1 (edited by delicatepc 2012-05-03 03:07:30)

Topic: HowTo: Simple OpenVPN Setup on OpenWrt for Road Warriors - 8 Steps 1hr

Hi,

I wrote a guide on how to set up OpenVPN on OpenWrt. The wiki didn't outline it in a way that I understood, so I decided to compile the information I found here. In this guide I skip the OpenVPN LuCI app because after tinkering it added problems (such as generating extra configs I did not request and similar). Maybe some day when the OpenVPN LuCI app has better practicality (like cert/user management/generate+download cert capability).

Tested On:
Netgear WNDR3700 v1
OpenWrt Attitude Adjustment trunk by hnyman (r30685 - latest build I could find) - the arokh build didn't leave enough room for OpenVPN on my router.
Didn't feel like sleeping

References:
http://sayap.com/blog/2010/11/9/openvpn-on-openwrt-for-iptables-noob
http://wiki.openwrt.org/doc/howto/vpn.openvpn

Step 1). SSH into the router, and install the necessary packages.

opkg update
opkg install openvpn openvpn-easy-rsa

Step 2). Apply the "push" fix in the OpenVPN init.d file (may not be needed in a newer build). References: https://dev.openwrt.org/ticket/10835 , https://dev.openwrt.org/ticket/10518

nano /etc/init.d/openvpn
#Move "push" from "append_params_quoted" section to "append_params" section.

Step 3). Generate the keys/certificates for OpenVPN.

Part 1: Set Certificate Variables

nano /etc/easy-rsa/vars
# Scroll to the bottom and put in the country, province, city, organization, and email

Part 2: Build the certificates (when prompted, accept the default preassigned values AND answer "Yes" where required - sign/commit spaces)

build-ca
build-dh
build-key-server server

Part 3: Build client key(s), as many as you wish (client1 being the client name below)

build-key-pkcs12 client1

Step 4). Copy the needed server certificate files into /etc/openvpn/. This is the default location, so they will get picked up automatically later.

cd /etc/easy-rsa/keys
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/

Step 5). Create the server OpenVPN config file and create our "tun0" adapter.

Part 1. Create the config file

nano /etc/config/openvpn
#Remove everything in that file and add everything below, or alternatively overwrite it with a new file containing the below

Customize the below to fit your network.

config 'openvpn' 'samplevpnconfig'
        option 'enable' '1'
        option 'port' '1194'
        option 'proto' 'udp'
        option 'dev' 'tun'

        option 'client_to_client' '1'
        option 'keepalive' '10 120'
        option 'comp_lzo' '1'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'verb' '3'
        option 'mute' '20'
        option 'ifconfig_pool_persist' '/tmp/ipp.txt'
        option 'status' '/tmp/openvpn-status.log'
        option 'ca' '/etc/openvpn/ca.crt'
        option 'cert' '/etc/openvpn/server.crt'
        option 'key' '/etc/openvpn/server.key'
        option 'dh' '/etc/openvpn/dh1024.pem'

        option 'server' '172.16.0.0 255.255.255.0'  #this should be on a completely different subnet than your LAN
        list 'push' 'route 192.168.1.0 255.255.255.0' #this should MATCH your current LAN info
        list 'push' 'dhcp-option DNS 192.168.1.1' #this should MATCH your current LAN info
        list 'push' 'dhcp-option DOMAIN 192.168.1.1' #this should MATCH your current LAN info

Part 2. Enable and start the OpenVPN Service.

Go to System -> Startup.
Enable OpenVPN for startup and start the service (this generates our "tun0" adapter, which we need for Step 6).

Step 6). Create the environment for our VPN traffic. Think of it as creating a virtual unmanaged switch that VPN traffic connects to every time; that traffic is then daisy-chained (through some traffic rules) to the LAN interface/switch.

Part 1. Creating our "VPN" interface/unmanaged switch

Go to Network -> Interfaces.
Create new Interface called VPN.
Protocol: "Unmanaged"/none
Interface: tun0

Part 2. Create VPN Firewall Zone

Go to Network -> Firewall
Create a new zone called "VPN".
Incoming and Outgoing Accepted. Forwarding rejected
Covered Networks: VPN

Part 3. Create Traffic Forward Rules to allow ALL communication between LAN and VPN zones and vice versa.

Go to Network -> Firewall -> Traffic Rules
   
Rule 1 Name: LAN->VPN
Source Zone: LAN
Destination Zone: VPN
   
Rule 2 Name:  VPN->LAN
Source Zone: VPN
Destination Zone: LAN

Rule 3 Name: OpenVPN
Protocol: UDP
Source: WAN
Destination Port: 1194
Destination Zone: Device

Step 7). Get the client (road warrior, if you will) all set up and configured.
Note: Make sure you have the OpenVPN client installed and know where the config files are stored.

Part 1. Obtain the client1 certificate we created above (in Step 3 -> Part 3).

Use WinSCP to connect to the router via the SCP protocol.
Grab /etc/easy-rsa/keys/client1.p12 and drop it into the OpenVPN client config(s) folder.

Part 2. Generate the client connection config file and save it in the same place you saved the client certificate. The file can be named "Connection1.ovpn".

client
proto udp
dev tun

remote [YOUR IP or Internet Accessible Address] 1194 #Edit in the brackets to fit your IP/hostname and then remove the brackets
pkcs12 client1.p12

ns-cert-type server
comp-lzo
persist-key
persist-tun
nobind
resolv-retry infinite
verb 3
mute 10

Step 8). Reboot your router (rebooting solved some firewall rule apply issues for me).
Once the router is rebooted and back online, go ahead and test the VPN. Your VPN client will get an IP of 172.16.0.XXX and will be able to access resources in the 192.168.1.XXX subnet of your local network.

All done.

~
dpc

2 (edited by johan81 2012-04-08 20:38:02)

Re: HowTo: Simple OpenVPN Setup on OpenWrt for Road Warriors - 8 Steps 1hr

Thanks a lot for the write-up! I have one question: I cannot connect to the OpenVPN server from the external IP address even though I opened the port in the firewall. Do you have any suggestions? Or is this not possible?

EDIT:
Never mind, it seems that when you are connecting from within the network of the router itself, connecting through the external IP address doesn't work, but from another network (which I am using now) it does work perfectly fine!

EDIT2:
Though, with this configuration, is internet browsing going through the VPN as well? Still a bit green on VPNs and all that.

Re: HowTo: Simple OpenVPN Setup on OpenWrt for Road Warriors - 8 Steps 1hr

@Johan81 - No it will not route all your traffic through VPN. Only the traffic of your network.

-dpc

Re: HowTo: Simple OpenVPN Setup on OpenWrt for Road Warriors - 8 Steps 1hr

I like all my traffic to go through my VPN connection and push my domain name for easy identification instead of my router's IP address. I use:

list 'push' 'dhcp-option DOMAIN domain-name'
list 'push' 'redirect-gateway'

5 (edited by madmic 2012-07-03 09:37:52)

Re: HowTo: Simple OpenVPN Setup on OpenWrt for Road Warriors - 8 Steps 1hr

Hi, thanks for the great write-up - followed with ease. I have one issue: when I connect from the internet (3G or another internet line) I am authenticated and the OpenVPN client says it's connected, however I can't connect to any of my LAN machines. I can ping the address of my router, but not my server, and RDP won't connect... I'm thinking it's an issue with the firewall; the file is as you described in your article... any ideas?

config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'VPN'
        option network 'VPN'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'VPN'
        option name 'LAN->VPN'

config rule
        option target 'ACCEPT'
        option src 'VPN'
        option dest 'lan'
        option name 'VPN->LAN'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option name 'OpenVPN'
        option proto 'udp'
        option dest_port '1194'

***UPDATE***

I think this is to do with bridging traffic between the VPN interface and the local LAN one - I enabled a bridge across eth0.1 and VPN and rebooted, but still no joy... any ideas?

Re: HowTo: Simple OpenVPN Setup on OpenWrt for Road Warriors - 8 Steps 1hr

Try the following, in /etc/firewall.user or LuCI > Firewall > Custom Rules:

###OPENVPN PASS-THROUGH ENABLE RULES###
iptables -t nat -A prerouting_wan -p udp --dport 11944 -j ACCEPT
iptables -A input_wan -p udp --dport 11944 -j ACCEPT

iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT

7 (edited by wesleyhey 2012-10-23 18:29:36)

Re: HowTo: Simple OpenVPN Setup on OpenWrt for Road Warriors - 8 Steps 1hr

I cannot get OpenVPN working correctly. I followed these steps but I still cannot get it working. It looks like it is set up and the keys are created, but it does not seem like it is getting through the firewall or bridge. I have bridged wireless and VLAN eth0.1 and it seems OK; the client will just sit on the other end always trying to connect, but I get no logs on the router side to say the port was blocked.

I am using a WNDR3700v2 and OpenWrt 12.09.

By the way, if I do a port scan it does show it is listening, so it leads me to believe the firewall or routing is not working. In the firewall logs it never seems to see anything come over the VPN side and port 1194.

Maybe you can post the text of your files that need to be edited, in case there is junk in ours that is blocking something.

8 (edited by yazcz 2012-11-23 10:49:42)

Re: HowTo: Simple OpenVPN Setup on OpenWrt for Road Warriors - 8 Steps 1hr

Thanks for the great HowTo... After many days of trying to get it working I finally got it.

I could log in and see the router's IP through the VPN, but I couldn't get out to the internet (no matter which tutorial I used).

To all who can connect but can't access the internet:
after I put these lines in /etc/config/firewall and rebooted the router, I could finally get through the VPN to the internet:

config 'forwarding'
        option 'src' 'VPN'
        option 'dest' 'wan'

Here are my config files, if someone is interested:

/etc/config/firewall

config 'forwarding'
        option 'src' 'VPN'
        option 'dest' 'wan'

config 'zone'
        option 'name' 'VPN'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'lantovpn'
        option 'src' 'lan'
        option 'dest' 'VPN'

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'vpntolan'
        option 'src' 'VPN'
        option 'dest' 'lan'

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'openVPN'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '1194'


/etc/config/openvpn
config 'openvpn' 'samplevpnconfig'
        option 'enable' '1'
        option 'port' '1194'
        option 'proto' 'udp'
        option 'dev' 'tun'

        option 'client_to_client' '1'
        option 'keepalive' '10 120'
        option 'comp_lzo' '1'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'verb' '3'
        option 'mute' '20'
        option 'ifconfig_pool_persist' '/tmp/ipp.txt'
        option 'status' '/tmp/openvpn-status.log'
        option 'ca' '/etc/openvpn/ca.crt'
        option 'cert' '/etc/openvpn/server.crt'
        option 'key' '/etc/openvpn/server.key'
        option 'dh' '/etc/openvpn/dh1024.pem'

        option 'server' '172.16.0.0 255.255.255.0'  #this should be on a completely different subnet than your LAN
        list 'push' 'route 192.168.1.0 255.255.255.0' #this should MATCH your current LAN info
        list 'push' 'dhcp-option DNS 192.168.1.254' #this should MATCH your current LAN info
        list 'push' 'dhcp-option DOMAIN 192.168.1.254' #this should MATCH your current LAN info
        list 'push' 'redirect-gateway'
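The firewall layout from Steps 5 and 6 of the how-to and the VPN->wan forwarding this post adds are easy to get subtly wrong, so here is a small checker, added as an example and not part of any post in this thread, that parses the two UCI files and reports the mismatches: the tunnel pool overlapping the pushed LAN route, a missing lan<->VPN rule, a missing wan rule for the OpenVPN port, and redirect-gateway pushed without a VPN->wan forwarding. The `parse_uci` and `check_vpn_setup` functions and the sample config strings are constructed here; it runs from any machine with Python, not on the router.

```python
import shlex
from ipaddress import ip_network

def parse_uci(text):
    # One UCI statement per line: 'config <type> [name]', 'option <k> <v>', 'list <k> <v>'.
    sections = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)  # strips quotes and trailing '#' comments
        if words and words[0] == "config":
            sections.append({"type": words[1], "options": {}, "lists": {}})
        elif words and words[0] == "option":
            sections[-1]["options"][words[1]] = words[2]
        elif words and words[0] == "list":
            sections[-1]["lists"].setdefault(words[1], []).append(words[2])
    return sections

def check_vpn_setup(openvpn_text, firewall_text):
    """Return the mismatches against the how-to's layout; an empty list means consistent."""
    problems = []
    vpn = next(s for s in parse_uci(openvpn_text) if s["type"] == "openvpn")
    pool = ip_network(vpn["options"]["server"].replace(" ", "/"))  # '172.16.0.0 255.255.255.0'
    pushes = [p.split() for p in vpn["lists"].get("push", [])]
    for p in pushes:  # Step 5: the tunnel pool must be a different subnet than the routed LAN
        if p[0] == "route" and pool.overlaps(ip_network(f"{p[1]}/{p[2]}")):
            problems.append(f"server pool {pool} overlaps pushed LAN route {p[1]}/{p[2]}")
    fw = parse_uci(firewall_text)
    # Zone pairs opened by an ACCEPT rule (Step 6) or by a forwarding section (this post).
    paths = {(s["options"].get("src"), s["options"].get("dest")) for s in fw
             if s["type"] == "forwarding" or s["options"].get("target") == "ACCEPT"}
    for path in (("lan", "VPN"), ("VPN", "lan")):
        if path not in paths:
            problems.append("no %s->%s rule" % path)
    port = vpn["options"].get("port", "1194")
    if not any(s["options"].get("src") == "wan" and "dest" not in s["options"]
               and s["options"].get("dest_port") == port for s in fw):
        problems.append(f"no wan rule accepting port {port} on the router itself")
    if ["redirect-gateway"] in pushes and ("VPN", "wan") not in paths:
        problems.append("redirect-gateway is pushed but no VPN->wan forwarding exists")
    return problems

# Constructed samples mirroring the thread's files, trimmed to what the checks read.
OPENVPN = ("config 'openvpn' 'samplevpnconfig'\n option 'port' '1194'\n"
           " option 'server' '172.16.0.0 255.255.255.0'\n"
           " list 'push' 'route 192.168.1.0 255.255.255.0'\n list 'push' 'redirect-gateway'\n")
FIREWALL = ("config zone\n option name 'VPN'\n option forward 'REJECT'\n"
            "config rule\n option target 'ACCEPT'\n option src 'lan'\n option dest 'VPN'\n"
            "config rule\n option target 'ACCEPT'\n option src 'VPN'\n option dest 'lan'\n"
            "config rule\n option target 'ACCEPT'\n option src 'wan'\n option dest_port '1194'\n")
VPN_TO_WAN = "config forwarding\n option src 'VPN'\n option dest 'wan'\n"  # the fix in this post
```

Running `check_vpn_setup(OPENVPN, FIREWALL)` reproduces the "connected but no internet" symptom as the single redirect-gateway finding, and appending `VPN_TO_WAN` to the firewall text clears it.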

Re: HowTo: Simple OpenVPN Setup on OpenWrt for Road Warriors - 8 Steps 1hr

Many thanks to the OP for this. Much simpler and easier to follow than the DD-WRT equivalent. I got a VPN working first time, following these instructions.

10 (edited by written_direcon 2012-11-23 13:38:13)

Re: HowTo: Simple OpenVPN Setup on OpenWrt for Road Warriors - 8 Steps 1hr

Nice howto :-)
You should put it in the OpenWrt Wiki!

Re: HowTo: Simple OpenVPN Setup on OpenWrt for Road Warriors - 8 Steps 1hr

Can I install openvpn without openvpn-easy-rsa module?

12 (edited by metai 2013-11-08 00:48:53)

Re: HowTo: Simple OpenVPN Setup on OpenWrt for Road Warriors - 8 Steps 1hr

synbulatov wrote:

Can I install openvpn without openvpn-easy-rsa module?

Easy-rsa is used to build the set of keys and certificates to use with OpenVPN; it is not required to run an OpenVPN server or client. So if you already have a set of keys, or build your keys on another machine, or use OpenVPN with simple "secret" password authentication (eek), then yes, you don't need to install the easy-rsa module.

Re: HowTo: Simple OpenVPN Setup on OpenWrt for Road Warriors - 8 Steps 1hr

After much fussing with OpenVPN and the various guides on the wiki, this was ultimately the guide that worked for me.  Many thanks!

14 (edited by jbcdidgosir 2013-12-27 15:40:18)

Re: HowTo: Simple OpenVPN Setup on OpenWrt for Road Warriors - 8 Steps 1hr

delicatepc wrote:

Hi,

I wrote a guide on how to setup OpenVPN on OpenWRT.

Hello, may I ask you a question about OpenVPN on OpenWrt?

My VPN client needs to pass through an NTLM proxy in order to connect to the VPN server.

Previously I configured the VPN client on a PC or Tomato. Only one command was needed:
http-proxy <proxy ip> <proxy port> /etc/auth.txt ntlm

Then create a new file /etc/auth.txt and put my domain user name and password in this file. It works perfectly.

But in OpenWrt, I found that the format of the configuration is totally different, especially for the proxy. I tried to configure:
option 'http_proxy' '192.168.1.100 80 /etc/auth.txt ntlm'

But it doesn't work. So I changed it to:
option 'http_proxy' '192.168.1.100 80'
option 'auth_user_pass' '/etc/auth.txt'
option 'http_proxy_option' 'ntlm'

After the modification, OpenVPN wouldn't work at all. If I delete option 'http_proxy_option' 'ntlm', OpenVPN can be started, but the log is:
HTTP proxy returned: 'HTTP/1.0 407 Proxy Authentication Required.
Proxy requires authentication
HTTP proxy: no support for proxy authentication method
TCP/UDP: Closing socket

So I just wonder, how do I configure the NTLM proxy in OpenVPN on OpenWrt? Thank you very much!