Difference between revisions of "OpenWRT"

 
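--- a/OpenWRT
+++ b/OpenWRT
@@ -11,6 +11,8 @@
 wget https://raw.githubusercontent.com/OpenVPN/easy-rsa/master/easyrsa3/x509-types/server
 wget https://raw.githubusercontent.com/OpenVPN/easy-rsa/master/easyrsa3/x509-types/client
+wget https://raw.githubusercontent.com/OpenVPN/easy-rsa/master/easyrsa3/openssl-easyrsa.cnf
 mv server /etc/easy-rsa/pki/x509-types/ 
 mv client /etc/easy-rsa/pki/x509-types/
+mv openssl-easyrsa.cnf /etc/easy-rsa/pki/
 
 2. Configure firewall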
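Review bot: The added `wget …/openssl-easyrsa.cnf` fetches from the moving `master` branch with no integrity check, and the added `mv` places the file under `/etc/easy-rsa/pki/`, the directory that step 3 of this page (`easyrsa --batch init-pki`, commented "Remove and re-initialize the PKI directory") is described as removing; if that removal covers the whole directory, this file and the `x509-types` copied beside it are gone before `build-ca` runs, so confirm this against the installed easyrsa version. The earlier `wget` lines in the same hunk share the unpinned fetch. Pinning the URL to a release tag, `wget https://raw.githubusercontent.com/OpenVPN/easy-rsa/<RELEASE-TAG>/easyrsa3/openssl-easyrsa.cnf` (placeholder tag), makes the downloaded config reproducible and comparable with that release.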

Latest revision as of 14:18, 25 April 2020

Install OpenVPN on OpenWRT

1. Install packages:

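# Step 1 settings. EASYRSA_GIT_REF selects the easy-rsa revision the helper
# files are fetched from; "master" keeps the page's original behaviour, but
# pinning it to a release tag (EASYRSA_GIT_REF=<release-tag>) makes the
# install reproducible and lets the files be compared with a known release.
EASYRSA_GIT_REF="${EASYRSA_GIT_REF:-master}"
EASYRSA_RAW="https://raw.githubusercontent.com/OpenVPN/easy-rsa/${EASYRSA_GIT_REF}/easyrsa3"
EASYRSA_PKI="/etc/easy-rsa/pki"

opkg update
opkg install luci-app-openvpn
opkg install openvpn-openssl

# The easyrsa script is downloaded into the working directory first and only
# made executable and moved into /usr/bin once the download succeeded, so a
# failed fetch cannot leave a missing or truncated executable behind.
wget "${EASYRSA_RAW}/easyrsa" \
  && chmod 755 easyrsa \
  && mv easyrsa /usr/bin \
  || printf 'download of easyrsa failed\n' >&2

# Certificate-type templates and the OpenSSL config used by easyrsa; each one
# is fetched to the working directory and moved into place on success.
mkdir -p "${EASYRSA_PKI}/x509-types"
for rel in x509-types/server x509-types/client openssl-easyrsa.cnf; do
  wget "${EASYRSA_RAW}/${rel}" \
    && mv "${rel##*/}" "${EASYRSA_PKI}/${rel}" \
    || printf 'download of %s failed\n' "${rel}" >&2
done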

2. Configure firewall

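# Give the default zones and forwarding stable names so the uci paths below
# (and in later steps) do not depend on section order. This assumes the stock
# OpenWrt layout where @zone[0] is lan and @zone[1] is wan; on a customised
# firewall check `uci show firewall` before renaming.
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci rename firewall.@forwarding[0]="lan_wan"

# Attach tun0 to the lan zone (del_list first keeps the entry unique when this
# step is re-run). VPN clients then have the same reach as LAN hosts; put the
# tunnel in its own zone if they should be restricted.
uci del_list firewall.lan.device="tun0"
uci add_list firewall.lan.device="tun0"

# Recreate the inbound rule from scratch so options left over from an earlier
# run are not kept. The original also deleted firewall.vpn, which no step on
# this page creates; it is kept in case an older rule by that name exists.
uci -q delete firewall.vpn
uci -q delete firewall.ovpn
uci set firewall.ovpn="rule"
uci set firewall.ovpn.name="Allow-OpenVPN"
uci set firewall.ovpn.src="wan"
uci set firewall.ovpn.dest_port="1194"
uci set firewall.ovpn.proto="udp"
uci set firewall.ovpn.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart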

3. Create certificates:

# Both variables are read by easyrsa itself; the CN is used for the CA below.
export EASYRSA_PKI="/etc/easy-rsa/pki" 
export EASYRSA_REQ_CN="ovpnca"
# Remove and re-initialize the PKI directory
# NOTE(review): if this removal covers the whole directory, the x509-types/
# and openssl-easyrsa.cnf placed under it in step 1 are removed too — confirm
# against the installed easyrsa version. Re-running this step discards every
# previously issued certificate and key.
easyrsa --batch init-pki
# Generate DH parameters
easyrsa --batch gen-dh
# Create a new CA
# "nopass" leaves the CA private key unencrypted on the router; anyone who can
# read ${EASYRSA_PKI}/private can then issue certificates this VPN trusts.
easyrsa --batch build-ca nopass
# Generate a keypair and sign locally for a server
easyrsa --batch build-server-full server nopass
# Generate a keypair and sign locally for a client 
# The names "server" and "client" become the file names under issued/ and
# private/ that steps 4 and 5 read.
easyrsa --batch build-client-full client nopass

4. Configure VPN server:

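# Generate TLS PSK (the tls-auth key). Re-running this line creates a new key,
# which invalidates every client profile built from the previous one.
OVPN_PKI="/etc/easy-rsa/pki"
openvpn --genkey --secret "${OVPN_PKI}/tc.pem"

# Configuration parameters
OVPN_DIR="/etc/openvpn"
# Last device listed in firewall.lan.device — tun0 from step 2 if it is last.
OVPN_DEV="$(uci get firewall.lan.device | sed -e "s/^.*\s//")"
OVPN_PORT="$(uci get firewall.ovpn.dest_port)"
OVPN_PROTO="$(uci get firewall.ovpn.proto)"
OVPN_POOL="192.168.8.0 255.255.255.0"
# First host of the pool (192.168.8.1) is pushed to clients as DNS server.
OVPN_DNS="${OVPN_POOL%.* *}.1"
OVPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)"
OVPN_DH="$(cat "${OVPN_PKI}/dh.pem")"
# Drops the comment lines of the PSK file (joining adjacent body lines as on
# the page) so it can be inlined below.
OVPN_TC="$(sed -e "/^#/d;/^\w/N;s/\n//" "${OVPN_PKI}/tc.pem")"
# openssl x509 re-emits only the PEM block, not the text dump easyrsa stores.
OVPN_CA="$(openssl x509 -in "${OVPN_PKI}/ca.crt")"
NL=$'\n'

# Configure VPN server: one .conf per certificate issued for server auth.
# umask u=rw,g=,o= makes the file 0600 — it embeds the server private key.
umask u=rw,g=,o=
grep -l -r -e "TLS Web Server Auth" "${OVPN_PKI}/issued" \
| sed -e "s/^.*\///;s/\.\w*$//" \
| while read -r OVPN_ID
do
OVPN_CERT="$(openssl x509 -in "${OVPN_PKI}/issued/${OVPN_ID}.crt")"
OVPN_KEY="$(cat "${OVPN_PKI}/private/${OVPN_ID}.key")"
cat << EOF > "${OVPN_DIR}/${OVPN_ID}.conf"
verb 3
user nobody
group nogroup
dev ${OVPN_DEV}
port ${OVPN_PORT}
proto ${OVPN_PROTO}
server ${OVPN_POOL}
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS ${OVPN_DNS}"
push "dhcp-option DOMAIN ${OVPN_DOMAIN}"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>${NL}${OVPN_DH}${NL}</dh>
<tls-auth>${NL}${OVPN_TC}${NL}</tls-auth>
<ca>${NL}${OVPN_CA}${NL}</ca>
<cert>${NL}${OVPN_CERT}${NL}</cert>
<key>${NL}${OVPN_KEY}${NL}</key>
EOF
done
/etc/init.d/openvpn restart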

5. Create client configuration file:

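# Server address the clients connect to: set OVPN_SERV to the server's FQDN
# (uncomment the line below), otherwise the current public IP is looked up.
# The lookup answer comes from a third-party service and ends up in every
# profile's "remote" line, so it is fetched over HTTPS and checked to be a
# plain hostname/IP before any profile is written.
#OVPN_SERV="fqdn.myhome.com"
OVPN_SERV="${OVPN_SERV:-$(wget -qO- https://ifconfig.co)}"
case "${OVPN_SERV}" in
  ""|*[!A-Za-z0-9.:-]*)
    printf 'OVPN_SERV is empty or not a plain hostname/IP: %s\n' "${OVPN_SERV}" >&2
    OVPN_SERV=""
    ;;
esac
# Stops here rather than generating profiles that point nowhere.
: "${OVPN_SERV:?set OVPN_SERV to the server FQDN or public IP}"

# Configuration parameters
OVPN_DIR="/etc/openvpn"
OVPN_PKI="/etc/easy-rsa/pki"
# Last device listed in firewall.lan.device — tun0 from step 2 if it is last.
OVPN_DEV="$(uci get firewall.lan.device | sed -e "s/^.*\s//")"
OVPN_PORT="$(uci get firewall.ovpn.dest_port)"
OVPN_PROTO="$(uci get firewall.ovpn.proto)"
# Same PSK the server config embeds, with comment lines dropped.
OVPN_TC="$(sed -e "/^#/d;/^\w/N;s/\n//" "${OVPN_PKI}/tc.pem")"
OVPN_CA="$(openssl x509 -in "${OVPN_PKI}/ca.crt")"
NL=$'\n'

# Generate VPN client profiles: one .ovpn per certificate issued for client
# auth. umask u=rw,g=,o= makes each file 0600 — it embeds the client key, and
# the profile must be delivered to the client over a protected channel.
umask u=rw,g=,o=
grep -l -r -e "TLS Web Client Auth" "${OVPN_PKI}/issued" \
| sed -e "s/^.*\///;s/\.\w*$//" \
| while read -r OVPN_ID
do
OVPN_CERT="$(openssl x509 -in "${OVPN_PKI}/issued/${OVPN_ID}.crt")"
OVPN_KEY="$(cat "${OVPN_PKI}/private/${OVPN_ID}.key")"
cat << EOF > "${OVPN_DIR}/${OVPN_ID}.ovpn"
verb 3
dev ${OVPN_DEV%%[0-9]*}
nobind
client
remote ${OVPN_SERV} ${OVPN_PORT} ${OVPN_PROTO}
auth-nocache
remote-cert-tls server
<tls-auth>${NL}${OVPN_TC}${NL}</tls-auth>
<ca>${NL}${OVPN_CA}${NL}</ca>
<cert>${NL}${OVPN_CERT}${NL}</cert>
<key>${NL}${OVPN_KEY}${NL}</key>
EOF
done
ls "${OVPN_DIR}"/*.ovpn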