docs:guide-user:services:vpn:openvpn:server.setup [2018/06/10 21:10]
tojestzart shit isp
docs:guide-user:services:vpn:openvpn:server.setup [2018/08/08 01:05] (current)
jw0914 Removed em values from wraps
Line 25: Line 25:
 ==== Install OpenVPN and Other Packages ==== ==== Install OpenVPN and Other Packages ====
 Install the following packages either from Web UI or SSH into your router and run: Install the following packages either from Web UI or SSH into your router and run:
-<​WRAP ​42.5em ​lo><​code bash>​opkg update && opkg install openvpn-openssl openssl-util luci-app-openvpn</​code></​WRAP>​+<WRAP lo><​code bash>​opkg update && opkg install openvpn-openssl openssl-util luci-app-openvpn</​code></​WRAP>​
  
 ==== Generate Certificates ==== ==== Generate Certificates ====
Line 32: Line 32:
 Copy-paste the following commands into your router via the SSH session: Copy-paste the following commands into your router via the SSH session:
  
-<​WRAP ​81em lo>+<WRAP lo>
   * **PLEASE NOTE:**   * **PLEASE NOTE:**
-    * **Preferred way to garnish scripts is to utilize ''​wget'':​** <WRAP outdent ​63em><​code bash>cd /tmp && wget https://​openwrt.org/​_export/​code/​docs/​guide-user/​services/​vpn/​openvpn/​server.setup?​codeblock=3+    * **Preferred way to garnish scripts is to utilize ''​wget'':​** <WRAP outdent><​code bash>cd /tmp && wget https://​openwrt.org/​_export/​code/​docs/​guide-user/​services/​vpn/​openvpn/​server.setup?​codeblock=3
  
 mv server.setup?​codeblock=3 create-certs.sh && chmod 754 ./​create-certs.sh && ./​create-certs.sh mv server.setup?​codeblock=3 create-certs.sh && chmod 754 ./​create-certs.sh && ./​create-certs.sh
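Review bot: "garnish scripts" in the unchanged context line is the wrong word; the intent is "fetch" or "obtain" the script with `wget`, so the bold lead-in should read "Preferred way to fetch scripts is to utilize ''wget''". Since the same line chains the download directly into `chmod 754 ./create-certs.sh && ./create-certs.sh`, it is worth a short sentence telling the reader to open the downloaded file once before executing it, which also gives them a chance to spot the CRLF problem the later dos2unix note addresses.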
Line 54: Line 54:
       * [[https://​notepad-plus-plus.org/​|Notepad++]]       * [[https://​notepad-plus-plus.org/​|Notepad++]]
       * [[https://​atom.io/​|Atom]]\\ \\       * [[https://​atom.io/​|Atom]]\\ \\
-    * If installed, ''​dos2unix''​ on the router can be utilized: ​<WRAP 22.5em><code bash>​dos2unix -u create-certs.sh</​code></​WRAP>​+    * If installed, ''​dos2unix''​ on the router can be utilized: <code bash>​dos2unix -u create-certs.sh</​code></​WRAP>​
 ++++ ++++
 </​WRAP>​ </​WRAP>​
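Review bot: the new side of the dos2unix line removes the opening `<WRAP 22.5em>` but keeps the trailing `</WRAP>`, leaving `<code bash>dos2unix -u create-certs.sh</code></WRAP>`. That stray `</WRAP>` now closes the outer `<WRAP lo>` opened at the top of this section, so the `</WRAP>` that follows `++++` becomes unmatched and the fold/wrap layout breaks. Drop the `</WRAP>` after `</code>` on that line.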
Line 147: Line 147:
 Copy-paste the following commands into your router via the SSH session: ​ Copy-paste the following commands into your router via the SSH session: ​
  
-<​WRAP ​55em lo><​file bash create-configs.sh>​+<WRAP lo><​file bash create-configs.sh>​
 #!/bin/sh #!/bin/sh
  
Line 186: Line 186:
   uci set openvpn.vpnserver.enabled='​1'​   uci set openvpn.vpnserver.enabled='​1'​
   uci set openvpn.vpnserver.dev_type='​tun'​   uci set openvpn.vpnserver.dev_type='​tun'​
-  uci set openvpn.vpnserver.dev='​ovpns0'​+  uci set openvpn.vpnserver.dev='​ovpns0' ​  
 +  uci set openvpn.vpnserver.proto='​udp'
   uci set openvpn.vpnserver.port='​1194'​   uci set openvpn.vpnserver.port='​1194'​
-  uci set openvpn.vpnserver.proto='udp' ​# Warning: sometimes u need declare udp4 or udp6 ! +  uci set openvpn.vpnserver.topology='subnet
-  uci set openvpn.vpnserver.comp_lzo='yes'+  uci set openvpn.vpnserver.tls_server='1' 
 +  uci set openvpn.vpnserver.mode='​server'​ 
 +  uci set openvpn.vpnserver.server='​192.168.200.0 255.255.255.0'​ 
 +  uci set openvpn.vpnserver.route_gateway='​dhcp'​ 
 +  uci set openvpn.vpnserver.compress='​lzo'
   uci set openvpn.vpnserver.keepalive='​10 120'   uci set openvpn.vpnserver.keepalive='​10 120'
   uci set openvpn.vpnserver.persist_key='​1'​   uci set openvpn.vpnserver.persist_key='​1'​
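Review bot: removing the `# Warning: sometimes u need declare udp4 or udp6 !` comment together with the `proto` line discards a genuine caveat; the reordered `uci set openvpn.vpnserver.proto='udp'` should carry it in cleaner wording, e.g. `# if the server fails to bind, use udp4 or udp6 instead of udp`. Also, the new `uci set openvpn.vpnserver.dev='ovpns0'` line carries trailing whitespace, which a copy-paste into the shell reproduces needlessly.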
Line 198: Line 203:
   uci set openvpn.vpnserver.dh='/​etc/​openvpn/​dh2048.pem'​   uci set openvpn.vpnserver.dh='/​etc/​openvpn/​dh2048.pem'​
   uci set openvpn.vpnserver.tls_auth='/​etc/​openvpn/​tls-auth.key 0'   uci set openvpn.vpnserver.tls_auth='/​etc/​openvpn/​tls-auth.key 0'
-  uci set openvpn.vpnserver.mode='​server'​ 
-  uci set openvpn.vpnserver.tls_server='​1'​ 
-  uci set openvpn.vpnserver.server='​192.168.200.0 255.255.255.0'​ 
-  uci set openvpn.vpnserver.topology='​subnet'​ 
-  uci set openvpn.vpnserver.route_gateway='​dhcp'​ 
   uci set openvpn.vpnserver.client_to_client='​1'​   uci set openvpn.vpnserver.client_to_client='​1'​
-  uci set openvpn.vpnserver.log=/​tmp/​openvpn.log +  uci set openvpn.vpnserver.log='/​tmp/​openvpn.log'​ 
-   +
-  uci add_list openvpn.vpnserver.push='​comp-lzo yes+
-  uci add_list openvpn.vpnserver.push='​persist-key'​ +
-  uci add_list openvpn.vpnserver.push='​persist-tun'​+
   uci add_list openvpn.vpnserver.push='​topology subnet'​   uci add_list openvpn.vpnserver.push='​topology subnet'​
-  uci add_list openvpn.vpnserver.push='​route-gateway dhcp' 
   uci add_list openvpn.vpnserver.push='​redirect-gateway def1'   uci add_list openvpn.vpnserver.push='​redirect-gateway def1'
 +  uci add_list openvpn.vpnserver.push='​route-gateway dhcp'
   uci add_list openvpn.vpnserver.push='​route 192.168.200.0 255.255.255.0'​   uci add_list openvpn.vpnserver.push='​route 192.168.200.0 255.255.255.0'​
   uci add_list openvpn.vpnserver.push='​dhcp-option DNS 192.168.1.1'​   uci add_list openvpn.vpnserver.push='​dhcp-option DNS 192.168.1.1'​
 +  uci add_list openvpn.vpnserver.push='​compress lzo'
 +  uci add_list openvpn.vpnserver.push='​persist-key'​
 +  uci add_list openvpn.vpnserver.push='​persist-tun'​
 +  ldomain="​$(uci -q get dhcp.@dnsmasq[0].domain)"​
 +  [ -n "​$ldomain"​ ] && uci add_list openvpn.vpnserver.push="​DOMAIN $ldomain"​
 +  ​
 uci commit openvpn uci commit openvpn
 </​file></​WRAP>​ </​file></​WRAP>​
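Review bot: `uci add_list openvpn.vpnserver.push="DOMAIN $ldomain"` pushes an option that OpenVPN clients do not recognise; `DOMAIN` is a `dhcp-option` argument, not a directive, so the line must read `uci add_list openvpn.vpnserver.push="dhcp-option DOMAIN $ldomain"` to match the `push='dhcp-option DNS 192.168.1.1'` line just above it. The `[ -n "$ldomain" ] &&` guard is a good addition; quoting the log path as `'/tmp/openvpn.log'` is fine and consistent with the other values.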
Line 222: Line 225:
  
 Updated contents of ''/​etc/​config/​network''​ Updated contents of ''/​etc/​config/​network''​
-<​WRAP ​54.5em ​lo><​code bash>+<WRAP lo><​code bash>
 config interface '​vpnserver'​ config interface '​vpnserver'​
-    option ​ ifname ​     '​ovpns0'​ +    option ​ ifname ​             '​ovpns0'​ 
-    option ​ proto       ​'​none'​ +    option ​ proto               ​'​none'​ 
-    option ​ auto        1+    option ​ auto                1
 </​code></​WRAP>​ </​code></​WRAP>​
  
  
 Updated contents of ''/​etc/​config/​firewall''​ Updated contents of ''/​etc/​config/​firewall''​
-<​WRAP ​54.5em ​lo><​code bash>+<WRAP lo><​code bash>
 config rule config rule
-    option ​ name        '​Allow-OpenVPN-Inbound'​ +    option ​ name                '​Allow-OpenVPN-Inbound'​ 
-    option ​ target ​     '​ACCEPT'​ +    option ​ target ​             '​ACCEPT'​ 
-    option ​ src         ​+    option ​ src                 ​
-    option ​ proto       ​'​tcpudp'​ +    option ​ proto               ​'​tcpudp'​ 
-    option ​ dest_port ​  ​1194+    option ​ dest_port ​          ​1194
  
 config zone config zone
-    option ​ name        '​vpnserver'​ +    option ​ name                '​vpnserver'​ 
-    option ​ network ​    ​'​vpnserver'​ +    option ​ network ​            ​'​vpnserver'​ 
-    option ​ input       ​'​ACCEPT'​ +    option ​ input               ​'​ACCEPT'​ 
-    option ​ forward ​    ​'​REJECT'​ +    option ​ forward ​            ​'​REJECT'​ 
-    option ​ output ​     '​ACCEPT'​ +    option ​ output ​             '​ACCEPT'​ 
-    option ​ masq        1+    option ​ masq                1
  
 config forwarding config forwarding
-    option ​ src         ​'​vpnserver'​ +    option ​ src                 ​'​vpnserver'​ 
-    option ​ dest        '​wan'​+    option ​ dest                '​wan'​
  
 config forwarding config forwarding
-    option ​ src         ​'​vpnserver'​ +    option ​ src                 ​'​vpnserver'​ 
-    option ​ dest        '​lan'​+    option ​ dest                '​lan'​
 </​code></​WRAP>​ </​code></​WRAP>​
  
  
 Updated contents of ''/​etc/​config/​openvpn''​ Updated contents of ''/​etc/​config/​openvpn''​
-<​WRAP ​54.5em ​lo><​code bash>+<WRAP lo><​code bash>
 config openvpn '​vpnserver'​ config openvpn '​vpnserver'​
     option ​ enabled ​            1     option ​ enabled ​            1
     option ​ dev_type ​           '​tun'​     option ​ dev_type ​           '​tun'​
     option ​ dev                 '​ovpns0'​     option ​ dev                 '​ovpns0'​
-    option  ​port                1194+    option  ​topology ​           '​subnet'​
     option ​ proto               '​udp'​     option ​ proto               '​udp'​
 +    option ​ port                1194
 +
 +    option ​ tls_server ​         1
 +    oprion ​ mode                '​server'​
 +    option ​ server ​             '​192.168.200.0 255.255.255.0'​
 +    option ​ route_gateway ​      '​dhcp'​
  
-    option  ​comp_lzo ​           '​yes'+    option  ​compress ​           '​lz4'
     option ​ keepalive ​          '​10 120'     option ​ keepalive ​          '​10 120'
     option ​ persist_key ​        1     option ​ persist_key ​        1
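Review bot: the new `/etc/config/openvpn` sample contains `oprion  mode 'server'`; UCI rejects an unknown keyword, so a reader who pastes this file gets a parse error rather than a server. Fix the typo to `option`. Two further consistency points in this hunk: the sample shows `option compress 'lz4'` while the `create-configs.sh` script it claims to reproduce sets `compress='lzo'`, so one of the two must change; and in the firewall sample the `Allow-OpenVPN-Inbound` rule has an empty `option src` and `proto 'tcpudp'` although the server listens on UDP only. Setting `option src 'wan'` and `option proto 'udp'` makes the rule explicit and opens nothing the server does not use.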
Line 277: Line 286:
     option ​ tls_auth ​           '/​etc/​openvpn/​tls-auth.key 0'     option ​ tls_auth ​           '/​etc/​openvpn/​tls-auth.key 0'
  
-    option  ​mode                '​server'​ +    option  ​client_to_client ​   1 
-    option ​ tls_server ​         '1' +    option ​ log                 ​'/​tmp/​openvpn.log'​
-    option  ​server ​             '​192.168.200.0 255.255.255.0'​ +
-    option ​ topology ​           '​subnet'​ +
-    option ​ route_gateway ​      '​dhcp'​ +
- +
-    option ​ client_to_client ​   '​1'​ +
-    option ​log '/​tmp/​openvpn.log'​ +
  
-    list    push                'comp-lzo yes'+    list    push                'topology ​          ​subnet'​ 
 +    list    push                '​redirect-gateway ​  ​def1'​ 
 +    list    push                '​route-gateway ​     dhcp'​ 
 +    list    push                '​route ​             192.168.200.0 255.255.255.0'​ 
 +    list    push                '​dhcp-option ​       DNS 192.168.1.1'​ 
 +    list    push                '​compress ​          lz4'
     list    push                '​persist-key'​     list    push                '​persist-key'​
     list    push                '​persist-tun'​     list    push                '​persist-tun'​
-    list    push                '​topology subnet'​ 
-    list    push                '​route-gateway dhcp' 
-    list    push                '​redirect-gateway def1' 
-    list    push                'route 192.168.200.0 255.255.255.0'​ 
-    list    push                '​dhcp-option DNS 192.168.1.1'​ 
 </​code></​WRAP>​ </​code></​WRAP>​
 ++++ ++++
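Review bot: the pushed `compress lz4` must match whatever `option compress` the server itself uses, and the uci script in this same revision sets `lzo`; a client that is told `compress lz4` by a server running lzo will not exchange traffic correctly. Pick one algorithm for the script, the rendered config and the push list. The column padding inside the quoted push values (`'topology           subnet'`, `'route             192.168.200.0 ...'`) is tolerated by OpenVPN's option parser, but it is purely cosmetic and fragile when copied; single spaces as in the `uci add_list` lines are safer.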
Line 305: Line 307:
  
 Now start your own OpenVPN Server. You can either enable/​start it from the Web UI (if you have installed the ''​luci-app-openvpn''​) or from the command line on the router by running: Now start your own OpenVPN Server. You can either enable/​start it from the Web UI (if you have installed the ''​luci-app-openvpn''​) or from the command line on the router by running:
-<​WRAP ​95em lo><​code bash>/​etc/​init.d/​openvpn enable && /​etc/​init.d/​openvpn start</​code></​WRAP>​+<WRAP lo><​code bash>/​etc/​init.d/​openvpn enable && /​etc/​init.d/​openvpn start</​code></​WRAP>​
  
 Wait a few seconds and then you can verify if the OpenVPN Server has successfully started by running the command below. If it produces any output, that means your OpenVPN Server is running. Wait a few seconds and then you can verify if the OpenVPN Server has successfully started by running the command below. If it produces any output, that means your OpenVPN Server is running.
-<​WRAP ​102em lo><​code bash> ps | grep "​[o]penvpn(vpnserver)"</​code></​WRAP>​+<WRAP lo><​code bash> ps | grep "​[o]penvpn(vpnserver)"</​code></​WRAP>​
  
  
Line 321: Line 323:
  
 Copy-paste the following commands into your router via the SSH session: Copy-paste the following commands into your router via the SSH session:
-<​WRAP ​38.5em ​lo><​file bash create-ovpn.sh>​+<WRAP lo><​file bash create-ovpn.sh>​
 #!/bin/sh #!/bin/sh
  
Line 334: Line 336:
   client   client
   dev tun   dev tun
-  proto udp # Warning : Sometimes u need to declare udp4 or udp6+  proto udp
   fast-io   fast-io
   remote $wanIP 1194   remote $wanIP 1194
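Review bot: dropping the comment on `proto udp` in the client template removes the only hint that some clients need `udp4` or `udp6`; if the inline comment is unwanted inside the generated `.ovpn`, move the caveat into the prose above the script rather than deleting it.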
Line 341: Line 343:
   persist-key   persist-key
   persist-tun   persist-tun
-  ​comp-lzo no+  ​compress ​lzo
   verb 3   verb 3
   key-direction 1   key-direction 1
 +  block-outside-dns
 EOF EOF
  
-echo '<​ca>' ​   >> ${OVPN_FILE} +echo '<​ca>' ​        ​>> ${OVPN_FILE} 
-cat            >> ${OVPN_FILE} < /​etc/​openvpn/​ca.crt ​        +cat                 ​>> ${OVPN_FILE} < /​etc/​openvpn/​ca.crt ​        
-echo '</​ca>' ​  ​>> ${OVPN_FILE}+echo '</​ca>' ​       >> ${OVPN_FILE}
  
-echo '<​cert>' ​ >> ${OVPN_FILE} +echo '<​cert>' ​      ​>> ${OVPN_FILE} 
-cat            >> ${OVPN_FILE} < /​etc/​openvpn/​my-client.crt  +cat                 ​>> ${OVPN_FILE} < /​etc/​openvpn/​my-client.crt  
-echo '</​cert>'​ >> ${OVPN_FILE}+echo '</​cert>' ​     >> ${OVPN_FILE}
  
-echo '<​key>' ​  ​>> ${OVPN_FILE} +echo '<​key>' ​       >> ${OVPN_FILE} 
-cat            >> ${OVPN_FILE} < /​etc/​openvpn/​my-client.key  +cat                 ​>> ${OVPN_FILE} < /​etc/​openvpn/​my-client.key  
-echo '</​key>' ​ >> ${OVPN_FILE}+echo '</​key>' ​      ​>> ${OVPN_FILE}
  
 echo '<​tls-auth>' ​  >>​ ${OVPN_FILE} echo '<​tls-auth>' ​  >>​ ${OVPN_FILE}
-cat            >> ${OVPN_FILE} < /​etc/​openvpn/​tls-auth.key ​+cat                 ​>> ${OVPN_FILE} < /​etc/​openvpn/​tls-auth.key ​
 echo '</​tls-auth>' ​ >> ${OVPN_FILE} echo '</​tls-auth>' ​ >> ${OVPN_FILE}
  
Line 377: Line 380:
 ===== Post-Setup Notes ===== ===== Post-Setup Notes =====
 If you want your files to remain on router after upgrades (this is recommended),​ run the following: If you want your files to remain on router after upgrades (this is recommended),​ run the following:
-<​WRAP ​50em lo><​file bash copy-certs.sh>​+<WRAP lo><​file bash copy-certs.sh>​
 #!/bin/sh #!/bin/sh
  
Line 387: Line 390:
 </​file></​WRAP>​ </​file></​WRAP>​
  
 +The example above uses the default compression (lzo), you may want to utilize a better (lz4) compression if your clients support it (notably, as of version 67 ChromeOS does not).
  
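Review bot: the added sentence says "The example above uses the default compression (lzo)", but the rendered `/etc/config/openvpn` in this same revision shows `compress 'lz4'`, so the text and the sample contradict each other; align them. The sentence is also a comma splice; suggested wording: "The example above uses lzo compression. lz4 is a better choice if all of your clients support it (notably, as of version 67, ChromeOS does not)."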
 ==== Additional Information ==== ==== Additional Information ====
Line 415: Line 419:
 ===== ToDo ===== ===== ToDo =====
   * (maybe) link to sources of OpenVPN clients for various operating systems (Win7, Win10, macOS, Linux, Chromebooks,​ etc). Actually, this info also belongs on an OpenVPN Client page...   * (maybe) link to sources of OpenVPN clients for various operating systems (Win7, Win10, macOS, Linux, Chromebooks,​ etc). Actually, this info also belongs on an OpenVPN Client page...
-  * Add information on pfx creation <​WRAP ​56em lo><​code bash>​openssl pkcs12 -export -out my-client.pfx -inkey my-client.key -in my-client.crt -certfile ca.crt</​code></​WRAP>​+  * Add information on pfx creation <WRAP lo><​code bash>​openssl pkcs12 -export -out my-client.pfx -inkey my-client.key -in my-client.crt -certfile ca.crt</​code></​WRAP>​
docs/guide-user/services/vpn/openvpn/server.setup.1528665038.txt.gz · Last modified: 2018/06/10 21:10 by tojestzart