
OPENVPN on LEDE Notes

Now that we have a recent version of the operating system, OpenVPN seems to work as advertised. These notes follow the instructions at https://lede-project.org/docs/user-guide/openvpn.server. Much of the heavy lifting is done by easy-rsa and MakeOpenVPN.sh.

The client setups fail if you use an empty passphrase, which is good. On the other hand, in my initial attempts I could not get the server certificates to work with one. When in doubt, read the documentation sections on the old OpenWrt site. It provides a little more depth, but there still are some missing pieces that require more exploration (https://wiki.openwrt.org/doc/howto/vpn.openvpn#tab__using_openssl_commands_most_secure).

For the client I used Tunnelblick, which works well and takes the .ovpn configuration files created by this process.

Sample Install

Follow the bouncing prompt using the LEDE user guide.

root@mullein:~# opkg update && opkg install openvpn-openssl openvpn-easy-rsa luci-app-openvpn
Downloading ..... 
.....note additional dependencies.....
Configuring kmod-tun.
Configuring zlib.
Configuring libopenssl.
Configuring openssl-util.
Configuring liblzo.
Configuring openvpn-openssl.
Configuring openvpn-easy-rsa.
Configuring luci-app-openvpn.
root@mullein:~# cd /etc/easy-rsa
root@mullein:/etc/easy-rsa# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/easy-rsa/keys
root@mullein:/etc/easy-rsa# clean-all
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/easy-rsa/keys
root@mullein:/etc/easy-rsa# build-ca
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/easy-rsa/keys
Generating a 2048 bit RSA private key
..................+++
............................................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:OR
Locality Name (eg, city) [SanFrancisco]:Portland
Organization Name (eg, company) [Fort-Funston]:SuspectDevices
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:3dAngst
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:mullein
Name [EasyRSA]:mullein
Email Address [me@myhost.mydomain]:don@suspectdevices.com

Plan on the next step taking a long time: build-dh generates 2048-bit Diffie-Hellman parameters on the router's CPU, which can take long enough that your SSH session drops, so you will probably have to reconnect and pick up where you were. Running it under nohup avoids losing the work; alternatively, since DH parameters are not secret, generate them on a faster machine with `openssl dhparam -out dh2048.pem 2048` and copy the file into /etc/easy-rsa/keys/.

root@mullein:/etc/easy-rsa# build-dh
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/easy-rsa/keys
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.... 
.... They are not kidding ....
.........................................................................+.....++*++*

Continue to follow the bouncing prompt. build-key-server signs the request with easy-rsa's `server` extension section (nsCertType=server and extendedKeyUsage=serverAuth), which is what lets a client tell the real server certificate apart from any other certificate this CA has signed; certificates made with plain build-key do not get it. Note that everything, including the CA private key ca.key, now sits in /etc/easy-rsa/keys on the router: anyone who can read that file can issue certificates your server will trust, so back it up, keep it out of every client bundle, and consider moving it off the router once your certificates are issued.

root@mullein:/etc/easy-rsa# build-key-server mullein
..... answer the questions ....
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'OR'
localityName          :PRINTABLE:'Portland'
organizationName      :PRINTABLE:'SuspectDevices'
organizationalUnitName:PRINTABLE:'3dAngst'
commonName            :PRINTABLE:'mullein'
name                  :PRINTABLE:'mullein'
emailAddress          :IA5STRING:'don@suspectdevices.com'
Certificate is to be certified until Oct 23 23:46:35 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@mullein:/etc/easy-rsa# openvpn --genkey --secret /etc/easy-rsa/keys/ta.key

Set up the network and firewall rules. Only UDP 1194 is opened on the wan side. The vpn zone accepts input (clients can reach the router's own services) and forwards to both lan and wan, so a connected client gets the same reach as a LAN host; set `input` to REJECT or drop the vpn-to-wan forwarding if you only want LAN access over the tunnel.

root@mullein:/etc/easy-rsa# uci set network.vpn0="interface"
root@mullein:/etc/easy-rsa# uci set network.vpn0.ifname="tun0"
root@mullein:/etc/easy-rsa# uci set network.vpn0.proto="none"
root@mullein:/etc/easy-rsa# uci set network.vpn0.auto="1"
root@mullein:/etc/easy-rsa# uci commit network
root@mullein:/etc/easy-rsa# uci add firewall rule
cfg1892bd
root@mullein:/etc/easy-rsa# uci set firewall.@rule[-1].name="Allow-OpenVPN-Inbound"
root@mullein:/etc/easy-rsa# uci set firewall.@rule[-1].target="ACCEPT"
root@mullein:/etc/easy-rsa# uci set firewall.@rule[-1].src="wan"
root@mullein:/etc/easy-rsa# uci set firewall.@rule[-1].proto="udp"
root@mullein:/etc/easy-rsa# uci set firewall.@rule[-1].dest_port="1194"
root@mullein:/etc/easy-rsa# uci add firewall zone
cfg19dc81
root@mullein:/etc/easy-rsa# uci set firewall.@zone[-1].name="vpn"
root@mullein:/etc/easy-rsa# uci set firewall.@zone[-1].input="ACCEPT"
root@mullein:/etc/easy-rsa# uci set firewall.@zone[-1].forward="ACCEPT"
root@mullein:/etc/easy-rsa# uci set firewall.@zone[-1].output="ACCEPT"
root@mullein:/etc/easy-rsa# uci set firewall.@zone[-1].masq="1"
root@mullein:/etc/easy-rsa# uci set firewall.@zone[-1].network="vpn0"
root@mullein:/etc/easy-rsa# uci add firewall forwarding
cfg1aad58
root@mullein:/etc/easy-rsa# uci set firewall.@forwarding[-1].src="vpn"
root@mullein:/etc/easy-rsa# uci set firewall.@forwarding[-1].dest="wan"
root@mullein:/etc/easy-rsa# uci add firewall forwarding
cfg1bad58
root@mullein:/etc/easy-rsa# uci set firewall.@forwarding[-1].src="vpn"
root@mullein:/etc/easy-rsa# uci set firewall.@forwarding[-1].dest="lan"
root@mullein:/etc/easy-rsa# uci commit firewall
root@mullein:/etc/easy-rsa# /etc/init.d/network reload
....
root@mullein:/etc/easy-rsa# /etc/init.d/firewall reload
....

Check that IP forwarding is enabled (it should read 1):

root@mullein:/etc/easy-rsa# cat /proc/sys/net/ipv4/ip_forward
1

Edit /etc/config/openvpn, then enable and start the daemon. The configuration below is the LEDE guide's server config: `tls_auth` with key direction 0 (clients use 1), compression off, `redirect-gateway def1` pushed so all client traffic goes through the tunnel, and the process dropping to nobody/nogroup after start. No explicit `cipher` is set; OpenVPN 2.4 peers negotiate the data-channel cipher (AES-256-GCM by default), and the log shows which one was chosen when a client connects, so check it there.

root@mullein:/etc/easy-rsa# nano /etc/config/openvpn
... add the following (change name, cert, and key to match your server) ...
##########################################################
# https://lede-project.org/docs/user-guide/openvpn.server
##########################################################
config openvpn 'mullein'
    option enabled '1'
    option dev 'tun'
    option port '1194'
    option proto 'udp'
    option status '/var/log/openvpn_status.log'
    option log '/tmp/openvpn.log'
    option verb '3'
    option mute '5'
    option keepalive '10 120'
    option persist_key '1'
    option persist_tun '1'
    option user 'nobody'
    option group 'nogroup'
    option ca '/etc/easy-rsa/keys/ca.crt'
    option cert '/etc/easy-rsa/keys/mullein.crt'
    option key '/etc/easy-rsa/keys/mullein.key'
    option dh '/etc/easy-rsa/keys/dh2048.pem'
    option mode 'server'
    option tls_server '1'
    option tls_auth '/etc/easy-rsa/keys/ta.key 0'
    option server '10.9.0.0 255.255.255.0'
    option topology 'subnet'
    option route_gateway 'dhcp'
    option client_to_client '1'
    list push 'persist-key'
    list push 'persist-tun'
    list push 'redirect-gateway def1'
    # allow your clients to access to your network
    list push 'route 192.168.2.0 255.255.255.0'
    # push DNS to your clients
    list push 'dhcp-option DNS 192.168.2.1'
    option comp_lzo 'no'


root@mullein:/etc/easy-rsa# /etc/init.d/openvpn start
root@mullein:/etc/easy-rsa# /etc/init.d/openvpn enable
root@mullein:/etc/easy-rsa# cat  /tmp/openvpn.log
...
Thu Oct 26 00:22:46 2017 OpenVPN 2.4.3 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
....
Thu Oct 26 00:22:46 2017 MULTI: multi_init called, r=256 v=256
Thu Oct 26 00:22:46 2017 IFCONFIG POOL: base=10.9.0.2 size=252, ipv6=0
Thu Oct 26 00:22:46 2017 Initialization Sequence Completed
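The status file named by `option status` above is the quickest way to see who is on the VPN. What follows is an added example, not part of the LEDE guide or this page: a small awk parser for OpenVPN's default (status-version 1) status file, run here against a constructed sample whose client names, addresses (documentation ranges) and byte counts are made up; on the router you would call `list_clients /var/log/openvpn_status.log`.

```sh
#!/bin/sh
# Added example (not from this page or the LEDE guide): summarise OpenVPN's
# default status file (status-version 1). The sample below is constructed;
# on the router, run: list_clients /var/log/openvpn_status.log
set -eu

SAMPLE_STATUS=$(mktemp)
cat > "$SAMPLE_STATUS" <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Oct 26 00:40:12 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
viscious,203.0.113.7:51234,48213,917400,Thu Oct 26 00:25:01 2017
knight,198.51.100.9:40022,1200,3300,Thu Oct 26 00:39:50 2017
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.9.0.2,viscious,203.0.113.7:51234,Thu Oct 26 00:40:10 2017
10.9.0.3,knight,198.51.100.9:40022,Thu Oct 26 00:40:11 2017
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF

# list_clients FILE: one line per connected client, in the order the server
# lists them:  <common name> <virtual ip> <real address> <bytes in> <bytes out>
# The CLIENT LIST section carries the counters and the ROUTING TABLE section
# the tunnel address; they are joined on the common name.
list_clients() {
    awk -F, '
        /^OpenVPN CLIENT LIST/ { section = "clients"; next }
        /^ROUTING TABLE/       { section = "routes";  next }
        /^GLOBAL STATS/        { section = "";        next }
        /^(Updated|Common Name|Virtual Address),/ { next }
        section == "clients" && NF >= 5 {
            real[$1] = $2; rx[$1] = $3; tx[$1] = $4; order[++n] = $1
        }
        section == "routes" && NF >= 4 { vip[$2] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                cn = order[i]
                printf "%s %s %s %s %s\n", cn, ((cn in vip) ? vip[cn] : "-"),
                       real[cn], rx[cn], tx[cn]
            }
        }' "$1"
}

# client_count FILE: number of connected clients.
client_count() {
    list_clients "$1" | wc -l | tr -d ' '
}

# unexpected_sources FILE PREFIX: common names of clients whose real address
# does not start with PREFIX (e.g. the network your laptops normally sit on).
unexpected_sources() {
    list_clients "$1" | awk -v p="$2" 'index($3, p) != 1 { print $1 }'
}

list_clients "$SAMPLE_STATUS"
```

`unexpected_sources` is a crude change-detection hook: give it the address prefix your clients normally connect from and anything else stands out; `client_count` is the number you would graph or alert on. A client that appears in the CLIENT LIST but has no ROUTING TABLE entry yet (shown as `-`) is still in the handshake.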
...

Create the client certificate. build-key-pkcs12 also writes a donathome.p12 bundle (that is what the export password prompts are for); the .ovpn workflow below does not use it. The challenge password and optional company name are CSR attributes that OpenVPN never looks at; the passphrase that protects the client is the one entered when re-encrypting the key with `openssl rsa`. That command wraps the key with 3DES; `-aes256` in place of `-des3` gives an AES-256 wrapped key and is otherwise identical, but MakeOpenVPN.sh looks for the `<client>.3des.key` filename, so keep the name or adjust the script.

root@mullein:~# cd /etc/easy-rsa/
root@mullein:/etc/easy-rsa# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/easy-rsa/keys
root@mullein:/etc/easy-rsa# build-key-pkcs12 donathome
...
writing new private key to 'donathome.key'
....
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:OR
Locality Name (eg, city) [SanFrancisco]:Portland
Organization Name (eg, company) [Fort-Funston]:SuspectDevices
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:3dAngst
Common Name (eg, your name or your server's hostname) [donathome]:viscious
Name [EasyRSA]:DonAtHome
Email Address [me@myhost.mydomain]:don@suspectdevices.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:XXXXXXXXXXXX
An optional company name []:Its Late
...
Certificate is to be certified until Oct 24 02:49:46 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Enter Export Password:
Verifying - Enter Export Password:
root@mullein:/etc/easy-rsa# openssl rsa -in /etc/easy-rsa/keys/donathome.key -des3 -out /etc/easy-rsa/keys/donathome.3des.key
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
root@mullein:/etc/easy-rsa#
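Before building a client bundle it is worth confirming that the certificates easy-rsa produced carry what the client-side check relies on: only the server certificate should be marked as a server (nsCertType=server and extendedKeyUsage=serverAuth, which is what `build-key-server` adds and what `ns-cert-type server` / `remote-cert-tls server` verify), each private key should match its certificate, and the client key you hand out should be encrypted. The script below is an added example and not part of this page or of easy-rsa: it builds a throwaway CA, server and client certificate with plain openssl commands (the names `mullein` and `donathome` are reused from above, the passphrase `demo` is made up) and runs the checks against them. On a real install, point the check functions at the files in /etc/easy-rsa/keys.

```sh
#!/bin/sh
# Added example (not from this page or easy-rsa): consistency checks for an
# easy-rsa style OpenVPN PKI, plus a throwaway demo PKI to run them against.
# On a real install, point the check functions at /etc/easy-rsa/keys.
set -eu

# cert_is_server CERT: succeeds if CERT carries a marker that a client's
# "ns-cert-type server" (Netscape cert type SSL Server) or "remote-cert-tls
# server" (extendedKeyUsage serverAuth) check would accept.
cert_is_server() {
    openssl x509 -in "$1" -noout -text |
        grep -Eq 'SSL Server|TLS Web Server Authentication'
}

# verify_chain CA CERT: succeeds if CERT was issued by CA and is within its
# validity period.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert CERT KEY [PASSPHRASE]: succeeds if the RSA modulus in KEY is
# the one in CERT (catches mis-renamed keys such as mullien vs mullein).
key_matches_cert() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus)
    key_mod=$(openssl rsa -in "$2" -noout -modulus -passin "pass:${3:-}" 2>/dev/null || true)
    [ -n "$key_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# key_is_encrypted KEY: succeeds if the PEM is passphrase protected, in either
# the traditional "Proc-Type: 4,ENCRYPTED" form or PKCS#8 "ENCRYPTED PRIVATE KEY".
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# make_demo_pki DIR: a demo CA, a server cert with the same extensions easy-rsa's
# "server" section adds, a client cert without them, and an AES-256 wrapped copy
# of the client key (passphrase "demo"). Demo material only, never reuse it.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ext.cnf" <<'EOF'
[server]
basicConstraints = CA:FALSE
nsCertType = server
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
[client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=demo CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    for role in server:mullein client:donathome; do
        ext=${role%%:*}; name=${role#*:}
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
        openssl x509 -req -days 3650 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
            -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/ext.cnf" \
            -extensions "$ext" -out "$dir/$name.crt" >/dev/null 2>&1
    done
    # The page's "openssl rsa -des3" step, with AES-256 in place of 3DES.
    openssl rsa -in "$dir/donathome.key" -aes256 -passout pass:demo \
        -out "$dir/donathome.aes.key" 2>/dev/null
}

# check_pki DIR: runs every check against the demo layout, prints one verdict
# per check and returns nonzero if any of them failed.
check_pki() {
    dir=$1; failed=0
    report() { if "$@"; then echo "ok   $*"; else echo "FAIL $*"; failed=1; fi; }
    report verify_chain "$dir/ca.crt" "$dir/mullein.crt"
    report verify_chain "$dir/ca.crt" "$dir/donathome.crt"
    report cert_is_server "$dir/mullein.crt"
    report key_matches_cert "$dir/mullein.crt" "$dir/mullein.key"
    report key_matches_cert "$dir/donathome.crt" "$dir/donathome.aes.key" demo
    report key_is_encrypted "$dir/donathome.aes.key"
    # A client cert must NOT look like a server, or it could impersonate one.
    if cert_is_server "$dir/donathome.crt"; then echo "FAIL client cert marked as server"; failed=1; fi
    return $failed
}
```

The last check in `check_pki` is the one that matters most for `ns-cert-type server`: the option only protects you if no client certificate signed by your CA also carries the server marker, which is why client certificates go through build-key or build-key-pkcs12 and never through build-key-server.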

MakeOpenVPN.sh script (install missing dependencies)

root@mullein:/etc/easy-rsa# cd keys
root@mullein:/etc/easy-rsa/keys# wget https://gist.githubusercontent.com/ivanmarban/57561e2bacf3b3a709426d353d2b6584/raw/30bf3c86fbc95a0a5d53d0aac348bcebdc9aa2eb/MakeOpenVPN.sh -O /etc/easy-rsa/keys/MakeOpenVPN.sh
wget: SSL support not available, please install one of the libustream-ssl-* libraries as well as the ca-bundle and ca-certificates packages.
root@mullein:/etc/easy-rsa/keys# opkg update && opkg install libustream-openssl ca-certificates 
...
root@mullein:/etc/easy-rsa/keys# wget https://gist.githubusercontent.com/ivanmarban/57561e2bacf3b3a709426d353d2b6584/raw/30bf3c86fbc95a0a5d53d0aac348bcebdc9aa2eb/MakeOpenVPN.sh -O /etc/easy-rsa/keys/MakeOpenVPN.sh
Downloading 'https://gist.githubusercontent.com/ivanmarban/57561e2bacf3b3a709426d353d2b6584/raw/30bf3c86fbc95a0a5d53d0aac348bcebdc9aa2eb/MakeOpenVPN.sh'
Connecting to 151.101.52.133:443
Writing to '/etc/easy-rsa/keys/MakeOpenVPN.sh'
/etc/easy-rsa/keys/M 100% |*******************************|  1839   0:00:00 ETA
Download completed (1839 bytes)
root@mullein:/etc/easy-rsa/keys# chmod oug+x MakeOpenVPN.sh

Configure and run the script. Default.txt holds the client options the script writes first; it then appends ca.crt, the client certificate, the encrypted client key and ta.key as inline <ca>, <cert>, <key> and <tls-auth> blocks, so the resulting donathome.ovpn is a complete credential bundle and should be handed over as one (the key is passphrase protected, but the ta.key inside it is a shared secret for every peer). `key-direction 1` must be the opposite of the server's `tls_auth ... 0`. `ns-cert-type server` is what stops another client certificate from this CA from impersonating the server; it is deprecated in OpenVPN 2.4 and removed in 2.5, so for newer clients use `remote-cert-tls server` instead, which easy-rsa's server certificate also satisfies. Review the script before running it as root; its raw URL pins a specific gist revision, so a re-download returns the same 1839 bytes.

root@mullein:/etc/easy-rsa/keys# nano Default.txt
... Add the following, Adjust host name accordingly ....
client
dev tun
proto udp
remote mullein.suspectdevices.com 1194
resolv-retry infinite
nobind
mute-replay-warnings
ns-cert-type server
key-direction 1
verb 1
mute 20
comp-lzo no
root@mullein:/etc/easy-rsa/keys# ./MakeOpenVPN.sh 
Please enter an existing Client Name:
donathome
Client's cert found: donathome
Client's Private Key found: donathome.3des.key
CA public Key found: ca.crt
tls-auth Private Key found: ta.key
Done! donathome.ovpn Successfully Created.
root@mullein:/etc/easy-rsa/keys# ls
01.pem              ca.crt              donathome.key       index.txt.old       mullein.key         myvpn.key
02.pem              ca.key              donathome.ovpn      knight.crt          mullien.crt         serial
03.pem              dh2048.pem          donathome.p12       knight.csr          mullien.csr         serial.old
04.pem              donathome.3des.key  index.txt           knight.key          mullien.key         ta.key
Default.txt         donathome.crt       index.txt.attr      mullein.crt         myvpn.crt
MakeOpenVPN.sh      donathome.csr       index.txt.attr.old  mullein.csr         myvpn.csr
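Before copying donathome.ovpn to a client it is worth linting it, since the file carries every credential at once. The script below is an added example (not part of MakeOpenVPN.sh or this page) that checks a profile for the inline blocks the script is supposed to embed, a passphrase-protected key, a `key-direction` that complements the server's, compression off, and some form of server-certificate check, warning about the deprecated `ns-cert-type`. The sample profile it runs against is constructed: the option lines are the Default.txt from above and the PEM bodies are placeholders, not real certificates or keys.

```sh
#!/bin/sh
# Added example (not from MakeOpenVPN.sh or this page): lint an OpenVPN client
# profile before handing it out. SAMPLE_OVPN is a constructed stand-in for
# donathome.ovpn with placeholder PEM bodies; lint a real file the same way.
set -eu

SAMPLE_OVPN=$(mktemp)
cat > "$SAMPLE_OVPN" <<'EOF'
client
dev tun
proto udp
remote mullein.suspectdevices.com 1194
resolv-retry infinite
nobind
mute-replay-warnings
ns-cert-type server
key-direction 1
verb 1
mute 20
comp-lzo no
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

PLACEHOLDER
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
EOF

# has_block FILE TAG: the inline <TAG> ... </TAG> block is present and closed.
has_block() {
    grep -q "^<$2>\$" "$1" && grep -q "^</$2>\$" "$1"
}

# option_value FILE OPTION: first value of a one-argument option, empty if absent.
option_value() {
    awk -v opt="$2" '$1 == opt { print $2; exit }' "$1"
}

# inline_key_is_encrypted FILE: the <key> block carries a passphrase-protected
# PEM ("Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY").
inline_key_is_encrypted() {
    awk '/^<key>$/ { inkey = 1 } inkey && /ENCRYPTED/ { found = 1 }
         /^<\/key>$/ { inkey = 0 } END { exit !found }' "$1"
}

# lint_profile FILE SERVER_KEY_DIRECTION: prints findings; returns nonzero on a
# FAIL. WARN lines (deprecated or merely recommended settings) do not fail it.
lint_profile() {
    f=$1; server_dir=${2:-0}; rc=0
    [ -n "$(option_value "$f" remote)" ] || { echo "FAIL no remote"; rc=1; }
    for tag in ca cert key tls-auth; do
        has_block "$f" "$tag" || { echo "FAIL missing <$tag> block"; rc=1; }
    done
    inline_key_is_encrypted "$f" || { echo "FAIL client key is not passphrase protected"; rc=1; }
    kd=$(option_value "$f" key-direction)
    case "$server_dir:$kd" in
        0:1|1:0) ;;
        *) echo "FAIL key-direction '$kd' does not complement server direction $server_dir"; rc=1 ;;
    esac
    [ "$(option_value "$f" comp-lzo)" = "no" ] || echo "WARN compression should be off (comp-lzo no)"
    grep -q '^remote-cert-tls server' "$f" || grep -q '^ns-cert-type server' "$f" \
        || { echo "FAIL no server certificate check (remote-cert-tls server)"; rc=1; }
    grep -q '^ns-cert-type' "$f" && echo "WARN ns-cert-type is deprecated; use remote-cert-tls server on OpenVPN 2.5+"
    return $rc
}

lint_profile "$SAMPLE_OVPN" 0
```

Run against the constructed sample with the server's key direction (0, as in the config above) the lint passes with one WARN for `ns-cert-type`; passing 1 instead makes it fail, which is the mistake this catches when a server config and Default.txt are edited independently.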

Links

  • https://help.my-private-network.co.uk/support/solutions/articles/24000005597-openwrt-lede-openvpn-setup
  • https://lede-project.org/docs/user-guide/openvpn.server#setup_clients
  • https://steemit.com/openwrt/@rbrthnk/vpn-pptp-router-with-openwrt-lede-tutorial-super-easy
  • https://lede-project.org/docs/user-guide/tunneling_interface_protocols
  • https://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server
  • https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server
  • http://connect.rbhs.rutgers.edu/vpn/Mac_OSX_Native_VPN_Client_Overview.pdf
  • http://cookbook.fortinet.com/ipsec-vpn-native-mac-os-client-54/
  • https://www.howtogeek.com/216209/how-to-connect-your-mac-to-any-vpn-and-automatically-reconnect/
  • https://tunnelblick.net/cInstall.html
  • https://forum.lede-project.org/t/configuring-lede-router-with-a-pppoe-modem-router/5348/2
  • https://wiki.openwrt.org/doc/howto/openconnect-setup
  • https://wiki.gavowen.ninja/doku.php?id=lede:openconnect#tab__pki_templates
  • https://lede-project.org/docs/user-guide/openvpn.server
  • https://wiki.openwrt.org/doc/howto/vpn.openvpn#tab__traditional_tun_client