Help with setting up own OpenVPN Server

Hello community,

For easier reading I am breaking down my post into: a) what I want to achieve and b) what I've tried already.

Background:
I have a D-Link router running the latest OpenWrt, sitting behind another router that provides the WAN. I've already set up DDNS successfully - it's up and running on the D-Link.

I've installed openvpn-easy-rsa, luci-app-openvpn, and openvpn-openssl.

A) Goal
Create my own OpenVPN server sitting on the D-Link router, using the DDNS hostname I've already configured, so I can access my local WAN IP from my devices when I am traveling abroad.

So I want to create client OpenVPN configuration files, which I will import into the app and use to connect to the router when abroad.

B) Attempts

I know a lot of you will tell me to go through the CLI (I tried this guide, but failed miserably as I cannot even import the profile into OpenVPN on my MacBook - getting a weird error "option_error: option 'pardtx560tx1120tx1680tx...' is too long").

So I tried the GUI version (LuCI) - I configured parameters such as server (xxx.ddns.net 255.255.255.0) etc.; however, no matter how I configure the wizard, the server never starts on the router.

Would really appreciate it if someone can guide me step by step.

Thanks

Can you see an error in syslog?

Have you configured this (WAN) router to redirect UDP port 1194 from WAN to the D-Link IP address on UDP port 1194?


What version of OpenWrt are you using?

Are you using this OpenVPN client for macOS?
https://openvpn.net/client-connect-vpn-for-mac-os/

Have you tried the equivalent OpenVPN client for iOS and/or Android?


Yes, tons of them. I think it's not configured correctly, and I'm starting to notice that LuCI is no better than the CLI in terms of complexity :confused:

Yes, I am forwarding port 1194 (TCP/UDP) from WAN to the D-Link.

I am still trying to understand the steps required based on the guides I've found; it's very confusing. I don't mind trying the CLI again, but I need to understand what to watch out for in the scenario I described above.

OpenWrt 22.03.0-rc6 r19590-042d558536 / LuCI openwrt-22.03 branch git-22.213.35949-d09fbe0

Correct.

No, because it seems something did not get configured properly. Based on the guide I followed, I think the DDNS was not configured properly on OpenVPN. The instructions are not very clear on how to do this.

Check it with ping. You must see your actual IP.

No, I mean in the OpenVPN server configuration. The DDNS resolves fine; it took me a while to set it up correctly. The OpenVPN guides give instructions only on how to set up the server on the main router, not on a router sitting behind the WAN.

I will try again with this guide. Any idea how I configure the server to listen on the DDNS IP?

```sh
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_ipaddr NET_ADDR "${NET_IF}"
OVPN_SERV="${NET_ADDR}"  # *** I guess I need to put the DDNS server here? ***

# Fetch FQDN from DDNS client  *** what about this parameter? ***
NET_FQDN="$(uci -q get ddns.@service[0].lookup_host)"
if [ -n "${NET_FQDN}" ]
then OVPN_SERV="${NET_FQDN}"
fi
```

I had an OpenVPN server running on my OpenWrt WR842N a while ago and I could connect to it with iOS OpenVPN and with a DIR-505 running OpenWrt with the OpenVPN client configured. I remember that I had a lot of trouble, but finally it worked fine.
But this year I lost my WR842N, and had no time to configure the DIR-860 I'm using now.
What I can say is that /var/log/openvpn.log helped me a lot.

I have a DIR-853, and am completely new to OpenWrt, so you can imagine the frustration. At least now I know it's not easy, but doable.

OK, I managed to run the server with these settings:

```
user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
```

How do I "link" the 192.168.8.0 server to the DDNS hostname?

I will try to help you a little.
I'm going to follow a script I wrote at the time.
First of all, have you created the certificates?

Thank you. Yes, first with this guide, and then with this guide I tried to make the configuration visible to LuCI.

However, I cannot import the client.ovpn file on either my Mac or my iPhone due to the error I mentioned in my second post.

So I would appreciate it if you can guide me a bit on the certificate generation as well.

That's not how it works. DDNS is separate from OpenVPN. DDNS is a way for the client(s) to find your house by name instead of by IP number, which may get changed by the ISP (thus the dynamic part).

The IP that is registered with DDNS must be the same as the WAN IP of your main router. Then that router is configured to forward port 1194 UDP from its WAN to your OpenVPN server on the LAN.

The 192.168.8.0 network is the tunnel network carrying the users' decrypted packets. It exists only at the tunnel endpoints. It has nothing to do with the transport of encrypted packets through the Internet.

Thanks, mk24. A little clearer now.

On the WAN router, I am forwarding 1194 TCP/UDP to the OpenWrt router IP (192.168.70.12). Do I need to forward it to the 192.168.8.0 network? If so, how do I do that?

No, you do not need to forward 192.168.8.0 network. (see PM)

FWIW, I presume you have edited the client.ovpn file and specified your DDNS hostname within it:

```
remote mydns 1194 udp
```

FWIW, here is the OpenVPN 21.02 server guide I wrote for the HH5a in December 2021, based on the OpenWrt wiki CLI instructions at the time for the OpenVPN server on 21.02.
https://www.dropbox.com/s/idjzqs3cyyb1zai/7-OpenVPN%20Server%20for%20HH5A.pdf?dl=0

The guide includes useful information and tips omitted from the OpenWrt wiki page, which may be helpful to beginners.

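The points made above (the client's `remote` must name the DDNS host, the tunnel subnet must stay separate from the LANs, and client and server must agree on port and protocol) can be checked mechanically. The following is an added example, not code from the thread or the OpenWrt wiki; the server config is the one posted above, while the upstream LAN (assumed /24 from the 192.168.70.12 address) and the client profiles are constructed samples.

```python
"""Check that a server.conf / client.ovpn pair fits the double-NAT layout in
the thread: tunnel subnet separate from the LANs, client pointing at the DDNS
name rather than a private address. Added example; sample values constructed."""
import ipaddress
import shlex

def parse_directives(text):
    """Map each directive to its argument lists; '#'/';' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def check_pair(server_conf, client_ovpn, lan_cidrs):
    """Return a list of problems; an empty list means server and client agree."""
    srv, cli = parse_directives(server_conf), parse_directives(client_ovpn)
    problems = []
    net, mask = srv["server"][0][:2]
    tunnel = ipaddress.ip_network(f"{net}/{mask}")
    for cidr in lan_cidrs:  # tunnel subnet must not collide with any LAN in the path
        if tunnel.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"tunnel {tunnel} overlaps LAN {cidr}")
    if "remote" not in cli:
        return problems + ["client.ovpn has no 'remote' line"]
    args = cli["remote"][0]  # remote <host> [port] [proto]
    host = args[0]
    port = args[1] if len(args) > 1 else "1194"
    proto = args[2] if len(args) > 2 else "udp"
    try:  # a LAN or tunnel address is unreachable from abroad; only the DDNS name works
        if ipaddress.ip_address(host).is_private:
            problems.append(f"remote {host} is a private address, use the DDNS name")
    except ValueError:
        pass  # not an IP literal, so a hostname, which is what DDNS gives us
    if port != srv.get("port", [["1194"]])[0][0]:
        problems.append(f"client port {port} differs from the server's")
    if proto.rstrip("46") != srv.get("proto", [["udp"]])[0][0].rstrip("46"):
        problems.append(f"client proto {proto} differs from the server's")
    return problems

# Constructed samples: the server config posted in the thread, the upstream
# router's LAN (assumed /24 from 192.168.70.12), and two client profiles.
SERVER_CONF = "dev tun\nport 1194\nproto udp\nserver 192.168.8.0 255.255.255.0\n"
GOOD_CLIENT = "client\ndev tun\nremote xxx.ddns.net 1194 udp\n"
BAD_CLIENT = "client\ndev tun\nremote 192.168.8.1 1194 udp\n"
LAN_CIDRS = ["192.168.70.0/24"]
```

Running `check_pair(SERVER_CONF, BAD_CLIENT, LAN_CIDRS)` flags the private `remote`, which is exactly the "linking" mistake asked about above: the client must dial the DDNS name, and the 192.168.8.0/24 tunnel only exists once the connection is up.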

Where are certificates, and keys?

192.168.8.0 is INTRINSIC LAN, there is no need to configure anything like DNS.

Update

I used my guide and copied and pasted the current (Aug 2022) CLI instructions from
https://openwrt.org/docs/guide-user/services/vpn/openvpn/server

for '1 - Preparation' through to '4 - VPN service'

I can confirm the CLI instructions are valid for OpenWrt 22.03.0-rc6 on my Xiaomi 4A Gigabit (MT7621) router.


Thank you, bill, for all your help, for providing the guide and for confirming on your end as well. I managed to make it work by using your guide.

Regarding not being able to import the profile into OpenVPN Connect: I was copying the config file directly from the CLI instead of downloading it. It seems this was the issue.

Thank you to everyone else in the thread for your support and guidance.


@apn3agr, are you sure that DDNS is pointing to your IP address? I like to resolve things part by part. Without DDNS it will not function.
