OpenVPN server and client configuration for openwrtProblems setting up a VPN: can connect but can't ping anyoneOpenVPN connection from within 2nd subnet in office?openvpn multiple instances route issue?OpenVPN client ping server: eth0 works, tun0 failsAllowing SSH on a server with an active OpenVPN clientNetwork behind OpenVPN clientConfiguring OpenVPN server (Debian 8) and client (Windows 10)OpenVPN and multicast routingOpenVPN Client Local LAN AccessHow to configure iptables for a dial-up VPN with OpenVPN and two interfaces?
Unicode-math and mathrm result in missing symbols
Are double contractions formal? Eg: "couldn't've" for "could not have"
Ugin's Conjurant vs. un-preventable damage
Why are thrust reversers not used to slow down to taxi speeds?
Row vectors and column vectors (Mathematica vs Matlab)
How to handle DM constantly stealing everything from sleeping characters?
Which spells are in some way related to shadows or the Shadowfell?
Program for finding longest run of zeros from a list of 100 random integers which are either 0 or 1
What's the "magic similar to the Knock spell" referenced in the Dungeon of the Mad Mage adventure?
How long can fsck take on a 30 TB volume?
Is there any evidence to support the claim that the United States was "suckered into WW1" by Zionists, made by Benjamin Freedman in his 1961 speech
resoldering copper waste pipe
Identity of a supposed anonymous referee revealed through "Description" of the report
JSON DeSerialization Help?
Is it a good idea to copy a trader when investing?
How to get MAX value using SOQL when there are more than 50,000 rows
How can Sam Wilson fulfill his future role?
Can you turn a recording upside-down?
Has everyone forgotten about wildfire?
How did Captain Marvel know where to find these characters?
What are these round pads on the bottom of a PCB?
Locked my sa user out
Employee is self-centered and affects the team negatively
Why did Missandei say this?
OpenVPN server and client configuration for openwrt
Problems setting up a VPN: can connect but can't ping anyoneOpenVPN connection from within 2nd subnet in office?openvpn multiple instances route issue?OpenVPN client ping server: eth0 works, tun0 failsAllowing SSH on a server with an active OpenVPN clientNetwork behind OpenVPN clientConfiguring OpenVPN server (Debian 8) and client (Windows 10)OpenVPN and multicast routingOpenVPN Client Local LAN AccessHow to configure iptables for a dial-up VPN with OpenVPN and two interfaces?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I have an OpenWRT router with WAN(eth1) and LAN(eth0) interface.
I wanted to install an openVPN server on this router, so I could access from the WAN side into the LAN side.
My LAN(eth0) has a DHCP server configured over, and has a static IP of 172.20.51.61/24. When I connect any PC to LAN(eth0) it gets some IP in this range 172.20.51.100/24 to 172.20.51.150/24.
I have installed openvpn easy rsa and other required utilities and also generated keys for client and server. I have copied those keys to client as well.
What I would want is a very basic steps and configuration to gain some confidence, to establish a connection from client to server.
The net based blogs mention so much extra information..it becomes difficult for networking beginners to follow.
Edit: the /etc/easy-rsa/vars file has following contents.
export EASY_RSA="/etc/easy-rsa"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`/usr/sbin/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
et PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="IN"
export KEY_PROVINCE="MH"
export KEY_CITY="Pune"
export KEY_ORG="My Org"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="EasyRSA"
# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234
# If you'd like to sign all keys with the same Common Name,
# uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config
# has the duplicate-cn option set
# export KEY_CN="CommonName"
Edit 2: I have given WAN a static IP 192.168.18.100/24 which a VPN client with IP 192.168.18.101/24 will try to access.
The server configuration is:
package openvpn
config 'openvpn' 'samplevpnconfig'
option 'enable' '1'
option 'port' '1194'
option 'proto' 'udp'
option 'dev' 'tun0'
option 'client_to_client' '1'
option 'keepalive' '10 120'
option 'comp_lzo' '1'
option 'persist_key' '1'
option 'persist_tun' '1'
option 'verb' '3'
option 'mute' '20'
option 'ifconfig_pool_persist' '/tmp/ipp.txt'
option 'status' '/tmp/openvpn-status.log'
option 'ca' '/etc/openvpn/ca.crt'
option 'cert' '/etc/openvpn/server.crt'
option 'key' '/etc/openvpn/server.key'
option 'dh' '/etc/openvpn/dh1024.pem'
#this should be on a completely different subnet than your LAN
option 'server' '192.168.18.100 255.255.255.0'
list 'push' 'route 172.20.51.61 255.255.255.0' #this should MATCH your current LAN info
list 'push' 'dhcp-option DNS 172.20.51.1' #this should MATCH your current LAN info
list 'push' 'dhcp-option DOMAIN 172.20.51.1' #this should MATCH your current LAN info
Where 172.20.51.61 is LAN (eth0) static IP address.
