• This guide provides most common OpenVPN tuning scenarios adapted for OpenWrt.
• Follow OpenVPN client for client setup and OpenVPN basic for server setup.

Recommended desktop and mobile clients:

• OpenVPN for BSD/Linux/Windows
• OpenVPN for Android

Use EasyRSA to add clients or revoke their certificates via CRL.

# Configuration parameters
export EASYRSA_PKI="/etc/easy-rsa/pki"
 
# Add one more client
easyrsa --batch build-client-full vpnclient1 nopass
 
# Add another client encrypting its private key
easyrsa --batch build-client-full vpnclient2
 
# Revoke vpnclient certificate
easyrsa --batch revoke vpnclient
 
# Generate a CRL
easyrsa --batch gen-crl
 
# Enable CRL verification
VPN_CRL="$(cat "${EASYRSA_PKI}/crl.pem")"
NL=$'\n'
sed -i -e "
/^<crl-verify>/,/^<\/crl-verify>/s/^/#/
\$a <crl-verify>\n${VPN_CRL//${NL}/\n}\n</crl-verify>
" /etc/openvpn/vpnserver.conf
service openvpn restart

If you want to manage VPN instances via LuCI. Make sure to specify different network interface names to avoid collisions.

# Install packages
opkg update
opkg install luci-app-openvpn
 
# Provide VPN instance management
ls /etc/openvpn/*.conf \
| while read VPN_CONF
do
VPN_ID="$(basename "${VPN_CONF}" ".conf" | sed -e "s/[^0-9a-zA-Z]/_/g")"
uci -q delete openvpn.${VPN_ID}
uci set openvpn.${VPN_ID}="openvpn"
uci set openvpn.${VPN_ID}.enabled="1"
uci set openvpn.${VPN_ID}.config="${VPN_CONF}"
done
uci commit openvpn
service openvpn restart

Use CCD on VPN server to provide static IP address allocation for clients assuming that:

• 192.168.8.0/24 - VPN network
• fdf1:7610:d152:3a9c::/64 - VPN6 network

VPN_CCD="/etc/openvpn/ccd"
mkdir -p "${VPN_CCD}"
cat << EOF > "${VPN_CCD}/vpnclient"
ifconfig-push 192.168.8.2 255.255.255.0
ifconfig-ipv6-push fdf1:7610:d152:3a9c::2/64
EOF
cat << EOF >> /etc/openvpn/vpnserver.conf
client-config-dir ${VPN_CCD}
EOF
service openvpn restart

If you do not need to push all the traffic via VPN gateway. Disable gateway redirect on VPN server.

sed -i -e "
/^push.*redirect-gateway/s/^/#/
" /etc/openvpn/vpnserver.conf
service openvpn restart

Or ignore it on VPN client.

sed -i -e "
/^redirect-gateway/s/^/#/
\$a pull-filter ignore redirect-gateway
" /etc/openvpn/vpnclient.conf
service openvpn restart

Implement plain routing between server side LAN and client side LAN assuming that:

• 192.168.1.0/24 - server side LAN
• 192.168.2.0/24 - client side LAN
• 192.168.8.0/24 - VPN network
• 192.168.8.2/24 - VPN client

Enable CCD on VPN server, add route to client side LAN, push route to server side LAN.

VPN_CCD="/etc/openvpn/ccd"
mkdir -p "${VPN_CCD}"
cat << EOF > "${VPN_CCD}/vpnclient"
ifconfig-push 192.168.8.2 255.255.255.0
iroute 192.168.2.0 255.255.255.0
EOF
cat << EOF >> /etc/openvpn/vpnserver.conf
client-config-dir ${VPN_CCD}
route 192.168.2.0 255.255.255.0 192.168.8.2
push "route 192.168.1.0 255.255.255.0"
EOF
service openvpn restart

Consider VPN network as private and assign VPN interface to LAN zone on VPN client.

uci -q delete firewall.@zone[1].device
uci set firewall.@zone[0].device="tun0"
uci commit firewall
service firewall restart

If VPN gateway is not your LAN gateway. Implement plain routing between LAN network and VPN network assuming that:

• 192.168.1.0/24 - LAN network
• 192.168.1.2/24 - VPN gateway
• 192.168.8.0/24 - VPN network

Add port forwarding for VPN server on LAN gateway.

uci -q delete firewall.vpn
uci set firewall.vpn="redirect"
uci set firewall.vpn.name="Redirect-OpenVPN"
uci set firewall.vpn.src="wan"
uci set firewall.vpn.src_dport="1194"
uci set firewall.vpn.dest="lan"
uci set firewall.vpn.dest_ip="192.168.1.2"
uci set firewall.vpn.family="ipv4"
uci set firewall.vpn.proto="udp"
uci set firewall.vpn.target="DNAT"
uci commit firewall
service firewall restart

Add route to VPN network via VPN gateway on LAN gateway.

uci -q delete network.vpn
uci set network.vpn="route"
uci set network.vpn.interface="lan"
uci set network.vpn.target="192.168.8.0/24"
uci set network.vpn.gateway="192.168.1.2"
uci commit network
service network reload

Utilize dual-stack mode assuming that VPN server has dual-stack connectivity. Set up transitional connectivity if required.

