This is an old revision of the document!
- vpnserver
- Jonathan Haack
- Haack's Networking
- netcmnd@jonathanhaack.com
vpnserver
This tutorial is for flashing a Netgear WNDR3800 router with openwrt and then building a vpn server on it with openvpn. The instructions here can easily be adapted to other hardware. First, download the stable release:
It is probably best to stop network manager; after that, assign a local ip address (on the same subnet as the router) to your network interface.
sudo systemctl stop network-manager ip a a 192.168.1.105/24 dev <eth0>
Put a paperclip in the reset button while device is off. Keeping the paperclick depressed in the reset button gently, turn the device on, keeping the paperclip in and depressed until there is a flashing green light. At this point, I usually ping the router and/or run ethtool
ping 192.168.1.1 sudo ethtool <eth0>
In the past, you would get a “taking countermeasures” response while pinging the device. At other times, ping just hangs (but it is connected). At any rate, after you are connected, flash the image with curl and tftp:
curl -T ~/Downloads/openwrt-latest.img tftp://192.168.1.1
After that, wait at least 5-10 minutes before attempting to log in to the device. In fact, before I log in, I prefer to shell into the router, update, install, and then upgrade all packages first. In order to do this, make sure to plug in an ethernet cable from your current LAN into the WAN port on the router so it can route.
ssh root@192.168.1.1 opkg update opkg install zip openvpn-easy-rsa openvpn-openssl nano wget nmap tcpdump curl luci-ssl opkg list-upgradable opkg upgrade <package>
Before I get any further, I like to set up https. When you edit the config file, change the expiry dates to something large, enter your email/org, etc., and then start the service.
nano /etc/config/uhttpd /etc/init.d/uhttpd restart
Now, let's create custom config directories for openvpn and easy-rsa so they behave better when we are faced with upgrading packages on the router.
mkdir /etc/config/openvpnconfig/ mv /etc/easy-rsa /etc/config/openvpnconfig/ cd /etc/ ln -s config/openvpnconfig/easy-rsa ./
Now, let's enter the parameters on the vars file which determines how the openvpn server will be built, and also drives the default parameters for your client keys. I suggest editing the expiration date and the organization parameters (minimally).
nano /etc/config/openvpnconfig/easy-rsa/vars
Now, let's rename the original config file, and then create two custom configuration files as follows:
mv /etc/config/openvpn /etc/config/openvpn-original touch /etc/config/openvpn touch /etc/config/openvpnconfig/server.conf
Examples of this .conf file can be found HERE Specify where the openvpn configuration is to be found; example provided below the text editor command. In the first configuration file, called openvpn, enter something like what is listed just below, but make sure you to change <server> to the name you will call your server when you build it below, remove the braces, and do not use special characters:
##/etc/config/openvpn## package openvpn config openvpn <server> option enabled 1 option config /etc/config/openvpnconfig/server.conf
In the second configuration file, do something like this. Remember to change all the <addresses> in triangle braces below. Remember, the last address should be the address of the lan, not the vpn's address scheme.
float port 1194 proto udp dev tun cipher AES-256-CBC tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 dh easy-rsa/pki/pki/dh.pem ca easy-rsa/pki/pki/ca.crt key easy-rsa/pki/pki/private/server.key cert easy-rsa/pki/pki/issued/server.crt ifconfig-pool-persist /tmp/ipp.txt client-config-dir clients status /var/log/openvpn-status.log mode server tls-server topology subnet push "topology subnet" ifconfig <10.66.66.1> 255.255.255.0 route-gateway <10.66.66.1> push "route-gateway <10.66.66.1>" ifconfig-pool <10.66.66.32> <10.66.66.254> 255.255.255.0 push "route <192.168.1.0> 255.255.255.0"
Once those configuration files are built, you can now create the certificate authority, the diffie-hellman key, and certificate/private key for the server.
