# OpenVPN extras

This article relies on the following:

- Accessing OpenWrt CLI
- Managing configurations
- Managing packages
- Managing services

## Introduction

This how-to describes the most common OpenVPN tuning scenarios adapted for OpenWrt.
Follow OpenVPN server for server setup and OpenVPN client for client setup.
Follow Random generator to overcome low entropy issues.

## Extras

### References

- OpenVPN for BSD/Linux/Windows
- OpenVPN for Android
- OpenVPN documentation

### Web interface

Install the necessary packages and provide instance management if you want to manage VPN instances using the web interface.

```shell
# Install packages
opkg update
opkg install luci-app-openvpn
/etc/init.d/rpcd restart
```

Navigate to LuCI → VPN → OpenVPN to manage OpenVPN instances.

### Instance management

If you need to manage multiple VPN instances or use the web interface, make sure to specify different VPN interface names for each instance.

```shell
# Provide VPN instance management
ls /etc/openvpn/*.conf \
| while read -r OVPN_CONF
do
OVPN_ID="$(basename ${OVPN_CONF%.*} | sed -e "s/\W/_/g")"
uci -q delete openvpn.${OVPN_ID}
uci set openvpn.${OVPN_ID}="openvpn"
uci set openvpn.${OVPN_ID}.enabled="1"
uci set openvpn.${OVPN_ID}.config="${OVPN_CONF}"
done
uci commit openvpn
/etc/init.d/openvpn restart
```

### Commercial provider

If you use a commercial VPN provider, set up credentials for username/password authentication and enforce gateway redirection.
```shell
# Configuration parameters
OVPN_DIR="/etc/openvpn"
OVPN_ID="client"
OVPN_USER="USERNAME"
OVPN_PASS="PASSWORD"

# Save username/password credentials
# The heredoc delimiter must stay unquoted so that the variables are expanded;
# a quoted delimiter would write the literal text ${OVPN_USER} into the file.
umask go=
cat << EOF > ${OVPN_DIR}/${OVPN_ID}.auth
${OVPN_USER}
${OVPN_PASS}
EOF

# Configure VPN service
sed -i -e "
/^auth-user-pass/s/^/#/
\$a auth-user-pass ${OVPN_ID}.auth
/^redirect-gateway/s/^/#/
\$a redirect-gateway def1 ipv6
" ${OVPN_DIR}/${OVPN_ID}.conf
/etc/init.d/openvpn restart
```

### Dynamic connection

Restart the VPN client upon reconnecting the WAN interface with hotplug.

```shell
# Configure hotplug
cat << "EOF" > /etc/hotplug.d/iface/50-openvpn
if [ "${INTERFACE}" = "wan" -o "${INTERFACE}" = "wan6" ] \
&& [ "${ACTION}" = "ifup" -o "${ACTION}" = "ifupdate" ]
then /etc/init.d/openvpn restart
fi
EOF
```

### Network interface

If you want to manage the VPN interface using the web interface, beware of a race condition with the netifd service.

```shell
uci del_list firewall.wan.device="tun+"
uci add_list firewall.wan.network="vpn"
uci commit firewall
/etc/init.d/firewall restart
uci -q delete network.vpn
uci set network.vpn="interface"
uci set network.vpn.proto="none"
uci set network.vpn.ifname="tun0"
uci commit network
/etc/init.d/network restart
```

### Static addresses

Provide static IP address allocation on the VPN server assuming that:

- 192.168.8.0/24 - VPN network
- fdf1:e8a1:8d3f:8::/64 - VPN6 network

```shell
umask go=rx
mkdir -p /etc/openvpn/ccd
cat << EOF > /etc/openvpn/ccd/client
ifconfig-push 192.168.8.2 255.255.255.0
ifconfig-ipv6-push fdf1:e8a1:8d3f:8::2/64
EOF
cat << EOF >> /etc/openvpn/server.conf
client-config-dir ccd
EOF
/etc/init.d/openvpn restart
```

### Site-to-site

Implement plain routing between the server side LAN and the client side LAN assuming that:

- 192.168.1.0/24 - server side LAN
- 192.168.2.0/24 - client side LAN

Set up static address allocation on the VPN server, add a route to the client side LAN, push a route to the server side LAN, and selectively disable gateway redirection.
```shell
cat << EOF >> /etc/openvpn/ccd/client
iroute 192.168.2.0 255.255.255.0
push-remove redirect-gateway
EOF
cat << EOF >> /etc/openvpn/server.conf
route 192.168.2.0 255.255.255.0 192.168.8.2
push "route 192.168.1.0 255.255.255.0"
EOF
/etc/init.d/openvpn restart
```

Consider the VPN network as private and assign the VPN interface to the LAN zone on the VPN client.

```shell
uci del_list firewall.wan.device="tun+"
uci add_list firewall.lan.device="tun+"
uci commit firewall
/etc/init.d/firewall restart
```

### Disable gateway redirection

If you do not need to redirect all traffic to the VPN, disable gateway redirection on the VPN server.

```shell
sed -i -e "
/^push.*redirect-gateway/s/^/#/
" /etc/openvpn/server.conf
/etc/init.d/openvpn restart
```

Or ignore it on the VPN client.

```shell
sed -i -e "
/^redirect-gateway/s/^/#/
\$a pull-filter ignore redirect-gateway
" /etc/openvpn/client.conf
/etc/init.d/openvpn restart
```

### Split gateway

If the VPN gateway is not your LAN gateway, implement plain routing between the LAN network and the VPN network assuming that:

- 192.168.1.0/24 - LAN network
- 192.168.1.2/24 - VPN gateway
- 192.168.8.0/24 - VPN network

Add port forwarding for the VPN server on the LAN gateway.

```shell
uci -q delete firewall.ovpn
uci set firewall.ovpn="redirect"
uci set firewall.ovpn.name="Redirect-OpenVPN"
uci set firewall.ovpn.src="wan"
uci set firewall.ovpn.src_dport="1194"
uci set firewall.ovpn.dest="lan"
uci set firewall.ovpn.dest_ip="192.168.1.2"
uci set firewall.ovpn.family="ipv4"
uci set firewall.ovpn.proto="udp"
uci set firewall.ovpn.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart
```

Add a route to the VPN network via the VPN gateway on the LAN gateway.

```shell
uci -q delete network.vpn
uci set network.vpn="route"
uci set network.vpn.interface="lan"
uci set network.vpn.target="192.168.8.0/24"
uci set network.vpn.gateway="192.168.1.2"
uci commit network
/etc/init.d/network restart
```

### IPv6 gateway

Provide IPv6 tunnel connectivity. Set up transitional connectivity or NAT6 with IPv6 masquerading if required.
Enable the VPN6 network on the VPN server, provide DNS6, and redirect GW6.
Provide a default IPv6 route for VPN clients.

```shell
OVPN_POOL6="fdf1:e8a1:8d3f:8::/64"
OVPN_DNS6="${OVPN_POOL6%/*}1"
cat << EOF >> /etc/openvpn/server.conf
proto udp6
server-ipv6 ${OVPN_POOL6}
push "dhcp-option DNS ${OVPN_DNS6}"
push "redirect-gateway ipv6"
EOF
/etc/init.d/openvpn restart
uci set network.wan6.sourcefilter="0"
uci commit network
/etc/init.d/network restart
```

### TCP

Use TCP for troubleshooting.

```shell
OVPN_PROTO="tcp"
sed -i -e "
/^proto/s/^/#/
\$a proto ${OVPN_PROTO}
" /etc/openvpn/server.conf
/etc/init.d/openvpn restart
uci set firewall.ovpn.proto="${OVPN_PROTO}"
uci commit firewall
/etc/init.d/firewall restart
```

### Bridging

If you need to utilize bridging, beware of compatibility issues.

```shell
OVPN_ADDR="$(uci get network.lan.ipaddr)"
OVPN_MASK="$(uci get network.lan.netmask)"
OVPN_POOL="${OVPN_ADDR%.*}.128 ${OVPN_ADDR%.*}.254"
OVPN_DNS="${OVPN_ADDR}"
NET_IF="$(uci get network.lan.ifname)"
sed -i -e "
/^dev/s/^/#/
\$a dev tap
/^server/s/^/#/
\$a server-bridge ${OVPN_ADDR} ${OVPN_MASK} ${OVPN_POOL}
/^push.*dhcp-option.*DNS/s/^/#/
\$a push \"dhcp-option DNS ${OVPN_DNS}\"
" /etc/openvpn/server.conf
sed -i -e "
/^dev/s/^/#/
\$a dev tap
" /etc/openvpn/client.ovpn
/etc/init.d/openvpn restart
uci -q delete firewall.lan.device
uci commit firewall
/etc/init.d/firewall restart
uci set network.lan.type="bridge"
uci set network.lan.ifname="${NET_IF%% *} tap0"
uci commit network
/etc/init.d/network restart
```

### Compression

Enable lz4 compression. Beware of compatibility and security issues.

```shell
cat << EOF >> /etc/openvpn/server.conf
compress lz4
push "compress lz4"
EOF
/etc/init.d/openvpn restart
```

### Compatibility

If using OpenVPN 2.3 or older, replace tls-crypt with tls-auth.

```shell
sed -i -e "
/^<.*tls-crypt>/s/crypt/auth/
\$a key-direction 0
" /etc/openvpn/server.conf
/etc/init.d/openvpn restart
sed -i -e "
/^<.*tls-crypt>/s/crypt/auth/
\$a key-direction 1
" /etc/openvpn/client.conf
/etc/init.d/openvpn restart
```

### Verbose logging

Increase log verbosity for troubleshooting.
```shell
sed -i -e "
/^verb/s/^/#/
\$a verb 5
" /etc/openvpn/*.conf
/etc/init.d/openvpn restart
```

### Dual-stack Windows client

Fix IPv6 routing for the Windows desktop client when using dual-stack mode.

```shell
NETSH_IPV6="C:\\\\Windows\\\\System32\\\\cmd.exe /c netsh interface ipv6"
cat << EOF >> /etc/openvpn/client.ovpn
script-security 2
up '${NETSH_IPV6} set privacy state=disabled store=active & echo'
ipchange '${NETSH_IPV6} set global randomizeidentifiers=disabled store=active & echo'
route-up '${NETSH_IPV6} delete route prefix=%ifconfig_ipv6_local%/%ifconfig_ipv6_netbits% interface=%dev_idx% store=active'
EOF
```

### DNS over VPN

Utilize DNS over VPN to prevent a DNS leak.
Disable peer DNS and configure a VPN-routed DNS provider on the OpenWrt client.
Modify the VPN connection using NetworkManager on the Linux desktop client.

```shell
nmcli connection modify id VPN_CON ipv4.dns-search ~. ipv6.dns-search ~. ipv4.dns-priority -50 ipv6.dns-priority -50
```

Modify the VPN client profile for the Windows desktop client.

```shell
cat << EOF >> /etc/openvpn/client.ovpn
block-outside-dns
EOF
```

### DNS and domain

Use the DNS and domain provided by the VPN server on the OpenWrt client.

```shell
cat << "EOF" > /etc/openvpn/client.sh
#!/bin/sh
env | sed -n -e "
/^foreign_option_.*=dhcp-option.*DNS/s//nameserver/p
/^foreign_option_.*=dhcp-option.*DOMAIN/s//search/p
" | sort -u > /tmp/resolv.conf.vpn
case ${script_type} in
(up) uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.vpn" ;;
(down) uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.auto" ;;
esac
/etc/init.d/dnsmasq restart &
EOF
chmod +x /etc/openvpn/client.sh
sed -i -e "
/^script-security/s/^/#/
\$a script-security 2
/^up/s/^/#/
\$a up /etc/openvpn/client.sh
/^down/s/^/#/
\$a down /etc/openvpn/client.sh
" /etc/openvpn/client.conf
/etc/init.d/openvpn restart
```

### Kill switch

Prevent traffic leaks on the OpenWrt client by isolating the VPN interface in a separate firewall zone.
```shell
uci rename firewall.@forwarding[0]="lan_wan"
uci set firewall.lan_wan.enabled="0"
uci -q delete firewall.vpn
uci set firewall.vpn="zone"
uci set firewall.vpn.name="vpn"
uci set firewall.vpn.input="REJECT"
uci set firewall.vpn.output="ACCEPT"
uci set firewall.vpn.forward="REJECT"
uci set firewall.vpn.masq="1"
uci set firewall.vpn.mtu_fix="1"
uci add_list firewall.vpn.device="tun+"
uci del_list firewall.wan.device="tun+"
uci -q delete firewall.lan_vpn
uci set firewall.lan_vpn="forwarding"
uci set firewall.lan_vpn.src="lan"
uci set firewall.lan_vpn.dest="vpn"
uci commit firewall
/etc/init.d/firewall restart
cat << "EOF" > /etc/openvpn/killswitch.sh
#!/bin/sh
if pgrep openvpn
then
uci set firewall.lan_wan.enabled="1"
/etc/init.d/openvpn stop &
else
uci set firewall.lan_wan.enabled="0"
/etc/init.d/openvpn start &
fi
/etc/init.d/firewall restart &
EOF
chmod +x /etc/openvpn/killswitch.sh
```

Running killswitch.sh toggles between the two states: if OpenVPN is running it stops the client and re-enables LAN to WAN forwarding, otherwise it disables that forwarding and starts the client.

### Multi-client

Set up a multi-client VPN server.
Use EasyRSA to add clients or revoke their certificates via CRL.

```shell
# Configuration parameters
OVPN_PKI="/etc/easy-rsa/pki"
export EASYRSA_PKI="${OVPN_PKI}"
export EASYRSA_BATCH="1"

# Add one more client
easyrsa build-client-full client1 nopass

# Add another client encrypting its private key
easyrsa build-client-full client2

# Revoke client certificate
easyrsa revoke client

# Generate a CRL
easyrsa gen-crl

# Enable CRL verification
OVPN_CRL="$(cat ${OVPN_PKI}/crl.pem)"
sed -i -e "
/^<crl-verify>/,/^<\/crl-verify>/s/^/#/
\$a <crl-verify>\n${OVPN_CRL//$'\n'/\\n}\n</crl-verify>
" /etc/openvpn/server.conf
/etc/init.d/openvpn restart
```

### Automated

Automated VPN server installation and client profile generation.

```shell
opkg update
opkg install curl
URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/openvpn"
cat << EOF > openvpn-server.sh
$(curl "${URL}/server?codeblock=0")
$(curl "${URL}/server?codeblock=1")
$(curl "${URL}/server?codeblock=2")
$(curl "${URL}/server?codeblock=3")
EOF
sh openvpn-server.sh
```
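The Static addresses and Site-to-site sections above work only when the client's ccd entry (ifconfig-push, iroute) and the server.conf route line agree with each other; an iroute with no matching server route is a common reason a site-to-site link passes the handshake but never forwards traffic. The check below is an added example and is not part of the wiki page or of OpenVPN: it builds a constructed copy of those files in a temporary directory and reports, per iroute, whether server.conf carries a matching route whose gateway is the address pushed to that client. The function names ovpn_check_iroutes and ovpn_iroutes_ok and the sample tree are assumptions for the demo; on a router you would pass /etc/openvpn/server.conf instead.

```shell
#!/bin/sh
# Added example, not part of the OpenWrt wiki page.  Verifies that the
# client-config-dir entries and server.conf from the Static addresses and
# Site-to-site sections agree: every "iroute" needs a matching server "route",
# and that route's gateway should be the address "ifconfig-push" assigns to the
# same client.  The file tree below is constructed in a temporary directory.

OVPN_TEST_DIR="$(mktemp -d)"
trap 'rm -rf "${OVPN_TEST_DIR}"' EXIT
mkdir -p "${OVPN_TEST_DIR}/ccd"

# Constructed server.conf mirroring the Site-to-site section.
cat << EOF > "${OVPN_TEST_DIR}/server.conf"
server 192.168.8.0 255.255.255.0
client-config-dir ccd
route 192.168.2.0 255.255.255.0 192.168.8.2
push "route 192.168.1.0 255.255.255.0"
EOF

# Constructed ccd entry for the client from the page: consistent.
cat << EOF > "${OVPN_TEST_DIR}/ccd/client"
ifconfig-push 192.168.8.2 255.255.255.0
iroute 192.168.2.0 255.255.255.0
push-remove redirect-gateway
EOF

# Constructed second client whose iroute has no server route: the server has
# no kernel route for 192.168.3.0/24, so traffic for it never enters the tunnel.
cat << EOF > "${OVPN_TEST_DIR}/ccd/branch"
ifconfig-push 192.168.8.3 255.255.255.0
iroute 192.168.3.0 255.255.255.0
EOF

# ovpn_check_iroutes SERVER_CONF
# Prints "<client> <network> <netmask> <state>" per iroute, where state is
# ok, missing-route or gateway-mismatch.  A relative client-config-dir is
# resolved against the directory of SERVER_CONF.
ovpn_check_iroutes() {
	conf="$1"
	dir="$(dirname "${conf}")"
	ccd="$(sed -n -e 's/^client-config-dir[[:space:]][[:space:]]*//p' "${conf}" | head -n 1)"
	[ -n "${ccd}" ] || { echo "no client-config-dir in ${conf}" >&2; return 2; }
	case "${ccd}" in (/*) ;; (*) ccd="${dir}/${ccd}" ;; esac
	for f in "${ccd}"/*; do
		[ -f "${f}" ] || continue
		client="$(basename "${f}")"
		gw="$(sed -n -e 's/^ifconfig-push[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "${f}" | head -n 1)"
		sed -n -e 's/^iroute[[:space:]][[:space:]]*//p' "${f}" | while read -r net mask; do
			# Server-side "route NET MASK [GW]"; an omitted gateway means
			# vpn_gateway, which already points into the tunnel.
			rgw="$(awk -v n="${net}" -v m="${mask}" \
				'$1 == "route" && $2 == n && $3 == m { print ($4 == "" ? "default" : $4); exit }' "${conf}")"
			if [ -z "${rgw}" ]; then state="missing-route"
			elif [ "${rgw}" != "default" ] && [ "${rgw}" != "${gw}" ]; then state="gateway-mismatch"
			else state="ok"
			fi
			echo "${client} ${net} ${mask} ${state}"
		done
	done
}

# ovpn_iroutes_ok SERVER_CONF: returns 0 only if every iroute is backed correctly.
ovpn_iroutes_ok() {
	ovpn_check_iroutes "$1" | grep -q -v ' ok$' && return 1
	return 0
}

# Stand-alone demo on the constructed tree.
ovpn_check_iroutes "${OVPN_TEST_DIR}/server.conf"
ovpn_iroutes_ok "${OVPN_TEST_DIR}/server.conf" && echo "consistent" || echo "inconsistent"
```

On the constructed tree the client entry reports ok and the branch entry reports missing-route, so the overall check fails; adding the corresponding route line to server.conf, as the Site-to-site section does for 192.168.2.0/24, makes it pass. A route line without an explicit gateway is accepted as ok because OpenVPN then uses vpn_gateway, which already points into the tunnel.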
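Several sections above (Commercial provider, DNS over VPN, DNS and domain, Kill switch) depend on details of the client profile that are easy to get subtly wrong: the credentials file must not be readable by other users and must contain the real values rather than the literal ${OVPN_USER} text that a quoted heredoc leaves behind, gateway redirection must actually be present if all traffic is meant to use the tunnel, and script-security should stay at 2 because level 3 exports the username and password to scripts through the environment. The lint below is an added example, not code from the wiki page or from OpenVPN; the profiles it checks are constructed in a temporary directory, and the function name ovpn_lint_client is an assumption. It resolves a relative auth-user-pass path against the profile's own directory, which assumes OpenVPN is started with that directory as its working directory.

```shell
#!/bin/sh
# Added example, not part of the OpenWrt wiki page.  Lints an OpenVPN client
# profile for the credential and leak-related settings the Commercial provider,
# DNS over VPN and Kill switch sections rely on.  All paths and profiles below
# are constructed for the demo.

OVPN_LINT_DIR="$(mktemp -d)"
trap 'rm -rf "${OVPN_LINT_DIR}"' EXIT

# Constructed "good" profile: private credential file, gateway redirected,
# script-security kept at 2.
printf '%s\n' "USERNAME" "PASSWORD" > "${OVPN_LINT_DIR}/good.auth"
chmod 0600 "${OVPN_LINT_DIR}/good.auth"
cat << EOF > "${OVPN_LINT_DIR}/good.conf"
client
dev tun
auth-user-pass good.auth
redirect-gateway def1 ipv6
script-security 2
EOF

# Constructed "bad" profile: world-readable credential file that still holds
# the unexpanded placeholders a quoted heredoc leaves behind, no gateway
# redirection, and script-security 3.
printf '%s\n' '${OVPN_USER}' '${OVPN_PASS}' > "${OVPN_LINT_DIR}/bad.auth"
chmod 0644 "${OVPN_LINT_DIR}/bad.auth"
cat << EOF > "${OVPN_LINT_DIR}/bad.conf"
client
dev tun
auth-user-pass bad.auth
script-security 3
EOF

# ovpn_lint_client CONF
# Prints one "WARN ..." line per finding and returns the number of findings,
# so 0 means the profile passed every check.  A relative credential path is
# resolved against the profile's directory (assumed working directory).
ovpn_lint_client() {
	conf="$1"
	dir="$(dirname "${conf}")"
	n=0
	auth="$(sed -n -e 's/^auth-user-pass[[:space:]][[:space:]]*//p' "${conf}" | head -n 1)"
	if [ -n "${auth}" ]; then
		case "${auth}" in (/*) ;; (*) auth="${dir}/${auth}" ;; esac
		if [ ! -f "${auth}" ]; then
			echo "WARN credential file ${auth} is missing"; n=$((n + 1))
		else
			# Anything readable by group/other exposes the provider password.
			mode="$(stat -c '%a' "${auth}")"
			case "${mode}" in
				(600|400) ;;
				(*) echo "WARN credential file mode ${mode}, expected 600"; n=$((n + 1)) ;;
			esac
			# A quoted heredoc (cat << "EOF") writes ${VAR} literally instead of its value.
			if grep -q '\${' "${auth}"; then
				echo "WARN credential file contains an unexpanded \${...} placeholder"; n=$((n + 1))
			fi
		fi
	fi
	# Without redirect-gateway only explicitly routed networks use the tunnel.
	if ! grep -q '^redirect-gateway' "${conf}"; then
		echo "WARN no redirect-gateway directive; traffic is not forced through the tunnel"; n=$((n + 1))
	fi
	# script-security 3 hands the username/password to scripts via the environment.
	ss="$(sed -n -e 's/^script-security[[:space:]][[:space:]]*//p' "${conf}" | head -n 1)"
	if [ -n "${ss}" ] && [ "${ss}" -gt 2 ]; then
		echo "WARN script-security ${ss}; level 2 is enough for up/down scripts"; n=$((n + 1))
	fi
	return "${n}"
}

# Stand-alone demo: lint both constructed profiles.
for p in good bad; do
	echo "== ${p}.conf"
	ovpn_lint_client "${OVPN_LINT_DIR}/${p}.conf" || echo "findings: $?"
done
```

The good profile produces no findings; the bad one produces four (file mode, unexpanded placeholder, missing redirect-gateway, script-security 3). The redirect-gateway finding is informational when you deliberately follow the Disable gateway redirection section, which is why the function reports findings rather than failing on the first one.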
Last modified: 2020/12/07 06:25 by vgaetera