OpenVPN extras

• This how-to describes the most common OpenVPN tuning scenarios adapted for OpenWrt.
• Follow OpenVPN server for server setup and OpenVPN client for client setup.
• Follow DDNS client to use own server with dynamic IP address.
• Follow Random generator to overcome low entropy issues.

• OpenVPN for BSD/Linux/Windows
• OpenVPN for Android
• OpenVPN documentation

If you want to manage VPN instances using web interface. Install the necessary packages and provide instance management.

# Install packages
opkg update
opkg install luci-app-openvpn
/etc/init.d/rpcd restart

Navigate to LuCI → VPN → OpenVPN to manage OpenVPN instances.

If you need to manage multiple VPN instances or use web interface. Configure VPN instances.

# Provide VPN instance management
ls /etc/openvpn/*.conf \
| while read -r OVPN_CONF
do OVPN_ID="$(basename ${OVPN_CONF%.*} | sed -e "s/\W/_/g")"
uci -q delete openvpn.${OVPN_ID}
uci set openvpn.${OVPN_ID}="openvpn"
uci set openvpn.${OVPN_ID}.enabled="1"
uci set openvpn.${OVPN_ID}.config="${OVPN_CONF}"
done
uci commit openvpn
/etc/init.d/openvpn restart

Be sure to specify a different VPN interface name for each instance.

If you use a commercial VPN provider. Set up credentials for username/password authentication.

# Save username/password credentials
umask go=
cat << EOF > /etc/openvpn/client.auth
USERNAME
PASSWORD
EOF
 
# Configure VPN service
cat << EOF >> /etc/openvpn/client.conf
auth-user-pass client.auth
EOF
/etc/init.d/openvpn restart

Set up Hotplug extras to restart VPN client upon reconnecting WAN interface.

# Configure hotplug
mkdir -p /etc/hotplug.d/online
cat << "EOF" > /etc/hotplug.d/online/00-openvpn
/etc/init.d/openvpn restart
EOF
cat << "EOF" >> /etc/sysupgrade.conf
/etc/hotplug.d/online/00-openvpn
EOF

Allow the peer to change its address/port.

# Configure VPN service
cat << EOF >> /etc/openvpn/client.conf
float
EOF
/etc/init.d/openvpn restart

If you want to set up PBR. Declare the VPN interface.

uci del_list firewall.wan.device="tun+"
uci add_list firewall.wan.network="vpn"
uci commit firewall
/etc/init.d/firewall restart
uci -q delete network.vpn
uci set network.vpn="interface"
uci set network.vpn.proto="none"
uci set network.vpn.device="tun0"
uci commit network
/etc/init.d/network restart

Be sure to resolve race condition with netifd service.

Provide static IP address allocation on VPN server assuming that:

• 192.168.8.0/24 - VPN network
• fdf1:e8a1:8d3f:8::/64 - IPv6 VPN network

umask go=rx
mkdir -p /etc/openvpn/ccd
cat << EOF > /etc/openvpn/ccd/client
ifconfig-push 192.168.8.2 255.255.255.0
ifconfig-ipv6-push fdf1:e8a1:8d3f:8::2/64
EOF
cat << EOF >> /etc/openvpn/server.conf
client-config-dir ccd
EOF
/etc/init.d/openvpn restart

Implement plain routing between server side LAN and client side LAN assuming that:

• 192.168.1.0/24 - server side LAN
• 192.168.2.0/24 - client side LAN

Set up static address allocation on VPN server, add route to client side LAN, push route to server side LAN, selectively disable gateway redirection.

cat << EOF >> /etc/openvpn/ccd/client
iroute 192.168.2.0 255.255.255.0
push-remove redirect-gateway
EOF
cat << EOF >> /etc/openvpn/server.conf
route 192.168.2.0 255.255.255.0 192.168.8.2
push "route 192.168.1.0 255.255.255.0"
EOF
/etc/init.d/openvpn restart

Consider VPN network as private and assign VPN interface to LAN zone on VPN client.

uci del_list firewall.wan.device="tun+"
uci add_list firewall.lan.device="tun+"
uci commit firewall
/etc/init.d/firewall restart

More detail about site to site / iroute

If you do not need to redirect all traffic to VPN. Disable gateway redirection on VPN server, or ignore it on VPN client.

cat << EOF >> /etc/openvpn/client.conf
pull-filter ignore redirect-gateway
EOF

If VPN gateway is separate from your LAN gateway. Implement plain routing between LAN network and VPN network assuming that:

• 192.168.1.0/24 - LAN network
• 192.168.1.2/24 - VPN gateway
• 192.168.8.0/24 - VPN network

Add port forwarding for VPN server on LAN gateway.

uci -q delete firewall.ovpn
uci set firewall.ovpn="redirect"
uci set firewall.ovpn.name="Redirect-OpenVPN"
uci set firewall.ovpn.src="wan"
uci set firewall.ovpn.src_dport="1194"
uci set firewall.ovpn.dest="lan"
uci set firewall.ovpn.dest_ip="192.168.1.2"
uci set firewall.ovpn.family="ipv4"
uci set firewall.ovpn.proto="udp"
uci set firewall.ovpn.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart

Add route to VPN network via VPN gateway on LAN gateway.

uci -q delete network.vpn
uci set network.vpn="route"
uci set network.vpn.interface="lan"
uci set network.vpn.target="192.168.8.0/24"
uci set network.vpn.gateway="192.168.1.2"
uci commit network
/etc/init.d/network restart

Set up an IPv6 tunnel broker or IPv6 masquerading if necessary. Enable IPv6 tunnel on VPN server, offer IPv6 DNS, redirect IPv6 gateway.

