Best vpn software on OpenWrt

Owengerig · October 2, 2018, 4:35pm

I mostly want to access my home media (samba, sftp or dlna) from my ios, android and windows clients; but of course lan access will likely be desired in the future.

I have tried a few versions with LEDE before the 18.06 release and had varing results

I really liked openConnect as it was easy to setup both the server and the clients. however when using it i would have alot of disconnection and performance problems.

Has anyone had a good experience with others (ease of setting up and good performance)? StrongSwan, wireguard (from my readings they dont have an ios or windows client), maybe there are other i dont know about.

I have had openVpn setup before however im currently trying to set it up again and having trouble getting it working (trying to follow this guide)

All good until section:
Server Cert - Generate VPN Server CSR

command:

openssl req -out ca/csr/vpn-server.csr -new -days 3650 -sha512
-newkey rsa:2048 -keyout openvpn/vpn-server.key.pem -config ./openssl.cnf -extensions
v3_vpn_server -nodes

output:

Error Loading extension section v3_vpn_server

lleachii · October 2, 2018, 5:33pm

I use Wireguard. You simply key and address interfaces. There's a few threads on setup available by searching the forum.

Owengerig · October 2, 2018, 5:35pm

do they have an ios android and windows client/solution?

lleachii · October 2, 2018, 5:37pm

No windows client at this time.

rog · October 2, 2018, 7:11pm

There is actually a wireguard windows client called TunSafe. Although in beta, it's working well for me.

diizzy · October 2, 2018, 8:08pm

Softether (v5) is probably your best bet if you want something multiplatform

dibdot · October 2, 2018, 8:22pm

My personal recommendation: use Wireguard. Fast, really easy setup, excellent Linux & OpenWrt support, quite nice Android App and Windows client is on the way (https://tunsafe.com/) ... even it's not yet complete, it's much better than the other VPN solutions - IMHO.

Owengerig · October 2, 2018, 8:33pm

seems like they dont have an ios client either
maybe this but similar to windows https://git.zx2c4.com/wireguard-ios/about/

slh · October 2, 2018, 8:48pm

In terms of ubiquitous operating system support, IPsec (strongswan) and OpenVPN probably win. IPsec comes in many flavours, making the initial setup a little harder, but it's often natively supported by the OS (e.g. iOS, blackberry and windows have native IPsec/ IKEv2 support; there is a free strongswan app for android and desktop linux isn't an issue anyways) and is relatively fast - OpenVPN has free clients for most operating systems, but tends to be significantly slower.

wireguard is interesting, but so far it hasn't been merged mainline yet, this means there's still a significant chance that it will have to be changed (in potentially incompatible ways) in order to meet the bar - and even then it will take 2-3 years until you can expect it (in a compatible fashion) to be present on every linux derived distro or android device, draw your conclusions from that regarding support for other operating systems.

Per · October 2, 2018, 9:36pm

You are using the old wiki. Have you looked at the guides on the new one? https://openwrt.org/docs/guide-user/services/vpn/openvpn/start

mpa · October 2, 2018, 10:05pm

The strongswan user documentation explains how to set up IPsec/IKE on various client OS, in the Interoperability section.

jtaczanowski · October 2, 2018, 10:35pm

I would like to recommend strongswan with IKEv2. Built in clients in many operating systems is a huge advantage for me. They are stable. And for example configuring iPhones via sending configuration profile via mail sometimes make life easier
I have using Strongswan. My client are Windows, iOS, Mac OS, Android, Linux.
Initially Strongswan configuration on server side is not too easy, but after, everything is working great.

diizzy · October 2, 2018, 10:59pm

softether does all that...

Kherby · October 3, 2018, 3:35am

Is there any usefull guide about softether with OpenWRT?

Andy2244 · October 3, 2018, 10:49am

https://wordpress.tirlins.com/2015/03/setting-up-softether-vpn-on-openwrt/

Used this a long time ago for my initial v4 setup, which works the same for v5. I think the only problem was that i needed to build/get the full bridge tool version, instead of the busybox one, but not sure if thats the case anymore.

The v4 is in the official package repo and the v5 is in my feed.

PS: I personally use it via its own Softether Protocol and windows client, which was the fastest on my tests. Yet if a official Wireguard client comes out, i will try to switch, since Softether is quite the overkill feature wise, for just a simple VPN connection.

Kherby · October 3, 2018, 11:24am

Thanks for the link. I'll try to set up a Softether VPN server on my WRT3200ACM to use it with my Windows laptop and my Android Smartphone.

atrocia · October 3, 2018, 4:42pm

+1 for wireguard. Simple and a pleasure to use. The downsides are, as others have mentioned, that it's a relatively young project, with limited documentation and possibly subject to change (or to being found insecure, although that seems highly unlikely).

To look at it another way, troubleshooting can be difficult, since the kernel does everything transparently to the user, and there's no verbose / debug mode. But the plus side is that it just works, so you shouldn't need major troubleshooting (except on the routing side, which the documentation doesn't really cover in any significant way).

MooMan · October 5, 2018, 12:23am

I love and vote for Wireguard, made a testrun on performance with iperf3, Wireguard server is my WRT32X with OpenWRT 18.01 , and its also the iperf3 server, on the other side, my MacPro 2013 which is connected via WireGuard to the WRT 32X, and iPerf3 runnign throught the WireguardTunel, client uses PSK function of Wireguard:

iperf3 -c 192.168.200.1 -p 2000
Connecting to host 192.168.200.1, port 2000
[ 5] local 192.168.200.2 port 50693 connected to 192.168.200.1 port 2000
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 51.1 MBytes 429 Mbits/sec
[ 5] 1.00-2.00 sec 51.9 MBytes 436 Mbits/sec
[ 5] 2.00-3.00 sec 52.0 MBytes 436 Mbits/sec
[ 5] 3.00-4.00 sec 52.0 MBytes 436 Mbits/sec
[ 5] 4.00-5.00 sec 52.1 MBytes 437 Mbits/sec
[ 5] 5.00-6.00 sec 53.4 MBytes 448 Mbits/sec
[ 5] 6.00-7.00 sec 53.4 MBytes 448 Mbits/sec
[ 5] 7.00-8.00 sec 52.8 MBytes 443 Mbits/sec
[ 5] 8.00-9.00 sec 53.1 MBytes 446 Mbits/sec
[ 5] 9.00-10.00 sec 52.6 MBytes 441 Mbits/sec

[ ID] Interval Transfer Bitrate
[ 5] 0.00-10.00 sec 525 MBytes 440 Mbits/sec sender
[ 5] 0.00-10.03 sec 525 MBytes 439 Mbits/sec receiver

iperf Done.

But I can understand, for those, who need wide compatibilty, chooses another VPN Type...for me, its fanatstic, I only have MacOS and Linux Machines running...and a Android Client...

Kherby · October 5, 2018, 12:53am

@MoonMan
Impressive results! I would like to switch to wireguard but my current VPN provider doesn't support WG.

MooMan · October 5, 2018, 1:06am

If Im not wrong, I saw here somewhere in the OpenWRT Forum, somebody of the members, mentioning a VPN service that supports wireguard... if Im not wrong, its this one: https://mullvad.net/de/ ...but Im sure, there are more...