[Solved] Help getting current ovpn setup running on OpenWrt

I have openvpn running on my ddwrt router and want to move over to openwrt. I already have clients set up and do not want to change settings at this time. I have a tls key and auth. Trying to understand where to put all the certificates and everything and am a bit confused. I am trying to do this through the UI. I am running the latest on a netgear wndr3700v4. Once I get a setup working and am comfortable with openwrt, I'll be putting this on my Netgear R7800.

This is my config:

push "route 192.168.2.0 255.255.255.0"
push "dhcp-option DNS 192.168.66.1"
server 192.168.66.0 255.255.255.0
dev tun0
fragment 1400
mssfix
proto udp4
keepalive 10 120
tls-server
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key 0

So, how do I select openvpn server from the UI and get to a page that allows me to put this all in? I get this:

Most of the howtos all are cli. Is that a requirement to set it up? Also, how do I put all these certificates in a pkcs12 file? Please go easy on me as I am a noob on this...

TIA

The template you can use is the server for routed multi-client.
If you want to configure it in Luci, you can match the commands mentioned in the guide and in your existing config file. Or you can use the configuration file from OVPN configuration file upload. Just fix the paths for the keys and certs, as tmp will not survive a reboot, better /etc/openvpn.

Trendy,

Thanks for the guidance. I tried to do that, but for whatever reason, I was unable to get to any page that looked like a place I could enter any information.

In the end, I went to this page and followed the instructions here:
https://www.leowkahman.com/2016/03/14/setup-4096-bit-openvpn-openwrt/

Once I had the files in place, the UI showed the configuration. I had a slight error and was able to fix it in the UI and in my setup. I was able to connect via OpenVPN.

I am comfortable with the cli, but my experience with routers is from OEM and ddwrt firmwares which are UI based. I was confused about what info I found online was current and what is old. Also, I thought that now that OpenWRT has a UI that the UI is the best place to do everything. That does not appear to be so. This is a big learning curve to move here from ddwrt, but I think I am finally 'getting it'.

Thanks for the help.

There is the official guide for OpenVPN.
You can do a lot of things in Luci, I think except the key and certificate issuing.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

The official guide has no reference to the GUI. I guess that is where I was confused. I expected some reference there to the GUI as that is where I as a new user went looking.

I didn't see any Luci reference in the guide you used either.
The good thing is that our guide is very well written; you can simply copy-paste it on the console and will produce a working instance of OpenVPN.

UPDATE corrected file location typo:

I moved a few years ago to the more stable OpenWRT platform and glad I did (too many personality clashes and firmware issues) ....

If you can use Windows and the Notepad editor, you can follow this rough guide to customize files without the Luci interface and get your OpenVPN server up and running. Then later you can take a second router and experiment with the GUI interface which as you have seen is more difficult to "translate" from DD-WRT. Hope this helps:

*** Start with a fresh flash of firmware with the check-box to clear any previous settings.

===============================================

OpenWRT OpenVPN Server

===============================================
On Windows, install Putty.  Create log-in profile
of SSH port 22 to the IP of the router.  The user
name will be root and the password the log in of
the router.  Use line commands on the router
console as needed.

Begin by installing OpenVPN
Enter commands at the command line:
root@OpenWrt:~#
root@OpenWrt:~# opkg update 
root@OpenWrt:~# opkg install openvpn-openssl

If the package will not install, go to the login
Luci interface and Network, Interfaces, WAN
and try configuring the DNS server if it is not
specified or if that doesn't help, then add
the static IP address of the network gateway.


===============================================
On Windows, install WinSCP.   Create log-in profile
of SCP port 22 to the IP of the router.   Use
conventional Windows explorer file structure to
edit and copy files.
===============================================


Edit file /etc/config/dhcp:

config dnsmasq
# this is only for reference DO NOT CHANGE ANY OF THE DATA YOU FIND BELOW
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
# under the "dnsmasq heading", change only the following line:
# add by DJ 0 says allow other subnets to use dns
	option localservice '0'
	#option localservice '1'
# end of add DJ 

===============================================

Edit file /etc/config/firewall:

(( Use the port that YOU WISH TO USE, NOT MINE))
((ADD THIS TO THE BOTTOM OF THE FILE:))

# begin of DJ add
config rule
	option name 'Allow-OpenVPN-Inbound'
	option target 'ACCEPT'
	option src '*'
	option proto 'udp'
	option dest_port '1194'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'vpn0'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'vpn'

# end of DJ add

===================================================

Edit file /etc/config/network:

((ADD THIS TO THE BOTTOM OF THE FILE:))
# begin of DJ add

config interface 'vpn0'
	option ifname 'tun0'
	option proto 'none'
	option auto '1'

# end of DJ add

===================================================

Edit file /etc/config/openvpn:

((Create the file and CUSTOMIZE WITH YOUR OWN COMMANDS ))

config openvpn 'myvpn'
	option enabled '1'
	option verb '3'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option server '10.8.0.0 255.255.255.0'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/cert.crt'
	option key '/etc/openvpn/key.key'
	# UCI option names may only use letters, digits and underscores; the openvpn init script maps tls_auth to --tls-auth
	option tls_auth '/etc/openvpn/ta.key 0'
	option dh '/etc/openvpn/dh2048.pem'
	option keepalive '10 120'
	option status '/var/log/openvpn-status.log'
	list push 'route 192.168.8.0 255.255.255.0'
	list push 'redirect-gateway def1'
	list push 'dhcp-option DNS 192.168.8.1'
# DO NOT USE MY COMMANDS IN THIS EXAMPLE
#  - USE ONLY YOUR OWN COMMANDS HERE!!!


===================================================

Use WINSCP to copy the named files above to the following directory:

/etc/openvpn

(for example, copy the ca.crt, cert.crt, key.key and ta.key file there)

===================================================

Alternative Ending:

If you want to stick with even a closer mirror of DD-WRT and if translating the syntax of a ***.ovpn is too tedious, then you may like to use this ending instead.

===================================================
Use WINSCP to complete the following tasks:   (do this as an alternative to the ending above)

Edit file /etc/config/openvpn:

((Create the file EXACTLY as it appears here ))

config openvpn 'myvpn'
	option enabled '1'
	option config '/etc/openvpn/mydefault.ovpn'

===================================================

Use WINSCP to create a new file in the format that was used on DD-WRT with the name of "mydefault.ovpn":

/etc/openvpn/mydefault.ovpn

((Add the ****.ovpn style commands as used in the DD-WRT config:))
# DO NOT USE THESE COMMANDS IN THIS EXAMPLE
#  - USE ONLY YOUR OWN COMMANDS HERE!!!

push "route 192.168.2.0 255.255.255.0"
push "dhcp-option DNS 192.168.66.1"
server 192.168.66.0 255.255.255.0
dev tun0
fragment 1400
mssfix
proto udp4
keepalive 10 120
tls-server
dh /etc/openvpn/dh.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/cert.pem
key /etc/openvpn/key.pem
tls-auth /etc/openvpn/ta.key 0

# DD-WRT are held in "tmp" and OpenWRT in "etc"
===================================================

Use WINSCP to copy the named files above to the following directory:

/etc/openvpn

(for example, copy the dh.pem, ca.crt, cert.crt, key.key and ta.key file there to the directory /etc/openvpn)

===================================================
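The same changes DJ's guide makes by hand, as an added example that is not from the thread or from OpenWrt: one UCI batch covering dhcp, firewall, network and openvpn that can be read through first and then piped into `uci batch` on the router. It assumes the guide's vpn0/tun0 names and the older 'ifname' syntax, and it limits the inbound rule to the wan zone instead of the guide's src '*'; OpenWrt's openvpn init script turns underscores in option names into dashes, so tls_auth becomes --tls-auth.

```shell
# Added example, not code from the thread or from OpenWrt: DJ's manual edits
# to /etc/config/{dhcp,firewall,network,openvpn} emitted as one UCI batch.
# Assumptions: vpn0/tun0 names and 'ifname' syntax from the guide; inbound
# rule restricted to the wan zone rather than src '*'.

# Print the batch for a routed server on UDP port $1 serving subnet $2
# (e.g. "10.8.0.0 255.255.255.0"). Nothing is applied by this function.
openvpn_uci_batch() {
	cat <<EOF
set dhcp.@dnsmasq[0].localservice='0'
set firewall.ovpn_in=rule
set firewall.ovpn_in.name='Allow-OpenVPN-Inbound'
set firewall.ovpn_in.src='wan'
set firewall.ovpn_in.proto='udp'
set firewall.ovpn_in.dest_port='$1'
set firewall.ovpn_in.target='ACCEPT'
set firewall.vpn=zone
set firewall.vpn.name='vpn'
set firewall.vpn.input='ACCEPT'
set firewall.vpn.forward='ACCEPT'
set firewall.vpn.network='vpn0'
set firewall.vpn_wan=forwarding
set firewall.vpn_wan.src='vpn'
set firewall.vpn_wan.dest='wan'
set firewall.vpn_lan=forwarding
set firewall.vpn_lan.src='vpn'
set firewall.vpn_lan.dest='lan'
set firewall.lan_vpn=forwarding
set firewall.lan_vpn.src='lan'
set firewall.lan_vpn.dest='vpn'
set network.vpn0=interface
set network.vpn0.proto='none'
set network.vpn0.ifname='tun0'
set openvpn.myvpn=openvpn
set openvpn.myvpn.enabled='1'
set openvpn.myvpn.port='$1'
set openvpn.myvpn.dev='tun'
set openvpn.myvpn.server='$2'
set openvpn.myvpn.ca='/etc/openvpn/ca.crt'
set openvpn.myvpn.cert='/etc/openvpn/cert.crt'
set openvpn.myvpn.key='/etc/openvpn/key.key'
set openvpn.myvpn.dh='/etc/openvpn/dh2048.pem'
set openvpn.myvpn.tls_auth='/etc/openvpn/ta.key 0'
set openvpn.myvpn.keepalive='10 120'
commit dhcp
commit firewall
commit network
commit openvpn
EOF
}
```

On the router, `openvpn_uci_batch 1194 '10.8.0.0 255.255.255.0' | uci batch` applies it; run it without the pipe first to check the result.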

I appreciate the help.

I was able to get my old certificates working, but I made them back in 2014. I wanted to create new ones with better encryption. I have a spare router and am playing with this until I feel comfortable to put this on our (now) mission critical system.

Like I did back in 2014, I installed openvpn/openssh/easyrsa on a linux machine and went through and created certificates and keys. I run Arch Linux and it is running easyrsa 3 today, so some commands are a bit different. I am certain I am doing something wrong because when I put the newly generated certificates and keys in the same format and put them on the server and try to connect, I cannot.

These are the commands I used to create the certificates and keys:

easyrsa clean-all
easyrsa build-ca nopass
openssl dhparam -out dh2048.pem 2048
easyrsa gen-req server nopass
easyrsa sign-req server server nopass
easyrsa gen-req client_1 nopass
openvpn --genkey --secret ta.key
openssl dhparam -out dh2048.pem 2048

this generates my files that I sftp onto the router:

-rw-r--r--    1 root     root          1204 May 19 20:33 ca.crt
-rw-r--r--    1 root     root          1679 May 19 20:33 ca.key
-rw-r--r--    1 root     root           424 May 19 20:33 dh2048.pem
-rw-r--r--    1 root     root          4608 May 19 20:46 server.crt
-rw-r--r--    1 root     root          1704 May 19 20:33 server.key
-rw-r--r--    1 root     root           636 May 19 20:33 ta.key

I make sure all the files are linked back up in the GUI (the pem was 1024 and now it is 2048) and restart the ovpn server. Server comes up no errors and I try to connect and cannot. I get a timeout on the client end.

5/19/2020, 4:28:38 PM OpenVPN core 3.git::f225fcd0 win x86_64 64-bit PT_PROXY built on Mar 19 2020 21:16:20
5/19/2020, 4:28:38 PM Frame=512/2048/512 mssfix-ctrl=1250
5/19/2020, 4:28:38 PM UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
10 [auth-nocache] 
5/19/2020, 4:28:38 PM Contacting 192.168.2.2:1194 via UDP
5/19/2020, 4:28:38 PM Connecting to [192.168.2.2]:1194 (192.168.2.2) via UDPv4
5/19/2020, 4:28:38 PM Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
5/19/2020, 4:28:38 PM Creds: UsernameEmpty/PasswordEmpty
5/19/2020, 4:28:38 PM Peer Info:
IV_GUI_VER=OCmacOS_3.1.3-713
IV_VER=3.git::f225fcd0
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1
IV_BS64DL=1

5/19/2020, 4:28:38 PM EVENT: RESOLVE
5/19/2020, 4:28:38 PM EVENT: WAIT
5/19/2020, 4:28:38 PM EVENT: CONNECTING
5/19/2020, 4:28:38 PM VERIFY OK : depth=1
cert. version     : 3
serial number     : 0C:7E:B4:7E:F6:EC:F6:6C:C3:78:FE:C6:2C:84:A1:2C:EB:7E:EE:1D
issuer name       : CN=Easy-RSA CA
subject name      : CN=Easy-RSA CA
issued  on        : 2020-05-19 20:18:10
expires on        : 2030-05-17 20:18:10
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
key usage         : Key Cert Sign, CRL Sign

5/19/2020, 4:28:38 PM VERIFY OK : depth=0
cert. version     : 3
serial number     : 37:1D:FE:8E:4D:3A:E6:9F:33:41:07:08:01:5E:E5:C6
issuer name       : CN=Easy-RSA CA
subject name      : CN=server
issued  on        : 2020-05-19 20:39:44
expires on        : 2022-08-22 20:39:44
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  : server
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication

5/19/2020, 4:29:18 PM Session invalidated: KEEPALIVE_TIMEOUT
5/19/2020, 4:29:18 PM Client terminated, restarting in 2000 ms...
5/19/2020, 4:29:20 PM EVENT: RECONNECTING

With my old certificates, I get immediate connection and no errors:

5/19/2020, 4:19:31 PM OpenVPN core 3.git::f225fcd0 win x86_64 64-bit PT_PROXY built on Mar 19 2020 21:16:20
5/19/2020, 4:19:31 PM Frame=512/2048/512 mssfix-ctrl=1250
5/19/2020, 4:19:31 PM UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
10 [auth-nocache] 
5/19/2020, 4:19:31 PM Contacting 192.168.2.2:1194 via UDP
5/19/2020, 4:19:31 PM Connecting to [192.168.2.2]:1194 (192.168.2.2) via UDPv4
5/19/2020, 4:19:31 PM Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
5/19/2020, 4:19:31 PM Creds: UsernameEmpty/PasswordEmpty
5/19/2020, 4:19:31 PM Peer Info:
IV_GUI_VER=OCmacOS_3.1.3-713
IV_VER=3.git::f225fcd0
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1
IV_BS64DL=1

5/19/2020, 4:19:31 PM EVENT: RESOLVE
5/19/2020, 4:19:31 PM EVENT: WAIT
5/19/2020, 4:19:31 PM EVENT: CONNECTING
5/19/2020, 4:19:31 PM VERIFY OK : depth=0
cert. version     : 3
serial number     : 01
issuer name       : C=US, ST=IL, L=Chicago, O=Griders, OU=changeme, CN=changeme, ??=changeme, emailAddress=grider.4@osu.edu
subject name      : C=US, ST=IL, L=Chicago, O=Griders, OU=changeme, CN=changeme, ??=changeme, emailAddress=grider.4@osu.edu
issued  on        : 2014-04-13 15:19:02
expires on        : 2024-04-10 15:19:02
signed using      : RSA with SHA1
RSA key size      : 1024 bits
basic constraints : CA=false
cert. type        : SSL Server
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication

5/19/2020, 4:19:31 PM SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
5/19/2020, 4:19:31 PM Session is ACTIVE
5/19/2020, 4:19:31 PM Sending PUSH_REQUEST to server...
5/19/2020, 4:19:31 PM EVENT: GET_CONFIG
5/19/2020, 4:19:31 PM OPTIONS:
0 [comp-lzo] [no] 
1 [dhcp-option] [DNS] [192.168.2.1] 
2 [route] [192.168.66.0] [255.255.255.0] 
3 [topology] [net30] 
4 [ping] [10] 
5 [ping-restart] [120] 
6 [ifconfig] [192.168.66.6] [192.168.66.5] 
7 [peer-id] [0] 
8 [cipher] [AES-256-GCM] 

5/19/2020, 4:19:31 PM PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA1
  compress: LZO_STUB
  peer ID: 0
5/19/2020, 4:19:31 PM CAPTURED OPTIONS:
Session Name: 192.168.2.2
Layer: OSI_LAYER_3
Remote Address: 192.168.2.2
Tunnel Addresses:
  192.168.66.6/30 -> 192.168.66.5 [net30]
Reroute Gateway: IPv4=0 IPv6=0 flags=[ IPv4 ]
Block IPv6: no
Add Routes:
  192.168.66.0/24
Exclude Routes:
DNS Servers:
  192.168.2.1

Any ideas as to what is going on? The rest of the settings are the same (maybe the problem?). The only one that I think may be related is the Cipher, which doesn't change at AES-256-CBC. I do not know what else I would change it to, though.

In the meantime, I'll run the certificate generation recipe on the router and see how it goes.

TIA
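A small triage helper for OpenVPN 3 client logs like the two posted above, added here as an example and not part of the thread. It reads a log on stdin and reports whether the tunnel came up or stalled after the server certificate was verified, and it flags the parameters in the 2014 certificates (1024-bit RSA, SHA1 signature) plus the client's BF-CBC default that only gets upgraded because the server pushes AES-256-GCM; the sample logs are constructed by abbreviating the posted ones.

```shell
# Added example, not from the thread: triage for OpenVPN 3 client logs.
# Outcome is ACTIVE (tunnel up), STALLED (client verified the server cert
# but the handshake never finished, so the cause is in the server's log,
# not the client's), or UNKNOWN. Log text is read from stdin.
ovpn_outcome() {
	log=$(cat)
	if printf '%s\n' "$log" | grep -q 'Session is ACTIVE'; then
		echo ACTIVE
	elif printf '%s\n' "$log" | grep -q 'VERIFY OK : depth=0' &&
	     printf '%s\n' "$log" | grep -q 'KEEPALIVE_TIMEOUT'; then
		echo STALLED
	else
		echo UNKNOWN
	fi
}

# One finding per line for parameters worth retiring: a 1024-bit RSA key, a
# SHA1-signed certificate, and a client still offering BF-CBC by default
# (it only lands on AES-256-GCM because the server pushes that cipher).
ovpn_weak_params() {
	log=$(cat)
	printf '%s\n' "$log" | grep -q 'RSA key size *: 1024' && echo rsa-1024
	printf '%s\n' "$log" | grep -q 'RSA with SHA1' && echo sha1-signature
	printf '%s\n' "$log" | grep -q 'cipher BF-CBC' && echo bf-cbc-default
	return 0
}

# Constructed samples, abbreviated from the failing and the working log.
LOG_NEW_CERTS='Tunnel Options:V4,cipher BF-CBC,auth SHA1,tls-auth,tls-client
VERIFY OK : depth=1
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
VERIFY OK : depth=0
RSA key size      : 2048 bits
Session invalidated: KEEPALIVE_TIMEOUT'
LOG_OLD_CERTS='Tunnel Options:V4,cipher BF-CBC,auth SHA1,tls-auth,tls-client
VERIFY OK : depth=0
signed using      : RSA with SHA1
RSA key size      : 1024 bits
SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
Session is ACTIVE'
```

Usage: `printf '%s\n' "$LOG_NEW_CERTS" | ovpn_outcome` prints STALLED, and the old-certificate log yields all three weak-parameter findings.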

I went through the openvpn setup:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic (OpenWRT OVPN setup)
and was confused first time through as it really doesn't explain a lot. This method creates a server.conf which is actually an ovpn file with all the certificates inline. To install it, I had to copy the server.conf file on my workstation, then open the openWRT UI to openvpn and then type in a name then select 'all files' then select server.conf and upload. Only after this did the server show up in my UI. To make it work, I had to edit the server.conf probably because of how I was setting this up and testing it. Just make sure that the conf and all ovpn files you create have these set:
dev tun
port 1194
proto udp

After that, I was able to test it out and it appears to work just fine.

Gearhead