OpenVPN Server/Client Install

I am trying to set up a pair of AR300-M’s as an OpenVPN Server/Client pair. I have used the instructions at https://wiki.openwrt.org/doc/howto/vpn.openvpn.

I am doing this after using the stock GLI firmware and the LuCi installation that comes with it. I am adding luci-app-openvpn.

I go through the OpenWrt instructions and then use LuCi-OpenVPN-app to learn about and observe the changes.

It isn’t working. I am trying to set up a TUN configuration with both of my 300M’s on the LAN side of my home router. My eventual goal is to be able to use the GLI DDNS and take my client router on the road as a TAP. (I may have this wrong) (I may have all of this wrong)

Does anyone have anything like this working? How? Is there a tutorial or a HOWTO I can follow? Advice appreciated.

I have no experience to set up as server.

The router works as client right away. You don’t need Luci-app-openvpn, which is client as well.

To set up as server, you may need to refer to general openvpn guide to do this. You need to generate ovpn files and certs. Maybe you need a Linux PC to do this.

You can not build the test environment with both devices behind the “Home Router”, at least I was never able to find any instructions to do so.

You want to have openvpn-ssl and luci-openvpn-app on both devices. You will probably not be able to use the GLI tools.

Lets call the devices AR300-M-client, AR300-M-server and Home-router. Assume both AR300 are set to default other than the the above packages and IPs. Set the AR300-M-client DHCP range to 192.168.10.x and the AR300-M-server to 192.168.20.x (choose your own, but make sure they are not the same and differ from the Home-router which we will assume is 192.168.1.1).

Connect the Ethernet cable from your ISP to the WAN of the AR300-M-client
Connect the Ethernet cable from your AR300-M-client’s LAN to the WAN of your Home-router
Connect the Ethernet Cable from your Home-router’s LAN to the AR300-M-server’s WAN
Connect the Ethernet cable from your AR300-M-server’s LAN to a PC’s Ethernet port.

You will need to connect to the AR300-M-client via wireless with a second PC or add a dumb switch in between the AR300-M-client and Home-router (suggested). Avoid wireless for now.

Your AR300-M-client is acting as a pass through for the outside world as well as your future client.
The Home-router is your faux-ISP (You may actually be able to eliminate this, but I did not test it that way). I did no specific config to the Home-router.

In your AR300-M-server OpenVPN config file, the IP for the OpenVPN config will be the IP address the Home-server assigns to the WAN port of your AR300-M-server (192.168.1.x). If you can set a static IP on your Home-router, do that.

Any other devices connected to the Home-router will not be able to talk to devices on either AR-300, but should be able to talk to the internet. As you have a double-nat setup you may have some issues with some services working through this setup.

The resulting config will assume you use the AR300-M-server as your primary router, but if you want the server hanging off the back of your home router, you need to be able to configure some rules on the home router to forward traffic to the AR300-M-server behind it and set it on the same subnet similar to a dumb AP. Do not worry about that until you have all working vanilla. There is no wiki for this that I know of, but are some OpenWrt forum posts.

You should read all the OpenWrt wikis, though I prefer the once called streamlined
https://wiki.openwrt.org/doc/howto/openvpn-streamlined-server-setup

Here is another reference I like.
http://www.frogiswrong.com/blog/articles/8/openvpn-on-openwrt-a-little-more-detail

And the OpenVPN site itself has good content to help you understand parameters, but little config support for OpenWrt.

You can run multiple TAP and TUN servers and clients from the Luci App. You can enable or disable an instance in the GUI.

I also suggest you create all your certs directly from PC based tools and just copy the files to the router via WinSCp (Windows) or similar. Create enough certificates that you cover all your devices and make sure you save the parameters requested if you ever want to make more. You do not need to use your real name or email, indeed if you use your email it will display in OpenWrt log files for OpenVPN.

Set your logs to verbose=5.

I am keen to learn your performance results. Know that the higher you set the encryption and keys the slower your performance. These CPUs are not barn burners and do NOT have HW encryption like the PCs do. I think you should be able to do close to 15Mbps in test, but will see a drop in the real world.

Note that there are two ways to manage openvon config files. One has the file in the etc\config\ folder called openvpn and the other has a file called [name].conf (I think) in the etc\openvpn folder. The former is in OpenWrt format, the later is in openvpn format. Most tutorials use the former, some along with GLI the later. I expect you will need to use the former if you want to use the Luci app, but I have no experience here.

I did this 2 years ago and probably not a good resource for helping resolve specific config issues.

Thanks RangerZ. This is golden.