User Tools

Site Tools


docs:guide-user:services:vpn:openvpn:multiple-vpns-to-vlans

How to Setup Multiple OpenVPN Server to Different VLANs

a humbly committed student 2019/01/19 10:31

The purpose of this wiki is to show users how to configure an OpenWrt 18.01 router to serve multiple OpenVPN Servers that connect to their own respected VLAN.

This example contains one OpenWrt router configured as the OpenVPN server and having it also generate the security certs for the client files that will be given to the end user. In this example, the Linksys WRT 3200acm router with OpenWrt 18.01 was used, tested, and validated to work. It has also worked on OpenWrt 17.01.

These procedures are primarily done on the cli on the routers config files with limited configuration via the Luci GUI. Due to me not being able to attach screenshots, I have done the configuration through the routers config files via an ssh session into the router.

Server Configs

The directories and configuration files that will be used:

  • /etc/config/firewall
  • /etc/config/network
  • /etc/config/openvpn
  • /etc/openvpn

It is recommended to be familiar with the following wiki articles to perform this task.

I primarily used the OpenVPN Basic tutorial as a guide throughout this build. However, I tried using the

create-configs.sh

script that was provided in an older version of the OpenVPN Basic tutorial, to try and create multiple vlan servers and interfaces by simply changing some of the commands to create different naming conventions, directory outputs, configs, etc. I even had problems running the

uci set

commands and ran into problems, so I went with manually editing the config files to create different OpenVPN servers and tunnel network interfaces that were desired.

Use-Case Scenario

This is a network topology for this example:

Network Topology Example

Network VLAN Configuration Breakdown

There are three VLANs created in this example. Each Network interface was added to their own specific VLAN ID with a respective VPN server configured to connect to them.

List of VLANs:

  • Private: VLAN1 (eth0.1) = Magick Mushroom, Gaming (Private network)
  • Guest: VLAN3 (eth0.3) = Slave (Guest network)
  • Tor: VLAN4 (eth0.4) = tor (annonymity network)

1. Run the following Scripts (modify/create/copy each of these scripts to match the requirements your infrastructure i.e. naming convention for each of the separate VLANs, number of VLANs you will have, the number of OpenVPN servers that is desired).

1a. This script will create a VPN Server to connect to private lan network.

01.create-certs.lan.sh

Click to see less

#!/bin/sh
 
# Installing packages
opkg update
opkg install openssl-util openvpn-openssl
 
# Creating Directory Structure
VPN_DIR="/etc/openvpn/lan"
PKI_DIR="$VPN_DIR/ssl"
 
if [ -d "$PKI_DIR" ]
then
    rm -rf "$PKI_DIR"
fi
mkdir -p "$PKI_DIR"
chmod -R 600 "$PKI_DIR"
cd "$PKI_DIR"
touch index.txt index
echo 1000 > serial
cp -f /etc/ssl/openssl.cnf "$PKI_DIR"
 
# Customizing openssl.cnf
PKI_CONF="$PKI_DIR/openssl.cnf"
 
sed -i "
                              s:\\\\:/:g
/^dir/                        s:=.*:= $PKI_DIR:
/^new_certs_dir/              s:=.*:= $PKI_DIR:
/.*Name/                      s:= match:= optional:
/organizationName_default/    s:= .*:= OG.Infraverse:
/stateOrProvinceName_default/ s:= .*:= Yorkshire:
/countryName_default/         s:= .*:= UK:
/default_days/                s:=.*:= 3650:
/default_bits/                s:=.*:= 4096:
" "$PKI_CONF"
 
cat << "EOF" >> "$PKI_CONF"
[ lanvpnserver ]
  keyUsage = digitalSignature, keyEncipherment
  extendedKeyUsage = serverAuth
 
[ lanvpnclient ]
  keyUsage = digitalSignature
  extendedKeyUsage = clientAuth
EOF
 
