#vpnserver


In this tutorial, you will create a VPN server on a WNDR3800 router running OpenWrt. Download the OpenWrt image for this router. I used the following site:

https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/openwrt-15.05.1-ar71xx-generic-wndr3800-squashfs-factory.img

Get onto the proper subnet and stop NetworkManager from hijacking the connection. Run `ip a` to obtain your interface name, as it may not be eth0.

sudo systemctl stop network-manager
sudo ip a a 192.168.1.105/24 dev eth0

Put a paperclip in the reset button while the device is off. Keeping it held in, turn the device on and wait for the flashing green light. First, ping the router.

ping 192.168.1.1 

If you cannot ping the router, re-add your interface on the proper subnet and try again. If you can, the curl command below should upload the image to the router over TFTP. Wait for the router to reboot after running the curl command.

curl -T ~/Downloads/openwrt-15.05.1-ar71xx-generic-wndr3800-squashfs-factory.img tftp://192.168.1.1

Now that we have OpenWrt on the router, we should enable HTTPS for the web admin panel. First, verify that you completed the above steps correctly by visiting `192.168.1.1` in your web browser of choice. Then, on the router:

opkg update
opkg install luci-ssl
nano /etc/config/uhttpd 

In the config file, comment out the port 80 lines so the router can no longer be reached over plain HTTP. Additionally, enter the parameters for the self-signed certificate using the options at the bottom of the configuration file. Once you are done, restart the service, which builds the certificate.

/etc/init.d/uhttpd restart 

Now that we have HTTPS, we can begin to set up the VPN server on the WNDR. I use the template files in the directory openvpnconfig and copy them over to the router for convenience. If you would like this template, email me at netcmnd@jonathanhaack.com. This is, of course, optional. If you would like to view the default templates, rename the original files with `mv` before executing the commands below.

scp -r openvpnconfig root@[openwrt]:/etc/config/
ssh root@[openwrt]

Simplified instructions, using the template files in the directory openvpnconfig. The template files can be downloaded directly on the router with the wget command below. If you use this template and the key and config building script inside it, be aware of what it does for you: it zips the two keys and the certificate authority together with the client config into one file for easy downloading with scp. It also uses stock configuration options that can be adjusted as needed.

wget https://educationaction.biz/vpn/openvpnconfig.zip
opkg update
opkg install zip openvpn-easy-rsa openvpn-openssl nano wget nmap tcpdump
mv /etc/config/openvpnconfig/openvpn /etc/config/
mv /etc/easy-rsa /etc/config/openvpnconfig/
cd /etc/
ln -s config/openvpnconfig/easy-rsa ./
nano /etc/config/openvpnconfig/easy-rsa/vars 
nano /etc/config/openvpnconfig/openvpnWRT.conf
nano /etc/config/openvpn
build-ca
build-dh    # takes a long time
build-key-server server

You can alternatively build the DH parameters on the host machine you are administering from and then scp the result to the router when it completes, as follows. Do not forget to symlink easy-rsa properly so this works.

sudo openssl dhparam -out /tmp/dh2048.pem 2048 
scp /tmp/dh2048.pem root@xx.xx.xx.xx:/etc/config/openvpnconfig/easy-rsa/keys/

You can now use the script contained in the template directory that you downloaded earlier to create your client keys and config file; you are back on the router now.

/etc/config/openvpnconfig/easyrsa-user-setup-openwrt.sh [username] [server.com] 

Or, if you did not use the template directory and the script, edit the vars file with the parameters you want each time you need a key, and then build the key and crt (signed by your ca) manually:

nano /etc/config/openvpnconfig/easy-rsa/vars 
pkitool [username]

If you chose not to use the template and script, then on each client you will need to create a config file with parameters like the following; adjust them as needed:

nano /directory/to/keep/openvpn/keys/clientconfigname.ovpn  

nobind
float
comp-lzo
cipher AES-256-CBC
dev tun
remote xx.xx.xx.xx 1194 udp
client
tls-exit
ca ca.crt
cert <client>.crt
key <client>.key
remote-cert-tls server
mute 5
resolv-retry infinite 
#explicit-exit-notify
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
#redirect-gateway def1

You are now ready to set up the interfaces and firewall zones for the router using the web panel. Before you do this, start the VPN service and ensure it is working. The ps listing should show two processes: the running service, and the grep you just ran:

/etc/init.d/openvpn start
ps | grep openvpn
1314 root      3896 S    /usr/sbin/openvpn --syslog openvpn(server) --status /var/run/openvpn.server.status --cd /etc/config/openvpnconfig --config /etc/config/openvpnconfig/server.conf
31296 root     1356 S    grep openvpn

If you did not get this output, debug your configuration by running openvpn in the foreground against your server configuration, as follows, and use its output to determine what went wrong.

openvpn /etc/config/openvpnconfig/server.conf

Now that the service is running and you have a client config, use the OpenWrt web page to create an interface and a firewall zone. Go to Interfaces, add an interface named VPN, and select tun0 (unmanaged). Set up a firewall zone at the same time or separately and name it vpn_zone. Navigate to Network/Firewall, select the Traffic Rules tab, and add a rule that allows incoming VPN connections on UDP 1194 to the device, i.e., your router, which is your VPN server. In the firewall zone, make sure to allow forwarding to the lan and wan, and from the lan.

Now that you have a client configuration file, and the interfaces and firewall zones are set up, install openvpn on your host and start the client, which performs the client-server handshake and brings up the OpenVPN connection.

sudo apt install openvpn  
cd ~/directory/where/thekeys/youmade/above/are/
sudo openvpn clientconfigname.ovpn

To require TLS 1.2 and restrict the TLS cipher suites, and separately to set a strong data-channel cipher, use these settings in the server configuration. The cipher setting matches the one in the client configuration above.

/etc/config/openvpnconfig/nameofvpnserver.conf
tls-version-min 1.2
tls-cipher      TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
cipher AES-256-CBC

Key permissions

640 for everything except the private key and 600 for that …
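A post-install audit for the two hardening points above (the TLS and cipher settings in the server config, and the key file permissions), written as an added example rather than code from the original page; the function names are its own, and the paths in the usage line are the ones this page uses.

```shell
# Added example, not from the original page: audit the OpenVPN server's
# key directory permissions and the TLS/cipher settings in its config.
# Function names are this script's own; the paths are the page's defaults.

# Every *.key must be mode 600, everything else in the keys directory 640.
# Prints each offender and returns 1 if any were found, 0 otherwise.
check_key_perms() {
    dir="$1"; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        case "$f" in
            *.key) want=600 ;;
            *)     want=640 ;;
        esac
        if [ "$mode" != "$want" ]; then
            echo "wrong mode $mode (want $want): $f"
            bad=1
        fi
    done
    return "$bad"
}

# Apply the policy above: 600 on private keys, 640 on everything else.
fix_key_perms() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.key) chmod 600 "$f" ;;
            *)     chmod 640 "$f" ;;
        esac
    done
}

# The server config must pin TLS 1.2, list tls-cipher suites, and use the
# AES-256-CBC data cipher that the client config on this page expects.
check_server_conf() {
    conf="$1"; missing=0
    for want in 'tls-version-min 1.2' 'tls-cipher ' 'cipher AES-256-CBC'; do
        if ! grep -q "^$want" "$conf"; then
            echo "missing in $conf: $want"
            missing=1
        fi
    done
    return "$missing"
}
# Usage on the router: sh audit.sh /etc/easy-rsa/keys /etc/config/openvpnconfig/server.conf
if [ "$#" -eq 2 ]; then
    check_key_perms "$1" && check_server_conf "$2" && echo "OK"
fi
```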

computing/vpnserver.1526571489.txt.gz · Last modified: 2018/11/25 01:33 (external edit)