Easy VPN client option in Omnia router?

Hello everyone,

My name is Mia and I’m new to the Turris Forum. (well… not really new, I’ve been reading for two years now)

I’ve seen some posts in the past about people asking for a VPN client (NOT server) in Foris / LuCI
but did not see a clear answer from anyone within the Turris project.

Is there an ‘easy’ way to set-up the Turris Omnia as for example Openvpn client and route all traffic through it?
For example a decent and trustworthy plugin for Luci?

If not, will it come with the release of TurrisOS 4? (I would only assume because it’s based on open-wrt 18.0xxx right??)

Reason I’m asking, bought two Turris Omnia’s a while ago and was thinking it had this option right out of the box. I don’t understand why it’s not in the current SW. Anyone care to explain why people of Turris project decided to not implement this feature?

Not here to rant but seriously interested why they left this feature out.

thanks
Mia


Hello @Mia44 and welcome! I have basically the same question. I have also seen people asking in the past about this but no reply from someone who is actually involved in the project itself… could be wrong but I did not see it

Hello,

I spoke with the Foris developer and also with other guys about 1 or 2 months ago. I’m afraid currently there is no time and no plan to have a VPN client integrated into Foris.

If you want, you can help us. All source code is available on our Gitlab.
We have foris-plugin-tutorial, and you can take inspiration from the OpenVPN server, which we have in Foris.

For advanced administration LuCI, there is application luci-app-openvpn, which is for OpenVPN client and server, but if you created the server in Foris, there could be some collisions and incompatibility.

I tried to use it for OpenVPN client, it works.
Whether it is trustworthy or decent I can’t say. It is not as easy as it should be, because currently you can’t import an .ovpn file as in Ubuntu, but there is a way to do it.
When I looked at the source code, it didn’t seem so hard to add, but there is also other stuff which I need to look at first.

You’d need to upload this file to folder /etc/openvpn on your router and then edit file /etc/config/openvpn, where you need to add this code.

config openvpn 'name'
    option config '/etc/openvpn/name.ovpn'
    option enabled '1'

Once you have it, save it, refresh the page in LuCI and you should see it.

Anyway, on 18/7/2018, I wrote some notes in the documentation, but since then I didn’t look at it again. It’s almost done for Czech, so the translation shouldn’t be hard.
Once it is finished and reviewed by colleagues I’ll let you know.

If you take a look at OpenWRT documentation, you’ll find the article for OpenVPN client.


Whilst the question has popped up frequently it would appear that the majority of TO’s OpenVPN users are deploying the server side rather than the client side.
Also LuCI (luci-app-openvpn) provides for setting up the OpenVPN client. It is not necessarily easier (and logically no less work) than doing it via SSH but that is somewhat owed to the way OpenVPN is to be configured (having to understand the implication of each option in the settings).
Certainly it would ease the client setup if there was an option to import the client setting published from the corresponding server.

Not sure what the semantics of

decent and trustworthy

are supposed to be though?

Routing the outbound traffic from the router’s client(s) is not covered with the LuCI app, however there is VPN policy based routing possible? to assist with that.


I do understand why this question appears to become more frequent on this forum. As many of you know, it’s not only about security in this day and age but also about the abuse of intelligence agencies and other state actors that (illegally) intercept and collect all of our internet data. Project Turris should know that they also attract Privacy-minded individuals who want a secure, open platform. I would also like to have a decent VPN client integration. Also, it seems only logical to me that people wish to involve project Turris with that. Of course, it’s possible to do this integration in a more advanced/Do-it-yourself way.
Regarding security practices, it’s always better to have a unified approach to implementing these features. Since the devs at Turris Project know a lot about the underlying changes they applied to the software, they can (possibly) assess any security/privacy risks with implementing a VPN client a certain way. After the implementation, we as a community can further assess the implementation. I want to contribute to this. I’m even considering donating some money for this cause since I feel it’s crucial!


There is no security/privacy risk with the luci-app-openvpn for configuring the OpenVPN client. All it does is writing the configuration in a format that can be parsed by uci (backend). Such would (likely) be the same if integrated with the Foris frontend.

It still would require the user to understand the implication of the various settings, that is unless the user prefers to utilize the client settings furnished by the VPN provider without digging into the meaning of the various settings.

Foris integration would be rather a convenience by not having to login into LuCI unless it would offer the option to import client settings furnished by the VPN provider, as pointed out by @Pepe, and thus make a difference in convenience from LuCI.

If there was integration for the OpenVPN client into Foris then the other VPN client solutions should probably be integrated too since VPN providers not only offer OpenVPN.


Hello everyone,

thanks for all the replies. They are very much appreciated! My comments were not just related to Foris, I think a good VPN client solution inside LuCI would also suffice for 99% of people.

I’m an IT guy myself but not a developer/coder. Therefore I cannot assess the implications of using a third-party plugin for LuCI or relying on unknown code (to me) in terms of reliability and security of the overall system (router). I felt similar to how @Jack expressed himself above in this topic.

So, in conclusion, there is a working luci plugin for configuring the client side, that’s good to know! Anyone reading this who currently has it up-and-running? Maybe they are able to share their experiences with it.

Manual configuring the servers in VPN client is not much of a problem to me, however it’s handy that most routers allow a .ovpn config file import function.

Not sure how familiar you are yet with the TO repo concept. In its current state it is a downstream fork of the OpenWRT repo with Foris added from the TO team and some userland modifications.

Userland is maintained/tailored by the TO team and they have admitted of being overwhelmed with the task and such resulted in quite a few outdated applications incl. apps that are patched at upstream OpenWRT.

LuCI apps are developed by the OpenWRT community and thus commonly scrutinized there which does not mean necessarily of being 100% bulletproof though, e.g. UPnProxy via NAT Injections.

luci-app-openvpn is doing its intended job as one can expect but lacking the ability of importing OpenVPN profiles, at least in the version offered in the TO repo. Maybe the upstream OpenWRT version has added that feature meantime but I am not sure.
Suppose the lack of importing an openvpn profile makes it inconvenient for a lot of users.

Can you really not do it as easily as here?
https://docs.gl-inet.com/en/2/app/openvpn/
It is also based on OpenWRT !!

That is their own frontend used for importing VPN profiles and not the OpenWRT user interface.

In the version of Turris OS 3.11, which is currently in RC, you can find something very similar. I’d like to thank @dibdot, who did the amazing work and added the option to upload ovpn file together with additional improvements to luci-app-openvpn. They’re now included in OpenWRT, so I have cherry-picked his commits.

@Pepe Thanks, please review this PR as well (https://github.com/openwrt/luci/pull/2307) … at least you should review & apply the changes in /model/cbi/openvpn.lua - to fix a possible exception in template based ovpn creation.

Thanks!

@Pepe the final PR has been applied … ready to merge! :wink:

Thanks for the info, but I have found some unexpected behavior on Turris Omnia, which is running Turris OS 3.11, and before I tell you about it I wanted to test it on Turris MOX. Yesterday I configured it, today a little bit more, and hopefully tomorrow I will look at whether it also happens on OpenWRT. If yes, I’ll tell you via PM.


Hello all.

This now being a year old topic, has there been any progress? I’d like to connect router to VPN to secure my home traffic, but can’t seem to find any details, whether it is now possible.

Thank you for any update!

I have this same question. How do I just upload my .ovpn file and create a simple VPN client connection? I can do this on routers that are horrible compared to Turris. How do I do this??

LuCI -> luci-app-openvpn

I did follow these open wrt guides like this one

https://www.perfect-privacy.com/en/manuals/router_openwrt_openvpn_stealth_stunnel

But I can’t get the VPN start button in LuCI to do anything once I go through these long setups

I did everything in the tutorial and still no VPN when I press start in the final step. There is no error log in /var/log/ for open vpn and no open vpn log in /etc/openvpn, so I am stuck as to what the problem is… thoughts?

I am up to date, on the current version etc., and have proper working credentials

tbh: using guide for openwrt on turris sometimes leads to issues …

In the default setup, you have the Foris plugin, which should work (but there are only basic options). If you prefer LuCI (with advanced config setup), you should have the openvpn module for LuCI installed, and there you can use several templates/examples /etc/config/openvpn_recipes to build up the uci config /etc/config/openvpn … Luci/Openvpn shows only valid entries from /etc/config/openvpn (co …

basically if you have own config placed in /etc/openvpn , follow this guide:
https://doc.turris.cz/doc/en/howto/openvpn#using_the_openvpn_configuration_file

During /etc/init.d/openvpn [start|restart|reload], the OS reads the uci config and generates the /var/etc/openvpn-<your-vpn-name>.conf file, which is what is actually used. For sure you can tell the daemon to use any other config, but you have to specify it as an option/parameter directly to the openvpn binary.

Can you look at this guide and tell me if you think there are any glaring problems in their approach?

  1. You mention Foris has a default OpenVPN plugin, yes, but it only seems to give an option for OpenVPN server, not client, which is what I need

  2. For LuCI, I have seen the examples in openvpn recipes but each different VPN provider has wildly different OpenWrt guides that interact with all the potential options differently. So it is unclear how to reconcile the Turris guide and the specific VPN guides?

  3. My openvpn config file only contains, per the guide above:

config openvpn 'Amsterdam'
    option config '/etc/openvpn/Amsterdam.ovpn'

When I tried a different provider and a different OpenWrt guide they had me change the .ovpn file to a .conf file, but you are saying the system will do it automatically on each launch?

  4. Another thing that is unclear is if I need .crt and .key files or just the .ovpn file and the password text file. I know I have to edit the .ovpn file to look for the password txt
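
A preflight check for the procedure discussed in this thread (a .ovpn file placed in /etc/openvpn plus a stanza in /etc/config/openvpn), and for the question of which companion files a profile needs. This is an added example, not code from any poster or from the Turris or OpenWrt projects; the function names `ovpn_refs`, `creds_private` and `uci_stanza` are hypothetical, and the sample profile and the host vpn.example.net are constructed.

```shell
#!/bin/sh
# Added example: inspect an OpenVPN client profile before registering it in UCI.

# Print one line per file-bearing directive: "<directive> <status> [path]".
# Paths containing spaces or quotes are not handled.
ovpn_refs() {
    dir=$(dirname "$1")
    tr -d '\r' < "$1" | awk '
        /^[ \t]*[#;]/ { next }                                  # skip comments
        /^[ \t]*<(ca|cert|key|tls-auth|tls-crypt|pkcs12)>/ {    # material embedded in the profile
            gsub(/[ \t<>]/, ""); print $0, "@inline"; next }
        $1 ~ /^(ca|cert|key|tls-auth|tls-crypt|pkcs12|auth-user-pass)$/ {
            print $1, (NF > 1 ? $2 : "@none") }
    ' | while read -r name path; do
        case $path in
            @inline) echo "$name inline" ;;
            @none)   echo "$name nofile" ;;  # e.g. auth-user-pass alone: openvpn would prompt on a terminal
            /*)      [ -f "$path" ] && echo "$name ok $path" || echo "$name missing $path" ;;
            # A relative path depends on the daemon's working directory; absolute is unambiguous.
            *)       [ -f "$dir/$path" ] && echo "$name relative $path" || echo "$name missing $path" ;;
        esac
    done
}

# True when a credentials file has no group/other permission bits set.
creds_private() { [ "$(ls -ln "$1" | cut -c5-10)" = "------" ]; }

# Emit a stanza in the form shown earlier in the thread; UCI section names
# may only contain letters, digits and underscores.
uci_stanza() {
    case $1 in ''|*[!A-Za-z0-9_]*) echo "invalid section name: $1" >&2; return 1 ;; esac
    printf "config openvpn '%s'\n    option config '%s'\n    option enabled '1'\n" "$1" "$2"
}

# Constructed sample: CRLF line endings, inline CA, relative credentials file, missing key.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf 'client\r\nremote vpn.example.net 1194\r\nauth-user-pass pass.txt\r\n<ca>\r\n(constructed)\r\n</ca>\r\ntls-auth /nonexistent/ta.key 1\r\n' > "$demo/Amsterdam.ovpn"
printf 'user\nsecret\n' > "$demo/pass.txt"; chmod 644 "$demo/pass.txt"
ovpn_refs "$demo/Amsterdam.ovpn"
creds_private "$demo/pass.txt" || echo "pass.txt is readable by group/other: chmod 600 it"
uci_stanza Amsterdam /etc/openvpn/Amsterdam.ovpn
```

A profile whose directives all report `inline` needs no separate .crt or .key files; anything reported `missing` or `nofile` has to be supplied or corrected before the instance can start unattended.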