OpenVPN Basics

This.
Before there was a script and it was easier to create a server.

The “pipe” | is part of the command


I don't like that approach very much. It uses a lot of scripting to dump the certificates inline into the .ovpn file. It is simpler to just store them on the machine and refer to them by filename.

It's a lot less headache to create certificates on your desktop machine with a GUI certificate tool like xca.


And what steps could be skipped if I create the certificate on a PC?


XCA doesn't create proper certificates for OpenVPN from scratch. Missing correct KU and EKU parameters results in an additional attack vector. It requires quite some skill and time to carefully create and apply configuration templates with the required parameters and sign requests with the proper key. A single mistake is enough to mess everything up. Troubleshooting is much more complicated. And forget about automation.

It makes import/export a lot more troublesome.

Here you go:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#automated

Thanks, but what else should I know about copying and pasting?

A possible explanation is: haste makes waste.
If you are sure you have done everything correctly, then proceed with the troubleshooting section of the guide.

Make sure "smart quotes" aren't turned on.

" and " often look the same to humans, but fail miserably in code

root@Archer_C60:~# logread -e openvpn; netstat -l -n -p | grep -e openvpn
Wed Apr 10 14:50:13 2019 daemon.err openvpn(vpnserver)[24328]: event_wait : Interrupted system call (code=4)
Wed Apr 10 14:50:13 2019 daemon.notice openvpn(vpnserver)[24328]: Closing TUN/TAP interface
Wed Apr 10 14:50:13 2019 daemon.notice openvpn(vpnserver)[24328]: /sbin/ifconfig tun0 0.0.0.0
Wed Apr 10 14:50:13 2019 daemon.warn openvpn(vpnserver)[24328]: Linux ip addr del failed: external program exited with error status: 1
Wed Apr 10 14:50:13 2019 daemon.notice openvpn(vpnserver)[24328]: SIGTERM[hard,] received, process exiting
Wed Apr 10 14:50:14 2019 daemon.notice openvpn(vpnserver)[25353]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Apr 10 14:50:14 2019 daemon.notice openvpn(vpnserver)[25353]: library versions: OpenSSL 1.0.2q  20 Nov 2018, LZO 2.10
Wed Apr 10 14:50:14 2019 daemon.notice openvpn(vpnserver)[25353]: Diffie-Hellman initialized with 2048 bit key
Wed Apr 10 14:50:14 2019 daemon.notice openvpn(vpnserver)[25353]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed Apr 10 14:50:14 2019 daemon.notice openvpn(vpnserver)[25353]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Apr 10 14:50:14 2019 daemon.notice openvpn(vpnserver)[25353]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed Apr 10 14:50:14 2019 daemon.notice openvpn(vpnserver)[25353]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Apr 10 14:50:14 2019 daemon.notice openvpn(vpnserver)[25353]: TUN/TAP device tun0 opened
Wed Apr 10 14:50:14 2019 daemon.notice openvpn(vpnserver)[25353]: TUN/TAP TX queue length set to 100
Wed Apr 10 14:50:14 2019 daemon.notice openvpn(vpnserver)[25353]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Apr 10 14:50:14 2019 daemon.notice openvpn(vpnserver)[25353]: /sbin/ifconfig tun0 192.168.8.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.8.255
Wed Apr 10 14:50:14 2019 daemon.warn openvpn(vpnserver)[25353]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Apr 10 14:50:14 2019 daemon.notice openvpn(vpnserver)[25353]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Apr 10 14:50:14 2019 daemon.notice openvpn(vpnserver)[25353]: UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Apr 10 14:50:14 2019 daemon.notice openvpn(vpnserver)[25353]: UDPv4 link remote: [AF_UNSPEC]
Wed Apr 10 14:50:14 2019 daemon.notice openvpn(vpnserver)[25353]: GID set to nogroup
Wed Apr 10 14:50:14 2019 daemon.notice openvpn(vpnserver)[25353]: UID set to nobody
Wed Apr 10 14:50:14 2019 daemon.notice openvpn(vpnserver)[25353]: MULTI: multi_init called, r=256 v=256
Wed Apr 10 14:50:14 2019 daemon.notice openvpn(vpnserver)[25353]: IFCONFIG POOL: base=192.168.8.2 size=252, ipv6=0
Wed Apr 10 14:50:14 2019 daemon.notice openvpn(vpnserver)[25353]: Initialization Sequence Completed
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           25353/openvpn
root@Archer_C60:~# pgrep -f -a openvpn
25353 /usr/sbin/openvpn --syslog openvpn(vpnserver) --status /var/run/openvpn.vpnserver.status --cd /etc/openvpn --config /etc/openvpn/vpnserver.conf
root@Archer_C60:~# ip addr show; ip route show; ip rule show; iptables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP qlen 1000
    link/ether 50:c7:bf:75:81:b0 brd ff:ff:ff:ff:ff:ff
    inet IP-public/24 brd 190.244.143.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::52c7:bfff:fe75:81b0/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN qlen 1000
    link/ether 50:c7:bf:75:81:b1 brd ff:ff:ff:ff:ff:ff
4: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
    link/ether 8a:ff:72:6e:cc:85 brd ff:ff:ff:ff:ff:ff
5: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
    link/ether 2e:d6:37:2f:a2:04 brd ff:ff:ff:ff:ff:ff
16: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 50:c7:bf:75:81:b1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fe80::52c7:bfff:fe75:81b1/64 scope link
       valid_lft forever preferred_lft forever
17: eth1.1@eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 50:c7:bf:75:81:b1 brd ff:ff:ff:ff:ff:ff
18: 2G_ap: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 50:c7:bf:75:81:b0 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::52c7:bfff:fe75:81b0/64 scope link
       valid_lft forever preferred_lft forever
19: 5G_ap: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 50:c7:bf:75:81:af brd ff:ff:ff:ff:ff:ff
