OpenConnect extras

Install the necessary packages if you want to manage VPN settings from the web interface.

# Install packages
opkg update
opkg install luci-app-ocserv
/etc/init.d/rpcd restart

Navigate to LuCI → VPN → OpenConnect VPN to configure the OpenConnect server.

# Install packages
opkg update
opkg install luci-proto-openconnect
/etc/init.d/rpcd restart

Navigate to LuCI → Network → Interfaces to configure the OpenConnect client.

Preserve the default route so that WAN connectivity is restored when the VPN disconnects.

# Preserve default route
uci set network.wan.metric="1024"
uci commit network
service network restart

Web interface

To manage VPN settings from the web interface, install the necessary packages.

# Install packages
opkg update
opkg install luci-proto-ppp
service rpcd restart

Navigate to LuCI → Network → Interfaces to configure PPTP.

Dynamic connection

Preserve the default route so that WAN connectivity is restored when the VPN disconnects.

# Preserve default route
uci set network.wan.metric="1024"
uci commit network
service network restart

NAT traversal

Provide PPTP passthrough for LAN clients over your router.

# Install packages
opkg update
opkg install kmod-nf-nathelper-extra
service firewall restart

Static addresses

Provide static IP address allocation on the VPN server.

# Configure VPN service
rm -f /tmp/etc/chap-secrets
uci set pptpd.client.remoteip="192.168.9.2"
uci commit pptpd
service pptpd restart

Site-to-site

Implement plain routing between the server-side LAN and the client-side LAN, assuming that:

  • 192.168.1.0/24 - server side LAN
  • 192.168.2.0/24 - client side LAN

Set up static address allocation on the VPN server and add a route to the client-side LAN.

cat << "EOF" > /etc/ppp/ip-up
#!/bin/sh
case ${IPREMOTE} in
(192.168.9.2) ip route add 192.168.2.0/24 via ${IPREMOTE} dev ${IFNAME} ;;
esac
EOF
chmod +x /etc/ppp/ip-up

Treat the VPN network as private: assign the VPN interface to the LAN zone on the VPN client and add a route to the server-side LAN.

uci del_list firewall.wan.network="vpn"
uci add_list firewall.lan.network="vpn"
uci commit firewall
service firewall restart
uci -q delete network.vpn_rt
uci set network.vpn_rt="route"
uci set network.vpn_rt.interface="vpn"
uci set network.vpn_rt.target="192.168.1.0/24"
uci set network.vpn_rt.gateway="192.168.9.1"
uci commit network
service network restart

Default gateway
Split gateway

If the VPN gateway is separate from your LAN gateway, implement plain routing between the LAN and VPN networks, assuming that:

  • 192.168.1.0/24 - LAN network
  • 192.168.1.2/24 - VPN gateway
  • 192.168.9.0/24 - VPN network

Add port forwarding for VPN server on LAN gateway.

uci -q delete firewall.pptp
uci set firewall.pptp="redirect"
uci set firewall.pptp.name="Redirect-PPTP"
uci set firewall.pptp.src="wan"
uci set firewall.pptp.src_dport="1723"
uci set firewall.pptp.dest="lan"
uci set firewall.pptp.dest_ip="192.168.1.2"
uci set firewall.pptp.family="ipv4"
uci set firewall.pptp.proto="tcp"
uci set firewall.pptp.target="DNAT"
uci commit firewall
service firewall restart

Add route to VPN network via VPN gateway on LAN gateway.

uci -q delete network.vpn
uci set network.vpn="route"
uci set network.vpn.interface="lan"
uci set network.vpn.target="192.168.9.0/24"
uci set network.vpn.gateway="192.168.1.2"
uci commit network
service network restart

IPv6 gateway

Set up an IPv6 tunnel broker, or use IPv6 NAT or NPT if necessary. Configure IPv6 on the VPN server.

cat << "EOF" > /etc/ppp/ip-up
#!/bin/sh
ip address add fd00:9::1/64 dev ${IFNAME}
EOF
chmod +x /etc/ppp/ip-up

Configure IPv6 on VPN client, redirect IPv6 gateway.

uci add_list firewall.wan.network="vpn6"
uci commit firewall
service firewall restart
uci -q delete network.vpn6
uci set network.vpn6="interface"
uci set network.vpn6.proto="static"
uci set network.vpn6.device="@vpn"
uci set network.vpn6.ip6addr="fd00:9::2/64"
uci -q delete network.vpn6_rt
uci set network.vpn6_rt="route6"
uci set network.vpn6_rt.interface="vpn6"
uci set network.vpn6_rt.target="::/0"
uci commit network
service network restart

Disable ISP prefix delegation to prevent IPv6 leaks on VPN client.

DNS over VPN

Serve DNS for VPN clients on OpenWrt server when using point-to-point topology.

Route DNS over VPN to prevent DNS leaks on VPN client.

Replace peer DNS with public or VPN-specific DNS provider on OpenWrt client.

Modify the VPN connection using NetworkManager on Linux desktop client.

nmcli connection modify id VPN_CON \
ipv4.dns-search ~. ipv4.dns-priority -50 \
ipv6.dns-search ~. ipv6.dns-priority -50

Kill switch

Prevent traffic leaks on the OpenWrt client by isolating the VPN interface in a separate firewall zone.

uci -q delete firewall.vpn
uci set firewall.vpn="zone"
uci set firewall.vpn.name="vpn"
uci set firewall.vpn.input="REJECT"
uci set firewall.vpn.output="ACCEPT"
uci set firewall.vpn.forward="REJECT"
uci set firewall.vpn.masq="1"
uci set firewall.vpn.mtu_fix="1"
uci add_list firewall.vpn.network="vpn"
uci del_list firewall.wan.network="vpn"
uci -q delete firewall.@forwarding[0]
uci set firewall.lan_vpn="forwarding"
uci set firewall.lan_vpn.src="lan"
uci set firewall.lan_vpn.dest="vpn"
uci commit firewall
service firewall restart
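
An added example (not from the OpenWrt page): an audit over `uci show firewall` output that checks whether the kill switch above is actually in place, with constructed before/after dumps. It assumes the VPN zone and the VPN interface are both named `vpn`, as in the commands above.

```python
import shlex

# Constructed `uci show firewall` dumps: BEFORE is a default layout, AFTER is what the kill-switch commands above produce.
UCI_BEFORE = """\
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.network='wan' 'wan6' 'vpn'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
"""
UCI_AFTER = """\
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.network='wan' 'wan6'
firewall.vpn=zone
firewall.vpn.name='vpn'
firewall.vpn.input='REJECT'
firewall.vpn.forward='REJECT'
firewall.vpn.network='vpn'
firewall.lan_vpn=forwarding
firewall.lan_vpn.src='lan'
firewall.lan_vpn.dest='vpn'
"""

def parse_uci_show(text):
    """Map `uci show` lines to {section: {'.type': type, option: [values]}}."""
    cfg = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        parts = key.split(".")  # config, section[, option]
        sec = cfg.setdefault(parts[1], {})
        if len(parts) == 2:
            sec[".type"] = value
        else:  # list options print as 'a' 'b'; shlex splits them back into items
            sec[parts[2]] = shlex.split(value)
    return cfg

def killswitch_findings(text, vpn="vpn"):
    """Audit a dump; an empty list means no leak path was found."""
    cfg, out = parse_uci_show(text), []
    zones = {o["name"][0]: o for o in cfg.values() if o.get(".type") == "zone"}
    holders = [n for n, o in zones.items() if vpn in o.get("network", [])]
    if holders != [vpn]:  # the interface must sit only in its own zone
        out.append(f"{vpn!r} is attached to zones {holders}, expected only {[vpn]}")
    if any(o.get(".type") == "forwarding" and o.get("src") == ["lan"] and o.get("dest") == ["wan"] for o in cfg.values()):
        out.append("lan -> wan forwarding still present: traffic leaks when the VPN is down")
    zone = zones.get(vpn, {})
    for opt in ("input", "forward"):  # zone policy must reject what is not explicitly allowed
        if zone.get(opt) != ["REJECT"]:
            out.append(f"zone {vpn!r} {opt} should be REJECT, found {zone.get(opt)}")
    return out
```

On a router, feed the live configuration in with `uci show firewall | python3 audit.py` and treat any non-empty result as a leak path to fix before relying on the VPN.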

Multi-client

Set up a multi-client VPN server, using unique credentials for each client.

# Configure VPN service
VPN_USER="USERNAME1"
VPN_PASS="PASSWORD1"
uci -q delete pptpd.client1
uci set pptpd.client1="login"
uci set pptpd.client1.username="${VPN_USER}"
uci set pptpd.client1.password="${VPN_PASS}"
uci commit pptpd
service pptpd restart

Automated

Automated VPN server installation.

URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/pptp/server"
cat << EOF > pptp-server.sh
$(wget -U "" -O - "${URL}?codeblock=0")
$(wget -U "" -O - "${URL}?codeblock=1")
$(wget -U "" -O - "${URL}?codeblock=2")
EOF
sh pptp-server.sh

Generate server certificate hash.

# Install packages
opkg update
opkg install openssl-util
 
# Generate certificate hash
OC_CERT="/etc/ocserv/server-cert.pem"
OC_HASH="$(echo pin-sha256:\
$(openssl x509 -in ${OC_CERT} -pubkey -noout \
| openssl pkey -pubin -outform der \
| openssl dgst -sha256 -binary \
| openssl enc -base64))"
echo ${OC_HASH}
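
The openssl pipeline above produces the public-key pin that OpenConnect clients compare against the server. The following Python script is an added example, not part of the OpenWrt page: it computes the same pin-sha256 value from a PEM certificate without openssl, so a client operator can check a pin they were handed against the server's published certificate. The minimal DER walker and the constructed sample certificate are assumptions for illustration.

```python
import base64
import hashlib
def _tlv(buf, pos):
    """Decode one DER header at pos: (tag, header_length, value_length)."""
    first = buf[pos + 1]
    if first < 0x80:
        return buf[pos], 2, first
    n = first & 0x7F
    return buf[pos], 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def _children(tlv):
    """Split a constructed DER element into the byte strings of its members."""
    _, hl, vl = _tlv(tlv, 0)
    pos, out = hl, []
    while pos < hl + vl:
        _, chl, cvl = _tlv(tlv, pos)
        out.append(tlv[pos:pos + chl + cvl])
        pos += chl + cvl
    return out

def spki_from_cert(der):
    """Return the SubjectPublicKeyInfo element of a DER-encoded X.509 certificate."""
    tbs = _children(_children(der)[0])  # members of tbsCertificate
    if tbs[0][0] == 0xA0:               # optional explicit [0] version comes first
        tbs = tbs[1:]
    return tbs[5]  # serial, signature, issuer, validity, subject, SPKI

def pem_to_der(pem):
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def pin_sha256(pem):
    """Same value as the openssl pipeline above: base64(SHA-256(SPKI DER))."""
    digest = hashlib.sha256(spki_from_cert(pem_to_der(pem))).digest()
    return "pin-sha256:" + base64.b64encode(digest).decode()

def _enc(tag, body):
    """Tiny DER encoder, used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes(1 if n < 0x100 else 2, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
# Constructed sample certificate (unsigned, not verifiable): only its structure matters.
SAMPLE_SPKI = _enc(0x30, _enc(0x30, bytes.fromhex("06092a864886f70d0101010500"))
                   + _enc(0x03, b"\x00" + bytes(range(100))))
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(_enc(0x30,
    _enc(0x30, _enc(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + _enc(0x30, b"") * 4 + SAMPLE_SPKI)
    + _enc(0x30, b"") + _enc(0x03, b"\x00" + bytes(32)))).decode()
    + "\n-----END CERTIFICATE-----\n")
```

Run `pin_sha256(open("/etc/ocserv/server-cert.pem").read())` on a copy of the real certificate; the result must match what the openssl pipeline printed, otherwise the pin being distributed to clients does not belong to this server.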

Automated VPN server installation.

opkg update
opkg install curl
URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/openconnect"
cat << EOF > oc.sh
$(curl "${URL}/server?codeblock=0")
$(curl "${URL}/server?codeblock=1")
$(curl "${URL}/server?codeblock=2")
EOF
sh oc.sh
  • Last modified: 2020/11/28 08:01
  • by vgaetera