| docs:guide-user:services:vpn:openvpn:server [2021/10/18 01:21] – use OpenVPN 2.5, tls-crypt-v2 vgaetera | docs:guide-user:services:vpn:openvpn:server [2023/10/14 05:14] – use service invocation vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== OpenVPN server ====== | ====== OpenVPN server ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| * This how-to describes the method for setting up [[wp> | * This how-to describes the method for setting up [[wp> | ||
| * Follow [[docs: | * Follow [[docs: | ||
| + | * It requires OpenWrt 21.02+ with OpenVPN 2.5+ supporting '' | ||
| + | * OpenWrt 19.07 users with OpenVPN 2.4 should refer to an [[docs: | ||
| ===== Goals ===== | ===== Goals ===== | ||
| Line 12: | Line 14: | ||
| ==== 1. Preparation ==== | ==== 1. Preparation ==== | ||
| Install the required packages. | Install the required packages. | ||
| - | Specify | + | Specify configuration parameters |
| <code bash> | <code bash> | ||
| Line 20: | Line 22: | ||
| # Configuration parameters | # Configuration parameters | ||
| - | OVPN_DIR="/ | + | VPN_DIR="/ |
| - | OVPN_PKI="/ | + | VPN_PKI="/ |
| - | OVPN_PORT=" | + | VPN_PORT=" |
| - | OVPN_PROTO=" | + | VPN_PROTO=" |
| - | OVPN_POOL=" | + | VPN_POOL=" |
| - | OVPN_DNS="${OVPN_POOL%.* *}.1" | + | VPN_DNS="${VPN_POOL%.* *}.1" |
| - | OVPN_DOMAIN=" | + | VPN_DN=" |
| - | # Fetch WAN IP address | + | # Fetch server |
| + | NET_FQDN=" | ||
| . / | . / | ||
| network_flush_cache | network_flush_cache | ||
| network_find_wan NET_IF | network_find_wan NET_IF | ||
| network_get_ipaddr NET_ADDR " | network_get_ipaddr NET_ADDR " | ||
| - | OVPN_SERV=" | ||
| - | |||
| - | # Fetch FQDN from DDNS client | ||
| - | NET_FQDN=" | ||
| if [ -n " | if [ -n " | ||
| - | then OVPN_SERV=" | + | then VPN_SERV=" |
| + | else VPN_SERV=" | ||
| fi | fi | ||
| </ | </ | ||
| Line 48: | Line 48: | ||
| <code bash> | <code bash> | ||
| # Configuration parameters | # Configuration parameters | ||
| - | export EASYRSA_PKI=" | + | cat << EOF > / |
| - | export | + | export EASYRSA_PKI=" |
| + | export | ||
| + | export EASYRSA_CERT_EXPIRE="3650" | ||
| export EASYRSA_BATCH=" | export EASYRSA_BATCH=" | ||
| + | EOF | ||
| + | . / | ||
| - | # Remove and re-initialize | + | # Remove and re-initialize PKI directory |
| easyrsa init-pki | easyrsa init-pki | ||
| Line 61: | Line 65: | ||
| easyrsa build-ca nopass | easyrsa build-ca nopass | ||
| - | # Generate | + | # Generate server |
| easyrsa build-server-full server nopass | easyrsa build-server-full server nopass | ||
| + | openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/ | ||
| - | # Generate | + | # Generate client |
| easyrsa build-client-full client nopass | easyrsa build-client-full client nopass | ||
| - | |||
| - | # Generate TLS crypt v2 server key | ||
| - | openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/ | ||
| - | |||
| - | # Generate TLS crypt v2 client key | ||
| openvpn --tls-crypt-v2 ${EASYRSA_PKI}/ | openvpn --tls-crypt-v2 ${EASYRSA_PKI}/ | ||
| --genkey tls-crypt-v2-client ${EASYRSA_PKI}/ | --genkey tls-crypt-v2-client ${EASYRSA_PKI}/ | ||
| Line 90: | Line 90: | ||
| uci set firewall.ovpn.name=" | uci set firewall.ovpn.name=" | ||
| uci set firewall.ovpn.src=" | uci set firewall.ovpn.src=" | ||
| - | uci set firewall.ovpn.dest_port=" | + | uci set firewall.ovpn.dest_port=" |
| - | uci set firewall.ovpn.proto=" | + | uci set firewall.ovpn.proto=" |
| uci set firewall.ovpn.target=" | uci set firewall.ovpn.target=" | ||
| uci commit firewall | uci commit firewall | ||
| - | / | + | service |
| </ | </ | ||
| Line 103: | Line 103: | ||
| # Configure VPN service and generate client profiles | # Configure VPN service and generate client profiles | ||
| umask go= | umask go= | ||
| - | OVPN_DH=" | + | VPN_DH=" |
| - | OVPN_CA=" | + | VPN_CA=" |
| - | ls ${OVPN_PKI}/issued \ | + | ls ${VPN_PKI}/issued \ |
| | sed -e " | | sed -e " | ||
| - | | while read -r OVPN_ID | + | | while read -r VPN_ID |
| do | do | ||
| - | OVPN_KEY=" | + | VPN_TC=" |
| - | OVPN_CERT="$(openssl x509 -in ${OVPN_PKI}/issued/${OVPN_ID}.crt)" | + | VPN_KEY="$(cat ${VPN_PKI}/private/${VPN_ID}.key)" |
| - | OVPN_TC="$(cat ${OVPN_PKI}/private/${OVPN_ID}.pem)" | + | VPN_CERT="$(openssl x509 -in ${VPN_PKI}/issued/${VPN_ID}.crt)" |
| - | OVPN_EKU=" | + | VPN_EKU="$(echo " |
| - | case ${OVPN_EKU} in | + | case ${VPN_EKU} in |
| (*"SSL server : Yes"*) | (*"SSL server : Yes"*) | ||
| - | OVPN_CONF="${OVPN_DIR}/${OVPN_ID}.conf" | + | VPN_CONF="${VPN_DIR}/${VPN_ID}.conf" |
| - | cat << EOF > ${OVPN_CONF} ;; | + | cat << EOF > ${VPN_CONF} ;; |
| user nobody | user nobody | ||
| group nogroup | group nogroup | ||
| dev tun | dev tun | ||
| - | port ${OVPN_PORT} | + | port ${VPN_PORT} |
| - | proto ${OVPN_PROTO} | + | proto ${VPN_PROTO} |
| - | server ${OVPN_POOL} | + | server ${VPN_POOL} |
| topology subnet | topology subnet | ||
| client-to-client | client-to-client | ||
| Line 128: | Line 128: | ||
| persist-tun | persist-tun | ||
| persist-key | persist-key | ||
| - | push " | + | push " |
| - | push " | + | push " |
| push " | push " | ||
| push " | push " | ||
| push " | push " | ||
| <dh> | <dh> | ||
| - | ${OVPN_DH} | + | ${VPN_DH} |
| </dh> | </dh> | ||
| EOF | EOF | ||
| (*"SSL client : Yes"*) | (*"SSL client : Yes"*) | ||
| - | OVPN_CONF="${OVPN_DIR}/${OVPN_ID}.ovpn" | + | VPN_CONF="${VPN_DIR}/${VPN_ID}.ovpn" |
| - | cat << EOF > ${OVPN_CONF} ;; | + | cat << EOF > ${VPN_CONF} ;; |
| user nobody | user nobody | ||
| group nogroup | group nogroup | ||
| Line 145: | Line 145: | ||
| nobind | nobind | ||
| client | client | ||
| - | remote ${OVPN_SERV} ${OVPN_PORT} ${OVPN_PROTO} | + | remote ${VPN_SERV} ${VPN_PORT} ${VPN_PROTO} |
| auth-nocache | auth-nocache | ||
| remote-cert-tls server | remote-cert-tls server | ||
| EOF | EOF | ||
| esac | esac | ||
| - | cat << EOF >> ${OVPN_CONF} | + | cat << EOF >> ${VPN_CONF} |
| < | < | ||
| - | ${OVPN_TC} | + | ${VPN_TC} |
| </ | </ | ||
| <key> | <key> | ||
| - | ${OVPN_KEY} | + | ${VPN_KEY} |
| </ | </ | ||
| < | < | ||
| - | ${OVPN_CERT} | + | ${VPN_CERT} |
| </ | </ | ||
| <ca> | <ca> | ||
| - | ${OVPN_CA} | + | ${VPN_CA} |
| </ca> | </ca> | ||
| EOF | EOF | ||
| done | done | ||
| - | / | + | service |
| - | ls ${OVPN_DIR}/*.ovpn | + | ls ${VPN_DIR}/*.ovpn |
| </ | </ | ||
| - | Perform OpenWrt [[docs: | + | Basic openvpn server configuration is now complete. |
| - | Extract | + | - Perform OpenWrt [[docs: |
| + | - Either extract | ||
| + | - Review/edit the IP address for the ' | ||
| + | - Import the client.ovpn profile into your clients. | ||
| + | For an additional .ovpn after completing the above: | ||
| + | - Run this [[docs: | ||
| + | - Now make a script consisting of the " | ||
| ===== Testing ===== | ===== Testing ===== | ||
| {{section> | {{section> | ||
| Line 180: | Line 186: | ||
| <code bash> | <code bash> | ||
| # Restart services | # Restart services | ||
| - | / | + | service |
| # Log and status | # Log and status | ||
| Line 188: | Line 194: | ||
| pgrep -f -a openvpn | pgrep -f -a openvpn | ||
| ip address show; ip route show table all | ip address show; ip route show table all | ||
| - | ip rule show; iptables-save -c | + | ip rule show; ip -6 rule show; nft list ruleset |
| - | ip -6 rule show; ip6tables-save -c | + | |
| # Persistent configuration | # Persistent configuration | ||
| Line 195: | Line 200: | ||
| head -v -n -0 / | head -v -n -0 / | ||
| </ | </ | ||
| + | |||
| + | ===== Notes ===== | ||
| + | For beginners to OpenVPN server, this PDF guide may be helpful. | ||
| + | [[https:// | ||
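Review bot: The new `export EASYRSA_CERT_EXPIRE="3650"` line in the vars file written in the "Line 48:" hunk gives every server and client certificate a ten-year lifetime, and none of the visible hunks generate a CRL or add `crl-verify` to the server config assembled in the "Line 103:" hunk, so a lost client profile stays valid for a decade unless revocation is handled elsewhere on the page. I would document that trade-off next to the line, e.g. `# 10-year validity; revoke lost client profiles with "easyrsa revoke <name>" and "easyrsa gen-crl", and load the CRL via crl-verify`. The .ovpn files under ${VPN_DIR} embed the client private key and tls-crypt-v2 key (the VPN_KEY and VPN_TC lines), which the existing `umask go=` protects on disk, so the new "Either extract ..." step should tell the reader to keep that restriction when copying them off the router. The while loop that writes the profiles is interrupted by the "Line 128:" and "Line 145:" markers, so part of its body is outside this view.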