OVPN_POOL6="fdf1:e8a1:8d3f:8::/64"
OVPN_DNS6="${OVPN_POOL6%/*}1"
cat << EOF >> /etc/openvpn/server.conf
proto udp6
server-ipv6 ${OVPN_POOL6}
push "dhcp-option DNS ${OVPN_DNS6}"
push "redirect-gateway ipv6"
EOF
/etc/init.d/openvpn restart

Disable source routing on the server. Disable ISP prefix delegation to avoid IPv6 leak on the client.

Use TCP if necessary. Beware of performance issues.

OVPN_PROTO="tcp"
cat << EOF >> /etc/openvpn/server.conf
proto ${OVPN_PROTO}
proto ${OVPN_PROTO}6
EOF
/etc/init.d/openvpn restart
uci set firewall.ovpn.proto="${OVPN_PROTO}"
uci commit firewall
/etc/init.d/firewall restart

If you need to utilize bridging. Beware of compatibility issues.

OVPN_ADDR="$(uci get network.lan.ipaddr)"
OVPN_MASK="$(uci get network.lan.netmask)"
OVPN_POOL="${OVPN_ADDR%.*}.128 ${OVPN_ADDR%.*}.254"
OVPN_DNS="${OVPN_ADDR}"
cat << EOF >> /etc/openvpn/server.conf
dev tap
server-bridge ${OVPN_ADDR} ${OVPN_MASK} ${OVPN_POOL}
push "dhcp-option DNS ${OVPN_DNS}"
EOF
/etc/init.d/openvpn restart
uci -q delete firewall.lan.device
uci commit firewall
/etc/init.d/firewall restart
uci add_list network.@device[0].ports="tap0"
uci commit network
/etc/init.d/network restart

Fix IPv6 routing for Windows desktop client when using dual-stack mode.

NETSH_IPV6="C:\\\\Windows\\\\System32\\\\cmd.exe /c netsh interface ipv6"
cat << EOF >> /etc/openvpn/client.ovpn
script-security 2
up '${NETSH_IPV6} set privacy state=disabled store=active & echo'
ipchange '${NETSH_IPV6} set global randomizeidentifiers=disabled store=active & echo'
route-up '${NETSH_IPV6} delete route prefix=%ifconfig_ipv6_local%/%ifconfig_ipv6_netbits% interface=%dev_idx% store=active'
EOF

Modify the VPN client profile for Windows desktop client.

cat << EOF >> /etc/openvpn/client.ovpn
block-outside-dns
EOF

Use DNS and domain provided by VPN server on OpenWrt client.

cat << "EOF" > /etc/hotplug.d/net/00-openvpn-resolv
if [ "${INTERFACE%%[0-9]*}" = "tun" ]
then case "${ACTION}" in
(add) RESOLV_CONF="/tmp/resolv.conf.d/resolv.conf.vpn" ;;
(remove) RESOLV_CONF="/tmp/resolv.conf.d/resolv.conf.auto" ;;
esac
uci set dhcp.@dnsmasq[0].resolvfile="${RESOLV_CONF}"
/etc/init.d/dnsmasq restart
fi
EOF
cat << "EOF" > /etc/hotplug.d/openvpn/00-resolv
env | sed -n -e "
/^foreign_option_.*=dhcp-option.*DNS/s//nameserver/p
/^foreign_option_.*=dhcp-option.*DOMAIN/s//search/p
" | sort -u > /tmp/resolv.conf.d/resolv.conf.vpn
EOF
cat << "EOF" >> /etc/sysupgrade.conf
/etc/hotplug.d/net/00-openvpn-resolv
/etc/hotplug.d/openvpn/00-resolv
EOF
/etc/init.d/openvpn restart

Prevent traffic leak on OpenWrt client isolating VPN interface in a separate firewall zone.

uci -q delete firewall.vpn
uci set firewall.vpn="zone"
uci set firewall.vpn.name="vpn"
uci set firewall.vpn.input="REJECT"
uci set firewall.vpn.output="ACCEPT"
uci set firewall.vpn.forward="REJECT"
uci set firewall.vpn.masq="1"
uci set firewall.vpn.mtu_fix="1"
uci add_list firewall.vpn.device="tun+"
uci del_list firewall.wan.device="tun+"
uci -q delete firewall.@forwarding[0]
uci -q delete firewall.lan_vpn
uci set firewall.lan_vpn="forwarding"
uci set firewall.lan_vpn.src="lan"
uci set firewall.lan_vpn.dest="vpn"
uci commit firewall
/etc/init.d/firewall restart

Set up multi-client VPN server. Use EasyRSA to add clients or revoke their certificates via CRL.

# Configuration parameters
OVPN_PKI="/etc/easy-rsa/pki"
export EASYRSA_PKI="${OVPN_PKI}"
export EASYRSA_BATCH="1"
 
# Add one more client
easyrsa build-client-full client1 nopass
openvpn --tls-crypt-v2 ${EASYRSA_PKI}/private/server.pem \
--genkey tls-crypt-v2-client ${EASYRSA_PKI}/private/client1.pem
 
# Revoke client certificate
easyrsa revoke client
 
# Generate a CRL
easyrsa gen-crl
 
# Enable CRL verification
OVPN_CRL="$(cat ${OVPN_PKI}/crl.pem)"
cat << EOF >> /etc/openvpn/server.conf
<crl-verify>
${OVPN_CRL}
</crl-verify>
EOF
/etc/init.d/openvpn restart

Automated VPN server installation and client profiles generation.

URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/openvpn"
cat << EOF > openvpn-server.sh
$(uclient-fetch -O - "${URL}/server?codeblock=0")
$(uclient-fetch -O - "${URL}/server?codeblock=1")
$(uclient-fetch -O - "${URL}/server?codeblock=2")
$(uclient-fetch -O - "${URL}/server?codeblock=3")
EOF
sh openvpn-server.sh