Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:vpn:openvpn:basic [2020/10/03 20:45] – [Introduction] add link to RNG setup vgaetera
docs:guide-user:services:vpn:openvpn:server [2023/10/29 01:00] (current) – consolidate naming vgaetera
Line 1: Line 1:
-====== OpenVPN basic ====== +====== OpenVPN server ====== 
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the method for setting up [[wp>OpenVPN|OpenVPN]] server on OpenWrt.   * This how-to describes the method for setting up [[wp>OpenVPN|OpenVPN]] server on OpenWrt.
-  * It helps generate OpenVPN client profiles which are easy to export/import between devices. +  * Follow [[docs:guide-user:services:vpn:openvpn:client|OpenVPN client]] for client setup and [[docs:guide-user:services:vpn:openvpn:extras|OpenVPN extras]] for additional tuning. 
-  * Follow [[docs:guide-user:services:vpn:openvpn:client|OpenVPN client]] for client setup and [[docs:guide-user:services:vpn:openvpn:extra|OpenVPN extras]] for additional tuning. +  * It requires OpenWrt 21.02+ with OpenVPN 2.5+ supporting ''tls-crypt-v2''
-  * Follow [[docs:guide-user:services:rng|Random generator]] to overcome low entropy issues.+    * OpenWrt 19.07 users with OpenVPN 2.4 should refer to an [[docs:guide-user:services:vpn:openvpn:server?rev=1632708683|older revision]].
  
 ===== Goals ===== ===== Goals =====
-  * Encrypt your internet connection to enforce security and privacy. +{{section>docs:guide-user:services:vpn:wireguard:server#goals&noheader&nofooter&noeditbutton}}
-    * Prevent data leak and traffic spoofing on the client side. +
-  * Bypass regional restrictions using commercial providers. +
-    * Escape client side content filters and internet censorship. +
-  * Access your LAN services remotely without port forwarding.+
  
-===== Instructions =====+===== Command-line instructions =====
 ==== 1. Preparation ==== ==== 1. Preparation ====
-Set up [[docs:guide-user:services:ddns:client|DDNS client]] if required. +Install the required packages
-Install the packages and specify the VPN server configuration parameters.+Specify configuration parameters for VPN server.
  
 <code bash> <code bash>
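Review bot: the Preparation step drops the old sentence telling readers to set up a DDNS client first, yet the new "Fetch server address" block reads ''ddns.@service[0].lookup_host''; a reader who wants a hostname rather than the WAN address in the client's ''remote'' line now has no pointer to that setup, so keep a link to [[docs:guide-user:services:ddns:client|DDNS client]] as an optional preparation item. Minor: the new bullet "It requires OpenWrt 21.02+ with OpenVPN 2.5+ supporting ''tls-crypt-v2''" lacks the terminating period the other bullets have.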
Line 26: Line 22:
  
 # Configuration parameters # Configuration parameters
-OVPN_DIR="/etc/openvpn" +VPN_DIR="/etc/openvpn" 
-OVPN_PKI="/etc/easy-rsa/pki" +VPN_PKI="/etc/easy-rsa/pki" 
-OVPN_DEV="tun0" +VPN_PORT="1194" 
-OVPN_PORT="1194" +VPN_PROTO="udp" 
-OVPN_PROTO="udp" +VPN_POOL="192.168.9.0 255.255.255.0" 
-OVPN_POOL="192.168.8.0 255.255.255.0" +VPN_DNS="${VPN_POOL%.* *}.1" 
-OVPN_DNS="${OVPN_POOL%.* *}.1" +VPN_DN="$(uci -q get dhcp.@dnsmasq[0].domain)"
-OVPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)"+
  
-# Fetch IP address+# Fetch server address 
 +NET_FQDN="$(uci -q get ddns.@service[0].lookup_host)"
 . /lib/functions/network.sh . /lib/functions/network.sh
 network_flush_cache network_flush_cache
 network_find_wan NET_IF network_find_wan NET_IF
 network_get_ipaddr NET_ADDR "${NET_IF}" network_get_ipaddr NET_ADDR "${NET_IF}"
-OVPN_SERV="${NET_ADDR}" 
- 
-# Fetch FQDN from DDNS client 
-NET_FQDN="$(uci -q get "$(uci -q show ddns \ 
-| sed -n -e "/\.enabled='1'$/s//.lookup_host/p" \ 
-| sed -n -e "1p")")" 
 if [ -n "${NET_FQDN}" ] if [ -n "${NET_FQDN}" ]
-then OVPN_SERV="${NET_FQDN}"+then VPN_SERV="${NET_FQDN}" 
 +else VPN_SERV="${NET_ADDR}"
 fi fi
 </code> </code>
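Review bot: the new ''NET_FQDN="$(uci -q get ddns.@service[0].lookup_host)"'' no longer checks that the DDNS service is enabled, which the removed ''sed'' pipeline did via ''.enabled='1''''; a disabled or stale first service entry puts a hostname that does not resolve to this router into ''VPN_SERV'' and from there into every client's ''remote'' line. Either keep an enabled check or state in the text that the first ''ddns'' section must be the active one. Also ''VPN_DN="$(uci -q get dhcp.@dnsmasq[0].domain)"'' can legitimately be empty, and the later ''push "dhcp-option DOMAIN ${VPN_DN}"'' then pushes an empty value; guarding that push with ''[ -n "${VPN_DN}" ]'' avoids it.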
Line 53: Line 44:
 ==== 2. Key management ==== ==== 2. Key management ====
 Use [[https://github.com/OpenVPN/easy-rsa#overview|EasyRSA]] to manage the PKI. Use [[https://github.com/OpenVPN/easy-rsa#overview|EasyRSA]] to manage the PKI.
-Utilize private key password protection if required.+Utilize private key password protection if necessary.
  
 <code bash> <code bash>
 +# Work around EasyRSA issues
 +wget -U "" -O /tmp/easyrsa.tar.gz \
 +https://github.com/OpenVPN/easy-rsa/\
 +releases/download/v3.1.7/EasyRSA-3.1.7.tgz
 +tar -z -x -f /tmp/easyrsa.tar.gz
 +
 # Configuration parameters # Configuration parameters
-export EASYRSA_PKI="${OVPN_PKI}" +cat << EOF > /etc/profile.d/easy-rsa.sh 
-export EASYRSA_REQ_CN="ovpnca"+export EASYRSA_PKI="${VPN_PKI}" 
 +export EASYRSA_TEMP_DIR="/tmp" 
 +export EASYRSA_CERT_EXPIRE="3650"
 export EASYRSA_BATCH="1" export EASYRSA_BATCH="1"
 +alias easyrsa="/root/EasyRSA-3.1.7/easyrsa"
 +EOF
 +. /etc/profile.d/easy-rsa.sh
  
-# Remove and re-initialize the PKI directory+# Remove and re-initialize PKI directory
 easyrsa init-pki easyrsa init-pki
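Review bot: the added ''tar -z -x -f /tmp/easyrsa.tar.gz'' extracts into whatever the current working directory is, while the new alias hard-codes ''/root/EasyRSA-3.1.7/easyrsa'', so the step only works when the reader happens to be in ''/root''; add ''-C /root'' to the ''tar'' call. The comment "Work around EasyRSA issues" should name the issue being worked around so readers know when the workaround can be dropped in favour of the packaged easy-rsa. And since this tarball is the tool that generates the CA and every key, note that the download has no integrity check beyond TLS; recording the expected checksum of the 3.1.7 release next to the ''wget'' line would let readers verify it before running it.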
  
Line 70: Line 72:
 easyrsa build-ca nopass easyrsa build-ca nopass
  
-# Generate a key pair and sign locally for a server+# Generate server keys and certificate
 easyrsa build-server-full server nopass easyrsa build-server-full server nopass
 +openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/private/server.pem
  
-# Generate a key pair and sign locally for a client+# Generate client keys and certificate
 easyrsa build-client-full client nopass easyrsa build-client-full client nopass
- +openvpn --tls-crypt-v2 ${EASYRSA_PKI}/private/server.pem \ 
-# Generate TLS PSK +--genkey tls-crypt-v2-client ${EASYRSA_PKI}/private/client.pem
-openvpn --genkey --secret ${OVPN_PKI}/tc.pem+
 </code> </code>
  
 ==== 3. Firewall ==== ==== 3. Firewall ====
-Consider VPN network as private and assign VPN interface to LAN zone to minimize firewall setup.+Consider VPN network as private
 +Assign VPN interface to LAN zone to minimize firewall setup.
 Allow access to VPN server from WAN zone. Allow access to VPN server from WAN zone.
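Review bot: the new ''openvpn --tls-crypt-v2 ${EASYRSA_PKI}/private/server.pem --genkey tls-crypt-v2-client ...'' lines should say that every client key is derived from ''server.pem'' and that this step must be repeated for each client; regenerating ''server.pem'' invalidates all existing client keys, so it needs the same care and backup as the CA key. Also the split sentence "Consider VPN network as private" lost its terminating period.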
  
Line 88: Line 91:
 uci rename firewall.@zone[0]="lan" uci rename firewall.@zone[0]="lan"
 uci rename firewall.@zone[1]="wan" uci rename firewall.@zone[1]="wan"
-uci rename firewall.@forwarding[0]="lan_wan" +uci del_list firewall.lan.device="tun+
-uci del_list firewall.lan.device="${OVPN_DEV}+uci add_list firewall.lan.device="tun+"
-uci add_list firewall.lan.device="${OVPN_DEV}"+
 uci -q delete firewall.ovpn uci -q delete firewall.ovpn
 uci set firewall.ovpn="rule" uci set firewall.ovpn="rule"
 uci set firewall.ovpn.name="Allow-OpenVPN" uci set firewall.ovpn.name="Allow-OpenVPN"
 uci set firewall.ovpn.src="wan" uci set firewall.ovpn.src="wan"
-uci set firewall.ovpn.dest_port="${OVPN_PORT}" +uci set firewall.ovpn.dest_port="${VPN_PORT}" 
-uci set firewall.ovpn.proto="${OVPN_PROTO}"+uci set firewall.ovpn.proto="${VPN_PROTO}"
 uci set firewall.ovpn.target="ACCEPT" uci set firewall.ovpn.target="ACCEPT"
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
  
-==== 4. Basic server ==== +==== 4. VPN service ==== 
-Configure VPN server and generate client profiles.+Configure VPN service and generate client profiles.
  
 <code bash> <code bash>
-# Configuration parameters +# Configure VPN service and generate client profiles
-OVPN_DH="$(cat ${OVPN_PKI}/dh.pem)" +
-OVPN_TC="$(sed -e "/^#/d;/^\w/N;s/\n//" ${OVPN_PKI}/tc.pem)" +
-OVPN_CA="$(openssl x509 -in ${OVPN_PKI}/ca.crt)" +
-NL=$'\n' +
- +
-# Configure VPN server and generate client profiles+
 umask go= umask go=
-ls ${OVPN_PKI}/issued \+VPN_DH="$(cat ${VPN_PKI}/dh.pem)" 
 +VPN_CA="$(openssl x509 -in ${VPN_PKI}/ca.crt)" 
 +ls ${VPN_PKI}/issued \
 | sed -e "s/\.\w*$//" \ | sed -e "s/\.\w*$//" \
-| while read -r OVPN_ID+| while read -r VPN_ID
 do do
-OVPN_KEY="$(cat ${OVPN_PKI}/private/${OVPN_ID}.key)" +VPN_TC="$(cat ${VPN_PKI}/private/${VPN_ID}.pem)" 
-OVPN_CERT="$(openssl x509 -in ${OVPN_PKI}/issued/${OVPN_ID}.crt)" +VPN_KEY="$(cat ${VPN_PKI}/private/${VPN_ID}.key)" 
-OVPN_CERT_EXT="$(openssl x509 -in ${OVPN_PKI}/issued/${OVPN_ID}.crt -purpose)" +VPN_CERT="$(openssl x509 -in ${VPN_PKI}/issued/${VPN_ID}.crt)" 
-OVPN_CONF_SERVER="\+VPN_EKU="$(echo "${VPN_CERT}" | openssl x509 -noout -purpose)" 
 +case ${VPN_EKU} in 
 +(*"SSL server : Yes"*) 
 +VPN_CONF="${VPN_DIR}/${VPN_ID}.conf" 
 +cat << EOF > ${VPN_CONF} ;;
 user nobody user nobody
 group nogroup group nogroup
-dev ${OVPN_DEV} +dev tun 
-port ${OVPN_PORT+port ${VPN_PORT
-proto ${OVPN_PROTO+proto ${VPN_PROTO
-server ${OVPN_POOL}+server ${VPN_POOL}
 topology subnet topology subnet
 client-to-client client-to-client
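Review bot: ''uci add_list firewall.lan.device="tun+"'' puts every present and future ''tun'' interface into the LAN zone, not only the one this server creates, whereas the removed line only added ''${OVPN_DEV}'' (''tun0''); any other tunnel on the router, for example an OpenVPN client instance, is then also trusted as LAN. This matches the new ''dev tun'' in the server config, but the text should say so, or the config should keep a fixed device name such as ''dev tun0'' with a matching ''firewall.lan.device'' entry.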
Line 133: Line 135:
 persist-tun persist-tun
 persist-key persist-key
-push \"dhcp-option DNS ${OVPN_DNS}\+push "dhcp-option DNS ${VPN_DNS}" 
-push \"dhcp-option DOMAIN ${OVPN_DOMAIN}\+push "dhcp-option DOMAIN ${VPN_DN}" 
-push \"redirect-gateway def1\+push "redirect-gateway def1" 
-push \"persist-tun\+push "persist-tun" 
-push \"persist-key\+push "persist-key" 
-<dh>${NL}${OVPN_DH}${NL}</dh>" +<dh> 
-OVPN_CONF_CLIENT="\ +${VPN_DH} 
-dev ${OVPN_DEV%%[0-9]*}+</dh> 
 +EOF 
 +(*"SSL client : Yes"*) 
 +VPN_CONF="${VPN_DIR}/${VPN_ID}.ovpn" 
 +cat << EOF > ${VPN_CONF;; 
 +user nobody 
 +group nogroup 
 +dev tun
 nobind nobind
 client client
-remote ${OVPN_SERV} ${OVPN_PORT} ${OVPN_PROTO}+remote ${VPN_SERV} ${VPN_PORT} ${VPN_PROTO}
 auth-nocache auth-nocache
-remote-cert-tls server+remote-cert-tls server
-OVPN_CONF_COMMON="+
-<tls-crypt>${NL}${OVPN_TC}${NL}</tls-crypt> +
-<key>${NL}${OVPN_KEY}${NL}</key> +
-<cert>${NL}${OVPN_CERT}${NL}</cert> +
-<ca>${NL}${OVPN_CA}${NL}</ca>" +
-case ${OVPN_CERT_EXT} in +
-(*"SSL server : Yes"*) cat << EOF > ${OVPN_DIR}/${OVPN_ID}.conf ;; +
-${OVPN_CONF_SERVER} +
-${OVPN_CONF_COMMON} +
-EOF +
-(*"SSL client : Yes"*) cat << EOF > ${OVPN_DIR}/${OVPN_ID}.ovpn ;; +
-${OVPN_CONF_CLIENT} +
-${OVPN_CONF_COMMON}+
 EOF EOF
 esac esac
 +cat << EOF >> ${VPN_CONF}
 +<tls-crypt-v2>
 +${VPN_TC}
 +</tls-crypt-v2>
 +<key>
 +${VPN_KEY}
 +</key>
 +<cert>
 +${VPN_CERT}
 +</cert>
 +<ca>
 +${VPN_CA}
 +</ca>
 +EOF
 done done
-/etc/init.d/openvpn restart +service openvpn restart 
-ls ${OVPN_DIR}/*.ovpn+ls ${VPN_DIR}/*.ovpn
 </code> </code>
  
-Perform OpenWrt [[docs:guide-user:troubleshooting:backup_restore|backup]]. +Basic openvpn server configuration is now complete. 
-Extract client profiles from the archive and import them to your clients.+  - Perform OpenWrt [[docs:guide-user:troubleshooting:backup_restore|backup]]. 
 +  - Either extract client profile from the archive file, or use SCP to retrieve the <color #ed1c24>/etc/openvpn/client.ovpn</color> file from the router.   
 +  - Review/edit the IP address for the 'remote' line contained within the <color #ed1c24>client.ovpn</color> file.   
 +  - Import the client.ovpn profile into your clients
 + 
 +For an additional .ovpn after completing the above: 
 +  - Run this [[docs:guide-user:services:vpn:openvpn:extras#multi-client]] script. 
 +  - Now make a script consisting of the "Configuration parameters" of Part 1 above and all of Part 4 above and run it. Note that the "remote" line may be missing in the new ovpn (use the original as a reference for that).
  
 ===== Testing ===== ===== Testing =====
-Establish the VPN connection. +{{section>docs:guide-user:services:vpn:wireguard:server#testing&noheader&nofooter&noeditbutton}}
-Verify your client traffic is routed via VPN gateway. +
- +
-<code bash> +
-traceroute openwrt.org +
-traceroute6 openwrt.org +
-</code> +
- +
-Check your client public IP addresses. +
-  * [[https://ipleak.net/]] +
-Make sure there is no DNS leak on the client side. +
-  * [[https://dnsleaktest.com/]] +
-Delegate a public IPv6 prefix to VPN6 network to use IPv6 by default. +
-  * [[https://ipv6-test.com/]]+
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
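Review bot: the new note "the "remote" line may be missing in the new ovpn" in the extra-client instructions describes a predictable outcome rather than an oddity: ''VPN_SERV'' is set in the "Fetch server address" block of Part 1, not in its "Configuration parameters" block, so a script built only from "Configuration parameters" plus Part 4 writes ''remote  ${VPN_PORT} ${VPN_PROTO}'' with an empty address; tell readers to include the fetch block (or set ''VPN_SERV'' by hand) instead. Smaller points: the client profile now carries ''user nobody'' and ''group nogroup'', which only make sense on Unix-like clients; the link ''[[docs:guide-user:services:vpn:openvpn:extras#multi-client]]'' has no link text, so ''[[docs:guide-user:services:vpn:openvpn:extras#multi-client|multi-client script]]'' reads better; and "Basic openvpn server configuration" should capitalise OpenVPN.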
Line 190: Line 194:
 <code bash> <code bash>
 # Restart services # Restart services
-/etc/init.d/log restart; /etc/init.d/openvpn restart; sleep 10+service log restart; service openvpn restart; sleep 10
  
 # Log and status # Log and status
Line 197: Line 201:
 # Runtime configuration # Runtime configuration
 pgrep -f -a openvpn pgrep -f -a openvpn
-ip address show; ip route show table all type unicast +ip address show; ip route show table all 
-ip rule show; ip -6 rule show; iptables-save; ip6tables-save+ip rule show; ip -6 rule show; nft list ruleset
  
 # Persistent configuration # Persistent configuration
 uci show network; uci show firewall; uci show openvpn uci show network; uci show firewall; uci show openvpn
-head -n -0 /etc/openvpn/*.conf+head -v -n -0 /etc/openvpn/*.conf
 </code> </code>
 +
 +===== Notes =====
 +For beginners to OpenVPN server, this PDF guide may be helpful.  It is based on above cli instructions with additional note and tips.
 +[[https://www.dropbox.com/s/idjzqs3cyyb1zai/7-OpenVPN%20Server%20for%20HH5A.pdf?dl=0|OpenVPN server setup guide for BT Home Hub 5A]]
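Review bot: ''nft list ruleset'' replaces ''iptables-save; ip6tables-save'' in the runtime-configuration dump, but the Introduction now states the page needs OpenWrt 21.02+, and 21.02 still ships the iptables-based firewall3 where ''nft'' is not installed by default; either state 22.03+ as the requirement or keep both commands (''nft list ruleset 2>/dev/null; iptables-save 2>/dev/null''). In the new Notes section, "cli" should be "CLI", and linking a guide hosted on a personal Dropbox share is fragile; the wiki's own file storage would keep the PDF reachable.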
  
  • Last modified: 2023/10/29 01:00
  • by vgaetera