  • Jonathan Haack
  • Haack's Networking
  • webmaster@haacksnetworking.org

vpnserver-openwrt


This tutorial was originally written for running OpenVPN on OpenWrt on a Netgear WNDR3800 router. My current hardware, however, is the TP-Link Archer C7 v5. Whichever router you use, this tutorial will help you turn your OpenWrt router into a self-hosted VPN server. First, download the stable release for your model. It's best to find the dedicated hardware page and check your exact variant. Below, I have an example of the page for the Archer. I also included the link to all OpenWrt downloads and the supported hardware list.

It is probably best to stop network manager; after that, assign a local ip address (on the same subnet as the router) to your network interface.

sudo systemctl stop network-manager
sudo ip addr add 192.168.1.105/24 dev <eth0>

Put a paperclip in the reset button while the device is off. Keeping the paperclip gently depressed in the reset button, turn the device on, and keep the reset button held until there is a flashing green light. At this point, I usually ping the router and/or run ethtool:

ping 192.168.1.1 
sudo ethtool <eth0>

In the past, you would get a “taking countermeasures” response while pinging the device. At other times, ping just hangs (but it is connected). At any rate, after you are connected, flash the image with curl and tftp:

curl -T ~/Downloads/openwrt-latest.img tftp://192.168.1.1

After that, wait at least 5-10 minutes before attempting to log in to the device. In fact, before I log in, I prefer to shell into the router, update, install, and then upgrade all packages first. In order to do this, make sure to plug in an ethernet cable from your current LAN into the WAN port on the router so it can route.

ssh root@192.168.1.1
opkg update
opkg install gzip openvpn-easy-rsa openvpn-openssl nano wget nmap tcpdump curl luci-ssl
opkg list-upgradable
opkg upgrade <package>

Before going any further, I like to set up HTTPS for the web interface. When you edit the config file, change the certificate expiry to something large, enter your email/organization, etc., and then restart the service.

nano /etc/config/uhttpd   
/etc/init.d/uhttpd restart 

Now, let's create custom config directories for openvpn and easy-rsa so they behave better when we are faced with upgrading packages on the router.

mkdir /etc/config/openvpnconfig/
mv /etc/easy-rsa /etc/config/openvpnconfig/
cd /etc/
ln -s config/openvpnconfig/easy-rsa ./

Now, let's enter the parameters in the vars file, which determines how the OpenVPN server's certificates will be built and also drives the default parameters for your client keys. I suggest editing the expiration date and the organization parameters (minimally).

nano /etc/config/openvpnconfig/easy-rsa/vars 

Now, let's rename the original config file, and then create two custom configuration files as follows:

mv /etc/config/openvpn /etc/config/openvpn-original
touch /etc/config/openvpn
touch /etc/config/openvpnconfig/server.conf

Examples of this .conf file can be found HERE. The first configuration file, called openvpn, specifies where the OpenVPN server configuration is to be found; enter something like what is listed just below, but make sure to change <server> to the name you will call your server when you build it below, remove the angle brackets, and do not use special characters:

##/etc/config/openvpn##
package openvpn
config openvpn <server>
option enabled 1
option config /etc/config/openvpnconfig/server.conf

In the second configuration file (server.conf), do something like this. Adjust the addresses to match your own networks: 10.66.66.0/24 is the VPN's address pool, while the last addresses (the pushed route and DNS server, 10.15.15.0/24 and 10.15.15.1) should belong to the router's LAN, not to the VPN's address scheme.

float
port 1194
proto udp
dev tun
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
dh   easy-rsa/pki/dh.pem
ca   easy-rsa/pki/ca.crt
key  easy-rsa/pki/private/server.key
cert easy-rsa/pki/issued/server.crt
ifconfig-pool-persist /tmp/ipp.txt
client-config-dir clients
status /var/log/openvpn-status.log
mode server
tls-server
topology subnet
push "topology subnet"
ifconfig 10.66.66.1 255.255.255.0
route-gateway 10.66.66.1
push "route-gateway 10.66.66.1"
ifconfig-pool 10.66.66.32 10.66.66.254 255.255.255.0
push "route 10.15.15.0 255.255.255.0"
push "dhcp-option DOMAIN lan.local"
push "dhcp-option DNS 10.15.15.1"
client-to-client
mute 5
log /tmp/openvpn.log
keepalive 10 120
persist-key
persist-tun

Once those configuration files are built, you can create the certificate authority, the Diffie-Hellman parameters, and the certificate/private key for the server.

cd /etc/config/openvpnconfig/easy-rsa/
easyrsa --batch init-pki
easyrsa --batch gen-dh
easyrsa --batch build-ca <ca-name> nopass
easyrsa --batch build-server-full <server> nopass

Make sure that the name you enter for <server> matches the key and cert filenames in the second configuration file (server.conf) above. Also, you can optionally create the Diffie-Hellman parameters on your home machine and scp them to the router to save time, thereby omitting the gen-dh command above. If you want to do this, then on your home machine (not the router), do the following:

sudo openssl dhparam -out /tmp/dh2048.pem 2048
scp /tmp/dh2048.pem root@192.168.1.1:/etc/easy-rsa/pki/dh.pem

After this, create the client keypair, signed by the CA you just built:

easyrsa --batch build-client-full <clientname> nopass

It is now time to scp the client key, client certificate, and CA certificate from the router to your home device (replace <clientname> with the name used above):

scp /etc/easy-rsa/pki/ca.crt /etc/easy-rsa/pki/private/<clientname>.key /etc/easy-rsa/pki/issued/<clientname>.crt root@10.10.10.100:

Obviously, I am using an example home subnet here (10.10.10.0), so change that address to match your workstation. Once you have all three of those files, create a directory on the client workstation that intends to connect to the vpn server. After you create that directory and place these files in it, you need to create a connect-to-vpn.ovpn file that openvpn will use to connect to the vpn server.

cd ~
mkdir vpn-connection
cd vpn-connection
mv ~/ca.crt ~/<clientname>.key ~/<clientname>.crt ~/vpn-connection/
sudo chmod 600 <clientname>.key
touch connect-to-vpn.ovpn
sudo chmod 640 <clientname>.crt ca.crt connect-to-vpn.ovpn
nano connect-to-vpn.ovpn

In the config file, enter something like this:

nobind
float
cipher AES-256-CBC
dev tun
remote <external ip or DNS name here> 1194 udp
client
tls-exit
ca ca.crt
cert <clientname>.crt
key <clientname>.key
remote-cert-tls server
mute 5
resolv-retry infinite 
#explicit-exit-notify
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
#redirect-gateway def1

Now that your client workstation is ready to test the connection, we need to return to setting up the server. First, if everything above was done correctly, then you should be able to start the vpn service as follows and verify that it is running:

/etc/init.d/openvpn start
ps | grep openvpn
1314 root      3896 S    /usr/sbin/openvpn --syslog openvpn(server) --status /var/run/openvpn.server.status --cd /etc/config/openvpnconfig --config /etc/config/openvpnconfig/server.conf
31296 root     1356 S    grep openvpn

This is the output you want, showing that the service is running. If you do not get this, then run openvpn in the foreground against the configuration file on the router and/or check the logs to determine your error. Run it from the configuration directory so that the relative easy-rsa paths in server.conf resolve. Here is a good place to start debugging:

cd /etc/config/openvpnconfig
openvpn --config server.conf

Now that the service is running, let's log in to the router and adjust the settings a bit. In your web browser, visit 192.168.1.1, and log in/change the password. After that, go to Interfaces, click Add, select tun0, and enter "VPN" for the name (so its naming matches the others). Once the interface is created, go to the Firewall tab within it and create a matching firewall zone; call it lower-case vpn (this just distinguishes the zones from the interfaces). Go to the Firewall tab, and then edit the vpn zone so that it has WAN as a source. Everyone's zones will differ according to use-case, but here's a common lan-wan-vpn interface setup:
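The same interface and zone setup, as an added example that is not part of the original page or of OpenWrt's wiki, written as a "uci batch" script so it can be reviewed before it is applied. The names follow the page (VPN interface on tun0, lower-case vpn zone); the vpn-to-lan forwarding, the UDP/1194 input rule from wan, and the "device" option spelling (older releases use "ifname") are assumptions.

```shell
#!/bin/sh
# Added example (not the page's or OpenWrt's own script): emits the UCI
# equivalent of the LuCI clicks above. Review the output, then pipe it into
# "uci batch" on the router with apply_vpn_firewall.
vpn_firewall_uci() {
  cat <<'EOF'
set network.VPN=interface
set network.VPN.proto='none'
set network.VPN.device='tun0'
set firewall.vpn=zone
set firewall.vpn.name='vpn'
set firewall.vpn.network='VPN'
set firewall.vpn.input='ACCEPT'
set firewall.vpn.output='ACCEPT'
set firewall.vpn.forward='REJECT'
set firewall.vpn_to_lan=forwarding
set firewall.vpn_to_lan.src='vpn'
set firewall.vpn_to_lan.dest='lan'
set firewall.allow_openvpn=rule
set firewall.allow_openvpn.name='Allow-OpenVPN'
set firewall.allow_openvpn.src='wan'
set firewall.allow_openvpn.proto='udp'
set firewall.allow_openvpn.dest_port='1194'
set firewall.allow_openvpn.target='ACCEPT'
commit network
commit firewall
EOF
}

# Apply only on the router; refuse elsewhere rather than failing half-way.
apply_vpn_firewall() {
  command -v uci >/dev/null 2>&1 || { echo "uci not found: run this on the OpenWrt router" >&2; return 1; }
  vpn_firewall_uci | uci batch && /etc/init.d/network reload && /etc/init.d/firewall reload
}
```

LAN hosts must also have a return route to the 10.66.66.0/24 pool (or the vpn-to-lan forwarding must be masqueraded), otherwise replies from the pushed 10.15.15.0/24 route never come back.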

It is now time to test the vpn server from your client workstation:

cd ~/vpn-connection/
sudo openvpn connect-to-vpn.ovpn

Since you did not suppress standard output, you should see the message "Initialization Sequence Completed", indicating a successful connection. Your VPN server is now complete, and you can repeat the steps for building client keys stated above for other workstations/users. Also, if you need to automate the setup, you can use something like these scripts, which I tweaked a lot, from OpenWrt's wiki:
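For the repeated per-user step, here is an added example (not from the original page or OpenWrt's wiki) that packs the three files you scp'd from the router into one client profile with the CA, certificate and key inlined, which is standard OpenVPN syntax. The client name, server host, directory and output path are the function's assumed arguments; the PEM files it demonstrates on are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: one 0600 .ovpn per user instead of four loose files.
# Arguments: client name (as given to build-client-full), server host name
# or IP, directory holding ca.crt / <client>.crt / <client>.key, output path.
make_ovpn_bundle() {
  client="$1"; remote="$2"; dir="$3"; out="$4"
  for f in "$dir/ca.crt" "$dir/$client.crt" "$dir/$client.key"; do
    [ -r "$f" ] || { echo "make_ovpn_bundle: missing $f" >&2; return 1; }
  done
  (
    umask 077                     # the private key goes into this file
    rm -f "$out"                  # so the new file is created with 0600
    {
      # Options from the connect-to-vpn.ovpn above, plus tls-version-min to match the server.
      printf '%s\n' client "dev tun" nobind float "remote $remote 1194 udp" \
        "remote-cert-tls server" "cipher AES-256-CBC" "tls-version-min 1.2" \
        "resolv-retry infinite" "keepalive 10 60" ping-timer-rem \
        persist-tun persist-key tls-exit "mute 5"
      printf '<ca>\n';   cat "$dir/ca.crt";       printf '</ca>\n'
      printf '<cert>\n'; cat "$dir/$client.crt";  printf '</cert>\n'
      printf '<key>\n';  cat "$dir/$client.key";  printf '</key>\n'
    } > "$out"
  )
}

# Constructed placeholder PEM files (not real certificates or keys) so the demo runs offline.
write_constructed_pki() {
  dir="$1"; client="$2"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA' '-----END CERTIFICATE-----' > "$dir/ca.crt"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CERT' '-----END CERTIFICATE-----' > "$dir/$client.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-KEY' '-----END PRIVATE KEY-----' > "$dir/$client.key"
}

demo_dir="$(mktemp -d)"
write_constructed_pki "$demo_dir" alice
make_ovpn_bundle alice vpn.example.net "$demo_dir" "$demo_dir/alice.ovpn" && echo "wrote $demo_dir/alice.ovpn"
```

On a real client, point the directory argument at the files copied from the router and connect with "sudo openvpn <client>.ovpn" exactly as in the test step above.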

– – – – –

Thanks to Jason Schaefer and Geoff Chesshire from Schaefer IT Consulting. I am very grateful for their help with all of this. I also found the source documentation, OpenWrt OpenVPN basic, to be particularly helpful, especially when/if commands and config setups change in easy-rsa/openvpn.

oemb1905 2024/02/17 19:26

computing/vpnserver-openwrt.txt · Last modified: 2024/07/01 23:09 by oemb1905