OpenVPN
A Virtual Private Network (VPN) extends a private network across the Internet and lets users send and receive data over this connection as if their devices were directly connected to the private network. The connection is encrypted, and is known as a tunnel.
A VPN Server sits at one end of the tunnel with a VPN client at the other end. A VPN Server can have multiple tunnels to multiple VPN clients.
Commercial VPN Services
For many people, using a VPN means connecting to a commercial VPN Service. The main reasons for this are web browsing security and geolocation. A commercial VPN Service will provide Internet access for the client from their VPN server.
A VPN connection between your router and a commercial VPN service is encrypted with modern ciphers, so your ISP and anyone else on the path to the VPN server cannot read your packets or see which sites you are visiting. Bear in mind that the VPN provider itself can see that traffic, so you are moving trust from your ISP to the provider rather than becoming anonymous.
Geolocation is another benefit of using a commercial VPN service: web sites you visit see the VPN server's location rather than your actual location, which can give you access to sites that are only available in the server's country.
Private VPN Network
A private VPN network differs from a commercial VPN service as it may or may not allow its clients access to the Internet from its location. Instead, it is designed to allow remote clients secure access to the server's network through the encrypted tunnel.
OpenVPN Instances
To create an OpenVPN client or server go to the Services menu and the OpenVPN submenu. This will show the OpenVPN Instances ( clients and servers ) that have already been created.
To create a new Instance, enter the name in the box, select the type of Instance you wish to create from the dropdown recipe box and then click on the ADD button.
There are predefined recipes for a number of VPN services, recipes for VPN services that provide an ovpn file, and generic VPN client and server recipes for setting up a private VPN network. After you add a new Instance you will be taken to its configuration page to set things up.
Creating Clients for Commercial VPN Service Providers
Creating a Client for a commercial VPN service can be done one of two ways. If there is a predefined recipe for them you can use that. Otherwise you can use the service's ovpn file.
Predefined VPN Client
In the recipe box there are a number of predefined client Instances for various VPN services that require only a few changes to complete. Currently there are client recipes for the following services.
- AirVPN
- Mullvad
- Private Internet Access
- ProtonVPN
- Windscribe
- Tunnelbear
- NordVPN
If you want to connect to a VPN service that has a predefined recipe you will have received some files and information from them. Included in this information is the Username and Password you use to access their VPN server. On your computer, create a plain text file named password.txt containing the Username on the first line and the Password on the second line. Remember where you saved this file for later.
You may also have received some certificate and key files plus the host name of the VPN server you will be connecting to. Save these files in the same location as the password.txt file. For AirVPN, Mullvad, Private Internet Access and Windscribe you don't need the certificate and key files as these are already on the router.
After clicking on the ADD button you will be taken to the Basic Settings page where you can complete the configuration.
If this is one of the VPN services where you don't require the certificates and keys because they are already present on the router, all you need to do is change remote to the host name of the VPN server and upload the password.txt file to auth_user_pass. Click on Save&Apply to complete the configuration.
If you require the certificate and key files provided by the VPN service then upload them to the appropriate entry. In general the file names associated with each entry are as follows.
- tls_auth - ta.key
- ca - ca.crt
- cert - client.crt
- key - client.key
Click on Save&Apply to complete the configuration.
OVPN Client
Many VPN services will supply you with a file that has an .ovpn extension. This, along with some certificate and key files, is used to create the client VPN Instance on the router. Select Client Configuration for OVPN from the Recipes dropdown box if you have one of these. Along with this file you will have received your Username and Password information. On your computer, create a plain text file named password.txt containing the Username on the first line and the Password on the second line. Remember where you saved this file for later. You may also have received some certificate and key files along with the ovpn file. Save these files in the same location as the password.txt file.
Some ovpn files contain the certificate and key information inline (in <ca>, <cert>, <key> and <tls-auth> blocks) and do not require external files. Others reference external files, which you must upload to the OpenVPN Instance.
Upload the password.txt file to auth_user_pass and the ovpn file to config. If you are required to supply the certificate and key files then you must add those entries to the page.
Use the -- Additional Field -- box to select the ca field and click on the ADD button.
Repeat this for the cert and key fields as well. You may be required to add the tls_auth field as well.
Upload the files to these entries. Click on Save&Apply to finish the configuration.
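To check which fields a given ovpn file still needs, here is an added example in POSIX shell (it is not part of ROOter or of this page): it reports which of ca, cert, key and tls_auth refer to external files that must be added with -- Additional Field -- and uploaded, whether the profile uses auth-user-pass at all (and so needs password.txt), and whether password.txt has the two-line layout described in the predefined-recipe and OVPN sections above. The sample profile and credentials it writes are constructed for the demonstration, not a real provider's.

```shell
#!/bin/sh
# Added example, not ROOter's own code: given a provider's .ovpn file, work out
# which Instance fields (ca, cert, key, tls_auth) still have to be added with
# "-- Additional Field --" and uploaded, and sanity-check password.txt.
# Runs on BusyBox ash (as on the router) as well as desktop sh.

# Does the profile ask for a username/password (auth-user-pass directive)?
ovpn_needs_password() {
    grep -Eq '^[[:space:]]*auth-user-pass' "$1"
}

# Print one Instance field name per line for each directive that refers to an
# external file. A directive embedded inline as <ca>...</ca> needs no upload.
ovpn_missing_fields() {
    f="$1"
    for directive in ca cert key tls-auth; do
        field=$(printf '%s' "$directive" | tr '-' '_')   # tls-auth -> tls_auth
        if grep -Eq "^[[:space:]]*<${directive}>" "$f"; then
            continue                                      # inline block present
        fi
        if grep -Eq "^[[:space:]]*${directive}[[:space:]]" "$f"; then
            printf '%s\n' "$field"                        # external file referenced
        fi
    done
    return 0
}

# password.txt must be exactly two non-empty lines: username, then password.
check_password_file() {
    awk 'NF == 0 { bad = 1 } END { if (NR != 2 || bad) exit 1; exit 0 }' "$1"
}

# --- constructed sample input; not a real provider's profile ---
work=$(mktemp -d)
cat > "$work/sample.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
auth-user-pass
cert client.crt
key client.key
tls-auth ta.key 1
<ca>
-----BEGIN CERTIFICATE-----
(certificate body omitted in this constructed sample)
-----END CERTIFICATE-----
</ca>
EOF
printf 'vpnuser\ns3cret-pass\n' > "$work/password.txt"

if ovpn_needs_password "$work/sample.ovpn"; then
    echo "profile uses auth-user-pass: upload password.txt to auth_user_pass"
fi
echo "fields to add with -- Additional Field -- and upload:"
ovpn_missing_fields "$work/sample.ovpn"      # cert, key, tls_auth (ca is inline)
if check_password_file "$work/password.txt"; then
    echo "password.txt: OK"
else
    echo "password.txt must hold exactly two non-empty lines" >&2
fi
```

Run it against the real ovpn file and password.txt you were given (replace the constructed sample) before you start adding fields in the Instance; a profile that embeds everything inline and has no auth-user-pass line needs only the config upload.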
Creating Clients for a Home or Business OpenVPN Server
If you are creating a VPN client for a private VPN server you need to create the VPN client from scratch. There are two different types of VPN servers, TUN and TAP, so you must create the correct client for it since you can't mix different client and server types. Choose either Basic TUN VPN Client or Basic Server-Bridge TAP VPN Client from the Recipes dropdown box to configure the VPN client.
For this type of VPN client you will have received the certificate and key files along with the Username and Password, if required. Many private VPN servers do not use Usernames or Passwords. You will also have been given the host name or IP address of the VPN server and, possibly, some special settings needed for this server.
If you require a Username and Password then, on a computer, create a plain text file named password.txt containing the Username on the first line and the Password on the second line. Remember where you saved this file. Place the certificate and key files in this location as well.
If you require additional entries for this Instance, such as tls_auth, use the -- Additional Field -- box to select them and click on the ADD button.
Set remote to the host name or IP address of the VPN server and then upload the password, certificate and key files for each entry. Enter any other entry values that have been specified for this client and then click on Save&Apply.
Creating a Home or Business OpenVPN Server
You may wish to have a VPN server on your router to allow others a secure method of accessing your network and possibly providing them with Internet as well through your Provider.
Key and Certificate Generation
A VPN server requires a set of certificates and keys for both itself and for the clients that will be connecting to it. Before you can configure a VPN server you need these files to be generated. This can be done on the router or externally on a computer using the XCA Certificate and Key Management program.
To generate the certificates and keys needed for a VPN server on your router go to the Services menu and the OpenVPN submenu. In Advanced Options click on the Key and Certificate Generation tab.
Enter values for the Country Name, City Name and Organization Name plus any of the other fields that you wish. These values only form the subject names of the generated certificates; they do not affect the strength of the keys, which comes from the random number generator on the router.
Lastly, enter the number of days you want this set of certificates and keys to be valid for in the Days to Certify for box.
Click on Save&Apply to save these settings.
To create the keys and certificates click on the Generate Certs and Keys button. This can take a long time on a router, 60 minutes or more.
The status of the generation process is shown in the Status of Key Generation box. The process can be stopped at any time by clicking on the Stop Process button. The key generation process will continue even if you leave this page and, when you return to the page, the status of the process will still be shown.
When the key generation process is finished a Download Certs and Keys button will appear at the bottom of the page. Click on this button to save the certificates and keys package to a computer.
This package is a compressed tar.gz file named certificates.tar.gz. This is the only type of archive file supported by the LEDE firmware that ROOter is based on. You will need an archiving program that understands tar.gz, such as 7-Zip, to extract the files from this package. Files needed by the VPN client are in the client folder while the files for the VPN server are in the server folder. The package contains the private keys for both, so keep it somewhere safe and give each client only the files from the client folder.
Once you have the required set of certificate and key files you can start configuring your VPN server. Go to the Services menu and the OpenVPN submenu.
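Before uploading the extracted files it is worth confirming that each certificate actually chains to ca.crt and matches its private key; a key uploaded against the wrong certificate is a common reason for an Instance that refuses to start. The following added example (not ROOter's own tool) does that with the openssl command line. It assumes the folder layout described above plus a copy of ca.crt in each folder, and the demo set it generates is a throwaway CA constructed for the example, not the output of the router.

```shell
#!/bin/sh
# Added example, not ROOter's own code: verify a certificate/key set before it is
# uploaded, using the openssl command line. Assumes the extracted package layout
# described above (a server folder and a client folder) and that each folder
# also holds ca.crt; adjust the paths if your package differs.

# Succeed only if CRT is signed by CA and KEY is the private key for CRT.
verify_pair() {
    ca="$1" crt="$2" key="$3"
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not chain to $ca" >&2
        return 1
    fi
    # The public key inside the certificate must equal the one derived from the key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $crt" >&2
        return 1
    fi
    echo "OK: $crt chains to $ca and matches $key"
}

# Check both halves of an extracted certificates.tar.gz.
verify_bundle() {
    d="$1"
    verify_pair "$d/server/ca.crt" "$d/server/server.crt" "$d/server/server.key" &&
    verify_pair "$d/client/ca.crt" "$d/client/client.crt" "$d/client/client.key"
}

# --- constructed demo set: a throwaway CA signing a server and a client cert ---
# (this is not the router's generator; it only reproduces the same file layout)
make_demo_set() {
    d="$1"
    mkdir -p "$d/server" "$d/client"
    cfg="$d/openssl.cnf"
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n' > "$cfg"
    openssl req -x509 -config "$cfg" -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Demo VPN CA' -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    for name in server client; do
        openssl req -new -config "$cfg" -newkey rsa:2048 -nodes \
            -subj "/CN=$name" -keyout "$d/$name/$name.key" -out "$d/$name.csr" 2>/dev/null
        openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -days 1 -out "$d/$name/$name.crt" 2>/dev/null
        cp "$d/ca.crt" "$d/$name/ca.crt"
    done
}

demo=$(mktemp -d)
make_demo_set "$demo"
verify_bundle "$demo"
# The typical mistake: the client key uploaded to the server Instance.
verify_pair "$demo/server/ca.crt" "$demo/server/server.crt" "$demo/client/client.key" || true
```

On your own package, skip make_demo_set and call verify_bundle on the directory you extracted certificates.tar.gz into; any FAIL line tells you which file to regenerate or re-upload.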
OpenVPN Server Type : TUN vs TAP
There are two different types of OpenVPN servers, each with their own type of client, called TUN and TAP. There are advantages and disadvantages to using each one of these types of servers.
TUN is a routed VPN while TAP is a bridged VPN. Routing ( TUN ) allows multiple different networks to communicate independently while remaining separate whilst bridging ( TAP ) connects two separate networks as if they were only one network.
When a client connects via bridging ( TAP ) to a remote network, it is assigned an IP address that is part of the remote's physical ethernet subnet and is then able to interact with other machines on the remote subnet as if it were connected locally.
When a client connects via routing ( TUN ), it uses its own separate subnet, and routes are set up on both the client machine and remote gateway so that data packets will seamlessly traverse the VPN.
You would use bridging ( TAP ) if the following conditions apply to your VPN network.
- the VPN needs to be able to handle non-IP protocols such as IPX.
- you are running applications over the VPN which rely on network broadcasts (such as LAN games).
- you would like to allow browsing of Windows file shares across the VPN without setting up a Samba or WINS server.
Overall, routing ( TUN ) is probably a better choice for most people, as it is more efficient and easier to set up than bridging. Routing also provides a greater ability to selectively control access rights on a client-specific basis.
OpenVPN TUN Server
To create a new TUN server Instance, enter the name in the box, select Basic TUN VPN Server from the dropdown recipe box and then click on the ADD button.
The following are the entries that need or may need to be changed for the VPN server Instance configuration.
- port - the router TCP/UDP port that OpenVPN should listen on.
- server - configure server mode and supply a VPN subnet and netmask for OpenVPN to draw client addresses from.
- ca - root certificate for the server (ca.crt ) to Upload
- cert - server certificate ( server.crt ) to Upload
- dh - Diffie-Hellman parameters ( dh2048.pem ) to Upload
- key - private key ( server.key ) to Upload
The server entry is the VPN subnet and netmask that OpenVPN draws its clients' addresses from. If the entry is 10.0.100.0 255.255.255.0, the VPN server will take 10.0.100.1 for itself, with the rest of the subnet going to clients. Each client will be able to reach the server on 10.0.100.1. Choose a subnet that does not overlap your router's LAN or the networks your clients connect from, otherwise the routes set up over the tunnel will collide.
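As an added example, not ROOter's own code, the following shell functions take the server entry just described, work out the address the server will use, and check the VPN subnet against your LAN subnets for overlap, a collision that otherwise only shows up as clients that connect but cannot reach anything. The LAN values used at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not ROOter's own code: check a TUN server's "server" entry
# before saving it. OpenVPN takes the first usable address for itself and hands
# the rest to clients, so the VPN subnet must not overlap the router's LAN or
# any network a client sits on.

# Dotted quad -> integer; the subshell keeps the IFS change local.
ip2int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# The address the server takes for itself: network address + 1.
server_address() {
    net=$(ip2int "$1"); mask=$(ip2int "$2")
    int2ip $(( (net & mask) + 1 ))
}

# Two networks overlap when they agree on every bit of the shorter mask.
nets_overlap() {
    n1=$(ip2int "$1"); m1=$(ip2int "$2")
    n2=$(ip2int "$3"); m2=$(ip2int "$4")
    common=$(( m1 & m2 ))
    [ $(( n1 & common )) -eq $(( n2 & common )) ]
}

# check_vpn_subnet VPN_NET VPN_MASK LAN_NET LAN_MASK [LAN_NET LAN_MASK ...]
# Returns 1 if the VPN subnet overlaps any of the listed LANs.
check_vpn_subnet() {
    vnet="$1"; vmask="$2"; shift 2
    echo "server entry: $vnet $vmask -> server reachable at $(server_address "$vnet" "$vmask")"
    rc=0
    while [ $# -ge 2 ]; do
        if nets_overlap "$vnet" "$vmask" "$1" "$2"; then
            echo "CONFLICT: $vnet/$vmask overlaps LAN $1/$2; pick another VPN subnet" >&2
            rc=1
        fi
        shift 2
    done
    return $rc
}

# Constructed values: the page's 10.0.100.0 example against a typical router LAN.
check_vpn_subnet 10.0.100.0 255.255.255.0 192.168.1.0 255.255.255.0
# A wider private range that would swallow the VPN subnet:
check_vpn_subnet 10.0.100.0 255.255.255.0 10.0.0.0 255.0.0.0 || true
```

Pass every LAN your clients will be coming from as extra pairs; a client on a home network that happens to use the same range as the VPN subnet cannot be reached even though its connection comes up.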
After making all the changes, click on Save&Apply to save them.
OpenVPN TAP Server
To create a new TAP server Instance, enter the name in the box, select Basic Server-Bridge TAP VPN Server from the dropdown recipe box and then click on the ADD button.
Finish Client or Server Setup
To return to the OpenVPN Overview page go to the Services menu and the OpenVPN submenu.
You will see your configured OpenVPN Instance ready to be used. Before it can be started you need to check the Enabled box for the Instance and click on Save&Apply. If you wish to have this Instance start automatically when the router boots up then also check the Start on Bootup box before clicking Save&Apply.
Before starting your OpenVPN Instance you should check the Advanced Options section for additional settings that may be needed. This section has 3 tabs for different settings.
On the Custom Firewall Settings tab there are three settings. Each one opens a firewall forwarding from the tunnel into one of your networks, so enable only the ones your setup actually needs.
- Forward Client VPN to LAN - allow devices on the VPN server's network to access your network.
- Forward Server VPN to LAN - allow devices on the client's network to access your server's network.
- Forward Server VPN to WAN - allow clients connected to your server access to the Internet.
On the Custom DNS Settings tab there are various settings for custom DNS servers for both the LAN and the WAN.
Using a fixed DNS on the WAN or LAN can solve some problems when connecting to the VPN server. As well, using a fixed LAN DNS can stop DNS leaks. A DNS leak is when DNS queries still go to your ISP's DNS servers outside the tunnel, revealing the sites you visit even though the rest of your traffic goes through the VPN. It is probably a good idea to set fixed DNS on both the WAN and LAN to avoid any problems.
If you change these settings, click on Save&Apply.
Once you have finished with the Advanced Options section and have Enabled your OpenVPN Instance, you can start it running by clicking on its Start button.
Clicking on the Stop button will terminate the Instance and the connection to the VPN server.
If the Instance fails to start, check that you have Enabled it and clicked on Save&Apply; this is a common mistake. You can also check the System Log to see what is happening with the connection. One common problem is that the Instance cannot resolve the host name of the VPN server because it can't use the DNS server from your Internet Provider. Setting a fixed DNS on the WAN will solve this problem.