OpenVPN server

Has anyone managed to get openvpn to go to openwrt?

My request derives from the need to access my LAN from another location over a WAN connection. I tested the .ovpn config file and inserted the user/pass in the correct box, but the VPN won't start. It is not mandatory to use the .ovpn profile. It may also be an independent (probably more secure) client/server connection rather than an intermediate server service.
I prefer to use the LuCI interface if possible.

For testing purposes I will try client (phone) to server (router), but if it works properly the final use is a router-to-router connection in order to merge the two LANs.

Thank you guys!

OpenVPN sends a lot of messages to the System Log as clues for why the connection didn't start.

For a point to point between two sites that you control, Wireguard would be a lot simpler.

For either Wireguard or OpenVPN, the requirement is the same that one of the sites' ISP needs to provide an IP address that allows incoming connections from the Internet.

I don't know why, but I have no log about OpenVPN. Furthermore, also using the config file, the tunnel interface has not been created. Trying to install WireGuard. Installed WireGuard; nothing in the status.

System log:

Sat Jul 30 13:17:18 2022 kern.info kernel: [   11.967237] wireguard: WireGuard 1.0.0 loaded. See www.wireguard.com for information.
Sat Jul 30 13:17:18 2022 kern.info kernel: [   11.967272] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

OpenVPN logs to the general system log which is under the System top level tab.

After installing Wireguard you need to go to Network-Interfaces and create an interface of protocol wireguard for it to do anything.

Both OpenVPN and wireguard work very well, but you need to configure them properly. Wireguard is faster and easier to configure.

What steps have you taken to configure them so far?

Just as a data point --- I had openvpn configured and working well for several years in FreshTomato as an R7000 was my main router.

I switched main router to an openwrt router, and transitioned the settings from FreshTomato to openwrt. I followed openwrt forum and wiki instructions to take care of some hiccups.

The setup was working well for a while, but then my clients stopped being able to connect "without any other changes."

After trying "everything" I remembered reading in the commit logs that wolfssl was updated, and so I decided to change my build config from openvpn-wolfssl to openvpn-openssl, and with that I was able to connect again.

Not suggesting that is your issue here, but noting this here in case others are compiling their own firmware, or building through buildbot and specifying the type of openvpn build, that this is something to look at.

I believe the default openwrt openvpn is built using openssl, so if the above doesn't make sense, it likely doesn't apply to your scenario.

I've installed from the GUI:

openvpn-openssl
luci-app-openvpn
luci-i18n-openvpn-en
(is openvpn-easy-rsa also needed? Currently not installed)

Imported the .ovpn config file for connection to the server.

Added the user/password via Edit --> user/password box at the bottom, from my profile on the OVPN site.

Flagged active and started; that's all folks.

This procedure does not automatically create the VPN network interface and zones. Is that normal?

and

With WireGuard I obtained the same behavior and result.

I want to remind you of my need. I want to access my LAN when I'm out of the office. I'm not interested in a VPN to hide my external IP.

This is normal. You need to do this yourself (for both Wireguard and OpenVPN).

Have you followed either of the guides on the OpenWrt wiki?

I've seen both pages. Last evening I tried again to create the OpenVPN server, but I did not finish due to the long time creating the key; I followed the instructions at https://openwrt.org/docs/guide-user/services/vpn/openvpn/server . The previous time I finished the procedure (dragged and dropped from the page to the SSH command line), but no interface or firewall settings were created. So something went wrong. Today I will try again.

Certainly I'm wrong in something, but either way I can't get them to work. The only exception is with WireGuard: once I run the script and configure the interface I can't navigate anymore. Once uninstalled, everything works properly again. Using OpenWrt 21.02.3. I've done other VPNs with other routers but I've never had as many problems as this time.

Those guides work for most users. So you may either have a mistake or some type of conflict. Let’s look at your configuration.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
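The redaction advice above is easy to get wrong by hand (the later posts show that over-redacting the LAN addresses made the configs useless for helpers, while public IPs, MAC addresses and keys are what actually matter). The following is an added example, not code from the thread or from OpenWrt: a small Python filter that takes UCI output like the four files requested and replaces only the sensitive parts. The sample configuration it runs on is constructed with made-up values; the option names it treats as secrets (`key`, `private_key`, `preshared_key`, `password`) are an assumption about what a typical OpenWrt config contains.

```python
import ipaddress
import re

# Constructed sample in the shape of `cat /etc/config/network` / `wireless`
# output, with made-up values; it is not the poster's real configuration.
SAMPLE = """config interface 'wan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '8.8.8.8'
        option macaddr 'AA:BB:CC:DD:EE:01'

config interface 'lan'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'

config wifi-iface 'default_radio1'
        option encryption 'psk2'
        option key 'hunter2'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'c29tZXByaXZhdGVrZXk='
"""

MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# UCI options whose values are secrets regardless of what they contain
# (assumed list of option names; extend it for other packages).
SECRET_RE = re.compile(
    r"(option\s+(?:key|private_key|preshared_key|password)\s+')[^']*(')"
)


def _ip_sub(match):
    """Keep RFC 1918 / loopback / link-local addresses (they reveal nothing
    about the poster and helpers need them); mask everything else."""
    text = match.group(0)
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text  # e.g. '999.1.1.1' is not an address, leave it alone
    return text if addr.is_private else "PUBLIC_IP"


def redact(text):
    """Return the config text with secrets, MACs and public IPv4s masked."""
    text = SECRET_RE.sub(r"\1REDACTED\2", text)
    text = MAC_RE.sub("XX:XX:XX:XX:XX:XX", text)
    text = IPV4_RE.sub(_ip_sub, text)
    return text


if __name__ == "__main__":
    # Typical use on the router: cat /etc/config/network | python3 redact.py
    print(redact(SAMPLE))
```

Private subnets such as 192.168.100.0/24 survive untouched, which is exactly what the helpers in this thread ask for; only addresses that are not private, plus MACs and key material, are replaced.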

Have you edited auth-user-pass in the ovpn file to point to the user/password?

auth-user-pass /etc/openvpn/OVPN.auth

The box below is used to insert the user and pass. Why do I also need to add auth-user-pass /etc/openvpn/OVPN.auth?

That's how a vpn client is set up so the service knows where to look for the user/password, I assume it would be the same for a server. You could also try it with just the keys to see if it's created without user/password.

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        option noresolv '1'
        option doh_backup_noresolv '-1'
        list doh_backup_server '/use-application-dns.net/'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr 'xxx.xxx.xxx.xxx'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns 'xxx.xxx.xxx.xxx.'
        option broadcast 'xxx.xxx.xxx.xxx'
        option delegate '0'
        option gateway 'xxx.xxx.xxx.xxx'

config interface 'wan'
        option device 'eth1'
        option proto 'static'
        list dns 'xxx.xxx.xxx.xxx'
        option ipaddr 'xxx.xxx.xxx.xxx'
        option netmask '255.255.255.0'
        option gateway 'xxx.xxx.xxx.xxx'
        option broadcast 'xxx.xxx.xxx.xxx'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '100'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'xxxxt'
        option encryption 'psk2'
        option key 'xxxx'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'
        option country 'xx'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'xxxx'
        option encryption 'psk2'
        option key 'xxxx'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option channel 'auto'
        option country 'xx'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'xxxx'
        option encryption 'psk2'
        option key 'xxxx'

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun+'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'

config include
        option path '/etc/firewall.user'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'
        option family 'IPv4'
        option reload '1'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '1194 VPN'
        option src_dport '1194'
        option dest_ip '192.168.1.4'
        option dest_port '1194'
        option src 'wan'
        option enabled '0'

config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'

OK guys, the VPN works. I can connect to the server in my router using the external IP. The problem is I can't access my devices in the LAN. Maybe a netmask restriction? I use /24. My LAN may be 192.168.100.1, whereas the IP provided to the VPN client is on the 192.168.8.0 LAN. Furthermore, no VPN interface appears in Network/Interfaces. Only WAN and LAN interfaces. So if that's correct I need to provide a client the same LAN IP, so 192.168.100.xxx. I hope the DHCP also works in this case.

This is part of the server.conf file:

user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>

Can I modify the network provided by the server, 192.168.8.0, to my LAN 192.168.100.0?

You don't need to redact this info. It is not sensitive or secret. With it redacted, nobody can help. Only redact things that are unique and actually sensitive such as your WireGuard keys, public IP, MAC addresses, and WiFi passwords.

OK. Actually the VPN network is 192.168.8.0 while the router network is 192.168.100.0. Both interfaces are /24, so 255.255.255.0. The client connects successfully to the external IP and VPN server, but I can't access my devices in LAN 192.168.100.0. That is the information that was missing. Is it enough?

You need to push a route from the server to the client (push directive in the server configuration file) for 192.168.100.0 255.255.255.0.
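As an added example (not code from the thread, the OpenWrt wiki or the OpenVPN project), here is a Python helper that reads a server.conf in the shape posted above, checks that the `server` subnet does not overlap the LAN the clients should reach, and adds the missing `push "route ..."` directive that the reply recommends. The server.conf it runs on is constructed from the directives shown in this thread with a placeholder DH block; the LAN 192.168.100.0/24 and the VPN subnet 192.168.8.0/24 are the thread's own values. It assumes, as the poster's /etc/config/firewall already does, that `tun+` sits in the lan zone, so routing is the only missing piece.

```python
import ipaddress

# Constructed server.conf mirroring the directives posted in the thread.
# The <dh> block is a placeholder, not real DH parameters.
SERVER_CONF = """user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
<dh>
-----BEGIN DH PARAMETERS-----
PLACEHOLDER
-----END DH PARAMETERS-----
</dh>
"""


def parse_openvpn_conf(text):
    """Return (options, pushes): top-level directives as {name: [args]} and
    the payloads of push directives with their quotes stripped. Inline
    <ca>/<cert>/<dh> blocks are skipped, as are # and ; comments."""
    options, pushes, in_block = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line.startswith("</"):
                in_block = False
            continue
        if line.startswith("<") and not line.startswith("</"):
            in_block = True
            continue
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "push":
            pushes.append(" ".join(parts[1:]).strip('"'))
        else:
            options[parts[0]] = parts[1:]
    return options, pushes


def vpn_subnet(options):
    """The tunnel subnet from the `server <net> <mask>` directive."""
    net, mask = options["server"]
    return ipaddress.ip_network(f"{net}/{mask}")


def pushed_routes(pushes):
    """Networks already announced to clients via push "route ..."."""
    routes = []
    for payload in pushes:
        parts = payload.split()
        if parts and parts[0] == "route" and len(parts) >= 3:
            routes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
    return routes


def add_lan_route(conf_text, lan_cidr):
    """Return conf_text with a push "route" for lan_cidr, inserted after the
    last existing push line (so it stays outside any inline <dh> block).
    Raises ValueError if the tunnel subnet overlaps the LAN, because clients
    could then never route to the LAN through the tunnel."""
    lan = ipaddress.ip_network(lan_cidr)
    options, pushes = parse_openvpn_conf(conf_text)
    vpn = vpn_subnet(options)
    if vpn.overlaps(lan):
        raise ValueError(f"VPN subnet {vpn} overlaps LAN {lan}; pick a distinct server subnet")
    if any(lan.subnet_of(r) for r in pushed_routes(pushes)):
        return conf_text  # already routed, nothing to change
    directive = f'push "route {lan.network_address} {lan.netmask}"'
    lines = conf_text.splitlines()
    push_idx = [i for i, l in enumerate(lines) if l.strip().startswith("push")]
    insert_at = push_idx[-1] + 1 if push_idx else len(lines)
    lines.insert(insert_at, directive)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(add_lan_route(SERVER_CONF, "192.168.100.0/24"))
```

Running it on the thread's configuration prints the same server.conf with `push "route 192.168.100.0 255.255.255.0"` added after the existing push lines; running it again on the result changes nothing, and asking it to route 192.168.8.0/24 (the tunnel subnet itself) fails with the overlap error rather than producing a config that cannot work.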