OpenVPN solution: Debian & Raspberry Pi Openwrt - shenhaoyu/AnyGW GitHub Wiki

Server

Install OpenVPN

root@:# apt-get install openvpn easy-rsa

Prepare environment

root@:# cp -r /usr/share/easy-rsa/ /etc/openvpn/
root@:# mkdir /etc/openvpn/keys

root@:# vim /etc/openvpn/easy-rsa/vars

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyOrganizationalUnit"

root@:/etc/openvpn/easy-rsa# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
root@:/etc/openvpn/easy-rsa# ./clean-all

Build CA

root@:/etc/openvpn/easy-rsa# ./build-ca

Generating a 2048 bit RSA private key
.........................+++
................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:
Name [EasyRSA]:
Email Address [[email protected]]:

Generate server key

root@:/etc/openvpn/easy-rsa# ./build-key-server server_name

Generating a 2048 bit RSA private key
.........+++
.....................................................................+++
writing new private key to 'server_name.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [server_name]:
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'server_name'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Mar  9 22:10:49 2032 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate client key

root@:/etc/openvpn/easy-rsa# ./build-key client_name

Generating a 2048 bit RSA private key
......................................+++
.....................................+++
writing new private key to 'client_name.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [client_name]:
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'client_name'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Mar  9 22:15:40 2032 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

root@:/etc/openvpn/easy-rsa# ./build-dh

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
[... several thousand progress dots elided ...]

Results

root@:/etc/openvpn/easy-rsa# ls -al keys/
total 92
drwx------ 2 root root 4096 Mar 13 06:24 .
drwxr-xr-x 3 root root 4096 Mar 13 05:27 ..
-rw-r--r-- 1 root root 5580 Mar 13 06:11 01.pem
-rw-r--r-- 1 root root 5452 Mar 13 06:15 02.pem

Root CA Certificate & Key
-rw-r--r-- 1 root root 1704 Mar 13 06:03 ca.crt
-rw------- 1 root root 1704 Mar 13 06:03 ca.key (Confidential)

Client Certificate & Key
-rw-r--r-- 1 root root 5452 Mar 13 06:15 client_name.crt
-rw-r--r-- 1 root root 1078 Mar 13 06:15 client_name.csr
-rw------- 1 root root 1704 Mar 13 06:15 client_name.key (Confidential)

DH parameters and easy-rsa bookkeeping
-rw-r--r-- 1 root root  424 Mar 13 06:24 dh2048.pem
-rw-r--r-- 1 root root  269 Mar 13 06:15 index.txt
-rw-r--r-- 1 root root   21 Mar 13 06:15 index.txt.attr
-rw-r--r-- 1 root root   21 Mar 13 06:11 index.txt.attr.old
-rw-r--r-- 1 root root  135 Mar 13 06:11 index.txt.old
-rw-r--r-- 1 root root    3 Mar 13 06:15 serial
-rw-r--r-- 1 root root    3 Mar 13 06:11 serial.old

Server Certificate & Key
-rw-r--r-- 1 root root 5580 Mar 13 06:11 server_name.crt
-rw-r--r-- 1 root root 1082 Mar 13 06:10 server_name.csr
-rw------- 1 root root 1708 Mar 13 06:10 server_name.key (Confidential)

root@:/etc/openvpn/easy-rsa# cp keys/* /etc/openvpn/keys/
root@:/etc/openvpn# gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

In server.conf, mainly change the ca/cert/key/dh lines to point at the files in /etc/openvpn/keys/, and add any customized rules.

Firewall Config

/etc/ufw/before.rules (the MASQUERADE rule belongs in a nat table block placed before the existing *filter section):

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

Forwarding also has to be enabled: net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf and DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw.

root@:~# ufw allow 1194/udp


Client

Import client.conf into OpenWrt LuCI; pay attention to the cipher line.

client
dev tun
proto udp
remote server_name 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client_name.crt
key client_name.key
cipher BF-CBC
comp-lzo
verb 3
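As an added check that is not part of the AnyGW wiki, the following POSIX shell function lints a client.conf like the one above before it is imported into LuCI. The rule set is my own selection: it flags the BF-CBC cipher (64-bit block, deprecated and no longer enabled by default since OpenVPN 2.5), a missing `remote-cert-tls server` line (without it the client accepts any certificate the CA ever signed, including another client's, as the server), a missing `tls-auth`/`tls-crypt` line (so a `ta.key` from `openvpn --genkey` goes unused), and enabled compression (`comp-lzo`/`compress`, deprecated in 2.5). The config inside the demo function is a constructed copy of the one above.

```shell
#!/bin/sh
# Added example, not from the AnyGW wiki: lint an OpenVPN client config for
# settings a defender would change before importing it into OpenWrt/LuCI.
# The rules are my own selection; the directive names are real OpenVPN options.

# lint_openvpn_client_conf FILE
# Prints one finding per line; returns 0 when nothing was flagged, 1 otherwise.
lint_openvpn_client_conf() {
    conf="$1"
    findings=0
    # Drop comments and blank lines so every remaining line is a directive.
    body=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$conf")

    # 1. Data-channel cipher: the last 'cipher' directive wins, as in OpenVPN.
    cipher=$(printf '%s\n' "$body" | awk '$1 == "cipher" { c = $2 } END { print c }')
    case "$cipher" in
        ""|BF-CBC|DES-*|RC2-*|CAST5-*|*-ECB)
            echo "cipher: '${cipher:-unset}' is weak or missing; use AES-256-GCM (data-ciphers on 2.5+)"
            findings=$((findings + 1)) ;;
    esac

    # 2. Server certificate type check: without it any CA-signed certificate,
    #    e.g. a stolen client certificate, is accepted as the server.
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server([[:space:]]|$)'; then
        echo "remote-cert-tls server: missing; client would accept any CA-signed cert as the server"
        findings=$((findings + 1))
    fi

    # 3. Control-channel protection: tls-auth/tls-crypt use the ta.key from 'openvpn --genkey'.
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*(tls-auth|tls-crypt|tls-crypt-v2)([[:space:]]|$)'; then
        echo "tls-auth/tls-crypt: missing; control-channel packets are not HMAC-protected"
        findings=$((findings + 1))
    fi

    # 4. Compressing encrypted traffic is deprecated; 'comp-lzo no' and
    #    'compress stub*' only keep framing compatibility and are left alone.
    if printf '%s\n' "$body" | awk '($1 == "comp-lzo" || $1 == "compress") && $2 != "no" && $2 !~ /^stub/ { f = 1 } END { exit f ? 0 : 1 }'; then
        echo "compression: enabled; remove comp-lzo/compress (deprecated since OpenVPN 2.5)"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Stand-alone demo on a constructed copy of the wiki-style client.conf.
demo_lint() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
client
dev tun
proto udp
remote server_name 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client_name.crt
key client_name.key
cipher BF-CBC
comp-lzo
verb 3
EOF
    echo "== findings for the wiki-style client.conf =="
    lint_openvpn_client_conf "$tmp" || true
    rm -f "$tmp"
}
demo_lint
```

Run it as `sh lint.sh` to see the four findings for the config above; call `lint_openvpn_client_conf path/to/client.conf` from another script and branch on its exit status to gate an import.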

Configure the interface and firewall in OpenWrt via LuCI (a little bit complicated).

One remaining issue: it can only force all traffic through the VPN; selecting which traffic goes through the VPN by destination country does not work yet.

https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci
https://www.vpnunlimited.com/fr/help/manuals/openvpn-openwrt
https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWRT-CI-setup-with-NordVPN.htm

Ubuntu Server

root@:/etc/openvpn/easy-rsa# ./easyrsa build-ca nopass
root@:/etc/openvpn/easy-rsa# ./easyrsa gen-dh

Server

root@:/etc/openvpn/easy-rsa# ./easyrsa gen-req fr1.xxxxx.com nopass
root@:/etc/openvpn/easy-rsa# ./easyrsa sign-req server fr1.xxxxx.com

Certificate is to be certified until Aug 23 18:30:45 2026 GMT (825 days)

root@:/etc/openvpn/easy-rsa# openvpn --genkey --secret ta.key
root@:/etc/openvpn/easy-rsa# cp ta.key ../server/
root@:/etc/openvpn/easy-rsa# cp pki/ca.crt ../server/
root@:/etc/openvpn/easy-rsa# cp pki/dh.pem ../server/
root@:/etc/openvpn/easy-rsa# cp pki/private/fr1.xxxxx.com.key ../server/
root@:/etc/openvpn/easy-rsa# cp pki/issued/fr1.xxxxx.com.crt ../server/

Client

root@:/etc/openvpn/easy-rsa# ./easyrsa gen-req phone nopass
root@:/etc/openvpn/easy-rsa# ./easyrsa sign-req client phone
root@:/etc/openvpn/easy-rsa# cp ta.key ../client/
root@:/etc/openvpn/easy-rsa# cp pki/ca.crt ../client/
root@:/etc/openvpn/easy-rsa# cp pki/private/phone.key ../client/
root@:/etc/openvpn/easy-rsa# cp pki/issued/phone.crt ../client/
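As an added example, not code from the AnyGW wiki, the following POSIX shell script carries two functions. `build_demo_pki` reproduces with plain `openssl` what `./easyrsa build-ca`, `gen-req` and `sign-req server` above do (a CA with `CA:TRUE`, and a server certificate carrying `extendedKeyUsage=serverAuth`, which is what lets clients use `remote-cert-tls server`). `check_server_pki` then audits a directory deployed to the VPN server, such as the `../server/` directory filled here or `/etc/openvpn/keys/` in the Debian section, for four things: the CA private key being present (the Debian section's `cp keys/*` copies `ca.key` onto the VPN server, where only `ca.crt` is needed), private-key files with a mode other than 600, a server certificate that does not chain to `ca.crt` or lacks the serverAuth EKU, and a key that does not match its certificate. The CA name, the server name `fr1.example.test` and the temporary directory are constructed for the demo; the certificate checks need the openssl CLI, the file checks do not.

```shell
#!/bin/sh
# Added example, not from the AnyGW wiki. Certificate checks need the openssl
# CLI; the file-based checks run without it. "Demo CA", fr1.example.test and
# the temporary directory are constructed names for the demo.

# build_demo_pki DIR NAME
# Plain-openssl stand-in for 'easyrsa build-ca' + 'gen-req' + 'sign-req server':
# a CA with CA:TRUE and one server certificate with extendedKeyUsage=serverAuth.
build_demo_pki() {
    dir="$1"; name="$2"
    mkdir -p "$dir"
    # Own openssl config so the script does not depend on /etc/ssl/openssl.cnf.
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Extensions a server certificate needs for clients that set 'remote-cert-tls server'.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
        > "$dir/server.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/pki.cnf" \
        -subj "/CN=Demo CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
        -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/server.ext" -out "$dir/$name.crt" 2>/dev/null
    chmod 600 "$dir"/*.key
}

# check_server_pki DIR NAME
# Audits the directory deployed to the VPN server. Prints one finding per line;
# returns 0 when clean, 1 otherwise.
check_server_pki() {
    dir="$1"; name="$2"; findings=0
    # The CA private key only signs new certificates; it has no job on the VPN server.
    if [ -e "$dir/ca.key" ]; then
        echo "ca.key is deployed in $dir; keep the CA key off the VPN server (only ca.crt is needed)"
        findings=$((findings + 1))
    fi
    # Private keys must not be group- or world-readable (easy-rsa writes them 0600).
    for k in "$dir"/*.key; do
        [ -e "$k" ] || continue
        mode=$(stat -c %a "$k" 2>/dev/null || stat -f %Lp "$k")
        case "$mode" in
            600|400) ;;
            *) echo "$k has mode $mode; expected 600"; findings=$((findings + 1)) ;;
        esac
    done
    if command -v openssl >/dev/null 2>&1 && [ -e "$dir/$name.crt" ] && [ -e "$dir/$name.key" ]; then
        # Chain: the server cert must be signed by the ca.crt the clients carry.
        openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 \
            || { echo "$name.crt does not verify against ca.crt"; findings=$((findings + 1)); }
        # EKU: without serverAuth, clients configured with 'remote-cert-tls server' reject it.
        openssl x509 -in "$dir/$name.crt" -noout -text | grep -q 'TLS Web Server Authentication' \
            || { echo "$name.crt lacks extendedKeyUsage serverAuth"; findings=$((findings + 1)); }
        # Key/cert pairing: compare the public key taken from each file.
        [ "$(openssl x509 -in "$dir/$name.crt" -noout -pubkey)" = "$(openssl pkey -in "$dir/$name.key" -pubout 2>/dev/null)" ] \
            || { echo "$name.key does not match $name.crt"; findings=$((findings + 1)); }
    fi
    [ "$findings" -eq 0 ]
}

# Stand-alone demo: build a throwaway PKI, audit it before and after removing ca.key.
demo_pki_check() {
    d=$(mktemp -d)
    build_demo_pki "$d" fr1.example.test
    echo "== fresh PKI directory (ca.key still inside) =="
    check_server_pki "$d" fr1.example.test || true
    rm -f "$d/ca.key"
    echo "== after removing ca.key =="
    check_server_pki "$d" fr1.example.test && echo "clean"
    rm -rf "$d"
}
command -v openssl >/dev/null 2>&1 && demo_pki_check || echo "openssl not found; demo skipped"
```

To audit a real deployment, call `check_server_pki /etc/openvpn/server fr1.xxxxx.com` (or `/etc/openvpn/keys server_name` for the Debian layout) and treat a non-zero exit as a reason not to start the service.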

Configure OpenVPN

root@:/etc/openvpn/# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf ./server/