OpenVPN configurations

I've read the OpenVPN wiki. I must ask for help.
client config CS
I see that there are a client VPN and a server VPN. I have no idea as to which supports my goals.
My Goals: I have LEDE installed on my wifi-router. I want to run all 'net traffic through it. I have an AT&T NGV510 modem (which, incidentally is also a wifi and router).

I don't know which option to choose for my application from the LuCI menu. Bridge? Simple? Multi-point? Routed or not? Point to Point? FWIW, these are the connected devices. Via ethernet cable one Linux based computer, one Windows 'puter. One Raspberry PI/OpenELEC stack, and one "Smart" TV.
Via WiFI, two Windows laptops and 2 "Smart" phones. One tablet. None of these devices are in constant use. Typically, while one or two are using the 'net, the others are turned off or using minimal WiFi signal.

Hi, OpenVPN involves on a Server, internet reacheable (with open and redirected ports on the ISP modem/router) and Clients that connect to that Server.

A Client it could be a Windows, Mac, Linux, Android, etc, any OpenVPN capable device with internet, it will connect to the server...
Also, you can have your LEDE Router as Client, and have access to that VPN using your LEDE Router, via cable or WiFi.

The differences of ethernet, routed, and routed point-to-point AFAIK is that:
Ethernet you will have the VPN interface connected to the LAN interface and I think that any packets will pass. Since this is a virtual ethernet TAP is needed.
Routed multiclient is the common one, you have a server and multiple devices will connect to the VPN and the VPN will assign their own internal IP.
The routed point-to-point (also called site-to-site) is usually used for example to interconnect two offices buildings to allow traffic between them.

Usually someone will just need normal IP connections and for that, TUN is enough.

to read more about:
Here is a drawing about p2p:
more about usages:

So, if you want to be able to reach your devices from your home when are outside use routed multi-client server on your LEDE router, and install openvpn client on your computer or mobile phone.

You could also install LEDE on a portable router, and have access to your VPN anywhere without need to install any software on Computer or mobile phone, like a TL-MR3020 or TL-MR3040

I'm my ignorance of networking/OpenVPN and LEDE Project, I'm not asking the question intelligently. I have a LEDE wifi router. One of it's LAN ports connects to the modem (via ethernet cable). I would like to put all the devices that access the Internet behind a VPN. I would prefer to have the LEDE wifi router perform that function. Does the LEDE wifi router need to be a server? Or a client?

The ISP in my case is AT&T. I have a Motorola NGV510 modem-router-wifi device from them. Will I need to configure the modem for IP passthrough to setup and use a VPN?

Your router should be configured as a VPN client.
Your modem does not need to be reconfigured.

I assume that your desire is to use a VPN for all the traffic from your home network such that your ISP cannot snoop on your internet activities.
Just to make sure it is clear, you will need a VPN service to which you connect to provide privacy from your ISP (usually commercial products from companies like tunnelbear, private internet access, and plenty of others).

Your router will be configured as a client device, and will connect to the service of your choosing. Traffic to and from devices connected to your router will be transparently routed to through the vpn. This is pretty easy to accomplish, and many of the commercial vpn providers have tutorials or preconfigured files ready for use so you don’t need to do much manual work.

Have you selected a vpn provider yet?

Whether or not you set up OpenVPN as a client or server, don't use LuCI to do so... the OpenVPN package for LuCI is extremely convoluted and makes configuring OpenVPN far more complicated than it should be.

  • I wrote an OpenVPN server wiki a while back, and even if you don't configure yours as a server, it has a lot of reference information you may find helpful

@psherman. I use Cryptostorm for a VPN service. Yes I will put all 'net traffic behind the VPN. I have the necessary .ovpn and .ca files ready to go.

When you're subscribing to a VPN service, and they provide a suggested .ovpn file, use that as the basis of your configuration. Place the file in /etc/openvpn on the router, and reference to it in /etc/config/openvpn. Since the .ovpn file contains all the configuration information, /etc/config/openvpn should be only this:

package openvpn
config openvpn 'VPNclient'
	option enabled '1'
	option config /etc/openvpn/vpn-provider.ovpn

which of course tells OpenVPN to read the provider's file at startup. You may need to edit that file slightly, using the OpenVPN docs. Also you will need to set up networks and firewall rules to route through the VPN tunnel.

@MarkP2015 - Cool. So where exactly are you stuck?

In addition to some of the wiki articles on LEDE's site, you might check out the tutorial by Logan Marchione -- it uses an MR3020 portable router. Since that router has limited storage, extroot was required. But if your router has sufficient flash (~16MB or more), you should be able to skip all the extroot process preamble and move right to the OpenVPN section.