# Generating Server PSK and CA, Server, & Client Certs
# Generating Certifcate Authority Cert & Key
openssl req -batch -nodes -new -keyout "ca.key" -out "ca.crt" -x509 -config "$PKI_CONF" -days "3650"
# Generating Server Cert & Key
openssl req -batch -nodes -new -keyout "lanvpnserver.key" -out "lanvpnserver.csr" -subj "/CN=lanvpnserver" -config "$PKI_CONF"
# Signing Server Cert
openssl ca  -batch -keyfile "ca.key" -cert "ca.crt" -in "lanvpnserver.csr" -out "lanvpnserver.crt" -config "$PKI_CONF" -extensions "lanvpnserver"
# Generating Client Cert & Key
# PASSPHRASE MUST BE SET (4 chars minimum, 16+ chars recommended)
openssl req -batch -new -keyout "lanvpnclient.key" -out "lanvpnclient.csr" -subj "/CN=lanvpnclient" -config "$PKI_CONF"
# Signing Client Cert
openssl ca  -batch -keyfile "ca.key" -cert "ca.crt" -in "lanvpnclient.csr" -out "lanvpnclient.crt" -config "$PKI_CONF" -extensions "lanvpnclient"
 
# Generating OpenVPN TLS PSK
openvpn --genkey --secret "tc.pem"
 
# Generating Diffie-Hellman Cert
# May take a while to complete (~25m on WRT3200ACM)
openssl dhparam -out "dh.pem" 2048
 
# Correcting Permissions
chmod 600 tc.pem dh.pem ca.key lanvpnserver.key lanvpnclient.key
 
# Copying Certs & Keys to $VPN_DIR
cp tc.pem dh.pem ca.crt lanvpnserver.* lanvpnclient.* "$VPN_DIR"
 
# Returning to initial working directory
cd -
 
# Done

1b. This script will create a VPN Server to connect to guest slave network.

01.create-certs.slave.sh

Click to see less

#!/bin/sh
 
# Installing packages
#opkg update
#opkg install openssl-util openvpn-openssl
 
# Creating Directory Structure
VPN_DIR="/etc/openvpn/slave"
PKI_DIR="$VPN_DIR/ssl"
 
if [ -d "$PKI_DIR" ]
then
    rm -rf "$PKI_DIR"
fi
mkdir -p "$PKI_DIR"
chmod -R 600 "$PKI_DIR"
cd "$PKI_DIR"
touch index.txt index
echo 1000 > serial
cp -f /etc/ssl/openssl.cnf "$PKI_DIR"
 
# Customizing openssl.cnf
PKI_CONF="$PKI_DIR/openssl.cnf"
 
sed -i "
                              s:\\\\:/:g
/^dir/                        s:=.*:= $PKI_DIR:
/^new_certs_dir/              s:=.*:= $PKI_DIR:
/.*Name/                      s:= match:= optional:
/organizationName_default/    s:= .*:= slave.Infraverse:
/stateOrProvinceName_default/ s:= .*:= Yorkshire:
/countryName_default/         s:= .*:= UK:
/default_days/                s:=.*:= 3650:
/default_bits/                s:=.*:= 4096:
" "$PKI_CONF"
 
cat << "EOF" >> "$PKI_CONF"
[ slavevpnserver ]
  keyUsage = digitalSignature, keyEncipherment
  extendedKeyUsage = serverAuth
 
[ slavevpnclient ]
  keyUsage = digitalSignature
  extendedKeyUsage = clientAuth
EOF
 
# Generating Server PSK and CA, Server, & Client Certs
# Generating Certifcate Authority Cert & Key
openssl req -batch -nodes -new -keyout "ca.key" -out "ca.crt" -x509 -config "$PKI_CONF" -days "3650"
# Generating Server Cert & Key
openssl req -batch -nodes -new -keyout "slavevpnserver.key" -out "slavevpnserver.csr" -subj "/CN=slavevpnserver" -config "$PKI_CONF"
# Signing Server Cert
openssl ca  -batch -keyfile "ca.key" -cert "ca.crt" -in "slavevpnserver.csr" -out "slavevpnserver.crt" -config "$PKI_CONF" -extensions "slavevpnserver"
# Generating Client Cert & Key
# PASSPHRASE MUST BE SET (4 chars minimum, 16+ chars recommended)
openssl req -batch -new -keyout "slavevpnclient.key" -out "slavevpnclient.csr" -subj "/CN=slavevpnclient" -config "$PKI_CONF"
# Signing Client Cert
openssl ca  -batch -keyfile "ca.key" -cert "ca.crt" -in "slavevpnclient.csr" -out "slavevpnclient.crt" -config "$PKI_CONF" -extensions "slavevpnclient"
 
