====== OpenWRT's OpenVPN ======

===== Client setup =====

==== Use the DNS servers pushed by the VPN server ====

Add to the client configuration, so that OpenVPN runs a script when the tunnel comes up and when it goes down:

<code>
script-security 2
up /etc/openvpn/client.sh
down /etc/openvpn/client.sh
</code>

The script collects the ''dhcp-option DNS'' and ''dhcp-option DOMAIN'' values pushed by the server into ''/tmp/resolv.conf.vpn'' and points dnsmasq at that file while the tunnel is up:

<code bash /etc/openvpn/client.sh>
#!/bin/sh
# Turn pushed "dhcp-option DNS x" / "dhcp-option DOMAIN y" options
# (exported by OpenVPN as foreign_option_N) into resolv.conf lines.
env | sed -n -e "
/^foreign_option_.*=dhcp-option.*DNS/s//nameserver/p
/^foreign_option_.*=dhcp-option.*DOMAIN/s//search/p
" | sort -u > /tmp/resolv.conf.vpn

# Switch dnsmasq between the VPN resolvers and the normal ones.
case ${script_type} in
(up)
  uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.vpn"
  ;;
(down)
  uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.auto"
  ;;
esac
/etc/init.d/dnsmasq restart &
</code>

<code>
chmod +x /etc/openvpn/client.sh
</code>

NOTE: If the VPN fails, the default DNS server may still be the one behind the VPN, which is then unreachable. If the VPN client connects to the server by domain name, the reconnect will fail as well. Either configure the VPN client with the remote IP addresses or add the remote VPN domains to the ''/etc/hosts'' file.

===== Server setup =====

<code>
opkg install openvpn-openssl luci-app-openvpn openvpn-easy-rsa
</code>

Enable incoming OpenVPN connections:

<code>
uci add firewall rule
uci set firewall.@rule[-1]._name=openvpn
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].proto=udp
uci set firewall.@rule[-1].dest_port=1194
uci commit firewall
echo "iptables -I OUTPUT -o tap+ -j ACCEPT" >> /etc/firewall.user
echo "iptables -I INPUT -i tap+ -j ACCEPT" >> /etc/firewall.user
echo "iptables -I FORWARD -o tap+ -j ACCEPT" >> /etc/firewall.user
echo "iptables -I FORWARD -i tap+ -j ACCEPT" >> /etc/firewall.user
</code>

Create the OpenVPN instance and its configuration file:

<code>
mkdir -p /etc/openvpn
uci set openvpn.uservpn=openvpn
uci set openvpn.uservpn.config=/etc/openvpn/user-vpn.conf
uci set openvpn.uservpn.enable=1
uci commit openvpn
cat > /etc/openvpn/user-vpn.conf << 'EOF'
port 1194
proto udp
dev tap0
keepalive 10 120
status /tmp/openvpn-status.log
verb 3
secret /etc/openvpn/secret.key
EOF
</code>

Add VPN to local LAN bridge:

<code bash /etc/init.d/openvpn-bridge>
#!/bin/sh /etc/rc.common
START=94

start() {
  openvpn --mktun --dev tap0
  brctl addif br-lan tap0
  ifconfig tap0 0.0.0.0 promisc up
}

stop() {
  ifconfig tap0 0.0.0.0 down
  brctl delif br-lan tap0
  openvpn --rmtun --dev tap0
}
</code>

<code>
chmod 755 /etc/init.d/openvpn-bridge
/etc/init.d/openvpn-bridge enable
/etc/init.d/openvpn-bridge start
</code>

Generate the shared static key (the client needs an identical copy of this file):

<code>
openvpn --genkey --secret /etc/openvpn/secret.key
</code>

Start VPN:

<code>
/etc/init.d/openvpn enable
/etc/init.d/openvpn start
</code>
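The client-side DNS switching from the "Client setup" section above, as an added example that is not part of the original page: the same sed pipeline and the resolvfile decision are wrapped in functions so they can be exercised with a constructed set of ''foreign_option_N'' lines instead of the live OpenVPN environment. The assumptions are that pushed options arrive as ''foreign_option_N=dhcp-option DNS|DOMAIN value'' (which is how OpenVPN exports them to up/down scripts) and the file names used on the page; the function ''choose_resolvfile'' goes one step beyond the page's script and only hands dnsmasq the VPN file when it actually contains a nameserver, so a server that pushes no DNS cannot leave the router without a resolver.

```shell
#!/bin/sh
# Added example, not the page's own client.sh. Assumes OpenVPN's
# foreign_option_N environment variables and the page's file names.

# Convert foreign_option_* lines on stdin into resolv.conf lines.
# The empty regex in s//.../ reuses the address regex, so only the
# "foreign_option_N=dhcp-option DNS" prefix is replaced and the value survives.
vpn_resolv_from_env() {
    sed -n -e "
/^foreign_option_.*=dhcp-option.*DNS/s//nameserver/p
/^foreign_option_.*=dhcp-option.*DOMAIN/s//search/p
" | sort -u
}

# Print the resolvfile dnsmasq should use. Unlike the page's script this
# only selects the VPN file on "up" when it holds at least one nameserver;
# otherwise (down, empty push, missing file) it falls back to resolv.conf.auto.
choose_resolvfile() {
    script_type="$1"     # "up" or "down", the value OpenVPN puts in $script_type
    vpnfile="$2"
    if [ "$script_type" = up ] && grep -q '^nameserver ' "$vpnfile" 2>/dev/null; then
        printf '%s\n' "$vpnfile"
    else
        printf '%s\n' /tmp/resolv.conf.auto
    fi
}

# Constructed sample of what `env` shows inside an up script (not a real capture);
# the duplicate DNS entry shows why sort -u is there.
SAMPLE_ENV='foreign_option_1=dhcp-option DNS 10.8.0.1
foreign_option_2=dhcp-option DOMAIN corp.example
foreign_option_3=dhcp-option DNS 10.8.0.1
route_vpn_gateway=10.8.0.1
script_type=up'

# Stand-alone demo: write the generated file to a scratch path and show the decision.
demo_vpnfile="${TMPDIR:-/tmp}/resolv.conf.vpn.example.$$"
printf '%s\n' "$SAMPLE_ENV" | vpn_resolv_from_env > "$demo_vpnfile"
cat "$demo_vpnfile"
choose_resolvfile up "$demo_vpnfile"
choose_resolvfile down "$demo_vpnfile"
rm -f "$demo_vpnfile"
```

On the router the ''uci set dhcp.@dnsmasq[0].resolvfile=...'' line from the page would take the output of ''choose_resolvfile "$script_type" /tmp/resolv.conf.vpn''; the fallback branch is what keeps name resolution working in the failure case the NOTE describes.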
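A preflight check for the "Server setup" section above, as an added example that is not part of the original page: the static key written by ''openvpn --genkey --secret'' is the only thing protecting this tunnel, and both ends must hold an identical copy, so it is worth verifying its layout and that it is not readable by other users before copying it to the client. The checks assume the documented static key layout (a ''-----BEGIN OpenVPN Static key V1-----'' header, 16 lines of 32 hex digits, a matching footer, optional ''#'' comment lines above) and mode ''rw-------'' on the file; the key the demo writes is a constructed placeholder with a fixed pattern, never a real key.

```shell
#!/bin/sh
# Added example, not from the page. Checks a file against the layout that
# "openvpn --genkey --secret FILE" produces; the sample key is constructed.

# Return 0 when FILE looks like an OpenVPN static key: header line, 16 lines
# of 32 hex digits (2048 bits), footer line. '#' comment lines are ignored
# because --genkey writes a few above the header.
static_key_format_ok() {
    f="$1"
    [ -r "$f" ] || return 1
    body=$(grep -v '^#' "$f") || true
    printf '%s\n' "$body" | sed -n '1p' | grep -q '^-----BEGIN OpenVPN Static key V1-----$' || return 1
    printf '%s\n' "$body" | sed -n '18p' | grep -q '^-----END OpenVPN Static key V1-----$' || return 1
    hexlines=$(printf '%s\n' "$body" | sed -n '2,17p' | grep -c '^[0-9a-fA-F]\{32\}$') || true
    [ "$hexlines" -eq 16 ]
}

# Return 0 when FILE is a regular file with mode rw------- (what --genkey sets);
# a group- or world-readable key must not be deployed.
static_key_private() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Both checks together; this is what to run on the router after --genkey and
# on the client after copying the file.
check_static_key() {
    static_key_format_ok "$1" && static_key_private "$1"
}

# Write a constructed (NOT real, NOT random) key in the right layout to FILE,
# only so the checks can be exercised offline.
write_sample_key() {
    f="$1"
    {
        printf '# constructed sample key for exercising the checks only\n'
        printf -- '-----BEGIN OpenVPN Static key V1-----\n'
        i=0
        while [ "$i" -lt 16 ]; do
            printf '%s\n' "0123456789abcdef0123456789abcdef"
            i=$((i + 1))
        done
        printf -- '-----END OpenVPN Static key V1-----\n'
    } > "$f"
    chmod 600 "$f"
}

# Stand-alone demo.
demo_key="${TMPDIR:-/tmp}/secret.key.example.$$"
write_sample_key "$demo_key"
if check_static_key "$demo_key"; then
    echo "key layout and permissions OK: $demo_key"
else
    echo "key check FAILED: $demo_key"
fi
rm -f "$demo_key"
```

Running ''check_static_key /etc/openvpn/secret.key'' on the router catches the two common mistakes with static keys: a file that was truncated or mangled while being copied (the server and client would then silently fail to authenticate) and a copy that was made with a permissive umask.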