[copy-paste] Configuring an OpenVPN server on OpenWrt

This guide is based on OpenVPN running on the stable OpenWrt «Backfire» 10.03.1 release. The aim is to show how to set up secure Internet sharing in 7 steps.

As a prerequisite, make sure the router has the correct date and time (use the «date» command to verify it). OpenVPN needs the router's real-time clock (RTC) to be accurate, because certificate validity periods are checked against it. An accurate clock can be achieved with ntpclient; check the wiki on how to install and configure ntpclient.

Installation

opkg update
opkg install openvpn openvpn-easy-rsa

Configure certificates

cd /etc/easy-rsa
vi vars

*OPTIONAL* (Comment out the following lines if you do not want your certificates to expire)

export CA_EXPIRE=3650
export KEY_EXPIRE=3650

(Change these last lines to suit your own country etc)

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"

Generate certificates

  1. OPTIONAL: Clean out the /etc/easy-rsa/keys directory and start fresh.

    clean-all
  2. Build certificates

    build-ca
    build-dh
  3. Create the server key

    build-key-server server
  4. Create client keys. Include a password since many clients may balk at a key without a password.
    Normal Keys:

    build-key client

    Alternatively, create client keys in PKCS12 Format (combines the key and ca certificate in one file)

    build-key-pkcs12 client
  5. Copy the important files to the /etc/openvpn directory, so that they are duplicated

    cd /etc/easy-rsa/keys
    cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/

Note: if a dh2048.pem file was generated instead, remember to change 1024 to 2048 in the configuration files below. It’s a good idea to make an offline backup of all the generated files in the /etc/easy-rsa/keys directory. Use a utility like WinSCP to transfer the files from the router to your computer. For SFTP support, install the SFTP server on the router:

opkg update
opkg install openssh-sftp-server

That way a SFTP client like Filezilla can be used to transfer files to and from the router.

Create OpenVPN configuration

If you are using UCI to configure your system, use this configuration file:

vi /etc/config/openvpn
config 'openvpn' 'lan'
        option 'enable' '1'
        option 'port' '1194'
        option 'proto' 'udp'
        option 'dev' 'tun'
        option 'ca' '/etc/easy-rsa/keys/ca.crt'
        option 'cert' '/etc/easy-rsa/keys/server.crt'
        option 'key' '/etc/easy-rsa/keys/server.key'
        option 'dh' '/etc/easy-rsa/keys/dh1024.pem'
        option 'ifconfig_pool_persist' '/tmp/ipp.txt'
        option 'keepalive' '10 120'
        option 'comp_lzo' 'no'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'status' '/var/log/openvpn-status.log'
        option 'verb' '3'
        option 'server' '10.0.0.0 255.255.255.0'
        option 'client_to_client' '1'
        list 'push' 'redirect-gateway def1'
        list 'push' 'dhcp-option DNS 192.168.1.1'
        list 'push' 'route 192.168.1.0 255.255.255.0'

If there are revoked certificates, also add

option 'crl_verify' '/etc/easy-rsa/keys/crl.pem'

This will create a VPN on the 10.0.0.x IP range. If you’d like to choose a different IP range, edit it accordingly. Also change the 192.168.1.1 DNS entry to the IP address of your router if different.

If you are not using UCI configuration, use this configuration file:

vi /etc/openvpn/openvpn.conf
mode server
tls-server

### network options
port 1194
proto udp
dev tun

### Certificate and key files
ca /etc/easy-rsa/keys/ca.crt
cert /etc/easy-rsa/keys/server.crt
key /etc/easy-rsa/keys/server.key
dh /etc/easy-rsa/keys/dh1024.pem

client-to-client
server 10.0.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1" # Change this to your router's LAN IP Address
push "route 192.168.1.0 255.255.255.0" # Change this to your network

### (optional) compression (Can be slow)
#comp-lzo

persist-key
persist-tun

verb 3
keepalive 10 120
log-append /var/log/openvpn/openvpn.log
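As an added example (not from the OpenWrt wiki or the OpenVPN project), the following POSIX shell script checks a server configuration, in either the UCI form or the plain openvpn.conf form shown above, for the points this section raises: the dh1024/dh2048 mismatch from the note above, referenced certificate or key files that were never copied to the router, compression left on, and a missing crl_verify. The sample configuration and placeholder key files it builds in a temporary directory are constructed for the demonstration and hold no real key material.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki: audit an OpenVPN server config for
# dh1024 vs dh2048, referenced files that do not exist, comp-lzo and a missing
# crl_verify. Works on /etc/config/openvpn (UCI) and on a plain openvpn.conf.

# Print the value of one directive, or nothing. UCI spells directives with '_'
# and quotes values; openvpn.conf uses '-' and bare values. UCI is tried first.
ovpn_get() {
    _f=$1
    _ku=$(printf '%s' "$2" | tr '-' '_')
    _kd=$(printf '%s' "$2" | tr '_' '-')
    # UCI line "option 'key' 'value'": split on single quotes, value is field 4
    _v=$(awk -F "'" -v k="$_ku" \
        '$1 ~ /^[ \t]*option[ \t]*$/ && $2 == k { print $4; exit }' "$_f")
    # plain line "key value # comment": drop the directive and any comment
    [ -n "$_v" ] || _v=$(awk -v k="$_kd" \
        '$1 == k { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); sub(/[ \t]*#.*$/, ""); print; exit }' "$_f")
    printf '%s\n' "$_v"
}

# Succeed if the directive is present at all (needed for valueless ones like comp-lzo).
ovpn_has() {
    _ku=$(printf '%s' "$2" | tr '-' '_')
    _kd=$(printf '%s' "$2" | tr '_' '-')
    awk -F "'" -v k="$_ku" '$1 ~ /^[ \t]*option[ \t]*$/ && $2 == k { f=1; exit } END { exit !f }' "$1" ||
    awk -v k="$_kd" '$1 == k { f=1; exit } END { exit !f }' "$1"
}

# Print findings, one per line, and fail if any WARN or ERROR was found.
ovpn_audit() {
    _cfg=$1
    _n=0
    _dh=$(ovpn_get "$_cfg" dh)
    case "$_dh" in
        '')     echo "WARN dh: no DH parameters configured"; _n=$((_n + 1)) ;;
        *1024*) echo "WARN dh: $_dh looks like 1024-bit parameters; generate dh2048.pem and reference it"; _n=$((_n + 1)) ;;
    esac
    # Every file the server opens at start must exist on the router
    for _k in ca cert key dh crl_verify; do
        _p=$(ovpn_get "$_cfg" "$_k")
        if [ -n "$_p" ] && [ ! -f "$_p" ]; then
            echo "ERROR $_k: referenced file $_p does not exist"
            _n=$((_n + 1))
        fi
    done
    # comp-lzo with no value, 'yes' or 'adaptive' turns compression on
    if ovpn_has "$_cfg" comp_lzo && [ "$(ovpn_get "$_cfg" comp_lzo)" != "no" ]; then
        echo "WARN comp-lzo: compression enabled; it is slow and exposes the tunnel to compression side channels"
        _n=$((_n + 1))
    fi
    ovpn_has "$_cfg" crl_verify ||
        echo "INFO crl_verify: no CRL configured, so a revoked client certificate is still accepted"
    echo "$_n problem(s) found in $_cfg"
    [ "$_n" -eq 0 ]
}

# Constructed sample: the UCI config from the guide, edited to dh2048 as the note
# suggests, but with only dh1024.pem actually generated, and compression turned on.
write_sample() {
    _d=$1
    mkdir -p "$_d/keys"
    for _f in ca.crt server.crt server.key dh1024.pem; do
        echo "constructed placeholder, not real key material" > "$_d/keys/$_f"
    done
    cat > "$_d/openvpn" <<EOF
config 'openvpn' 'lan'
        option 'enable' '1'
        option 'port' '1194'
        option 'proto' 'udp'
        option 'dev' 'tun'
        option 'ca' '$_d/keys/ca.crt'
        option 'cert' '$_d/keys/server.crt'
        option 'key' '$_d/keys/server.key'
        option 'dh' '$_d/keys/dh2048.pem'
        option 'comp_lzo' 'yes'
        option 'server' '10.0.0.0 255.255.255.0'
        list 'push' 'redirect-gateway def1'
EOF
    echo "$_d/openvpn"
}

tmp=$(mktemp -d)
cfg=$(write_sample "$tmp")
if ovpn_audit "$cfg"; then
    echo "config is clean"
else
    echo "fix the findings above before starting the server"
fi
rm -rf "$tmp"
```

On the router, run `ovpn_audit /etc/config/openvpn` or `ovpn_audit /etc/openvpn/openvpn.conf` before `/etc/init.d/openvpn start`; a non-zero exit means the server would either fail to start (missing file) or start with a weakened setup. Only awk and tr are used, both of which BusyBox provides.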

Configure the firewall

vi /etc/config/firewall
config 'include'
        option 'path' '/etc/firewall.user'

config 'rule'
        option 'target' 'ACCEPT'
        option 'name' 'VPN'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '1194'

vi /etc/firewall.user
iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables -A input_wan -p udp --dport 1194 -j ACCEPT

iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT

Autostart needed?

Start openvpn:

/etc/init.d/openvpn start

Enable openvpn so that init starts it automatically at boot:

/etc/init.d/openvpn enable

Configure the client

GNU/Linux

mkdir ~/VirtualNet

Windows: create a folder called, for example, VirtualNet in C:/Program Files.

Download ca.crt, client.crt, client.key, and dh1024.pem from /etc/easy-rsa/keys/ on the router and place them in the VirtualNet directory.

Open a text editor, add the following lines, and save the file as client.ovpn in VirtualNet:

client
tls-client
dev tun
proto udp
remote SERVER-IP 1194 # Change to your router’s External IP
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
dh dh1024.pem
#comp-lzo

persist-tun
persist-key
verb 3
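The four loose client files above can be carried as a single profile instead. As an added example (not part of the original guide), this POSIX shell function builds a client.ovpn with the contents of ca.crt, client.crt and client.key inlined in `<ca>`, `<cert>` and `<key>` blocks, which OpenVPN 2.1 and later accept in place of file paths. It assumes the file names from the guide, uses the documentation address 203.0.113.5 as a placeholder for SERVER-IP, and adds `remote-cert-tls server` (my addition, not from the page), which makes the client accept only a peer certificate issued with the server extensions that build-key-server sets, so another client's certificate from the same CA cannot be presented as the server. The `dh` line from the page is left out because DH parameters are used by the TLS server only. The PEM files the demo writes are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki: bundle the client files from
# /etc/easy-rsa/keys into one client.ovpn with inline <ca>/<cert>/<key>
# blocks. The output holds the private key, so it is created mode 600.
#
# Usage: make_client_profile KEYDIR SERVER-IP OUTFILE
# KEYDIR must contain ca.crt, client.crt and client.key (names from the guide).
make_client_profile() {
    _dir=$1
    _server=$2
    _out=$3
    for _f in ca.crt client.crt client.key; do
        [ -f "$_dir/$_f" ] || { echo "missing $_dir/$_f" >&2; return 1; }
    done
    # Create the file empty with owner-only permissions before any key bytes land in it
    ( umask 077; : > "$_out" ) || return 1
    {
        cat <<EOF
client
tls-client
dev tun
proto udp
remote $_server 1194
resolv-retry infinite
nobind
persist-tun
persist-key
verb 3
# Accept only a peer certificate issued with the server extensions
# (build-key-server), so another client's certificate cannot pose as the server.
remote-cert-tls server
EOF
        # Inline each PEM file; OpenVPN reads <tag>...</tag> blocks instead of file paths
        for _pair in ca:ca.crt cert:client.crt key:client.key; do
            _tag=${_pair%%:*}
            _file=${_pair#*:}
            echo "<$_tag>"
            cat "$_dir/$_file"
            echo "</$_tag>"
        done
    } >> "$_out"
    echo "wrote $_out"
}

# Demo with constructed placeholder PEM files (not real key material)
tmp=$(mktemp -d)
for f in ca.crt client.crt client.key; do
    printf -- '-----BEGIN PLACEHOLDER-----\n%s\n-----END PLACEHOLDER-----\n' "$f" > "$tmp/$f"
done
make_client_profile "$tmp" 203.0.113.5 "$tmp/client.ovpn"
ls -l "$tmp/client.ovpn"
rm -rf "$tmp"
```

Run it on the machine that already holds the downloaded key files, then transfer only client.ovpn; because the key is embedded, treat the profile with the same care as client.key itself and keep the offline copy of the keys as the page recommends.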