# Generating OpenVPN TLS PSK
openvpn --genkey --secret "tc.pem"
 
# Generating Diffie-Hellman Cert
# May take a while to complete (~25m on WRT3200ACM)
openssl dhparam -out "dh.pem" 2048
 
# Correcting Permissions
chmod 600 tc.pem dh.pem ca.key slavevpnserver.key slavevpnclient.key
 
# Copying Certs & Keys to $VPN_DIR
cp tc.pem dh.pem ca.crt slavevpnserver.* slavevpnclient.* "$VPN_DIR"
 
# Returning to initial working directory
cd -
 
# Done

1c. This script will create a VPN Server to connect to the tor network.

01.create-certs.tor.sh

Click to see less

#!/bin/sh
 
# Installing packages
#opkg update
#opkg install openssl-util openvpn-openssl
 
# Creating Directory Structure
VPN_DIR="/etc/openvpn/tor"
PKI_DIR="$VPN_DIR/ssl"
 
if [ -d "$PKI_DIR" ]
then
    rm -rf "$PKI_DIR"
fi
mkdir -p "$PKI_DIR"
chmod -R 600 "$PKI_DIR"
cd "$PKI_DIR"
touch index.txt index
echo 1000 > serial
cp -f /etc/ssl/openssl.cnf "$PKI_DIR"
 
# Customizing openssl.cnf
PKI_CONF="$PKI_DIR/openssl.cnf"
 
sed -i "
                              s:\\\\:/:g
/^dir/                        s:=.*:= $PKI_DIR:
/^new_certs_dir/              s:=.*:= $PKI_DIR:
/.*Name/                      s:= match:= optional:
/organizationName_default/    s:= .*:= tor-Infraverse:
/stateOrProvinceName_default/ s:= .*:= Yorkshire:
/countryName_default/         s:= .*:= UK:
/default_days/                s:=.*:= 3650:
/default_bits/                s:=.*:= 4096:
" "$PKI_CONF"
 
cat << "EOF" >> "$PKI_CONF"
[ torvpnserver ]
  keyUsage = digitalSignature, keyEncipherment
  extendedKeyUsage = serverAuth
 
[ torvpnclient ]
  keyUsage = digitalSignature
  extendedKeyUsage = clientAuth
EOF
 
# Generating Server PSK and CA, Server, & Client Certs
# Generating Certifcate Authority Cert & Key
openssl req -batch -nodes -new -keyout "ca.key" -out "ca.crt" -x509 -config "$PKI_CONF" -days "3650"
# Generating Server Cert & Key
openssl req -batch -nodes -new -keyout "torvpnserver.key" -out "torvpnserver.csr" -subj "/CN=torvpnserver" -config "$PKI_CONF"
# Signing Server Cert
openssl ca  -batch -keyfile "ca.key" -cert "ca.crt" -in "torvpnserver.csr" -out "torvpnserver.crt" -config "$PKI_CONF" -extensions "torvpnserver"
# Generating Client Cert & Key
# PASSPHRASE MUST BE SET (4 chars minimum, 16+ chars recommended)
openssl req -batch -new -keyout "torvpnclient.key" -out "torvpnclient.csr" -subj "/CN=torvpnclient" -config "$PKI_CONF"
# Signing Client Cert
openssl ca  -batch -keyfile "ca.key" -cert "ca.crt" -in "torvpnclient.csr" -out "torvpnclient.crt" -config "$PKI_CONF" -extensions "torvpnclient"
 
# Generating OpenVPN TLS PSK
openvpn --genkey --secret "tc.pem"
 
# Generating Diffie-Hellman Cert
# May take a while to complete (~25m on WRT3200ACM)
openssl dhparam -out "dh.pem" 2048
 
# Correcting Permissions
chmod 600 tc.pem dh.pem ca.key torvpnserver.key torvpnclient.key
 
# Copying Certs & Keys to $VPN_DIR
cp tc.pem dh.pem ca.crt torvpnserver.* torvpnclient.* "$VPN_DIR"
 
# Returning to initial working directory
cd -
 
# Done

2. Run this script to create .ovpn files for end-users

2a. This script will create the .ovpn client file for end-user to connect via VPN to private lan network.

