OpenVPN Client

Introduction

  • This guide describes how to configure OpenWrt to run an OpenVPN client.
  • You can use it to connect to your own OpenVPN server or a commercial OpenVPN provider.
  • Follow OpenVPN Basic for server setup and OpenVPN Extra for additional tuning.

Goals

  • Encrypt your internet connection to enforce security and privacy:
    • Prevent data leaks and traffic spoofing on the path to the client's ISP.
    • Escape the client ISP's content filters and internet censorship.
  • Access your VPN-server LAN-services remotely without port forwarding.
  • Access region-restricted services and content using commercial VPN-providers.

Requirements

  • OpenWrt 18.06.1
  • OpenVPN 2.4.5

Instructions

1. Preparation

Install OpenWrt and perform initial network and firewall setup. Use a public DNS provider to prevent DNS leaks.

2. Firewall

To minimize firewall setup, treat the VPN network as public and assign the VPN interface to the WAN zone.

# Configure firewall (zone[1] is the WAN zone in the default OpenWrt firewall configuration)
uci set firewall.@zone[1].device="tun0"
uci commit firewall
service firewall restart

3. VPN-Service

Save your client profile. Install and configure the VPN client. Drop the VPN service's privileges and ensure the VPN interface name matches the network configuration.

# Save VPN-client profile
cat << "EOF" > /etc/openvpn/vpnclient.conf
COPY_PASTE_CLIENT_PROFILE_HERE
EOF
 
# Fix permissions
chmod "u=rw,g=,o=" /etc/openvpn/vpnclient.conf
 
# Install packages
opkg update
opkg install openvpn-openssl
 
# Configure VPN-client
sed -i -e "
\$a user nobody
\$a group nogroup
/^dev/s/^/#/
\$a dev $(uci get firewall.@zone[1].device)
" /etc/openvpn/vpnclient.conf
service openvpn restart

If using a commercial VPN-provider, set up credentials for username/password authentication and enforce gateway redirect.

# Save username/password credentials
cat << "EOF" > /etc/openvpn/vpnclient.auth
YOUR_VPN_USERNAME
YOUR_VPN_PASSWORD
EOF
 
# Fix permissions
chmod "u=rw,g=,o=" /etc/openvpn/vpnclient.auth
 
# Configure VPN-client
sed -i -e "
/^auth-user-pass/s/^/#/
\$a auth-user-pass /etc/openvpn/vpnclient.auth
/^redirect-gateway/s/^/#/
\$a redirect-gateway def1 ipv6
" /etc/openvpn/vpnclient.conf
service openvpn restart
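
A post-setup check for the two steps above, as an added example that is not part of the original guide. The helper names (`audit_vpn_profile`, `active`, `private`) are hypothetical; the function reports a profile that still lacks the privilege drop, the matching `dev` name, restrictive file permissions, or the credentials file and gateway redirect.

```shell
#!/bin/sh
# Added example: audit a client profile against the settings applied in this guide.
# On the router (paths and zone index as used in the guide):
#   audit_vpn_profile /etc/openvpn/vpnclient.conf "$(uci get firewall.@zone[1].device)"

# Print the arguments of every active (uncommented) line of a directive.
active() { awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print }' "$1"; }

# True only if the file grants nothing to group or others (chmod u=rw,g=,o=).
private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# audit_vpn_profile PROFILE EXPECTED_DEV
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
audit_vpn_profile() {
    profile=$1; want_dev=$2; rc=0
    finding() { echo "FINDING: $*"; rc=1; }

    [ -r "$profile" ] || { echo "FINDING: cannot read $profile"; return 1; }
    private "$profile" || finding "$profile is accessible to group/others"

    # Privilege drop. A leftover second "user"/"group" line also fails the match.
    [ "$(active "$profile" user)" = "nobody" ] || finding "user is not exactly 'nobody'"
    [ "$(active "$profile" group)" = "nogroup" ] || finding "group is not exactly 'nogroup'"

    # The tunnel device must be the one assigned to the firewall zone.
    [ "$(active "$profile" dev)" = "$want_dev" ] || finding "dev is not exactly '$want_dev'"

    # Credentials step: file must exist, be private, and the gateway redirect be set.
    if grep -Eq '^[[:space:]]*auth-user-pass([[:space:]]|$)' "$profile"; then
        auth=$(active "$profile" auth-user-pass)
        if [ ! -f "$auth" ]; then
            finding "auth-user-pass does not name an existing credentials file"
        elif ! private "$auth"; then
            finding "$auth is accessible to group/others"
        fi
        [ -n "$(active "$profile" redirect-gateway)" ] || finding "redirect-gateway is not set"
    fi
    return $rc
}
```

An unedited profile with `dev tun` and default permissions produces four findings; a profile processed by both `sed` scripts above produces none.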

OpenVPN Extra > Instance Management

Testing

Troubleshooting

docs/guide-user/services/vpn/openvpn/client.txt · Last modified: 2019/03/18 07:59 by vgaetera