Thursday, April 19, 2018

configure openvpn on openwrt

1- download the LEDE/OpenWrt x86-64 image from the link below
https://downloads.lede-project.org/releases/17.01.4/targets/x86/64/lede-17.01.4-x86-64-combined-ext4.img.gz

-unzip
$ gzip -d lede-17.01.4-x86-64-combined-ext4.img.gz

2- create xml file for virsh
<domain type="kvm">
  <name>openwrt1</name>
  <memory>2048576</memory>
  <clock offset="utc"/>
  <vcpu>1</vcpu>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <os>
    <type>hvm</type>
    <boot dev="hd"/>
  </os>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>destroy</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <graphics type="vnc" port="-1"/>
    <interface type="bridge">
      <source bridge="virbr0"/>
      <model type="virtio"/>
    </interface>
    <interface type="bridge">
      <source bridge="virbr1"/>
      <model type="virtio"/>
    </interface>
    <interface type="bridge">
      <source bridge="virbr2"/>
      <model type="virtio"/>
    </interface>
    <interface type="bridge">
      <source bridge="virbr3"/>
      <model type="virtio"/>
    </interface>
    <interface type="bridge">
      <source bridge="virbr4"/>
      <model type="virtio"/>
    </interface>
    <interface type="bridge">
      <source bridge="virbr5"/>
      <model type="virtio"/>
    </interface>
    <input bus="ps2" type="mouse"/>
    <serial type="pty">
      <target port="0"/>
    </serial>
    <serial type="tcp">
      <source host="127.0.0.1" mode="bind" service="39180"/>
      <protocol type="raw"/>
      <target port="1"/>
    </serial>
    <disk device="disk" type="file">
      <target bus="virtio" dev="vda"/>
      <source file="/home/user1/Downloads/openwrt/lede-17.01.4-x86-64-combined-ext4.img"/>
      <driver type="raw" name="qemu"/>
    </disk>
  </devices>
</domain>
 



3- then start the vm
$ virsh create openwrt.xml
$ virsh console openwrt1

4- you can use dnsmasq to provide the IP settings to the openwrt wan interface
$ dnsmasq -i virbr1 --dhcp-range=192.168.2.100,192.168.2.200 --dhcp-option=3,192.168.2.1 --dhcp-option=6,8.8.8.8


5- install the openvpn package
$ opkg update
$ opkg install openvpn-openssl luci-app-openvpn

6- create certificates
$ cd /usr/share/easy-rsa
$ mkdir keys
$ touch keys/index.txt
$ echo 01 > keys/serial
$ source ./vars
$ export PATH=$PATH:/usr/share/easy-rsa
$ pkitool --initca
$ pkitool --server server1
$ pkitool client1

$ openssl dhparam -out keys/dh1024.pem 1024


 7- copy the following files to the openwrt directory /etc/openvpn
keys/server1.crt
keys/server1.key
keys/ca.crt
keys/dh1024.pem



8- execute the following command on openwrt shell
$ ssh 192.168.1.1 -l root


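#!/bin/sh
# Configure an OpenWrt router as an OpenVPN server through UCI:
#   1. a 'vpnserver' network interface bound to the tun device,
#   2. a firewall rule, zone and forwardings for that interface,
#   3. the 'vpnserver' openvpn instance itself.
# Each section is committed separately. Abort on the first failing uci
# command so that a partially applied section is never committed.
set -eu

# Modify /etc/config/network
# Interface without an IP protocol of its own: OpenVPN creates ovpns0 and
# addresses it from the 'server' directive configured further down.
  uci set network.vpnserver='interface'
  uci set network.vpnserver.proto='none'
  uci set network.vpnserver.ifname='ovpns0'
  uci set network.vpnserver.auto='1'
uci commit network

# Modify /etc/config/firewall
# Inbound rule: src='*' matches traffic arriving from any zone (wan included).
# proto='tcpudp' also opens 1194/tcp although the instance below listens on
# udp only; proto='udp' would expose only the port that is actually in use.
  uci add firewall rule
  uci set firewall.@rule[-1].name='Allow-OpenVPN-Inbound'
  uci set firewall.@rule[-1].target='ACCEPT'
  uci set firewall.@rule[-1].src='*'
  uci set firewall.@rule[-1].proto='tcpudp'
  uci set firewall.@rule[-1].dest_port='1194'

# Zone for connected VPN clients: input=ACCEPT lets clients reach services on
# the router itself; forward=REJECT means clients only leave the zone through
# the explicit forwardings below; masq=1 NATs client traffic behind the router.
  uci add firewall zone
  uci set firewall.@zone[-1].name='vpnserver'
  uci set firewall.@zone[-1].input='ACCEPT'
  uci set firewall.@zone[-1].forward='REJECT'
  uci set firewall.@zone[-1].output='ACCEPT'
  uci set firewall.@zone[-1].masq='1'
  uci set firewall.@zone[-1].network='vpnserver'

# VPN clients may reach the internet (wan) and the LAN.
  uci add firewall forwarding
  uci set firewall.@forwarding[-1].src='vpnserver'
  uci set firewall.@forwarding[-1].dest='wan'

  uci add firewall forwarding
  uci set firewall.@forwarding[-1].src='vpnserver'
  uci set firewall.@forwarding[-1].dest='lan'
uci commit firewall

# Modify /etc/config/openvpn
# Create the instance section, then the listener (udp/1194 on tun device ovpns0).
  uci set openvpn.vpnserver='openvpn'
  uci set openvpn.vpnserver.enabled='1'
  uci set openvpn.vpnserver.dev_type='tun'
  uci set openvpn.vpnserver.dev='ovpns0'
  uci set openvpn.vpnserver.port='1194'
  uci set openvpn.vpnserver.proto='udp'
# NOTE(review): compressing VPN traffic enables plaintext-recovery attacks
# (VORACLE); consider leaving compression off on server and clients.
  uci set openvpn.vpnserver.comp_lzo='yes'
  uci set openvpn.vpnserver.keepalive='10 120'
  uci set openvpn.vpnserver.persist_key='1'
  uci set openvpn.vpnserver.persist_tun='1'
# Server identity: the files copied to /etc/openvpn in step 7.
  uci set openvpn.vpnserver.ca='/etc/openvpn/ca.crt'
  uci set openvpn.vpnserver.cert='/etc/openvpn/server1.crt'
  uci set openvpn.vpnserver.key='/etc/openvpn/server1.key'
# 1024-bit DH parameters are below current recommendations; generating
# 2048-bit or larger in step 6 and pointing this at that file is advisable.
  uci set openvpn.vpnserver.dh='/etc/openvpn/dh1024.pem'
# NOTE(review): tls-auth.key is neither generated in step 6 nor copied in
# step 7, and OpenVPN refuses to start if the referenced file cannot be read.
# Create it with `openvpn --genkey --secret /etc/openvpn/tls-auth.key`, copy
# it to every client and add `tls-auth tls-auth.key 1` to the client config
# of step 9 (direction 0 here, 1 on the clients).
  uci set openvpn.vpnserver.tls_auth='/etc/openvpn/tls-auth.key 0'
  uci set openvpn.vpnserver.mode='server'
  uci set openvpn.vpnserver.tls_server='1'
# Address pool handed to clients.
  uci set openvpn.vpnserver.server='192.168.200.0 255.255.255.0'
  uci set openvpn.vpnserver.topology='subnet'
  uci set openvpn.vpnserver.route_gateway='dhcp'
# client_to_client lets connected clients talk to each other directly.
  uci set openvpn.vpnserver.client_to_client='1'

# Options pushed to every client. 'redirect-gateway def1' routes all client
# traffic through the tunnel; the DNS option hands out 192.168.1.1 as
# resolver — presumably the router's LAN address (the ssh target of step 8);
# confirm for your network.
  uci add_list openvpn.vpnserver.push='comp-lzo yes'
  uci add_list openvpn.vpnserver.push='persist-key'
  uci add_list openvpn.vpnserver.push='persist-tun'
  uci add_list openvpn.vpnserver.push='topology subnet'
  uci add_list openvpn.vpnserver.push='route-gateway dhcp'
  uci add_list openvpn.vpnserver.push='redirect-gateway def1'
  uci add_list openvpn.vpnserver.push='route 192.168.200.0 255.255.255.0'
  uci add_list openvpn.vpnserver.push='dhcp-option DNS 192.168.1.1'
uci commit openvpn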



- restart the service

$ /etc/init.d/openvpn restart


9- on client: configuration file:
client
dev tun
proto udp
remote 192.168.2.102 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
verb 3



10- run
$ openvpn --config client.conf


------tips---
if there is a problem you can edit the generated openvpn config file directly and run it as shown below

$ cat /tmp/etc/openvpn-vpnserver.conf
client-to-client
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server1.crt
comp-lzo yes
dev ovpns0
dev-type tun
dh /etc/openvpn/dh1024.pem
keepalive 10 120
key /etc/openvpn/server1.key
mode server
port 1194
proto udp
push "comp-lzo yes"
push "persist-key"
push "persist-tun"
push "topology subnet"
push "route-gateway dhcp"
push "redirect-gateway def1"
push "route 192.168.200.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
push "route 192.168.200.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
route-gateway dhcp
server 192.168.200.0 255.255.255.0
topology subnet



-- and run it
$ openvpn --config /tmp/etc/openvpn-vpnserver.conf


-- if you suspect the firewall is blocking the VPN, you can flush all firewall rules for troubleshooting (this leaves the router unfiltered until the firewall is restarted)
$ iptables -F