Honestly I have no idea what those non obvious parameters mean.
The client configuration in Client machine /etc/openvpn/client.conf
client
proto udp
dev tun0
remote 192.168.18.100 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
comp-lzo
ca /etc/openvpn/ca.crt
cert /etc/openvpn/myclient.crt
key /etc/openvpn/myclient.key
WHen I try the following command: #openvpn client.conf
I get TLS error: (check your network connectivity)
and tcpdump on server gives:
13:57:19.026056 IP 192.168.18.101.34212 > 192.168.18.100.openvpn: UDP, length 14
13:57:19.026147 IP 192.168.18.100 > 192.168.18.101: ICMP 192.168.18.100 udp port openvpn unreachable, len0
But connectivity seems proper(ping, tcpdump show packet comming)
linux vpn openvpn linux-networking openwrt
edited Jul 24 '15 at 8:39
MadHatter
70.7k11146207
asked Jul 23 '15 at 13:03
RootPhoenixRootPhoenix
10838
add a comment |
I have an OpenWRT router with WAN(eth1) and LAN(eth0) interface.
I wanted to install an openVPN server on this router, so I could access from the WAN side into the LAN side.
My LAN(eth0) has a DHCP server configured over, and has a static IP of 172.20.51.61/24. When I connect any PC to LAN(eth0) it gets some IP in this range 172.20.51.100/24 to 172.20.51.150/24.
I have installed openvpn easy rsa and other required utilities and also generated keys for client and server. I have copied those keys to client as well.
What I would want is a very basic steps and configuration to gain some confidence, to establish a connection from client to server.
The net based blogs mention so much extra information..it becomes difficult for networking beginners to follow.
Edit: the /etc/easy-rsa/vars file has following contents.
export EASY_RSA="/etc/easy-rsa"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`/usr/sbin/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
et PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="IN"
export KEY_PROVINCE="MH"
export KEY_CITY="Pune"
export KEY_ORG="My Org"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="EasyRSA"
# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234
# If you'd like to sign all keys with the same Common Name,
# uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config
# has the duplicate-cn option set
# export KEY_CN="CommonName"
Edit 2: I have given WAN a static IP 192.168.18.100/24 which a VPN client with IP 192.168.18.101/24 will try to access.
The server configuration is:
package openvpn
config 'openvpn' 'samplevpnconfig'
option 'enable' '1'
option 'port' '1194'
option 'proto' 'udp'
option 'dev' 'tun0'
option 'client_to_client' '1'
option 'keepalive' '10 120'
option 'comp_lzo' '1'
option 'persist_key' '1'
option 'persist_tun' '1'
option 'verb' '3'
option 'mute' '20'
option 'ifconfig_pool_persist' '/tmp/ipp.txt'
option 'status' '/tmp/openvpn-status.log'
option 'ca' '/etc/openvpn/ca.crt'
option 'cert' '/etc/openvpn/server.crt'
option 'key' '/etc/openvpn/server.key'
option 'dh' '/etc/openvpn/dh1024.pem'
#this should be on a completely different subnet than your LAN
option 'server' '192.168.18.100 255.255.255.0'
list 'push' 'route 172.20.51.61 255.255.255.0' #this should MATCH your current LAN info
list 'push' 'dhcp-option DNS 172.20.51.1' #this should MATCH your current LAN info
list 'push' 'dhcp-option DOMAIN 172.20.51.1' #this should MATCH your current LAN info
Where 172.20.51.61 is LAN (eth0) static IP address.
Honestly I have no idea what those non obvious parameters mean.
The client configuration in Client machine /etc/openvpn/client.conf
client
proto udp
dev tun0
remote 192.168.18.100 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
comp-lzo
ca /etc/openvpn/ca.crt
cert /etc/openvpn/myclient.crt
key /etc/openvpn/myclient.key
WHen I try the following command: #openvpn client.conf
I get TLS error: (check your network connectivity)
and tcpdump on server gives:
13:57:19.026056 IP 192.168.18.101.34212 > 192.168.18.100.openvpn: UDP, length 14
13:57:19.026147 IP 192.168.18.100 > 192.168.18.101: ICMP 192.168.18.100 udp port openvpn unreachable, len0
But connectivity seems proper(ping, tcpdump show packet comming)
linux vpn openvpn linux-networking openwrt
edited Jul 24 '15 at 8:39
MadHatter
70.7k11146207
asked Jul 23 '15 at 13:03
RootPhoenixRootPhoenix
10838
Do you want bridged or routed connection? Bridged means that OpenVPN is essentially an "encrypted cable" and behaves pretty much like ethernet, VPN will be using LAN subnet, hosts managed by the LAN DHCP. Routed means a separate subnet for VPN (separate firewall zone and rules), IP management inside OpenVPN.
