Setting OpenVPN on OpenWrt

3 minute read

Due to my home router is connected 24×7 it makes it the ideal place to install a VPN server. In my case I had installed OpenWrt on my router TP-LINK TL-WR1043ND (to install OpenWrt on this router you can read the article about Installing OpenWrt on router TP-LINK TL-WR1043ND). This post it’s general enough and explains how to install OpenVP on OpenWrt, no matter what model router with OpenWrt you have.

Installing OpenVPN on OpenWrt

On the router just install OpenVPN package:

opkg install openvpn

Certificates (PC)

Client and server certificates will be done on a PC with Linux, on Debian to be exact. The idea is to avoid installing software in the limited router’s rom.To get what will need install the following package:

aptitude install openvpn
  • Make the woring directory and the base files to use:
mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
  • Edit file  /etc/openvpn/easy-rsa/vars, which lets you make a unique certificate using the values provided:
export KEY_COUNTRY="VE" 
export KEY_CITY="Caracas" 
export KEY_ORG="Mi organización" 
export KEY_EMAIL=""
  • Go to the working directory and load the file you just edited:
cd /etc/openvpn/easy-rsa/
source vars

Now lets create the certificates for the server and clients.

Certificates for the server

In order to make the certificates for the server you must do the following steps:

./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key

Certificates for the clients

In order to generate the certificate for the client just do this:

cd /etc/openvpn/easy-rsa/
source vars
./pkitool hostname

Here hostname is the name of the host where the certificate will be installed (random part).

Settings the VPN

Now let’s see how to set the VPN, both in the server and client side.

Setting the server (router)

  • Copy the generated certificates for the server to router:
scp server.crt server.key ca.crt dh1024.pem ta.key root@

Here is the router’s IP address for this example.

  • Although you can be tempted to use a config file borrow form other OpenVPN server, it’s better to use the one provided by OpenWrt and just adapt it to your needs. So, edit file /etc/config/openvpn with the followin values (I just put the not commented lines to save space).
config openvpn sample_server
    option enable 1
    option port 1194
    option proto udp
    option dev tun
    option ca /etc/openvpn/ca.crt
    option cert /etc/openvpn/server.crt
    option key /etc/openvpn/server.key
    option dh /etc/openvpn/dh1024.pem
    option server ""
    option ifconfig_pool_persist /tmp/ipp.txt
    option client_to_client 1
    option keepalive "10 120"
    option tls_auth "/etc/openvpn/ta.key 0"
    option comp_lzo 1
    option persist_key 1
    option persist_tun 1
    option status /tmp/openvpn-status.log
    option verb 3

Setting the clients (PCs)

  • Copy the certificates and keys generated for each client, for example for the PC hostname, as explained next:
  • If you haven’t install OpenVPN on the clients, you can do it::
aptitude install openvpn
  • Copy the example file for the client’ s configuration:
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
  • Edit the file with the following values:
dev tun 
proto udp 
remote 1194
resolv-retry infinite 
ca /mnt/datos/OpenVpn/easy-rsa/keys/ca.crt 
cert /mnt/datos/OpenVpn/easy-rsa/keys/hostname.crt 
key /mnt/datos/OpenVpn/easy-rsa/keys/hostname.key 
ns-cert-type server 
tls-auth /mnt/datos/OpenVpn/easy-rsa/keys/ta.key 1 
verb 3

Here the remote directive has a fixed IP, but you can set a dynamic domain name on dyndns or no-ip instead of a private address.

Enabling the service

Now you must enable the service in both sides, in the server (OpenWrt) and in the clients (PCs). For each of them:

Enable the service in the server (router)

Run the following in OpenWrt:

/etc/init.d/openvpn enable
/etc/init.d/openvpn start

Enabling the service in the clients (PCs)

Now you must enable the OpenVPN service in every client. In general terms it will depen on the distro you will be using. In Debian you can enable the service as follow:

update-rc.d openvpn defaults
/etc/init.d/openvpn start

After all this your server will have a tun interface with the address 10.8.0,1 and clients will have an interface with a IP address like 10.8.0.x.





Leave a Comment