Bitbull Tech Notes - home of free minds ...

Provide Static Routes via DNSMasq on OpenWRT

OpenWRT is great for building simple site-to-site VPNs with OpenVPN.

I often use these settings (example) for a site-to-site VPN:

  • Local Network: 192.168.1.0/24
  • Local ADSL Gateway: 192.168.1.1
  • Local OpenWRT VPN Gateway: 192.168.1.2
  • Remote Network: 192.168.9.0/24
  • Remote ADSL Gateway: 192.168.9.1
  • Remote OpenWRT VPN Gateway: 192.168.9.2

To configure the local gateway's DNSMasq (DHCP server) so that it hands out static routes to its clients, use this config:

/etc/config/dhcp

config dhcp 'lan'
	[...]
	list dhcp_option '249,192.168.9.0/24,192.168.1.2'
	list dhcp_option '121,192.168.9.0/24,192.168.1.2'

You can also set these options in the LuCI web interface:

Network > Interfaces > LAN > Edit > DHCP Server > Advanced Settings > Dhcp-Options

  • 249,192.168.9.0/24,192.168.1.2
  • 121,192.168.9.0/24,192.168.1.2

I use two different options for the same route, which is not really needed.
Windows clients read option 249 (older clients) and Linux clients read both options.
But I have only done a few tests, so you have to test which way is best for your setup.

https://tools.ietf.org/html/rfc3442

https://msdn.microsoft.com/en-us/library/cc227282.aspx


PS: For the ISC DHCP server, you can do it this way:

# declare the two option codes (RFC 3442 code 121, Microsoft code 249) once,
# then reference them below under exactly the same names
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
option ms-classless-static-routes code 249 = array of unsigned integer 8;
subnet 192.168.1.0 netmask 255.255.255.0 {
   # prefix length, significant destination octets, then the gateway octets
   option rfc3442-classless-static-routes 24, 192,168,9, 192,168,1,2;
   option ms-classless-static-routes 24, 192,168,9, 192,168,1,2;
}
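Both the dnsmasq lines (`121,192.168.9.0/24,192.168.1.2`) and the ISC lines (`24, 192,168,9, 192,168,1,2`) describe the same RFC 3442 wire format: one byte of prefix length, only the significant octets of the destination, then the four gateway octets. The Python codec below is an added example, not part of this note or of dnsmasq/ISC; it encodes and decodes that format, renders it in both syntaxes, and uses the example addresses from above. It also covers a caveat the two configs leave out: RFC 3442 says a client that processes option 121 must ignore the Router option (3), so the default route (0.0.0.0/0 via 192.168.1.1 in the example network) should be part of the same option, or clients that honour 121 lose their default gateway.

```python
"""RFC 3442 classless static route codec (DHCP option 121; Microsoft uses the
same wire format under option 249).  Added example, not part of the original
note; the addresses below are the example network from the text."""
import ipaddress

OPTION_CLASSLESS_STATIC_ROUTE = 121     # RFC 3442
OPTION_MS_CLASSLESS_STATIC_ROUTE = 249  # Microsoft pre-standard code, same format


def encode_routes(routes):
    """Encode (destination CIDR, gateway) pairs into the option payload.

    Per route: one byte prefix length, then only the significant octets of
    the destination (ceil(prefix/8) of them), then the four gateway octets.
    strict=True rejects destinations with host bits set (e.g. 192.168.9.1/24).
    """
    out = bytearray()
    for dest, gateway in routes:
        net = ipaddress.IPv4Network(dest, strict=True)
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(gateway).packed
    return bytes(out)


def decode_routes(payload):
    """Inverse of encode_routes; raises ValueError on a truncated or bad payload."""
    routes = []
    i = 0
    while i < len(payload):
        prefixlen = payload[i]
        i += 1
        if prefixlen > 32:
            raise ValueError(f"prefix length {prefixlen} out of range")
        significant = (prefixlen + 7) // 8
        if i + significant + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = bytes(payload[i:i + significant]) + b"\x00" * (4 - significant)
        i += significant
        gateway = ipaddress.IPv4Address(bytes(payload[i:i + 4]))
        i += 4
        net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(dest)}/{prefixlen}")
        routes.append((str(net), str(gateway)))
    return routes


def isc_dhcpd_value(payload):
    """Render the payload as the 'array of unsigned integer 8' list dhcpd.conf expects."""
    return ", ".join(str(b) for b in payload)


def dnsmasq_option_line(routes, code=OPTION_CLASSLESS_STATIC_ROUTE):
    """Render the routes in the CIDR syntax dnsmasq accepts for options 121/249."""
    return f"{code}," + ",".join(f"{dest},{gateway}" for dest, gateway in routes)


# Constructed sample: the remote site from the text plus the default route,
# because RFC 3442 clients ignore option 3 (Router) when option 121 is present.
EXAMPLE_ROUTES = [
    ("192.168.9.0/24", "192.168.1.2"),  # remote site via the OpenWRT VPN gateway
    ("0.0.0.0/0", "192.168.1.1"),       # default route via the ADSL gateway
]

if __name__ == "__main__":
    payload = encode_routes(EXAMPLE_ROUTES)
    print("wire bytes :", payload.hex(" "))
    print("dhcpd.conf :", isc_dhcpd_value(payload))
    print("dnsmasq    :", dnsmasq_option_line(EXAMPLE_ROUTES))
    assert decode_routes(payload) == EXAMPLE_ROUTES
```

Running it prints the byte list that belongs in the dhcpd.conf option line and the equivalent dnsmasq `dhcp_option` value; the decoder is handy for checking what a capture of a DHCP offer actually carries.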
OpenVPN Server on OpenWRT

http://wiki.openwrt.org/doc/howto/vpn.openvpn

Remote Network: 192.168.11.0/24
Transport Network: 10.8.0.0/24
WAN IP: myvpn.bitbull.ch

opkg update
opkg install openvpn-openssl openvpn-easy-rsa

  • /etc/easy-rsa/vars

export KEY_COUNTRY="CH"
export KEY_PROVINCE="SG"
export KEY_CITY="St. Gall"
export KEY_ORG="Bitbull Tech"
export KEY_EMAIL="crn@bitbull.ch"
export KEY_OU="Office"
export KEY_NAME="work.bitbull.ch"

cd /etc/easy-rsa/

source /etc/easy-rsa/vars   ## loads the KEY_* variables and KEY_DIR (/etc/easy-rsa/keys)
clean-all                   ## wipes $KEY_DIR, only for a brand-new CA

pkitool --initca ## equivalent to the 'build-ca' script
pkitool --server fw3 ## equivalent to the 'build-key-server' script

build-dh ## and grab some coffee

cd $KEY_DIR
mkdir -p /etc/openvpn
cp ca.crt fw3.* dh2048.pem /etc/openvpn/

## tun0 as an unmanaged interface, so it can be put into its own firewall zone
uci set network.vpn0=interface
uci set network.vpn0.ifname=tun0
uci set network.vpn0.proto=none
uci commit network; /etc/init.d/network reload

## accept OpenVPN handshakes on udp/1194 from any zone
uci add firewall rule
uci set firewall.@rule[-1].name=Allow-OpenVPN-Inbound
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].src=*
uci set firewall.@rule[-1].proto=udp
uci set firewall.@rule[-1].dest_port=1194

## separate zone for the tunnel
uci add firewall zone
uci set firewall.@zone[-1].name=vpn
uci set firewall.@zone[-1].input=ACCEPT
uci set firewall.@zone[-1].forward=ACCEPT
uci set firewall.@zone[-1].output=ACCEPT
uci set firewall.@zone[-1].network=vpn0

## without these two forwardings VPN clients only reach the router itself,
## not the 192.168.11.0/24 LAN whose route is pushed to them
uci add firewall forwarding
uci set firewall.@forwarding[-1].src=vpn
uci set firewall.@forwarding[-1].dest=lan
uci add firewall forwarding
uci set firewall.@forwarding[-1].src=lan
uci set firewall.@forwarding[-1].dest=vpn

uci commit firewall
/etc/init.d/firewall reload
  • /etc/config/openvpn

config openvpn 'myvpn'
	option enabled '1'
	option dev 'tun'
	option proto 'udp'
	option log '/tmp/openvpn.log'
	option verb '3'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/fw3.crt'
	option key '/etc/openvpn/fw3.key'
	# crl.pem is written by easy-rsa's revoke-full; the file must exist and be readable
	option crl_verify '/etc/easy-rsa/keys/crl.pem'
	option server '10.8.0.0 255.255.255.0'
	option port '1194'
	option keepalive '10 120'
	option dh '/etc/openvpn/dh2048.pem'
	option comp_lzo 'adaptive'
	list push 'route 192.168.11.0 255.255.255.0'

/etc/init.d/openvpn start
sleep 3
ps -w | grep openvpn       ## daemon running?
ifconfig | grep tun0       ## tunnel interface present?
netstat -an | grep 1194    ## listening on udp/1194?
cat /tmp/openvpn.log
  • /etc/easy-rsa/keys/client-ovpn-create.sh

#!/bin/sh
## Builds <name>.ovpn with the CA cert, client cert and client key embedded.
## Run it from $KEY_DIR (/etc/easy-rsa/keys), where pkitool put those files.
[ $# -ne 1 ] && { echo "usage: $0 <client-name>" >&2; exit 1; }
NAME="$1"
CONF="$NAME.ovpn"
test -r "$CONF" && { echo "$CONF already exists, not overwriting" >&2; exit 1; }
for f in ca.crt "$NAME.crt" "$NAME.key"; do
	test -r "$f" || { echo "missing $f in $PWD" >&2; exit 1; }
done
umask 077   ## the .ovpn contains the private key, keep it owner-readable only
echo "client
dev tun
proto udp
remote myvpn.bitbull.ch 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
<ca>
$(cat ca.crt)
</ca>
<cert>
$(cat "$NAME.crt")
</cert>
<key>
$(cat "$NAME.key")
</key>" > "$PWD/$CONF"
pkitool user1.bitbull.ch ## equivalent to the 'build-key' script
pkitool user2.bitbull.ch ## equivalent to the 'build-key' script

sh client-ovpn-create.sh user1.bitbull.ch
sh client-ovpn-create.sh user2.bitbull.ch

ls -l *.ovpn

OpenVPN Site to Site with CentOS 7

OpenVPN site-to-site with CentOS 7 using a static (symmetric) key

OFFICE:
Network: 192.168.10.0/24

HOME:
Network: 192.168.20.0/24


DO THIS ON ALL MACHINES:

yum install https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
yum install openvpn

DO THIS ON OFFICE MACHINE:

vi /etc/openvpn/office-home.conf
------
remote home.compress.to
port 4001
float
proto udp
dev tun1
ifconfig 172.10.0.1 172.10.0.2
persist-tun
persist-local-ip
persist-remote-ip
comp-lzo
ping 15
secret /etc/openvpn/office-home.key
route 192.168.20.0 255.255.255.0
user openvpn
group openvpn
syslog office-home
verb 1
------

vi /etc/sysconfig/iptables
------
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# openvpn (must match the 'port' directive in office-home.conf)
-A INPUT -p udp --dport 4001 -j ACCEPT
# do not allow anything else
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# openvpn
-A FORWARD -s 192.168.10.0/24 -d 192.168.20.0/24 -j ACCEPT
-A FORWARD -s 192.168.20.0/24 -d 192.168.10.0/24 -j ACCEPT
# do not allow anything else
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
------

openvpn --genkey --secret /etc/openvpn/office-home.key   # shared static key, generate it once
chmod 600 /etc/openvpn/office-home.conf
chmod 400 /etc/openvpn/office-home.key
scp /etc/openvpn/office-home.key root@vpn-home:/etc/openvpn/office-home.key   # same key on both ends

echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p

systemctl enable iptables
systemctl restart iptables

systemctl enable openvpn@office-home
systemctl restart openvpn@office-home

DO THIS ON HOME MACHINE:

vi /etc/openvpn/home-office.conf
------
remote office.compress.to
port 4001
float
proto udp
dev tun1
ifconfig 172.10.0.2 172.10.0.1
persist-tun
persist-local-ip
persist-remote-ip
comp-lzo
ping 15
secret /etc/openvpn/office-home.key
route 192.168.10.0 255.255.255.0
user openvpn
group openvpn
syslog office-home
verb 1
------

vi /etc/sysconfig/iptables
------
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# openvpn (must match the 'port' directive in home-office.conf)
-A INPUT -p udp --dport 4001 -j ACCEPT
# do not allow anything else
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# openvpn
-A FORWARD -s 192.168.10.0/24 -d 192.168.20.0/24 -j ACCEPT
-A FORWARD -s 192.168.20.0/24 -d 192.168.10.0/24 -j ACCEPT
# do not allow anything else
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
------

chmod 600 /etc/openvpn/home-office.conf
chmod 400 /etc/openvpn/office-home.key   # the key copied over from the office machine

echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p

systemctl enable iptables
systemctl restart iptables

systemctl enable openvpn@home-office
systemctl restart openvpn@home-office


DO NOT FORGET TO SET STATIC ROUTES ON THE DEFAULT GATEWAYS
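The two halves of a static-key site-to-site link have to mirror each other (same port, same shared key, swapped `ifconfig` tunnel addresses, a `route` for the opposite LAN) and the host firewall on each side has to accept the UDP port OpenVPN is actually bound to. The Python checker below is an added example, not part of this note; it parses the two OpenVPN configs and the matching iptables rule sets and reports every inconsistency it finds. The sample texts are constructed from the office/home values above; the `mismatched_example` deliberately opens udp/8001 in iptables while OpenVPN listens on 4001, the kind of slip that creeps in when firewall rules are copied between the two hosts.

```python
"""Consistency check for an OpenVPN static-key site-to-site pair and the
iptables rules that guard it.  Added example, not from the original note; the
sample texts below are constructed from the office/home values in the text."""
import re


def parse_openvpn_conf(text):
    """Map each directive to the list of its argument lists ('#' comments ignored)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            words = line.split()
            conf.setdefault(words[0], []).append(words[1:])
    return conf


def accepted_udp_ports(iptables_text):
    """UDP ports the INPUT chain accepts, from an iptables-save style rule set."""
    ports = set()
    for line in iptables_text.splitlines():
        if line.startswith("-A INPUT") and "-p udp" in line and "-j ACCEPT" in line:
            match = re.search(r"--dport\s+(\d+)", line)
            if match:
                ports.add(int(match.group(1)))
    return ports


def check_site_to_site(peers):
    """peers: {name: (openvpn_conf_text, iptables_text)} for exactly two sites.
    Returns a list of human-readable problems; an empty list means consistent."""
    problems = []
    parsed = {name: parse_openvpn_conf(conf) for name, (conf, _) in peers.items()}
    (name_a, conf_a), (name_b, conf_b) = parsed.items()

    # per-peer requirements
    for name, conf in parsed.items():
        iptables_text = peers[name][1]
        for directive in ("remote", "port", "ifconfig", "secret", "route"):
            if directive not in conf:
                problems.append(f"{name}: missing '{directive}' directive")
        if "port" in conf:
            port = int(conf["port"][0][0])
            if port not in accepted_udp_ports(iptables_text):
                problems.append(f"{name}: iptables INPUT does not accept udp/{port}")
        if "ifconfig" in conf and len(conf["ifconfig"][0]) != 2:
            problems.append(f"{name}: 'ifconfig' needs a local and a remote tunnel address")

    # cross-peer requirements
    if "port" in conf_a and "port" in conf_b and conf_a["port"][0] != conf_b["port"][0]:
        problems.append(f"port differs: {name_a}={conf_a['port'][0][0]} {name_b}={conf_b['port'][0][0]}")
    if "ifconfig" in conf_a and "ifconfig" in conf_b:
        if conf_a["ifconfig"][0] != list(reversed(conf_b["ifconfig"][0])):
            problems.append("ifconfig local/remote addresses are not mirrored between the peers")
    return problems


# Constructed sample configs, reduced to the directives the checker looks at.
OFFICE_CONF = """\
remote home.compress.to
port 4001
proto udp
dev tun1
ifconfig 172.10.0.1 172.10.0.2
secret /etc/openvpn/office-home.key
route 192.168.20.0 255.255.255.0
"""
HOME_CONF = (OFFICE_CONF.replace("home.compress.to", "office.compress.to")
             .replace("172.10.0.1 172.10.0.2", "172.10.0.2 172.10.0.1")
             .replace("192.168.20.0", "192.168.10.0"))


def iptables_rules(udp_port):
    """Constructed /etc/sysconfig/iptables fragment opening one UDP port."""
    return f"""\
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport {udp_port} -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def mismatched_example():
    """Firewall opens udp/8001 while both OpenVPN peers use port 4001."""
    return check_site_to_site({"office": (OFFICE_CONF, iptables_rules(8001)),
                               "home": (HOME_CONF, iptables_rules(8001))})


def consistent_example():
    return check_site_to_site({"office": (OFFICE_CONF, iptables_rules(4001)),
                               "home": (HOME_CONF, iptables_rules(4001))})


if __name__ == "__main__":
    for label, result in (("mismatched", mismatched_example()), ("consistent", consistent_example())):
        print(f"{label}: {result or 'OK'}")
```

Feed it the real files from both hosts before restarting the services; it does not replace a connectivity test, but it catches the copy/paste errors that otherwise show up only as a silent tunnel with nothing in the log.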
