OpenVPN Server (Comprehensive)


.
This article isn't following the Wiki contribution guide's guidelines, please help improve it.
.


  • This wiki will be broken up into several smaller wiki pages, which can then be inter-linked, as it's impractical to keep everything in this wiki without tabboxes.

  • When I format wikis, it generally takes days as I try to ensure they appear as close to the same as possible across PC and mobile browsers, so this will likely take me a few weeks to complete in its entirety.
    • Should any wish to contribute, please ensure the ToC [Table of Contents] layout is maintained in a cohesive manner and that information does not become discombobulated.
    • Many will likely find the DokuWiki wrap plugin helpful, as it's the most versatile plugin for markdown and formatting, and is used heavily throughout this wiki.

Introduction

Purpose

VPN Server Purpose

  • Provides an encrypted remote connection over the WAN to the router and the devices behind it
  • If redirect-gateway is pushed to clients, all of a client's traffic (not only traffic bound for the LAN) is carried through the encrypted tunnel

Requirements

SSL VPN Requirements

  1. Encryption [Certificates]
  2. Network [VPN Interface]
  3. Firewall [Traffic Rules]
  4. Server [Config]
  5. Clients [Config]

Editing

Editing Configs

  • OpenWrt ships BusyBox vi as its command line editor; full Vim can be installed with opkg install vim

  • If you've never used vi or Vim before, please see the Vim Tutorial
    • Save the VimRC to ~/.vimrc

Prerequisites

Prerequisites

OpenVPN Prerequisites

  1. Install packages:
    1. opkg update && opkg install openvpn-openssl luci-app-openvpn
  2. Create CA, ICA, Server, and Client certificates via the OpenSSL wiki (the file locations below assume the layout from that wiki)

File Locations

File & Folder Locations

  1. Config Locations:
    • Firewall: /etc/config/firewall
    • Network: /etc/config/network
    • OpenVPN: /etc/config/openvpn

  2. Folder Locations:
    • OpenVPN
      • CA & ICA Certs: /etc/ssl/ca/
      • CSR: /etc/ssl/ca/csr/
      • CRL: /etc/ssl/crl/
      • Client Certs: /etc/ssl/openvpn/clients/
      • Server Certs: /etc/ssl/openvpn/

Encryption

Easy-RSA's defaults make it awkward to issue certificates with the intended extensions, key sizes and intermediate CA, so this guide uses OpenSSL directly via an openssl.cnf (see the OpenSSL wiki)

Diffie-Hellman Key

  1. Generate DH parameters (executed from /etc/ssl/)
    openssl dhparam -out openvpn/dh2048.pem 2048
    • Generating DH parameters takes a long time on router-class CPUs; generating them on a workstation and copying the file over is fine, as the parameters are not secret

    • You may wish to generate 3072-bit and 4096-bit parameters as well
      • Each size is an independent search for a safe prime, so generating several at once does not make any of them faster

    • OpenVPN 2.4 added Elliptic Curve [EC] key exchange for the TLS control channel; when only ECDHE suites are enabled in tls_cipher the DH parameters are unused and dh may be set to none

TLS-Auth PSK

  1. Generate TLS-Auth key (executed from /etc/ssl/)
    openvpn --genkey --secret openvpn/tls-auth.key
    • OpenVPN 2.5 and later use the syntax openvpn --genkey secret openvpn/tls-auth.key
    • Adds an HMAC signature to every control-channel packet, on top of TLS
      • Packets without a valid HMAC are dropped before they reach the TLS stack, which defeats port scans, DoS floods and pre-authentication bugs in the TLS implementation
      • It does not provide Perfect Forward Secrecy; that comes from the (EC)DHE key exchange selected via tls_cipher

    • tls-auth requires a static Pre-Shared Key, generated in advance and shared among all clients
      • Incoming packets must carry a valid HMAC computed with the PSK
        • If the key is changed, it must be changed on all clients (there is no rollover)
      • OpenVPN 2.4 and later also offer tls-crypt, which uses the same kind of static key and additionally encrypts the control channel

Import & Backup

GnuPG is used below to encrypt backups of the CA, server and client material

Note: an OpenVPN client verifies the server against the CA given by its ca directive (or inline <ca> block) and does not consult the operating system's trust store. Installing the VPN CA into the OS or browser store (the Linux/BSD, Windows and Android steps below) is only needed if other software must trust it, and it makes every TLS client on that machine trust any certificate the CA issues, so protect the CA key accordingly.

Backup

/etc/sysupgrade.conf Backup

Create a backup:

  1. Apply correct permissions (private keys & PKCS12s 600, certificates & CRLs 644; -type f leaves the directory modes alone):
    find /etc/ssl/ca /etc/ssl/crl /etc/ssl/openvpn -type f -exec chmod 600 {} \;
    find /etc/ssl/ca /etc/ssl/crl /etc/ssl/openvpn -type f \( -name '*.crt*' -o -name '*.crl' \) -exec chmod 644 {} \;
  2. Utilize GnuPG to encrypt a copy of /etc/ssl/
  3. Create separate encrypted tars for:
    • /etc/ssl/ca/
    • /etc/ssl/openvpn/
    • /etc/ssl/openvpn/clients/

  4. After creating encrypted backups:
    1. Copy each PKCS12 to its client over an authenticated channel (scp or a USB stick, not e-mail)
    2. Remove the unencrypted client, CA & ICA keys and PKCS12s from the router
      • Overwriting free space does not reliably erase anything on flash (wear levelling, JFFS2/UBIFS), so treat deleted keys as recoverable; the robust approach is to generate the CA and client keys on a separate workstation and only ever copy the server PKCS12, DH parameters and tls-auth key to the router

  5. Add directories & files to /etc/sysupgrade.conf so they survive a firmware upgrade
    vi /etc/sysupgrade.conf
    1. Add:
        # LuCI: System - Backup/Flash Firmware - Configuration
         
            # Directories #
        #---------------------------------------------------
        /etc/config/
        /etc/openvpn/
        /etc/ssl/
         
            # Files #
        #---------------------------------------------------
        /etc/firewall.user
        /etc/sysupgrade.conf
    2. The backup archive produced by sysupgrade -b (and by LuCI's Generate archive) is a plain tarball that now contains every key under /etc/ssl/; store it with the same care as the GnuPG-encrypted copies

Linux/BSD

Linux & BSD

If utilizing Linux/BSD:

  • Due to the sheer number of distros, and differing means of handling certificate authorities, please search the web for:
    1. <your distro name> install certificate authority
    2. <your distro name> install intermediate certificate authority

Windows

Windows PEM Association.reg

If utilizing Windows:

  1. Download PEM Association.reg, then import it into the registry (Right Click -> Merge)
    • This causes Windows to associate the .pem extension with certificate files

  2. Add your CA cert to the Trusted Root Certification Authorities (user must have Administrator privileges)
    1. Right click on OpenWrt-CA.crt.pem:
    2. Install Certificate -> Local Machine -> Place all certificates in the following store -> Browse -> Trusted Root Certification Authorities

  3. Add your ICA cert to the Intermediate Certification Authorities (user must have Administrator privileges)
    1. Right click on OpenVPN-ICA.crt.pem:
    2. Install Certificate -> Local Machine -> Place all certificates in the following store -> Browse -> Intermediate Certification Authorities

Network

Interface Creation

  1. Create VPN interface
    uci set network.vpn0=interface && uci set network.vpn0.ifname=tun0 && uci set network.vpn0.proto=none && \
      uci commit network && /etc/init.d/network reload
    • On OpenWrt 21.02 and later the interface option is device rather than ifname (uci set network.vpn0.device=tun0)

Configure DDNS

DDNS Wiki

Applies to connections from WAN

  1. A DDNS hostname or your own domain name is required if your ISP does not assign you a static IP
    1. DDNS:
      • Dynamic DNS providers give you a hostname that is updated automatically to follow your current public IP
      • Offered free or as a subscription by DDNS providers; the ddns-scripts package on the router performs the updates
    2. Own domain (FQDN):
      • A Fully Qualified Domain Name such as vpn.example.com is a hostname, not a URL
      • Domains are registered through a registrar for a set period; with a static IP you point an A record at the router, otherwise you still need a DDNS-style update mechanism for it

  2. Most users will likely configure DDNS

Firewall

Create Rules

A non-standard port (not 1194) should be utilized for the VPN

Information

/etc/config/firewall Firewall Info

  1. Traffic rules should be placed in the following order
    1. Firewall.User Script
    2. Redirect Rules
    3. Router Network Default
    4. VPN Network Default
    5. VPN InterZone Forwarding
    6. VPN Traffic Rules

  2. Allowing both TCP & UDP in the rule saves editing the firewall every time the protocol is changed for troubleshooting
    1. Once the setup is stable, restrict the rule to the protocol actually configured in /etc/config/openvpn; the second accepted port is attack surface nothing uses

  3. OpenVPN should normally run over UDP
    1. Use TCP only in the following two scenarios
      1. When troubleshooting
        OR
      2. When the path only passes TCP (a proxy or firewall that allows nothing but 443), or packet loss is so high that the UDP tunnel is unusable

  4. An unprivileged port (>1024) should be utilized for the VPN
    1. If using a custom port, update VPN Server & VPN Client configs accordingly
      1. If needing to bypass a strict firewall in front of the router, utilize port 443 [HTTPS] over TCP; uhttpd (LuCI) binds 443 on all addresses by default, so restrict it to the LAN address first or OpenVPN cannot bind the port
    2. A non-standard port (i.e. not 1194) reduces firewall log noise from unauthorized connection attempts to the default OpenVPN port; it is not a security measure by itself, tls-auth is what rejects unauthorized packets

Rules

/etc/config/firewall Firewall Rules

The following rules are required:

  1. vi /etc/config/firewall
    #::: Firewall.User Rules :::#
    # LuCI: Network - Firewall - Custom Rules
    config include
        option  path            '/etc/firewall.user'
     
     
    #::: Defaults :::#
    # LuCI: Network - Firewall
    #------------------------------------------------
    config defaults
        option  input           'ACCEPT'
        option  output          'ACCEPT'
        option  forward         'DROP'
        option  syn_flood       1
        option  drop_invalid    1
     
     
    #::: Traffic Rules :::#
    # LuCI: Network - Firewall - Traffic Rules
    #------------------------------------------------
     
     
    # Allow initial VPN connection #
    #------------------------------------------------
    # LuCI: From any host in any zone To any router
    # IP at port 5000 on this device (Accept Input)
    config rule
        option  target          'ACCEPT'
        option  family          'ipv4'
        option  proto           'tcp udp'
        option  src             '*'
        option  dest_port       5000
        option  name            'Allow Forwarded VPN Request -> <device>'
     
    # Once Assigned VPN IP, Allow Inbound -> LAN #
    #------------------------------------------------
    # LuCI: From IP range 10.1.0.0/28 in vpn To IP
    # range 192.168.1.0/24 on this device (Accept Input)
    config rule
        option  target          'ACCEPT'
        option  family          'ipv4'
        option  proto           'tcp udp'
        option  src             'vpn'
        option  src_ip          '10.1.0.0/28'
        option  dest_ip         '192.168.1.0/24'
        option  name            'Allow OpenVPN -> LAN'
     
    # Once Assigned VPN IP, Allow Forwarded -> LAN #
    #------------------------------------------------
    # LuCI: From any host in vpn To any host in any
    # zone (Accept Forward)
    # dest '*' also forwards VPN clients out to wan
    # (needed for redirect-gateway); use 'lan' if
    # clients should only reach the LAN
    config rule
        option  target          'ACCEPT'
        option  family          'ipv4'
        option  proto           'tcp udp'
        option  src             'vpn'
        option  dest            '*'
        option  name            'Allow Forwarded OpenVPN -> <device>'
     
    # Allow Outbound ICMP Traffic from VPN #
    #------------------------------------------------
    # LuCI: ICMP From IP range 10.1.0.0/28 in vpn To
    # any host in lan (Accept Forward)
    config rule
        option  target          'ACCEPT'
        option  family          'ipv4'
        option  proto           'icmp'
        option  src             'vpn'
        option  src_ip          '10.1.0.0/28'
        option  dest            'lan'
        option  name            'Allow OpenVPN (ICMP) -> LAN'
     
    # Allow Outbound Ping Requests from VPN #
    #------------------------------------------------
    # LuCI: ICMP with type echo-request From IP range
    # 10.1.0.0/28 in vpn To any host in wan (Accept Forward)
    config rule
        option  target          'ACCEPT'
        option  family          'ipv4'
        option  proto           'icmp'
        list    icmp_type       'echo-request'
        option  src             'vpn'
        option  src_ip          '10.1.0.0/28'
        option  dest            'wan'
        option  name            'Allow OpenVPN (ICMP 8: echo-request) -> WAN'
     
     
    #::: Zones :::#
    # LuCI: Network - Firewall - Zones
    #------------------------------------------------
     
    # LAN #
    config zone
        option  name            'lan'
        option  network         'lan'
        option  input           'ACCEPT'
        option  output          'ACCEPT'
        option  forward         'DROP'
     
    # VPN #
    config zone
        option  name            'vpn'
        option  network         'vpn0'
        option  input           'ACCEPT'
        option  output          'ACCEPT'
        option  forward         'ACCEPT'
     
    # WAN #
    config zone
        option  name            'wan'
        option  network         'wan wan6'
        option  input           'DROP'
        option  output          'ACCEPT'
        option  forward         'DROP'
        option  masq            1
        option  mtu_fix         1
     
     
    #::: InterZone Forwarding :::#
    # LuCI: Network -> Firewall -> Zones -
    # VPN - Edit - Inter-Zone Forwarding
    #------------------------------------------------
     
    # LAN to VPN #
    config forwarding
        option  dest            'vpn'
        option  src             'lan'
     
    # LAN to WAN #
    config forwarding
        option  dest            'wan'
        option  src             'lan'
     
    # VPN to LAN #
    config forwarding
        option  dest            'lan'
        option  src             'vpn'
  2. Commit changes
    /etc/init.d/firewall restart

Logging

firewall.user Script Netfilter Log

/etc/firewall.user

The following rules are required:

  1. vi /etc/firewall.user
    #::: Traffic Rules :::#
    # LuCI: Network - Firewall - Custom Rules
     
      # These rules assume the default port 1194 is NOT used for the VPN
        # Port 5000 is used arbitrarily as the VPN port; keep it in sync with
        # /etc/config/firewall and /etc/config/openvpn
     
     
        # Create custom chains (not zones) #
    #---------------------------------------------------
    iptables    -N  LOG-VPN
    iptables    -N  Rate_Limit
     
        # Rate Limit: new connections to the VPN port are logged & accepted up to
        # 10 per minute (burst 20); anything beyond that is logged & dropped.
        # -m limit counts globally, not per source; per-source limiting needs
        # -m hashlimit (package kmod-ipt-hashlimit). --log-prefix is limited to
        # 29 characters, so the DROPPED prefix is kept short #
    #---------------------------------------------------
    iptables    -A  Rate_Limit  -p  tcp     --dport     5000    -m  limit   --limit 10/min  --limit-burst 20    -j  LOG-VPN
    iptables    -A  Rate_Limit  -p  udp     --dport     5000    -m  limit   --limit 10/min  --limit-burst 20    -j  LOG-VPN
    iptables    -A  Rate_Limit  -m  limit   --limit     5/min                                                   -j  LOG         --log-prefix    "<[[--- VPN DROPPED ---]]>: "      --log-level 4
    iptables    -A  Rate_Limit                                                                                  -j  DROP
     
        # Apply Rate Limit #
    #---------------------------------------------------
    iptables    -I  INPUT       -p  tcp     --dport     5000    -m  state   --state NEW     -j  Rate_Limit
    iptables    -I  INPUT       -p  udp     --dport     5000    -m  state   --state NEW     -j  Rate_Limit
     
        # Log VPN Traffic #
    #---------------------------------------------------
    iptables    -A  LOG-VPN                                                                 -j  LOG         --log-prefix    "<[[---  VPN Traffic ---]]> : "         --log-level 4
    iptables    -A  LOG-VPN                                                                 -j  ACCEPT
  2. Commit changes
    /etc/init.d/firewall restart
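The LOG lines above land in the kernel log, which logread shows on OpenWrt. The following is an added example, not part of the wiki page or of OpenWrt, that turns those lines into a per-source summary and flags hosts hammering the VPN port. It assumes the two log prefixes from /etc/firewall.user (the DROPPED prefix in its 29-character form) and logread's "date facility.level kernel: [uptime] message" line layout; the embedded log lines are constructed, not captured from a router. Run it with python3 on a workstation against saved logread output.

```python
"""Summarise the netfilter LOG lines produced by the /etc/firewall.user chains.

Added example, not part of the wiki page. Assumptions: the two log prefixes
below and logread's "<date> <facility.level> kernel: [<uptime>] <message>" format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

VPN_PREFIX = "<[[---  VPN Traffic ---]]> : "   # LOG-VPN chain: logged and accepted
DROP_PREFIX = "<[[--- VPN DROPPED ---]]>: "    # Rate_Limit chain: over the limit, dropped

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"kern\.\w+ kernel: (?:\[ *[\d.]+\] )?(?P<rest>.*)$"
)


def parse_line(line):
    """Return {'time','kind','src','proto','dpt'} for a VPN log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    for kind, prefix in (("accepted", VPN_PREFIX), ("dropped", DROP_PREFIX)):
        if rest.startswith(prefix):
            fields = rest[len(prefix):]
            break
    else:
        return None
    # netfilter prints KEY=VALUE pairs plus bare flags (DF, SYN ...); keep the pairs
    kv = dict(tok.split("=", 1) for tok in fields.split() if "=" in tok)
    return {
        "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "kind": kind,
        "src": kv.get("SRC"),
        "proto": kv.get("PROTO"),
        "dpt": int(kv["DPT"]) if "DPT" in kv else None,
    }


def summarise(lines, threshold=5, window=timedelta(seconds=60)):
    """Per-source counts, plus the sources that hit the VPN port at least
    `threshold` times inside any `window` (a crude scanner / brute-force flag)."""
    per_src = defaultdict(lambda: {"accepted": 0, "dropped": 0, "times": []})
    for line in lines:
        ev = parse_line(line)
        if ev and ev["src"]:
            per_src[ev["src"]][ev["kind"]] += 1
            per_src[ev["src"]]["times"].append(ev["time"])
    suspicious = []
    for src, entry in per_src.items():
        times = sorted(entry["times"])
        if any(sum(1 for t in times[i:] if t - t0 <= window) >= threshold
               for i, t0 in enumerate(times)):
            suspicious.append(src)
    return {
        "accepted": {s: e["accepted"] for s, e in per_src.items()},
        "dropped": {s: e["dropped"] for s, e in per_src.items()},
        "suspicious": sorted(suspicious),
    }


_MAC = "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00"
SAMPLE_LOG = [
    # constructed: one legitimate client handshake
    f"Thu Oct 20 13:36:01 2016 kern.warn kernel: [  912.100000] {VPN_PREFIX}IN=eth0 OUT= {_MAC} "
    "SRC=198.51.100.42 DST=203.0.113.1 LEN=62 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=1194 DPT=5000 LEN=42",
    # constructed: a scanner probing the VPN port six times in 20 seconds (still within the limit)
    *(f"Thu Oct 20 13:37:{s:02d} 2016 kern.warn kernel: [  970.{s:06d}] {VPN_PREFIX}IN=eth0 OUT= {_MAC} "
      f"SRC=192.0.2.9 DST=203.0.113.1 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=4{s:04d} DPT=5000 WINDOW=1024 RES=0x00 SYN URGP=0"
      for s in range(0, 24, 4)),
    # constructed: two probes that exceeded the limit
    *(f"Thu Oct 20 13:37:{s} 2016 kern.warn kernel: [ 1000.000000] {DROP_PREFIX}IN=eth0 OUT= {_MAC} "
      f"SRC=192.0.2.9 DST=203.0.113.1 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=41{s} DPT=5000 WINDOW=1024 RES=0x00 SYN URGP=0"
      for s in (30, 31)),
    # unrelated line that must be ignored
    "Thu Oct 20 13:38:00 2016 daemon.notice netifd: wan (1234): udhcpc: sending renew",
]

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

With the default threshold of five hits per minute the scanner at 192.0.2.9 is flagged while the single legitimate connection is not; tune threshold and window to how often your own clients reconnect.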

VPN Server

Config

It's strongly encouraged to read through the OpenVPN HowTo & Man Page

Information

/etc/config/openvpn OpenVPN Information

  • The OpenVPN HowTo & Man Page document every option available for the Server & Client configs

    • This configuration has been tuned for throughput via MTU & buffer settings
      • The client configs below pair tun-mtu 48000 with mssfix 0 and fragment 0, so each tunnel packet leaves as one large UDP datagram that the IP layer splits into ~33 fragments; losing any one fragment loses the whole packet, so measure it on your link and fall back to the defaults (tun-mtu 1500, mssfix 1450) if throughput or stability is worse
      • DNS primary & secondary pushed to clients are OpenDNS'
      • NTP is taken from NIST (time-c) and can be changed to your NTP server of choice
        • An NTP source should be specified (it doesn't need to be NIST): certificate validation checks the validity dates, so a client or router whose clock is far off (routers without a battery-backed clock boot in 1970) fails the TLS handshake; accuracy to within a few minutes is enough

    • CCD directives (under Client Config) are commented out; read the OpenVPN HowTo to understand how they are used
      • ccd_exclusive adds an extra layer of protection: only clients whose CN has a CCD file may connect, even if they present a valid client cert

    • Two or more servers can be run from this config file
      • To add another server, copy the first section directly below itself with a blank line separating the two, then give it a different section name, port, dev (tun1) and server subnet


  • OpenVPN 2.4 added Elliptic-Curve [EC] support for the TLS control channel

    • ECDHE key exchange is much cheaper than finite-field DHE at the same security level, so handshakes are faster and the dh parameters become optional; data-channel throughput is set by cipher and auth, not by tls_cipher

    • OpenVPN limits each option parameter (and each config line) to 256 characters, which caps the length of tls_cipher
      • Cipher suites are listed in order of preference, strongest first
      • Suites to disable are listed at the end with an ! in front
      • Suites named TLS-ECDH-* or TLS-RSA-* use static key exchange and give no forward secrecy; leave them out

    • Cipher suites must be supported by both server & clients
      • Control-channel suites, in the names tls_cipher accepts:
        openvpn --show-tls
      • Data-channel ciphers, in the names cipher accepts:
        openvpn --show-ciphers
      • The same suites in OpenSSL's naming:
        openssl ciphers -V
        • For Windows client:
          openssl ciphers -V | findstr /R TLS
    • 64-bit CPUs process SHA-512 faster than SHA-256 (it works on 64-bit words), while 32-bit CPUs (most routers: MIPS, ARMv7) are faster with SHA-256
      • The router is usually the slower side, so benchmark there and set the same auth on server & clients
        • Verify SHA256 speed:
          openssl speed sha256
        • Verify SHA512 speed:
          openssl speed sha512

Config

/etc/config/openvpn OpenVPN Server Config

  1. Create config:
    echo > /etc/config/openvpn && vi /etc/config/openvpn
    1. Paste the following & edit accordingly
      config openvpn 'VPNserver'
          option  enabled             1
       
          # Protocol #
      #------------------------------------------------
          # 'tun0' already implies a tun device; listing dev twice only keeps the last value
          option  dev                 'tun0'
          option  topology            'subnet'
          option  proto               'udp'
          option  port                5000
       
          # Routes # 
      #------------------------------------------------
          # 'server' expands to ifconfig 10.1.0.1/28 plus the client pool 10.1.0.2-10.1.0.13
          option  server              '10.1.0.0 255.255.255.240'
       
          # Pushed Routes # 
      #------------------------------------------------
          list    push                'route 192.168.1.0 255.255.255.0'
          list    push                'dhcp-option    DNS 192.168.1.1'
          list    push                'dhcp-option    WINS 192.168.1.1'
          list    push                'dhcp-option    DNS 208.67.222.123'
          list    push                'dhcp-option    DNS 208.67.220.123'
          list    push                'dhcp-option    NTP 129.6.15.30'
       
          # Client Config # 
      #------------------------------------------------
          #   option  ccd_exclusive           1
          #   option  ifconfig_pool_persist   '/etc/openvpn/clients/ipp.txt 0'
          #   option  client_config_dir       '/etc/openvpn/clients/'
       
          # Encryption # 
      #------------------------------------------------
          # Diffie-Hellman (unused, and may be 'none', on 2.4+ when only ECDHE suites are enabled):
          option  dh                  '/etc/ssl/openvpn/dh2048.pem'
       
          # PKCS12 (CA chain + server cert + server key; the CA in it is what verifies clients):
          option  pkcs12              '/etc/ssl/openvpn/vpn-server.p12'
       
          # Refuse clients that present a server certificate (EKU must be clientAuth):
          option  remote_cert_tls     'client'
       
          # Revocation: without crl_verify a revoked client cert is still accepted.
          # Enable once a CRL has been generated per the OpenSSL wiki:
          #   option  crl_verify          '/etc/ssl/crl/<crl-file>.pem'
       
          # Data channel (2.4+ peers negotiate AES-256-GCM via ncp-ciphers and ignore 'cipher'):
          option  cipher              'AES-128-CBC'
          option  auth                'SHA512'
          option  tls_auth            '/etc/ssl/openvpn/tls-auth.key 0'
       
          # TLS control channel (ECDHE/DHE only; the static TLS-ECDH-* suites give no forward secrecy):
          option  tls_server          1
          option  tls_version_min     1.2
          option  tls_cipher          'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'
       
          # Logging # 
      #------------------------------------------------
          option  log_append          '/tmp/openvpn.log'
          option  status              '/tmp/openvpn-status.log'
          option  verb                4
       
          # Connection Options # 
      #------------------------------------------------
          option  keepalive           '10 120'
          # 'compress' needs OpenVPN 2.4+ (2.3 only knows comp_lzo) and must match the clients.
          # Compressing tunnelled traffic exposes it to compression-oracle attacks and OpenVPN
          # now discourages it; remove this on both sides unless the bandwidth gain matters.
          option  compress            'lz4'
       
          # Connection Reliability # 
      #------------------------------------------------
          # client_to_client passes traffic between clients inside OpenVPN, bypassing the
          # firewall; remove it if clients should be isolated from each other
          option  client_to_client    1
          option  persist_key         1
          option  persist_tun         1
       
          # Connection Speed # 
      #------------------------------------------------
          # the kernel caps these at net.core.rmem_max / wmem_max (see 'Socket Buffers' in the log)
          option  sndbuf              393216
          option  rcvbuf              393216
       
          # Pushed Buffers # 
      #------------------------------------------------
          list    push                'sndbuf 393216'
          list    push                'rcvbuf 393216'
       
          # Permissions # 
      #------------------------------------------------
          # drop root after start-up; persist_key / persist_tun keep restarts working afterwards
          option  user                'nobody'
          option  group               'nogroup'
       
       
          # chroot #
      #------------------------------------------------
          # chroot should be utilized in case the VPN is ever exploited; however, most commercial
          # routers don't have internal flash storage large enough to support it.  An OpenVPN 
          # chroot would be ~11MB in size.
       
              # Modify if chroot is configured #
          #--------------------------------------------
              # option  chroot                    '/var/chroot-openvpn'
              # option  ccd_exclusive             1
              # option  ifconfig_pool_persist     '/var/chroot-openvpn/etc/openvpn/clients/ipp.txt 0'
              # option  client_config_dir         '/var/chroot-openvpn/etc/openvpn/clients'
       
              # option  cipher                    'AES-128-CBC'
              # option  dh                        '/var/chroot-openvpn/etc/ssl/openvpn/dh2048.pem'
              # option  pkcs12                    '/var/chroot-openvpn/etc/ssl/openvpn/vpn-server.p12'
              # option  tls_auth                  '/var/chroot-openvpn/etc/ssl/openvpn/tls-auth.key 0'
  2. Commit changes
    cd /etc/init.d && ./openvpn enable && ./openvpn start && sleep 2 && cat /tmp/openvpn.log
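As an added example (not from the wiki or the OpenWrt project), the script below parses a UCI openvpn section like the one above and reports the hardening points this section discusses: tls_auth present, TLS 1.2 minimum, privilege drop, forward-secret tls_cipher suites, data-channel cipher and HMAC strength, compression, crl_verify and client_to_client. The embedded configs are constructed: a trimmed copy of the section above, a bare-bones section that relies on OpenVPN 2.3/2.4 defaults, and a hardened variant whose CRL file name is a placeholder. Run it with python3 against a copy of /etc/config/openvpn taken off the router.

```python
"""Audit /etc/config/openvpn server sections for the hardening points above.

Added example, not part of the wiki page or of OpenWrt. It understands only
the UCI subset used in that file (config / option / list, # comment lines).
"""
import re
import shlex

SECTION_RE = re.compile(r"^config\s+(\w+)(?:\s+'?([\w.-]+)'?)?$")
OPTION_RE = re.compile(r"^(option|list)\s+(\w+)\s+(.+)$")
WEAK_DATA_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
WEAK_HMACS = {"MD5", "SHA1", "NONE"}


def parse_uci(text):
    """[{'type','name','options': {key: [values]}}]; 'option' keeps the last
    value, 'list' accumulates, '#' lines are skipped."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append({"type": m.group(1), "name": m.group(2), "options": {}})
            continue
        m = OPTION_RE.match(line)
        if m and sections:
            kind, key, value = m.groups()
            value = " ".join(shlex.split(value))      # drop the UCI quoting
            opts = sections[-1]["options"]
            if kind == "list":
                opts.setdefault(key, []).append(value)
            else:
                opts[key] = [value]
    return sections


def audit_server(section):
    """Findings for one server section; [] means every check passed.
    Defaults mirror OpenVPN 2.3/2.4: BF-CBC, SHA1, TLS 1.0, running as root."""
    opts = section["options"]

    def first(key, default=None):
        return opts[key][0] if key in opts else default

    f = []
    if "tls_auth" not in opts and "tls_crypt" not in opts:
        f.append("no tls_auth/tls_crypt: unauthenticated packets reach the TLS stack")
    if float(first("tls_version_min", "1.0")) < 1.2:
        f.append("tls_version_min below 1.2")
    if first("user", "root") == "root" or first("group", "root") == "root":
        f.append("daemon keeps root privileges: set user/group to an unprivileged account")
    for suite in first("tls_cipher", "").split(":"):
        if suite.startswith(("TLS-ECDH-", "TLS-DH-", "TLS-RSA-")):
            f.append(f"tls_cipher suite {suite} uses static key exchange (no forward secrecy)")
    cipher = first("cipher", "BF-CBC (default)")
    if cipher.split()[0].upper() in WEAK_DATA_CIPHERS:
        f.append(f"weak data-channel cipher {cipher}")
    auth = first("auth", "SHA1 (default)")
    if auth.split()[0].upper() in WEAK_HMACS:
        f.append(f"weak HMAC {auth}")
    if "compress" in opts or "comp_lzo" in opts:
        f.append("compression enabled: tunnelled traffic becomes a compression-oracle target")
    if "crl_verify" not in opts:
        f.append("no crl_verify: revoked client certificates are still accepted")
    if first("client_to_client") == "1":
        f.append("client_to_client: clients reach each other without passing the firewall")
    return f


def audit_text(text):
    """{section name: findings} for every 'config openvpn' section in a UCI file."""
    return {s["name"]: audit_server(s) for s in parse_uci(text) if s["type"] == "openvpn"}


# Constructed sample: the wiki section above, trimmed to the options the audit reads
PAGE_CONFIG = """\
config openvpn 'VPNserver'
    option  enabled             1
    option  dev                 'tun0'
    option  server              '10.1.0.0 255.255.255.240'
    list    push                'route 192.168.1.0 255.255.255.0'
    option  pkcs12              '/etc/ssl/openvpn/vpn-server.p12'
    option  cipher              'AES-128-CBC'
    option  auth                'SHA512'
    option  tls_auth            '/etc/ssl/openvpn/tls-auth.key 0'
    option  tls_version_min     1.2
    option  tls_cipher          'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:!aNULL'
    option  compress            'lz4'
    option  client_to_client    1
    option  user                'nobody'
    option  group               'nogroup'
"""
# Constructed sample: a bare section that leaves everything at OpenVPN's defaults
WEAK_CONFIG = """\
config openvpn 'quick'
    option  enabled             1
    option  server              '10.8.0.0 255.255.255.0'
    option  pkcs12              '/etc/ssl/openvpn/vpn-server.p12'
"""
# Constructed sample: the four findings of PAGE_CONFIG addressed (CRL file name is a placeholder)
HARDENED_CONFIG = """\
config openvpn 'VPNserver'
    option  tls_auth            '/etc/ssl/openvpn/tls-auth.key 0'
    option  tls_version_min     1.2
    option  tls_cipher          'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:!aNULL'
    option  cipher              'AES-256-GCM'
    option  auth                'SHA512'
    option  crl_verify          '/etc/ssl/crl/openvpn.crl.pem'
    option  user                'nobody'
    option  group               'nogroup'
"""

if __name__ == "__main__":
    for label, cfg in (("page", PAGE_CONFIG), ("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_text(cfg))
```

The checks deliberately treat a missing option as OpenVPN's default rather than as unknown, which is how the daemon itself behaves; an empty findings list for a section means only that these particular checks passed.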

CCD

/etc/openvpn/clients OpenVPN Server CCD Config

  1. Enable CCD within Server config:
    1. vi /etc/config/openvpn
         option  ccd_exclusive           1
         option  ifconfig_pool_persist   '/etc/openvpn/clients/ipp.txt 0'
         option  client_config_dir       '/etc/openvpn/clients/'
      • client_config_dir: enables CCD; the directory housing one file per client
      • ccd_exclusive: refuse any client that has no CCD file (without it, clients without a file still connect and receive a pool address)
      • ifconfig_pool_persist: file mapping common names to addresses; OpenVPN normally writes it itself, and the trailing 0 makes it read-only so a hand-written file is neither overwritten nor required to be writable by user nobody
      • CCD files are read when a client connects, after OpenVPN has dropped to user nobody, so the directory and its files must be readable by that user (never keep keys in it)

  2. Configure CCD files
    1. For each VPN client, a file must be created whose name is the client cert's common name as OpenVPN sees it
      1. OpenVPN 2.3 by default replaces every character outside A-Z a-z 0-9 _ - . @ / in the CN with _ (and / is never allowed in the file name); 2.4 and later keep printable characters, so a CN containing spaces or parentheses gets a different file name depending on the version
      2. Simplest is to issue client certs with CNs that only use letters, digits and _ - . @ (e.g. vpn-client1), so the file name and the CN are identical everywhere
      3. File should contain an ifconfig-push directive assigning a static IP to the client
        1. Client Certificate CN: John Doe (OpenWrt VPNserver Client)
        2. Client File: /etc/openvpn/clients/John_Doe__OpenWrt_VPNserver_Client_ on 2.3, /etc/openvpn/clients/John Doe (OpenWrt VPNserver Client) on 2.4+
        3. File contents: ifconfig-push 10.1.0.6 255.255.255.240

  3. Configure IPP file
    1. One per line, each VPN client's CN (in the same form as its CCD file name), followed by its static IP
      1. IPP File: /etc/openvpn/clients/ipp.txt
      2. File contents (2.3 form): John_Doe__OpenWrt_VPNserver_Client_,10.1.0.6

  4. Start/Restart OpenVPN
    1. Connect with each client to test
      cd /etc/init.d && ./openvpn stop && ./openvpn start && tail -f /tmp/openvpn.log
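The CCD procedure above is mechanical and easy to get wrong by hand (a mistyped file name silently falls back to the pool, or is refused with ccd_exclusive). The following is an added example, not part of the wiki page or of OpenVPN, that derives the CCD file names and ipp.txt from a CN-to-address map and refuses addresses outside the VPN subnet or CNs that OpenVPN would rename. The remapping rules in ccd_filename() are this example's reading of OpenVPN's behaviour (2.3 default versus 2.4 and later) and are stated as an assumption; the sample clients are constructed, with the spaced CN taken from the text above. Run it with python3 on a workstation and copy the resulting directory to /etc/openvpn/clients/ on the router.

```python
"""Generate client-config-dir files and ipp.txt from certificate common names.

Added example, not part of the wiki page or of OpenVPN. The name-remapping
rules in ccd_filename() are an assumption about OpenVPN's behaviour; CNs built
only from letters, digits, '_', '-', '.' and '@' give the same name either way.
"""
import ipaddress
import os
import re

_PORTABLE = re.compile(r"[^A-Za-z0-9_.@-]")     # unchanged on every version and filesystem
_COMPAT_2_3 = re.compile(r"[^A-Za-z0-9_.@/-]")  # class kept by the 2.3 default (--compat-names)


def ccd_filename(cn, compat_names=False):
    """Name OpenVPN looks up under client-config-dir for certificate CN `cn`.

    compat_names=True models OpenVPN 2.3 (everything outside _COMPAT_2_3 -> '_');
    False models 2.4+, which keeps printable ASCII. Both replace '/' because a
    path separator is never allowed in the looked-up file name.
    """
    if compat_names:
        name = _COMPAT_2_3.sub("_", cn)
    else:
        name = "".join(c if 0x20 <= ord(c) <= 0x7E else "_" for c in cn)
    return name.replace("/", "_")


def is_portable_cn(cn):
    """True if OpenVPN will use `cn` verbatim as the CCD file name on any version."""
    return bool(cn) and _PORTABLE.search(cn) is None


def ccd_entries(clients, server_net="10.1.0.0/28", strict=True, compat_names=False):
    """Return ({file_name: contents}, ipp_text) for {cn: static_ip}.

    strict=True rejects CNs that OpenVPN would rename, so file name == CN.
    Addresses must be usable hosts of the server subnet (network, broadcast
    and the server's own first address are refused) and must not repeat.
    """
    net = ipaddress.ip_network(server_net)
    reserved = (net.network_address, net.broadcast_address, net.network_address + 1)
    files, ipp, used = {}, [], {}
    for cn, ip in clients.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net or addr in reserved:
            raise ValueError(f"{cn}: {addr} is not a usable client address in {net}")
        if addr in used:
            raise ValueError(f"{cn}: {addr} is already assigned to {used[addr]}")
        if strict and not is_portable_cn(cn):
            raise ValueError(f"{cn!r}: OpenVPN would remap this CN; reissue the cert with portable characters")
        name = ccd_filename(cn, compat_names)
        if name in files:
            raise ValueError(f"{cn!r}: remaps to {name!r}, which another CN already uses")
        used[addr] = cn
        files[name] = f"ifconfig-push {addr} {net.netmask}\n"
        ipp.append(f"{name},{addr}")   # ipp.txt is keyed by the same (remapped) name
    return files, "\n".join(ipp) + "\n"


def check(clients, **kw):
    """None if ccd_entries() accepts the mapping, otherwise the error text."""
    try:
        ccd_entries(clients, **kw)
    except ValueError as exc:
        return str(exc)
    return None


def write_ccd(directory, files, ipp_text):
    """Write everything world-readable: OpenVPN opens CCD files at connect time,
    after it has already dropped to user 'nobody' (keys never belong here)."""
    os.makedirs(directory, mode=0o755, exist_ok=True)
    for name, text in list(files.items()) + [("ipp.txt", ipp_text)]:
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, 0o644)


# Constructed sample: the CN with spaces is the one used in the wiki text above
SAMPLE_CLIENTS = {"vpn-client1": "10.1.0.5", "John Doe (OpenWrt VPNserver Client)": "10.1.0.6"}

if __name__ == "__main__":
    files, ipp = ccd_entries(SAMPLE_CLIENTS, strict=False, compat_names=True)
    write_ccd("./clients", files, ipp)   # the wiki uses /etc/openvpn/clients/ on the router
    print(sorted(files), ipp, sep="\n")
```

With strict=True (the default) the spaced CN from the wiki is rejected outright, which is the behaviour you want when issuing new certificates; strict=False with compat_names=True reproduces the 2.3-style file name for certificates that already exist.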

Log Output

CCD Disabled

/tmp/openvpn.log Log Output w/o CCD Enabled

Note: these captures come from an instance started with proto tcp and tun-mtu 48000 (see "Listening for incoming TCP connection" and "mtu 48000"), so the lines differ slightly from the UDP config above; either way, check for the tls-auth line, "UID set to nobody" and "Initialization Sequence Completed"

root@OpenWrt ~ # cat /tmp/openvpn.log
Thu Oct 20 13:35:00 2016 us=668816 OpenVPN 2.3.11 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Thu Oct 20 13:35:00 2016 us=668891 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Thu Oct 20 13:35:00 2016 us=669836 Diffie-Hellman initialized with 2048 bit key
Thu Oct 20 13:35:00 2016 us=705181 Control Channel Authentication: using '/etc/ssl/openvpn/tls-auth.key' as a OpenVPN static key file
Thu Oct 20 13:35:00 2016 us=705286 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:00 2016 us=705351 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:00 2016 us=705387 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
Thu Oct 20 13:35:00 2016 us=705489 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 72 bytes
Thu Oct 20 13:35:00 2016 us=705535 TLS-Auth MTU parms [ L:48104 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Thu Oct 20 13:35:00 2016 us=705589 Socket Buffers: R=[87380->327680] S=[16384->327680]
Thu Oct 20 13:35:00 2016 us=706121 TUN/TAP device tun0 opened
Thu Oct 20 13:35:00 2016 us=706200 TUN/TAP TX queue length set to 100
Thu Oct 20 13:35:00 2016 us=706254 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Oct 20 13:35:00 2016 us=706327 /sbin/ip link set dev tun0 up mtu 48000
Thu Oct 20 13:35:00 2016 us=708260 /sbin/ip addr add dev tun0 10.1.0.1/28 broadcast 10.1.0.15
Thu Oct 20 13:35:00 2016 us=713288 Data Channel MTU parms [ L:48104 D:48104 EF:104 EB:143 ET:0 EL:3 AF:3/1 ]
Thu Oct 20 13:35:00 2016 us=713438 GID set to nogroup
Thu Oct 20 13:35:00 2016 us=713500 UID set to nobody
Thu Oct 20 13:35:00 2016 us=713746 Listening for incoming TCP connection on [undef]
Thu Oct 20 13:35:00 2016 us=713811 TCPv4_SERVER link local (bound): [undef]
Thu Oct 20 13:35:00 2016 us=713857 TCPv4_SERVER link remote: [undef]
Thu Oct 20 13:35:00 2016 us=713922 MULTI: multi_init called, r=256 v=256
Thu Oct 20 13:35:00 2016 us=714000 IFCONFIG POOL: base=10.1.0.2 size=12, ipv6=0
Thu Oct 20 13:35:00 2016 us=714070 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Oct 20 13:35:00 2016 us=714678 Initialization Sequence Completed

CCD Enabled

/tmp/openvpn.log Log Output w/ CCD Enabled

root@OpenWrt ~ # cat /tmp/openvpn.log
Thu Oct 20 13:35:30 2016 us=653309 OpenVPN 2.3.11 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key
Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication: using '/etc/ssl/openvpn/tls-auth.key' as a OpenVPN static key file
Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:30 2016 us=706722 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
Thu Oct 20 13:35:30 2016 us=706760 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 72 bytes
Thu Oct 20 13:35:30 2016 us=706804 TLS-Auth MTU parms [ L:48104 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Thu Oct 20 13:35:30 2016 us=706857 Socket Buffers: R=[87380->327680] S=[16384->327680]
Thu Oct 20 13:35:30 2016 us=707392 TUN/TAP device tun0 opened
Thu Oct 20 13:35:30 2016 us=707465 TUN/TAP TX queue length set to 100
Thu Oct 20 13:35:30 2016 us=707517 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Oct 20 13:35:30 2016 us=707587 /sbin/ip link set dev tun0 up mtu 48000
Thu Oct 20 13:35:30 2016 us=709190 /sbin/ip addr add dev tun0 10.1.0.1/28 broadcast 10.1.0.15
Thu Oct 20 13:35:30 2016 us=714514 Data Channel MTU parms [ L:48104 D:48104 EF:104 EB:143 ET:0 EL:3 AF:3/1 ]
Thu Oct 20 13:35:30 2016 us=714630 GID set to nogroup
Thu Oct 20 13:35:30 2016 us=714680 UID set to nobody
Thu Oct 20 13:35:30 2016 us=714859 Listening for incoming TCP connection on [undef]
Thu Oct 20 13:35:30 2016 us=714908 TCPv4_SERVER link local (bound): [undef]
Thu Oct 20 13:35:30 2016 us=714945 TCPv4_SERVER link remote: [undef]
Thu Oct 20 13:35:30 2016 us=714986 MULTI: multi_init called, r=256 v=256
Thu Oct 20 13:35:30 2016 us=715050 IFCONFIG POOL: base=10.1.0.2 size=12, ipv6=0
Thu Oct 20 13:35:30 2016 us=715095 ifconfig_pool_read(), in='vpn-client1-foobar1-device1,10.1.0.5', TODO: IPv6
Thu Oct 20 13:35:30 2016 us=715138 succeeded -> ifconfig_pool_set()
Thu Oct 20 13:35:30 2016 us=715176 ifconfig_pool_read(), in='John Doe (OpenWrt VPNserver Client),10.1.0.6', TODO: IPv6
Thu Oct 20 13:35:30 2016 us=715213 succeeded -> ifconfig_pool_set()
Thu Oct 20 13:35:30 2016 us=715249 IFCONFIG POOL LIST
Thu Oct 20 13:35:30 2016 us=715287 vpn-client1,10.1.0.5
Thu Oct 20 13:35:30 2016 us=715331 John Doe (OpenWrt VPNserver Client),10.1.0.6
Thu Oct 20 13:35:30 2016 us=715428 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Oct 20 13:35:30 2016 us=715971 Initialization Sequence Completed

VPN Clients

The server's tls-auth.key contents go inside the <tls-auth> inline block of every client config with key-direction 1 (the server uses direction 0); it is the same static key on all clients

Android

Information

OpenVPN for Android Android Client Information

For compatibility with exFAT, the Android sdcard mount presents files with a fixed 771-style permission layout that cannot be changed
It's imperative, for the security of the VPN, to ensure the client's private key is stored encrypted as specified under Client Certs, since anything on the sdcard is readable by every app with storage permission

  • OpenVPN for Android is the client used in this guide

  • PKCS12 certs are installed into the Android Keychain
    • As a security feature, a persistent "network may be monitored" warning appears in the notification area whenever user-installed CA certs are present
      • This warning can be removed on a rooted device by following the Toast Removal tutorial

    • Another option is to include all certs & keys via inline blocks within the client config file
      • Regardless of whether certs are referenced inline or not, the final generated config inlines all certs

  • If you choose to reference the tls-auth.key file instead of inlining it
    1. Remove:
          # Encryption #
      #------------------------------------------------
      key-direction 1
       
      <tls-auth>
      -----BEGIN OpenVPN Static key V1-----
      #PASTED-KEY-INLINE-HERE#
      -----END OpenVPN Static key V1-----
      </tls-auth>
    2. Add (the direction is a second argument, so it must not be inside quotes):
          # Encryption #
      #------------------------------------------------
      tls-auth    /path/to/tls-auth.key 1
  • Some Android devices are not able to utilize certain tuning options
    • Option: fragment 0
      • This must be removed from the client and server configs for the following:
        • OnePlusOne devices
          • Affected: At least certain Android 6 (Marshmallow) custom ROMs

  • Some Android devices are not able to convert PKCS12 certs to x509 certs
    • If your device is affected, reference the individual certs in your Client Config instead of the PKCS12
      1. Add:
            # Encryption #
        #------------------------------------------------
        ca      /sdcard/openvpn/OpenWrt-OpenVPN_ICA-Chain.crt.pem
        cert    /sdcard/openvpn/vpn-client1.crt.pem
        key     /sdcard/openvpn/vpn-client1.key.pem

Config

/sdcard/OpenVPN/OpenWrt/VPNserver.ovpn Android Client Config

    # Config Type #
#------------------------------------------------
client
 
    # Connection  #
#------------------------------------------------
dev tun
proto udp
remote your.ddns.com 5000
 
    # Speed #
#------------------------------------------------
mssfix 0
fragment 0
tun-mtu 48000
 
    # Reliability #
#------------------------------------------------
float
nobind
compress lz4
 
persist-key
persist-tun
resolv-retry infinite
 
    # Encryption #
#------------------------------------------------
auth SHA512
auth-nocache
 
# --- SSL --- #
cipher AES-128-CBC
 
# --- TLS --- #
key-direction 1
tls-version-min 1.2
 
remote-cert-eku 'TLS Web Server Authentication'
 
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTE-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>
 
    # Logging #
#------------------------------------------------
verb 5

Inline XML

Referencing certs via Inline XML

  1. Remove:
        # Encryption #
    #------------------------------------------------
    ca        '/sdcard/openvpn/OpenWrt-OpenVPN_ICA-Chain.crt.pem'
    cert      '/sdcard/openvpn/vpn-client1.crt.pem'
    key       '/sdcard/openvpn/vpn-client1.key.pem'
    tls-auth  '/path/to/tls-auth.key 1'
  2. Add:
        # Encryption #
    #------------------------------------------------
     
    # --- TLS --- #
    key-direction 1
     
    <ca>
    #PASTE-CA-CERT-INLINE-HERE#
    </ca>
     
    <cert>
    #PASTE-VPN-SERVER-CERT-INLINE-HERE#
    </cert>
     
    <key>
    #PASTE-VPN-SERVER-KEY-INLINE-HERE#
    </key>
     
    <tls-auth>
    -----BEGIN OpenVPN Static key V1-----
    #PASTE-KEY-INLINE-HERE#
    -----END OpenVPN Static key V1-----
    </tls-auth>
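The conversion the two steps above describe, as an added shell example (not from the wiki): it rewrites the path-referencing ca/cert/key/tls-auth lines into inline blocks and turns the tls-auth direction argument into a key-direction line. The client config and the four files it points at are constructed placeholders written to a temporary directory.

```shell
#!/bin/sh
# Added example, not from the wiki: convert a client config that references
# ca/cert/key/tls-auth by path into the inline <tag>...</tag> form.
# The config and the four files it points at are constructed placeholders.
set -e
WORK=$(mktemp -d)
printf 'CA-PLACEHOLDER\n'   > "$WORK/ica-chain.crt.pem"    # constructed
printf 'CERT-PLACEHOLDER\n' > "$WORK/vpn-client1.crt.pem"  # constructed
printf 'KEY-PLACEHOLDER\n'  > "$WORK/vpn-client1.key.pem"  # constructed
printf 'TA-PLACEHOLDER\n'   > "$WORK/tls-auth.key"         # constructed
cat > "$WORK/client.ovpn" <<EOF
client
dev tun
ca        '$WORK/ica-chain.crt.pem'
cert      '$WORK/vpn-client1.crt.pem'
key       '$WORK/vpn-client1.key.pem'
tls-auth  '$WORK/tls-auth.key' 1
verb 5
EOF

# inline_certs <in.ovpn> <out.ovpn>: writes the inline version to <out.ovpn>
inline_certs() {
  in=$1; out=$2
  while IFS= read -r line || [ -n "$line" ]; do
    set -- $line                      # split directive and its arguments
    case "$1" in
      ca|cert|key|tls-auth)
        f=$(printf '%s' "$2" | tr -d "'\"")   # strip quoting around the path
        # the tls-auth direction argument cannot live inside the block,
        # so it becomes a key-direction line (as the Add: step shows)
        if [ "$1" = tls-auth ] && [ -n "$3" ]; then
          printf 'key-direction %s\n' "$3"
        fi
        printf '<%s>\n' "$1"; cat "$f"; printf '</%s>\n' "$1" ;;
      *) printf '%s\n' "$line" ;;
    esac
  done < "$in" > "$out"
}
```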

Toast Removal

CAcert Wiki PDF Certificate Warning Toast Removal

If /system/etc/security/cacerts.bks exists on your device, refer to CAcert wiki, then continue

  1. Method 1:
    1. Add certificate to Android Keychain
      1. Settings –> Security –> Install from Storage

    2. Move certificate from userland to system trusted
      1. Android < 5.0:
        1. Move new file
          1. From: /data/misc/keychain/cacertsadded/
          2. To: /system/etc/security/cacerts/

      2. Android > 5.0:
        1. Move new file
          1. From: /data/misc/user/0/cacerts-added/
          2. To: /system/etc/security/cacerts/

  2. Method 2:
    1. Save certificate with .pem extension

    2. Get the subject hash of the certificate:
      1. openssl x509 -inform PEM -noout -subject_hash -in 0b112a89.0
        1. Output should be similar to: 0b112a89

    3. Save certificate as text:
      1. openssl x509 -inform PEM -text -in 0b112a89.0 > 0b112a89.0.txt
    4. Swap PEM section and text:
      1. -----BEGIN CERTIFICATE----- must be at the top of the file

    5. Rename file: 0b112a89.0
      1. Replace with the subject hash from step 2

    6. Copy file to: /system/etc/security/cacerts/

    7. Set permissions:
      1. chmod 644 0b112a89.0
    8. Certificate should be listed under:
      1. Settings –> Security –> Trusted Credentials - System
        1. If it's still under User:
          1. Disable/Re-Enable certificate in Android Settings
            1. This creates a file in /data/misc/keychain/cacertsadded/
            2. Move that file to /system/etc/security/cacerts/
            3. Delete the original file from step 6
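Method 2 as an added script (not from the wiki): it derives the subject hash, writes the PEM block first with the text dump after it, and names the result hash.0 with mode 644. The certificate it uses is a throwaway self-signed CA generated inline as a constructed sample; substitute your own ICA certificate.

```shell
#!/bin/sh
# Added example, not from the wiki: build an Android system CA file the way
# Method 2 describes (PEM block first, text dump after it, named <hash>.0,
# mode 644). Input is a throwaway self-signed CA generated here as a
# constructed sample; substitute your own ICA certificate.
set -e
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj '/CN=Example-OpenVPN-ICA' \
  -keyout "$WORK/ca.key.pem" -out "$WORK/ca.crt.pem" 2>/dev/null

# android_cacert_file <cert.pem> <outdir>: prints the path of the file it made
android_cacert_file() {
  pem=$1; outdir=$2
  # step 2: the subject hash is the file name; -noout keeps the certificate
  # itself out of the output so only the hash is captured
  hash=$(openssl x509 -inform PEM -noout -subject_hash -in "$pem")
  out="$outdir/$hash.0"
  # steps 3-4: PEM section at the top, human-readable text below it
  openssl x509 -inform PEM -in "$pem" > "$out"
  openssl x509 -inform PEM -noout -text -in "$pem" >> "$out"
  # step 7: readable by every app, writable only by the owner
  chmod 644 "$out"
  printf '%s\n' "$out"
}
```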

BSD/Linux

Information

OpenVPN Client BSD/Linux Client Information

  • Due to the sheer number of distros & variances from one to the other, only the client config is being provided

Config

/etc/openvpn/VPNserver.conf Linux/BSD Client Config

# Config Type #
#------------------------------------------------
client
 
# Connection  #
#------------------------------------------------
dev tun
proto udp
remote your.ddns.com 5000
 
# Speed #
#------------------------------------------------
mssfix 0
fragment 0
tun-mtu 48000
 
# Reliability #
#------------------------------------------------
float
nobind
compress lz4
 
persist-key
persist-tun
resolv-retry infinite
 
# Encryption #
#------------------------------------------------
auth SHA512
auth-nocache
 
# --- SSL --- #
cipher AES-128-CBC
 
# --- TLS --- #
key-direction 1
tls-version-min 1.2
 
pkcs12 '/etc/ssl/openvpn/vpn-client1.p12'
remote-cert-eku 'TLS Web Server Authentication'
 
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTE-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>
 
# Logging #
#------------------------------------------------
verb 5

Windows

Information

OpenVPN Client Windows Client Information

  • If the PKCS12 cert isn't stored in the same directory as the ovpn config, the path to the PKCS12 cert must be referenced
    • You must use double backslashes for the path: %UserProfile%\\OpenVPN\\config\\OpenWrt\\VPN-Client1.p12

Config

%UserProfile%\OpenVPN\config\OpenWrt\VPNserver.ovpn Windows Client Config

# Config Type #
#------------------------------------------------
client
 
# Connection  #
#------------------------------------------------
dev tun
proto udp
remote your.ddns.com 5000
 
# Speed #
#------------------------------------------------
mssfix 0
fragment 0
tun-mtu 48000
 
# Reliability #
#------------------------------------------------
float
nobind
compress lz4
 
persist-key
persist-tun
resolv-retry infinite
 
# Encryption #
#------------------------------------------------
auth SHA512
auth-nocache
 
# --- SSL --- #
cipher AES-128-CBC
 
# --- TLS --- #
key-direction 1
tls-version-min 1.2
 
pkcs12 VPN-Client1.p12
remote-cert-eku "TLS Web Server Authentication"
 
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTE-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>
 
# Logging #
#------------------------------------------------
verb 5


Optional

Redirect Gateway (Same Subnet)

It's recommended to read the Gateway Redirect wiki prior to continuing

Firewall Config

/etc/config/firewall LAN & InterZone Forwarding

  1. Add:
    #::: Zones :::#
    # LuCI: Network - Firewall - Zones
     
    # Add: LAN Masquerade #
    #------------------------------------------------
    config zone
        option  name            'lan'
        option  network         'lan'
        option  input           'ACCEPT'
        option  output          'ACCEPT'
        option  forward         'DROP'
        option  masq            1
  2. Add:
    #::: InterZone Forwarding :::#
    # LuCI: Network -> Firewall -> Zones -> VPN - Edit - Inter-Zone Forwarding
     
    # Allow Forwarding VPN -> WAN #
    #------------------------------------------------
    config forwarding
        option  dest            'wan'
        option  src             'vpn'
  3. Commit changes
    /etc/init.d/firewall restart

Server Config

/etc/config/openvpn Pushed Routes

  1. Remove:
        list    push                'dhcp-option        DNS 208.67.222.123'
        list    push                'dhcp-option        DNS 208.67.220.123'
  2. Add:
        list    push                'redirect-gateway   def1 local'
        list    push                'dhcp-option        DNS 10.1.0.1'
  3. Commit changes
    /etc/init.d/openvpn restart


Troubleshooting

If asking for help in a forum, please perform the following steps to include in your initial post:

  1. Server
    1. /etc/config/openvpn:
      • verb 5
      • proto tcp
    2. /etc/config/firewall:
      • Change OpenVPN rules to proto 'tcp udp'
        cd /etc/init.d && ./firewall reload && ./openvpn restart
  2. Client:
    1. client.ovpn:
      • verb 7
      • proto tcp
    2. Disconnect client, then reconnect

  3. Once client connect attempt fails, please post your client and server logs, as well as the configs for each
    • Ensure WAN IP, DDNS, and port # are removed from configs and logs
      • Server Log: /tmp/openvpn.log
      • Client Log:
        • Windows: Right click on OpenVPN tray icon –> View Log
        • BSD/Linux: Refer to client.ovpn

VPN Wikis


Notes

  • The answer to any question about an OpenVPN Client or Server configuration is contained within the VPN Wiki or OpenSSL sections
  • If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the LEDE or OpenVPN forums
docs/guide-user/services/vpn/openvpn/server.comprehensive.txt · Last modified: 2018/06/30 13:12 by jw0914