cd /etc/config/openvpnconfig/easy-rsa/ easyrsa --batch init-pki easyrsa --batch gen-dh easyrsa --batch build-ca nopass easyrsa --batch build-server-full <server> nopass
Make sure that the name that you enter for <server> matches the name in the second configuration file below. Also, you can optionally create the diffie-hellman key on your home machine and scp it to the router to save time as follows, thereby omitting the gen-dh command above. If you can/want to do this, then on your home machine (not the router), do the following:
sudo openssl dhparam -out /tmp/dh2048.pem 2048 scp /tmp/dh2048.pem root@192.168.1.1:/etc/easy-rsa/pki/pki/
After this, it is now time to create your keypair and ca. You do that as follows:
easyrsa --batch build-client-full <clientname> nopass
It is now time to scp the key, certificate, and authority from the router to your home device:
scp /etc/easy-rsa/pki/pki/ca.crt /etc/easy-rsa/pki/pki/server.key /etc/easy-rsa/pki/pki/server.crt root@10.10.10.100:
Obviously, I am using an example home subnet here (10.10.10.0), so change that address to match your workstation. Once you have all three of those files, create a directory on the client workstation that intends to connect to the vpn server. After you create that directory and place these files in it, you need to create a connect-to-vpn.ovpn file that openvpn will use to connect to the vpn server.
cd ~ mkdir vpn-connection cd vpn-connection mv ~/ca.crt ~/server.key ~/server.crt ~/vpn-connection/ sudo chmod 600 server.key touch connect-to-vpn.ovpn sudo chmod 640 server.crt ca.crt connect-to-vpn.ovpn nano connect-to-vpn.ovpn
In the config file, enter something like this:
nobind float cipher AES-256-CBC dev tun remote <external ip or DNS name here> 1194 udp client tls-exit ca ca.crt cert <clientname>.crt key <clientname>.key remote-cert-tls server mute 5 resolv-retry infinite #explicit-exit-notify keepalive 10 60 ping-timer-rem persist-tun persist-key #redirect-gateway def1
Now that your client workstation is ready to test the connection, we need to return to setting up the server. First, if everything above was done correctly, then you should be able to start the vpn service as follows and verify that it is running:
/etc/init.d/openvpn start ps | grep openvpn 1314 root 3896 S /usr/sbin/openvpn --syslog openvpn(server) --status /var/run/openvpn.server.status --cd /etc/config/openvpnconfig --config /etc/config/openvpnconfig/server.conf 31296 root 1356 S grep openvpn
This is the output you want, showing that the service is running. If you do not get this, then run openvpn against the configuration files on the router and/or check the logs to determine your error. Here is a good place to start debugging:
openvpn /etc/config/openvpnconfig/server.conf
Now that the service is running, let's log in to the router and adjust the settings a bit. In your web browser, visit 192.168.1.1, and log in/change password. After that, click /Interfaces/Add/tun0/ and enter “VPN” for the name (so its parsing matches the others). Once the interface is created, go to the firewall tab within it and create a matching firewall zone, call it lower-case vpn (this just distinguishes the zones from the interfaces). Go to the /Firewall tab, and then edit the vpn zone so that it has the WAN as a source destination. It is now time to test the vpn server from your client workstation:
cd ~/vpn-connection/ sudo openvpn connect-to-vpn.ovpn
Since you did not suppress standard output, you should get the following the message, “Initialization Sequence Completed,” to indicate a successful connection. Your vpn-server is now complete, and you can repeat the steps for building client keys stated above for other workstations/users. Also, if you need to automate the setup, you can use something like these scripts, which I tweaked a lot, from OpenWrt's wiki:
– – – – –
Thanks to Jason Schaefer and Geoff Chesshire from Schaefer IT Consulting. I am very grateful for their help with all of this. I also found the source documentation, OpenWrt OpenVPN basic, to be particularly helpful, especially when/if commands and config setups change in easy-rsa/openvpn.
— oemb1905 2020/03/22 19:07
