How do I tunnel OpenVPN to one specific device connected to wireless wlan/lan

Hey guys! I'm trying to set up an OpenVPN server that will connect directly to my raspberry pi's Octoprint webserver and said VPN will be exposed to the internet. I followed this guide in order to set up the firewall, network, and openvpn configurations. But I'm wondering if it is possible to have my server only tunnel to my raspberry pi (which is connected wirelessly on my router); however the guide seems to assume the device is being hooked up via ethernet.

Here's some photos of my router settings


Drop the forwarding from vpn to lan and create a rule to allow from vpn to the raspberry.

Erm.. how exactly do I do that? I don't see an option in the firewall settings that allows me to specifically forward to a device on my network, only the interfaces and zones

Oops! I also forgot to mention this traffic rule the guide mentions too

From the main firewall zone, edit the vpn zone, and deselect lan from Allow forward to destination zones at the bottom.
Then go to Traffic Rules tab.
Create a new rule and select Source zone vpn, destination zone lan, destination address the IP of the Raspberry, and action Accept.

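The same change expressed as an `/etc/config/firewall` fragment, added here as an example and not taken from the guide or the thread. It assumes the OpenVPN interface is named `vpn` in `/etc/config/network` and that the Pi's wireless client sits in the default OpenWrt bridge, so it is part of the `lan` zone like a wired host; `192.168.1.50` is a placeholder for the Pi's address.

```conf
# /etc/config/firewall (relevant sections only)

# VPN zone: clients on tun0 may talk to the router itself (input ACCEPT),
# but nothing is forwarded out of the zone unless a rule allows it.
config zone
	option name 'vpn'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# REMOVED: the blanket vpn -> lan forwarding the guide creates.
# With it present every VPN client can reach every device in the lan.
#config forwarding
#	option src 'vpn'
#	option dest 'lan'

# Instead, accept forwarded traffic from the vpn zone only when it is
# addressed to the Pi (placeholder address, adjust to your network).
config rule
	option name 'Allow-VPN-to-OctoPrint'
	option src 'vpn'
	option dest 'lan'
	option dest_ip '192.168.1.50'
	option proto 'all'
	option target 'ACCEPT'

# Lets VPN clients on the internet reach the OpenVPN listener itself.
# If the OpenWrt box sits behind an ISP router, 1194/udp must also be
# forwarded there to the OpenWrt WAN address.
config rule
	option name 'Allow-OpenVPN-Inbound'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'
```

Apply with `/etc/init.d/firewall restart`; adding `option dest_port` to the first rule narrows access further to just the Octoprint web port.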

Sorry for the late reply! Thanks for info, I got it and OpenVPN configured and running so far. However, I'm wondering about two things:

  1. I'm at the part of configuring the client.ovpn file but I'm wondering since I will have multiple clients connecting to it (not at once but varying times depending on what device I have access to at the time) how can I input all of the client keys in the same file? The format the author of the guide used is as follows:
#specify TUN vs. TAP (if you're not sure, you want TUN)
dev tun

#specify protocol to use (default is UDP)
proto udp

#Certificate information
ca   ca.crt
cert user1.crt
key  user1.key

#client settings
client
remote-cert-tls server
remote YOUR_DNS_ENTRY_OR_IP 1194
  2. I'm wondering how I can port forward the vpn server so my clients can still access it whenever they are outside of the router's network. I have a DDNS from Duckdns set up so I don't have to access the server via the router's ip address and that has https enabled (as per the guide as well)

They have to be in the same working directory.

You have already opened the access on the router.
Opening the uhttpd on the internet is a security risk as it is not hardened against attacks.

So would I have to put them in the client file as cert user1.crt; user2.crt?

What is uhttpd? I want to be able to have the VPN server accessed with my client devices (my phone and laptop specifically). I originally had it where I just port forwarded http directly to my raspberry pi and had a reverse proxy set up via haproxy but I was unable to get http set up properly on the local side (it kept giving me https errors whenever I accessed the webserver within the network connection. But I did get it working when accessing the webserver outside of the network). At least from what I was told on the Octoprint community, forwarding a VPN would be much safer than the haproxy method.

No, this format is used when you have the certificates as external files.
If you want to include them in the main configuration file you can follow the official guide.

The default web server.
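What the inline format referred to above looks like, as an added example (not from the guide or the thread): the `ca`/`cert`/`key` file references from the posted snippet are replaced by `<ca>`, `<cert>` and `<key>` blocks, and each client gets its own profile; the server does not need any of these, it accepts any certificate signed by the CA. The PEM bodies are placeholders to be replaced with the real file contents.

```conf
# user1.ovpn  (one profile per client; user2.ovpn differs only in the
# <cert> and <key> blocks, which hold that client's own certificate and key)
dev tun
proto udp
client
remote-cert-tls server
remote YOUR_DNS_ENTRY_OR_IP 1194

# Inline CA certificate: paste the contents of ca.crt between the tags.
<ca>
-----BEGIN CERTIFICATE-----
(contents of ca.crt)
-----END CERTIFICATE-----
</ca>

# Inline client certificate: contents of user1.crt.
<cert>
-----BEGIN CERTIFICATE-----
(contents of user1.crt)
-----END CERTIFICATE-----
</cert>

# Inline client private key: contents of user1.key. This file now holds a
# secret, so treat the .ovpn like the key file itself.
<key>
-----BEGIN PRIVATE KEY-----
(contents of user1.key)
-----END PRIVATE KEY-----
</key>
```

If the server was set up with the TLS pre-shared key mentioned later in the thread, that key goes into a matching `<tls-crypt>` (or `<tls-auth>`) block the same way.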

Ah ok. I don't plan on making the Luci interface public, just the Octoprint server on my raspberry pi via the VPN. How can I make the VPN alone public and have that basically be a tunnel that directs all connections to the raspberry pi/Octoprint? The end goal I'm trying to achieve is what this guide describes

You can follow the guide I posted earlier to setup the OpenVPN server on the OpenWrt.
After you follow all the steps the vpn will be able to communicate with the devices in the lan.
If you really need to block everything and allow the web server on raspberry it is possible, but a few modifications are needed.

The guide I sent in my very initial post did the same thing as the one you sent (the main difference from what I saw was the guide I followed didn't generate a TLS PSK. In fact both guides are actually old because some of the commands have changed and certain steps had to be done differently), which I just finished getting up and running. I followed what you said about making the VPN traffic go directly to the pi, but I still can't figure out how to port forward the VPN. How do I do that?


Such as?

Either I don't understand the question or you didn't understand that the OpenVPN tunnel as it is described in the guide allows native routing between the VPN clients and the lan. So I don't see where port forwarding is involved.

source vars
clean-all
build-ca
build-dh
build-key-server c7
build-key-pkcs12 user1

All of these commands are completely different with the version of EasyRsa that OpenWrt ships with now. build-dh is now gen-dh, and build-key-server/build-key-client are now build-server-full/build-client-full respectively. And easyrsa --batch init-pki doesn't need to be run, easyrsa clean-all does the same thing as easyrsa --batch init-pki but it also removes all easyrsa data.

I'm trying to make the VPN public so my devices can use the VPN as a 'gateway' of sorts to access my raspberry pi's Octoprint server. Yes, I know there's security risks to that but I still want to go ahead and do it anyway, it seems to be a better option than how I had it originally. That's where the port forwarding is involved, the way the VPN is now I still can't access the VPN if my devices are NOT connected to the router's network.

As stated here, once you leave the home network, you can't access Octoprint anymore since it is hidden behind the private network's firewalls. And in order to allow remote access, you could port forward the Octoprint instance directly (which can be dangerous as I am aware of) or you could set up a VPN server on the home network, and configure your devices to access the network via a VPN client.

These commands don't exist in the guide. build-ca is an argument of an easy-rsa command.

There is no easyrsa clean-all in the guide.

So it is still unclear to me what didn't work from the guide.

If the OpenWrt running the OpenVPN server is not connected to the ISP directly, then you need to port forward 1194 udp on your ISP router.

Ok... now I got a problem. I can't get my phone to connect to the VPN at all (whether on wifi or not). So I went and tried to follow the guide you sent me but I followed it and it didn't even generate the Openvpn server configuration at all.

Also, I have my duckdns address in my client.ovpn files instead of the ip address

Does the duckdns name point to your correct public IP? Testing needs to be done from outside the network, it is very unlikely to work with the phone connected to your wifi so always use the cell network.

The server doesn't need copies of the client certificates or keys. Any client certificate which you have issued and signed with the CA certificate will be allowed as an authorized client, those which are not so signed are not allowed.

You should also set up a CRL to disallow clients in case the device with certificate / key has been lost or stolen or otherwise that client should not be allowed any more. Or if there are only a very few clients you could make a new CA and re-issue all certificates.
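The CRL setup suggested above, written out as an added example (not part of the thread or the guide). It assumes EasyRSA 3 (the `easyrsa revoke` / `gen-crl` commands, run from the PKI directory on the router) and an OpenVPN 2.4 server; the path `/etc/openvpn/crl.pem` is a placeholder.

```conf
# 1. Revoke the lost or retired client's certificate and regenerate the
#    revocation list (EasyRSA 3 writes it to pki/crl.pem):
#
#      easyrsa revoke user1
#      easyrsa gen-crl
#      cp pki/crl.pem /etc/openvpn/crl.pem
#
# 2. Make the server check every client certificate against the list.
#    OpenVPN server config directive (placeholder path):
crl-verify /etc/openvpn/crl.pem
#
#    Assumed uci form for /etc/config/openvpn on OpenWrt:
#      option crl_verify '/etc/openvpn/crl.pem'
#
# 3. OpenVPN 2.4 re-reads the CRL when the file changes, so the revoked
#    client is refused at its next handshake without a server restart.
#    The CRL itself has an expiry (EasyRSA default 180 days); once it
#    expires OpenVPN rejects every client, so rerun gen-crl before then.
```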

It does match, but I'm noticing in the logs I'm getting TLS errors when I try to connect to it

Sat May 30 15:36:03 2020 OpenVPN 2.4.7 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat May 30 15:36:03 2020 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
Sat May 30 15:36:03 2020 Diffie-Hellman initialized with 2048 bit key
Sat May 30 15:36:04 2020 TUN/TAP device tun0 opened
Sat May 30 15:36:04 2020 TUN/TAP TX queue length set to 100
Sat May 30 15:36:04 2020 /sbin/ifconfig tun0 XXXXXX netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Sat May 30 15:36:04 2020 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat May 30 15:36:04 2020 Socket Buffers: R=[XXXXXX->XXXXXX] S=[XXXXXX->XXXXXX]
Sat May 30 15:36:04 2020 UDPv4 link local (bound): [AF_INET][undef]:1194
Sat May 30 15:36:04 2020 UDPv4 link remote: [AF_UNSPEC]
Sat May 30 15:36:04 2020 GID set to nogroup
Sat May 30 15:36:04 2020 UID set to nobody
Sat May 30 15:36:04 2020 MULTI: multi_init called, r=256 v=256
Sat May 30 15:36:04 2020 IFCONFIG POOL: base=XXXXXX size=252, ipv6=0
Sat May 30 15:36:04 2020 Initialization Sequence Completed
Sat May 30 15:39:46 2020 XXXXXX TLS: Initial packet from [AF_INET]XXXXXX, sid=XXXXXX XXXXXX
Sat May 30 15:39:56 2020 XXXXXX TLS: Initial packet from [AF_INET]XXXXXX, sid=XXXXXX XXXXXX
Sat May 30 15:40:46 2020 XXXXXXTLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat May 30 15:40:46 2020 XXXXXX TLS Error: TLS handshake failed
Sat May 30 15:40:46 2020 XXXXXX SIGUSR1[soft,tls-error] received, client-instance restarting
Sat May 30 15:40:56 2020 XXXXXX TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat May 30 15:40:56 2020 XXXXXX TLS Error: TLS handshake failed

I censored stuff with XXXXXX

I got all of the clients I want to connect to signed already.

And how do I do that?