Thursday, April 19, 2018

configure openvpn on openwrt

1- download the LEDE image (the OpenWrt project's name at the time) from the link below
https://downloads.lede-project.org/releases/17.01.4/targets/x86/64/lede-17.01.4-x86-64-combined-ext4.img.gz

Verify the download against the `sha256sums` file published in the same release directory before booting it. Note that the 17.01 release line is no longer maintained; use a current OpenWrt release for anything beyond a lab setup.

- unzip (plain `gzip` refuses to re-compress a `.gz` file; `-d` decompresses it)
$ gzip -d lede-17.01.4-x86-64-combined-ext4.img.gz

2- create the libvirt domain XML for virsh (save it as openwrt.xml, which step 3 refers to)
<domain type="kvm">
  <!-- Transient KVM guest for the LEDE x86-64 image; it is started with
       `virsh create` in step 3, so libvirt does not persist it. -->
  <name>openwrt1</name>
  <!-- No unit attribute, so libvirt reads this as KiB (roughly 2 GiB). -->
  <memory>2048576</memory>
  <clock offset="utc"/>
  <vcpu>1</vcpu>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <os>
    <type>hvm</type>
    <boot dev="hd"/>
  </os>
  <!-- Every lifecycle event tears the guest down: a `reboot` issued
       inside OpenWrt therefore powers the VM off instead of restarting it. -->
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>destroy</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <!-- Auto-assigned VNC port with no password. This relies on libvirt's
         default of listening on 127.0.0.1 only (vnc_listen in qemu.conf);
         add a passwd attribute if that default has been changed on the host. -->
    <graphics type="vnc" port="-1"/>
    <!-- Six virtio NICs, one per host bridge. virbr0 is libvirt's default
         network; step 4 serves DHCP on virbr1, which is presumably the
         bridge OpenWrt ends up using as its WAN. -->
    <interface type="bridge">
      <source bridge="virbr0"/>
      <model type="virtio"/>
    </interface>
    <interface type="bridge">
      <source bridge="virbr1"/>
      <model type="virtio"/>
    </interface>
    <interface type="bridge">
      <source bridge="virbr2"/>
      <model type="virtio"/>
    </interface>
    <interface type="bridge">
      <source bridge="virbr3"/>
      <model type="virtio"/>
    </interface>
    <interface type="bridge">
      <source bridge="virbr4"/>
      <model type="virtio"/>
    </interface>
    <interface type="bridge">
      <source bridge="virbr5"/>
      <model type="virtio"/>
    </interface>
    <input bus="ps2" type="mouse"/>
    <!-- Console reached with `virsh console openwrt1` in step 3. -->
    <serial type="pty">
      <target port="0"/>
    </serial>
    <!-- Second serial port exposed as a raw, unauthenticated TCP socket;
         keep it bound to loopback as it is here. -->
    <serial type="tcp">
      <source host="127.0.0.1" mode="bind" service="39180"/>
      <protocol type="raw"/>
      <target port="1"/>
    </serial>
    <!-- The decompressed image from step 1 is used directly as a raw disk,
         so everything the guest writes lands in the downloaded file. -->
    <disk device="disk" type="file">
      <target bus="virtio" dev="vda"/>
      <source file="/home/user1/Downloads/openwrt/lede-17.01.4-x86-64-combined-ext4.img"/>
      <driver type="raw" name="qemu"/>
    </disk>
  </devices>
</domain>
 



3- then start the VM (`virsh create` makes a transient domain: it is gone once destroyed, use `virsh define` + `virsh start` if you want it to persist)
$ virsh create openwrt.xml
$ virsh console openwrt1

4- you can run dnsmasq on the host to hand out the IP settings for the openwrt wan interface (it needs root; `--bind-interfaces` keeps it from also answering DHCP/DNS on the host's other interfaces)
$ dnsmasq -i virbr1 --bind-interfaces --dhcp-range=192.168.2.100,192.168.2.200 --dhcp-option=3,192.168.2.1 --dhcp-option=6,8.8.8.8


5- install the openvpn packages (the router needs the WAN connectivity from step 4 for this)
$ opkg update
$ opkg install openvpn-openssl luci-app-openvpn
Step 6 expects easy-rsa under /usr/share/easy-rsa; if you generate the PKI on the router itself, also install the `openvpn-easy-rsa` package.

6- create the certificates
Doing this on the router leaves the CA private key on the internet-facing device. Prefer running easy-rsa on a workstation and copying only the files listed in step 7 to the router; check KEY_SIZE in ./vars before building anything.
$ cd /usr/share/easy-rsa
$ mkdir keys
$ touch keys/index.txt
$ echo 01 > keys/serial
$ source ./vars
$ export PATH=$PATH:/usr/share/easy-rsa
$ pkitool --initca
$ pkitool --server server1
$ pkitool client1

The server configuration in step 8 also uses a static tls-auth key, which easy-rsa does not create:
$ openvpn --genkey --secret keys/tls-auth.key

$ openssl dhparam -out keys/dh1024.pem 1024
1024-bit DH parameters are below current recommendations; use `openssl dhparam -out keys/dh2048.pem 2048` and change the dh filename in steps 7 and 8 accordingly.


7- copy these files to the openwrt directory /etc/openvpn (use scp; server1.key and tls-auth.key are secrets, keep them mode 600 and never copy server1.key anywhere else)
keys/server1.crt
keys/server1.key
keys/ca.crt
keys/dh1024.pem
keys/tls-auth.key   (generate it with `openvpn --genkey --secret keys/tls-auth.key` if step 6 did not; the server config in step 8 references it, and the same file goes to every client)



8- execute the following script in an openwrt shell. LEDE ships without a root password, so set one with `passwd` on first login, before the WAN side is reachable from untrusted networks.
$ ssh 192.168.1.1 -l root


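#!/bin/sh
# Turn this LEDE/OpenWrt router into an OpenVPN server: a 'vpnserver'
# network interface on tun device ovpns0, the firewall openings for it,
# and the OpenVPN instance itself (UDP/1194, X.509 client certificates,
# tls-auth HMAC on the control channel). Run as root on the router after
# the files from step 7 are in /etc/openvpn.
#
# What this deliberately exposes, so it can be tightened on purpose:
#  - port 1194 is accepted from every zone ("*"), i.e. from the WAN;
#  - the vpnserver zone has input=ACCEPT (clients can reach the router's
#    own services, e.g. SSH/LuCI) and is forwarded to both wan and lan,
#    so every authenticated client gets full LAN access;
#  - client_to_client lets VPN peers reach each other directly.
set -eu   # stop at the first failing uci call instead of committing half a config

OVPN_DIR=/etc/openvpn

# OpenVPN refuses to start if any referenced file is missing, and the
# tls-auth key is not produced by easy-rsa, so verify before committing.
for f in ca.crt server1.crt server1.key dh1024.pem tls-auth.key; do
  if [ ! -f "$OVPN_DIR/$f" ]; then
    printf 'missing %s/%s (see steps 6 and 7)\n' "$OVPN_DIR" "$f" >&2
    exit 1
  fi
done
# Private key material only needs to be readable by root.
chmod 600 "$OVPN_DIR/server1.key" "$OVPN_DIR/tls-auth.key"

# Modify /etc/config/network: an unmanaged interface wrapping the tun device
  uci set network.vpnserver='interface'
  uci set network.vpnserver.proto='none'
  uci set network.vpnserver.ifname='ovpns0'
  uci set network.vpnserver.auto='1'
uci commit network

# Modify /etc/config/firewall
  # Accept the OpenVPN port itself. The server listens on UDP only (proto
  # below), so TCP/1194 is left closed rather than opened with 'tcpudp'.
  uci add firewall rule
  uci set firewall.@rule[-1].name='Allow-OpenVPN-Inbound'
  uci set firewall.@rule[-1].target='ACCEPT'
  uci set firewall.@rule[-1].src='*'
  uci set firewall.@rule[-1].proto='udp'
  uci set firewall.@rule[-1].dest_port='1194'

  # Zone for the tunnel. masq=1 source-NATs traffic entering the tunnel to
  # the server's tunnel address; set input='REJECT' if clients should not
  # reach the router's own services.
  uci add firewall zone
  uci set firewall.@zone[-1].name='vpnserver'
  uci set firewall.@zone[-1].input='ACCEPT'
  uci set firewall.@zone[-1].forward='REJECT'
  uci set firewall.@zone[-1].output='ACCEPT'
  uci set firewall.@zone[-1].masq='1'
  uci set firewall.@zone[-1].network='vpnserver'

  # vpnserver -> wan carries the full-tunnel traffic pushed below
  # (redirect-gateway); vpnserver -> lan is the remote-access part.
  uci add firewall forwarding
  uci set firewall.@forwarding[-1].src='vpnserver'
  uci set firewall.@forwarding[-1].dest='wan'

  uci add firewall forwarding
  uci set firewall.@forwarding[-1].src='vpnserver'
  uci set firewall.@forwarding[-1].dest='lan'
uci commit firewall

# Modify /etc/config/openvpn
  uci set openvpn.vpnserver='openvpn'
  uci set openvpn.vpnserver.enabled='1'
  uci set openvpn.vpnserver.dev_type='tun'
  uci set openvpn.vpnserver.dev='ovpns0'
  uci set openvpn.vpnserver.port='1194'
  uci set openvpn.vpnserver.proto='udp'
  # Tunnel compression is deprecated upstream and is a known
  # compression-oracle vector for traffic carried over the VPN; drop this
  # line and the pushed 'comp-lzo yes' unless a client really needs it.
  uci set openvpn.vpnserver.comp_lzo='yes'
  uci set openvpn.vpnserver.keepalive='10 120'
  # persist_key/persist_tun are required for restarts once privileges have
  # been dropped to nobody/nogroup below.
  uci set openvpn.vpnserver.persist_key='1'
  uci set openvpn.vpnserver.persist_tun='1'
  uci set openvpn.vpnserver.user='nobody'
  uci set openvpn.vpnserver.group='nogroup'
  uci set openvpn.vpnserver.ca="$OVPN_DIR/ca.crt"
  uci set openvpn.vpnserver.cert="$OVPN_DIR/server1.crt"
  uci set openvpn.vpnserver.key="$OVPN_DIR/server1.key"
  # 1024-bit DH is below current recommendations; regenerate with 2048 bits
  # (step 6) and update this path when you do.
  uci set openvpn.vpnserver.dh="$OVPN_DIR/dh1024.pem"
  # Static HMAC key, direction 0 on the server and 1 on every client:
  # packets without a valid HMAC are dropped before any TLS work is done.
  uci set openvpn.vpnserver.tls_auth="$OVPN_DIR/tls-auth.key 0"
  uci set openvpn.vpnserver.mode='server'
  uci set openvpn.vpnserver.tls_server='1'
  # Only accept peers whose certificate carries the client EKU (easy-rsa
  # issues plain 'pkitool <name>' certs that way), so a copy of the server
  # certificate cannot be used to connect as a client.
  uci set openvpn.vpnserver.remote_cert_tls='client'
  # Cipher/auth are left at OpenVPN's defaults here; pin them explicitly
  # (e.g. AES-256-GCM / SHA256) once you know what your clients support.
  uci set openvpn.vpnserver.server='192.168.200.0 255.255.255.0'
  uci set openvpn.vpnserver.topology='subnet'
  uci set openvpn.vpnserver.route_gateway='dhcp'
  uci set openvpn.vpnserver.client_to_client='1'

  # Options pushed to clients: full tunnel via the router, DNS on the
  # router's LAN address.
  uci add_list openvpn.vpnserver.push='comp-lzo yes'
  uci add_list openvpn.vpnserver.push='persist-key'
  uci add_list openvpn.vpnserver.push='persist-tun'
  uci add_list openvpn.vpnserver.push='topology subnet'
  uci add_list openvpn.vpnserver.push='route-gateway dhcp'
  uci add_list openvpn.vpnserver.push='redirect-gateway def1'
  uci add_list openvpn.vpnserver.push='route 192.168.200.0 255.255.255.0'
  uci add_list openvpn.vpnserver.push='dhcp-option DNS 192.168.1.1'
uci commit openvpn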



- restart the service (and enable it so it comes back after a reboot)

$ /etc/init.d/openvpn enable
$ /etc/init.d/openvpn restart


9- on client: configuration file:
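# OpenVPN client profile for the server built in step 8 (certificate
# authentication plus tls-auth). Place it next to ca.crt, client1.crt,
# client1.key and the tls-auth key copied from the server.
client
dev tun
proto udp
# An address from step 4's DHCP range, i.e. the router's WAN side in the
# lab; replace with the public address or hostname for real use.
remote 192.168.2.102 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
# The only credential this peer has: keep it mode 600.
key client1.key
# The server's tls_auth option (direction 0) drops packets that do not
# carry a valid HMAC with this key, so without it the handshake never
# starts; the client side uses direction 1.
tls-auth tls-auth.key 1
# Refuse a peer whose certificate lacks the server EKU, so a leaked client
# certificate cannot be used to impersonate the server.
remote-cert-tls server
# The server also pushes 'comp-lzo yes'. Tunnel compression is deprecated
# upstream and is a compression-oracle vector; prefer removing it on the
# server rather than enabling comp-lzo here.
verb 3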



10- run
$ openvpn --config client.conf


------tips---
If there is a problem you can run OpenVPN in the foreground from the generated file to see its log output directly. Note that /tmp is tmpfs and the init script regenerates this file from /etc/config/openvpn, so any edits made to it do not persist; make permanent changes with uci as in step 8.

$ cat /tmp/etc/openvpn-vpnserver.conf
client-to-client
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server1.crt
comp-lzo yes
dev ovpns0
dev-type tun
dh /etc/openvpn/dh1024.pem
keepalive 10 120
key /etc/openvpn/server1.key
mode server
port 1194
proto udp
push "comp-lzo yes"
push "persist-key"
push "persist-tun"
push "topology subnet"
push "route-gateway dhcp"
push "redirect-gateway def1"
push "route 192.168.200.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
push "route 192.168.200.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
route-gateway dhcp
server 192.168.200.0 255.255.255.0
topology subnet



-- and run it
$ openvpn --config /tmp/etc/openvpn-vpnserver.conf


-- to rule out the firewall, do not flush iptables by hand: `iptables -F` (the command was misspelled) empties only the filter table and removes every protection, on the WAN side too. Stop the firewall through its init script instead, only on an isolated test network, and restart it afterwards:
$ /etc/init.d/firewall stop
$ /etc/init.d/firewall restart
