18.06 Build with Simultaneous OpenVPN Server & Client

OpenWrt 18.06.2 r7676-cddd7b4c77 / LuCI openwrt-18.06 branch (git-19.020.41695-6f6641d)
TP-Link TL-WR1043ND v1.7
Atheros AR9132 rev 2
A successful installation of a simultaneous OpenVPN Server and Client, using Static Routing for the Server, was configured on the above platform.

Please note that the OpenWrt router was used only as a server/client behind a DVA-5592 router attached to the internet. The TL-WR1043ND WAN port was connected to the DVA-5592 LAN port using DHCP. Port 1194 UDP was forwarded from the DVA-5592 to the TL-WR1043ND IP. The OpenWrt Client was connected to a TP-Link Archer C7 v5 router running a factory-installed OpenVPN Server that has a static IP configured.

An attempt to use Policy-based Routing was discarded after the installation of the procedure caused the OpenWrt LuCI login to fail with an Untrusted Certificate error. The SSH connection continued to function.

The router was upgraded 3 times from factory reset to verify that the error was repeatable. The error occurs after a power down/up cycle. The same installation procedure without the Policy Routing does not produce the Untrusted Certificate error.

Archer C7 Router LAN IP is set at 192.168.2.1, 255.255.255.0
Archer C7 Router WAN IP is set at xxx.xxx.xxx.44, 255.255.255.255
OpenVPN Client Tunnel IP 192.168.7.1, 255.255.255.0

DVA-5592 Router LAN IP is set at 192.168.1.1, 255.255.255.0
OpenVPN Server Tunnel IP 192.168.8.1, 255.255.255.0
TL-WR1043ND OpenWrt Router LAN IP 192.168.3.1, 255.255.255.0

The following procedure from OpenVPN Basic, Client and Extra was used to build the router:

  1. Via LuCI - set the root password
  2. Via LuCI - Network>Interfaces>Lan-Edit>IPv4 address 192.168.3.1 > Save & Apply.

Using PuTTY/SSH on port 22, cut and paste one section at a time.

# Configure firewall
uci set firewall.@zone[0].device="tun0"
uci -q delete firewall.vpn
uci set firewall.vpn="rule"
uci set firewall.vpn.name="Allow-OpenVPN"
uci set firewall.vpn.src="wan"
uci set firewall.vpn.dest_port="1194"
uci set firewall.vpn.proto="udp"
uci set firewall.vpn.target="ACCEPT"
uci commit firewall
service firewall restart
--------------------------------------------------------------------------------

# Install packages
opkg update
opkg install openvpn-easy-rsa
 
# Configuration parameters
export EASYRSA_PKI="/etc/easy-rsa/pki"
export EASYRSA_REQ_CN="vpnca"
 
# Remove and re-initialize the PKI directory
easyrsa --batch init-pki
 
# Generate DH parameters
# May take a while to complete (~25m on WRT3200ACM)
easyrsa --batch gen-dh
 
# Create a new CA
easyrsa --batch build-ca nopass
 
# Generate a keypair and sign locally for vpnserver
easyrsa --batch build-server-full vpnserver0 nopass
 
# Generate a keypair and sign locally for vpnclient
easyrsa --batch build-client-full vpnclient0 nopass
easyrsa --batch build-client-full vpnclient1 nopass
easyrsa --batch build-client-full vpnclient2 nopass
easyrsa --batch build-client-full vpnclient3 nopass
easyrsa --batch build-client-full vpnclient4 nopass
easyrsa --batch build-client-full vpnclient5 nopass
easyrsa --batch build-client-full vpnclient6 nopass
easyrsa --batch build-client-full vpnclient7 nopass
--------------------------------------------------------------------------------

# Install packages
opkg update
opkg install openvpn-openssl
 
# Generate TLS PSK
EASYRSA_PKI="/etc/easy-rsa/pki"
openvpn --genkey --secret "${EASYRSA_PKI}/tc.pem"
 
# Configuration parameters
VPN_DEV="$(uci get firewall.@zone[0].device)"
VPN_POOL="192.168.8.0 255.255.255.0"
VPN_DNS="${VPN_POOL%.* *}.1"
VPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)"
EASYRSA_PKI="/etc/easy-rsa/pki"
DH_KEY="$(cat "${EASYRSA_PKI}/dh.pem")"
TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "${EASYRSA_PKI}/tc.pem")"
CA_CERT="$(openssl x509 -in "${EASYRSA_PKI}/ca.crt")"
NL=$'\n'
 
# Configure VPN-server
grep -l -r -e "TLS Web Server Authentication" "${EASYRSA_PKI}/issued" \
| sed -e "s/^.*\///;s/\.\w*$//" \
| while read VPN_ID
do
VPN_CONF="/etc/openvpn/${VPN_ID}.conf"
VPN_CERT="$(openssl x509 -in "${EASYRSA_PKI}/issued/${VPN_ID}.crt")"
VPN_KEY="$(cat "${EASYRSA_PKI}/private/${VPN_ID}.key")"
cat << EOF > "${VPN_CONF}"
verb 3
user nobody
group nogroup
dev ${VPN_DEV}
port 1194
proto udp
server ${VPN_POOL}
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS ${VPN_DNS}"
push "dhcp-option DOMAIN ${VPN_DOMAIN}"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>${NL}${DH_KEY}${NL}</dh>
<tls-crypt>${NL}${TC_KEY}${NL}</tls-crypt>
<ca>${NL}${CA_CERT}${NL}</ca>
<cert>${NL}${VPN_CERT}${NL}</cert>
<key>${NL}${VPN_KEY}${NL}</key>
EOF
chmod "u=rw,g=,o=" "${VPN_CONF}"
done
service openvpn restart
--------------------------------------------------------------------------------

# Configuration parameters
VPN_CONF="/etc/openvpn/vpnserver0.conf"
VPN_SERV="cricri.dlinkddns.com"
VPN_PORT="$(sed -n -e "/^port\s/s///p" "${VPN_CONF}")"
VPN_PROTO="$(sed -n -e "/^proto\s/s///p" "${VPN_CONF}")"
VPN_DEV="$(sed -n -e "/^dev\s/s///p" "${VPN_CONF}")"
EASYRSA_PKI="/etc/easy-rsa/pki"
TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "${EASYRSA_PKI}/tc.pem")"
CA_CERT="$(openssl x509 -in "${EASYRSA_PKI}/ca.crt")"
NL=$'\n'
 
# Generate VPN-client profiles
grep -l -r -e "TLS Web Client Authentication" "${EASYRSA_PKI}/issued" \
| sed -e "s/^.*\///;s/\.\w*$//" \
| while read VPN_ID
do
VPN_CONF="/etc/openvpn/${VPN_ID}.ovpn"
VPN_CERT="$(openssl x509 -in "${EASYRSA_PKI}/issued/${VPN_ID}.crt")"
VPN_KEY="$(cat "${EASYRSA_PKI}/private/${VPN_ID}.key")"
cat << EOF > "${VPN_CONF}"
verb 3
dev ${VPN_DEV%%[0-9]*}
nobind
client
remote ${VPN_SERV} ${VPN_PORT} ${VPN_PROTO}
auth-nocache
remote-cert-tls server
<tls-crypt>${NL}${TC_KEY}${NL}</tls-crypt>
<ca>${NL}${CA_CERT}${NL}</ca>
<cert>${NL}${VPN_CERT}${NL}</cert>
<key>${NL}${VPN_KEY}${NL}</key>
EOF
chmod "u=rw,g=,o=" "${VPN_CONF}"
done
ls /etc/openvpn/*.ovpn
--------------------------------------------------------------------------------

# Configuration parameters
export EASYRSA_PKI="/etc/easy-rsa/pki"
 
# Add one more client
#easyrsa --batch build-client-full vpnclient1 nopass
 
# Add another client encrypting its private key
#easyrsa --batch build-client-full vpnclient2
 
# Revoke vpnclient certificate
#easyrsa --batch revoke vpnclient
 
# Generate a CRL
easyrsa --batch gen-crl
 
# Enable CRL-verification
VPN_CRL="$(cat "${EASYRSA_PKI}/crl.pem")"
NL=$'\n'
sed -i -e "
/^<crl-verify>/,/^<\/crl-verify>/s/^/#/
\$a <crl-verify>\n${VPN_CRL//${NL}/\n}\n</crl-verify>
" /etc/openvpn/vpnserver0.conf
service openvpn restart
--------------------------------------------------------------------------------

# Install imavpn2client.conf
# Copy ArcherC7v5Vpnclient.ovpn to imavpn2client.conf
vi /etc/openvpn/imavpn2client.conf
# type i
# Open ArcherC7v5Vpnclient.ovpn and type CTL-A
# Right click in OpenWrt window
# Press Esc key
# type :wq
--------------------------------------------------------------------------------

# Install packages
opkg update
opkg install luci-app-openvpn
 
# Provide VPN-instance management
ls /etc/openvpn/*.conf \
| while read VPN_CONF
do
VPN_ID="$(basename "${VPN_CONF}" ".conf" | sed -e "s/[^0-9a-zA-Z]/_/g")"
uci -q delete openvpn.${VPN_ID}
uci set openvpn.${VPN_ID}="openvpn"
uci set openvpn.${VPN_ID}.enabled="1"
uci set openvpn.${VPN_ID}.config="${VPN_CONF}"
done
uci commit openvpn
service openvpn restart
--------------------------------------------------------------------------------
## Comment out User and Group entries in vpnserver0.conf to use CCD
## Use CCD on VPN-server for client static IP-address allocation assuming that: 
## 192.168.8.0/24 - VPN-network
## fdf1:7610:d152:3a9c::/64 - VPN6-network
VPN_CCD="/etc/openvpn/ccd"
mkdir -p "${VPN_CCD}"
cat << EOF > "${VPN_CCD}/vpnclient0"
ifconfig-push 192.168.8.2 255.255.255.0
ifconfig-ipv6-push fdf1:7610:d152:3a9c::2/64
EOF
cat << EOF > "${VPN_CCD}/vpnclient1"
ifconfig-push 192.168.8.3 255.255.255.0
ifconfig-ipv6-push fdf1:7610:d152:3a9c::3/64
EOF
cat << EOF > "${VPN_CCD}/vpnclient2"
ifconfig-push 192.168.8.4 255.255.255.0
ifconfig-ipv6-push fdf1:7610:d152:3a9c::4/64
EOF
cat << EOF > "${VPN_CCD}/vpnclient3"
ifconfig-push 192.168.8.5 255.255.255.0
ifconfig-ipv6-push fdf1:7610:d152:3a9c::5/64
EOF
cat << EOF > "${VPN_CCD}/vpnclient4"
ifconfig-push 192.168.8.6 255.255.255.0
ifconfig-ipv6-push fdf1:7610:d152:3a9c::6/64
EOF
cat << EOF > "${VPN_CCD}/vpnclient5"
ifconfig-push 192.168.8.7 255.255.255.0
ifconfig-ipv6-push fdf1:7610:d152:3a9c::7/64
EOF
cat << EOF > "${VPN_CCD}/vpnclient6"
ifconfig-push 192.168.8.8 255.255.255.0
ifconfig-ipv6-push fdf1:7610:d152:3a9c::8/64
EOF
cat << EOF > "${VPN_CCD}/vpnclient7"
ifconfig-push 192.168.8.9 255.255.255.0
ifconfig-ipv6-push fdf1:7610:d152:3a9c::9/64
EOF
cat << EOF >> /etc/openvpn/vpnserver0.conf
client-config-dir ${VPN_CCD}
EOF
service openvpn restart
--------------------------------------------------------------------------------

# To minimize firewall setup consider VPN-network as public and assign VPN-interface to WAN-zone.
# Configure firewall imavpn2client
uci set firewall.@zone[1].device="tun8"
uci commit firewall
service firewall restart
--------------------------------------------------------------------------------

Via LuCI - Network > Static Routes > Add
Interface: wan, Target: xxx.xxx.xxx.40, IPv4-Netmask: 255.255.255.248, IPv4-Gateway: 192.168.1.1, Metric: 0, MTU: 1500, Route type: unicast
Save & Apply
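Before running "service openvpn restart" it pays to check what the heredocs and the hand-written CCD files actually produced. The following is an added example, not part of the original post or of the OpenWrt wiki scripts it follows: it checks that each inline block in a profile opens and closes once, that client profiles carry "remote-cert-tls server", and that the CCD "ifconfig-push" entries have a valid netmask and no duplicate addresses. The sample files it builds are constructed and stand in for the real /etc/openvpn contents.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the generated
# OpenVPN profiles and CCD directory. All sample files below are constructed.

# 0 if every inline block (<ca>, <cert>, <key>, <tls-crypt>) opens and closes exactly once.
check_inline_blocks() {
  for tag in ca cert key tls-crypt; do
    [ "$(grep -c "^<${tag}>" "$1")" -eq 1 ] || return 1
    [ "$(grep -c "^</${tag}>" "$1")" -eq 1 ] || return 1
  done
}

# 0 if a client profile insists on a server-role certificate from the peer.
check_remote_cert_tls() {
  grep -q '^remote-cert-tls server$' "$1"
}

# Print how many ifconfig-push lines in a CCD directory carry a netmask that is
# not a plain dotted quad (a stray paste such as "255.255.255.0ls/" is caught here).
ccd_bad_mask_count() {
  grep -h '^ifconfig-push ' "$1"/* \
  | awk '$3 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/' | wc -l | tr -d ' '
}

# Print how many IPv4 addresses are pushed to more than one client.
ccd_duplicate_count() {
  grep -h '^ifconfig-push ' "$1"/* | awk '{print $2}' | sort | uniq -d | wc -l | tr -d ' '
}

# Build constructed sample files in a temp directory and print its path.
make_samples() {
  d=$(mktemp -d)
  printf 'client\nremote-cert-tls server\n<ca>\nX\n</ca>\n<cert>\nX\n</cert>\n<key>\nX\n</key>\n<tls-crypt>\nX\n</tls-crypt>\n' > "$d/good.ovpn"
  # Missing </key> and no remote-cert-tls line: both profile checks must fail.
  printf 'client\n<ca>\nX\n</ca>\n<cert>\nX\n</cert>\n<key>\nX\n<tls-crypt>\nX\n</tls-crypt>\n' > "$d/bad.ovpn"
  mkdir -p "$d/ccd"
  printf 'ifconfig-push 192.168.8.2 255.255.255.0\n' > "$d/ccd/vpnclient0"
  printf 'ifconfig-push 192.168.8.2 255.255.255.0\n' > "$d/ccd/vpnclient1"   # duplicate of vpnclient0
  printf 'ifconfig-push 192.168.8.8 255.255.255.0ls/\n' > "$d/ccd/vpnclient6" # garbled netmask
  printf '%s\n' "$d"
}
```

On a router, point the functions at /etc/openvpn/*.ovpn and /etc/openvpn/ccd instead of the constructed directory.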

Welcome

Please use the Pre-formatted text tool to include code and the likes.

Edit your message, Highlight the code in your message and click the Pre-formatted text tool (sixth from left in the tool bar) or press Ctrl. + Shift + C.

Thank you very much. I was looking for the tool but I did not understand how it works. My bad!