    inet6 fe80::52c7:bfff:fe75:81af/64 scope link
       valid_lft forever preferred_lft forever
20: 2G_ap_guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 52:c7:bf:75:81:b0 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::50c7:bfff:fe75:81b0/64 scope link
       valid_lft forever preferred_lft forever
21: 2G_ap_wds: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever
59: ifb4eth0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc cake state UNKNOWN qlen 32
    link/ether e6:6a:c7:6b:a5:cc brd ff:ff:ff:ff:ff:ff
    inet6 fe80::e46a:c7ff:fe6b:a5cc/64 scope link
       valid_lft forever preferred_lft forever
63: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    link/[65534]
    inet 192.168.8.1/24 brd 192.168.8.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::7f1f:2d30:cb03:9779/64 scope link
       valid_lft forever preferred_lft forever
default via 190.244.143.1 dev eth0  src IP-public
190.244.143.0/24 dev eth0 scope link  src IP-public
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.8.0/24 via 192.168.1.2 dev br-lan
192.168.8.0/24 dev tun0 scope link  src 192.168.8.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
# Generated by iptables-save v1.6.2 on Wed Apr 10 15:10:03 2019
*nat
:PREROUTING ACCEPT [6246:1253616]
:INPUT ACCEPT [1228:89648]
:OUTPUT ACCEPT [1272:87572]
:POSTROUTING ACCEPT [423:34552]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.10/32 -p tcp -m tcp --dport 7586 -m comment --comment "!fw3: qBittorrent (GA-B150M-DS3H) (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.10/32 -p udp -m udp --dport 7586 -m comment --comment "!fw3: qBittorrent (GA-B150M-DS3H) (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.10/32 -p tcp -m tcp --dport 32400 -m comment --comment "!fw3: Plex (GA-B150M-DS3H) (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.10/32 -p udp -m udp --dport 32400 -m comment --comment "!fw3: Plex (GA-B150M-DS3H) (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 11814 -m comment --comment "!fw3: qBittorrent (NOBLEX-NT1013E) (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p udp -m udp --dport 11814 -m comment --comment "!fw3: qBittorrent (NOBLEX-NT1013E) (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 32400 -m comment --comment "!fw3: Plex (NOBLEX-NT1013E) (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p udp -m udp --dport 32400 -m comment --comment "!fw3: Plex (NOBLEX-NT1013E) (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.1.0/24 -d IP-public/32 -p tcp -m tcp --dport 7586 -m comment --comment "!fw3: qBittorrent (GA-B150M-DS3H) (reflection)" -j DNAT --to-destination 192.168.1.10:7586
-A zone_lan_prerouting -s 192.168.1.0/24 -d IP-public/32 -p udp -m udp --dport 7586 -m comment --comment "!fw3: qBittorrent (GA-B150M-DS3H) (reflection)" -j DNAT --to-destination 192.168.1.10:7586
-A zone_lan_prerouting -s 192.168.1.0/24 -d IP-public/32 -p tcp -m tcp --dport 5500 -m comment --comment "!fw3: Plex (GA-B150M-DS3H) (reflection)" -j DNAT --to-destination 192.168.1.10:32400
-A zone_lan_prerouting -s 192.168.1.0/24 -d IP-public/32 -p udp -m udp --dport 5500 -m comment --comment "!fw3: Plex (GA-B150M-DS3H) (reflection)" -j DNAT --to-destination 192.168.1.10:32400
-A zone_lan_prerouting -s 192.168.1.0/24 -d IP-public/32 -p tcp -m tcp --dport 11814 -m comment --comment "!fw3: qBittorrent (NOBLEX-NT1013E) (reflection)" -j DNAT --to-destination 192.168.1.11:11814
-A zone_lan_prerouting -s 192.168.1.0/24 -d IP-public/32 -p udp -m udp --dport 11814 -m comment --comment "!fw3: qBittorrent (NOBLEX-NT1013E) (reflection)" -j DNAT --to-destination 192.168.1.11:11814
-A zone_lan_prerouting -s 192.168.1.0/24 -d IP-public/32 -p tcp -m tcp --dport 5501 -m comment --comment "!fw3: Plex (NOBLEX-NT1013E) (reflection)" -j DNAT --to-destination 192.168.1.11:32400
-A zone_lan_prerouting -s 192.168.1.0/24 -d IP-public/32 -p udp -m udp --dport 5501 -m comment --comment "!fw3: Plex (NOBLEX-NT1013E) (reflection)" -j DNAT --to-destination 192.168.1.11:32400
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 7586 -m comment --comment "!fw3: qBittorrent (GA-B150M-DS3H)" -j DNAT --to-destination 192.168.1.10:7586
-A zone_wan_prerouting -p udp -m udp --dport 7586 -m comment --comment "!fw3: qBittorrent (GA-B150M-DS3H)" -j DNAT --to-destination 192.168.1.10:7586
-A zone_wan_prerouting -p tcp -m tcp --dport 5500 -m comment --comment "!fw3: Plex (GA-B150M-DS3H)" -j DNAT --to-destination 192.168.1.10:32400
-A zone_wan_prerouting -p udp -m udp --dport 5500 -m comment --comment "!fw3: Plex (GA-B150M-DS3H)" -j DNAT --to-destination 192.168.1.10:32400
-A zone_wan_prerouting -p tcp -m tcp --dport 11814 -m comment --comment "!fw3: qBittorrent (NOBLEX-NT1013E)" -j DNAT --to-destination 192.168.1.11:11814
-A zone_wan_prerouting -p udp -m udp --dport 11814 -m comment --comment "!fw3: qBittorrent (NOBLEX-NT1013E)" -j DNAT --to-destination 192.168.1.11:11814
-A zone_wan_prerouting -p tcp -m tcp --dport 5501 -m comment --comment "!fw3: Plex (NOBLEX-NT1013E)" -j DNAT --to-destination 192.168.1.11:32400
-A zone_wan_prerouting -p udp -m udp --dport 5501 -m comment --comment "!fw3: Plex (NOBLEX-NT1013E)" -j DNAT --to-destination 192.168.1.11:32400
COMMIT
# Completed on Wed Apr 10 15:10:03 2019
# Generated by iptables-save v1.6.2 on Wed Apr 10 15:10:03 2019
*mangle
:PREROUTING ACCEPT [1202180:1159553639]
:INPUT ACCEPT [37121:5222125]
:FORWARD ACCEPT [1164327:1154223258]
:OUTPUT ACCEPT [35215:6651125]
:POSTROUTING ACCEPT [1199323:1160864687]
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Apr 10 15:10:03 2019
# Generated by iptables-save v1.6.2 on Wed Apr 10 15:10:03 2019
*filter
:INPUT ACCEPT [1:40]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Apr 10 15:10:03 2019