Enable VPN6 network on VPN server, provide DNS6, redirect GW6. Add default IPv6 route for VPN clients.

VPN_POOL6="fdf1:7610:d152:3a9c::/64"
VPN_DNS6="${VPN_POOL6%/*}1"
cat << EOF >> /etc/openvpn/vpnserver.conf
server-ipv6 ${VPN_POOL6}
push "dhcp-option DNS ${VPN_DNS6}"
push "redirect-gateway ipv6"
EOF
service openvpn restart
source /lib/functions/network.sh
network_find_wan6 NET_IF6
network_get_gateway6 NET_GW6 "${NET_IF6}"
uci -q delete network.vpn6gw
uci set network.vpn6gw="route6"
uci set network.vpn6gw.interface="${NET_IF6}"
uci set network.vpn6gw.source="${VPN_POOL6}"
uci set network.vpn6gw.target="::/0"
uci set network.vpn6gw.gateway="${NET_GW6}"
uci commit network
service network reload

Request a public IPv6 prefix from the server side ISP and delegate it to VPN6 network, otherwise enable NAT6.

opkg update
opkg install kmod-ipt-nat6
cat << EOF > /etc/firewall.nat6
iptables-save --table="nat" \
| sed -e "/\s[DS]NAT\s/d" \
| ip6tables-restore --table="nat"
EOF
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
service firewall restart

Use TCP for troubleshooting.

VPN_PROTO="tcp"
sed -i -e "
/^proto/s/^/#/
\$a proto ${VPN_PROTO}
" /etc/openvpn/vpnserver.conf
service openvpn restart
uci set firewall.vpn.proto="${VPN_PROTO}"
uci commit firewall
service firewall restart

If you need to utilize bridging. Beware of compatibility issues.

VPN_DEV="tap0"
VPN_ADDR="$(uci get network.lan.ipaddr)"
VPN_MASK="$(uci get network.lan.netmask)"
VPN_POOL="${VPN_ADDR%.*}.128 ${VPN_ADDR%.*}.254"
VPN_DNS="${VPN_ADDR}"
sed -i -e "
/^dev/s/^/#/
\$a dev ${VPN_DEV}
/^server/s/^/#/
\$a server-bridge ${VPN_ADDR} ${VPN_MASK} ${VPN_POOL}
/^push.*dhcp-option.*DNS/s/^/#/
\$a push \"dhcp-option DNS ${VPN_DNS}\"
" /etc/openvpn/vpnserver.conf
service openvpn restart
uci set network.lan.type="bridge"
uci set network.lan.ifname="$(uci get network.lan.ifname) ${VPN_DEV}"
uci commit network
service network reload
uci -q delete firewall.@zone[0].device
uci commit firewall
service firewall restart

Enable lz4 compression. Beware of compatibility and security issues.

cat << EOF >> /etc/openvpn/vpnserver.conf
compress lz4
push "compress lz4"
EOF
service openvpn restart

If using OpenVPN 2.3 or older, replace tls-crypt with tls-auth.

sed -i -e "
/^<.*tls-crypt>/s/crypt/auth/
\$a key-direction 0
" /etc/openvpn/vpnserver.conf
service openvpn restart
 
sed -i -e "
/^<.*tls-crypt>/s/crypt/auth/
\$a key-direction 1
" /etc/openvpn/vpnclient.conf
service openvpn restart

Increase log verbosity for troubleshooting.

sed -i -e "
/^verb/s/^/#/
\$a verb 5
" /etc/openvpn/*.conf
service openvpn restart

Fix DNS leak on Linux desktop client using NetworkManager.

nmcli connection modify vpnclient ipv4.dns-priority "-50" ipv6.dns-priority "-50"

Fix DNS leak for Windows desktop client.

cat << EOF >> /etc/openvpn/vpnclient.ovpn
block-outside-dns
EOF

If using dual-stack mode, fix IPv6 routing for Windows desktop client.

NETSH_IPV6="C:\\\\Windows\\\\System32\\\\cmd.exe /c netsh interface ipv6"
cat << EOF >> /etc/openvpn/vpnclient.ovpn
script-security 2
up '${NETSH_IPV6} set privacy state=disabled store=active & echo'
ipchange '${NETSH_IPV6} set global randomizeidentifiers=disabled store=active & echo'
route-up '${NETSH_IPV6} delete route prefix=%ifconfig_ipv6_local%/%ifconfig_ipv6_netbits% interface=%dev_idx% store=active'
EOF