This wiki is read only and for archival purposes only. Please use the new OpenWrt wiki at https://openwrt.org/

OpenVPN client with TUN (Layer 3) device

Note: A lot of the instructions for OpenVPN are terrible. I have added this one to clear up a few things. The main issue I want to address is DNS leak resolution. This howto uses LuCI, at a minimum for starting the connection. This was tested using OpenWrt Designated Driver 50097 in a virtual machine. The configuration was done using Private Internet Access VPN.

Prerequisites

Packages

  • luci
  • luci-app-openvpn
  • openssl-util
  • openvpn-openssl

Scripts

Note: These scripts are only required to stop DNS leaking. This information was taken from https://github.com/jlund/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client. You will need to be able to log in to the router using SSH and create these files.

Create ovpn-up script

cat<<'EOF' > /usr/bin/ovpn-up
#!/bin/sh
# Keep the current resolver file so ovpn-down can restore it.
mv /tmp/resolv.conf.auto /tmp/resolv.conf.auto.hold
# Rewrite the options pushed by the VPN server as resolv.conf lines.
echo "$foreign_option_1" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' > /tmp/resolv.conf.auto
echo "$foreign_option_2" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
echo "$foreign_option_3" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
EOF

Create ovpn-down script

cat<<'EOF' > /usr/bin/ovpn-down
#!/bin/sh
# Restore the resolver file saved by ovpn-up.
mv /tmp/resolv.conf.auto.hold /tmp/resolv.conf.auto
EOF

Make the scripts executable

chmod 0100 /usr/bin/ovpn-up
chmod 0100 /usr/bin/ovpn-down
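
The ovpn-up script above handles exactly three pushed options and writes them to the resolver file unchecked. The following is an added example, not part of the original wiki page or the script it was taken from: a variant that walks every foreign_option_N, accepts only well-formed IPv4 nameservers and domain names, and leaves the resolver file alone when nothing valid was pushed. The function names and the RESOLV override are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the wiki author's script. Builds resolv.conf lines from
# OpenVPN's foreign_option_N variables. RESOLV is an assumed override.

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print one line per valid pushed option, however many were pushed.
# Returns 1 when no valid nameserver was found.
render_resolv() {
    i=1; rc=1
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        case "$opt" in
            "dhcp-option DNS "*)
                val=${opt#dhcp-option DNS }
                if is_ipv4 "$val"; then echo "nameserver $val"; rc=0; fi ;;
            "dhcp-option DOMAIN "*)
                val=${opt#dhcp-option DOMAIN }
                case "$val" in
                    ''|*[!A-Za-z0-9.-]*) ;;   # drop unexpected characters
                    *) echo "domain $val" ;;
                esac ;;
        esac
        i=$((i + 1))
    done
    return $rc
}

# Swap the resolver file only when a valid nameserver was pushed; on failure
# the existing file is left untouched and the function returns non-zero.
apply_resolv() {
    resolv=${RESOLV:-/tmp/resolv.conf.auto}
    new=$(render_resolv) || return 1
    mv "$resolv" "$resolv.hold" && printf '%s\n' "$new" > "$resolv"
}

# OpenVPN sets script_type=up when it runs the up script.
[ "${script_type:-}" != up ] || apply_resolv
```

It saves the previous file as /tmp/resolv.conf.auto.hold, the same name the ovpn-down script restores from.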

Certificates

You will need the .pem and .crt files supplied by your VPN provider. I placed mine under /etc/openvpn directory. The way I do this is to download the certificates on my computer and then do the following.

cat<<'EOF' > /etc/openvpn/ovpn.crt

Open the .crt file in a text editor on your computer and copy and paste its contents into the SSH session, followed by:

EOF

You will need to do the same for the .pem file.

cat<<'EOF' > /etc/openvpn/ovpn.pem

Paste in contents of the .pem file

EOF

userpass.txt

You need to create a text file with your VPN connection's username and password. The easiest way to do this is as follows.

cat<<'EOF' > /etc/openvpn/userpass.txt

You will then enter your username, press enter, type your password, press enter, type EOF, press enter. This will create a plain-text file with your username on the first line and your password on the second.

OpenVPN Configuration

Since there are a lot of problems with the OpenVPN LuCI app, it will probably be easier to edit your /etc/config/openvpn configuration file directly so that it looks similar to the one below.

config openvpn 'Private_Internet_Access'
        option float '1'
        option client '1'
        option remote_random '0'
        option proto 'udp'
        option dev 'tun0'
        option comp_lzo 'yes'
        option auth 'sha256'
        option cipher 'aes-256-cbc'
        option auth_user_pass '/etc/openvpn/userpass.txt'
        option resolv_retry 'infinite'
        option remote 'aus-melbourne.privateinternetaccess.com 1197'
        option crl_verify '/etc/openvpn/ovpn.pem'
        option nobind '1'
        option persist_tun '1'
        option persist_key '1'
        option tls_client '1'
        option remote_cert_tls 'server'
        option reneg_sec '0'
        option up '/usr/bin/ovpn-up'
        option down '/usr/bin/ovpn-down'
        option script_security '2'
        option down_pre '1'
        option up_restart '1'
        option up_delay '5'
        option log '/var/log/openvpn.log'
        option ca '/etc/openvpn/ovpn.crt'
        option enabled '1'

playground/vpn.client.openvpn.tun.txt · Last modified: 2017/06/11 02:08 by simplexion