– sam_pan_mariusz
Jul 23 '15 at 13:44
@sam_pan_mariusz I am guessing Routed connection is what is typically used...So lets say I am outside my home router WAN(eth1), and want to access lan(eth0) network devices on the LAN side, I think this should mean Routed connection. Can you please guide me on this.
– RootPhoenix
Jul 23 '15 at 14:17
add a comment |
I have an OpenWRT router with WAN(eth1) and LAN(eth0) interface.
I wanted to install an openVPN server on this router, so I could access from the WAN side into the LAN side.
My LAN(eth0) has a DHCP server configured over, and has a static IP of 172.20.51.61/24. When I connect any PC to LAN(eth0) it gets some IP in this range 172.20.51.100/24 to 172.20.51.150/24.
I have installed openvpn easy rsa and other required utilities and also generated keys for client and server. I have copied those keys to client as well.
What I would want is a very basic steps and configuration to gain some confidence, to establish a connection from client to server.
The net based blogs mention so much extra information..it becomes difficult for networking beginners to follow.
Edit: the /etc/easy-rsa/vars file has following contents.
export EASY_RSA="/etc/easy-rsa"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`/usr/sbin/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
et PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="IN"
export KEY_PROVINCE="MH"
export KEY_CITY="Pune"
export KEY_ORG="My Org"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="EasyRSA"
# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234
# If you'd like to sign all keys with the same Common Name,
# uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config
# has the duplicate-cn option set
# export KEY_CN="CommonName"
Edit 2: I have given WAN a static IP 192.168.18.100/24 which a VPN client with IP 192.168.18.101/24 will try to access.
The server configuration is:
package openvpn
config 'openvpn' 'samplevpnconfig'
option 'enable' '1'
option 'port' '1194'
option 'proto' 'udp'
option 'dev' 'tun0'
option 'client_to_client' '1'
option 'keepalive' '10 120'
option 'comp_lzo' '1'
option 'persist_key' '1'
option 'persist_tun' '1'
option 'verb' '3'
option 'mute' '20'
option 'ifconfig_pool_persist' '/tmp/ipp.txt'
option 'status' '/tmp/openvpn-status.log'
option 'ca' '/etc/openvpn/ca.crt'
option 'cert' '/etc/openvpn/server.crt'
option 'key' '/etc/openvpn/server.key'
option 'dh' '/etc/openvpn/dh1024.pem'
#this should be on a completely different subnet than your LAN
option 'server' '192.168.18.100 255.255.255.0'
list 'push' 'route 172.20.51.61 255.255.255.0' #this should MATCH your current LAN info
list 'push' 'dhcp-option DNS 172.20.51.1' #this should MATCH your current LAN info
list 'push' 'dhcp-option DOMAIN 172.20.51.1' #this should MATCH your current LAN info
Where 172.20.51.61 is LAN (eth0) static IP address.
Honestly I have no idea what those non obvious parameters mean.
The client configuration in Client machine /etc/openvpn/client.conf
client
proto udp
dev tun0
remote 192.168.18.100 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
comp-lzo
ca /etc/openvpn/ca.crt
cert /etc/openvpn/myclient.crt
key /etc/openvpn/myclient.key
WHen I try the following command: #openvpn client.conf
I get TLS error: (check your network connectivity)
and tcpdump on server gives:
13:57:19.026056 IP 192.168.18.101.34212 > 192.168.18.100.openvpn: UDP, length 14
13:57:19.026147 IP 192.168.18.100 > 192.168.18.101: ICMP 192.168.18.100 udp port openvpn unreachable, len0
But connectivity seems proper(ping, tcpdump show packet comming)
linux vpn openvpn linux-networking openwrt
edited Jul 24 '15 at 8:39
MadHatter
70.7k11146207
asked Jul 23 '15 at 13:03
RootPhoenixRootPhoenix
10838
I have an OpenWRT router with WAN(eth1) and LAN(eth0) interface.
I wanted to install an openVPN server on this router, so I could access from the WAN side into the LAN side.
