OpenVPN basic

Introduction

  • This how-to describes how to set up an OpenVPN server on OpenWrt.
  • It generates OpenVPN client profiles that are easy to export/import between devices.
  • Follow OpenVPN client for client setup and OpenVPN extras for additional tuning.

Goals

  • Encrypt your internet connection to enforce security and privacy.
    • Prevent data leaks and traffic spoofing on the client side.
  • Bypass regional restrictions using commercial providers.
    • Escape client-side content filters and internet censorship.
  • Access your LAN services remotely without port forwarding.

Instructions

1. Firewall

Treat the VPN network as private and assign the VPN interface to the LAN zone to minimize firewall setup. Allow access to the VPN server from the WAN zone.

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci rename firewall.@forwarding[0]="lan_wan"
uci del_list firewall.lan.device="tun0"
uci add_list firewall.lan.device="tun0"
uci -q delete firewall.ovpn
uci set firewall.ovpn="rule"
uci set firewall.ovpn.name="Allow-OpenVPN"
uci set firewall.ovpn.src="wan"
uci set firewall.ovpn.dest_port="1194"
uci set firewall.ovpn.proto="udp"
uci set firewall.ovpn.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

2. PKI

Use EasyRSA to manage the PKI. Protect the private keys with a password if required.

# Install packages
opkg update
opkg install openvpn-easy-rsa
 
# Configuration parameters
export EASYRSA_PKI="/etc/easy-rsa/pki"
export EASYRSA_REQ_CN="ovpnca"
 
# Remove and re-initialize the PKI directory
easyrsa --batch init-pki
 
# Generate DH parameters
easyrsa --batch gen-dh
 
# Create a new CA
easyrsa --batch build-ca nopass
 
# Generate a keypair and sign locally for a server
easyrsa --batch build-server-full server nopass
 
# Generate a keypair and sign locally for a client
easyrsa --batch build-client-full client nopass

3. Basic server

Install and configure the VPN server.

# Install packages
opkg update
opkg install openvpn-openssl
 
# Generate TLS PSK
OVPN_PKI="/etc/easy-rsa/pki"
openvpn --genkey --secret ${OVPN_PKI}/tc.pem
 
# Configuration parameters
OVPN_DIR="/etc/openvpn"
OVPN_PKI="/etc/easy-rsa/pki"
OVPN_DEV="$(uci get firewall.lan.device | sed -e "s/^.*\s//")"
OVPN_PORT="$(uci get firewall.ovpn.dest_port)"
OVPN_PROTO="$(uci get firewall.ovpn.proto)"
OVPN_POOL="192.168.8.0 255.255.255.0"
OVPN_DNS="${OVPN_POOL%.* *}.1"
OVPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)"
OVPN_DH="$(cat ${OVPN_PKI}/dh.pem)"
OVPN_TC="$(sed -e "/^#/d;/^\w/N;s/\n//" ${OVPN_PKI}/tc.pem)"
OVPN_CA="$(openssl x509 -in ${OVPN_PKI}/ca.crt)"
NL=$'\n'
 
# Configure VPN server
umask u=rw,g=,o=
grep -l -r -e "TLS Web Server Auth" "${OVPN_PKI}/issued" \
| sed -e "s/^.*\///;s/\.\w*$//" \
| while read -r OVPN_ID
do
OVPN_CERT="$(openssl x509 -in ${OVPN_PKI}/issued/${OVPN_ID}.crt)"
OVPN_KEY="$(cat ${OVPN_PKI}/private/${OVPN_ID}.key)"
cat << EOF > ${OVPN_DIR}/${OVPN_ID}.conf
verb 3
user nobody
group nogroup
dev ${OVPN_DEV}
port ${OVPN_PORT}
proto ${OVPN_PROTO}
server ${OVPN_POOL}
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS ${OVPN_DNS}"
push "dhcp-option DOMAIN ${OVPN_DOMAIN}"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>${NL}${OVPN_DH}${NL}</dh>
<tls-crypt>${NL}${OVPN_TC}${NL}</tls-crypt>
<ca>${NL}${OVPN_CA}${NL}</ca>
<cert>${NL}${OVPN_CERT}${NL}</cert>
<key>${NL}${OVPN_KEY}${NL}</key>
EOF
done
/etc/init.d/openvpn restart

4. Client profiles

Set up a DDNS client if required. Generate the VPN client profiles.

# Fetch IP address
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_ipaddr OVPN_SERV "${NET_IF}"
 
# Fetch FQDN from DDNS client
OVPN_FQDN="$(uci -q get "$(uci -q show ddns \
| sed -n -e "/\.enabled='1'$/s//.lookup_host/p" \
| sed -n -e "1p")")"
if [ -n "${OVPN_FQDN}" ]
then
OVPN_SERV="${OVPN_FQDN}"
fi
 
# Configuration parameters
OVPN_DIR="/etc/openvpn"
OVPN_PKI="/etc/easy-rsa/pki"
OVPN_DEV="$(uci get firewall.lan.device | sed -e "s/^.*\s//")"
OVPN_PORT="$(uci get firewall.ovpn.dest_port)"
OVPN_PROTO="$(uci get firewall.ovpn.proto)"
OVPN_TC="$(sed -e "/^#/d;/^\w/N;s/\n//" ${OVPN_PKI}/tc.pem)"
OVPN_CA="$(openssl x509 -in ${OVPN_PKI}/ca.crt)"
NL=$'\n'
 
# Generate VPN client profiles
umask u=rw,g=,o=
grep -l -r -e "TLS Web Client Auth" "${OVPN_PKI}/issued" \
| sed -e "s/^.*\///;s/\.\w*$//" \
| while read -r OVPN_ID
do
OVPN_CERT="$(openssl x509 -in ${OVPN_PKI}/issued/${OVPN_ID}.crt)"
OVPN_KEY="$(cat ${OVPN_PKI}/private/${OVPN_ID}.key)"
cat << EOF > ${OVPN_DIR}/${OVPN_ID}.ovpn
verb 3
dev ${OVPN_DEV%%[0-9]*}
nobind
client
remote ${OVPN_SERV} ${OVPN_PORT} ${OVPN_PROTO}
auth-nocache
remote-cert-tls server
<tls-crypt>${NL}${OVPN_TC}${NL}</tls-crypt>
<ca>${NL}${OVPN_CA}${NL}</ca>
<cert>${NL}${OVPN_CERT}${NL}</cert>
<key>${NL}${OVPN_KEY}${NL}</key>
EOF
done
ls ${OVPN_DIR}/*.ovpn

Perform an OpenWrt backup. Extract the client profiles from the archive and import them into your clients.

Automated script on PC

Creating a private key on an embedded device takes a lot of time. You can speed things up by creating the certificates on your PC.

Install openvpn on your PC (it is required to build the certificates) and then run this script. It will ask you for a password to encrypt the private key in client.ovpn. Then you only have to transfer server.conf to /etc/openvpn on your router and run service openvpn restart.

#!/bin/sh
# Change SERVER.DOMAIN.OR.IP in client.ovpn after running this script
 
writeclient(){
    cat << EOF > "client.ovpn"
verb 3
dev tun
nobind
client
remote SERVER.DOMAIN.OR.IP 1194 udp
auth-nocache
remote-cert-tls server
<tls-crypt>
${TC_KEY}
</tls-crypt>
<ca>
${CA_CERT}
</ca>
<cert>
${CLI_CERT}
</cert>
<key>
${CLI_KEY}
</key>
EOF
}
 
writeserver(){
    cat << EOF > "server.conf"
verb 3
user nobody
group nogroup
dev tun0
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
duplicate-cn
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
${DH_KEY}
</dh>
<tls-crypt>
${TC_KEY}
</tls-crypt>
<ca>
${CA_CERT}
</ca>
<cert>
${SER_CERT}
</cert>
<key>
${SER_KEY}
</key>
EOF
}
 
if [ ! -f "EasyRSA.tgz" ]
then
    wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz -O EasyRSA.tgz
    tar -xf EasyRSA.tgz
fi
 
cd EasyRSA-v3.0.6
./easyrsa --batch init-pki
 
export EASYRSA_PKI="pki"
export EASYRSA_REQ_CN="vpnca"
./easyrsa --batch gen-dh
./easyrsa --batch build-ca nopass
./easyrsa --batch build-server-full vpnserver nopass
./easyrsa --batch build-client-full vpnclient # nopass # uncomment to remove password on client.ovpn
openvpn --genkey --secret pki/tc.pem
 
DH_KEY="$(cat "pki/dh.pem")"
TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "pki/tc.pem")"
CA_CERT="$(openssl x509 -in "pki/ca.crt")"
SER_CERT="$(openssl x509 -in "pki/issued/vpnserver.crt")"
SER_KEY="$(cat "pki/private/vpnserver.key")"
CLI_CERT="$(openssl x509 -in "pki/issued/vpnclient.crt")"
CLI_KEY="$(cat "pki/private/vpnclient.key")"
 
writeserver
writeclient
 
echo Done! You can find config files here:
echo $(pwd)/server.conf
echo $(pwd)/client.ovpn
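Before a profile generated by the router (section 4) or by the PC script above leaves the box, it is worth checking that it is complete and not world-readable. The following is an added example, not part of the wiki page or of the OpenVPN project: it inspects only the text of the .ovpn file (inline blocks, the directives the how-to relies on, the unedited SERVER.DOMAIN.OR.IP placeholder, the file mode) and does not verify the certificates cryptographically.

```shell
#!/bin/sh
# Check an OpenVPN client profile (.ovpn) before exporting it to a device.
# Added example, not from the wiki page: it inspects only the text of the
# profile (inline blocks, directives, file mode); it does not verify the
# certificates cryptographically.

# Usage: ovpn_check_profile FILE   -> prints findings, returns their number
ovpn_check_profile() {
    file="$1"
    problems=0

    # 1. Each inline block the how-to embeds must open and close exactly once.
    for tag in ca cert key tls-crypt; do
        opens=$(grep -c "^<${tag}>\$" "$file" || true)
        closes=$(grep -c "^</${tag}>\$" "$file" || true)
        if [ "$opens" != 1 ] || [ "$closes" != 1 ]; then
            echo "$file: <$tag> block malformed ($opens open, $closes close)"
            problems=$((problems + 1))
        fi
    done

    # 2. The PC script writes a placeholder that must be replaced by hand.
    if grep -q "^remote .*SERVER\.DOMAIN\.OR\.IP" "$file"; then
        echo "$file: 'remote' still uses the SERVER.DOMAIN.OR.IP placeholder"
        problems=$((problems + 1))
    fi

    # 3. Directives the how-to relies on; without 'remote-cert-tls server'
    #    any certificate issued by the same CA could pose as the server.
    for directive in "client" "nobind" "auth-nocache" "remote-cert-tls server"; do
        if ! grep -q "^$directive\$" "$file"; then
            echo "$file: missing '$directive'"
            problems=$((problems + 1))
        fi
    done

    # 4. The file carries a private key, so it must not be readable by others.
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file" 2>/dev/null || echo unknown)
    case "$mode" in
        *0) ;;
        *) echo "$file: mode $mode is readable by others (expected 600)"
           problems=$((problems + 1)) ;;
    esac
    return "$problems"
}
```

Run it as `ovpn_check_profile /etc/openvpn/client.ovpn` on the router, or on the PC against client.ovpn; a zero exit status means none of the checks fired.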

Testing

Establish the VPN connection. Verify that your client traffic is routed via the VPN gateway.

traceroute openwrt.org
traceroute6 openwrt.org

Check your client's public IP addresses.

Make sure there is no DNS leak on the client side.

Delegate a public IPv6 prefix to the VPN6 network to use IPv6 by default.

Troubleshooting

Collect and analyze the following information.

# Restart the services, then try to reconnect
/etc/init.d/log restart; /etc/init.d/openvpn restart; sleep 10
 
# Log and status
logread -e openvpn; netstat -l -n -p | grep -e openvpn
 
# Runtime configuration
pgrep -f -a openvpn
ip address show; ip route show; ip rule show; iptables-save
ip -6 address show; ip -6 route show; ip -6 rule show; ip6tables-save
 
# Persistent configuration
uci show network; uci show firewall; uci show openvpn
head -n -0 /etc/openvpn/*.conf
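The log is the first place to look, and the same few OpenVPN messages account for most failures of this setup. The script below is an added example, not part of the wiki page or of OpenVPN: it reads `logread -e openvpn` output from stdin, counts the message classes it recognizes (the fragments are OpenVPN 2.4 log texts) and prints a hint pointing back at the section of this how-to that usually fixes each; the hints and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Triage "logread -e openvpn" output: count the OpenVPN messages that most
# often show up when this how-to's setup goes wrong and point back at the
# step that usually fixes each. Added example, not from the wiki page; the
# message fragments are OpenVPN 2.4 log texts, the hints are the editor's.

# Usage: logread -e openvpn | ovpn_triage_log
# Prints one line per matched class and returns the number of error classes.
ovpn_triage_log() {
    log=$(cat)
    errors=0
    # Table: message fragment | severity | hint (fields separated by '|')
    while IFS='|' read -r fragment severity hint; do
        n=$(printf '%s\n' "$log" | grep -c -e "$fragment" || true)
        [ "$n" -gt 0 ] || continue
        echo "$severity ${n}x '$fragment': $hint"
        [ "$severity" = "error" ] && errors=$((errors + 1))
    done <<'EOF'
TLS key negotiation failed to occur|error|no handshake packets arrive: check the Allow-OpenVPN rule, port/proto and the client's remote line (sections 1, 4)
tls-crypt unwrap error|error|tls-crypt key mismatch: the profile carries a different tc.pem than the server (sections 3, 4)
VERIFY ERROR|error|certificate rejected: client and server must be signed by the same CA and still be valid (section 2)
packet HMAC authentication failed|error|data channel keys differ: the profile is stale, regenerate it after re-initializing the PKI (section 4)
Socket bind failed|error|port already in use or interface not up: see pgrep -f -a openvpn and netstat -l -n -p
Options error|error|bad directive in the generated .conf or .ovpn (sections 3, 4)
Initialization Sequence Completed|ok|tunnel came up; remaining issues are routing or DNS, see Testing
EOF
    return "$errors"
}

# Constructed sample of logread output (not a real capture) to run stand-alone:
SAMPLE_LOG='Mon Nov 18 16:24:50 2019 daemon.notice openvpn(server)[1234]: Initialization Sequence Completed
Mon Nov 18 16:25:01 2019 daemon.err openvpn(server)[1234]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Nov 18 16:25:40 2019 daemon.err openvpn(server)[1234]: tls-crypt unwrap error: packet authentication failed
Mon Nov 18 16:26:02 2019 daemon.notice openvpn(server)[1234]: 203.0.113.7:40001 VERIFY ERROR: depth=0, error=certificate has expired: CN=client
Mon Nov 18 16:27:03 2019 daemon.notice openvpn(server)[1234]: 203.0.113.9:40002 [client] Peer Connection Initiated with [AF_INET]203.0.113.9:40002'
printf '%s\n' "$SAMPLE_LOG" | ovpn_triage_log || echo "error classes found: $?"
```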
docs/guide-user/services/vpn/openvpn/basic.txt · Last modified: 2019/11/18 16:25 by bignerd95