alirz wrote: How is a VPN server running on my home router going to hide my torrent traffic at home.... Please enlighten me...
So, when you create a VPN server on the router, it's separated into two main steps: setting up the VPN interface [tun0, tun1, tun2, etc.] and configuring the config files. Using redirect-gateway redirects all VPN client traffic through the VPN tunnel, which has a gateway (if the subnet is 10.1.1.0/28) of 10.1.1.2 (.2 because .1 is the OpenVPN server). So instead of your WAN IP, it would show the gateway IP of the VPN to traffic coming in, and being transported over, the VPN.
If you refer back to my reply with the links to two posts I made, it explains the two main steps. Since it appears you didn't read them, I've pasted the post regarding creating the server interface below:
Server Interface Creation
Five things are needed to make a ssl vpn work: Certificates, Server Config, Client Config, VPN Interface creation, and Firewall rules to allow the VPN Traffic.
We need to create the VPN interface via uci (it can just as easily be done via LuCI; however, most of what we need to do is faster if done in uci):
Create the VPN interface:
uci set network.vpn0=interface ; uci set network.vpn0.ifname=tun0 ; uci set network.vpn0.proto=none
Allow OpenVPN tunnel utilization:
uci add firewall zone
# The zone name must match the src/dest used by the forwarding entries below ('vpn')
uci set firewall.@zone[-1].name=vpn
uci set firewall.@zone[-1].input=ACCEPT
uci set firewall.@zone[-1].forward=ACCEPT
uci set firewall.@zone[-1].output=ACCEPT
uci set firewall.@zone[-1].network=vpn0
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='vpn'
uci set firewall.@forwarding[-1].dest='wan'
Commit the changes:
uci commit network ; /etc/init.d/network reload ; uci commit firewall ; /etc/init.d/firewall reload
Now, we need to allow forwarding from vpn -> wan and wan -> vpn (you can copy and paste; paste in vi via right click):
Add to the top:
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option family 'ipv4'
option src '*'
option dest_port '1194'
option name 'Allow Inbound OpenVPN Traffic'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option name 'Allow Forwarded OpenVPN Traffic'
option src '*'
option dest '*'
option dest_port '1194'
option src_ip '*'
(The Inbound and Forwarding rules are TCP and UDP for troubleshooting purposes, as unless troubleshooting, the config files will utilize udp)
Add to the bottom:
config forwarding
option dest 'wan'
option src 'vpn'
config forwarding
option dest 'vpn'
option src 'wan'
Save the changes via :wq then:
/etc/init.d/firewall restart
These zone forwarding rules will show as colored boxes under the Network - General Settings - Zones; however, for wan, Input and Forward should still be listed as drop and Output as accept. To change the zone forwarding we put in place, click edit under Zone => Forwardings and at the bottom of the Zone Settings will be Inter-Zone Forwarding.
redirect-gateway is only utilized in the server config and is the option that controls routing all traffic over the VPN. For most options, the server and client configs must mirror one another (if you add udp to one, udp must be added to the other, or if you adjust the mtu value, the same must be mirrored in the other, etc.); however, there are certain options that are server or client specific and are not mutually exclusive (all possible options for the client and server configs can be found at the OpenVPN man page).
Now, the Server and Client config step...
Server and Client Config Creation
opkg update ; opkg install openvpn-openssl openvpn-easy-rsa luci-app-openvpn
The OpenVPN config file is located at /etc/config/openvpn
The OpenVPN root folder is located at /etc/openvpn/
OpenWRT Wikis:
OpenVPN Setup Guide for Beginners
OpenVPN Server HowTo
Using OpenWrt as an OpenVPN server with a TUN device
If you plan on accessing the VPN from a cell phone/tablet, this is worth a read (especially the part about p12 certs):
OpenVPN Connect Android FAQ
OpenVPN Man Page & HowTo from OpenVPN.net
OpenVPN Man Page
OpenVPN HowTo
Here are my config and client files for my OpenVPN Server:
Server Config (two servers from the same config file)
config openvpn 'VPN-Server'
option enabled '1'
# --- Protocol ---#
option dev 'tun'
option topology 'subnet'
option proto 'udp'
option port '1194'
#--- Routes ---#
option server '10.1.1.0 255.255.255.192'
#--- Client Config ---#
option ccd_exclusive '1'
option ifconfig_pool_persist '/etc/openvpn/clients/private/ipp.txt'
option client_config_dir '/etc/openvpn/clients/private'
option ifconfig '10.1.1.1 255.255.255.192'
#--- Pushed Routes ---#
list push 'route 192.168.1.0 255.255.255.224'
list push 'dhcp-option DNS 192.168.1.1'
list push 'dhcp-option WINS 192.168.1.1'
list push 'dhcp-option DNS 8.8.8.8'
list push 'dhcp-option DNS 8.8.4.4'
list push 'dhcp-option NTP 129.6.15.30'
#--- Encryption ---#
option cipher 'AES-256-CBC'
option dh '/etc/openvpn/keys/VPN-Server/dh2048.pem'
option pkcs12 '/etc/openvpn/keys/VPN-Server/VPN-Server.p12'
option tls_auth '/etc/openvpn/keys/VPN-Server/ta.key 0'
#--- Logging ---#
option log '/tmp/openvpn-private.log'
option status '/tmp/openvpn-private-status.log'
option verb '7'
#--- Connection Options ---#
option keepalive '10 120'
option comp_lzo 'yes'
#--- Connection Reliability ---#
option client_to_client '1'
option persist_key '1'
option persist_tun '1'
#--- Connection Speed ---#
option sndbuf '393216'
option rcvbuf '393216'
option fragment '0'
option mssfix '0'
option tun_mtu '48000'
#--- Pushed Buffers ---#
list push 'sndbuf 393216'
list push 'rcvbuf 393216'
#--- Permissions ---#
option user 'nobody'
option group 'nogroup'
config openvpn 'NAS-Server'
option enabled '1'
# --- Protocol ---#
option dev 'tun'
option topology 'subnet'
option proto 'udp'
option port '1195'
#--- Routes ---#
option server '10.1.2.0 255.255.255.192'
option route '192.168.2.0 255.255.255.224'
#--- Client Config ---#
option ccd_exclusive '1'
option ifconfig_pool_persist '/etc/openvpn/clients/nas/ipp.txt'
option client_config_dir '/etc/openvpn/clients/nas'
option ifconfig '10.1.2.1 255.255.255.240'
#--- Pushed Routes ---#
list push 'route 192.168.1.0 255.255.255.192'
list push 'route 192.168.2.0 255.255.255.224'
list push 'dhcp-option DNS 192.168.2.1'
list push 'dhcp-option WINS 192.168.2.1'
list push 'dhcp-option DNS 8.8.8.8'
list push 'dhcp-option DNS 8.8.4.4'
list push 'dhcp-option NTP 129.6.15.30'
#--- Encryption ---#
option cipher 'AES-256-CBC'
option dh '/etc/openvpn/keys/NAS-Server/dh2048.pem'
option pkcs12 '/etc/openvpn/keys/NAS-Server/NAS-Server.p12'
option tls_auth '/etc/openvpn/keys/NAS-Server/ta.key 0'
#--- Logging ---#
option log '/tmp/openvpn-nas.log'
option status '/tmp/openvpn-nas-status.log'
option verb '7'
#--- Connection Options ---#
option keepalive '10 120'
option comp_lzo 'yes'
#--- Connection Reliability ---#
option client_to_client '1'
option persist_key '1'
option persist_tun '1'
#--- Connection Speed ---#
option sndbuf '393216'
option rcvbuf '393216'
option fragment '0'
option mssfix '0'
option tun_mtu '48000'
#--- Pushed Buffers ---#
list push 'sndbuf 393216'
list push 'rcvbuf 393216'
#--- Permissions ---#
option user 'nobody'
option group 'nogroup'
Client Config - Windows
client
dev tun
tun-mtu 48000
fragment 0
mssfix 0
proto udp
remote your.ddns.com 1194
float
resolv-retry infinite
nobind
persist-key
persist-tun
pkcs12 VPN-Server-Client-1.p12
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
remote-cert-tls server
cipher AES-256-CBC
auth-nocache
verb 5
comp-lzo
In Windows, if the p12 isn't stored in the same directory as the ovpn config file, you will need to reference the path to the p12 cert (don't forget, in Windows you must use double backslashes, i.e. "C:\\Program Files\\OpenVPN\\Config\\").
You must also allow access through your firewall, and while you can do it through uci, it's almost always more convenient and faster to do so via luci.
The only things not provided here are the firewall rules for your setup (do not use port 1194) and certificates (created via easy-rsa, tutorial in "OpenVPN Setup Guide for Beginners"), and while I'd recommend reading through the links above, I'd take my config and tailor it to your needs. The OpenVPN man page is vital to getting the most out of your VPN as it, in combination with the OpenVPN HowTo, provides all available server and client configuration options.
(Last edited by JW0914 on 13 Jun 2015, 23:06)
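An added example, not part of JW0914's post and not OpenWrt's own tooling: a small Python checker that parses the UCI text format used in the firewall fragments above and verifies the three things that most often break an OpenVPN server on OpenWrt. It checks that every `config forwarding` names a declared zone (a zone created as `OpenVPN` while the forwardings reference `vpn` silently forwards nothing), that the tunnel interface (`vpn0` here) is a member of some zone, and that an ACCEPT input rule opens the server port on the protocol the server actually uses. The sample firewall text is constructed for the example and modelled on the post's rules; the function names and the `vpn0`/`1194`/`udp` parameters are this example's own assumptions.

```python
"""Consistency check for an OpenWrt /etc/config/firewall fragment that
fronts an OpenVPN server. Added example, not code from the forum post."""
import re

# Constructed sample, modelled on the post: note the zone is named 'OpenVPN'
# while the forwarding entry references 'vpn'.
SAMPLE_FIREWALL = """
config zone
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    option output 'ACCEPT'

config zone
    option name 'OpenVPN'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option network 'vpn0'

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option src '*'
    option dest_port '1194'
    option name 'Allow Inbound OpenVPN Traffic'

config forwarding
    option dest 'wan'
    option src 'vpn'
"""

# Same fragment with the zone renamed so it matches the forwarding entry.
FIXED_FIREWALL = SAMPLE_FIREWALL.replace("option name 'OpenVPN'", "option name 'vpn'")


def parse_uci(text):
    """Parse UCI 'config/option/list' text into a list of section dicts.

    Each dict carries '_type' (e.g. 'zone'), optional '_name', and one key
    per option; repeated 'list' entries are collected into a Python list.
    """
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        # Quoted values may contain spaces ('tcp udp'); keep them as one token.
        parts = [p.strip("'") for p in re.findall(r"'[^']*'|\S+", line)]
        if parts[0] == 'config':
            current = {'_type': parts[1]}
            if len(parts) > 2:
                current['_name'] = parts[2]
            sections.append(current)
        elif parts[0] == 'option' and current is not None:
            current[parts[1]] = parts[2] if len(parts) > 2 else ''
        elif parts[0] == 'list' and current is not None:
            current.setdefault(parts[1], []).append(parts[2])
    return sections


def check_openvpn_firewall(sections, port=1194, proto='udp', iface='vpn0'):
    """Return a list of problems; an empty list means the fragment is consistent."""
    problems = []
    zones = [s for s in sections if s['_type'] == 'zone']
    zone_names = {z.get('name') for z in zones}

    # 1. Every forwarding must point at zones that actually exist.
    for s in sections:
        if s['_type'] != 'forwarding':
            continue
        for side in ('src', 'dest'):
            if s.get(side) not in zone_names:
                problems.append(f"forwarding {side}='{s.get(side)}' matches no zone "
                                f"{sorted(zone_names)}")

    # 2. The tunnel interface must belong to a zone, or its traffic is dropped.
    in_zone = False
    for z in zones:
        nets = z.get('network', [])
        nets = nets.split() if isinstance(nets, str) else nets
        in_zone = in_zone or iface in nets
    if not in_zone:
        problems.append(f"interface {iface} is not a member of any zone")

    # 3. An input rule (no 'dest' => traffic to the router itself) must accept
    #    the server port on the protocol the OpenVPN server is configured for.
    opened = any(
        s['_type'] == 'rule' and s.get('target') == 'ACCEPT' and 'dest' not in s
        and s.get('src') in ('*', 'wan') and s.get('dest_port') == str(port)
        and proto in s.get('proto', 'tcp udp').split()
        for s in sections)
    if not opened:
        problems.append(f"no ACCEPT input rule for {proto}/{port}")
    return problems


if __name__ == '__main__':
    for label, text in (('as posted', SAMPLE_FIREWALL), ('zone renamed', FIXED_FIREWALL)):
        print(label, '->', check_openvpn_firewall(parse_uci(text)) or 'OK')
```

Run it against the real file with `parse_uci(open('/etc/config/firewall').read())` after copying it off the router; the checker is read-only and only reports, so it is safe to run before `/etc/init.d/firewall restart`.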