I have an OpenWRT router with WAN (eth1) and LAN (eth0) interfaces.

I wanted to install an OpenVPN server on this router, so I could access the LAN side from the WAN side.

My LAN (eth0) has a DHCP server configured on it and has a static IP of 172.20.51.61/24. When I connect any PC to LAN (eth0), it gets an IP in the range 172.20.51.100/24 to 172.20.51.150/24.

I have installed OpenVPN, easy-rsa and the other required utilities, and have also generated keys for the client and the server. I have copied those keys to the client as well.

What I would like is a very basic set of steps and configuration to gain some confidence in establishing a connection from client to server.

The web-based blogs mention so much extra information that it becomes difficult for networking beginners to follow.

Edit: the /etc/easy-rsa/vars file has the following contents:

export EASY_RSA="/etc/easy-rsa"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"

export KEY_CONFIG=`/usr/sbin/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="IN"
export KEY_PROVINCE="MH"
export KEY_CITY="Pune"
export KEY_ORG="My Org"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="EasyRSA"
# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234

# If you'd like to sign all keys with the same Common Name,
# uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config
# has the duplicate-cn option set
# export KEY_CN="CommonName"

Edit 2: I have given WAN a static IP 192.168.18.100/24 which a VPN client with IP 192.168.18.101/24 will try to access.

The server configuration is:

package openvpn
config 'openvpn' 'samplevpnconfig'
        option 'enable' '1'
        option 'port' '1194'
        option 'proto' 'udp'
        option 'dev' 'tun0'

        option 'client_to_client' '1'
        option 'keepalive' '10 120'
        option 'comp_lzo' '1'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'verb' '3'
        option 'mute' '20'
        option 'ifconfig_pool_persist' '/tmp/ipp.txt'
        option 'status' '/tmp/openvpn-status.log'
        option 'ca' '/etc/openvpn/ca.crt'
        option 'cert' '/etc/openvpn/server.crt'
        option 'key' '/etc/openvpn/server.key'
        option 'dh' '/etc/openvpn/dh1024.pem'

        #this should be on a completely different subnet than your LAN
        option 'server' '192.168.18.100 255.255.255.0'
        list 'push' 'route 172.20.51.61 255.255.255.0' #this should MATCH your current LAN info
        list 'push' 'dhcp-option DNS 172.20.51.1' #this should MATCH your current LAN info
        list 'push' 'dhcp-option DOMAIN 172.20.51.1' #this should MATCH your current LAN info

Where 172.20.51.61 is the LAN (eth0) static IP address. Honestly, I have no idea what those non-obvious parameters mean.

The client configuration on the client machine, /etc/openvpn/client.conf:

client
proto udp
dev tun0

remote 192.168.18.100 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
comp-lzo
ca /etc/openvpn/ca.crt
cert /etc/openvpn/myclient.crt
key /etc/openvpn/myclient.key

When I try the following command: # openvpn client.conf

I get: TLS error: (check your network connectivity)

and tcpdump on server gives:

13:57:19.026056 IP 192.168.18.101.34212 > 192.168.18.100.openvpn: UDP, length 14
13:57:19.026147 IP 192.168.18.100 > 192.168.18.101: ICMP 192.168.18.100 udp port openvpn unreachable, len0

But connectivity seems fine (ping and tcpdump show packets coming in).

  • Do you want **bridged** or **routed** connection? Bridged means that OpenVPN is essentially an "encrypted cable" and behaves pretty much like ethernet, VPN will be using LAN subnet, hosts managed by the LAN DHCP. Routed means a separate subnet for VPN (separate firewall zone and rules), IP management inside OpenVPN. – sam_pan_mariusz Jul 23 '15 at 13:44
  • @sam_pan_mariusz I am guessing a routed connection is what is typically used... So let's say I am outside my home router WAN (eth1), and want to access LAN (eth0) network devices on the LAN side; I think this should mean a routed connection. Can you please guide me on this? – RootPhoenix Jul 23 '15 at 14:17

1 Answer

First, I never recommend keeping the SSL CA private key on a device directly connected to the WAN. This is insecure.

In OpenWRT the configuration for OpenVPN is in /etc/config/openvpn; option names are almost identical to those in the original OpenVPN config, except that in OpenWRT hyphens (-) should be converted to underscores (_).

Follow this howto. Remove ifconfig_pool_persist if you don't need static addresses, or use the ccd option for this (more reliable) with /etc/openvpn/ccd. Replace the IP subnet and routes with your own. Add a digit at the end of the interface name to avoid firewall configuration problems. I also recommend using a tap interface (more flexible), not tun, but it's up to you. Add tls_auth to better protect against DoS attacks; in the OpenVPN manual there's an example of how to generate a key (search for --genkey).

To enable service autostart, use /etc/init.d/openvpn enable.

When you have OpenVPN up, configure the firewall.

  • My /etc/easy-rsa/keys folder contains a file called serial which has "01" as its entry. Also, while generating certificates I found that a "01.pem" file is getting created in the keys directory... however, on the blogs they have mentioned a dh2048.pem or dh1024.pem file. Does my setup have something wrong? – RootPhoenix Jul 24 '15 at 04:26
  • The dh????.pem files contain Diffie–Hellman pairs, they have little to do with actual certs. Read OpenVPN manual on *--dh*. Your certificate and key files can have any name, just edit paths in config. If you find any troubles using easy-rsa, switch to a GUI application, XCA being a nice, free example (it employs openssl internally, just like easy-rsa). – sam_pan_mariusz Jul 24 '15 at 04:52
  • When I generate keys for the client using build-key client_name, it does not ask for "ENTER EXPORT PASSWORD", but when I generate using build-key-pkcs12 client_name... it asks for an EXPORT PASSWORD. Will this be used later on? Which one should I use? – RootPhoenix Jul 24 '15 at 05:22
  • Check OpenVPN manual for *--askpass*. PKCS12 file contains (among others) a certificate private key. Key password can be empty, and I believe it's the only reasonable way to go for you. – sam_pan_mariusz Jul 24 '15 at 06:18
  • I did the steps mentioned in the link: adding the tun0 interface, configuring firewall zones, etc. But when I try to connect to the server using # openvpn client.conf I get an unreachable error even though I am able to ping it. – RootPhoenix Jul 24 '15 at 09:57
  • You're mixing LAN and VPN addressing here. How can your client connect to remote 192.168.18.100, if it's to be available **after** VPN is up (as indicated by *server* line in server config)? Chosen routed setup, use **separate** subnets for LAN and VPN. At this time, your connection works on plain old LAN, without VPN. – sam_pan_mariusz Jul 24 '15 at 10:24
  • Sorry if this sounds harsh, but at this time, as the discussion becomes too long on basic topics and thus pointless, I recommend you to find a local IT guy/gal who can configure the things for you and explain the basics. You can then learn from analyzing a working config and changing it. I can't help you anymore. – sam_pan_mariusz Jul 24 '15 at 10:28
  • The _CA private key_ does not need to be online at all, and should not be. – Michael Hampton Jul 24 '15 at 13:14
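An added example (my own code, not from the question or the answer) that makes the answer's two points concrete: it rewrites a plain OpenVPN server config into the OpenWRT /etc/config/openvpn form (hyphens to underscores, repeated push lines to list entries) and checks the 'server' pool against the LAN subnet and the WAN address the client dials, which is the clash sam_pan_mariusz points out in the comments. The 10.8.0.0/24 pool, the stanza name and the 'enabled' key are assumptions; the sample config is constructed.

```python
import ipaddress

# Constructed sample (not from the question): the poster's routed server
# config in plain OpenVPN syntax, with the tunnel pool moved to 10.8.0.0/24
# (an assumed choice) so it no longer overlaps the WAN address the client dials.
SERVER_CONF = """\
port 1194
proto udp
dev tun0
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 172.20.51.0 255.255.255.0"
push "dhcp-option DNS 172.20.51.61"
keepalive 10 120
persist-key
client-to-client
"""

def to_uci(conf, name="samplevpnconfig"):
    """Render OpenVPN lines as an OpenWRT /etc/config/openvpn stanza:
    hyphens become underscores, repeatable 'push' becomes a 'list' entry."""
    out = ["config openvpn '%s'" % name, "\toption enabled '1'"]
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(" ")
        val = val.strip().strip('"') or "1"        # bare flags map to '1'
        kind = "list" if key == "push" else "option"
        out.append("\t%s %s '%s'" % (kind, key.replace("-", "_"), val))
    return "\n".join(out) + "\n"

def pool_conflicts(conf, lan_cidr, wan_ip):
    """Return addressing clashes for the 'server' pool: it must not overlap
    the LAN it routes to, and must not contain the WAN address the client
    dials, since the pool only exists once the tunnel is already up."""
    for line in conf.splitlines():
        if line.startswith("server "):
            net, mask = line.split()[1:3]
            pool = ipaddress.ip_network("%s/%s" % (net, mask), strict=False)
            break
    else:
        return ["no 'server' line found"]
    problems = []
    if pool.overlaps(ipaddress.ip_network(lan_cidr, strict=False)):
        problems.append("pool %s overlaps LAN %s" % (pool, lan_cidr))
    if ipaddress.ip_address(wan_ip) in pool:
        problems.append("pool %s contains WAN address %s" % (pool, wan_ip))
    return problems
```

Running pool_conflicts over the question's own 'server 192.168.18.100 255.255.255.0' line with WAN 192.168.18.100 reports the clash; the sample config above passes cleanly.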