My LAN(eth0) has a DHCP server configured over, and has a static IP of 172.20.51.61/24. When I connect any PC to LAN(eth0) it gets some IP in this range 172.20.51.100/24 to 172.20.51.150/24.
I have installed openvpn easy rsa and other required utilities and also generated keys for client and server. I have copied those keys to client as well.
What I would want is a very basic steps and configuration to gain some confidence, to establish a connection from client to server.
The net based blogs mention so much extra information..it becomes difficult for networking beginners to follow.
Edit: the /etc/easy-rsa/vars file has following contents.
export EASY_RSA="/etc/easy-rsa"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`/usr/sbin/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
et PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="IN"
export KEY_PROVINCE="MH"
export KEY_CITY="Pune"
export KEY_ORG="My Org"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="EasyRSA"
# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234
# If you'd like to sign all keys with the same Common Name,
# uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config
# has the duplicate-cn option set
# export KEY_CN="CommonName"
Edit 2: I have given WAN a static IP 192.168.18.100/24 which a VPN client with IP 192.168.18.101/24 will try to access.
The server configuration is:
package openvpn
config 'openvpn' 'samplevpnconfig'
option 'enable' '1'
option 'port' '1194'
option 'proto' 'udp'
option 'dev' 'tun0'
option 'client_to_client' '1'
option 'keepalive' '10 120'
option 'comp_lzo' '1'
option 'persist_key' '1'
option 'persist_tun' '1'
option 'verb' '3'
option 'mute' '20'
option 'ifconfig_pool_persist' '/tmp/ipp.txt'
option 'status' '/tmp/openvpn-status.log'
option 'ca' '/etc/openvpn/ca.crt'
option 'cert' '/etc/openvpn/server.crt'
option 'key' '/etc/openvpn/server.key'
option 'dh' '/etc/openvpn/dh1024.pem'
#this should be on a completely different subnet than your LAN
option 'server' '192.168.18.100 255.255.255.0'
list 'push' 'route 172.20.51.61 255.255.255.0' #this should MATCH your current LAN info
list 'push' 'dhcp-option DNS 172.20.51.1' #this should MATCH your current LAN info
list 'push' 'dhcp-option DOMAIN 172.20.51.1' #this should MATCH your current LAN info
Where 172.20.51.61 is LAN (eth0) static IP address.
Honestly I have no idea what those non obvious parameters mean.
The client configuration in Client machine /etc/openvpn/client.conf
client
proto udp
dev tun0
remote 192.168.18.100 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
comp-lzo
ca /etc/openvpn/ca.crt
cert /etc/openvpn/myclient.crt
key /etc/openvpn/myclient.key
WHen I try the following command: #openvpn client.conf
I get TLS error: (check your network connectivity)
and tcpdump on server gives:
13:57:19.026056 IP 192.168.18.101.34212 > 192.168.18.100.openvpn: UDP, length 14
13:57:19.026147 IP 192.168.18.100 > 192.168.18.101: ICMP 192.168.18.100 udp port openvpn unreachable, len0
But connectivity seems proper(ping, tcpdump show packet comming)
linux vpn openvpn linux-networking openwrt
linux vpn openvpn linux-networking openwrt
edited Jul 24 '15 at 8:39
MadHatter
70.7k11146207
asked Jul 23 '15 at 13:03
RootPhoenixRootPhoenix
10838
edited Jul 24 '15 at 8:39
MadHatter
70.7k11146207
asked Jul 23 '15 at 13:03
RootPhoenixRootPhoenix
10838
edited Jul 24 '15 at 8:39
MadHatter
70.7k11146207
edited Jul 24 '15 at 8:39
MadHatter
70.7k11146207
edited Jul 24 '15 at 8:39
MadHatter
70.7k11146207
70.7k11146207
asked Jul 23 '15 at 13:03
RootPhoenixRootPhoenix
10838
asked Jul 23 '15 at 13:03
RootPhoenixRootPhoenix
10838
asked Jul 23 '15 at 13:03
RootPhoenixRootPhoenix
10838
10838
Do you want bridged or routed connection? Bridged means that OpenVPN is essentially an "encrypted cable" and behaves pretty much like ethernet, VPN will be using LAN subnet, hosts managed by the LAN DHCP. Routed means a separate subnet for VPN (separate firewall zone and rules), IP management inside OpenVPN.
– sam_pan_mariusz
Jul 23 '15 at 13:44
@sam_pan_mariusz I am guessing Routed connection is what is typically used...So lets say I am outside my home router WAN(eth1), and want to access lan(eth0) network devices on the LAN side, I think this should mean Routed connection. Can you please guide me on this.
