Memorial Day Weekend VPN Hell

When my friend wanted access from his LAN at his new house to the services I’ve built behind my LAN, I figured I could set it up without much of a problem.  I have never been a Linux guru, but I’ve always been able to get by quite well by finding solutions through Google searches, forum posts, and (gasp) documentation.  But this time was harder than I could have thought…

The first thing I should mention: both the VPN server and client are Ubiquiti RouterStation Pros running OpenWrt (Backfire).  These are beastly routers with low power consumption at a relatively low price ($80 MSRP), and I recommend them to anyone thinking of a new router.  The VPN software I’m using is OpenVPN.  My first thought was to use the luci-app-openvpn package I’d seen in the package repo, but after asking around in #openwrt I was told this package has never really worked well as a config GUI, which is unfortunate since nearly all of the other LuCI GUIs work very well.

After discovering that, it was time to start reading, reading, reading, trying, and erroring.  I couldn’t just read the OpenVPN documentation; because I have a horrible memory, I also had to brush up on routing, iptables, firewalls and scripting.  Not full-blown bash scripting either, since OpenWrt uses BusyBox, which was a small problem, seeing how nearly all the documentation assumed the clients would be a full Linux distro or Windows, never mind that the VPN endpoints here were neither and were the same machines as the gateways.

The first attempt was a simple client-to-client setup, which worked well at first: both routers were able to see each other, but neither of the LANs behind them.  The second attempt was a very simple client-server setup, which worked, but at the same time was more of a headache for other reasons.  To ease creating certificates directly on the routers, I recommend the easy-rsa package from the OpenWrt repos; it’s a very handy wrapper for all of the semi-complicated OpenSSL commands.  The third, fourth, fifth, etc. setups were all variations of each other, sometimes gaining functionality, sometimes not.  A very nice resource I came across was krzee’s OpenVPN config generator.

The last (current) setup is a semi-working VPN connection.  The client’s LAN is able to access the server’s LAN, but not the other way around.  Even though that’s pretty much the desired goal, it still lacks the ability for the server to access the client LAN, which is very frustrating.  Hopefully this will be fixed later in the week.  Below are the final VPN configs; hopefully they can be of use to someone.

Server config:

port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
tls-auth ta.key 0
server 10.8.1.0 255.255.255.0
persist-key
persist-tun
topology subnet
keepalive 10 120
verb 4
local 0.0.0.0
client-config-dir "/etc/openvpn/clients/"
client-to-client
comp-lzo
push "route 192.168.1.0 255.255.255.0"  # Lan behind server
push "route 192.168.6.0 255.255.255.0"  # Lan behind a client
route 192.168.6.0 255.255.255.0  # Lan behind a client
daemon
ping-timer-rem

========================================================================

Client config:

client
dev tun
remote xxx.yyy.com 1194 udp
resolv-retry infinite
nobind
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
tls-auth /etc/openvpn/ta.key 1
persist-key
persist-tun
verb 4
comp-lzo
daemon
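The server config above has a `route` for the LAN behind the client and a `client-config-dir`, but OpenVPN only forwards server-side traffic into 192.168.6.0/24 when the client’s file in that directory also carries a matching `iroute`; a missing `iroute` is one common reason a server cannot reach a client LAN even though the clients can reach the server LAN. The following POSIX sh script is an added example (not from the post) that flags every server-side `route` lacking an `iroute` in any client-config-dir file; the `server.conf` and `clients/` files it creates in a temporary directory are constructed sample data mirroring the config above.

```shell
#!/bin/sh
# Constructed check (not from the post): for every server-side
# "route <net> <mask>" in an OpenVPN server config, look for a matching
# "iroute <net> <mask>" in the files under client-config-dir.  OpenVPN
# needs the iroute to learn which connected client owns that LAN; the
# kernel route alone pushes packets into tun, where OpenVPN drops them.
# Plain POSIX sh so it also runs under BusyBox ash on OpenWrt.

# Print each "net mask" that has a route but no iroute in any ccd file.
missing_iroutes() {
    conf="$1"
    # client-config-dir value, with surrounding double quotes stripped
    ccd=$(sed -n 's/^client-config-dir[[:space:]]*"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$conf")
    [ -d "$ccd" ] || { echo "client-config-dir not found: '$ccd'" >&2; return 2; }
    sed -n 's/^route[[:space:]]\{1,\}\([0-9.]\{1,\}\)[[:space:]]\{1,\}\([0-9.]\{1,\}\).*/\1 \2/p' "$conf" |
    while read -r net mask; do
        # escape dots and turn the separator into a whitespace run for grep
        re=$(printf '%s %s' "$net" "$mask" | sed 's/\./\\./g; s/ /[[:space:]]\\{1,\\}/')
        # -q: success if any ccd file matches; -s: quiet when the dir is empty
        grep -qs "^iroute[[:space:]]\{1,\}$re" "$ccd"/* || echo "$net $mask"
    done
}

# Constructed sample mirroring the post's server.conf, plus one extra client
# LAN (192.168.7.0/24) that has a route but no ccd entry, to show a miss.
demo() {
    tmp=$(mktemp -d) && mkdir "$tmp/clients"
    cat > "$tmp/server.conf" <<EOF
server 10.8.1.0 255.255.255.0
client-config-dir "$tmp/clients/"
push "route 192.168.1.0 255.255.255.0"
route 192.168.6.0 255.255.255.0  # Lan behind a client
route 192.168.7.0 255.255.255.0
EOF
    # a ccd file is named after the client certificate's Common Name
    echo 'iroute 192.168.6.0 255.255.255.0' > "$tmp/clients/client1"
    missing_iroutes "$tmp/server.conf"
    rm -rf "$tmp"
}

demo   # prints: 192.168.7.0 255.255.255.0
```

On the router itself, run `missing_iroutes /etc/openvpn/server.conf` against the live config; an empty result means every routed client LAN has an owner.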
