This article relies on the following:<\/p>\n
tls-crypt-v2<\/code>.\n\n- OpenWrt 19.07 users with OpenVPN 2.4 should refer to an older revision<\/a><\/strong>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Goals<\/h2>\n\n- Encrypt your internet connection to enforce security and privacy.\n
\n- Prevent traffic leaks and spoofing on the client side.<\/li>\n<\/ul>\n<\/li>\n
- Bypass regional restrictions using commercial providers.\n
\n- Escape client side content filters and internet censorship.<\/li>\n<\/ul>\n<\/li>\n
- Access your LAN services remotely without port forwarding.<\/li>\n<\/ul>\n
Command-line instructions<\/h2>\n1. Preparation<\/h3>\n# for iStoreOS:\necho \"src\/gz openwrt_base https:\/\/downloads.openwrt.org\/releases\/24.10.2\/packages\/aarch64_cortex-a53\/base\" > \/etc\/opkg\/compatfeeds.conf\necho \"src\/gz openwrt_luci https:\/\/downloads.openwrt.org\/releases\/24.10.2\/packages\/aarch64_cortex-a53\/luci\" >> \/etc\/opkg\/compatfeeds.conf\necho \"src\/gz openwrt_packages https:\/\/downloads.openwrt.org\/releases\/24.10.2\/packages\/aarch64_cortex-a53\/packages\" >> \/etc\/opkg\/compatfeeds.conf\necho \"src\/gz openwrt_routing https:\/\/downloads.openwrt.org\/releases\/24.10.2\/packages\/aarch64_cortex-a53\/routing\" >> \/etc\/opkg\/compatfeeds.conf\necho \"src\/gz openwrt_telephony https:\/\/downloads.openwrt.org\/releases\/24.10.2\/packages\/aarch64_cortex-a53\/telephony\" >> \/etc\/opkg\/compatfeeds.conf\n\n#opkg update\n#opkg install openvpn-easy-rsa openvpn-mbedtls luci-app-openvpn <\/code><\/pre>\nInstall the required packages. Specify configuration parameters for VPN server.<\/p>\n
# Install packages\nopkg update\nopkg install openvpn-openssl openvpn-easy-rsa\n\n# Configuration parameters\nexport VPN_DIR=\"\/etc\/openvpn\"\nexport VPN_PKI=\"\/etc\/easy-rsa\/pki\"\nexport VPN_PORT=\"8100\"\nexport VPN_PROTO=\"udp\"\nexport VPN_POOL=\"192.168.9.0 255.255.255.0\"\nexport VPN_DNS=\"${VPN_POOL%.* *}.1\"\nexport VPN_DN=\"$(uci -q get dhcp.@dnsmasq[0].domain)\"\n\n# Fetch server address\nexport NET_FQDN=\"$(uci -q get ddns.@service[0].lookup_host)\"\n. \/lib\/functions\/network.sh\nnetwork_flush_cache\nnetwork_find_wan NET_IF\nnetwork_get_ipaddr NET_ADDR \"${NET_IF}\"\nif [ -n \"${NET_FQDN}\" ]\nthen export VPN_SERV=\"${NET_FQDN}\"\nelse export VPN_SERV=\"${NET_ADDR}\"\nfi<\/code><\/pre>\n2. Key management<\/h3>\n
Use EasyRSA<\/a> to manage the PKI. Utilize private key password protection if necessary.