While you are away from home, it is sometimes necessary to access files on the home file server. To protect it, the server is not directly reachable from the Internet. We will see here how to create a secure connection from the Internet to your OpenWRT box, so that you can work as if you were at home.

Installation of OpenVPN

For this we will install an OpenVPN server, which lets us create a Virtual Private Network. Just install the openvpn package through the web interface or with opkg on the command line.

To work, OpenVPN needs several keys and certificates. To handle them, the OpenVPN community provides a set of scripts, called easy-rsa, that create everything needed. You can install the openvpn-easy-rsa package on your OpenWRT box, or download easy-rsa on your Unix computer to save space on the OpenWRT box.

Keys and certificates creation

Go inside the easy-rsa folder (/etc/easy-rsa/ on OpenWRT). First edit the vars file inside easy-rsa to fit your requirements:

export KEY_COUNTRY="FR"
export KEY_PROVINCE="FR"
export KEY_CITY="Paris"
export KEY_ORG="At Home"

Then create the Certificate Authority that will sign all the keys and certificates generated later, along with the Diffie-Hellman parameters:

# load the settings from vars first (the scripts refuse to run without it)
. ./vars
./clean-all
./build-ca
./build-dh

Create the server key and certificate:

./build-key-server my_server_name

Copy into the OpenVPN folder of the OpenWRT box the server files that were generated in the keys folder:

cp ca.crt ca.key dh1024.pem my_server_name.crt my_server_name.key /etc/openvpn/

  • ca.crt is the Certificate Authority (CA) certificate. The corresponding key is used to sign all the certificates and keys, and the certificate itself is used to check the validity of any certificate that is presented.
  • dh1024.pem contains the Diffie-Hellman parameters for the server side of an SSL/TLS connection.
  • my_server_name.key is the private key used by the server to decrypt the messages from the client.
  • my_server_name.crt is the certificate that the server provides to the client so that it can encrypt the connection. It is signed by the CA to prove that it comes from the server.

Then, for each user, create the corresponding key and certificate:

./build-key user1
./build-key user2

Give each user the generated files: ca.crt, user_name.key and user_name.crt. These are the only files they need.

Open the correct port in your firewall

You must open port 1194 in the firewall to allow OpenVPN connections from the WAN. You can do it through the web interface or by editing the /etc/config/firewall file:

config 'rule'
        option 'target' 'ACCEPT'
        option 'dest_port' '1194'
        option 'src' 'wan'
        option 'proto' 'tcpudp'
        option 'family' 'ipv4'

Do not forget to reload the firewall rules if you modified them on the command line:

/etc/init.d/firewall restart

Server configuration

The configuration of OpenVPN is set in the /etc/config/openvpn file:

config 'openvpn' 'lan'
        option 'enable' '1'
        option 'port' '1194'
        option 'proto' 'udp'
        option 'dev' 'tap0'
        option 'ca' '/etc/openvpn/ca.crt'
        option 'cert' '/etc/openvpn/my_server_name.crt'
        option 'key' '/etc/openvpn/my_server_name.key'
        option 'dh' '/etc/openvpn/dh1024.pem'
        option 'ifconfig_pool_persist' '/tmp/ipp.txt'
        option 'keepalive' '10 120'
        option 'comp_lzo' '1'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'status' '/tmp/openvpn-status.log'
        option 'verb' '3'
        option 'server_bridge' '192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.219'

This configuration will allow the client to be part of the network handled by the OpenWRT box. It will get an IP in the range 192.168.1.200 to 192.168.1.219.

To prevent a local client from getting an IP in that range, we can modify the /etc/config/dhcp file to restrict the DHCP leases to a non-overlapping range. Modify the lan section of that file as follows:

config 'dhcp' 'lan'
        option 'interface' 'lan'
        option 'ignore' '0'
        option 'start' '50'
        option 'limit' '150'

Local clients will only get an IP in the range 192.168.1.50 to 192.168.1.150. Restart dnsmasq to take it into account:

/etc/init.d/dnsmasq restart
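Because the DHCP pool and the OpenVPN bridge pool live in the same /24, it is worth checking that they really are disjoint before you restart the services. The following script is an added example, not part of the tutorial or of OpenWRT: it parses the three UCI fragments shown above (copied here as constructed sample strings), computes both pools and reports overlaps, pools that leave the LAN subnet, and a lan bridge that does not include tap0. It assumes OpenWRT's documented meaning of the dhcp options, where start is an offset from the network address and limit is the number of addresses in the pool.

```python
"""Check that the OpenWRT DHCP pool and the OpenVPN server_bridge pool do not
overlap. Hypothetical helper written for this tutorial; it reads the UCI text
of /etc/config/network, /etc/config/dhcp and /etc/config/openvpn."""
import ipaddress
import re

# Constructed samples, copied from the fragments in the tutorial.
NETWORK_CONFIG = """
config 'interface' 'lan'
        option 'type' 'bridge'
        option 'proto' 'static'
        option 'ipaddr' '192.168.1.1'
        option 'netmask' '255.255.255.0'
        option 'ifname' 'eth0.0 tap0'
"""
DHCP_CONFIG = """
config 'dhcp' 'lan'
        option 'interface' 'lan'
        option 'ignore' '0'
        option 'start' '50'
        option 'limit' '150'
"""
OPENVPN_CONFIG = """
config 'openvpn' 'lan'
        option 'enable' '1'
        option 'dev' 'tap0'
        option 'server_bridge' '192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.219'
"""

_SECTION = re.compile(r"^\s*config\s+'?(\w+)'?(?:\s+'?(\w+)'?)?\s*$")
_OPTION = re.compile(r"^\s*option\s+'?(\w+)'?\s+(?:'([^']*)'|(\S+))\s*$")


def parse_uci(text):
    """Minimal UCI parser: {(section_type, section_name): {option: value}}.
    Quoted and unquoted names/values are accepted; anonymous sections get a
    synthetic name; 'list' entries are ignored."""
    sections, current = {}, None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            name = m.group(2) or "@%s[%d]" % (m.group(1), len(sections))
            current = (m.group(1), name)
            sections[current] = {}
            continue
        m = _OPTION.match(line)
        if m and current is not None:
            value = m.group(2) if m.group(2) is not None else m.group(3)
            sections[current][m.group(1)] = value
    return sections


def dhcp_pool(net, dhcp_cfg, iface="lan"):
    """(first, last) address leased by dnsmasq. In OpenWRT, 'start' is an
    offset from the network address and 'limit' is the pool size (defaults
    100 and 150), so start=50, limit=150 covers .50 through .199."""
    dhcp = dhcp_cfg[("dhcp", iface)]
    first = net.network_address + int(dhcp.get("start", 100))
    return first, first + int(dhcp.get("limit", 150)) - 1


def vpn_pool(openvpn_cfg, section="lan"):
    """(first, last) address handed to VPN clients by server_bridge."""
    _gw, _mask, first, last = openvpn_cfg[("openvpn", section)]["server_bridge"].split()
    return ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)


def check_pools(network_text, dhcp_text, openvpn_text):
    """Return {'dhcp': 'a-b', 'vpn': 'c-d', 'findings': [...]}; an empty
    findings list means the pools are disjoint, inside the LAN, and bridged."""
    lan = parse_uci(network_text)[("interface", "lan")]
    net = ipaddress.IPv4Network("%s/%s" % (lan["ipaddr"], lan["netmask"]), strict=False)
    dhcp = dhcp_pool(net, parse_uci(dhcp_text))
    vpn = vpn_pool(parse_uci(openvpn_text))
    findings = []
    if dhcp[0] <= vpn[1] and vpn[0] <= dhcp[1]:
        findings.append("DHCP pool %s-%s overlaps VPN pool %s-%s" % (dhcp + vpn))
    for label, pool in (("DHCP", dhcp), ("VPN", vpn)):
        if pool[0] not in net or pool[1] not in net:
            findings.append("%s pool %s-%s leaves subnet %s" % (label, pool[0], pool[1], net))
    if "tap0" not in lan.get("ifname", "").split():
        findings.append("tap0 is not in the lan bridge's ifname")
    return {"dhcp": "%s-%s" % dhcp, "vpn": "%s-%s" % vpn, "findings": findings}


if __name__ == "__main__":
    result = check_pools(NETWORK_CONFIG, DHCP_CONFIG, OPENVPN_CONFIG)
    print("DHCP:", result["dhcp"], "VPN:", result["vpn"])
    print("\n".join(result["findings"]) or "no problems found")
```

On a real box, replace the three constants with the contents of the files under /etc/config/ and run the check whenever you change the DHCP limit or the server_bridge pool.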

You can start the server with the following command:

/etc/init.d/openvpn start

To have it start automatically when the OpenWRT box boots, just run the following command:

/etc/init.d/openvpn enable
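The status option in the server configuration makes OpenVPN write the list of connected clients to /tmp/openvpn-status.log. The script below is an added example, not code from the tutorial or from OpenVPN: it parses that file (version 1 format, the default when no status-version is set) and lists the common names that are connected but were never created with ./build-key, which is the quickest way to notice a certificate you did not expect authenticating against your CA. The sample log is constructed; in tap mode OpenVPN reports the client's MAC address in the Virtual Address column, which is what the sample shows.

```python
"""Parse OpenVPN's status file (status-version 1) and flag connected clients
whose certificate common name is not one you issued. Hypothetical helper
written for this tutorial."""
import csv
from io import StringIO

# Constructed sample of /tmp/openvpn-status.log with two connected clients.
SAMPLE_STATUS = """OpenVPN CLIENT LIST
Updated,Sun Mar 10 21:05:12 2013
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
user1,203.0.113.7:49152,104230,2983411,Sun Mar 10 20:41:02 2013
user3,198.51.100.23:51820,5120,8192,Sun Mar 10 21:03:55 2013
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
00:ff:3a:7c:19:02,user1,203.0.113.7:49152,Sun Mar 10 21:05:01 2013
00:ff:b1:0e:55:9d,user3,198.51.100.23:51820,Sun Mar 10 21:04:40 2013
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

# Users created with ./build-key in this tutorial (user3 deliberately absent).
ISSUED_USERS = {"user1", "user2"}

_HEADERS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")


def parse_status(text):
    """Return {common_name: info} for every client in the status file.

    The file is comma separated and split into sections by fixed header
    lines; the client list carries byte counters, the routing table the
    virtual (here MAC) addresses learned for each client."""
    clients, section = {}, None
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        if row[0] in _HEADERS:
            section = row[0]
            continue
        if section == "OpenVPN CLIENT LIST":
            if row[0] in ("Updated", "Common Name"):
                continue  # timestamp line and column header
            name, real, rx, tx, since = row
            clients[name] = {
                "real_address": real,
                "bytes_received": int(rx),
                "bytes_sent": int(tx),
                "connected_since": since,
                "virtual_addresses": [],
            }
        elif section == "ROUTING TABLE":
            if row[0] == "Virtual Address":
                continue  # column header
            virt, name, real, _last_ref = row
            entry = clients.setdefault(name, {"real_address": real, "virtual_addresses": []})
            entry["virtual_addresses"].append(virt)
    return clients


def unexpected_clients(clients, issued):
    """Common names connected right now that you never issued a certificate
    to (or meant to retire). Any hit deserves a look at who holds that cert."""
    return sorted(name for name in clients if name not in issued)


def report(text, issued):
    """One line per client plus a list of unexpected common names."""
    clients = parse_status(text)
    lines = [
        "%s from %s (rx %d, tx %d) since %s"
        % (n, c["real_address"], c["bytes_received"], c["bytes_sent"], c["connected_since"])
        for n, c in sorted(clients.items())
    ]
    return lines, unexpected_clients(clients, issued)


if __name__ == "__main__":
    lines, unexpected = report(SAMPLE_STATUS, ISSUED_USERS)
    print("\n".join(lines))
    if unexpected:
        print("unexpected clients:", ", ".join(unexpected))
```

On the box itself, read /tmp/openvpn-status.log instead of SAMPLE_STATUS and keep ISSUED_USERS in step with the names you pass to ./build-key; running it from cron gives you a cheap connection audit.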

Bridging of the interfaces

To link the OpenVPN tunnel to the LAN, we need to bridge the interfaces. It can be done in the web interface or in the /etc/config/network file. In the lan section, add tap0 to the ifname option:

config 'interface' 'lan'
        option 'type' 'bridge'
        option 'proto' 'static'
        option 'ipaddr' '192.168.1.1'
        option 'netmask' '255.255.255.0'
        option '_orig_ifname' 'eth0.0 wl0'
        option '_orig_bridge' 'true'
        option 'ifname' 'eth0.0 tap0'

Client configuration

Now that the OpenVPN server is running, we just have to connect to it. In addition to the personal key and certificate and the CA certificate, the user will also need a configuration file. It should look like the following:

# OpenVPN on bridge OpenWRT

client
tls-client
# Which device to use
dev tap
# Which protocol
proto udp
# The OpenWRT external address
remote x.x.x.x 1194

resolv-retry infinite
nobind

persist-tun
persist-key

# The different used keys
ca ca.crt
cert user1.crt
key user1.key

# Use compression
comp-lzo
; verb 3

Now you should be able to connect to your home network from the Internet.