OpenVPN Road Warriors on OpenWRT (12.09 – 18.06.1)
Update and install OpenVPN and EasyRSA
opkg update
opkg install openvpn openvpn-easy-rsa
Edit /etc/easy-rsa/vars and fill in the variables at the end of the file.
Generate the keys/certificates for OpenVPN (12.09)
build-ca
build-dh
build-key-server server
Generate the keys/certificates for OpenVPN (18.06.1)
cd /etc/easy-rsa/
easyrsa init-pki
easyrsa build-ca
easyrsa gen-dh   # 18.06.1 ships easy-rsa 3: the tool is called easyrsa and gen-dh replaces build-dh
easyrsa build-server-full server   # easy-rsa 3 counterpart of build-key-server; output goes under /etc/easy-rsa/pki/
Build Client keys
build-key-pkcs12 client1
build-key-pkcs12 client2
etc...
Copy the needed server certificate files into /etc/openvpn/. This is the default location, so they will get picked up automatically later.
cd /etc/easy-rsa/keys
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/   # ca.key is not used by the server config below; only certificate signing needs it
# On 18.06.1 (easy-rsa 3) the files are under /etc/easy-rsa/pki/ instead: ca.crt, dh.pem, issued/server.crt and private/server.key
Create the config file
nano /etc/config/openvpn
# Comments in UCI files go on their own lines; option names use '_' where OpenVPN uses '-'.
config 'openvpn' 'myvpn'
	option 'enable' '1'
	option 'port' '1194'
	option 'proto' 'udp'
	option 'dev' 'tun'
	# allow client-to-client connections
	option 'client_to_client' '1'
	option 'keepalive' '10 120'
	option 'comp_lzo' '1'
	option 'persist_key' '1'
	option 'persist_tun' '1'
	option 'verb' '3'
	option 'mute' '20'
	option 'ifconfig_pool_persist' '/tmp/ipp.txt'
	option 'status' '/tmp/openvpn-status.log'
	option 'ca' '/etc/openvpn/ca.crt'
	option 'cert' '/etc/openvpn/server.crt'
	option 'key' '/etc/openvpn/server.key'
	option 'dh' '/etc/openvpn/dh1024.pem'
	# allow the same key to be used by multiple clients (the init script passes this on as --duplicate-cn)
	option 'duplicate_cn' '1'
	# VPN address pool
	option 'server' '192.168.250.0 255.255.255.0'
	# route to the router LAN
	list 'push' 'route 192.168.10.0 255.255.255.0'
	# router LAN IP as DNS server
	list 'push' 'dhcp-option DNS 192.168.10.1'
	# DNS suffix
	list 'push' 'dhcp-option DOMAIN vpn.domain.com'
	# force all traffic of the VPN client through the VPN tunnel
	list 'push' 'redirect-gateway'
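As an added example (not from the original post or from OpenWrt), the following Python renders a UCI 'openvpn' section into the openvpn.conf directives the init script would pass on, and then audits the result for the settings a reviewer would question before exposing port 1194 on the WAN. SAMPLE_UCI is a constructed, trimmed copy of the section above; the audit rules, the list of flag options, and reading the DH size from the file name are this example's own assumptions.

```python
# Added example (not from the original post): mirror the mapping OpenWrt's openvpn
# init script applies to a UCI section ('_' -> '-', 'list push' -> quoted push),
# then audit the result. The audit rules are this example's own; reading the DH
# size from the file name is a heuristic.
import re
import shlex
# Constructed sample: the page's server section (trimmed), comment on its own line.
SAMPLE_UCI = """
config 'openvpn' 'myvpn'
    option 'enable' '1'
    # allow client-to-client connections
    option 'client_to_client' '1'
    option 'dh' '/etc/openvpn/dh1024.pem'
    option 'duplicate_cn' '1'
    option 'server' '192.168.250.0 255.255.255.0'
    list 'push' 'route 192.168.10.0 255.255.255.0'
    list 'push' 'redirect-gateway'
"""
# UCI options the init script emits as bare flags when set to '1'.
FLAGS = {"client-to-client", "comp-lzo", "persist-key", "persist-tun", "duplicate-cn"}
SKIP = {"enable"}  # init-script switch, not an OpenVPN directive

def uci_to_openvpn(text):
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == "#" or line.startswith("config "):
            continue
        parts = shlex.split(line)
        if parts[0] not in ("option", "list") or len(parts) != 3:
            raise ValueError(f"malformed UCI line: {raw!r}")  # e.g. a trailing comment
        name, value = parts[1].replace("_", "-"), parts[2]
        if parts[0] == "list" and name == "push":
            out.append(f'push "{value}"')
        elif name in FLAGS and value == "1":
            out.append(name)
        elif name not in FLAGS | SKIP:
            out.append(f"{name} {value}")
    return out

def audit(directives):
    findings = []
    if "duplicate-cn" in directives:
        findings.append("duplicate-cn: one shared client cert; revoking it cuts off every client")
    m = re.search(r"^dh .*?(\d+)\.pem$", "\n".join(directives), re.M)
    if m and int(m.group(1)) < 2048:
        findings.append(f"dh: {m.group(1)}-bit parameters; regenerate with at least 2048 bits")
    if not any(d.split()[0] in ("tls-auth", "tls-crypt") for d in directives):
        findings.append("no tls-auth/tls-crypt: control channel accepts unauthenticated handshakes")
    return findings
```

Call audit(uci_to_openvpn(SAMPLE_UCI)) to list the findings for the section above; a section with a 2048-bit DH file, no duplicate-cn and a tls-crypt key produces none.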
Enable and start the OpenVPN Service.
Go to System -> Startup
Enable OpenVPN for startup and start the service
Create the “VPN” interface (unmanaged)
Go to Network -> Interfaces.
Create new Interface called VPN.
Protocol: “Unmanaged”/none
Interface: tun0
Create the VPN firewall zone
Go to Network -> Firewall
Create a new zone called “VPN”.
Incoming and Outgoing: Accept. Forwarding: Reject
Covered Networks: VPN
Create traffic rules to allow ALL communication between the LAN and VPN zones (and vice versa), plus one that accepts OpenVPN on the WAN.
Go to Network -> Firewall -> Traffic Rules
Rule 1
Name: LAN->VPN
Source Zone: LAN
Destination Zone: VPN
Rule 2
Name: VPN->LAN
Source Zone: VPN
Destination Zone: LAN
Rule 3
Name: OpenVPN
Protocol: UDP
Source: WAN
Destination Port: 1194
Destination Zone: Device
Add the following to /etc/firewall.user
iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables -A input_wan -p udp --dport 1194 -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
Use WinSCP to connect to the router via SCP protocol
Grab /etc/easy-rsa/keys/client1.p12 and drop it into the OpenVPN client config(s) folder.
Generate the client connection config file and save it in the same place you saved the client certificate. The file can be named “Connection.ovpn”.
client
proto udp
dev tun
remote [YOUR IP or Internet Accessible Address] 1194 #Edit in the brackets to fit your IP/hostname and then remove the brackets
pkcs12 client1.p12
ns-cert-type server #deprecated since OpenVPN 2.4 and removed in 2.5; newer clients use "remote-cert-tls server" for the same check
comp-lzo
persist-key
persist-tun
nobind
resolv-retry infinite
verb 3
mute 10
Source: OpenWRT Forums