03.create-ovpn.lan.sh

Click to see less

#!/bin/sh
 
# Obtaining server address from WAN-interface IP
source /lib/functions/network.sh
network_find_wan WAN_IF
network_get_ipaddr SERVER_ADDR "$WAN_IF"
 
# Obtaining server address from DDNS client service
SERVER_FQDN="$(uci -q get $(uci -q show ddns \
    | sed -n -e "s/^\(.*\)\.enabled='1'$/\1/p" \
    | head -n 1).lookup_host)"
if [ -n "$SERVER_FQDN" ]
then
    SERVER_ADDR="$SERVER_FQDN"
fi
 
# Setting configuration parameters
SERVER_PORT="$(uci get openvpn.lanvpn.port)"
SERVER_PROTO="$(uci get openvpn.lanvpn.proto)"
CLIENT_DEV="$(uci get openvpn.lanvpn.dev | sed -e "s/\d*$//")"
CLIENT_COMPR="$(uci get openvpn.lanvpn.compress)"
VPN_DIR="/etc/openvpn/lan"
TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "$VPN_DIR/tc.pem")"
CA_CERT="$(openssl x509 -in "$VPN_DIR/ca.crt")"
 
# Generating .ovpn-files
grep -l -e "TLS Web Client Authentication" "$VPN_DIR"/*.crt \
| sed -e "s/^.*\///;s/\.[^.]*$//" \
| while read CLIENT_ID
do
CLIENT_CERT="$(openssl x509 -in "$VPN_DIR/$CLIENT_ID.crt")"
CLIENT_KEY="$(cat "$VPN_DIR/$CLIENT_ID.key")"
CLIENT_CONF="$VPN_DIR/$CLIENT_ID.ovpn"
cat << EOF > "$CLIENT_CONF"
verb 3
nobind
dev $CLIENT_DEV
client
remote $SERVER_ADDR $SERVER_PORT $SERVER_PROTO
fast-io
compress $CLIENT_COMPR
auth-nocache
remote-cert-tls server
<tls-crypt>
$TC_KEY
</tls-crypt>
<ca>
$CA_CERT
</ca>
<cert>
$CLIENT_CERT
</cert>
<key>
$CLIENT_KEY
</key>
EOF
done
 
# Setting permissions
chmod 600 "$VPN_DIR"/*.ovpn
 
# Showing generated .ovpn-files
head -v -n -0 "$VPN_DIR"/*.ovpn
 
# Done

2b. This script will create the .ovpn client file for end-user to connect via VPN to the slave network.

03.create-ovpn.slave.sh

Click to see less

#!/bin/sh
 
# Obtaining server address from WAN-interface IP
source /lib/functions/network.sh
network_find_wan WAN_IF
network_get_ipaddr SERVER_ADDR "$WAN_IF"
 
# Obtaining server address from DDNS client service
SERVER_FQDN="$(uci -q get $(uci -q show ddns \
    | sed -n -e "s/^\(.*\)\.enabled='1'$/\1/p" \
    | head -n 1).lookup_host)"
if [ -n "$SERVER_FQDN" ]
then
    SERVER_ADDR="$SERVER_FQDN"
fi
 
# Setting configuration parameters
SERVER_PORT="$(uci get openvpn.slavevpn.port)"
SERVER_PROTO="$(uci get openvpn.slavevpn.proto)"
CLIENT_DEV="$(uci get openvpn.slavevpn.dev | sed -e "s/\d*$//")"
CLIENT_COMPR="$(uci get openvpn.slavevpn.compress)"
VPN_DIR="/etc/openvpn/slave"
TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "$VPN_DIR/tc.pem")"
CA_CERT="$(openssl x509 -in "$VPN_DIR/ca.crt")"
 
