OpenWrt Forum Archive

Topic: HowTo: Simple OpenVPN Setup on OpenWrt for Road Warriors - 8 Steps 1hr

The content of this topic has been archived on 27 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

I wrote a guide on how to set up OpenVPN on OpenWRT. The wiki didn't outline it in a way that I understood, so I decided to compile the information I found here. In this guide I skip the OpenVPN LuCI app because, after tinkering, it added problems (such as generating extra configs I did not request, and similar). Maybe some day, when the OpenVPN LuCI app has better practicality (like cert/user management and generate+download cert capability).

Tested On:
Netgear WNDR3700 v1
OpenWrt Attitude Adjustment trunk by hnyman (r30685 - latest build I could find) - the arokh build didn't leave enough room for OpenVPN on my router.
Didn't feel like sleeping

References:
http://sayap.com/blog/2010/11/9/openvpn … ables-noob
http://wiki.openwrt.org/doc/howto/vpn.openvpn

Step 1). SSH into the router and install the necessary packages.

opkg update
opkg install openvpn openvpn-easy-rsa

Step 2). Apply the "push" fix in the OpenVPN init.d file (may not be needed in a newer build). Reference: https://dev.openwrt.org/ticket/10835 , https://dev.openwrt.org/ticket/10518

nano /etc/init.d/openvpn
#Move "push" from "append_params_quoted" section to "append_params" section.

Step 3). Generate the keys/certificates for OpenVPN.

Part 1: Set Certificate Variables

nano /etc/easy-rsa/vars
# Scroll to the bottom and put in the country, province, city, organization, and email

Part 2: Build the Certificates (when prompted accept the default preassigned values AND "Yes" where required - sign/commit spaces)

build-ca
build-dh
build-key-server server

Part 3: Build client key(s). As many as you wish (client1 being the client name below)

build-key-pkcs12 client1

Step 4). Copy the needed server certificate files into /etc/openvpn/. This is the default location, so they will get picked up automatically later.

cd /etc/easy-rsa/keys
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/

Step 5). Create the server OpenVPN config file and create our "tun0" physical adapter.

Part 1. Create the config file

nano /etc/config/openvpn
#Remove everything in that file and add everything below, or alternatively overwrite it with a new file containing the below

Customize the below to fit your network.

config 'openvpn' 'samplevpnconfig'
        option 'enable' '1'
        option 'port' '1194'
        option 'proto' 'udp'
        option 'dev' 'tun'

        option 'client_to_client' '1'
        option 'keepalive' '10 120'
        option 'comp_lzo' '1'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'verb' '3'
        option 'mute' '20'
        option 'ifconfig_pool_persist' '/tmp/ipp.txt'
        option 'status' '/tmp/openvpn-status.log'
        option 'ca' '/etc/openvpn/ca.crt'
        option 'cert' '/etc/openvpn/server.crt'
        option 'key' '/etc/openvpn/server.key'
        option 'dh' '/etc/openvpn/dh1024.pem'

        option 'server' '172.16.0.0 255.255.255.0'  #this should be on a completely different subnet than your LAN
        list 'push' 'route 192.168.1.0 255.255.255.0' #this should MATCH your current LAN info
        list 'push' 'dhcp-option DNS 192.168.1.1' #this should MATCH your current LAN info
        list 'push' 'dhcp-option DOMAIN 192.168.1.1' #this should MATCH your current LAN info

Part 2. Enable and start the OpenVPN Service.

Go System-> Startup
Enable OpenVPN for startup and start the service. (this generates our "tun0" adapter that we need for Step 6).

Step 6). Create the environment for our VPN traffic. Think of it as creating a virtual unmanaged switch that VPN traffic virtually connects to every time, and then that traffic is daisy-chained (through some traffic rules) to the LAN interface/switch.

Part 1. Creating our "VPN" interface/unmanaged switch

Go to Network -> Interfaces.
Create new Interface called VPN.
Protocol: "Unmanaged"/none
Interface: tun0

Part 2. Create VPN Firewall Zone

Go to Network -> Firewall
Create a new zone called "VPN".
Incoming and Outgoing Accepted. Forwarding rejected
Covered Networks: VPN

Part 3. Create Traffic Forward Rules to allow ALL communication between LAN and VPN zones and vice versa.

Go to Network -> Firewall -> Traffic Rules
   
Rule 1 Name: LAN->VPN
Source Zone: LAN
Destination Zone: VPN
   
Rule 2 Name:  VPN->LAN
Source Zone: VPN
Destination Zone: LAN

Rule 3 Name: OpenVPN
Protocol: UDP
Source: WAN
Destination Port: 1194
Destination Zone: Device

Step 7). Get the client (road warrior, if you will) all set up and configured.
Note: Make sure you have OpenVPN client installed and know where the config files are stored.

Part 1. Obtain the client1 certificate we created above (in Step 3->Part 3)

Use WinSCP to connect to the router via SCP protocol
Grab /etc/easy-rsa/keys/client1.p12 and drop it into the OpenVPN client config(s) folder.

Part 2. Generate the client connection config file and save it same place you saved the client certificate. The file can be named "Connection1.ovpn".

client
proto udp
dev tun

remote [YOUR IP or Internet Accessible Address] 1194 #Edit in the brackets to fit your IP/hostname and then remove the brackets
pkcs12 client1.p12

ns-cert-type server
comp-lzo
persist-key
persist-tun
nobind
resolv-retry infinite
verb 3
mute 10

Step 8). Reboot your router (rebooting solved some firewall-rule apply issues for me).
Once the router is rebooted and back online, go ahead and test the VPN. Your VPN client will get an IP of 172.16.0.XXX and will be able to access resources in the 192.168.1.XXX subnet of your local network.

All done.

~
dpc

(Last edited by delicatepc on 3 May 2012, 03:07)

Thanks a lot for the write-up! I have one question: I cannot connect to the OpenVPN server from the external IP address even though I opened the port in the firewall. Do you have any suggestions? Or is this not possible?

EDIT:
Nevermind, it seems that when you are connecting from within the network of the router itself, connecting through the external IP address doesn't work, but from another network (which I am using now) it does work perfectly fine!

EDIT2:
Though, with this configuration, is internet browsing going through the VPN as well? Still a bit green on VPN and all that.

(Last edited by johan81 on 8 Apr 2012, 20:38)

@Johan81 - No, it will not route all your traffic through the VPN. Only the traffic of your network.

-dpc

I like all my traffic to go through my VPN connection and push my domain name for easy identifying instead of my router's ip address.  I use:

list 'push' 'dhcp-option DOMAIN domain-name'
list 'push' 'redirect-gateway'

Hi, thanks for the great write-up - followed with ease. I have one issue: when I connect from the internet (3G or another internet line) I am authenticated and the OpenVPN client says it's connected, however I can't connect to any of my LAN machines :( I can ping the address of my router, but not my server, and RDP won't connect... I'm thinking it's an issue with the firewall; the file is as you described in your article... any ideas?

config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'VPN'
        option network 'VPN'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'VPN'
        option name 'LAN->VPN'

config rule
        option target 'ACCEPT'
        option src 'VPN'
        option dest 'lan'
        option name 'VPN->LAN'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option name 'OpenVPN'
        option proto 'udp'
        option dest_port '1194'

***UPDATE***

I think this has to do with bridging traffic between the VPN interface and the local LAN one - I enabled a bridge across eth0.1 and VPN and rebooted, but still no joy... any ideas?

(Last edited by madmic on 3 Jul 2012, 09:37)

Try the following, in /etc/firewall.user or luci>firewall>custom rules:

###OPENVPN PASS-THROUGH ENABLE RULES###
iptables -t nat -A prerouting_wan -p udp --dport 11944 -j ACCEPT
iptables -A input_wan -p udp --dport 11944 -j ACCEPT

iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT

I cannot get OpenVPN working correctly. I followed these steps but I still cannot get it working. It looks like it is set up and the keys are created, but it does not seem like it is getting through the firewall or bridge. I have bridged wireless and VLAN eth0.1 and it seems OK; the client will just sit on the other end trying to connect, but I get no logs on the router side to say the port was blocked.

I am using a WNDR3700 v2 and OpenWrt 12.09.

By the way, if I do a port scan it does show it is listening, so it leads me to believe the firewall or routing is not working. In the firewall logs it never seems to see anything come over the VPN side and port 1194.

Maybe you can post the text of your files that need editing, in case there is junk in ours that is blocking something.

(Last edited by wesleyhey on 23 Oct 2012, 18:29)

Thanks for the great HowTo... After many days of trying to get it working, I finally got it.

I could log in and see the router's IP through the VPN, but I couldn't get out to the internet (no matter which tutorial I used).

To all who can connect but can't access the internet:
after I put these lines into /etc/config/firewall and rebooted the router, I could finally get through the VPN to the internet.

config 'forwarding'
        option 'src' 'VPN'
        option 'dest' 'wan'

Here are my config files, if someone is interested:

/etc/config/firewall

config 'forwarding'
        option 'src' 'VPN'
        option 'dest' 'wan'

config 'zone'
        option 'name' 'VPN'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'lantovpn'
        option 'src' 'lan'
        option 'dest' 'VPN'

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'vpntolan'
        option 'src' 'VPN'
        option 'dest' 'lan'

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'openVPN'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '1194'


/etc/config/openvpn
config 'openvpn' 'samplevpnconfig'
        option 'enable' '1'
        option 'port' '1194'
        option 'proto' 'udp'
        option 'dev' 'tun'

        option 'client_to_client' '1'
        option 'keepalive' '10 120'
        option 'comp_lzo' '1'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'verb' '3'
        option 'mute' '20'
        option 'ifconfig_pool_persist' '/tmp/ipp.txt'
        option 'status' '/tmp/openvpn-status.log'
        option 'ca' '/etc/openvpn/ca.crt'
        option 'cert' '/etc/openvpn/server.crt'
        option 'key' '/etc/openvpn/server.key'
        option 'dh' '/etc/openvpn/dh1024.pem'

        option 'server' '172.16.0.0 255.255.255.0'  #this should be on a completely different subnet than your LAN
        list 'push' 'route 192.168.1.0 255.255.255.0' #this should MATCH your current LAN info
        list 'push' 'dhcp-option DNS 192.168.1.254' #this should MATCH your current LAN info
        list 'push' 'dhcp-option DOMAIN 192.168.1.254' #this should MATCH your current LAN info
        list 'push' 'redirect-gateway'

(Last edited by yazcz on 23 Nov 2012, 10:49)
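The OP's Step 6 zone/rules and yazcz's VPN->wan forwarding above cover the three paths a road warrior needs (WAN reaching the daemon, VPN->LAN, and VPN->WAN when redirect-gateway is pushed). As an added example, not from this thread or from OpenWrt, the script below parses UCI stanzas in the format posted here and reports which of those paths is missing; the sample configs are constructed from the posts, and the forwarding-check logic is this example's own, not OpenWrt's firewall3 code.

```python
"""Added example (not OpenWrt code): check UCI firewall/openvpn stanzas from this thread for forwarding gaps."""
import shlex

# Constructed from the OP's Step 5/6 configs; the trailing '#' comment is tolerated, as in libuci.
FIREWALL_OP = """
config 'zone'
        option 'name' 'VPN'
config 'rule'
        option 'target' 'ACCEPT'
        option 'src' 'VPN'
        option 'dest' 'lan'
config 'rule'
        option 'target' 'ACCEPT'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '1194'
"""
# yazcz's addition: forward VPN->wan so redirect-gateway clients still reach the internet.
FIREWALL_FIXED = FIREWALL_OP + "config 'forwarding'\n option 'src' 'VPN'\n option 'dest' 'wan'\n"
OPENVPN = """
config 'openvpn' 'samplevpnconfig'
        option 'port' '1194'
        option 'server' '172.16.0.0 255.255.255.0'  #different subnet than the LAN
        list 'push' 'redirect-gateway'
"""

def parse_uci(text):
    """Return [(section_type, {key: value or [values]})]; shlex handles quotes and '#'."""
    sections = []
    for words in (shlex.split(l, comments=True) for l in text.splitlines()):
        if words and words[0] == 'config':
            sections.append((words[1], {}))
        elif words and words[0] == 'option':
            sections[-1][1][words[1]] = words[2]
        elif words and words[0] == 'list':
            sections[-1][1].setdefault(words[1], []).append(words[2])
    return sections

def allowed_pairs(sections):
    """Zone pairs allowed to forward: 'forwarding' sections plus ACCEPT rules naming src and dest zones."""
    return {(o['src'], o['dest']) for t, o in sections if t == 'forwarding'
            or (t == 'rule' and o.get('target') == 'ACCEPT' and 'src' in o and 'dest' in o)}

def check_vpn(firewall_text, openvpn_text, zone='VPN'):
    """Return findings for the three paths a road warrior needs; [] means all three are open."""
    fw, vpn = parse_uci(firewall_text), parse_uci(openvpn_text)
    pairs, findings = allowed_pairs(fw), []
    port = next((o.get('port', '1194') for t, o in vpn if t == 'openvpn'), '1194')
    if not any(t == 'rule' and o.get('src') == 'wan' and 'dest' not in o
               and o.get('proto') == 'udp' and o.get('dest_port') == port for t, o in fw):
        findings.append(f"no wan input rule for udp/{port}: clients cannot connect")
    if (zone, 'lan') not in pairs:
        findings.append(f"{zone}->lan not allowed: clients reach only the router itself")
    if any(p.startswith('redirect-gateway') for t, o in vpn for p in o.get('push', [])) and (zone, 'wan') not in pairs:
        findings.append(f"redirect-gateway pushed but no {zone}->wan forwarding: no internet via VPN")
    return findings
```

Running `check_vpn(FIREWALL_OP, OPENVPN)` reports only the missing VPN->wan forwarding that yazcz hit; with `FIREWALL_FIXED` it returns an empty list.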

Many thanks to the OP for this. Much simpler and easier to follow than the DD-WRT equivalent. I got a VPN working first time, following these instructions.

Nice howto :-)
You should put it in the OpenWrt Wiki!

(Last edited by written_direcon on 23 Nov 2012, 13:38)

Can I install openvpn without openvpn-easy-rsa module?

synbulatov wrote:

Can I install openvpn without openvpn-easy-rsa module?

Easy-rsa is used to build the set of keys and certificates to use with OpenVPN; it is not required to run an OpenVPN server or client. So if you already have a set of keys, or build your keys on another machine, or use OpenVPN with simple "secret" password authentication (eek), then, yes, you don't need to install the easy-rsa module.

(Last edited by metai on 8 Nov 2013, 00:48)

After much fussing with OpenVPN and the various guides on the wiki, this was ultimately the guide that worked for me.  Many thanks!

delicatepc wrote:

Hi,

I wrote a guide on how to setup OpenVPN on OpenWRT.

Hello, may I ask you a question on the OpenVPN based on OpenWRT?

My VPN client needs to pass through a NTLM proxy so as to continue connecting to the VPN server.

Previously I configured the VPN client on a PC or Tomato. Only one command was needed:
http-proxy <proxy ip> <proxy port> /etc/auth.txt ntlm

Then create a new file /etc/auth.txt and put my domain user name and password in this file. It works perfectly.

But in OpenWRT, I found that the format of the configuration is totally different, especially for the proxy. I tried to configure:
option 'http_proxy' '192.168.1.100 80 /etc/auth.txt ntlm'

But it doesn't work. So I changed it to:
option 'http_proxy' '192.168.1.100 80'
option 'auth_user_pass' '/etc/auth.txt'
option 'http_proxy_option' 'ntlm'

After the modification, OpenVPN couldn't work at all. If I delete option 'http_proxy_option' 'ntlm', OpenVPN can be started, but the log is:
HTTP proxy returned: 'HTTP/1.0 407 Proxy Authentication Required.
Proxy requires authentication
HTTP proxy: no support for proxy authentication method
TCP/UDP: Closing socket

So I just wonder how to configure the NTLM proxy in OpenVPN on OpenWRT. Thank you very much!

(Last edited by jbcdidgosir on 27 Dec 2013, 15:40)

Thank you delicatepc,

very nice tutorial; after I followed the other tutorials, which might be a bit outdated, luckily I found yours. It works like I imagine it should work :) I almost need to set up DNS for the VPN client somehow.

Additional information from my side; maybe it's not correct, but it solved the problem with pinging other hosts behind the router for me. Before, I was only able to ping the router IP itself.

kelxon wrote:

Try the following, in /etc/firewall.user or luci>firewall>custom rules:

###OPENVPN PASS-THROUGH ENABLE RULES###
iptables -t nat -A prerouting_wan -p udp --dport 11944 -j ACCEPT
iptables -A input_wan -p udp --dport 11944 -j ACCEPT

iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT

They are the same rules as in the wiki tutorial or elsewhere in the forum, except for the port, which should be 1194 and not 11944, but that's not the point. I always got an error when putting stuff there, even though iptables is installed and the xt_tcpudp module was always loaded. My OpenWRT router with Barrier Breaker always said -> "iptables: No chain/target/match by that name."

Enabling NAT for my VLAN bridge interface eth0.1, where the LAN and WLAN ports are included, solved the problem for me of pinging the devices behind my router during a connected VPN session. Maybe it's wrong, but it works. If DNS pings were possible as well, that would be great for me, but it's not a must-have.

best regards

fosphatic

p.s. thanks for great thread again!

Great tutorial, thank you! Works perfectly on Barrier Breaker RC2.

This evening I had to install OpenVPN on Barrier Breaker 14.07, so came back to this trusty guide.

I had to make one change, after examining the router's System Log: in the file /etc/config/openvpn the line option 'comp_lzo' '1' had to be changed to option 'comp_lzo' 'yes'

For some reason option 'comp_lzo' '1' triggered the error message "Options error: bad comp-lzo option: 1 -- must be 'yes', 'no', or 'adaptive'", but changing "1" to "yes" got everything working again.

(Last edited by 600cc on 31 Mar 2015, 20:47)

I tried and it does not seem to be working, adding the network interface as well as the firewall rules. I'm running OpenVPN through the command line.

OK, I tried and it seems like it's working on my Odroid connected via the router, but the PC and mobile cannot connect to the internet.

You may have the same or a similar issue to what I have. Following this guide worked perfectly fine in Barrier Breaker, but in Chaos Calmer the DNS lookup is not working, making the internet and local LAN devices inaccessible by device name or URL.

To resolve this issue, in /etc/config/openvpn, for any route or DHCP options you're pushing to the VPN client, make sure to remove the "list" wording, like:

push "route 192.168.1.0 255.255.255.0"    #this should MATCH your current LAN info
push "dhcp-option DNS 192.168.1.1"      #this should MATCH your current LAN info
push "dhcp-option DOMAIN LOCALDOMAIN.LAN"       #this should MATCH your current LAN info
push redirect-gateway lan def1

This seems to resolve the issue for me in Chaos Calmer.

Thanks, folks, for replying to peers who had issues.

Since writing this guide it's likely some of the values have been tweaked. As an example, @600cc: the switch from [0/1] to [no/yes] as parameter value is likely a change in the OpenVPN software itself. The guide is ~4 years old, but the principal concepts should be similar.

Some work this guide needs:
- Update/testing to be in line with current versions.
- Testing to see if the LuCI interface has matured enough to deal with cert issuing, distribution and revoking.
- 2 Factor Authentication (integrating the Duo Platform looks to be a quick way)
- Notification on client connection to OpenVPN server (shell scripts look to be the way)
- Performance results on a modern SOC (something like Linksys AC1900/ACS)
- Integration into Wiki page if desired.
