OpenWrt Forum Archive

Topic: OpenVPN Server. Multiple users/devices set up. Assistance Required

The content of this topic has been archived on 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Good Evening All,

Firstly, great software, it’s resurrected my old router and allowed me to condense down my network appliances. Money and power saving for the win!

I’ve configured my TP-Link TL-WDR3600 v1 with LEDE Reboot 17.01.4 r3560-79f57e422d / LuCI lede-17.01 branch and it’s all gone well. Got my security and firewall up and running. Access through port forwards to my web servers, DDNS, HTTPS web GUI and locked down my access rules, so all happy there.

I have an internal LAN, which includes the WiFi and Ethernet port 1
I have a DMZ, which is on Ethernet port 2
And my external connection on the WAN port.
Each interface is, of course, separated from the others, and firewall rules allow the LAN to contact the DMZ and get external access, but the DMZ can only get external access.

My next goal, which I am struggling with, is setting up the OpenVPN server on the system.

I’ve gone over the Wiki document a number of times:
(Cannot post URL, but it's on the openwrt.org site, under documentation > VPN section >> OpenVPN >> OpenVPN (server setup).)

Makes sense, I can follow that through, but I don’t think it’s providing the entire functionality I want.

I’m aiming to (and humour me here!):

Create an OpenVPN tunnel which I can use on my:
Personal iPad (using OpenVPN app from App store)
Personal iPhone (using OpenVPN app from App store)
Personal Laptop (Using OpenVPN software download)
Devices *
Devices +
Devices -
Potentially other devices if needed (* or + or -)
The goal is that each device can connect in (and eventually get a static IP address, once I have configured that setting) and, depending on what IP address it has, what it can get to. (On previous firewalls, I could make my rules based on username and group membership from a local users directory on the firewall.)

So my iOS devices and my laptop, each would connect in and have access to all devices on my LAN and DMZ.

Devices of a certain IP address(es) - which I class as “Devices *” above will have access to one internal server on the LAN only (Media Server)
Devices of a certain IP address(es) - which I class as “Devices +” above will have access to one internal server on the DMZ only (Game Server)
Devices of a certain IP address(es) - which I class as “Devices -” above will have access to potentially one internal server on the internal LAN and one internal on DMZ. (Media Server + Game Server)

The instructions in the Wiki I linked earlier appear to let me create one client set of certificate and key, which I would hand out with the .ovpn file etc. I am of the assumption that the Wiki is for a single user to make a connection back to the OpenVPN server, so there is no need for multiple client certs.

Is it possible to make more than one client set of certificates/keys - for example, each client gets a cert with a common name so that I can work on the extra settings to make them have static IP addresses when they connect to the VPN? If so, how would I go about this based on the guide in the Wiki?

I look forward to your help and once again, great software.

With Kindest Regards,

You can configure the OpenVPN server to issue the same IP address each time to the same client. That will help with configuring rules to permit certain clients access to certain resources.

It is indeed possible to create multiple certs and keys, and it is recommended that you do so for better security.

If you assign the same cert and key to multiple devices, every device will be able to connect, so it's very convenient. And it's also very insecure. In addition, if one device is compromised then you have to issue a new cert/key pair and reconfigure every device which uses that cert and key, which is time-consuming.

Instead, create a separate cert/key pair for each device. Then, if one is compromised, all you have to do is revoke the cert only for that client, which is much easier.

It's not difficult to do. I recently set up my own internal CA and started issuing my own keys and certificates precisely for this. https://jamielinux.com/docs/openssl-cer … authority/ is an excellent guide to the process. If you've already issued one cert/key pair then you're familiar with the process; all you need to do is adapt it for the common names of additional devices.
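The two pieces the thread asks for (a fixed tunnel address per client certificate, and firewall rules keyed on that address) can be generated from one table of clients. The script below is an added example, not code from the thread or from OpenWrt; it assumes the server config uses `topology subnet` on 10.8.0.0/24 with `client-config-dir`, that the tun interface sits in a firewall zone called `vpn` (with no blanket forwarding from `vpn` to `lan` or `dmz`, so only the listed rules permit traffic), and that the common names, tunnel addresses and server addresses are constructed placeholders. Certificate issuance and revocation use easy-rsa 3 (the `openvpn-easy-rsa` package) and only run when `ISSUE_CERTS=1`, so the rest runs on any POSIX shell.

```shell
#!/bin/sh
# Added example (not from the thread). One client table drives both the
# OpenVPN client-config-dir (same tunnel IP for the same cert CN every time)
# and the OpenWrt firewall rules that restrict each class of device.
# Assumptions: "topology subnet", server 10.8.0.0/24, firewall zones
# vpn/lan/dmz; every address and CN below is a constructed placeholder.
set -eu

MEDIA_SERVER=192.168.1.10   # constructed: media server on the LAN
GAME_SERVER=192.168.2.10    # constructed: game server on the DMZ

# cert common name | tunnel IP | access class (full / media / game / both)
CLIENTS='ipad 10.8.0.10 full
iphone 10.8.0.11 full
laptop 10.8.0.12 full
device-star 10.8.0.20 media
device-plus 10.8.0.30 game
device-minus 10.8.0.40 both'

# Lines the server config needs for per-client addressing (printed, not applied).
server_config_snippet() {
    printf '%s\n' 'server 10.8.0.0 255.255.255.0' 'topology subnet' \
        'client-config-dir /etc/openvpn/ccd'
}

# One file per CN: OpenVPN reads ccd/<CN> when that certificate connects and
# applies ifconfig-push, so the client always lands on the same address.
write_ccd() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' "$CLIENTS" | while read -r cn ip _; do
        printf 'ifconfig-push %s 255.255.255.0\n' "$ip" > "$dir/$cn"
    done
}

# Emit one ACCEPT rule as uci commands; an empty host means "whole zone".
emit_rule() {
    name=$1 ip=$2 zone=$3 host=$4
    printf '%s\n' 'uci add firewall rule' \
        "uci set firewall.@rule[-1].name='$name'" \
        "uci set firewall.@rule[-1].src='vpn'" \
        "uci set firewall.@rule[-1].src_ip='$ip'" \
        "uci set firewall.@rule[-1].dest='$zone'"
    if [ -n "$host" ]; then
        printf "uci set firewall.@rule[-1].dest_ip='%s'\n" "$host"
    fi
    printf '%s\n' "uci set firewall.@rule[-1].proto='all'" \
        "uci set firewall.@rule[-1].target='ACCEPT'"
}

# Full clients may reach both zones; restricted clients only their server(s).
write_firewall_uci() {
    out=$1
    : > "$out"
    printf '%s\n' "$CLIENTS" | while read -r cn ip class; do
        case $class in
            full)  emit_rule "vpn-$cn-lan" "$ip" lan ""
                   emit_rule "vpn-$cn-dmz" "$ip" dmz "" ;;
            media) emit_rule "vpn-$cn-media" "$ip" lan "$MEDIA_SERVER" ;;
            game)  emit_rule "vpn-$cn-game" "$ip" dmz "$GAME_SERVER" ;;
            both)  emit_rule "vpn-$cn-media" "$ip" lan "$MEDIA_SERVER"
                   emit_rule "vpn-$cn-game" "$ip" dmz "$GAME_SERVER" ;;
        esac
    done >> "$out"
    printf 'uci commit firewall\n' >> "$out"
}

# Per-device certificate via easy-rsa 3 (assumed installed); one CN per device
# so a compromised device is handled by revoking that CN alone.
issue_cert()  { easyrsa build-client-full "$1" nopass; }
revoke_cert() { easyrsa revoke "$1" && easyrsa gen-crl; }

OUT=${OUT:-$(mktemp -d)}
write_ccd "$OUT/ccd"
write_firewall_uci "$OUT/firewall-rules.sh"
if [ "${ISSUE_CERTS:-0}" = 1 ]; then
    printf '%s\n' "$CLIENTS" | while read -r cn _ _; do issue_cert "$cn"; done
fi
echo "wrote $OUT/ccd/ and $OUT/firewall-rules.sh"
```

Run it with `OUT=/tmp/vpn sh script.sh`, review `/tmp/vpn/firewall-rules.sh`, then copy the `ccd` directory to `/etc/openvpn/ccd` and execute the rule file on the router. After revoking a CN, point the server config at the generated `crl.pem` with `crl-verify` so the revoked certificate can no longer connect.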
