Connect Subnets with OpenWRT & OpenVPN
See section 3, "Certificate creation", of http://wiki.openwrt.org/OpenVPNTunHowTo for generating the CA, server and client keys and certificates. On the server side, the new init script mentioned in that wiki page is required. I placed it at /etc/init.d/openvpn.new and symlinked it to /etc/init.d/S50openvpn. My init.d script:
#!/bin/sh
# Minimal OpenVPN init script for OpenWRT (BusyBox sh).
# Linked as /etc/init.d/S50openvpn so it runs at boot.
case "$1" in
start)
	openvpn --daemon --config /etc/openvpn/openvpn_peer.conf
	;;
restart)
	$0 stop
	sleep 3
	$0 start
	;;
reload)
	# SIGHUP makes openvpn re-read its config and re-establish the tunnel
	killall -SIGHUP openvpn
	;;
stop)
	killall openvpn
	;;
*)
	echo "Usage: $0 {start|stop|restart|reload}"
	exit 1
	;;
esac
Routing from the client to the server's subnet is simple: just follow the OpenWRT wiki. Routing from the server (and other clients) to the client's subnet needs some additional settings in the OpenVPN server configuration. My /etc/openvpn/openvpn_peer.conf:
### network options
port 1194
#proto udp
proto tcp
dev tun
### certificate and key files
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
### (optional) use a shared key to initialize TLS negotiation
#tls-auth /etc/openvpn/shared.key
### VPN subnet
server 10.8.0.0 255.255.255.0
### (optional) make local network behind the VPN server accessible for the VPN clients
push "route 192.168.1.0 255.255.255.0"
### (optional) make the VPN server a gateway for the internet for the VPN clients
#push "redirect-gateway"
### (optional) compression (might make your WRT sluggish or not, depending on the model and what you have running...)
comp-lzo
keepalive 10 120
status /tmp/openvpn.status
### routes to the subnets behind the clients
# per-client config files live here; each one is named after the client's certificate Common Name
client-config-dir /etc/openvpn/ccd
# kernel route on the server: send 192.168.3.0/24 into the tun interface
# (must be paired with an "iroute" for the same subnet in that client's ccd file)
route 192.168.3.0 255.255.255.0
Notice:
- I used TCP instead of UDP, since some firewalls block UDP. Keep in mind that TCP inside a TCP tunnel stacks two retransmission layers and degrades badly on lossy links, so prefer UDP wherever the firewall allows it.
- client-config-dir is important for routing to the client subnet; see the ccd file description below.
- route is also important, and must match the iroute setting in the ccd file. The two do different jobs: route adds a kernel route on the server so that packets for 192.168.3.0/24 are handed to the tun interface, while iroute tells the OpenVPN daemon which connected client that subnet lives behind, so it knows which TLS session to forward the packets into. With only route, packets enter the tunnel but OpenVPN drops them; with only iroute, the server kernel never sends them to the tunnel at all.
- The ccd file is named exactly after the Common Name in the client's certificate (the file is ignored if the name differs) and contains:
iroute 192.168.3.0 255.255.255.0
- dh1024.pem is a 1024-bit Diffie-Hellman group, which is considered too weak today; generating a 2048-bit group (openssl dhparam -out dh2048.pem 2048) and pointing dh at it is the safer choice.
- comp-lzo compresses data before encryption, which lets an attacker who can inject traffic into the tunnel learn secrets from the ciphertext length (the VORACLE class of attacks); leave compression off unless the bandwidth saving is really needed.
Then, once the peers connected, the routes to both subnets were added on each side (check with route -n on the router).
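The route/iroute pairing above is the usual thing that goes wrong in this setup, so here is a small POSIX sh helper, added for this page and not part of the original post or of OpenVPN itself, that writes the per-client ccd file and checks that every iroute in the ccd directory is backed by a route line in the server config. The client names peer-site3 and peer-site4, the temporary directory and the sample config fragment are constructed for the example; on a real router you would point it at /etc/openvpn/openvpn_peer.conf and /etc/openvpn/ccd.

```shell
#!/bin/sh
# Added example (not from the original post): helper for the route/iroute
# pairing that OpenVPN needs for subnets behind a client. The paths, the
# client CNs and the sample config below are constructed for this example.

# write_ccd DIR CN NET MASK
# Creates DIR/CN containing "iroute NET MASK". OpenVPN only reads a ccd file
# whose name equals the Common Name of the client's certificate, so an empty
# CN or one containing "/" is refused instead of producing a file that is
# never consulted.
write_ccd() {
    dir=$1; cn=$2; net=$3; mask=$4
    case "$cn" in
        ""|*/*|.|..) echo "write_ccd: invalid client CN '$cn'" >&2; return 1 ;;
    esac
    mkdir -p "$dir" || return 1
    printf 'iroute %s %s\n' "$net" "$mask" > "$dir/$cn"
}

# ccd_iroutes DIR: print every NET/MASK named by an iroute in DIR/*
ccd_iroutes() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk '$1 == "iroute" { print $2 "/" $3 }' "$f"
    done
}

# server_routes CONF: print every NET/MASK named by a route line in CONF
server_routes() {
    awk '$1 == "route" { print $2 "/" $3 }' "$1"
}

# check_iroute_pairs CONF DIR
# Returns 0 when every iroute in DIR has a matching route in CONF, otherwise
# reports the orphans and returns 1. An orphan iroute is the classic symptom:
# the client connects fine, but packets for its LAN never reach the tun
# interface because the server kernel has no route for that subnet.
check_iroute_pairs() {
    conf=$1; dir=$2; missing=0
    routes=$(server_routes "$conf")
    for ir in $(ccd_iroutes "$dir"); do
        if ! printf '%s\n' "$routes" | grep -qxF "$ir"; then
            echo "iroute $ir has no matching 'route' line in $conf" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# --- constructed demonstration (temporary files, nothing under /etc) ---
WORK=$(mktemp -d)
CONF="$WORK/openvpn_peer.conf"
CCD="$WORK/ccd"

# Server config fragment mirroring the post's routing section
cat > "$CONF" <<'EOF'
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
route 192.168.3.0 255.255.255.0
EOF

# The client from the post: its subnet is routed and has an iroute
write_ccd "$CCD" peer-site3 192.168.3.0 255.255.255.0
if check_iroute_pairs "$CONF" "$CCD"; then
    echo "ok: every iroute is backed by a server route"
fi

# A second client whose subnet was never added to the server config
write_ccd "$CCD" peer-site4 192.168.4.0 255.255.255.0
if ! check_iroute_pairs "$CONF" "$CCD"; then
    echo "as expected: add 'route 192.168.4.0 255.255.255.0' to $CONF"
fi
```

Run it once after editing the server config or adding a ccd file; a failing check names the subnet whose route line is missing, which is much quicker than watching the tunnel come up and then wondering why pings into the remote LAN go nowhere.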
Labels: OpenWRT
