Simplified OpenVPN Setup

Hi

To cut a long story short I'm in the process of making pre-configured files which I will be embedding into my own compiled router firmware.

The biggest task is setting up a VPN server so that outside traffic will be able to join my LAN, access LAN resources such as an SMB server, and ensure an encrypted connection when using open, unsecured APs; therefore I would like to use a secure VPN tunnel to encrypt the data.

I've been trying to setup OpenVPN following this guide https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic

So far I have set up a VPN interface that is set to 'tun0'. The guide says to use firewall rules but I'd rather use a firewall zone, as it seems a better way of keeping track of which interface is connected to which firewall zone whilst using LuCI.

The problem I find with the current guide is that the big blocks of commands are hard to follow; I often lose track of what command(s) I last typed in, as most of it is automated. I'd rather configure everything manually via the nano editor, or access the configuration files via SFTP/SCP, modify them and re-upload them, so I know how everything is working.

In terms of generating the CA, private and public keys, I'm leaning towards using my desktop PC for that as it's a lot more powerful. I'm already using OpenSSL to make my own certificate authority, which I was going to use to sign my private and public keys.

All I'm thinking of doing is generating the certificates on my Linux PC using the Easy-RSA package and then tweaking the '/etc/config/OpenVPN' config and setting the paths to where I have uploaded the certificates onto the router. So long as I set the hostnames, common names and SANs (subject alternative names) I should be fine? I assume that if I have set up a DDNS hostname I set this in the SANs? Is there anything else that needs doing?

Is anyone able to supply a fully configured OpenVPN config file (excluding sensitive information)?

My last question is how do I set up the IP addresses for the VPN interface. In my case I would like the VPN clients to be able to access my home network, as though they're on the LAN. How do I achieve this?

For example if I set the VPN interface's network ID to 10.0.0.1/24 in the OpenVPN configuration do the clients connected get a host IP within the 10.0.0.0/24 range? If so how do I get the outside connecting client to communicate with existing LAN clients or is it a simple case of knowing the client IP address/hostname to connect to its resources?

Any help appreciated

Many thanks

Will

You can use any Linux manual; pay attention to the sample config files from the OpenVPN distribution. Generation of certificates and keys is also important; you can use any names. The following client configuration works for me:
client
dev tun
proto tcp-client
remote XXX.XXX.XXX.XXX 1194
resolv-retry infinite
;float
nobind
persist-key
persist-tun
auth SHA1
cipher BF-CBC
comp-lzo adaptive
nice 0
verb 3
mute 10
;ns-cert-type server

<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1

Server configuration file:
proto tcp-server
port 1194
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir ccd
push "route 192.168.2.0 255.255.255.0"
auth SHA1
cipher BF-CBC
comp-lzo adaptive
push "comp-lzo adaptive"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.2.1"
ca /etc/storage/openvpn/server/ca.crt
dh /etc/storage/openvpn/server/dh1024.pem
cert /etc/storage/openvpn/server/server.crt
key /etc/storage/openvpn/server/server.key
tls-auth /etc/storage/openvpn/server/ta.key 0
persist-key
persist-tun
user nobody
group nogroup
script-security 2

User params:

max-clients 10
client-to-client
keepalive 10 60
nice 3
verb 0
mute 10
push "dhcp-option DNS 8.8.8.8"
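The server config above dates from the OpenVPN 2.3 era and carries several settings that current releases treat as weak or deprecated: BF-CBC is Blowfish, a 64-bit block cipher exposed to SWEET32-style attacks and dropped from OpenVPN's default cipher list in 2.5; compression (comp-lzo) lets an attacker who can inject data into the tunnel recover plaintext (the VORACLE class of attacks), and OpenVPN 2.5 deprecates it; 1024-bit DH parameters are below current recommendations, and since 2.4 `dh none` selects ECDHE instead; `tls-auth` only authenticates the control channel, whereas `tls-crypt` (2.4+) also encrypts it; `script-security 2` enables user-defined scripts, which this config never uses; and `proto tcp` is a performance rather than a security issue (TCP-over-TCP stalls under packet loss), so UDP is preferred unless a firewall forces TCP. The script below is an added example, not part of the thread: it lints a config for those points and shows the posted server config next to a corrected version. The sample text is a constructed, trimmed copy of the posted config; the regexes, option names and the corrected config are my suggestions, not the poster's.

```shell
#!/bin/sh
# Added example (not from the thread): lint an OpenVPN server config for
# weak or deprecated settings and compare the posted config with a fix.

# Constructed sample: the posted server config, trimmed to the lines the
# checks below look at (cert/key paths kept as posted).
SAMPLE_CONF='proto tcp-server
port 1194
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
auth SHA1
cipher BF-CBC
comp-lzo adaptive
push "comp-lzo adaptive"
dh /etc/storage/openvpn/server/dh1024.pem
tls-auth /etc/storage/openvpn/server/ta.key 0
user nobody
group nogroup
script-security 2'

# The same server with every finding addressed (OpenVPN 2.4+ syntax).
# Clients need the matching change: tls-crypt instead of tls-auth (no
# key-direction), and remote-cert-tls server instead of ns-cert-type.
FIXED_CONF='proto udp
port 1194
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
auth SHA256
cipher AES-256-GCM
dh none
tls-crypt /etc/storage/openvpn/server/ta.key
tls-version-min 1.2
remote-cert-tls client
user nobody
group nogroup'

# has ERE : true if the comment-stripped config ($body) matches the pattern
has() {
    printf '%s\n' "$body" | grep -qiE "$1"
}

# lint_openvpn_conf CONFIG_TEXT : print one finding per line; prints nothing
# when the config is clean. Always returns 0 so it is safe under set -e.
lint_openvpn_conf() {
    # drop ';' and '#' comments and blank lines before matching
    body=$(printf '%s\n' "$1" | sed -e 's/[;#].*$//' -e '/^[[:space:]]*$/d')
    has '^cipher[[:space:]]+(BF|DES|RC2|CAST5)' &&
        echo "cipher: 64-bit block cipher (SWEET32); use AES-256-GCM"
    has '^auth[[:space:]]+SHA1[[:space:]]*$' &&
        echo "auth SHA1: still accepted, but SHA256 costs nothing extra; prefer it"
    has 'comp-lzo|^compress' &&
        echo "compression: exposes plaintext to VORACLE-style attacks; remove comp-lzo/compress"
    has '^dh[[:space:]]+.*1024' &&
        echo "dh: 1024-bit DH parameters are too small; use 2048-bit or 'dh none' (ECDHE)"
    has '^proto[[:space:]]+tcp' &&
        echo "proto tcp: TCP-over-TCP stalls under loss; use udp unless a firewall forces tcp"
    has '^tls-auth[[:space:]]' &&
        echo "tls-auth: only authenticates the control channel; tls-crypt also encrypts it"
    # script-security 2/3 with no script option configured is pure attack surface
    if has '^script-security[[:space:]]+[23]' &&
       ! has '^(up|down|client-connect|client-disconnect|learn-address|auth-user-pass-verify|tls-verify)[[:space:]]'; then
        echo "script-security 2: enables user scripts but none are configured; drop it"
    fi
    has '^tls-version-min' ||
        echo "tls-version-min missing: add 'tls-version-min 1.2' to refuse old TLS"
    return 0
}

# count_findings CONFIG_TEXT : number of findings (awk so the exit code is 0
# even for zero lines)
count_findings() {
    lint_openvpn_conf "$1" | awk 'END { print NR }'
}

echo "posted config: $(count_findings "$SAMPLE_CONF") findings"
lint_openvpn_conf "$SAMPLE_CONF"
echo "fixed config:  $(count_findings "$FIXED_CONF") findings"
```

Run it on the router or the desktop before uploading a config; the checks are plain grep/sed so they work in BusyBox. The "fixed" config only changes what the findings name; keep the server, push and client-config-dir lines exactly as the reply has them.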

On Raspberry Pi and on Debian there is the pivpn script for automating the configuration. There is an attempt to do it on OpenWrt: New Script to Auto-Create OpenVPN Server - Request for Input

What is the recommended method for setting up the firewall? Do I create firewall rules or do I create a firewall zone, or both?

Both, of course.

Have you got any of your firewall config you could share please? The guide from here > https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic only has a single firewall rule.

UPDATE
I found a guide for multiple VPN's that I will deconstruct.

So what is your question? You should create a zone for the tun interface, and open the port for incoming connections.

I've assigned a firewall zone to the tun0 interface. Do I need to enable zone forwarding to the LAN or WAN interfaces, and should the input and output be set to reject by default? I assume this is where the port forward rule comes in?

Yes, of course, you should enable zone-tun0 to lan forwarding in order for OpenVPN clients to be able to access LAN resources. Input and output are not significant for LAN access. No, port forwarding is used when you want, e.g., to bind an internal resource with a port to the IP of the router itself.

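The zone, forwardings and the single inbound rule discussed in the last few posts, written out as the UCI stanzas OpenWrt keeps in /etc/config/network and /etc/config/firewall. This is an added example and not config from the thread or from the OpenWrt guide: it assumes the tunnel device is tun0, the zone and its interface are both called "vpn", the server listens on udp/1194, and the LAN zone is the default "lan". The script renders the fragments so they can be inspected before being appended; the only thing it adds beyond the thread is that the vpn zone's input stays REJECT and a dedicated rule opens port 53, because the posted server pushes the router (192.168.2.1) as DNS and clients could not reach it otherwise.

```shell
#!/bin/sh
# Added example (not from the thread): render the OpenWrt UCI stanzas for
# an OpenVPN zone so they can be checked, then appended to /etc/config/*.
# Assumed values (mine): device tun0, zone/interface "vpn", udp/1194.

# render_network [IFACE] [DEV] : interface entry that follows the tun device.
# proto none: OpenVPN assigns the tunnel address, netifd only tracks the device.
# On releases before 21.02 the device line is "option ifname '<dev>'".
render_network() {
    iface=${1:-vpn}; dev=${2:-tun0}
    cat <<EOF

config interface '$iface'
    option proto 'none'
    option device '$dev'
EOF
}

# render_firewall [ZONE] [PORT] [PROTO] : zone plus the rules that make the
# thread's setup work:
#  - vpn -> lan forwarding so clients reach LAN hosts (the SMB server);
#  - vpn -> wan forwarding so "redirect-gateway" traffic leaves via wan,
#    which already masquerades; nothing is masqueraded on lan;
#  - input REJECT on the zone, with one rule for the router's DNS, since
#    the server pushes "dhcp-option DNS 192.168.2.1";
#  - the inbound rule on wan for the OpenVPN port: a traffic rule, not a
#    port forward, because the service runs on the router itself.
# The zone's network list assumes the interface has the same name as the zone.
render_firewall() {
    zone=${1:-vpn}; port=${2:-1194}; proto=${3:-udp}
    cat <<EOF

config zone
    option name '$zone'
    list network '$zone'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src '$zone'
    option dest 'lan'

config forwarding
    option src '$zone'
    option dest 'wan'

config rule
    option name 'Allow-DNS-from-$zone'
    option src '$zone'
    option dest_port '53'
    option proto 'tcpudp'
    option target 'ACCEPT'

config rule
    option name 'Allow-OpenVPN-Inbound'
    option src 'wan'
    option dest_port '$port'
    option proto '$proto'
    option target 'ACCEPT'
EOF
}

# install_config DIR : append both fragments to DIR/network and DIR/firewall.
# On the router DIR is /etc/config; afterwards run
#   /etc/init.d/network reload && /etc/init.d/firewall reload
install_config() {
    dir=$1
    render_network  >> "$dir/network"
    render_firewall >> "$dir/firewall"
}

# Dry run: print what would be appended.
render_network
render_firewall
```

Two caveats that bite in practice with the "clients look like they are on the LAN" goal. First, LAN hosts reply to 10.8.0.0/24 via their default gateway, so this only works without masquerading when the router is that gateway; a host with a different gateway needs a static route for the tunnel subnet, or you fall back to masquerading the vpn zone. Second, host firewalls often scope file sharing to the local subnet (Windows' File and Printer Sharing rules default to "Local subnet"), so an SMB server that answers from the LAN may still ignore a 10.8.0.x client until that scope is widened.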

Sorry for the late reply.

I've taken some screenshots of the zone and traffic rule. Please advise if I've set it up wrong.

Does it work? I think there is no need to set masquerading for the lan zone.

No I haven't had time to compile my OpenVPN files yet. As soon as I do I will let you know.