– RootPhoenix
Jul 23 '15 at 14:17
add a comment |
Do you want bridged or routed connection? Bridged means that OpenVPN is essentially an "encrypted cable" and behaves pretty much like ethernet, VPN will be using LAN subnet, hosts managed by the LAN DHCP. Routed means a separate subnet for VPN (separate firewall zone and rules), IP management inside OpenVPN.
– sam_pan_mariusz
Jul 23 '15 at 13:44
@sam_pan_mariusz I am guessing Routed connection is what is typically used...So lets say I am outside my home router WAN(eth1), and want to access lan(eth0) network devices on the LAN side, I think this should mean Routed connection. Can you please guide me on this.
– RootPhoenix
Jul 23 '15 at 14:17
Do you want bridged or routed connection? Bridged means that OpenVPN is essentially an "encrypted cable" and behaves pretty much like ethernet, VPN will be using LAN subnet, hosts managed by the LAN DHCP. Routed means a separate subnet for VPN (separate firewall zone and rules), IP management inside OpenVPN.
– sam_pan_mariusz
Jul 23 '15 at 13:44
Do you want bridged or routed connection? Bridged means that OpenVPN is essentially an "encrypted cable" and behaves pretty much like ethernet, VPN will be using LAN subnet, hosts managed by the LAN DHCP. Routed means a separate subnet for VPN (separate firewall zone and rules), IP management inside OpenVPN.
– sam_pan_mariusz
Jul 23 '15 at 13:44
@sam_pan_mariusz I am guessing Routed connection is what is typically used...So lets say I am outside my home router WAN(eth1), and want to access lan(eth0) network devices on the LAN side, I think this should mean Routed connection. Can you please guide me on this.
– RootPhoenix
Jul 23 '15 at 14:17
@sam_pan_mariusz I am guessing Routed connection is what is typically used...So lets say I am outside my home router WAN(eth1), and want to access lan(eth0) network devices on the LAN side, I think this should mean Routed connection. Can you please guide me on this.
– RootPhoenix
Jul 23 '15 at 14:17
add a comment |
1 Answer
1
active
oldest
votes
First, I never recommend keeping SSL CA private key on a device directly connected to WAN. This is insecure.
In OpenWRT a configuration for OpenVPN is in /etc/config/openvpn - option names are almost identical as in OpenVPN original config, except for in OpenWRT hyphens (-) should be converted to underscores (_).
Follow this howto. Remove ifconfig_pool_persist if you don't need static addresses, or use ccd option for this (more reliable) with /etc/openvpn/ccd. Replace IP subnet and routes with your own. Add a digit in the end of interface name to avoid firewall configuration problems. I also recommend using tap interface (more flexible), not tun, but it's up to you. Add tls_auth to better protect against DoS attacks, in OpenVPN manual there's an example how to generate a key (search for --genkey).
To enable service autostart, use /etc/init.d/openvpn enable.
When you have OpenVPN up, configure firewall.
answered Jul 23 '15 at 18:06
sam_pan_mariuszsam_pan_mariusz
1,6731614
My /etc/easy-rsa/keys folder contains a file called serial which has "01" as entry. Also while generating certificates I found that "01.pem" file is getting created in the keys directory...however on the blogs they have mentioned dh2048.pem or dh1024.pem file. Does my setup have something wrong ?
– RootPhoenix
Jul 24 '15 at 4:26
The dh????.pem files contain Diffie–Hellman pairs, they have little to do with actual certs. Read OpenVPN manual on --dh. Your certificate and key files can have any name, just edit paths in config. If you find any troubles using easy-rsa, switch to a GUI application, XCA being a nice, free example (it employs openssl internally, just like easy-rsa).
– sam_pan_mariusz
Jul 24 '15 at 4:52
When I generate keys for client using build-key client_name, it does not ask for "ENTER EXPORT PASSWORD" but when i generate using build-key-pkcs12 client_name... it asks for EXPORT PASSWORD.. will this be used later on..which one should I use.?
– RootPhoenix
Jul 24 '15 at 5:22
Check OpenVPN manual for --askpass. PKCS12 file contains (among others) a certificate private key. Key password can be empty, and I believe it's the only reasonable way to go for you.
– sam_pan_mariusz
Jul 24 '15 at 6:18
I did the steps mentioned in link. Adding tun0 interface. COnfiguring firewall zones etc. But when I try to connect the server using #openvpn client.conf I get unreachable error even though I am able to ping it.
– RootPhoenix
Jul 24 '15 at 9:57
|
show 3 more comments
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f707926%2fopenvpn-server-and-client-configuration-for-openwrt%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
First, I never recommend keeping SSL CA private key on a device directly connected to WAN. This is insecure.
