Showing results for tags 'LuCI'.
-
(This is a cross-post of this site: https://forum.openwrt.org/t/creating-a-policy-based-routed-openvpn-connection-editible-inside-luci-openvpn-app/26840)

Hi,

I customized two guides on the AirVPN forum (https://airvpn.org/topic/15405-using-airvpn-with-openwrt/ and https://airvpn.org/topic/20303-airvpn-configuration-on-openwrt-preventing-traffic-leakage-outside-tunnel/) regarding creating OpenVPN profiles, but couldn't achieve everything I wanted. Here are the things I wanted:

- Creating an OpenVPN connection using Policy-Based Routing without any leakage
- Editing using the OpenVPN LuCI app, when needed.

Here are the steps:

1) Unbridge the LAN interface(s). Go to "Physical Settings" of the LAN interface(s) and uncheck "creates a bridge over specified interface(s)". Check the interface button of your connected (new wireless) network.

2) Connect to your router via SSH.

3.1) Update the packages:
opkg update

3.2) Install OpenVPN and nano:
opkg install openvpn-openssl
opkg install nano

3.3) (Optional) Install the LuCI component of OpenVPN:
opkg install luci-app-openvpn

4) Make it autostart when the router starts:
/etc/init.d/openvpn enable

5) Back up the current OpenVPN files:
mv /etc/config/openvpn /etc/config/openvpn_old

6) Create a new interface for AirVPN:
cat >> /etc/config/network << EOF
config interface 'airvpn'
option proto 'none'
option ifname 'tun0'
EOF

Alternate way:
uci set network.airvpn=interface
uci set network.airvpn.proto='none'
uci set network.airvpn.ifname='tun0'
uci commit network

7) Use the "Config Generator" of AirVPN to create the OpenVPN files. Please select "Advanced Mode" and check "Separate keys/certs from .ovpn file" and "Resolved hosts in .ovpn file". Save the files on your machine.

8) Move into the openvpn folder:
cd /etc/openvpn

9) Use nano to create all the required files on your router. Copy and paste the following files "AirVPN_**************.ovpn, ta.key, ca.crt, user.crt, user.key" to the PuTTY folder.
Rename "AirVPN_**************.ovpn" to airvpn.conf for usability. Then apply these commands:
nano airvpn.conf
nano ta.key
nano ca.crt
nano user.crt
nano user.key
Use ^S (Control+S) on each line.

airvpn.conf should look like this (or just use the ovpn file):
client
dev tun
proto udp
remote xxx.XXX.xxx.XXX XXX
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
route-delay 5
verb 3
ca ca.crt
cert user.crt
key user.key
tls-auth ta.key 1

10) Create a firewall zone for AirVPN (air_firewall):
cat >> /etc/config/firewall << EOF
config zone
option name 'air_firewall'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'airvpn'

config forwarding
option dest 'air_firewall'
option src 'lan'
EOF

Alternate way:
uci add firewall zone
uci set firewall.@zone[-1].name='air_firewall'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='airvpn'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='air_firewall'
uci commit firewall

11) Prevent leakage outside the VPN tunnel:
uci del firewall.@forwarding[0]
uci set firewall.@zone[1].masq=0
uci commit firewall

12) The file /etc/config/openvpn should contain the following appended strings:
uci set openvpn.airvpn=openvpn
uci set openvpn.airvpn.enabled='1'
uci set openvpn.airvpn.config='/etc/openvpn/AirVPN_XXX_UDP-443.ovpn'   (optional)
uci commit openvpn

13) Reboot the router.

14) Test the OpenVPN configuration:
openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.conf
At the end it should show "Initialization Sequence Completed". Stop openvpn with Ctrl-C.
Important: I've got these results. It showed me this error:
Options error: You must define TUN/TAP device (--dev)

Then I tried this:
openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.conf --dev tun0

The output is this:
Mon Dec 10 20:44:19 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Mon Dec 10 20:44:19 2018 OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Dec 10 20:44:19 2018 library versions: OpenSSL 1.0.2p 14 Aug 2018, LZO 2.10
Mon Dec 10 20:44:19 2018 ******* WARNING *******: All encryption and authentication features disabled -- All data will be tunnelled as clear text and will not be protected against man-in-the-middle changes. PLEASE DO RECONSIDER THIS CONFIGURATION!
Mon Dec 10 20:44:19 2018 TUN/TAP device tun0 opened
Mon Dec 10 20:44:19 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Dec 10 20:44:19 2018 UDPv4 link local (bound): [AF_INET][undef]:1194
Mon Dec 10 20:44:19 2018 UDPv4 link remote: [AF_UNSPEC]

15) Use the AirVPN DNS:
uci add_list dhcp.lan.dhcp_option="6,10.4.0.1"
uci commit dhcp
reboot

Alternate way:
uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns='10.4.0.1'
uci commit

config interface 'wan'
option ifname 'eth0.2'
option force_link '1'
option proto 'dhcp'
option peerdns '0'
list dns '10.4.0.1'

16) Secure against IP leak, back up the old firewall:
mv /etc/config/firewall /etc/config/firewall.backup

17) Create new firewall rules:
cat >> /etc/config/firewall << EOF
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option network 'wan'
option input 'ACCEPT'

config zone
option name 'airvpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'airvpn'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

config forwarding
option dest 'airvpn'
option src 'lan'
EOF

Another way: To prevent traffic leakage in case the VPN tunnel drops, you should edit the file /etc/firewall.user with the following content:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

# Block all forwarding while tun0 is not up (the rule is removed by the hotplug script below).
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
iptables -I forwarding_rule -j REJECT
fi

# LAN traffic may only ever leave through a tun interface.
if (! iptables -C forwarding_lan_rule ! -o tun+ -j REJECT); then
iptables -I forwarding_lan_rule ! -o tun+ -j REJECT
fi

18) You should also create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with the following content:

#!/bin/sh
# Lift the forwarding block when tun0 comes up, restore it when it goes down.
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
iptables -D forwarding_rule -j REJECT
fi
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
iptables -I forwarding_rule -j REJECT
fi

Use these commands:
cd /etc/hotplug.d/iface/
nano 99-prevent-leak

19) In some cases openvpn hangs with a log message like "couldn't resolve host ...". In this case the tunnel stays up, but the connection is lost. It should be reconnected manually, with the following script /etc/openvpn/reconnect.sh, which is added to /etc/rc.local as (can be added through the Startup page):
/etc/openvpn/reconnect.sh &

The content of the script reconnect.sh is like:

#!/bin/sh
# Every 50 s send $n pings; if none is answered, restart OpenVPN.
# BusyBox grep -E has no \d, so digits are matched with [0-9]; ${t:-0} covers the case where ping prints no summary at all.
n=10
while sleep 50; do
t=$(ping -c $n 8.8.8.8 2>/dev/null | grep -o -E '[0-9]+ packets received' | grep -o -E '^[0-9]+')
if [ "${t:-0}" -eq 0 ]; then
/etc/init.d/openvpn restart
fi
done

Test here: https://ipleak.net/

I messed something up somewhere. So, I reset my router and started from scratch.

Questions:
- What might not be needed from the above list?
- What can be done to achieve more with the vpn-policy-routing and luci-app-vpn-policy-routing apps? I could not find anything easily in the forum (VPN Policy-Based Routing + Web UI -- Discussion), as I need IP-based exclusions for the VPN on the LAN.
- Creating a profile with the OpenVPN LuCI app prevents me from uploading the ta.key file, but I need the app's functionality in some way.
- Is using
cat >> /etc/config/XXX << EOF
config xxx
...
EOF
commands risky, while restoring some settings and even reconfiguring OpenVPN?
As a note, I gathered the LuCI app configuration from a backup of the router. Here are the locations of the uploaded files:
option ca '/etc/luci-uploads/cbid.openvpn.AirVPN.ca'
option cert '/etc/luci-uploads/cbid.openvpn.AirVPN.cert'
option key '/etc/luci-uploads/cbid.openvpn.AirVPN.key'
option tls_auth '/etc/openvpn/ta.key 1'
The last one was entered manually. So, it's not valid anyway. Also, there is a line which I do not remember entering. Is this needed? What is its purpose?
option route_gateway '10.234.1.1'
Can someone help me with these please? Thanks...
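The two leak paths that steps 11 and 17 of the post above are meant to close (a lan-to-wan forwarding section, and NAT on the wan zone) are easy to reintroduce when the firewall file is rebuilt with `cat >>`, and the ruleset in step 17 also sets `input 'ACCEPT'` on the wan zone, whereas OpenWrt's default for wan is REJECT. The audit below is an added example, not code from the post or from the AirVPN guides: it reads the text of /etc/config/firewall (or `uci export firewall`) from stdin and reports each leak path it finds. The VPN zone name is an argument because the post uses `air_firewall` in step 10 and `airvpn` in step 17; the two sample configs are constructed to mirror the state after step 10 and after step 11.

```shell
# fw_leak_audit: static check of an OpenWrt firewall config for the leak paths
# that steps 11 and 17 above are meant to close. Added example, not code from
# the post or the AirVPN guides. Input: the text of /etc/config/firewall or of
# `uci export firewall`. Zone names are assumptions, overridable as arguments
# (vpn zone defaults to "airvpn", wan zone to "wan"). Prints one LEAK: line per
# finding; exit status is the number of findings. Handles single-word option
# values only, which is all that zone and forwarding sections use.

fw_leak_audit() {
    vpn_zone="${1:-airvpn}"; wan_zone="${2:-wan}"
    awk -v vpn="$vpn_zone" -v wan="$wan_zone" -v q="'" '
    function flush() {   # judge the section just finished, then reset it
        if (type == "forwarding" && src == "lan" && dst == wan)
            bad["lan->" wan " forwarding still present (step 11 not applied)"]++
        if (type == "forwarding" && src == "lan" && dst == vpn) fwd_vpn = 1
        if (type == "zone" && name == wan) {
            if (masq == "1") bad["masq on zone " wan " (LAN traffic can be NATed out the WAN)"]++
            if (inp == "ACCEPT") bad["input ACCEPT on zone " wan " (router services reachable from WAN)"]++
        }
        if (type == "zone" && name == vpn) {
            seen_vpn = 1
            if (masq != "1") bad["no masq on zone " vpn " (LAN clients cannot use the tunnel)"]++
        }
        type = ""; name = ""; src = ""; dst = ""; masq = ""; inp = ""
    }
    $1 == "config" { flush(); type = $2; next }
    $1 == "option" {
        v = $3; gsub(q, "", v)   # strip the single quotes uci writes
        if ($2 == "name") name = v;  if ($2 == "src") src = v
        if ($2 == "dest") dst = v;   if ($2 == "masq") masq = v
        if ($2 == "input") inp = v
    }
    END {
        flush()
        if (!seen_vpn) bad["no zone named " vpn]++
        if (!fwd_vpn) bad["no lan->" vpn " forwarding (LAN has no path into the tunnel)"]++
        n = 0
        for (k in bad) { print "LEAK: " k; n++ }
        if (n == 0) print "OK: no leak path found"
        exit n
    }'
}

# Constructed sample: the firewall as it stands after step 10, before step 11
# (lan->wan forwarding still there, wan still masquerading, wan input ACCEPT).
sample_after_step10() {
cat <<'EOF'
config zone
	option name 'lan'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option masq '1'

config zone
	option name 'airvpn'
	option input 'REJECT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'airvpn'
EOF
}

# Constructed sample: the same config after step 11 (forwarding[0] deleted,
# zone[1].masq=0), with wan input REJECT, OpenWrt's default, instead of ACCEPT.
sample_after_step11() {
cat <<'EOF'
config zone
	option name 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option masq '0'

config zone
	option name 'airvpn'
	option input 'REJECT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'airvpn'
EOF
}

echo "== after step 10 =="; sample_after_step10 | fw_leak_audit || :
echo "== after step 11 =="; sample_after_step11 | fw_leak_audit || :
```

On the router, `uci export firewall | fw_leak_audit air_firewall` checks the live config for the step-10 zone name; a non-zero exit status makes it usable from a pre-commit hook or the reconnect watchdog. The check is static: it does not replace an end-to-end test such as ipleak.net, but it catches the state where `cat >>` appended a second copy of a section that `uci del firewall.@forwarding[0]` had already removed once.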
-
I always get this error no matter what:
Sat Dec 2 19:17:00 2017 daemon.err openvpn(LA_VPN)[4922]: Options error: specify only one of --tls-server, --tls-client, or --secret
Sat Dec 2 19:17:00 2017 daemon.warn openvpn(LA_VPN)[4922]: Use --help for more information.
Screenshots are attached. The OpenVPN version is 2.4.4-2. Is there anything I can do to fix this through LuCI?
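The error in the post above names OpenVPN's three mutually exclusive key-exchange modes: `--tls-server` (also implied by `--server`), `--tls-client` (also implied by `--client`) and `--secret` (static key). OpenWrt's openvpn init script turns every option of a /etc/config/openvpn section into the matching command-line option, with `_` spelled `-`, so a LuCI profile with `client` set and anything in the `secret` field produces exactly this message. The screenshots are not on this page, so the cause is an assumption; a common way to get there is entering the tls-auth key in `secret` instead of `tls_auth`. The lint below is an added example, not code from the post or from luci-app-openvpn: it reads a plain .ovpn/.conf or a UCI section from stdin and names the clash. The three sample configs are constructed, including the `cbid.openvpn.LA_VPN.*` upload paths.

```shell
# ovpn_mode_lint: pre-flight check for "specify only one of --tls-server,
# --tls-client, or --secret". Added example, not from the post. Input on stdin
# is either a plain .ovpn/.conf or one section of /etc/config/openvpn as
# luci-app-openvpn writes it (option lines; the init script turns
# `option tls_client '1'` into --tls-client). Exit status is the number of
# modes selected beyond the first, so 0 means this clash is not the cause.

ovpn_mode_lint() {
    awk -v q="'" '
    BEGIN { n = 0 }
    function mark(mode, from) { if (!(mode in seen)) { seen[mode] = from; n++ } }
    {
        key = $1; val = $2
        if ($1 == "option" || $1 == "list") { key = $2; val = $3 }   # UCI form
        if (key == "" || key ~ /^#/ || key ~ /^;/) next               # blank or comment
        gsub(/_/, "-", key)            # UCI tls_client is OpenVPN tls-client
        gsub(q, "", val)               # strip the quotes uci writes
        if (val == "0") next           # UCI boolean switched off
        if (key == "tls-server" || key == "server") mark("tls-server", key)
        if (key == "tls-client" || key == "client") mark("tls-client", key)
        if (key == "secret") mark("secret", key)
    }
    END {
        if (n > 1) {
            printf "CONFLICT: %d key-exchange modes selected:", n
            for (m in seen) printf " %s (via \"%s\")", m, seen[m]
            print ""
            exit n - 1
        }
        if (n == 0) { print "NOTE: no key-exchange mode selected"; exit 0 }
        for (m in seen) print "OK: single mode " m
        exit 0
    }'
}

# Constructed: a client section the way luci-app-openvpn stores it, with a key
# uploaded through the "secret" field next to client=1 (assumed cause).
sample_bad_uci() {
cat <<'EOF'
config openvpn 'LA_VPN'
	option enabled '1'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	option ca '/etc/luci-uploads/cbid.openvpn.LA_VPN.ca'
	option cert '/etc/luci-uploads/cbid.openvpn.LA_VPN.cert'
	option key '/etc/luci-uploads/cbid.openvpn.LA_VPN.key'
	option secret '/etc/luci-uploads/cbid.openvpn.LA_VPN.secret'
EOF
}

# Constructed: the same profile with the key moved to tls_auth (the field
# meant for a ta.key), leaving --tls-client as the only mode.
sample_good_uci() {
cat <<'EOF'
config openvpn 'LA_VPN'
	option enabled '1'
	option client '1'
	option dev 'tun'
	option ca '/etc/luci-uploads/cbid.openvpn.LA_VPN.ca'
	option cert '/etc/luci-uploads/cbid.openvpn.LA_VPN.cert'
	option key '/etc/luci-uploads/cbid.openvpn.LA_VPN.key'
	option tls_auth '/etc/luci-uploads/cbid.openvpn.LA_VPN.tls_auth 1'
EOF
}

# Constructed: plain .conf, static-key point-to-point; secret on its own is valid.
sample_static_conf() {
cat <<'EOF'
# p2p static key tunnel
dev tun
remote 203.0.113.10 1194
secret static.key
EOF
}

for s in sample_bad_uci sample_good_uci sample_static_conf; do
    echo "== $s =="; $s | ovpn_mode_lint || :
done
```

On the router, `uci export openvpn | ovpn_mode_lint` runs the same check over the profile LuCI wrote; if it reports a conflict between `client` and `secret`, clear the `secret` field in the profile and put the key in `tls_auth` (or, for a true static-key tunnel, drop `client`).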