
Degree of difficulty: Intermediate.

This guide assumes you can:

  • Copy-paste and run commands on the command line.
  • Edit files using nano, vi, etc.
  • Use the wiki to search for additional information.
  • Use the forum to get technical support.

OpenVPN Dual Stack

Introduction

  • This guide describes how to install and configure OpenWrt with OpenVPN Server as a dual stack gateway running on a VPS/VDS.
  • We try to keep a balance between security and simplicity, with an emphasis on privacy and automation.
  • It includes all the necessary workarounds for tunnel connectivity, private network routing and masquerading.
  • It also generates the OpenVPN Client profile as a single file for easy export/import between devices.

Premises

  • You are tired of internet censorship and traffic spoofing.
  • Your ISP does not provide dual stack connectivity or public IP-addresses.
  • You want to connect to your private network services without redundant port forwarding.

Goals

  • Client dual stack connectivity even when your ISP does not support it.
  • Client dual stack privacy including DNS-privacy.

Requirements

Instructions

1. Preparation

Allocate a raw drive, attach it to your server and set it to boot directly from that drive. Boot into recovery mode and install OpenWrt. Reboot the server, connect to its console and configure the WAN and WAN6 interfaces.

2. Network

Create the VPN interface. Add a default IPv6 route for VPN traffic.

source /lib/functions/network.sh
network_find_wan6 NET_IF
network_get_gateway6 NET_GW "$NET_IF"
uci add network route6
uci set network.@route6[-1].interface="$NET_IF"
uci set network.@route6[-1].target="::/0"
uci set network.@route6[-1].gateway="$NET_GW"
uci set network.vpnserver="interface"
uci set network.vpnserver.ifname="tun0"
uci set network.vpnserver.proto="none"
uci commit network
service network restart

3. Firewall

Consider the VPN network trusted and assign it to the LAN zone; otherwise create a separate zone with an appropriate policy. Open the port for incoming traffic to the OpenVPN Server.

uci add_list firewall.@zone[0].network="vpnserver"
uci add firewall rule
uci set firewall.@rule[-1].name="Allow-OpenVPN"
uci set firewall.@rule[-1].src="wan"
uci set firewall.@rule[-1].dest_port="1194"
uci set firewall.@rule[-1].proto="udp"
uci set firewall.@rule[-1].target="ACCEPT"
uci commit firewall
service firewall restart

4. NAT6

Request an IPv6 pool from your VPS provider to skip the NAT6 configuration. Otherwise use a firewall script that populates the NAT6 table from a dump of the NAT4 table.

opkg update
opkg install kmod-ipt-nat6
cat << "EOF" > /etc/firewall.user
iptables-save --table="nat" \
| sed -e "/ [DS]NAT /d" \
| ip6tables-restore --table="nat"
EOF
uci set firewall.@include[0].reload="1"
uci commit firewall
service firewall restart
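The following is an added example, not part of the wiki page: it runs the same sed filter as /etc/firewall.user above over a constructed iptables-save dump so you can see what reaches ip6tables-restore, and adds a stricter variant. A MASQUERADE rule that still carries an IPv4 source match (a form fw3 emits when masquerading is restricted to particular source subnets) survives the page's filter but makes ip6tables-restore fail, and a failed line means nothing from the dump is loaded.

```shell
# Added example, not part of the wiki page: the iptables-save output below is
# constructed to resemble what OpenWrt's fw3 produces, not a real dump.
SAMPLE_NAT4='# Generated by iptables-save v1.8.3
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:zone_lan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
-A PREROUTING -j zone_wan_prerouting
-A POSTROUTING -j zone_lan_postrouting
-A POSTROUTING -j zone_wan_postrouting
-A zone_wan_postrouting -j MASQUERADE
-A zone_lan_postrouting -s 192.168.8.0/24 -j MASQUERADE
-A zone_wan_prerouting -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
-A zone_lan_postrouting -s 192.168.1.0/24 -j SNAT --to-source 203.0.113.5
COMMIT
# Completed'

# Exactly the filter from /etc/firewall.user above: drop SNAT/DNAT rules,
# whose IPv4 rewrite targets mean nothing to ip6tables, and keep the rest.
nat4_to_nat6() {
    sed -e "/ [DS]NAT /d"
}

# Stricter variant: additionally drop any rule that still carries an IPv4
# literal (e.g. "-s 192.168.8.0/24 -j MASQUERADE"); ip6tables-restore
# rejects such a line and then loads nothing from the whole dump.
IPV4_RE='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
nat4_to_nat6_strict() {
    sed -e "/ [DS]NAT /d" -e "/$IPV4_RE/d"
}

# Count the lines of a filtered dump matching a pattern; never fails, so it
# is safe under "set -e" (grep -c exits 1 on zero matches).
count_rules() {
    grep -c -e "$1" || true
}
```

On a real box the strict filter drops in for the sed line of /etc/firewall.user; here the test only inspects the filtered text.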

5. PKI

Use Easy-RSA for PKI management. Advanced parameters may require running OpenSSL directly.

opkg install openvpn-easy-rsa
export EASYRSA="/etc/easy-rsa"
export EASYRSA_PKI="$EASYRSA/pki"
easyrsa --batch init-pki
easyrsa --batch gen-dh
easyrsa --batch --req-cn="vpnca" build-ca nopass
easyrsa --batch build-server-full "vpnserver" nopass
easyrsa --batch build-client-full "vpnclient1" nopass
easyrsa --batch build-client-full "vpnclient2" nopass

6. OpenVPN Server

Configure the OpenVPN Server. Replace the private IPv6 pool with the public one obtained from your VPS provider.

opkg install openvpn-openssl
EASYRSA_PKI="/etc/easy-rsa/pki"
openvpn --genkey --secret "$EASYRSA_PKI/tc.key"
uci set openvpn.vpnserver="openvpn"
uci set openvpn.vpnserver.enabled="1"
uci set openvpn.vpnserver.verb="3"
uci set openvpn.vpnserver.dev="tun0"
uci set openvpn.vpnserver.topology="subnet"
uci set openvpn.vpnserver.proto="udp"
uci set openvpn.vpnserver.port="1194"
uci set openvpn.vpnserver.server="192.168.8.0 255.255.255.0"
uci set openvpn.vpnserver.server_ipv6="fdf1:7610:d152:3a9c::/64"
uci set openvpn.vpnserver.keepalive="10 120"
uci set openvpn.vpnserver.persist_tun="1"
uci set openvpn.vpnserver.persist_key="1"
uci set openvpn.vpnserver.tls_crypt="$EASYRSA_PKI/tc.key"
uci set openvpn.vpnserver.dh="$EASYRSA_PKI/dh.pem"
uci set openvpn.vpnserver.ca="$EASYRSA_PKI/ca.crt"
uci set openvpn.vpnserver.cert="$EASYRSA_PKI/issued/vpnserver.crt"
uci set openvpn.vpnserver.key="$EASYRSA_PKI/private/vpnserver.key"
uci add_list openvpn.vpnserver.push="redirect-gateway def1 ipv6"
uci add_list openvpn.vpnserver.push="dhcp-option DOMAIN $(uci get dhcp.@dnsmasq[0].domain)"
uci add_list openvpn.vpnserver.push="dhcp-option DNS $(uci get openvpn.vpnserver.server_ipv6 | sed -e "s/\/.*$/1/")"
uci add_list openvpn.vpnserver.push="persist-tun"
uci add_list openvpn.vpnserver.push="persist-key"
uci commit openvpn
service openvpn restart

7. OpenVPN Client

Generate the OpenVPN Client configurations. Download a backup from the OpenWrt web interface, extract the client profiles from the archive and import them into your clients. Remove the Windows-specific options block from non-Windows clients.

source /lib/functions/network.sh
network_find_wan NET_IF
network_get_ipaddr SERVER_ADDR "$NET_IF"
SERVER_PORT="$(uci get openvpn.vpnserver.port)"
SERVER_PROTO="$(uci get openvpn.vpnserver.proto)"
CLIENT_DEV="$(uci get openvpn.vpnserver.dev | sed -e "s/[0-9]*$//")"
EASYRSA_PKI="/etc/easy-rsa/pki"
TC_KEY="$(sed -e "/^#/d" "$EASYRSA_PKI/tc.key")"
CA_CERT="$(openssl x509 -in "$EASYRSA_PKI/ca.crt")"
NETSH_IPV6="C:\\\\Windows\\\\System32\\\\cmd.exe /c netsh interface ipv6"
NL=$'\n'
grep -r -l -e "TLS Web Client Authentication" "$EASYRSA_PKI/issued" \
| sed -e "s/^.*\///;s/\.[^.]*$//" \
| while read CLIENT_ID
do
CLIENT_CONF="/etc/openvpn/$CLIENT_ID.ovpn"
CLIENT_CERT="$(openssl x509 -in "$EASYRSA_PKI/issued/$CLIENT_ID.crt")"
CLIENT_KEY="$(openssl pkcs8 -in "$EASYRSA_PKI/private/$CLIENT_ID.key" -nocrypt)"
cat << EOF > "$CLIENT_CONF"
# <windows dns-leak-fix tun6-connectivity-fix>
block-outside-dns
script-security 2
up '$NETSH_IPV6 set privacy state=disabled store=active & echo'
ipchange '$NETSH_IPV6 set global randomizeidentifiers=disabled store=active & echo'
route-up '$NETSH_IPV6 delete route prefix=%ifconfig_ipv6_local%/%ifconfig_ipv6_netbits% interface=%dev_idx% store=active'
# </windows>
verb 3
nobind
dev $CLIENT_DEV
client
remote $SERVER_ADDR $SERVER_PORT $SERVER_PROTO
auth-nocache
remote-cert-tls server
<tls-crypt>$NL$TC_KEY$NL</tls-crypt>
<ca>$NL$CA_CERT$NL</ca>
<cert>$NL$CLIENT_CERT$NL</cert>
<key>$NL$CLIENT_KEY$NL</key>
EOF
chmod 600 "$CLIENT_CONF"
ls "$CLIENT_CONF"
done
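Two helpers, added here as an example and not part of the wiki page, that act on a profile in the exact layout the generator above writes: one strips the Windows block (the step the text asks non-Windows users to do by hand) and one checks that the directives the server side depends on, and the owner-only file mode, survived the edit. The profile below is constructed with placeholder key material.

```shell
# Added example, not part of the wiki page. The profile is constructed in the
# generator's layout; the key and certificate bodies are placeholders.
SAMPLE_PROFILE='# <windows dns-leak-fix tun6-connectivity-fix>
block-outside-dns
script-security 2
# </windows>
dev tun
client
remote 203.0.113.5 1194 udp
auth-nocache
remote-cert-tls server
<tls-crypt>
CONSTRUCTED-PLACEHOLDER-TLS-CRYPT-KEY
</tls-crypt>
<ca>
CONSTRUCTED-PLACEHOLDER-CA-CERT
</ca>
<cert>
CONSTRUCTED-PLACEHOLDER-CLIENT-CERT
</cert>
<key>
CONSTRUCTED-PLACEHOLDER-CLIENT-KEY
</key>'

# Drop everything between the "# <windows ...>" and "# </windows>" markers
# written by the generator; reads a profile on stdin, writes it to stdout.
strip_windows_block() {
    sed -e '/^# <windows/,/^# <\/windows>/d'
}

# Return 0 when the profile ($1) still carries client mode, the server
# certificate check, no credential caching and all four inline blocks.
profile_check() {
    for needle in '^client$' '^remote-cert-tls server$' '^auth-nocache$' \
                  '^<tls-crypt>$' '^<ca>$' '^<cert>$' '^<key>$'; do
        grep -q -e "$needle" "$1" || return 1
    done
    return 0
}

# Return 0 only when the profile ($1) has the owner-only mode the generator
# sets with chmod 600; the file embeds the client's private key.
profile_mode_ok() {
    case "$(ls -l "$1")" in
        -rw-------*) return 0 ;;
    esac
    return 1
}
```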

8. Tests

Request an IPv6 pool and delegate it to your VPN network to pass the Browser-Default-IPv6 and Browser-Fallback-IPv4 tests. Make sure there are no ISP DNS servers in the DNS-leak test results.

9. Diagnostics

service log restart
service openvpn restart
sleep 10; logread -e openvpn
pgrep -f -a openvpn
ip -4 a; ip -4 r
ip -6 a; ip -6 r
iptables-save -t nat
ip6tables-save -t nat
uci show network
uci show firewall
uci show openvpn

Credits

docs/guide-user/services/vpn/openvpn/dual_stack.txt · Last modified: 2018/10/12 06:03 by vgaetera