Got it finally fully running. To say things first: not all the options are available through LuCI, and in the part about creating the "OPENVPN" interface I wasn't wrong, because to make it work you need to create a firewall zone using the interface created first and assigned to the tun0 adapter, so the clients may have access to LAN resources and/or internet access.
So this is my working config:
Server side:
On /etc/config/openvpn file:
config openvpn 'server'
option dev_type 'tun'
option dev 'tun'
option keepalive '10 60'
option verb '3'
option ca '/etc/openvpn/ca.crt'
option enable '1'
option proto 'tcp-server'
option port '8443'
option persist_key '1'
option persist_tun '1'
option topology 'subnet'
option client_to_client '1'
option server '192.168.10.0 255.255.255.0'
option cert '/etc/openvpn/server.crt'
option key '/etc/openvpn/server.key'
option dh '/etc/openvpn/dh2048.pem'
list push 'redirect-gateway'
list push 'route 192.168.1.0 255.255.255.0'
list push 'dhcp-option DNS 192.168.10.1'
list push 'dhcp-option WINS 192.168.10.1'
- Keys and certs may be uploaded using LuCI (I created them as explained in the next part)
- The proto option can be 'udp' or 'tcp-server'
- The client_to_client option lets clients connected to the VPN interact with each other.
- For the server option you may choose whatever network range you like, but OpenVPN 2.4 doesn't like long ranges; I would suggest keeping it at a 254-host range (255.255.255.0)
- list push 'redirect-gateway' makes all the clients connected to the server redirect all their traffic through the VPN
- list push 'route' makes the client create a route to your internal network (mine is 192.168.1.0/24)
- list push 'dhcp-option DNS' forces the client to use the specified DNS server IP
- list push 'dhcp-option WINS' forces the client to use the specified WINS server IP (in my case I also have the samba36 package installed, sharing my attached USB device; this is optional)
Create the following firewall rule to accept incoming connections:
Network > Firewall > Traffic Rules
Rule "Allow-OpenVPN"
Protocol "TCP/UDP"
Source zone "WAN"
Destination zone "Device (input)"
Destination port "8443"
Action "ACCEPT"
Create the Interface OPENVPN so you can assign it to a new firewall zone as this:
Network > Interface
Name "OPENVPN"
Adapter "tun0"
Protocol "Unmanaged"
Create the firewall zone openvpn as this:
Network > Firewall
Name "openvpn"
Input "accept"
output "accept"
Forward "accept"
covered networks "OPENVPN"
Allow forward to destination zones "lan/wan"
- If you select only lan under "Allow forward to destination zones", clients only have access to your local LAN resources; if you want to give only internet access, select only wan.
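The same three LuCI steps (the Allow-OpenVPN rule, the unmanaged OPENVPN interface on tun0, and the openvpn zone with its forwardings) can be expressed as UCI stanzas. The script below is an added example, not part of the original post or of OpenWrt itself: it prints the stanzas so you can review them and append them to /etc/config/network and /etc/config/firewall. It assumes OpenWrt 21.02 or newer syntax (option device); on older releases the interface uses option ifname 'tun0' instead. Port 8443 and the zone names are the post's values.

```shell
#!/bin/sh
# Added example (not from the post): UCI equivalent of the LuCI firewall and
# interface steps. Assumes OpenWrt 21.02+ ("option device"); older releases
# use "option ifname 'tun0'". Port 8443 and zone names match the post.

# Print the /etc/config/network stanza: an unmanaged interface bound to tun0,
# which is what "Protocol: Unmanaged" + "Adapter: tun0" produces in LuCI.
openvpn_network_stanza() {
	cat <<'EOF'
config interface 'OPENVPN'
	option proto 'none'
	option device 'tun0'
EOF
}

# Print the /etc/config/firewall stanzas.
# $1 = space-separated destination zones the VPN may forward to:
#      "lan" = LAN resources only, "wan" = internet only, "lan wan" = both.
# The rule matches both tcp and udp, as the LuCI "TCP/UDP" choice does;
# narrow it to the one proto set in /etc/config/openvpn if you only use one.
openvpn_firewall_stanzas() {
	dests=${1:-"lan wan"}
	cat <<'EOF'
config rule
	option name 'Allow-OpenVPN'
	option src 'wan'
	option proto 'tcp udp'
	option dest_port '8443'
	option target 'ACCEPT'

config zone
	option name 'openvpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'OPENVPN'
EOF
	# One forwarding stanza per destination zone. Internet access also relies
	# on the default wan zone having "option masq '1'", which OpenWrt ships.
	for d in $dests; do
		cat <<EOF

config forwarding
	option src 'openvpn'
	option dest '$d'
EOF
	done
}

# Stand-alone run: print both stanza sets for review.
openvpn_network_stanza
openvpn_firewall_stanzas "lan wan"
```

After appending the output, reload with /etc/init.d/network reload and /etc/init.d/firewall reload, or use uci show firewall to confirm the rule, zone and forwardings landed where you expect.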
Creating the certs:
I've first tried using EasyRSA 3 but I ended up with cert problems when trying to connect. So, I went with EasyRSA 2.2.2
If you have a macOS device as I do, you need to install brew and then install openssl with the following commands:
xcode-select --install
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
brew install vim
brew install openssl
- If you have Xcode installed already skip the first command
Untar the downloaded easyrsa-2.2.2.tar file, go with the terminal to the extracted directory, then edit the following lines of the vars file as you wish (I use vi for editing, so I do vi vars, press I and edit the lines, and once finished press the "ESC" key followed by :wq and then "Enter")
export KEY_COUNTRY=
export KEY_PROVINCE=
export KEY_CITY=
export KEY_ORG=
export KEY_EMAIL=
export KEY_OU=
Next, run the following commands:
export PATH="/usr/local/opt/openssl/bin:$PATH"
cp openssl-1.0.0.cnf openssl.cnf
. ./vars
./clean-all
./build-ca
At "build-ca", EasyRSA will ask you for some parameters, prefilled from the vars file.
Next, create the server keys with the same parameters as above, except that for "Common Name" and "Name" you put "server"
./build-key-server server
Next create the client keys; as with the server, it will ask you for "Common Name" and "Name", and there you put the client name you want (with no spaces)
./build-key client1
./build-key client2
./build-key client3
After creating all the client keys and certs, generate the Diffie-Hellman parameters with:
./build-dh
So the certs map to the server options like this:
ca.crt > ca
server.crt > cert
server.key > key
dh2048.pem > dh
Creating the clients config:
Create a .ovpn file (name it as you wish) with this inside:
client
dev tun
proto tcp-client
float
resolv-retry infinite
remote-cert-tls server
persist-key
persist-tun
remote (WAN IP or HOSTNAME to your OpenWrt device) 8443
<ca>
-----BEGIN CERTIFICATE-----
(content of the ca.crt file between these lines)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(content of the client#.crt file between these lines)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(content of the client#.key file between these lines)
-----END PRIVATE KEY-----
</key>
Congrats!! You're done, you may now connect your clients to the OpenVPN server!!
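Pasting the three PEM blocks by hand is where most client profiles go wrong, because EasyRSA 2 writes a human-readable certificate dump above the "-----BEGIN CERTIFICATE-----" line in each .crt file and only the PEM part belongs in the profile. The script below is an added example, not part of the original post or of EasyRSA: it assembles the client profile shown above from ca.crt, <client>.crt and <client>.key, keeping only the PEM block of each file and refusing to build a profile if a file is missing. It assumes the EasyRSA 2 keys/ output directory, the post's directives and port 8443, and the host name you pass in; the demo input it creates is constructed placeholder text, not real certificates.

```shell
#!/bin/sh
# Added example (not from the post): build the inline .ovpn profile from the
# EasyRSA 2 output files, extracting only the PEM block from each.
# Assumptions: keys/ holds ca.crt, <client>.crt and <client>.key; the
# directives and port 8443 are the post's; the remote host is passed in.

# Print the lines from the BEGIN marker to the END marker of a PEM block,
# dropping the textual dump EasyRSA 2 writes above it in .crt files.
# $1 = file, $2 = PEM label pattern ("CERTIFICATE" or ".*PRIVATE KEY";
# the latter accepts both "PRIVATE KEY" and "RSA PRIVATE KEY" files).
pem_block() {
	sed -n "/^-----BEGIN $2-----\$/,/^-----END $2-----\$/p" "$1"
}

# Emit the client profile on stdout.
# $1 = remote host (WAN IP or hostname of the OpenWrt device)
# $2 = client name used with ./build-key, e.g. client1
# $3 = directory holding the files (defaults to keys, EasyRSA 2's output dir)
make_ovpn() {
	host=$1; name=$2; dir=${3:-keys}
	for f in "$dir/ca.crt" "$dir/$name.crt" "$dir/$name.key"; do
		[ -r "$f" ] || { echo "make_ovpn: cannot read $f" >&2; return 1; }
	done
	cat <<EOF
client
dev tun
proto tcp-client
float
resolv-retry infinite
remote-cert-tls server
persist-key
persist-tun
remote $host 8443
<ca>
$(pem_block "$dir/ca.crt" CERTIFICATE)
</ca>
<cert>
$(pem_block "$dir/$name.crt" CERTIFICATE)
</cert>
<key>
$(pem_block "$dir/$name.key" ".*PRIVATE KEY")
</key>
EOF
}

# Constructed demo input (NOT real certificates or keys): a temporary
# directory mimicking EasyRSA 2 output, including the textual dump that
# precedes the PEM in .crt files. Prints the directory path.
demo_keys_dir() {
	d=$(mktemp -d)
	printf '%s\n' 'Certificate:' '    Data:' '        Version: 3 (0x2)' \
		'-----BEGIN CERTIFICATE-----' 'CADEMO' '-----END CERTIFICATE-----' > "$d/ca.crt"
	printf '%s\n' 'Certificate:' '    Data:' \
		'-----BEGIN CERTIFICATE-----' 'CLIENTDEMO' '-----END CERTIFICATE-----' > "$d/client1.crt"
	printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEYDEMO' '-----END PRIVATE KEY-----' > "$d/client1.key"
	echo "$d"
}

# Stand-alone run: build a profile from the constructed demo files.
# Real use: make_ovpn vpn.example.com client1 keys > client1.ovpn
make_ovpn vpn.example.com client1 "$(demo_keys_dir)"
```

The resulting file contains the client's private key, so treat it like the key itself: generate it on the machine where you ran EasyRSA, move it to the client over a trusted channel, and keep it out of shared folders.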