Using OpenWrt as an OpenVPN server with a TAP device (with bridging)

Setup Server

First we need to make sure that OpenVPN connections to port 1194 are not blocked by the firewall on OpenWrt. Edit /etc/config/firewall and add the following.

config 'rule'
	option 'name' 'openvpn-udp'
	option 'src' 'wan'
	option 'target' 'ACCEPT'
	option 'proto' 'udp'
	option 'dest_port' '1194'

Bridge the tap interface you will be using with your lan interface by adding the following two lines to the respective section in /etc/config/network. This assumes your lan consists of a wifi interface called wlan0, which will be bridged with the tap0 interface used by OpenVPN.

config interface 'lan'
	option type 'bridge'
	option ifname 'wlan0 tap0'

Next comes the OpenVPN server config file, /etc/config/openvpn. UCI only recognises comments that start at the beginning of a line, so the explanatory comments below sit on their own lines rather than after the option they describe:

config 'openvpn' 'your_name'
	option 'enable' '1'
	option 'tls_server' '1'
	# to bypass restrictive firewalls, you might consider running OpenVPN on port 443 or 22
	option 'port' '1194'
	# TCP might be more reliable but slower; if you change this to tcp, change the firewall rule as well
	option 'proto' 'udp'
	option 'dev' 'tap0'
	option 'ca' '/path/to/ca.crt'
	option 'cert' '/path/to/server.crt'
	option 'key' '/path/to/server.key'
	option 'dh' '/path/to/dh1024.pem'
	# this assumes the lan is 192.168.1.1/24 and will give out addresses in the range 192.168.1.220-229
	option 'server_bridge' '192.168.1.1 255.255.255.0 192.168.1.220 192.168.1.229'
	# this will make the clients use openwrt for DNS resolution
	list 'push' 'dhcp-option DNS 192.168.1.1'
	# this redirects all client traffic over the vpn
	list 'push' 'redirect-gateway def1'
	option 'client_to_client' '1'
	option 'comp_lzo' 'yes'
	option 'keepalive' '10 120'
	option 'status' '/tmp/openvpn_tap0.status'
	option 'persist_key' '1'
	option 'persist_tun' '1'
	option 'verb' '3'
	option 'mute' '20'

Configure Client

Client configuration must correspond with the server configuration. Something like this, with the IP address of the VPN server filled in, should work:

# the server runs tls_server and pushes options, so the client must act as a
# TLS client that pulls them; 'client' enables both
client
dev tap
proto udp
remote Your.IP.Goes.Here 1194
resolv-retry infinite
nobind
# client certificate material, signed by the same CA as the server
# (paths are placeholders, like the server's)
ca /path/to/ca.crt
cert /path/to/client.crt
key /path/to/client.key
comp-lzo
keepalive 10 120
persist-key
persist-tun
mute-replay-warnings
verb 3

Wrap Up

If your setup did not work then it is time to start reading the quite excellent OpenVPN documentation. The #openvpn channel on Freenode is also quite helpful.

If your setup is working fine then the only remaining step is to automate the startup of the OpenVPN server on the OpenWrt machine. To this end create the following file and make sure it is executable:

In Backfire 10.03.1 edit /etc/init.d/openvpn and add the following above the "append_param()" function:

# Make sure tun/tap devices are present
/etc/openvpnbridge

This is not needed in Attitude Adjustment.

Then enable openvpn to start on boot with:

/etc/init.d/openvpn enable
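With the server running, the file named by option 'status' is where you confirm who is actually attached to the bridge. The script below is an added example, not code from the original page or from the OpenWrt project: it parses the default version-1 status layout that OpenVPN writes and joins each client's common name from the CLIENT LIST with the MAC address it holds on tap0 from the ROUTING TABLE. The sample status file is constructed; on the router you would point openvpn_clients at /tmp/openvpn_tap0.status.

```shell
#!/bin/sh
# Summarise an OpenVPN status file (status-version 1) for a TAP server.
# In TAP mode the ROUTING TABLE's "Virtual Address" column is the client's
# MAC address on the bridge, so joining it with the CLIENT LIST shows which
# certificate (common name) is behind which MAC and peer address.

# Usage: openvpn_clients [status-file]   (reads stdin when no file is given)
# Output, one line per connected client, sorted by common name:
#   CN REAL_ADDRESS MAC RX_BYTES TX_BYTES CONNECTED_SINCE
openvpn_clients() {
	awk -F',' '
		/^OpenVPN CLIENT LIST/ { section = "clients"; next }
		/^ROUTING TABLE/       { section = "routes";  next }
		/^GLOBAL STATS/ || /^END/ { section = "";     next }
		# timestamp and column-header lines carry no client data
		/^Updated,/ || /^Common Name,/ || /^Virtual Address,/ { next }
		section == "clients" && NF >= 5 {
			cn[$1] = 1; addr[$1] = $2; rx[$1] = $3; tx[$1] = $4; since[$1] = $5
		}
		section == "routes" && NF >= 4 { mac[$2] = $1 }
		END {
			# a client with no routing entry yet is connected but has not
			# sent a frame over the bridge; it is shown with MAC "-"
			for (c in cn)
				printf "%s %s %s %s %s %s\n", c, addr[c],
				       (c in mac ? mac[c] : "-"), rx[c], tx[c], since[c]
		}
	' "$@" | sort
}

# Number of connected clients in the status file.
openvpn_client_count() {
	openvpn_clients "$@" | wc -l | tr -d ' '
}

# Constructed sample in the layout OpenVPN writes for status-version 1.
SAMPLE_STATUS=$(cat <<'EOF'
OpenVPN CLIENT LIST
Updated,Sat Mar 10 10:15:00 2012
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
laptop,203.0.113.5:51234,10240,20480,Sat Mar 10 09:58:11 2012
phone,198.51.100.7:4411,512,1024,Sat Mar 10 10:02:40 2012
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
00:ff:12:34:56:78,laptop,203.0.113.5:51234,Sat Mar 10 10:14:58 2012
00:ff:ab:cd:ef:01,phone,198.51.100.7:4411,Sat Mar 10 10:14:59 2012
GLOBAL STATS
Max bcast/mcast queue length,1
END
EOF
)

# Demonstration on the sample; on the router: openvpn_clients /tmp/openvpn_tap0.status
printf '%s\n' "$SAMPLE_STATUS" | openvpn_clients
```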

Static leases

Put this into your /etc/config/openvpn:

option 'topology' 'subnet'
option 'ifconfig_pool_persist' '/etc/openvpn/ipp.txt 0'

/etc/openvpn/ipp.txt has one entry per line in this format, where CN is the Common Name specified in the client's certificate:

CN,192.168.1.235