As @JW0914 said, the LuCI interface can be harder to use than just working with the text config file. IIRC, if you remove the LuCI app for OpenVPN (or never installed it in the first place), you should be able to simply drop in the config files provided by Cryptostorm. The LuCI app stores the config file in a slightly different way -- again, IIRC, you might be able to get it to 'migrate' your working OpenVPN config into the LuCI app environment once you have things running. I do like the LuCI app for the ability to use the web interface for starting/stopping the process and seeing the current status, but configuration is better done on raw text files. Conversely, @mk24 shows how to shoehorn the standard config files directly into the LuCI app's config file, so that would work, too.

Another thing you can do is to make sure your VPN config and account credentials work in general by connecting to the service using an OpenVPN client on your computer -- this just helps reduce one level of troubleshooting in the event that your router doesn't successfully connect.

You need to connect the WAN port of the LEDE router to your Modem, in that way, if you had the default config just enable again dhcp if it was disabled and LEDE will route traffic to your other devices...
Now you are able to enable OpenVPN...
I had a post here, same instructions should work with any OpenVPN VPN provider of your choice:

When you finish that configuration you will have your LEDE connected devices using the VPN tunnel instead of the internet connection itself.

The LuCI OpenVPN does not need to be removed, as it serve's a useful purpose for quickly checking the status of the VPN... but this is all it should be utilized for.

This is factually inaccurate, as the LuCI OpenVPN app does not alter the location of the the config files

  • The configs are store in the same place regardless if this is utilized or not, as it's OpenVPN that determines were the default configs are located. The only thing this will do, just like anything else saved via LuCI, is remove all sane formatting from configs.

Actually, this depends on how you have things setup.
Option 1: you can call the config file as shown by @mk24 above in #8 (I actually didn't know that was possible until I saw that), where the config file is literally just the line-by-line standard OVPN directive list. This requires no changes to the OVPN config file and is very clean, but I'm pretty sure that this prevents the OpenVPN LuCI app from being able to provide any further insight into the operation other than the up/down status and PID, and presumably makes it impossible to perform any configuration from the LuCI interface.

Option 2: It is possible to have the config file defined in the UCI formatting (which gets converted to the standard OVPN formatting when the /etc/init.d/openvpn script is executed). This is stored in /etc/config/openvpn and, if populated directly (rather than using option 1 above), gives the ability to see more complete status/config info from LuCI. I have my devices (both client and servers) running with this method.

The UCI method config file is not directly compatible with the OpenVPN process, which is why the actual config file needs to be generated when the init.d script is run (just prior to starting the OpenVPN executable).

All of that said, I agree that the LuCI app for OpenVPN can be confusing and can actually make a bit of a mess of things, and so it is often better to only use it for basic status, while keeping the OVPN config file in the standard format.

This is stated clearly in the OpenVPN man page and is not an option most users will ever have a need to utilize (there's no benefit to this on a single user system, such as LEDE).

No, this method does not prevent LuCI from reporting the status of the VPN... where do you believe LuCI get's it's OpenVPN status information from?

/etc/init.d/openvpn is executed regardless if using uci commands or an actual config.... this is the script that starts, stops, or restarts /usr/sbin/openvpn

Um... what?? uci is the command interface, and as such, it's executed as a script, as anything with uci commands in it are not configs, they're scripts... where are you getting your information from?

@JW0914 - I feel like this is becoming a hostile conversation and I don't want this to go that route :slight_smile:. Just to be clear, I do think you are giving good advice in general. I'm just reporting my experience and it is possible I have either misunderstood how certain things are happening and/or that I haven't properly described some of the nuances of my config.

For my example, let's start with an assumption that a user has used the LuCI or UCI interface to configure OpenVPN (I think that this would be contrary to your suggestion of using a simple flat file with the directives listed line by line, but this still can work):

  • I think (*citation needed -- I can test this later) that the /etc/init.d/openvpn file actually gets modified/replaced when the OpenVPN LuCI app is installed as compared to the version installed when you install OpenVPN initially. (Like I said, I can check this later, but keep reading...)
  • When the /etc/init.d/openvpn script runs (when OVPN LuCI app is installed), it looks at /etc/config/openvpn for the config data. If the config data points to a normal flat openvpn config file (scenario A), it will use that (as established earlier). Else, the UCI formatted openvpn file will be parsed and the system will create, at execution time, a standard flat config file for OpenVPN (scenario B)
  • /etc/init.d/openvpn then calls the openvpn binary file with either the scenario A config file, or the file it just created as part of scenario B.