# Generating .ovpn-files
grep -l -e "TLS Web Client Authentication" "$VPN_DIR"/*.crt \
| sed -e "s/^.*\///;s/\.[^.]*$//" \
| while read CLIENT_ID
do
CLIENT_CERT="$(openssl x509 -in "$VPN_DIR/$CLIENT_ID.crt")"
CLIENT_KEY="$(cat "$VPN_DIR/$CLIENT_ID.key")"
CLIENT_CONF="$VPN_DIR/$CLIENT_ID.ovpn"
cat << EOF > "$CLIENT_CONF"
verb 3
nobind
dev $CLIENT_DEV
client
remote $SERVER_ADDR $SERVER_PORT $SERVER_PROTO
fast-io
compress $CLIENT_COMPR
auth-nocache
remote-cert-tls server
<tls-crypt>
$TC_KEY
</tls-crypt>
<ca>
$CA_CERT
</ca>
<cert>
$CLIENT_CERT
</cert>
<key>
$CLIENT_KEY
</key>
EOF
done
 
# Setting permissions
chmod 600 "$VPN_DIR"/*.ovpn
 
# Showing generated .ovpn-files
head -v -n -0 "$VPN_DIR"/*.ovpn
 
# Done

2c. This script will create the .ovpn client file for end-user to connect via VPN to the tor network.

03.create-ovpn.tor.sh

Click to see less

#!/bin/sh
 
# Obtaining server address from WAN-interface IP
source /lib/functions/network.sh
network_find_wan WAN_IF
network_get_ipaddr SERVER_ADDR "$WAN_IF"
 
# Obtaining server address from DDNS client service
SERVER_FQDN="$(uci -q get $(uci -q show ddns \
    | sed -n -e "s/^\(.*\)\.enabled='1'$/\1/p" \
    | head -n 1).lookup_host)"
if [ -n "$SERVER_FQDN" ]
then
    SERVER_ADDR="$SERVER_FQDN"
fi
 
# Setting configuration parameters
SERVER_PORT="$(uci get openvpn.torvpn.port)"
SERVER_PROTO="$(uci get openvpn.torvpn.proto)"
CLIENT_DEV="$(uci get openvpn.torvpn.dev | sed -e "s/\d*$//")"
CLIENT_COMPR="$(uci get openvpn.torvpn.compress)"
VPN_DIR="/etc/openvpn/tor"
TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "$VPN_DIR/tc.pem")"
CA_CERT="$(openssl x509 -in "$VPN_DIR/ca.crt")"
 
# Generating .ovpn-files
grep -l -e "TLS Web Client Authentication" "$VPN_DIR"/*.crt \
| sed -e "s/^.*\///;s/\.[^.]*$//" \
| while read CLIENT_ID
do
CLIENT_CERT="$(openssl x509 -in "$VPN_DIR/$CLIENT_ID.crt")"
CLIENT_KEY="$(cat "$VPN_DIR/$CLIENT_ID.key")"
CLIENT_CONF="$VPN_DIR/$CLIENT_ID.ovpn"
cat << EOF > "$CLIENT_CONF"
verb 3
nobind
dev $CLIENT_DEV
client
remote $SERVER_ADDR $SERVER_PORT $SERVER_PROTO
fast-io
compress $CLIENT_COMPR
auth-nocache
remote-cert-tls server
<tls-crypt>
$TC_KEY
</tls-crypt>
<ca>
$CA_CERT
</ca>
<cert>
$CLIENT_CERT
</cert>
<key>
$CLIENT_KEY
</key>
EOF
done
 
