How do I set up OpenVPN server for site to site connection

I have an old DD-WRT router where I had set up OpenVPN Server with a static key to create a site to site OpenVPN connection from a laptop running an OpenVPN client, so I could reach my home network while away. I am switching to a new OpenWrt router and not sure how to replicate an equivalent OpenWrt OpenVPN setup, so I am looking for advice.

The laptop's OpenVPN configuration is as follows, which I would like to work unmodified as I create the new setup on the router:

#viscosity startonopen false
#viscosity dhcp true
#viscosity dnssupport true
#viscosity name tun1 mooo
#viscosity ipv6 false
route-gateway 10.0.1.1
remote tkoyn.mooo.com 2001 udp
secret secret.key
comp-lzo yes
dev tun
route 192.168.0.0 255.255.255.0 10.0.1.1 default
cipher AES-256-CBC
ifconfig 10.0.1.2 10.0.1.1
keepalive 15 60

And there is a key file that laptop uses:

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
[A whole bunch of hexadecimal codes that I am not gonna disclose...]
-----END OpenVPN Static key V1-----

My DD-WRT solution involved setting up a startup script and a firewall script, and I need to know how to do the equivalent on OpenWrt.

The startup script in DD-WRT would store a configuration into a working file with the following content:

proto udp4
port 2001
dev tun1
secret /tmp/static.key
cipher AES-256-CBC
verb 4
comp-lzo
keepalive 15 60
ping-timer-rem
auth-nocache
daemon

The same static key as for the client was stored in another file on the router.

Then the startup script would do the following to create the tunnel and start openvpn:

/tmp/myvpn --mktun --dev tun1
ifconfig tun1 10.0.1.1 netmask 255.255.255.0 promisc up
/tmp/myvpn --config SiteA-SiteB.conf

The DD-WRT firewall script had

# Open firewall holes for VPN
iptables -I INPUT 2 -p udp --dport 2001 -j ACCEPT
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT

# Allow ping over VPN
iptables -I INPUT 3 -i tun1 -p icmp -j ACCEPT

# Allow router admin over VPN
iptables -I INPUT 1 -i tun1 -p tcp --dport 80 -j ACCEPT

# Allow telnet to router over VPN
iptables -I INPUT 1 -i tun1 -p tcp --dport 23 -j ACCEPT

# Allow SSH to router over VPN
iptables -I INPUT 1 -i tun1 -p tcp --dport 22 -j ACCEPT

# Support access to Internet with client coming in through tun1 and going out this WAN
iptables -I FORWARD -i tun1 -o vlan2 -j ACCEPT

Thanks in advance for any advice.

Static keys are deprecated.

Better use WireGuard: easier to set up and much faster.

Are static keys actually disallowed? If not, how would I proceed with OpenVPN and static key?

https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#Option:--secretStatus:Deprecatedpendingremoval


Also newer versions of OpenVPN server refuse to connect to old versions of the client. You will need to upgrade both at once.

As far as answering the question that was originally asked, there are two ways to configure OpenVPN on OpenWrt.

  1. Options in file /etc/config/openvpn which will be translated to a temporary .ovpn native format config file at runtime.
  2. Use option config in /etc/config/openvpn which points at a native format .ovpn file. OpenWrt has a fully writeable filesystem so that any arbitrary files can be stored permanently, up to the limit of flash size.

OpenWrt has a high level firewall system, so allowing input of encrypted packets would be handled by a rule, and controlling flow in and out of the tunnel would be done with a zone and rules attached to that zone. There is no need to write kernel table rules directly.
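To make the two options and the zone-based firewall concrete, here is an added example (written for this thread, not code from the original post or from the OpenWrt project) that translates the DD-WRT setup above into OpenWrt's UCI files. It assumes the static key has been copied to /etc/openvpn/static.key, that the home LAN is 192.168.0.0/24 as in the laptop's route line, and, for option 2, that the DD-WRT SiteA-SiteB.conf has been copied to /etc/openvpn/siteab.conf with the `daemon` line removed and the `secret` path changed to /etc/openvpn/static.key. The section names (`siteab`, `siteab_native`, `vpn`) and rule names are chosen here; everything else mirrors the posted configuration.

```uci
# /etc/config/openvpn -- option 1: UCI options. The init script turns each
# option into a command-line flag (--proto udp4 --port 2001 ...). Dashes in
# OpenVPN option names become underscores; flag options get the value '1'.
config openvpn 'siteab'
	option enabled '1'
	option proto 'udp4'
	option port '2001'
	option dev 'tun1'
	# chmod 600 the key; it is the only thing authenticating the peer
	option secret '/etc/openvpn/static.key'
	option cipher 'AES-256-CBC'
	# Mirror of the laptop's "ifconfig 10.0.1.2 10.0.1.1". OpenVPN creates
	# and addresses tun1 itself, so no --mktun / ifconfig / promisc step.
	option ifconfig '10.0.1.1 10.0.1.2'
	option keepalive '15 60'
	option ping_timer_rem '1'
	option auth_nocache '1'
	# kept only because the unmodified laptop config has "comp-lzo yes"
	option comp_lzo 'yes'
	option verb '4'
	# no "daemon": procd supervises the process in the foreground

# /etc/config/openvpn -- option 2: point at a native-format file instead.
# Enable one stanza or the other, not both (both would claim tun1).
config openvpn 'siteab_native'
	option enabled '0'
	option config '/etc/openvpn/siteab.conf'

# /etc/config/firewall -- additions replacing the iptables script.
# Accept the encrypted UDP on the WAN side (was: -I INPUT 2 -p udp --dport 2001).
config rule
	option name 'Allow-OpenVPN'
	option src 'wan'
	option proto 'udp'
	option dest_port '2001'
	option target 'ACCEPT'

# tun1 gets its own zone; input to the router is REJECT by default so only
# the explicit rules below apply, like the DD-WRT INPUT rules.
config zone
	option name 'vpn'
	list device 'tun1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Laptop <-> home LAN (was: the two br0/tun1 FORWARD rules)
config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'vpn'

# Laptop -> Internet through the router's WAN (was: -i tun1 -o vlan2);
# the default wan zone already masquerades outbound traffic.
config forwarding
	option src 'vpn'
	option dest 'wan'

# Router itself over the tunnel: ping, SSH and the web UI only (telnet is
# dropped; OpenWrt does not run a telnet server).
config rule
	option name 'VPN-Ping'
	option src 'vpn'
	option proto 'icmp'
	option target 'ACCEPT'

config rule
	option name 'VPN-Admin'
	option src 'vpn'
	option proto 'tcp'
	option dest_port '22 80'
	option target 'ACCEPT'
```

After editing the files, run `/etc/init.d/firewall restart` and `/etc/init.d/openvpn restart`, then watch `logread -e openvpn` for the "Initialization Sequence Completed" line while the laptop connects. The static key and the LZO compression are both carried over unchanged because the laptop config must stay as it is; note that OpenVPN deprecates both, and that a static key means anyone who obtains the file can join the tunnel, so keep it at mode 0600 on both ends and rotate it if the laptop is ever lost.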

Which version of OpenVPN are we using with OpenWrt?

OK, then assume I will update the version of OpenVPN on the client. Then how would I proceed with each of the two options you describe?

For OpenWrt 24.10 we are using 2.6.12; for main I think already 2.6.13, and 23.05.5 is still on 2.5.8.

You can easily check with openvpn --version

But I recommend using WireGuard, which is much easier to set up and much faster.

OK, then those OpenWrt versions still have the static key feature. I have other reasons I do not wish to change the laptop to WireGuard.

So I am still hoping you or someone can provide me some assistance on my original question. Thanks.

OpenVPN site to site config: