Differences
This shows you the differences between two versions of the page.
| docs:guide-user:services:vpn:openvpn:client [2019/08/22 09:14] – [1. Firewall] We list `device`, not `network`, because `netifd` doesn't properly interact with `openvpn`, which may result in a race condition. This how-to doesn't rely on manual config file modification, because it may lead to the file corruption which w vgaetera | docs:guide-user:services:vpn:openvpn:client [2021/09/27 03:25] – [2. Firewall] vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== OpenVPN client ====== | ====== OpenVPN client ====== | ||
| - | |||
| - | FIXME Show //results// in the config files of the inscrutable set of commands described here | ||
| - | |||
| {{section> | {{section> | ||
| ===== Introduction ===== | ===== Introduction ===== | ||
| - | * This guide describes | + | * This how-to describes the method for setting up [[wp> |
| - | * You can use it to connect to your own OpenVPN server or a commercial OpenVPN provider. | + | * Follow [[docs: |
| - | * Follow [[basic|OpenVPN | + | |
| ===== Goals ===== | ===== Goals ===== | ||
| - | {{section> | + | {{section> |
| - | ===== Instructions | + | ===== Command-line instructions |
| - | ==== 1. Firewall | + | ==== 1. Preparation |
| - | Consider VPN network as public and assign VPN interface to WAN zone to minimize firewall setup. | + | Install the required packages. |
| <code bash> | <code bash> | ||
| - | # Configure firewall | ||
| - | uci del_list firewall.@zone[1].device=" | ||
| - | uci add_list firewall.@zone[1].device=" | ||
| - | uci commit firewall | ||
| - | service firewall restart | ||
| - | </ | ||
| - | |||
| - | ==== 2. Basic client ==== | ||
| - | Save your client profile. | ||
| - | Install and configure VPN client. | ||
| - | Drop VPN service privileges and ensure VPN interface name matches firewall configuration. | ||
| - | |||
| - | <code bash> | ||
| - | # Save VPN client profile | ||
| - | cat << " | ||
| - | COPY_PASTE_CLIENT_PROFILE_HERE | ||
| - | EOF | ||
| - | |||
| - | # Fix permissions | ||
| - | chmod " | ||
| - | |||
| # Install packages | # Install packages | ||
| opkg update | opkg update | ||
| opkg install openvpn-openssl | opkg install openvpn-openssl | ||
| - | |||
| - | # Configure VPN client | ||
| - | sed -i -e " | ||
| - | / | ||
| - | \$a user nobody | ||
| - | / | ||
| - | \$a group nogroup | ||
| - | / | ||
| - | \$a dev $(uci get firewall.@zone[1].device | sed -e " | ||
| - | " / | ||
| - | service openvpn restart | ||
| </ | </ | ||
| - | The first portion of this copies the client config to ''/ | + | ==== 2. Firewall ==== |
| + | Consider VPN network as public. | ||
| + | Assign VPN interface to WAN zone to minimize firewall setup. | ||
| - | After installing the required packages, the '' | + | < |
| - | < | + | # Configure firewall |
| - | user nobody | + | uci rename firewall.@zone[0]=" |
| - | group nogroup | + | uci rename firewall.@zone[1]=" |
| - | dev tun0 | + | uci del_list firewall.wan.device=" |
| + | uci add_list firewall.wan.device=" | ||
| + | uci commit firewall | ||
| + | / | ||
| </ | </ | ||
| - | (or whichever device was specified in the previous section) | ||
| - | It then restarts the openvpn service. | + | ==== 3. VPN service |
| - | + | Save your client profile to configure | |
| - | ==== 3. Commercial provider | + | |
| - | If using a commercial | + | |
| <code bash> | <code bash> | ||
| - | # Save username/ | + | # Save VPN client profile |
| - | cat << | + | umask go= |
| - | YOUR_VPN_USERNAME | + | cat << EOF > / |
| - | YOUR_VPN_PASSWORD | + | COPY_PASTE_CLIENT_PROFILE_HERE |
| EOF | EOF | ||
| - | + | /etc/init.d/openvpn restart | |
| - | # Fix permissions | + | |
| - | chmod " | + | |
| - | + | ||
| - | # Configure VPN client | + | |
| - | sed -i -e " | + | |
| - | /^auth-user-pass/ | + | |
| - | \$a auth-user-pass / | + | |
| - | / | + | |
| - | \$a redirect-gateway def1 ipv6 | + | |
| - | " / | + | |
| - | service | + | |
| </ | </ | ||
| - | See also: [[extra#instance_management|Instance management]], | + | Configure credentials for [[docs: |
| ===== Testing ===== | ===== Testing ===== | ||
| - | {{section> | + | {{section> |
| ===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
| - | {{section> | + | {{section> |
| - | + | ||
| - | {{tag> | + | |
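
Review bot: In the new section 3 block, `cat << EOF > /` uses an unquoted heredoc delimiter, so the shell expands `$`, backticks and backslashes in the pasted client profile before it is written. The removed version opened the delimiter with a quote (`cat << "`); quoting it again, as in `<< "EOF"`, keeps the profile literal. The new revision also no longer shows the `user nobody` / `group nogroup` lines that the old section 2 described as dropping VPN service privileges. If that is now handled elsewhere, the page should say where. In the firewall block, `uci rename firewall.@zone[0]=` and `firewall.@zone[1]=` select zones by index, which assumes the default zone order; a one-line comment stating that assumption would help readers whose firewall config has been reordered.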