# Setting permissions
chmod 600 "$VPN_DIR"/*.ovpn
 
# Showing generated .ovpn-files
head -v -n -0 "$VPN_DIR"/*.ovpn
 
# Done

3. Check the contents of the /etc/openvpn directory to confirm certs and .ovpn files were cerated.

/etc/openvpn

Click to see less

root@infraverse:/etc/openvpn# ls
lan    slave  tor
root@infraverse:/etc/openvpn# ll lan
drwxr-xr-x    3 root     root           976 Jan 17 00:09 ./
drwxr-xr-x    1 root     root           352 Jan 17 00:05 ../
-rw-r--r--    1 root     root          1879 Jan 17 00:05 ca.crt
-rw-r--r--    1 root     root           424 Jan 17 00:05 dh.pem
-rw-r--r--    1 root     root          6612 Jan 17 00:05 lanvpnclient.crt
-rw-r--r--    1 root     root          1590 Jan 17 00:05 lanvpnclient.csr
-rw-r--r--    1 root     root          3394 Jan 17 00:05 lanvpnclient.key
-rw-------    1 root     root          7832 Jan 17 00:17 lanvpnclient.ovpn
-rw-r--r--    1 root     root          6630 Jan 17 00:05 lanvpnserver.crt
-rw-r--r--    1 root     root          1590 Jan 17 00:05 lanvpnserver.csr
-rw-r--r--    1 root     root          3268 Jan 17 00:05 lanvpnserver.key
drwxr-xr-x    2 root     root          1608 Jan 17 00:05 ssl/
-rw-r--r--    1 root     root           636 Jan 17 00:05 tc.pem
root@infraverse:/etc/openvpn# ll slave
drwxr-xr-x    3 root     root           976 Jan 17 00:09 ./
drwxr-xr-x    1 root     root           352 Jan 17 00:05 ../
-rw-r--r--    1 root     root          1887 Jan 17 00:05 ca.crt
-rw-r--r--    1 root     root           424 Jan 17 00:05 dh.pem
-rw-r--r--    1 root     root          6625 Jan 17 00:05 slavevpnclient.crt
-rw-r--r--    1 root     root          1590 Jan 17 00:05 slavevpnclient.csr
-rw-r--r--    1 root     root          3394 Jan 17 00:05 slavevpnclient.key
-rw-------    1 root     root          7848 Jan 17 00:19 slavevpnclient.ovpn
-rw-r--r--    1 root     root          6643 Jan 17 00:05 slavevpnserver.crt
-rw-r--r--    1 root     root          1590 Jan 17 00:05 slavevpnserver.csr
-rw-r--r--    1 root     root          3272 Jan 17 00:05 slavevpnserver.key
drwxr-xr-x    2 root     root          1608 Jan 17 00:05 ssl/
-rw-r--r--    1 root     root           636 Jan 17 00:05 tc.pem
root@infraverse:/etc/openvpn# ll tor
drwxr-xr-x    3 root     root           976 Jan 17 00:10 ./
drwxr-xr-x    1 root     root           352 Jan 17 00:05 ../
-rw-r--r--    1 root     root          1883 Jan 17 00:05 ca.crt
-rw-r--r--    1 root     root           424 Jan 17 00:05 dh.pem
drwxr-xr-x    2 root     root          1608 Jan 17 00:05 ssl/
-rw-r--r--    1 root     root           636 Jan 17 00:05 tc.pem
-rw-r--r--    1 root     root          6613 Jan 17 00:05 torvpnclient.crt
-rw-r--r--    1 root     root          1590 Jan 17 00:05 torvpnclient.csr
-rw-r--r--    1 root     root          3394 Jan 17 00:05 torvpnclient.key
-rw-------    1 root     root          7835 Jan 17 00:19 torvpnclient.ovpn
-rw-r--r--    1 root     root          6631 Jan 17 00:05 torvpnserver.crt
-rw-r--r--    1 root     root          1590 Jan 17 00:05 torvpnserver.csr
-rw-r--r--    1 root     root          3272 Jan 17 00:05 torvpnserver.key
root@infraverse:/etc/openvpn#

4. Create the following firewall rules

Be sure to confirm the firewall configurations are reflected in Luci web GUI to confirm the configurations were saved and are functioning properly

