Migrate OpenVPN AS to OpenWrt device

All,

I currently use an OpenVPN Access Server that's downstream of my device as a connection solution.

Does anyone in the forum have experience converting their AS config into an OpenWrt instance?

Could you post the config?

The config of what (that's what I need help with)?

I just have a Ubuntu server with OpenVPN AS installed. I want to get rid of it and move to OpenWrt.

I'll try to produce the AS server's configs by using this guide: https://docs.openvpn.net/configuration/migrating-an-access-server-installation/

Try this link to export OpenVPN Access Server config:
https://openvpn.net/vpn-server-resources/configuration-database-management-and-backups/#viewing-the-current-server-configuration


/usr/local/openvpn_as/etc/as.conf

# OpenVPN AS 1.1 configuration file
#
# NOTE:  The ~ symbol used below expands to the directory that
# the configuration file is saved in

# remove for production
# DEBUG=false

# enable AS Connect functionality
AS_CONNECT=true

# temporary directory
tmp_dir=~/tmp

lic.dir=~/licenses

# run_start retries
run_start_retry.give_up=60
run_start_retry.resample=10

# enable client gateway
sa.show_c2s_routes=true

# certificates database
certs_db=sqlite:///~/db/certs.db

# user properties DB
user_prop_db=sqlite:///~/db/userprop.db

# configuration DB
config_db=sqlite:///~/db/config.db

# log DB
log_db=sqlite:///~/db/log.db

# wait this many seconds between failed retries
db_retry.interval=1

# how many retries to attempt before failing
db_retry.n_attempts=6

# On startup, wait up to n seconds for DB files to become
# available if they do not yet exist.  This is generally
# only useful on secondary nodes used for standby purposes.
# db_startup_wait=

# Node type: PRIMARY|SECONDARY.  Defaults to PRIMARY.
# node_type=

# bootstrap authentication via PAM -- allows
# admin to log into web UI before authentication
# system has been configured.  Configure PAM users
# allowed to access via the bootstrap auth mechanism.
boot_pam_service=openvpnas
boot_pam_users.0=openvpn
# boot_pam_users.1=
# boot_pam_users.2=
# boot_pam_users.3=
# boot_pam_users.4=

# System users that are allowed to access the server agent XML API.
# The user that the web server will run as should be in this list.
system_users_local.0=root
system_users_local.1=openvpn_as

# The user/group that the web server will run as
cs.user=openvpn_as
cs.group=openvpn_as

# socket directory
general.sock_dir=~/sock

# path to linux openvpn executable
# if undefined, find openvpn on the PATH
#general.openvpn_exe_path=

# source directory for OpenVPN Windows executable
# (Must have been built with MultiFileExtract)
sa.win_exe_dir=~/exe

# The company name will be shown in the UI
sa.company_name=OpenVPN Technologies, Inc.

# server agent socket
sa.sock=~/sock/sagent

# If enabled, automatically generate a client configuration
# when a client logs into the site and successfully authenticates
cs.auto_generate=true

# files for web server (PEM format)
cs.ca_bundle=~/web-ssl/ca.crt
cs.priv_key=~/web-ssl/server.key
cs.cert=~/web-ssl/server.crt

# web server will use three consecutive ports starting at this
# address, for use with the OpenVPN port share feature
cs.dynamic_port_base=870

# which service groups should be started during
# server agent initialization
sa.initial_run_groups.0=web_group
#sa.initial_run_groups.1=openvpn_group

# use this twisted reactor
sa.reactor=epoll

# The unit number of this particular AS configuration.
# Normally set to 0.  If you have multiple, independent AS instances
# running on the same machine, each should have a unique unit number.
sa.unit=0

# If true, open up web ports on the firewall using iptables
iptables.web=true

vpn.server.user=openvpn_as
vpn.server.group=openvpn_as

Dump from AS config db:

{
  "Default": {
    "admin_ui.https.ip_address": "enp0s3",
    "admin_ui.https.port": "943",
    "aui.eula_version": "2",
    "auth.ldap.0.name": "My LDAP servers",
    "auth.ldap.0.ssl_verify": "never",
    "auth.ldap.0.timeout": "4",
    "auth.ldap.0.use_ssl": "never",
    "auth.module.type": "pam",
    "auth.pam.0.service": "openvpnas",
    "auth.radius.0.acct_enable": "false",
    "auth.radius.0.name": "My Radius servers",
    "cs.priv_key": "-----BEGIN PRIVATE KEY-----\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n-----END PRIVATE KEY-----\n",
    "cs.prof_sign_web": "true",
    "cs.ssl_method": "SSLv3",
    "cs.ssl_reneg": "false",
    "cs.tls_version_min": "1.2",
    "host.name": "xxxxx.xxxxx.xxxxx",
    "sa.compression_warning_shown": "displayed",
    "sa.initial_run_groups.0": "web_group",
    "sa.initial_run_groups.1": "openvpn_group",
    "sa.ssl_lib": "openssl",
    "vpn.client.config_text": "",
    "vpn.client.routing.inter_client": "false",
    "vpn.client.routing.reroute_dns": "true",
    "vpn.client.routing.reroute_gw": "true",
    "vpn.client.routing.superuser_c2c_access": "true",
    "vpn.daemon.0.client.netmask_bits": "20",
    "vpn.daemon.0.client.network": "172.27.224.0",
    "vpn.daemon.0.listen.ip_address": "enp0s3",
    "vpn.daemon.0.listen.port": "xxx",
    "vpn.daemon.0.listen.protocol": "tcp",
    "vpn.daemon.0.server.ip_address": "enp0s3",
    "vpn.general.osi_layer": "3",
    "vpn.server.config_text": "",
    "vpn.server.daemon.enable": "true",
    "vpn.server.daemon.tcp.n_daemons": "2",
    "vpn.server.daemon.tcp.port": "xxxx",
    "vpn.server.daemon.udp.n_daemons": "2",
    "vpn.server.daemon.udp.port": "xxxx",
    "vpn.server.duplicate_cn": "true",
    "vpn.server.group_pool.0": "172.27.240.0/20",
    "vpn.server.port_share.enable": "true",
    "vpn.server.port_share.ip_address": "1.2.3.4",
    "vpn.server.port_share.port": "1234",
    "vpn.server.port_share.service": "admin+client",
    "vpn.server.routing.gateway_access": "false",
    "vpn.server.routing.private_access": "no",
    "vpn.server.tls_auth": "true",
    "vpn.server.tls_version_min": "1.2",
    "vpn.tls_refresh.do_reauth": "true",
    "vpn.tls_refresh.interval": "360"
  },
  "_INTERNAL": {
    "run_api.active_profile": "Default",
    "webui.edit_profile": "Default",
    "webui.welcome_shown": "true"
  }
}

Dump from AS User and groups db:

{
  "__DEFAULT__": {
    "def_deny": "true",
    "prop_autogenerate": "true",
    "prop_lzo": "false",
    "type": "user_default"
  },
  "xxxxx": {
    "access_to.0": "+NAT:192.168.xxx.0/24",
    "access_to.1": "+NAT:192.168.xxx.0/24",
    "access_to.2": "+NAT:192.168.xxx.0/24",
    "prop_superuser": "true",
    "pvt_google_auth_secret": "xxxxxxxxxxx",
    "pvt_google_auth_secret_locked": "false",
    "type": "user_compile"
  },
  "xxxxx": {
    "type": "user_connect"
  }
}

You should consider possible issues:

  • Requirements for server CPU resources.
  • Client-server compatibility.
  • Server PKI migration.

It's possible to use either OVPN formatting or UCI formatting; each has its pros and cons.
The OpenWrt OpenVPN init script has some implementation features/limitations:

  • If you save the OVPN config to /etc/openvpn/*.conf, you can skip creating a VPN instance in the UCI config, but in that case it's impossible to operate (start/stop) VPN instances separately.
  • If you include the OVPN config in the UCI config with option config, the other UCI options for that VPN instance will be ignored.

It seems OpenVPN Access Server configs are too different to convert them line by line.
I think it would be easier to configure OpenWrt OpenVPN using one of our wiki guides.
Skip the PKI-generation section and replace the parameters in accordance with your configs posted above.

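As an added example (not from the thread, OpenVPN AS or OpenWrt), the following maps the handful of routing and TLS keys from the config-db dump above into OpenVPN server directives and then into the UCI form the reply describes; PKI, the tls-auth key file and user properties still have to be carried over by hand per the wiki guide. The key-to-directive mapping, the sample profile's placeholder port, the DNS address and the ta.key path are all assumptions.

```python
import ipaddress

# Constructed sample mirroring the config-db dump above; redacted "xxx" values are placeholders.
AS_PROFILE = {
    "vpn.daemon.0.client.network": "172.27.224.0",
    "vpn.daemon.0.client.netmask_bits": "20",
    "vpn.daemon.0.listen.protocol": "tcp",
    "vpn.daemon.0.listen.port": "1194",          # placeholder; the dump shows "xxx"
    "vpn.server.tls_auth": "true",
    "vpn.server.tls_version_min": "1.2",
    "vpn.server.duplicate_cn": "true",
    "vpn.client.routing.reroute_gw": "true",
    "vpn.client.routing.reroute_dns": "true",
    "vpn.client.routing.inter_client": "false",
}

def as_to_openvpn(p, dns="192.168.1.1", ta_key="/etc/openvpn/ta.key"):
    """Map a subset of AS config-db keys to OpenVPN directives (assumed mapping, not an AS API)."""
    on = lambda k: p.get(k, "false").lower() == "true"
    net = ipaddress.ip_network(f"{p['vpn.daemon.0.client.network']}/"
                               f"{p['vpn.daemon.0.client.netmask_bits']}")
    d = ["dev tun", "topology subnet",
         f"proto {p['vpn.daemon.0.listen.protocol']}",
         f"port {p['vpn.daemon.0.listen.port']}",
         f"server {net.network_address} {net.netmask}"]
    if "vpn.server.tls_version_min" in p:
        d.append(f"tls-version-min {p['vpn.server.tls_version_min']}")
    if on("vpn.server.tls_auth"):
        d.append(f"tls-auth {ta_key} 0")  # the AS ta key itself must be copied over
    if on("vpn.server.duplicate_cn"):
        d.append("duplicate-cn")
    if on("vpn.client.routing.reroute_gw"):
        d.append('push "redirect-gateway def1"')
    if on("vpn.client.routing.reroute_dns"):
        d.append(f'push "dhcp-option DNS {dns}"')
    if on("vpn.client.routing.inter_client"):
        d.append("client-to-client")
    return d

def to_uci(instance, directives):
    """Render the same directives as uci commands: dashes -> underscores, flags -> '1', push -> list."""
    out = [f"uci set openvpn.{instance}=openvpn", f"uci set openvpn.{instance}.enabled='1'"]
    for line in directives:
        name, _, value = line.partition(" ")
        val = value.strip('"')
        if name == "push":
            out.append(f"uci add_list openvpn.{instance}.push='{val}'")
        else:
            out.append(f"uci set openvpn.{instance}.{name.replace('-', '_')}='{val or '1'}'")
    out.append("uci commit openvpn")
    return out
```

Writing the `as_to_openvpn` lines to /etc/openvpn/server.conf gives the first approach from the reply; running the `to_uci` commands gives the second, where each instance can be started and stopped on its own.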