Thursday, April 19, 2018

Configure an OpenVPN server on OpenWrt (LEDE 17.01.4, x86-64, running under KVM/libvirt)

1- Download the LEDE 17.01.4 x86-64 "combined-ext4" image from the LEDE/OpenWrt download site (this page carries no link), check it against the sha256sums file published next to it, and decompress it:

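# Decompress the image. The original used "gzip", which would refuse to (re)compress a
# file that already ends in .gz; "gunzip" (or "gzip -d") is the intended command.
# Verify the download against the published sha256sums before this step.
$ gunzip lede-17.01.4-x86-64-combined-ext4.img.gz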

2- Create the libvirt domain definition (openwrt.xml) for virsh. The listing below shows only the devices that matter for this setup (six bridged virtio NICs, a serial console and the image as a virtio disk); libvirt also needs name, memory, vcpu and os sections, which are not shown here:
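<domain type="kvm">
  <!-- NOTE(review): libvirt also requires <name>, <memory>, <vcpu> and an <os> block
       (the <boot dev="hd"/> below belongs inside <os>); they are not shown on this page.
       Closing tags were missing from the page copy and have been restored. -->
  <clock offset="utc"/>
  <boot dev="hd"/>
  <devices>
    <!-- No listen address was given; pin VNC to loopback so the router's console is not
         reachable from the network without an SSH tunnel. -->
    <graphics type="vnc" port="-1" listen="127.0.0.1"/>
    <!-- virbr0 .. virbr5: the first bridge becomes OpenWrt's LAN, the second its WAN
         (step 4 serves DHCP on virbr1); the rest are spare. -->
    <interface type="bridge">
      <source bridge="virbr0"/>
      <model type="virtio"/>
    </interface>
    <interface type="bridge">
      <source bridge="virbr1"/>
      <model type="virtio"/>
    </interface>
    <interface type="bridge">
      <source bridge="virbr2"/>
      <model type="virtio"/>
    </interface>
    <interface type="bridge">
      <source bridge="virbr3"/>
      <model type="virtio"/>
    </interface>
    <interface type="bridge">
      <source bridge="virbr4"/>
      <model type="virtio"/>
    </interface>
    <interface type="bridge">
      <source bridge="virbr5"/>
      <model type="virtio"/>
    </interface>
    <input bus="ps2" type="mouse"/>
    <!-- console used by "virsh console" -->
    <serial type="pty">
      <target port="0"/>
    </serial>
    <!-- The original had host="" which listens on every interface of the host; an
         unauthenticated TCP serial console hands whoever connects the router's console
         login. Bind it to loopback only. -->
    <serial type="tcp">
      <source host="127.0.0.1" mode="bind" service="39180"/>
      <protocol type="raw"/>
      <target port="1"/>
    </serial>
    <disk device="disk" type="file">
      <target bus="virtio" dev="vda"/>
      <source file="/home/user1/Downloads/openwrt/lede-17.01.4-x86-64-combined-ext4.img"/>
      <driver type="raw" name="qemu"/>
    </disk>
  </devices>
</domain>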

3- Then create the VM from the XML and attach to its console (the name given to "console" must match the domain's <name> element):
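# "virsh create" starts a transient domain from the XML (typos in the original: "creaet", "vrish").
$ virsh create openwrt.xml
# the domain name must match the <name> element in openwrt.xml
$ virsh console openwrt1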

4- If nothing on the WAN bridge (virbr1) hands out addresses, run dnsmasq on the host so the OpenWrt WAN interface gets an address, a default gateway (DHCP option 3) and a DNS server (option 6):
$ dnsmasq -i virbr1 --dhcp-range=, --dhcp-option=3, --dhcp-option=6,

5- Install the OpenVPN package (and, optionally, the LuCI web interface for it):
# Package lists live in RAM on OpenWrt and are gone after a reboot, so run "update" right
# before "install". The default feeds are signature-checked by opkg; do not turn that off
# to work around a download error. luci-app-openvpn is only the web UI and is optional.
$ opkg update
$ opkg install openvpn-openssl luci-app-openvpn

6- Create the PKI (CA, server and client certificates) with easy-rsa on the administration host, not on the router:
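# Run on the admin workstation. The CA private key (keys/ca.key) must never be copied to
# the router: whoever holds it can issue client certificates. "pkitool" is easy-rsa 2.x;
# check that KEY_SIZE in ./vars is at least 2048 before building anything.
$ cd /usr/share/easy-rsa
$ mkdir keys
$ chmod 700 keys
$ touch keys/index.txt
$ echo 01 > keys/serial
$ source ./vars
$ export PATH=$PATH:/usr/share/easy-rsa
$ pkitool --initca
# --server marks the certificate for server use, which the client's "remote-cert-tls server"
# check relies on (the stray "]" in the original line was a typo)
$ pkitool --server server1
$ pkitool client1

# 1024-bit DH is considered too weak (Logjam); generate 2048 bits and point the server's
# "dh" option at this file instead of dh1024.pem
$ openssl dhparam -out keys/dh2048.pem 2048

# Shared HMAC key for tls-auth: the server config references /etc/openvpn/tls-auth.key but
# the page never created it. Every client needs the same file (direction 1).
$ openvpn --genkey --secret keys/tls-auth.key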

7- Copy ca.crt, server1.crt, server1.key, the DH parameters and the tls-auth key to /etc/openvpn on the router (e.g. with scp) and make server1.key readable by root only (chmod 600). Leave ca.key on the admin host: the router never needs it.

8- Log in to the router and run the following uci commands in its shell:
$ ssh -l root


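# Modify /etc/config/network
# Declare the tun device as an unmanaged interface so the firewall can put it in a zone.
  uci set network.vpnserver='interface'
  uci set network.vpnserver.proto='none'
  uci set network.vpnserver.ifname='ovpns0'
  # NOTE(review): a fourth line "uci set network.vpnserver.<option>='1'" lost its option
  # name in the page copy; restore it from your reference before running this block.
uci commit network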

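# Modify /etc/config/firewall
  # Accept the OpenVPN port from the WAN zone only, and only UDP, matching proto='udp' in
  # /etc/config/openvpn. The original used src='*' and proto='tcpudp', which is wider than
  # the server ever listens on.
  uci add firewall rule
  uci set firewall.@rule[-1].name='Allow-OpenVPN-Inbound'
  uci set firewall.@rule[-1].target='ACCEPT'
  uci set firewall.@rule[-1].src='wan'
  uci set firewall.@rule[-1].proto='udp'
  uci set firewall.@rule[-1].dest_port='1194'

  uci add firewall zone
  uci set firewall.@zone[-1].name='vpnserver'
  # input='ACCEPT' lets every VPN client reach the router's own services (ssh, LuCI, DNS).
  # If clients are not fully trusted, use 'REJECT' and add explicit rules for what they need.
  uci set firewall.@zone[-1].input='ACCEPT'
  uci set firewall.@zone[-1].forward='REJECT'
  uci set firewall.@zone[-1].output='ACCEPT'
  # masq='1' rewrites traffic leaving the router into the tunnel to the router's tunnel
  # address; drop it if VPN clients should see LAN hosts' real addresses.
  uci set firewall.@zone[-1].masq='1'
  uci set firewall.@zone[-1].network='vpnserver'

  # VPN clients may reach the internet through the router ...
  uci add firewall forwarding
  uci set firewall.@forwarding[-1].src='vpnserver'
  uci set firewall.@forwarding[-1].dest='wan'

  # ... and the whole LAN. Remove this forwarding if the VPN is only meant for internet egress.
  uci add firewall forwarding
  uci set firewall.@forwarding[-1].src='vpnserver'
  uci set firewall.@forwarding[-1].dest='lan'
uci commit firewall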

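# Modify /etc/config/openvpn
  uci set openvpn.vpnserver='openvpn'
  uci set openvpn.vpnserver.enabled='1'
  uci set openvpn.vpnserver.dev_type='tun'
  # the option name was lost in the page copy; the generated file later on the page shows "dev ovpns0"
  uci set openvpn.vpnserver.dev='ovpns0'
  uci set openvpn.vpnserver.port='1194'
  uci set openvpn.vpnserver.proto='udp'
  # comp_lzo deliberately left out: compressing traffic inside the tunnel enables the
  # VORACLE-style compression oracle, and OpenVPN deprecates it.
  uci set openvpn.vpnserver.keepalive='10 120'
  uci set openvpn.vpnserver.persist_key='1'
  uci set openvpn.vpnserver.persist_tun='1'
  # drop root once the tunnel is up; persist_key/persist_tun above keep restarts working
  uci set openvpn.vpnserver.user='nobody'
  uci set openvpn.vpnserver.group='nogroup'
  # the option name was lost in the page copy; the generated file shows "ca /etc/openvpn/ca.crt"
  uci set openvpn.vpnserver.ca='/etc/openvpn/ca.crt'
  uci set openvpn.vpnserver.cert='/etc/openvpn/server1.crt'
  uci set openvpn.vpnserver.key='/etc/openvpn/server1.key'
  # 1024-bit DH is considered too weak (Logjam); use a 2048-bit file from
  # "openssl dhparam -out dh2048.pem 2048" and copy it to the router
  uci set openvpn.vpnserver.dh='/etc/openvpn/dh2048.pem'
  # HMAC "firewall" on the control channel. The key must exist on the router (create it
  # with "openvpn --genkey --secret tls-auth.key") and every client needs the same file
  # with direction 1.
  uci set openvpn.vpnserver.tls_auth='/etc/openvpn/tls-auth.key 0'
  uci set openvpn.vpnserver.mode='server'
  uci set openvpn.vpnserver.tls_server='1'
  # refuse TLS below 1.2; supported by the OpenVPN 2.4 package LEDE 17.01 ships — drop if
  # your build rejects the option
  uci set openvpn.vpnserver.tls_version_min='1.2'
  # VPN address pool ("<network> <netmask>"); the value was lost in the page copy. Pick a
  # private range that does not overlap the LAN.
  uci set openvpn.vpnserver.server='<vpn-network> <vpn-netmask>'
  uci set openvpn.vpnserver.topology='subnet'
  uci set openvpn.vpnserver.route_gateway='dhcp'
  # lets VPN clients talk to each other directly, bypassing the firewall zone rules;
  # set to '0' unless that is wanted
  uci set openvpn.vpnserver.client_to_client='1'

  uci add_list openvpn.vpnserver.push='persist-key'
  uci add_list openvpn.vpnserver.push='persist-tun'
  uci add_list openvpn.vpnserver.push='topology subnet'
  uci add_list openvpn.vpnserver.push='route-gateway dhcp'
  # redirect-gateway sends all client traffic through the VPN
  uci add_list openvpn.vpnserver.push='redirect-gateway def1'
  # the arguments were lost in the page copy: the LAN network/netmask and the DNS resolver
  # clients should use while connected
  uci add_list openvpn.vpnserver.push='route <lan-network> <lan-netmask>'
  uci add_list openvpn.vpnserver.push='dhcp-option DNS <dns-ip>'
uci commit openvpn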

- Restart the service so the new /etc/config/openvpn is applied:

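# "enable" makes the service start at boot (the page never enabled it); "restart" applies
# the new /etc/config/openvpn now
$ /etc/init.d/openvpn enable
$ /etc/init.d/openvpn restart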

9- On the client, create client.conf next to ca.crt, client1.crt and client1.key (keep client1.key readable only by its owner):
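# client.conf
# "client" (= tls-client + pull) was missing; without it the client cannot complete the
# handshake with a "mode server"/tls-server peer and will not accept pushed options.
client
dev tun
proto udp
# the server's hostname/IP was lost in the page copy
remote <server-host> 1194
resolv-retry infinite
nobind
ca ca.crt
cert client1.crt
# client1.key is a secret; keep it mode 0600
key client1.key
# same HMAC key as the server's tls_auth, opposite direction (the server uses 0)
tls-auth tls-auth.key 1
# reject a server certificate that was not issued with "pkitool --server"
remote-cert-tls server
# no comp-lzo: compression inside the tunnel is deprecated (VORACLE)
verb 3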

10- Start the client:
$ openvpn --config client.conf

If it does not connect, inspect the configuration the init script generated from /etc/config/openvpn (it lives under /tmp, so it is rebuilt on every restart and edits made there do not survive) and run OpenVPN in the foreground to see its log:

$ cat /tmp/etc/openvpn-vpnserver.conf
# Generated by the init script from /etc/config/openvpn; shown here for troubleshooting.
# NOTE(review): compared with the uci block above, this file has no tls-server, tls-auth,
# server, persist-key/persist-tun or client-to-client line. Check with "uci show openvpn"
# that those options were actually stored before relying on them.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server1.crt
# NOTE(review): compression inside the tunnel is deprecated (VORACLE); prefer to drop it
comp-lzo yes
dev ovpns0
dev-type tun
# NOTE(review): 1024-bit DH is considered too weak (Logjam); 2048 bits or more is the norm
dh /etc/openvpn/dh1024.pem
keepalive 10 120
key /etc/openvpn/server1.key
mode server
port 1194
proto udp
push "comp-lzo yes"
push "persist-key"
push "persist-tun"
push "topology subnet"
push "route-gateway dhcp"
push "redirect-gateway def1"
# The route/DNS arguments were lost in the page copy, and the two pushes appear twice —
# the result of running the add_list commands a second time. Duplicates are harmless but
# the empty arguments are not: fill them in /etc/config/openvpn, not here.
push "route"
push "dhcp-option DNS"
push "route"
push "dhcp-option DNS"
route-gateway dhcp
topology subnet

-- and run it in the foreground:
# Runs as root in the foreground and logs to the terminal. Stop the service first
# ("/etc/init.d/openvpn stop"), otherwise this instance cannot bind UDP 1194 / ovpns0
# while the service's instance holds them.
$ openvpn --config /tmp/etc/openvpn-vpnserver.conf

-- Flushing the firewall is a lab-only way to rule it out: on a router whose WAN is reachable it exposes every service on every interface, so inspect the rules first and restore them immediately after any test:
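# Do NOT flush the firewall on a router with a reachable WAN: OpenWrt's fw3 does its
# filtering with rules, so with the rules gone nothing is left to reject WAN traffic and
# every service (ssh, LuCI, DNS) is exposed. (The original also misspelled "iptables".)
# To see whether the firewall is what blocks the VPN, look at the rules and the log:
$ iptables -S | grep 1194
$ logread -e firewall
# If you still flush for a quick test on the lab VM, note that "-F" only empties the filter
# table (nat rules stay), and put the rules back straight away:
$ iptables -F
$ /etc/init.d/firewall restart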
