LAN access through OpenWRT OpenVPN server
UCI way.
Router address is 192.168.1.1 (default gateway for every PC in the network). The task is providing access for VPN client to the 192.168.1.0 LAN.
|
1 2 3 4 5 6 7 |
opkg update opkg install openvpn-openssl openvpn-easy-rsa build-ca build-dh build-key-server my-server build-key sapsd_client1 cp /etc/easy-rsa/keys/ca.crt /etc/easy-rsa/keys/my-server.* /etc/easy-rsa/keys/dh2048.pem /etc/openvpn |
Now, copy next files from openwrt router to the client (e.g. using WinSCP):
/etc/easy-rsa/keys/ca.crt
/etc/easy-rsa/keys/sapsd_client1.*
Next part are copy of wiki.openwrt.org chapter:
**
Create the VPN interface (named vpn0):
|
1 2 3 4 |
uci set network.vpn0=interface uci set network.vpn0.ifname=tun0 uci set network.vpn0.proto=none uci set network.vpn0.auto=1 |
Allow incoming client connections by opening the server port (default 1194) in our firewall:
|
1 2 3 4 5 |
uci set firewall.Allow_OpenVPN_Inbound=rule uci set firewall.Allow_OpenVPN_Inbound.target=ACCEPT uci set firewall.Allow_OpenVPN_Inbound.src=* uci set firewall.Allow_OpenVPN_Inbound.proto=udp uci set firewall.Allow_OpenVPN_Inbound.dest_port=1194 |
Create firewall zone (named vpn) for the new vpn0 network. By default, it will allow both incoming and outgoing connections being created within the VPN tunnel. Edit the defaults as required. This does not (yet) allow clients to access the LAN or WAN networks, but allows clients to communicate with services on the router and may allow connections between VPN clients if your OpenVPN server configuration allows:
|
1 2 3 4 5 6 7 |
uci set firewall.vpn=zone uci set firewall.vpn.name=vpn uci set firewall.vpn.network=vpn0 uci set firewall.vpn.input=ACCEPT uci set firewall.vpn.forward=REJECT uci set firewall.vpn.output=ACCEPT uci set firewall.vpn.masq=1 |
(Optional) If you plan to allow clients to connect to computers within your LAN, you’ll need to allow traffic to be forwarded between the vpn firewall zone and the lan firewall zone:
|
1 2 3 |
uci set firewall.vpn_forwarding_lan_in=forwarding uci set firewall.vpn_forwarding_lan_in.src=vpn uci set firewall.vpn_forwarding_lan_in.dest=lan |
And you’ll probably want to allow your LAN computers to be able to initiate connections with the clients, too.
|
1 2 3 |
uci set firewall.vpn_forwarding_lan_out=forwarding uci set firewall.vpn_forwarding_lan_out.src=lan uci set firewall.vpn_forwarding_lan_out.dest=vpn |
(Optional) Similarly, if you plan to allow clients to connect the internet (WAN) through the tunnel, you must allow traffic to be forwarded between the vpn firewall zone and the wan firewall zone:
|
1 2 3 |
uci set firewall.vpn_forwarding_wan=forwarding uci set firewall.vpn_forwarding_wan.src=vpn uci set firewall.vpn_forwarding_wan.dest=wan |
Commit the changes:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
uci commit network /etc/init.d/network reload uci commit firewall /etc/init.d/firewall reload echo > /etc/config/openvpn # clear the openvpn uci config uci set openvpn.myvpn=openvpn uci set openvpn.myvpn.enabled=1 uci set openvpn.myvpn.verb=3 uci set openvpn.myvpn.port=1194 uci set openvpn.myvpn.proto=udp uci set openvpn.myvpn.dev=tun uci set openvpn.myvpn.server='10.8.0.0 255.255.255.0' uci set openvpn.myvpn.keepalive='10 120' uci set openvpn.myvpn.ca=/etc/openvpn/ca.crt uci set openvpn.myvpn.cert=/etc/openvpn/my-server.crt uci set openvpn.myvpn.key=/etc/openvpn/my-server.key uci set openvpn.myvpn.dh=/etc/openvpn/dh2048.pem uci commit openvpn |
