Show pagesourceOld revisionsBacklinksBack to top × Table of Contents OpenVPN server Introduction Goals Instructions 1. Preparation 2. Key management 3. Firewall 4. VPN service Testing Troubleshooting OpenVPN server This article relies on the following: Accessing OpenWrt CLI Managing configurations Managing packages Managing services Introduction This how-to describes the method for setting up OpenVPN server on OpenWrt. Follow OpenVPN client for client setup and OpenVPN extras for additional tuning. Goals Encrypt your internet connection to enforce security and privacy. Prevent data leak and traffic spoofing on the client side. Bypass regional restrictions using commercial providers. Escape client side content filters and internet censorship. Access your LAN services remotely without port forwarding. Instructions 1. Preparation Set up DDNS client if required. Install the packages and specify the VPN server configuration parameters. # Install packages opkg update opkg install openvpn-openssl openvpn-easy-rsa # Configuration parameters OVPN_DIR="/etc/openvpn" OVPN_PKI="/etc/easy-rsa/pki" OVPN_PORT="1194" OVPN_PROTO="udp" OVPN_POOL="192.168.8.0 255.255.255.0" OVPN_DNS="${OVPN_POOL%.* *}.1" OVPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)" # Fetch WAN IP address . /lib/functions/network.sh network_flush_cache network_find_wan NET_IF network_get_ipaddr NET_ADDR "${NET_IF}" OVPN_SERV="${NET_ADDR}" # Fetch FQDN from DDNS client NET_FQDN="$(uci -q get "$(uci -q show ddns \ | sed -n -e "/\.enabled='1'$/s//.lookup_host/p" \ | sed -n -e "1p")")" if [ -n "${NET_FQDN}" ] then OVPN_SERV="${NET_FQDN}" fi 2. Key management Use EasyRSA to manage the PKI. Utilize private key password protection if required. # Configuration parameters export EASYRSA_PKI="${OVPN_PKI}" export EASYRSA_REQ_CN="ovpnca" export EASYRSA_BATCH="1" # Remove and re-initialize the PKI directory easyrsa init-pki # Generate DH parameters easyrsa gen-dh # Create a new CA easyrsa build-ca nopass # Generate a key pair and sign locally for a server easyrsa build-server-full server nopass # Generate a key pair and sign locally for a client easyrsa build-client-full client nopass # Generate TLS PSK openvpn --genkey --secret ${OVPN_PKI}/tc.pem 3. Firewall Consider VPN network as private and assign VPN interface to LAN zone to minimize firewall setup. Allow access to VPN server from WAN zone. # Configure firewall uci rename firewall.@zone[0]="lan" uci rename firewall.@zone[1]="wan" uci del_list firewall.lan.device="tun+" uci add_list firewall.lan.device="tun+" uci -q delete firewall.ovpn uci set firewall.ovpn="rule" uci set firewall.ovpn.name="Allow-OpenVPN" uci set firewall.ovpn.src="wan" uci set firewall.ovpn.dest_port="${OVPN_PORT}" uci set firewall.ovpn.proto="${OVPN_PROTO}" uci set firewall.ovpn.target="ACCEPT" uci commit firewall /etc/init.d/firewall restart 4. VPN service Configure VPN service and generate client profiles. # Configuration parameters OVPN_DH="$(cat ${OVPN_PKI}/dh.pem)" OVPN_TC="$(sed -e "/^#/d;/^\w/N;s/\n//" ${OVPN_PKI}/tc.pem)" OVPN_CA="$(openssl x509 -in ${OVPN_PKI}/ca.crt)" NL=$'\n' # Configure VPN service and generate client profiles umask go= ls ${OVPN_PKI}/issued \ | sed -e "s/\.\w*$//" \ | while read -r OVPN_ID do OVPN_KEY="$(cat ${OVPN_PKI}/private/${OVPN_ID}.key)" OVPN_CERT="$(openssl x509 -in ${OVPN_PKI}/issued/${OVPN_ID}.crt)" OVPN_EKU="$(openssl x509 -in ${OVPN_PKI}/issued/${OVPN_ID}.crt -purpose)" OVPN_CONF_SERVER="\ user nobody group nogroup dev tun port ${OVPN_PORT} proto ${OVPN_PROTO} server ${OVPN_POOL} topology subnet client-to-client keepalive 10 60 persist-tun persist-key push \"dhcp-option DNS ${OVPN_DNS}\" push \"dhcp-option DOMAIN ${OVPN_DOMAIN}\" push \"redirect-gateway def1\" push \"persist-tun\" push \"persist-key\" <dh>${NL}${OVPN_DH}${NL}</dh>" OVPN_CONF_CLIENT="\ dev tun nobind client remote ${OVPN_SERV} ${OVPN_PORT} ${OVPN_PROTO} auth-nocache remote-cert-tls server" OVPN_CONF_COMMON="\ <tls-crypt>${NL}${OVPN_TC}${NL}</tls-crypt> <key>${NL}${OVPN_KEY}${NL}</key> <cert>${NL}${OVPN_CERT}${NL}</cert> <ca>${NL}${OVPN_CA}${NL}</ca>" case ${OVPN_EKU} in (*"SSL server : Yes"*) cat << EOF > ${OVPN_DIR}/${OVPN_ID}.conf ;; ${OVPN_CONF_SERVER} ${OVPN_CONF_COMMON} EOF (*"SSL client : Yes"*) cat << EOF > ${OVPN_DIR}/${OVPN_ID}.ovpn ;; ${OVPN_CONF_CLIENT} ${OVPN_CONF_COMMON} EOF esac done /etc/init.d/openvpn restart ls ${OVPN_DIR}/*.ovpn Perform OpenWrt backup. Extract client profiles from the archive and import them to your clients. Testing Establish the VPN connection. Verify your client traffic is routed via VPN gateway. traceroute openwrt.org traceroute6 openwrt.org Check your client public IP addresses. https://ipleak.net/ Make sure there is no DNS leak on the client side. https://dnsleaktest.com/ Delegate a public IPv6 prefix to VPN6 network to use IPv6 by default. https://ipv6-test.com/ Troubleshooting Collect and analyze the following information. # Restart services /etc/init.d/log restart; /etc/init.d/openvpn restart; sleep 10 # Log and status logread -e openvpn; netstat -l -n -p | grep -e openvpn # Runtime configuration pgrep -f -a openvpn ip address show; ip route show table all ip rule show; ip -6 rule show; iptables-save; ip6tables-save # Persistent configuration uci show network; uci show firewall; uci show openvpn head -n -0 /etc/openvpn/*.conf This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.OKMore information about cookies Last modified: 2020/11/30 07:48by vgaetera