root@Archer_C60:~# uci show network; uci show firewall; uci show openvpn
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.lan=interface
network.lan.type='bridge'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.delegate='0'
network.lan.igmp_snooping='1'
network.lan.ifname='eth1.1 tap0'
network.wan=interface
network.wan.ifname='eth0'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='1.1.1.1 8.8.8.8'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 2 3 4 0t'
network.vpn=route
network.vpn.interface='lan'
network.vpn.target='192.168.8.0/24'
network.vpn.gateway='192.168.1.2'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[0].device='tun0'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6 wwan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp udp'
firewall.@redirect[0].src_dport='7586'
firewall.@redirect[0].dest_ip='192.168.1.10'
firewall.@redirect[0].dest_port='7586'
firewall.@redirect[0].name='qBittorrent (GA-B150M-DS3H)'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp udp'
firewall.@redirect[1].src_dport='5500'
firewall.@redirect[1].dest_ip='192.168.1.10'
firewall.@redirect[1].dest_port='32400'
firewall.@redirect[1].name='Plex (GA-B150M-DS3H)'
firewall.@redirect[2]=redirect
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].proto='tcp udp'
firewall.@redirect[2].src_dport='11814'
firewall.@redirect[2].dest_ip='192.168.1.11'
firewall.@redirect[2].dest_port='11814'
firewall.@redirect[2].name='qBittorrent (NOBLEX-NT1013E)'
firewall.@redirect[3]=redirect
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].proto='tcp udp'
firewall.@redirect[3].src_dport='5501'
firewall.@redirect[3].dest_ip='192.168.1.11'
firewall.@redirect[3].dest_port='32400'
firewall.@redirect[3].name='Plex (NOBLEX-NT1013E)'
firewall.vpn=rule
firewall.vpn.name='Allow-OpenVPN'
firewall.vpn.src='wan'
firewall.vpn.dest_port='1194'
firewall.vpn.proto='udp'
firewall.vpn.target='ACCEPT'
openvpn.vpnserver=openvpn
openvpn.vpnserver.enabled='1'
openvpn.vpnserver.config='/etc/openvpn/vpnserver.conf'

