Because my home router is connected 24×7, it is the ideal place to install a VPN server. In my case I had installed OpenWrt on my TP-LINK TL-WR1043ND router (to install OpenWrt on this router you can read the article about Installing OpenWrt on router TP-LINK TL-WR1043ND). This post is general enough that it explains how to install OpenVPN on OpenWrt, no matter which router model running OpenWrt you have.
Installing OpenVPN on OpenWrt
On the router, just install the OpenVPN package:
opkg install openvpn
Client and server certificates will be generated on a Linux PC, Debian to be exact. The idea is to avoid installing software in the router's limited ROM. To get what you will need, install the following package:
aptitude install openvpn
- Make the working directory and copy the base files to use:
mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
- Edit file /etc/openvpn/easy-rsa/vars, which lets you make a unique certificate using the values provided:
export KEY_COUNTRY="VE"
export KEY_PROVINCE="DC"
export KEY_CITY="Caracas"
export KEY_ORG="Mi organización"
export KEY_EMAIL="firstname.lastname@example.org"
- Go to the working directory and load the file you just edited:
cd /etc/openvpn/easy-rsa/
source vars
Now let's create the certificates for the server and the clients.
Certificates for the server
To make the certificates for the server, run the following steps:
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
Certificates for the clients
To generate the certificate for a client, just do this:
cd /etc/openvpn/easy-rsa/
source vars
./pkitool hostname
Here hostname is the name of the host where the certificate will be installed (this part is arbitrary).
Setting up the VPN
Now let's see how to set up the VPN, on both the server and the client side.
Setting the server (router)
- Copy the generated server certificates to the router:
scp server.crt server.key ca.crt dh1024.pem ta.key email@example.com:/etc/openvpn/
Here 192.168.1.1 is the router’s IP address for this example.
- Although you may be tempted to use a config file borrowed from another OpenVPN server, it's better to use the one provided by OpenWrt and just adapt it to your needs. So, edit the file /etc/config/openvpn with the following values (I show only the uncommented lines to save space):
config openvpn sample_server
	option enable 1
	option port 1194
	option proto udp
	option dev tun
	option ca /etc/openvpn/ca.crt
	option cert /etc/openvpn/server.crt
	option key /etc/openvpn/server.key
	option dh /etc/openvpn/dh1024.pem
	option server "10.8.0.0 255.255.255.0"
	option ifconfig_pool_persist /tmp/ipp.txt
	option client_to_client 1
	option keepalive "10 120"
	option tls_auth "/etc/openvpn/ta.key 0"
	option comp_lzo 1
	option persist_key 1
	option persist_tun 1
	option status /tmp/openvpn-status.log
	option verb 3
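A quick way to review this server configuration against current practice, as an added example that is not part of the original post: the script below reads an OpenWrt /etc/config/openvpn file and flags short DH parameters, tunnel compression and a missing control-channel HMAC key. The function names audit_openvpn_uci and sample_config are made up for this example, the DH size is inferred from the file name (easy-rsa 2.0 names it after the KEY_SIZE variable in vars), and a single "config openvpn" section is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: flags weak settings in an OpenWrt
# /etc/config/openvpn file. Assumes a single "config openvpn" section.

audit_openvpn_uci() {
    # Reads the UCI file named in $1 (or stdin). Prints one finding per
    # line and returns 1 when anything was flagged, 0 otherwise.
    awk '
    $1 == "option" {
        val = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]*/, "", val)  # keep only the value
        gsub(/["\047]/, "", val)                           # drop UCI quotes
        opt[$2] = val
    }
    END {
        n = 0
        # easy-rsa 2.0 writes dh<KEY_SIZE>.pem, so the file name gives the size.
        if (match(opt["dh"], /dh[0-9]+\.pem$/)) {
            bits = substr(opt["dh"], RSTART + 2) + 0
            if (bits < 2048) {
                printf "dh: %d-bit DH parameters, regenerate with KEY_SIZE=2048 or larger\n", bits
                n++
            }
        }
        if (opt["comp_lzo"] != "" && opt["comp_lzo"] != "0" && opt["comp_lzo"] != "no") {
            print "comp_lzo: compression in the tunnel enables compression-oracle attacks (VORACLE)"
            n++
        }
        if (opt["tls_auth"] == "" && opt["tls_crypt"] == "") {
            print "tls_auth: no HMAC key on the control channel (tls_auth or tls_crypt)"
            n++
        }
        exit (n > 0)
    }' "$@"
}

sample_config() {
    # Relevant lines of the server configuration shown in this post.
    cat <<'EOF'
config openvpn sample_server
	option dh /etc/openvpn/dh1024.pem
	option tls_auth "/etc/openvpn/ta.key 0"
	option comp_lzo 1
EOF
}

sample_config | audit_openvpn_uci || echo "=> review the findings above"
```

On the router itself, call audit_openvpn_uci /etc/config/openvpn instead of feeding it the sample.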
Setting the clients (PCs)
- Copy to each client the certificates and keys generated for it; for example, for the PC hostname:
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/hostname.crt
/etc/openvpn/easy-rsa/keys/hostname.key
/etc/openvpn/easy-rsa/keys/ta.key
- If you haven't installed OpenVPN on the clients, you can do so:
aptitude install openvpn
- Copy the example file for the client's configuration:
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
- Edit the file with the following values:
client
dev tun
proto udp
remote 192.168.1.30 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /mnt/datos/OpenVpn/easy-rsa/keys/ca.crt
cert /mnt/datos/OpenVpn/easy-rsa/keys/hostname.crt
key /mnt/datos/OpenVpn/easy-rsa/keys/hostname.key
ns-cert-type server
tls-auth /mnt/datos/OpenVpn/easy-rsa/keys/ta.key 1
comp-lzo
verb 3
Here the remote directive has a fixed IP, but you can set a dynamic domain name on dyndns or no-ip instead of a private address.
Enabling the service
Now you must enable the service on both sides: on the server (OpenWrt) and on the clients (PCs). For each of them:
Enable the service in the server (router)
Run the following in OpenWrt:
/etc/init.d/openvpn enable
/etc/init.d/openvpn start
Enabling the service in the clients (PCs)
Now you must enable the OpenVPN service on every client. In general terms, how you do it will depend on the distro you are using. In Debian you can enable the service as follows:
update-rc.d openvpn defaults
/etc/init.d/openvpn start
After all this, your server will have a tun interface with the address 10.8.0.1, and clients will have an interface with an IP address like 10.8.0.x.