Topic: HowTo: Simple OpenVPN Setup on OpenWrt for Road Warriors - 8 Steps 1hr
I wrote a guide on how to set up OpenVPN on OpenWrt. The wiki didn't outline it in a way that I understood, so I decided to compile the information I found here. In this guide I skip the OpenVPN LuCI app because after tinkering it added problems (such as generating extra configs I did not request, and similar). Maybe some day, when the OpenVPN LuCI app has better practicality (like cert/user management and generate+download cert capability).
Netgear WNDR3700 v1
OpenWrt Attitude Adjustment trunk by hnyman (r30685 - the latest build I could find); the arokh build didn't leave enough room for OpenVPN on my router.
Didn't feel like sleeping
[size=16]Step 1).[/size] SSH into the router, and install the necessary packages.
opkg install openvpn openvpn-easy-rsa
[size=16]Step 2).[/size] In the OpenVPN init script, move "push" from the "append_params_quoted" section to the "append_params" section.
[size=16]Step 3).[/size] Generate the keys/certificates for OpenVPN.
Part 1: Set Certificate Variables
# Scroll to the bottom and put in the country, province, city, organization, and email
Part 2: Build the certificates (when prompted, accept the preassigned default values and answer "Yes" where required, i.e. at the sign and commit prompts)
Part 3: Build client key(s), as many as you wish ("client1" is the client name used below)
[size=16]Step 4).[/size] Copy the needed server certificate files into /etc/openvpn/. This is the default location, so they will get picked up automatically later.
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/
[size=16]Step 5).[/size] Create the server OpenVPN config file and bring up our "tun0" adapter
Part 1. Create the config file
#Remove everything in that file and add everything below, or alternatively overwrite it with a new file containing the below
[size=12]Customize (fit to your network) the below[/size]
config 'openvpn' 'samplevpnconfig'
	option 'enable' '1'
	option 'port' '1194'
	option 'proto' 'udp'
	option 'dev' 'tun'
	option 'client_to_client' '1'
	option 'keepalive' '10 120'
	option 'comp_lzo' '1'
	option 'persist_key' '1'
	option 'persist_tun' '1'
	option 'verb' '3'
	option 'mute' '20'
	option 'ifconfig_pool_persist' '/tmp/ipp.txt'
	option 'status' '/tmp/openvpn-status.log'
	option 'ca' '/etc/openvpn/ca.crt'
	option 'cert' '/etc/openvpn/server.crt'
	option 'key' '/etc/openvpn/server.key'
	option 'dh' '/etc/openvpn/dh1024.pem'
	#this should be on a completely different subnet than your LAN
	option 'server' '172.16.0.0 255.255.255.0'
	#these three should MATCH your current LAN info (DOMAIN takes a domain name, not an address)
	list 'push' 'route 192.168.1.0 255.255.255.0'
	list 'push' 'dhcp-option DNS 192.168.1.1'
	list 'push' 'dhcp-option DOMAIN 192.168.1.1'
Part 2. Enable and start the OpenVPN Service.
Go System-> Startup
Enable OpenVPN for startup and start the service (this creates our "tun0" adapter that we need for Step 6).
[size=16]Step 6).[/size] Create the environment for our VPN traffic. Think of it as a virtual unmanaged switch that every VPN client plugs into; that traffic is then daisy-chained (through a few firewall rules) to the LAN interface/switch.
Part 1. Creating our "VPN" interface/unmanaged switch
Go to Network -> Interfaces.
Create a new interface called "VPN" covering the "tun0" adapter (protocol unmanaged, since OpenVPN assigns the addresses itself).
Part 2. Create VPN Firewall Zone
Go to Network -> Firewall
Create a new zone called "VPN".
Input: accept. Output: accept. Forward: reject.
Covered Networks: VPN
Part 3. Create Traffic Forward Rules to allow ALL communication between LAN and VPN zones and vice versa.
Go to Network -> Firewall -> Traffic Rules
Rule 1 Name: LAN->VPN
Source Zone: LAN
Destination Zone: VPN
Rule 2 Name: VPN->LAN
Source Zone: VPN
Destination Zone: LAN
Rule 3 Name: OpenVPN
Destination Port: 1194
Destination Zone: Device
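The same interface, zone and rules written out as UCI sections, as an added example that is not part of the original post. It assumes the default zone names "lan" and "wan", the Attitude Adjustment option names, and that the OpenVPN rule only needs to admit UDP from the WAN side (matching the server config's proto udp); the two zone forwardings are the equivalent of the LAN->VPN and VPN->LAN traffic rules.

```uci
# /etc/config/network -- the "VPN" interface from Step 6, Part 1
config interface 'VPN'
	# the adapter created when the OpenVPN service starts
	option ifname 'tun0'
	# unmanaged: OpenVPN itself assigns the 172.16.0.x addresses
	option proto 'none'

# /etc/config/firewall -- zone and rules from Step 6, Parts 2 and 3
config zone
	option name 'VPN'
	option network 'VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	# no VPN-to-VPN forwarding at the zone level
	option forward 'REJECT'

# Rule 1 / Rule 2: allow all traffic between the lan and VPN zones
config forwarding
	option src 'lan'
	option dest 'VPN'

config forwarding
	option src 'VPN'
	option dest 'lan'

# Rule 3: let the OpenVPN port reach the router itself
# (no dest option = "Device" in LuCI; src and proto are assumptions)
config rule
	option name 'OpenVPN'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'
	option target 'ACCEPT'
```

Restricting the rule to UDP/1194 from wan keeps the port closed to every other protocol and zone; a verb 3 status log in /tmp/openvpn-status.log shows which clients actually connected.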
[size=16]Step 7).[/size] Get the client (the road warrior, if you will) set up and configured
Note: Make sure you have OpenVPN client installed and know where the config files are stored.
Part 1. Obtain the client1 certificate we created above (in Step 3->Part 3)
Use WinSCP to connect to the router via the SCP protocol.
Grab /etc/easy-rsa/keys/client1.p12 and drop it into the OpenVPN client config(s) folder.
Part 2. Create the client connection config file and save it in the same place you saved the client certificate. The file can be named "Connection1.ovpn".
client
proto udp
dev tun
#Edit the part in brackets to fit your IP/hostname and then remove the brackets
remote [YOUR IP or Internet Accessible Address] 1194
pkcs12 client1.p12
ns-cert-type server
comp-lzo
persist-key
persist-tun
nobind
resolv-retry infinite
verb 3
mute 10
[size=16]Step 8).[/size] Reboot your router (rebooting solved some firewall rule application issues for me).
Once the router has rebooted and is back online, go ahead and test the VPN. Your VPN client will get an IP of 172.16.0.XXX and will be able to access resources in the 192.168.1.XXX subnet of your local network.