Request some clarification on OpenVPN, tun devices, firewall rules

First of all I want to note that I have spent MANY hours in the past week, installing, configuring, resetting and starting all over, trying to find the best way to have BOTH an OpenVPN server and an OpenVPN client on the same router. Some things I have learned:

  1. All the cryptographic parameters (ca, dh, cert, key, tlscrypt-v2) can be generated outside of the router, be re-used wherever I want, and overall be modular
  2. OpenVPN server & client is possible on the same machine. It's been working even when BOTH are set to connect over UDP port 1194 (maybe because of different tun devices), but I gather it would be wiser to use different protocols/ports

I could use some clarification on the firewall instructions (on this tutorial: https://openwrt.org/docs/guide-user/services/vpn/openvpn/server) listed below:

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.device="tun+"
uci add_list firewall.lan.device="tun+"
uci -q delete firewall.ovpn
uci set firewall.ovpn="rule"
uci set firewall.ovpn.name="Allow-OpenVPN"
uci set firewall.ovpn.src="wan"
uci set firewall.ovpn.dest_port="${VPN_PORT}"
uci set firewall.ovpn.proto="${VPN_PROTO}"
uci set firewall.ovpn.target="ACCEPT"
uci commit firewall
service firewall restart

  1. Why do we perform the renaming in the beginning?
  2. Why do we delete all tun+ devices (that would be tun0, tun1, tun2, etc)? I may already be using a tun device, created because of the router being an OpenVPN client
  3. Omitting the renaming (commands 1, 2) and deleting (commands 3 & 5) resulted in NO internet for the clients connected to the router as OpenVPN server. Once I ran the whole code block, internet was available again, but I don't understand WHY.

Is there a place to read about these things? I barely have time, but I am at a loss with these configurations. I would be hesitant (for example) to first set up the VPN client, and then follow the instructions for a VPN server, given how the above commands delete all tun devices, am I right to assume that things will break?

After much testing, I see that when creating the VPN server after creating the VPN client, in order for the clients connecting to the server to get an internet connection, I need to add both tun devices to the WAN zone. I don't know why this is the case.

I also don't understand why some tutorials instruct one to create a new interface (similar to lan, wan, etc), while others don't. I don't know if I should expect to see a new OpenVPN interface somehow, or if that offers some advantage.

Trying to also install a VPN server (after setting up a VPN client and Policy based routing) messed things up. Should there be a conflict if all these 3 are served by the same machine or did I do something wrong?
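
How the `tun+` entry in the firewall block above behaves, as an added example (not from the tutorial or from any poster in this thread): a small shell model of a zone's `device` list, in which `del_list` followed by `add_list` only rewrites a configuration entry without touching any tunnel device, and `tun+` is a wildcard covering every interface whose name starts with `tun`. The helper names and the `tun0`/`tun1` assignment are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not OpenWrt code: a zone's "device" list is modelled as a
# space-separated string; all function names here are hypothetical.

# Model of `uci del_list`: drop entries equal to $2 from list $1 (config only).
del_list() {
    out=""
    for e in $1; do
        [ "$e" = "$2" ] || out="${out:+$out }$e"
    done
    printf '%s\n' "$out"
}

# Model of `uci add_list`: append value $2 to list $1.
add_list() { printf '%s\n' "${1:+$1 }$2"; }

# Succeeds if interface $1 matches device entry $2; a trailing "+" is a wildcard.
device_matches() {
    case "$2" in
        *+) prefix="${2%+}"
            case "$1" in "$prefix"*) return 0 ;; esac
            return 1 ;;
        *)  [ "$1" = "$2" ] ;;
    esac
}

# Print every zone whose entry matches interface $1; entries are "zone:device".
zones_for() {
    iface="$1"; shift
    hits=""
    for entry in "$@"; do
        if device_matches "$iface" "${entry#*:}"; then
            hits="${hits:+$hits }${entry%%:*}"
        fi
    done
    printf '%s\n' "$hits"
}

# Constructed scenario: tun0 = OpenVPN server, tun1 = OpenVPN client (assumed names).
devs=""
devs=$(add_list "$(del_list "$devs" "tun+")" "tun+")   # first run of the tutorial block
devs=$(add_list "$(del_list "$devs" "tun+")" "tun+")   # second run: still one entry
echo "lan device list: $devs"
echo "wildcard: tun0 -> $(zones_for tun0 lan:tun+), tun1 -> $(zones_for tun1 lan:tun+)"
echo "pinned:   tun0 -> $(zones_for tun0 lan:tun0 wan:tun1), tun1 -> $(zones_for tun1 lan:tun0 wan:tun1)"
```

Pinning a name per instance relies on each OpenVPN configuration requesting a fixed device (for example `dev tun0` on one and `dev tun1` on the other) rather than a bare `dev tun`.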

Consider using WireGuard: three times faster and much easier to set up.
See: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/notes

It includes instructions on how to run a server and client on the same router (indeed with PBR).