<\/p>\n# Configuration parameters\nexport EASYRSA_PKI=\"${VPN_PKI}\"\nexport EASYRSA_TEMP_DIR=\"\/tmp\"\nexport EASYRSA_CERT_EXPIRE=\"36500\"\nexport EASYRSA_BATCH=\"1\"\n\n# Remove and re-initialize PKI directory\neasyrsa init-pki\n\n# Generate DH parameters\neasyrsa gen-dh\n\n# Create a new CA\neasyrsa build-ca nopass\n\n# Generate server keys and certificate\neasyrsa build-server-full server nopass\nopenvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}\/private\/server.pem\n\n# Generate client keys and certificate\n#easyrsa build-client-full client nopass\n#openvpn --tls-crypt-v2 ${EASYRSA_PKI}\/private\/server.pem \\\n#--genkey tls-crypt-v2-client ${EASYRSA_PKI}\/private\/client.pem\n\nfor u in cyue cyuePC cyueMBP cyuePad tony tonyPC tonyMBP tonyPad shari shariPC shariPad shariMBP johnny johnnyPC johnnyPad johnnyMBP yezi yuhan yuhanPC yuhanSamsung yuchen yuchenPC yuchenPad\ndo\n echo $u\n #easyrsa build-client-full $u nopass\n easyrsa build-client-full $u nopass\n openvpn --tls-crypt-v2 ${EASYRSA_PKI}\/private\/server.pem \\\n --genkey tls-crypt-v2-client ${EASYRSA_PKI}\/private\/$u.pem\ndone<\/code><\/pre>\n3. Firewall<\/h3>\n
Consider VPN network as private. Assign VPN interface to LAN zone to minimize firewall setup. Allow access to VPN server from WAN zone.<\/p>\n
# Configure firewall\nuci rename firewall.@zone[0]=\"lan\"\nuci rename firewall.@zone[1]=\"wan\"\nuci del_list firewall.lan.device=\"tun+\"\nuci add_list firewall.lan.device=\"tun+\"\nuci -q delete firewall.ovpn\nuci set firewall.ovpn=\"rule\"\nuci set firewall.ovpn.name=\"Allow-OpenVPN\"\nuci set firewall.ovpn.src=\"wan\"\nuci set firewall.ovpn.dest_port=\"${VPN_PORT}\"\nuci set firewall.ovpn.proto=\"${VPN_PROTO}\"\nuci set firewall.ovpn.target=\"ACCEPT\"\nuci commit firewall\nservice firewall restart<\/code><\/pre>\n4. VPN service<\/h3>\n
Configure VPN service and generate client profiles.<\/p>\n
# Configure VPN service and generate client profiles\numask go=\nVPN_DH=\"$(cat ${VPN_PKI}\/dh.pem)\"\nVPN_CA=\"$(openssl x509 -in ${VPN_PKI}\/ca.crt)\"\nls ${VPN_PKI}\/issued \\\n| sed -e \"s\/\\.\\w*$\/\/\" \\\n| while read -r VPN_ID\ndo\nVPN_TC=\"$(cat ${VPN_PKI}\/private\/${VPN_ID}.pem)\"\nVPN_KEY=\"$(cat ${VPN_PKI}\/private\/${VPN_ID}.key)\"\nVPN_CERT=\"$(openssl x509 -in ${VPN_PKI}\/issued\/${VPN_ID}.crt)\"\nVPN_EKU=\"$(echo \"${VPN_CERT}\" | openssl x509 -noout -purpose)\"\ncase ${VPN_EKU} in\n(*\"SSL server : Yes\"*)\nVPN_CONF=\"${VPN_DIR}\/${VPN_ID}.conf\"\ncat << EOF > ${VPN_CONF} ;;\nuser nobody\ngroup nogroup\ndev tun\nport ${VPN_PORT}\nproto ${VPN_PROTO}\nserver ${VPN_POOL}\ntopology subnet\nclient-to-client\nkeepalive 10 60\npersist-tun\npersist-key\npush \"dhcp-option DNS ${VPN_DNS}\"\npush \"dhcp-option DOMAIN ${VPN_DN}\"\npush \"redirect-gateway def1\"\npush \"persist-tun\"\npush \"persist-key\"\n\n${VPN_DH}\n<\/dh>\nEOF\n(*\"SSL client : Yes\"*)\nVPN_CONF=\"${VPN_DIR}\/${VPN_ID}.ovpn\"\ncat << EOF > ${VPN_CONF} ;;\nuser nobody\ngroup nogroup\ndev tun\nnobind\nclient\nremote ${VPN_SERV} ${VPN_PORT} ${VPN_PROTO}\nauth-nocache\nremote-cert-tls server\nEOF\nesac\ncat << EOF >> ${VPN_CONF}\n\n${VPN_TC}\n<\/tls-crypt-v2>\n\n${VPN_KEY}\n<\/key>\n\n${VPN_CERT}\n<\/cert>\n\n${VPN_CA}\n<\/ca>\nEOF\ndone\nservice openvpn restart\nls ${VPN_DIR}\/*.ovpn<\/code><\/pre>\n# \u6539ovpn\u4e2d\u7684 server addr \u5230\u771f\u6b63\u7684 addr\uff1a\ncd \/etc\/openvpn\nsed -i 's|yourhost.example.com|192.168.0.100|g' $(find . -name \\*.ovpn)\n<\/code><\/pre>\nBasic openvpn server configuration is now complete.