Easy VPN client option in Omnia router?

There is no security/privacy risk with luci-app-openvpn for configuring the OpenVPN client. All it does is write the configuration in a format that can be parsed by uci (the backend). It would (likely) be the same if integrated with the Foris frontend.

It would still require the user to understand the implications of the various settings, unless the user prefers to use the client settings furnished by the VPN provider without digging into the meaning of those settings.

Foris integration would rather be a convenience, by not having to log in to LuCI, unless it offered the option to import client settings furnished by the VPN provider, as pointed out by @Pepe, and thus made a difference in convenience compared to LuCI.

If there were integration for the OpenVPN client in Foris, then the other VPN client solutions should probably be integrated too, since VPN providers do not only offer OpenVPN.

Hello everyone,

thanks for all the replies. They are very much appreciated! My comments were not just related to Foris; I think a good VPN client solution inside LuCI would also suffice for 99% of people.

I'm an IT guy myself but not a developer/coder, therefore I cannot assess the implications of using a third-party plugin for LuCI or relying on code unknown (to me) in terms of reliability and security of the overall system (router). I felt similar to how @Jack expressed himself above in this topic.

So, in conclusion, there is a working LuCI plugin for configuring the client side; that's good to know! Is anyone reading this currently running it? Maybe they can share their experiences with it.

Manually configuring the servers in the VPN client is not much of a problem for me; however, it's handy that most routers offer a .ovpn config file import function.

Not sure how familiar you are yet with the TO repo concept. In its current state it is a downstream fork of the OpenWRT repo, with Foris added by the TO team and some userland modifications.

Userland is maintained/tailored by the TO team, and they have admitted to being overwhelmed with the task, which has resulted in quite a few outdated applications, including apps that are patched upstream in OpenWRT.

LuCI apps are developed by the OpenWRT community and thus commonly scrutinized there, which does not necessarily mean they are 100% bulletproof though, e.g. UPnProxy via NAT injections.

luci-app-openvpn does its intended job as one would expect, but lacks the ability to import OpenVPN profiles, at least in the version offered in the TO repo. Maybe the upstream OpenWRT version has added that feature in the meantime, but I am not sure.
I suppose the lack of OpenVPN profile import makes it inconvenient for a lot of users.

Can you really not do it as easily as here?
https://docs.gl-inet.com/en/2/app/openvpn/
It is also based on OpenWRT!

That is their own frontend used for importing VPN profiles, not the OpenWRT user interface.

In Turris OS 3.11, which is currently in RC, you can find something very similar. I'd like to thank @dibdot, who did the amazing work and added the option to upload an ovpn file, together with additional improvements to luci-app-openvpn. They're now included in OpenWRT, so I have cherry-picked his commits.

@Pepe Thanks, please review this PR as well (https://github.com/openwrt/luci/pull/2307) … at least you should review & apply the changes in /model/cbi/openvpn.lua to fix a possible exception in template-based ovpn creation.

Thanks!

@Pepe the final PR has been applied … ready to merge! :wink:

Thanks for the info, but I have found some unexpected behavior on Turris Omnia running Turris OS 3.11, and before I tell you about it I wanted to test it on Turris MOX. Yesterday I configured it, today a little bit, and hopefully tomorrow I will be looking at whether it also happens on OpenWRT. If yes, I'll tell you via PM.

Hello all.

This topic is now a year old; has there been any progress? I'd like to connect the router to a VPN to secure my home traffic, but can't seem to find any details on whether it is now possible.

Thank you for any update!

I have the same question. How do I just upload my .ovpn file and create a simple VPN client connection? I can do this on routers that are horrible compared to Turris. How do I do this??

LuCI -> luci-app-openvpn

I did follow the OpenWrt guides, like this one:

https://www.perfect-privacy.com/en/manuals/router_openwrt_openvpn_stealth_stunnel

But I can't get the VPN start button in LuCI to do anything once I go through these long setups.

I did everything in the tutorial and still no VPN when I press start in the final step; there is no error log in /var/log/ for OpenVPN and no OpenVPN log in /etc/openvpn, so I am stuck as to what the problem is … thoughts?

I am up to date, on the current version etc., and have proper working credentials.

tbh: using a guide for OpenWrt on Turris sometimes leads to issues …

In the default setup you have the Foris plugin, which should work (but there are only basic options); if you prefer LuCI (with advanced config setup), you should have the OpenVPN module for LuCI installed, and there you can use several templates/examples from /etc/config/openvpn_recipes to build up the uci config /etc/config/openvpn … LuCI/OpenVPN shows only valid entries from /etc/config/openvpn (co …

Basically, if you have your own config placed in /etc/openvpn, follow this guide:
https://doc.turris.cz/doc/en/howto/openvpn#using_the_openvpn_configuration_file

During /etc/init.d/openvpn [start|restart|reload], the OS reads the uci config and generates the /var/etc/openvpn-<your-vpn-name>.conf file which is actually used. For sure you can tell the daemon to use any other config, but you have to specify it as an option/parameter directly to the openvpn binary.

Can you look at this guide and tell me if you think there are any glaring problems in their approach?

  1. You mention Foris has a default OpenVPN plugin; yes, but it only seems to give an option for an OpenVPN server, not a client, which is what I need.

  2. For LuCI, I have seen the examples in openvpn_recipes, but each VPN provider has wildly different OpenWrt guides that interact with all the potential options differently. So it is unclear how to reconcile the Turris guide and the specific VPN guides.

  3. My openvpn config file only contains, per the guide above:

```
config openvpn 'Amsterdam'
    option config '/etc/openvpn/Amsterdam.ovpn'
```

When I tried a different provider and a different OpenWrt guide, they had me change the .ovpn file to a .conf file, but you are saying the system will do it automatically on each launch?

  4. Another thing that is unclear is whether I need .crt and key files or just the .ovpn file and the password text file. I know I have to edit the .ovpn file to look for the password txt.

UPDATE: got it working

  1. That guide is definitely missing some very important settings, like changing the .ovpn file line `auth-user-pass <filename of authentication txt>`.
  2. The FIREWALL for VPN needs to be incoming AND outgoing Accept.

How do I make a setting where there will be no internet if the connection drops?

The guide says to:
Navigate to Network => Firewall and underneath Zones open lan using the Edit button.

Scroll down to Inter-Zone Forwarding and next to Allow forward to destination zones activate only PP_Firewall. Then click on the button Save & Apply.

If you want to disable the firewall protection ("kill switch") again, next to Allow forward to destination zones: PP-Firewall additionally activate WAN and WAN6.

Will this be sufficient as a no-VPN kill switch?

How would I route VPN only on certain LAN ports on the back of the router?

Also, should I worry about these warnings in the output of the VPN startup in syslog? Warnings about inconsistent usage, Permission denied etc.

My ISP does not allow IPv6, and I added option enabled ipv6 '0' to everything in the network config in order to get opkg to download correctly.

```
Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1581', remote='link-mtu 1633'
Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
Jan 16 03:28:51 turris openvpn(PP_ZURICH)[12884]: GDG6: remote_host_ipv6=n/a
Jan 16 03:28:51 turris openvpn(PP_ZURICH)[12884]: GDG6: NLMSG_ERROR: error Permission denied
Jan 16 03:28:51 turris odhcp6c[11010]: Failed to send DHCPV6 message to ff02::1:2 (Permission denied)
Jan 16 03:28:52 turris firewall: Reloading firewall due to ifup of PP_VPN (tun0)
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: /sbin/route add -net 152.89.162.226 netmask 255.255.255.255 gw 192.168.8.1
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.5.96.1
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.5.96.1
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: add_route_ipv6(2000::/3 -> fdbf:1d37:bbe0:0:86::1 metric -1) dev tun0
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: /sbin/route -A inet6 add 2000::/3 dev tun0
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: add_route_ipv6(::/3 -> fdbf:1d37:bbe0:0:86::1 metric -1) dev tun0
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: /sbin/route -A inet6 add ::/3 dev tun0
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: add_route_ipv6(2000::/4 -> fdbf:1d37:bbe0:0:86::1 metric -1) dev tun0
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: /sbin/route -A inet6 add 2000::/4 dev tun0
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: add_route_ipv6(3000::/4 -> fdbf:1d37:bbe0:0:86::1 metric -1) dev tun0
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: /sbin/route -A inet6 add 3000::/4 dev tun0
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: add_route_ipv6(fc00::/7 -> fdbf:1d37:bbe0:0:86::1 metric -1) dev tun0
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: /sbin/route -A inet6 add fc00::/7 dev tun0
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: Initialization Sequence Completed
Jan 16 03:29:01 turris /usr/sbin/cron[13399]: (root) CMD (/usr/bin/rainbow_button_sync.sh)
Jan 16 03:29:10 turris kresd[13274]: [ ta ] active refresh failed for . with rcode: 2
Jan 16 03:29:10 turris kresd[13274]: [ ta ] next refresh for . in 2.1712222222222 hours
```
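The zone-based kill switch from the guide quoted above, as an added shell example that is not part of this thread, of Turris OS or of OpenWrt: it parses a copy of /etc/config/firewall and reports whether the lan zone can forward anywhere other than the VPN zone. The zone names lan, wan, wan6 and PP_Firewall and the interface name PP_VPN are taken from the posts and the log above; the two firewall snippets are constructed samples, not a real router's config, and the `uci` commands in the trailing comment are the standard uci CLI.

```shell
#!/bin/sh
# Added example, not from the thread and not part of Turris OS or OpenWrt:
# check an OpenWrt /etc/config/firewall for the LAN-side "kill switch" the
# guide describes, i.e. the lan zone forwards into the VPN zone and nowhere
# else. Zone names lan/wan/wan6/PP_Firewall and interface PP_VPN are taken
# from the thread; the two config snippets below are constructed samples.

# Print the dest zone of every "config forwarding" section whose src is $1.
# Reads the firewall config text on stdin.
forward_dests() {
    awk -v want="$1" -v q="'" '
        /^config forwarding/ { in_fwd = 1; s = ""; d = ""; next }
        /^config /           { in_fwd = 0 }
        in_fwd && $1 == "option" && $2 == "src"  { gsub(q, "", $3); s = $3 }
        in_fwd && $1 == "option" && $2 == "dest" { gsub(q, "", $3); d = $3 }
        in_fwd && s != "" && d != "" { if (s == want) print d; s = ""; d = "" }
    '
}

# Succeed only when lan forwards to exactly the VPN zone ($1). Both wan and
# wan6 must be absent: the guide re-enables the bypass by adding either one.
killswitch_ok() {
    dests=$(forward_dests lan)
    [ -n "$dests" ] || return 1      # no forwarding at all: LAN is cut off, not protected
    for d in $dests; do
        [ "$d" = "$1" ] || return 1
    done
    return 0
}

report() {   # report <label> <config-text>
    if printf '%s\n' "$2" | killswitch_ok PP_Firewall; then
        echo "$1: lan forwards only to PP_Firewall (kill switch in place)"
    else
        echo "$1: lan can bypass the tunnel via: $(printf '%s\n' "$2" | forward_dests lan | tr '\n' ' ')"
    fi
}

# Constructed sample: lan -> PP_Firewall only. Traffic from LAN hosts has no
# permitted path out of wan/wan6, so it stops when tun0 (PP_VPN) is down.
KILLSWITCH_FIREWALL="config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'PP_Firewall'
    list network 'PP_VPN'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'PP_Firewall'
"

# The weak variant: the extra lan -> wan forwarding lets LAN traffic follow the
# default route through the ISP uplink whenever the tunnel route is gone.
LEAKY_FIREWALL="$KILLSWITCH_FIREWALL
config forwarding
    option src 'lan'
    option dest 'wan'
"

report killswitch "$KILLSWITCH_FIREWALL"
report leaky      "$LEAKY_FIREWALL"

# On the router the leaky state is fixed with (section index N from `uci show firewall`):
#   uci delete firewall.@forwarding[N]        # the lan -> wan (and lan -> wan6) sections
#   uci commit firewall && /etc/init.d/firewall reload
```

On the router, after sourcing the functions, `killswitch_ok PP_Firewall < /etc/config/firewall && echo ok` gives the verdict for the live config. One caveat a practitioner should keep in mind: inter-zone forwarding only governs traffic the router forwards for LAN hosts. The router's own traffic, such as its resolver (kresd in the log above), opkg, and OpenVPN's own connection to the server (routed via 192.168.8.1 in the log), still leaves through the wan zone's output policy, so this is a kill switch for LAN clients, not for the router itself.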

ad_guide: at first look, that guide is doing something OpenWrt-specific from the very start, so I would stick with the Turris guides for OpenVPN and use luci-app-openvpn to build the config, or use the supplied ones (which is kind of the OpenWrt way). In other words, why not use the official docs?

I think for you, you just need to do something like this to have your config (whatever type) visible in LuCI:

Sample /etc/config/openvpn:

```
package openvpn

config openvpn custom_config
    option enabled 1
    option config /etc/openvpn/vpn.conf
```

For sure that config must be valid; openvpn --config /etc/openvpn/vpn.conf should validate that config. Once you edit it, use "uci commit openvpn" and that should populate it to LuCI so you can enable/disable (start/stop) that instance …

In LuCI there are all possible templates (tunnel, routed, bridged), so you can build a copy/clone of your vpn.conf, so instead of in /etc/openvpn you will have it in uci format in /etc/config/openvpn …

You can have two types of configs (okay, three if you count uci itself):
one where you have paths to cert/key/ca/tls files (usually named .conf and used for server and/or client),
and a second where you have everything needed in one file (preferred variant) (usually named .ovpn, used mainly for clients; resp. maybe for both, I am not sure, but I have never seen a server .ovpn file so far on any of the servers I manage at home/work).

ad_networking (routing): that is far from my knowledge :slight_smile: … I am glad that Foris did something automatically and I don't need to dig into it (in previous versions of TOS there was no Foris plugin, only the LuCI module, and you had to do the CA on your own, the routing rules in the firewall and so on … for me those were such "headache maker" evenings :slight_smile:

Maybe I didn't make it clear in my previous post, but I do have the OpenVPN LuCI client working now, showing the correct IP and everything. The only things I had to change from the guide were the few things mentioned above.

What I was asking was whether I need to worry about / change anything to fix these WARNINGS in the log:

```
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1581', remote='link-mtu 1633'
Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]',
```

Thank you for your help, and I hear you on the routing rabbit hole; it is my next deep dive on this router.

You should not specify the MTU; you can use the "mtu-fix 1" directive … if you have an MTU value higher than your link MTU (1500) you will have problems (remove any directive specifying an MTU value).
When I played with the cipher directive, it was better to keep the default (so better to remove your own during testing).

If you look around this forum, I have quite a lot of posts related to OpenVPN (in Czech, but the sources and snippets might help if you have some other issues …)

Good luck; if anything, feel free to "PM me" :slight_smile:
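To make the WARNING lines discussed above easier to read, here is an added shell example that is not from the thread and not part of OpenVPN or Turris OS: it pulls OpenVPN's options-string mismatch warnings out of syslog output and lists, per option, the local and remote values. The sample log is constructed to mirror the paste above with the straight quotes real syslog uses (the forum rendering shows curly ones); the instance name PP_ZURICH and the values are copied from it.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenVPN: list the options-string
# mismatch warnings OpenVPN logs at connect time, one per line as
#   <option>: local=<value> remote=<value|(absent)>
# Reads syslog text on stdin; handles both one entry per line and several
# entries run together on one line (as in a forum paste).
openvpn_mismatches() {
    awk -v q="'" '
    {
        line = $0
        tag = "WARNING: " q
        while ((idx = index(line, tag)) > 0) {
            # rest starts at the opening quote of the option name; splitting on
            # quotes gives: a[2]=option, a[3]=kind, a[4]=local, a[6]=remote
            rest = substr(line, idx + length(tag) - 1)
            split(rest, a, q)
            opt = a[2]; kind = a[3]
            line = substr(line, idx + length(tag))   # continue after this match
            if (index(kind, "used inconsistently") > 0) {
                lcl = a[4]; rmt = a[6]
            } else if (index(kind, "missing in remote") > 0) {
                lcl = a[4]; rmt = "(absent)"
            } else {
                continue   # some other WARNING, not an options mismatch
            }
            # values are logged as "<option> <value>"; keep only the value
            if (index(lcl, opt " ") == 1) lcl = substr(lcl, length(opt) + 2)
            if (index(rmt, opt " ") == 1) rmt = substr(rmt, length(opt) + 2)
            printf "%s: local=%s remote=%s\n", opt, lcl, rmt
        }
    }'
}

# Number of mismatched options in a log read from stdin (0 means clean).
mismatch_count() {
    openvpn_mismatches | wc -l | tr -d ' '
}

# Constructed sample mirroring the syslog excerpt quoted in the thread; the
# first line deliberately carries two entries run together, as the paste did.
SAMPLE_LOG="Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1581', remote='link-mtu 1633' Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: Initialization Sequence Completed"

printf '%s\n' "$SAMPLE_LOG" | openvpn_mismatches
# On the router: logread | openvpn_mismatches
```

What the output shows for the thread's log: the cipher, auth and link-mtu warnings come from one cause. The client's expected options list an AEAD cipher (AES-256-GCM carries no separate HMAC, hence `auth [null-digest]`) while the server advertises AES-256-CBC with SHA512, and the different per-packet overhead of the two choices is exactly what shifts the computed link-mtu. These warnings compare the two sides' expectations; which cipher the data channel actually ended up using is reported in OpenVPN's later "Data Channel" log lines, which is where to look before deciding anything. The keydir warning says the local side configured a tls-auth key direction that the remote did not advertise. Dropping explicit MTU and cipher directives during testing, as the reply above advises, is the usual way to make the list come out empty.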