Setting OpenVPN on OpenWrt


Since my home router is connected 24×7, it is the ideal place to install a VPN server. In my case I had installed OpenWrt on my TP-LINK TL-WR1043ND router (to install OpenWrt on this router you can read the article about Installing OpenWrt on router TP-LINK TL-WR1043ND). This post is general enough and explains how to install OpenVPN on OpenWrt, no matter which router model with OpenWrt you have.

Installing OpenVPN on OpenWrt

On the router just install OpenVPN package:

opkg install openvpn

Certificates (PC)

Client and server certificates will be generated on a PC running Linux, Debian to be exact. The idea is to avoid installing software in the router's limited ROM. To get what you will need, install the following package:

aptitude install openvpn
  • Make the working directory and copy the base files to use:
mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
  • Edit the file /etc/openvpn/easy-rsa/vars, which lets you create a unique certificate using the values you provide:
export KEY_COUNTRY="VE" 
export KEY_PROVINCE="DC" 
export KEY_CITY="Caracas" 
export KEY_ORG="Mi organización" 
export KEY_EMAIL="[email protected]"
  • Go to the working directory and load the file you just edited:
cd /etc/openvpn/easy-rsa/
source vars

Now let's create the certificates for the server and the clients.

Certificates for the server

In order to make the certificates for the server, follow these steps:

./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key

Certificates for the clients

In order to generate the certificate for the client just do this:

cd /etc/openvpn/easy-rsa/
source vars
./pkitool hostname

Here hostname is the name of the host where the certificate will be installed (any name you choose).

Setting up the VPN

Now let's see how to set up the VPN, on both the server and the client side.

Setting the server (router)

  • Copy the generated certificates for the server to the router:
scp server.crt server.key ca.crt dh1024.pem ta.key [email protected]:/etc/openvpn/

Here 192.168.1.1 is the router’s IP address for this example.

  • Although you may be tempted to use a config file borrowed from another OpenVPN server, it is better to use the one provided by OpenWrt and just adapt it to your needs. So, edit the file /etc/config/openvpn with the following values (only the uncommented lines are shown, to save space).
config openvpn sample_server
    option enable 1
    option port 1194
    option proto udp
    option dev tun
    option ca /etc/openvpn/ca.crt
    option cert /etc/openvpn/server.crt
    option key /etc/openvpn/server.key
    option dh /etc/openvpn/dh1024.pem
    option server "10.8.0.0 255.255.255.0"
    option ifconfig_pool_persist /tmp/ipp.txt
    option client_to_client 1
    option keepalive "10 120"
    option tls_auth "/etc/openvpn/ta.key 0"
    option comp_lzo 1
    option persist_key 1
    option persist_tun 1
    option status /tmp/openvpn-status.log
    option verb 3

Setting the clients (PCs)

  • Copy the certificates and keys generated for each client; for example, for the PC named hostname these are:
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/hostname.crt
/etc/openvpn/easy-rsa/keys/hostname.key
/etc/openvpn/easy-rsa/keys/ta.key
  • If you haven't installed OpenVPN on the clients yet, you can do it with:
aptitude install openvpn
  • Copy the example file for the client's configuration:
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
  • Edit the file with the following values:
client
dev tun
proto udp
remote 192.168.1.30 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /mnt/datos/OpenVpn/easy-rsa/keys/ca.crt
cert /mnt/datos/OpenVpn/easy-rsa/keys/hostname.crt
key /mnt/datos/OpenVpn/easy-rsa/keys/hostname.key
ns-cert-type server
tls-auth /mnt/datos/OpenVpn/easy-rsa/keys/ta.key 1
comp-lzo
verb 3

Here the remote directive has a fixed IP, but you can set a dynamic domain name on dyndns or no-ip instead of a private address.
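The server section in /etc/config/openvpn and this client file must agree on a few values, and the shared ta.key must be used with direction 0 on the router and 1 on the client. The script below is an added example, not part of the original article: it converts the UCI section into plain OpenVPN directives and cross-checks it against the client file. The embedded configs are constructed copies of the ones above, trimmed to the directives the checks compare.

```python
import shlex

# Constructed copies of the article's two configs, trimmed to what the checks compare.
UCI_SERVER = """
config openvpn sample_server
    option enable 1
    option port 1194
    option proto udp
    option dev tun
    option server "10.8.0.0 255.255.255.0"
    option tls_auth "/etc/openvpn/ta.key 0"
"""
CLIENT_CONF = """
client
dev tun
proto udp
remote 192.168.1.30 1194
tls-auth /mnt/datos/OpenVpn/easy-rsa/keys/ta.key 1
"""

def uci_to_directives(text):
    """Map UCI 'option name value' lines to OpenVPN directives: underscores become
    hyphens, 'enable' is OpenWrt-only and is dropped, a bare 1 means a flag directive."""
    out = {}
    for line in text.splitlines():
        parts = shlex.split(line)  # shlex keeps quoted values such as the server subnet together
        if len(parts) >= 3 and parts[0] == "option" and parts[1] != "enable":
            flag = len(parts) == 3 and parts[2] == "1"
            out[parts[1].replace("_", "-")] = "" if flag else " ".join(parts[2:])
    return out

def parse_conf(text):
    """Parse a plain OpenVPN .conf into {directive: argument string}."""
    out = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if parts:
            out[parts[0]] = " ".join(parts[1:])
    return out

def check_pair(server, client):
    """Return the mismatches that would stop this client from connecting to this server."""
    problems = []
    for key in ("proto", "dev"):
        if server.get(key) != client.get(key):
            problems.append(f"{key} differs: server={server.get(key)!r} client={client.get(key)!r}")
    if client.get("remote", "").split()[1:2] != [server.get("port")]:
        problems.append("client remote port does not match server port")
    # The shared static key must be used with direction 0 on the server and 1 on the client.
    dirs = tuple((c.get("tls-auth", "").split() + ["?", "?"])[1] for c in (server, client))
    if dirs != ("0", "1"):
        problems.append("tls-auth key direction must be 0/1, got %s/%s" % dirs)
    return problems
```

Running `check_pair(uci_to_directives(UCI_SERVER), parse_conf(CLIENT_CONF))` on the article's values returns an empty list; swapping the key direction or the protocol on one side produces a message naming the mismatch.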

Enabling the service

Now you must enable the service on both sides, the server (OpenWrt) and the clients (PCs). For each of them:

Enable the service in the server (router)

Run the following in OpenWrt:

/etc/init.d/openvpn enable
/etc/init.d/openvpn start

Enabling the service in the clients (PCs)

Now you must enable the OpenVPN service on every client. In general terms it will depend on the distro you are using. In Debian you can enable the service as follows:

update-rc.d openvpn defaults
/etc/init.d/openvpn start

After all this your server will have a tun interface with the address 10.8.0.1 and the clients will have an interface with an IP address like 10.8.0.x.


  1. #1 by Luis Gallardo on 12/07/2014 - 10:29 pm

    @Javier Look at the processes. You should have one that says dns. Regards!

  2. #2 by Javier on 12/07/2014 - 6:25 am

    Hello Luis. Congratulations on the article. I am also setting up a VPN, but in my case on the PC.

    I have the DNS service configured in OpenWrt, but I really don't know whether the script gets updated... and works..

    From LuCI, what do I have to do or where do I have to look to make sure of it? I know the grep command exists but I don't know how to open a console or terminal..

    Thanks

  3. #3 by Luis Gallardo on 29/04/2014 - 2:06 pm

    @Fabian you will always need the data plan to use the Internet, since the VPN goes out over the intranet. The difference is that it goes encrypted. Now, if your Android version does not support VPN, you can look for applications such as OpenVPN Connect.

    Regards!

  4. #4 by Fabian on 29/04/2014 - 12:38 pm

    Good afternoon, I need to configure OpenVPN on my Android so that it connects to my VPN server. I don't know how to configure it through the .ovpn file; I need that configuration and don't know how to do it, so that it connects through the 3G network without having to pay for a data plan and shares my home Internet with the incoming connections. I can connect to my VPN through the Android option, but if it could connect without credit it would be a great help. If you can help me, thanks.

  5. #5 by Luis Gallardo on 16/04/2013 - 9:19 am

    @Boom you can use DynDNS, because it will resolve to an IP address. You only need to have access to port 1194. Best regards!

  6. #6 by Boon on 16/04/2013 - 1:31 am

    Thank you for the wonderful guide on OpenVPN with OpenWrt. Appreciate if you can help me with this.

    1. To use OpenVPN do you need Static IP from ISP?
    2. If ISP cannot provide Static IP, is it okay to use DynDNS?

  7. #7 by Luis Gallardo on 02/08/2012 - 2:01 pm

    @ali just follow the article as explained. Cheers!

  8. #8 by ali on 02/08/2012 - 3:26 am

    Hi, I am using the overplayvpn service to bypass my ISP with a DD-WRT router. I found it not stable. How can I install OpenVPN on my router using OpenWrt firmware and connect to any VPN service provider? If you know, please help.

  9. #9 by Luis Gallardo on 01/10/2011 - 9:17 pm

    @Open you are welcome. Cheers!

  10. #10 by Open VPN on 01/10/2011 - 7:24 am

    Thanks for this wonderful post. Admiring the time and effort you put into your blog and detailed information you offer.