<\/p>\n
\n- Perform OpenWrt backup<\/a>.<\/li>\n
- Either extract client profile from the archive file, or use SCP to retrieve the \/etc\/openvpn\/client.ovpn file from the router.<\/li>\n
- Review\/edit the IP address for the ‘remote’ line contained within the client.ovpn file.<\/li>\n
- Import the client.ovpn profile into your clients.<\/li>\n<\/ol>\n
For an additional .ovpn after completing the above:<\/p>\n
\n- Run this multi-client<\/a> script.<\/li>\n
- Now make a script consisting of the \u201cConfiguration parameters\u201d of Part 1 above and all of Part 4 above and run it. Note that the \u201cremote\u201d line may be missing in the new ovpn (use the original as a reference for that).<\/li>\n<\/ol>\n
Testing<\/h2>\n
Establish the VPN connection. Verify your routing with traceroute<\/a> and traceroute6<\/a>.<\/p>\n<\/code><\/pre>\nCheck your IP and DNS provider.<\/p>\n
\n- ipleak.net<\/a><\/li>\n
- dnsleaktest.com<\/a><\/li>\n<\/ul>\n
On router:<\/p>\n
\n- Go to LuCI > Status > Wireguard<\/strong> and look for peer device connected with an IPv4 or IPv6 address and with a recent handshake time<\/li>\n
- Go to LuCI > Network > Diagnostics<\/strong> and ipv4 ping<\/strong> client device IP eg. 10.0.0.10<\/li>\n<\/ul>\n
On client device depending on wireguard software:<\/p>\n
\n- Check transfer traffic for tx & rx<\/li>\n
- Ping router internal lan IP<\/li>\n
- Check public IP address in a browser \u2013 https:\/\/whatsmyip.com<\/a> \u2013 should see public IP address of ISP for the router<\/li>\n<\/ul>\n
Troubleshooting<\/h2>\n
Collect and analyze the following information.<\/p>\n
# Restart services\nservice log restart; service openvpn restart; sleep 10\n\n# Log and status\nlogread -e openvpn; netstat -l -n -p | grep -e openvpn\n\n# Runtime configuration\npgrep -f -a openvpn\nip address show; ip route show table all\nip rule show; ip -6 rule show; nft list ruleset\n\n# Persistent configuration\nuci show network; uci show firewall; uci show openvpn\nhead -v -n -0 \/etc\/openvpn\/*.conf<\/code><\/pre>\nNotes<\/h2>\n
For beginners to OpenVPN server, this PDF guide may be helpful. It is based on above cli instructions with additional note and tips. [OpenVPN server setup guide for BT Home Hub 5A](https:\/\/www.dropbox.com\/s\/idjzqs3cyyb1zai\/7-OpenVPN<\/a> Server for HH5A.pdf?dl=0)<\/p>\n","protected":false},"excerpt":{"rendered":"