Installing OpenVPN on OpenWRT
With lots of open access points these days, it’s tempting to just connect and forget. But so much of browsing is still transmitted in the clear, without HTTPS or other forms of security, and that data is vulnerable to sniffing. One easy solution, a VPN. But why pay for a service that you can provide yourself for free?
Many people have an off-the-shelf wireless router at home, and the firmware for many of these routers can be easily upgraded in a way that adds tremendous additional functionality. Some common choices are OpenWRT, DDWRT, and Tomato. I prefer OpenWRT for ease of use and lots of functional options. In this case, I’m going to go through the steps I took to install OpenVPN on a home router running OpenWRT 14.07 (Barrier Breaker).
Here are my notes on the process.
Generating the keys
First, SSH into the server as root (you probably need to login via HTTP initially and set a root password). Then, install the relevant packages.
opkg update; opkg install openvpn-openssl openvpn-easy-rsa openssh-sftp-server
Create a clean install:
source /etc/easy-rsa/vars; clean-all
Update your information (optional).
Next, generate and install the server certificates, the TLS-auth key, the Diffie-Hellman parameters (takes forever).
build-ca build-dh build-key-server server_name openvpn --genkey --secret ta.key
And for each client, generate a new certificate.
build-key my-client1 build-key my-client2
Copy the server certs to /etc/openvpn:
cd /etc/easy-rsa/key cp ca.crt my-server.* dh*.pem ta.key /etc/openvpn
Next, transfer the client certificates to the clients. Easiest way is to SFTP into the server.
sftp firstname.lastname@example.org (or your server address) cd /etc/easy-rsa/keys get ca.crt my-client1.key my-client1.crt ta.key
Configuring the Server Network Interface
I ended up modifying a lot of these settings by hand, in the config files. Here are the important changes, but you can also see the final config files.
Create VPN interface (tunnel, tun0) via /etc/config/network.
config interface 'vpn0' option ifname 'tun0' option proto 'none' option auto '1'
Ensure that the inbound connection to the VPN can arrive, and that VPN members can communicate with the LAN and the WAN, /etc/config/firewall.
config rule option name 'Allow-OpenVPN-Inbound' option target 'ACCEPT' option src 'wan' option proto 'udp' option dest_port '1194' config forwarding option dest 'wan' option src 'vpn' config forwarding option dest 'vpn' option src 'wan' config forwarding option dest 'vpn' option src 'lan' config forwarding option dest 'wan' option src 'lan' config forwarding option dest 'lan' option src 'vpn'
OpenVPN options are configured in /etc/config/openvpn.
config openvpn 'myvpn' option enabled '1' option dev 'tun' option proto 'udp' option log '/tmp/openvpn.log' option verb '3' option ca '/etc/openvpn/ca.crt' option cert '/etc/openvpn/server.crt' option key '/etc/openvpn/server.key' option tls-auth '/etc/openvpn/ta.key' option server '10.8.0.0 255.255.255.0' option port '1194' option keepalive '10 120' option dh '/etc/openvpn/dh2048.pem' option persist_tun 1 option persist_key 1 option comp_lzo adaptive option fast_io on list 'push' 'route 192.168.100.1 255.255.255.0' list 'push' 'redirect-gateway' list 'push' 'dhcp-option DNS 188.8.131.52' list 'push' 'dhcp-option DNS 184.108.40.206' list 'push' 'dhcp-option DNS 220.127.116.11' list 'push' 'dhcp-option DNS 18.104.22.168' option 'status' '/tmp/openvpn.status'
/etc/init.d/network reload /etc/init.d/firewall reload /etc/init.d/openvpn start /etc/init.d/openvpn enable ps -w | grep openvpn ifconfig | grep tun0
Lastly, if there are any additional layers of security on top of your router, make sure port 1194 (UDP) is open to the world.
Configuring OpenVPN with a GUI in Ubuntu is relatively painless. Make sure you have the following files available on the client: ca.crt, my-client1.crt, and my-client1.key. On the main screen, enter the keys and the address in the appropriate places, the go to the advanced screen options (left right). Be sure LZO data compression is enabled, and under TLS authentication tab click the “Use additional TLS authentication,” enter ta.key as the key file, and the direction can be left blank.
For my Android based cell phone, I downloaded the “OpenVPN for Android” app, which is the not official, but I found it a little easier to configure. Create a new VPN, put in the appropriate certificates, enable LZO compression, add the server name (UDP), enable pull settings, and “Expect TLS server certificate,” and it was ready to go.
Once that is all done, you’re set and ready. Whenever you connect to an open network (or even an encrypted network with a freely available password), connect to the VPN, and everything between you and your server is encrypted and authenticated.
One other thing, if you are using a home OpenWRT router, then you’ll need a human-readable address (ie myhouse.com) for the server address. The easiest and cheapest way to do this is with a dynamic DNS address, I recommend checking out afraid.org as a place to start).