Using OpenWrt as an OpenVPN server with a TAP device (with bridging)
Setup Server
First we need to make sure that OpenVPN connections to port 1194 are not blocked by the firewall on OpenWRT. Edit /etc/config/firewall and add the following.
config 'rule' option 'name' 'openvpn-udp' option 'src' 'wan' option 'target' 'ACCEPT' option 'proto' 'udp' option 'dest_port' '1194'
Bridge the tap interface you will be using with your lan interface by adding the following two lines to the respective section in /etc/config/network. This assumes your lan consists of wifi interface called wlan0 that will be bridged with tap0 interface used by OpenVPN.
config interface 'lan' option type 'bridge' option ifname 'wlan0 tap0'
Next comes the OpenVPN server config file:
config 'openvpn' 'your_name' option 'enable' '1' option 'tls_server' '1' option 'port' '1194' # to bypass restrictive firewalls, you might consider running OpenVPN on port 443 or 22 option 'proto' 'udp' # TCP might be more reliable but slower; if you change this to tcp, change the firewall rule as well option 'dev' 'tap0' option 'ca' '/path/to/ca.crt' option 'cert' '/path/to/server.crt' option 'key' '/path/to/server.key' option 'dh' '/path/to/dh1024.pem' option 'server_bridge' '192.168.1.1 255.255.255.0 192.168.1.220 192.168.1.229' # this assumes the lan is 192.168.1.1/24 and will give out address in range 192.168.1.220-229 list 'push' 'dhcp-option DNS 192.168.1.1' # this will make the clients use openwrt for DNS resolution list 'push' 'redirect-gateway def1' # this redirects all traffic over vpn option 'client_to_client' '1' option 'comp_lzo' 'yes' option 'keepalive' '10 120' option 'status' '/tmp/openvpn_tap0.status' option 'persist_key' '1' option 'persist_tun' '1' option 'verb' '3' option 'mute' '20'
Configure Client
Client configuration must correspond with the server configuration. Something like this with the IP address of the VPN server should work:
dev tap proto udp remote Your.IP.Goes.Here 1194 resolv-retry infinite mute-replay-warnings comp-lzo verb 3 keepalive 10 120 persist-key persist-tun nobind
Wrap Up
If your setup did not work then it is time to start reading the quite excellent OpenVPN documentation. The #openvpn channel on Freenode is also quite helpful.
If your setup is working fine then the only remaining step is to automate the startup of the OpenVPN server on the OpenWRT machine. To this end create the following file and make sure it is executable:
In Backfire 10.03.1 edit /etc/init.d/openvpn and add the following above the "append_param()" function:
# Make sure tun/tap devices are present
/etc/openvpnbridge
This is not needed in Attitude Adjustment
Then enable openvpn to start on boot with:
/etc/init.d/openvpn enable
Static leases
Put this into your /etc/config/opevpn:
option topology subnet option 'ifconfig_pool_persist' '/etc/openvpn/ipp.txt 0'
/etc/openvpn/ipp.txt has this format:
CN,192.168.1.235 # CN is the COMMON NAME specified in the clients security certificate