OpenWrt Forum Archive

Topic: OpenVPN Howto

The content of this topic has been archived on 26 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello Everyone
I recently setup OpenVPN (again) and threw together a howto. Please let me know if there are any changes that should be made. Hope it helps:

    This is a quick howto for getting OpenVPN v2.0 up and running on OpenWRT. There are many possible ways to configure OpenVPN; the one we will use here is designed for ease of setup and one server with a few clients. To that end we will use bridged mode with static keys.

But first some words of caution. This setup works for me. I do not claim to be an OpenVPN expert and this may have gaping security holes or hose your system.

Step 1: Install Software
    This howto assumes an OpenWRT machine will be the OpenVPN server and a Windows machine will be the client; however, client setup should be basically the same no matter which OS is used.

    For the OpenWRT, only a simple:

ipkg install openvpn

is all that is needed. Windows users can either download the standard OpenVPN distribution or get the GUI version from here:

http://openvpn.se/

Non-Windows clients just follow the OpenVPN install instructions.

Step 2: Generate Static Key
    Windows users click the icon to generate a static key. Everyone else run:

openvpn --genkey --secret static.key

This only needs to be done once; the key is then copied to all machines that are to be part of the VPN. I suggest placing the key file in /etc on the OpenWRT computer and leaving it in the default place on Windows.

Step 3: Setup Server
    First we need to make sure that OpenVPN connections to port 1194 are not blocked by the firewall on OpenWRT. Add the following two lines after the section allowing WAN SSH access:

### Allow SSH from WAN
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
iptables        -A input_rule      -i $WAN -p tcp --dport 22 -j ACCEPT

### Allow OpenVPN connections
iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 1194 -j ACCEPT
iptables        -A input_rule      -i $WAN -p udp --dport 1194 -j ACCEPT

### Port forwarding

Next we need to add the script to start the bridge:

#!/bin/sh

#/etc/openvpnbridge
# OpenVPN Bridge Config File
# Creates TAP devices for use by OpenVPN and bridges them into OpenWRT Bridge
# Taken from http://openvpn.net/bridge.html

# Make sure module is loaded
insmod tun

# Define Bridge Interface
# Preexisting on OpenWRT
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Build tap devices
for t in $tap; do
    openvpn --mktun --dev $t
done

# Add TAP interfaces to OpenWRT bridge

for t in $tap; do
    brctl addif $br $t
done

#Configure bridged interfaces

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

This file will create the OpenVPN tap devices and add them to the default OpenWRT ethernet/wifi bridge. As indicated I call it /etc/openvpnbridge. Make sure to chmod +x to ensure that it is executable.

Next comes the OpenVPN server config file:


# Which TCP/UDP port should OpenVPN listen on?
port 1194

# TCP or UDP server?
proto udp

# "dev tap" will create an ethernet tunnel.
dev tap


# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
;comp-lzo

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
;persist-key
;persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

#Static Key
secret /etc/openvpn.key

I call this file /etc/server.ovpn. At this point you can start OpenVPN for testing:

openvpn /etc/server.ovpn

With logread you should be able to see if it started up normally.

Step 4: Configure Client

Client configuration is pretty simple. Just place the following file in the config directory and remember to change the server IP address to match:

dev tap

proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote Your.IP.Goes.Here 1194


# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
;persist-key
;persist-tun


# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings


secret secret.key


# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
;comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

Now that should be it. Start the OpenVPN client either through the GUI or command line and it should link up.

Step 5: Wrap Up
If your setup did not work then it is time to start reading the quite excellent OpenVPN documentation. The #openvpn channel on Freenode is also quite helpful.

If your setup is working fine then the only remaining step is to automate the startup of the OpenVPN server on the OpenWRT machine. To this end create the following file and make sure it is executable:

#!/bin/sh
#/etc/init.d/S46openvpn
/etc/openvpnbridge
openvpn /etc/server.ovpn &

Now on a restart, the server should come up.

I got OpenVPN 2.0 going with pretty much the same config:

the WRT54G's

/etc/init.d/S50openvpn

        #!/bin/sh
        /usr/sbin/openvpn --config /etc/openvpn

/etc/openvpn:

        dev tun
        local 192.168.1.1
        remote 192.168.1.130
        port 5150
        ifconfig 10.0.0.1 10.0.0.2
        secret /etc/vpnkey.key
        daemon

the laptop's /etc/openvpn

        dev tun
        remote 192.168.1.1
        port 5150
        ifconfig 10.0.0.2 10.0.0.1
        secret /etc/vpn.key
        daemon

here's a cool screen shot:

        http://widge.no-ip.org/widge/pic/computer/openvpn1.png

(Last edited by widge on 12 Aug 2005, 22:24)

hi

is this a solution for connecting wlan-clients to the local network/internet or to connect from somewhere through the internet to the local network?

regards,
jan

I used my config to connect wireless clients to my wireless router. I use it as an alternative to WEP.

@loswillios: hi, i'm searching for a solution to connect from somewhere through the internet to the local network, too!

I use this for connecting to my home network when I am elsewhere. (I.e., when I am at the library on wireless and want to get a file from home, I start up the VPN.)

Mike

OK. That is what I want.
Do you use inadyn to find your router on the internet?
Can you access the router itself, or the network behind the router?

Thanks

I'm sure you can use dyndns or any such service for finding the router. When connected it is exactly like your client computer is plugged into one of the network ports on the WRT. You can access the router, the network, and even god. Hope this helps.

hello,
I'm facing problems using openvpn.
The configuration is point-to-point, where my friend (win-2003) behind his NAT is running the server.
I configure openvpn to connect to the specified port and use a dyndns host as remote, with a preshared key.
We use routing ("dev tun" in both configs).
openvpn connects all right and I can ping his peer-IP, but he cannot ping my peer-IP at all, and I also cannot ping his peer-IP from any of my internal machines behind the router. The router is running dd-wrt, which has the tun module precompiled (at least I can see /dev/net/tun).
Then, when I do put

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT

nothing happens. When I do iptables --list I do not see the two rules just entered above.
Then I started thinking something is wrong with the tun device.

$ insmod /jffs/lib/modules/2.4.30/tun.o
Using /jffs/lib/modules/2.4.30/tun.o
insmod: init_module: tun: Input/output error

Looks NOK from my point of view...
Somebody from dd-wrt told me that I must not use kmod-tun at all, due to the fact that dd-wrt already supports this.
OK, I re-flashed the router with dd-wrt and installed only openvpn/openssllib/lzolib, but the behaviour is the same (except there is no tun.o anywhere) when I run openvpn and put in these firewall rules.

Any idea is highly appreciated!

hi,

I am running an edimax br6104k with a version of openwrt. openvpn is installed and I wrote a server.conf file, but when trying to start the openvpn server, my router just reboots.

I guess the package is corrupt or doesn't work for me for some reason; would anyone post the URL of a repository with a working openvpn package, please?

thanks in advance,
kampfpizza

Why not put HowTo in Wiki?

vincentfox wrote:

Why not put HowTo in Wiki?

why are you not doing it?

To make this work in kamikaze 7.09 you have to modify the bridge script by replacing "br0" with "br-lan" and, the most important thing, you have to delete the "127.0.0.1 localhost." line from /etc/hosts, otherwise somehow dnsmasq will not provide dhcp services on tap0 (the bridge is not done correctly?)

Oh, and the openvpn config file should refer directly to tap0; I've seen places where in examples it just says "tap". In this situation openvpn will create another tap device (e.g. tap1) which we did not add to the br-lan bridge.

Bogdan Dumitru
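As an added example that is not from any post in this thread, here is a small pre-flight check for the static-key setups described in the howto above and in the kamikaze note just before: it reads one .ovpn file plus the tap name the bridge script adds to the bridge, and reports a `dev tap` line with no unit number and a missing or group/world-readable key file. The fixture directory, file names and sample key are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from any post in this thread): a pre-flight check for the
# static-key OpenVPN setups described above. It reads one .ovpn file plus the
# tap name the bridge script adds to br0/br-lan and reports the mistakes the
# thread ran into. The exit status is the number of findings (0 = clean).

lint_ovpn() {
    cfg="$1"; bridged="$2"; n=0

    # 1. "dev tap" with no unit number makes openvpn allocate the next free tapN,
    #    which is not the device brctl added to the bridge.
    dev=$(awk '$1=="dev"{print $2; exit}' "$cfg")
    if [ "$dev" = "tap" ] && [ -n "$bridged" ]; then
        echo "$cfg: 'dev tap' has no unit number; use 'dev $bridged' to match the bridge script"
        n=$((n + 1))
    fi

    # 2. In static-key mode the shared key is the only credential: it must exist
    #    (the howto generates static.key but configures openvpn.key) and must not
    #    be readable by anyone other than root. Relative paths resolve against
    #    the config's directory, as the Windows client does.
    key=$(awk '$1=="secret"{print $2; exit}' "$cfg")
    case "$key" in /*|"") ;; *) key="$(dirname "$cfg")/$key" ;; esac
    if [ -z "$key" ]; then
        echo "$cfg: no 'secret' directive; peers would not be authenticated"
        n=$((n + 1))
    elif [ ! -f "$key" ]; then
        echo "$cfg: key file $key not found; check the name used in Step 2"
        n=$((n + 1))
    elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "$cfg: key file $key is group/world readable; chmod 600 it"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample (not the poster's files): the howto's server config with
# both mistakes present, written to a throwaway directory.
make_fixture() {
    d=$(mktemp -d)
    printf 'port 1194\nproto udp\ndev tap\nsecret %s/openvpn.key\n' "$d" > "$d/server.ovpn"
    echo 'constructed-sample-key' > "$d/openvpn.key"
    chmod 644 "$d/openvpn.key"
    echo "$d"
}

lint_ovpn "$(make_fixture)/server.ovpn" tap0 || echo "$? finding(s)"
```

Run it against the real /etc/server.ovpn and the client file with the tap name from /etc/openvpnbridge (or an empty string for a routed `dev tun` setup like widge's) before opening port 1194 on the WAN.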

Resurrecting thread with a dumb question: isn't br defined as lan + wifi? Can I add the tap to the lan instead of br?

sure

Other question: if I, say, use it for wireless as someone else here did, could I have two different ways to access the wireless: the normal one which is configured to only go straight to the wan and the vpn, which then goes to the lan?

Yet another question: doesn't the openvpn server, i.e. the router, also have to provide a cert? I am trying the above, trying to connect using openvpn for windows as the client, and that is its complaint right now.

Hi

I have this situation: I want to connect my OpenWRT as a VPN client to an OpenVPN server that is already up'n'running. It does connect indeed, and routes are added (it's a bridged mode server setup), but I can only ping hosts on the other network from the router; whenever I try to ping from a client PC connected to my router it reports Destination port unreachable.

Can anyone help?

Thanks

I pushed howto to wiki.

Hi,

I have a project in my University about Olsr + VPN
I'm trying to mount this:

First:
Internet ---> Router 1 ---vpn---> Router 2

Second:
Internet ---> Router 1 ---vpn---> Router 2 <---vpn--- Client 1
                       |
                    vpn
                       |
                   Client 2

What do you think? Is it possible?