OpenVPN server easy and fast

Yesterday I was trying to solve why OpenVPN clients can’t access the internet/LAN after enabling IPv6 on the router. They got an IP from the 1.0.8.0 subnet, but no connections. It turns out that this helps:

redirect-gateway def1 --> redirect-gateway

It was the try-and-see approach from my side, but I think this could be reproducible. Everything works on IPv4; when I get IPv6 connectivity, suddenly OpenVPN clients have problems (and I don’t use IPv6 on the VPN at all).

Maybe you could also tell us where Foris takes its template for the configuration, so we could modify that part, because I really like that you allow us to revoke certificates and the way we can generate new certificates with all key material included.

I searched your git but couldn’t find anything.

  1. If your router connection is slow, it would slow down your client.

  2. If you change the default route you may break some networking functions of your client. (e.g. your client is behind two NATs and it is trying to access IPs in the outer LAN)


Thanks for reply. I understand.

  1. Even though I think that most people will use OpenVPN mainly for security purposes (e.g. people on business trips, while travelling, using public wifi / hotel wifi), not because of home services behind NAT.
  2. And what do you think about the default cipher settings, would you mind changing them?
  3. Additionally it would be pretty cool to have OpenVPN running on the default port 1194 and on 443 (fallback mode) at the same time, because of the port-blocking policies at many free/public wifi spots.

EDIT: Here is a nice howto about 2 ports setting.

Thanks for consideration. :grin:

Well we are going to bump openvpn version to 2.4.
see openvpn/Changes.rst at release/2.4 · OpenVPN/openvpn · GitHub
But I’m not sure whether we’ll be able to put it to TurrisOS 3.6.1, but I suppose that it will be ready in 3.6.2

Well, you may rather add a port-forward rule to your firewall settings (you can do it via LuCI or directly from the console).

config 'redirect'
        option 'name' 'openvpn backup'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'src_dport' '443'
        option 'dest_port' '1194'
        option 'target' 'DNAT'
        option 'dest' 'wan'

But again this is rather something optional, because someone might be using 443 for other purposes.


Alright, thumbs up for the update to 2.4. :slight_smile:
And thanks for the LuCI config, I’ll get my hands dirty with the OpenVPN customization as soon as I get home.

EDIT: What about making a fallback port (443 or any other) as optional checkbox function in Foris :wink:
Plus please consider the redirect-gateway def1


After the update to 3.6.1 the situation is worse. Either WiFi or OpenVPN works, but not both at once.

Sorry, we have no other explanation for that (today). Please contact support and we will investigate the case.

First of all, thank you for the OpenVPN addition.
It makes setting up VPN a piece of cake, which is great!

I’m looking forward to an update to a more recent OpenVPN, especially because of the updated cipher.

What’s more important, though, is that not all traffic is routed through the VPN. :slight_frown:

My wife is going on a business trip to China for the next 14 days, and I was hoping the VPN would have an option to do so.

Not so! :worried: But I see in the thread here and also in the OpenVPN howto that the option push "redirect-gateway def1" should be added to the OpenVPN configuration file to configure this - but my LuCI command-line-fu isn’t really good enough for me to figure it out on my own. Can any of you assist me with a step-by-step description of what to execute to add that option?

Thanks in advance.

I very much appreciate the “easy config” of OpenVPN in Foris, and thanks for it! It would be great to have all traffic set up to go over the VPN by default.

When I add this command to the config, I’m able to connect to the VPN tunnel, I can reach machines in the local network behind the VPN, I can ping outside (WAN) servers, but DNS is not working. My client (notebook) is set to get its IP address and DNS from the DHCP server (in this mode it is not working through the VPN). When I set up DNS servers on the client machine manually (for example 8.8.8.8 and 8.8.4.4), it works well. What else can I set up to get the VPN working with DNS obtained automatically?

So you are saying that the unchecked checkbox “Configuration enabled” in the Foris OpenVPN tab is normal behavior (it is unchecked and my OpenVPN is working)? And when I check it, will it rewrite the /etc/config/openvpn file?

Yes, I have restarted the VPN client several times and it didn’t help. But it always helped to restart the OpenVPN service in LuCI or in the CLI. :wink:

You can try to find the answer on this page: 192.168.1.1. There are all the instructions and photos. I always check the settings there.

Is it possible to add a password when logging into the VPN? My automatic configuration has only a certificate.

open /etc/config/openvpn and add:

push "redirect-gateway def1"

after that just restart the server by:

/etc/init.d/openvpn start

add the following line to your server config:

push "dhcp-option DNS 8.8.8.8"

Only when you build your own certificates.


I have the exact same problem. After enabling IPv6 on the router side, I am unable to serve DNS from Omnia to the OpenVPN client.

Thanks for advice.

So I have added this:

list push 'redirect-gateway def1'
list push 'dhcp-option DNS 208.67.222.222'
list push 'dhcp-option DNS 208.67.220.220'
list push 'dhcp-option DNS 8.8.8.8'
list push 'dhcp-option DNS 8.8.4.4'

…to the /etc/config/openvpn configuration file and now it is working well (IPv4 address and DNS automatically obtained by DHCP). :slight_smile:
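An added check, not code from this thread or from the Turris project: a small Python script that reads the push lines from either an /etc/config/openvpn section (list push '...') or the generated openvpn-server_turris.conf (push "...") and reports whether clients will get a full tunnel with DNS, as the posts above work out, and whether plain redirect-gateway or redirect-gateway def1 is pushed, as in the IPv6 post at the top. The '#' comment handling and the sample section are assumptions.

```python
# Added check: which options does an OpenVPN server push, and do clients end up
# with a full tunnel (all traffic and DNS via the VPN)? Accepts openvpn.conf lines
# (push "...") and UCI lines (list push '...'); assumes '#' starts a comment.

def parse_push_lines(text):
    """Return (option, quoted, style) for every push directive in text."""
    results = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split(None, 1)
        style = "conf"
        if words and words[0] in ("list", "option"):  # UCI: list push '...'
            style = "uci"
            words = words[1].split(None, 1) if len(words) > 1 else []
        if len(words) == 2 and words[0] == "push":
            arg = words[1].strip()
            quoted = len(arg) >= 2 and arg[0] == arg[-1] and arg[0] in "\"'"
            results.append((arg[1:-1] if quoted else arg, quoted, style))
    return results

def full_tunnel_report(text):
    """Summarise redirect-gateway and DNS pushes and list problems found."""
    pushed = parse_push_lines(text)
    redirect = [o for o, _, _ in pushed if o.split()[:1] == ["redirect-gateway"]]
    dns = [o.split()[2] for o, _, _ in pushed
           if o.startswith("dhcp-option DNS ") and len(o.split()) >= 3]
    # push takes one argument in openvpn.conf, so multi-word options need quotes
    problems = ["unquoted multi-word push: " + o for o, q, s in pushed
                if s == "conf" and not q and len(o.split()) > 1]
    if not redirect:
        problems.append("no redirect-gateway pushed: client keeps its own default route")
    if not dns:
        problems.append("no DNS pushed: client resolves names outside the tunnel")
    return {
        "redirect_gateway": redirect,
        # def1 adds 0.0.0.0/1 and 128.0.0.0/1 routes instead of replacing the default
        "uses_def1": any("def1" in r.split() for r in redirect),
        "dns_servers": dns,
        "problems": problems,
    }

# Constructed sample modelled on the thread's /etc/config/openvpn additions
UCI_SAMPLE = """config openvpn 'server_turris'
        option port '1194'
        list push 'redirect-gateway def1'
        list push 'dhcp-option DNS 8.8.8.8'
"""

if __name__ == "__main__":
    print(full_tunnel_report(UCI_SAMPLE))
```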

OpenVPN doesn’t work

system log:
2017-03-18T17:50:51+01:00 err openvpn(server_turris)[5638]: Options error: Unrecognized option or missing parameter(s) in openvpn-server_turris.conf:3: ca (2.3.6)

/tmp/etc/openvpn-server_turris.conf:

persist-key
persist-tun
ca /etc/ssl/ca/openvpn/ca.crt
cert /etc/ssl/ca/openvpn/01.crt
comp-lzo yes
crl-verify /etc/ssl/ca/openvpn/ca.crl
dev tun_turris
dh /etc/dhparam/dh-default.pem
ifconfig-pool-persist /tmp/ipp.txt
keepalive 10 120
key /etc/ssl/ca/openvpn/01.key
mute 20
port 1194
proto udp
server 10.111.111.0 255.255.255.0
status /tmp/openvpn-status.log
verb 3
push route 192.168.3.0 255.255.255.0

/tmp/ipp.txt and /tmp/openvpn-status.log do not exist

Where could the mistake be, or what is the cause?

Regarding the error message, you should check /etc/ssl/ca/openvpn/ca.crt. Do you have one at that path?
Have you ever used OpenVPN before the 3.6 update (before the OpenVPN plugin emerged)?

Try to regenerate the ca.crt from the Foris menu.

Yes

No

I have tried it, but after regenerating from Foris it is impossible to enable the new certificate authority (“Failed to enable OpenVPN server configuration.”) :-/
2017-03-18T22:02:08+01:00 warning []: An error message to send: Creating whole configs is not possible, you have to live with what there is already

Thank you, @3ullit

However, it seems not to do everything that I need.

If I connect with my mobile phone (using OpenVPN Client for iOS) and then check my phone’s IP online (go to whatismyip.com, or ask Google for my IP), I’m still listed with my mobile phone provider’s IP, where I expected to have the VPN server’s IP.

So what did I do?

I added the following lines:

list push 'redirect-gateway def1'
push 'dhcp-option DNS 8.8.8.8'
push 'dhcp-option DNS 8.8.4.4'

to the end of the config openvpn 'server_turris' section in the /etc/config/openvpn file.

I verified (and used after every config change I did) that the /etc/init.d/openvpn stop / start command controls the VPN server, and that the DNS addition to the config file is necessary.

I’ve experimented with the push and list push options and it seems this specific combination works for me, whereas other mixes would not allow my DNS to work from the phone.

Any further ideas on what I can do to configure this so the VPN client is completely hidden?

Sorry to hear that. Maybe you could try /etc/init.d/openvpn stop, then uninstall / uncheck the OpenVPN box in Foris.
Check that /etc/ssl/ca/openvpn/ is empty, reboot the Turris and install OpenVPN once again. Regenerate all configs, certificates etc.