Now that you have finished your basic configuration, start up OpenVPN:
|
1 2 |
/etc/init.d/openvpn enable /etc/init.d/openvpn start |
**
So, your /etc/config/firewall shoud look like this (you can replace it with):
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 |
config defaults option syn_flood '1' option input 'ACCEPT' option output 'ACCEPT' option forward 'ACCEPT' config zone option name 'lan' option network 'lan' option input 'ACCEPT' option output 'ACCEPT' option forward 'REJECT' config zone option name 'wan' option network 'wan' option input 'REJECT' option output 'ACCEPT' option forward 'REJECT' option masq '1' option mtu_fix '1' config zone option name 'vpn' option input 'ACCEPT' option output 'ACCEPT' option forward 'ACCEPT' option masq '1' option network 'vpn' config forwarding option src 'lan' option dest 'wan' config forwarding option src 'vpn' option dest 'lan' config forwarding option src 'lan' option dest 'vpn' config rule option name 'Allow-DHCP-Renew' option src 'wan' option proto 'udp' option dest_port '68' option target 'ACCEPT' option family 'ipv4' config rule 'Allow_OpenVPN_Inbound' option target 'ACCEPT' option src '*' option proto 'udp' option dest_port '1194' |
The client config:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
dev tun client proto udp log openvpn.log remote 192.168.0.20 persist-key persist-tun verb 3 pull keepalive 10 60 nobind ca C:\\vpn\\ca.crt cert C:\\vpn\\sapsd_client1.crt key C:\\vpn\\sapsd_client1.key |
Finally, I have added permanent route to the router’s subnet:
|
1 |
route add -p 192.168.1.0 mask 255.255.255.0 10.8.0.5 |
Please note, in case of every new vpn-client (I have single one) the server will provide a new gateway. Second client gets 10.8.0.9 instead of 10.8.0.5, third client will get 10.8.0.13 and so on (the mask is /30). In this way it’s strongly recommended to push the route from server as shown in the last line of server config (/etc/config/openvpn):
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
config openvpn 'myvpn' option enabled '1' option verb '3' option port '1194' option proto 'udp' option dev 'tun' option server '10.8.0.0 255.255.255.0' option keepalive '10 120' option ca '/etc/openvpn/ca.crt' option cert '/etc/openvpn/my-server.crt' option key '/etc/openvpn/my-server.key' option dh '/etc/openvpn/dh2048.pem' option status 'openvpn-status.log' option log '/var/log/openvpn.log' list push 'route 192.168.1.0 255.255.255.0' |
This behaviour can be reached using uci:
|
1 2 3 |
uci add_list openvpn.myvpn.push='route 192.168.1.0 255.255.255.0' uci commit openvpn /etc/init.d/openvpn reload |
Igor
01.02.2015 @ 13:22
Здравствуйте!, не генерирует ключи для клиента на сервере, все время пишет:
…Please edit the vars script to reflect your configuration, then source it with “source ./vars”.
Как сгенерировать? чтобы не удалило существующие сертификаты и ключи?
Uchla
01.02.2015 @ 13:23
Пишет же “source ./vars”.
Перейдите в /etc/openvpn/easy-rsa2.0 и выполните команду “source ./vars”, затем снова ./build-key cliXXX
Uchla
26.03.2018 @ 20:07
Чтобы установить OpenVPN-сервер/клиент на Zyxel Keenetic Omni (Черный) по инструкции habr.ru/post/306378
распакуйте на флешку файл pkg.entware-keenetic.ru/binaries/keenle/installer/installer-keenle.tar.gz и в поле “Сценарий initrc” укажите /opt/etc/init.d/doinstall