OpenVPN extras


Web interface

If you want to manage VPN instances via the web interface, install the necessary packages and provide instance management.

# Install packages
opkg update
opkg install luci-app-openvpn

Navigate to LuCI → Services → OpenVPN to manage OpenVPN instances.

Instance management

If you need to manage multiple VPN instances or use the web interface, make sure to specify a different VPN interface name for each instance.

# Provide VPN instance management
ls /etc/openvpn/*.conf \
| while read -r OVPN_CONF
do
OVPN_ID="$(basename ${OVPN_CONF%.*} | sed -e "s/\W/_/g")"
uci -q delete openvpn.${OVPN_ID}
uci set openvpn.${OVPN_ID}="openvpn"
uci set openvpn.${OVPN_ID}.enabled="1"
uci set openvpn.${OVPN_ID}.config="${OVPN_CONF}"
done
uci commit openvpn
/etc/init.d/openvpn restart

PKI

Use EasyRSA to add clients or revoke their certificates via CRL.

# Configuration parameters
export EASYRSA_PKI="/etc/easy-rsa/pki"
 
# Add one more client
easyrsa --batch build-client-full client1 nopass
 
# Add another client encrypting its private key
easyrsa --batch build-client-full client2
 
# Revoke client certificate
easyrsa --batch revoke client
 
# Generate a CRL
easyrsa --batch gen-crl
 
# Enable CRL verification
OVPN_CRL="$(cat ${EASYRSA_PKI}/crl.pem)"
NL=$'\n'
sed -i -e "
/^<crl-verify>/,/^<\/crl-verify>/s/^/#/
\$a <crl-verify>\n${OVPN_CRL//${NL}/\n}\n</crl-verify>
" /etc/openvpn/server.conf
/etc/init.d/openvpn restart
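The sed one-liner above comments out the previous <crl-verify> block and appends a new one, so every CRL refresh leaves another commented copy behind in server.conf. The following added example (written for this page, not part of the OpenWrt wiki or EasyRSA) replaces the inline block idempotently and refuses to install a file that does not look like a PEM CRL, which is what a defender wants to catch before openvpn fails to restart with an empty or truncated crl.pem. The function names, the scratch server.conf and the placeholder CRL body are all constructed for the demo; only a POSIX shell, awk, grep and coreutils are assumed.

```sh
#!/bin/sh
# Added example (not from the OpenWrt wiki): replace an inline <tag>...</tag>
# block in an OpenVPN config idempotently and sanity-check the PEM first.
# The CRL body used in the demo is a constructed placeholder, not a real CRL.

# ovpn_pem_has_type FILE TYPE
#   Returns 0 if FILE starts with "-----BEGIN TYPE-----" and contains the
#   matching END line, e.g. TYPE="X509 CRL". Catches empty/truncated files.
ovpn_pem_has_type() {
  [ "$(head -n 1 "$1")" = "-----BEGIN $2-----" ] && grep -q "^-----END $2-----\$" "$1"
}

# ovpn_set_inline_block CONF TAG FILE
#   Removes any existing <TAG>...</TAG> block from CONF (tags included) and
#   appends FILE wrapped in <TAG>/</TAG>. Safe to run on every CRL refresh.
ovpn_set_inline_block() {
  conf="$1" tag="$2" src="$3"
  tmp="${conf}.tmp.$$"
  awk -v open_tag="<${tag}>" -v close_tag="</${tag}>" '
    $0 == open_tag  { skip = 1; next }
    $0 == close_tag { skip = 0; next }
    !skip
  ' "$conf" > "$tmp"
  {
    cat "$tmp"
    printf '<%s>\n' "$tag"
    cat "$src"
    printf '</%s>\n' "$tag"
  } > "$conf"
  rm -f "$tmp"
}

# ovpn_inline_block_count CONF TAG
#   Prints how many <TAG> opening lines CONF contains (0 or 1 expected).
ovpn_inline_block_count() {
  grep -c "^<${2}>\$" "$1" || true
}

# ovpn_crl_demo
#   Builds a scratch server.conf, installs a placeholder CRL twice (as two
#   gen-crl refreshes would) and prints the scratch directory.
ovpn_crl_demo() {
  d="$(mktemp -d)"
  printf '%s\n' 'port 1194' 'proto udp' 'verb 3' > "$d/server.conf"
  for ver in v1 v2; do
    printf '%s\n' '-----BEGIN X509 CRL-----' \
      "PLACEHOLDER CRL ${ver} (constructed, not a real CRL)" \
      '-----END X509 CRL-----' > "$d/crl.pem"
    if ovpn_pem_has_type "$d/crl.pem" "X509 CRL"; then
      ovpn_set_inline_block "$d/server.conf" crl-verify "$d/crl.pem"
    fi
  done
  echo "$d"
}
```

On a real server the call would be `ovpn_set_inline_block /etc/openvpn/server.conf crl-verify "${EASYRSA_PKI}/crl.pem"` after `easyrsa gen-crl`, guarded by `ovpn_pem_has_type`, followed by the usual `/etc/init.d/openvpn restart`; the same function serves any inline block (ca, cert, key, tls-crypt).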

Static addresses

Use CCD on VPN server to provide static IP address allocation for clients assuming that:

  • 192.168.8.0/24 - VPN network
  • fdf1:7610:d152:3a9c::/64 - VPN6 network

mkdir -p /etc/openvpn/ccd
cat << EOF > /etc/openvpn/ccd/client
ifconfig-push 192.168.8.2 255.255.255.0
ifconfig-ipv6-push fdf1:7610:d152:3a9c::2/64
EOF
cat << EOF >> /etc/openvpn/server.conf
client-config-dir /etc/openvpn/ccd
EOF
/etc/init.d/openvpn restart

Disable gateway redirect

If you do not need to push all traffic via the VPN gateway, disable the gateway redirect on the VPN server.

sed -i -e "
/^push.*redirect-gateway/s/^/#/
" /etc/openvpn/server.conf
/etc/init.d/openvpn restart

Or ignore it on VPN client.

sed -i -e "
/^redirect-gateway/s/^/#/
\$a pull-filter ignore redirect-gateway
" /etc/openvpn/client.conf
/etc/init.d/openvpn restart

Site-to-site

Implement plain routing between server side LAN and client side LAN assuming that:

  • 192.168.1.0/24 - server side LAN
  • 192.168.2.0/24 - client side LAN
  • 192.168.8.0/24 - VPN network
  • 192.168.8.2/24 - VPN client

Enable CCD on VPN server, add route to client side LAN, push route to server side LAN, selectively disable gateway redirect.

mkdir -p /etc/openvpn/ccd
cat << EOF > /etc/openvpn/ccd/client
ifconfig-push 192.168.8.2 255.255.255.0
iroute 192.168.2.0 255.255.255.0
push-remove redirect-gateway
EOF
cat << EOF >> /etc/openvpn/server.conf
client-config-dir /etc/openvpn/ccd
route 192.168.2.0 255.255.255.0 192.168.8.2
push "route 192.168.1.0 255.255.255.0"
EOF
/etc/init.d/openvpn restart

Consider the VPN network private and assign the VPN interface to the LAN zone on the VPN client.

uci del_list firewall.wan.device="tun0"
uci add_list firewall.lan.device="tun0"
uci commit firewall
/etc/init.d/firewall restart
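Site-to-site routing only works when each client's iroute in its CCD file is paired with a matching route line in server.conf (the kernel route via the client's VPN address); a missing half of that pair is the usual reason a remote LAN stays unreachable. The following added example (written for this page, not part of the OpenWrt wiki) generates the CCD files and the server-side route lines from one client table and checks that every iroute has its route. The function names and the three-client table are constructed; only a POSIX shell, awk, grep and coreutils are assumed.

```sh
#!/bin/sh
# Added example (not from the OpenWrt wiki): generate CCD files plus the
# matching server.conf "route" lines and verify the two stay consistent.

# ovpn_ccd_write CCD_DIR NAME VPN_IP VPN_MASK [LAN_NET LAN_MASK]
#   Writes the per-client CCD file: a fixed VPN address and, for a
#   site-to-site client, the iroute for its LAN plus push-remove of the
#   gateway redirect (as in the wiki's site-to-site step).
ovpn_ccd_write() {
  mkdir -p "$1"
  {
    printf 'ifconfig-push %s %s\n' "$3" "$4"
    if [ -n "${5:-}" ]; then
      printf 'iroute %s %s\n' "$5" "$6"
      printf 'push-remove redirect-gateway\n'
    fi
  } > "$1/$2"
}

# ovpn_server_routes CCD_DIR
#   Prints one "route NET MASK GW" line per iroute found, with GW taken from
#   that client's ifconfig-push address.
ovpn_server_routes() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    vpn_ip="$(awk '$1 == "ifconfig-push" { print $2 }' "$f")"
    awk -v gw="$vpn_ip" '$1 == "iroute" { print "route", $2, $3, gw }' "$f"
  done
}

# ovpn_check_iroutes CCD_DIR SERVER_CONF
#   Returns 0 if every iroute has a matching route line in SERVER_CONF;
#   otherwise reports the missing networks on stderr and returns 1.
ovpn_check_iroutes() {
  missing=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    awk '$1 == "iroute" { print $2, $3 }' "$f" | while read -r net mask; do
      grep -q "^route ${net} ${mask} " "$2" \
        || { echo "missing in $2: route ${net} ${mask}" >&2; exit 1; }
    done || missing=1
  done
  return $missing
}

# ovpn_s2s_demo
#   Builds a scratch CCD directory and server.conf from a constructed client
#   table (two site-to-site clients, one road warrior) and prints the directory.
ovpn_s2s_demo() {
  d="$(mktemp -d)"
  ovpn_ccd_write "$d/ccd" client  192.168.8.2  255.255.255.0 192.168.2.0 255.255.255.0
  ovpn_ccd_write "$d/ccd" client2 192.168.8.3  255.255.255.0 192.168.3.0 255.255.255.0
  ovpn_ccd_write "$d/ccd" laptop  192.168.8.10 255.255.255.0
  {
    printf 'client-config-dir %s\n' "$d/ccd"
    ovpn_server_routes "$d/ccd"
    printf 'push "route 192.168.1.0 255.255.255.0"\n'
  } > "$d/server.conf"
  echo "$d"
}
```

Running `ovpn_check_iroutes /etc/openvpn/ccd /etc/openvpn/server.conf` before `/etc/init.d/openvpn restart` turns the silent "remote LAN unreachable" failure into an explicit error listing the route lines still to add.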

Split gateway

If the VPN gateway is not your LAN gateway, implement plain routing between the LAN network and the VPN network assuming that:

  • 192.168.1.0/24 - LAN network
  • 192.168.1.2/24 - VPN gateway
  • 192.168.8.0/24 - VPN network

Add port forwarding for VPN server on LAN gateway.

uci -q delete firewall.ovpn
uci set firewall.ovpn="redirect"
uci set firewall.ovpn.name="Redirect-OpenVPN"
uci set firewall.ovpn.src="wan"
uci set firewall.ovpn.src_dport="1194"
uci set firewall.ovpn.dest="lan"
uci set firewall.ovpn.dest_ip="192.168.1.2"
uci set firewall.ovpn.family="ipv4"
uci set firewall.ovpn.proto="udp"
uci set firewall.ovpn.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart

Add route to VPN network via VPN gateway on LAN gateway.

uci -q delete network.vpn
uci set network.vpn="route"
uci set network.vpn.interface="lan"
uci set network.vpn.target="192.168.8.0/24"
uci set network.vpn.gateway="192.168.1.2"
uci commit network
/etc/init.d/network restart

Dual-stack gateway

Utilize dual-stack mode assuming that VPN server has dual-stack connectivity. Set up transitional connectivity or NAT6 with IPv6 masquerading if required.

Enable VPN6 network on VPN server, provide DNS6, redirect GW6. Add default IPv6 route for VPN clients.

OVPN_POOL6="fdf1:7610:d152:3a9c::/64"
OVPN_DNS6="${OVPN_POOL6%/*}1"
cat << EOF >> /etc/openvpn/server.conf
proto udp6
server-ipv6 ${OVPN_POOL6}
push "dhcp-option DNS ${OVPN_DNS6}"
push "redirect-gateway ipv6"
EOF
/etc/init.d/openvpn restart
. /lib/functions/network.sh
network_flush_cache
network_find_wan6 NET_IF6
network_get_gateway6 NET_GW6 "${NET_IF6}"
uci -q delete network.vpn6
uci set network.vpn6="route6"
uci set network.vpn6.interface="${NET_IF6}"
uci set network.vpn6.source="${OVPN_POOL6}"
uci set network.vpn6.target="::/0"
uci set network.vpn6.gateway="${NET_GW6}"
uci commit network
/etc/init.d/network restart

PBR

Use different routing paths with PBR. Route LAN clients to WAN and other clients to VPN.

uci set network.wan.ip4table="1"
uci set network.wan6.ip6table="1"
uci -q delete network.lan_wan
uci set network.lan_wan="rule"
uci set network.lan_wan.in="lan"
uci set network.lan_wan.lookup="1"
uci commit network
/etc/init.d/network restart

NAT6

Enable NAT6 with IPv6 masquerading if you have no public prefix for VPN6 network.

opkg update
opkg install kmod-ipt-nat6
cat << EOF > /etc/firewall.nat6
iptables-save -t nat \
| sed -e "/\s[DS]NAT\s/d" \
| ip6tables-restore -T nat
EOF
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
/etc/init.d/firewall restart

TCP

Use TCP for troubleshooting.

OVPN_PROTO="tcp"
sed -i -e "
/^proto/s/^/#/
\$a proto ${OVPN_PROTO}
" /etc/openvpn/server.conf
/etc/init.d/openvpn restart
uci set firewall.ovpn.proto="${OVPN_PROTO}"
uci commit firewall
/etc/init.d/firewall restart

Bridging

If you need to utilize bridging, beware of compatibility issues.

OVPN_DEV="tap0"
OVPN_ADDR="$(uci get network.lan.ipaddr)"
OVPN_MASK="$(uci get network.lan.netmask)"
OVPN_POOL="${OVPN_ADDR%.*}.128 ${OVPN_ADDR%.*}.254"
OVPN_DNS="${OVPN_ADDR}"
sed -i -e "
/^dev/s/^/#/
\$a dev ${OVPN_DEV}
/^server/s/^/#/
\$a server-bridge ${OVPN_ADDR} ${OVPN_MASK} ${OVPN_POOL}
/^push.*dhcp-option.*DNS/s/^/#/
\$a push \"dhcp-option DNS ${OVPN_DNS}\"
" /etc/openvpn/server.conf
/etc/init.d/openvpn restart
uci set network.lan.type="bridge"
uci set network.lan.ifname="$(uci get network.lan.ifname) ${OVPN_DEV}"
uci commit network
/etc/init.d/network restart
uci -q delete firewall.lan.device
uci commit firewall
/etc/init.d/firewall restart

Compression

Enable lz4 compression. Beware of compatibility and security issues.

cat << EOF >> /etc/openvpn/server.conf
compress lz4
push "compress lz4"
EOF
/etc/init.d/openvpn restart

Compatibility

If using OpenVPN 2.3 or older, replace tls-crypt with tls-auth.

sed -i -e "
/^<.*tls-crypt>/s/crypt/auth/
\$a key-direction 0
" /etc/openvpn/server.conf
/etc/init.d/openvpn restart
 
sed -i -e "
/^<.*tls-crypt>/s/crypt/auth/
\$a key-direction 1
" /etc/openvpn/client.conf
/etc/init.d/openvpn restart

Verbose logging

Increase log verbosity for troubleshooting.

sed -i -e "
/^verb/s/^/#/
\$a verb 5
" /etc/openvpn/*.conf
/etc/init.d/openvpn restart

Fix DNS leak

Prevent DNS leaks on an OpenWrt client by utilizing a VPN-routed DNS provider or DNS encryption.

Modify the VPN connection using NetworkManager on Linux desktop client.

nmcli connection modify OVPN_CON ipv4.dns-priority "-50" ipv6.dns-priority "-50"

Modify the VPN client profile for Windows desktop client.

cat << EOF >> /etc/openvpn/client.ovpn
block-outside-dns
EOF

Dual-stack Windows client

Fix IPv6 routing for Windows desktop client when using dual-stack mode.

NETSH_IPV6="C:\\\\Windows\\\\System32\\\\cmd.exe /c netsh interface ipv6"
cat << EOF >> /etc/openvpn/client.ovpn
script-security 2
up '${NETSH_IPV6} set privacy state=disabled store=active & echo'
ipchange '${NETSH_IPV6} set global randomizeidentifiers=disabled store=active & echo'
route-up '${NETSH_IPV6} delete route prefix=%ifconfig_ipv6_local%/%ifconfig_ipv6_netbits% interface=%dev_idx% store=active'
EOF

DNS and domain

Use DNS and domain options on OpenWrt client.

cat << "EOF" > /etc/openvpn/client.sh
#!/bin/sh
env | sed -n -e "
/^foreign_option_.*=dhcp-option.*DNS/s//nameserver/p
/^foreign_option_.*=dhcp-option.*DOMAIN/s//domain/p
" | sort -u > /tmp/resolv.conf.vpn
case "${script_type}" in
up) uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.vpn" ;;
down) uci revert dhcp ;;
esac
/etc/init.d/dnsmasq restart &
EOF
chmod +x /etc/openvpn/client.sh
 
sed -i -e "
/^script-security/s/^/#/
\$a script-security 2
/^up/s/^/#/
\$a up /etc/openvpn/client.sh
/^down/s/^/#/
\$a down /etc/openvpn/client.sh
" /etc/openvpn/client.conf
/etc/init.d/openvpn restart
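The client.sh above copies whatever the server pushes as dhcp-option DNS/DOMAIN straight into the file dnsmasq reads as its resolvfile. The following added example (written for this page, not part of the OpenWrt wiki) isolates that conversion in a function that can be run against sample env output, and adds the check a practitioner would want: only values that look like an address or a DNS name are written, so a malformed pushed option cannot end up as an unexpected resolver directive. The function names and the env lines are constructed; only a POSIX shell, sed and sort are assumed.

```sh
#!/bin/sh
# Added example (not from the OpenWrt wiki): turn pushed foreign_option_N
# values into resolv.conf lines, dropping values that are not a plain
# address or hostname.

# ovpn_resolv_from_env
#   Reads "name=value" lines (the output of `env` inside an OpenVPN up/down
#   script) on stdin and prints deduplicated resolv.conf lines on stdout.
ovpn_resolv_from_env() {
  sed -n -e '
    /^foreign_option_[0-9]*=dhcp-option DNS /s//nameserver /p
    /^foreign_option_[0-9]*=dhcp-option DOMAIN /s//domain /p
  ' | while read -r kind value; do
    # Reject anything that is not a bare IPv4/IPv6 address (nameserver) or
    # a bare hostname (domain); an empty value is rejected by the last pattern.
    case "$kind $value" in
      "nameserver "*[!0-9A-Fa-f.:]* | "domain "*[!0-9A-Za-z.-]* | *" ") continue ;;
    esac
    printf '%s %s\n' "$kind" "$value"
  done | sort -u
}

# ovpn_sample_env
#   Constructed env output: a duplicate DNS server, an IPv6 server, a domain,
#   and one value with extra words that must not reach resolv.conf.
ovpn_sample_env() {
  printf '%s\n' \
    'PATH=/usr/bin' \
    'script_type=up' \
    'foreign_option_1=dhcp-option DNS 10.8.0.1' \
    'foreign_option_2=dhcp-option DNS 10.8.0.1' \
    'foreign_option_3=dhcp-option DOMAIN corp.example' \
    'foreign_option_4=dhcp-option DNS fd00::1' \
    'foreign_option_5=dhcp-option DNS 10.8.0.2 options debug'
}
```

Inside the real up script the call is `env | ovpn_resolv_from_env > /tmp/resolv.conf.vpn`, after which the `uci set dhcp.@dnsmasq[0].resolvfile=...` step from the wiki's script applies unchanged; for the sample input the function yields the domain line followed by exactly two nameserver lines.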

Kill switch

Prevent traffic leaks on an OpenWrt client by isolating the VPN interface in a separate firewall zone.

uci -q delete firewall.vpn
uci set firewall.vpn="zone"
uci set firewall.vpn.name="vpn"
uci set firewall.vpn.input="REJECT"
uci set firewall.vpn.output="ACCEPT"
uci set firewall.vpn.forward="REJECT"
uci set firewall.vpn.masq="1"
uci set firewall.vpn.mtu_fix="1"
uci -q delete firewall.lan_vpn
uci set firewall.lan_vpn="forwarding"
uci set firewall.lan_vpn.src="lan"
uci set firewall.lan_vpn.dest="vpn"
uci del_list firewall.wan.device="tun0"
uci add_list firewall.vpn.device="tun0"
uci set firewall.lan_wan.enabled="0"
uci commit firewall
/etc/init.d/firewall restart
 
cat << "EOF" > /etc/openvpn/killswitch.sh
#!/bin/sh
if pgrep openvpn
then
uci set firewall.lan_wan.enabled="1"
/etc/init.d/openvpn stop &
else
uci revert firewall
/etc/init.d/openvpn start &
fi
/etc/init.d/firewall restart &
EOF
chmod +x /etc/openvpn/killswitch.sh
docs/guide-user/services/vpn/openvpn/extra.txt · Last modified: 2019/10/20 06:50 by vgaetera