January 27

OpenVPN Road Warriors on OpenWRT (12.09 – 18.06.1)

Update and install OpenVPN and EasyRSA

opkg update
opkg install openvpn openvpn-easy-rsa

Edit /etc/easy-rsa/vars and at the end of the file fill the variables

Generate the keys/certificates for OpenVPN

build-key-server server

Generate the keys/certificates for OpenVPN (18.06.1)

cd /etc/easy-rsa/
easy-rsa init.pki
easy-rsa build-ca
easy-rsa build-dh

Build Client keys

build-key-pkcs12 client1
build-key-pkcs12 client2

Copy the needed server certificate files into /etc/openvpn/. This is the default location, so they will get picked up automatically later.

cd /etc/easy-rsa/keys 
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/ 


Create the config file

 nano /etc/config/openvpn 

config 'openvpn' 'myvpn'
        option 'enable' '1'
        option 'port' '1194'
        option 'proto' 'udp'
        option 'dev' 'tun'
        option 'client_to_client' '1' #allow clients to client connections
        option 'keepalive' '10 120'
        option 'comp_lzo' '1'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'verb' '3'
        option 'mute' '20'
        option 'ifconfig_pool_persist' '/tmp/ipp.txt'
        option 'status' '/tmp/openvpn-status.log'
        option 'ca' '/etc/openvpn/ca.crt'
        option 'cert' '/etc/openvpn/server.crt'
        option 'key' '/etc/openvpn/server.key'
        option 'dh' '/etc/openvpn/dh1024.pem'
	option 'duplicate-cn' '1' #allow same key to multiple clients
        option 'server' '' #VPN dhcp range
        list 'push' 'route' #router LAN IP
        list 'push' 'dhcp-option DNS' #router LAN IP
        list 'push' 'dhcp-option DOMAIN vpn.domain.com' # DNS suffix
        list 'push' 'redirect-gateway' #Force all traffic on VPN client through VPN tunnel

Enable and start the OpenVPN Service.

Go System-> Startup
Enable OpenVPN for startup and start the service


Part  Creating our “VPN” interface/unmanaged switch

Go to Network -> Interfaces.
Create new Interface called VPN.
Protocol: “Unmanaged”/none
Interface: tun0

Part  Create VPN Firewall Zone

Go to Network -> Firewall
Create a new zone called “VPN”.
Incoming and Outgoing Accepted. Forwarding rejected
Covered Networks: VPN

Part  Create Traffic Forward Rules to allow ALL communication between LAN and VPN zones and vice versa.

Go to Network -> Firewall -> Traffic Rules

Rule 1 Name: LAN->VPN
Source Zone: LAN
Destination Zone: VPN

Rule 2 Name:  VPN->LAN
Source Zone: VPN
Destination Zone: LAN

Rule 3 Name: OpenVPN
Protocol: UDP
Source: WAN
Destination Port: 1194
Destination Zone: Device


Add the following to firewall.user

iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables -A input_wan -p udp --dport 1194 -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT


Use WinSCP to connect to the router via SCP protocol
Grab /etc/easy-rsa/keys/client1.p12 and drop it into the OpenVPN client config(s) folder.

Generate the client connection config file and save it same place you saved the client certificate. The file can be named “Connection.ovpn”.

proto udp
dev tun

remote [YOUR IP or Internet Accessible Address] 1194 #Edit in the brackets to fit your IP/hostname and then remove the brackets
pkcs12 client1.p12

ns-cert-type server
resolv-retry infinite
verb 3
mute 10



Source:  OpenWRT Forums


Tags: , ,
Copyright © 1998. All rights reserved.

Posted January 27, 2014 by RaNd in category "Uncategorized

Select comment form

Loading Facebook Comments ...

Leave a Reply

Your email address will not be published. Required fields are marked *

20 − 6 =