#------------------------------------------------
ca '/sdcard/openvpn/OpenWrt-OpenVPN_ICA-Chain.crt.pem'
cert '/sdcard/openvpn/vpn-client1.crt.pem'
key '/sdcard/openvpn/vpn-client1.key.pem'

/sdcard/OpenVPN/OpenWrt/VPNserver.ovpn
Android Client Config

# Config Type #
#------------------------------------------------
client

# Connection #
#------------------------------------------------
dev tun
proto udp
remote your.ddns.com 5000

# Speed #
#------------------------------------------------
mssfix 0
fragment 0
tun-mtu 48000

# Reliability #
#------------------------------------------------
float
nobind
comp-lzo
persist-key
persist-tun
resolv-retry infinite

# Encryption #
#------------------------------------------------
auth SHA512
auth-nocache
# --- SSL --- #
cipher AES-256-CBC
# --- TLS --- #
key-direction 1
tls-version-min 1.2
remote-cert-eku 'TLS Web Server Authentication'
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTE-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>

# Logging #
#------------------------------------------------
verb 5

Referencing certs via files:

# Encryption #
#------------------------------------------------
ca '/sdcard/openvpn/OpenWrt-OpenVPN_ICA-Chain.crt.pem'
cert '/sdcard/openvpn/vpn-client1.crt.pem'
key '/sdcard/openvpn/vpn-client1.key.pem'
tls-auth '/path/to/ta.key' 1

Referencing certs via inline XML (the CA chain plus this client's own certificate and key, never the server's):

# Encryption #
#------------------------------------------------
<ca>
#PASTE-CA-CHAIN-INLINE-HERE#
</ca>
<cert>
#PASTE-CLIENT-CERT-INLINE-HERE#
</cert>
<key>
#PASTE-CLIENT-KEY-INLINE-HERE#
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTE-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>
Certificate Warning Toast Removal
Android shows a persistent "network may be monitored" notice while a user-installed CA is present. It goes away if the CA is installed into the system store instead, which requires root and a writable /system. The OpenVPN client verifies the server against the ca directive in its own config, so this step is cosmetic for the VPN; a CA in the system store is trusted by every app on the device, so only do this for a CA whose private key you control.
If /system/etc/security/cacerts.bks exists on your device, refer to the CAcert wiki, then continue.
User-installed CAs are stored in /data/misc/keychain/cacertsadded/ (older Android) or /data/misc/user/0/cacerts-added/ (newer); system CAs in /system/etc/security/cacerts/. System CA files are named by subject hash with the extension .0, not .pem. Android uses OpenSSL's old-style (MD5-based) subject hash, so compute it with
openssl x509 -inform PEM -noout -subject_hash_old -in OpenWrt-CA.crt.pem
(plain -subject_hash on OpenSSL 1.0 and later yields the newer SHA-1 hash, which Android will not match). The file holds the PEM block first, followed by the text dump:
openssl x509 -inform PEM -text -in 0b112a89.0 > 0b112a89.0.txt
-----BEGIN CERTIFICATE----- must be at the top of the file 0b112a89.0.
Place it in /system/etc/security/cacerts/ and set
chmod 644 0b112a89.0
then remove the copy from the user store (/data/misc/keychain/cacertsadded/) so only the entry in /system/etc/security/cacerts/ remains, and reboot.
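Building the <hash>.0 file by hand is where the subject_hash / subject_hash_old mix-up usually happens, so here is the step as an added, runnable example (not from the wiki): it generates a throw-away self-signed CA so it runs offline, names the output file by the old-style subject hash, and writes the PEM block ahead of the text dump exactly as the system store expects. Point android_cacert_file at your real CA certificate instead.

```shell
#!/bin/sh
# Added example: produce the /system/etc/security/cacerts/<subject_hash_old>.0
# file for a PEM CA certificate, as the Android system store expects it.

# android_cacert_file CA.pem OUTDIR: writes OUTDIR/<hash>.0 and prints its path.
android_cacert_file() {
  hash=$(openssl x509 -inform PEM -noout -subject_hash_old -in "$1")
  out="$2/$hash.0"
  {
    openssl x509 -inform PEM -in "$1"                     # PEM block first: BEGIN CERTIFICATE on line 1
    openssl x509 -inform PEM -in "$1" -noout -text -fingerprint   # human-readable dump + fingerprint
  } > "$out"
  chmod 644 "$out"                                        # same mode as the stock system CA files
  echo "$out"
}

# first_line FILE: used to check that the PEM header leads the file.
first_line() { head -n 1 "$1"; }

# Demo with a constructed, throw-away CA (assumption: openssl is on PATH).
DEMO_DIR=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=Example-CA \
  -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.pem" 2>/dev/null
DEMO_FILE=$(android_cacert_file "$DEMO_DIR/ca.pem" "$DEMO_DIR")
echo "$DEMO_FILE"
# On a rooted device: remount /system read-write, copy the file into
# /system/etc/security/cacerts/, remove the user-store copy, reboot.
```

Both the hash and the file layout are checked by the script itself; a file named with the wrong hash is silently ignored by Android, which is the usual reason the notice does not go away.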
BSD/Linux Client Information
/etc/openvpn/VPNserver.conf
Linux/BSD Client Config

# Config Type #
#------------------------------------------------
client

# Connection #
#------------------------------------------------
dev tun
proto udp
remote your.ddns.com 5000

# Speed #
#------------------------------------------------
mssfix 0
fragment 0
tun-mtu 48000

# Reliability #
#------------------------------------------------
float
nobind
comp-lzo
persist-key
persist-tun
resolv-retry infinite

# Encryption #
#------------------------------------------------
auth SHA512
auth-nocache
# --- SSL --- #
cipher AES-256-CBC
# --- TLS --- #
key-direction 1
tls-version-min 1.2
pkcs12 '/etc/ssl/openvpn/vpn-client1.p12'
remote-cert-eku 'TLS Web Server Authentication'
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTE-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>

# Logging #
#------------------------------------------------
verb 5

Windows Client Information
A bare file name such as pkcs12 vpn-client1.p12 is resolved relative to the config directory. An absolute Windows path must double the backslashes, e.g. pkcs12 "C:\\Path\\to\\vpn-client1.p12", or use forward slashes.
C:\Program Files\OpenVPN\config\OpenWrt\VPNserver.ovpn
Windows Client Config

# Config Type #
#------------------------------------------------
client

# Connection #
#------------------------------------------------
dev tun
proto udp
remote your.ddns.com 5000

# Speed #
#------------------------------------------------
mssfix 0
fragment 0
tun-mtu 48000

# Reliability #
#------------------------------------------------
float
nobind
comp-lzo
persist-key
persist-tun
resolv-retry infinite

# Encryption #
#------------------------------------------------
auth SHA512
auth-nocache
# --- SSL --- #
cipher AES-256-CBC
# --- TLS --- #
key-direction 1
tls-version-min 1.2
pkcs12 vpn-client1.p12
remote-cert-eku "TLS Web Server Authentication"
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTE-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>

# Logging #
#------------------------------------------------
verb 5
It's recommended to read Gateway Redirect prior to continuing
/etc/config/firewall LAN Zone & InterZone Forwarding

#::: Zones :::#
# LuCI: Network - Firewall - Zones
# Add: LAN Masquerade #
#------------------------------------------------
config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq 1

Masquerading on the LAN zone NATs VPN clients behind the router's LAN address, so LAN hosts need no route back to 10.1.0.0/28; the trade-off is that LAN-side logs show the router rather than the individual client.

#::: InterZone Forwarding :::#
# LuCI: Network -> Firewall -> Zones -> VPN -
# Edit - Inter-Zone Forwarding
# Allow Forwarding VPN -> WAN #
#------------------------------------------------
config forwarding
	option dest 'wan'
	option src 'vpn'

/etc/init.d/firewall restart
/etc/config/openvpn
Pushed Routes
Replace
	list push 'dhcp-option DNS 8.8.8.8'
	list push 'dhcp-option DNS 8.8.4.4'
with
	list push 'redirect-gateway def1'
	list push 'dhcp-option DNS 10.1.0.1'
redirect-gateway's local flag is only for clients on the same LAN as the server: it skips the host route to the server, so a road-warrior client that received it would route its own tunnel packets into the tunnel once the default route is redirected. Pushing DNS 10.1.0.1 requires dnsmasq on the router to answer queries arriving on tun0, which the vpn zone's input ACCEPT permits; verify from a client with nslookup before relying on it.
/etc/init.d/openvpn restart
Android