/etc/config/firewall

Click to see less

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config zone
	option name 'slave'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'slave'
	option input 'REJECT'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Slave dns'
	option src 'slave'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'slave dhcp'
	option src 'slave'

config zone
	option name 'tor'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'tor'
	option input 'ACCEPT'
	option syn_flood '1'
	option conntrack '1'

config rule
	option src 'tor'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'
	option name 'tor DHCP'

config rule
	option src 'tor'
	option proto 'tcp'
	option dest_port '9040'
	option target 'ACCEPT'
	option name 'tor transport'

config rule
	option src 'tor'
	option proto 'udp'
	option dest_port '9053'
	option target 'ACCEPT'
	option name 'tor dns'

config redirect
	option name 'Redirect-Tor-Traffic'
	option src 'tor'
	option src_dip '!10.1.1.1'
	option dest_port '9040'
	option proto 'tcp'
	option target 'DNAT'

config redirect
	option name 'Redirect-Tor-DNS'
	option src 'tor'
	option src_dport '53'
	option dest_port '9053'
	option proto 'udp'
	option target 'DNAT'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'tor'

config forwarding
	option dest 'tor'
	option src 'wan'

config forwarding
	option dest 'wan'
	option src 'slave'

5. Create the following Network configurations for each respect tunnel interfaces the VPNs will connect to.

Be sure to check the network interfaces in the Luci Web GUI to confirm and validate their create and are functioning properly

/etc/config/network

Click to see less

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdfb:7e04:aca7::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.1'
	option gateway '192.168.0.1'
	option broadcast '192.168.0.255'
	option dns '8.8.8.8'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	option hostname 'infraverse.network'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'
	option vid '2'

config interface 'slave'
	option type 'bridge'
	option proto 'static'
	option ipaddr '172.16.0.1'
	option netmask '255.255.0.0'
	option ifname 'eth0.3 radio1'
	option gateway '172.16.0.1'
	option broadcast '172.16.255.255'

config interface 'tor'
	option proto 'static'
	option ipaddr '10.1.1.1'
	option netmask '255.0.0.0'
	option type 'bridge'
	option ifname 'eth0.4'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '0t 5t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '4'
	option ports '0t 5t'

config interface 'lanvpn'
	option proto 'none'
	option ifname 'tun0'

config interface 'slavevpn'
	option proto 'none'
	option ifname 'tun1'

config interface 'torvpn'
	option proto 'none'
	option ifname 'tun2'

6. Configure the OpenVPN config file with the following configurations to match the network interfaces created in step 5. and security certificates created in steps 1.

/etc/config/openvpn

Click to see less

config openvpn 'custom_config'
	option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh1024.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option compress 'lzo'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'

config openvpn 'sample_client'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	list remote 'my_server_1 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option compress 'lzo'
	option verb '3'

config openvpn 'lanvpn'
	option enabled '1'
	option verb '11'
	option log '/var/log/openvpn/openvpn.log'
	option log_append '/var/log/openvpn/openvpn.log'
	option dev 'tun0'
	option port '1999'
	option proto 'udp'
	option server '192.168.200.0 255.255.255.0'
	option client_to_client '1'
	option compress 'lzo'
	option keepalive '10 120'
	option persist_tun '1'
	option persist_key '1'
	option dh '/etc/openvpn/lan/dh.pem'
	option tls_crypt '/etc/openvpn/lan/tc.pem'
	option ca '/etc/openvpn/lan/ca.crt'
	option cert '/etc/openvpn/lan/lanvpnserver.crt'
	option key '/etc/openvpn/lan/lanvpnserver.key'
	list push 'redirect-gateway def1'
	list push 'route 192.168.0.0 255.255.255.0'
	list push 'dhcp-option DNS 192.168.0.1'
	list push 'compress lzo'
	list push 'persist-tun'
	list push 'persist-key'
	list push 'dhcp-option DOMAIN lan'

