Tired of no OpenVPN-nossl config details

So, if you come across a router that is really limited on resources and has a tiny flash, you may find that the only option for running OpenVPN is the openvpn-nossl package, but then you find out that there are close to zero explanations of how to configure OpenVPN that way.
That's why I'm posting this thread, to give some users a glimpse and some hope. This has been my personal experience from different sources, most outside the OpenWrt site, so I don't know if I'm totally correct or not, or if some steps are not required, so here we go:

A little glimpse I got from: https://subscription.packtpub.com/book/networking-and-servers/9781849510103/1/ch01lvl1sec15/complete-site-to-site-setup
And: https://gist.github.com/ArseniyShestakov/fd2d1ce3331b043042fa

Subject router: D-Link DIR-600. I've installed the packages openvpn-nossl and luci-app-openvpn.

:warning: :warning: :warning: DISCLAIMER :warning: :warning: :warning:
This thread is about how I have configured the package openvpn-nossl and how to use it.
This is for testing purposes only; I share my experience with others so they don't have to search A LOT of sites for how to get this package to work, and maybe to gather all possible configs for this package to improve it!
This type of configuration presents high security risks, since the VPN is established without any type of security challenge and no encryption at all!
USE IT WITH CAUTION AND AT YOUR OWN RISK!
:warning: :warning: :warning: DISCLAIMER :warning: :warning: :warning:

And this is my config that has worked, more or less, with the help of PuTTY or a native ssh client:
Edit file: /etc/config/openvpn

config openvpn 'server'
        option dev 'tun'
        option keepalive '10 60'
        option verb '3'
        option enabled '1'
        option proto 'udp'
        option port '8443'
        option persist_tun '1'
        list push 'route 192.168.1.0 255.255.255.0'
        option ifconfig '192.0.0.1 192.0.0.2'

Keep in mind that the local network behind the router is 192.168.1.0/24
Then, go to the web interface to:

VPN > OpenVPN
Name: server
Start/Stop: start

Create the interface OPENVPN so you can assign it to a new firewall zone, as follows:

Network > Interface
Name: "OPENVPN"
Adapter: "tun0"
Protocol: "Unmanaged"

Create the firewall zone openvpn as follows:

Network > Firewall
Name: "openvpn"
Input: "accept"
Output: "accept"
Forward: "accept"
Covered networks: "OPENVPN"
Allow forward to destination zones: "lan/wan"

Create the following firewall rule to accept incoming connections:

Network > Firewall > Traffic Rules
Rule "Allow-OpenVPN"
Protocol "TCP/UDP"
Source zone "WAN"
Destination zone "Device (input)"
Destination port "8443"
Action "ACCEPT"

For the client part, create a file client.ovpn:

remote <INTERNET IP OR HOSTNAME OF THE ROUTER>
port 8443
proto udp
nobind
persist-tun
dev tun
dev-type tun
ifconfig 192.0.0.2 192.0.0.1
keepalive 10 60
resolv-retry infinite
verb 3

So, there is my config. I hope it helps someone, and if you find something incorrect or not needed, help would be appreciated in this matter!

:bangbang::bangbang: FURTHER NOTE: This configuration may also be a starting point for another type of OpenVPN configuration. I've seen some users using a server-to-client config for establishing a site-to-site connection, which IS NOT intended for that use! Instead, this configuration IS part of the native site-to-site use of OpenVPN, and may well be how Ubiquiti devices manage site-to-site connections, so it could be possible to establish a site-to-site VPN with this config between a Ubiquiti device on one site and an OpenWrt device on the other. :bangbang::bangbang:

So this would apply to versions < 2.5.0 right?

At least I've seen that the package openvpn-nossl is up to 2.4.5, but that doesn't mean that this config is not applicable to OpenVPN in general (haven't tested that yet), but I think that this config may be able to be set up regardless; it will not use any means of encryption.

Or.... consider WireGuard, which has much higher performance and is far less resource intensive. Many commercial VPN services now support WireGuard. Or if you're running your own road-warrior (or similar) type setup and control both ends, switching to WireGuard will be easy.
I do understand that isn't always an option, of course... but in this example, it appears that you control both ends... running an unencrypted VPN establishes connectivity but presents security risks.

:warning: This is not an RFC1918 address; you might end up causing problems with this address.


With such limited resources, WireGuard didn't fit the memory space available, because it needs other package dependencies that, on the other hand, openvpn-nossl doesn't (WireGuard requires in total around 302.5 KB, whereas openvpn-nossl requires in total around 120 KB).

Yeah, one bigger downside is that there is no encryption and it is a major security risk, but I limited the response of the server in the traffic rule to only accept connections from a specific IP, and the connection is done through a non-exposed internet network (through the ISP's internal IP pool).

Also, the 192.0.0.0/24 range is supported under RFC 5735 for testing purposes.

If you're this limited, are you running a recent version of OpenWrt (such as one of the tiny builds)?

  • Then just route across the ISP's network, if possible?
  • Could simply use IPENCAP (IP-in-IP) tunneling

Wrong subnet - and it's actually "example".

WireGuard is built into the kernel on recent versions.

As the DIR-600 rev B1 has a flash chip of 4 MiB (Macronix MX29LV320DBTI-70G), it can actually run OpenWrt 19.07, but with that version the router will have 0% (around 60 KB of free space) on the overlay, and because of that the router suffers amnesia (every time it reboots the config is lost).

So I had to downgrade to LEDE 17.01 so I can have an IPv6 stack and some little free space (around 370 KB).

:warning: So basically, you are suggesting using a ~5-year-old firmware build that is entirely obsolete, unsupported, and has many potential security vulnerabilities, including some that may be actively exploited.

:warning: You are also suggesting the use of a non-encrypted VPN solution which, as you admit, carries a significant security risk.

Coupled together, this really seems like a VERY BAD IDEA.

I would highly suggest that you consider upgrading your hardware such that you can run a current (and secure) version of OpenWrt as well as secure VPN protocols.

:warning: :warning: :warning: NOTE TO ALL READERS OF THIS THREAD :warning: :warning: :warning:
Please consider the very significant security risks involved with using the versions and methods as described by the OP. As I have stated above, this is a highly risky configuration and it is advisable to upgrade hardware instead of taking these risks. You have been warned.


Not possible due to contract restrictions!

I needed some sort of VPN so I can connect remotely from a macOS/Windows machine to the router.

OK, I run Ubiquiti as my main network equipment, so either StrongSwan or OpenVPN solutions are compatible (thinking of implementing this solution on a Ubiquiti device in the future).
Main network (site A) has various VLANs: for management 192.168.0.0/24, for VPN users 172.16.0.0/24, for the main network 10.0.0.0/16 and for guests 10.128.0.0/24
Main network (site B) also has various VLANs: for management 192.168.1.0/24, for VPN users 172.16.1.0/24, for the main network 10.1.0.0/16 and for guests 10.128.1.0/24
So, to avoid overlapping networks, I thought of using that range, and it hasn't presented me any problems so far. Nevertheless, it could be changed without any problems.

As of LEDE 17.01, it wasn't built into the kernel yet.


And yet another reason not to be using something so old.

THIS THREAD IS ABOUT THE PACKAGE!! NOT ABOUT THE FIRMWARE!! And I don't know how far back in firmware versions the package was supported!

All that I'm saying is that there isn't any kind of information about the package openvpn-nossl or how you can configure it; this thread is just a starting point for configuring it.

This was for testing purposes only, and I share my experience with others so they don't have to search A LOT of sites for how to get this package to work, and maybe gather all possible configs for this package to improve it!

Anyway, I'm not suggesting using this solution by any means; this is totally at users' own risk, and if they are looking for this solution, most probably that user already knows about the security concerns!

Probably because it is not recommended due to the security landscape in which we live.

I do appreciate what it is that you are doing here (legitimately). And thank you for your contributions.

Actually, there are many users who may not be aware of the security risks... some may not even be aware that LEDE 17.01 is, in its own way, a potential security risk.

I feel that it would be best to put a big warning (similar to what I have done) at the top of your first post stating that this is a post to document the process, but that these methods are not recommended due to the lack of encryption and other possible security vulnerabilities.

OK, so I'm still doing some research and this is what I have come across:

As @psherman suggested WireGuard, these are the full install package weights so far:

  1. openvpn-nossl: 490 KB, additional packages to be installed:
    • kmod-tun
    • liblzo
    • luci-app-openvpn
  2. openvpn-mbedtls: 1140 KB, additional packages to be installed:
    • kmod-tun
    • libmbedtls
    • liblzo
    • luci-app-openvpn
  3. openvpn-openssl: 3110 KB, additional packages to be installed:
    • kmod-tun
    • liblzo
    • zlib
    • libopenssl
    • luci-app-openvpn
  4. luci-app-wireguard: 830 KB, additional packages to be installed:
    • libmnl
    • ip-tiny
    • wireguard-tools
    • kmod-udptunnel6
    • kmod-udptunnel4
    • kmod-wireguard
    • luci-proto-wireguard

:warning: :warning: DISCLAIMER :warning: :warning:
This configuration is still being improved; stability problems may be expected!!
This type of configuration presents high security risks, since the VPN is established without any type of security challenge and no encryption at all!
USE IT WITH CAUTION AND AT YOUR OWN RISK!
:warning: :warning: DISCLAIMER :warning: :warning:

Furthermore, for the openvpn-nossl config pretty much a lot of config options are cut off, and I made an error in the previous one that may end up with the router not responding, so please change the config to:

config openvpn 'server'
        option dev 'tun'
        option keepalive '10 60'
        option verb '3'
        option enabled '1'
        option proto 'udp'
        option port '8443'
        option persist_tun '1'
        option ifconfig '192.0.0.1 192.0.0.2'

And the client config should be:

remote <INTERNET IP OR HOSTNAME OF THE ROUTER>
port 8443
proto udp
persist-tun
dev tun
ifconfig 192.0.0.2 192.0.0.1
route 192.168.1.0 255.255.255.0
keepalive 10 60
resolv-retry infinite
verb 3

As the 192.168.1.0/24 block is the local network.
Also, by the way, keep in mind that I got rid of the firewall zone/interface configuration; this is because it made the connection somewhat unstable. The major problem is that you may not be able to access the server's local network (whatever device is behind OpenWrt), but you may be able to access all OpenWrt local resources like LuCI/dropbear. Whatever firewall rule I create ends up blocking the VPN client.

:bangbang: :bangbang: MORE SECURE OPTION :bangbang: :bangbang:
Regarding openvpn-mbedtls, the config is the same as for the openvpn-openssl option, BUT the certs ARE GENERATED FOR TLS.
The config of the server on openvpn-mbedtls should look like this:

config openvpn 'server'
        option dev_type 'tun'
        option dev 'tun'
        option keepalive '10 60'
        option verb '3'
        option ca '/etc/openvpn/ca.crt'
        option enabled '1'
        option proto 'udp'
        option port '8443'
        option persist_key '1'
        option persist_tun '1'
        option topology 'subnet'
        option client_to_client '1'
        option server '192.0.0.0 255.255.255.0'
        option cert '/etc/openvpn/server.crt'
        option key '/etc/openvpn/server.key'
        option dh '/etc/openvpn/dh2048.pem'
        list push 'redirect-gateway'
        list push 'route 192.168.1.0 255.255.255.0'
        list push 'dhcp-option DNS 192.0.0.1'
        list push 'dhcp-option WINS 192.0.0.1'

Generating the cert with your own root certificate authority:

openssl genrsa -des3 -out ca.key 2048
openssl req -new -key ca.key -out ca.pem

Then create these files, with their content:
ca.ext

basicConstraints=CA:true
# gives the leaf certs' "authorityKeyIdentifier=keyid" a key id on the CA to reference
subjectKeyIdentifier=hash

csr.cnf

[req]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = OpenWrt Root CA

[OpenWrt Root CA]
C                  = <TWO DIGITS COUNTRY CODE, SAME AS WHEN CREATED THE PEM>
ST                 = <STATE/PROVINCE, SAME AS WHEN CREATED THE PEM>
L                  = <CITY, SAME AS WHEN CREATED THE PEM>
O                  = Personal
OU                 = <MY NAME>
emailAddress       = <MY EMAIL>
# CN must differ per certificate: the router hostname for the server, a unique name for
# each client (without duplicate-cn, OpenVPN drops the existing session when another
# client connects with the same CN), so change this line before signing each client CSR
CN                 = <ROUTER HOSTNAME>

server.ext

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:false
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# required: the client's "remote-cert-tls server" rejects a server cert without serverAuth
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = <LOCAL DOMAIN>
DNS.2 = <ROUTER HOSTNAME>.<LOCAL DOMAIN>
DNS.3 = <EXTERNAL HOSTNAME IF YOU USE SERVICES LIKE NOIP>

Then continue with the commands (the last one generates the DH parameters that the "dh" option of the server config points at):

openssl x509 -req -days 3650 -in ca.pem -signkey ca.key -extfile ca.ext -out ca.crt
openssl x509 -inform PEM -outform DER -in ca.crt -out ca.der.crt
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config csr.cnf
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile server.ext
openssl dhparam -out dh2048.pem 2048

So the files go like this:

ca.crt > ca
server.crt > cert
server.key > key
dh2048.pem > dh

Generating the client certificates; this example is for client1 (you can create more by changing the number):
First create the file for each client, like client1.ext

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:false
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# clientAuth (and no serverAuth) so a client cert can never be presented as the server
extendedKeyUsage = clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = <MACHINE HOSTNAME>
DNS.2 = <EXTERNAL HOSTNAME IF YOUR ISP ASSIGNS YOU ONE, OR DELETE THIS LINE>

Then these commands:

openssl req -new -sha256 -nodes -out client1.csr -newkey rsa:2048 -keyout client1.key -config csr.cnf
openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client1.crt -days 3650 -sha256 -extfile client1.ext

Then continue the same way you create the .ovpn files, like:

client
dev tun
# must match "option proto" of the server config above (udp)
proto udp
float

resolv-retry infinite
remote-cert-tls server
persist-key
persist-tun
remote <WAN IP OR HOSTNAME OF YOUR OpenWrt DEVICE> 8443

<ca>
-----BEGIN CERTIFICATE-----
<CONTENT ON ca.crt FILE BETWEEN THIS LINES>
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
<CONTENT ON client1.crt FILE BETWEEN THIS LINES>
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
<CONTENT ON client1.key FILE BETWEEN THIS LINES>
-----END PRIVATE KEY-----
</key>

PS: All interface/firewall rules are needed!
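The certificate procedure above, folded into one script as an added example (this is not code from the original post or from OpenWrt): it creates the CA, the server and client1 certificates and the DH parameters, and then checks each certificate with openssl verify -purpose, which applies the same extendedKeyUsage test that the client's "remote-cert-tls server" does, so a missing serverAuth/clientAuth is caught before the first connection. Hostnames (router.example.net), the output directory, the CN values and the function names are placeholders and assumptions; unlike the -des3 CA key in the post, the CA key here is unencrypted so the script can run unattended.

```shell
#!/bin/sh
# Added example (not from the thread): the manual openssl steps as one script,
# with the fixes a TLS setup needs: extendedKeyUsage on the leaf certs (what
# 'remote-cert-tls server' checks), an SKID on the CA, a distinct CN per
# certificate and the DH parameters the server's 'dh' option points at.
# Hostnames, paths and CN values are placeholders, not from the original post.
set -eu

# gen_openvpn_pki DIR CA_NAME SERVER_CN CLIENT_CN [DH_BITS]
# Writes ca.crt/ca.key, server.crt/key, client1.crt/key (and dh2048.pem unless
# DH_BITS is 0) into DIR. The CA key is left unencrypted so this can run
# unattended; keep it off the router and protect it accordingly.
gen_openvpn_pki() {
    dir=$1 ca_cn=$2 server_cn=$3 client_cn=$4 dh_bits=${5:-2048}
    mkdir -p "$dir"
    cat >"$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = $ca_cn
[v3_ca]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed root; subjectKeyIdentifier gives the leaf certs'
    # 'authorityKeyIdentifier = keyid' something to reference.
    openssl req -x509 -new -sha256 -nodes -newkey rsa:2048 -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -config "$dir/ca.cnf" 2>/dev/null
    issue_leaf "$dir" server "$server_cn" serverAuth
    issue_leaf "$dir" client1 "$client_cn" clientAuth
    if [ "$dh_bits" -gt 0 ]; then
        openssl dhparam -out "$dir/dh2048.pem" "$dh_bits" 2>/dev/null
    fi
}

# issue_leaf DIR NAME CN EKU: CSR plus CA-signed certificate carrying EKU.
issue_leaf() {
    dir=$1 name=$2 cn=$3 eku=$4
    cat >"$dir/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $eku
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:$cn
EOF
    openssl req -new -sha256 -nodes -newkey rsa:2048 -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 3650 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# cert_ok_for DIR NAME PURPOSE: succeeds when NAME.crt chains to ca.crt and is
# valid for PURPOSE (sslserver|sslclient). A .ext file without EKU fails this
# the same way the client's 'remote-cert-tls server' would fail at connect time.
cert_ok_for() {
    openssl verify -purpose "$3" -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# make_client_ovpn DIR REMOTE PORT: inline-cert profile for client1; prints its
# path. 'proto udp' has to match the server's 'option proto'.
make_client_ovpn() {
    dir=$1 remote=$2 port=$3 out="$1/client1.ovpn"
    {
        printf 'client\ndev tun\nproto udp\nnobind\npersist-key\npersist-tun\n'
        printf 'resolv-retry infinite\nremote-cert-tls server\nverb 3\n'
        printf 'remote %s %s\n' "$remote" "$port"
        printf '<ca>\n';   cat "$dir/ca.crt";      printf '</ca>\n'
        printf '<cert>\n'; cat "$dir/client1.crt"; printf '</cert>\n'
        printf '<key>\n';  cat "$dir/client1.key"; printf '</key>\n'
    } >"$out"
    printf '%s\n' "$out"
}

# Usage: sh gen_openvpn_pki.sh run ./pki router.example.net
if [ "${1:-}" = run ]; then
    gen_openvpn_pki "${2:-./pki}" "OpenWrt Root CA" "${3:-router.example.net}" client1
    make_client_ovpn "${2:-./pki}" "${3:-router.example.net}" 8443
fi
```

Copy ca.crt, server.crt, server.key and dh2048.pem to /etc/openvpn on the router (the four paths the openvpn-mbedtls config refers to) and hand client1.ovpn to the client; ca.key stays off the router. Running cert_ok_for with the purposes swapped (client1 as sslserver) must fail, which is the property the original .ext files did not give you.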

The first thing to do when trying to use 4M flash would be to drop LuCI.

OpenVPN has poor interoperability between old and new versions-- though a lot of that is related to it forcing deprecation of older encryption standards, which may not be an issue here.
