Differences

linux:openwrt [2015/06/30 14:37] – created niziaklinux:openwrt [2021/03/05 14:09] (current) niziak
Line 1: Line 1:
-====== OpenVPN ======+====== OpenWRT ======
  
-<code bash>opkg install openvpn-openssl luci-app-openvpn openvpn-easy-rsa</code>+====== First steps ====== 
 +To use SSH, first telnet to router and set root password.
  
-Enable incoming OpenVPN connections:+====== Enable SSH on WAN ======
  
 <code bash> <code bash>
 uci add firewall rule uci add firewall rule
-uci set firewall.@rule[-1]._name=openvpn 
 uci set firewall.@rule[-1].src=wan uci set firewall.@rule[-1].src=wan
 uci set firewall.@rule[-1].target=ACCEPT uci set firewall.@rule[-1].target=ACCEPT
-uci set firewall.@rule[-1].proto=udp +uci set firewall.@rule[-1].proto=tcp 
-uci set firewall.@rule[-1].dest_port=1194+uci set firewall.@rule[-1].dest_port=22
 uci commit firewall uci commit firewall
 +/etc/init.d/firewall restart
 +</code>
  
-echo "iptables -I OUTPUT -o tap+ -j ACCEPT>> /etc/firewall.user +====== Multiple WAN IP ====== 
-echo "iptables -I INPUT -i tap+ -j ACCEPT" >> /etc/firewall.user +===== same provider ==== 
-echo "iptables -I FORWARD -o tap+ -j ACCEPT" >> /etc/firewall.user +There are two method defining multiple WAN IP [[https://wiki.openwrt.org/doc/uci/network#multiple_ip_addresses]]. 
-echo "iptables -I FORWARD -i tap+ -j ACCEPT" >> /etc/firewall.user+In both cases, addresses are added to the same interface. 
 +It is not possible to create 2nd firewall zone, like WAN2, because all iptables rules are using physical interface name to connect iptables chain, and physical interface is the same. 
 + 
 +Better is to create second OpenWRT interface "WAN2" but assign it to firewall zone "WAN".  
 +To use other external IP firewall needs to be configured manually by: 
 +<file bash | /etc/firewall.user> 
 +iptables -A input_wan_rule -d $WAN2_NET/29 -j reject 
 +iptables -t nat -A prerouting_wan_rule -p tcp -d $WAN2_IP3 --dport 80  -j DNAT --to-destination 192.168.0.90:80  -m comment --comment "Web server" 
 + 
 +# goal is to do not pass into default WAN rules 
 +iptables -t nat -A prerouting_wan_rule -d $WAN2_NET/29 -j ACCEPT 
 +</file> 
 + 
 + 
 +====== PXE boot ====== 
 + 
 +<file | /etc/dnsmasq.conf> 
 + 
 +# set tag "ENH" if request comes from iPXE ("iPXE" user class) 
 +dhcp-userclass=set:ENH,iPXE 
 + 
 +# alternative way, look for option 175 
 +#dhcp-match=set:ENH,175 
 + 
 +# UNDI 
 +dhcp-boot=tag:!ENH,netboot.xyz-undionly.kpxe,myserver,192.168.0.231 
 + 
 +# PXE 
 +dhcp-boot=tag:ENH,netboot.xyz.kpxe,myserver,192.168.0.231 
 +</file> 
 + 
 + 
 + 
 + 
 +====== Backup ====== 
 +[[https://wiki.openwrt.org/doc/howto/generic.backup]] 
 + 
 +====== Periodic reboot ====== 
 + 
 +===== cron job ===== 
 +<code> 
 +# Reboot at 4:30am every day 
 +# Note: To avoid infinite reboot loop, wait 70 seconds 
 +# and touch a file in /etc so clock will be set 
 +# properly to 4:31 on reboot before cron starts. 
 +30 4 * * * sleep 70 && touch /etc/banner && reboot
 </code> </code>
  
-<code bash+or independent on system time 
-mkdir -o /etc/openvpn +<code> 
-uci set openvpn.uservpn=openvpn +30 4 * * *  [ $( cat /proc/uptime | cut -d '.-) -gt 3600 ] && reboot
-uci set openvpn.uservpn.config=/etc/openvpn/user-vpn.conf +
-uci set openvpn.uservpn.enable=1 +
-uci commit openvpn+
 </code> </code>
  
-cat /etc/openvpn/user-vpn.conf+===== watchcat ===== 
 +<code bash> 
 +opkg install watchcat luci-app-watchcat 
 +</code>
  
-   port 1194 +And ''luci'' menu will be available under ''Services''
-   proto udp +
-   dev tap0 +
-   keepalive 10 120 +
-   status /tmp/openvpn-status.log +
-   verb 3 +
-   secret /etc/openvpn/secret.key+
  
 +====== Issues ======
 +Problem: Port-forwarded traffic are always from router local IP instead of real external IP address.
 +Solution: Disable masq option for LAN zone (should be only on WAN) zone
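Review bot: In the "Enable SSH on WAN" block the new rule accepts TCP/22 from the entire WAN zone with no source restriction; consider adding `uci set firewall.@rule[-1].src_ip=<admin-ip-or-range>` and, once a key is installed, turning off password logins for dropbear (`uci set dropbear.@dropbear[0].PasswordAuth=off`) so the exposed service only answers to the sources you expect. In the /etc/firewall.user fragment under "Multiple WAN IP", `-j reject` should read `-j REJECT`: iptables target names are case-sensitive and the lowercase form fails to load, so the rule meant to drop unsolicited traffic to the second subnet is never installed; `$WAN2_NET` and `$WAN2_IP3` are also used without being defined anywhere in the file, so either define them at the top of firewall.user or document where they come from. In the second "Periodic reboot" cron line the uptime test reads `cut -d '.-)`, which is not a valid cut invocation; the intended form is presumably `cut -d '.' -f 1`, and a comment should state that /proc/uptime is in seconds, so `3600` means the box must have been up an hour before it is allowed to reboot again. Finally, `/etc/init.d/firewall restart` flushes and rebuilds every chain; `/etc/init.d/firewall reload` is sufficient after a uci rule change and avoids dropping existing connection state.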