I've just been successful in setting up a basic openvpn client-to-LAN tunnel
following the 'OpenVPN Setup Guide for Beginners' page on the wiki. It took me
three tries, as I almost bricked my expensive WRT1900AC twice in the process. I
had to recover by 'switching to the alternate flash' as described on the
hardware page.
While it's all fresh in my mind, I felt I should document the pits I fell into,
and suggest some edits to the above mentioned page:
1) 'Scenario 0' is too trivial to even be considered. https and ssh provide
encrypted point-to-point links from a client on the LAN to the router. You're
just confusing the newbies by even mentioning an openvpn solution.
2) 'Scenario 1', providing access to the router alone from the WAN, could also
be accomplished by simply enabling sshd on the WAN interface. The simplest
implementation of openvpn would be access from a client on WAN to the entire LAN
behind the openwrt, as described in the first 'tuning' recipe, "Route Only Local
LAN Client Traffic Through the Tunnel" near the end of the article. I believe
this recipe should be incorporated in the basic HOWTO.
3) Install the required software:
When I got to the end of the basic HOWTO, and went to commit the firewall
changes, I received an error 'Unable to locate the ipset utility', so I had to
go back, find ipset in the list of available packages, and install it, before
proceeding.
Also, I discovered that a package 'luci-app-openvpn' has recently reappeared
in the repositories, after having been marked 'broken' for several years. I
installed it only to find that it's way too cryptic and incomplete for a newbie.
I certainly appreciate having GUI access to all those parameters, if I
understood them, but I feel that luci should have a simple one-page, no more
than three-step, easy enabler similar to the one that the stock Linksys firmware
(as of v1.1.10) provides. I seem to remember it being that easy on AA or an
earlier release...
4) Configure the network on the OpenWrt server:
This section contains instructions for both tun and tap implementations,
interleaved, and without clear distinctions, so that I messed up and executed
some tap-only commands when I was trying to follow the tun path. This resulted
in one of my bricks, when I screwed up the lan interface, and lost connectivity
to my router entirely. Thank goodness for the alternate flash containing
another copy of the stock firmware, so I could start all over again!
I would suggest recoding this section for a tun interface only, incorporating
the push routing for the local LAN, and leave an explanation of why one might
prefer tap, and how to implement it, to the 'Tunings' section or another
article.
When I finally got the vpn up and running, and made the edits for access to
the local LAN, I found that I could ping a host on the LAN, but I could not ssh
to the same host. Stopping the firewall on the server did open this up, so I
poked about and discovered that the forwarding rule for the vpn zone was
incorrectly defined. I had to change "dest='wan'" to "dest='lan'" in that
forwarding rule in /etc/config/firewall, then reload the firewall rules. Now I
can ssh to a workstation on the LAN. So I believe the last line in step 4 of
this section should be changed accordingly. (OR, does the comment 'this section
was added' mean that an additional forwarding section must be added, rather than
editing the forwarding section which was added in the basic howto? The rule
forwarding traffic from vpn to wan is really only necessary for the next
'tuning', where you reroute the client's default route through the VPN)
5) Configure the network on the OpenWrt client:
Again, this section is overly complicated for a beginner. It also mixes tun
and tap styles. Also, I believe that an openwrt to openwrt VPN is really a
special case, and a beginner howto should stick to a single scenario of remote
access from a laptop or other workstation to a protected LAN behind the openwrt
router. So this entire section should be moved to another article, and this
section stripped back to the 'Configure other clients' paragraph alone.
--
Rick Green
We, the People of the United States of America, reject the U.S. Supreme Court's
Citizens United ruling, and move to amend our Constitution to firmly establish
that money is not speech, and that human beings, not corporations, are persons
entitled to constitutional rights.
http://www.MoveToAmend.org
_______________________________________________
openwrt-users mailing list
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-users
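As an added check for the forwarding problem described in the post (this is not code from the post or from the wiki page), the following Python script parses the forwarding stanzas of an OpenWrt /etc/config/firewall, reports whether the vpn zone is forwarded into lan, and applies the same dest='wan' to dest='lan' edit the post made by hand. The sample config text is constructed to match the state the post describes.

```python
import re
# Constructed sample of the relevant stanzas of /etc/config/firewall, in the state
# the post describes after the basic HOWTO: the vpn zone is forwarded to 'wan'.
SAMPLE_FIREWALL = """\
config zone
    option name 'vpn'
    list device 'tun0'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'

config forwarding
    option src 'vpn'
    option dest 'wan'
"""
_STANZA = re.compile(r"^\s*config\s+(\S+)")
_OPTION = re.compile(r"^\s*option\s+(\S+)\s+'?([^'\s]*)'?")
def parse_uci(text):
    """Return stanzas as {'type', 'opts': {name: value}, 'at': {name: line index}}.
    'list' lines are ignored; this check only needs the 'option' values."""
    stanzas = []
    for no, line in enumerate(text.splitlines()):
        if m := _STANZA.match(line):
            stanzas.append({"type": m.group(1), "opts": {}, "at": {}})
        elif (m := _OPTION.match(line)) and stanzas:
            stanzas[-1]["opts"][m.group(1)] = m.group(2)
            stanzas[-1]["at"][m.group(1)] = no
    return stanzas

def forwarding_dests(text, src="vpn"):
    """Dest zones of every 'config forwarding' stanza whose src is `src`."""
    return [s["opts"].get("dest") for s in parse_uci(text)
            if s["type"] == "forwarding" and s["opts"].get("src") == src]

def vpn_reaches_lan(text, src="vpn"):
    """True if `src` is forwarded into the lan zone, which ssh to a LAN host needs;
    with only src->wan, as in the sample, the zone's forward policy rejects it."""
    return "lan" in forwarding_dests(text, src)

def fix_vpn_forwarding(text, src="vpn"):
    """Turn the first src->wan forwarding stanza into src->lan (the edit the post
    made by hand) and return the new text, unchanged if no such stanza exists."""
    lines = text.splitlines()
    for s in parse_uci(text):
        if (s["type"] == "forwarding" and s["opts"].get("src") == src
                and s["opts"].get("dest") == "wan"):
            i = s["at"]["dest"]
            lines[i] = re.sub(r"\bwan\b", "lan", lines[i], count=1)
            break
    return "\n".join(lines) + "\n"
```

On a real router the output of `fix_vpn_forwarding` would be written back to /etc/config/firewall and the firewall reloaded, as the post did.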