Configure OpenVPN server on LEDE

I searched multiple places and found several guides, but I can't get my OpenVPN server up and running. I could not even generate CA certificates. build-ca is not running. I tried with ./build-ca, but this file is not present on my router. I have installed all packages for OpenVPN. Can you help me?

Most of the tutorials do not indicate that you can generate the keys directly on your PC, which is much easier.
https://openvpn.net/index.php/download/community-downloads.html
Scroll down to the EasyRSA links.

I also suggest you generate more client keys than you think you will use. It seems we keep adding more devices to our networks and it's easier to store them than to update them.


@anon20279570 - There is a great tutorial here that I found easier to follow than the documentation on the OpenWrt/LEDE pages. As @RangerZ suggested, it is much easier/faster to generate your certs on a full-fledged computer (Mac/Linux/Win) using EasyRSA and then copy the files over via scp. Meanwhile, there is also a LuCI app for OpenVPN that may be useful, especially if you prefer GUI-based workflows.


I generated keys on my PC.
I use this configuration file on my clients (this is my laptop), from which it works. The laptop is directly connected to this router (10.0.0.1), so it works from the LAN. But I still can't get into the router by SSH with the VPN IP. It pings, though, so it works.

client
tls-client
dev tun
proto udp
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client1.crt
key /etc/openvpn/client1.key
remote 10.0.0.1 1194
resolv-retry infinite
nobind
persist-tun
persist-key
ns-cert-type server
comp-lzo
verb 3
log openvpn.log

On the other hand, the same configuration does not work from my work PC. Of course, I have used my global IP address, which is static. I also use a different port in my work PC configuration, but I have forwarded that port (UDP only) from the WAN interface to 10.0.0.1 (which is the router) port 1194 (the default OpenVPN port), and when I try to connect, ovpn.log reads this. I guess the problem is in the port forwarding, but I have the same forwarding at my work (we have a big network, seismic stations all over the country, and all works perfectly).

http://www.picz.ge/img/s2/1706/10/0/0428e8b19a8e.jpg

@anon20279570 - can you post your server config file?

Also, just to make sure I understand your configuration in general -- is the LEDE router directly connected to the internet, or do you have a router between the ISP and the LEDE router?

You might have an issue with the firewall/port forwarding...
You should not be using port forwarding. Instead, you should use Traffic Rules.

If you do this from LuCI, you should end up with:

Any udp
From any host in any zone
To any router IP at port 1194 on this device

If you're doing this in the firewall config file, you want it to look like this:

config rule
option target 'ACCEPT'
option proto 'udp'
option dest_port '1194'
option name 'Allow-UDP1194-Inbound'
option src '*'


Other important questions:

What is your LAN subnet? From your previous post, I would assume it is 10.0.0.0/24. Have you defined the VPN interface in your network config? If you can post your network config file, that may help. You should have something like this:

config interface 'vpn0'
option proto 'none'
option ifname 'tun0'

When you post your OpenVPN server config, I'll be able to see the network defined there, but it must be something other than 10.0.0.0/xx -- maybe something like 10.1.1.0/24 or whatever ... just as long as it is non-overlapping.

Finally, if you can post your firewall file, that would be useful, too. You'll need a firewall zone associated with your VPN tunnel -- the specifics of how it is set depends on the access you want when connecting via the tunnel, but it might look something like this:

config zone
option name 'vpn'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option network 'vpn0'

config forwarding
option dest 'wan'
option src 'vpn'

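The checks raised in the two replies above (an ACCEPT traffic rule for UDP 1194 to the router itself rather than a port-forward, a `config interface` for tun0, a firewall zone that covers it, a forwarding from that zone, and a VPN subnet that does not overlap the LAN), as an added example in Python that is not part of this thread or of OpenWrt/LEDE. It parses UCI text in the form it has in /etc/config/firewall and /etc/config/network and reports which piece is missing. The sample configs are constructed from the snippets posted in the thread; the `config redirect` section in BAD_FIREWALL is my assumption of how the original poster's port-forward would have been written.

```python
"""Sanity-check the firewall/network side of an OpenVPN server on OpenWrt/LEDE (added example)."""
import ipaddress
import shlex

# Constructed sample configs, modelled on the snippets posted in the thread.
GOOD_FIREWALL = """
config rule
        option name 'Allow-UDP1194-Inbound'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '1194'
        option src '*'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'vpn0'

config forwarding
        option dest 'wan'
        option src 'vpn'
"""

# Assumed form of the original poster's first attempt: a DNAT port-forward to the router's
# LAN address and no traffic rule, no VPN zone.
BAD_FIREWALL = """
config redirect
        option name 'ovpn'
        option src 'wan'
        option src_dport '5111'
        option dest 'lan'
        option dest_ip '10.0.0.1'
        option dest_port '1194'
        option proto 'udp'
        option target 'DNAT'
"""

NETWORK = """
config interface 'lan'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'

config interface 'vpn0'
        option proto 'none'
        option ifname 'tun0'
"""


def _as_list(value):
    """UCI allows both 'option network x' and repeated 'list network x'; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options'}]; 'list' keys collect into Python lists."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append({"type": parts[1], "name": parts[2] if len(parts) > 2 else None, "options": {}})
        elif parts[0] == "option" and sections:
            sections[-1]["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and sections:
            sections[-1]["options"].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def check_openvpn_setup(firewall_text, network_text, vpn_port="1194", tun_dev="tun0", vpn_subnet="10.8.0.0/24"):
    """Return a list of (code, message) findings; an empty list means every check passed."""
    fw, net = parse_uci(firewall_text), parse_uci(network_text)
    opts = lambda s: s["options"]
    findings = []

    # 1. A 'config rule' without 'dest' is an INPUT rule, i.e. traffic to the router itself.
    input_rules = [s for s in fw if s["type"] == "rule" and opts(s).get("target") == "ACCEPT"
                   and "udp" in opts(s).get("proto", "").lower() and opts(s).get("dest_port") == vpn_port
                   and opts(s).get("src") in ("wan", "*") and "dest" not in opts(s)]
    if not input_rules:
        findings.append(("NO_INPUT_RULE", f"no ACCEPT traffic rule for UDP {vpn_port} to the router itself"))
    # A DNAT redirect to the OpenVPN port is the mistake the thread describes; it is not a substitute.
    if any(s["type"] == "redirect" and opts(s).get("dest_port") == vpn_port for s in fw):
        findings.append(("REDIRECT_NOT_RULE", "port-forward (redirect) to the OpenVPN port found; use a traffic rule"))

    # 2. The tun device needs an unmanaged network interface so that a zone can reference it.
    iface = next((s for s in net if s["type"] == "interface" and opts(s).get("ifname") == tun_dev), None)
    if iface is None:
        findings.append(("NO_VPN_INTERFACE", f"no 'config interface' with ifname '{tun_dev}'"))
    elif opts(iface).get("proto") != "none":
        findings.append(("VPN_INTERFACE_PROTO", "VPN interface proto should be 'none' (OpenVPN sets the address)"))

    # 3. A zone must list that interface; its input policy decides whether ssh over the tunnel works.
    zone = next((s for s in fw if s["type"] == "zone" and iface and iface["name"] in _as_list(opts(s).get("network"))), None)
    if zone is None:
        findings.append(("NO_VPN_ZONE", "no firewall zone lists the VPN interface"))
    else:
        if opts(zone).get("input") != "ACCEPT":
            findings.append(("VPN_ZONE_INPUT", "VPN zone input is not ACCEPT; clients cannot reach router services"))
        if not any(s["type"] == "forwarding" and opts(s).get("src") == opts(zone).get("name") for s in fw):
            findings.append(("NO_VPN_FORWARDING", "no 'config forwarding' from the VPN zone (needed for LAN/internet)"))

    # 4. The VPN subnet must not overlap the LAN subnet, or replies get routed out the wrong interface.
    lan = next((s for s in net if s["type"] == "interface" and s["name"] == "lan"), None)
    if lan and "ipaddr" in opts(lan) and "netmask" in opts(lan):
        lan_net = ipaddress.ip_network(f"{opts(lan)['ipaddr']}/{opts(lan)['netmask']}", strict=False)
        if lan_net.overlaps(ipaddress.ip_network(vpn_subnet)):
            findings.append(("SUBNET_OVERLAP", f"VPN subnet {vpn_subnet} overlaps LAN subnet {lan_net}"))
    return findings


if __name__ == "__main__":
    for label, fw_text in (("good", GOOD_FIREWALL), ("bad", BAD_FIREWALL)):
        print(label, check_openvpn_setup(fw_text, NETWORK) or "OK")
```

On a real router the two texts would come from `cat /etc/config/firewall` and `cat /etc/config/network`; the VPN subnet is whatever the `server` directive (or `option server` in /etc/config/openvpn) says.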

Thank you very much. Adding a Traffic Rule did the trick! I have that interface configured in my network file and added the firewall zone and forwarding too. (I saw it in some tutorial and did it earlier; I did not have a Traffic Rule, I just had port forwarding.)

Now my work PC has got a VPN IP address, and it goes to the internet through my VPN (when I checked, it got my global IP). My VPN network is 10.8.0.0/24, my local network is 10.0.0.0/24, and yes, my LEDE router is directly connected to my ISP and to my laptop.

I am curious why port forwarding did not work. At my work I have forwarded port 5111 to my OpenVPN server's port 1194 and it works great. Here I did the same: I forwarded port 5111 to my router's LAN address 10.0.0.1 port 1194, but it did not work. Now my OpenVPN setup uses the default port; is it safe to use the default port?

And also, are there any other changes to be made in the firewall to get ping working? I can't ping my VPN server from the client and vice versa. Also, I can't SSH into hosts with the VPN IP.

Found this problem too. The comp-lzo option was yes on my server side but on the client side it was no. When I changed no to yes in client.conf, ping worked and I can SSH from client to server and vice versa.

Would you suggest anything about using the default port? Or any other options to include in my server file to make the connection secure?

This is my server.conf

@anon20279570 - Glad it is working!

I have a few more directives in my VPN config that may increase security:

option auth 'SHA256'
option cipher 'AES-256-CBC'

Aside from that, I don't have any concerns about running on the default port and I believe that the security should be fine (although I am not a security expert).

To answer your question about port forwarding vs traffic rules...
Forwarding is really designed to forward from outside the network to an entirely different device on your network (i.e. not the router). Your other network, from the sound of it, may have the OpenVPN server on a physically distinct device (or a virtualized server). When forwarding, the router is just literally forwarding any connections on a given port to another device/IP address. Now, forwarding to itself could work, in theory, but the OpenVPN server is not listening at 10.0.0.1 -- the IP of the server is actually 10.8.0.1. If you attempt to forward to that IP, I think that the router would not know where to send it since it is outside the LAN subnet and is unroutable on the WAN side. Then you might be able to do some custom routes, but it is already getting more cumbersome than just adding the traffic rule.

On the other hand, Traffic Rules have more control and importantly can bind to 0.0.0.0 (essentially 'all interfaces' within the context of the LEDE device, "any router IP") and allow any services on the router itself listening on a specific port to receive the traffic. This means that 10.8.0.1 (OpenVPN server) will be able to see and connect to the activity on port 1194. No concerns about the specific IP address of the device versus the OpenVPN server, no need to create custom routes, and essentially just a transparent connection through.

That's the best I can do to explain it... hopefully it makes sense.


Great, I added those options. I will read more documentation about OpenVPN to understand its security features and to know how to use them.

I asked about the default port because it's well known. When I use the default port for SSH I get so many attempts to get into my server that auth.log goes crazy :smiley:

I got this message
"TLS Error: cannot locate HMAC in incoming packet from [AF_INET]95.137.165.153:41354"
in my ovpn.log file too many times. I guess this IP tries to connect to my OpenVPN network. I thought that it would be better if it was not running on the default port.

I think this topic is over too. Problem is solved. Thank you again to all that helped me.

I have the same types of things with lots of random systems trying to connect. I use TCP and UDP 443 and 1194. This makes it less likely that I'll find myself unable to connect due to firewall blocked ports/services on remote networks, but gives 4 attack surfaces for connection attempts. AFAIK, they are never able to establish a tunnel because they don't have the right credentials (certs/keys).

From a pure security perspective, the best option is to close all ports. But if a VPN server is wanted/needed, obviously this is a compromise one has to make.

Moving to a non-default or uncommon port will likely reduce, but not eliminate the connection attempts from random systems on the internet. But as long as your keys and certs are secure and your server (and router as a whole) is configured properly, you shouldn't have any risks that are significantly higher with the standard port(s) vs non-standard ones, barring an unknown/un-patched exploit or other breach. I would imagine that there are security experts who could give better answers/advice, but as long as you aren't running high-value/high-visibility target network (i.e. a major corporation, government agency, or political group), it is unlikely that your network will be of much interest for extra attention/effort in hacking.

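The "cannot locate HMAC" lines discussed in the last two posts are what OpenVPN logs when the server has tls-auth configured and a packet arrives without a valid HMAC: the packet is dropped before any TLS handshake, so the sender never gets as far as presenting credentials. The following is an added example in Python, not part of the thread, that counts those rejections per source address from an ovpn.log so you can tell background scanning from a real client with a wrong tls-auth key. The log lines are constructed in the format of the line quoted above, using documentation addresses.

```python
"""Count OpenVPN tls-auth HMAC rejections per source address (added example, not from the thread)."""
import re
from collections import Counter

# OpenVPN emits this line when --tls-auth is in use and the packet's HMAC is missing or wrong.
HMAC_RE = re.compile(r"TLS Error: cannot locate HMAC in incoming packet from \[(AF_INET6?)\](\S+)")

# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mon Jun 12 10:05:13 2017 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.23:41354
Mon Jun 12 10:05:14 2017 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.23:41355
Mon Jun 12 10:05:20 2017 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.9:6000
Mon Jun 12 10:06:02 2017 TLS Error: cannot locate HMAC in incoming packet from [AF_INET6]2001:db8::5:5060
Mon Jun 12 10:06:40 2017 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.23:41356
Mon Jun 12 10:08:00 2017 203.0.113.77:51000 [client1] Peer Connection Initiated with [AF_INET]203.0.113.77:51000
Mon Jun 12 10:09:13 2017 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.23:41357
"""


def source_address(endpoint):
    """Split the host off 'host:port'; rpartition keeps IPv6 hosts (which contain ':') intact."""
    host, _, _port = endpoint.rpartition(":")
    return host


def hmac_failures_by_source(lines):
    """Return Counter {source address: number of rejected packets} over the given log lines."""
    counts = Counter()
    for line in lines:
        match = HMAC_RE.search(line)
        if match:
            counts[source_address(match.group(2))] += 1
    return counts


def noisy_sources(lines, threshold=3):
    """Sources with at least `threshold` rejected packets, most frequent first."""
    return [(addr, n) for addr, n in hmac_failures_by_source(lines).most_common() if n >= threshold]


def summarize(lines):
    """Totals a quick glance at the log needs: how many packets were rejected, from how many sources."""
    counts = hmac_failures_by_source(lines)
    return {"rejected_packets": sum(counts.values()), "distinct_sources": len(counts)}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(summarize(lines))
    for addr, n in noisy_sources(lines):
        print(f"{addr}: {n} rejected packets")
```

A legitimate client that holds the tls-auth key never produces this line, so a high count from one address is either scanning noise or a client whose ta.key does not match; the first is safe to ignore (or rate-limit at the firewall), the second shows up as the same line repeating from your own client's address.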

Hello,
I'm facing a problem.
I have a TP-Link Archer C7 with LEDE.
My OpenVPN works as a server; I have a remote peer which connects to this server.
I see it connected, I can ping it, but SSH doesn't work.
Here is my config file

firewall
config rule 'Allow_OpenVPN_Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'udp'
        option dest_port '8080'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

config include
        option path '/etc/firewall.user'

config zone 'vpn'
        option name 'vpn'
        option network 'vpn0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding 'vpn_forwarding_lan_in'
        option src 'vpn'
        option dest 'lan'

config forwarding 'vpn_forwarding_lan_out'
        option src 'lan'
        option dest 'vpn'

config forwarding 'vpn_forwarding_wan'
        option src 'vpn'
        option dest 'wan'

Network

        option ipaddr '192.168.77.254'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6'

config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'
        option auto '1'

Any help will be appreciated :slight_smile:

Hello everyone,
I found the solution; maybe it'll help someone in the future.
The compression was not activated:
option comp_lzo 'no'
I changed it to
option comp_lzo 'yes'
and now it's working.