OpenVPN Basic

VPN Server Purpose

  • The OpenVPN server running on your router can provide a secure connection back to your home network while you're away.
    • If you need to access the router itself, or any of your home network devices remotely, the OpenVPN server is a great and secure solution.

  • This article provides a concise and correct procedure for setting up an OpenVPN server on your router.
    • This procedure has been tested on LEDE 17.01 & 18.06 and should work with earlier OpenWrt versions.

Requirements

  • Files & Folder Locations:

Prerequisites

  • The preferred way to obtain the scripts is to use wget
  • If downloading via Windows

Generate Certs

  • The OpenVPN Server (running on your router) and your OpenVPN Client device (running remotely) need certificates to secure the communication.

  • This procedure covers generating the certificates on the router itself.
    • Please be aware, this process may take a long time (~20 min on newer devices, to possibly many hours on older ones).
  • Download:
    wget --no-check-certificate -O /tmp/create-certs.sh "https://openwrt.org/_export/code/docs/guide-user/services/vpn/openvpn/basic?codeblock=2"
    sh -v -x /tmp/create-certs.sh
    • create-certs.sh

Server Configs

  • create-configs.sh edits the following config files:
    • /etc/config/firewall
    • /etc/config/network
    • /etc/config/openvpn
  • Download:
    wget --no-check-certificate -O /tmp/create-configs.sh "https://openwrt.org/_export/code/docs/guide-user/services/vpn/openvpn/basic?codeblock=4"
    sh -v -x /tmp/create-configs.sh
    • create-configs.sh

Client Config

Generate

  • Your OpenVPN Client will need an .ovpn-file to connect to your OpenVPN server.
    • This section generates a .ovpn-file on your router so you can later copy it to your client devices.

  • To connect to your router remotely (from the internet) you will need to know the router's IP-address or DNS name.
    • If your ISP assigns a dynamic IP-address you need to configure DDNS Client service beforehand.
  • Download:
    wget --no-check-certificate -O /tmp/create-ovpn.sh "https://openwrt.org/_export/code/docs/guide-user/services/vpn/openvpn/basic?codeblock=6"
    sh -v -x /tmp/create-ovpn.sh
    • create-ovpn.sh
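
The three Download steps on this page fetch a script with --no-check-certificate, which turns off TLS certificate verification, and then run it immediately as root. The following is an added example, not part of the original wiki page or the OpenWrt project's scripts: a wrapper that fetches with verification left on, stages the script for review, and executes it only when its SHA-256 matches the digest pinned after reading it. The file name pinned-run.sh and all function names are hypothetical, and it assumes a CA certificate bundle is installed on the router and that sha256sum is available.

```shell
#!/bin/sh
# Added example: stage, review, pin, then run a helper script as root.
# Assumption: a CA bundle is installed so wget can verify the server certificate.

# Print only the hex SHA-256 digest of a file.
script_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Succeed only when the file's digest equals a non-empty pinned digest.
digest_matches() {
    [ -n "$2" ] && [ "$(script_digest "$1")" = "$2" ]
}

# Download with TLS verification left on; discard partial or empty results.
fetch_verified() {  # usage: fetch_verified <url> <dest>
    wget -O "$2" "$1" && [ -s "$2" ] || { rm -f "$2"; return 1; }
}

# Execute the staged script only if it is byte-identical to the reviewed copy.
run_if_pinned() {   # usage: run_if_pinned <file> <pinned-sha256>
    if digest_matches "$1" "$2"; then
        sh "$1"
    else
        echo "refusing to run $1: digest $(script_digest "$1") != pin" >&2
        return 1
    fi
}

# First run (no pin): stage the script and print its digest for review.
# Second run (with pin): fetch again and execute only on an exact match.
# usage: sh pinned-run.sh <url> <dest> [pinned-sha256]
if [ "$#" -ge 2 ]; then
    fetch_verified "$1" "$2" || exit 1
    if [ -n "${3:-}" ]; then
        run_if_pinned "$2" "$3"
    else
        echo "Staged $2 (not executed). Read it, then pin: $(script_digest "$2")"
    fi
fi
```

If the wiki code block changes between the review and the second fetch, the digest no longer matches and nothing is executed.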

Import

  • The script above displays the generated .ovpn-file as its final step. Now copy it to your computer.
    • The easiest way is to copy that text from the screen, and paste it into a new file on your computer named vpnclient.ovpn

  • After you've saved the .ovpn-file to your device, distribute it to any additional devices that will use the OpenVPN client.

  • The way you connect to your OpenVPN Server depends on the OS utilized

Notes

Advanced

For complete reference material on the OpenVPN server setup, please visit OpenVPN Comprehensive.

Compression

The example above uses the default compression (lzo). You may want to use the better lz4 compression if your clients support it (notably, as of version 67, ChromeOS does not).

Security

Ensure Windows clients are running an OpenVPN version >2.4.2, which includes a DNS leak patch (Changelog | Bug #605).

TAP

In case you need a bridged network

Troubleshooting

  1. Verify OpenVPN successfully started:
    ps | grep '[o]penvpn'
    logread -e openvpn
  2. Change protocol to tcp and increase log verbosity:
    1. Server:
      uci set openvpn.vpnserver.verb="5"
      uci set openvpn.vpnserver.proto="tcp"
      uci commit openvpn && service openvpn restart
    2. Client:
      verb 7
      proto tcp
  3. Disconnect client, then reconnect

  4. If asking for help in a forum, please perform the above and include the following in your initial post:
    1. Include

Credits

docs/guide-user/services/vpn/openvpn/basic.txt · Last modified: 2018/12/13 00:21 by jw0914