OpenVPN server easy and fast

setup
openvpn

#42

I’m a bit too tired to even try to understand what to do or not to get the VPN working.

I’ll check back later on when I am awake and it actually is easy and fast. :slight_smile:


#43

OK, I have regenerated and enabled the certificate, but with the same result:
2017-03-18T22:24:06+01:00 err openvpn(server_turris)[2988]: Options error: Unrecognized option or missing parameter(s) in openvpn-server_turris.conf:3: ca (2.3.6)
2017-03-18T22:24:06+01:00 warning openvpn(server_turris)[2988]: Use --help for more information.


#44

Hey @shenek,

Finally I got to the openvpn configuration. I’d love to try these settings out. Unfortunately I’m struggling with routing the whole traffic through the router, as well as fsteff.

What I tried so far:
/etc/config/firewall
---------------------------------------
config zone 'vpn_turris'
option name 'vpn_turris'
option input 'ACCEPT'
#option forward 'REJECT'
option forward 'ACCEPT'
option output 'ACCEPT'
option masq '1'
#list network 'vpn_turris'
option network 'vpn_turris'
---------------------------------------

/etc/config/openvpn
# My additional config parameters
list push 'redirect-gateway def1 bypass-dhcp'
list push 'dhcp-option DNS 192.168.1.1'

Doesn’t work yet. Do you have any idea how to make it work, please? :thinking:

EDIT:

Ping from my windows machine:
> ping google.com

Pinging google.com [216.58.201.110] with 32 bytes of data:
Reply from 10.111.111.1: Destination port unreachable.
Reply from 10.111.111.1: Destination port unreachable.
Reply from 10.111.111.1: Destination port unreachable.
Reply from 10.111.111.1: Destination port unreachable.

Ping statistics for 216.58.201.110:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)

#45

I haven’t tried OpenVPN yet, but:

Isn’t it better to use push "dhcp-option DNS <router_ip>"? (To use the same DNS servers as LAN devices use and not a different one (8.8.8.8) for the VPN.)

I’m disappointed that the automatic setup doesn’t have an option to add a password :astonished: Some users use an easy-to-beat pattern lock or even no lock for their devices, and without a password for the VPN the whole LAN is in danger if they lose the device, for example.

Please

  1. add password protected cert option
  2. add an option to redirect all traffic through the VPN
  3. upgrade openvpn to 2.4

#46

Not in all cases, I am afraid. It worked for me before, but not now.


#47

This was meant in general. Maybe it’s not working now but I assume it will be one day :wink:

  1. If you use 8.8.8.8, will you be able to use local DNS records?
  2. I don’t use DNS forwarding and setting DNS to 8.8.8.8 is like forwarding to this resolver.

#48

  1. Nope. It goes through Google. I don’t worry much about local DNS, as I can use local IPs because of the route to the LAN subnet. Of course using the Omnia’s LAN subnet as DNS resolver would be a good way to use OpenVPN, but for me more for security reasons than for being able to resolve .lan names.

Strange thing, I could swear that push DNS <router (LAN_IP)> was working before enabling the native IPv6 stack (ip6assign on LAN, DHCPv6 on wan6) :unamused:


#49

Hmmm…

I just wanted to add another user to my VPN setup, but much to my surprise, if I now open the Turris easy OpenVPN page, it looks like the OpenVPN isn’t configured or that it’s not active. (Although I have full access).
I don’t really understand the options and descriptive text provided.

I guess if I press the Apply Configuration it will overwrite the current configuration which I’m currently trying to make work (See elsewhere in this thread). Or is that what the Configuration Enabled flag is there to prevent happening?

What about the users I’ve previously setup? Will their configuration survive?

Why did it change in the first place?


#50

After a few more hours of experimenting, I’m now a bit wiser, but still bewildered.

I’ve been looking through the OpenVPN logs on my iOS device, and discovered that any push 'xxx' command in the server configuration is disregarded by the iOS app. To make it work, list push 'xxx' must be used.

I’ve also determined that the list of options to push (which are working with VPN Unlimited) are the following:

list push 'route 192.168.2.0 255.255.255.0' # My network is 192.168.2.0
list push 'dhcp-option DNS 8.8.8.8'
list push 'dhcp-option DNS 8.8.4.4'
list push 'redirect-gateway def1'

If I do not push the redirect-gateway, my iOS device has working network access (without the correct public IP), but if I push it, all network activity times out. Reading up on this on the net, it seems like the firewall/NAT table isn’t correctly configured - although it ought to have been by the Easy OpenVPN setup.

This might be related to what I mentioned elsewhere in this thread: my Easy OpenVPN configuration page suddenly started looking like it’s not configured (despite the OpenVPN connection working for most purposes). I noticed last night, and I have absolutely no idea why it happened or how to get it back - as I understand the GUI, I will have to overwrite the current configuration (and thereby risk invalidating the certificates I’ve sent with my wife to China).

The only changes I’ve made to the Turris are editing the /etc/config/openvpn file and stopping/starting the openvpn service using /etc/init.d/openvpn stop/start. Earlier today I also rebooted the Turris (and apparently had an update pushed), but with the exception of the update I don’t see how that would affect my setup - and that update was installed after the problem occurred.

Any assistance with this is highly appreciated!


#51

Hi,

you’d probably need to add a firewall rule to connect wan and vpn zones as well.

uci set firewall.vpn_turris_forward_wan_out=forwarding
uci set firewall.vpn_turris_forward_wan_out.src=vpn_turris
uci set firewall.vpn_turris_forward_wan_out.dest=wan
uci commit
/etc/init.d/firewall reload

#52

Thank you very much. Unfortunately I won’t be able to test these settings until the upcoming weekend.
Btw @fsteff, you might try it out :wink: Look at my previous posts + adjust the firewall rule. Moreover, I think it might be necessary to open UDP1194, UDP/TCP53, TCP{80, 443} to WAN.


#53

UDP1194 should be already opened. And there is no need to open other ports to WAN.

In particular, it is unwise to open port 53 to WAN. Your router could be abused to perform a DNS amplification attack.


#55

Not so easy and fast (for beginners)…

My attempts to use OpenVPN access from a Win10 client failed:
Mon Mar 20 14:33:15 2017 OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jan 31 2017
Mon Mar 20 14:33:15 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Mon Mar 20 14:33:15 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
Enter Management Password:
Mon Mar 20 14:33:15 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Mar 20 14:33:15 2017 Need hold release from management interface, waiting…
Mon Mar 20 14:33:15 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Mar 20 14:33:15 2017 MANAGEMENT: CMD 'state on'
Mon Mar 20 14:33:15 2017 MANAGEMENT: CMD 'log all on'
Mon Mar 20 14:33:15 2017 MANAGEMENT: CMD 'hold off'
Mon Mar 20 14:33:15 2017 MANAGEMENT: CMD 'hold release'
Mon Mar 20 14:33:15 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]88.xxx.xxx.xxx:1194
Mon Mar 20 14:33:15 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Mar 20 14:33:15 2017 UDP link local: (not bound)
Mon Mar 20 14:33:15 2017 UDP link remote: [AF_INET]88.xxx.xxx.xxx:1194
Mon Mar 20 14:33:15 2017 MANAGEMENT: >STATE:1490016795,WAIT,
Mon Mar 20 14:33:15 2017 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Mar 20 14:33:17 2017 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Mar 20 14:33:22 2017 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Mar 20 14:33:31 2017 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Mar 20 14:33:47 2017 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Mar 20 14:34:15 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Mar 20 14:34:15 2017 TLS Error: TLS handshake failed
Mon Mar 20 14:34:15 2017 SIGUSR1[soft,tls-error] received, process restarting
Mon Mar 20 14:34:15 2017 MANAGEMENT: >STATE:1490016855,RECONNECTING,tls-error,
Mon Mar 20 14:34:15 2017 Restart pause, 5 second(s)
Mon Mar 20 14:34:16 2017 SIGTERM[hard,init_instance] received, process exiting
Mon Mar 20 14:34:16 2017 MANAGEMENT: >STATE:1490016856,EXITING,init_instance,

For the record: Turris Omnia, Czech Republic, O2.cz VDSL 50/5

Any clue what failed?

Thx

Michal


#56

Are you sure that the openvpn server is running on your router?

It seems that you can’t connect to the server. The success sequence should continue like this:

Mon Mar 20 16:21:06 2017 UDP link local: (not bound)
Mon Mar 20 16:21:06 2017 UDP link remote: [AF_INET]172.20.6.149:1194
Mon Mar 20 16:21:06 2017 TLS: Initial packet from [AF_INET]172.20.6.149:1194, sid=cf489b9d 01ec35be
Mon Mar 20 16:21:06 2017 VERIFY OK: depth=1, CN=openvpn
Mon Mar 20 16:21:06 2017 Validating certificate key usage
...

#57

shenek: Are you sure that the openvpn server is running on your router?
BINGO! I didn’t realize the service IS NOT running - and that’s not easy and foolproof :slight_smile: Service enabled and started in LuCI + 1 restart. Now I can use my LTE stick to connect to my home network.
(There’s some work to do - for example to connect my W10 PC. And not only the satellite receiver, simple NAS and Turris. But so far so good.)
Many thanks!

Michal


#58

Thank you for the suggestion.
I modified /etc/config/firewall, with your suggestion, so the forwarding rules now look like this:

config forwarding 'vpn_turris_forward_lan_in'
	option src 'vpn_turris'
	option dest 'lan'

config forwarding 'vpn_turris_forward_lan_out'
	option src 'lan'
	option dest 'vpn_turris'

config forwarding 'vpn_turris_forward_wan_out'
	option src 'vpn_turris'
	option dest 'wan'

and also edited /etc/config/openvpn to ensure it contained the following:

list push 'route 192.168.2.0 255.255.255.0'     # My network is 192.168.2.0
list push 'dhcp-option DNS 8.8.8.8'
list push 'dhcp-option DNS 8.8.4.4'
list push 'redirect-gateway def1'

Then tested on my iPhone with the OpenVPN Client app, and lo and behold, the public IP on the iPhone had changed to my WAN’s public IP. Web surfing also worked, but with a slight, but noticeable, lag compared to before. (A local DNS cache will probably help a lot.)

What’s even stranger, the Turris OpenVPN Server configuration, which wasn’t showing any entries the last two days and really had me worried, now suddenly shows everything as if nothing happened.

I’m a really happy man now! :relaxed::relaxed::relaxed:

Thank you very much for your help!!!


#59

I’ve posted instructions on how to compile openvpn 2.4 for the turris omnia here:

Haven’t tested it out yet functionality-wise, but will later in the week.


#60

As the devs weren’t very helpful, here is the template:

git Template

You want to add your options after line 327. When I have time I’ll test some necessary commands; if somebody is faster, input is always welcome.


#61

I will summarize how to set up OpenVPN the same way as basically @Koleon wanted (route all traffic with local DNS resolving). I was experimenting with it for two hours before I finally made it work.

Prerequisites:

  1. You obviously have to enable OpenVPN through Foris interface
  2. I’ve also enabled OpenVPN to start automatically by running /etc/init.d/openvpn enable
  3. Go to LuCI http://192.168.1.1/cgi-bin/luci/admin/network/dhcp and uncheck/disable option Local Service Only under General settings tab (this was the thing I was missing in this discussion but it makes local name resolving working for me finally)

Then there are two ways to do the other steps: by editing the config files manually, or through uci.

Manually:
Edit /etc/config/firewall, add those lines to the end:

config forwarding 'vpn_turris_forward_wan_out'
	option src 'vpn_turris'
	option dest 'wan'

Reload firewall’s config: /etc/init.d/firewall reload

Edit /etc/config/openvpn, add those lines to the end of config openvpn 'server_turris' section:

	list push 'redirect-gateway def1'
	list push 'dhcp-option DNS 192.168.1.1'

Restart openvpn server: /etc/init.d/openvpn restart

With UCI:

uci set firewall.vpn_turris_forward_wan_out=forwarding
uci set firewall.vpn_turris_forward_wan_out.src=vpn_turris
uci set firewall.vpn_turris_forward_wan_out.dest=wan
uci add_list openvpn.server_turris.push='redirect-gateway def1'
uci add_list openvpn.server_turris.push='dhcp-option DNS 192.168.1.1'
uci commit
/etc/init.d/firewall reload
/etc/init.d/openvpn restart

OpenVPN setup & usage
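The thread converges on three pieces: the vpn_turris -> wan forwarding (post #51), NAT on the wan zone, and the redirect-gateway / DNS push options. The checker below is an added example (not the forum's or Turris's code) that parses UCI text and reports which piece is missing; the firewall and openvpn samples are constructed inline and assume the zone is named vpn_turris as above.

```python
import shlex
# Constructed sample (not from a real device): the vpn_turris -> wan
# forwarding from post #51/#58 and a wan zone with OpenWrt's default masq '1'.
FIREWALL = """config zone 'wan'
	option name 'wan'
	option masq '1'
config zone 'vpn_turris'
	option name 'vpn_turris'
	option network 'vpn_turris'
config forwarding 'vpn_turris_forward_wan_out'
	option src 'vpn_turris'
	option dest 'wan'
"""
# Constructed sample: the push options from post #61.
OPENVPN = """config openvpn 'server_turris'
	list push 'redirect-gateway def1'
	list push 'dhcp-option DNS 192.168.1.1'
"""

def parse_uci(text):
    """Parse UCI syntax into [{'type', 'name', 'options', 'lists'}]."""
    sections = []
    for tok in (shlex.split(line, comments=True) for line in text.splitlines()):
        if not tok:
            continue
        if tok[0] == 'config':
            sections.append({'type': tok[1], 'name': tok[2] if len(tok) > 2 else None,
                             'options': {}, 'lists': {}})
        elif tok[0] == 'option':
            sections[-1]['options'][tok[1]] = tok[2]
        elif tok[0] == 'list':
            sections[-1]['lists'].setdefault(tok[1], []).append(tok[2])
    return sections

def check_vpn_config(firewall_text, openvpn_text, vpn_zone='vpn_turris'):
    """Return problems that would break full-tunnel clients; [] means OK."""
    fw, ov = parse_uci(firewall_text), parse_uci(openvpn_text)
    zones = {s['options'].get('name'): s['options'] for s in fw if s['type'] == 'zone'}
    fwd = {(s['options'].get('src'), s['options'].get('dest'))
           for s in fw if s['type'] == 'forwarding'}
    pushes = [p for s in ov if s['type'] == 'openvpn' for p in s['lists'].get('push', [])]
    problems = []
    if any(p.startswith('redirect-gateway') for p in pushes):
        if (vpn_zone, 'wan') not in fwd:   # missing rule -> "all activity times out"
            problems.append('redirect-gateway pushed but no forwarding %s -> wan' % vpn_zone)
        if zones.get('wan', {}).get('masq') != '1':
            problems.append("wan zone lacks masq '1'; VPN client traffic is not NATed")
    if not any(p.startswith('dhcp-option DNS') for p in pushes):
        problems.append('no dhcp-option DNS pushed; clients keep their old resolver')
    return problems
```

On a router, feed it the real files with `check_vpn_config(open('/etc/config/firewall').read(), open('/etc/config/openvpn').read())`; an empty list means the forwarding, NAT and push options from this thread are all present.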
#62

Unfortunately localservice doesn’t help me with DNS, still the same results: Google DNS works, router DNS doesn’t :frowning:

I see this option under dnsmasq, did you use it instead of kresd?