Hello,
I'm out of my mind, it's 3rd day with configuring openvpn on my openwrt.
I have TP-Link WR841N, it has only 4MB of flash.
I'm trying to run OpenVPN server on it installing packages in RAM.
Besides the clean Chaos Calmer I have only ddns installed - it works.
I installed OpenVPN using tokyobreeze.wordpress.com/2015/01/15/install-openvpn-in-a-router-with-4mb-flash/
tutorial, but I modified it a little bit - for now I have only installation script done, not a startup one
According to this tutorial i installed kmod-tun zlib liblzo packages in flash
install script:
root@cebrouter:/etc/openvpn# cat /etc/openvpn/install_ovpn
#!/bin/sh /etc/rc.common
# This script installs packages into RAM
RAM_ROOT=/tmp
PACKAGES='openvpn-easy-rsa openvpn-openssl'
start() {
echo Updating package list...
opkg update
[ ! -d $RAM_ROOT ] && mkdir $RAM_ROOT
cd $RAM_ROOT
for PACKAGE in $PACKAGES
do
echo Installing $PACKAGE...
tar xzf $(opkg download $PACKAGE | grep Downloaded | cut -d\ -f4 | sed '$s/.$//')
tar xzf data.tar.gz
find . -maxdepth 1 -type f -exec rm {} \;
done
}I changed environmental variables in /etc/profile:
root@cebrouter:/etc/openvpn# cat /etc/profile
#!/bin/sh
[ -f /etc/banner ] && cat /etc/banner
[ -e /tmp/.failsafe ] && cat /etc/banner.failsafe
export PATH=/tmp/usr/bin:/tmp/usr/sbin:/tmp/sbin:/tmp/bin:/usr/sbin:/usr/bin:/sbin:/bin
export HOME=$(grep -e "^${USER:-root}:" /etc/passwd | cut -d ":" -f 6)
export HOME=${HOME:-/root}
export PS1='\u@\h:\w\$ '
export LD_LIBRARY_PATH=/tmp/lib:/tmp/usr/lib:$LD_LIBRARY_PATH
[ -x /bin/more ] || alias more=less
[ -x /usr/bin/vim ] && alias vi=vim || alias vim=vi
[ -z "$KSH_VERSION" -o \! -s /etc/mkshrc ] || . /etc/mkshrc
[ -x /usr/bin/arp ] || arp() { cat /proc/net/arp; }
[ -x /usr/bin/ldd ] || ldd() { LD_TRACE_LOADED_OBJECTS=1 $*; }I configured server with OpenWRT Guide - wiki.openwrt.org/doc/howto/vpn.openvpn
I also linked /etc/init.d/openvpn to /tmp/etc/init.d/openvpn usin symlink
ps shows that process is running:
root@cebrouter:/etc/openvpn# ps | grep "openvpn"
3504 root 1356 S grep openvpnBUT... there's no tap interface...
root@cebrouter:/etc/openvpn# ifconfig | grep "tap"
root@cebrouter:/etc/openvpn#Even if I turn off firewall completely - client can't connect with server. (I tried to test if my router is available from WAN - SSH works)
log from windows openvpn GUI:
Thu Sep 14 19:13:31 2017 OpenVPN 2.4.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jul 14 2017
Thu Sep 14 19:13:31 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Sep 14 19:13:31 2017 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Thu Sep 14 19:13:31 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu Sep 14 19:13:31 2017 Need hold release from management interface, waiting...
Thu Sep 14 19:13:32 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Sep 14 19:13:32 2017 MANAGEMENT: CMD 'state on'
Thu Sep 14 19:13:32 2017 MANAGEMENT: CMD 'log all on'
Thu Sep 14 19:13:32 2017 MANAGEMENT: CMD 'echo all on'
Thu Sep 14 19:13:32 2017 MANAGEMENT: CMD 'hold off'
Thu Sep 14 19:13:32 2017 MANAGEMENT: CMD 'hold release'
Thu Sep 14 19:13:32 2017 MANAGEMENT: >STATE:1505409212,RESOLVE,,,,,,
Thu Sep 14 19:13:32 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]MY_IP:11194
Thu Sep 14 19:13:32 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Sep 14 19:13:32 2017 UDP link local (bound): [AF_INET][undef]:1194
Thu Sep 14 19:13:32 2017 UDP link remote: [AF_INET]MY_IP:11194
Thu Sep 14 19:13:32 2017 MANAGEMENT: >STATE:1505409212,WAIT,,,,,,
Thu Sep 14 19:14:33 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 14 19:14:33 2017 TLS Error: TLS handshake failed
Thu Sep 14 19:14:33 2017 SIGUSR1[soft,tls-error] received, process restarting
Thu Sep 14 19:14:33 2017 MANAGEMENT: >STATE:1505409273,RECONNECTING,tls-error,,,,,
Thu Sep 14 19:14:33 2017 Restart pause, 5 second(s)I generated certificates few times, now these are generated with CentOS 7 x64 according to its guide.
My files:
openvpn.log
root@cebrouter:/etc/openvpn# cat /tmp/openvpn.log
cat: can't open '/tmp/openvpn.log': No such file or directory/etc/config/network
root@cebrouter:/etc/openvpn# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd06:bdd3:3c48::/48'
config interface 'lan'
option force_link '1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.50.99'
option ifname 'eth0 tap0'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 4'
config interface 'vpn0'
option ifname 'tap0'
option proto 'none'
option auto '1'/etc/config/network
root@cebrouter:/etc/openvpn# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd06:bdd3:3c48::/48'
config interface 'lan'
option force_link '1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.50.99'
option ifname 'eth0 tap0'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 4'
config interface 'vpn0'
option ifname 'tap0'
option proto 'none'
option auto '1'
root@cebrouter:/etc/openvpn#
root@cebrouter:/etc/openvpn# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config rule
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule 'Allow_OpenVPN_Inbound'
option target 'ACCEPT'
option src '*'
option proto 'udp'
option dest_port '11194'root@cebrouter:/etc/openvpn# cat /etc/config/openvpn
config openvpn 'myvpn'
option enabled '1'
option verb '3'
option proto 'udp'
option port '11194'
option dev 'tap'
option mode 'server'
option tls_server '1'
list push 'route-gateway dhcp'
list push 'redirect-gateway def1'
option keepalive '10 120'
option ca '/etc/openvpn/server/ca.crt'
option cert '/etc/openvpn/server/server.crt'
option key '/etc/openvpn/sever/server.key'
option dh '/etc/openvpn/server/dh2048.pem'