Setup openVPN server through LuCI with access to LAN

Hello,
I want to set up a VPN server on my router (Archer C7) which would also enable accessing my LAN from anywhere. I have already set up DDNS.
I was trying to find a guide to do this through LuCI but couldn't find anything. Can someone help?


Check your package repository for the luci-app-openvpn. It adds OpenVPN options to LuCI. More information here.

Sorry, that's the client. However, setting up OpenVPN isn't hard. Use XCA or something to generate certificates, and there are a lot of OpenVPN server config generators online. Btw, don't expect miracles from running OpenVPN on the C7. Your throughput will be around 20 Mbps max.

I am sure it is not hard. I had done it before on my Ubuntu box using this guide


However, I am looking for a guide with concrete steps on how to do this in LuCI without struggling for hours and trying to reinvent the wheel.

OpenVPN server and WireGuard (faster).
There is no LuCI guide as far as I know. Some things, like keys, cannot be created in LuCI anyway. But for the rest you can adapt the guidelines to LuCI.

It seems there just isn't a LuCI interface for that. There's even a guide on the wiki that does everything for you. First result on Google when searching for openvpn openwrt.

Not recommended if you have your own certificates or have multiple LAN interfaces, though. And setting it up is almost the same as the guide you mentioned. No need for struggling or reinventing the wheel here. Is there a specific problem you're having with setting it up?

So I followed the above guide, executing each command line by line with sudo. I went up to the point in #3 Basic server, where the line
OVPN_DEV="$(uci get firewall.lan.device | sed -e "s/^.*\s//")"
outputs an I/O error and cannot be executed with sudo. Am I missing something here?

Why sudo? Default user in OpenWrt is root.

Yeah, what @trendy says. In general for Linux, you can look at your shell prompt to see if you have superuser rights. A user with root privileges is denoted with #, a normal user without privileges is denoted with $. If a normal user is in the sudoers group, they can use sudo.

user@host: ~# has root privileges, no need for sudo
user@host: ~$ has no root privileges, can use sudo if the user is in the sudoers group

As for your problem, an I/O error is weird. It shouldn't give an I/O error in any case. What is the exact error? Possible errors are:

root@openwrt:~# uci get firewall.lan.device | sed -e "s/^.*\s//"
uci: Entry not found

In this case, you haven't set up your firewall correctly as described in the firewall section of the guide.

root@openwrt:~# sudo uci get firewall.lan.device | sed -e "s/^.*\s//"
-ash: sudo: not found

This is already mentioned by Trendy. The OpenWrt default user is root. There is no need for sudo, and OpenWrt doesn't include a sudo binary.

By the way, where did you even put the sudo declaration? You're setting a variable here. Just copy-paste the code line by line into your shell.

root@openwrt:~# OVPN_DEV="$(uci get firewall.lan.device | sed -e "s/^.*\s//")"

You could also copy that whole section into your shell after the opkg install openvpn-openssl. Should also work.


Ok, so that was my mistake. I had created a regular user to log on to my router and had disabled the root user (which is actually recommended).
I had to re-enable root and start from scratch.
Went through the guide and everything completed successfully. The only thing I changed is the default port from 1194 to a random 5-digit port, e.g. 55555, as an extra security measure.

However, the problem now is that I cannot actually connect from an outside network; the connection times out. I also checked if port 55555 is open with https://www.yougetsignal.com/tools/open-ports/ but it shows as closed. Any ideas?

Are there hits on the firewall?
iptables-save -c | grep 55555

No it doesn't output anything

Then you skipped the 1st step to open the port on the firewall.

I'm pretty sure I did it, don't know why this happens.
However, I ran the first part again and now it outputs
root@OpenWrt:~# iptables-save -c | grep 55555
[0:0] -A zone_wan_input -p udp -m udp --dport 55555 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
Still, the port shows as closed from outside and the client cannot connect.

No hits, nothing tried to come in.

That portforwarder you're using only checks TCP ports.

Ok, now the output is

[66:5412] -A zone_wan_input -p udp -m udp --dport 55555 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
The client still won't connect.
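The two `iptables-save -c` outputs above differ only in the counters in front of the rule: `[0:0]` means the Allow-OpenVPN rule exists but no packet has ever matched it, while `[66:5412]` means 66 packets (5412 bytes) have reached the router on UDP 55555 and been accepted. The following script is an added example, not code from the thread or from the OpenWrt wiki guide; it parses those counters so the three cases (no rule, rule with no traffic, rule with traffic) can be told apart automatically. The sample output and the port numbers are constructed to resemble the thread, and the UDP check reflects OpenVPN's default protocol, which is why a TCP-only port scanner reports the port as closed.

```sh
#!/bin/sh
# Added example (not from the thread or the OpenWrt wiki): interpret the
# [packets:bytes] counters that `iptables-save -c` prints before each rule.
# Sample rules below are constructed; ports 55555 and 12345 mirror the thread.

# Print "<proto> <packets> <bytes>" for every rule in $1 (iptables-save -c text)
# that matches --dport $2. Prints nothing when no rule references the port.
rule_hits() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^\[[0-9]+:[0-9]+\] -A / {
            # $1 looks like [66:5412]; strip the brackets and split on ":"
            split(substr($1, 2, length($1) - 2), c, ":")
            proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport" && $(i + 1) == port)
                    print proto, c[1], c[2]
            }
        }'
}

# One-line verdict for a UDP service (OpenVPN default) expected on port $2.
check_port() {
    hits=$(rule_hits "$1" "$2")
    if [ -z "$hits" ]; then
        echo "no rule"                # firewall step skipped or fw3 not reloaded
        return
    fi
    pkts=$(printf '%s\n' "$hits" | awk '$1 == "udp" { print $2; exit }')
    if [ -z "$pkts" ]; then
        echo "rule but not udp"       # a TCP rule will not help a UDP OpenVPN
    elif [ "$pkts" -eq 0 ]; then
        echo "rule, no traffic"       # nothing reached the WAN side: DDNS/upstream NAT
    else
        echo "rule, $pkts packets"    # traffic arrives; look at the OpenVPN daemon
    fi
}

# Constructed samples resembling the thread's output before and after a test.
SAMPLE_BEFORE='[0:0] -A zone_wan_input -p udp -m udp --dport 55555 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT'
SAMPLE_AFTER='[66:5412] -A zone_wan_input -p udp -m udp --dport 55555 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
[12:960] -A zone_wan_input -p tcp -m tcp --dport 12345 -m comment --comment "!fw3: Allow-SSH" -j ACCEPT'

# On a live router the first argument would be "$(iptables-save -c)".
check_port "$SAMPLE_BEFORE" 55555
check_port "$SAMPLE_AFTER" 55555
check_port "$SAMPLE_AFTER" 12345
check_port "$SAMPLE_AFTER" 1194
```

Run it on the router as `check_port "$(iptables-save -c)" 55555` after triggering a connection attempt from outside; a counter that stays at zero while the client retries points at something upstream of the router (DDNS pointing at a stale address, or a carrier-grade NAT in front of the WAN port), not at OpenVPN itself.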

https://check-host.net/check-udp

Also shows connection refused.

Run the troubleshooting part at the bottom of the page and post here the output.

Ok, here's the whole output of the troubleshooting part:
https://pastebin.com/mNSxmX1E
I filtered out private information (IPs, MAC addresses, keys, etc.).
I also have an existing port forwarding rule for port 12345 that I use for my SSH, which works perfectly.

Sat May 9 13:57:22 2020 daemon.err openvpn(server)[5234]: Options error: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/server.conf:5: port (2.4.5)