Base OPENVPN OpenWrt 18.06.2 multiple clients

I've recently restored the factory defaults on a WR1043ND v2 running the newest OpenWrt 18.06 and tried to configure OpenVPN. I got stuck when executing the command build-ca (it was not found). I did the configuration manually many times in the past and it worked. I checked for the needed plugins as well.

I didn't manage to do it the old way, so I followed this new guide https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic
and with this I was able to generate the certificates and the server and client files.

The question is: how can I generate more users for OpenVPN, and how can I allocate them static IPs on the VPN network 192.168.200.0/24, since I can't create the CA with the command?

Now I can only generate openvpnclient.ovpn.

OUTPUTS:

root@HM1:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-OpenVPN'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='1194'
firewall.@rule[9].proto='tcp udp'
firewall.@rule[9].target='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpnserver'
firewall.@zone[2].network='vpnserver'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].masq='1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='vpnserver'
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='vpnserver'
firewall.@forwarding[2].dest='lan'
root@HM1:~# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd52:579a:76e2::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth1.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 2 3 4 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='5 6t'
network.vpnserver=interface
network.vpnserver.ifname='tun0'
network.vpnserver.proto='none'
root@HM1:~# uci show openvpn
openvpn.custom_config=openvpn
openvpn.custom_config.config='/etc/openvpn/my-vpn.conf'
openvpn.vpnserver=openvpn
openvpn.vpnserver.enabled='1'
openvpn.vpnserver.verb='3'
openvpn.vpnserver.dev='tun0'
openvpn.vpnserver.topology='subnet'
openvpn.vpnserver.port='1194'
openvpn.vpnserver.proto='udp'
openvpn.vpnserver.server='192.168.200.0 255.255.255.0'
openvpn.vpnserver.client_to_client='1'
openvpn.vpnserver.compress='lzo'
openvpn.vpnserver.keepalive='10 120'
openvpn.vpnserver.persist_tun='1'
openvpn.vpnserver.persist_key='1'
openvpn.vpnserver.dh='/etc/openvpn/dh.pem'
openvpn.vpnserver.tls_crypt='/etc/openvpn/tc.pem'
openvpn.vpnserver.ca='/etc/openvpn/ca.crt'
openvpn.vpnserver.cert='/etc/openvpn/vpnserver.crt'
openvpn.vpnserver.key='/etc/openvpn/vpnserver.key'
openvpn.vpnserver.push='redirect-gateway def1' 'route 192.168.1.0 255.255.255.0' 'dhcp-option DNS 192.168.1.1' 'compress lzo' 'persist-tun' 'persist-key' 'dhcp-option DOMAIN lan'

I've updated the guide to use Easy-RSA.
Now you can add more clients.

https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#multi-client

Thanks for the reply. I was able to create CCD for allocating static IPs.

I'm trying to run the script for the next user, but it generates the same vpnclient over and over instead of creating a new client. Could you tell me step by step how I can create a new VPN user with TLS authentication as in the script?

I used the script from the base site for creating the vpnclient:

wget --no-check-certificate -O /tmp/create-ovpn.sh "https://openwrt.org/_export/code/docs/guide-user/services/vpn/openvpn/basic?codeblock=5"
sh -v -x /tmp/create-ovpn.sh
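For the static-IP part of the question, here is an added example (not from the thread or from the OpenWrt guide) of how the CCD entries the poster mentions are built: one file per client, named after the certificate CN, carrying an ifconfig-push for the 192.168.200.0/24 subnet-topology server shown in the uci output. The directory path /etc/openvpn/ccd is an assumption; it must match the server's client-config-dir setting.

```shell
#!/bin/sh
# Added example: pin a static tunnel IP per OpenVPN client via client-config-dir.
# Assumes the server from this thread: topology subnet, server 192.168.200.0/24,
# so 192.168.200.1 belongs to the server. CCD_DIR is an assumed path.
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"

# ccd_assign <client-CN> <ip>
# Writes ccd/<client-CN> containing "ifconfig-push <ip> 255.255.255.0".
# Returns 0 on success, 1 on bad input (name unusable as a file name, IP
# outside 192.168.200.2-254), 2 if another client already holds that IP.
ccd_assign() {
  name="$1"; ip="$2"
  case "$name" in ''|*/*|.*) return 1 ;; esac
  case "$ip" in 192.168.200.*) ;; *) return 1 ;; esac
  last="${ip#192.168.200.}"
  case "$last" in ''|*[!0-9]*) return 1 ;; esac
  [ "$last" -ge 2 ] && [ "$last" -le 254 ] || return 1
  mkdir -p "$CCD_DIR"
  for f in "$CCD_DIR"/*; do
    [ -f "$f" ] || continue
    [ "$(basename "$f")" = "$name" ] && continue      # re-assigning self is fine
    grep -q "^ifconfig-push $ip " "$f" && return 2    # clash with another client
  done
  printf 'ifconfig-push %s 255.255.255.0\n' "$ip" > "$CCD_DIR/$name"
}

# ccd_lookup <client-CN>: print the pinned IP, or nothing if none is set.
ccd_lookup() {
  [ -f "$CCD_DIR/$1" ] && awk '/^ifconfig-push/ {print $2}' "$CCD_DIR/$1"
}
```

The server only reads these files when client-config-dir points at the directory (on OpenWrt: uci set openvpn.vpnserver.client_config_dir='/etc/openvpn/ccd', then restart openvpn); the file name must equal the CN in the client's certificate, which is why each client needs its own certificate rather than a copy of the first one.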

https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#multi-client
And restart client config generation script.


Thank you for the response. I guess something is broken in my config, so I will do everything from scratch :slight_smile:
