I have set up my OpenWrt router like this (note that many of my notes are from here):
- Removed all of the files in the Backup File List (LuCI -> System -> Backup/Flash Firmware -> Configuration). I think there were too many conflicts, as #ulmwind suggested.
- Completely reset the router:
  - Unplug router from cable modem
  - Reboot router
  - Press & hold WPS button when light starts to blink (other light should blink very fast)
  - Set PC IP address to manual (192.168.1.2/255.255.255.0)
  - Connect PC to LAN port
  - ssh -p 22 root@192.168.1.1
  - firstboot -y
  - mtd -r erase rootfs_data (router reboots)
  - ssh -p 22 root@192.168.1.1
  - rm -r /overlay/*
  - reboot -f
- Reinstalled from my backup (make sure you make a backup!!!)
- Connect router to WAN again
- Add LuCI interface for OpenVPN:
  - Navigate to System -> Software
  - Search for luci-app-openvpn and install it
- Followed the instructions from here (as suggested by #trendy) (see below)
- Note that I did comment out the following lines in /etc/config/firewall because it looked like there was some overlap:
  # config rule
  #     option name 'Allow-OpenVPN-Inbound'
  #     option target 'ACCEPT'
  #     option src '*'
  #     option proto 'tcpudp'
  #     option dest_port '1194'
- I did have to modify /etc/config/openvpn as follows (as suggested by #trendy):
  config openvpn 'home'
      option config '/etc/openvpn/vpnserver.conf'
      option enabled '1'
- I also had to change /etc/openvpn/vpnclient.ovpn because the scripts had it pointing to the server's IP address rather than the host.domain name (because I am on a DHCP connection out of my house, I wanted to make sure I can access it when my ISP changes my IP address):
  remote myhost.mydomain 1194 udp
The following comes (mostly) from here:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic
##################################
# Configure firewall
##################################
uci set firewall.@zone[0].device="tun0"
uci -q delete firewall.vpn
uci set firewall.vpn="rule"
uci set firewall.vpn.name="Allow-OpenVPN"
uci set firewall.vpn.src="wan"
uci set firewall.vpn.dest_port="1194"
uci set firewall.vpn.proto="udp"
uci set firewall.vpn.target="ACCEPT"
uci commit firewall
service firewall restart
##################################
# Setup PKI
##################################
# Install packages
opkg update
opkg install openvpn-easy-rsa
# Configuration parameters
export EASYRSA_PKI="/etc/easy-rsa/pki"
export EASYRSA_REQ_CN="vpnca"
# Remove and re-initialize the PKI directory
easyrsa --batch init-pki
# Generate DH parameters
# May take a while to complete (~25m on WRT3200ACM)
easyrsa --batch gen-dh
# Create a new CA
easyrsa --batch build-ca nopass
# Generate a keypair and sign locally for vpnserver
easyrsa --batch build-server-full vpnserver nopass
# Generate a keypair and sign locally for vpnclient
easyrsa --batch build-client-full vpnclient nopass
##################################
# Basic server setup
##################################
# Install packages
opkg update
opkg install openvpn-openssl
# Generate TLS PSK
EASYRSA_PKI="/etc/easy-rsa/pki"
openvpn --genkey --secret "${EASYRSA_PKI}/tc.pem"
# Configuration parameters
VPN_DEV="$(uci get firewall.@zone[0].device)"
VPN_POOL="10.13.8.0 255.255.255.0"
# VPN_POOL="192.168.8.0 255.255.255.0"
VPN_DNS="${VPN_POOL%.* *}.1"
VPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)"
EASYRSA_PKI="/etc/easy-rsa/pki"
DH_KEY="$(cat "${EASYRSA_PKI}/dh.pem")"
TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "${EASYRSA_PKI}/tc.pem")"
CA_CERT="$(openssl x509 -in "${EASYRSA_PKI}/ca.crt")"
NL=$'\n'
# Configure VPN server
grep -l -r -e "TLS Web Server Authentication" "${EASYRSA_PKI}/issued" | sed -e "s/^.*\///;s/\.\w*$//" |while read VPN_ID
do
VPN_CONF="/etc/openvpn/${VPN_ID}.conf"
VPN_CERT="$(openssl x509 -in "${EASYRSA_PKI}/issued/${VPN_ID}.crt")"
VPN_KEY="$(cat "${EASYRSA_PKI}/private/${VPN_ID}.key")"
cat << EOF > "${VPN_CONF}"
verb 3
user nobody
group nogroup
dev ${VPN_DEV}
port 1194
proto udp
server ${VPN_POOL}
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS ${VPN_DNS}"
push "dhcp-option DOMAIN ${VPN_DOMAIN}"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
push "route 10.13.0.0 255.255.252.0"
push "dhcp-option DNS 10.13.0.1"
<dh>${NL}${DH_KEY}${NL}</dh>
<tls-crypt>${NL}${TC_KEY}${NL}</tls-crypt>
<ca>${NL}${CA_CERT}${NL}</ca>
<cert>${NL}${VPN_CERT}${NL}</cert>
<key>${NL}${VPN_KEY}${NL}</key>
EOF
chmod "u=rw,g=,o=" "${VPN_CONF}"
done
service openvpn restart
#############################
# Create client profiles:
#############################
# Fetch IP address
source /lib/functions/network.sh
network_find_wan NET_IF
network_get_ipaddr VPN_SERV "${NET_IF}"
# Fetch FQDN from DDNS client
VPN_FQDN="$(uci -q get "$(uci -q show ddns \
| sed -n -e "/\.enabled='1'$/s//.lookup_host/p" \
| sed -n -e "1p")")"
if [ -n "${VPN_FQDN}" ]
then
VPN_SERV="${VPN_FQDN}"
fi
# Configuration parameters
VPN_CONF="/etc/openvpn/vpnserver.conf"
VPN_PORT="$(sed -n -e "/^port\s/s///p" "${VPN_CONF}")"
VPN_PROTO="$(sed -n -e "/^proto\s/s///p" "${VPN_CONF}")"
VPN_DEV="$(sed -n -e "/^dev\s/s///p" "${VPN_CONF}")"
EASYRSA_PKI="/etc/easy-rsa/pki"
TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "${EASYRSA_PKI}/tc.pem")"
CA_CERT="$(openssl x509 -in "${EASYRSA_PKI}/ca.crt")"
NL=$'\n'
# Generate VPN client profiles
grep -l -r -e "TLS Web Client Authentication" "${EASYRSA_PKI}/issued" \
| sed -e "s/^.*\///;s/\.\w*$//" \
| while read VPN_ID
do
VPN_CONF="/etc/openvpn/${VPN_ID}.ovpn"
VPN_CERT="$(openssl x509 -in "${EASYRSA_PKI}/issued/${VPN_ID}.crt")"
VPN_KEY="$(cat "${EASYRSA_PKI}/private/${VPN_ID}.key")"
cat << EOF > "${VPN_CONF}"
verb 3
dev ${VPN_DEV%%[0-9]*}
nobind
client
remote ${VPN_SERV} ${VPN_PORT} ${VPN_PROTO}
auth-nocache
remote-cert-tls server
<tls-crypt>${NL}${TC_KEY}${NL}</tls-crypt>
<ca>${NL}${CA_CERT}${NL}</ca>
<cert>${NL}${VPN_CERT}${NL}</cert>
<key>${NL}${VPN_KEY}${NL}</key>
EOF
chmod "u=rw,g=,o=" "${VPN_CONF}"
done
ls /etc/openvpn/*.ovpn
# this comes from here:
# https://forum.openwrt.org/t/cannot-access-host-by-hostname-from-phone/17788/11
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 10.13.0.1
iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to 10.13.0.1
/etc/init.d/dnsmasq restart
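As an added example (written for this post, not part of the OpenWrt wiki script or the original configuration), here is a small POSIX sh check that reads the generated server config and the Allow-OpenVPN rule and reports two conditions that would leave a connected client unable to resolve LAN names through the tunnel: a pushed DNS server the client has no tunnel route to, and no pushed search domain for short hostnames. It also confirms the firewall rule opens the same port/proto the server listens on. The sample server config and the `uci show firewall.vpn` output are constructed to mirror the values above; the file paths in the comments are assumed from the post. It runs on busybox ash as well as bash.

```shell
#!/bin/sh
# Added consistency check for the OpenVPN server config and firewall rule
# produced by the setup script above (example code, not the wiki's script).
# On the router the real inputs would be (paths assumed from the post):
#   check_firewall "$(cat /etc/openvpn/vpnserver.conf)" "$(uci show firewall.vpn)"
#   check_server   "$(cat /etc/openvpn/vpnserver.conf)"

# Dotted quad -> integer, e.g. 10.13.0.1 -> 168624129
ip4_to_int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET MASK -> exit 0 when IP lies inside NET/MASK
in_subnet() {
    [ $(( $(ip4_to_int "$1") & $(ip4_to_int "$3") )) -eq \
      $(( $(ip4_to_int "$2") & $(ip4_to_int "$3") )) ]
}

# Value of a plain directive: conf_value "$conf" port -> 1194
conf_value() { printf '%s\n' "$1" | sed -n "s/^$2[[:space:]]\{1,\}//p" | sed -n 1p; }

# Arguments of every push "<prefix> ..." line, one per output line
pushed_values() { printf '%s\n' "$1" | sed -n "s/^push \"$2 \(.*\)\"$/\1/p"; }

# Value of one key in 'uci show firewall.vpn' output (firewall.vpn.KEY='VALUE')
uci_value() { printf '%s\n' "$1" | sed -n "s/^firewall\.vpn\.$2='\(.*\)'$/\1/p"; }

# The port/proto the server listens on must be what the firewall rule opens
check_firewall() {
    port=$(conf_value "$1" port); proto=$(conf_value "$1" proto)
    fw_port=$(uci_value "$2" dest_port); fw_proto=$(uci_value "$2" proto)
    if [ "$port" = "$fw_port" ] && [ "$proto" = "$fw_proto" ]; then
        echo ok
    else
        echo "mismatch: server ${proto}/${port} vs firewall ${fw_proto}/${fw_port}"; return 1
    fi
}

# A pushed DNS server is only reachable if the client routes it through the
# tunnel: full redirect-gateway, inside the VPN pool, or inside a pushed route.
dns_via_tunnel() {
    conf=$1; dns=$2
    [ -n "$(pushed_values "$conf" "redirect-gateway")" ] && return 0
    set -- $(conf_value "$conf" server)
    [ -n "$1" ] && in_subnet "$dns" "$1" "$2" && return 0
    pushed_values "$conf" route | while read -r net mask; do
        in_subnet "$dns" "$net" "$mask" && echo hit
    done | grep -q hit
}

# Report unreachable pushed DNS servers and a missing search domain;
# the return value is the number of problems found.
check_server() {
    problems=0
    for dns in $(pushed_values "$1" "dhcp-option DNS"); do
        if dns_via_tunnel "$1" "$dns"; then echo "dns $dns: routed via tunnel"
        else echo "dns $dns: NOT routed via tunnel"; problems=$((problems + 1)); fi
    done
    [ -n "$(pushed_values "$1" "dhcp-option DOMAIN")" ] || {
        echo "no search domain pushed: short hostnames will not resolve"
        problems=$((problems + 1)); }
    return $problems
}

# Constructed sample mirroring the post's generated server config
SERVER_CONF='port 1194
proto udp
server 10.13.8.0 255.255.255.0
push "redirect-gateway def1"
push "route 10.13.0.0 255.255.252.0"
push "dhcp-option DNS 10.13.0.1"
push "dhcp-option DOMAIN lan"'

# Constructed split-tunnel variant: one DNS server lies outside every route
SPLIT_CONF='port 1194
proto udp
server 10.13.8.0 255.255.255.0
push "route 10.13.0.0 255.255.252.0"
push "dhcp-option DNS 10.13.0.1"
push "dhcp-option DNS 192.168.50.1"'

# Constructed to look like `uci show firewall.vpn` after the uci commands above
FW_RULE="firewall.vpn=rule
firewall.vpn.name='Allow-OpenVPN'
firewall.vpn.src='wan'
firewall.vpn.dest_port='1194'
firewall.vpn.proto='udp'
firewall.vpn.target='ACCEPT'"

check_firewall "$SERVER_CONF" "$FW_RULE"
check_server "$SERVER_CONF"
check_server "$SPLIT_CONF" || echo "$? problem(s) found"
```

The split-tunnel variant is there to show the failure the check is looking for: 10.13.0.1 is covered by the pushed 10.13.0.0/22 route, 192.168.50.1 is not, and no DOMAIN is pushed, so it reports two problems. With `push "redirect-gateway def1"` in place, as in the post, every DNS server is routed via the tunnel, which is why the resolver question then shifts to what the client does with the pushed DNS and DOMAIN.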
Everything is working great (more or less):
When connected normally to my network:
- I can ping by IP inside my 10.13.0.1/22 network
- I can ping by hostname inside my 10.13.0.1/22 network
- I can ping by host/domain outside my network
When I connect to my VPN from outside the network:
- I can ping by host/domain to the outside network
- I can ping by IP in my 10.13.0.1/22 network
BUT:
- I CANNOT ping by hostname inside my 10.13.0.1/22 network
Any suggestions would be MOST welcome
- When I remotely connect to my router with my phone running the actual OpenVPN Android app, I am able to connect to my local hosts by name (everything works fine).
- I tried from my Windows laptop running OpenVPN and it works fine.
- The problem I am having ONLY occurs on my remotely connected MacBook (running Tunnelblick).
All three devices are using the same .ovpn file. I connected my Windows and Mac laptops through the same wifi hotspot.