OpenVPN on OpenWrt


I have a step-by-step guide for OpenVPN on an OpenWRT 10.03 router: (wl500gpv2)

Needed packages

opkg install openvpn_2.1.1-1_brcm-2.4.ipk kmod-tun_2.4.37.9-1_brcm-2.4.ipk libopenssl_0.9.8m-3_brcm-2.4.ipk liblzo_2.03-3_brcm-2.4.ipk openssl-util_0.9.8m-3_brcm-2.4.ipk ntpd_4.2.6-4_brcm-2.4.ipk

Generate certs

# 0)
mkdir -p /etc/ssl/certs/demoCA/newcerts /etc/ssl/certs/demoCA/private /etc/ssl/private; touch /etc/ssl/certs/demoCA/index.txt; echo "01" >> /etc/ssl/certs/demoCA/serial; cd /etc/ssl/certs

# 1)
# cakey.pem: CA's private key - needed by key signing machine only, purpose: Root CA key, keep it in SECRET!!
# cacert.pem: CA's cert - needed by server + all clients, purpose: Root CA certificate, not secret
# common name: "vpnserver" - in every other case just hit enter
time openssl req -nodes -new -x509 -days 3650 -keyout /etc/ssl/certs/demoCA/private/cakey.pem -out demoCA/cacert.pem

# 2)
# server.key: needed by server only, purpose: Server Key, keep it in SECRET!!
# server.csr: [???]
# common name: "vpnserver" - in every other case just hit enter
time openssl req -nodes -new -keyout /etc/ssl/private/server.key -out server.csr # password not advised - only if you're paranoid..

# 3)
# server.crt: needed by server only, purpose: Server Certificate, not secret
# Sign the certificate? [y/n]:y
# 1 out of 1 certificate requests certified, commit? [y/n]y
time openssl ca -cert demoCA/cacert.pem -keyfile /etc/ssl/certs/demoCA/private/cakey.pem -out server.crt -in server.csr -days 3650

# 4)
# shared.key: [???]
time openvpn --genkey --secret shared.key

# 5)
# dh.pem: Diffie-Hellman parameters for the TLS handshake; only the server uses them (1024 was the 2.1-era default, 2048 is the current recommendation)
time openssl dhparam -out dh.pem 1024

# 6)
# give a common name! it will be the user name
# client1.key: needed at client1 only, purpose: Client1 Key, keep it in SECRET!
# client1.csr: [???]
# client1.crt: needed at client1 only, purpose: Client1 Certificate, not secret
# Give the client's key file a password for better security.
time openssl req -nodes -new -keyout /etc/ssl/private/client1.key -out client1.csr
# Sign the certificate? [y/n]:y
# 1 out of 1 certificate requests certified, commit? [y/n]y
time openssl ca -out client1.crt -in client1.csr

copy the certs

# on the router
mkdir -p /etc/ssl/certs/client1; cp demoCA/cacert.pem client1.crt /etc/ssl/private/client1.key shared.key dh.pem client1; tar -cvf /root/client1.tar client1; rm -fr /etc/ssl/certs/client1

# on the pc [with a normal user]
mkdir ~/.cert/; rm ~/.cert/*; cd ~/.cert/; scp root@192.168.1.1:/root/client1.tar ~/.cert/; tar -xvf ~/.cert/client1.tar; mv ~/.cert/client1/* .; rm -fr client1; chmod 600 ~/.cert/*

# if you're using e.g.: Fedora/SELinux, then
restorecon -Rv ~/.cert*

OpenVPN server config

mkdir /etc/openvpn; vim /etc/openvpn/server.conf

port 1194
proto udp
dev tun
ca /etc/ssl/certs/demoCA/cacert.pem
cert /etc/ssl/certs/server.crt
key /etc/ssl/private/server.key
dh /etc/ssl/certs/dh.pem
tls-auth /etc/ssl/certs/shared.key 0
server 192.168.80.0 255.255.255.0
push "redirect-gateway"
comp-lzo
keepalive 10 120
status /tmp/openvpn.status

Firewall on the OpenWrt router

vim /etc/firewall.user

iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables -A input_wan -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT

Reboot

sync; sync; sync
reboot

Start and check

openvpn --daemon --config /etc/openvpn/server.conf

root@OpenWrt:/etc/ssl/certs# ps aux | fgrep -i openvpn
941 root      2876 S    openvpn --daemon --config /etc/openvpn/server.conf 
root@OpenWrt:/etc/ssl/certs# netstat -tulpn | fgrep -i 1194
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           941/openvpn
root@OpenWrt:/etc/ssl# 

Client config

yum install openvpn
vim /etc/openvpn/client.conf

client
dev tun
proto udp
remote 192.168.1.1 1194
nobind
ca /home/USERNAME/.cert/cacert.pem
cert /home/USERNAME/.cert/client1.crt
key /home/USERNAME/.cert/client1.key
# DH parameters are only needed on the server side; this line is not needed on the client
dh /home/USERNAME/.cert/dh.pem
# direction 1 here pairs with "tls-auth ... 0" in server.conf
tls-auth /home/USERNAME/.cert/shared.key 1
# the client's "No server certificate verification method" warning is caused by the absence of
# "ns-cert-type server" or "remote-cert-tls server"; either requires the server certificate to be
# issued with the matching extension (nsCertType=server / serverAuth extendedKeyUsage)
comp-lzo

Go!

openvpn /etc/openvpn/client.conf

But after I try it out, the client gives an error (and when I use the VPN, I can't ping google.com from the client, just the router):

Sat Jul  9 13:14:19 2011 OpenVPN 2.1.1 i686-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Jan  5 2010
Sat Jul  9 13:14:19 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Jul  9 13:14:19 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Jul  9 13:14:19 2011 Control Channel Authentication: using '/home/USERNAME/.cert/shared.key' as a OpenVPN static key file
Sat Jul  9 13:14:19 2011 LZO compression initialized
Sat Jul  9 13:14:19 2011 UDPv4 link local: [undef]
Sat Jul  9 13:14:19 2011 UDPv4 link remote: 192.168.1.1:1194
Sat Jul  9 13:14:19 2011 [vpnserver] Peer Connection Initiated with 192.168.1.1:1194
Sat Jul  9 13:14:21 2011 TUN/TAP device tun0 opened
Sat Jul  9 13:14:21 2011 /sbin/ip link set dev tun0 up mtu 1500
Sat Jul  9 13:14:21 2011 /sbin/ip addr add dev tun0 local 192.168.80.6 peer 192.168.80.5
Sat Jul  9 13:14:21 2011 OpenVPN ROUTE: omitted no-op route: 192.168.1.1/255.255.255.255 -> 192.168.1.1

Sat Jul  9 13:14:21 2011 WARNING: potential route subnet conflict between local LAN [192.168.80.0/255.255.255.0] and remote VPN [192.168.80.1/255.255.255.255]

Sat Jul  9 13:14:21 2011 Initialization Sequence Completed
^CSat Jul  9 13:16:10 2011 event_wait : Interrupted system call (code=4)
RTNETLINK answers: No such process
Sat Jul  9 13:16:10 2011 ERROR: Linux route delete command failed: external program exited with error status: 2
Sat Jul  9 13:16:10 2011 /sbin/ip addr del dev tun0 local 192.168.80.6 peer 192.168.80.5
Sat Jul  9 13:16:10 2011 SIGINT[hard,] received, process exiting

The question is, what am I doing wrong? Why doesn't it work? Am I giving wrong subnets? How can I give good ones? (e.g.: bad "server" line in the "openvpn server config"?)

Topology:

ISP -> OPENWRT ROUTER(giving 192.168.1.0/24) -> MYPC(dhcp, not static ip)

Thanks for any help/tips. I already googled for hours and asked many experts, but no luck. My purpose is to openvpn to this openwrt router from my PC to have a secured "channel" (from a netcafe, or from the mentioned topology, etc.). The "MYPC" is running Fedora 14.

UPDATE Q:
Can somebody explain what these files are?

server.csr: [???]

shared.key: [???]

client1.csr: [???]

Best Answer

Sat Jul 9 13:14:21 2011 WARNING: potential route subnet conflict between local LAN [192.168.80.0/255.255.255.0] and remote VPN [192.168.80.1/255.255.255.255]

For some reason, your configuration seems to be sharing IP address space. Your VPN is selecting addresses from the 192.168.80.x address space, and your local LAN is selecting addresses from the 192.168.80.x address space. If this happens, then when traffic from the VPN is routed to your MyPC, it won't know which router to get the address resolution from, and everything will break.

Also, you need to use iptables in the router. It should be built in, but it will need a rule to tell it to redirect all the traffic from your MyPC through the VPN. There's a pretty good article here that should help.
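The asker's "how can I give good subnets?" and the answer's subnet-conflict explanation, as an added example that is not part of the original question or answer: a POSIX sh lint run over constructed copies of the relevant lines from the two configs above. The function names (ip2int, cidr_overlap, lint_pair) and the temp files are this example's own; the OpenVPN options it looks for (server, tls-auth, remote-cert-tls, ns-cert-type) are real. Besides the subnet check it confirms the tls-auth directions pair up (0 on the server, 1 on the client) and flags the missing server-certificate check behind the warning in the log.

```shell
#!/bin/sh
# Added example (not from the original post): lint the server/client config pair
# before starting OpenVPN. It checks the three things the log and the answer
# point at: the "server" subnet colliding with a LAN, the tls-auth key direction
# on each side, and the missing server-certificate check behind the client's
# "No server certificate verification method" warning. POSIX sh only.

ip2int() {                                  # dotted quad -> 32-bit integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

mask2prefix() {                             # 255.255.255.0 -> 24
    m=$(ip2int "$1"); p=0
    while [ $(( m & 0x80000000 )) -ne 0 ]; do p=$(( p + 1 )); m=$(( (m << 1) & 0xFFFFFFFF )); done
    echo "$p"
}

cidr_overlap() {                            # true when two a.b.c.d/n networks share addresses
    n1=$(ip2int "${1%/*}"); n2=$(ip2int "${2%/*}"); p=${1#*/}
    [ "${2#*/}" -lt "$p" ] && p=${2#*/}     # compare on the shorter prefix
    mask=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
    [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

opt() { sed -n "s/^$2[[:space:]][[:space:]]*//p" "$1" | head -n 1; }   # value of option $2 in file $1

# lint_pair server.conf client.conf lan-cidr...: print findings, return 1 if any
lint_pair() {
    srv=$1; cli=$2; shift 2; rc=0
    sub=$(opt "$srv" server); [ -n "$sub" ] || { echo "server: no 'server <net> <mask>' line"; return 1; }
    vpn="${sub%% *}/$(mask2prefix "${sub##* }")"
    for lan in "$@"; do
        cidr_overlap "$vpn" "$lan" && { echo "CONFLICT: server subnet $vpn overlaps LAN $lan"; rc=1; }
    done
    sdir=$(opt "$srv" tls-auth); cdir=$(opt "$cli" tls-auth)          # "<keyfile> <direction>"
    [ "${sdir##* }" = 0 ] && [ "${cdir##* }" = 1 ] \
        || { echo "tls-auth: expect 'tls-auth <key> 0' on the server and '... 1' on the client"; rc=1; }
    [ -n "$(opt "$cli" remote-cert-tls)$(opt "$cli" ns-cert-type)" ] \
        || { echo "client: no server-cert check; add 'remote-cert-tls server' (server cert needs the serverAuth EKU)"; rc=1; }
    return $rc
}

# Constructed copies of the relevant lines from the two configs in the question.
S=$(mktemp); C=$(mktemp)
printf 'port 1194\nserver 192.168.80.0 255.255.255.0\ntls-auth /etc/ssl/certs/shared.key 0\n' > "$S"
printf 'client\nremote 192.168.1.1 1194\ntls-auth /home/USERNAME/.cert/shared.key 1\n' > "$C"
lint_pair "$S" "$C" 192.168.1.0/24 192.168.80.0/24 || :   # second LAN mirrors the warning in the log
rm -f "$S" "$C"
```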