config openvpn 'slavevpn'
	option enabled '1'
	option verb '3'
	option port '1111'
	option proto 'udp'
	option server '172.16.200.0 255.255.255.0'
	option client_to_client '1'
	option compress 'lzo'
	option keepalive '10 120'
	option persist_tun '1'
	option persist_key '1'
	option dh '/etc/openvpn/slave/dh.pem'
	option tls_crypt '/etc/openvpn/slave/tc.pem'
	option ca '/etc/openvpn/slave/ca.crt'
	option cert '/etc/openvpn/slave/slavevpnserver.crt'
	option key '/etc/openvpn/slave/slavevpnserver.key'
	list push 'redirect-gateway def1'
	list push 'route 172.16.0.0 255.255.0.0'
	list push 'dhcp-option DNS 192.168.0.1'
	list push 'compress lzo'
	list push 'persist-tun'
	list push 'persist-key'
	list push 'dhcp-option DOMAIN lan'
	option dev 'tun1'

config openvpn 'torvpn'
	option enabled '1'
	option verb '3'
	option port '666'
	option proto 'udp'
	option server '10.1.200.0 255.255.255.0'
	option client_to_client '1'
	option compress 'lzo'
	option keepalive '10 120'
	option persist_tun '1'
	option persist_key '1'
	option dh '/etc/openvpn/tor/dh.pem'
	option tls_crypt '/etc/openvpn/tor/tc.pem'
	option ca '/etc/openvpn/tor/ca.crt'
	option cert '/etc/openvpn/tor/torvpnserver.crt'
	option key '/etc/openvpn/tor/torvpnserver.key'
	list push 'redirect-gateway def1'
	list push 'route 10.1.1.0 255.0.0.0'
	list push 'dhcp-option DNS 10.1.1.1'
	list push 'compress lzo'
	list push 'persist-tun'
	list push 'persist-key'
	list push 'dhcp-option DOMAIN lan'
	option dev 'tun2'

7. reboot the router

reboot now

8. confirm openvpn is up and running

8a. check to see the openvpn process is running

ps -ef | grep -i openvpn

output

Click to see less

root@infraverse:/etc/openvpn# ps -ef | grep -i openvpn
root      2517     1  0 Feb01 ?        00:00:03 /usr/sbin/openvpn --syslog openvpn(lanvpn) --status /var/run/openvpn.lanvpn.status --cd /var/etc --config openvpn-lanvpn.conf
root      2518     1  0 Feb01 ?        00:00:02 /usr/sbin/openvpn --syslog openvpn(slavevpn) --status /var/run/openvpn.slavevpn.status --cd /var/etc --config openvpn-slavevpn.conf
root      2519     1  0 Feb01 ?        00:00:03 /usr/sbin/openvpn --syslog openvpn(torvpn) --status /var/run/openvpn.torvpn.status --cd /var/etc --config openvpn-torvpn.conf
root      4342 28774  0 00:33 pts/0    00:00:00 grep -i openvpn
root@infraverse:/etc/openvpn#

8b. check to see if openvpn created network routes

route

output

Click to see less

root@infraverse:/etc/openvpn# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         cpe-66-75-96-1. 0.0.0.0         UG    0      0        0 eth1.2
10.0.0.0        *               255.0.0.0       U     0      0        0 br-tor
10.1.200.0      10.1.200.2      255.255.255.0   UG    0      0        0 tun2
10.1.200.2      *               255.255.255.255 UH    0      0        0 tun2
66.75.96.0      *               255.255.248.0   U     0      0        0 eth1.2
172.16.0.0      *               255.255.0.0     U     0      0        0 br-slave
172.16.200.0    172.16.200.2    255.255.255.0   UG    0      0        0 tun1
172.16.200.2    *               255.255.255.255 UH    0      0        0 tun1
192.168.0.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.200.0   192.168.200.2   255.255.255.0   UG    0      0        0 tun0
192.168.200.2   *               255.255.255.255 UH    0      0        0 tun0

9. Troubleshooting: There may be times when the router reboots and the openvpn servers do not create the routes and in turn it still allows vpn clients to connect but they will not have access to network resources or the internet. Simply check if the routes are created with the

route

command mentioned in step 8b. to confirm if the routes are up. If they are not, restart the openvpn service.

service ovpn restart
docs/guide-user/services/vpn/openvpn/multiple-vpns-to-vlans.txt · Last modified: 2019/02/10 05:10 by unitelife