Differences
Previous revision: docs:guide-user:services:vpn:openvpn:basic [2020/10/03 20:45], revision note "[Introduction] add link to RNG setup", by vgaetera
Current revision: docs:guide-user:services:vpn:openvpn:server [2023/10/29 01:00] (current), revision note "consolidate naming", by vgaetera
| Line 1: | Line 1: | ||
| - | ====== OpenVPN | + | ====== OpenVPN |
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| * This how-to describes the method for setting up [[wp> | * This how-to describes the method for setting up [[wp> | ||
| - | | + | * Follow [[docs: |
| - | | + | * It requires OpenWrt 21.02+ with OpenVPN 2.5+ supporting '' |
| - | * Follow | + | * OpenWrt 19.07 users with OpenVPN 2.4 should refer to an [[docs: |
| ===== Goals ===== | ===== Goals ===== | ||
| - | * Encrypt your internet connection to enforce security and privacy. | + | {{section> |
| - | * Prevent data leak and traffic spoofing on the client side. | + | |
| - | * Bypass regional restrictions using commercial providers. | + | |
| - | * Escape client side content filters and internet censorship. | + | |
| - | * Access your LAN services | + | |
| - | ===== Instructions | + | ===== Command-line instructions |
| ==== 1. Preparation ==== | ==== 1. Preparation ==== | ||
| - | Set up [[docs: | + | Install the required |
| - | Install the packages and specify the VPN server | + | Specify configuration parameters for VPN server. |
| <code bash> | <code bash> | ||
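Review bot: the Preparation step in the old column ("Set up [[docs:", the RNG setup link that the 2020/10/03 revision note says it added) has no counterpart in the new column, which starts straight at "Install the required". Key generation in section 2 is exactly where a router with a poor entropy source hurts, so if that guidance now lives in the included section or elsewhere, keep a link to it here; if it was dropped on purpose, say so in the revision note. Also, "OpenVPN 2.5+ supporting ''" is cut off in this rendering; whatever feature is named there should match the "--genkey" subcommands used in section 2, since that is the actual reason for the version floor.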
| Line 26: | Line 22: | ||
| # Configuration parameters | # Configuration parameters | ||
| - | OVPN_DIR="/ | + | VPN_DIR="/ |
| - | OVPN_PKI="/ | + | VPN_PKI="/ |
| - | OVPN_DEV=" | + | VPN_PORT=" |
| - | OVPN_PORT=" | + | VPN_PROTO=" |
| - | OVPN_PROTO=" | + | VPN_POOL=" |
| - | OVPN_POOL=" | + | VPN_DNS="${VPN_POOL%.* *}.1" |
| - | OVPN_DNS="${OVPN_POOL%.* *}.1" | + | VPN_DN=" |
| - | OVPN_DOMAIN=" | + | |
| - | # Fetch IP address | + | # Fetch server |
| + | NET_FQDN=" | ||
| . / | . / | ||
| network_flush_cache | network_flush_cache | ||
| network_find_wan NET_IF | network_find_wan NET_IF | ||
| network_get_ipaddr NET_ADDR " | network_get_ipaddr NET_ADDR " | ||
| - | OVPN_SERV=" | ||
| - | |||
| - | # Fetch FQDN from DDNS client | ||
| - | NET_FQDN=" | ||
| - | | sed -n -e "/ | ||
| - | | sed -n -e " | ||
| if [ -n " | if [ -n " | ||
| - | then OVPN_SERV=" | + | then VPN_SERV=" |
| + | else VPN_SERV=" | ||
| fi | fi | ||
| </ | </ | ||
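Review bot: 'VPN_DNS="${VPN_POOL%.* *}.1"' derives the pushed DNS address by stripping the last octet and the netmask off VPN_POOL, so it only yields a valid address when the pool is written as a dotted network address ending in .0 with a dotted-decimal mask and the server really takes .1; for a pool wider than /24 or a CIDR-style value the result is wrong. Either state that constraint next to the VPN_POOL line or derive the address from the server's tun interface once it is up. The new 'if [ -n "' / 'then VPN_SERV=' / 'else VPN_SERV=' block is a clean replacement for the sed pipeline it removes, but the fallback is the WAN address from network_get_ipaddr, which is not reachable from the internet when the WAN side is itself a private or CGNAT address; the later "Review/edit the IP address for the remote" step should say that in that case editing is mandatory, not optional.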
| Line 53: | Line 44: | ||
| ==== 2. Key management ==== | ==== 2. Key management ==== | ||
| Use [[https:// | Use [[https:// | ||
| - | Utilize private key password protection if required. | + | Utilize private key password protection if necessary. |
| <code bash> | <code bash> | ||
| + | # Work around EasyRSA issues | ||
| + | wget -U "" | ||
| + | https:// | ||
| + | releases/ | ||
| + | tar -z -x -f / | ||
| + | |||
| # Configuration parameters | # Configuration parameters | ||
| - | export EASYRSA_PKI=" | + | cat << EOF > / |
| - | export | + | export EASYRSA_PKI=" |
| + | export | ||
| + | export EASYRSA_CERT_EXPIRE="3650" | ||
| export EASYRSA_BATCH=" | export EASYRSA_BATCH=" | ||
| + | alias easyrsa="/ | ||
| + | EOF | ||
| + | . / | ||
| - | # Remove and re-initialize | + | # Remove and re-initialize PKI directory |
| easyrsa init-pki | easyrsa init-pki | ||
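Review bot: the 'wget -U ""' / 'https://' / 'releases/' lines followed by 'tar -z -x -f' fetch and unpack an EasyRSA release with no integrity check before it becomes the toolchain that mints the CA and every key; pin the exact release version and compare the tarball against the checksum or signature published with that release before the tar step, and let the "Work around EasyRSA issues" comment name the issue in the opkg package so readers know when the workaround can go. 'export EASYRSA_CERT_EXPIRE="3650"' makes every issued server and client certificate valid for ten years, and no revocation step (easyrsa gen-crl plus crl-verify in the server config) appears anywhere on the page, so a lost client profile stays usable for that whole period; either shorten the lifetime or add the CRL step to this section.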
| Line 70: | Line 72: | ||
| easyrsa build-ca nopass | easyrsa build-ca nopass | ||
| - | # Generate | + | # Generate server |
| easyrsa build-server-full server nopass | easyrsa build-server-full server nopass | ||
| + | openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/ | ||
| - | # Generate | + | # Generate client |
| easyrsa build-client-full client nopass | easyrsa build-client-full client nopass | ||
| - | + | openvpn | |
| - | # Generate TLS PSK | + | --genkey |
| - | openvpn --genkey --secret | + | |
| </ | </ | ||
| ==== 3. Firewall ==== | ==== 3. Firewall ==== | ||
| - | Consider VPN network as private | + | Consider VPN network as private. |
| + | Assign | ||
| Allow access to VPN server from WAN zone. | Allow access to VPN server from WAN zone. | ||
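Review bot: 'easyrsa build-ca nopass' leaves the CA private key unencrypted in the PKI directory on the router next to the server key, while the text two lines above only says to "Utilize private key password protection if necessary". The running server never needs the CA key (only ca.crt, the server certificate and key, and the tls-crypt-v2 server key), so the guide should at least recommend a passphrase for the CA, or moving the CA key off the router once the client certificates are issued. The move from 'openvpn --genkey --secret' (one shared key for all peers) to 'tls-crypt-v2-server' plus a per-client '--genkey' is the right direction; the truncated client genkey line should make clear that the client key is derived from the server key file created two lines earlier, because that ordering is what makes the client key valid.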
| Line 88: | Line 91: | ||
| uci rename firewall.@zone[0]=" | uci rename firewall.@zone[0]=" | ||
| uci rename firewall.@zone[1]=" | uci rename firewall.@zone[1]=" | ||
| - | uci rename firewall.@forwarding[0]=" | + | uci del_list firewall.lan.device=" |
| - | uci del_list firewall.lan.device=" | + | uci add_list firewall.lan.device=" |
| - | uci add_list firewall.lan.device=" | + | |
| uci -q delete firewall.ovpn | uci -q delete firewall.ovpn | ||
| uci set firewall.ovpn=" | uci set firewall.ovpn=" | ||
| uci set firewall.ovpn.name=" | uci set firewall.ovpn.name=" | ||
| uci set firewall.ovpn.src=" | uci set firewall.ovpn.src=" | ||
| - | uci set firewall.ovpn.dest_port=" | + | uci set firewall.ovpn.dest_port=" |
| - | uci set firewall.ovpn.proto=" | + | uci set firewall.ovpn.proto=" |
| uci set firewall.ovpn.target=" | uci set firewall.ovpn.target=" | ||
| uci commit firewall | uci commit firewall | ||
| - | / | + | service |
| </ | </ | ||
| - | ==== 4. Basic server | + | ==== 4. VPN service |
| - | Configure VPN server | + | Configure VPN service |
| <code bash> | <code bash> | ||
| - | # Configuration parameters | + | # Configure VPN service |
| - | OVPN_DH=" | + | |
| - | OVPN_TC=" | + | |
| - | OVPN_CA=" | + | |
| - | NL=$' | + | |
| - | + | ||
| - | # Configure VPN server | + | |
| umask go= | umask go= | ||
| - | ls ${OVPN_PKI}/issued \ | + | VPN_DH=" |
| + | VPN_CA=" | ||
| + | ls ${VPN_PKI}/issued \ | ||
| | sed -e " | | sed -e " | ||
| - | | while read -r OVPN_ID | + | | while read -r VPN_ID |
| do | do | ||
| - | OVPN_KEY=" | + | VPN_TC=" |
| - | OVPN_CERT="$(openssl x509 -in ${OVPN_PKI}/issued/${OVPN_ID}.crt)" | + | VPN_KEY="$(cat ${VPN_PKI}/private/${VPN_ID}.key)" |
| - | OVPN_CERT_EXT=" | + | VPN_CERT=" |
| - | OVPN_CONF_SERVER="\ | + | VPN_EKU=" |
| + | case ${VPN_EKU} in | ||
| + | (*"SSL server : Yes" | ||
| + | VPN_CONF="${VPN_DIR}/ | ||
| + | cat << EOF > ${VPN_CONF} ;; | ||
| user nobody | user nobody | ||
| group nogroup | group nogroup | ||
| - | dev ${OVPN_DEV} | + | dev tun |
| - | port ${OVPN_PORT} | + | port ${VPN_PORT} |
| - | proto ${OVPN_PROTO} | + | proto ${VPN_PROTO} |
| - | server ${OVPN_POOL} | + | server ${VPN_POOL} |
| topology subnet | topology subnet | ||
| client-to-client | client-to-client | ||
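Review bot: 'uci add_list firewall.lan.device="' (the device value is cut off in this rendering) puts the VPN interface into the lan zone, so every VPN client gets exactly the LAN's firewall treatment, including access to the router's own services and, with 'client-to-client' in the server config, to every other VPN client. That matches "Consider VPN network as private", but the section should say it explicitly and point readers who hand out profiles to less-trusted devices at a separate zone with its own forwarding rules. Minor: 'firewall.ovpn.dest_port=' and 'firewall.ovpn.proto=' now take values where the old revision had literals; those must be the same VPN_PORT and VPN_PROTO defined in section 1, since this ACCEPT rule from wan is the only thing exposing the service.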
| Line 133: | Line 135: | ||
| persist-tun | persist-tun | ||
| persist-key | persist-key | ||
| - | push \" | + | push " |
| - | push \" | + | push " |
| - | push \" | + | push " |
| - | push \" | + | push " |
| - | push \" | + | push " |
| - | < | + | <dh> |
| - | OVPN_CONF_CLIENT="\ | + | ${VPN_DH} |
| - | dev ${OVPN_DEV%%[0-9]*} | + | </dh> |
| + | EOF | ||
| + | (*"SSL client : Yes"*) | ||
| + | VPN_CONF="${VPN_DIR}/ | ||
| + | cat << EOF > ${VPN_CONF} ;; | ||
| + | user nobody | ||
| + | group nogroup | ||
| + | dev tun | ||
| nobind | nobind | ||
| client | client | ||
| - | remote ${OVPN_SERV} ${OVPN_PORT} ${OVPN_PROTO} | + | remote ${VPN_SERV} ${VPN_PORT} ${VPN_PROTO} |
| auth-nocache | auth-nocache | ||
| - | remote-cert-tls server" | + | remote-cert-tls server |
| - | OVPN_CONF_COMMON=" | + | |
| - | < | + | |
| - | < | + | |
| - | < | + | |
| - | < | + | |
| - | case ${OVPN_CERT_EXT} in | + | |
| - | (*"SSL server : Yes"*) cat << EOF > ${OVPN_DIR}/ | + | |
| - | ${OVPN_CONF_SERVER} | + | |
| - | ${OVPN_CONF_COMMON} | + | |
| - | EOF | + | |
| - | (*"SSL client : Yes"*) cat << EOF > ${OVPN_DIR}/ | + | |
| - | ${OVPN_CONF_CLIENT} | + | |
| - | ${OVPN_CONF_COMMON} | + | |
| EOF | EOF | ||
| esac | esac | ||
| + | cat << EOF >> ${VPN_CONF} | ||
| + | < | ||
| + | ${VPN_TC} | ||
| + | </ | ||
| + | <key> | ||
| + | ${VPN_KEY} | ||
| + | </ | ||
| + | < | ||
| + | ${VPN_CERT} | ||
| + | </ | ||
| + | <ca> | ||
| + | ${VPN_CA} | ||
| + | </ca> | ||
| + | EOF | ||
| done | done | ||
| - | / | + | service |
| - | ls ${OVPN_DIR}/*.ovpn | + | ls ${VPN_DIR}/*.ovpn |
| </ | </ | ||
| - | Perform OpenWrt [[docs: | + | Basic openvpn server configuration is now complete. |
| - | Extract | + | - Perform OpenWrt [[docs: |
| + | - Either extract | ||
| + | - Review/edit the IP address for the ' | ||
| + | - Import the client.ovpn profile into your clients. | ||
| + | |||
| + | For an additional .ovpn after completing the above: | ||
| + | - Run this [[docs: | ||
| + | - Now make a script consisting of the " | ||
| ===== Testing ===== | ===== Testing ===== | ||
| - | Establish the VPN connection. | + | {{section>docs:guide-user:services:vpn: |
| - | Verify your client traffic is routed via VPN gateway. | + | |
| - | + | ||
| - | <code bash> | + | |
| - | traceroute openwrt.org | + | |
| - | traceroute6 openwrt.org | + | |
| - | </ | + | |
| - | + | ||
| - | Check your client public IP addresses. | + | |
| - | * [[https:// | + | |
| - | Make sure there is no DNS leak on the client side. | + | |
| - | * [[https:// | + | |
| - | Delegate a public IPv6 prefix to VPN6 network to use IPv6 by default. | + | |
| - | * [[https:// | + | |
| ===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
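Review bot: the client branch writes the client's unencrypted private key ('<key>' / '${VPN_KEY}', generated with nopass in section 2) and its tls-crypt-v2 key straight into client.ovpn, and step 2 of the numbered list then has the user "extract" that file from the router. That profile is the whole credential, so the list should say to transfer it only over SSH/scp or the authenticated LuCI session and to delete the .ovpn copies under VPN_DIR afterwards ('umask go=' keeps them root-only, but they stay on the flash until removed, and the "Run this ... script" step for additional profiles regenerates them). The 'case ${VPN_EKU}' dispatch on "SSL server : Yes" / "SSL client : Yes" is a clear improvement over the old string assembly. Separately, the Testing section's explicit checks (traceroute, public IP, DNS-leak test, IPv6 delegation) are replaced by a '{{section>' include; confirm the included section still carries the DNS-leak check, since the DNS address pushed from section 1 is the only thing preventing that leak.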
| Line 190: | Line 194: | ||
| <code bash> | <code bash> | ||
| # Restart services | # Restart services | ||
| - | / | + | service |
| # Log and status | # Log and status | ||
| Line 197: | Line 201: | ||
| # Runtime configuration | # Runtime configuration | ||
| pgrep -f -a openvpn | pgrep -f -a openvpn | ||
| - | ip address show; ip route show table all type unicast | + | ip address show; ip route show table all |
| - | ip rule show; ip -6 rule show; iptables-save; | + | ip rule show; ip -6 rule show; nft list ruleset |
| # Persistent configuration | # Persistent configuration | ||
| uci show network; uci show firewall; uci show openvpn | uci show network; uci show firewall; uci show openvpn | ||
| - | head -n -0 / | + | head -v -n -0 / |
| </ | </ | ||
| + | |||
| + | ===== Notes ===== | ||
| + | For beginners to OpenVPN server, this PDF guide may be helpful. | ||
| + | [[https:// | ||
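Review bot: the troubleshooting line now shows only 'nft list ruleset' where the old revision had 'iptables-save;', but the Introduction sets the requirement at "OpenWrt 21.02+". 21.02 still ships the iptables-based fw3 firewall, and nftables/fw4 arrived with 22.03, so on a 21.02 router this command shows nothing useful; either keep 'iptables-save' alongside 'nft list ruleset' or raise the stated minimum to 22.03. The added "Notes" link is cut off in this rendering, so its target cannot be checked here; a one-line description of what the PDF covers would help readers decide whether to follow it.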