Setting up an OpenVPN server on your OpenWRT router can seem daunting, but with LuCI, OpenWRT's web interface, the process becomes surprisingly manageable. This article walks you through configuring an OpenVPN server directly on your OpenWRT router using LuCI. Not only does this enhance your network's security, but it also gives you secure access to your home network from anywhere in the world. Let's dive in and see how to get this done!
Why Run an OpenVPN Server on OpenWRT?
Before we get started, let's explore why setting up an OpenVPN server on your OpenWRT router is a great idea.
- Enhanced Security: By routing your internet traffic through your home network, you can avoid the risks associated with public Wi-Fi networks. This is particularly useful when traveling or using untrusted networks.
- Access to Home Network Resources: You can securely access devices on your home network, such as network-attached storage (NAS) devices, printers, and other services, as if you were at home.
- Bypass Geo-Restrictions: In some cases, you can bypass geo-restrictions by routing your internet traffic through your home network, making it appear as if you are accessing the internet from your home location.
- Ad Blocking: You can leverage your home network's ad-blocking setup (if you have one) when you're away.
- Cost-Effective: Using your existing OpenWRT router as an OpenVPN server eliminates the need for a separate VPN service, saving you money.
Running an OpenVPN server on your OpenWRT router is a fantastic way to enhance your online security and maintain access to your home network. It's especially useful for those who travel frequently or work remotely and need a secure connection.
Prerequisites
Before we start, ensure you have the following:
- OpenWRT Router: Obviously, you need an OpenWRT-compatible router with LuCI installed.
- Internet Connection: A stable internet connection for your router.
- LuCI Access: You should be able to access the LuCI web interface of your router.
- Sufficient Storage: Ensure your router has enough storage for the OpenVPN packages and configuration files. If necessary, consider using an external storage device.
- Basic Networking Knowledge: Familiarity with basic networking concepts such as IP addresses, subnets, and port forwarding will be helpful.
Having these prerequisites in place will ensure a smooth and successful OpenVPN server setup on your OpenWRT router. Let's move on to the configuration steps!
Step-by-Step OpenVPN Server Setup on OpenWRT using LuCI
Here’s how to set up an OpenVPN server on your OpenWRT router using LuCI. Follow these steps carefully to ensure everything is configured correctly.
Step 1: Install the OpenVPN Packages
First, you need to install the necessary OpenVPN packages on your OpenWRT router. Log in to your router’s LuCI interface and navigate to System -> Software. Click on "Update lists..." to refresh the package list. Then, in the "Download and install package" field, type the following packages one by one and click "Install" for each:
- openvpn-openssl
- luci-app-openvpn
- openvpn-easy-rsa
These packages provide the OpenVPN server software, the LuCI interface for managing OpenVPN, and the Easy-RSA scripts for generating certificates. Make sure that all packages are installed correctly before proceeding to the next step. Correct installation is crucial for the proper functioning of the VPN server.
Step 2: Generate Certificates and Keys
Next, you'll need to generate the necessary certificates and keys for your OpenVPN server and clients. This is done using the Easy-RSA scripts. Connect to your router via SSH and run the following commands:
mkdir /etc/openvpn/easy-rsa
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-dh
openvpn --genkey --secret keys/ta.key
Let's break down these commands:
- mkdir /etc/openvpn/easy-rsa: Creates a directory for the Easy-RSA scripts.
- cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa: Copies the Easy-RSA scripts to the new directory.
- cd /etc/openvpn/easy-rsa: Navigates to the Easy-RSA directory.
- . ./vars: Initializes the environment variables for Easy-RSA.
- ./clean-all: Cleans up any previous certificate and key files.
- ./build-ca: Builds the Certificate Authority (CA) certificate. You'll be prompted to enter information such as country, organization, etc.
- ./build-key-server server: Builds the server key and certificate. You'll be prompted for information similar to the CA certificate.
- ./build-key client1: Builds the client key and certificate for the first client. Repeat this command for each additional client, changing the client name (e.g., client2, client3).
- ./build-dh: Generates the Diffie-Hellman parameters. This may take a few minutes.
- openvpn --genkey --secret keys/ta.key: Generates a TLS authentication key to mitigate DoS attacks.
Remember to keep these keys secure. The ta.key, server key, and CA certificate are particularly important and should be protected.
Step 3: Configure the OpenVPN Server via LuCI
Now, let's configure the OpenVPN server using the LuCI interface. Navigate to VPN -> OpenVPN. Click on "Add" to create a new OpenVPN instance. Fill in the following settings:
- Enabled: Check this box to enable the OpenVPN server.
- Description: Enter a descriptive name for the server (e.g., "MyOpenVPNServer").
- Server Mode: Select "server".
- Protocol: Choose either UDP or TCP. UDP is generally faster, but TCP can be more reliable in some network environments.
- Port: Set the port to 1194 (or any other port you prefer). Make sure this port is not blocked by your ISP.
- Local IP: Set the local IP address for the VPN server (e.g., 10.8.0.1).
- Netmask: Set the netmask to 255.255.255.0.
- CA Certificate: Copy the contents of /etc/openvpn/easy-rsa/keys/ca.crt into this field.
- Server Certificate: Copy the contents of /etc/openvpn/easy-rsa/keys/server.crt into this field.
- Server Key: Copy the contents of /etc/openvpn/easy-rsa/keys/server.key into this field.
- DH Parameters: Copy the contents of /etc/openvpn/easy-rsa/dh2048.pem into this field (or the appropriate dhXXXX.pem file you generated).
- TLS Auth Key: Copy the contents of /etc/openvpn/easy-rsa/keys/ta.key into this field.
- Cipher: AES-256-CBC (or any other secure cipher).
- Comp LZO: Yes (for compression, optional but recommended).
- Push Options: Add the following push options:
  - push "route 192.168.1.0 255.255.255.0" (replace 192.168.1.0/24 with your LAN network)
  - push "dhcp-option DNS 8.8.8.8"
  - push "dhcp-option DNS 8.8.4.4"
- Custom Configuration: Add the line tls-auth ta.key 0
Click "Save & Apply" to save the configuration. Double-check all the settings to avoid common misconfigurations.
Step 4: Configure Firewall Rules
To allow OpenVPN traffic through your firewall, you need to configure firewall rules. Navigate to Network -> Firewall in LuCI. Add a new traffic rule with the following settings:
- Name: OpenVPN
- Protocol: UDP or TCP (whichever you chose in Step 3)
- Source zone: any
- Destination zone: device (input)
- Destination port: 1194 (or the port you chose in Step 3)
- Action: Accept
Create a new traffic rule under the "General Settings" tab with the following settings:
- Name: OpenVPN_Masq
- Protocol: Any
- Source zone: VPN
- Destination zone: WAN
- Masquerade: Check this box.
- Action: Accept
Create or edit an existing zone under the "Zones" tab with the following settings:
- Name: VPN
- Input: ACCEPT
- Output: ACCEPT
- Forward: ACCEPT
- Masquerade: Checked
- Covered networks: Select the OpenVPN network you've just configured
Click "Save & Apply" to save the firewall rules. Properly configured firewall rules are essential for allowing VPN traffic and ensuring secure communication.
Step 5: Create Client Configuration Files
For each client that needs to connect to the OpenVPN server, you need to create a client configuration file. Create a file named client1.ovpn (or a similar name for each client) with the following contents:
client
dev tun
proto udp
remote your_router_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3
<ca>
PASTE_CA_CERTIFICATE_HERE
</ca>
<cert>
PASTE_CLIENT_CERTIFICATE_HERE
</cert>
<key>
PASTE_CLIENT_KEY_HERE
</key>
key-direction 1
<tls-auth>
PASTE_TA_KEY_HERE
</tls-auth>
Replace your_router_ip with the public IP address or hostname of your router. Replace PASTE_CA_CERTIFICATE_HERE, PASTE_CLIENT_CERTIFICATE_HERE, PASTE_CLIENT_KEY_HERE, and PASTE_TA_KEY_HERE with the contents of the corresponding files from /etc/openvpn/easy-rsa/keys. These files are ca.crt, client1.crt, client1.key, and ta.key respectively. Securely transfer these .ovpn files to your client devices.
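The pasting described in Step 5 can be scripted on the router. This is an added example, not part of the original article; the function names build_ovpn and pem_block and the host vpn.example.net are assumptions. It keeps only the PEM block of each file, sets the tls-auth direction with key-direction 1, and writes the profile readable by its owner only, since it embeds the client's private key.

```sh
#!/bin/sh
# Added example (not from the article). Hypothetical helper names.
# Usage on the router, with the paths from Step 2:
#   build_ovpn /etc/openvpn/easy-rsa/keys client1 vpn.example.net /tmp/client1.ovpn

# Print <tag>, the PEM block of FILE (dropping any text dump or comments), </tag>.
pem_block() {
    printf '<%s>\n' "$1"
    sed -n '/^-----BEGIN /,/^-----END /p' "$2"
    printf '</%s>\n' "$1"
}

build_ovpn() {
    keys=$1 client=$2 remote=$3 out=$4
    # Refuse to emit a half-filled profile if any input is missing or empty.
    for f in ca.crt "$client.crt" "$client.key" ta.key; do
        [ -s "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done
    rm -f "$out"
    # umask 077 makes the new file mode 600 from the moment it is created.
    ( umask 077
      {
cat <<EOF
client
dev tun
proto udp
remote $remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3
key-direction 1
EOF
        pem_block ca "$keys/ca.crt"
        pem_block cert "$keys/$client.crt"
        pem_block key "$keys/$client.key"
        pem_block tls-auth "$keys/ta.key"
      } > "$out" )
}
```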
Step 6: Connect with Your Client
Finally, install an OpenVPN client on your device (e.g., OpenVPN Connect on Android or iOS, OpenVPN GUI on Windows, or Tunnelblick on macOS). Import the .ovpn configuration file you created in Step 5. Connect to the OpenVPN server, and you should be able to access your home network securely. Always test the connection thoroughly to ensure everything is working as expected.
Troubleshooting
If you encounter issues during the setup process, consider the following troubleshooting steps:
- Check Logs: Examine the OpenVPN logs for any error messages. You can find the logs in LuCI under Status -> System Log or via SSH using the logread command.
- Firewall Rules: Ensure that your firewall rules are correctly configured to allow OpenVPN traffic.
- Certificate and Key Issues: Verify that the certificates and keys are correctly generated and that the client configuration file contains the correct paths to these files.
- DNS Resolution: If you are having trouble accessing resources on your home network, ensure that your DNS settings are correct. You can set the DNS server in the OpenVPN server configuration or push DNS settings to the client.
- Connectivity Issues: Check your router's internet connection and ensure that the OpenVPN server is running.
- MTU Issues: Try adjusting the MTU (Maximum Transmission Unit) settings on both the server and client sides. This can sometimes resolve connectivity issues related to packet size.
Security Considerations
- Keep Your Router Firmware Updated: Regularly update your OpenWRT firmware to patch security vulnerabilities.
- Use Strong Passwords: Use strong, unique passwords for your router and OpenVPN server.
- Secure Key Management: Protect your certificates and keys by storing them securely and restricting access.
- Monitor OpenVPN Logs: Regularly monitor the OpenVPN logs for any suspicious activity.
- Disable Unnecessary Services: Disable any unnecessary services on your router to reduce the attack surface.
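One way to act on the log-monitoring advice above, as an added example that is not part of the original article: count failed TLS handshakes per source address in logread output and mark sources that never completed a session, which is what probes without the ta.key look like. The function names and the log lines are constructed, and the matched message strings are assumed to be what your OpenVPN build logs.

```sh
#!/bin/sh
# Added example. The log lines are constructed; addresses are documentation ranges.
sample_log() {
cat <<'EOF'
Mon Nov 17 10:01:02 2025 daemon.err openvpn(server)[1234]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:51820
Mon Nov 17 10:01:03 2025 daemon.err openvpn(server)[1234]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:51821
Mon Nov 17 10:01:04 2025 daemon.err openvpn(server)[1234]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Nov 17 10:01:04 2025 daemon.err openvpn(server)[1234]: TLS Error: incoming packet authentication failed from [AF_INET]203.0.113.7:51822
Mon Nov 17 10:01:05 2025 daemon.err openvpn(server)[1234]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:51823
Mon Nov 17 10:05:00 2025 daemon.err openvpn(server)[1234]: 198.51.100.9:40000 TLS Error: TLS handshake failed
Mon Nov 17 10:06:10 2025 daemon.notice openvpn(server)[1234]: 198.51.100.9:40001 [client1] Peer Connection Initiated with [AF_INET]198.51.100.9:40001
EOF
}

# Read log lines on stdin; print "count ip status" for every source with at
# least MIN (default 3) failed handshakes, highest count first.
# On the router: logread | vpn_failures 5
vpn_failures() {
    awk -v min="${1:-3}" '
        # Return the first IPv4 address that is followed by :port, or "".
        function peer(s) {
            if (!match(s, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+/)) return ""
            s = substr(s, RSTART, RLENGTH); sub(/:[0-9]+$/, "", s); return s
        }
        /openvpn/ && /TLS Error|VERIFY ERROR/     { if ((p = peer($0)) != "") fails[p]++ }
        /openvpn/ && /Peer Connection Initiated/  { if ((p = peer($0)) != "") ok[p]++ }
        END {
            for (p in fails) if (fails[p] >= min)
                printf "%d %s %s\n", fails[p], p,
                       ((p in ok) ? "has-valid-sessions" : "never-authenticated")
        }
    ' | sort -rn
}
```

A source marked never-authenticated with a high count is a candidate for a firewall drop rule; one marked has-valid-sessions is more likely a known client with a connectivity or configuration problem.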
Conclusion
Setting up an OpenVPN server on OpenWRT using LuCI is a great way to enhance your online security and maintain access to your home network. By following the steps outlined in this article, you can configure a secure and reliable VPN server on your router. Remember to pay attention to security considerations and regularly monitor your OpenVPN server to ensure its continued operation. Now, go ahead and enjoy secure access to your home network from anywhere in the world!