This documentation is no longer maintained by the Turris team (although the community may still use it to share content). The current official documentation is at docs.turris.cz.

This documentation applies only to Turris OS 3.x, which is no longer shipped on newly sold routers. The new documentation is located at https://docs.turris.cz/.

OpenVPN command line setup

This manual does not explain how OpenVPN's general settings work or how to generate certificates; you will find that information on the OpenVPN website. This article covers only what is needed to get OpenVPN running on Turris.

This tutorial is aimed at advanced users. An OpenVPN setup that takes just a few clicks, intended for less advanced users, is due in March 2017.

Setting up OpenVPN from the command line requires shell access to the router, either over SSH or over the serial link; both are described on their own pages.

There are several ways to set up OpenVPN; they differ in how tightly they are integrated into the OpenWRT system.

Uploading certificates

Whichever method you choose, and whether you are configuring a server or a client, you will need to upload the certificates and keys to the router. The easiest way is scp. Create the folder /etc/openvpn and save the files there. Note that scp creates the files with the router's default umask, so the private key (server.key or client.key) usually ends up world-readable; restrict it to the owner (mode 600) after the upload, since anyone who can read it can impersonate the router to the VPN.

user@localmachine $ ssh root@192.168.1.1
root@192.168.1.1's password:
root@turris:~# mkdir /etc/openvpn
root@turris:~# exit
Connection to 192.168.1.1 closed
user@localmachine $ scp server.key server.crt ca.crt root@192.168.1.1:/etc/openvpn
root@192.168.1.1's password:
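As an added check that is not part of the original page, the script below verifies that no private key in the upload directory is readable or writable by anyone but its owner, and tightens the directory and key permissions when it finds one. It is example code written for this article, not Turris or OpenWrt code; it assumes that private keys are named *.key (as in the scp command above) and that the directory is /etc/openvpn.

```shell
#!/bin/sh
# Example added for this article (not Turris or OpenWrt code): after copying the
# certificates and keys, verify that no private key is readable or writable by
# anyone other than its owner, and tighten the directory and key permissions.
# Assumption: private keys are named *.key, as in the scp command above.

# Returns 0 if every *.key in the directory is owner-only (mode 600 or stricter),
# 1 otherwise, naming each offending file on stderr.
check_openvpn_perms() {
    dir=$1
    bad=0
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue          # no keys at all: nothing to check
        # -perm -040 (group read), -020 (group write), -004 (other read),
        # -002 (other write): find prints the file if any of those bits is set.
        if [ -n "$(find "$f" \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \))" ]; then
            echo "insecure permissions on $f" >&2
            bad=1
        fi
    done
    return $bad
}

# Makes the directory root-only and every key owner read/write only.
fix_openvpn_perms() {
    dir=$1
    chmod 700 "$dir" || return 1
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        chmod 600 "$f" || return 1
    done
}

# Typical use on the router, with the directory from the upload step above:
#   check_openvpn_perms /etc/openvpn || fix_openvpn_perms /etc/openvpn
```

Run the check again after fixing; it should then return 0 and print nothing. The certificates (ca.crt, server.crt) contain no secrets and may stay readable.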

Without the support of OpenWRT

  • + The settings are the same as on other systems.
  • + Greatest flexibility in the parameters passed to OpenVPN.
  • - Does not react to network interfaces going up or down.
  • - Cannot be started and stopped like a service.

This method bypasses the OpenWRT integration entirely; the service is started by hand. It gives you full freedom in what parameters are passed, but the rest of the system does not know about the service, and OpenVPN does not learn about changes made through the web interface. This can cause trouble with the firewall and the routing tables.

Save the configuration file in /etc/openvpn, next to the keys. You can test that everything works as follows:

# cd /etc/openvpn
# openvpn vpn.conf

If the command keeps running and prints no errors, everything is probably fine. Stop it with CTRL+C and start it in the background:

openvpn vpn.conf >/dev/null 2>&1 &

Bear in mind that this discards all output, so a later failure (an expired certificate, an unreachable server) goes unnoticed; OpenVPN's own --daemon option backgrounds the process and sends its messages to syslog instead, where logread shows them.

Add the command that starts openvpn to /etc/rc.local; this file is executed when the device boots. Because rc.local is not run from /etc/openvpn, use absolute paths, both for the configuration file and for the ca, cert and key paths inside it, and make sure that exit 0 remains the last line.

/etc/rc.local
# Put your custom commands here that should be executed once
# the system init finished. By default this file doesn't do anything.
 
openvpn /etc/openvpn/vpn.conf >/dev/null 2>&1 &
 
exit 0

Using the OpenVPN configuration file

  • + Settings are the same as on other systems.
  • + Integrated into the system; can be treated as a service.
  • - Not all parameters can be passed on the command line.

The beginning is the same as in Without the support of OpenWRT. Instead of running OpenVPN in the background and editing /etc/rc.local, you reference the configuration file from /etc/config/openvpn:

/etc/config/openvpn
package openvpn
 
config openvpn custom_config
	option enabled 1
	option config /etc/openvpn/vpn.conf

Then start the service and enable it so that it also starts at boot:

# /etc/init.d/openvpn start
# /etc/init.d/openvpn enable

Configuring through UCI

  • + Integrated into the system.
  • + Can be managed with UCI commands.
  • - The configuration has to be rewritten in UCI syntax.

The whole configuration lives in UCI, so there is no need to upload a configuration file to the router. The keys and certificates are still needed.

Create a section in /etc/config/openvpn and enable it with option enabled 1. Then rewrite every directive of the OpenVPN configuration as one option line, as follows:

  • The option name is derived from the OpenVPN directive name.
  • Hyphens are replaced by underscores (UCI option names may only contain letters, digits and underscores).
  • A directive without parameters gets the value 1.
  • If a directive has more than one parameter, the whole parameter list is enclosed in quotation marks.

For example, the UCI section below is equivalent to the OpenVPN client configuration file /etc/openvpn/vpn.conf that follows it:

/etc/config/openvpn
package openvpn
 
config openvpn lair
	option enabled 1
	option client 1
	option dev tun
	option proto udp
	option remote "1.2.3.4 82"
	option keepalive "10 1200"
	option nobind 1
	option ca "/etc/openvpn/ca.crt"
	option cert "/etc/openvpn/client.crt"
	option key "/etc/openvpn/client.key"
	option ns_cert_type server
	option comp_lzo yes
	option verb 3

/etc/openvpn/vpn.conf
client
dev tun
proto udp
remote 1.2.3.4 82
keepalive 10 1200
nobind
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
ns-cert-type server
comp-lzo yes
verb 3

The default /etc/config/openvpn shipped with the package contains annotated examples.

Two of the directives above deserve a note. ns-cert-type relies on the obsolete Netscape certificate extension; OpenVPN deprecated it in 2.4 and removed it in 2.5, and remote-cert-tls server, which checks the key usage and extended key usage of the server certificate instead, is the replacement to use with a current server. comp-lzo enables compression, which OpenVPN has deprecated and advises against because compressing data before encrypting it can leak information about the plaintext; leave it out unless the server requires it.
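The four rewriting rules are mechanical, so a script can apply them. The following is an added example written for this article, not code from the Turris or OpenWrt projects: it reads an OpenVPN configuration file on standard input and prints the matching UCI section, refusing inline <ca>/<cert>/<key> blocks (which have no UCI equivalent) and section names that UCI would reject. The section name lair and the sample configuration it converts are taken from the listing above; everything else is an assumption.

```shell
#!/bin/sh
# Example added for this article (not Turris or OpenWrt code): convert an
# OpenVPN configuration file into a UCI section for /etc/config/openvpn by
# applying the four rules above. Section and file names are assumptions.
#
# Usage on the router: ovpn_to_uci lair < /etc/openvpn/vpn.conf >> /etc/config/openvpn

ovpn_to_uci() {
    section=$1
    # UCI section names may only contain letters, digits and underscores.
    case $section in
        ''|*[!A-Za-z0-9_]*)
            echo "ovpn_to_uci: section name '$section' must match [A-Za-z0-9_]+" >&2
            return 1 ;;
    esac
    conf=$(cat)
    # Inline <ca>...</ca>, <cert>...</cert>, <key>...</key> blocks cannot be
    # expressed as UCI options: refuse them rather than emit a broken section.
    if printf '%s\n' "$conf" | grep -q '^[[:space:]]*<'; then
        echo "ovpn_to_uci: inline <tag> blocks are not supported; reference the files by path" >&2
        return 1
    fi
    printf 'config openvpn %s\n\toption enabled 1\n' "$section"
    # Trim whitespace, drop comment (#, ;) and blank lines, squeeze runs of
    # whitespace to one space, then emit one option per directive.
    printf '%s\n' "$conf" |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^[#;]/d' -e '/^$/d' -e 's/[[:space:]][[:space:]]*/ /g' |
    while read -r directive args; do
        name=$(printf '%s' "$directive" | sed 's/-/_/g')   # rule: hyphens -> underscores
        case $args in
            '')     printf '\toption %s 1\n' "$name" ;;            # rule: no parameters -> 1
            *' '*)  printf '\toption %s "%s"\n' "$name" "$args" ;; # rule: several parameters -> quoted
            *)      printf '\toption %s %s\n' "$name" "$args" ;;
        esac
    done
}

# Constructed sample input: the client configuration from the listing above.
SAMPLE_CONF='client
dev tun
proto udp
remote 1.2.3.4 82
keepalive 10 1200
nobind
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
ns-cert-type server
comp-lzo yes
verb 3'

# Prints the UCI section for the sample configuration.
demo() {
    printf '%s\n' "$SAMPLE_CONF" | ovpn_to_uci lair
}

demo
```

Single-parameter values are emitted unquoted, which UCI accepts; quoting them as in the listing above is equally valid. After appending the output to /etc/config/openvpn, check it with uci show openvpn before starting the service.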

Tips

There is no limit on the number of sections in the UCI configuration, whether they point to an OpenVPN configuration file or are written directly in UCI syntax. The init script starts a separate OpenVPN process for every section that has option enabled 1.

It can be useful to include the VPN network in the lan zone of the firewall. To do so, define a named interface for the tunnel device in /etc/config/network and add that interface to the desired zone in /etc/config/firewall, then restart both services (/etc/init.d/network restart ; /etc/init.d/firewall restart). Do this only if the other end of the tunnel is trusted: with input and forward set to ACCEPT, everything arriving over tun0 gets the same access to the router's services and to the LAN as a local client. For an untrusted peer, a separate zone with input REJECT and explicit forwarding rules is the safer choice.

/etc/config/network
config interface 'vpn'
        option proto none
        option ifname 'tun0'
        option auto 1

/etc/config/firewall
config zone
        option name             lan
        list   network          'lan'
        list   network          'vpn'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT