Central Seven

Science is fun!

1

Installing OpenVPN on OpenWRT

With lots of open access points these days, it’s tempting to just connect and forget. But so much of browsing is still transmitted in the clear, without HTTPS or other forms of security, and that data is vulnerable to sniffing. One easy solution, a VPN. But why pay for a service that you can provide yourself for free?

Many people have an off-the-shelf wireless router at home, and the firmware for many of these routers can be easily upgraded in a way that adds tremendous additional functionality. Some common choices are OpenWRT, DDWRT, and Tomato. I prefer OpenWRT for ease of use and lots of functional options. In this case, I’m going to go through the steps I took to install OpenVPN on a home router running OpenWRT 14.07 (Barrier Breaker).

I based on the install on OpenWRT OpenVPN Install Guide, OpenWRT OpenVPN HowTo, and OpenVPN Documentation.

Here are my notes on the process.

Generating the keys

First, SSH into the server as root (you probably need to login via HTTP initially and set a root password). Then, install the relevant packages.

opkg update; opkg install openvpn-openssl openvpn-easy-rsa openssh-sftp-server

Create a clean install:

source /etc/easy-rsa/vars; clean-all

Update your information (optional).

vi /etc/easy-rsa/vars
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"

Next, generate and install the server certificates, the TLS-auth key, the Diffie-Hellman parameters (takes forever).

build-ca
build-dh
build-key-server server_name
openvpn --genkey --secret ta.key

And for each client, generate a new certificate.

build-key my-client1
build-key my-client2

Copy the server certs to /etc/openvpn:

cd /etc/easy-rsa/key
cp ca.crt my-server.* dh*.pem ta.key /etc/openvpn

Next, transfer the client certificates to the clients. Easiest way is to SFTP into the server.

sftp root@192.168.1.1 (or your server address)
cd /etc/easy-rsa/keys
get ca.crt my-client1.key my-client1.crt ta.key

Configuring the Server Network Interface

I ended up modifying a lot of these settings by hand, in the config files. Here are the important changes, but you can also see the final config files.

Create VPN interface (tunnel, tun0) via /etc/config/network.

config interface 'vpn0'
	option ifname 'tun0'
	option proto 'none'
	option auto '1'

Ensure that the inbound connection to the VPN can arrive, and that VPN members can communicate with the LAN and the WAN, /etc/config/firewall.

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '1194'

config forwarding                       
        option dest 'wan'               
        option src 'vpn'                        
                                        
config forwarding                       
        option dest 'vpn'               
        option src 'wan'                    
                                        
config forwarding                       
        option dest 'vpn'               
        option src 'lan'                
                                        
config forwarding                       
        option dest 'wan'               
        option src 'lan'                
                                        
config forwarding                       
        option dest 'lan'               
        option src 'vpn'  

OpenVPN options are configured in /etc/config/openvpn.

config openvpn 'myvpn'
        option enabled '1'
        option dev 'tun'
        option proto 'udp'
        option log '/tmp/openvpn.log'
        option verb '3'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/server.crt'
        option key '/etc/openvpn/server.key'
        option tls-auth '/etc/openvpn/ta.key'   
        option server '10.8.0.0 255.255.255.0'
        option port '1194'
        option keepalive '10 120'
        option dh '/etc/openvpn/dh2048.pem'
        option persist_tun 1
        option persist_key 1
        option comp_lzo adaptive
        option fast_io on
        list 'push' 'route 192.168.100.1 255.255.255.0'
        list 'push' 'redirect-gateway'
        list 'push' 'dhcp-option DNS 8.8.8.8'
        list 'push' 'dhcp-option DNS 8.8.4.4'
        list 'push' 'dhcp-option DNS 208.67.222.222'
        list 'push' 'dhcp-option DNS 208.67.220.220'
        option 'status' '/tmp/openvpn.status'
/etc/init.d/network reload
/etc/init.d/firewall reload
/etc/init.d/openvpn start
/etc/init.d/openvpn enable
ps -w | grep openvpn
ifconfig | grep tun0

Lastly, if there are any additional layers of security on top of your router, make sure port 1194 (UDP) is open to the world.

Client Configuration

Configuring OpenVPN with a GUI in Ubuntu is relatively painless. Make sure you have the following files available on the client: ca.crt, my-client1.crt, and my-client1.key. On the main screen, enter the keys and the address in the appropriate places, the go to the advanced screen options (left right). Be sure LZO data compression is enabled, and under TLS authentication tab click the “Use additional TLS authentication,” enter ta.key as the key file, and the direction can be left blank.

Screenshot-Editing My_VPN

For my Android based cell phone, I downloaded the “OpenVPN for Android” app, which is the not official, but I found it a little easier to configure. Create a new VPN, put in the appropriate certificates, enable LZO compression, add the server name (UDP), enable pull settings, and “Expect TLS server certificate,” and it was ready to go.

Once that is all done, you’re set and ready. Whenever you connect to an open network (or even an encrypted network with a freely available password), connect to the VPN, and everything between you and your server is encrypted and authenticated.

One other thing, if you are using a home OpenWRT router, then you’ll need a human-readable address (ie myhouse.com) for the server address. The easiest and cheapest way to do this is with a dynamic DNS address, I recommend checking out afraid.org as a place to start).

Dantana • November 29, 2014


Next Post

Comments

  1. john May 13, 2017 - 10:22 pm Reply

    Really nice tutorial. How can i create a single file eg ovpn so it would be easier for windows or android machines to connect?

Leave a Reply

Your email address will not be published / Required fields are marked *