OpenWrt Forum Archive

Topic: OpenVPN Server on a WRT54G Strawman Config

The content of this topic has been archived on 29 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I finally got around to documenting my WRT54G/OpenWrt OpenVPN server and a notebook Win2K OpenVPN client in one spot.  Lacking is key generation.  I think I used about every security option there is, though.

I don't have a full understanding of cert and key files - but client keys were all generated the same time as the server and each end should have the minimum files required.  I generated more keys than I'll ever use long ago using Win2K commandline easy-rsa in version 2.0.5.  I understand new key file formats may be used now and the GUI is much easier to use.

This particular configuration has been used for over a year with much success and remained virtually identical on RC4/5/6/0.9.  I recall user and group 'nobody' and 'nogroup' may have been an issue on RC4(?).  OpenVPN itself started at 2.0.5, which is what I still run on the Win2K notebook.

From hotspots and hotels anywhere in the world my Win2K notebook can connect and behave as if it were plugged into my LAN, including internet access out my LAN gateway.  It uses my LAN DNS server, too.  If you don't have a LAN DNS server I think you should be able to push your ISP's DNS the same way.  I wanted nothing, including DNS, to be public, and I watched it several times to be sure *everything* was through the tunnel and added a note about TAP networking order in Win2K to accomplish this.

This is a BRIDGED configuration.  If you just want to connect to the OpenVPN server and not become an IP on an existing LAN then this configuration is not for you.

Linux clients and Windows servers should be very similar.

I like to convey important things rather than "do this" HowTo format.  For example, you can use chmod or WinSCP to set x permissions for the startup file /etc/init.d/S70openvpnserver.

I've munged most filenames to generic ones and carefully altered addresses (these are not my real LAN addresses).  I hope there are no errors.  My goal is to get this down for any discussions.

First, the WRT54G Server...

*** OpenVPN Server on OpenWrt 0.9

OpenVPN 2.0.8-1
Webif response when installing...
   Installing openvpn (2.0.8-1) to root...
   Downloading http://downloads.openwrt.org/whiterussian/packages/openvpn_2.0.8-1_mipsel.ipk
   Installing kmod-tun (2.4.30-brcm-5) to root...
   Downloading http://downloads.openwrt.org/whiterussian/packages/kmod-tun_2.4.30-brcm-5_mipsel.ipk
   Installing libopenssl (0.9.8d-1) to root...
   Downloading http://downloads.openwrt.org/whiterussian/packages/libopenssl_0.9.8d-1_mipsel.ipk
   Installing liblzo (2.02-1) to root...
   Downloading http://downloads.openwrt.org/whiterussian/packages/liblzo_2.02-1_mipsel.ipk
   Configuring kmod-tun
   Configuring liblzo
   Configuring libopenssl
   Configuring openvpn
   Successfully terminated.

Server configuration file
LAN is currently 192.168.34.0/24
OpenVPN clients will be assigned 192.168.34.21-25
Existing LAN gateway is 192.168.34.1
Existing LAN DNS server is 192.168.34.55
/tmp/log/openvpn.log very helpful
  /etc/openvpn/server.conf
    daemon
    port (MyOpenVPNPort)
    proto udp
    dev tap0
    ca   /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/server01.crt
    key  /etc/openvpn/keys/server01.key
    dh   /etc/openvpn/keys/dh1024.pem
    server-bridge 192.168.34.1 255.255.255.0 192.168.34.21 192.168.34.25
    push "route 192.168.34.0 255.255.255.0"
    push "redirect-gateway"
    push "dhcp-option DNS 192.168.34.55"
    keepalive 10 120
    tls-auth /etc/openvpn/keys/ta.key 0
    cipher BF-CBC
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    max-clients 5
    log-append  /tmp/log/openvpn.log
    verb 4

All keys generated on Win2K per: http://openvpn.net/howto.html
All files set rw------- to avoid security/permissions warnings
  /etc/openvpn/keys/server01.crt
  /etc/openvpn/keys/server01.key
  /etc/openvpn/keys/ca.crt
  /etc/openvpn/keys/ca.key
  /etc/openvpn/keys/dh1024.pem
  /etc/openvpn/keys/ta.key

Startup set rwxr-xr-x
Creates tap0, adds it to the bridge and brings it up
The '&' may be redundant since config has option 'daemon'
Run manually for debugging
  /etc/init.d/S70openvpnserver
    #!/bin/sh
    # OpenVPN Startup
    # Stop any instance already running (-q: quiet if none)
    killall -q openvpn
    # Create a persistent tap0 so it can be bridged before OpenVPN starts
    openvpn --mktun --dev tap0
    # Attach tap0 to the LAN bridge and bring it up
    brctl addif br0 tap0
    ifconfig tap0 up
    # Start the server (config also has 'daemon'; see note above)
    openvpn /etc/openvpn/server.conf &

As a simple AP on my LAN (no WAN configured):
  Forward UDP port (MyOpenVPNPort) to the WRT54G's LAN address at the main router.
If this WRT54G is the main router:
  The WAN firewall must be set to 'accept' UDP (MyOpenVPNPort)

Now for the Win2K client...

*** OpenVPN Client on Win2K - version is 2.0.5 with GUI
TAP interface created per HowTo

All keys generated on Win2K per: http://openvpn.net/howto.html
  C:\Program Files\OpenVPN\keys\ca.crt
  C:\Program Files\OpenVPN\keys\notebook.crt
  C:\Program Files\OpenVPN\keys\notebook.key
  C:\Program Files\OpenVPN\keys\ta.key

Config file
  C:\Program Files\OpenVPN\config\client.ovpn
    client
    dev tap
    proto udp
    remote (MyPublicAddress) (MyOpenVPNPort)
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca "C:\\Program Files\\OpenVPN\\keys\\ca.crt"
    cert "C:\\Program Files\\OpenVPN\\keys\\notebook.crt"
    key "C:\\Program Files\\OpenVPN\\keys\\notebook.key"
    ns-cert-type server
    tls-auth "C:\\Program Files\\OpenVPN\\keys\\ta.key" 1
    cipher BF-CBC
    comp-lzo
    verb 3

It is important when connecting via public hotspot to place TAP interface as top priority.
This forces remote DNS from the LAN to be used and not the local DNS.
This is in Win2K Networking Properties: Advanced -> Advanced Settings under "Connections".
The client CANNOT connect successfully when already on the LAN.

All Comments Welcomed.

(Last edited by Bill_MI on 25 Feb 2007, 23:39)
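A small consistency and hardening lint for the server.conf/client.ovpn pair in the post, added here as an example; it is not the poster's code and not part of OpenVPN. The two configs are copied inline with the post's own placeholders (MyOpenVPNPort, MyPublicAddress), the defaults assumed for omitted options are those of OpenVPN 2.0 (proto udp, cipher BF-CBC), and the MISMATCH/REVIEW check names and messages are this example's own. It verifies the settings that must agree on both ends (proto, cipher, tap vs tun, comp-lzo, and the complementary tls-auth key directions 0 and 1) and flags items a defender would want to revisit: the 64-bit block cipher, the 1024-bit DH parameter file, and the deprecated ns-cert-type option.

```python
"""Consistency and hardening lint for the server.conf/client.ovpn pair above.
Added example, not code from the post or from OpenVPN; the configs are copied
inline with the post's placeholders, and the check names are this example's own."""
import shlex

SERVER_CONF = r"""
daemon
port (MyOpenVPNPort)
proto udp
dev tap0
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server01.crt
key  /etc/openvpn/keys/server01.key
dh   /etc/openvpn/keys/dh1024.pem
server-bridge 192.168.34.1 255.255.255.0 192.168.34.21 192.168.34.25
push "route 192.168.34.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 192.168.34.55"
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
cipher BF-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
max-clients 5
log-append  /tmp/log/openvpn.log
verb 4
"""

CLIENT_CONF = r"""
client
dev tap
proto udp
remote (MyPublicAddress) (MyOpenVPNPort)
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\keys\\notebook.crt"
key "C:\\Program Files\\OpenVPN\\keys\\notebook.key"
ns-cert-type server
tls-auth "C:\\Program Files\\OpenVPN\\keys\\ta.key" 1
cipher BF-CBC
comp-lzo
verb 3
"""

# OpenVPN 2.0 defaults for options that may be omitted on either end (assumed)
DEFAULTS = {"proto": ["udp"], "cipher": ["BF-CBC"]}
# Ciphers with a 64-bit block size (Blowfish, DES, 3DES, CAST5)
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}


def parse_config(text):
    """Map each option to the args of its first occurrence (repeats such as
    'push' are not needed for these checks); quoted Windows paths survive."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            tokens = shlex.split(line)  # "C:\\Program Files" -> one token
            opts.setdefault(tokens[0], tokens[1:])
    return opts


def lint(server_text, client_text):
    """Return MISMATCH/REVIEW findings for a server/client config pair."""
    s, c = parse_config(server_text), parse_config(client_text)
    out = []
    # Settings that must be identical on both ends (defaults fill gaps)
    for opt, default in DEFAULTS.items():
        if s.get(opt, default) != c.get(opt, default):
            out.append(f"MISMATCH: {opt} server={s.get(opt, default)} client={c.get(opt, default)}")
    # Interface type must agree: tap0 on the server, tap on the client
    kinds = [(x.get("dev", [""])[0] + "   ")[:3] for x in (s, c)]
    if kinds[0] != kinds[1]:
        out.append(f"MISMATCH: dev type differs ({kinds[0]} vs {kinds[1]})")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        out.append("MISMATCH: comp-lzo set on only one side")
    # tls-auth: both ends need the shared key, with opposite key directions
    st, ct = s.get("tls-auth"), c.get("tls-auth")
    if (st is None) != (ct is None):
        out.append("MISMATCH: tls-auth set on only one side")
    elif st is not None:
        dirs = {st[1] if len(st) > 1 else None, ct[1] if len(ct) > 1 else None}
        if dirs not in ({"0", "1"}, {None}):
            out.append(f"MISMATCH: tls-auth directions must be 0/1, got {sorted(map(str, dirs))}")
    # Options a defender would review even though both ends agree
    cipher = s.get("cipher", DEFAULTS["cipher"])[0]
    if cipher in SMALL_BLOCK_CIPHERS:
        out.append(f"REVIEW: cipher {cipher} uses a 64-bit block; prefer an AES cipher")
    dh = s.get("dh", [""])[0]
    if "1024" in dh:
        out.append(f"REVIEW: {dh} name suggests 1024-bit DH; 2048-bit or larger recommended")
    if "ns-cert-type" in c:
        out.append("REVIEW: ns-cert-type is deprecated; remote-cert-tls server replaces it on 2.1+")
    return out
```

Running lint(SERVER_CONF, CLIENT_CONF) on the post's pair reports no MISMATCH lines and three REVIEW lines; flipping the client's tls-auth direction to 0, or changing its dev to tun, produces a MISMATCH, which is the kind of error the reply below about "dev tap0" versus "dev tap" ran into.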

Thanks very much, it took me far too long before I learned I need to use dev tap0 and dev tap in my script; this saved my day...

Hi sup and thanks for making my day, too. :)

I continue to invite all comments - I think I'm pretty optimal and secure but sure want to know of anything better.

Just trying X-Wrt Milestone 3 and OpenVPN is identical except:
  Starts in /etc/init.d/S95custom-user-startup
  I disabled /etc/init.d/S50openvpn to avoid syslog complaints.  They do OpenVPN client-only last I looked.
