Linux – OpenVPN server and client configuration for openwrt

I have an OpenWRT router with WAN(eth1) and LAN(eth0) interface.

I wanted to install an openVPN server on this router, so I could access from the WAN side into the LAN side.

My LAN(eth0) has a DHCP server configured over, and has a static IP of 172.20.51.61/24. When I connect any PC to LAN(eth0) it gets some IP in this range 172.20.51.100/24 to 172.20.51.150/24.

I have installed openvpn easy rsa and other required utilities and also generated keys for client and server. I have copied those keys to client as well.

What I would want is a very basic steps and configuration to gain some confidence, to establish a connection from client to server.

The net based blogs mention so much extra information..it becomes difficult for networking beginners to follow.

Edit: the /etc/easy-rsa/vars file has following contents.

export EASY_RSA="/etc/easy-rsa"
export OPENSSL="openssl"          
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"

export KEY_CONFIG=`/usr/sbin/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
et PKCS11_MODULE_PATH="dummy"                                          
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="IN"                                                
export KEY_PROVINCE="MH"                                               
export KEY_CITY="Pune"                                                 
export KEY_ORG="My Org"                                                              
export KEY_EMAIL="me@myhost.mydomain"                                                       
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="EasyRSA"
# PKCS11 Smart Card                                                    
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"                     
# export PKCS11_PIN=1234                                               

# If you'd like to sign all keys with the same Common Name, 
# uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config 
# has the duplicate-cn option set 
# export KEY_CN="CommonName"

Edit 2: I have given WAN a static IP 192.168.18.100/24 which a VPN client with IP 192.168.18.101/24 will try to access.

The server configuration is:

package openvpn
config 'openvpn' 'samplevpnconfig'
        option 'enable' '1'
        option 'port' '1194'
        option 'proto' 'udp'
        option 'dev' 'tun0'

        option 'client_to_client' '1'
        option 'keepalive' '10 120'
        option 'comp_lzo' '1'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'verb' '3'
        option 'mute' '20'
        option 'ifconfig_pool_persist' '/tmp/ipp.txt'
        option 'status' '/tmp/openvpn-status.log'
        option 'ca' '/etc/openvpn/ca.crt'
        option 'cert' '/etc/openvpn/server.crt'
        option 'key' '/etc/openvpn/server.key'
        option 'dh' '/etc/openvpn/dh1024.pem'

        #this should be on a completely different subnet than your LAN
        option 'server' '192.168.18.100 255.255.255.0'
        list 'push' 'route 172.20.51.61 255.255.255.0' #this should MATCH your current LAN info
        list 'push' 'dhcp-option DNS 172.20.51.1' #this should MATCH your current LAN info
        list 'push' 'dhcp-option DOMAIN 172.20.51.1' #this should MATCH your current LAN info

Where 172.20.51.61 is LAN (eth0) static IP address.
Honestly I have no idea what those non obvious parameters mean.

The client configuration in Client machine /etc/openvpn/client.conf

client
proto udp
dev tun0

remote 192.168.18.100 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
comp-lzo
ca /etc/openvpn/ca.crt
cert /etc/openvpn/myclient.crt
key /etc/openvpn/myclient.key

WHen I try the following command: #openvpn client.conf

I get TLS error: (check your network connectivity)

and tcpdump on server gives:

13:57:19.026056 IP 192.168.18.101.34212 > 192.168.18.100.openvpn: UDP, length 14
13:57:19.026147 IP 192.168.18.100 > 192.168.18.101: ICMP 192.168.18.100 udp port openvpn unreachable, len0

But connectivity seems proper(ping, tcpdump show packet comming)

Best Answer

First, I never recommend keeping SSL CA private key on a device directly connected to WAN. This is insecure.

In OpenWRT a configuration for OpenVPN is in /etc/config/openvpn - option names are almost identical as in OpenVPN original config, except for in OpenWRT hyphens (-) should be converted to underscores (_).

Follow this howto. Remove ifconfig_pool_persist if you don't need static addresses, or use ccd option for this (more reliable) with /etc/openvpn/ccd. Replace IP subnet and routes with your own. Add a digit in the end of interface name to avoid firewall configuration problems. I also recommend using tap interface (more flexible), not tun, but it's up to you. Add tls_auth to better protect against DoS attacks, in OpenVPN manual there's an example how to generate a key (search for --genkey).

To enable service autostart, use /etc/init.d/openvpn enable.

When you have OpenVPN up, configure firewall.

Best Answer

Related Solutions

Openvpn – Problems setting up a VPN: can connect but can’t ping anyone

OpenVPN connection from within 2nd subnet in office

Related Topic