Of course /etc/init.d/openvpn is used to call the actual binary file, regardless of the existence of the LuCI app. And it is possible that it is the same script that regardless and that it will ingest the flat file or the UCI file either way.

Now, the LuCI app shows the following fields: Enabled [checkbox], Started [yes/no + PID], Start/Stop [button], Port, Protocol. And it has Edit and Delete buttons, too. Obviously the Enabled checkbox is affecting the UCI file, and the start/stop button hits the /etc/init.d/openvpn [start/stop] script. The started and PID status info comes from the openvpn process itself. Deleting a config would just remove the UCI definitions for that particular config - whatever is under it. All makes sense so far.

As I understand it (and I could be wrong), the port and protocol information are pulled from the UCI formatted /etc/config/openvpn file. This means that if the UCI file references a normal flat file, it may not be able to give the status of those two values (although it will default to UDP 1194 -- I know this for fact because I have some client config files that do this even though they use TCP or another port). And if you hit the Edit button when there is a flat file referenced, I'm actually not sure what it does. In contrast, it is possible (although as you rightly point out, not recommended) to edit essentially any field/directive in the OpenVPN UCI formatted file from the LuCI app.

Meanwhile, to clarify another point I was making -- my OpenVPN config is 100% UCI formatted (location: /etc/config/openvpn), and I do not have a flat file in my system. I cannot directly pass that UCI file as an argument into the /usr/sbin/openvpn executable the way I could with a regular flat OVPN file. However, the /etc/init.d/openvpn script actually does generate the flat file (/tmp/etc/openvpn.conf) and then calls that openvpn.conf config file when it starts /usr/sbin/openvpn.

Yes, @JW0914, that is basically correct. Though it does not appear that /etc/init.d/openvpn is any different for LuCI. This file is part of the openvpn package not luci-app-openvpn. The opkg files command is useful to see what files are part of a package (though you do have to install the package first for it to work).

I am using a flat file and as you said, anything LuCI shows other than the Enabled checkbox and the start/stop button is going to be either blank or wrong (the port number, as you said, will show 1194 if it is not set in /etc/config/openvpn). I believe it is using UCI calls to read the options and it is also unaware of the config option to point to a user file.

A script that does the opposite, converting a provider-supplied .ovpn file into UCI format, could be useful. Or making "Use .ovpn style config file" an option with a way in LuCI to use a web browser to upload and edit the file.

So I checked the /etc/config/openvpn and /etc/init.d/openvpn files -- turns out they do not change when the LuCI app is installed, confirming what @mk24 said and indicating that I did have some erroneous information in my posts.

But my comments earlier about the flat vs UCI formatted config files and the interaction with the LuCI app also seems to be confirmed by @mk24 as well. Fundamentally, it doesn't matter if someone uses the UCI (with or without the LuCI app) or the flat file for their openVPN config -- the init.d script will handle everything necessary to run openvpn. It just comes down to the ability to edit via LuCI (which is admittedly not a great UX, but adds flexibility) vs needing to work with a text editor.

My reply wasn't intended to be hostile, and I apologize that that's the way it came across.

Unless one is utilizing user scripts to auto configure certain aspects of the firmware, there is no benefit to utilizing uci formatted commands, and in fact, it's far more intrusive, cumbersome, and inefficient to do so. There are certain times when uci scripting is more efficient to utilize in a wiki, but the every day user will find almost no benefit from utilizing uci over a formatted config.

  • If one is using uci command scripts, more likely than not that user will managing most of the router via SSH not LuCI. If this is the case, configs created from uci commands will be ridiculously inefficient to read and edit. For example, compare the two config files below, one of which is formatted by uci commands, the other formatted via a text editor [vim/nano on router, or atom on PC]


