openvpn package

negan07 edited this page Dec 5, 2020 · 21 revisions

opkg update && opkg install openvpn

Dependencies: ancistrus-core ( >= 1.5.0 )

Binaries included: openvpn

KO modules included: tun.ko

GUI section: Management

Usage: rc openvpn < start restart stop >

Nvram variables:

openvpn_enable = 0|1 (0)

openvpn_type = 0|1|2 (0)

openvpn_protocol = udp|tcp (udp)

openvpn_port = 1-65534 (12974)

openvpn_tun_protocol = udp|tcp (udp)

openvpn_tun_port = 1-65534 (12973)

openvpn_cipher = <various> (AES-128-GCM)

openvpn_auth = <various> (sha256)

openvpn_server_opt = <various> (void)

openvpn_client_opt = <various> (void)

Docs:

OPENVPN ONLINE QUICK DOCS

OPENVPN MAN PAGE

Web GUI

The openvpn.htm web GUI page extends the original VPN Service menu page (still present and usable under the ADVANCED menu tab) with some additional security and flexibility options.

Note that the original settings keep the language selected in the GUI (including the bottom frame help), while the added ones are in English only; their online help is available on this Wiki page.

Web GUI Buttons

Click Cancel to discard changes.

Click Show Log to show detailed openvpn service log.

Click Delete Log to delete openvpn service log.

Click Apply to save settings, restart service & apply changes.

Openvpn

To enable the service, type:

nvram set openvpn_enable=1

Then restart the openvpn service by typing:

rc openvpn restart

To disable the service, type:

nvram set openvpn_enable=0

rc openvpn stop

Advanced Configurations

Some advanced settings can be configured here: they are not mandatory, and the defaults should suit common purposes.

TAP mode service Port

Select the port and the protocol for TAP driver VPN connection typing:

nvram set openvpn_protocol=<udp|tcp>

(Default: udp).

nvram set openvpn_port=<1-65534>

(Default: 12974).

Make sure the port used is different from the TUN port.

Restart openvpn service with:

rc openvpn restart

GUI: select TAP port and protocol then click Apply.

TUN mode service Port

Select the port and the protocol for TUN driver VPN connection (smartphone) typing:

nvram set openvpn_tun_protocol=<udp|tcp>

(Default: udp).

nvram set openvpn_tun_port=<1-65534>

(Default: 12973).

Make sure the port used is different from the TAP port.

Restart openvpn service with:

rc openvpn restart

GUI: select TUN port and protocol then click Apply.

Access Type

Here you can select the client connection mode:

All sites on the Internet & Home Network: for example, when clients abroad have to bypass some geographic limitations. Note that in this mode the VPN clients use the router's WAN connection, which increases bandwidth overhead.

Home Network only: when the clients only need to connect to the local network from outside.

Auto: in this mode the router itself decides which of the above modes to use, based on an embedded algorithm.

Select the VPN connection access type typing:

nvram set openvpn_type=<0|1|2>

0 = Auto

1 = All sites on the Internet & Home Network

2 = Home Network only

(Default: 0 = Auto).

Restart openvpn service with:

rc openvpn restart

GUI: select access type then click Apply.

Cipher Algorithm

Here you can choose the encryption algorithm used for the data channel.

The list of available ciphers can be viewed by typing:

openvpn --show-ciphers

Select the cipher algorithm typing:

nvram set openvpn_cipher=<...>

(Default: AES-128-GCM).

Note that not all ciphers are recommended for good security: prefer those with at least a 128-bit key and block size. The more complex the cipher and the longer its key, the more secure the VPN connection will be, but it can also become slower.

Since OpenVPN version 2.4.0+, only AES-128-GCM and AES-256-GCM are recommended in conjunction with OpenSSL 1.0.2. In the future, all AES-CBC ciphers will be automatically converted to AES-GCM.

Restart openvpn service with:

rc openvpn restart

GUI: select the cipher algorithm then click Apply.

Digest Algorithm

Here you can choose the digest (hash function) algorithm used for authentication.

The list of available digests can be viewed by typing:

openvpn --show-digests

Select the digest algorithm typing:

nvram set openvpn_auth=<...>

(Default: sha256).

Note that not all digests are recommended for good security: prefer those with a size of at least 256 bits. The more complex and the longer the digest, the more secure the VPN connection will be, but it can also become slower.

Restart openvpn service with:

rc openvpn restart

GUI: select the digest algorithm then click Apply.
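
The port, cipher and digest advice from the sections above can be checked mechanically before restarting the service. The following is an added example, not part of the ancistrus package: the function names are hypothetical, and reading the values on the router with nvram get is an assumption.

```sh
#!/bin/sh
# Added example, not part of the ancistrus package.
# Checks the values this page documents against the page's own advice.

digest_bits() {            # digest name -> size in bits (0 = unknown)
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        md5) echo 128 ;;
        sha1|ripemd160) echo 160 ;;
        sha224) echo 224 ;;
        sha256) echo 256 ;;
        sha384) echo 384 ;;
        sha512|whirlpool) echo 512 ;;
        *) echo 0 ;;
    esac
}

valid_port() {             # integer in the documented range 1-65534
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65534 ]
}

# check_openvpn_settings TAP_PORT TUN_PORT CIPHER AUTH
# Prints one line per finding; returns 0 when there is none, 1 otherwise.
check_openvpn_settings() {
    rc=0
    for p in "$1" "$2"; do
        valid_port "$p" || { echo "port '$p' is not in 1-65534"; rc=1; }
    done
    [ "$1" != "$2" ] || { echo "TAP and TUN share port $1"; rc=1; }
    case "$3" in
        AES-128-GCM|AES-256-GCM) ;;
        *) echo "cipher '$3' is not one of the recommended AES-GCM ciphers"; rc=1 ;;
    esac
    [ "$(digest_bits "$4")" -ge 256 ] ||
        { echo "digest '$4' is unknown or shorter than 256 bits"; rc=1; }
    return $rc
}

# Constructed sample values (defaults from this page, then a weak set).
# On the router the arguments would come from e.g. "$(nvram get openvpn_port)"
# (nvram get is assumed to be available alongside nvram set).
check_openvpn_settings 12974 12973 AES-128-GCM sha256 && echo "defaults: ok"
check_openvpn_settings 12974 12974 BF-CBC SHA1 || echo "weak set: review"
```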

Show Config files

Here you can view all the config files for clients & server.

GUI: select the config file to show then click Show Config.

Personal Server Options

Here you can add personal server options in addition to those already set up.

A list of the available options can be viewed at the OPENVPN MAN PAGE or with the command:

openvpn --help

The options created will be added to both the server and the server for smartphone.

Note that the inserted options are not checked: wrong or inappropriate options may cause service failure or security risks.

Add one or more server options by typing:

anc nvram add openvpn_server_opt "<option1 (value)>" "<option2 (value)>" "..."

nvram commit

Restart openvpn service with:

rc openvpn restart

GUI: to add a server option type a personal server option in the box then click Add server opt. When finished, click Apply.

Personal Server Options List

Here you can remove or clear the personal server options.

Remove one or more personal server options by typing:

anc nvram del openvpn_server_opt "<option1 (value)>" "<option2 (value)>" "..."

nvram commit

Restart openvpn service with:

rc openvpn restart

GUI: select the personal server option to remove from the list below then click Delete server opt. When finished, click Apply.

Clear the personal server options list by typing:

nvram unset openvpn_server_opt

Restart openvpn service with:

rc openvpn restart

GUI: To clear the personal server options list click Clear server list then click Apply.

Personal Client Options

Here you can add personal client options in addition to those already set up.

A list of the available options can be viewed at the OPENVPN MAN PAGE or with the command:

openvpn --help

The options created will be added to all the client config files (windows, linux, smartphone).

Note that the inserted options are not checked: wrong or inappropriate options may cause service failure or security risks.

Add one or more client options by typing:

anc nvram add openvpn_client_opt "<option1 (value)>" "<option2 (value)>" "..."

nvram commit

Restart openvpn service with:

rc openvpn restart

GUI: to add a client option type a personal client option in the box then click Add client opt. When finished, click Apply.
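
Since neither the personal server options nor the personal client options are checked when they are added, a candidate option can be screened before it is stored. This is an added example, not ancistrus code: the function name is hypothetical and the set of flagged options is this example's own selection of standard OpenVPN option names; treating port, proto, cipher and auth as conflicts assumes the package already writes them from the nvram variables.

```sh
#!/bin/sh
# Added example, not part of the ancistrus package.
# screen_openvpn_opt "<option (value)>"
# Prints "ok", "reject: ...", "risky: ..." or "conflict: ..."; returns 0 only for ok.
# The flagged options are this example's own selection (assumption).

screen_openvpn_opt() {
    # Split into name and first value without globbing; accept a leading "--".
    set -f; set -- ${1#--}; set +f
    name=${1:-}; value=${2:-}
    case "$name $value" in
        " ")
            v="reject: empty option" ;;
        "cipher none"|"auth none")
            v="risky: turns off data channel encryption or authentication" ;;
        "verify-client-cert none"|"client-cert-not-required "*)
            v="risky: clients are accepted without a certificate" ;;
        "duplicate-cn "*)
            v="risky: one certificate can be used by several clients at once" ;;
        "script-security "[23])
            v="risky: lets openvpn run user-defined scripts" ;;
        "comp-lzo "*|"compress "*)
            v="risky: compression inside the tunnel can leak plaintext" ;;
        "port "*|"proto "*|"cipher "*|"auth "*)
            # Assumption: these are already written from the openvpn_* nvram variables.
            v="conflict: already managed through the openvpn_* nvram variables" ;;
        *)
            v="ok" ;;
    esac
    echo "$v"
    [ "$v" = ok ]
}

# Constructed candidates, screened before: anc nvram add openvpn_server_opt "<option>"
for o in "keepalive 10 60" "duplicate-cn" "--cipher none" "port 1194"; do
    printf '%-18s -> %s\n' "$o" "$(screen_openvpn_opt "$o")"
done
```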

Personal Client Options List

Here you can remove or clear the personal client options.

Remove one or more personal client options by typing:

anc nvram del openvpn_client_opt "<option1 (value)>" "<option2 (value)>" "..."

nvram commit

Restart openvpn service with:

rc openvpn restart

GUI: select a personal client option to remove from the list below then click Delete client opt. When finished, click Apply.

Clear the personal client options list by typing:

nvram unset openvpn_client_opt

Restart openvpn service with:

rc openvpn restart

GUI: To clear the personal client options list click Clear client list then click Apply.