In OpenWRT a configuration for OpenVPN is in /etc/config/openvpn - option names are almost identical as in OpenVPN original config, except for in OpenWRT hyphens (-) should be converted to underscores (_).
Follow this howto. Remove ifconfig_pool_persist if you don't need static addresses, or use ccd option for this (more reliable) with /etc/openvpn/ccd. Replace IP subnet and routes with your own. Add a digit in the end of interface name to avoid firewall configuration problems. I also recommend using tap interface (more flexible), not tun, but it's up to you. Add tls_auth to better protect against DoS attacks, in OpenVPN manual there's an example how to generate a key (search for --genkey).
To enable service autostart, use /etc/init.d/openvpn enable.
When you have OpenVPN up, configure firewall.
answered Jul 23 '15 at 18:06
sam_pan_mariuszsam_pan_mariusz
1,6731614
My /etc/easy-rsa/keys folder contains a file called serial which has "01" as entry. Also while generating certificates I found that "01.pem" file is getting created in the keys directory...however on the blogs they have mentioned dh2048.pem or dh1024.pem file. Does my setup have something wrong ?
– RootPhoenix
Jul 24 '15 at 4:26
The dh????.pem files contain Diffie–Hellman pairs, they have little to do with actual certs. Read OpenVPN manual on --dh. Your certificate and key files can have any name, just edit paths in config. If you find any troubles using easy-rsa, switch to a GUI application, XCA being a nice, free example (it employs openssl internally, just like easy-rsa).
– sam_pan_mariusz
Jul 24 '15 at 4:52
When I generate keys for client using build-key client_name, it does not ask for "ENTER EXPORT PASSWORD" but when i generate using build-key-pkcs12 client_name... it asks for EXPORT PASSWORD.. will this be used later on..which one should I use.?
– RootPhoenix
Jul 24 '15 at 5:22
Check OpenVPN manual for --askpass. PKCS12 file contains (among others) a certificate private key. Key password can be empty, and I believe it's the only reasonable way to go for you.
– sam_pan_mariusz
Jul 24 '15 at 6:18
I did the steps mentioned in link. Adding tun0 interface. COnfiguring firewall zones etc. But when I try to connect the server using #openvpn client.conf I get unreachable error even though I am able to ping it.
– RootPhoenix
Jul 24 '15 at 9:57
|
show 3 more comments
First, I never recommend keeping SSL CA private key on a device directly connected to WAN. This is insecure.
In OpenWRT a configuration for OpenVPN is in /etc/config/openvpn - option names are almost identical as in OpenVPN original config, except for in OpenWRT hyphens (-) should be converted to underscores (_).
Follow this howto. Remove ifconfig_pool_persist if you don't need static addresses, or use ccd option for this (more reliable) with /etc/openvpn/ccd. Replace IP subnet and routes with your own. Add a digit in the end of interface name to avoid firewall configuration problems. I also recommend using tap interface (more flexible), not tun, but it's up to you. Add tls_auth to better protect against DoS attacks, in OpenVPN manual there's an example how to generate a key (search for --genkey).
To enable service autostart, use /etc/init.d/openvpn enable.
When you have OpenVPN up, configure firewall.
answered Jul 23 '15 at 18:06
sam_pan_mariuszsam_pan_mariusz
1,6731614
My /etc/easy-rsa/keys folder contains a file called serial which has "01" as entry. Also while generating certificates I found that "01.pem" file is getting created in the keys directory...however on the blogs they have mentioned dh2048.pem or dh1024.pem file. Does my setup have something wrong ?
– RootPhoenix
Jul 24 '15 at 4:26
The dh????.pem files contain Diffie–Hellman pairs, they have little to do with actual certs. Read OpenVPN manual on --dh. Your certificate and key files can have any name, just edit paths in config. If you find any troubles using easy-rsa, switch to a GUI application, XCA being a nice, free example (it employs openssl internally, just like easy-rsa).
– sam_pan_mariusz
Jul 24 '15 at 4:52
When I generate keys for client using build-key client_name, it does not ask for "ENTER EXPORT PASSWORD" but when i generate using build-key-pkcs12 client_name... it asks for EXPORT PASSWORD.. will this be used later on..which one should I use.?
– RootPhoenix
Jul 24 '15 at 5:22
Check OpenVPN manual for --askpass. PKCS12 file contains (among others) a certificate private key. Key password can be empty, and I believe it's the only reasonable way to go for you.
