|There are many redundant wiki pages relating to configuring OpenVPN on OpenWrt. Some are better than others, and others are an out-of-date muddled mess. For a reasonably complete / up-to-date guide to installing, configuring and troubleshooting OpenVPN clients & servers on OpenWrt (including creating a simple PKI), could I suggest you consider starting with vpn.openvpn instead of this wiki.|
It is not that the other wikis aren't worth reading; it is just that (IMHO) vpn.openvpn is a better place to start (it has been rewritten from scratch just a few weeks ago). Maybe you could improve it further? In this instance, this wiki has several minor issues (as at May 2014), such as advocating TAP rather than TUN where TUN would, in most cases, be preferable. If you definitely want TAP rather than TUN, then vpn.openvpn might still be a useful place to visit.
|For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit vpn.overview|
opkg install openvpn-openssl
is all that is needed for the OpenSSL build which should be fine for most people. Though, recently the openvpn package has been split into different flavors. To see all of them listed type
opkg update opkg list | grep openvpn
Follow the official documentation.
You can also install
openvpn-easy-rsa package for OpenWRT and generate the keys on the router itself:
opkg update opkg install openvpn-easy-rsa
First we need to make sure that OpenVPN connections to port 1194 are not blocked by the firewall on OpenWRT. Edit /etc/config/firewall and add the following.
config 'rule' option 'name' 'openvpn-udp' option 'src' 'wan' option 'target' 'ACCEPT' option 'proto' 'udp' option 'dest_port' '1194'
Bridge the tap interface you will be using with your lan interface by adding the following two lines to the respective section in /etc/config/network. This assumes your lan consists of wifi interface called wlan0 that will be bridged with tap0 interface used by OpenVPN.
config interface 'lan' option type 'bridge' option ifname 'wlan0 tap0'
Next comes the OpenVPN server config file:
config 'openvpn' 'your_name' option 'enable' '1' option 'tls_server' '1' option 'port' '1194' # to bypass restrictive firewalls, you might consider running OpenVPN on port 443 or 22 option 'proto' 'udp' # TCP might be more reliable but slower; if you change this to tcp, change the firewall rule as well option 'dev' 'tap0' option 'ca' '/path/to/ca.crt' option 'cert' '/path/to/server.crt' option 'key' '/path/to/server.key' option 'dh' '/path/to/dh1024.pem' option 'server_bridge' '192.168.1.1 255.255.255.0 192.168.1.220 192.168.1.229' # this assumes the lan is 192.168.1.1/24 and will give out address in range 192.168.1.220-229 list 'push' 'dhcp-option DNS 192.168.1.1' # this will make the clients use openwrt for DNS resolution list 'push' 'redirect-gateway def1' # this redirects all traffic over vpn option 'client_to_client' '1' option 'comp_lzo' 'yes' option 'keepalive' '10 120' option 'status' '/tmp/openvpn_tap0.status' option 'persist_key' '1' option 'persist_tun' '1' option 'verb' '3' option 'mute' '20'
Client configuration must correspond with the server configuration. Something like this with the IP address of the VPN server should work:
dev tap proto udp remote Your.IP.Goes.Here 1194 resolv-retry infinite mute-replay-warnings comp-lzo verb 3 keepalive 10 120 persist-key persist-tun nobind
If your setup did not work then it is time to start reading the quite excellent OpenVPN documentation. The #openvpn channel on Freenode is also quite helpful.
If your setup is working fine then the only remaining step is to automate the startup of the OpenVPN server on the OpenWRT machine. To this end create the following file and make sure it is executable:
In Backfire 10.03.1 edit /etc/init.d/openvpn and add the following above the "append_param()" function:
# Make sure tun/tap devices are present
This is not needed in Attitude Adjustment
Then enable openvpn to start on boot with:
Put this into your /etc/config/opevpn:
option topology subnet option 'ifconfig_pool_persist' '/etc/openvpn/ipp.txt 0'
/etc/openvpn/ipp.txt has this format:
CN,192.168.1.235 # CN is the COMMON NAME specified in the clients security certificate