LAN access through OpenWRT OpenVPN server

UCI way.
The router's address is 192.168.1.1 (the default gateway for every PC on the network). The task is to give a VPN client access to the 192.168.1.0 LAN.

Now copy the following files from the OpenWrt router to the client (e.g. with WinSCP):
/etc/easy-rsa/keys/ca.crt
/etc/easy-rsa/keys/sapsd_client1.*
Only the CA certificate and the client's own certificate and key are needed on the client side; the CA private key (ca.key) must never leave the server, and the copied client key should be readable only by the user that runs OpenVPN.
The next part is copied from the wiki.openwrt.org OpenVPN chapter:
Create the VPN interface (named vpn0):

Allow incoming client connections by opening the server port (default 1194) in the firewall:

Create a firewall zone (named vpn) for the new vpn0 network. By default it accepts both incoming and outgoing connections created within the VPN tunnel; edit the defaults as required. This does not (yet) allow clients to access the LAN or WAN networks, but it does allow clients to reach services on the router itself, and it may allow connections between VPN clients if your OpenVPN server configuration permits them:

(Optional) If you plan to allow clients to connect to computers within your LAN, you need to allow traffic to be forwarded between the vpn firewall zone and the lan firewall zone:

And you will probably want to allow your LAN computers to initiate connections to the clients, too:

(Optional) Similarly, if you plan to allow clients to connect to the internet (WAN) through the tunnel, you must allow traffic to be forwarded between the vpn firewall zone and the wan firewall zone:

Commit the changes:

Now that you have finished your basic configuration, start up OpenVPN:

So your /etc/config/firewall should look like this (you can replace yours with it):

The client config:

Finally, I added a permanent route to the router's subnet on the client:


Please note that for every new VPN client (I have a single one) the server hands out a different gateway address: the second client gets 10.8.0.9 instead of 10.8.0.5, the third gets 10.8.0.13, and so on, because each client is allocated its own /30 (OpenVPN's default net30 topology). A static route on the client therefore stops working as soon as its peer address changes, so it is strongly recommended to push the route from the server instead, as shown in the last line of the server config (/etc/config/openvpn):

The same can be done with uci:
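The whole "UCI way" above, from creating vpn0 through pushing the LAN route, collected into one script as an added example (my own, not the post's configuration or the wiki's text). It assumes the server section in /etc/config/openvpn is named myvpn, the tunnel device is tun0, the server listens on UDP 1194 and the LAN is 192.168.1.0/24; DRY_RUN=1 prints the uci commands instead of executing them, and on a host without uci the script falls back to that automatically.

```shell
#!/bin/sh
# Added example (not the post's own config): the UCI steps described above,
# wrapped in functions so each step can be reviewed before it is applied,
# plus the server-side "push route" that replaces the static route on the client.
#
# Assumptions (not from the post): OpenVPN server section "myvpn" in
# /etc/config/openvpn, tunnel device tun0, UDP port 1194, LAN 192.168.1.0/24.

LAN_ROUTE="route 192.168.1.0 255.255.255.0"   # assumed LAN, pushed to every client
VPN_PORT=1194                                  # assumed server port (OpenVPN default)
OVPN_SECTION=myvpn                             # assumed section name in /etc/config/openvpn
VPN_FORWARD=REJECT                             # ACCEPT only if clients must reach each other

# Execute the command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# 1. Network interface vpn0 bound to the tun device OpenVPN creates
#    (ifname is the pre-21.02 option name; newer OpenWrt uses "device").
add_vpn_interface() {
  run uci set network.vpn0=interface
  run uci set network.vpn0.ifname=tun0
  run uci set network.vpn0.proto=none
  run uci set network.vpn0.auto=1
}

# 2. Accept the server port, but only from the wan zone: an unrestricted src
#    would also expose the port to every other zone.
open_vpn_port() {
  run uci add firewall rule
  run uci set 'firewall.@rule[-1].name=Allow-OpenVPN-Inbound'
  run uci set 'firewall.@rule[-1].src=wan'
  run uci set 'firewall.@rule[-1].proto=udp'
  run uci set "firewall.@rule[-1].dest_port=$VPN_PORT"
  run uci set 'firewall.@rule[-1].target=ACCEPT'
}

# 3. Zone "vpn" for vpn0: clients may talk to the router (input) and the router
#    to them (output); forwarding inside the zone (client to client) stays REJECT.
add_vpn_zone() {
  run uci add firewall zone
  run uci set 'firewall.@zone[-1].name=vpn'
  run uci set 'firewall.@zone[-1].network=vpn0'
  run uci set 'firewall.@zone[-1].input=ACCEPT'
  run uci set 'firewall.@zone[-1].output=ACCEPT'
  run uci set "firewall.@zone[-1].forward=$VPN_FORWARD"
}

# 4. One forwarding section per direction between two zones.
allow_forwarding() {          # usage: allow_forwarding <src-zone> <dest-zone>
  run uci add firewall forwarding
  run uci set "firewall.@forwarding[-1].src=$1"
  run uci set "firewall.@forwarding[-1].dest=$2"
}

# 5. Push the LAN route from the server so it works whichever /30 (and thus
#    whichever peer address) a client is handed; no static route on the client.
push_lan_route() {
  run uci add_list "openvpn.$OVPN_SECTION.push=$LAN_ROUTE"
}

apply_all() {
  add_vpn_interface
  open_vpn_port
  add_vpn_zone
  allow_forwarding vpn lan       # clients -> LAN
  allow_forwarding lan vpn       # LAN -> clients
  # allow_forwarding vpn wan     # uncomment to route client internet traffic via the tunnel
  push_lan_route
  run uci commit network
  run /etc/init.d/network reload
  run uci commit firewall
  run /etc/init.d/firewall reload
  run uci commit openvpn
  run /etc/init.d/openvpn restart
}

# Without uci on this host (e.g. previewing on a workstation), only print the commands.
command -v uci >/dev/null 2>&1 || DRY_RUN=1
apply_all
```

Every `uci add` followed by `@section[-1]` edits creates a new anonymous section, so running the script twice produces duplicate rules and forwardings; check `uci show firewall` before re-running. Opening the port for src=wan only and leaving the zone's forward policy at REJECT limits the tunnel to exactly what the post needs: the router's own services and the LAN.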

Discussion

Igor
01.02.2015
Hello! It does not generate the client keys on the server; it keeps saying: ...Please edit the vars script to reflect your configuration, then source it with "source ./vars". How do I generate them so that the existing certificates and keys are not deleted?
Uchla
01.02.2015
It tells you: "source ./vars". Go to /etc/openvpn/easy-rsa2.0 and run "source ./vars", then run ./build-key cliXXX again.
Uchla
26.03.2018
To install an OpenVPN server/client on a Zyxel Keenetic Omni (Black) following the instructions at habr.ru/post/306378, unpack the file pkg.entware-keenetic.ru/binaries/keenle/installer/installer-keenle.tar.gz onto a USB stick and set the "initrc script" field to /opt/etc/init.d/doinstall.
