Hello everybody,
I have been working with OpenWrt for about 1 month trying to get a simultaneous OpenVPN Server and Client working with VPN Policy Routing.
It is fully functional using static routing as per my post of April 15, 2019, and I have worked around the certificate error by setting 'option redirect_https 0' in /etc/config/uhttpd. (Note that this only disables the HTTP-to-HTTPS redirect, so LuCI and its login are then served over plain HTTP; the warning is most likely the browser rejecting uhttpd's self-signed certificate, and trusting that certificate in the browser keeps HTTPS.)
@stangri's documentation, instructions and code are superb, but I must have missed something simple.
The server without the client running works 100% without any errors in the log file.
Please note that the server is set up to use 2 tunnels even though it has 8 possible clients. This is the default setup as per the OpenVPN Basic and OpenVPN Extra documentation.
Procedure used to create Server/Client
# Configure firewall: attach tun0 to the first zone (lan on a default OpenWrt
# config) so VPN clients are treated like LAN hosts, and accept incoming
# OpenVPN (UDP/1194) from wan.
uci set firewall.@zone[0].device="tun0"
uci -q delete firewall.vpn
uci set firewall.vpn="rule"
uci set firewall.vpn.name="Allow-OpenVPN"
uci set firewall.vpn.src="wan"
uci set firewall.vpn.dest_port="1194"
uci set firewall.vpn.proto="udp"
uci set firewall.vpn.target="ACCEPT"
uci commit firewall
service firewall restart
# Install packages
opkg update
opkg install openvpn-easy-rsa
# Configuration parameters, exported so every easyrsa invocation picks them up
export EASYRSA_PKI="/etc/easy-rsa/pki"
export EASYRSA_REQ_CN="vpnca"
# Remove and re-initialize the PKI directory.
# NOTE: destructive -- wipes any CA/keys already under ${EASYRSA_PKI}.
easyrsa --batch init-pki
# Generate DH parameters (~25m on WRT3200ACM)
easyrsa --batch gen-dh
# Create a new CA. 'nopass' stores the CA private key unencrypted on the
# router: anyone who can read ${EASYRSA_PKI}/private can mint client certs.
easyrsa --batch build-ca nopass
# Server keypair, signed locally (it gets the "TLS Web Server Authentication"
# EKU that the server-config generator below greps for)
easyrsa --batch build-server-full vpnserver0 nopass
# Client keypairs vpnclient0..vpnclient7, also signed locally and also
# without a passphrase (the .ovpn profiles embed them as-is)
for cert_idx in 0 1 2 3 4 5 6 7
do
  easyrsa --batch build-client-full "vpnclient${cert_idx}" nopass
done
--------------------------------------------------------------------------------
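# Install packages
opkg update
opkg install openvpn-openssl
# Generate TLS PSK: the tls-crypt key shared by the server and every client.
# It is a long-term secret, so create it owner-only (umask scoped to the
# subshell). This is OpenVPN 2.4 syntax; 2.5+ spells it
# 'openvpn --genkey secret FILE'.
EASYRSA_PKI="/etc/easy-rsa/pki"
( umask 077; openvpn --genkey --secret "${EASYRSA_PKI}/tc.pem" )
# Configuration parameters
VPN_DEV="$(uci get firewall.@zone[0].device)"
VPN_POOL="192.168.8.0 255.255.255.0"
# First host of the pool ("192.168.8.0 255.255.255.0" -> "192.168.8.1"): the
# server takes it, and it is pushed to clients as their DNS resolver.
VPN_DNS="${VPN_POOL%.* *}.1"
VPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)"
EASYRSA_PKI="/etc/easy-rsa/pki"
DH_KEY="$(cat "${EASYRSA_PKI}/dh.pem")"
# tls-crypt key with the '#' comment lines dropped; each line that starts with
# a word character is joined with the following line
TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "${EASYRSA_PKI}/tc.pem")"
CA_CERT="$(openssl x509 -in "${EASYRSA_PKI}/ca.crt")"
NL=$'\n'
# Configure VPN-server: one instance per certificate carrying the
# "TLS Web Server Authentication" EKU (vpnserver0 from the PKI step).
grep -l -r -e "TLS Web Server Authentication" "${EASYRSA_PKI}/issued" \
| sed -e "s/^.*\///;s/\.\w*$//" \
| while read VPN_ID
do
  # The config embeds the server private key: create it 0600 from the start
  # instead of 0644-then-chmod (a window in which it is world-readable). The
  # loop body runs in the pipeline's subshell, so this umask does not leak
  # into the interactive session.
  umask 077
  VPN_CONF="/etc/openvpn/${VPN_ID}.conf"
  VPN_CERT="$(openssl x509 -in "${EASYRSA_PKI}/issued/${VPN_ID}.crt")"
  VPN_KEY="$(cat "${EASYRSA_PKI}/private/${VPN_ID}.key")"
  # Directives of note:
  #   client-to-client        - VPN clients can reach each other directly
  #   push "redirect-gateway" - clients send ALL their traffic through this VPN
  # NOTE(review): there is no 'remote-cert-tls client' here, so any certificate
  # issued by this CA (the server's own included) is accepted as a client; add
  # it if the client/server roles should be enforced by EKU.
  cat << EOF > "${VPN_CONF}"
verb 3
dev ${VPN_DEV}
port 1194
proto udp
server ${VPN_POOL}
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS ${VPN_DNS}"
push "dhcp-option DOMAIN ${VPN_DOMAIN}"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>${NL}${DH_KEY}${NL}</dh>
<tls-crypt>${NL}${TC_KEY}${NL}</tls-crypt>
<ca>${NL}${CA_CERT}${NL}</ca>
<cert>${NL}${VPN_CERT}${NL}</cert>
<key>${NL}${VPN_KEY}${NL}</key>
EOF
  # Kept for configs that already existed before the umask change above
  chmod "u=rw,g=,o=" "${VPN_CONF}"
done
service openvpn restart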
--------------------------------------------------------------------------------
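# Configuration parameters, read back from the server config generated above
VPN_CONF="/etc/openvpn/vpnserver0.conf"
VPN_SERV="cricri.dlinkddns.com"
VPN_PORT="$(sed -n -e "/^port\s/s///p" "${VPN_CONF}")"
VPN_PROTO="$(sed -n -e "/^proto\s/s///p" "${VPN_CONF}")"
VPN_DEV="$(sed -n -e "/^dev\s/s///p" "${VPN_CONF}")"
EASYRSA_PKI="/etc/easy-rsa/pki"
# tls-crypt key without the '#' comment lines (same transform as the server side)
TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "${EASYRSA_PKI}/tc.pem")"
CA_CERT="$(openssl x509 -in "${EASYRSA_PKI}/ca.crt")"
NL=$'\n'
# Generate VPN-client profiles: one .ovpn per certificate carrying the
# "TLS Web Client Authentication" EKU. Each profile embeds that client's
# private key AND the shared tls-crypt key, so it is a credential: keep it
# owner-only on the router and move it to the client over scp/USB rather than
# through a terminal or clipboard.
grep -l -r -e "TLS Web Client Authentication" "${EASYRSA_PKI}/issued" \
| sed -e "s/^.*\///;s/\.\w*$//" \
| while read VPN_ID
do
  # Create the profile 0600 from the start instead of 0644-then-chmod. The
  # loop body runs in the pipeline's subshell, so the umask does not leak.
  umask 077
  VPN_CONF="/etc/openvpn/${VPN_ID}.ovpn"
  VPN_CERT="$(openssl x509 -in "${EASYRSA_PKI}/issued/${VPN_ID}.crt")"
  VPN_KEY="$(cat "${EASYRSA_PKI}/private/${VPN_ID}.key")"
  # 'dev' strips the unit number ("tun0" -> "tun") so the client picks a free
  # one; 'remote-cert-tls server' makes the client reject a peer that presents
  # a client certificate, i.e. another client cannot impersonate the server.
  cat << EOF > "${VPN_CONF}"
verb 3
dev ${VPN_DEV%%[0-9]*}
nobind
client
remote ${VPN_SERV} ${VPN_PORT} ${VPN_PROTO}
auth-nocache
remote-cert-tls server
<tls-crypt>${NL}${TC_KEY}${NL}</tls-crypt>
<ca>${NL}${CA_CERT}${NL}</ca>
<cert>${NL}${VPN_CERT}${NL}</cert>
<key>${NL}${VPN_KEY}${NL}</key>
EOF
  # Kept for profiles that already existed before the umask change above
  chmod "u=rw,g=,o=" "${VPN_CONF}"
done
ls /etc/openvpn/*.ovpn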
--------------------------------------------------------------------------------
# Configuration parameters
export EASYRSA_PKI="/etc/easy-rsa/pki"
# Add one more client
#easyrsa --batch build-client-full vpnclient1 nopass
# Add another client encrypting its private key
#easyrsa --batch build-client-full vpnclient2
# Revoke a client certificate (the clients above are named vpnclient0..7, so
# use one of those names here)
#easyrsa --batch revoke vpnclient
# Generate a CRL. The CRL carries its own expiry (easy-rsa's EASYRSA_CRL_DAYS;
# 180 days by default -- TODO confirm for this build): once it expires the
# server refuses every client, so re-run this step before that happens.
easyrsa --batch gen-crl
# Enable CRL-verification: comment out any previously embedded <crl-verify>
# block in the server config, then append the freshly generated CRL inline.
VPN_SERVER_CONF="/etc/openvpn/vpnserver0.conf"
VPN_CRL="$(cat "${EASYRSA_PKI}/crl.pem")"
sed -i -e '/^<crl-verify>/,/^<\/crl-verify>/s/^/#/' "${VPN_SERVER_CONF}"
printf '<crl-verify>\n%s\n</crl-verify>\n' "${VPN_CRL}" >> "${VPN_SERVER_CONF}"
service openvpn restart
--------------------------------------------------------------------------------
# Install imavpn2client.conf
# Copy ArcherC7v5Vpnclient.ovpn to imavpn2client.conf. That .ovpn is
# presumably the profile generated by the other router (Archer C7 v5) for this
# box acting as a client; it embeds a private key and the tls-crypt key, so
# treat it like a password -- scp is a safer way to move it than a clipboard.
vi /etc/openvpn/imavpn2client.conf
# type i
# Open ArcherC7v5Vpnclient.ovpn and type CTL-A
# Right click in OpenWrt window
# Press Esc key
# type :wq
# vi creates the file with the default umask (typically 0644); afterwards run
# chmod 600 /etc/openvpn/imavpn2client.conf so the embedded key is owner-only.
--------------------------------------------------------------------------------
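# Install packages
opkg update
opkg install luci-app-openvpn
# Provide VPN-instance management: register every /etc/openvpn/*.conf (the
# server config AND the imavpn2client.conf client profile) as an enabled
# instance in /etc/config/openvpn so the init script and LuCI manage them.
# Iterate the glob directly instead of parsing 'ls' output, which breaks on
# unusual filenames.
for VPN_CONF in /etc/openvpn/*.conf
do
  # An unmatched glob stays literal; skip it rather than registering "*".
  [ -e "${VPN_CONF}" ] || continue
  # UCI section names allow only [A-Za-z0-9_]; map anything else to '_'.
  VPN_ID="$(basename "${VPN_CONF}" ".conf" | sed -e "s/[^0-9a-zA-Z]/_/g")"
  uci -q delete "openvpn.${VPN_ID}"
  uci set "openvpn.${VPN_ID}=openvpn"
  uci set "openvpn.${VPN_ID}.enabled=1"
  uci set "openvpn.${VPN_ID}.config=${VPN_CONF}"
done
uci commit openvpn
service openvpn restart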
--------------------------------------------------------------------------------
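## Use CCD on VPN-server for client static IP-address allocation assuming that:
## 192.168.8.0/24 - VPN-network
## fdf1:7610:d152:3a9c::/64 - VPN6-network
VPN_CCD="/etc/openvpn/ccd"
mkdir -p "${VPN_CCD}"
# One file per client certificate CN (vpnclient0..vpnclient7): client N gets
# host address N+2, i.e. 192.168.8.2 .. 192.168.8.9 (.1 belongs to the server).
# Generated in a loop; the hand-written vpnclient6 entry previously carried a
# stray "ls/" glued to its netmask ("255.255.255.0ls/"), which OpenVPN rejects.
# NOTE(review): the server config generated earlier has no server-ipv6 /
# tun-ipv6 line, so the ifconfig-ipv6-push entries are presumably ignored or
# logged as warnings -- confirm in the openvpn log.
for client_idx in 0 1 2 3 4 5 6 7
do
  host_idx=$((client_idx + 2))
  cat << EOF > "${VPN_CCD}/vpnclient${client_idx}"
ifconfig-push 192.168.8.${host_idx} 255.255.255.0
ifconfig-ipv6-push fdf1:7610:d152:3a9c::${host_idx}/64
EOF
done
# Point the server at the CCD. Without 'ccd-exclusive' a client with no CCD
# file still connects and gets a pool address; add that directive if only the
# eight listed clients may connect.
cat << EOF >> /etc/openvpn/vpnserver0.conf
client-config-dir ${VPN_CCD}
EOF
service openvpn restart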
--------------------------------------------------------------------------------
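# To minimize firewall setup consider VPN-network as public and assign VPN-interface to WAN-zone.
# Configure firewall imavpn2client: tun8 is the client tunnel. Putting it in
# the wan zone means nothing from the remote side reaches the router or LAN
# unsolicited (wan's input policy is REJECT on a default config).
# Guard the zone index: @zone[1] is wan on a default config, but if zones were
# added or reordered this would silently attach tun8 to the wrong zone.
VPN_CLIENT_ZONE="$(uci -q get firewall.@zone[1].name)"
if [ "${VPN_CLIENT_ZONE}" = "wan" ]; then
  # NOTE(review): 'uci set' writes a single value; if the zone already had a
  # 'device' list it is replaced -- check 'uci show firewall.@zone[1]' first.
  uci set firewall.@zone[1].device="tun8"
  uci commit firewall
  service firewall restart
else
  echo "firewall.@zone[1] is '${VPN_CLIENT_ZONE}', not 'wan'; not changing it" >&2
fi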
--------------------------------------------------------------------------------
Install the VPN-Policy-Routing
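# VPN Policy-Based Routing
opkg update; opkg install ipset resolveip ip-full kmod-ipt-ipset iptables
# dnsmasq-full is needed for ipset support. There is a window between the
# remove and the install: if the install fails (no network, feed down) the
# router is left without DNS/DHCP, so run this from a session that does not
# depend on the router's own DNS.
opkg update; opkg remove dnsmasq; opkg install dnsmasq-full
# Remove Old version and re-run to install newer version
#### Causes Web certificate not trusted error
opkg update
opkg list-installed | grep -q uclient-fetch || opkg install uclient-fetch
opkg list-installed | grep -q libustream || opkg install libustream-mbedtls
# Third-party feed signing key. printf replaces 'echo -e -n' (echo's -e/-n
# handling differs between shells). The key is pasted verbatim from the
# author's instructions and opkg will trust any package signed with it, so
# compare it with the key published by the repo owner before adding it.
printf '%s\n%s\n' \
  'untrusted comment: LEDE usign key of Stan Grishin' \
  'RWR//HUXxMwMVnx7fESOKO7x8XoW4/dRidJPjt91hAAU2L59mYvHy0Fa' > /tmp/stangri-repo.pub \
  && opkg-key add /tmp/stangri-repo.pub
! grep -q 'stangri_repo' /etc/opkg/customfeeds.conf && echo 'src/gz stangri_repo https://raw.githubusercontent.com/stangri/openwrt-repo/master' >> /etc/opkg/customfeeds.conf
opkg update
opkg install vpn-policy-routing luci-app-vpn-policy-routing
#### To fix Certificate Error edit /etc/config/uhttpd
#### Set 'option redirect_https 0' from 'option redirect_https 1'
#### then run 'service uhttpd restart'
#### NOTE(review): that only turns off the HTTP->HTTPS redirect, so LuCI and
#### the root password then travel over plain HTTP. The warning is presumably
#### the browser rejecting uhttpd's self-signed certificate; trusting that
#### certificate in the browser (or installing one you issued) keeps HTTPS.
# VPN Client & Server Simultaneously
if [ -s /etc/config/vpn-policy-routing ]; then
  # Keep VPR from treating the server tunnel as a WAN-like interface.
  # NOTE(review): 'ignored_interface' takes a *network* interface name; this
  # page never creates one called 'vpnserver0' (tun0 was only added to a
  # firewall zone) -- confirm with 'uci show network'.
  uci add_list vpn-policy-routing.config.ignored_interface='vpnserver0'
  # Route the server's own UDP/1194 replies via wan instead of the default
  # route, which the client tunnel (tun8) takes over once it is up.
  uci add vpn-policy-routing policy
  uci set vpn-policy-routing.@policy[-1]=policy
  uci set vpn-policy-routing.@policy[-1].comment='OpenVPN Server'
  uci set vpn-policy-routing.@policy[-1].interface='wan'
  uci set vpn-policy-routing.@policy[-1].local_ports='1194'
  # NOTE(review): the running config shown later uses 'name'/'local_port'
  # rather than 'comment'/'local_ports'; check which option names the
  # installed vpn-policy-routing release reads, an unknown option is most
  # likely ignored silently.
  uci commit vpn-policy-routing
fi
# Create another firewall forwarding (in the code below replace the vpnclient with the firewall zone for your VPN client, refer to the tail of /etc/config/firewall):
# NOTE(review): 'src' must be an existing zone *name*; nothing above creates a
# zone called 'vpnserver0' (tun0 went into @zone[0]), so verify with
# 'uci show firewall | grep name' before committing.
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='vpnserver0'
#uci set firewall.@forwarding[-1].dest='vpnclient'
uci set firewall.@forwarding[-1].dest='wan'
uci commit firewall
# Restart/reload the service:
service vpn-policy-routing reload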
VPR log files requested
/etc/config/vpn-policy-routing
config vpn-policy-routing 'config'
option verbosity '2'
option ipv6_enabled '0'
option ipset_enabled '1'
option dnsmasq_enabled '0'
option strict_enforcement '1'
option boot_timeout '30'
list ignored_interface 'vpnserver0'
option enabled '1'
config policy
option name 'OpenVPN Server'
option interface 'wan'
option local_port '1194'
option chain 'OUTPUT'
option proto 'udp'
/etc/init.d/vpn-policy-routing status
login as: root
root@192.168.3.1's password:
BusyBox v1.28.4 () built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt 18.06.2, r7676-cddd7b4c77
-----------------------------------------------------
vpn-policy-routing 0.0.5-0 running on OpenWrt 18.06.2.
============================================================
Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default 192.168.7.5 128.0.0.0 UG 0 0 0 tun8
default 192.168.7.5 0.0.0.0 UG 0 0 0 tun8
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0.2
IPv4 Table 201: default via 192.168.1.1 dev eth0.2
IPv4 Table 201 Rules:
32765: from all fwmark 0x10000 lookup 201
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
============================================================
IP Tables INPUT
-N VPR_INPUT
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -p udp -m multiport --sports 1194 -m comment --comment OpenVPN_Server -c 30 2532 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
/etc/init.d/vpn-policy-routing reload
Creating table 'wan/192.168.1.1' [✓]
Routing 'OpenVPN Server' via wan [✓]
vpn-policy-routing 0.0.5-0 started on wan/192.168.1.1 [✓]
vpn-policy-routing 0.0.5-0 monitoring interfaces: wan [✓]
Log file Errors
Sun May 12 18:56:02 2019 daemon.err openvpn(vpnserver0)[1929]: 151.82.169.21:31484 TLS Error: tls-crypt unwrapping failed from [AF_INET]151.82.169.21:31484
Sun May 12 18:56:03 2019 daemon.err openvpn(vpnserver0)[1929]: 151.82.169.21:31484 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1557687157) Sun May 12 18:52:37 2019 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun May 12 18:56:03 2019 daemon.err openvpn(vpnserver0)[1929]: 151.82.169.21:31484 tls-crypt unwrap error: packet replay
Sun May 12 18:56:03 2019 daemon.err openvpn(vpnserver0)[1929]: 151.82.169.21:31484 TLS Error: tls-crypt unwrapping failed from [AF_INET]151.82.169.21:31484
Sun May 12 18:56:47 2019 daemon.err openvpn(vpnserver0)[1929]: 151.82.169.21:31482 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun May 12 18:56:47 2019 daemon.err openvpn(vpnserver0)[1929]: 151.82.169.21:31482 TLS Error: TLS handshake failed
Sun May 12 18:56:47 2019 daemon.notice openvpn(vpnserver0)[1929]: 151.82.169.21:31482 SIGUSR1[soft,tls-error] received, client-instance restarting
Sun May 12 18:56:57 2019 daemon.err openvpn(vpnserver0)[1929]: 151.82.169.21:31484 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun May 12 18:56:57 2019 daemon.err openvpn(vpnserver0)[1929]: 151.82.169.21:31484 TLS Error: TLS handshake failed
Sun May 12 18:56:57 2019 daemon.notice openvpn(vpnserver0)[1929]: 151.82.169.21:31484 SIGUSR1[soft,tls-error] received, client-instance restarting
If imavpn2client is disabled, vpnserver0 is accessible by all 8 clients (vpnclient0 … vpnclient7) from both PC and Android. Perhaps this structure is not compatible with VPN-Policy-Routing? One observation on the log above: the 'tls-crypt unwrap error: packet replay' lines are consistent with the same client retransmitting its handshake because the server's replies never reach it (rather than with an attack), which is what you would expect if the replies leave via tun8 — the default route once the client tunnel is up — instead of via wan; `tcpdump -ni tun8 udp port 1194` on the router while a client connects would confirm or rule that out.
Any help is much appreciated. Thanks in advance.