OpenVPN on OpenWrt for iptables noob
November 09, 2010 at 08:43 AM | categories: linux | View CommentsOpenWrt is a sweet distro for wireless routers. However, doing certain stuffs with it, e.g. setting up OpenVPN, is not an easy task. There are many wiki pages, forum threads, and blog posts to help us mortal to get OpenVPN running, but most of them involves a blood sacrifice to the God of Iptables as the mandatory first step. Iptables?? Surely there must be a less painful way?
After some trials and errors, I managed to get OpenVPN to work on OpenWrt, without typing any iptables command. Not everything can be done via the Luci web interface though, so expect to get your hands dirty with the command line. With that said, here are the steps for the typical road warrior setup (tested on Backfire 10.03).
-
SSH into the router, and install the necessary packages
opkg update opkg install openvpn luci-app-openvpn openvpn-easy-rsa
-
Apply changeset 21641 manually. The change went in on 2010-05-31, so Backfire 10.03 doesn't have it. See this forum thread for more info.
nano /etc/hotplug2-common.rules # remove the "next" line in the tun/tap section
-
Generate the keys following [this excellent guide] (http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html) from OpenVPN.
nano /etc/easy-rsa/vars # Scroll to the bottom and put in the country, province, city, organization, and email build-ca build-dh build-key-server server build-key-pkcs12 client1
-
Copy the following files into /etc/openvpn/. This is the default location, so they will get picked up automatically later.
cd /etc/easy-rsa/keys cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/
-
Copy client1.p12 to the client machine (i.e. the road warrior). The client config file should look like this:
client dev tun proto udp remote <server address> 1194 resolv-retry infinite nobind persist-key persist-tun pkcs12 client1.p12 comp-lzo verb 3 ns-cert-type server tls-client tls-remote <the common name during the build-key-server step>
-
Open Luci web interface, go to Service -> OpenVPN, and enable sample_server. Click Save & Apply.
-
Click the edit icon for sample_server. Click the Swith to advanced configuration link. Click the VPN options tab. Select Push options to peer from the Additional Field list, and click Add. Then, select custom and type route 192.168.1.0 255.255.255.0 (change this accordingly if lan is not on 192.168.1.0/24).
-
Go to Network -> Interfaces. Type vpn in the box and click Add entry. Change Protocol to none, and change Interface to tun0. Click Save & Apply.
-
Go to Network -> Firewall -> Zones. Click Add entry, and type vpn as the Name. Change Incoming Traffic and Outgoing Traffic to accept, and select vpn in the Networks list. Click Save & Apply.
-
Go to Network -> Firewall -> Traffic Control. Click the upper Add entry button twice. Select lan as Source and vpn as Destination, and then reverse the order. Click Save & Apply.
-
Go to Network -> Firewall -> Traffic Control again. Click the lower Add entry button. Type openvpn as the Name, and change Source to wan. Then, select Protocol from the Additional Field list, and click Add. Change Protocol to UDP, and type 1194 as the Destination Port. Click Save & Apply.
We are done. Once openvpn is started on the client machine, it should be able to access all the lan machines, and vice versa.