Hi,
I installed openvpn using this script:
#!/bin/sh
#
# Self-contained script to setup/remove VPN configs
#
# Modifications to this script were inspired by: https://youtu.be/-a1VAole01s
#
# That guy, Dave Eddy, knows what he's doing
#
#***************************
#*** Functions commence here
#***************************
# Install packages – could check to see if already installed
# OpenWRT specific – could check OS and change to suit?
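# Install the OpenVPN packages (OpenWrt/opkg specific).
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   0 on success; 1 if "opkg update" or "opkg install" fails
#            (the original always returned 0, so callers that ignore the
#            status keep working)
install_packages() {
  echo
  echo "Installing software..."
  echo
  # The package list must refresh before install can resolve the names below
  opkg update || return 1
  opkg install openvpn-openssl openvpn-easy-rsa kmod-tun luci-app-openvpn || return 1
  echo
  echo "Software Installed ..."
  echo
} # End of install_packages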
# Re-initialise the firewall
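# Open the VPN port on the wan zone and attach tun devices to the lan zone.
# Adding "tun+" to the lan zone's device list means connected VPN clients are
# treated as members of the lan zone (they get whatever lan is allowed).
# Globals:   VPN_PORT, VPN_PROTO (read)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   status of "service firewall restart"
initialise_the_firewall() {
  echo
  echo "Updating firewall configuration .."
  # Give the first two zones stable names so they can be addressed below
  uci rename firewall.@zone[0]="lan"
  uci rename firewall.@zone[1]="wan"
  # del_list before add_list keeps the entry unique when the script is re-run
  uci -q del_list firewall.lan.device="tun+"
  uci add_list firewall.lan.device="tun+"
  # Recreate the accept rule from scratch
  uci -q delete firewall.ovpn
  uci set firewall.ovpn="rule"
  uci set firewall.ovpn.name="Allow-OpenVPN"
  uci set firewall.ovpn.src="wan"
  uci set firewall.ovpn.dest_port="${VPN_PORT}"
  uci set firewall.ovpn.proto="${VPN_PROTO}"
  uci set firewall.ovpn.target="ACCEPT"
  # uci only stages changes until they are committed; the restart below reads
  # the committed /etc/config/firewall, so without this the rule never applied
  uci commit firewall
  service firewall restart
  echo "Updated firewall configuration .."
} # End of initialise_the_firewall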
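# Reverse initialise_the_firewall: detach tun+ from the lan zone, remove the
# Allow-OpenVPN rule, then commit and apply.
# Globals:   none
# Arguments: none
# Outputs:   none
# Returns:   status of "service firewall restart"
undo_the_firewall_changes() {
  # The previous 'uci -q delete firewall.rule="ovpn"' did not address the
  # section the install creates (firewall.ovpn) and was dropped.
  uci -q del_list firewall.lan.device="tun+"
  uci -q delete firewall.ovpn
  # Staged uci changes are lost unless committed; apply them right away
  uci commit firewall
  service firewall restart
}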
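# Remove the "vpn" network interface section and persist the change.
# Nothing in this script creates network.vpn (the install only touches the
# firewall), so this is for an interface that was defined by hand.
# Globals:   none
# Arguments: none
# Outputs:   none
# Returns:   status of "uci commit network"
undo_vpn_interface() {
  # -q: no error if the section does not exist
  uci -q delete network.vpn
  uci commit network
}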
# All VPN Services are determined, configured and started here
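# Generate one OpenVPN profile per certificate issued by easy-rsa, then
# restart the openvpn service:
#   - certificates with purpose "SSL server : Yes" -> ${VPN_DIR}/<id>.conf
#   - certificates with purpose "SSL client : Yes" -> ${VPN_DIR}/<id>.ovpn
# Every profile embeds the tls-crypt-v2 key, the private key, the certificate
# and the CA inline, so the generated files are secrets.
# Fixes vs. the previous version: the here-documents were opened with
# EOFSVR/EOFCLNT/EOFVCNF but closed with EOF, so they never terminated; the
# issued directory was read by parsing "ls"; a certificate that is neither a
# server nor a client cert was appended to the previous profile.
# Globals:   VPN_DIR, VPN_PKI, VPN_PORT, VPN_PROTO, VPN_POOL, VPN_DNS,
#            VPN_DN, VPN_SERV (read)
# Arguments: none
# Outputs:   progress messages on stdout; profiles written under VPN_DIR
# Returns:   status of "service openvpn restart"
setup_vpn_definitions() {
  echo "Configuring VPNs ..."
  # Profiles contain private keys: create them with no group/other access
  umask go=
  VPN_DH="$(cat "${VPN_PKI}/dh.pem")"
  VPN_CA="$(openssl x509 -in "${VPN_PKI}/ca.crt")"
  # One profile per issued certificate; the id is the file name minus ".crt"
  for VPN_CRT in "${VPN_PKI}"/issued/*.crt; do
    # An unmatched glob stays literal, so make sure the file really exists
    [ -e "${VPN_CRT}" ] || continue
    VPN_ID="${VPN_CRT##*/}"
    VPN_ID="${VPN_ID%.crt}"
    VPN_TC="$(cat "${VPN_PKI}/private/${VPN_ID}.pem")"
    VPN_KEY="$(cat "${VPN_PKI}/private/${VPN_ID}.key")"
    VPN_CERT="$(openssl x509 -in "${VPN_CRT}")"
    VPN_EKU="$(openssl x509 -in "${VPN_CRT}" -noout -purpose)"
    # Server or client profile, decided by the certificate's purpose
    case "${VPN_EKU}" in
      *"SSL server : Yes"*)
        VPN_CONF="${VPN_DIR}/${VPN_ID}.conf"
        echo "Server: ${VPN_CONF}"
        # keepalive 10 60: ping every 10 s, restart the tunnel after 60 s of
        # silence. redirect-gateway def1 routes all client traffic via the VPN.
        cat <<EOF > "${VPN_CONF}"
user nobody
group nogroup
dev tun
port ${VPN_PORT}
proto ${VPN_PROTO}
server ${VPN_POOL}
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS ${VPN_DNS}"
push "dhcp-option DOMAIN ${VPN_DN}"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
${VPN_DH}
</dh>
EOF
        ;;
      *"SSL client : Yes"*)
        VPN_CONF="${VPN_DIR}/${VPN_ID}.ovpn"
        echo "Client: ${VPN_CONF}"
        # remote-cert-tls server: the client only accepts a peer whose
        # certificate carries the server purpose
        cat <<EOF > "${VPN_CONF}"
user nobody
group nogroup
dev tun
nobind
client
remote ${VPN_SERV} ${VPN_PORT} ${VPN_PROTO}
auth-nocache
remote-cert-tls server
EOF
        ;;
      *)
        echo "Skipping ${VPN_ID}: certificate is neither a server nor a client certificate" >&2
        continue
        ;;
    esac
    echo "Keys and Certs"
    # Inline key material appended to whichever profile was just written
    cat <<EOF >> "${VPN_CONF}"
<tls-crypt-v2>
${VPN_TC}
</tls-crypt-v2>
<key>
${VPN_KEY}
</key>
<cert>
${VPN_CERT}
</cert>
<ca>
${VPN_CA}
</ca>
EOF
  done # All the definitions
  # All configs are written; restart the VPN service so it picks them up
  echo "Configs done. Restarting the VPN Service..."
  service openvpn restart
  echo "Restart Service completed."
} # End of setup_vpn_definitions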
# This routine lists what was done and takes a copy to the Admin's vault.
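# Show the generated client profiles and copy them off the router.
# The .ovpn files embed the client's private key, tls-crypt-v2 key, cert and
# CA, so the destination should be a location with restricted access.
# Globals:   VPN_DIR (read); VPN_EXPORT_DEST (read, optional scp target;
#            defaults to the previously hard-coded host:path)
# Arguments: none
# Outputs:   file list on stdout
# Returns:   1 if no .ovpn file exists, otherwise the scp status
list_and_save_results() {
  set -- "${VPN_DIR}"/*.ovpn
  # An unmatched glob stays literal, so check the first result really exists
  if [ ! -e "$1" ]; then
    echo "No client profiles found in ${VPN_DIR}" >&2
    return 1
  fi
  ls "$@"
  scp "$@" "${VPN_EXPORT_DEST:-aaron@192.168.1.30:/home/aaron/Downloads}"
} # End of list_and_save_results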
# Reboot the router.
# Globals:   none
# Arguments: none
# Returns:   does not return when the reboot succeeds
restart_openwrt() {
  reboot
}
# Remove the OpenVPN packages again.
# Only the packages go: the profiles in /etc/openvpn (which embed private
# keys), the easy-rsa PKI, the firewall rule and any vpn interface are all
# left in place; the author's open questions are listed below.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   status of the final printf (0)
uninstall_vpn_sw_and_setup() {
  printf '\n%s\n\n' "Uninstalling..."
  # TODO(author): still undecided —
  #  - revert the firewall (undo_the_firewall_changes)?
  #  - stop/disable the openvpn service first?
  #  - check that the packages / VPN directory exist before acting?
  #  - move /etc/config/openvpn and ${VPN_DIR} to /tmp, undo_vpn_interface?
  #  - anything complex goes into its own function
  opkg remove openvpn-openssl openvpn-easy-rsa kmod-tun luci-app-openvpn
  printf '\n%s\n\n' "Uninstalled openvpn"
} # End of uninstall_vpn_sw_and_setup()
#*****************************
#*** Functions end. Main Start
#*****************************
# Some global Configuration parameters
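VPN_DIR="/etc/openvpn"        # where the generated .conf/.ovpn profiles go
VPN_PKI="/etc/easy-rsa/pki"   # easy-rsa PKI root; wiped by "easyrsa init-pki" below
VPN_PORT="1194"
DDNS=""                       # optional DDNS host name (through afraid.org); used as the server address when set
VPN_PROTO="udp"
VPN_POOL="192.168.9.0 255.255.255.0"
VPN_DNS="${VPN_POOL%.* *}.1"  # first host of the pool (192.168.9.1): DNS pushed to clients
VPN_DN="$(uci -q get dhcp.@dnsmasq[0].domain)"

# Abort the run with a message on stderr. Used for the PKI steps: if one of
# them fails there is nothing usable to build profiles from.
fail() {
  echo "$*" >&2
  exit 1
}

echo
echo "openvpn installer script V0.4"
echo
# Let the user choose VPN actions, possibly more than once, until they say no
while true; do
  # read fails on EOF; without the check a closed stdin would loop forever
  read -r -p "Do you wish to install/uninstall this VPN program [y/n/u]? " ynu || exit 1
  case "${ynu}" in
    # Yes: do the whole install/setup
    [Yy]* )
      install_packages || fail "package installation failed"
      echo "Fetch server address"
      # The old test '[ ! ${DDNS}="" ]' compared the string "<value>=" and
      # never matched, so DDNS was always ignored
      if [ -n "${DDNS}" ]; then
        VPN_SERV="${DDNS}"
      else
        NET_FQDN="$(uci -q get ddns.@service[0].lookup_host)"
        . /lib/functions/network.sh
        network_flush_cache
        network_find_wan NET_IF
        network_get_ipaddr NET_ADDR "${NET_IF}"
        # NOTE(review): NET_ADDR is the address of the wan-side interface; if
        # that interface sits behind another NAT router, clients outside that
        # network cannot reach it without a port forward there — confirm
        if [ -n "${NET_FQDN}" ]; then
          VPN_SERV="${NET_FQDN}"
        else
          VPN_SERV="${NET_ADDR}"
        fi
      fi
      echo "Exporting configuration variables – should these be saved somewhere?"
      export EASYRSA_PKI="${VPN_PKI}"
      export EASYRSA_TEMP_DIR="/tmp"
      export EASYRSA_CERT_EXPIRE="3650"
      export EASYRSA_BATCH="1"
      # init-pki in batch mode discards any existing PKI: every earlier
      # profile stops working after a re-run. "nopass" stores the CA and
      # peer keys without a passphrase under ${VPN_PKI}.
      echo "Remove and re-initialize PKI directory"
      easyrsa init-pki || fail "easyrsa init-pki failed"
      echo "Generate DH parameters"
      easyrsa gen-dh || fail "easyrsa gen-dh failed"
      echo "Create a new CA"
      easyrsa build-ca nopass || fail "easyrsa build-ca failed"
      echo "Generate server keys and certificate"
      easyrsa build-server-full server nopass || fail "easyrsa build-server-full failed"
      openvpn --genkey tls-crypt-v2-server "${EASYRSA_PKI}/private/server.pem" \
        || fail "generating the tls-crypt-v2 server key failed"
      echo "Generate client keys and certificate"
      easyrsa build-client-full client nopass || fail "easyrsa build-client-full failed"
      openvpn --tls-crypt-v2 "${EASYRSA_PKI}/private/server.pem" \
        --genkey tls-crypt-v2-client "${EASYRSA_PKI}/private/client.pem" \
        || fail "generating the tls-crypt-v2 client key failed"
      #
      initialise_the_firewall
      # Configure VPN services and generate all client profiles
      setup_vpn_definitions
      # List and save the config results (to a vault, perhaps?)
      list_and_save_results
      restart_openwrt
      ;;
    # No: just leave
    [Nn]* )
      echo "No? Okay. Exiting openVPN script"
      exit 0
      ;;
    # Uninstall: remove packages, revert the firewall, reboot.
    # These were previously on one line, which passed the second and third
    # names as arguments to the first function instead of calling them.
    [Uu]* )
      uninstall_vpn_sw_and_setup
      undo_the_firewall_changes
      restart_openwrt
      ;;
    * )
      echo "Please answer y, n or u." >&2
      ;;
  esac
done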
The installation goes fine, but when I try to run the client it connects for maybe a minute and then disconnects. I cannot figure out what is wrong!
Here are the configs on the server that might be relevant:
dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option name 'hp-probook-4420s'
option mac '3c:4a:92:56:2e:56'
firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'tun+'
list network 'lan'
config zone 'wan'
option name 'wan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wwan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'relay'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'relay'
config redirect
option dest 'wan'
option target 'DNAT'
option name 'printer'
option src 'lan'
option src_dport '631'
option dest_port '631'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'vpn'
option src 'wan'
option dest_ip '192.168.1.30'
list proto 'udp'
option src_dport '1194'
option dest_port '1194'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'ssh'
list proto 'tcp'
option src 'wan'
option src_dport '227'
option dest_ip '192.168.1.30'
option dest_port '22'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'vnc'
list proto 'tcp'
option src 'wan'
option src_dport '6443'
option dest_port '6443'
option dest_ip '192.168.1.30'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'npm'
list proto 'tcp'
option src 'wan'
option src_dport '810'
option dest_ip '192.168.1.30'
option dest_port '81'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'agh'
option src 'wan'
option src_dport '530'
option dest_ip '192.168.1.30'
option dest_port '53'
config redirect
option dest 'lan'
option target 'DNAT'
list proto 'udp'
option src 'wan'
option src_dport '19132'
option dest_ip '192.168.1.30'
option dest_port '19132'
option name 'minecraft'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'plex'
list proto 'tcp'
option src 'wan'
option src_dport '32400'
option dest_ip '192.168.1.30'
option dest_port '32400'
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'vpn'
config wan_https_allow
config rule 'wan_https_allow'
option name 'Allow HTTP, HTTPS'
option src 'wan'
option proto 'tcp'
option dest_port '80 443'
option target 'ACCEPT'
config forwarding
option src 'relay'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'relay'
config forwarding
option src 'relay'
option dest 'vpn'
config forwarding
option src 'vpn'
option dest 'relay'
config forwarding
option src 'wan'
option dest 'relay'
config forwarding
option src 'wan'
option dest 'vpn'
config rule 'ovpn'
option name 'Allow-OpenVPN'
option src 'wan'
option dest_port '1194'
option proto 'udp'
option target 'ACCEPT'
network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd4e:d1a1:ffd8::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wwan'
option proto 'dhcp'
option device 'wl0-sta0'
config interface 'relay'
option proto 'relay'
option ipaddr '192.168.1.2'
list network 'lan'
list network 'wwan'
config interface 'vpn'
option proto 'none'
option device 'tun0'
list dns '1.1.1.1'
wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/18000000.wmac'
option channel '1'
option band '2g'
option htmode 'HT20'
option country 'AU'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan wwan'
option mode 'sta'
option ssid 'ssid'
option encryption 'sae-mixed'
option macaddr 'mac addr'
option key 'network password'
Any advice is appreciated!
Thanks,
Nightwalker