– sam_pan_mariusz
Jul 24 '15 at 6:18
I did the steps mentioned in link. Adding tun0 interface. COnfiguring firewall zones etc. But when I try to connect the server using #openvpn client.conf I get unreachable error even though I am able to ping it.
– RootPhoenix
Jul 24 '15 at 9:57
|
show 3 more comments
First, I never recommend keeping SSL CA private key on a device directly connected to WAN. This is insecure.
In OpenWRT a configuration for OpenVPN is in /etc/config/openvpn - option names are almost identical as in OpenVPN original config, except for in OpenWRT hyphens (-) should be converted to underscores (_).
Follow this howto. Remove ifconfig_pool_persist if you don't need static addresses, or use ccd option for this (more reliable) with /etc/openvpn/ccd. Replace IP subnet and routes with your own. Add a digit in the end of interface name to avoid firewall configuration problems. I also recommend using tap interface (more flexible), not tun, but it's up to you. Add tls_auth to better protect against DoS attacks, in OpenVPN manual there's an example how to generate a key (search for --genkey).
To enable service autostart, use /etc/init.d/openvpn enable.
When you have OpenVPN up, configure firewall.
answered Jul 23 '15 at 18:06
sam_pan_mariuszsam_pan_mariusz
1,6731614
First, I never recommend keeping SSL CA private key on a device directly connected to WAN. This is insecure.
In OpenWRT a configuration for OpenVPN is in /etc/config/openvpn - option names are almost identical as in OpenVPN original config, except for in OpenWRT hyphens (-) should be converted to underscores (_).
Follow this howto. Remove ifconfig_pool_persist if you don't need static addresses, or use ccd option for this (more reliable) with /etc/openvpn/ccd. Replace IP subnet and routes with your own. Add a digit in the end of interface name to avoid firewall configuration problems. I also recommend using tap interface (more flexible), not tun, but it's up to you. Add tls_auth to better protect against DoS attacks, in OpenVPN manual there's an example how to generate a key (search for --genkey).
To enable service autostart, use /etc/init.d/openvpn enable.
When you have OpenVPN up, configure firewall.
answered Jul 23 '15 at 18:06
sam_pan_mariuszsam_pan_mariusz
1,6731614
answered Jul 23 '15 at 18:06
sam_pan_mariuszsam_pan_mariusz
1,6731614
answered Jul 23 '15 at 18:06
sam_pan_mariuszsam_pan_mariusz
1,6731614
answered Jul 23 '15 at 18:06
sam_pan_mariuszsam_pan_mariusz
1,6731614
1,6731614
My /etc/easy-rsa/keys folder contains a file called serial which has "01" as entry. Also while generating certificates I found that "01.pem" file is getting created in the keys directory...however on the blogs they have mentioned dh2048.pem or dh1024.pem file. Does my setup have something wrong ?
– RootPhoenix
Jul 24 '15 at 4:26
The dh????.pem files contain Diffie–Hellman pairs, they have little to do with actual certs. Read OpenVPN manual on --dh. Your certificate and key files can have any name, just edit paths in config. If you find any troubles using easy-rsa, switch to a GUI application, XCA being a nice, free example (it employs openssl internally, just like easy-rsa).
– sam_pan_mariusz
Jul 24 '15 at 4:52
When I generate keys for client using build-key client_name, it does not ask for "ENTER EXPORT PASSWORD" but when i generate using build-key-pkcs12 client_name... it asks for EXPORT PASSWORD.. will this be used later on..which one should I use.?
– RootPhoenix
Jul 24 '15 at 5:22
Check OpenVPN manual for --askpass. PKCS12 file contains (among others) a certificate private key. Key password can be empty, and I believe it's the only reasonable way to go for you.
– sam_pan_mariusz
Jul 24 '15 at 6:18
I did the steps mentioned in link. Adding tun0 interface. COnfiguring firewall zones etc. But when I try to connect the server using #openvpn client.conf I get unreachable error even though I am able to ping it.
– RootPhoenix
Jul 24 '15 at 9:57
|
show 3 more comments
My /etc/easy-rsa/keys folder contains a file called serial which has "01" as entry. Also while generating certificates I found that "01.pem" file is getting created in the keys directory...however on the blogs they have mentioned dh2048.pem or dh1024.pem file. Does my setup have something wrong ?
– RootPhoenix
Jul 24 '15 at 4:26
The dh????.pem files contain Diffie–Hellman pairs, they have little to do with actual certs. Read OpenVPN manual on --dh. Your certificate and key files can have any name, just edit paths in config. If you find any troubles using easy-rsa, switch to a GUI application, XCA being a nice, free example (it employs openssl internally, just like easy-rsa).
