OpenVPN Server

As prerequisite make sure the router has correct date an time (use the “date” command to verify it). OpenVPN needs the router real time clock (RTC) to be accurate.

Install the necessary OpenVPN packages.

opkg update && opkg install openvpn-openssl openvpn-easy-rsa luci-app-openvpn

Create your certificate authority, Diffie-Hellman parameters (this will take long time), TLS key, and certificates.

cd /etc/easy-rsa
source vars
clean-all
build-ca
build-dh
build-key-server myvpn
openvpn --genkey --secret /etc/easy-rsa/keys/ta.key

Configure network and firewall:

uci set network.vpn0="interface"
uci set network.vpn0.ifname="tun0"
uci set network.vpn0.proto="none"
uci set network.vpn0.auto="1"
uci commit network
uci add firewall rule
uci set firewall.@rule[-1].name="Allow-OpenVPN-Inbound"
uci set firewall.@rule[-1].target="ACCEPT"
uci set firewall.@rule[-1].src="wan"
uci set firewall.@rule[-1].proto="udp"
uci set firewall.@rule[-1].dest_port="1194"
uci add firewall zone
uci set firewall.@zone[-1].name="vpn"
uci set firewall.@zone[-1].input="ACCEPT"
uci set firewall.@zone[-1].forward="ACCEPT"
uci set firewall.@zone[-1].output="ACCEPT"
uci set firewall.@zone[-1].masq="1"
uci set firewall.@zone[-1].network="vpn0"
uci add firewall forwarding
uci set firewall.@forwarding[-1].src="vpn"
uci set firewall.@forwarding[-1].dest="wan"
uci add firewall forwarding
uci set firewall.@forwarding[-1].src="vpn"
uci set firewall.@forwarding[-1].dest="lan"
uci commit firewall

Reload network and firewall configurations.

/etc/init.d/network reload
/etc/init.d/firewall reload

Check if packet forwarding is enabled. If it's not enabled, edit the file above and set the value to 1.

cat /proc/sys/net/ipv4/ip_forward

Create OpenVPN server configuration by editing /etc/config/openvpn file.

config openvpn 'myvpn'
	option enabled '1'
	option dev 'tun'
	option port '1194'
	option proto 'udp'
	option status '/var/log/openvpn_status.log'
	option log '/tmp/openvpn.log'
	option verb '3'
	option mute '5'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option group 'nogroup'
	option ca '/etc/easy-rsa/keys/ca.crt'
	option cert '/etc/easy-rsa/keys/myvpn.crt'
	option key '/etc/easy-rsa/keys/myvpn.key'
	option dh '/etc/easy-rsa/keys/dh2048.pem'
	option mode 'server'
	option tls_server '1'
	option tls_auth '/etc/easy-rsa/keys/ta.key 0'
	option server '10.8.0.0 255.255.255.0'
	option topology 'subnet'
	option route_gateway 'dhcp'
	option client_to_client '1'
	list push 'persist-key'
	list push 'persist-tun'
	list push 'redirect-gateway def1'
	# allow your clients to access to your network
	list push 'route 192.168.1.0 255.255.255.0'
	# push DNS to your clients
	list push 'dhcp-option DNS 192.168.1.1'
	option comp_lzo 'no'

Start and enable OpenVPN server.

/etc/init.d/openvpn start
/etc/init.d/openvpn enable

Take a look at the logfile at /tmp/openvpn.log to check if server is up.

Wed Mar 15 22:41:23 2017 OpenVPN 2.4.0 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Mar 15 22:41:23 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Wed Mar 15 22:41:23 2017 Diffie-Hellman initialized with 2048 bit key
Wed Mar 15 22:41:23 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 15 22:41:23 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 15 22:41:24 2017 TUN/TAP device tun0 opened
Wed Mar 15 22:41:24 2017 TUN/TAP TX queue length set to 100
Wed Mar 15 22:41:24 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Mar 15 22:41:24 2017 /sbin/ifconfig tun0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Wed Mar 15 22:41:24 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Mar 15 22:41:24 2017 Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Mar 15 22:41:24 2017 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Mar 15 22:41:24 2017 UDPv4 link remote: [AF_UNSPEC]
Wed Mar 15 22:41:24 2017 GID set to nogroup
Wed Mar 15 22:41:24 2017 UID set to nobody
Wed Mar 15 22:41:24 2017 MULTI: multi_init called, r=256 v=256
Wed Mar 15 22:41:24 2017 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Wed Mar 15 22:41:24 2017 Initialization Sequence Completed

Make a /etc/easy-rsa/keys/Default.txt file with next content. Modify HOST_NAME according to your needs.

client
dev tun
proto udp
remote HOST_NAME 1194
resolv-retry infinite
nobind
mute-replay-warnings
ns-cert-type server
key-direction 1
verb 1
mute 20
comp-lzo
# uncomment for Windows 7 clients
#route-method exe
#route-delay 2

Download this script to /etc/easy-rsa/keys/ and make it executable.

wget https://gist.githubusercontent.com/ivanmarban/57561e2bacf3b3a709426d353d2b6584/raw/30bf3c86fbc95a0a5d53d0aac348bcebdc9aa2eb/MakeOpenVPN.sh -O /etc/easy-rsa/keys/MakeOpenVPN.sh
chmod +x /etc/easy-rsa/keys/MakeOpenVPN.sh

For each client, create a key with unique name. This generates the following files: myuser.crt myuser.key myuser.p12 myuser.3des.key

cd /etc/easy-rsa
source vars
build-key-pkcs12 myuser
openssl rsa -in /etc/easy-rsa/keys/myuser.key -des3 -out /etc/easy-rsa/keys/myuser.3des.key

Finally, create the OpenVPN profile by executing MakeOpenVPN.sh script. You will be asked for existing clients.

/etc/easy-rsa/keys/MakeOpenVPN.sh
  • If you're pushing to your clients your router as DNS server, as explained in this howto, you need to allow lookups from connected VPN networks: Network → DHCP and DNS , then uncheck Local Service Only
  • Get wget work with SSL
    opkg update && opkg install libustream-openssl ca-certificates