Installing vpn-server with guide

Hello all,

I am trying to install the VPN server on my router using the guide:
https://lede-project.org/docs/user-guide/openvpn.server#openvpn_server
At "Server Cert OpenSSL Prerequisites" the guide says I have to "Change the server's SAN IP from 10.0.1.1 to match your VPN Server IP".
Who knows which IP address I can best use? And why? Thank you.

I am using Lede 17.01.4, clean install.

Regards,
Lucas

I can't answer your question directly, but I found this tutorial by Logan Marchione extremely useful.

Note that Logan uses Easy-RSA. I had no issues creating my certs and keys using Easy-RSA and I have had no problems (although I did at one point have certs/keys that were not 'yet' valid, since the keys were generated with an assumption of UTC and I was running it with UTC - 8; it resolved itself 8 hours later, once the keys were older than (current time - 8 hrs)).

OpenSSL is advised in the LEDE tutorial based on better encryption and more options, but I'm not sure how significant these factors are in the grand scheme of things.

1 Like

Hello @psherman,
Thank you for the reply. I've used the same guide you mentioned. It was working well, but hotels were blocking that VPN. So I am now trying to configure a VPN with "tcp", "ssl", "443" and with obfsproxy, so that hotels will not see a VPN to block but just normal HTTPS traffic.

To install the VPN with the guide I mentioned, I was curious why I have to change the IP and to which one.
So if anybody knows "what and why" I have to change the IP, I am eager to learn.
Regards,
Lucas

I have not made the move to OpenSSL certs and keys, but I have several mitigation methods in place to hopefully avoid firewalls blocking my VPN connection to home, including through the Great Firewall of China (I haven't been there recently, though, so can't comment on the current status of this approach).

My strategy is to run OpenVPN TCP + UDP on ports 1194 and 443. The OVPN 'signature' is a bit different than standard HTTPs traffic and is not masked, so DPI can obviously still determine the data type (just not the content inside the tunnel), but this gives me 4 connection possibilities right off the bat. Then I also run Shadowsocks and stunnel so that I can push the tunnel over either of those obfuscation methods (at the expense of performance, of course). This gives me a total of 6 different connection options.

The other thing to consider is that some of the blocking techniques are not necessarily just DPI, but also connection duration -- a VPN-ish tunnel is often open for a longer period of time than a standard SSL transaction, so that is also a clue that some of the firewalls may use to throttle or drop/block connections.

Wireguard is supposed to overcome some of these issues (IIRC, it has some form of stateless connection so it doesn't raise flags about the duration of the connection, and it is supposed to be more data efficient and possibly easier on the processors for the encryption/decryption operations), but I haven't tried it.

Hi @psherman,

Beautiful strategy. I will copy that strategy. Tnx.
My efforts to install the VPN server using the LEDE guide did not succeed. I will now use the Logan Marchione guide you mentioned.
For UDP I use port 5060, because it's easier with the firewall of my ISP router.
Regards,

Lucas

I am still trying to install the VPN server the LEDE way with the guide I mentioned. Does anyone have experience with installing the VPN server with the SSL guide? Can you share that experience? I have a lot of trouble installing it. Now I have an error with the first CA command (openssl req -x509 -new ...... -nodes):
error:0E079065:lib(14):func(121):reason(101):NA:0:line 920

So I think I made a mistake with an adjustment in my file /etc/ssl/openssl.cnf

@Lucas -- you may want to post an exact command you've used (and sometimes a few commands you ran before it) to get meaningful help.

I personally used this article when setting up OpenVPN Server: https://wiki.openwrt.org/doc/howto/vpn.openvpn -- just pick the OpenSSL tabs for certificates/commands and TUN for OpenVPN setup instructions.

Hi @stangri
First a reset: LEDE Reboot 17.01.4 r3560-79f57e422d / LuCI lede-17.01 branch (git-17.290.79498-d3f0685)
I am following the guide with:

#Install Packages:
opkg update ; opkg install openvpn-openssl luci-app-openvpn openssl-util

#Download openssl.cnf:
    # Save as /etc/ssl/openssl.cnf
    cd /etc/ssl ; mkdir -p ca/csr crl openvpn/clients
    echo 00 > serial
    echo 00 > crl/crlnumber

    touch index
    touch rand

openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout CA.key.pem -out CA.crt.pem -config ./openssl.cnf -extensions v3_ca -nodes
Error is:
1998245048:error:0E079065:lib(14):func(121):reason(101):NA:0:line 920

My openssl.cnf, with only my changes listed:

#https://github.com/JW0914/Wikis/blob/master/Scripts%2BConfigs/OpenSSL/openssl.cnf
Changes made:
Line 183: DNS.1 = Router.1, changed Router.1 => DNS.1 = weteling
Line 188: DNS.1 = Router.2, changed Router.2 => DNS.1 = vanspaen
All DNS1 and DNS2 entries filled in with ISP dns1 and ISP dns2
All your.ddns.com replaced with weteling.ddns.net, and dns 1 etc. replaced with the ISP DNS

Judging by the edits history it's @JW0914's guide, ping him.

Any RFC1918 subnet block

That guide is not only obsolete and inefficient, it's nothing other than a generic, cookie cutter VPN setup that can be found in 95 - 99% of OpenVPN server wikis. This doesn't even touch on the fact it utilizes Easy-RSA, which should never be utilized... I noted the specific reasons here.

  • Easy-RSA also requires one to utilize an IP or DNS host name as the CN, which was obsoleted decades ago in the RFC (this is why Google Chrome no longer trusts SSL certs utilizing the CN for the IP or DNS instead of properly putting them in the SAN). Easy-RSA is the equivalent of WPS for WiFi.

One can do things the right way or the easy way, and if users would like to know why an openssl.cnf should be utilized over Easy-RSA, see the OpenSSL Man pages.

  • Considering I'm answering why Easy-RSA should not be utilized at least once a week on the LEDE forum, users can either trust that I did my due diligence and read through all the content I link to, or they can read through the same information to fact check my assertions... It's getting old explaining why Easy-RSA should not be utilized over and over again.

TCP should not be utilized unless you've verified they're blocking UDP on 443, as TCP cannot efficiently encapsulate itself.

  • The only two use cases for TCP usage are for troubleshooting or when packet loss is high.
  • Please post the openssl.cnf from your ssl directory, as Line 920 in my openssl.cnf is commented out (all lines after 429 are commented out)

    • Please delete your DDNS from the posted output, and please post in a code box (three back ticks, content on new line, three back ticks on new line following content)
  • No CA/ICA should ever be generated with -nodes specified. There needs to be a password set for all CA/ICA keys.

I get no errors issuing your command:

[root@LEDE] /etc/ssl # wget https://raw.githubusercontent.com/JW0914/Wikis/master/Scripts%2BConfigs/OpenSSL/openssl.cnf
   --2018-01-15 18:48:48--     https://raw.githubusercontent.com/JW0914/Wikis/master/Scripts%2BConfigs/OpenSSL/openssl.cnf
   Resolving raw.githubusercontent.com... 151.101.64.133, 151.101.128.133, 151.101.192.133, ...
   Connecting to raw.githubusercontent.com|151.101.64.133|:443... connected.
   HTTP request sent, awaiting response... 200 OK
   Length: 39308 (38K) [text/plain]
   Saving to: 'openssl.cnf'
   
   openssl.cnf    100%   [============================================================>]  38.39K  --.-KB/s    in 0.06s
   
   2018-01-15 18:48:48 (646 KB/s) - 'openssl.cnf' saved [39308/39308]
   
   [root@LEDE] /etc/ssl # mkdir -p ca/csr crl openvpn/clients
   [root@LEDE] /etc/ssl # echo 00 > serial
   [root@LEDE] /etc/ssl # echo 00 > crl/crlnumber
   [root@LEDE] /etc/ssl # touch index
   [root@LEDE] /etc/ssl # touch rand
   [root@LEDE] /etc/ssl # openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout CA.key.pem -out CA.crt.pem -config ./openssl.cnf -extensions v3_ca -nodes
   Generating a 4096 bit RSA private key
   ...............................................++
   ...............................................................................++
   writing new private key to 'CA.key.pem'
   -----
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   xx [US]:
   State [State]:
   Locality [Locality]:
   Organization [Sophos UTM]:
   Organizational Unit [LAN]:
   Common Name []:test
  • I also corrected DN output on lines 146 & 157
    • Should be Country [xx]:, not xx [US]:
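Added note and example, not from any poster or from the linked guides: the code 0E079065 decodes as lib 14 (configuration file routines), function 121 (DEF_LOAD_BIO), reason 101 (missing equal sign), so OpenSSL stopped parsing openssl.cnf at line 920 because a non-comment line there has no "=", which is exactly what a hand edit of the DNS/IP placeholders can produce. The Python check below, run over a constructed openssl.cnf fragment (the names and addresses are made up), finds such lines before openssl is invoked, and also confirms that every IP.* entry in the alt_names section (the server's SAN) is an RFC1918 address, per the answer above.

```python
import ipaddress
import re

# Constructed openssl.cnf fragment (not the real file from the guide). The
# alt_names section carries the server SAN; the last line reproduces the
# kind of edit that triggers error 0E079065 (CONF, DEF_LOAD_BIO, missing equal sign).
SAMPLE_CNF = """\
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.ddns.invalid
IP.1 = 10.0.1.1
IP.2 = 203.0.113.5
# comment lines are ignored by the parser
DNS.2 192.168.1.1
"""

SECTION_RE = re.compile(r"^\[\s*([^\]]+?)\s*\]$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_cnf(text):
    """Return (entries, bad_lines): entries maps section -> [(key, value)],
    bad_lines lists the 1-based line numbers that OpenSSL's CONF loader
    rejects with 'missing equal sign' (the first one is what the error reports)."""
    entries, bad_lines, section = {}, [], "default"
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if "=" not in line:
            bad_lines.append(lineno)
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        entries.setdefault(section, []).append((key, value))
    return entries, bad_lines

def non_rfc1918_san_ips(entries, section="alt_names"):
    """IP.* SAN entries that are not RFC1918 addresses (or not valid IPs at all)."""
    offenders = []
    for key, value in entries.get(section, []):
        if not key.startswith("IP."):
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            offenders.append(value)
            continue
        if not any(addr in net for net in RFC1918):
            offenders.append(value)
    return offenders
```

Run it against the real /etc/ssl/openssl.cnf by reading the file into parse_cnf; a non-empty bad_lines is the line to fix before re-running the openssl req command.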

10 posts were split to a new topic: Wiki: docs/user-guide/openvpn.server