How to set up OpenVPN client on Turris Omnia?

I’m a noob and I’m a little lost… because there are different tutorials on the Internet with different commands to configure the firewall, interfaces, etc… There is no easy graphical interface to configure a client vpn, only on the command line.

I give you my configuration :
WAN : 192.168.1.2
LAN : 192.168.2.1

My file openvpn : https://github.com/cryptostorm/cryptostorm_client_configuration_files/blob/master/linux/cstorm_linux-paris_tcp.ovpn

client
dev tun
#randomly select a node from the list below, for redundancy against DNS blacklisting-based session blocking attacks.
#see https://openvpn.net/archive/openvpn-users/2004-12/msg00055.html
resolv-retry 16
remote-random
remote linux-paris.cryptostorm.net 443 tcp
remote linux-paris.cryptostorm.nu 443 tcp
remote linux-paris.cryptostorm.org 443 tcp
remote linux-paris.cstorm.pw 443 tcp
nobind
comp-lzo
down-pre
reneg-sec 0
hand-window 17
verb 4
mute 3
auth-user-pass
ns-cert-type server
auth SHA512
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
tls-client
key-method 2
ca ca.crt
# specification & location of server-verification PKI materials
# for details, see https://cryptostorm.org/pki
<ca>
-----BEGIN CERTIFICATE-----
[certificate data removed]
-----END CERTIFICATE-----
</ca>
# uncomment the line below to enable TrackerSmacker,
# our DNS-based intrusive ad/tracker blocking service
#dhcp-option DNS 10.31.33.7

(The last line of the ovpn file is uncommented.)

PS: Sorry, my english is bad.

Up :

I followed this great tutorial : https://openwrt.org/docs/guide-user/services/vpn/openvpn/client

My router is connected to the VPN with the command : curl ifconfig.me or traceroute ifconfig.me

Except for my clients… It’s not working. I don’t ping outside. What to do about it?

The router’s clients would not know about the VPN, and their traffic is thus taking the default route, via the ISP.

Either change the default route to the VPN, or route selectively with VPN policy-based routing, if possible?

And, if not yet in place, add a firewall rule for the VPN interface with masquerading, in case of an IPv4 setup.

I think you need “tap” (layer 2) VPN if you want your clients’ traffic routed through the VPN. You can also remove the duplicate “ca” section from your config file.

That is not necessary for routing; TUN works fine for client routing. Besides, the VPN provider appears to supply a TUN interface.


Yes, you’re right. TUN should also work. I confused it.

What you’re probably looking for is redirect-gateway local in your client settings. This will make a new default route instead of using a specific route for your VPN. From ServerFault
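
Added example, not part of any post in this thread: a shell sketch of the two checks the replies point to (default route through the tunnel, and a masqueraded firewall zone for the tun device that lan may forward into), run against constructed `ip route` output and `/etc/config/firewall` text. The function names, addresses, `eth2` and the `vpn` zone name are assumptions, and the firewall check only recognises zones that list a `tun` device directly.

```shell
# True if `ip route` output on stdin sends default traffic through a tun device:
# a replaced default route, or the 0.0.0.0/1 + 128.0.0.0/1 pair (redirect-gateway def1).
default_via_vpn() {
    awk '$1 == "default"     && /dev tun[0-9]+/ { d = 1 }
         $1 == "0.0.0.0/1"   && /dev tun[0-9]+/ { lo = 1 }
         $1 == "128.0.0.0/1" && /dev tun[0-9]+/ { hi = 1 }
         END { exit !(d || (lo && hi)) }'
}

# True if UCI firewall text on stdin has a zone that lists a tun device with
# masq enabled, plus a forwarding from lan into that zone.
vpn_zone_ok() {
    awk -v q="'" '
        function endsec() {
            if (sec == "zone" && tun && masq) zones[name] = 1
            if (sec == "forwarding" && src == "lan") fwd[dest] = 1
            sec = name = src = dest = ""; tun = masq = 0
        }
        { gsub(q, ""); gsub(/"/, "") }          # drop UCI quoting
        $1 == "config" { endsec(); sec = $2; next }
        $2 == "name"   { name = $3 }
        $2 == "src"    { src = $3 }
        $2 == "dest"   { dest = $3 }
        $2 == "masq"   && $3 == "1"   { masq = 1 }
        $2 == "device" && $3 ~ /^tun/ { tun = 1 }
        END { endsec(); for (z in zones) if (z in fwd) ok = 1; exit !ok }'
}

# Constructed sample data (not taken from the poster's router).
ROUTES='default via 192.168.1.1 dev eth2
0.0.0.0/1 via 10.66.0.1 dev tun0
128.0.0.0/1 via 10.66.0.1 dev tun0'
FW_BEFORE="config zone
    option name 'wan'
    option masq '1'
config forwarding
    option src 'lan'
    option dest 'wan'"
FW_AFTER="$FW_BEFORE
config zone
    option name 'vpn'
    list device 'tun+'
    option masq '1'
config forwarding
    option src 'lan'
    option dest 'vpn'"
printf '%s\n' "$ROUTES"    | default_via_vpn && echo "routes: default via tun"
printf '%s\n' "$FW_BEFORE" | vpn_zone_ok || echo "firewall: lan cannot reach a masqueraded tun zone"
printf '%s\n' "$FW_AFTER"  | vpn_zone_ok && echo "firewall: lan -> vpn with masq"
```

On the router, the same functions can be fed `ip route` and `cat /etc/config/firewall` instead of the samples.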