This documentation applies only Turris OS 3.x that is no longer present in newly sold routers. The new documentation is located at https://docs.turris.cz/.
This manual does not say, how the general settings for OpenVPN work or how to generate certificates. You will find that information on the OpenVPN website. In this article you will only find details on how to get OpenVPN to work on Turris.
This is a tutorial on how to set up OpenVPN for advanced users. OpenVPN configuration with just few clicks for less advanced users will be out in March 2017.
There are several possibilities how to set up OpenVPN, they differ in the degree of integration into the OpenWRT system.
Regardless of the method, whether you are configuring the server or the client, you will need to upload certificates and keys to the router. The easiest way is through scp. Create the folder
/etc/openvpn and save the files in it.
user@localmachine $ ssh email@example.com firstname.lastname@example.org's password: root@turris:~# mkdir /etc/openvpn root@turris:~# exit Connection to 192.168.1.1 closed user@localmachine $ scp server.key server.crt ca.crt email@example.com:/etc/openvpn firstname.lastname@example.org's password:
This method bypasses support of OpenWRT and the service is activated by hand. It offers bigger freedom in what parameters are passed on, on the other hand the rest of the system doesn't know about the service and OpenVPN doesn't know about the changes to the web interfaces. This can cause trouble with firewall and the routing tables.
The configuration file should be saved to the folder
/etc/openvpn, just like the keys. You can test if everything is working as it should be in the following way:
# cd /etc/openvpn # openvpn vpn.conf
If the command continues running and doesn't print any errors, everything is probably as it should be.
End it with
CTRL+C and run it in the background.
openvpn vpn.conf >/dev/null 2>&1 &
Add the command for running openvpn to the file
/etc/rc.local. This file is evaluated when the device boots. Make sure that the command
exit 0 is all the way at the end.
# Put your custom commands here that should be executed once # the system init finished. By default this file doesn't do anything. openvpn /etc/openvpn/vpn.conf >/dev/null 2>&1 & exit 0
The beginning is similar to Without the support of OpenWRT. Instead of running in the background and writing into
/etc/rc.local, you add a link to the configuration file from the folder
package openvpn config openvpn custom_config option enabled 1 option config /etc/openvpn/vpn.conf
After that you will have to turn on and enable the file to run after start.
$ /etc/init.d/openvpn start $ /etc/init.d/openvpn enable
The whole configuration is saved as UCI, there is therefore no need to upload the configuration file to the router. Keys and certificates are nevertheless still needed.
Create a section in the configuration file
/etc/config/openvpn and enable it with
option enabled 1. After that rewrite every item in the OpenVPN configuration as one record
option in the following way:
The following configuration is desirable:
package openvpn config openvpn lair option enabled 1 option client 1 option dev tun option proto udp option remote "126.96.36.199 82" option keepalive "10 1200" option nobind 1 option ca "/etc/openvpn/ca.crt" option cert "/etc/openvpn/client.crt" option key "/etc/openvpn/client.key" option ns_cert_type server option comp_lzo yes option verb 3
client dev tun proto udp remote 188.8.131.52 3333 keepalive 10 1200 nobind ca /etc/openvpn/ca.crt cert /etc/openvpn/client.crt key /etc/openvpn/client.key ns-cert-type server comp-lzo yes verb 3
The default configuration file contains annotated examples.
The number of possible sections in UCI configuration (may they refer to the OpenVPN configuration file or be directly in the syntax of UCI) is unlimited. The service will run a separate OpenVPN process for each one, which is allowed through
option enabled 1.
It can be useful to include the VPN network in the LAN section in firewall. For that you will need to rename the interface in
/etc/config/network and to add the interface to the desirable section in
/etc/config/firewall. After that both services need to be restarted. (
/etc/init.d/network restart ; /etc/init.d/firewall restart)
config interface 'vpn' option proto none option ifname 'tun0' option auto 1
config zone option name lan list network 'lan' list network 'vpn' option input ACCEPT option output ACCEPT option forward ACCEPT