You are here: OpenWrt Wiki » The "oldwiki" namespace » Introduction

OpenVPN server config file
- Make VPN accessible through proxy and/or restrictive firewall
Firewall
Automatic OpenVPN startup
"Certificate not yet valid" error
LAN behind VPN server not accesible

OpenVPN via TUN HowTo

Introduction

The intention of this guide is to enable a TUN-based (routed) tunnel with SSL/TLS certificates on your OpenWRT installation. It was based (and largely copied from :) ) on the OpenVPNHowTo, which in turn talks about a slightly different (TAP-based) approach.

For more information regarding the differences between bridging (TAP) and routing (TUN) and which solution is more appropriate in your case please see http://openvpn.net/faq.html#bridge2.

The desired final setup is an OpenVPN server running on your OpenWRT which will receive OpenVPN client connections and optionally forward them (so you can you the internet through your new tunnel).

Install Software

To install OpenVPN on OpenWRT, only a simple command is needed:

ipkg install openvpn

Windows users can either download the standard OpenVPN distribution or get the OpenVPN GUI for Windows from Mathias Sundman.

Non-Windows clients just follow the OpenVPN install instructions.

Certificate creation

Without delving too deeply in that incredibly annoying process of Certificate creation, you need to generate the following files (the names can be changed to suit your personal organizational preferences).

file	description	example of command to create it
ca.crt	the Root Certificate for your Certificate Authority. Should be on the server and all clients. Should be used to sign all the other certificates (both server and client)

server.crt, client.crt

the certificate for your server or client, signed using the Root Certificate

#openssl ca -cert ca.crt -keyfile ca.key -out server.crt -in server.csr; *

#openssl req -nodes -new -keyout client.key -out client.csr;

#openssl ca -cert ca.crt -keyfile ca.key -out client.crt -in client.csr; *

server.key, client.key	the private key generated with your server or client's certificate	same as above, created on the same run
dh.pem	the Diffie-Hellman file for secure SSL/TLS negotiation, identical on the server and all clients

(change 1024 to the size of the key you want) ^ | shared.key(optional) ^ a shared key file, identical on the server and all clients |

#openvpn --genkey --secret shared.key;

* If you receive an error like

I am unable to access the ./demoCA/newcerts directory. /demoCA/newcerts: No such file or directory

, take a look at your

openssl.cnf

file. For instance, in Ubuntu and OpenWRT RC9 openssl expect a

demoCA

directory with a

newcerts

and a

private

subdirectory. Run these commands to create everything in Ubuntu:

mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
touch demoCA/index.txt
echo "01" >> demoCA/serial

For more details check out the PKI part of the OpenVPN 2.0 HowTo which uses the

EASY-RSA

package. Another useful tool to generate the certificates is cascript.

At last the server key has to be made inaccessible for others:

chmod 0600 /etc/openvpn/server.key

Server Setup

OpenVPN server config file

Change the addresses for your specific setup, if needed.

/etc/openvpn/server.conf:

port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
tls-auth /etc/openvpn/shared.key
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway"
comp-lzo
keepalive 10 120
status /tmp/openvpn.status

Note: on the merits of tls-auth, please read this.

At this point you can start OpenVPN for testing:

openvpn /etc/openvpn/server.conf

Make VPN accessible through proxy and/or restrictive firewall

If access to the VPN through a proxy and/or a restrictive firewall is needed, then using the TCP protocol for the proxy and port 443 for the firewall will be the solution for nearly all cases.

port 443
proto tcp

It is possible to keep port 1194, but then you have to redirect port 443 with a firewall rule.

Firewall

To access the VPN from the internet (WAN) the firewall rules must accept outside connections for your VPN port (e.g. udp-1194). The firewall rules are stored in

/etc/firewall.user

. There is already an example (WR 0.9) for accepting SSH connections from outside, which can be copied and changed to:

iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables        -A input_wan      -p udp --dport 1194 -j ACCEPT

Also as mentioned in the OpenVPN FAQ ip_foward must be enabled (default in WR 0.9) and packets for the OpenVPN interfaces have to be allowed/forwarded. It turned out that the OpenVPN FAQ about iptables (as of 2007-07) is not 100% correct, as the rules for output packets are missing (forum thread) and TAP devices may not need extra rules:

iptables -A INPUT   -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A OUTPUT  -o tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT

If you want to block DoS attacks then have a look at this forum thread. It is based on the information of the documents IPTables and ThrottleConnectionsHowTo. It also provides an example how to access SSH via a non-standard port (e.g. 443 for restrictive firewalls) although SSH is still running on the standard port 22. You can easily adopt it to VPN.

If it is intended that keys are sent via SSH across the WAN, then also enable accepting SSH connections from outside:

iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
iptables        -A input_wan      -p tcp --dport 22 -j ACCEPT

Automatic OpenVPN startup

If the manual startup and configuration worked fine, the only missing step is to automate OpenVPN's startup on the server side. Simply add the following file and it should start automatically on the next boot process.

/etc/init.d/S46openvpn:

#!/bin/sh
case "$1" in
        start)
                openvpn --daemon --config /etc/openvpn/server.conf
        ;;
        restart)
                $0 stop
                sleep 3
                $0 start
        ;;
        reload)
                killall -SIGHUP openvpn
        ;;
        stop)
                killall openvpn
        ;;
esac

At last the script has to be made executable:

chmod 0755 /etc/init.d/S46openvpn

Client Setup

Copy shared.key, ca.crt, client.crt, client.key and dh.pem to your openvpn directory on your client (/etc/openvpn/ in Linux). You can copy them securely via

scp

, with:

scp :/etc/openvpn/ /etc/openvpn/

And use this as a client configuration file:

client
dev tun
proto udp
remote your.domain.com 1194
nobind
#user nobody
#group nogroup
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
dh /etc/openvpn/dh.pem
tls-auth /etc/openvpn/shared.key
comp-lzo

Note: your.domain.com should be set to your static IP or to your dynamic DNS configured with ez-ipupdate.

Now that should be it. Start the OpenVPN client either through the GUI or command line and it should link up.

Troubleshooting

"Certificate not yet valid" error

This is probably the first problem you'll encounter and it's related to the server date. To fix it, just:

ipkg install ntpclient

And start it after installation.

LAN behind VPN server not accesible

First check your firewall rules and your server config that it pushes a route to the VPN clients.

Second make sure that all LAN clients use the VPN server as their default gateway or have a route for the VPN subnet to the VPN server.

CategoryHowTo

oldwiki/openvpntunhowto.txt · Last modified: 2009/04/23 12:38 (external edit)

OpenWrt

Wiki Search

Actions