root@Archer_C60:~# head -n -0 /etc/openvpn/*.conf
verb 3
user nobody
group nogroup
dev tun0
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN Archer_C60"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
xxxx
-----END DH PARAMETERS-----
</dh>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
xxxx
-----END OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xxxxx
-----END PRIVATE KEY-----
</key>

ls -l /etc/easy-rsa/pki/issued/ /etc/easy-rsa/pki/private/
root@Archer_C60:~# ls -l /etc/easy-rsa/pki/issued/ /etc/easy-rsa/pki/private/
/etc/easy-rsa/pki/issued/:
-rw-------    1 root     root          4411 Apr 10 14:15 vpnclient.crt
-rw-------    1 root     root          4533 Apr 10 14:14 vpnserver.crt

/etc/easy-rsa/pki/private/:
-rw-------    1 root     root          1708 Apr 10 14:14 ca.key
-rw-------    1 root     root          1704 Apr 10 14:15 vpnclient.key
-rw-------    1 root     root          1708 Apr 10 14:14 vpnserver.key

Copy each line individually?

root@Archer_C60:~# sh /tmp/openvpn-client-profiles.sh
/etc/openvpn/vpnclient.ovpn

I think I did not understand.

It looks fine now, you can proceed with the following step:

I already extracted the .ovpn file but I do not have internet access.