
Degree of Difficulty: Intermediate
This guide assumes you can:

OpenVPN Comprehensive

VPN Server Purpose

  • Provides encrypted remote connection over WAN
    • Remote Device → WAN → Router's Local Interfaces

  • Gateway Redirect encrypts local interface traffic
    • Local Interface → VPN Interface → Router WAN

SSL VPN Requirements

File & Folder Locations

  1. Config Locations:
    • Firewall Script: /etc/firewall.user
    • Firewall: /etc/config/firewall
    • Network: /etc/config/network
    • OpenVPN: /etc/config/openvpn

  2. Folder Locations:
    • CA & ICA Certs: /etc/ssl/ca/
    • CSR: /etc/ssl/ca/csr/
    • CRL: /etc/ssl/crl/
    • Server Certs: /etc/ssl/openvpn/
    • Client Certs: /etc/ssl/openvpn/clients/

Install Packages

Required

  1. Install OpenVPN & OpenSSL: (1160KB)
    opkg update && opkg install openvpn-openssl luci-app-openvpn openssl-util

Optional

  1. Install GnuPG: (767KB)
    opkg update && opkg install gnupg gnupg-utils

Encryption

Utilizing OpenSSL directly, via an openssl.cnf, is recommended, as Easy-RSA has too many limitations

Certificates

  1. Create CA, ICA, Server, and Client certificates via: OpenSSL PKI Wiki
  2. Generate P12 Cert: (executed from /etc/ssl/)
    openssl pkcs12 -export -out ./vpn-server.p12 -inkey ./vpn-server.key.pem -in ./vpn-server.crt.pem -certfile ./ica-chain.crt.pem
    1. Optional: a more efficient means of transporting the certificate and key to clients while maintaining the chain of trust
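
As an added example (not part of the original wiki page), the following script builds a throwaway root CA, intermediate CA and server certificate, verifies that the server certificate chains to the root through the intermediate, then packages it with the same openssl pkcs12 -export invocation the guide uses and counts the certificates in the resulting bundle. The file names mirror the guide's; the subjects, the demo-only export passphrase and the chain-file layout (ICA followed by root) are this example's assumptions. It needs the openssl command line and writes only to a temporary directory.

```shell
#!/bin/sh
# Added example, not the wiki page's own commands: throwaway CA -> ICA -> server chain,
# chain verification, then PKCS#12 packaging as in the guide. Names, subjects and the
# passphrase are constructed for the demo; everything lives in a temp directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension files: CA certificates (root and ICA) vs. the server leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/server.ext"

# Root CA: self-signed with explicit CA extensions (works on OpenSSL 1.1 and 3.x).
openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
    -keyout "$WORK/ca.key.pem" -out "$WORK/ca.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/ca.csr" -signkey "$WORK/ca.key.pem" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt.pem" 2>/dev/null

# Intermediate CA signed by the root.
openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo ICA' \
    -keyout "$WORK/ica.key.pem" -out "$WORK/ica.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/ica.csr" -CA "$WORK/ca.crt.pem" -CAkey "$WORK/ca.key.pem" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/ica.crt.pem" 2>/dev/null

# Server certificate signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -subj '/CN=vpn-server' \
    -keyout "$WORK/vpn-server.key.pem" -out "$WORK/vpn-server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/vpn-server.csr" -CA "$WORK/ica.crt.pem" -CAkey "$WORK/ica.key.pem" \
    -CAcreateserial -extfile "$WORK/server.ext" -out "$WORK/vpn-server.crt.pem" 2>/dev/null

# Chain file as referenced by the guide's command: ICA first, then root (assumed layout).
cat "$WORK/ica.crt.pem" "$WORK/ca.crt.pem" > "$WORK/ica-chain.crt.pem"

# Check 1: the server cert must chain to the root through the ICA before it is packaged.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt.pem" -untrusted "$WORK/ica.crt.pem" \
        "$WORK/vpn-server.crt.pem" >/dev/null 2>&1
}

# The guide's export command, with a demo passphrase instead of an interactive prompt.
build_p12() {
    openssl pkcs12 -export -out "$WORK/vpn-server.p12" -inkey "$WORK/vpn-server.key.pem" \
        -in "$WORK/vpn-server.crt.pem" -certfile "$WORK/ica-chain.crt.pem" -passout pass:demo-only
}

# Check 2: count certificates inside the bundle; server + ICA + root should give 3.
p12_cert_count() {
    openssl pkcs12 -in "$WORK/vpn-server.p12" -nokeys -passin pass:demo-only 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

verify_chain && build_p12 && echo "certificates in bundle: $(p12_cert_count)"
```

The chain check is the step worth keeping in a real workflow: pkcs12 -export happily bundles a certificate that does not verify against the CA, and the failure then only shows up on the clients.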

Diffie-Hellman Key

  1. Generate DH Key: (executed from /etc/ssl/)
    openssl dhparam -out openvpn/dh2048.pem 2048
    1. Generating DH keys takes a substantial amount of time and is CPU intensive

    2. OpenVPN added support for EC [Elliptic Curve] ciphers in v2.4

TLS-Crypt PSK

  1. Generate TLS-Crypt Key: (executed from /etc/ssl/)
    openvpn --genkey --secret openvpn/tls-crypt.key
    1. Adds an additional layer of HMAC authentication on top of the TLS control channel
      • Requires all Control Channel packets to be authenticated and encrypted
      • Ensures Perfect Forward Secrecy is maintained

    2. tls-crypt requires a static Pre-Shared Key, generated in advance, and shared among all clients
      • Max key lifetime is 8,171 yrs divided by users (at least every 8 yrs/1000 users)
      • If key is changed, it must be changed on all clients (no support for rollover)

Network

Interface Creation

  1. Create VPN Interface:
    uci set network.vpn0=interface && uci set network.vpn0.ifname=tun0 && uci set network.vpn0.proto=none && \
      uci commit network && service network reload

Configure DDNS

/etc/config/ddns Remote WAN Connections

  1. A DDNS provider or FQDN is required for users whose ISP does not assign them a static IP
    1. DDNS:
      • Dynamic Domain Name Service providers supply the user with a DNS name that is dynamically updated to follow their public IP
      • Offered by DDNS providers as a paid service subscription
    2. FQDN:
      • Fully Qualified Domain Name is a URL (google.com is an FQDN)
      • Purchasing an FQDN is for a set period of time, regulated by the non-profit IANA (Internet Assigned Numbers Authority)

  2. Most users will likely configure DDNS

Firewall

/etc/config/firewall Notations

  1. Traffic rules should be placed in the following order
    1. Firewall.User Script
    2. Redirect Rules
    3. Router Network Default
    4. VPN Network Default
    5. VPN InterZone Forwarding
    6. VPN Traffic Rules

  2. Rule protocol for VPNs should always be both TCP & UDP for troubleshooting purposes
    1. Allowing both avoids having to edit the firewall every time troubleshooting is needed

  3. SSL VPNs should always use UDP
    1. Except under the following two scenarios:
      1. When troubleshooting, OR
      2. When packet loss is high

  4. A port >1025 should be utilized for the VPN
    1. If using a custom port, update the VPN Server & VPN Client configs accordingly
      1. If needing to bypass a strict firewall in front of the router, utilize port 443 [HTTPS]
    2. A non-standard port (one other than 1194) is recommended to limit firewall logging of unauthorized connection attempts
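
The following is an added example, not the page's own /etc/config/firewall, showing the zone, inter-zone forwarding and inbound rule that the ordering above calls for, written as uci commands in the style of the guide's network section, with the port guidance from items 3 and 4 enforced before anything is applied. Assumptions: the tunnel interface is vpn0 as created earlier on the page, the zone names lan and wan are the OpenWrt defaults, the zone name vpn and the rule name are this example's choices, and forwarding from the VPN to the WAN (needed only for gateway redirect) is deliberately not added here.

```shell
#!/bin/sh
# Added example (not the wiki page's firewall file): VPN zone, VPN->LAN forwarding and
# the inbound WAN rule as uci commands. Zone name 'vpn' and the rule name are this
# example's choices; 'lan', 'wan' and 'vpn0' are assumed to exist as on the page.

# Port policy from the guide: above 1025 and not the default 1194, or exactly 443
# when a strict upstream firewall has to be passed.
vpn_port_ok() {
    port=$1
    case "$port" in
        ''|*[!0-9]*) return 1 ;;        # empty or not a number
    esac
    [ "$port" -eq 443 ] && return 0     # allowed exception
    [ "$port" -gt 1025 ] || return 1    # must be a high port
    [ "$port" -ne 1194 ] || return 1    # avoid the well-known OpenVPN port
    return 0
}

# Zone for the tunnel interface, forwarding from the tunnel into the LAN, and the
# inbound rule on WAN for both TCP and UDP (as the guide recommends for troubleshooting).
apply_vpn_firewall() {
    port=$1
    vpn_port_ok "$port" || { echo "refusing port $port: violates the port policy" >&2; return 1; }
    uci batch <<EOF
add firewall zone
set firewall.@zone[-1].name='vpn'
set firewall.@zone[-1].network='vpn0'
set firewall.@zone[-1].input='ACCEPT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
add firewall forwarding
set firewall.@forwarding[-1].src='vpn'
set firewall.@forwarding[-1].dest='lan'
add firewall rule
set firewall.@rule[-1].name='Allow-OpenVPN-Inbound'
set firewall.@rule[-1].src='wan'
set firewall.@rule[-1].dest_port='$port'
set firewall.@rule[-1].proto='tcp udp'
set firewall.@rule[-1].target='ACCEPT'
commit firewall
EOF
    service firewall reload
}

# Usage on the router: sh vpn-firewall.sh apply 51194
if [ "${1:-}" = "apply" ]; then
    apply_vpn_firewall "${2:-}"
fi
```

Keeping the input policy of the vpn zone at ACCEPT while forward stays REJECT means clients reach the router itself but only cross into other zones through explicit forwarding entries, which is where the per-service VPN traffic rules from the ordering above are then added.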

Create Rules

  1. Modify: /etc/config/firewall
    vi /etc/config/firewall
    1. /etc/config/firewall

    2. Advanced: Restrict by IP

    3. Advanced: Restrict by IP & MAC

  2. Commit Changes:
    service firewall reload

Logging

  1. Modify: /etc/firewall.user
    vi /etc/firewall.user
    1. /etc/firewall.user

    2. Advanced: Log VPN & VPN SSH

  2. Commit Changes:
    service firewall reload

VPN Server

It's strongly encouraged to read through the OpenVPN HowTo & Man Page

/etc/config/openvpn Notations

  1. The OpenVPN HowTo & Man Page provide every possible option for Server & Client Configs

    1. This specific configuration has been designed to give the best performance possible, via MTU & Buffer Tuning
      1. DNS primary & secondary are OpenDNS's
      2. NTP is obtained from NIST (time-c) and can be updated to your NTP server of choice
        • NTP should be specified (doesn't need to be NIST), as encryption handshakes must be accurate to within milliseconds

    2. CCD directives (under Client Config) are commented out, as the OpenVPN HowTo must be read to understand how it's used
      • CCD adds an extra layer of protection, allowing only those CNs specified to connect to the VPN, even if a valid client cert is used

    3. Two or more servers can be run from this config file
      • To add additional servers, copy & paste first config directly below itself, with a blank line separating the two

Encryption Annotations

Config

  1. Modify: /etc/config/openvpn
    cd /etc/config && cp openvpn openvpn.orig && echo > openvpn && vi openvpn

    /etc/config/openvpn

  2. Commit Changes:
    service openvpn enable && service openvpn start; echo && sleep 2 && ps | grep [o]penvpn; echo && logread -e openvpn

CCD

To Enable CCD:
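
An added example (not the page's own CCD snippet) of what enabling CCD involves: one file per client under a client-config-dir, named exactly after the certificate CN, plus ccd-exclusive so that a certificate whose CN has no file is refused, which is the extra layer of protection described under the Notations. The directory /etc/openvpn/ccd, the 10.8.0.0/24 tunnel addresses and the client names are this example's assumptions; the uci section name vpnserver is the one the guide uses, and the two-argument ifconfig-push form shown assumes the server runs with topology subnet.

```shell
#!/bin/sh
# Added example (not from the wiki page): per-client CCD files plus the uci settings
# that turn CCD on for the guide's 'vpnserver' section. Directory, addresses and
# client names are assumptions made for this demo.

CCD_DIR=${CCD_DIR:-/etc/openvpn/ccd}

# The file name must equal the client certificate's CN, since OpenVPN looks the file
# up by that name. Restricting the name to a conservative character set here also
# stops a stray CN from pointing outside the directory.
valid_cn() {
    case "$1" in
        '' | *[!A-Za-z0-9._@-]* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# Write a CCD entry that pins the client to a fixed tunnel address.
# With 'topology subnet', ifconfig-push takes the address and the netmask.
add_ccd_client() {
    cn=$1; addr=$2
    valid_cn "$cn" || { echo "bad CN: $cn" >&2; return 1; }
    mkdir -p "$CCD_DIR"
    printf 'ifconfig-push %s 255.255.255.0\n' "$addr" > "$CCD_DIR/$cn"
    chmod 644 "$CCD_DIR/$cn"   # readable after openvpn drops privileges
}

# Number of CNs currently permitted to connect (one file per CN).
ccd_client_count() {
    ls -1 "$CCD_DIR" 2>/dev/null | wc -l | tr -d ' '
}

# Point the server at the directory and make it exclusive: a client presenting a
# valid certificate whose CN has no file here is rejected at connect time.
enable_ccd_uci() {
    uci set openvpn.vpnserver.client_config_dir="$CCD_DIR"
    uci set openvpn.vpnserver.ccd_exclusive='1'
    uci commit openvpn && service openvpn restart
}

# Usage on the router: sh enable-ccd.sh apply
if [ "${1:-}" = "apply" ]; then
    add_ccd_client VPN-Client1 10.8.0.10
    add_ccd_client VPN-Client2 10.8.0.11
    enable_ccd_uci
fi
```

Revoking a client's access then becomes a matter of deleting its file (and, separately, its certificate via the CRL); without ccd-exclusive, a missing file only means the client gets no per-client directives and is still admitted.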

Log Output

CCD Disabled

CCD Enabled

VPN Clients

Android

Client Information

For compatibility with exFAT, Android sdcards have a non-customizable 771 permission structure
It's imperative, for the security of the VPN, to ensure the certificate key is encrypted as specified under Create Certificates

  1. OpenVPN for Android is the best app for VPNs on Android

  2. PKCS12 certs are installed into the Android Keychain
    1. As a security feature, a warning toast will always appear in the notification area due to user-installed certs
      • This toast can be removed on a rooted device via:
        1. Toast Removal

    2. Another option is to include all certs & keys inline, as XML-style blocks within the client config file
      • Regardless of whether all certs are referenced inline or not, the final generated config inlines all certs

  3. Rather than utilizing inline XML, one can:
    1. Reference the tls-crypt.key

KNOWN ISSUES:

VPNserver.ovpn

Inline XML

BSD/Linux

Client Information

  • Due to the sheer number of distros & variances from one to the other, only the client config is being provided

VPNserver.conf

Windows

Client Information

  1. If the PKCS12 cert isn't stored in the same directory as the ovpn config, the path to the PKCS12 cert must be referenced
    1. You must use double backslashes for the path: %UserProfile%\\.ovpn\\OpenWrt\\VPN-Client1.p12

  2. Ensure clients are utilizing >2.4.2, which includes a DNS leak patch (Changelog | Bug #605)

VPNserver.ovpn



Optional

Backup & Import

GnuPG is a great tool for managing CAs and client certificates

Configure Backup

  1. Apply correct permissions:
    chmod 600 /etc/ssl/ca/* /etc/ssl/ca/csr/* /etc/ssl/crl/* /etc/ssl/openvpn/* /etc/ssl/openvpn/clients/*
    chmod 644 /etc/ssl/ca/*.crt* /etc/ssl/openvpn/*.crt* /etc/ssl/openvpn/clients/*.crt* /etc/ssl/crl/*.crl
  2. Optional:
    1. Encrypt with GnuPG

  3. Add directories & files to /etc/sysupgrade.conf
    vi /etc/sysupgrade.conf
    1. Add:
      • /etc/config/
      • /etc/openvpn/
      • /etc/ssl/
      • /etc/firewall.user
      • /etc/sysupgrade.conf

    2. /etc/sysupgrade.conf

      OR

    3. /lib/upgrade/keep.d/openvpn

Redirect Gateway

It's recommended to read Gateway Redirect prior to continuing

Same Subnet

  1. Modify Forwarding

  2. Modify Routes



Troubleshooting

  1. Verify OpenVPN successfully started:
    ps | grep [o]penvpn; echo && logread -e openvpn
  2. Change protocol to tcp and increase log verbosity:
    1. Server:
      uci set openvpn.vpnserver.verb='5'
      uci set openvpn.vpnserver.proto='tcp'
      uci commit openvpn && service openvpn restart
    2. Client:
      verb 7
      proto tcp
  3. Disconnect client, then reconnect

  4. If asking for help in a forum, please perform the above and include the following in your initial post:
    1. Include
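
As an added example (not part of the page), here is a small triage helper that runs over the output of logread -e openvpn and maps the common failure messages to the configuration area to check first. The log lines embedded in it are constructed to resemble OpenWrt's logread format and OpenVPN's messages, and the category names are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki page): classify 'logread -e openvpn' output so the
# first real problem, in log order, is obvious. Sample lines below are constructed.

# Map one log line to a category (the area to look at).
classify_line() {
    case "$1" in
        *"Initialization Sequence Completed"*) echo ok ;;
        *"tls-crypt unwrap error"*)            echo tls-crypt-key-mismatch ;;   # tls-crypt.key differs from server
        *"VERIFY ERROR"*)                      echo certificate-chain ;;        # expired/revoked/wrong CA
        *"TLS key negotiation failed"*)        echo unreachable-or-filtered ;;  # port/firewall/DDNS
        *"Socket bind failed"*)                echo port-in-use ;;              # another instance or service
        *"Options error"*)                     echo config-syntax ;;            # typo or unknown option
        *)                                     echo unknown ;;
    esac
}

# Read a whole log on stdin, print each distinct category once, in first-seen order.
triage_log() {
    while IFS= read -r line; do
        classify_line "$line"
    done | awk '!seen[$0]++'
}

# The earliest non-ok, recognised category is the place to start.
first_problem() {
    triage_log | grep -v -e '^ok$' -e '^unknown$' | head -n 1
}

# Constructed sample in logread format (not real captured output).
SAMPLE_LOG='Tue Dec  4 20:01:02 2018 daemon.err openvpn(vpnserver)[1234]: TCP/UDP: Socket bind failed on local address [AF_INET]0.0.0.0:51194: Address already in use
Tue Dec  4 20:01:03 2018 daemon.err openvpn(vpnserver)[1234]: Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn-vpnserver.conf:12: tls-cryp (2.4.5)
Tue Dec  4 20:02:10 2018 daemon.notice openvpn(vpnserver)[1300]: 203.0.113.5:40000 tls-crypt unwrap error: packet authentication failed
Tue Dec  4 20:03:15 2018 daemon.notice openvpn(vpnserver)[1300]: 203.0.113.5:40001 VERIFY ERROR: depth=0, error=certificate has expired: CN=VPN-Client1
Tue Dec  4 20:04:00 2018 daemon.notice openvpn(vpnserver)[1300]: Initialization Sequence Completed'

# Usage on the router: logread -e openvpn | sh triage.sh   (or 'sh triage.sh demo' for the sample)
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | triage_log
elif [ ! -t 0 ]; then
    triage_log
fi
```

The first-seen ordering matters: in the sample the bind failure comes before the certificate error, and a server that never bound its port explains every later client-side symptom, so that is the line to quote when asking for help.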

VPN Wikis

Notes

  • The answer to any question about an OpenVPN Client / Server configuration is contained within the OpenVPN or OpenSSL sections
    • If still unable to find a solution, please create a thread in the applicable device or topic section within the OpenVPN or OpenWrt forums

Credits

docs/guide-user/services/vpn/openvpn/comprehensive.txt · Last modified: 2018/12/05 16:13 by jw0914