Hi
I've compiled firmware for my router several times now and I often pre-configure the firmware with the config files that hold all settings. This is brilliant because I can simply factory reset the router and it goes back to a fully working router without needing to re-configure everything.
I would like to set up an OpenVPN server and I'm currently following this guide https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic.
Unfortunately I've found it too long-winded and instead I've created the certificates using the desktop version of Easy-RSA using the below commands:-
sudo apt-get update
sudo apt-get install openvpn && sudo apt-get install easy-rsa
sudo mkdir -p /etc/openvpn/easy-rsa
sudo cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
# Modify 'vars' file (KEY_SIZE, KEY_COUNTRY, KEY_ORG and so on)
sudo su
cd /etc/openvpn/easy-rsa/
source ./vars
# clean-all creates keys/ together with the index.txt and serial files that pkitool needs;
# a bare 'mkdir keys' is not enough for the signing steps below
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
# The 4 files needed for OpenVPN:-
server.crt
server.key
ca.crt
dh2048.pem
# Create Client key
sudo su
cd /etc/openvpn/easy-rsa/
source ./vars
./pkitool John.Smith
# Copy files to client:-
# Do not 'chmod -R 777' the easy-rsa tree: that exposes ca.key and server.key to every local user.
# Copy only the three client files out to the desktop user instead (<desktop-user> is a placeholder).
cd /etc/openvpn/easy-rsa/keys
mkdir -p /home/<desktop-user>/John.Smith-vpn
cp ca.crt John.Smith.crt John.Smith.key /home/<desktop-user>/John.Smith-vpn/
chown -R <desktop-user>:<desktop-user> /home/<desktop-user>/John.Smith-vpn
chmod 600 /home/<desktop-user>/John.Smith-vpn/John.Smith.key
My next step is to create the server itself on OpenWrt. Would I be better off using the LuCI OpenVPN GUI or using something like WinSCP, editing the '/etc/config/openvpn' and pointing the settings to the 4 files I created with Easy-RSA inside a folder, for example '/etc/config/OpenVPN/Easy-RSA'?
The following code was pulled from an earlier revision of the guide mentioned above. This is what I was planning on using:-
# Configure Interface
uci set network.vpn="interface"
uci set network.vpn.ifname="tun0"   # must match 'dev' in the OpenVPN config; OpenWrt 21.02+ uses network.vpn.device instead
uci set network.vpn.proto="none"
uci set network.vpn.auto="1"
uci commit network
# Configure Firewall
uci add firewall rule
uci set firewall.@rule[-1].name="Allow-OpenVPN-Inbound"
uci set firewall.@rule[-1].target="ACCEPT"
uci set firewall.@rule[-1].src="wan"
uci set firewall.@rule[-1].proto="udp"
uci set firewall.@rule[-1].dest_port="1194"
# Configure firewall zone
uci add firewall zone
uci set firewall.@zone[-1].name="vpn"
uci set firewall.@zone[-1].input="ACCEPT"
uci set firewall.@zone[-1].forward="ACCEPT"
uci set firewall.@zone[-1].output="ACCEPT"
uci set firewall.@zone[-1].masq="1"
uci set firewall.@zone[-1].network="vpn"
# Configure zone forwarding (vpn -> wan and vpn -> lan)
uci add firewall forwarding
uci set firewall.@forwarding[-1].src="vpn"
uci set firewall.@forwarding[-1].dest="wan"
uci add firewall forwarding
uci set firewall.@forwarding[-1].src="vpn"
uci set firewall.@forwarding[-1].dest="lan"
uci commit firewall
# Save and reload settings
/etc/init.d/network reload
/etc/init.d/firewall reload
Many thanks
Will
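An added example of the '/etc/config/openvpn' route asked about above; this is not from the OpenWrt guide or from the post itself. The script renders a UCI server section that points at the four Easy-RSA files plus the ta.key generated earlier, and runs the check a practitioner would want before enabling the service: every referenced file exists and the private material is not readable by other users. The certificate directory /etc/openvpn/easy-rsa on the router, the section name 'myvpn' and the 10.8.0.0/24 tunnel subnet are assumptions, not values from the guide.

```shell
#!/bin/sh
# Added example (not from the OpenWrt guide or the original post).
# Assumed layout: the Easy-RSA output copied to /etc/openvpn/easy-rsa on the router.
CERT_DIR="${CERT_DIR:-/etc/openvpn/easy-rsa}"

# Print a UCI 'config openvpn' server section referencing the files in $1.
# 'dev tun0' must match network.vpn.ifname from the interface block in the post.
render_openvpn_uci() {
  cert_dir="$1"
  cat <<EOF
config openvpn 'myvpn'
	option enabled '1'
	option dev 'tun0'
	option port '1194'
	option proto 'udp'
	option server '10.8.0.0 255.255.255.0'
	option ca '${cert_dir}/ca.crt'
	option cert '${cert_dir}/server.crt'
	option key '${cert_dir}/server.key'
	option dh '${cert_dir}/dh2048.pem'
	option tls_auth '${cert_dir}/ta.key 0'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option group 'nogroup'
	option verb '3'
EOF
}

# Verify that every file the section references exists under $1 and that the
# private key and tls-auth key are mode 600 (or 400). Returns 0 when all checks pass.
check_server_files() {
  cert_dir="$1"
  status=0
  for f in ca.crt server.crt dh2048.pem ta.key server.key; do
    if [ ! -f "$cert_dir/$f" ]; then
      echo "missing: $cert_dir/$f" >&2
      status=1
    fi
  done
  for f in server.key ta.key; do
    if [ -f "$cert_dir/$f" ]; then
      # 'stat -c %a' prints the octal mode; GNU coreutils and BusyBox both support it
      mode=$(stat -c %a "$cert_dir/$f")
      case "$mode" in
        600|400) ;;
        *) echo "$cert_dir/$f is mode $mode, expected 600" >&2; status=1 ;;
      esac
    fi
  done
  return $status
}

# Usage on the router (commented out so the script is harmless to run elsewhere):
#   check_server_files "$CERT_DIR" && render_openvpn_uci "$CERT_DIR" > /etc/config/openvpn
#   /etc/init.d/openvpn enable && /etc/init.d/openvpn start
```

The same rendered file can be dropped into the build tree as files/etc/config/openvpn (alongside the certificate files under files/etc/openvpn/easy-rsa/) so that a factory reset restores the VPN server together with the rest of the pre-configured settings, which is exactly the workflow described at the top of the post.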