config openvpn 'OpenVPN'
  option enabled '1'
  option dev 'tun0'
  option topology 'subnet'
  option proto 'udp'
  option port '00000'
  option server ''
  option ifconfig ''
  option ccd_exclusive '1'
  option ifconfig_pool_persist '/etc/openvpn/clients/private/ipp.txt'
  option client_config_dir '/etc/openvpn/clients/private'
  list push 'route'
  list push 'dhcp-option DNS'
  list push 'dhcp-option WINS'
  list push 'dhcp-option DNS'
  list push 'dhcp-option DNS'
  list push 'dhcp-option NTP'
  list push 'sndbuf 393216'
  list push 'rcvbuf 393216'
  option dh '/etc/ssl/openvpn/dh3072.pem'
  option pkcs12 '/etc/ssl/openvpn/wrt1900ac-vpn_server.p12'
  option cipher 'AES-256-CBC'
  option auth 'SHA512'
  option tls_auth '/etc/ssl/openvpn/tls-auth.key 0'
  option tls_version_min '1.2'
  option log '/tmp/openvpn-server.log'
  option status '/tmp/openvpn-server-status.log'
  option keepalive '10 120'
  option comp_lzo 'yes'
  option client_to_client '1'
  option persist_key '1'
  option persist_tun '1'
  option sndbuf '393216'
  option rcvbuf '393216'
  option fragment '0'
  option mssfix '0'
  option tun_mtu '48000'
  option user 'nobody'
  option group 'nogroup'
  option verb '4'



    ##::[[---  LEDE OpenVPN Config  ---]]::##

           ##----- Custom Config -----##

    # Custom #
#config openvpn 'CustomVPN'
#   option  enabled                 0
#   option  config                  '/etc/openvpn/custom-vpn.conf'

          ##----- VPN Server TCP -----##

config openvpn 'OpenVPN'
    option  enabled                 1

        # Protocol #
    option  dev                     'tun'
    option  dev                     'tun0'
    option  topology                'subnet'
    option  proto                   'udp'
    option  port                    00000

    # Routes #
    option  server                  ''
    option  ifconfig                ''

    # Client Config #
    option  ccd_exclusive           1
    option  ifconfig_pool_persist   '/etc/openvpn/clients/private/ipp.txt'
    option  client_config_dir       '/etc/openvpn/clients/private'

    # Pushed Routes #
    list    push                    'route'
    list    push                    'dhcp-option    DNS'
    list    push                    'dhcp-option    WINS'
    list    push                    'dhcp-option    DNS'
    list    push                    'dhcp-option    DNS'
    list    push                    'dhcp-option    NTP'

    # Encryption #
    # Diffie-Hellmann:
    option  dh                      '/etc/ssl/openvpn/dh3072.pem'

    # PKCS12:
    option  pkcs12                  '/etc/ssl/openvpn/wrt1900ac-vpn_server.p12'

    # SSL:
    option  cipher                  'AES-256-CBC'
    option  auth                    'SHA512'
    option  tls_auth                '/etc/ssl/openvpn/tls-auth.key 0'

    # TLS:
    option  tls_version_min         1.2
    option  tls_cipher              'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-2

    # Logging #
    option  log                     '/tmp/openvpn-server.log'
    option  status                  '/tmp/openvpn-server-status.log'
    option  verb                    4

    # Connection Options #
    option  keepalive               '10 120'
    option  comp_lzo                'yes'

    # Connection Reliability #
    option  client_to_client        1
    option  persist_key             1
    option  persist_tun             1

    # Connection Speed #
    option  sndbuf                  393216
    option  rcvbuf                  393216
    option  fragment                0
    option  mssfix                  0
    option  tun_mtu                 48000

    # Pushed Buffers #
    list    push                    'sndbuf 393216'
    list    push                    'rcvbuf 393216'

    # Permissions #
    option  user                    'nobody'
    option  group                   'nogroup'

  • Note the # on the first line, as without this, vim will not syntax highlight (nano will), and this especially matters if one is doing the bulk of router management via SSH instead of LuCI


I found the file, /etc/config/openvpn but I cannot clearly understand what to put in it from your post #8.

package openvpn
config openvpn 'VPNclient'
option enabled '1'
option config /etc/openvpn/vpn-provider.ovpn

As I have a VPN service named Cryptostorm, do I put 'Cryptostorm" where you put 'VPNclient'?
and (as dumb as this is) do I copy and paste those 3 or 4 lines into /etc/config/openvpn ?

"VPNclient" is just an internal name for this instance of OpenVPN, you can call it whatever you want. The important thing is that the file name in option config matches the file that you obtained from the provider and copied into /etc/openvpn.

Install a text editor like nano. You will probably need to edit the provider's .ovpn file slightly anyway so having an editor on the router will be useful. Remove the default /etc/config/openvpn file entirely and replace it with those 4 lines.

"You will probably need to edit . . . cstorm_linux-lisbon_udp.ovpn (name of file).

What should I be looking for to edit, or do I look in a log (and which one) and use that info?

I had Nano installed. I added the info you posted. Looking over that file, I'm double checking about deleting all other lines. Do I add that info at a later config? Some of it, like choice of UDP or TCP looks relevant.