This is a uci-defaults script for an openvpn client (from circa May
2018; you need to provide your own value for
openvpn.foo.remote=${your-openvpn-server}, and you need to provide
your own /etc/openvpn/keys/ca.crt, /etc/openvpn/keys/client.crt, and
/etc/openvpn/keys/client.key):

#!/bin/sh

uci batch <<EOF

delete openvpn.custom_config
delete openvpn.sample_server
delete openvpn.sample_client

set openvpn.foo=openvpn
set openvpn.foo.enabled=1
set openvpn.foo.client='1'
set openvpn.foo.dev='tun'
set openvpn.foo.proto='udp'
set openvpn.foo.remote=${your-openvpn-server}
set openvpn.foo.resolve_retry='infinite'
set openvpn.foo.nobind='1'
set openvpn.foo.persist_key='1'
set openvpn.foo.persist_tun='0'
set openvpn.foo.keepalive='10 120'
set openvpn.foo.remote_cert_tls=server
set openvpn.foo.ca='/etc/openvpn/keys/ca.crt'
set openvpn.foo.cert='/etc/openvpn/keys/client.crt'
set openvpn.foo.key='/etc/openvpn/keys/client.key'
set openvpn.foo.compress='lzo'

commit openvpn

add firewall zone
set firewall.@zone[-1].input='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].name='vpn'
set firewall.@zone[-1].masq='1'
set firewall.@zone[-1].mtu_fix='1'
set firewall.@zone[-1].network='vpn'

add firewall forwarding
set firewall.@forwarding[-1].dest='vpn'
set firewall.@forwarding[-1].src='lan'

commit firewall

EOF

No warranty!

On Sun, Feb 20, 2022 at 7:10 PM Russell Senior
<russ...@personaltelco.net> wrote:
>
> I am not sure what it's called, tunnel maybe? It is feasible. These
> days wireguard is maybe the "cooler" option. Over at Personal Telco
> land, we are still using OpenVPN because it can handle broadcast or
> multicast traffic or something, which wireguard can't, and we need it
> for the dynamic routing protocol (OLSR) we use. But, I could probably
> give you an OpenWrt config that would work (not from memory, but
> looking at previous examples).
>
> --
> Russell Senior
> russ...@personaltelco.net
>
> On Sun, Feb 20, 2022 at 6:57 PM Eric House <eeho...@eehouse.org> wrote:
> >
> > I'm visiting my daughter in Spain next month, and thought it'd be fun to
> > leave her with a little device that takes her home, as it were: a
> > GL-MT300N-V2 that when connected via Ethernet to her ISP's WAN port becomes
> > a wifi access point that routes all its traffic through our place in
> > Corvallis.
> >
> > I've joined residences using OpenVPN before, but a quick look at the docs
> > suggests that most users of VPNs on OpenWRT are connecting to a commercial
> > VPN host rather than to another OpenWRT instance.
> >
> > First question: is what I want to do feasible/possible? (I suspect that the
> > $25 device I'm starting with will not support a heavy load very well.
> > That's ok: she can upgrade if the concept works out.)
> >
> > Second, is there a name for what I'm trying to do? Usually when I can't
> > find answers on Google it's because I don't know what to ask for.
> >
> > Thanks!
> >
> > --Eric
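
Added example, not part of the original messages: a pre-flight check for the inputs the uci-defaults script above expects the user to supply. The function name and messages are hypothetical; the file names and the placeholder come from the post. It also catches the case where the placeholder was never replaced, because inside the unquoted heredoc sh expands ${your-openvpn-server} to the literal text "openvpn-server" when the variable `your` is unset.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original post).
# Usage on the router: check_vpn_inputs /etc/openvpn/keys "$remote"

# check_vpn_inputs KEYDIR REMOTE
# Prints one line per problem and returns the number of problems found.
check_vpn_inputs() {
    keydir=$1
    remote=$2
    problems=0

    # ca.crt, client.crt and client.key must exist and be non-empty.
    for f in ca.crt client.crt client.key; do
        if [ ! -s "$keydir/$f" ]; then
            echo "missing or empty: $keydir/$f"
            problems=$((problems + 1))
        fi
    done

    # The private key should not be accessible to group or other.
    # Characters 5-10 of the ls mode string are the group/other bits.
    if [ -s "$keydir/client.key" ]; then
        go_perms=$(ls -ld "$keydir/client.key" | cut -c5-10)
        if [ "$go_perms" != "------" ]; then
            echo "client.key is accessible to group/other: $go_perms"
            problems=$((problems + 1))
        fi
    fi

    # An unreplaced placeholder reaches uci either as an empty value,
    # as the expanded default "openvpn-server", or (if the heredoc was
    # quoted) as text still containing "${".
    case "$remote" in
        ''|openvpn-server|*'${'*)
            echo "remote is still a placeholder: '$remote'"
            problems=$((problems + 1))
            ;;
    esac

    return "$problems"
}
```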
