----
  * **vpnserver-openwrt**
  * **Jonathan Haack**
  * **Haack's Networking**
  * **webmaster@haacksnetworking.org**
----

//vpnserver-openwrt//

----

This tutorial was originally written for running OpenVPN on OpenWrt on a Netgear WNDR3800 router. My current hardware, however, is the TP-Link Archer C7 v5. Regardless of which router you use, this tutorial will help you turn your OpenWrt router into a self-hosted VPN server.

First, download the stable release for your model. It is best to find the dedicated hardware page and check your exact hardware variant, since images are revision-specific. Below is the page for the Archer, plus the link to all OpenWrt downloads and the supported hardware list.

  * [[https://openwrt.org/toh/tp-link/archer_c7|c7Archerv5]]
  * [[https://downloads.openwrt.org/|Downloads]]
  * [[https://openwrt.org/toh/start|Table of Hardware]]

It is probably best to stop NetworkManager; after that, assign a local IP address (on the same subnet as the router's default address, 192.168.1.1) to the interface that is cabled to the router:

<code bash>
sudo systemctl stop network-manager
sudo ip a a 192.168.1.105/24 dev <interface>
</code>

Put a paperclip in the reset button while the device is off. Keeping the paperclip gently depressed in the reset button, turn the device on, and keep holding it until there is a flashing green light. At this point, I usually ping the router and/or run ethtool to confirm that the link is up:

<code bash>
ping 192.168.1.1
sudo ethtool <interface>
</code>

In the past, you would get a "taking countermeasures" response while pinging the device. At other times, ping just hangs (but it is connected). At any rate, once you are connected, flash the image with curl over TFTP:

<code bash>
curl -T ~/Downloads/openwrt-latest.img tftp://192.168.1.1
</code>

After that, wait at least 5-10 minutes before attempting to log in to the device. In fact, before I log in to the web interface, I prefer to shell into the router, update the package lists, install what we need, and then upgrade packages first.
In order to do this, make sure to plug an ethernet cable from your current LAN into the WAN port on the router so it can route to the internet:

<code bash>
ssh root@192.168.1.1
opkg update
opkg install gzip openvpn-easy-rsa openvpn-openssl nano wget nmap tcpdump curl luci-ssl
opkg list-upgradable
opkg upgrade
</code>

Note that OpenWrt's own wiki warns that blindly upgrading every installed package can break a router, so look at the ''list-upgradable'' output first and upgrade selectively if anything looks risky.

Before I get any further, I like to set up HTTPS for the web interface. luci-ssl makes uhttpd generate a self-signed certificate on first start, using the values in its config file. When you edit that file, change the certificate expiry (''option days'') to something large, enter your email/org, etc., and then restart the service. The values are only used when uhttpd has to generate a new certificate, so if ''/etc/uhttpd.crt'' and ''/etc/uhttpd.key'' already exist, delete them before the restart or the old certificate stays in place.

<code bash>
nano /etc/config/uhttpd
/etc/init.d/uhttpd restart
</code>

Now, let's move the easy-rsa directory under a custom OpenVPN config directory in /etc/config, so that the PKI lives with the configuration that OpenWrt keeps across package upgrades, and symlink it back to its original location so easy-rsa and the package still find it:

<code bash>
mkdir /etc/config/openvpnconfig/
mv /etc/easy-rsa /etc/config/openvpnconfig/
cd /etc/
ln -s config/openvpnconfig/easy-rsa ./
</code>

Now, let's enter the parameters in the vars file, which determine how the CA and server certificate will be built and also drive the defaults for your client certificates. I suggest editing at least the expiry (''EASYRSA_CA_EXPIRE'' and ''EASYRSA_CERT_EXPIRE'') and the organization fields (the ''EASYRSA_REQ_*'' variables):

<code bash>
nano /etc/config/openvpnconfig/easy-rsa/vars
</code>

Now, let's rename the original config file, and then create two custom configuration files as follows:

<code bash>
mv /etc/config/openvpn /etc/config/openvpn-original
touch /etc/config/openvpn
touch /etc/config/openvpnconfig/server.conf
</code>

Examples of this .conf file can be found [[https://codetalkers.services|HERE]].

The first file, /etc/config/openvpn, is the UCI file that tells OpenWrt's init script where the real OpenVPN configuration is. Enter something like what is listed below. The section name (''server'' here) is the instance name that will show up in the process list; if you pick another name, use only letters and digits and no special characters:

<code>
##/etc/config/openvpn##
package openvpn

config openvpn 'server'
	option enabled 1
	option config /etc/config/openvpnconfig/server.conf
</code>

The second file is the actual OpenVPN server configuration. Do something like the following, and remember to change every address that does not match your network.
Remember that the pushed route and DNS server (10.15.15.0/24 and 10.15.15.1 below) must be your router's LAN, not the VPN's own address scheme (10.66.66.0/24), so change them to match your LAN.

<code>
##/etc/config/openvpnconfig/server.conf##
float
port 1194
proto udp
dev tun
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
dh easy-rsa/pki/dh.pem
ca easy-rsa/pki/ca.crt
key easy-rsa/pki/private/server.key
cert easy-rsa/pki/issued/server.crt
ifconfig-pool-persist /tmp/ipp.txt
client-config-dir clients
status /var/log/openvpn-status.log
mode server
tls-server
topology subnet
push "topology subnet"
ifconfig 10.66.66.1 255.255.255.0
route-gateway 10.66.66.1
push "route-gateway 10.66.66.1"
ifconfig-pool 10.66.66.32 10.66.66.254 255.255.255.0
push "route 10.15.15.0 255.255.255.0"
push "dhcp-option DOMAIN lan.local"
push "dhcp-option DNS 10.15.15.1"
client-to-client
mute 5
log /tmp/openvpn.log
keepalive 10 120
persist-key
persist-tun
</code>

A few things to know about this file. OpenWrt's init script starts OpenVPN with ''--cd /etc/config/openvpnconfig'' (you can see this in the process listing later on), which is why the ''ca'', ''cert'', ''key'' and ''dh'' paths can be relative to that directory. ''client-config-dir clients'' refers to /etc/config/openvpnconfig/clients, which must exist as a directory (''mkdir'' it) even if you never put per-client files in it. ''client-to-client'' lets VPN clients reach each other directly; leave it out if clients only need to reach the LAN. And ''cipher AES-256-CBC'' is the legacy fallback cipher: OpenVPN 2.4 and later peers negotiate AES-256-GCM between themselves regardless, so this line only matters for old clients.

Once those configuration files are built, you can create the certificate authority, the Diffie-Hellman parameters, and the certificate/private key for the server:

<code bash>
cd /etc/config/openvpnconfig/easy-rsa/
easyrsa --batch init-pki
easyrsa --batch gen-dh
easyrsa --batch build-ca nopass
easyrsa --batch build-server-full server nopass
</code>

Make sure that the name you give ''build-server-full'' (''server'' here) matches the ''key'' and ''cert'' lines in server.conf above; if they differ, OpenVPN cannot find its key and will not start. Two security caveats: ''nopass'' on ''build-ca'' leaves the CA private key unencrypted on the router, so anyone who gets root on the router can issue valid client certificates (keep a backup of the PKI somewhere safe and consider protecting the CA key with a passphrase), and server.conf has no ''crl-verify'' line, so a lost or stolen client certificate can only be cut off by revoking it (''easyrsa revoke'' plus ''gen-crl'') and adding a CRL to the server, or by rebuilding the CA.

Generating the Diffie-Hellman parameters on the router's CPU can take a long time. You can optionally create them on your home machine and scp them to the router to //save time//, omitting the ''gen-dh'' command above. The destination must be the ''dh easy-rsa/pki/dh.pem'' path that server.conf expects. On your home machine (not the router), do the following:

<code bash>
sudo openssl dhparam -out /tmp/dh2048.pem 2048
scp /tmp/dh2048.pem root@192.168.1.1:/etc/easy-rsa/pki/dh.pem
</code>

After this, it is now time to create the client's keypair (the CA already exists).
You do that as follows, where ''clientname'' is whatever you want to call this client. As with the CA, ''nopass'' leaves the client key unencrypted, so anyone who copies these files can connect as that client:

<code bash>
easyrsa --batch build-client-full clientname nopass
</code>

It is now time to scp the key, certificate, and CA certificate from the router to your home device:

<code bash>
scp /etc/easy-rsa/pki/ca.crt /etc/easy-rsa/pki/private/clientname.key /etc/easy-rsa/pki/issued/clientname.crt root@10.10.10.100:
</code>

Obviously, I am using an example home subnet here (10.10.10.0/24), so change the address (and the user) to match your workstation; the files land in that user's home directory. Once you have all three files, create a directory on the client workstation that will connect to the VPN server, move the files into it, and create a connect-to-vpn.ovpn file that OpenVPN will use to connect:

<code bash>
cd ~
mkdir vpn-connection
cd vpn-connection
mv ~/ca.crt ~/clientname.key ~/clientname.crt ~/vpn-connection/
sudo chmod 600 clientname.key
touch connect-to-vpn.ovpn
sudo chmod 640 clientname.crt ca.crt connect-to-vpn.ovpn
nano connect-to-vpn.ovpn
</code>

In the config file, enter something like this, where ''<server-address>'' is the public IP address or DNS name of your router's WAN side:

<code>
nobind
float
cipher AES-256-CBC
dev tun
remote <server-address> 1194 udp
client
tls-exit
ca ca.crt
cert clientname.crt
key clientname.key
remote-cert-tls server
mute 5
resolv-retry infinite
#explicit-exit-notify
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
#redirect-gateway def1
</code>

Keep ''remote-cert-tls server'': it makes the client check that the certificate on the other end was issued as a server certificate (''build-server-full'' sets that extension), so a stolen client certificate cannot be used to impersonate the server. Uncomment ''redirect-gateway def1'' only if you want all of the client's traffic to go through the tunnel; the router's firewall must then also forward from the vpn zone to wan.

Now that your client workstation is ready to test the connection, we need to return to setting up the server. If everything above was done correctly, you should be able to start the VPN service as follows and verify that it is running:

<code bash>
/etc/init.d/openvpn start
ps | grep openvpn
</code>

<code>
 1314 root      3896 S    /usr/sbin/openvpn --syslog openvpn(server) --status /var/run/openvpn.server.status --cd /etc/config/openvpnconfig --config /etc/config/openvpnconfig/server.conf
31296 root      1356 S    grep openvpn
</code>

This is the output you want, showing that the service is running. If you do not get this, run openvpn against the configuration file on the router and/or check the logs to determine your error.
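As an added example (not part of the original tutorial, nor OpenWrt, OpenVPN or easy-rsa code), here is a small POSIX shell function that does the client-side steps above in one go on the router: it reads the CA, client certificate and key out of the easy-rsa PKI and writes a single .ovpn containing the same directives as connect-to-vpn.ovpn with the three files inlined, so only one mode-600 file has to be copied to the workstation instead of three files plus a hand-written config. The function name, its argument layout, and the sample values ''laptop'' and ''vpn.example.org'' are my assumptions.

```shell
# make_ovpn: bundle CA, client cert and client key into one .ovpn profile.
# Added example for this tutorial; not OpenWrt, OpenVPN or easy-rsa code.
# Assumes the tutorial's easy-rsa layout under PKI_DIR:
#   ca.crt, issued/NAME.crt, private/NAME.key
# and a server reachable at REMOTE on UDP 1194 (both assumptions).

# make_ovpn NAME PKI_DIR REMOTE OUTFILE
make_ovpn() {
    name=$1 pki=$2 remote=$3 out=$4
    ca="$pki/ca.crt"
    crt="$pki/issued/$name.crt"
    key="$pki/private/$name.key"
    for f in "$ca" "$crt" "$key"; do
        if [ ! -r "$f" ]; then
            echo "make_ovpn: cannot read $f (was '$name' built with easyrsa build-client-full?)" >&2
            return 1
        fi
    done
    # Remove any old copy so the new file gets fresh (restrictive) permissions.
    rm -f "$out"
    # Run in a subshell so the umask does not leak into the caller's shell;
    # the profile holds a private key, so it must be created mode 600.
    (
        umask 077
        {
            printf '%s\n' \
                'client' 'dev tun' "remote $remote 1194 udp" 'nobind' 'float' \
                'resolv-retry infinite' 'remote-cert-tls server' 'tls-exit' \
                'tls-version-min 1.2' 'cipher AES-256-CBC' \
                'keepalive 10 60' 'persist-key' 'persist-tun' 'mute 5'
            # easy-rsa's issued/*.crt starts with a human-readable dump of the
            # certificate; keep only the PEM block of each file.
            printf '<ca>\n';   sed -n '/^-----BEGIN /,/^-----END /p' "$ca";  printf '</ca>\n'
            printf '<cert>\n'; sed -n '/^-----BEGIN /,/^-----END /p' "$crt"; printf '</cert>\n'
            printf '<key>\n';  sed -n '/^-----BEGIN /,/^-----END /p' "$key"; printf '</key>\n'
        } > "$out"
    )
    echo "wrote $out"
}

# Usage on the router, after: easyrsa --batch build-client-full laptop nopass
#   make_ovpn laptop /etc/easy-rsa/pki vpn.example.org /tmp/laptop.ovpn
# then copy /tmp/laptop.ovpn to the workstation and run:
#   sudo openvpn --config laptop.ovpn
```

Because the profile contains the client's private key, treat it like the key itself: copy it over scp, keep it mode 600, and delete the copy on the router once it has been transferred.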
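When the process listing above does not show OpenVPN running, the cause is almost always in server.conf rather than in OpenVPN itself. The following pre-flight checker is an added example for this tutorial (not OpenWrt or OpenVPN code): it resolves the ''ca''/''cert''/''key''/''dh'' paths the way the init script does, relative to the config's own directory because of the ''--cd'' in the ps output, and reports the name mismatch with ''build-server-full'', a server key readable by others, and a missing ''client-config-dir''. The function names and the check list are my own.

```shell
# check_server_conf: pre-flight checks for the server.conf used above.
# Added example for this tutorial; not OpenWrt or OpenVPN code.
# OpenWrt's init script starts openvpn with "--cd <config dir>", so relative
# paths such as easy-rsa/pki/ca.crt resolve against the directory that holds
# server.conf. This checks exactly that, plus key permissions and the
# client-config-dir, which must exist as a directory.

# resolve DIR PATH -> absolute path (a relative PATH is taken from DIR)
resolve() {
    case $2 in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$1" "$2" ;;
    esac
}

# directive CONF NAME -> first value of NAME in CONF (empty if absent)
directive() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# check_server_conf CONF -> prints each problem found, returns 1 if any
check_server_conf() {
    conf=$1
    dir=$(dirname "$conf")
    errs=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    # ca/cert/key/dh must all be set and must exist relative to the config dir.
    # A wrong name here is the classic mismatch with "easyrsa build-server-full <name>".
    for d in ca cert key dh; do
        val=$(directive "$conf" "$d")
        if [ -z "$val" ]; then
            echo "missing directive: $d"; errs=$((errs + 1)); continue
        fi
        path=$(resolve "$dir" "$val")
        if [ ! -r "$path" ]; then
            echo "$d -> $path not found (does the name match what you gave easyrsa?)"
            errs=$((errs + 1))
        fi
    done

    # The server key must not be readable by group or other.
    keyval=$(directive "$conf" key)
    if [ -n "$keyval" ]; then
        keyfile=$(resolve "$dir" "$keyval")
        if [ -f "$keyfile" ]; then
            gro=$(ls -l "$keyfile" | cut -c5-10)
            if [ "$gro" != '------' ]; then
                echo "key $keyfile is readable by others (chmod 600 it)"; errs=$((errs + 1))
            fi
        fi
    fi

    # client-config-dir, if set, must be a directory relative to the config dir.
    ccd=$(directive "$conf" client-config-dir)
    if [ -n "$ccd" ] && [ ! -d "$(resolve "$dir" "$ccd")" ]; then
        echo "client-config-dir $(resolve "$dir" "$ccd") is not a directory (mkdir it)"
        errs=$((errs + 1))
    fi

    [ "$errs" -eq 0 ]
}

# Usage on the router:
#   check_server_conf /etc/config/openvpnconfig/server.conf && /etc/init.d/openvpn start
```

If the checker is clean and the service still does not start, the remaining places to look are /tmp/openvpn.log (the ''log'' line in server.conf) and ''logread'', since the init script passes ''--syslog''.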
Here is a good place to start debugging. Because server.conf uses paths relative to its own directory, run it with the same ''--cd'' the init script uses, otherwise OpenVPN will not find the certificates; the config also writes to /tmp/openvpn.log, and ''logread'' shows what was sent to syslog:

<code bash>
openvpn --cd /etc/config/openvpnconfig --config server.conf
</code>

Now that the service is running, let's log in to the router and adjust the settings a bit. In your web browser, visit https://192.168.1.1 and log in; OpenWrt ships with no root password, so set one now. After that, go to Network > Interfaces, add a new interface named "VPN" (so its naming matches the others) with protocol "Unmanaged" on the tun0 device. Once the interface is created, go to its Firewall Settings tab and create a matching firewall zone, called lower-case vpn (this just distinguishes the zones from the interfaces). Then go to Network > Firewall and edit the vpn zone so that it forwards to lan (so VPN clients can reach your LAN) and, if clients will send all their traffic through the tunnel, to wan as well. Also add a traffic rule that accepts UDP port 1194 from wan to the router itself; without it nothing on the internet can reach the OpenVPN listener. Everyone's zones will differ according to use-case, but here's a common lan-wan-vpn interface setup:

{{ :computing:firewall.png?600 |}}

It is now time to test the VPN server //from your client workstation//:

<code bash>
cd ~/vpn-connection/
sudo openvpn connect-to-vpn.ovpn
</code>

Since you did not suppress standard output, you should see the message "Initialization Sequence Completed", indicating a successful connection; pinging the router's LAN address from the client (10.15.15.1 in the example config) then confirms that the pushed route and the firewall forwarding work. Your VPN server is now complete, and you can repeat the client-key steps above for other workstations/users. Also, if you need to automate the setup, you can use something like these scripts, which I tweaked a lot, from OpenWrt's wiki:

  * [[https://repo.haacksnetworking.org/haacknet/haackingclub/-/tree/main/scripts/openvpn/openvpn-openwrt?ref_type=heads|openWRT VPN client-server scripts]]

----

Thanks to Jason Schaefer and Geoff Chesshire from [[http://schaeferconsulting.com|Schaefer IT Consulting]]. I am very grateful for their help with all of this. I also found the source documentation, [[https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic|OpenWrt OpenVPN basic]], to be particularly helpful, especially when/if commands and config setups change in easy-rsa/openvpn.

--- //[[webmaster@haacksnetworking.org|oemb1905]] 2024/02/17 19:26//
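For reference, the interface, zone, forwarding and port rule that the LuCI clicks above create, written as the UCI configuration they end up as in /etc/config/network and /etc/config/firewall. This is an added example for this tutorial, not taken from the page's scripts or from the OpenWrt wiki; it assumes an OpenWrt 21.02 or newer release (which binds the interface with ''option device'', where older releases used ''option ifname''), the tun0 device and the 1194/udp port from the configs above, and a rule name of my own choosing. The vpn-to-wan forwarding is only needed if clients use ''redirect-gateway''.

```uci
# /etc/config/network  (append)
config interface 'vpn'
	option proto 'none'
	option device 'tun0'

# /etc/config/firewall  (append)
config zone
	option name 'vpn'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# VPN clients may reach the LAN
config forwarding
	option src 'vpn'
	option dest 'lan'

# Only if clients push all traffic through the tunnel (redirect-gateway)
config forwarding
	option src 'vpn'
	option dest 'wan'

# Let the internet reach the OpenVPN listener on the router itself
config rule
	option name 'Allow-OpenVPN-Inbound'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'
	option target 'ACCEPT'
```

After editing, apply with ''/etc/init.d/network reload'' and ''/etc/init.d/firewall restart''. Note that the zone's ''input'' is ACCEPT, so anything a VPN client sends to the router itself (LuCI, ssh, DNS) is allowed; tighten it to REJECT plus explicit rules if VPN users should only reach the LAN.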