Install OpenVPN packet

opkg install openvpn-easy-rsa openvpn-openssl

To support configuration OpenVPN in luci you should install the corresponding luci-app

opkg install luci-app-openvpn

Create CA and keys

The actions are similar to actions described in CA preparation for CentOS 7, except the location of CA is hardcoded in the “vars” script as /etc/easy-rsa/.

There are configuration files openssl-1.0.0.cnf and vars.

Set default parameters for certificates in vars file:

export KEY_CITY="Hermosa Beach"
export KEY_ORG="Adventurer"
export KEY_EMAIL=""
export KEY_OU="Core"

Load the variables from file vars to env:

source ./vars

Create CA:


Creating keys for OpenVPN server and clients


Generate and sign the server keys:

./build-key-server VPN_SRV_KEY

Say “YES” on question about signing key and add key to DB.

Create the Diffie-Hellman key:


Create key for tls-authentication:

openvpn --genkey --secret keys/ta.key


Generate and sign client(s) keys:

source ./vars
./build-key CLIENT_NAME

Say “YES” on question about signing key and add key to DB.

Configure the network on the OpenWrt router

Create the VPN interface (named vpn0):

uci set network.vpn0=interface
uci set network.vpn0.ifname=tun0
uci set network.vpn0.proto=none
uci set

Allow incoming client connections by opening the server port (default 1194) in our firewall:

uci set firewall.Allow_OpenVPN_Inbound=rule
uci set
uci set firewall.Allow_OpenVPN_Inbound.src=*
uci set firewall.Allow_OpenVPN_Inbound.proto=udp
uci set firewall.Allow_OpenVPN_Inbound.dest_port=1194

Create firewall zone (named vpn) for the new vpn0 network. This allows clients to communicate with services on the router and may allow connections between VPN clients if your OpenVPN server configuration allows:

uci set firewall.vpn=zone
uci set
uci set
uci set firewall.vpn.input=ACCEPT
uci set firewall.vpn.forward=REJECT
uci set firewall.vpn.output=ACCEPT
uci set firewall.vpn.masq=1

(Optional) If you plan to allow clients to connect to computers within your LAN, you’ll need to allow traffic to be forwarded between the vpn firewall zone and the lan firewall zone:

uci set firewall.vpn_forwarding_lan_in=forwarding
uci set firewall.vpn_forwarding_lan_in.src=vpn
uci set firewall.vpn_forwarding_lan_in.dest=lan

And you’ll probably want to allow your LAN computers to be able to initiate connections with the clients, too.

uci set firewall.vpn_forwarding_lan_out=forwarding
uci set firewall.vpn_forwarding_lan_out.src=lan
uci set firewall.vpn_forwarding_lan_out.dest=vpn

(Optional) Similarly, if you plan to allow clients to connect the internet (WAN) through the tunnel, you must allow traffic to be forwarded between the vpn firewall zone and the wan firewall zone:

uci set firewall.vpn_forwarding_wan=forwarding
uci set firewall.vpn_forwarding_wan.src=vpn
uci set firewall.vpn_forwarding_wan.dest=wan

Commit the changes:

uci commit network
/etc/init.d/network reload
uci commit firewall
/etc/init.d/firewall reload

Configure OpenVPN server

Copy cert/keys to OpenVPN dir

mkdir /etc/openvpn/keys
cd /etc/easy-rsa/keys
cp VPN_SRV_KEY.* ca.crt dh2048.pem ta.key /etc/openvpn/keys/

Create config for OpenVPN service

echo > /etc/config/openvpn # clear the openvpn uci config
uci set openvpn.myvpn=openvpn
uci set openvpn.myvpn.enabled=1
uci set openvpn.myvpn.verb=3
uci set openvpn.myvpn.port=1194
uci set openvpn.myvpn.proto=udp
uci set
uci set openvpn.myvpn.server=''
uci set openvpn.myvpn.keepalive='10 120'
uci set
uci set openvpn.myvpn.cert=/etc/openvpn/keys/my-server.crt
uci set openvpn.myvpn.key=/etc/openvpn/keys/my-server.key
uci set openvpn.myvpn.dh=/etc/openvpn/keys/dh2048.pem
uci set openvpn.myvpn.ifconfig_pool_persist /etc/openvpn/ipp.txt
uci set openvpn.myvpn.tls_auth='/etc/openvpn/keys/ta.key 0'
uci set openvpn.myvpn.client_to_client=1
uci set openvpn.myvpn.cipher=AES-256-CBC
uci set openvpn.myvpn.compress=lz4-v2
uci add_list openvpn.myvpn.push='compress lz4-v2'

(Optional) If you wont to use router as gateway to LAN/WAN:

uci add_list openvpn.myvpn.push='redirect-gateway def1 bypass-dhcp'

Set a DNS servers for VPN clients:

uci add_list openvpn.myvpn.push='dhcp-option DNS'

Commit the changes: uci commit openvpn

Enable and start OpenVPN service: /etc/init.d/openvpn enable /etc/init.d/openvpn start