OpenWrt is a Linux distribution targeting many embedded devices. Instead of trying to build a single static firmware, it provides a fully writable filesystem with package management. This frees you from the application selection and configuration provided by the vendor and lets you customize your device through packages to suit any application.

OpenVPN is a virtual private network (VPN) implementation that creates secure point-to-point or site-to-site connections in routed or bridged configurations, as well as remote access facilities. It provides both the client and the server side.

To configure OpenVPN on your router you need to install the required packages, openvpn-openssl and openvpn-easy-rsa. This can be done from the CLI or from the web interface; both do the same thing.

After installing the required packages you need to generate your certificates and keys with easy-rsa:

# Configuration parameters
OVPN_PKI="/etc/easy-rsa/pki"
export EASYRSA_PKI="${OVPN_PKI}"
export EASYRSA_REQ_CN="ovpnca"
export EASYRSA_BATCH="1"
 
# Remove and re-initialize the PKI directory
easyrsa init-pki
 
# Generate DH parameters
easyrsa gen-dh
 
# Create a new CA
easyrsa build-ca nopass
 
# Generate a key pair and sign locally for a server
easyrsa build-server-full server nopass
 
# Generate a key pair and sign locally for a client
easyrsa build-client-full client nopass
 
# Generate TLS PSK
openvpn --genkey --secret ${OVPN_PKI}/tc.pem

The last step is to apply the VPN configuration in the UCI config file (/etc/config/openvpn on OpenWrt):

config openvpn 'home'
	option verb '3'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/my-server.crt'
	option key '/etc/openvpn/my-server.key'
	option dh '/etc/openvpn/dh2048.pem'
	option tls_auth '/etc/openvpn/tls-auth.key 0'
	option client_to_client '1'
	option log '/tmp/openvpn.log'
	option keepalive '10 120'
	option status '/tmp/openvpn.status 5'
	option mute '20'
	option tls_server '1'
	option enabled '1'
	option persist_tun '1'
	option persist_key '1'
	option dev 'tap0'
	option dev_type 'tap'
	option port '1194'
	option tun_ipv6 '1'
	option server_bridge '192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.254'
	option duplicate_cn '1'
	option sndbuf '393216'
	option rcvbuf '393216'
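The config above reads its material from /etc/openvpn under the names ca.crt, my-server.crt, my-server.key, dh2048.pem and tls-auth.key, while the easy-rsa script writes to /etc/easy-rsa/pki. The helper below is an added example, not code from the original post or from the OpenWrt project: it copies the generated files into place under the names the UCI options expect, restricts the permissions of the two secret files, and checks that nothing the server needs is missing or group/world readable. It assumes the easy-rsa 3 default layout ($PKI/ca.crt, $PKI/issued/server.crt, $PKI/private/server.key, $PKI/dh.pem) plus the TLS key the script above writes to $PKI/tc.pem.

```shell
#!/bin/sh
# Added example: install easy-rsa output under the file names used by the
# UCI openvpn config and verify the result. Assumes the easy-rsa 3 default
# PKI layout and the tc.pem TLS key path from the PKI script.

# install_ovpn_material SRC_PKI DEST_DIR
install_ovpn_material() {
    src="$1"
    dst="$2"
    mkdir -p "$dst" || return 1
    # easy-rsa output -> name referenced by option ca/cert/key/dh/tls_auth
    cp "$src/ca.crt"             "$dst/ca.crt"        || return 1
    cp "$src/issued/server.crt"  "$dst/my-server.crt" || return 1
    cp "$src/private/server.key" "$dst/my-server.key" || return 1
    cp "$src/dh.pem"             "$dst/dh2048.pem"    || return 1
    cp "$src/tc.pem"             "$dst/tls-auth.key"  || return 1
    # the server private key and the TLS-auth key are secrets: owner-only
    chmod 0600 "$dst/my-server.key" "$dst/tls-auth.key" || return 1
    # certificates and DH parameters are public
    chmod 0644 "$dst/ca.crt" "$dst/my-server.crt" "$dst/dh2048.pem" || return 1
    return 0
}

# check_ovpn_material DEST_DIR
# Returns 0 when every file the config references exists and is non-empty
# and the secret files are not group/world readable; prints each problem.
check_ovpn_material() {
    dst="$1"
    rc=0
    for f in ca.crt my-server.crt my-server.key dh2048.pem tls-auth.key; do
        if [ ! -s "$dst/$f" ]; then
            echo "missing or empty: $dst/$f"
            rc=1
        fi
    done
    for f in my-server.key tls-auth.key; do
        [ -e "$dst/$f" ] || continue
        # GNU/busybox stat first, BSD stat as fallback
        mode=$(stat -c '%a' "$dst/$f" 2>/dev/null || stat -f '%Lp' "$dst/$f")
        case "$mode" in
            600|400) ;;
            *) echo "too permissive ($mode): $dst/$f"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage on the router:
#   install_ovpn_material /etc/easy-rsa/pki /etc/openvpn && check_ovpn_material /etc/openvpn
```

Run the check again after any later change to the PKI (re-issuing the server certificate, rotating tc.pem), since the UCI config only references paths and will not notice a file that was replaced with wrong permissions.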

With this done you need to build a client VPN config like the following, with the inline blocks filled from the CA certificate, the client certificate and key, and the TLS key generated above:

client
dev tap
proto udp
fast-io
remote SERVER_IP 1194
remote-cert-tls server
nobind
persist-key
persist-tun
verb 3
key-direction 1
tls-client
<ca>
YOUR CA GOES HERE
</ca>
<cert>
YOUR CERT GOES HERE
</cert>
<key>
YOUR PRIVATE KEY GOES HERE
</key>
<tls-auth>
YOUR TLS KEY GOES HERE
</tls-auth>
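Filling the four placeholders by hand is error-prone, and a profile with a missing <tls-auth> block silently connects without the TLS key. The following is an added example, not code from the original post: it assembles the client profile above from the easy-rsa output, extracts only the PEM block from each file (easy-rsa prefixes issued certificates with a text dump), and refuses to emit a profile if any piece is missing. It assumes the easy-rsa 3 layout ($PKI/ca.crt, $PKI/issued/client.crt, $PKI/private/client.key) and the TLS key at $PKI/tc.pem, matching the names used in the PKI script above; the server address and client name are parameters.

```shell
#!/bin/sh
# Added example: build the inline client profile from the easy-rsa PKI.
# Assumes the easy-rsa 3 default layout and the tc.pem TLS key path.

# pem_block FILE: print only the -----BEGIN ... -----END section of FILE,
# dropping the human-readable certificate dump easy-rsa puts in front of it.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_client_ovpn PKI_DIR SERVER_IP [CLIENT_NAME] > client.ovpn
build_client_ovpn() {
    pki="$1"
    server="$2"
    name="${3:-client}"
    # a half-filled profile would fall back to weaker settings (no tls-auth)
    # rather than fail, so check every input up front
    for f in "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key" "$pki/tc.pem"; do
        if [ ! -s "$f" ]; then
            echo "build_client_ovpn: missing $f" >&2
            return 1
        fi
    done
    cat <<EOF
client
dev tap
proto udp
fast-io
remote $server 1194
remote-cert-tls server
nobind
persist-key
persist-tun
verb 3
key-direction 1
tls-client
EOF
    printf '<ca>\n';       pem_block "$pki/ca.crt";             printf '</ca>\n'
    printf '<cert>\n';     pem_block "$pki/issued/$name.crt";   printf '</cert>\n'
    printf '<key>\n';      pem_block "$pki/private/$name.key";  printf '</key>\n'
    printf '<tls-auth>\n'; pem_block "$pki/tc.pem";             printf '</tls-auth>\n'
}

# Usage on the router (SERVER_IP is your router's public address):
#   build_client_ovpn /etc/easy-rsa/pki SERVER_IP client > /tmp/client.ovpn
```

The generated file contains the client's private key, so treat it like the key itself: copy it to the client over an authenticated channel and delete the copy in /tmp afterwards.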

With all of this done you are ready to connect to your VPN server.
