| docs:guide-user:services:vpn:openvpn:server [2021/09/27 04:56] – [1. Preparation] reorganize vgaetera | docs:guide-user:services:vpn:openvpn:server [2023/10/14 05:14] – use service invocation vgaetera | ||
| Line 1: | Line 1: | ||
| ====== OpenVPN server ====== | ====== OpenVPN server ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| * This how-to describes the method for setting up [[wp> | * This how-to describes the method for setting up [[wp> | ||
| * Follow [[docs: | * Follow [[docs: | ||
| + | * It requires OpenWrt 21.02+ with OpenVPN 2.5+ supporting '' | ||
| + | * OpenWrt 19.07 users with OpenVPN 2.4 should refer to an [[docs: | ||
| ===== Goals ===== | ===== Goals ===== | ||
| Line 12: | Line 14: | ||
| ==== 1. Preparation ==== | ==== 1. Preparation ==== | ||
| Install the required packages. | Install the required packages. | ||
| - | Specify | + | Specify configuration parameters |
| <code bash> | <code bash> | ||
| Line 20: | Line 22: | ||
| # Configuration parameters | # Configuration parameters | ||
| - | OVPN_DIR="/ | + | VPN_DIR="/ |
| - | OVPN_PKI="/ | + | VPN_PKI="/ |
| - | OVPN_PORT=" | + | VPN_PORT=" |
| - | OVPN_PROTO=" | + | VPN_PROTO=" |
| - | OVPN_POOL=" | + | VPN_POOL=" |
| - | OVPN_DNS="${OVPN_POOL%.* *}.1" | + | VPN_DNS="${VPN_POOL%.* *}.1" |
| - | OVPN_DOMAIN=" | + | VPN_DN=" |
| - | # Fetch WAN IP address | + | # Fetch server |
| + | NET_FQDN=" | ||
| . / | . / | ||
| network_flush_cache | network_flush_cache | ||
| network_find_wan NET_IF | network_find_wan NET_IF | ||
| network_get_ipaddr NET_ADDR " | network_get_ipaddr NET_ADDR " | ||
| - | OVPN_SERV=" | ||
| - | |||
| - | # Fetch FQDN from DDNS client | ||
| - | NET_FQDN=" | ||
| if [ -n " | if [ -n " | ||
| - | then OVPN_SERV=" | + | then VPN_SERV=" |
| + | else VPN_SERV=" | ||
| fi | fi | ||
| </ | </ | ||
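Review bot: The new `else VPN_SERV="${NET_ADDR}"` branch is taken whenever the DDNS host is empty, but nothing checks that `network_find_wan`/`network_get_ipaddr` actually produced an address, so with no WAN interface up the client profile generated later ends up with a `remote` line whose host is empty and the failure only shows up at connect time. A one-line guard after the `fi` makes this visible where it happens: `[ -n "${VPN_SERV}" ] || echo "VPN_SERV is empty: no DDNS host and no WAN address found" >&2`. A WAN IPv4 that is private (CGNAT) or dynamic is also not a usable `remote` from the Internet; the later instruction to review the address covers that, but a comment next to the fallback (`# WAN IP may be private or dynamic; a DDNS hostname is preferred`) would help readers who stop here. The `<code bash>` block these lines belong to opens before this hunk.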
| Line 48: | Line 48: | ||
| <code bash> | <code bash> | ||
| # Configuration parameters | # Configuration parameters | ||
| - | export EASYRSA_PKI=" | + | cat << EOF > / |
| - | export | + | export EASYRSA_PKI=" |
| + | export | ||
| + | export EASYRSA_CERT_EXPIRE="3650" | ||
| export EASYRSA_BATCH=" | export EASYRSA_BATCH=" | ||
| + | EOF | ||
| + | . / | ||
| - | # Remove and re-initialize | + | # Remove and re-initialize PKI directory |
| easyrsa init-pki | easyrsa init-pki | ||
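Review bot: The added `export EASYRSA_CERT_EXPIRE="3650"` gives every certificate issued in the next step, server and client alike, a ten-year lifetime, and nothing visible on this page sets up revocation (`easyrsa gen-crl` plus `crl-verify` in the server config), so a lost or compromised client device stays able to connect for a decade unless the whole PKI is rebuilt. Either use a shorter client lifetime or document the revocation path; at minimum add above the line: `# 10-year certs: revoke a lost client with 'easyrsa revoke <name>; easyrsa gen-crl' and add 'crl-verify' to the server config`. The `cat << EOF >` here-document now writes these exports to a file that is sourced right after `EOF`; its path is truncated in this rendering, so I cannot confirm whether it lands in a location that every login shell also reads.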
| Line 61: | Line 65: | ||
| easyrsa build-ca nopass | easyrsa build-ca nopass | ||
| - | # Generate | + | # Generate server |
| easyrsa build-server-full server nopass | easyrsa build-server-full server nopass | ||
| + | openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/ | ||
| - | # Generate | + | # Generate client |
| easyrsa build-client-full client nopass | easyrsa build-client-full client nopass | ||
| - | + | openvpn | |
| - | # Generate TLS PSK | + | --genkey |
| - | openvpn --genkey | + | |
| </ | </ | ||
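Review bot: With the switch to per-client `tls-crypt-v2` keys, the server key written under `${EASYRSA_PKI}/` becomes a long-term secret that wraps every client key, yet the surrounding `easyrsa build-ca nopass` and `build-client-full client nopass` lines also leave the CA key and client keys unencrypted on the router, and the page never says so. That may be acceptable for a home router, but it deserves a comment above `easyrsa build-ca nopass`: `# nopass: the CA key stays unencrypted under ${EASYRSA_PKI}/private; keep that directory root-only or move the CA offline once certs are issued`. The client-side `--genkey` call on the last lines is split across two cells here and its arguments are truncated, so I cannot confirm it is derived from the server key as tls-crypt-v2 requires.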
| Line 86: | Line 90: | ||
| uci set firewall.ovpn.name=" | uci set firewall.ovpn.name=" | ||
| uci set firewall.ovpn.src=" | uci set firewall.ovpn.src=" | ||
| - | uci set firewall.ovpn.dest_port=" | + | uci set firewall.ovpn.dest_port=" |
| - | uci set firewall.ovpn.proto=" | + | uci set firewall.ovpn.proto=" |
| uci set firewall.ovpn.target=" | uci set firewall.ovpn.target=" | ||
| uci commit firewall | uci commit firewall | ||
| - | / | + | service |
| </ | </ | ||
| Line 97: | Line 101: | ||
| <code bash> | <code bash> | ||
| - | # Configuration parameters | ||
| - | OVPN_DH=" | ||
| - | OVPN_TC=" | ||
| - | OVPN_CA=" | ||
| - | NL=$' | ||
| - | |||
| # Configure VPN service and generate client profiles | # Configure VPN service and generate client profiles | ||
| umask go= | umask go= | ||
| - | ls ${OVPN_PKI}/issued \ | + | VPN_DH=" |
| + | VPN_CA=" | ||
| + | ls ${VPN_PKI}/issued \ | ||
| | sed -e " | | sed -e " | ||
| - | | while read -r OVPN_ID | + | | while read -r VPN_ID |
| do | do | ||
| - | OVPN_KEY=" | + | VPN_TC=" |
| - | OVPN_CERT="$(openssl x509 -in ${OVPN_PKI}/issued/${OVPN_ID}.crt)" | + | VPN_KEY="$(cat ${VPN_PKI}/private/${VPN_ID}.key)" |
| - | OVPN_EKU=" | + | VPN_CERT=" |
| - | case ${OVPN_EKU} in | + | VPN_EKU=" |
| + | case ${VPN_EKU} in | ||
| (*"SSL server : Yes"*) | (*"SSL server : Yes"*) | ||
| - | OVPN_CONF="\ | + | VPN_CONF="${VPN_DIR}/ |
| - | port ${OVPN_PORT} | + | cat << EOF > ${VPN_CONF} ;; |
| - | proto ${OVPN_PROTO} | + | user nobody |
| - | server ${OVPN_POOL} | + | group nogroup |
| + | dev tun | ||
| + | port ${VPN_PORT} | ||
| + | proto ${VPN_PROTO} | ||
| + | server ${VPN_POOL} | ||
| topology subnet | topology subnet | ||
| client-to-client | client-to-client | ||
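Review bot: `cat << EOF > ${VPN_CONF} ;;` relies on the here-document body being read from the lines that follow the `;;` case-arm terminator; that is valid shell (the body starts after the next newline) and it is what allows `esac` to follow the second `EOF`, but it is unusual enough that a future editor is likely to "fix" it and break the generator. Add a comment on the first occurrence: `# the here-document body is taken from the following lines, so the case arm can already be closed here`. The server arm also keeps `client-to-client`, which lets VPN clients reach each other directly through the server; since this is a policy choice, one comment (`# remove client-to-client to isolate clients from each other`) would help. The `case` and the enclosing `while read -r VPN_ID` loop both continue past the end of this hunk.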
| Line 123: | Line 128: | ||
| persist-tun | persist-tun | ||
| persist-key | persist-key | ||
| - | push \" | + | push " |
| - | push \" | + | push " |
| - | push \" | + | push " |
| - | push \" | + | push " |
| - | push \" | + | push " |
| - | < | + | <dh> |
| - | OVPN_EXT=" | + | ${VPN_DH} |
| + | </ | ||
| + | EOF | ||
| (*"SSL client : Yes"*) | (*"SSL client : Yes"*) | ||
| - | OVPN_CONF="\ | + | VPN_CONF="${VPN_DIR}/ |
| + | cat << EOF > ${VPN_CONF} ;; | ||
| + | user nobody | ||
| + | group nogroup | ||
| + | dev tun | ||
| nobind | nobind | ||
| client | client | ||
| - | remote ${OVPN_SERV} ${OVPN_PORT} ${OVPN_PROTO} | + | remote ${VPN_SERV} ${VPN_PORT} ${VPN_PROTO} |
| auth-nocache | auth-nocache | ||
| - | remote-cert-tls server" | + | remote-cert-tls server |
| - | OVPN_EXT=" | + | EOF |
| esac | esac | ||
| - | cat << EOF > ${OVPN_DIR}/ | + | cat << EOF >> ${VPN_CONF} |
| - | user nobody | + | < |
| - | group nogroup | + | ${VPN_TC} |
| - | dev tun | + | </ |
| - | ${OVPN_CONF} | + | <key> |
| - | < | + | ${VPN_KEY} |
| - | < | + | </ |
| - | < | + | < |
| - | < | + | ${VPN_CERT} |
| + | </ | ||
| + | <ca> | ||
| + | ${VPN_CA} | ||
| + | </ca> | ||
| EOF | EOF | ||
| done | done | ||
| - | / | + | service |
| - | ls ${OVPN_DIR}/*.ovpn | + | ls ${VPN_DIR}/*.ovpn |
| </ | </ | ||
| - | Perform OpenWrt [[docs: | + | Basic openvpn server configuration is now complete. |
| - | Extract | + | - Perform OpenWrt [[docs: |
| + | - Either extract | ||
| + | - Review/edit the IP address for the ' | ||
| + | - Import the client.ovpn profile into your clients. | ||
| + | For an additional .ovpn after completing the above: | ||
| + | - Run this [[docs: | ||
| + | - Now make a script consisting of the " | ||
| ===== Testing ===== | ===== Testing ===== | ||
| {{section> | {{section> | ||
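Review bot: The generated client.ovpn embeds the client's private key (`<key>`) and its tls-crypt-v2 key, but the new step list ("Either extract …", "Import the client.ovpn profile into your clients") does not say that the file is itself a credential; the text is truncated in this rendering, so disregard if a later sentence covers it. Suggest adding after the import step: `The .ovpn file contains the client's private key and tls-crypt-v2 key; transfer it over a trusted channel (for example scp) and delete any copy you no longer need.` It is also worth stating that the `umask go=` set before the loop is what keeps the copies under `${VPN_DIR}` readable by root only. The `while` loop closed by `done` in this hunk opens in the previous one.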
| Line 165: | Line 186: | ||
| <code bash> | <code bash> | ||
| # Restart services | # Restart services | ||
| - | / | + | service |
| # Log and status | # Log and status | ||
| Line 173: | Line 194: | ||
| pgrep -f -a openvpn | pgrep -f -a openvpn | ||
| ip address show; ip route show table all | ip address show; ip route show table all | ||
| - | ip rule show; iptables-save -c | + | ip rule show; ip -6 rule show; nft list ruleset |
| - | ip -6 rule show; ip6tables-save -c | + | |
| # Persistent configuration | # Persistent configuration | ||
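Review bot: `nft list ruleset` replaces `iptables-save -c` and `ip6tables-save -c` in the troubleshooting commands, but the Introduction changed in the same revision now says the page requires OpenWrt 21.02+, and as far as I recall 21.02 still ships the iptables-based fw3, so on that release this command shows nothing useful. Either raise the stated requirement to the release where fw4/nftables became the default, or keep both forms: `ip rule show; ip -6 rule show; nft list ruleset 2>/dev/null || { iptables-save -c; ip6tables-save -c; }`.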
| Line 180: | Line 200: | ||
| head -v -n -0 / | head -v -n -0 / | ||
| </ | </ | ||
| + | |||
| + | ===== Notes ===== | ||
| + | For beginners to OpenVPN server, this PDF guide may be helpful. | ||
| + | [[https:// | ||