– sam_pan_mariusz
Jul 24 '15 at 4:52
When I generate keys for client using build-key client_name, it does not ask for "ENTER EXPORT PASSWORD" but when i generate using build-key-pkcs12 client_name... it asks for EXPORT PASSWORD.. will this be used later on..which one should I use.?
– RootPhoenix
Jul 24 '15 at 5:22
Check OpenVPN manual for --askpass. PKCS12 file contains (among others) a certificate private key. Key password can be empty, and I believe it's the only reasonable way to go for you.
– sam_pan_mariusz
Jul 24 '15 at 6:18
I did the steps mentioned in link. Adding tun0 interface. COnfiguring firewall zones etc. But when I try to connect the server using #openvpn client.conf I get unreachable error even though I am able to ping it.
– RootPhoenix
Jul 24 '15 at 9:57
My /etc/easy-rsa/keys folder contains a file called serial which has "01" as entry. Also while generating certificates I found that "01.pem" file is getting created in the keys directory...however on the blogs they have mentioned dh2048.pem or dh1024.pem file. Does my setup have something wrong ?
– RootPhoenix
Jul 24 '15 at 4:26
My /etc/easy-rsa/keys folder contains a file called serial which has "01" as entry. Also while generating certificates I found that "01.pem" file is getting created in the keys directory...however on the blogs they have mentioned dh2048.pem or dh1024.pem file. Does my setup have something wrong ?
– RootPhoenix
Jul 24 '15 at 4:26
The dh????.pem files contain Diffie–Hellman pairs, they have little to do with actual certs. Read OpenVPN manual on --dh. Your certificate and key files can have any name, just edit paths in config. If you find any troubles using easy-rsa, switch to a GUI application, XCA being a nice, free example (it employs openssl internally, just like easy-rsa).
– sam_pan_mariusz
Jul 24 '15 at 4:52
The dh????.pem files contain Diffie–Hellman pairs, they have little to do with actual certs. Read OpenVPN manual on --dh. Your certificate and key files can have any name, just edit paths in config. If you find any troubles using easy-rsa, switch to a GUI application, XCA being a nice, free example (it employs openssl internally, just like easy-rsa).
– sam_pan_mariusz
Jul 24 '15 at 4:52
When I generate keys for client using build-key client_name, it does not ask for "ENTER EXPORT PASSWORD" but when i generate using build-key-pkcs12 client_name... it asks for EXPORT PASSWORD.. will this be used later on..which one should I use.?
– RootPhoenix
Jul 24 '15 at 5:22
When I generate keys for client using build-key client_name, it does not ask for "ENTER EXPORT PASSWORD" but when i generate using build-key-pkcs12 client_name... it asks for EXPORT PASSWORD.. will this be used later on..which one should I use.?
– RootPhoenix
Jul 24 '15 at 5:22
Check OpenVPN manual for --askpass. PKCS12 file contains (among others) a certificate private key. Key password can be empty, and I believe it's the only reasonable way to go for you.
– sam_pan_mariusz
Jul 24 '15 at 6:18
Check OpenVPN manual for --askpass. PKCS12 file contains (among others) a certificate private key. Key password can be empty, and I believe it's the only reasonable way to go for you.
– sam_pan_mariusz
Jul 24 '15 at 6:18
I did the steps mentioned in link. Adding tun0 interface. COnfiguring firewall zones etc. But when I try to connect the server using #openvpn client.conf I get unreachable error even though I am able to ping it.
– RootPhoenix
Jul 24 '15 at 9:57
I did the steps mentioned in link. Adding tun0 interface. COnfiguring firewall zones etc. But when I try to connect the server using #openvpn client.conf I get unreachable error even though I am able to ping it.
– RootPhoenix
Jul 24 '15 at 9:57
|
show 3 more comments
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f707926%2fopenvpn-server-and-client-configuration-for-openwrt%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Do you want bridged or routed connection? Bridged means that OpenVPN is essentially an "encrypted cable" and behaves pretty much like ethernet, VPN will be using LAN subnet, hosts managed by the LAN DHCP. Routed means a separate subnet for VPN (separate firewall zone and rules), IP management inside OpenVPN.
– sam_pan_mariusz
Jul 23 '15 at 13:44
@sam_pan_mariusz I am guessing Routed connection is what is typically used...So lets say I am outside my home router WAN(eth1), and want to access lan(eth0) network devices on the LAN side, I think this should mean Routed connection. Can you please guide me on this.
– RootPhoenix
Jul 23 '15 at 14:17