Hey guys! Today, we're diving into how to set up an OpenVPN server on OpenWrt using LuCI, the web interface. Setting up a VPN can seem daunting, but with OpenWrt and LuCI, it becomes a whole lot easier. Whether you're looking to secure your home network, bypass geo-restrictions, or just want an extra layer of privacy, this guide will walk you through the process step by step. So, grab your coffee, and let’s get started!
Why Use OpenVPN on OpenWrt?
Before we jump into the setup, let’s quickly cover why you might want to use OpenVPN on OpenWrt. OpenWrt is a fantastic open-source firmware that can turn your router into a powerhouse of customization. OpenVPN is a robust and highly configurable VPN protocol, known for its security and reliability. Combining these two gives you a secure, private tunnel for your internet traffic directly from your router.
- Security: OpenVPN uses strong encryption to protect your data from prying eyes.
- Privacy: By routing your traffic through a VPN server, you can mask your IP address and location.
- Access Geo-Restricted Content: Bypass regional restrictions and access content from anywhere in the world.
- Secure Public Wi-Fi: Protect your data when using public Wi-Fi networks.
- Centralized VPN: Secure all devices on your home network without needing to install VPN software on each device.
Prerequisites
Before beginning, make sure you have the following:
- An OpenWrt Router: Obviously! Make sure it's flashed with the latest version of OpenWrt.
- LuCI Installed: LuCI is the web interface for OpenWrt. If you don't have it, you’ll need to install it via the command line.
- Internet Connection: A stable internet connection for your router.
- Basic Networking Knowledge: A general understanding of IP addresses, subnets, and routing will be helpful.
Step-by-Step Guide to Setting Up OpenVPN on OpenWrt with LuCI
Step 1: Install the Necessary Packages
First things first, we need to install the OpenVPN packages. Open up your SSH client (like PuTTY on Windows or Terminal on macOS/Linux) and connect to your OpenWrt router. Use the following commands to update the package list and install the required packages:
opkg update
opkg install openvpn-openssl luci-app-openvpn
- opkg update: This command updates the list of available packages. It's always a good idea to run this before installing anything.
- opkg install openvpn-openssl: This installs the OpenVPN package with OpenSSL support, which is crucial for encryption.
- luci-app-openvpn: This installs the LuCI app, which provides a web interface for configuring OpenVPN. This is what makes the whole process user-friendly.
After running these commands, LuCI might need a restart to recognize the new application. You can restart LuCI using the following command:
/etc/init.d/uhttpd restart
Step 2: Generate Server Keys and Certificates
Next, we need to generate the keys and certificates for the OpenVPN server. This is the most important part for the security of your VPN. We'll use the easy-rsa scripts for this. First, install the easy-rsa package:
opkg install easy-rsa
Once installed, copy the easy-rsa scripts to a working directory:
mkdir /etc/openvpn/easy-rsa
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa
Now, initialize the PKI (Public Key Infrastructure):
./easyrsa init-pki
Build the Certificate Authority (CA):
./easyrsa build-ca nopass
This command creates the CA certificate, which is the root of trust for your VPN. The nopass option skips setting a password for the CA key, but for enhanced security, it’s recommended to use a password.
Now, build the server certificate and key:
./easyrsa build-server-full server nopass
This creates the server certificate and key. Again, the nopass option is used for simplicity, but consider using a password in a production environment.
Finally, generate the Diffie-Hellman parameters. This can take a while, so be patient:
./easyrsa gen-dh
Step 3: Configure the OpenVPN Server via LuCI
Now that we have our keys and certificates, let's configure the OpenVPN server using LuCI. Open your web browser and navigate to your router’s IP address. Log in to LuCI, then go to VPN -> OpenVPN.
Click on the “Add” button to create a new OpenVPN instance. Give it a name (e.g., “MyVPNServer”) and set the following parameters:
- Enabled: Check this box to enable the OpenVPN server.
- Server Mode: Select “server”.
- Protocol: Choose between UDP and TCP. UDP is generally faster, but TCP might be more reliable in some network conditions. UDP is the recommended protocol.
- Port: The default OpenVPN port is 1194, but you can change it if you like. Just make sure it’s not a commonly used port.
- Local IP: This is the IP address that the OpenVPN server will listen on. Usually, it's the router’s LAN IP address.
- Virtual Tunnel IP: This is the IP address of the VPN server's tunnel interface. Choose an address within a private IP range that doesn't conflict with your existing network (e.g., 10.8.0.1).
- Virtual Network: This is the IP network that will be used for VPN clients. Choose a network that doesn't conflict with your existing network (e.g., 10.8.0.0/24).
- Netmask: Set the netmask for the virtual network (e.g., 255.255.255.0).
- CA Certificate: Copy the contents of /etc/openvpn/easy-rsa/pki/ca.crt into this field.
- Server Certificate: Copy the contents of /etc/openvpn/easy-rsa/pki/issued/server.crt into this field.
- Server Key: Copy the contents of /etc/openvpn/easy-rsa/pki/private/server.key into this field.
- DH Parameters: Copy the contents of /etc/openvpn/easy-rsa/pki/dh.pem into this field.
Under the Advanced Settings tab, you might want to adjust the following:
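- Compression: Enable compression to improve performance, especially on slower networks. Be aware that the OpenVPN project discourages compression, because compressing traffic before encrypting it can leak information about the plaintext (the VORACLE attack); leave it off unless you have a specific need.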
- Keepalive: Set keepalive intervals to ensure the connection stays alive.
- Cipher: The default cipher is usually fine, but you can choose a stronger cipher if you prefer.
Save and apply the settings. The OpenVPN server should now be running.
Step 4: Create Client Configuration Files
Now that the server is set up, we need to create configuration files for our clients. These files contain the necessary information for the client to connect to the VPN server.
First, generate a client certificate and key for each client. On the router, run:
./easyrsa build-client-full client1 nopass
Replace client1 with the desired name for the client. Repeat this for each client.
Next, create the OpenVPN client configuration file. A basic configuration file looks like this:
client
dev tun
proto udp
remote your_router_ip 1194
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
Replace your_router_ip with your router’s public IP address or domain name. Also, replace client1 with the actual client name. The ca.crt, client1.crt, and client1.key files need to be included in the same directory as the configuration file or embedded directly into the configuration file.
Copy the following files from the router to your client machine:
- /etc/openvpn/easy-rsa/pki/ca.crt
- /etc/openvpn/easy-rsa/pki/issued/client1.crt
- /etc/openvpn/easy-rsa/pki/private/client1.key
You can use scp or any other file transfer method to copy these files.
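Step 4 mentions that the certificates and key can be embedded directly into the configuration file. The script below is an added example, not part of the original guide, that builds such a single-file profile from the settings shown above and creates it readable only by its owner, since it contains the client's private key. The names make_ovpn and pem_block are hypothetical helpers, and the PKI path defaults to the directory used in Step 2.

```shell
#!/bin/sh
# Added example: bundle the Step 4 client settings and credentials into one
# inline profile. make_ovpn and pem_block are hypothetical helper names.
# Usage: make_ovpn <client> <server-address> [port] [pki-dir]

# Print only the PEM-armoured lines of a file. Certificates issued by easy-rsa
# can carry a human-readable text dump above the PEM data.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

make_ovpn() {
    name=$1 remote=$2 port=${3:-1194} pki=${4:-/etc/openvpn/easy-rsa/pki}
    out="$name.ovpn"
    # Refuse to write a profile if any credential is missing or not PEM.
    for f in "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key"; do
        if ! grep -q '^-----BEGIN ' "$f" 2>/dev/null; then
            echo "missing or non-PEM file: $f" >&2
            return 1
        fi
    done
    (
        # The profile embeds the client's private key, so create it owner-only.
        umask 077
        rm -f "$out"
        {
            printf '%s\n' client 'dev tun' 'proto udp' "remote $remote $port" \
                persist-key persist-tun 'remote-cert-tls server' \
                'cipher AES-256-CBC' 'verb 3'
            printf '<ca>\n';   pem_block "$pki/ca.crt";            printf '</ca>\n'
            printf '<cert>\n'; pem_block "$pki/issued/$name.crt";  printf '</cert>\n'
            printf '<key>\n';  pem_block "$pki/private/$name.key"; printf '</key>\n'
        } > "$out"
    )
    echo "$out"
}

# Run directly, e.g.: sh make_ovpn.sh client1 your_router_ip
if [ "$#" -ge 2 ]; then
    make_ovpn "$@"
fi
```

Transfer the resulting .ovpn file over an encrypted channel such as scp and delete any temporary copies, because anyone holding it can connect as that client.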
Step 5: Configure Your Firewall
To allow VPN traffic, you need to configure your firewall. Go to Network -> Firewall in LuCI. Add a new rule with the following settings:
- Name: OpenVPN
- Protocol: UDP or TCP (depending on your OpenVPN configuration)
- Source Zone: wan
- Destination Zone: Device (input)
- Destination Port: 1194 (or your chosen port)
- Action: Accept
This rule allows incoming OpenVPN traffic. You also need to configure port forwarding if your router is behind another NAT device. Forward the OpenVPN port (e.g., 1194) from the external IP address to your router’s LAN IP address.
Additionally, you might need to configure masquerading to allow VPN clients to access the internet through the VPN. Go to Network -> Firewall -> General Settings and make sure that masquerading is enabled for the VPN zone.
Step 6: Connect to the VPN
Now that everything is set up, you can connect to the VPN. Install an OpenVPN client on your device (e.g., OpenVPN Connect for Windows, macOS, Android, or iOS). Import the client configuration file you created earlier and connect to the VPN.
If everything is configured correctly, you should be able to connect to the VPN and access the internet through your router. Verify your IP address to ensure that you are using the VPN.
Troubleshooting
If you encounter any issues, here are a few things to check:
- Firewall Rules: Make sure your firewall rules are configured correctly.
- Routing: Ensure that routing is set up correctly, especially if you have multiple network interfaces.
- Logs: Check the OpenVPN logs for any errors. You can find the logs in LuCI under Status -> System Log.
- Client Configuration: Double-check your client configuration file for any typos or incorrect settings.
- DNS: Make sure your clients are using the correct DNS servers. You can configure DNS settings in the OpenVPN server configuration.
Conclusion
And that’s it! You’ve successfully set up an OpenVPN server on OpenWrt using LuCI. This setup provides a secure and private way to access the internet, protect your data, and bypass geo-restrictions. Remember to keep your keys and certificates safe and secure, and regularly update your OpenWrt firmware to protect against vulnerabilities. Enjoy your newfound privacy, and happy networking!