OpenVPN Basic

Introduction

  • This guide describes how to configure OpenWrt to run an OpenVPN server.
  • It helps to generate an OpenVPN client profile as a single file that is easy to export/import between devices.
  • Optionally you can turn your OpenVPN server into a dual-stack gateway.
  • Follow OpenVPN Client for client setup and OpenVPN Extra for additional tuning.

Goals

  • Encrypt your internet connection to enforce security and privacy:
    • Prevent data leaks and traffic spoofing on the client-ISP path.
    • Escape client-ISP content-filters and internet censorship.
  • Access your VPN-server LAN-services remotely without port forwarding.
  • Become your own tunnel broker providing dual-stack client connectivity.

Requirements

  • OpenWrt 18.06.1
  • OpenVPN 2.4.5
  • Easy-RSA 3.0.4

OpenVPN Extra > Recommended Clients

Instructions

1. Preparation

Install OpenWrt and perform initial network and firewall setup.

2. Network

Assign VPN-interface to VPN-network.

uci set network.vpn="interface"
uci set network.vpn.ifname="tun0"
uci set network.vpn.proto="none"
uci commit network
service network reload

3. Firewall

To minimize firewall setup, treat the VPN-network as private and assign it to the LAN-zone. Allow access to the VPN-server from the WAN-zone.

uci add_list firewall.@zone[0].network="vpn"
uci add firewall rule
uci set firewall.@rule[-1].name="Allow-OpenVPN"
uci set firewall.@rule[-1].src="wan"
uci set firewall.@rule[-1].dest_port="1194"
uci set firewall.@rule[-1].proto="udp"
uci set firewall.@rule[-1].target="ACCEPT"
uci commit firewall
service firewall restart

4. PKI

Use Easy-RSA for PKI-management. Password-protect the private keys if required; the commands below use nopass.

# Install packages
opkg update
opkg install openvpn-easy-rsa
 
# Configuration parameters
EASYRSA_PKI="/etc/easy-rsa/pki"
 
# Remove and re-initialize the PKI directory
easyrsa --batch --pki-dir="$EASYRSA_PKI" init-pki
 
# Generate DH parameters
# May take a while to complete (~25m on WRT3200ACM)
easyrsa --batch --pki-dir="$EASYRSA_PKI" gen-dh
 
# Create a new CA
easyrsa --batch --pki-dir="$EASYRSA_PKI" --req-cn="vpnca" build-ca nopass
 
# Generate a keypair and sign locally for vpnserver
easyrsa --batch --pki-dir="$EASYRSA_PKI" build-server-full vpnserver nopass
 
# Generate a keypair and sign locally for vpnclient
easyrsa --batch --pki-dir="$EASYRSA_PKI" build-client-full vpnclient nopass

OpenVPN Extra > PKI
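Before the PKI is handed to OpenVPN it is worth confirming that every issued certificate actually chains to the new CA and carries the Extended Key Usage the next two steps select on (step 5 greps for "TLS Web Server Authentication", step 6 for "TLS Web Client Authentication"). The script below is an added example, not part of the wiki page; check_pki expects the Easy-RSA layout the guide uses (ca.crt, issued/, private/ under /etc/easy-rsa/pki), and make_test_pki is a constructed stand-in that builds a throwaway PKI with plain openssl so the check can be exercised off the router.

```shell
#!/bin/sh
# Added example, not part of the OpenWrt wiki page: verify an Easy-RSA PKI
# before OpenVPN is pointed at it. Each issued certificate must chain to
# ca.crt, and its Extended Key Usage is printed, because the guide's later
# steps select server and client certificates by grepping for
# "TLS Web Server Authentication" / "TLS Web Client Authentication".
# Usage on the router (path assumed from the guide): check_pki /etc/easy-rsa/pki

# cert_eku FILE: print the Extended Key Usage of a PEM certificate, or nothing.
cert_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Extended Key Usage' | tail -n 1 | sed -e 's/^ *//'
}

# check_pki PKI_DIR: verify every issued certificate against the CA and print
# its EKU. Returns 0 only if all certificates verify and at least one of them
# is usable as a server certificate.
check_pki() {
    pki="$1"; bad=0; servers=0
    for cert in "$pki"/issued/*.crt; do
        id=$(basename "$cert" .crt)
        if openssl verify -CAfile "$pki/ca.crt" "$cert" >/dev/null 2>&1; then
            eku=$(cert_eku "$cert")
            echo "$id: chain OK, EKU: ${eku:-none}"
            case "$eku" in
                *"TLS Web Server Authentication"*) servers=$((servers + 1)) ;;
            esac
        else
            echo "$id: FAILED to verify against $pki/ca.crt"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ] && [ "$servers" -ge 1 ]
}

# make_test_pki DIR: build a throwaway PKI with plain openssl in the same
# layout Easy-RSA uses (ca.crt, issued/, private/). Constructed for this
# example only; on the router the PKI comes from easyrsa as in the guide.
make_test_pki() {
    pki="$1"
    mkdir -p "$pki/issued" "$pki/private"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vpnca" \
        -keyout "$pki/private/ca.key" -out "$pki/ca.crt" >/dev/null 2>&1
    for spec in vpnserver:serverAuth vpnclient:clientAuth; do
        name=${spec%%:*}; eku=${spec##*:}
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$pki/private/$name.key" -out "$pki/$name.csr" >/dev/null 2>&1
        printf 'extendedKeyUsage=%s\n' "$eku" > "$pki/$name.ext"
        openssl x509 -req -days 1 -in "$pki/$name.csr" \
            -CA "$pki/ca.crt" -CAkey "$pki/private/ca.key" -CAcreateserial \
            -extfile "$pki/$name.ext" -out "$pki/issued/$name.crt" >/dev/null 2>&1
    done
}

# Stand-alone demo: a fresh PKI passes; a certificate signed by a different
# CA dropped into issued/ then makes the check fail.
if command -v openssl >/dev/null 2>&1; then
    good=$(mktemp -d); other=$(mktemp -d)
    make_test_pki "$good"; make_test_pki "$other"
    check_pki "$good" && echo "PKI OK"
    cp "$other/issued/vpnserver.crt" "$good/issued/rogue.crt"
    check_pki "$good" || echo "PKI rejected (certificate from another CA found)"
    rm -rf "$good" "$other"
fi
```

On the router, run check_pki against /etc/easy-rsa/pki right after the build-server-full and build-client-full commands; a certificate that fails to verify there would also fail the TLS handshake later, and a missing server EKU means the step 5 loop would find nothing to configure.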

5. VPN-Server

Install and configure VPN-server.

# Install packages
opkg update
opkg install openvpn-openssl
 
# Generate TLS PSK
EASYRSA_PKI="/etc/easy-rsa/pki"
openvpn --genkey --secret "$EASYRSA_PKI/tc.pem"
 
# Configuration parameters
VPN_DEV="$(uci get network.vpn.ifname)"
VPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)"
VPN_DNS="$(uci get network.lan.ipaddr)"
EASYRSA_PKI="/etc/easy-rsa/pki"
DH_KEY="$(cat "$EASYRSA_PKI/dh.pem")"
TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "$EASYRSA_PKI/tc.pem")"
CA_CERT="$(openssl x509 -in "$EASYRSA_PKI/ca.crt")"
NL=$'\n'
 
# Configure VPN-server
grep -l -r -e "TLS Web Server Authentication" "$EASYRSA_PKI/issued" \
| sed -e "s/^.*\///;s/\.\w*$//" \
| while read VPN_ID
do
VPN_CONF="/etc/openvpn/$VPN_ID.conf"
VPN_CERT="$(openssl x509 -in "$EASYRSA_PKI/issued/$VPN_ID.crt")"
VPN_KEY="$(cat "$EASYRSA_PKI/private/$VPN_ID.key")"
cat << EOF > "$VPN_CONF"
verb 3
user nobody
group nogroup
dev $VPN_DEV
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "redirect-gateway def1"
push "dhcp-option DOMAIN $VPN_DOMAIN"
push "dhcp-option DNS $VPN_DNS"
push "persist-tun"
push "persist-key"
<dh>$NL$DH_KEY$NL</dh>
<tls-crypt>$NL$TC_KEY$NL</tls-crypt>
<ca>$NL$CA_CERT$NL</ca>
<cert>$NL$VPN_CERT$NL</cert>
<key>$NL$VPN_KEY$NL</key>
EOF
chmod "u=rw,g=,o=" "$VPN_CONF"
done
service openvpn restart

OpenVPN Extra > Instance Management

6. VPN-Client

Set up a DDNS-client service if required. Generate VPN-client profiles.

# Fetch WAN-interface IP-address
source /lib/functions/network.sh
network_find_wan NET_IF
network_get_ipaddr VPN_SERV "$NET_IF"
 
# Fetch VPN-server FQDN from DDNS-client
VPN_FQDN="$(uci -q get $(uci -q show ddns \
    | sed -n -e "s/^\(.*\)\.enabled='1'$/\1/p" \
    | sed -n -e "1p").lookup_host)"
if [ -n "$VPN_FQDN" ]
then
    VPN_SERV="$VPN_FQDN"
fi
 
# Configuration parameters
VPN_CONF="/etc/openvpn/vpnserver.conf"
VPN_PORT="$(sed -n -r -e 's/^port\s(.*)/\1/p' "$VPN_CONF")"
VPN_PROTO="$(sed -n -r -e 's/^proto\s(.*)/\1/p' "$VPN_CONF")"
VPN_DEV="$(sed -n -r -e 's/^dev\s([a-z]*).*/\1/p' "$VPN_CONF")"
EASYRSA_PKI="/etc/easy-rsa/pki"
TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "$EASYRSA_PKI/tc.pem")"
CA_CERT="$(openssl x509 -in "$EASYRSA_PKI/ca.crt")"
NL=$'\n'
 
# Generate VPN-client profiles
grep -l -r -e "TLS Web Client Authentication" "$EASYRSA_PKI/issued" \
| sed -e "s/^.*\///;s/\.\w*$//" \
| while read VPN_ID
do
VPN_CONF="/etc/openvpn/$VPN_ID.ovpn"
VPN_CERT="$(openssl x509 -in "$EASYRSA_PKI/issued/$VPN_ID.crt")"
VPN_KEY="$(cat "$EASYRSA_PKI/private/$VPN_ID.key")"
cat << EOF > "$VPN_CONF"
verb 3
dev $VPN_DEV
nobind
client
remote $VPN_SERV $VPN_PORT $VPN_PROTO
auth-nocache
remote-cert-tls server
<tls-crypt>$NL$TC_KEY$NL</tls-crypt>
<ca>$NL$CA_CERT$NL</ca>
<cert>$NL$VPN_CERT$NL</cert>
<key>$NL$VPN_KEY$NL</key>
EOF
chmod "u=rw,g=,o=" "$VPN_CONF"
done
ls /etc/openvpn/*.ovpn

OpenVPN Extra > Desktop-Client Fixes

Perform an OpenWrt backup. Extract the client profiles from the archive and import them to your clients.
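The heredocs in steps 5 and 6 write whatever the variables hold, so an empty $VPN_KEY or a cert that failed to parse produces a config that looks fine but fails at connect time. The script below is an added example, not part of the wiki page: it checks a generated server config or client profile for the directives the guide writes and for balanced inline blocks, and additionally insists on "remote-cert-tls server" in client profiles, since without the "server" argument a client would accept any certificate signed by the CA, including another client's, as the VPN server. The directive lists and the sample profiles are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the OpenWrt wiki page: sanity-check the generated
# OpenVPN server config and client profiles before restarting the service or
# exporting a profile. Usage on the router (paths from the guide):
#   check_server_config /etc/openvpn/vpnserver.conf
#   check_client_profile /etc/openvpn/vpnclient.ovpn

# Directives and inline blocks the guide writes into each file type.
SERVER_DIRECTIVES="server topology keepalive persist-tun persist-key user group"
SERVER_BLOCKS="dh tls-crypt ca cert key"
CLIENT_DIRECTIVES="client nobind remote auth-nocache remote-cert-tls"
CLIENT_BLOCKS="tls-crypt ca cert key"

# has_directive FILE NAME: true if a line in FILE starts with NAME.
has_directive() {
    grep -q -E "^$2( |$)" "$1"
}

# block_balanced FILE TAG: true if <TAG> and </TAG> each appear exactly once.
block_balanced() {
    opens=$(grep -c "^<$2>$" "$1" || true)
    closes=$(grep -c "^</$2>$" "$1" || true)
    [ "$opens" -eq 1 ] && [ "$closes" -eq 1 ]
}

# check_config FILE "DIRECTIVES" "BLOCKS": print each problem, return the count.
check_config() {
    f="$1"; n=0
    for d in $2; do
        has_directive "$f" "$d" || { echo "$f: missing directive '$d'"; n=$((n + 1)); }
    done
    for t in $3; do
        block_balanced "$f" "$t" || { echo "$f: inline <$t> block missing or unbalanced"; n=$((n + 1)); }
    done
    return $n
}

check_server_config() { check_config "$1" "$SERVER_DIRECTIVES" "$SERVER_BLOCKS"; }

# A client profile must pin the peer role: "remote-cert-tls server" rejects a
# client certificate from the same CA being presented as the server.
check_client_profile() {
    problems=0
    check_config "$1" "$CLIENT_DIRECTIVES" "$CLIENT_BLOCKS" || problems=$?
    if has_directive "$1" remote-cert-tls && ! grep -q "^remote-cert-tls server$" "$1"; then
        echo "$1: remote-cert-tls must be 'server'"; problems=$((problems + 1))
    fi
    return $problems
}

# write_samples DIR: constructed sample profiles with placeholder PEM bodies
# (not real keys). bad.ovpn drops "server" from remote-cert-tls and loses its
# </key> line, the symptom of an empty $VPN_KEY in the guide's heredoc.
write_samples() {
    cat << 'EOF' > "$1/good.ovpn"
verb 3
dev tun
nobind
client
remote vpn.example.com 1194 udp
auth-nocache
remote-cert-tls server
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
placeholder
-----END OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
placeholder
-----END PRIVATE KEY-----
</key>
EOF
    sed -e 's/^remote-cert-tls server$/remote-cert-tls/' -e '/^<\/key>$/d' \
        "$1/good.ovpn" > "$1/bad.ovpn"
}

# Stand-alone demo on the constructed samples.
SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
check_client_profile "$SAMPLES/good.ovpn" && echo "good.ovpn: OK"
check_client_profile "$SAMPLES/bad.ovpn" || echo "bad.ovpn: $? problem(s)"
rm -rf "$SAMPLES"
```

Run check_client_profile over /etc/openvpn/*.ovpn before the backup in this step, and check_server_config over the .conf files before the service restart in step 5; a non-zero return is the number of problems found, and each one is printed with the file it belongs to.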

Testing

Troubleshooting

docs/guide-user/services/vpn/openvpn/basic.txt · Last modified: 2019/02/19 10:20 by vgaetera