http://wiki.openwrt.org/doc/howto/vpn.openvpn
opkg update
opkg install openvpn openvpn-easy-rsa
Or, if you prefer to configure OpenVPN via the GUI:
opkg install luci-app-openvpn
/etc/easy-rsa/vars
export EASY_RSA="/etc/easy-rsa"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`/usr/sbin/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CZ"
export KEY_PROVINCE=""
export KEY_CITY="Praha"
export KEY_ORG=""
export KEY_EMAIL="jan.faix@gmail.com"
export KEY_CN=home-router
export KEY_NAME="Jan Faix"
export KEY_OU=""
Build your certificates:
clean-all
build-ca
build-dh
Create the server key:
build-key-server server
Create a client key for each person who will connect:
build-key jan
PKCS12 Format (combines the key and ca certificate in one file):
build-key-pkcs12 jan
Copy the files the server needs into the /etc/openvpn directory (the originals stay in /etc/easy-rsa/keys):
cd /etc/easy-rsa/keys
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/
Copy ca.crt and the client crt/key files off the router and onto the machines that will be connecting.
Client Config
client
remote faix.homelinux.net
port 1194
proto udp
dev tap
ns-cert-type server
persist-key
persist-tun
ca ca.crt
cert jan.crt
key jan.key
comp-lzo
verb 4
auth-user-pass
Modify your firewall
/etc/config/firewall
config 'rule'
option 'target' 'ACCEPT'
option 'dest_port' '1194'
option 'src' 'wan'
option 'proto' 'tcpudp'
option 'family' 'ipv4'
option '_name' 'openvpn'
/etc/init.d/firewall restart
Restrict your DHCP leases
/etc/config/dhcp
config 'dhcp' 'lan'
option 'interface' 'lan'
option 'start' '11'
option 'limit' '20'
option 'leasetime' '12h'
list 'dhcp_option' '6,8.8.8.8,8.8.4.4'
/etc/init.d/dnsmasq restart
Create the server configuration
/etc/config/openvpn
config 'openvpn' 'lan'
option 'enable' '1'
option 'port' '1194'
option 'proto' 'udp'
option 'dev' 'tap0'
option 'ca' '/etc/openvpn/ca.crt'
option 'cert' '/etc/openvpn/server.crt'
option 'key' '/etc/openvpn/server.key'
option 'dh' '/etc/openvpn/dh1024.pem'
option 'keepalive' '10 120'
option 'comp_lzo' '1'
option 'persist_key' '1'
option 'persist_tun' '1'
option 'status' '/tmp/openvpn-status.log'
option 'log_append' '/var/log/openvpn.log'
option 'verb' '4'
option 'up' '/etc/openvpn/bridge-start.sh'
option 'down_pre' '1'
option 'server_bridge' '192.168.122.30 255.255.255.224 192.168.122.22 192.168.122.29'
option 'down' '/etc/openvpn/bridge-stop.sh'
Note that addresses 192.168.122.22 to 192.168.122.29 are reserved for your VPN clients.
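On a bridged setup LAN hosts get addresses from the dnsmasq pool while VPN clients get them from the server_bridge range, so the lease range, the VPN range and the router's own address must not overlap. The following check, added here and not part of the original page, computes the lease range the way OpenWrt derives it from 'start' and 'limit' and reports any overlap (with the values above it reports the .11-.30 lease pool overlapping the .22-.29 VPN range and the router's .30). Function names are hypothetical and the values are copied from the configuration sections above.

```shell
#!/bin/sh
# Added sanity check (not from the original page): the dnsmasq lease pool,
# the server_bridge client pool and the router address all share one subnet
# on the bridge, so an overlap means two hosts can be handed the same address.

ip2int() {   # A.B.C.D -> unsigned 32-bit integer
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {   # integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# ranges_overlap LO1 HI1 LO2 HI2: true when the two closed integer ranges intersect
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_pools ROUTER_IP NETMASK DHCP_START DHCP_LIMIT VPN_START VPN_END
# DHCP_START is OpenWrt's 'start' offset from the network address and DHCP_LIMIT
# the pool size, so dnsmasq leases net+start .. net+start+limit-1.
# Prints one line per finding; returns 1 on any conflict, 0 when clean.
check_pools() {
    router=$(ip2int "$1"); mask=$(ip2int "$2")
    net=$(( router & mask )); bcast=$(( net | (mask ^ 4294967295) ))
    dhcp_lo=$(( net + $3 )); dhcp_hi=$(( dhcp_lo + $4 - 1 ))
    vpn_lo=$(ip2int "$5"); vpn_hi=$(ip2int "$6")
    rc=0
    if ranges_overlap "$dhcp_lo" "$dhcp_hi" "$vpn_lo" "$vpn_hi"; then
        echo "CONFLICT: DHCP pool $(int2ip "$dhcp_lo")-$(int2ip "$dhcp_hi") overlaps VPN pool $5-$6"
        rc=1
    fi
    if ranges_overlap "$dhcp_lo" "$dhcp_hi" "$router" "$router"; then
        echo "CONFLICT: DHCP pool $(int2ip "$dhcp_lo")-$(int2ip "$dhcp_hi") contains the router address $1"
        rc=1
    fi
    if [ "$vpn_lo" -le "$net" ] || [ "$vpn_hi" -ge "$bcast" ]; then
        echo "CONFLICT: VPN pool $5-$6 is not inside $(int2ip "$net")/$2"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: DHCP pool, VPN pool and router address do not overlap"
    return "$rc"
}

# Values taken from /etc/config/network, /etc/config/dhcp and /etc/config/openvpn above
if ! check_pools 192.168.122.30 255.255.255.224 11 20 192.168.122.22 192.168.122.29; then
    echo "adjust 'start'/'limit' in /etc/config/dhcp or the server_bridge range"
fi
```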
Bridged VPN Configuration
/etc/config/network
config 'interface' 'loopback'
option 'ifname' 'lo'
option 'proto' 'static'
option 'ipaddr' '127.0.0.1'
option 'netmask' '255.0.0.0'
config 'interface' 'lan'
option 'type' 'bridge'
option 'proto' 'static'
option 'netmask' '255.255.255.224'
option 'dns' '8.8.8.8 8.8.4.4'
option 'ipaddr' '192.168.122.30'
option 'ifname' 'eth0.1'
option 'broadcast' '192.168.122.31'
config 'interface' 'wan'
option 'ifname' 'eth0.2'
option 'proto' 'static'
option 'ipaddr' 'x.x.x.x'
option 'netmask' '255.255.255.240'
option 'gateway' 'x.x.x.x'
option 'broadcast' 'x.x.x.x'
option 'dns' '8.8.8.8 8.8.4.4'
Configure OpenVPN init script:
/etc/init.d/openvpn
In the start_service() section add the following:
ARGS="--script-security 2"
Troubleshooting
Show bridge status:
brctl show
bridge name bridge id STP enabled interfaces
br-lan 8000.f8d111adbf84 no eth0.1 wlan0 tap0
Check system log:
logread