OpenWrt with OpenVPN server on TP-Link Archer C7

Introduction

I’m not going to spend any time talking about why you should be using a VPN, or how a VPN works. If you’re here, you know that already. If you need a refresher on the different types of VPNs, see below.

PPTP
  Pro
  • Available in most operating systems by default
  Con
  • Uses IP protocol 47 (GRE) and UDP port 1723, making it easily detectable and blockable by a firewall
  • Encryption is not strong
  • First on NSA's "to-hack" list

L2TP/IPSec
  Pro
  • Available in most operating systems by default
  • More secure than PPTP
  • No known security flaws
  Con
  • Uses UDP ports 50, 500, 1701, and 4500, making it easily detectable and blockable by a firewall
  • Slightly more overhead than OpenVPN, since traffic is passing through the tunnel and encryption in two separate steps

OpenVPN
  Pro
  • Very configurable
  • Uses open source software
  • More secure than PPTP
  • No known security flaws
  • Can use any port, setting to TCP 443 makes it almost indistinguishable from HTTPS traffic
  Con
  • Not available in most operating systems by default, requires a third-party application

    Looking at my Piwik data, my most popular posts by far are the guides about setting up an OpenVPN client on a MR3020. After that, I receive the most questions about how to set up an OpenVPN server. Until now, I’ve been running a PPTP server on an e2000 running DD-WRT, because PPTP is easy to set up in DD-WRT (assuming you have the correct build). However, PPTP has its flaws (as shown above). I’ve also set up OpenVPN Access Server on Ubuntu Server, but that is for connecting to a VPS, not your home network (though, you could build the same setup in your home).

    This tutorial is going to be about setting up your own OpenVPN server on OpenWrt. This setup is taken mainly from this guide.

    Hardware

    Since I’ve had luck with TP-Link in the past, I chose to use a TP-Link Archer C7 for my main router/OpenVPN server. I was looking for something that had dual-band technology (since the 2.4GHz spectrum is pretty crowded around my house), as well as 802.11ac technology (since it’s several times faster than 802.11n).

    If you’re purchasing a C7, make sure it is hardware version 2.0. From the C7’s wiki page:

    For the Archer C7 v1.x and WDR7500 v2.x, the 5GHz 802.11a/n/ac functionality is not supported, and likely will never be, since support for the AR1A (v1) variant of QCA9880 chip is not included in the open source ath10k driver. The Archer C7 v2.x uses the BR4A (v2) variant which is supported in ath10k.

    Software

    Obviously, I’m using OpenWrt again. In this case, I’m going to be using Chaos Calmer, even though it’s still on release candidate 3 and not a “stable” release yet. I’m choosing CC because LuCI for BB does not support configuring 802.11ac via the web.

    When choosing a download for OpenWrt CC RC3 on the C7, be careful which one you choose. There is a download for v1 and v2, then a file for flashing from factory or from a previous release of OpenWrt.

    Install OpenWrt

    I’m going to assume you’re running the factory firmware and want to install OpenWrt. If you haven’t already, make sure you check the MD5 hash of the file you downloaded.

    Disconnect your PC from all wired and wireless networks, then connect the LAN port of the C7 to your PC. You should pull an IP in the 192.168.0.X range, so your C7’s IP should be 192.168.0.1. Open your browser, navigate to 192.168.0.1, and enter the username/password combination of admin/admin.

    Once you’re logged into the router, go to System Tools, then Firmware Upgrade. Browse to your file and click Upgrade.


    If you receive a message reading Please choose a file to upgrade!, you’ll need to rename the file to something shorter, like openwrt.bin.

    Configure OpenWrt

    Set a password

    After the router reboots, you’ll need to log in via telnet (since SSH is disabled, and LuCI isn’t installed in non-final releases of CC). Check your IP address and log in via telnet, as shown below.

    /home/logan
    logan@arch
    --> telnet 192.168.1.1
    Trying 192.168.1.1...
    Connected to 192.168.1.1.
    Escape character is '^]'.
     === IMPORTANT ============================
      Use 'passwd' to set your login password
      this will disable telnet and enable SSH
     ------------------------------------------
    
    
    BusyBox v1.23.2 (2015-06-18 21:35:30 CEST) built-in shell (ash)
    
      _______                     ________        __
     |       |.-----.-----.-----.|  |  |  |.----.|  |_
     |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
     |_______||   __|_____|__|__||________||__|  |____|
              |__| W I R E L E S S   F R E E D O M
     -----------------------------------------------------
     CHAOS CALMER (15.05-rc3, r46163)
     -----------------------------------------------------
      * 1 1/2 oz Gin            Shake with a glassful
      * 1/4 oz Triple Sec       of broken ice and pour
      * 3/4 oz Lime Juice       unstrained into a goblet.
      * 1 1/2 oz Orange Juice
      * 1 tsp. Grenadine Syrup
     -----------------------------------------------------
    root@OpenWrt:/#

    After you’re in through telnet, use passwd to change your password (which will enable SSH).

    root@OpenWrt:/# passwd
    Changing password for root
    New password:
    Retype password:
    Password for root changed by root

    Log out of telnet, then SSH in using root and the password you just set.

    /home/logan
    logan@arch
    --> ssh root@192.168.1.1
    root@192.168.1.1's password: 
    
    
    BusyBox v1.23.2 (2015-06-18 21:35:30 CEST) built-in shell (ash)
    
      _______                     ________        __
     |       |.-----.-----.-----.|  |  |  |.----.|  |_
     |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
     |_______||   __|_____|__|__||________||__|  |____|
              |__| W I R E L E S S   F R E E D O M
     -----------------------------------------------------
     CHAOS CALMER (15.05-rc3, r46163)
     -----------------------------------------------------
      * 1 1/2 oz Gin            Shake with a glassful
      * 1/4 oz Triple Sec       of broken ice and pour
      * 3/4 oz Lime Juice       unstrained into a goblet.
      * 1 1/2 oz Orange Juice
      * 1 tsp. Grenadine Syrup
     -----------------------------------------------------
    root@OpenWrt:~#

    After you’re in, we can start setting up OpenWrt. Most of these steps will be taken from my previous guides, as well as the OpenWrt basic config guide.

    Setup NTP

    The C7 doesn’t have a real-time clock or CMOS battery. Because of this, every time it loses power, the clock resets to a specific date. To circumvent this, we’re going to use NTP to get our time from the internet. You don’t have to set up NTP, but it makes troubleshooting easier when you’re looking at timestamped log files. Keep in mind, since the C7 is connected directly to your PC (not the internet), this won’t take effect until after we get it online.

    First, set a hostname, zone name, and time zone for your router. The list of zone names/time zones can be found here. Make note of the tick marks around the zonename.

    uci set system.@system[0].hostname="c7main"
    uci set system.@system[0].zonename="America/New_York"
    uci set system.@system[0].timezone="EST5EDT,M3.2.0,M11.1.0"
    uci commit system

    Next, we’re going to enable the NTP client. I’m using US servers from the NTP Pool Project, but change your servers as needed. Again, don’t forget the tick marks.

    uci set system.ntp="timeserver"
    uci set system.ntp.enabled="1"
    uci delete system.ntp.server
    uci add_list system.ntp.server="0.us.pool.ntp.org"
    uci add_list system.ntp.server="1.us.pool.ntp.org"
    uci add_list system.ntp.server="2.us.pool.ntp.org"
    uci add_list system.ntp.server="3.us.pool.ntp.org"
    uci commit system

    Set default IP

    Next, we’re going to change the default IP of the router from 192.168.1.1 to 10.10.1.1 (or whatever scheme you want). Most devices ship with 192.168.1.1 as the default, but I like to change to a different subnet.

    uci set network.lan.ipaddr="10.10.1.1"
    uci commit network

    You can also limit the number of addresses available in the DHCP pool (optional).

    uci set dhcp.lan.start="10"
    uci set dhcp.lan.limit="50"
    uci commit dhcp
    reboot

    Verify internet access

    At this point, plug your internet connection into the WAN port of the C7. Assuming it receives an IP from your modem via DHCP, you should be able to access the internet on a client PC, as well as ping websites through SSH. If you check the date with the date command, you should see the date/time are correct because of NTP.

    Setup wireless

    Next, I’m going to set up the wireless. However, I’m going to opt to configure the wireless from the web interface, also known as LuCI. I’m choosing to do this because the C7 has two radios and it’s easier to configure through LuCI than SSH. If I lose nerd-points in your eyes, I’m sorry.

    Install LuCI

    LuCI isn’t installed in non-final releases of CC, so we need to install it.

    opkg update
    opkg install luci luci-ssl
    /etc/init.d/uhttpd start
    /etc/init.d/uhttpd enable

    After LuCI is installed, navigate to 10.10.1.1 in your browser, and enter the username/password combination you were using for SSH.

    Create wireless network

    Go to the Network dropdown, then select Wifi. Enable your radios as necessary. I enabled an 802.11n radio at 2.4GHz and an 802.11ac radio at 5GHz to test with. Press Save & Apply to continue.


    Setup DDNS

    First, we’ll need to set up dynamic DNS (DDNS). We’ll be running a server out of our house, and since our ISP regularly changes our IP address, we’ll never know when the address changes. Instead, we can run a small program on OpenWrt that will reach out to a DDNS provider, tell them what our IP address currently is, and associate it to a DNS name. This way, when setting up our OpenVPN clients, we’ll use the DDNS name, not our IP.

    If you don’t have one already, you’ll need a DDNS provider. I’ve been a Dyn customer since before all the drama about discontinuing their free accounts. Make sure you choose a provider that is supported by OpenWrt. Once you choose a provider, you’ll need to register a DNS name with them.

    You’ll also need the following info about your account:

    • DDNS service name (as listed here, or in /usr/lib/ddns/services)
    • Host name/domain
    • Username
    • Password (some providers offer an updater key instead of exposing your password)
    • Interface you’ll be using to get DNS info (e.g., wan, wan6, lan, etc…)

    Start by installing the necessary DDNS packages. If you want to configure DDNS via LuCI, you’ll need the package for that as well. I’m also installing two extra packages to make DDNS requests over SSL, as described here.

    opkg update
    opkg install ddns-scripts luci-app-ddns ca-certificates wget

    I’m going to be configuring via command line, but you could perform the same steps in LuCI. Here, I’m using the IP of the eth0 interface to update my DDNS entry. Obviously, substitute your service/hostname/username/password as needed.

    uci delete ddns.myddns_ipv4
    uci delete ddns.myddns_ipv6
    uci set ddns.myddns="service"
    uci set ddns.myddns.service_name="ddnsprovider.com"
    uci set ddns.myddns.domain="yournamehere.yourproviderhere.com"
    uci set ddns.myddns.username="username"
    uci set ddns.myddns.password="p@ssw0rd"
    uci set ddns.myddns.interface="wan"
    uci set ddns.myddns.ip_source="interface"
    uci set ddns.myddns.ip_interface="eth0"
    uci set ddns.myddns.enabled="1"
    uci set ddns.myddns.use_https="1"
    uci set ddns.myddns.cacert="/etc/ssl/certs"
    uci commit ddns

    When you’re finished, be sure to start and enable the DDNS client.

    /etc/init.d/ddns start
    /etc/init.d/ddns enable

    Check your DDNS provider’s website to make sure your address is updating. If you’re having issues, run the command below to manually update your DDNS. It should give you some insight as to where the error is.

    /usr/lib/ddns/dynamic_dns_updater.sh myddns

    Setup OpenVPN

    Install packages

    Start by installing the necessary OpenVPN packages. If you want to configure OpenVPN via LuCI, you’ll need the package for that as well.

    opkg update
    opkg install openvpn-openssl openvpn-easy-rsa luci-app-openvpn openssh-sftp-server

    It’s a good idea to move the /etc/easy-rsa directory to somewhere else, in case you do an upgrade and overwrite your files.

    mkdir /etc/config/openvpn-config
    mv /etc/easy-rsa/* /etc/config/openvpn-config/
    rm -rf /etc/easy-rsa/
    ln -s /etc/config/openvpn-config/ /etc/easy-rsa
    rm /etc/config/openvpn_recipes
    touch /etc/config/openvpn-config/client.ovpn

    Create certificates

    Next, we’re going to generate the certificates for the server and client(s). We need to start by editing a few lines in the /etc/easy-rsa/vars file.

    Set the key size to at least 2048 bits. A key size of 4096 is preferred, but your client has to support it, plus it adds additional encryption overhead.

    export KEY_SIZE=2048

    Fill out the certificate info as necessary.

    export KEY_COUNTRY="US"
    export KEY_PROVINCE="CA"
    export KEY_CITY="SanFrancisco"
    export KEY_ORG="Fort-Funston"
    export KEY_EMAIL="me@myhost.mydomain"
    export KEY_OU="MyOrganizationalUnit"

    Next, create your certificate authority, Diffie-Hellman parameters (this will take 40+ minutes), and certificates. If you want more client certificates, run the last command again, specifying a different name.

    cd /etc/easy-rsa
    source vars
    clean-all
    build-ca
    build-dh
    build-key-server c7
    build-key-pkcs12 user1
    

    Note – I’m choosing to use the PKCS12 format for the client certificates, since it combines the key and CA certificate into one file. Your client may want the two certificates to be separate.

    Configure network/firewall

    Next, we need to configure a new network interface and assign a firewall zone to it.

    uci set network.vpn0="interface"
    uci set network.vpn0.ifname="tun0"
    uci set network.vpn0.proto="none"
    uci set network.vpn0.auto="1"
    uci commit network
    
    uci add firewall rule
    uci set firewall.@rule[-1].name="Allow-OpenVPN-Inbound"
    uci set firewall.@rule[-1].target="ACCEPT"
    uci set firewall.@rule[-1].src="wan"
    uci set firewall.@rule[-1].proto="udp"
    uci set firewall.@rule[-1].dest_port="1194"
    uci add firewall zone
    uci set firewall.@zone[-1].name="vpn"
    uci set firewall.@zone[-1].input="ACCEPT"
    uci set firewall.@zone[-1].forward="ACCEPT"
    uci set firewall.@zone[-1].output="ACCEPT"
    uci set firewall.@zone[-1].masq="1"
    uci set firewall.@zone[-1].network="vpn0"
    uci add firewall forwarding
    uci set firewall.@forwarding[-1].src="vpn"
    uci set firewall.@forwarding[-1].dest="wan"
    uci add firewall forwarding
    uci set firewall.@forwarding[-1].src="vpn"
    uci set firewall.@forwarding[-1].dest="lan"
    uci commit firewall
    
    /etc/init.d/network reload
    /etc/init.d/firewall reload

    Enable packet forwarding

    We also need to check if packet forwarding is enabled (it should be by default).

    cat /proc/sys/net/ipv4/ip_forward

    If it is not enabled, edit the file above and set the value to 1.

    OpenVPN server config

    Here, we’re going to be configuring the OpenVPN server. See the comments in the commands below for more information.

    touch /etc/config/openvpn
    uci delete openvpn.sample_server
    uci delete openvpn.sample_client
    
    
    #set and enable vpn
    uci set openvpn.myvpn="openvpn"
    uci set openvpn.myvpn.enabled="1"
    
    #specify TUN vs. TAP (if you're not sure, you want TUN)
    uci set openvpn.myvpn.dev="tun"
    
    #specify port to use (default is 1194)
    uci set openvpn.myvpn.port="1194"
    
    #specify protocol to use (default is UDP)
    uci set openvpn.myvpn.proto="udp"
    
    #specify to use compression
    uci set openvpn.myvpn.comp_lzo="yes"
    
    #logging
    uci set openvpn.myvpn.status="/var/log/openvpn_status.log"
    uci set openvpn.myvpn.log="/tmp/openvpn.log"
    uci set openvpn.myvpn.verb="3"
    uci set openvpn.myvpn.mute="5"
    
    #ping every 10 seconds, assume not responding after 120 seconds
    uci set openvpn.myvpn.keepalive="10 120"
    
    #keep key and tunnel persistent across restarts
    uci set openvpn.myvpn.persist_key="1"
    uci set openvpn.myvpn.persist_tun="1"
    
    #set user and group to less-privileged account (UNIX/Linux only)
    uci set openvpn.myvpn.user="nobody"
    uci set openvpn.myvpn.group="nogroup"
    
    #certificate information
    uci set openvpn.myvpn.ca="/etc/easy-rsa/keys/ca.crt"
    uci set openvpn.myvpn.cert="/etc/easy-rsa/keys/c7.crt"
    uci set openvpn.myvpn.key="/etc/easy-rsa/keys/c7.key"
    uci set openvpn.myvpn.dh="/etc/easy-rsa/keys/dh2048.pem"
    
    #server settings
    uci set openvpn.myvpn.mode="server"
    uci set openvpn.myvpn.tls_server="1"
    uci set openvpn.myvpn.server="10.8.0.0 255.255.255.0"
    
    #specify topology to use
    uci set openvpn.myvpn.topology="subnet"
    
    #specify gateway to use
    uci set openvpn.myvpn.route_gateway="dhcp"
    
    #allow clients to "see" one another
    uci set openvpn.myvpn.client_to_client="1"
    
    #options to push to clients
    uci add_list openvpn.myvpn.push="comp-lzo yes"
    #keep key and tunnel persistent across restarts
    uci add_list openvpn.myvpn.push="persist-key"
    uci add_list openvpn.myvpn.push="persist-tun"
    #user and group are NOT valid pushed options: OpenVPN clients reject them with
    #"option 'user' cannot be used in this context ([PUSH-OPTIONS])", so they are
    #only set in the server section above (and in the client's own config if needed)
    #specify topology to use
    uci add_list openvpn.myvpn.push="topology subnet"
    #specify gateway to use
    uci add_list openvpn.myvpn.push="route-gateway dhcp"
    #redirect ALL traffic through the VPN server (this is IMPORTANT if you don't trust your local network)
    uci add_list openvpn.myvpn.push="redirect-gateway def1"
    #push a local route to your clients (allow your clients to access the server's network)
    uci add_list openvpn.myvpn.push="route 10.10.1.0 255.255.255.0"
    #push DNS to your clients (this is IMPORTANT if you don't trust your local network)
    uci add_list openvpn.myvpn.push="dhcp-option DNS 107.170.95.180"
    uci add_list openvpn.myvpn.push="dhcp-option DNS 50.116.40.226"
    uci commit openvpn
    

    Be sure to start and enable the OpenVPN server.

    /etc/init.d/openvpn start
    /etc/init.d/openvpn enable

    Next, look at the logfile at /tmp/openvpn.log. With any luck, you should see Initialization Sequence Completed, showing that your OpenVPN server is up!

    root@c7main:/etc/config/openvpn-config/keys# cat /tmp/openvpn.log 
    Thu Aug 20 20:49:02 2015 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 18 2015
    Thu Aug 20 20:49:02 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.08
    Thu Aug 20 20:49:03 2015 Diffie-Hellman initialized with 2048 bit key
    Thu Aug 20 20:49:03 2015 Socket Buffers: R=[163840->131072] S=[163840->131072]
    Thu Aug 20 20:49:03 2015 TUN/TAP device tun0 opened
    Thu Aug 20 20:49:03 2015 TUN/TAP TX queue length set to 100
    Thu Aug 20 20:49:03 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Thu Aug 20 20:49:03 2015 /sbin/ifconfig tun0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
    Thu Aug 20 20:49:03 2015 GID set to nogroup
    Thu Aug 20 20:49:03 2015 UID set to nobody
    Thu Aug 20 20:49:03 2015 UDPv4 link local (bound): [undef]
    Thu Aug 20 20:49:03 2015 UDPv4 link remote: [undef]
    Thu Aug 20 20:49:03 2015 MULTI: multi_init called, r=256 v=256
    Thu Aug 20 20:49:03 2015 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
    Thu Aug 20 20:49:03 2015 Initialization Sequence Completed
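    Before (or right after) starting the service, the script below catches the things that tend to bite in this setup: pushed options that clients refuse (user/group pushes), key files left readable by other users, and a log that never reaches Initialization Sequence Completed. This is an added example, not from the original post or from the OpenWrt/OpenVPN projects; it assumes the guide’s paths (/etc/config/openvpn, /etc/easy-rsa/keys, /tmp/openvpn.log), and the config and log inside make_samples are constructed from this guide’s values for offline testing.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the OpenVPN
# server built in this guide. Run `run_checks` on the router before or after
# `/etc/init.d/openvpn start`. Default paths are the guide's; the inputs in
# make_samples are constructed for offline testing.

# OpenVPN rejects these inside PUSH-OPTIONS (the client logs "option 'user'
# cannot be used in this context"), so they belong in the server section
# itself, or in the client's .ovpn, never in a push line.
UNPUSHABLE="user group"

# Print one line per `list push '...'` entry in a /etc/config/openvpn style
# file whose option name is one clients refuse. $1 = config file path.
lint_push_options() {
    sed -n "s/^[[:space:]]*list[[:space:]]\{1,\}push[[:space:]]\{1,\}'\(.*\)'[[:space:]]*$/\1/p" "$1" |
    while IFS= read -r opt; do
        name=${opt%% *}          # the option name is the first word
        for bad in $UNPUSHABLE; do
            if [ "$name" = "$bad" ]; then
                printf 'unpushable: push "%s"\n' "$opt"
            fi
        done
    done
    return 0
}

# Return 1 (naming each offender) if any *.key under $1 is readable by group
# or others. Reads the permission columns of `ls -l`, which BusyBox and GNU
# ls print the same way. $1 = keys directory.
check_key_perms() {
    rc=0
    for k in "$1"/*.key; do
        [ -e "$k" ] || continue
        case "$(ls -ld "$k" | cut -c5-10)" in
            ------) ;;
            *) printf 'exposed: %s is readable by group/others, chmod 600 it\n' "$k"; rc=1 ;;
        esac
    done
    return $rc
}

# Print "ok" and return 0 when the server log shows "Initialization Sequence
# Completed" and no "Options error"; otherwise print what is wrong, return 1.
# $1 = log file path.
log_status() {
    if grep -q 'Options error' "$1"; then
        grep 'Options error' "$1"
        return 1
    fi
    if grep -q 'Initialization Sequence Completed' "$1"; then
        echo ok
        return 0
    fi
    echo 'not started: no "Initialization Sequence Completed" in log'
    return 1
}

# Run every check against the guide's paths (override with arguments).
run_checks() {
    lint_push_options "${1:-/etc/config/openvpn}"
    check_key_perms "${2:-/etc/easy-rsa/keys}"
    log_status "${3:-/tmp/openvpn.log}"
}

# Constructed sample inputs modelled on this guide's config and log output;
# writes them to a temporary directory and prints its path.
make_samples() {
    d=$(mktemp -d)
    cat >"$d/openvpn" <<'EOF'
config openvpn 'myvpn'
    option enabled '1'
    option dev 'tun'
    option server '10.8.0.0 255.255.255.0'
    list push 'comp-lzo yes'
    list push 'persist-key'
    list push 'user nobody'
    list push 'group nogroup'
    list push 'redirect-gateway def1'
    list push 'route 10.10.1.0 255.255.255.0'
EOF
    cat >"$d/openvpn.log" <<'EOF'
Thu Aug 20 20:49:03 2015 Diffie-Hellman initialized with 2048 bit key
Thu Aug 20 20:49:03 2015 TUN/TAP device tun0 opened
Thu Aug 20 20:49:03 2015 Initialization Sequence Completed
EOF
    mkdir "$d/keys"
    : >"$d/keys/c7.key";    chmod 600 "$d/keys/c7.key"     # private, as it should be
    : >"$d/keys/user1.key"; chmod 644 "$d/keys/user1.key"  # world-readable, flagged
    echo "$d"
}
```

    On the router, `. ./check.sh && run_checks` (with the script saved as check.sh) prints nothing for the push lint when the config is clean, one line per key with loose permissions, and ok once the log shows a completed start.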

    OpenVPN client config

    Edit the OpenVPN client configuration file at /etc/config/openvpn-config/client.ovpn. I’m purposely keeping the client configuration file as thin as possible, so that most settings can be setup on the server and pushed to clients.

    #specify TUN vs. TAP (if you're not sure, you want TUN)
    dev tun
    
    #specify protocol to use (default is UDP)
    proto udp
    
    #Certificate information
    ca   ca.crt
    cert user1.crt
    key  user1.key
    
    #client settings
    client
    remote-cert-tls server
    remote YOUR_DNS_ENTRY_OR_IP 1194
    

    Distribute keys

    You’ll need to move the following files from the router to your client(s). All four files should be saved in the same folder/location on your client.

    • CA certificate (ca.crt)
    • client certificate (user1.crt)
    • client keyfile (user1.key)
    • client config file (client.ovpn)

    You can use SFTP, SSH, or copy them to a USB drive. You could email them, but I would advise against it (since the key isn’t encrypted).

    Configure OpenVPN client

    In this case, I’m going to be using the official OpenVPN Android app, but there are also clients for iOS, Windows, Mac, and Linux.

    Once installed, tap on the Option button, then tap on Import, then tap on Import Profile from SD Card.


    Browse to the client.ovpn file and import it into the OpenVPN Connect app.


    The profile should be imported successfully, and you should be able to see your server’s name or IP. Click Connect to establish a connection.


    Verify your connection on the next screen.


    Verify connection

    Try to browse a public site (e.g., www.google.com), then try to browse to your router’s IP (e.g., 10.10.1.1). If everything is setup correctly, both should load. You can also check your IP with an external tool, such as WhatIsMyIP, and you should see your OpenWrt router’s public IP. I’d also advise to check for DNS leaks (your DNS should be set to the DNS servers we pushed to the clients).

     

    Let me know how your setup went!

    -Logan

    104 thoughts on “OpenWrt with OpenVPN server on TP-Link Archer C7”

    1. Hello,
      An excellent guide. I was able to configure the connection to my home router via internet without any problems.
      Problem is, however, that I do not see my home PC connected to a router with “openwrt+openvpn server”. I can connect the tablet to the router but I would like to have access to files on my home computer. Kindly append notes and hints how to do it.
      Thanks.

      • Hi Campbell,

        So you’re able to startup the VPN and connect remotely? When you SSH in, can you see any connected clients?
        cat /tmp/dhcp.leases
        If you don’t see your PC getting a lease from the router, there is something else going on.
        Is the PC wireless, like the tablet? or wired?

        Logan

    2. Does openwrt affect the quality of the wi-fi signal? With my last router, I thought stock firmware was better than ddwrt, because I had a more stable signal in the far corner of my house.

      • OpenWrt should not affect wireless signal quality, but it depends on a couple things:

        1. OpenWrt does allow you to adjust the transmit power, which most stock firmwares will not allow. This can be a good and bad thing.
        2. Some custom firmwares (e.g., Asuswrt-Merlin) perform much better than OpenWrt or DD-WRT, as they only contain small changes, and still allow special vendor-specific functions (e.g., hardware acceleration).

        So yes, you may have had better wireless signal on your stock firmware than OpenWrt. I think your signal quality depends more so on your antenna setup and the positioning of the router, than anything. Most people who use a custom firmware don’t use it to increase wireless signal, they use it for features that you can’t get in stock firmware (e.g., OpenVPN, proxy, packages, etc…).

    3. Hi!
      First of all, thank you, this guide is very-very cool!
      I set up my router and the vpn server working good on my android and iphone devices, but I tried setting up the openvpn “official” windows client… not working 🙁 connected and the ips good but the gateway is empty and not ping anything, I tried to set ip manually, but same 🙁
      Do you have any idea whats wrong?

      • You’re welcome, glad to help!

        I don’t have a Windows machine to test on, but here are a few suggestions:

        • Are you using the newest version of the client?
        • So you do get connected to your server? Do you have log files specified in your server config you can look at while your client is connected? Mine were stored in /tmp/openvpn.log and /var/log/openvpn_status.log.
        • What do you mean the gateway is empty? The field in the Windows OpenVPN client is not filled out?
        • Are you running OpenVPN as an admin user?
        • I could be wrong, but I’m not sure that Windows supports tun devices, only tap.
        • Again, I could be wrong, but I don’t think Windows supports pushing certain options, such as dhcp-option, that I use specifically to set DNS servers.

        I wish I could be more help, but you may need to reach out to some users on the OpenVPN forums. I’ve done my build a few times without issue, but never used a Windows client.

      • You are correct in that you want to setup a VPN client, not a server. But use this guide, it is a newer version of the one you linked to.

    4. To connect from a Windows machine you have to add “comp-lzo yes” without quotation marks on the client.ovpn file. For some reason the server doesn’t push this option on Windows machines but does on android and iOS (both tested and confirmed) resulting in an error ( I think error 122 on the command window of the connection) after a couple of secs.
      I have another problem. I’ve installed on all devices and working great, except an oxygen modem router. This router supports client mode with native open on support. The problem is when I connect it to my server I only browse the Internet and cannot view the network. If I redirect all traffic through the vpn I can view the network but cannot access the Internet. Ideas?

      • In addition to the Windows connection problems, you have to go to the OpenVPN install folder, right click each one of the 3 executable files and select properties-compatibility and check run as administrator. If OpenVPN doesn’t run as administrator then Windows doesn’t allow it to create routes to the network adapter

      • Thanks, I know there were some catches with the Windows client but haven’t used it myself. I see you also pointed that out to another reader, thanks!

        Did you push a route to your clients to allow access to the server’s network?
        #push a local route to your clients (allow your clients to access the server's network)
        uci add_list openvpn.myvpn.push="route 10.10.1.0 255.255.255.0"

        Again, I’m not sure if Windows clients can accept certain pushed options.

        • Yes the route is pushed. Maybe the router doesn’t like pushed routes and needs to be in the client.ovpn file. Nice tip I’ll try that!

      • Hello Logan and Panos,
        I added “comp-lzo yes” (without quotation marks) to the very beginning of the client.ovpn file on windows.
        Running OpenVPN client 2.3.10.0. It connects to the VPN server. I do receive IP address/mask, DNS1, DNS2 addresses, DHCP address from VPN server, but not receiving Default gateway.
        In the log file of the VPN client see the following:
        Tue Feb 16 02:22:25 2016 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Feb 1 2016
        Tue Feb 16 02:22:25 2016 Windows version 6.1 (Windows 7)
        Tue Feb 16 02:22:25 2016 library versions: OpenSSL 1.0.1r 28 Jan 2016, LZO 2.09
        Tue Feb 16 02:22:27 2016 UDPv4 link local (bound): [undef]
        Tue Feb 16 02:22:27 2016 UDPv4 link remote: [AF_INET]88.132.252.187:1194
        Tue Feb 16 02:22:28 2016 [Sentinel] Peer Connection Initiated with [AF_INET]88.132.252.187:1194
        Tue Feb 16 02:22:30 2016 Options error: option ‘user’ cannot be used in this context ([PUSH-OPTIONS])
        Tue Feb 16 02:22:30 2016 Options error: option ‘user’ cannot be used in this context ([PUSH-OPTIONS])
        Tue Feb 16 02:22:30 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
        Tue Feb 16 02:22:30 2016 open_tun, tt->ipv6=0
        Tue Feb 16 02:22:30 2016 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{67AFAB88-C5AB-4BD2-B9AB-759772BECE5E}.tap
        Tue Feb 16 02:22:30 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.200.2/255.255.255.0 on interface {67AFAB88-C5AB-4BD2-B9AB-759772BECE5E} [DHCP-serv: 192.168.200.0, lease-time: 31536000]
        Tue Feb 16 02:22:30 2016 Successful ARP Flush on interface [16] {67AFAB88-C5AB-4BD2-B9AB-759772BECE5E}
        Tue Feb 16 02:22:35 2016 Initialization Sequence Completed

        Should I add “comp-lzo yes” into client.ovpn file on both locations (on the windows machine and on the router as well)?
        Does it matter where I insert it?
        Thank you for your reply

        Regards
        Viktor

        • Viktor,

          Yes, you should include comp-lzo yes in both the client and server configs. It shouldn’t matter where in the file it is.

          What option are you trying to push here?

          Tue Feb 16 02:22:30 2016 Options error: option ‘user’ cannot be used in this context ([PUSH-OPTIONS])
          Tue Feb 16 02:22:30 2016 Options error: option ‘user’ cannot be used in this context ([PUSH-OPTIONS])

          If you’re setting the user/group, I don’t believe that’s required on Windows.

          #set user and group to less-privileged account (UNIX/Linux only)
          uci add_list openvpn.myvpn.push="user nobody"
          uci add_list openvpn.myvpn.push="user nogroup"

          In my config, I’m pushing the default gateway and setting it to DHCP.

          uci add_list openvpn.myvpn.push="route-gateway dhcp"

          I’m not sure if that push option is available on a Windows client. You might need to try to set that in the client .ovpn file.

          You can also use the option below to push a route. Again, not sure if that’s Windows compatible…

          uci add_list openvpn.myvpn.push="route 10.10.1.0 255.255.255.0"

          • Dear Logan,

            Thank you for replying.

            I added the “comp-lzo yes” to both client.ovpn (on the router and on the PC as well)
            Removed the two linux client related push lines (pushing user nobody and pushing user nogroup)
            Now those two error messages are gone from the log of the VPN client and the tunnel is established:
            Wed Feb 17 22:12:05 2016 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Feb 1 2016
            Wed Feb 17 22:12:05 2016 Windows version 6.1 (Windows 7)
            Wed Feb 17 22:12:05 2016 library versions: OpenSSL 1.0.1r 28 Jan 2016, LZO 2.09
            Enter Management Password:
            Wed Feb 17 22:12:05 2016 UDPv4 link local (bound): [undef]
            Wed Feb 17 22:12:05 2016 UDPv4 link remote: [AF_INET]89.132.252.181:1194
            Wed Feb 17 22:12:07 2016 [Sentinel] Peer Connection Initiated with [AF_INET]89.132.252.181:1194
            Wed Feb 17 22:12:09 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
            Wed Feb 17 22:12:09 2016 open_tun, tt->ipv6=0
            Wed Feb 17 22:12:09 2016 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{67AFAB88-C5AB-4BD2-B9AB-759772BECE5E}.tap
            Wed Feb 17 22:12:09 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.150.2/255.255.255.0 on interface {67AFAB88-C5AB-4BD2-B9AB-759772BECE5E} [DHCP-serv: 192.168.150.0, lease-time: 31536000]
            Wed Feb 17 22:12:09 2016 Successful ARP Flush on interface [16] {67AFAB88-C5AB-4BD2-B9AB-759772BECE5E}
            Wed Feb 17 22:12:14 2016 Initialization Sequence Completed

            …but still not receiving the default GW for the TAP adapter:
            Ethernet adapter Local Area Connection 3:
            Connection-specific DNS Suffix:
            Description . . . . . . . . . : TAP-Windows Adapter V9
            Physical Address. . . . . . . : 00-FF-67-AF-AB-88
            DHCP Enabled. . . . . . . . . : Yes
            Autoconfiguration Enabled . . : Yes
            Link-local IPv6 Address . . . : fe80::2584:ba1:b35c:67ca%16(Preferred)
            IPv4 Address. . . . . . . . . : 192.168.150.2(Preferred)
            Subnet Mask . . . . . . . . . : 255.255.255.0
            Lease Obtained. . . . . . . . : 17 February 2016 22:12:09
            Lease Expires . . . . . . . . : 16 February 2017 22:12:09
            Default Gateway . . . . . . . :
            DHCP Server . . . . . . . . . : 192.168.150.0
            DHCPv6 IAID . . . . . . . . . : 469827431
            DHCPv6 Client DUID. . . . . . : 00-01-00-01-19-04-61-5D-00-17-31-25-A0-83
            DNS Servers . . . . . . . . . : 213.46.246.53
            213.46.246.54
            NetBIOS over Tcpip. . . . . . : Enabled

            What is strange for me is that I have never seen a DHCP server declared with a network address instead of a host address.

            On the router I have got:
            subnet for LAN: 192.168.140.0/24
            default GW in LAN subnet is 192.168.140.254
            subnet for VPN clients: 192.168.150.0/24

            IP config for the physical NIC on the PC (connected to another hotspot to reach the internet via mobile net):
            Wireless LAN adapter Wireless Network Connection:
            Connection-specific DNS Suffix:
            Description . . . . . . . . . : D-Link AirPlus G DWL-G510 Wireless PCI Ad
            apter(rev.C)
            Physical Address. . . . . . . : F0-7D-68-6D-42-06
            DHCP Enabled. . . . . . . . . : Yes
            Autoconfiguration Enabled . . : Yes
            IPv4 Address. . . . . . . . . : 192.168.43.139(Preferred)
            Subnet Mask . . . . . . . . . : 255.255.255.0
            Lease Obtained. . . . . . . . : 17 February 2016 23:12:44
            Lease Expires . . . . . . . . : 18 February 2016 00:12:44
            Default Gateway . . . . . . . : 192.168.43.1
            DHCP Server . . . . . . . . . : 192.168.43.1
            DNS Servers . . . . . . . . . : 192.168.43.1
            NetBIOS over Tcpip. . . . . . : Enabled

            Have the following configuration on the router:
            #######################
            ### /etc/config/openvpn

            config openvpn 'custom_config'
            option enabled '0'
            option config '/etc/openvpn/my-vpn.conf'

            config openvpn 'myvpn'
            option enabled '1'
            option dev 'tap'
            option port '1194'
            option proto 'udp'
            option comp_lzo 'yes'
            option status '/var/log/openvpn_status.log'
            option log '/tmp/openvpn.log'
            option verb '3'
            option mute '5'
            option keepalive '10 120'
            option persist_key '1'
            option persist_tun '1'
            option user 'nobody'
            option group 'nogroup'
            option ca '/etc/easy-rsa/keys/ca.crt'
            option cert '/etc/easy-rsa/keys/Sentinel.crt'
            option key '/etc/easy-rsa/keys/Sentinel.key'
            option dh '/etc/easy-rsa/keys/dh2048.pem'
            option mode 'server'
            option tls_server '1'
            option server '192.168.150.0 255.255.255.0'
            option topology 'subnet'
            option route_gateway 'dhcp'
            option client_to_client '1'
            list push 'comp-lzo yes'
            list push 'persist-key'
            list push 'persist-tun'
            list push 'topology subnet'
            list push 'route-gateway dhcp'
            list push 'redirect-gateway def1'
            list push 'route 192.168.140.0 255.255.255.0'
            list push 'dhcp-option DNS 213.46.246.53'
            list push 'dhcp-option DNS 213.46.246.54'

            #########################################
            ###/etc/config/openvpn-config/client.ovpn

            comp-lzo yes
            #specify TUN vs. TAP (if you’re not sure, you want TUN)
            dev tap

            #specify protocol to use (default is UDP)
            proto udp

            #Certificate information
            ca ca.crt
            cert User1.crt
            key User1.key

            #client settings
            client
            remote-cert-tls server
            remote 89.132.252.181 1194
            route-gateway dhcp
            #the line above added as you suggested

            Even if the IP config of the TAP interface on the PC does not show the default GW, I noticed that I have got a route for the TAP interface (192.168.150.2/24) to the LAN subnet (192.168.140.0/24) in the routing table of the PC 🙂 :

            Routing table on PC
            IPv4 Route Table
            ===========================================================================
            Active Routes:
            Network Destination Netmask Gateway Interface Metric
            0.0.0.0 0.0.0.0 192.168.43.1 192.168.43.139 25
            0.0.0.0 128.0.0.0 192.168.150.1 192.168.150.2 20
            89.132.252.181 255.255.255.255 192.168.43.1 192.168.43.139 25
            127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
            127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
            127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
            128.0.0.0 128.0.0.0 192.168.150.1 192.168.150.2 20
            192.168.140.0 255.255.255.0 192.168.150.1 192.168.150.2 20
            192.168.43.0 255.255.255.0 On-link 192.168.43.139 281
            192.168.43.139 255.255.255.255 On-link 192.168.43.139 281
            192.168.43.255 255.255.255.255 On-link 192.168.43.139 281
            192.168.150.0 255.255.255.0 On-link 192.168.150.2 276
            192.168.150.2 255.255.255.255 On-link 192.168.150.2 276
            192.168.150.255 255.255.255.255 On-link 192.168.150.2 276
            224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
            224.0.0.0 240.0.0.0 On-link 192.168.150.2 276
            224.0.0.0 240.0.0.0 On-link 192.168.43.139 281
            255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
            255.255.255.255 255.255.255.255 On-link 192.168.150.2 276
            255.255.255.255 255.255.255.255 On-link 192.168.43.139 281
            ===========================================================================
            Persistent Routes:
            None

            I am able to ping the IP address of the router on the LAN side (192.168.140.254/24) and even log in through the LuCI web interface 🙂 , but when I ping another host in the LAN subnet (192.168.140/24) I receive destination PORT unreachable. Moreover I am unable to open any website on the internet. 🙁

            C:\Users\Vik>ping 192.168.140.131

            Pinging 192.168.5.131 with 32 bytes of data:
            Reply from 192.168.150.1: Destination port unreachable.
            Reply from 192.168.150.1: Destination port unreachable.
            Reply from 192.168.150.1: Destination port unreachable.
            Reply from 192.168.150.1: Destination port unreachable.

            Ping statistics for 192.168.140.131:
            Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

            I also tried DNS name resolution when connected through the VPN, but it does not work.

            So, for me it sounds like one or more firewall rules might be missing.
            At first sight I think all things are set in the FW as in your guide.
            On top of the settings in the guide I also enabled WAN and LAN in the “Allow forward from source zones:” section of the FW, but it didn’t make a difference 🙁
            Please tell me if you need more details.

            Thank you for your time and effort you have done so far.

            BR
            Viktor

            • Viktor,

              Sorry for the delay. I’ve tried replicating this on a Windows device (with different IPs) and it’s not working. However, my Windows device is a work laptop, so now I’m wondering if it’s a permission setting on my machine.

              As for your case, it could be a firewall rule, but the fact that you’re not getting a default gateway makes me think there’s a setting missing somewhere. In addition, Windows uses TAP devices instead of TUN devices, so I’m not sure what else needs to change besides dev tap in your config files. At this point, I’d say you need to find a specific guide online for setting this up on a Windows machine. Sorry I’m unable to be of any help.

              Logan

            • Hi Victor,

              Hope you’ve already sorted the issue; if not please try the following:

              Instead of
              list push 'redirect-gateway def1'
              try using
              option push 'redirect-gateway def1'

              Remove the following, mentioned twice in your config:
              list push 'route-gateway dhcp'

    5. Thanks for the awesome tutorial!
      As a side note, it may be better disabling compression when the CPU usage becomes the limiting factor for the DL/UL speed 😉

      • Thanks! I considered it, but running htop, it didn’t seem to be maxed out on a consistent basis. However, I never tried it without compression, so I may be missing out on some speed benefits.

        • What transmission rates did you achieve on your archer c7 via openVPN? The cheaper WDR3600 seems to achieve about 15 mbit/s max. The archer c7 has a faster CPU, so maybe there is room for improvement over this?

          • I’m getting 31Mbps/15Mbps over LTE on my phone, and 12Mbps/7Mbps while connected to the VPN. My CPU usage hovers around 50% on the server. I’d be curious why my speeds are slower if the C7 has a better CPU. Maybe my config?

    6. Thank you. Your instructions worked after I failed with the openwrt instructions. Two things that I think made the difference: 1) details about the ovpn files for the android app. 2) explanation on what’s in the openvpn file. Thank you for taking the time to share the information.

    7. Hey

      it’s a really great article.
      My DynDNS is running, and my OpenVPN too…
      So every test you make is OK on my OpenWRT.

      But if I want to connect my smartphone to the VPN via the same app you used, I always get stuck at “Waiting for server”…
      I can ping my DynDNS address and get an answer, and all services are running :-/

      Hope you can help me

      • Is your firewall open to allow port 1194? Also, sounds silly, but make sure your DNS name is spelled correctly.

    8. Hi, thank you so much for this post… I worked out setting mine up, although I’d got a bit confused about DNS and my DNS leak test says it might be leaking… could you help on how I can do a better job on this point?
      Again, thank you. Very good post.

      • What kind of client are you using? Windows, Android, etc…

        Basically, with the correct config, your client should be using your VPN server (your router) for DNS queries. If it’s leaking, it means your client is using something else in place of, or in addition to, your router. This is a small security risk because even though all your traffic is encrypted and flows back to your router, the query that changes http://www.google.com to 1.2.3.4 is not. This means even though an attacker can’t see your traffic, they can see the sites you visit.

    9. hi Logan.
      I’m experiencing a 5 min delay until the connection start join the exterior (internet). Do you know what may be causing this? Thank you so much.

      • Not sure. Do you mean a delay on your device (e.g., laptop, phone) from when you connect to the server to when you can browse?

        • yes… I connect instantly to my VPN (on the TP-Link C7), but I’m only able to surf the internet after approximately 5 min. This is a pattern I noticed… thanks for replying.

          • Hmm, weird. The only thing I can think (just guessing) is that DNS isn’t working right, and it goes through a series of timeouts until it gets a working DNS server. But even then, that should be a few seconds, not 5 minutes… I’m assuming you’re using your router (the VPN server) for DNS? What are its DNS servers?

            • I’m using the router for DNS. I set up a noip account hoping to access it from outside, but still not tested… the router uses the ISP provider’s DNS (187.108.48.3)… I think you point to something worth taking a closer look at… The whole role of DNS makes me a bit confused.
              thank you.

    10. When I try to upgrade the firmware I get the following:

      Error code: 18005 Upgrade unsuccessfully because the version of the upgraded file was incorrect. Please check the file name.

      This is my build:
      3.14.3 Build 151014 Rel.49676n

      I flashed it back to a previous firmware version with the TP-Link GUI and loaded the OpenWrt binary; it loaded and restarted. After that the router is completely unresponsive, for all intents and purposes bricked. Not quite sure what to do now. I did buy it in March and supposedly something changed in November/December in the hardware version.

      As of now I’m using an older router and trying to load the stock firmware back on the Archer.

      The threads I was using:

      https://forum.openwrt.org/viewtopic.php?id=61389

      https://forum.openwrt.org/viewtopic.php?pid=315588#p315588

      Any help would be wonderful. I’m on Mac OS X.

      Kiran

      • Are you flashing from stock to OpenWrt, or upgrading OpenWrt versions?

        TP-Link recently introduced changes (I believe both hardware and software) that make OpenWrt incompatible with their products. Is your C7 a recent purchase? Wondering if it’s a newer version and is incompatible…

        Did you try the instructions for entering failsafe mode and unbricking? I’ve never had to do either of these, so I can’t speak to the process…

        • I reset the c7 to factory defaults and then tried to flash the most recent chaos calmer open wrt factory firmware, in doing so I got the error. Then I found an earlier version of the firmware and flashed that one, to roll the firmware back. After that I flashed the chaos calmer image and it took. Then the router was unresponsive completely. I tried the de-bricking with no joy and failsafe mode also with no joy….

          I did buy it in march so it maybe the problem, it appears others had a similar issue.

          not sure what to do now….

          • Sorry to say, but you may be SOL on that router. It sounds like it’s bricked. I’d suggest asking for help on the OpenWrt forums (looks like you already did), as this is out of my league…

    11. Love the guide. After some head scratching with the VPN connecting but no Internet or networking – “connectivity” – at all I got it working with enabling the lzo compression (Network manager, Ubuntu 15.10). However I only have connectivity for a few seconds, then it drops completely. Any ideas? Running OpenWRT 15.05.1 on a TP-Link wr1043nd.

      • Actually, I commented out the rows in /etc/config/openvpn:
        list push 'route 192.168.1.0 255.255.255.0'
        list push 'dhcp-option DNS 8.8.8.8'
        list push 'dhcp-option DNS 107.170.95.180'
        Then I reconnected and now that works at least. However, of course, now I can’t access the other devices on the server network.

      • I generated a new cert for this client and put everything back into the configs – now it works. However “.local” domain does not. Keep searching.

        • Glad you got it working. Did you put the local route back? list push 'route 192.168.1.0 255.255.255.0'. That’s the only thing I can think of for the “.local” domains.

    12. Thanks for this guide.
      Tried the latest DD-WRT and OpenWrt builds on my Archer C7 v2 but am having Wi-Fi stability issues. Clients seem to be connected but can’t communicate with LAN clients.

      Anyone else having these issues?
      Any recommended build?

      Thx

      • Questions:
        1) Did you install OpenWrt from stock or an upgrade? Did you use the correct image?

        2) You say you’re having stability issues. Is there no communication between LAN and WLAN clients at all, or just sometimes? From your wording, it sounds like it’s intermittent.

        3) Did you double check that the LAN and WLAN interfaces are bridged?

    13. Thanks for the excellent instructions, which are working for me … mostly … Using Windows, the OpenVPN client connects quickly and I get an IP right away. However I cannot access the remote VPN right away; then after a few minutes I get automagically disconnected and reconnected, and things start working correctly.

      Below is a snippet of the connection log

      Wed May 11 18:16:16 2016 user1/184.69.209.234:62141 TLS: new session incoming connection from [AF_INET]184.69.209.234:62141
      Wed May 11 18:16:17 2016 user1/184.69.209.234:62141 VERIFY OK: depth=1, C=CA, ST=AB, L=Calgary, O=ComputerKing, OU=computerking.ca, CN=925.redwingshoes.ca, name=EasyRSA, emailAddress=admin@computerking.ca
      Wed May 11 18:16:17 2016 user1/184.69.209.234:62141 VERIFY OK: depth=0, C=CA, ST=AB, L=Calgary, O=ComputerKing, OU=computerking.ca, CN=user1, name=EasyRSA, emailAddress=admin@computerking.ca
      Wed May 11 18:16:18 2016 user1/184.69.209.234:62141 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
      Wed May 11 18:16:18 2016 user1/184.69.209.234:62141 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
      Wed May 11 18:16:18 2016 user1/184.69.209.234:62141 NOTE: --mute triggered...
      Wed May 11 18:16:20 2016 user1/184.69.209.234:62141 5 variation(s) on previous 5 message(s) suppressed by --mute
      Wed May 11 18:16:20 2016 user1/184.69.209.234:62141 PUSH: Received control message: 'PUSH_REQUEST'
      Wed May 11 18:16:20 2016 user1/184.69.209.234:62141 send_push_reply(): safe_cap=940
      Wed May 11 18:16:20 2016 user1/184.69.209.234:62141 SENT CONTROL [user1]: 'PUSH_REPLY,comp-lzo yes,persist-key,persist-tun,user nobody,user nogroup,topology subnet,route-gateway dhcp,redirect-gateway def1,route 10.22.1.0 255.255.255.0,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0' (status=1)

      • Are you running the windows client as an administrator? Unfortunately, I don’t use Windows, so check for a couple Windows comments from users here and here.

    14. These are great instructions! I have an issue though: I run OpenWRT on an Archer C7 configured as an Access Point _behind_ a different router. Can you help me with how to forward the ports properly so the OpenVPN server is accessible from the “outside” (Internet)? Sincerely, Martin

      • So you have this setup? Router1—->Archer C7—->OpenVPN server

        If that is the case, only router1 should have DHCP/DNS/firewall setup. The Archer C7 should be acting as a switch/AP only. In that case, you’d need to forward your OpenVPN port (e.g., 1194/UDP) from router1 to the IP of the OpenVPN server (assuming it’s a different device like a Raspberry Pi). There would be no configuration on the Archer C7 needed.

        Is the Archer C7 running its own DHCP/DNS/firewall? In that case, you’re double-NATed and you’ll need to forward your port (e.g., 1194/UDP) from router1 to the Archer C7, then forward that from the Archer C7 to your device IP. I can’t provide instructions for router1, since I’m not sure of the make/model. I’m sure you could Google it though.

        • Thank you for this great guide, Logan!

          I was able to successfully set up an OpenVPN Server using OpenWRT on an Archer C7 and confirmed that the server is up by obtaining the ‘Initialization Sequence Completed’ prompt when looking at the logfile.

          However, I am unable to successfully connect the OpenVPN Server to the outside internet because, similarly to @Martin, I have the Archer C7 connected behind/to another router provided by my ISP:

          Router 1 > Archer C7 [on which OpenVPN Server is running];

          although, unlike @Martin, the OpenVPN Server is internal to the Archer C7 and not as [presumably] in @Martin’s situation on a separate device behind the Archer C7.

          On Router 1, whose internal IP Address is the standard 192.168.1.1, I set up DynamicDNS [which seems to be successfully updating my DynamicDNS Provider] and am forwarding Port 1194 to a Static IP Address that I set up for the Archer C7 that is within the subnet of Router 1 [192.168.1.x].

          On the Archer C7, whose internal IP Address, as suggested in your guide, I set up to be 10.10.1.1, I set up the IP Address of the OpenVPN Server, also as suggested in your guide, to be 10.8.0.0.

          How do I get the OpenVPN Server on the Archer C7 to successfully connect to the outside internet?

          I’ve attempted to Forward Port 1194 from the WAN of the Archer C7 to [the ‘vpn’ Internal Zone of] both [one at a time] the IP Address of the OpenVPN Server, 10.8.0.0, as well as the IP Address of the ‘VPN0/tun0’ Network, 10.8.0.1, but receive a ‘Port 1194 is not open’ prompt on my DynamicDNS Provider’s website.

          I’m able to confirm that the OpenVPN Server is unable to connect to the outside internet by navigating to the Network > Interface page of the OpenWRT LuCI and noticing that the Status of the ‘VPN0/tun0’ Network contains neither an IP Address, MAC-Address, nor any Received/Transmitted Packets.

          I also noticed that the ‘Allow-OpenVPN-Inbound’ Firewall Traffic Rule [visible when navigating to the Network > Firewall > Traffic Rules page of the OpenWRT LuCI] that you suggested in your guide be set up to ‘Accept [‘Any udp’] input’ ‘From any host in wan’ ‘To any router IP at port 1194 _on this device_.’

          Do I need to Forward Port 1194 on the Archer C7 in order for the OpenVPN Server to connect to the outside internet, or does the OpenVPN Server obtain its connection directly from the WAN of the Archer C7?

          If so, to which IP Address should I Port Forward; to which IP Address is the OpenVPN Server supposed to connect to the outside internet?

          Thank you again for a great guide and in advance for your advice!

          • Hey Chris,

            Unfortunately, I switched to Ubiquiti gear, so I no longer have my OpenWrt VPN server. I would have guessed that forwarding 1194 from Router1 to Archer C7 would have done the trick. I’d advise you to ask on the OpenWrt forums, they’d probably be able to help you better than I could.

          • @ Logan — maybe you could alert Chris to this reply, just in case they aren’t checking back frequently. Also, you can offer to connect us offline if Chris would like. Thanks

            Chris –

            Sounds like you may have a number of different issues, but let’s start from the outside->in. I’ll describe it in terms of the LuCI interface, although you could just as easily do this via the command line.

            1) On your ISP router (the one connecting to the internet), be sure that the port forward is set up properly, in your case UDP 1194 > static IP in the 192.168.1.0/24 subnet. Keep in mind that some routers will not work for a “u-turn” connection (and may not expose the control to change this)… so even when everything else is configured properly, you might need to be on an outside network to properly connect or even see that the port is open (if this is the case, it should work on a cellular network or from any other network (assuming no firewalls are blocking the outbound traffic), and an external site that can test for open ports should have visibility).

            2) Connect the C7 WAN port to one of the LAN ports on your main (ISP provided) router. In order to administer the OpenWRT C7 in this configuration, you’ll probably need to plug a computer into the C7 LAN port. Alternatively, I recommend opening web (80) and/or ssh (22) ports on the C7’s OpenWRT firewall — more on this in a sec. When this is done, you can access your C7 via the static IP on the 192.168.1.0/24 network. DO NOT forward these ports from the internet (ISP router) to the C7 — you really only need these services available on your main LAN.

            3) Open the relevant ports in the OpenWRT firewall (on the C7). If you have set up port-forwards, delete those. You want to do this under Network > Firewall > Traffic Rules. Create a new rule under the “Open ports on router” section (name it, select UDP and click ‘Add’, then in the next page select Source zone = Any zone, Destination zone = Device (input), and Destination port = 1194). Click ‘Save & Apply’. Same thing for ports 80 and 22 (but use TCP + UDP) if you want to access the C7 via its WAN port on your internal network (LAN) as described previously.

            3a) While you’re in the firewall settings, make sure you have a defined firewall zone for the VPN and that it is set to accept/accept/reject (input/output/forward), and that the inter-zone forwarding “Allow forward to destination zones” has your wan zone selected.

            4) The way I configure the LAN and VPN subnets on the VPN device (in this case, your C7) is possibly a bit odd and is contrary to what they will tell you in the OpenVPN documentation, but it works perfectly and I’ve done this many times… Use the overlapping subnets for C7-LAN and VPN, but make sure it is different than your main LAN. You can use different network/subnet values, but follow the same logic. Your main LAN (from the ISP provided router) is 192.168.1.0/24, the WAN port of the C7 has an address in this subnet. On the C7, set Network > Interfaces > LAN to 192.168.2.1 255.255.255.0 (192.168.2.0/24).

            4a) Now, in your OpenVPN config, set the network to 192.168.2.192 255.255.255.240 (192.168.2.192/28 –> OpenVPN server will take 192.168.2.193, and up to 12 client IPs can be assigned). You can use a subnet calculator to select other ranges or mask bits, but it is critical that the OpenVPN server does not collide with the C7’s LAN IP (there are a bunch of possible combinations that could cause this conflict, but the calculators will help you here — key thing is that the first host in the network/mask defined must not be 192.168.2.1).

            5) Presumably you have the OpenVPN config to setup dev tun0. From there, make sure your Network > Interfaces is setup properly. The name is not critical, but I use VPN0. Protocol should be ‘Unmanaged’; under Physical Settings should be a radio button for ‘Ethernet Adapter: ‘tun0’; and finally in the Firewall Settings, it should be assigned to the firewall zone that represents your VPN (in my case it is ‘vpn’).

            At this point, you may want to reboot your router to ensure that everything has taken effect. There are still OpenVPN config things you might need to check if you want to be able to access devices on your main LAN (192.168.1.0/24 network) or access the internet through your VPN (i.e. when you’re out of the house and want to connect through for privacy on a public network, or to tunnel through your home to the internet to bypass geographical restrictions or certain types of firewalls, etc.). But if everything is configured properly for the basic connections, you should have the appropriate ports open and you should at least be able to connect to the VPN from the internet.

            Let me know how this works.

            • Thank you for your response, Logan!

              I will give your suggestions a try and let you know how they work!

              Thanks again!

    15. Hi Logan,

      Thx for this how-to. After many nights I got my VPN working with your instructions. I have OpenVPN running on a WDR4900 with Chaos Calmer. I can surf the internet without any problems, but the only problem I have is that I cannot ping any other PC or server on my local network. I have no problems with pinging the VPN server (192.168.0.1) and my router (192.168.40.1).
      I am connecting with Ubuntu and an iPhone.

      I push the route 192.168.40.0 255.255.255.0

      Can you help out? I want to be able to connect to my server or workstations.

      Here is my server config

      config openvpn 'myvpn'
      option enabled '1'
      option dev 'tun'
      option port '1194'
      option proto 'udp'
      option comp_lzo 'yes'
      option status '/var/log/openvpn_status.log'
      option log '/tmp/openvpn.log'
      option verb '3'
      option mute '5'
      option keepalive '10 120'
      option persist_key '1'
      option persist_tun '1'
      option user 'nobody'
      option group 'nogroup'
      option ca '/etc/easy-rsa/keys/ca.crt'
      option cert '/etc/easy-rsa/keys/server.crt'
      option key '/etc/easy-rsa/keys/server.key'
      option dh '/etc/easy-rsa/keys/dh2048.pem'
      option mode 'server'
      option tls_server '1'
      option server '192.168.0.0 255.255.255.0'
      option topology 'subnet'
      option route_gateway 'dhcp'
      option client_to_client '1'
      list push 'comp-lzo yes'
      list push 'persist-key'
      list push 'persist-tun'
      list push 'user nobody'
      list push 'user nogroup'
      list push 'topology subnet'
      list push 'route-gateway dhcp'
      list push 'redirect-gateway def1'
      list push 'route 192.168.40.0 255.255.255.0'
      list push 'dhcp-option DNS 8.8.8.8'
      list push 'dhcp-option DNS 8.8.4.4'

      • Unfortunately, I don’t have the Archer C7 anymore, so I can’t test your config. I can’t recall if my pings used to work or not (I assume they did). Possibly a firewall issue? Sorry I can’t be of more help.

      • @Buzcuz35 — how is your VPN connected to your network? I have the following configuration that allows me to access all devices on my local network:
        Internet > main router WAN; main router LAN > VPN server – router w/ OpenWRT, using WAN port; main router LAN > all other devices on the internal network.

        Obviously the internet connects to the main router WAN port and uses an internet routable IP. The router sets up the LAN subnet of 10.0.1.0/24 (all devices in my network exist on this subnet). The VPN server lives on an OpenWRT router, the WAN port has a 10.0.1.x IP address. That VPN router is configured with a LAN 10.0.2.0/24 (I don’t have any physical devices on that subnet — they would be double-NAT’d and not reachable from the rest of the .1 LAN).

        The VPN server is configured with 10.0.2.176 255.255.255.240 (that is a /28 subnet) and topology subnet. This makes the server IP 10.0.2.177 and the VPN clients get 10.0.2.178-191. I then push the route 10.0.1.0 255.255.255.0.

        This setup works because the OpenWRT VPN router ‘knows’ how to route from the OpenVPN subnet up to the main subnet of my normal network using NAT through the WAN port. This provides access to resources on the 10.0.1.0/24 network but also can get to the internet via the main router’s NAT. This will fail to work properly if my VPN client connection is initiated from a remote network that also operates on the 10.0.1.0/24 subnet (in your case, 192.168.40.0/24). Devices on my main network cannot initiate connections to VPN clients, as they are essentially behind another NAT… but this isn’t an issue in my case. Also, remember that you need to use IP addresses, not mDNS type names (“.local” will not work through the tunnel, and likely other internal DNS type configurations will also fail).

        FWIW, I do not push the other things (‘route-gateway dhcp’, ‘dhcp option DNS’, and ‘redirect-gateway def1’). I actually have the redirect-gateway defined on my client side configs — this way I can easily have a config that gives me access to my LAN from outside but doesn’t push all traffic through it (useful if I’m doing tech-support) or alternately I can use the redirect-gateway def1 on the client to send all traffic through the tunnel.

        Finally, I’d remove most of the push directives. Some of those lines would be better suited on the client config file, and you can always add them back to the server side one at a time to see what is required and what breaks things. I recommend the following:

        Server:

        config openvpn 'myvpn'
        option enabled '1'
        option dev 'tun'
        option port '1194'
        option proto 'udp'
        option comp_lzo 'yes'
        option status '/var/log/openvpn_status.log'
        option log '/tmp/openvpn.log'
        option verb '3'
        option mute '5'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option group 'nogroup'
        option ca '/etc/easy-rsa/keys/ca.crt'
        option cert '/etc/easy-rsa/keys/server.crt'
        option key '/etc/easy-rsa/keys/server.key'
        option dh '/etc/easy-rsa/keys/dh2048.pem'
        option mode 'server'
        option tls_server '1'
        option server '192.168.0.0 255.255.255.0'
        option topology 'subnet'
        option client_to_client '1'
        list push 'route 192.168.40.0 255.255.255.0'

        Client (the syntax may vary depending on the specific client config environment)
        … normal preamble with the server address, port, protocol, crypto keys, etc…
        option comp-lzo '1'
        option persist-key '1'
        option persist-tun '1'
        option 'redirect-gateway def1'

        Good luck! Let us know if it works.
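The subnet arithmetic in the reply above (a /28 `server` network under `topology subnet`, a pushed route to the main LAN, and the failure case where the remote client’s own LAN uses the same range as a pushed route) can be checked mechanically before anything is deployed. The following Python is an added example, not code from the thread or from OpenVPN; the function names `to_network`, `vpn_pool` and `check_plan` are chosen here, and the sample values are constructed from the numbers quoted in the reply.

```python
"""Plan an OpenVPN server subnet (topology subnet) and check it for address overlaps.

Added example, not from the post or from OpenVPN. Function names and the sample
values in __main__ are constructed from the numbers quoted in the reply above.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


def to_network(spec: str) -> IPv4Net:
    """Accept '10.0.1.0/24' or the OpenVPN form '10.0.1.0 255.255.255.0'."""
    # strict=True rejects a base address that is not aligned to the mask
    return IPv4Net(spec.strip().replace(" ", "/"), strict=True)


def vpn_pool(server_directive: str) -> Tuple[IPv4Net, ipaddress.IPv4Address,
                                            ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Interpret an OpenVPN 'server <network> <netmask>' directive under topology subnet.

    OpenVPN takes the first usable host address for itself; the remaining usable
    hosts form the client pool. The network and broadcast addresses are never
    handed out, so a /28 yields one server address and 13 client addresses.
    """
    net = to_network(server_directive)
    hosts = list(net.hosts())
    if len(hosts) < 2:
        raise ValueError(f"{net} has no room for a server address plus one client")
    return net, hosts[0], hosts[1], hosts[-1]


def check_plan(server_directive: str,
               pushed_routes: List[str],
               router_networks: Dict[str, str],
               remote_client_lan: Optional[str] = None) -> Dict[str, object]:
    """Summarise the pool and report two kinds of overlap.

    warnings: the pool overlaps one of the VPN router's own networks (the reply's
              setup works despite this, but it is worth knowing about).
    errors:   the LAN the client connects from overlaps the pool or a pushed route;
              the client's directly connected route wins, so those addresses never
              enter the tunnel.
    """
    net, server_ip, first_client, last_client = vpn_pool(server_directive)
    tunnel_side = [net] + [to_network(r) for r in pushed_routes]

    warnings = [f"pool {net} overlaps router network '{name}' ({cidr})"
                for name, cidr in router_networks.items()
                if net.overlaps(to_network(cidr))]

    errors: List[str] = []
    if remote_client_lan is not None:
        remote = to_network(remote_client_lan)
        errors = [f"client LAN {remote} overlaps tunnel-side network {n}"
                  for n in tunnel_side if n.overlaps(remote)]

    return {
        "network": str(net),
        "server": str(server_ip),
        "clients": f"{first_client}-{last_client}",
        "warnings": warnings,
        "errors": errors,
    }


if __name__ == "__main__":
    # Constructed sample: the addressing described in the reply above.
    plan = check_plan(
        "10.0.2.176 255.255.255.240",
        pushed_routes=["10.0.1.0 255.255.255.0"],
        router_networks={"main LAN via WAN port": "10.0.1.0/24",
                         "vpn router LAN": "10.0.2.0/24"},
        remote_client_lan="10.0.1.0/24",  # the failing case the reply describes
    )
    for key, value in plan.items():
        print(f"{key}: {value}")
```

Note that for 10.0.2.176/28 the last assignable client address is 10.0.2.190; 10.0.2.191 is the subnet’s broadcast address, and OpenVPN will not hand it to a client. Passing the remote side’s LAN as `remote_client_lan` reproduces the failure the reply mentions: with a pushed route for 10.0.1.0/24, a client sitting on a 10.0.1.0/24 network gets an error, while one on 192.168.40.0/24 gets none.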

        • Peter, are you using tap or tun device on your client? And it is a Windows client?
          I’m using Windows and tap. But I cannot ping hosts on the local lan network (e.g. 192.168.1.10)
          I can ping the VPN interface on the VPN server (in my case 192.168.2.1) and the router’s LAN interface (192.168.1.1)
          Maybe it will only work if you use bridging…

          • Brian –
            I am using TUN on both sides (they must be the same) with topology subnet.

            As I mentioned in my earlier response, the VPN is physically running on a 2nd router (internet > main router > VPN router @ WAN port). The IP address that the VPN router gets at its WAN port is in the same subnet as my regular LAN (10.0.1.x). The “LAN” IP address of the VPN router is set to 10.0.2.1 (subnet mask 255.255.255.0), and the OpenVPN server network is set to 10.0.2.192/28 (subnet mask 255.255.255.240; this makes the server @ 10.0.2.193, clients from .194-.206, broadcast .207). Note that the OpenVPN network technically overlaps the IP space of the VPN router’s “LAN” network. Also note the server-side OpenVPN configuration of the push route directive (push route 10.0.1.0 255.255.255.0) and I’ve also pushed the DNS for my main router (push dhcp-option DNS 10.0.1.1).

            I’ve put the VPN router’s “LAN” in quotes because nothing uses that [double-NAT’d] network, it is a configuration detail — I think it may be part of the reason this setup actually works, though. Many people also set up custom ‘static routes’ on their main router, but I did not need to do that (which is fortunate since I use an Apple Time Capsule and it is not possible to configure it in this way — there are obviously routing tables internally, but that functionality is entirely hidden from the user and there is absolutely no way to add custom routes to Apple’s wifi devices).

            With this configuration, I can ping and connect to all the devices on my network as if I was locally connected.

            • Also make sure your firewall is configured to pass the VPN traffic.

              config zone
              option name 'vpn'
              option input 'ACCEPT'
              option output 'ACCEPT'
              option forward 'REJECT'
              option network 'vpn0'

              config forwarding
              option src 'vpn'
              option dest 'wan'

              • And just for completeness… my network config file includes:

                config interface 'vpn0'
                option ifname 'tun0'
                option proto 'none'
                option auto '1'

                and the OpenVPN server config file has tun0 defined like this:
                option dev 'tun0'
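The three snippets in the replies above (firewall zone plus forwarding, network interface, and the `dev` line of the OpenVPN instance) only work together when the names line up: the instance’s `dev` must match the interface’s `ifname`, that interface must be listed in a zone, and that zone must have a forwarding to wherever the clients need to go. The following Python is an added example, not code from the thread or from OpenWrt; `parse_uci` and `tunnel_wiring` are names chosen here, and the three config texts are constructed from the replies.

```python
"""Parse OpenWrt UCI config text and trace how an OpenVPN instance is wired into
the firewall: openvpn 'dev' -> network interface 'ifname' -> firewall zone ->
forwardings.

Added example, not from the thread or from OpenWrt. parse_uci and tunnel_wiring
are names chosen here; the config texts below are constructed from the replies.
"""
import shlex
from typing import Dict, List, Optional

# Constructed sample input, matching the snippets posted in the replies above.
OPENVPN_CFG = """
config openvpn 'myvpn'
    option enabled '1'
    option dev 'tun0'
    option mode 'server'
    option tls_server '1'
    option user 'nobody'
    option group 'nogroup'
    list push 'route 10.0.1.0 255.255.255.0'
"""

NETWORK_CFG = """
config interface 'vpn0'
    option ifname 'tun0'
    option proto 'none'
    option auto '1'
"""

FIREWALL_CFG = """
config zone
    option name 'vpn'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option network 'vpn0'

config forwarding
    option src 'vpn'
    option dest 'wan'
"""


def parse_uci(text: str) -> List[Dict]:
    """Minimal reader for the UCI file syntax used under /etc/config.

    'config <type> [<name>]' starts a section; 'option k v' and 'list k v' lines
    belong to the most recent section. Values use shell-style quoting, which
    shlex.split understands, so 'route 10.0.1.0 255.255.255.0' stays one value.
    """
    sections: List[Dict] = []
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        keyword, rest = words[0], words[1:]
        if keyword == "config" and rest:
            current = {"type": rest[0], "name": rest[1] if len(rest) > 1 else None,
                       "options": {}, "lists": {}}
            sections.append(current)
        elif current is None or not rest:
            continue  # option/list before any section, or a malformed line
        elif keyword == "option":
            current["options"][rest[0]] = rest[1] if len(rest) > 1 else ""
        elif keyword == "list":
            current["lists"].setdefault(rest[0], []).append(rest[1] if len(rest) > 1 else "")
    return sections


def zone_networks(zone: Dict) -> List[str]:
    """A zone may name its networks as one space-separated option or as list entries."""
    return zone["options"].get("network", "").split() + zone["lists"].get("network", [])


def tunnel_wiring(openvpn_text: str, network_text: str, firewall_text: str,
                  instance: str = "myvpn") -> Dict[str, object]:
    """Follow the instance's tun device through the network and firewall configs.

    Any None in the result marks the link in the chain that is missing.
    """
    ovpn = parse_uci(openvpn_text)
    inst = next((s for s in ovpn if s["type"] == "openvpn" and s["name"] == instance), None)
    dev = inst["options"].get("dev") if inst else None

    iface = next((s for s in parse_uci(network_text)
                  if s["type"] == "interface" and s["options"].get("ifname") == dev), None)

    fw = parse_uci(firewall_text)
    zone = None
    if iface:
        zone = next((z for z in fw if z["type"] == "zone" and iface["name"] in zone_networks(z)), None)

    forward_to: List[str] = []
    if zone:
        zname = zone["options"].get("name")
        forward_to = [f["options"].get("dest", "") for f in fw
                      if f["type"] == "forwarding" and f["options"].get("src") == zname]

    return {
        "dev": dev,
        "interface": iface["name"] if iface else None,
        "zone": zone["options"].get("name") if zone else None,
        "zone_input": zone["options"].get("input") if zone else None,
        "forward_to": forward_to,
        "pushed": inst["lists"].get("push", []) if inst else [],
    }


if __name__ == "__main__":
    for key, value in tunnel_wiring(OPENVPN_CFG, NETWORK_CFG, FIREWALL_CFG).items():
        print(f"{key}: {value}")
```

Two things the trace makes visible at a glance. First, `option dev 'tun'` (as in the earlier server snippet) does not match `option ifname 'tun0'`, so the interface and zone come back as None and the tunnel traffic is never covered by the `vpn` zone; the reply above spells the device out as `tun0` for exactly that reason. Second, `forward_to` lists only `wan`: in the replying commenter’s layout the main LAN sits behind the VPN router’s WAN port, so that single forwarding is enough, whereas on the guide’s single-router layout the LAN devices live in the `lan` zone and would need a `vpn` to `lan` forwarding as well. `zone_input 'ACCEPT'` also means connected clients can reach every service the router itself listens on, which is worth a conscious decision rather than a default.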

                • But it seems if you use Windows as a client you have to use tap, which is different than tun.
                  I got it working but only by bridging tap0 and LAN on the server.

                  • Glad you got it working.

                    I guess that is one of the limitations of Windows clients, although ironically I had originally thought that TAP interfaces would work better for my application (ultimately TUN has worked flawlessly).

                    I did forget to mention that I am using everything but Windows-based client systems (iOS which supports TUN only; MacOS with TunnelBlick; Linux – OpenWRT on an MR3020 configured as an OpenVPN client).

    16. Excellent guide – great work! I’m just curious about the download and upload speeds with the VPN running on the Archer C7?

    17. Thank you for the good manual.
      But what about connecting with password? I can’t find any settings about this.

      • I would not recommend using just username/password, you should really be using certificates. However, it can be done (see example here). Looks like it is using PAM, so I’m assuming the username/password you need are required to be local accounts on the server…
        # Username and Password authentication.
        client-cert-not-required
        plugin /usr/lib/openvpn/openvpn-auth-pam.so login

    18. I want to use certificates and username/password. By this manual I need to have just certificate on my phone and connection works. But if I lose my phone, my network will be in danger.

      • Unfortunately, I don’t know how to do username/password in addition to certificates. However, if you control the server, you could revoke that certificate if you lose your phone.

    19. Hi thank you for the tutorial.

      I have one question please. I have just purchased an AC1750 Wireless Dual Band Gigabit Router
      Model No. Archer C7
      Hardware Version:Archer C7 v2 00000000

      If I flash the Archer C7 with OpenWrt, will I be able to use a third-party VPN server .ovpn?

      Thank you
      Vasya

      • No, in this tutorial, I’m turning the C7 into a VPN server. If you want to use a third party .ovpn file, you probably want the C7 to be a VPN client.

    20. Thank you for this great guide, Logan!

      I posted this in response to your Reply to @Martin, but wasn’t sure if you would be notified of it, so here it is again:

      I was able to successfully set up an OpenVPN Server using OpenWRT on an Archer C7 and confirmed that the server is up by obtaining the ‘Initialization Sequence Completed’ prompt when looking at the logfile.

      However, I am unable to successfully connect the OpenVPN Server to the outside internet because, similarly to @Martin, I have the Archer C7 connected behind/to another router provided by my ISP:

      Router 1 > Archer C7 [on which OpenVPN Server is running];

      although, unlike @Martin, the OpenVPN Server is internal to the Archer C7 and not as [presumably] in @Martin’s situation on a separate device behind the Archer C7.

      On Router 1, whose internal IP Address is the standard 192.168.1.1, I set up DynamicDNS [which seems to be successfully updating my DynamicDNS Provider] and am forwarding Port 1194 to a Static IP Address that I set up for the Archer C7 that is within the subnet of Router 1 [192.168.1.x].

      On the Archer C7, whose internal IP Address, as suggested in your guide, I set up to be 10.10.1.1, I set up the IP Address of the OpenVPN Server, also as suggested in your guide, to be 10.8.0.0.

      How do I get the OpenVPN Server on the Archer C7 to successfully connect to the outside internet?

      I’ve attempted to Forward Port 1194 from the WAN of the Archer C7 to [the ‘vpn’ Internal Zone of] both [one at a time] the IP Address of the OpenVPN Server, 10.8.0.0, as well as the IP Address of the ‘VPN0/tun0’ Network, 10.8.0.1, but receive a ‘Port 1194 is not open’ prompt on my DynamicDNS Provider’s website.

      I’m able to confirm that the OpenVPN Server is unable to connect to the outside internet by navigating to the Network > Interface page of the OpenWRT LuCI and noticing that the Status of the ‘VPN0/tun0’ Network contains neither an IP Address, MAC-Address, nor any Received/Transmitted Packets.

      I also noticed that the ‘Allow-OpenVPN-Inbound’ Firewall Traffic Rule [visible when navigating to the Network > Firewall > Traffic Rules page of the OpenWRT LuCI] that you suggested in your guide be set up to ‘Accept [‘Any udp’] input’ ‘From any host in wan’ ‘To any router IP at port 1194 _on this device_.’

      Do I need to Forward Port 1194 on the Archer C7 in order for the OpenVPN Server to connect to the outside internet, or does the OpenVPN Server obtain its connection directly from the WAN of the Archer C7?

      If so, to which IP Address should I Port Forward; to which IP Address is the OpenVPN Server supposed to connect to the outside internet?

      Thank you again for a great guide and in advance for your advice!

    21. Hi Logan. Thank you for the great guide!

      I’ve worked through all of the steps and have a partially functioning VPN. I am able to successfully establish a VPN connection from my client (Android phone’s cellular connection) to the OpenVPN server on my home network’s Archer C7. Once established, I can ping my home router from an Android terminal app and can even login via Luci in a web browser.

      But I cannot access any web pages or ping other devices on my home network. Interestingly, Facebook Messenger works fine.

      Any idea what could be causing this?

      • Brad, unfortunately, I don’t use the Archer C7 anymore, so I won’t be much help to you.

        Did you make sure this was set?
        #push a local route to your clients (allow your clients to access the server’s network)
        uci add_list openvpn.myvpn.push="route 10.10.1.0 255.255.255.0"

    22. Hi Logan,

      My ISP uses double NAT. My public IP is in the range 139.5.XXX.XXX, and my router is then assigned an address in the range 10.2.XXX.XXX. Both are dynamic in nature. So what do you think, will your method work for me?

      • That’s a good question. Do you have access to both routers? If so, you can forward the port on both.

        If not, you may need to setup a VPS and tunnel your traffic to the VPS (letting the VPS be the OpenVPN server). Unfortunately, I don’t know how to set that up.

        I would recommend you do some Google-ing and also post to r/OpenVPN.

    23. Thanks Logan! Great guide.

      I followed the OpenVPN section loosely to get an OpenVPN server setup on my own Archer C7 a few weeks ago.

      I’m also happy to report that the config basically survives a firmware upgrade with the keep my config checkbox checked. The only step I had to do post-firmware upgrade to make my server work again is recreating the link between the openvpn-config directory and easy-rsa dir, then restarting the OpenVPN service.

      ln -s /etc/config/openvpn-config/ /etc/easy-rsa

    24. Hey great Tutorial!

      But I got a little problem. I can connect from my iPhone to my VPN server with no problems, but I don’t get an internet connection on it. I also tried to add 2 other traffic rules for the VPN:

      Allow-OpenVPN-Inbound
      Any udp
      From any host in wan
      To any router IP at port 1194 on this device
      Accept input

      VPN-HTTPS
      Any traffic
      From any host in vpn with source port 443
      To any host, port 443 in wan
      Accept forward

      VPN-HTTP
      Any traffic
      From any host in vpn with source port 80
      To any host, port 80 in wan

      But it doesn’t work.

      Can anyone help me out here?

      • It’s also weird that apps like WhatsApp and Facebook can use the internet, but the browsers don’t work..

      • Unfortunately, I don’t use OpenWrt anymore, so I won’t be of much help. Hopefully someone here will be able to assist.

    25. I have only today (21Feb18) realized that the post is for those who want the TP-Link as a server. I want a client. That is, the C7 sits behind the modem and handles all net traffic, with OpenVPN.

      With the router’s admin page showing both “CS” and “provider” in the “off” state, clicking the radio button for “Start” shows CS and provider do not start. Below is the last part of the syslog.

      Wed Feb 21 08:51:40 2018 daemon.notice openvpn(CRYPTOSTORM)[1637]: OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
      Wed Feb 21 08:51:40 2018 daemon.notice openvpn(CRYPTOSTORM)[1637]: library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.10
      Wed Feb 21 08:51:40 2018 daemon.err openvpn(CRYPTOSTORM)[1637]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Auth Username:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
      Wed Feb 21 08:51:40 2018 daemon.notice openvpn(CRYPTOSTORM)[1637]: Exiting due to fatal error
      Wed Feb 21 08:51:45 2018 daemon.err openvpn(provider)[1638]: Options error: In [CMD-LINE]:1: Error opening configuration file: openvpn-provider.conf
      Wed Feb 21 08:51:45 2018 daemon.warn openvpn(provider)[1638]: Use --help for more information.

      • I don’t run the client on my router, but I’m assuming you’re trying to use a username/password to authenticate and the client isn’t liking that.

    26. I’ve used four different posts by gearheads to get an OpenVPN tunnel up and running. I want to finalize the work by securing the ca certificates. As it is now, when I login to the router’s webUI I’m asked to click Continue as the certificate is untrusted. I’m desperate to not blow up the running device and have to start all over. (I’m in my 70s). Would changing the easy-rsa stuff above matter other than to the cert check?

      • Glad you got it working! The error you’re seeing in your browser is because the certificate is self-signed by the router (as opposed to a CA your browser trusts). You could try to setup a valid certificate (e.g., from Let’s Encrypt), however, I just proceed through the warnings.

    27. Hello,
      This is a very good guide. I got my server to run; I can see the start sequence complete. Also I am able to get the client files and load the profile in my OpenVPN client.
      There is a problem I cannot get past. I am getting a “Server poll timeout” message and then my connection is not established. Is there any reason why this is happening? I have checked my files and I don’t know where else to check to get it connected.

      • I don’t use my C7 anymore, so I probably won’t be much help. However, that means that your client (e.g., phone, laptop, etc…) can’t reach the server. Are you sure your IP didn’t change, or are you using dynamic DNS? Are you sure your firewall is allowing traffic?

    28. Thank you for the help. It turned out being an issue with the firewall, I managed to fix it and now the connection is working pretty good. Just have a couple or more questions that maybe you can help me with.

      1. Is there a way to auto start the OpenVPN service after a power loss event? I need to manually start the service when that happens.
      2. Once the connection is established, I do not have web access (e.g. Navigate the internet when connected, in case of cell phone apps some of them not working); I am probably missing something but not able to find the issue.

      Thanks,

      • Glad you got it figured out!

        1) You need to enable the service.
        /etc/init.d/openvpn enable
        2) You may need to push a route. Did you add this to your server config?
        #specify gateway to use
        uci add_list openvpn.myvpn.push="route-gateway dhcp"
        #redirect ALL traffic through the VPN server (this is IMPORTANT if you don't trust your local network)
        uci add_list openvpn.myvpn.push="redirect-gateway def1"
