Generate Keys For Openwrt Openvpn

These instructions are for getting an OpenWrt based router working as an OpenVPN client (they should also work for LEDE, Gargoyle and other distributions). Computers connected to the LAN ports of the OpenWrt router will reach the Internet through the connection of the OpenVPN server (in this case the Streisand one previously set up). You need a working router with OpenWrt based firmware flashed on it (LEDE or eko.one.pl could also work); the steps work well on Chaos Calmer 15.05 or 15.05.1.

  1. You need to telnet to 192.168.1.1 (the OpenWrt router) and set a password using passwd. You can skip this if you already have a password and can connect using ssh.



Now you should be able to ssh the OpenWrt Router ssh root@192.168.1.1 using the previously typed password.

  1. Important: ensure that you have at least 1MB of free space on rootfs on your OpenWrt device; depending on the OpenWrt version flashed you may need more or less space to set everything up. If you don't have the space but the router has a USB port, you could use ExtRoot, try to build a custom image, or even write a script that downloads openvpn to RAM on every start.

  2. Install OpenVPN (you need an internet connection on the OpenWrt router)

If you want OpenVPN to autostart at router boot (in some OpenWrt releases it is enabled by default):

  1. Run UCI commands to configure the router as a VPN client:

  2. DNS: there is a tricky part here; you have to choose one of these:

  • Use your WAN port's default DNS (the one the OpenWrt router currently uses to resolve domains); you can leave it as is, but be aware that your DNS queries will then go through the VPN, and some ISP DNS servers are configured to block connection attempts from outside their network.
  • Set up fixed DNS on the LAN interface (only for LAN and WiFi clients)
  • Set up fixed DNS on the WAN interface (this replaces the default DNS provided to the router on the WAN port)
  • Set up two scripts that use the DNS provided through the VPN tunnel by the Streisand host (recommended).

I recommend the last option: you will use the same DNS server as the Streisand host. You should probably also check whether fixed DNS servers such as OpenDNS or Google are configured on the Streisand host; you could change this to use the default DNS on the Streisand host.

Fixed DNS on Lan interface, Using OpenDNS:


Fixed DNS on Lan interface, Using Google DNS:

Fixed DNS on Wan interface, using OpenDNS:

Fixed DNS on Wan interface, using Google DNS:

Finally, you should commit UCI changes:

  1. You will need to download the OpenVPN client file from the Streisand host, [ip]-direct.ovpn or [ip]-sslh.ovpn (the first one uses port 636 (ldaps) and the latter 443 (the standard https port); I think there are two because some people may have restrictions in their country on some ports, or the use of SSL on another may be disallowed).

  2. Open the .ovpn file in a plain-text editor, as we need to make some edits:

  • Add this line at the top:

    cat <<'EOF' > /etc/openvpn/streisand.conf

  • Add this line at the bottom:

    EOF

(these lines will let us later copy the entire text content of the file and paste it in the terminal/PuTTY window, creating the config file on the router)

  • You can comment out or remove the line near the beginning of the file that looks like route [ip] 255.255.255.255 net_gateway; simply add # at the start of that line. This route is already pushed from the OpenVPN server side. If you don't do this you will get an error in the OpenVPN log, but it should work fine anyway.

  • To enable the OpenVPN log and status file:

    log-append /var/log/openvpn.log # To append to log file

    status /var/log/openvpn-status.log # To maintain a status file

  • If you want to use the OpenVPN Server side DNS's from Streisand host:

    script-security 2 system # needed to be able to use 'up' and 'down' scripts

    up '/etc/openvpn/updns' # FIX DNS, we will create it later

    down '/etc/openvpn/downdns' # FIX DNS, we will create it later

  1. Now copy the entire content of the .ovpn file and paste it in the terminal; you should now have a new file (check for it):

    ls -l /etc/openvpn/streisand.conf

  2. If you chose to use the DNS provided by OpenVPN, you need to create these two files (just copy and paste, and the files will be created):

FIX to use DNS provided by OpenVPN server:

Add execution permission to both files:

You should have now two new files (check for it):
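One way to write the two DNS hook scripts this step refers to, as an added example that is not the guide's own updns/downdns (whose content is not shown here): OpenVPN exposes each pushed dhcp-option to up/down scripts as foreign_option_N and sets script_type to up or down, so one script can serve both hooks. The output file /tmp/resolv.conf.vpn is an assumption; adapt it to wherever your dnsmasq reads its resolvers.

```shell
#!/bin/sh
# Added example, not the guide's own updns/downdns scripts: an OpenVPN
# up/down hook for OpenWrt that collects the DNS servers pushed by the
# Streisand server. OpenVPN exposes each pushed "dhcp-option" to scripts as
# foreign_option_1, foreign_option_2, ... and sets script_type to up/down.
# The output path /tmp/resolv.conf.vpn is an assumption: point dnsmasq at
# it, or write to the resolv file your dnsmasq already reads.

# Print every pushed DNS server, one per line, reading foreign_option_N
# until the first unset variable.
pushed_dns() {
    i=1
    while true; do
        eval "opt=\${foreign_option_$i}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) echo "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# Write nameserver lines for the pushed servers to the file named in $1.
# Returns 1 and leaves the file untouched if the server pushed no DNS,
# so the router keeps resolving via its previous servers.
write_resolv() {
    servers=$(pushed_dns)
    [ -n "$servers" ] || return 1
    : > "$1"
    for s in $servers; do
        echo "nameserver $s" >> "$1"
    done
}

# Counterpart for the "down" hook: drop the VPN resolver file so dnsmasq
# falls back to the WAN resolvers.
remove_resolv() {
    rm -f "$1"
}

# When OpenVPN runs this as an up or down script, script_type is set.
case "${script_type:-}" in
    up)   write_resolv /tmp/resolv.conf.vpn ;;
    down) remove_resolv /tmp/resolv.conf.vpn ;;
esac
```

Install it as both /etc/openvpn/updns and /etc/openvpn/downdns (one can be a symlink to the other); script_type selects which branch runs.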

  1. All Ready!

Since we modified the firewall we need to run

Since we added a new interface we need to restart the network daemon (you will lose connectivity for a moment)

Start OpenVPN and see what happens:

When you see Initialization Sequence Completed you can press CTRL+C to exit. You can run traceroute 8.8.8.8 (or to some other IP) to see whether you pass through the VPN, or check your public IP online.

Important Remarks about testing if it works properly:

  • Always test the VPN using ping, traceroute, wget or even browsing to an IP, not to a domain name, since you may have a working VPN but non-working DNS.
  • If you reboot your router, allow 30-60 seconds for it to boot properly and bring up the Internet (important if you have extroot or a slow router), and an additional 30-60 seconds to bring up the VPN.
  1. Bonus! Enable WiFi:

If you started from scratch and want to enable WiFi (if your router is dual-band, replace [-1] with [0]):

  1. Related info: just in case the OpenVPN client file changes in the future, this is the configuration at the beginning of a working .ovpn as downloaded (it does not include any of the modifications described above):

    client
    remote 123.456.789.012 636
    dev tun
    proto tcp
    cipher AES-256-CBC
    auth SHA256
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ns-cert-type server
    comp-lzo
    key-direction 1
    verb 3
    route 123.456.789.012 255.255.255.255 net_gateway

Note: 123.456.789.012 represents the Streisand host IP

Configuration Pushed by the OpenVPN Server on Streisand Host (taken from /var/log/openvpn.log)

TODO: Add necessary code to have one WiFi Network with VPN and other without (in a few days)..

braian87

  1. Connecting clients behind the client router

Say you're a road warrior and have set up an OpenVPN connection to the server running Streisand. You might want to connect to clients on the OpenWrt LAN. To do this, on the server running Streisand:

  • Add the following line to /etc/openvpn/server.conf:
  • Create the /etc/openvpn/ccd directory

  • Create a client file in the /etc/openvpn/ccd/ directory corresponding to the client .ovpn file you used to configure your router as a client. For example, if you used XXX-XXX-XXX-XXX-direct-2.ovpn, you would create a file called /etc/openvpn/ccd/client-2.

  • Add the iroute option to that file as follows:

Here 192.168.10.0 is your LAN network; adjust it as appropriate.

I wound up replacing my existing router (which had a buggy NAT issue) with a TP-Link TL-WR1043ND running OpenWRT. It was pretty damned easy to get it all running and set it up as an in-place upgrade. However, I wanted more out of it.

What I want to do is to establish a VPN tunnel such that my VPS has some (highly restricted) access to my local network, and my local network has (nearly) unrestricted access to the VPS. I also want to have other devices (my phone) able to connect to my local network using VPN and have unrestricted access. And lastly, I want to do this with certificates (and not shared secrets). To do this, I used OpenVPN.

  • 10.0.0.0/24 - Internal LAN
  • 10.0.2.0/24 - Trusted VPN
  • 10.0.3.0/24 - Untrusted (DMZ) VPN

Package Installation and TUN Configuration

First, run the following to install the required packages;

Once that’s done, edit /etc/config/network and add a declaration of a new TUN interface;

Reboot your router, and you’ll find a new interface tun0 waiting. Now you need to set up your PKI infrastructure and generate some certs.

Configure PKI

Follow the installation instructions for easy-rsa. Once that’s done, you will have a functional self-signed CA. Go and generate some certificates like this;

For

Take server.crt and server.key and copy them into the OpenVPN configuration;

You’ve now got a basic PKI setup, and two client certificates ready to go, along with the server certificate for OpenVPN.

Configure OpenVPN Server

Edit /etc/config/openvpn like this;

You should disable the log once you’ve got everything working. What this does is the following;


  • Clients must have a matching client config entry in /etc/openvpn/clients to be able to connect
  • The server by default uses 10.0.2.0/24 for connecting clients, but also has a route for 10.0.3.0/24 down the TUN interface
  • The server pushes a route to the client for 10.0.0.0/24, along with a couple of settings that are used by Windows clients (setting local domain and DNS servers to use)

For your trusted client, create a file /etc/openvpn/clients/trustedclient which has this line in it;

This causes the trusted client to always get the IP address 10.0.2.101. Note, as per the OpenVPN documentation, in order for the ifconfig-push'ed addresses to work properly with Windows clients, they must come from the set;

Next, we repeat this with the DMZ client, but with a small change - we’ll also push the route for the trusted network. This is required because otherwise the router itself cannot contact anything in the DMZ due to the router’s interface IP being in the 10.0.2.0/24 range.

Create /etc/openvpn/clients/dmzclient as follows;

That concludes the OpenVPN server config. Now for the firewall.
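Before moving on to the firewall, a check worth scripting, as an added example that is not code from the original article: in OpenVPN's default net30 topology each client occupies its own /30, so a Windows-compatible ifconfig-push pair is the two usable hosts of one /30 (the 10.0.2.101 10.0.2.102 pair above is one), and this script validates every client file in a client-config-dir passed as its argument.

```shell
#!/bin/sh
# Added example, not code from the original article: validate that every
# "ifconfig-push <client-ip> <peer-ip>" in a client-config-dir uses a valid
# net30 pair. In OpenVPN's default net30 topology each client gets its own
# /30, and the pair must be that block's two usable hosts (offsets 1 and 2,
# e.g. 10.0.2.101 10.0.2.102), which is what Windows TAP clients require.

# Convert a dotted-quad IPv4 address to an integer.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when client $1 and peer $2 form a valid net30 pair, else 1.
net30_pair_ok() {
    c=$(ip2int "$1"); p=$(ip2int "$2")
    # client is host 1 of its /30 (c % 4 == 1); peer is the next address
    [ $((c % 4)) -eq 1 ] && [ "$p" -eq $((c + 1)) ]
}

# Check every file in ccd directory $1; print offenders, return their count.
check_ccd_dir() {
    dir=$1; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        set -- $(grep '^ifconfig-push ' "$f")
        [ $# -eq 3 ] || continue          # no (or malformed) ifconfig-push
        net30_pair_ok "$2" "$3" || {
            echo "$f: ifconfig-push $2 $3 is not a net30 pair"
            bad=$((bad + 1))
        }
    done
    return $bad
}

# Usage: ./check-ccd.sh /etc/openvpn/clients
if [ $# -eq 1 ]; then
    check_ccd_dir "$1"
fi
```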

Firewall Configuration

OpenVPN Access Port

Edit /etc/config/firewall . Up fairly high, amongst any other port forwards, add the following;

This allows your VPN to be accessible from the ‘net.

Full-Access VPN Zone

Next, we’ll create a new zone for the full-access VPN, but we’ll specify that it only applies to a specific subnet;


DMZ VPN Zone

And lastly we’ll define a new zone for the DMZ VPN along with allowed traffic. Note that this does not specify a subnet, that way any traffic that comes in on the tun network that does not match the trusted VPN falls through to the DMZ zone.

Notably, there is only a forward here from lan to dmz, that way we have to specifically allow what traffic we want to be passed from dmz to lan. Here, I allow the DMZ machine to ping into my local network, and to connect to 10.0.0.15 on port tcp/80 only.

OpenVPN Server Summary

Essentially, what we’ve done is create two network zones which are pushed out by OpenVPN. The firewall controls access between them. Which user certificate lands in which zone is determined by the IP they’re assigned by OpenVPN on connect, which is defined by the configuration file in /etc/openvpn/clients. All clients must have a config file waiting for them in this setup.

IMPORTANT - Don’t forget to add /etc/openvpn and /etc/easy-rsa to your /etc/sysupgrade.conf, otherwise you’ll lose all this on upgrading your router. That would be unfortunate.

You will require the following components to configure your client;

  • /etc/easy-rsa/keys/ca.crt
  • /etc/easy-rsa/keys/dmzclient.crt
  • /etc/easy-rsa/keys/dmzclient.key

Download those off your router and store them somewhere. Then, you’ll need to create a client.ovpn file in the same folder as follows;

In my case, the files are in /etc/openvpn, as the config shows. Notably, this config also does not pull route data from the OpenVPN server but instead sets it by itself. Then, start your VPN with

And it should all work! If not, consult the logs, and good luck!