Hello everybody, it's been a while since my last post, but I'm back and today I'll show you how to configure and use an OpenVPN server with a TP-Link WDR4300 as the client.
The task
You have two sites: one is the headquarters, where the OpenVPN server runs, and the other is the OpenVPN client site. The client should be a hardware device (TP-Link WDR4300), and the LAN computers behind the OpenVPN client should be able to reach all the machines in the OpenVPN server's network. The same should hold for the machines on the OpenVPN server's side: they should be able to communicate with the computers behind the OpenVPN client. Both the client and the server should route the traffic for each other's subnets. For easier deployment, the OpenVPN client and server are installed on the gateways of their subnets. The picture below shows the scenario. This solution can be used for backups, file transfer or just administration of the remote site.

Solution
Let's begin with the OpenVPN client. First I need a distribution that runs some kind of Linux on the router, so that I can install OpenVPN there and configure it as a client.
The first distribution I tried was DD-WRT. Unfortunately I couldn't find anywhere on the dd-wrt website whether the TP-Link WDR4300 is supported or not. In the forum there is a post from someone who flashed it successfully, but the procedure was terrible and if anything goes wrong you could end up with a bricked router. So I decided to try another one – OpenWRT. There is much more information about the WDR4300 on the OpenWRT site; there is even a dedicated page in the wiki.
The hardware version of the device is very important. If you don't choose the right version for your TP-Link router you will end up with a bricked device, meaning the router can't be used anymore and you would have to buy a new one. There are instructions on the OpenWRT wiki page for the WDR4300 on how to de-brick it, but they are not easy to follow. So choose carefully! In my case the device has hardware version 1.2, so I went straight for the Attitude Adjustment RC1 build.
The installation was very easy: I logged into the WDR4300's default admin page and from the menu on the left chose System Tools → Firmware Upgrade. Select the file you just downloaded from the OpenWRT download page, cross your fingers :) and hit the Upgrade button.
If everything is OK, you will first see that the upgrade was successful and then the device will reboot. After the reboot, most probably you will see a message that the page could not be delivered. Don't panic: by default the address of the WDR4300 router is 192.168.0.1, and after the flash it changes to 192.168.1.1. Log in, change the password and leave it aside for now.
Next we will talk about the certificates needed for secure communication between the server and the client. There are a few programs for creating certificates. The first and most popular is the openssl command. It's a great, very powerful tool, but you will need some time to configure it and choose the right options. Another option is the easy-rsa scripts that come with OpenVPN, located in /usr/share/openvpn/easy-rsa/. There are two graphical tools that will do the job too – TinyCA and xCA.
If you choose to generate the needed certificates with a tool other than easy-rsa, look here. The key usage and extended key usage of the certificates should have the values specified in the table.
I generated the certificates twice, first with the openssl program, where I didn't have any trouble, and a second time with a graphical tool. Actually I had more problems with the graphical program than with openssl. If you use a graphical interface for creating certificates, don't forget to specify the right options for key usage and extended key usage, otherwise openvpn won't start. If you get errors from openvpn like “unsupported certificate purpose” and you generated the certificates with openssl, check this blog.
Besides certificates, to harden the security I created an HMAC signature. As written in the documentation, openvpn will drop any UDP packets not bearing the correct HMAC signature. This can protect you from DoS attacks, port scanning, and even buffer overflow vulnerabilities in the SSL/TLS implementation. The key for the HMAC signature is generated with the command:
$ openvpn --genkey --secret openvpn-hmac.key
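To show what the tls-auth HMAC check buys you, here is a simplified model of it in Python. This is an added example, not OpenVPN's own code: the 128-byte key, the packet layout (opcode, then a 20-byte HMAC-SHA1 tag, then payload) and the opcode values are constructed stand-ins, and the real static key file and packet format differ in detail.

```python
"""Simplified model of OpenVPN's tls-auth packet gate (added example, not
OpenVPN's own code): a packet whose HMAC fails is dropped before any TLS
parsing, and each peer signs with one key half and verifies with the other,
which is why the server uses key-direction 0 and the client 1."""
import hmac
import hashlib

# Constructed stand-in for the "openvpn --genkey --secret" file: two 64-byte
# HMAC keys (the real file also carries cipher keys, omitted here).
STATIC_KEY = bytes(range(64)) + bytes(range(64, 128))

def direction_keys(static_key, key_direction):
    """(send_key, recv_key): direction 0 sends with A / receives with B,
    direction 1 is the mirror image, so 0 and 1 verify each other."""
    key_a, key_b = static_key[:64], static_key[64:]
    return (key_a, key_b) if key_direction == 0 else (key_b, key_a)

def seal(send_key, opcode, payload):
    """opcode || HMAC-SHA1(opcode || payload) || payload."""
    tag = hmac.new(send_key, bytes([opcode]) + payload, hashlib.sha1).digest()
    return bytes([opcode]) + tag + payload

def accept(recv_key, packet):
    """Return (opcode, payload) if the HMAC verifies, else None (drop)."""
    if len(packet) < 21:
        return None
    opcode, tag, payload = packet[0], packet[1:21], packet[21:]
    expected = hmac.new(recv_key, bytes([opcode]) + payload, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        return None
    return opcode, payload

def demo():
    """Server (direction 0) receiving from a client (direction 1)."""
    _, srv_recv = direction_keys(STATIC_KEY, 0)
    cli_send, _ = direction_keys(STATIC_KEY, 1)
    hello = seal(cli_send, 0x38, b"hard-reset")       # constructed control packet
    accepted = accept(srv_recv, hello) is not None
    tampered = hello[:5] + bytes([hello[5] ^ 1]) + hello[6:]   # flip a tag bit
    drop_tamper = accept(srv_recv, tampered) is None
    wrong_send, _ = direction_keys(STATIC_KEY, 0)     # client misconfigured as 0
    drop_dir = accept(srv_recv, seal(wrong_send, 0x38, b"x")) is None
    drop_probe = accept(srv_recv, bytes(40)) is None  # unkeyed scanner probe
    return accepted, drop_tamper, drop_dir, drop_probe
```

Only the first packet in demo() reaches the TLS layer; the tampered, wrong-direction and unkeyed packets are discarded without being parsed.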
One last thing before everything is ready – generate the Diffie-Hellman parameters. They are needed only on the server side. You can generate them either with the easy-rsa script build-dh or with openssl:
$ openssl dhparam -outform PEM -out openvpn-srv01-dh.pem 1024
Here are the working configuration files, first for the client:
client
proto tcp
remote openvpn-srv.example.com
port 1194
dev tun
nobind
ca /etc/openvpn/CA_cert.pem
cert /etc/openvpn/vpnclient01-cert.pem
key /etc/openvpn/vpnclient01-key.pem
tls-auth /etc/openvpn/openvpn-hmac.key 1
cipher AES-256-CBC
verb 4
tls-remote openvpn-srv.example.com
and then for the server:
proto tcp
port 1194
dev tun
server 192.168.2.0 255.255.255.0
ca /etc/openvpn/CA_cert.pem
cert /etc/openvpn/openvpn-srv-cert.pem
key /etc/openvpn/openvpn-srv-key.pem
dh /etc/openvpn/openvpn-dh.pem
tls-auth /etc/openvpn/openvpn-hmac.key 0
cipher AES-256-CBC
persist-key
persist-tun
keepalive 10 60
script-security 2
push "route 10.16.2.0 255.255.255.0"
topology subnet
user nobody
group nobody
verb 4
client-to-client
client-config-dir /etc/openvpn/ccd/
route 10.16.5.0 255.255.255.0 192.168.2.1
log-append /var/log/openvpn.log
status /var/log/openvpn.status
I placed the configuration files and certificates on both server and client inside /etc/openvpn.
There are a couple of things to mention about the client and server configurations. Why did I choose the tcp protocol instead of the default and recommended UDP? Unfortunately a router on the way between the openvpn client and the openvpn server is configured to drop UDP packets, and because of that the communication between them failed. That's the reason I chose TCP; if you are lucky and don't have such a case, go with UDP, it is the recommended one.
The other interesting thing is the client configuration. Part of the problem is that I need a static IP address in the VPN network for the client after it connects to the openvpn server. This can be accomplished with the client configuration directory. In this directory we create a file named after the client certificate's common name. If you forget your client certificate's common name you can check it with the command:
$ openssl x509 -subject -noout -in vpnclient01-cert.pem
So let's say the command gives the output:
CN=openvpn-client.example.com
The file should then be named “openvpn-client.example.com” and I placed it in /etc/openvpn/ccd. The file should look like:
iroute 10.16.5.0 255.255.255.0
ifconfig-push 192.168.2.3 255.255.255.0
10.16.5.0/24 is the subnet behind the openvpn client and 192.168.2.3 is the IP address of its tun0 interface.
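As an added example (not from the original post or OpenVPN itself), the following Python script checks the pairing rules described above between the server config, the client config and the CCD file: matching proto and cipher, tls-auth key-direction 0 on the server and 1 on the client, a CCD file named after the certificate CN, an ifconfig-push address inside the server's VPN subnet, and an iroute backed by a server route. The embedded configs are trimmed copies of the ones in this post.

```python
"""Pairing checks for the OpenVPN server/client setup in this post (added
example, not OpenVPN's or the author's code): parse the server config, the
client config and the client's CCD file and report mismatches."""
import ipaddress

# Constructed, trimmed copies of the post's configs (only checked directives).
SERVER_CONF = """proto tcp
server 192.168.2.0 255.255.255.0
tls-auth /etc/openvpn/openvpn-hmac.key 0
cipher AES-256-CBC
route 10.16.5.0 255.255.255.0 192.168.2.1
"""
CLIENT_CONF = """client
proto tcp
tls-auth /etc/openvpn/openvpn-hmac.key 1
cipher AES-256-CBC
"""
CCD_FILE = "iroute 10.16.5.0 255.255.255.0\nifconfig-push 192.168.2.3 255.255.255.0\n"

def parse_conf(text):
    """Return [(directive, [args])], skipping blanks and # / ; comments."""
    words = (ln.split("#", 1)[0].split(";", 1)[0].replace('"', "").split()
             for ln in text.splitlines())
    return [(w[0], w[1:]) for w in words if w]
def args_of(conf, name):
    return [a for d, a in conf if d == name]
def net(args):  # ["10.16.5.0", "255.255.255.0", ...] -> 10.16.5.0/24
    return ipaddress.ip_network("/".join(args[:2]), strict=False)

def check_pair(server_text, client_text, ccd_text, ccd_name, client_cn):
    s, c, ccd = (parse_conf(t) for t in (server_text, client_text, ccd_text))
    issues = []
    for key in ("proto", "cipher"):               # must agree on both sides
        if args_of(s, key) != args_of(c, key):
            issues.append(f"{key} differs between server and client")
    dirs = [a[0][1:] for a in (args_of(s, "tls-auth"), args_of(c, "tls-auth")) if a]
    if dirs and dirs != [["0"], ["1"]]:           # mirror-image key directions
        issues.append("tls-auth must be set on both sides with key-direction 0 (server) and 1 (client)")
    if ccd_name != client_cn:                     # server looks the file up by CN
        issues.append(f"ccd file {ccd_name!r} does not match CN {client_cn!r}")
    vpn = net(args_of(s, "server")[0])
    for a in args_of(ccd, "ifconfig-push"):       # static address must be in VPN net
        if ipaddress.ip_address(a[0]) not in vpn:
            issues.append(f"ifconfig-push {a[0]} is outside {vpn}")
    routes = {net(a) for a in args_of(s, "route")}
    for a in args_of(ccd, "iroute"):              # iroute needs a kernel route too
        if net(a) not in routes:
            issues.append(f"iroute {net(a)} has no matching server route")
    return issues
```

Running check_pair on the real files (read from /etc/openvpn) before starting the daemon catches the kind of mismatch that otherwise shows up only as a failed handshake or an unreachable subnet.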
Now we are ready with OpenVPN and it's time to finish the OpenWRT configuration.
To set the IP address of the LAN, go to the router's login page and, once logged in, click the Network tab → Interfaces → LAN → Edit. After that, from the Interfaces page edit the settings to configure the WAN interface.
You can install the openvpn software either from the web interface or from the command line. I prefer to install it from the command line; if there is a problem I can see it and debug it. To use the command line you should connect to the router with ssh. Once you have logged into OpenWRT, install openvpn with the commands:
# opkg update
# opkg install openvpn
It's time to check if the openvpn configuration is working properly. On the openvpn server start openvpn with the following command:
# openvpn --daemon --config /etc/openvpn/openvpn.conf
You can track the process of establishing the connection with the client:
# tailf /var/log/openvpn.log
Next connect to the OpenVPN client (OpenWRT) over ssh and type:
# openvpn --config /etc/openvpn/openvpn.conf
You will see a bunch of messages on both server and client and, if everything is ok, finally “Initialization Sequence Completed”. If something goes wrong you will see an error message; try to google it or post it in the comments.
When the connection is established, type the following command on the client command line and look for a device named “tun0” with IP address “192.168.2.3”:
# ifconfig -a
If “tun0” is listed and has the right address, try to ping the server (192.168.2.1). Depending on the firewall configuration on the openvpn server you will succeed, but you will have trouble pinging the 10.16.2.0/24 clients.
Before I clear this up, it's recommended to add this connection as an interface and create a firewall zone for it in OpenWRT. Adding the interface is done through the OpenWRT web interface: Network tab → Interfaces → Add. Name the interface “VPN” or similar and choose the “tun0” device under “Cover the following interface”. In the field “Protocol of the new interface” choose Static address. Then go to "Edit" and fill in the IP address (192.168.2.3), the network mask and the gateway (192.168.2.1). Next click on the Advanced Settings tab and uncheck the “Bring up on boot” option.
Go to the Firewall page under the Network tab and click “Add”. Set all the chains within the new zone to “allow” to pass the traffic, associate the new zone with the VPN interface and allow traffic to be forwarded from and to the LAN zone.
Now you can try again to ping machines in the 10.16.2.0/24 network, most probably without result. To make this work add these 4 iptables rules to /etc/firewall.user on the OpenWRT:
/usr/sbin/iptables -I INPUT -i tun0 -d 10.16.5.0/24 -s 10.16.2.0/24 -j ACCEPT
/usr/sbin/iptables -I OUTPUT -o tun0 -s 10.16.5.0/24 -d 10.16.2.0/24 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i tun0 -d 10.16.5.0/24 -o br-lan -s 10.16.2.0/24 -j ACCEPT
/usr/sbin/iptables -I FORWARD -o tun0 -s 10.16.5.0/24 -i br-lan -d 10.16.2.0/24 -j ACCEPT
Reboot the device and try again to ping computers on the 10.16.2.0/24 network; they should respond. The same should be true in the reverse direction.
I know it will take you some time to read the whole set of instructions. Don't be shy, use the comments to ask questions if something is not clear to you or if you have better ideas to make the whole thing work more easily or securely. In this case I used the TP-Link WDR4300 router, but it should be the same on anything else that runs OpenWRT.
If you are interested in OpenVPN and want to learn more scenarios and check other options, I highly recommend the OpenVPN 2 Cookbook.
For more info about OpenVPN check the manual page.