OpenWrt Forum Archive

Topic: Setting up OpenVPN

The content of this topic has been archived between 7 Apr 2018 and 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

I use a LinkSys EA4500 router and installed OpenWrt some days ago. Now I'd like to set up an OpenVPN server on the device and therefore found an introduction: https://wiki.openwrt.org/doc/howto/vpn.openvpn.

What I don't really get is what this introduction really covers, as there is a hint "For non-beginners or real-world tunnels" to use the openvpn tutorial.

What I want to have is:
- the possibility to connect via the internet to my router
- access to network devices like my Raspberry Pi running in my network
- adding different accounts with different permissions
- the VPN tunnel should run all requests over my router; this means I don't want to, e.g., pass requests through to the internet, but send every request over my router's internet IP

Why do I not directly start with the openvpn introduction? My fear is that there are differences in the commands mentioned in the introduction, and that perhaps they cannot be executed on OpenWrt. In that case I'm not sure if my Linux knowledge is deep enough.

Perhaps you can give me some hints.

Thanks and kind regards,

Dirk

1) You can achieve that by opening ports on WAN, but an openvpn connection is more secure.
2) Yes, first reason why you want to configure openvpn.
3) What do you want to achieve? You can block some IP addresses from reaching the subnet behind the server.
4) Yes, second reason why you want to configure openvpn. When you use an unsecured hotspot and connect to the openvpn server, all traffic goes through the tunnel, so it is safe to visit e.g. a bank website.
If you want to have 2 or more users connected to the vpn, you have to create certificates with this guide https://openvpn.net/index.php/open-sour … o.html#pki

What "different permissions" are you planning to give each user?

Other than that, I have my router configured to do exactly what you are asking; I cannot produce a complete guide, but can provide my configuration files.

There are a large number of OpenWrt\OpenVPN documents.  Search the wiki for OpenVPN.  https://wiki.openwrt.org/start?do=search&id=openvpn
I like this one (right now).  https://wiki.openwrt.org/doc/howto/open … rver-setup
Some are oriented to UCI, some to management via a text editor (my preference).  I use WinSCP and edit the /etc/config/openvpn file directly.

The first decision you need to make is bridging vs routing.  https://openvpn.net/index.php/open-sour … dging.html (TAP vs TUN)  I use TAP, but understand that you can add some rules and gain access to the LAN with TUN.

This article is also good:  https://openvpn.net/index.php/open-sour … dging.html

Hi all,

thanks a lot for your responses. All are very helpful. The mentioned wiki page looks quite good. I didn't expect there to be more than one documentation / howto available for the openvpn installation. Sorry for that.

The permissions I'd like to give are, e.g., that not all users shall be able to open LuCI in the browser. Some I don't want to allow to access LAN devices; they should only use the VPN to secure their connection when they are in a free WiFi LAN, e.g. So for example my parents / sister / brother could connect to my VPN when they are on vacation and ensure no one is reading their "connection contents".

Thanks and kind regards,

Dirk

The best solution for you will be a TUN interface and the client-config-dir option https://openvpn.net/index.php/open-sour … ml#control so you can push the route to the server's LAN only for the users you want, and set a static IP for clients, so you can block traffic from a specific host to the server's LAN using iptables (to be secure if someone enters a route option in his openvpn client config).

(Last edited by khain on 27 May 2016, 07:30)
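
The per-client policy khain describes, as an added example (not code from the thread or from OpenVPN/OpenWrt): one client-config-dir file per certificate common name, a fixed tunnel address via ifconfig-push, the LAN route pushed only to trusted clients, and OpenWrt firewall rules keyed on those fixed addresses so that LAN access is decided on the server and not by whatever a client writes into its own .ovpn file. The LAN 10.50.50.0/24 and the tunnel 10.1.1.0/24 are taken from the configs posted later in the thread; the client names, the static range 10.1.1.200-10.1.1.250, and the idea of dropping the zone-level 'forwarding vpn -> lan' in favour of per-client ACCEPT rules are assumptions of this example.

```python
"""Per-client access policy for an OpenVPN TUN server on OpenWrt (added example).

Generates: a ccd file per client CN (ifconfig-push; LAN route only for trusted
clients), the UCI options that make the ccd directory authoritative, and the
firewall rules that allow vpn -> lan only from trusted static tunnel addresses.
Assumptions: client names, static hosts .200-.250 (keep the dynamic pool away
from that range), and no zone-wide vpn -> lan forwarding in /etc/config/firewall.
"""
import ipaddress
from dataclasses import dataclass

TUN_NET = ipaddress.ip_network("10.1.1.0/24")    # 'option server' in the posted openvpn config
LAN_NET = ipaddress.ip_network("10.50.50.0/24")  # 'lan' interface in the posted network config
STATIC_RANGE = range(200, 251)                   # assumption: hosts reserved for static clients


@dataclass(frozen=True)
class Client:
    cn: str           # certificate CN; the ccd file must be named exactly like it
    host: int         # last octet of the client's fixed tunnel address
    lan_access: bool  # True: may reach LAN_NET; False: internet-only through the tunnel


def tun_ip(client):
    """Fixed tunnel address of a client, refusing hosts outside the static range."""
    if client.host not in STATIC_RANGE:
        raise ValueError(f"{client.cn}: host {client.host} outside static range")
    return str(TUN_NET.network_address + client.host)


def ccd_entry(client):
    """Contents of /etc/openvpn/clients/<cn>; topology subnet wants address + netmask."""
    lines = [f"ifconfig-push {tun_ip(client)} {TUN_NET.netmask}"]
    if client.lan_access:
        lines.append(f'push "route {LAN_NET.network_address} {LAN_NET.netmask}"')
    return "\n".join(lines) + "\n"


def build_ccd(clients):
    """cn -> file content; duplicate names or addresses would make the firewall rules ambiguous."""
    names = [c.cn for c in clients]
    hosts = [c.host for c in clients]
    if len(set(names)) != len(names) or len(set(hosts)) != len(hosts):
        raise ValueError("duplicate client name or tunnel address")
    return {c.cn: ccd_entry(c) for c in clients}


def server_options():
    """UCI options for /etc/config/openvpn: ccd_exclusive refuses any CN without a ccd file."""
    return ("\toption client_config_dir '/etc/openvpn/clients'\n"
            "\toption ccd_exclusive '1'\n")


def firewall_rules(clients):
    """UCI 'config rule' blocks for /etc/config/firewall: vpn -> lan only from trusted addresses."""
    out = []
    for c in clients:
        if c.lan_access:
            out.append("config rule\n"
                       f"\toption name 'vpn-lan-{c.cn}'\n"
                       "\toption src 'vpn'\n"
                       f"\toption src_ip '{tun_ip(c)}'\n"
                       "\toption dest 'lan'\n"
                       "\toption proto 'all'\n"
                       "\toption target 'ACCEPT'\n")
    return "\n".join(out)


# Constructed sample: one trusted client, one family member who only needs a safe hotspot.
CLIENTS = [Client("dirk-laptop", 200, True), Client("sister-phone", 201, False)]

if __name__ == "__main__":
    for cn, body in build_ccd(CLIENTS).items():
        print(f"--- /etc/openvpn/clients/{cn}\n{body}")
    print(server_options())
    print(firewall_rules(CLIENTS))
```

Because the untrusted client still receives redirect-gateway, its internet traffic leaves through the router's WAN (masquerade), while any route it adds to 10.50.50.0/24 by hand is stopped at the firewall, which never sees an ACCEPT for 10.1.1.201.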

Hi khain,

thanks, that sounds very interesting. I'll have a look at it today in the evening.

Thanks and kind regards,

Dirk

Hi all,

today I followed the instructions of RangerZ's preferred wiki entry (https://wiki.openwrt.org/doc/howto/open … rver-setup) until I reached the point VPN-Clients (https://wiki.openwrt.org/doc/howto/open … pn_clients).

My clients are Windows 7 and iPhone, but I don't know how to name the XML file quoted in the description, and I don't understand which other files I need. The following sentences confuse me a little bit:

In Windows, if the p12 certificate isn't stored in the same directory as the ovpn config file, you will need to reference the path to the p12 cert

As Windows client I would use the Securepoint SSL VPN client, which I already use to connect to my company's VPN, which also runs with OpenVPN on OpenWrt.

It would be very kind if you could help me with these (temporarily) last steps.

Thanks and kind regards,

Dirk

I did not use a p12 certificate, so I am not sure I can help with that, but the above basically says to put the p12 in with all the other certs to make it easy.

As for iOS, I use the iOS OpenVPN app, and drag my cred files into the right side of the OpenVPN app's window in iTunes.  It uploads the files during the sync process.

As for Windows, I use the OpenVPN app; all the files go in:  C:\Program Files\OpenVPN\config

Thanks for your fast response.

I have now created an .ovpn file in addition to ca.crt, my-client.crt and my-client.key. It looks not soooo bad, even if the openvpn client cannot connect to the ovpn server, as a timeout occurred.

Is it possible that the reason is
- that I try to connect from my LAN to the ovpn server?
- that port 1194 is not open in my firewall settings (that's how it looks to me)? May this be a reason?

Thanks and kind regards,

Dirk

You cannot run the VPN from inside your LAN.  You need to come in through the WAN.

I have taken an "extra" router and set it up in front of my main router as a "fake" ISP.  Connect your main router and client to the LAN of the fake ISP and freshen up your openvpn files with the IP assigned to the server.  Connect the fake ISP's WAN to the internet.

Once it's working you can use http://totusoft.com/lanspeed1/ to test your speed (Windows) for the LAN (as opposed to the internet).  This will eliminate the ISP and other factors that may impact your performance and let you measure the hardware.  Enjoy; you will never see this speed in real life, but you will have a clear benchmark to gauge your hardware.

Hi RangerZ,

thanks. I tried it from my workplace and the same error occurred:

Try to start OpenVPN connection ****************
Mon May 30 08:02:01 2016 OpenVPN 2.3.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Apr  9 2014
Mon May 30 08:02:02 2016 Socket Buffers: R=[8192->8192] S=[64512->64512]
Mon May 30 08:02:02 2016 UDPv4 link local: [undef]
Mon May 30 08:02:02 2016 UDPv4 link remote: [AF_INET]95.208.122.125:1194
ERROR: TLS error! See log for details
Mon May 30 08:03:02 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon May 30 08:03:02 2016 TLS Error: TLS handshake failed

Mon May 30 08:03:02 2016 SIGUSR1[soft,tls-error] received, process restarting
Mon May 30 08:03:02 2016 Restart pause, 2 second(s)
DisconnectedTimeout[Maybe your cetificates are not valid. Please check if it is revoked], restart pause will be ignored! Shuting down OpenVPN ...

Any idea what goes wrong?

Thanks and kind regards,

Dirk

I assume this is your server.  The error refers to a log file, which you may have specified a location for in your openvpn config file.  What does it say?  Have you tried to connect the client?  What does its log say?

If khain's suggestion does not help, you will need to post your files:
OpenWrt network, firewall, and openvpn
Client openvpn
whatever logs for both
Remove any personal info in your config (IP, MAC, name and email where relevant).

Sorry for my late response. In my first test to connect from the company to my VPN, I made the mistake that I forgot I always unplug my router and cable modem, as they are not used when I'm not at home. Of course, in that case it couldn't work.

Today I left both plugged into the power socket, but it didn't work either.

As written earlier, I guess / fear the error is that port 1194 is not opened, even if one of the firewall rules in the tutorial is about that. I'll check this at home and will open it manually, if not yet open.

Which config files would you need to see? I can post them tomorrow if my test tomorrow fails, or this evening if the port is already open.

Thanks and kind regards,

Dirk

dirk1312 wrote:

Which config files would you need to see...

/etc/config/network
/etc/config/firewall
/etc/config/openvpn

and logs from server and client, but first check if the port is opened.

The port seems to be open (regarding the firewall settings). My network's IP addresses are 10.50.50.x (only because I had to configure src_ip and dest_ip in the firewall settings).

/etc/config/network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd49:8e60:7962::/48'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '10.50.50.1'

config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'

config interface 'wan6'
    option ifname 'eth1'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 1 2 3 5'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '4 6'

config interface 'guest'
    option type 'bridge'
    option _orig_ifname 'radio0.network2 wlan1-1'
    option _orig_bridge 'true'
    option proto 'static'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'
    option gateway '192.168.3.1'
    option dns '8.8.8.8 8.8.4.4'

config interface 'vpn0'
    option ifname 'tun0'
    option proto 'none'

/etc/config/firewall

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option family 'ipv4'
    option src '*'
    option dest_port '1194'
    option name 'Allow Inbound VPN0'

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option family 'ipv4'
    option src '*'
    option src_ip '10.1.1.0/24'
    option dest_ip '192.168.1.0/26'
    option name 'Allow Inbound VPN0 Traffic to LAN'

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option family 'ipv4'
    option src '*'
    option src_ip '10.1.1.0/24'
    option dest '*'
    option dest_ip '192.168.1.0/26'
    option name 'Allow Forwarded VPN0 Traffic to LAN'

config rule
    option target 'ACCEPT'
    option proto 'icmp'
    option src_ip '10.1.1.0/24'
    option src '*'
    option dest 'lan'
    option name 'Allow Inbound ICMP Traffic from VPN0 to LAN'

config rule
    option target 'ACCEPT'
    option proto 'icmp'
    option src '*'
    option src_ip '10.1.1.0/24'
    option dest 'wan'
    option name 'Allow Outbound ICMP Echo Request (8) from VPN0'
    list icmp_type 'echo-request'

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option drop_invalid '1'
    option forward 'DROP'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option network 'lan'
    option forward 'DROP'

config zone
    option name 'vpn'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option network 'vpn0'
    option family 'ipv4'

config zone
    option name 'wan'
    option output 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan wan6'
    option input 'DROP'
    option forward 'DROP'

config include
    option path '/etc/firewall.user'

config forwarding
    option dest 'wan'
    option src 'lan'

config forwarding
    option dest 'lan'
    option src 'vpn'

config forwarding
    option dest 'vpn'
    option src 'lan'

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan wan6'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config zone
    option name 'guest'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option network 'guest'
    option masq '1'

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option dest_port '53'
    option name 'Guest DNS'
    option src 'guest'

config rule
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '67-68'
    option name 'Guest DHCP'
    option src 'guest'

config zone
    option name 'vpn'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option network 'vpn0'

config forwarding
    option src 'vpn'
    option dest 'lan'

config forwarding
    option src 'lan'
    option dest 'vpn'

config forwarding
    option dest 'lan'
    option src 'guest'

config redirect
    option target 'SNAT'
    option src 'guest'
    option dest 'lan'
    option proto 'all'
    option src_dip '10.50.50.1'
    option name 'allow-guest-INTERNET'
    option enabled '0'

config rule
    option src 'guest'
    option dest 'lan'
    option name 'reject-guest-any-lan'
    option proto 'all'
    option target 'REJECT'
    option enabled '0'

/etc/config/openvpn

config openvpn 'VPNserver'
 
        option enabled     '1'
 
    # --- Protocol ---#
        option dev         'tun'
        option dev         'tun0'
        option topology    'subnet'
        option proto       'udp'
        option port        '1194'
 
    #--- Routes ---#
        option server    '10.1.1.0 255.255.255.0'
        option ifconfig  '10.1.1.1 255.255.255.0'
 
    #--- Client Config ---#
#       option ccd_exclusive           '1'
#       option ifconfig_pool_persist   '/etc/openvpn/clients/ipp.txt'
#       option client_config_dir       '/etc/openvpn/clients/'
 
    #--- Pushed Routes ---#
        list push    'route 192.168.1.0 255.255.255.0'
        list push    'dhcp-option DNS 192.168.1.1'
        list push    'dhcp-option WINS 192.168.1.1'
        list push    'dhcp-option DNS 8.8.8.8'
        list push    'dhcp-option DNS 8.8.4.4'
        list push    'dhcp-option NTP 129.6.15.30'
 
    #--- Encryption ---#
        option cipher     'AES-256-CBC'
        option dh         '/etc/openvpn/keys/dh2048.pem'
        option pkcs12     '/etc/openvpn/keys/my-server.p12'
        option tls_auth   '/etc/openvpn/keys/ta.key 0'
 
    #--- Logging ---#
        option log           '/tmp/openvpn.log'
        option status        '/tmp/openvpn-status.log'
        option verb          '7'
 
    #--- Connection Options ---#
        option keepalive        '10 120'
        option comp_lzo         'yes'
 
    #--- Connection Reliability ---#
        option client_to_client '1'
        option persist_key      '1'
        option persist_tun      '1'
 
    #--- Connection Speed ---#    
        option sndbuf            '393216'
        option rcvbuf            '393216'
        option fragment          '0'
        option mssfix            '0'
        option tun_mtu           '24000'
 
    #--- Pushed Buffers ---#
        list push    'sndbuf 393216'
        list push    'rcvbuf 393216'
 
    #--- Permissions ---#
        option user     'nobody'
        option group    'nogroup'

/etc/openvpn.log

Thu Jun  2 19:04:56 2016 us=165289 OpenVPN 2.3.10 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Thu Jun  2 19:04:56 2016 us=166868 library versions: OpenSSL 1.0.2h  3 May 2016, LZO 2.09
Thu Jun  2 19:04:56 2016 us=239441 Diffie-Hellman initialized with 2048 bit key
Thu Jun  2 19:04:56 2016 us=523622 Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Thu Jun  2 19:04:56 2016 us=523841 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun  2 19:04:56 2016 us=523995 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun  2 19:04:56 2016 us=524118 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 56 bytes
Thu Jun  2 19:04:56 2016 us=524235 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 28 bytes
Thu Jun  2 19:04:56 2016 us=525496 TLS-Auth MTU parms [ L:24058 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Thu Jun  2 19:04:56 2016 us=526208 Socket Buffers: R=[163840->327680] S=[163840->327680]
Thu Jun  2 19:04:56 2016 us=541231 TUN/TAP device tun0 opened
Thu Jun  2 19:04:56 2016 us=541447 TUN/TAP TX queue length set to 100
Thu Jun  2 19:04:56 2016 us=541604 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Jun  2 19:04:56 2016 us=541833 /sbin/ifconfig tun0 10.1.1.1 netmask 255.255.255.0 mtu 24000 broadcast 10.1.1.255
Thu Jun  2 19:04:56 2016 us=567508 Data Channel MTU parms [ L:24058 D:24058 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
Thu Jun  2 19:04:56 2016 us=567822 GID set to nogroup
Thu Jun  2 19:04:56 2016 us=567970 UID set to nobody
Thu Jun  2 19:04:56 2016 us=568102 UDPv4 link local (bound): [undef]
Thu Jun  2 19:04:56 2016 us=568222 UDPv4 link remote: [undef]
Thu Jun  2 19:04:56 2016 us=568879 MULTI: multi_init called, r=256 v=256
Thu Jun  2 19:04:56 2016 us=569666 IFCONFIG POOL: base=10.1.1.2 size=252, ipv6=0
Thu Jun  2 19:04:56 2016 us=571047 Initialization Sequence Completed

/etc/openvpn-status.log

OpenVPN CLIENT LIST
Updated,Thu Jun  2 19:35:02 2016
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END

Additional info: The tutorial's command

build-key-server my-server
 
#--- Converts Server certificate to a PKCS12 certificate (DO NOT set a password for THIS SPECIFIC certificate) ---#
openssl pkcs12 -export -in keys/my-server.crt -inkey keys/my-server.key -certfile keys/ca.crt -name My-Server -out keys/my-server.p12 ; chmod 0600 keys/my-server.p12
 

was adjusted to run as

build-key-server my-server
 
#--- Converts Server certificate to a PKCS12 certificate (DO NOT set a password for THIS SPECIFIC certificate) ---#
openssl pkcs12 -export -in keys/my-server.crt -inkey keys/my-server.key -certfile keys/ca.crt -name MY_LAST_NAME -out keys/my-server.p12 ; chmod 0600 keys/my-server.p12
 

No clue if that's a problem. For one of the steps I was asked to set a password and set one, but when I try to connect via VPN, I'm not asked to enter a password.

Thanks and kind regards,

Dirk

(Last edited by dirk1312 on 2 Jun 2016, 18:39)

Your OpenVPN file has two lines for option dev.  There should only be 1; I think the tun0.

It also looks like you have duplicate zones for LAN, WAN and VPN.

And most important, you didn't put the path for the certificates in the openvpn config!
For a static key use the secret option,
and for multi-client certificates use the ca, cert and key options.

Thanks a lot for your responses.

RangerZ wrote:

Your OpenVPN file has two lines for option dev.  There should only be 1; I think the tun0.

It also looks like you have duplicate zones for LAN, WAN and VPN.

I commented out the tun option. Both were in the tutorial I used (the one you mentioned). I'm not sure what you exactly mean with the duplicate zones for LAN, WAN and VPN. In /etc/config/network?

khain wrote:

And most important, you didn't put the path for the certificates in the openvpn config!
For a static key use the secret option,
and for multi-client certificates use the ca, cert and key options.

I changed my file /etc/config/openvpn to use the options "ca", "cert" and "key" instead of "dh", "pkcs12" and "tls_auth". Please see below. Is that what you meant? Or are there still other changes I have to make?

Do both of you perhaps think it would make more sense to restart my openvpn installation with another tutorial that supports multi-client? Perhaps one that uses LuCI and its openvpn plugin?

...
    # --- Protocol ---#
#        option dev         'tun'
        option dev         'tun0'
        option topology    'subnet'
...
    #--- Encryption ---#
        option cipher     'AES-256-CBC'
        option dh         '/etc/openvpn/keys/dh2048.pem'
#        option pkcs12     '/etc/openvpn/keys/my-server.p12'
        option tls_auth   '/etc/openvpn/keys/ta.key 0'
        option ca         '/etc/openvpn/keys/ca.crt'
        option cert       '/etc/openvpn/keys/my-server.crt'
        option key        '/etc/openvpn/keys/my-server.key'
...

I restarted my router, but can only test it tomorrow in the morning.

Thanks and kind regards,

Dirk

(Last edited by dirk1312 on 2 Jun 2016, 21:25)

you also need
     list push    'redirect-gateway def1 local'
in your openvpn file.  I would comment out the last 3 sections of the openvpn config for now in both the server and client (speed, buffer, permissions).  They are performance tweaks.  It looks like you have different parameters for buffers on your server and client.  Rationalize your server and client openvpn files for consistency.

Do you have your crt files in the /etc/openvpn/ folder?  I do not think you need the ta.key file, but I am not sure it's a problem. The pem file is still needed on the server.   Not clear on your key issues.  I find it's easier to build them on a real PC (I use Windows) and then upload them.

Zones are in your firewall file.  Notice how the reference wiki has rules organized into sections.  https://wiki.openwrt.org/doc/howto/open … rver-setup

Please include full files going forward and note whether they are for client or server.  Include your client openvpn file.

RangerZ wrote:

I do not think you need the ta.key file, but I am not sure it's a problem.

tls-auth is an additional authentication of all SSL/TLS handshake packets, so it is optional, but when you use it you have to set the proper directions. If you have '0' in the server conf, you need to put '1' in the client conf.
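
Why the two directions have to be complementary, as an added example (not code from the thread or from OpenVPN itself): a 2048-bit static key file holds two independent (cipher, HMAC) key pairs, and the direction flag selects which pair signs outgoing control packets and which verifies incoming ones. With '0' on one side and '1' on the other, each peer's send key is the other's receive key. With the same flag on both sides every handshake packet fails the HMAC check and is dropped without any reply, and the client only sees "TLS key negotiation failed to occur within 60 seconds" like the log earlier in this thread. The model below is simplified: the HMAC covers an opaque byte string instead of OpenVPN's real header and packet-id layout, and the key file is a constructed 256-byte blob in the shape `openvpn --genkey` writes, not a real key.

```python
"""Model of OpenVPN tls-auth key direction (added example, not OpenVPN code).

Static key layout (OpenVPN's struct key2, two keys of 64-byte cipher + 64-byte
hmac material):  [0:64] key0.cipher  [64:128] key0.hmac  [128:192] key1.cipher
[192:256] key1.hmac.  Direction 0 sends with key0/receives with key1, direction 1
the reverse, and no direction (bidirectional) uses key0 both ways.
Simplification: the HMAC here covers an opaque byte string, not the real packet.
"""
import hashlib
import hmac

KEY_BYTES = 256          # "OpenVPN Static key V1" is 2048 bits
HMAC_KEY_LEN = 20        # HMAC-SHA1 uses digest-size bytes of the 64-byte hmac field
HMAC_OFFSETS = (64, 192) # start of key0.hmac and key1.hmac in the blob


def parse_static_key(text):
    """Parse the '-----BEGIN OpenVPN Static key V1-----' format: hex body, '#' comments allowed."""
    body = [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("-----") and not ln.startswith("#")]
    key = bytes.fromhex("".join(body))
    if len(key) != KEY_BYTES:
        raise ValueError(f"expected {KEY_BYTES} key bytes, got {len(key)}")
    return key


def hmac_keys(key, direction):
    """(send_key, recv_key) for key-direction 0, 1, or None (omitted = bidirectional)."""
    k0 = key[HMAC_OFFSETS[0]:HMAC_OFFSETS[0] + HMAC_KEY_LEN]
    k1 = key[HMAC_OFFSETS[1]:HMAC_OFFSETS[1] + HMAC_KEY_LEN]
    if direction is None:
        return k0, k0
    if direction == 0:
        return k0, k1
    if direction == 1:
        return k1, k0
    raise ValueError("direction must be 0, 1 or None")


def wrap(packet, send_key):
    """Prepend an HMAC-SHA1 tag, as tls-auth does for every control-channel packet."""
    return hmac.new(send_key, packet, hashlib.sha1).digest() + packet


def unwrap(wire, recv_key):
    """Return the packet if the tag verifies, else None (OpenVPN drops it and sends nothing back)."""
    tag, packet = wire[:20], wire[20:]
    expected = hmac.new(recv_key, packet, hashlib.sha1).digest()
    return packet if hmac.compare_digest(tag, expected) else None


def handshake_passes(key, server_direction, client_direction):
    """True if the first packet of each side survives the tls-auth check at the other side."""
    s_send, s_recv = hmac_keys(key, server_direction)
    c_send, c_recv = hmac_keys(key, client_direction)
    client_hello = unwrap(wrap(b"P_CONTROL_HARD_RESET_CLIENT_V2", c_send), s_recv)
    server_hello = unwrap(wrap(b"P_CONTROL_HARD_RESET_SERVER_V2", s_send), c_recv)
    return client_hello is not None and server_hello is not None


# Constructed key file in the shape of 'openvpn --genkey --secret ta.key' output:
# 16 lines of 32 hex characters. The bytes are a counter, NOT random: never use as a real key.
CONSTRUCTED_TA_KEY = ("-----BEGIN OpenVPN Static key V1-----\n"
                      + "\n".join(bytes(range(i, i + 16)).hex() for i in range(0, 256, 16))
                      + "\n-----END OpenVPN Static key V1-----\n")

if __name__ == "__main__":
    key = parse_static_key(CONSTRUCTED_TA_KEY)
    for s, c in [(0, 1), (1, 0), (0, 0), (None, None), (0, None)]:
        state = "handshake proceeds" if handshake_passes(key, s, c) else "packets dropped"
        print(f"server {s!s:>4} / client {c!s:>4}: {state}")
```

The practical check this suggests: when the client times out on TLS negotiation and the server log at `verb 4` or higher shows "Authenticate/Decrypt packet error: packet HMAC authentication failed" for each incoming packet, the problem is the tls-auth key or its direction, not the certificates.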

RangerZ wrote:

you also need
     list push    'redirect-gateway def1 local'
in your openvpn file.  I would comment out the last 3 sections of the openvpn config for now in both the server and client (speed, buffer, permissions).  They are performance tweaks.  It looks like you have different parameters for buffers on your server and client.  Rationalize your server and client openvpn files for consistency.

Thanks. I did so (please find the current state of the /etc/config/openvpn file at the end of the post).

RangerZ wrote:

Do you have your crt files in the /etc/openvpn/ folder?  I do not think you need the ta.key file, but I am not sure it's a problem. The pem file is still needed on the server.   Not clear on your key issues.  I find it's easier to build them on a real PC (I use Windows) and then upload them.

No. The files are located in the /etc/openvpn/keys folder. The tls_auth option is now commented out, after khain said it's only optional. I'm not sure what you want to tell me with the "key issues". Do you think the keys generated on the router may not be valid?

RangerZ wrote:

Zones are in your firewall file.  Notice how the reference wiki has rules organized into sections.  https://wiki.openwrt.org/doc/howto/open … rver-setup

Thanks for that hint. I'll read it.

config openvpn 'VPNserver'
 
        option enabled     '1'
 
    # --- Protocol ---#
#        option dev         'tun'
        option dev         'tun0'
        option topology    'subnet'
        option proto       'udp'
        option port        '1194'
 
    #--- Routes ---#
        option server    '10.1.1.0 255.255.255.0'
        option ifconfig  '10.1.1.1 255.255.255.0'
 
    #--- Client Config ---#
#       option ccd_exclusive           '1'
#       option ifconfig_pool_persist   '/etc/openvpn/clients/ipp.txt'
#       option client_config_dir       '/etc/openvpn/clients/'
 
    #--- Pushed Routes ---#
        list push    'route 192.168.1.0 255.255.255.0'
        list push    'dhcp-option DNS 192.168.1.1'
        list push    'dhcp-option WINS 192.168.1.1'
        list push    'dhcp-option DNS 8.8.8.8'
        list push    'dhcp-option DNS 8.8.4.4'
        list push    'dhcp-option NTP 129.6.15.30'
        list push    'redirect-gateway def1 local' 
 
    #--- Encryption ---#
        option cipher     'AES-256-CBC'
        option dh         '/etc/openvpn/keys/dh2048.pem'
#        option pkcs12     '/etc/openvpn/keys/my-server.p12'
#        option tls_auth   '/etc/openvpn/keys/ta.key 0'
        option ca         '/etc/openvpn/keys/ca.crt'
        option cert       '/etc/openvpn/keys/my-server.crt'
        option key        '/etc/openvpn/keys/my-server.key'
 
    #--- Logging ---#
        option log           '/tmp/openvpn.log'
        option status        '/tmp/openvpn-status.log'
        option verb          '7'
 
    #--- Connection Options ---#
        option keepalive        '10 120'
        option comp_lzo         'yes'
 
    #--- Connection Reliability ---#
        option client_to_client '1'
        option persist_key      '1'
        option persist_tun      '1'
 
    #--- Connection Speed ---#    
#        option sndbuf            '393216'
#        option rcvbuf            '393216'
#        option fragment          '0'
#        option mssfix            '0'
#        option tun_mtu           '24000'
  
    #--- Pushed Buffers ---#
#        list push    'sndbuf 393216'
#        list push    'rcvbuf 393216'

    #--- Permissions ---#
#        option user     'nobody'
#        option group    'nogroup'

All I was trying to validate was that the keys were where they were supposed to be.

The above looks OK.  What happens?

Sorry for my missing response. I was on a "city trip"(?) over the weekend and could only test it again today.

For me it looks like it works now. The Securepoint SSL client shows a green "connected" state, and the logs show the following (all personal data replaced with MYCITY, MYLASTNAME, MYSERVER, ...):

Try to start OpenVPN connection MYSERVER 
Mon Jun 06 09:19:43 2016 OpenVPN 2.3.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Apr  9 2014
Mon Jun 06 09:19:43 2016 Socket Buffers: R=[8192->8192] S=[64512->64512]
Mon Jun 06 09:19:43 2016 UDPv4 link local: [undef]
Mon Jun 06 09:19:43 2016 UDPv4 link remote: [AF_INET]95.208.243.202:1194
Mon Jun 06 09:19:43 2016 TLS: Initial packet from [AF_INET]95.208.243.202:1194, sid=00a977e1 0bdc3b9f
Mon Jun 06 09:19:44 2016 VERIFY OK: depth=1, C=DE, ST=MYSTATE, L=MYCITY, O=MYLASTNAME, OU=MYLASTNAME, CN=MYLASTNAME.local, name=vpnserver, emailAddress=me@web.de
Mon Jun 06 09:19:44 2016 VERIFY OK: nsCertType=SERVER
Mon Jun 06 09:19:44 2016 VERIFY OK: depth=0, C=DE, ST=MYSTATE, L=MYCITY, O=MYLASTNAME, OU=MYLASTNAME, CN=MYLASTNAME.local, name=vpnserver, emailAddress=me@web.de
Mon Jun 06 09:19:44 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jun 06 09:19:44 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 06 09:19:44 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jun 06 09:19:44 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 06 09:19:44 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Jun 06 09:19:44 2016 [MYSERVER.local] Peer Connection Initiated with [AF_INET]95.208.243.202:1194
Mon Jun 06 09:19:47 2016 SENT CONTROL [MYSERVER.local]: 'PUSH_REQUEST' (status=1)
Mon Jun 06 09:19:47 2016 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.1.1,dhcp-option WINS 192.168.1.1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,dhcp-option NTP 129.6.15.30,redirect-gateway def1 local,route-gateway 10.1.1.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.1.1.2 255.255.255.0'
Mon Jun 06 09:19:47 2016 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jun 06 09:19:47 2016 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jun 06 09:19:47 2016 OPTIONS IMPORT: route options modified
Mon Jun 06 09:19:47 2016 OPTIONS IMPORT: route-related options modified
Mon Jun 06 09:19:47 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Jun 06 09:19:47 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Jun 06 09:19:47 2016 open_tun, tt->ipv6=0
Mon Jun 06 09:19:47 2016 TAP-WIN32 device [LAN-Verbindung 2] opened: \\.\Global\{EE773150-51AB-4DFF-A3CA-B17D2E7BF6CF}.tap
Mon Jun 06 09:19:47 2016 TAP-Windows Driver Version 9.9 
Mon Jun 06 09:19:47 2016 Set TAP-Windows TUN subnet mode network/local/netmask = 10.1.1.0/10.1.1.2/255.255.255.0 [SUCCEEDED]
Mon Jun 06 09:19:47 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.1.1.2/255.255.255.0 on interface {EE773150-51AB-4DFF-A3CA-B17D2E7BF6CF} [DHCP-serv: 10.1.1.254, lease-time: 31536000]
Mon Jun 06 09:19:47 2016 Successful ARP Flush on interface [77] {EE773150-51AB-4DFF-A3CA-B17D2E7BF6CF}
Mon Jun 06 09:19:52 2016 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Mon Jun 06 09:19:52 2016 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.1.1.1
Mon Jun 06 09:19:52 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Mon Jun 06 09:19:52 2016 Route addition via IPAPI succeeded [adaptive]
Mon Jun 06 09:19:52 2016 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.1.1.1
Mon Jun 06 09:19:52 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Mon Jun 06 09:19:52 2016 Route addition via IPAPI succeeded [adaptive]
Mon Jun 06 09:19:52 2016 C:\Windows\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.1.1.1
Mon Jun 06 09:19:52 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Mon Jun 06 09:19:52 2016 Route addition via IPAPI succeeded [adaptive]
Mon Jun 06 09:19:52 2016 Initialization Sequence Completed

Before it worked I still had to adjust my .ovpn file to use the same cipher as the server:

Mon Jun 06 09:10:38 2016 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
...
Mon Jun 06 09:11:01 2016 Authenticate/Decrypt packet error: cipher final failed

I decided to use AES-256-CBC - or would you recommend another one? I found on the openvpn website that there are quite many. This warning does not appear any more and the connection log contains no warnings / errors.

Nevertheless there's at least one problem left: When I connect to my VPN server, I can neither surf the internet nor connect to local network devices (I tried to connect to my router's LuCI).

For me it looks like, on the one hand, the network address is out of my network's scope and the standard gateway is missing (sorry, the information is in English):

Ethernet adapter LAN-Verbindung 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-EE-77-31-50
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::59b7:a1da:6a9c:faf3%77(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.1.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, 6 June 2016 09:19:53
   Lease Expires . . . . . . . . . . : Tuesday, 6 June 2017 09:19:52
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.1.1.254
   DHCPv6 IAID . . . . . . . . . . . : 1291911150
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-94-CE-94-5C-51-4F-56-26-BF

   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       8.8.8.8
                                       8.8.4.4
   Primary WINS Server . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

My network address is now 10.1.1.2, the DHCP server address is 10.1.1.254 and the first DNS server is 192.168.1.1. I would expect the DHCP server to be my router's IP (10.50.50.1), as well as the DNS server?!
As for the IP address, I'm not sure whether it has to be something like 10.50.50.X.

Thanks and kind regards,

Dirk

(Last edited by dirk1312 on 6 Jun 2016, 08:34)
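
A consistency check over the three UCI files, as an added example (not code from the thread, from OpenWrt or from OpenVPN). It parses the `config` / `option` / `list` format of /etc/config/network, firewall and openvpn and reports the classes of mismatch this thread ran into: an `option` repeated inside the openvpn section (the two `dev` lines), firewall zones or `defaults` blocks defined twice, and pushed routes, pushed private DNS servers or firewall `dest_ip` ranges that lie in no LAN the network file defines. The posted files push `route 192.168.1.0 255.255.255.0` and `dhcp-option DNS 192.168.1.1` while the LAN interface is 10.50.50.1/24, so a client that does follow those pushes is sent to a network the router does not have. The strings embedded below are constructed, trimmed excerpts of the posted files; on a router you would read the three files instead.

```python
"""Cross-check of the UCI configs behind an OpenWrt OpenVPN server (added example).

parse_uci() reads /etc/config/{network,firewall,openvpn}; check() reports an
'option' repeated in the openvpn section, firewall zones or 'defaults' blocks
defined twice, and pushed routes, pushed private DNS servers or firewall dest_ip
ranges that lie in no LAN the network file defines. The strings below are
constructed excerpts of the files posted in this thread.
"""
import ipaddress
import shlex
from collections import Counter, defaultdict

NETWORK = """
config interface 'lan'
    option proto 'static'
    option ipaddr '10.50.50.1'
    option netmask '255.255.255.0'
"""
FIREWALL = """
config rule
    option src_ip '10.1.1.0/24'
    option dest_ip '192.168.1.0/26'
    option name 'Allow Forwarded VPN0 Traffic to LAN'
config defaults
    option forward 'DROP'
config zone
    option name 'lan'
config defaults
    option forward 'REJECT'
config zone
    option name 'lan'
"""
OPENVPN = """
config openvpn 'VPNserver'
    option dev 'tun'
    option dev 'tun0'
    option server '10.1.1.0 255.255.255.0'
    list push 'route 192.168.1.0 255.255.255.0'
    list push 'dhcp-option DNS 192.168.1.1'
    list push 'dhcp-option DNS 8.8.8.8'
"""


def parse_uci(text):
    """Sections as (type, name, values, option_counts): values collects 'option' and 'list'
    lines alike, option_counts says how often a key appeared as a plain 'option'."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, defaultdict(list), Counter()))
        elif parts[0] in ("option", "list") and sections:
            sections[-1][2][parts[1]].append(parts[2] if len(parts) > 2 else "")
            sections[-1][3][parts[1]] += parts[0] == "option"
    return sections


def lan_networks(network_text):
    """name -> IPv4 network of every statically addressed interface."""
    nets = {}
    for typ, name, v, _ in parse_uci(network_text):
        if typ == "interface" and v.get("proto") == ["static"] and "ipaddr" in v and "netmask" in v:
            nets[name] = ipaddress.ip_network(f"{v['ipaddr'][0]}/{v['netmask'][0]}", strict=False)
    return nets


def covered(obj, lans):
    """True if the address or network lies inside one of the LANs."""
    return any(obj.subnet_of(lan) if isinstance(obj, ipaddress.IPv4Network) else obj in lan
               for lan in lans.values())


def check(network_text, firewall_text, openvpn_text):
    """Findings as human-readable strings; empty list means the three files agree."""
    lans = lan_networks(network_text)
    findings = []
    for _, name, v, counts in parse_uci(openvpn_text):
        findings += [f"openvpn {name}: option '{k}' set {n} times" for k, n in counts.items() if n > 1]
        for item in v.get("push", []):
            w = item.split()
            if w[0] == "route" and len(w) >= 3:
                net = ipaddress.ip_network(f"{w[1]}/{w[2]}", strict=False)
                if not covered(net, lans):
                    findings.append(f"openvpn {name}: pushed route {net} is not a configured LAN")
            elif w[:2] == ["dhcp-option", "DNS"] and len(w) == 3:
                ip = ipaddress.ip_address(w[2])
                if ip.is_private and not covered(ip, lans):  # public resolvers are fine
                    findings.append(f"openvpn {name}: pushed DNS {ip} is on no configured LAN")
    sections = parse_uci(firewall_text)
    zones = Counter(v["name"][0] for typ, _, v, _ in sections if typ == "zone" and "name" in v)
    findings += [f"firewall: zone '{z}' defined {n} times" for z, n in zones.items() if n > 1]
    n_defaults = sum(typ == "defaults" for typ, *_ in sections)
    if n_defaults > 1:
        findings.append(f"firewall: {n_defaults} 'defaults' blocks, only one is expected")
    for typ, _, v, _ in sections:
        if typ == "rule" and "dest_ip" in v:
            net = ipaddress.ip_network(v["dest_ip"][0], strict=False)
            if net.version == 4 and not covered(net, lans):
                findings.append(f"firewall rule '{v.get('name', ['?'])[0]}': dest_ip {net} is not a configured LAN")
    return findings


if __name__ == "__main__":
    print("\n".join(check(NETWORK, FIREWALL, OPENVPN)) or "no findings")
```

Run against the excerpts it reports six findings; rewriting the pushes to the 10.50.50.0/24 LAN and dropping the duplicate `dev` line leaves the openvpn section clean, which is the state the final client log should be compared against.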