OpenVPN on OpenWrt

Hi,
I installed OpenVPN on OpenWRT using the steps here:

I made one minor adjustment to the client.ovpn file to override my OpenWRT IP address with the WAN-connected router (my OpenWRT router is inside my home network):
remote XX.XX.XXX.X 1194 udp

Now I can connect from a public internet connection to my OpenWRT router via either SSH or LuCI.
But I can't access any devices on my local home network. I also can't access the internet at all. My preference here is to have internet access via my home network as well.

I'd appreciate it if anyone has any ideas on how to solve this one.

Thanks,
Dave

tun0 network device missing?

I'm not sure - I'm quite new to this ...
I see the following, but they seem to be mainly ovpn settings:

root@OpenWrt:~# uci show | grep tun
firewall.lan.device='tun+'
openvpn.sample_server.dev='tun'
openvpn.sample_server.persist_tun='1'
openvpn.sample_client.dev='tun'
openvpn.sample_client.persist_tun='1'
openvpn_recipes.server_tun_ptp=openvpn_recipe
openvpn_recipes.server_tun_ptp._description='Simple server configuration for a routed point-to-point VPN'
openvpn_recipes.server_tun_ptp._role='server'
openvpn_recipes.server_tun_ptp.dev='tun'
openvpn_recipes.server_tun_ptp.ifconfig='10.0.0.1 10.0.0.2'
openvpn_recipes.server_tun_ptp.secret='shared-secret.key'
openvpn_recipes.server_tun_ptp.keepalive='10 60'
openvpn_recipes.server_tun_ptp.comp_lzo='yes'
openvpn_recipes.server_tun_ptp.verb='3'
openvpn_recipes.server_tun_ptp.mssfix='1420'
openvpn_recipes.client_tun_ptp=openvpn_recipe
openvpn_recipes.client_tun_ptp._description='Simple client configuration for a routed point-to-point VPN'
openvpn_recipes.client_tun_ptp._role='client'
openvpn_recipes.client_tun_ptp.dev='tun'
openvpn_recipes.client_tun_ptp.remote='vpnserver.example.org'
openvpn_recipes.client_tun_ptp.ifconfig='10.0.0.2 10.0.0.1'
openvpn_recipes.client_tun_ptp.secret='shared-secret.key'
openvpn_recipes.client_tun_ptp.nobind='1'
openvpn_recipes.client_tun_ptp.comp_lzo='yes'
openvpn_recipes.client_tun_ptp.verb='3'
openvpn_recipes.server_tun=openvpn_recipe
openvpn_recipes.server_tun._description='Server configuration for a routed multi-client VPN'
openvpn_recipes.server_tun._role='server'
openvpn_recipes.server_tun.dev='tun'
openvpn_recipes.server_tun.server='10.0.100.0 255.255.255.0'
openvpn_recipes.server_tun.ca='ca.crt'
openvpn_recipes.server_tun.cert='server.crt'
openvpn_recipes.server_tun.key='server.key'
openvpn_recipes.server_tun.dh='dh1024.pem'
openvpn_recipes.server_tun.keepalive='10 60'
openvpn_recipes.server_tun.comp_lzo='yes'
openvpn_recipes.server_tun.verb='3'
openvpn_recipes.server_tun.mssfix='1420'
openvpn_recipes.client_tun=openvpn_recipe
openvpn_recipes.client_tun._description='Client configuration for a routed multi-client VPN'
openvpn_recipes.client_tun._role='client'
openvpn_recipes.client_tun.client='1'
openvpn_recipes.client_tun.dev='tun'
openvpn_recipes.client_tun.remote='vpnserver.example.org'
openvpn_recipes.client_tun.pkcs12='my_client.p12'
openvpn_recipes.client_tun.remote_cert_tls='server'
openvpn_recipes.client_tun.comp_lzo='yes'
openvpn_recipes.client_tun.nobind='1'
openvpn_recipes.client_tun.persist_key='1'
openvpn_recipes.client_tun.persist_tun='1'
openvpn_recipes.client_tun.verb='3'
openvpn_recipes.client_tun.reneg_sec='0'
openvpn_recipes.client_tun.float='1'

You seem to have the tun setup ok.

But compression support has been removed from OpenVPN starting with 2.5 and for all future versions. So you must delete all lines in the server and client configs that specify any kind of compression.

Enable masquerading on the firewall zone which your main connection is assigned to.

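As an added example (not from this thread or from OpenWrt's own tooling), a POSIX shell check run over a constructed sample of `uci show firewall` output: it finds the zone that carries the `tun+` device, reports whether that zone has `masq` enabled, and prints the UCI commands that would turn masquerading on. The sample configuration is an assumption built to match the `firewall.lan.device='tun+'` line shown above.

```shell
# Constructed sample of `uci show firewall` output (not taken from the thread):
# the OpenVPN interface tun+ is in the lan zone, which has no masq option set.
UCI_FIREWALL="firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.network='lan'
firewall.lan.forward='ACCEPT'
firewall.lan.device='tun+'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.network='wan' 'wan6'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'"

# zone_for_device CONFIG DEVICE: print the UCI section name of the zone
# whose 'device' option equals DEVICE (e.g. tun+), or nothing if none does.
zone_for_device() {
    printf '%s\n' "$1" | awk -v want="'$2'" '{
        eq = index($0, "=")
        n = split(substr($0, 1, eq - 1), k, ".")
        if (n == 3 && k[3] == "device" && substr($0, eq + 1) == want) { print k[2]; exit }
    }'
}

# zone_masq CONFIG ZONE: print the masq value of ZONE; an absent option
# means masquerading is off, which is OpenWrt's default, so print 0.
zone_masq() {
    printf '%s\n' "$1" | awk -v zone="$2" -v q="'" '
        BEGIN { v = "0" }
        index($0, "firewall." zone ".masq=") == 1 {
            v = substr($0, index($0, "=") + 1); gsub(q, "", v)
        }
        END { print v }'
}

# masq_fix_cmds ZONE: print the UCI commands that enable masquerading on ZONE
# (the fix the thread converged on); review them before running on the router.
masq_fix_cmds() {
    printf "uci set firewall.%s.masq='1'\n" "$1"
    printf 'uci commit firewall\n'
    printf '/etc/init.d/firewall restart\n'
}

# Report for the zone holding tun+ and print the fix when masq is off.
zone=$(zone_for_device "$UCI_FIREWALL" 'tun+')
if [ -n "$zone" ] && [ "$(zone_masq "$UCI_FIREWALL" "$zone")" != "1" ]; then
    echo "zone $zone has masq off; fix:"; masq_fix_cmds "$zone"
fi
```

On a real router, feed the functions `$(uci show firewall)` instead of the constructed sample.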

If you only need to make a secure connection, the best way, I think, is now WireGuard: it's faster and more secure, with easy automatic setup. For a tutorial click here

I like WireGuard.

More or less secure than what exactly?

Than OpenVPN. This is not the only source, but the first hit on Google.

Using ovpn files sets the configuration in those files, not the UCI system. Make changes in the ovpn files.

Regardless of which layer 3 VPN system you use, if the VPN server is not running within the network's main router, you need to install a static route in the main router. The main router needs to know that the route to the VPN clients (which is a different subnet than the LAN) is via the VPN server. If the VPN client is also a router (i.e. not a single "road warrior" machine), routes to the remote LAN also need to be installed.

Actually, you don't necessarily need a static route on the main router. What I've done in the past (and/or where routes are not accessible in the user configuration) is to connect the VPN router to the main network via the VPN router's WAN port. Then I allow VPN > WAN in the firewall zone and it 'just works' (you also need to set the firewall traffic rules to accept the VPN connection, and I also allow ssh/LuCI over WAN because the main network is trusted in this situation). This assumes that the WAN is masqueraded, of course.

EDIT: to clarify, this is a VPN server type configuration. My use case for this is the road-warrior type thing where I have a travel router (or local VPN app on mobile/laptop) that establishes the VPN tunnel back to my home via my VPN server. This is not a site-to-site configuration or an outbound (client) VPN connection to a commercial VPN provider.


Yes, there are other options:

  • NAT the VPN users into the house LAN as you've done.
    • This means you'd have to forward ports through the VPN server to allow a LAN user to make an outgoing connection to a VPN user. That is a minor issue, since a road warrior use case is unlikely to need that functionality anyway.

  • Use a layer 2 VPN, like OpenVPN's TAP mode.


Except mobile OSs (iOS, Android) don't support TAP, so this would always require a travel router type setup to connect. To give myself the maximum flexibility when/where ports or protocols may be blocked, I use OpenVPN (TUN) and WireGuard. I have stunnel and shadowsocks as well to give me additional methods of connectivity into the OpenVPN server -- these of course require my travel router and don't work on mobile alone.


That link compares commercial VPN solutions; these VPN solutions are never secure, since they are the definition of a man-in-the-middle attack no matter the name of the service you pay for.

OpenVPN set up as a real VPN tunnel, where you control both point A and B, at least has some checking for server authenticity with an X.509 certificate and runs TLS 1.2 or 1.3. If that were to break, then the whole HTTPS concept breaks.

But they officially don't really say WireGuard is secure anywhere…

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable.

Not even on the WireGuard homepage do they say it is secure. Their whole commercial says they are faster and easier than IPSec and OpenVPN. But not secure…

State-of-the-art cryptography isn’t the same as secure! It is just state-of-the-art cryptography. Nothing more and nothing less.


Thanks for this, enabling masquerading fixed the issue. I can now access all the devices on my LAN, including folder shares, as well as the internet through my VPN.

Thanks also to everyone for all your ideas.
Dave
