I am posting my working OpenVPN server configuration, and client configuration for Linux, Android and iOS. First a little background.
I have an OpenWRT (14.07) router running OpenVPN server. This router has a public IP address and thanks to dyn.com/dns it can be resolved using a domain name (ROUTER.PUBLIC in all configuration examples below).
My router LAN address is 192.168.8.1, the LAN network is 192.168.8.*, and the OpenVPN network is 192.168.9.* (in this range OpenVPN clients will be given an address for their vpn/tun device). I run OpenVPN on TCP 1143.
What I want to achieve is
1) to access local services (like ownCloud and ssh) of computers on the LAN
2) to access internet as if I were at home, when I have an internet access that is somehow restricted
Essentially, this OpenWRT OpenVPN Setup Guide is very good. Follow it. I am not going to repeat everything, just post my working configurations.
root@breidablick:/etc/config# cat openvpn
config openvpn 'myvpn'
        option enabled '1'
        option dev 'tun'
        option proto 'tcp'
        option status '/tmp/openvpn.clients'
        option log '/tmp/openvpn.log'
        option verb '3'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option server '192.168.9.0 255.255.255.0'
        option port '1143'
        option keepalive '10 120'
        option dh '/etc/openvpn/dh2048.pem'
        # several push directives must be 'list' entries: a repeated 'option' keeps only its last value
        list push 'redirect-gateway def1'
        list push 'dhcp-option DNS 192.168.8.1'
        list push 'route 192.168.8.0 255.255.255.0'
Whether the three push directives reach every client depends on how they are written: UCI keeps only the last value of an option that is assigned several times, so they must be `list push` entries; written as three repeated `option push` lines, only the last one (the route) is actually sent, which is why the client configurations below also set redirect-gateway and DNS themselves. I also have:
root@breidablick:/etc/config# cat network
. . .
config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'
root@breidablick:/etc/config# cat firewall
. . .
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        list network 'vpn0'
. . .
config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'wan'
. . .
# the next two may not be needed depending on your lan policies
config rule
        option name 'Allow-lan-vpn'
        option src 'lan'
        option dest 'vpn'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-vpn-lan'
        option src 'vpn'
        option dest 'lan'
        option target 'ACCEPT'
        option family 'ipv4'
. . .
# may not be needed depending on your wan policy
config rule
        option name 'Allow-OpenVPN-from-Internet'
        option src 'wan'
        option proto 'tcp'
        option dest_port '1143'
        option target 'ACCEPT'
        option family 'ipv4'
You need to install OpenVPN client for iOS from the app store. The client configuration is prepared on your computer, and synced with iOS using iTunes (brilliant or braindead?). This is my working configuration:
client
dev tun
ca ca.crt
cert iphone.crt
key iphone.key
remote ROUTER.PUBLIC 1143 tcp-client
route 0.0.0.0 0.0.0.0 vpn_gateway
dhcp-option DNS 192.168.8.1
redirect-gateway def1
The route and redirect-gateway lines make all traffic go via the VPN. Omit those lines if you want direct internet access and only the LAN route through the tunnel.
For Android, you also need to install the OpenVPN client from the Store. My client is the “OpenVPN for Android” by Arne Schwabe. This client has a GUI that allows you to configure everything (but you need to get the certificate files to your Android device somehow). You can watch the entire Generated Config in the GUI and mine looks like this (omitting GUI and Android-specific stuff, and the certificates):
ifconfig-nowarn
client
verb 4
connect-retry-max 5
connect-retry 5
resolv-retry 60
dev tun
remote ROUTER.PUBLIC 1143 tcp-client
route 0.0.0.0 0.0.0.0 vpn_gateway
dhcp-option DNS 192.168.8.1
remote-cert-tls server
management-query-proxy
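Both the iOS and the Android client need the CA certificate, the client certificate and the private key copied to the device. OpenVPN clients accept all three inline in the profile between <ca>, <cert> and <key> tags, so a single .ovpn file is enough. The script below is an added example, not part of the original post or of the OpenVPN project: it builds such a profile from the separate PEM files, refuses to embed a private key that is group- or world-readable, and sets remote-cert-tls server so that another client certificate from the same CA cannot pose as the router. The file names, the output path and the placeholder PEM contents in the demo are constructed assumptions, not real keys.

```shell
#!/bin/sh
# Added example (not from the original post): bundle ca.crt, <client>.crt and
# <client>.key into one self-contained .ovpn so only a single file has to be
# carried to the phone. File names and the remote host are assumptions.

# make_ovpn HOST PORT CA CERT KEY  -> writes the unified profile to stdout
make_ovpn() {
    host=$1
    port=$2
    ca=$3
    cert=$4
    key=$5
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "make_ovpn: cannot read $f" >&2; return 1; }
    done
    # The private key is copied into the profile, so stop if it is already
    # readable by group or others (columns 5-10 of 'ls -l' are the g/o bits).
    case $(ls -ld "$key" | cut -c5-10) in
        ------) ;;
        *) echo "make_ovpn: $key is group/world readable, chmod 600 it first" >&2
           return 1 ;;
    esac
    cat <<EOF
client
dev tun
proto tcp
remote $host $port
nobind
persist-key
persist-tun
# only accept a server certificate carrying the TLS server role, so a
# stolen client certificate signed by the same CA cannot impersonate the router
remote-cert-tls server
# uncomment the next two lines to send all traffic and DNS through the tunnel
#redirect-gateway def1
#dhcp-option DNS 192.168.8.1
verb 3
<ca>
$(cat "$ca")
</ca>
<cert>
$(cat "$cert")
</cert>
<key>
$(cat "$key")
</key>
EOF
}

# Demo run with constructed placeholder PEM files (not real certificates or keys).
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA\n-----END CERTIFICATE-----\n' > "$demo_dir/ca.crt"
printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CLIENT\n-----END CERTIFICATE-----\n' > "$demo_dir/iphone.crt"
printf -- '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-KEY\n-----END PRIVATE KEY-----\n' > "$demo_dir/iphone.key"
chmod 600 "$demo_dir/iphone.key"
make_ovpn ROUTER.PUBLIC 1143 "$demo_dir/ca.crt" "$demo_dir/iphone.crt" "$demo_dir/iphone.key" > "$demo_dir/iphone.ovpn"
# the profile now contains the private key: protect it like the key itself
chmod 600 "$demo_dir/iphone.ovpn"
```

Copy the resulting iphone.ovpn to the device (iTunes file sharing for the iOS client, or any file transfer for the Android one) and import it; the route, redirect-gateway and dhcp-option lines from the configurations above can be appended to the generated profile if you want all traffic to go through the router. Delete the .ovpn from any shared folder afterwards, since it carries the private key.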
I also connect Linux computers occasionally. The configuration is:
client
# the server listens on TCP 1143, not the OpenVPN default 1194
remote ROUTER.PUBLIC 1143
ca ca.crt
cert linux.crt
key linux.key
dev tun
proto tcp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
# drop privileges after the tunnel is up; persist-key/persist-tun above make this work across restarts
user nobody
group nogroup
verb 5
# redirect-gateway local def1
log log.txt
Here the redirect-gateway line is commented out, so internet traffic does not go via the VPN; only the LAN route pushed by the server is used.
The easy-rsa package and instructions in the OpenWRT guide above are excellent. You should have different certificates for different clients: the server allows only one concurrent connection per certificate common name (unless duplicate-cn is set, which you should not do), and a separate certificate per device lets you revoke just that one if a phone or laptop is lost, by publishing a CRL and pointing the server at it with crl-verify.
I don't say this is the optimal or best way to configure OpenVPN, but it works for me. You may prefer UDP over TCP, and my reasons for running TCP are perhaps not valid for you. You may want different encryption or data compression options, different logging options and so on. Since the port is open to the whole internet, adding a tls-auth key on the server and all clients is also worth considering: packets that are not signed with it are dropped before the TLS handshake even starts.