Skip to content

Instantly share code, notes, and snippets.

@openfnord
Forked from hydrz/README
Created June 9, 2022 21:30
Show Gist options
  • Save openfnord/c6555fcfe19423b0eb8f89849f057c03 to your computer and use it in GitHub Desktop.
Save openfnord/c6555fcfe19423b0eb8f89849f057c03 to your computer and use it in GitHub Desktop.
OpenWrt Setup Multiple OpenVPN Server to Different VLANs
# How to Setup Multiple OpenVPN Server to Different VLANs
## Server Configs
The directories and configuration files that will be used:
- /etc/config/firewall
- /etc/config/network
- /etc/config/openvpn
- /etc/openvpn
## This is a network topology for this example:
https://creately.com/diagram/jqvt7mog/XMLuTm22lf8t2ZGA2XqaZx0sSn8%3D
### Network VLAN Configuration Breakdown
There are three VLANs created in this example. Each Network interface was added to their own specific VLAN ID with a respective VPN server configured to connect to them.
List of VLANs:
- Private: VLAN1 (eth0.1) = Magick Mushroom, Gaming (Private network)
- Guest: VLAN3 (eth0.3) = Slave (Guest network)
- Tor: VLAN4 (eth0.4) = tor (annonymity network)
#!/bin/sh
#This script will create a VPN Server to connect to private lan network.
# Installing packages
opkg update
opkg install openssl-util openvpn-openssl
# Creating Directory Structure
VPN_DIR="/etc/openvpn/lan"
PKI_DIR="$VPN_DIR/ssl"
if [ -d "$PKI_DIR" ]
then
rm -rf "$PKI_DIR"
fi
mkdir -p "$PKI_DIR"
chmod -R 600 "$PKI_DIR"
cd "$PKI_DIR"
touch index.txt index
echo 1000 > serial
cp -f /etc/ssl/openssl.cnf "$PKI_DIR"
# Customizing openssl.cnf
PKI_CONF="$PKI_DIR/openssl.cnf"
sed -i "
s:\\\\:/:g
/^dir/ s:=.*:= $PKI_DIR:
/^new_certs_dir/ s:=.*:= $PKI_DIR:
/.*Name/ s:= match:= optional:
/organizationName_default/ s:= .*:= FXFT:
/stateOrProvinceName_default/ s:= .*:= FJ:
/countryName_default/ s:= .*:= CN:
/default_days/ s:=.*:= 3650:
/default_bits/ s:=.*:= 4096:
" "$PKI_CONF"
cat << "EOF" >> "$PKI_CONF"
[ lanvpnserver ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ lanvpnclient ]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
# Generating Server PSK and CA, Server, & Client Certs
# Generating Certifcate Authority Cert & Key
openssl req -batch -nodes -new -keyout "ca.key" -out "ca.crt" -x509 -config "$PKI_CONF" -days "3650"
# Generating Server Cert & Key
openssl req -batch -nodes -new -keyout "lanvpnserver.key" -out "lanvpnserver.csr" -subj "/CN=lanvpnserver" -config "$PKI_CONF"
# Signing Server Cert
openssl ca -batch -keyfile "ca.key" -cert "ca.crt" -in "lanvpnserver.csr" -out "lanvpnserver.crt" -config "$PKI_CONF" -extensions "lanvpnserver"
# Generating Client Cert & Key
# PASSPHRASE MUST BE SET (4 chars minimum, 16+ chars recommended)
openssl req -batch -new -keyout "lanvpnclient.key" -out "lanvpnclient.csr" -subj "/CN=lanvpnclient" -config "$PKI_CONF"
# Signing Client Cert
openssl ca -batch -keyfile "ca.key" -cert "ca.crt" -in "lanvpnclient.csr" -out "lanvpnclient.crt" -config "$PKI_CONF" -extensions "lanvpnclient"
# Generating OpenVPN TLS PSK
openvpn --genkey --secret "tc.pem"
# Generating Diffie-Hellman Cert
# May take a while to complete (~25m on WRT3200ACM)
openssl dhparam -out "dh.pem" 2048
# Correcting Permissions
chmod 600 tc.pem dh.pem ca.key lanvpnserver.key lanvpnclient.key
# Copying Certs & Keys to $VPN_DIR
cp tc.pem dh.pem ca.crt lanvpnserver.* lanvpnclient.* "$VPN_DIR"
# Returning to initial working directory
cd -
# Don
#!/bin/sh
# Installing packages
#opkg update
#opkg install openssl-util openvpn-openssl
# Creating Directory Structure
VPN_DIR="/etc/openvpn/slave"
PKI_DIR="$VPN_DIR/ssl"
if [ -d "$PKI_DIR" ]
then
rm -rf "$PKI_DIR"
fi
mkdir -p "$PKI_DIR"
chmod -R 600 "$PKI_DIR"
cd "$PKI_DIR"
touch index.txt index
echo 1000 > serial
cp -f /etc/ssl/openssl.cnf "$PKI_DIR"
# Customizing openssl.cnf
PKI_CONF="$PKI_DIR/openssl.cnf"
sed -i "
s:\\\\:/:g
/^dir/ s:=.*:= $PKI_DIR:
/^new_certs_dir/ s:=.*:= $PKI_DIR:
/.*Name/ s:= match:= optional:
/organizationName_default/ s:= .*:= slave.Infraverse:
/stateOrProvinceName_default/ s:= .*:= Yorkshire:
/countryName_default/ s:= .*:= UK:
/default_days/ s:=.*:= 3650:
/default_bits/ s:=.*:= 4096:
" "$PKI_CONF"
cat << "EOF" >> "$PKI_CONF"
[ slavevpnserver ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ slavevpnclient ]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
# Generating Server PSK and CA, Server, & Client Certs
# Generating Certifcate Authority Cert & Key
openssl req -batch -nodes -new -keyout "ca.key" -out "ca.crt" -x509 -config "$PKI_CONF" -days "3650"
# Generating Server Cert & Key
openssl req -batch -nodes -new -keyout "slavevpnserver.key" -out "slavevpnserver.csr" -subj "/CN=slavevpnserver" -config "$PKI_CONF"
# Signing Server Cert
openssl ca -batch -keyfile "ca.key" -cert "ca.crt" -in "slavevpnserver.csr" -out "slavevpnserver.crt" -config "$PKI_CONF" -extensions "slavevpnserver"
# Generating Client Cert & Key
# PASSPHRASE MUST BE SET (4 chars minimum, 16+ chars recommended)
openssl req -batch -new -keyout "slavevpnclient.key" -out "slavevpnclient.csr" -subj "/CN=slavevpnclient" -config "$PKI_CONF"
# Signing Client Cert
openssl ca -batch -keyfile "ca.key" -cert "ca.crt" -in "slavevpnclient.csr" -out "slavevpnclient.crt" -config "$PKI_CONF" -extensions "slavevpnclient"
# Generating OpenVPN TLS PSK
openvpn --genkey --secret "tc.pem"
# Generating Diffie-Hellman Cert
# May take a while to complete (~25m on WRT3200ACM)
openssl dhparam -out "dh.pem" 2048
# Correcting Permissions
chmod 600 tc.pem dh.pem ca.key slavevpnserver.key slavevpnclient.key
# Copying Certs & Keys to $VPN_DIR
cp tc.pem dh.pem ca.crt slavevpnserver.* slavevpnclient.* "$VPN_DIR"
# Returning to initial working directory
cd -
# Done
#!/bin/sh
# Installing packages
#opkg update
#opkg install openssl-util openvpn-openssl
# Creating Directory Structure
VPN_DIR="/etc/openvpn/tor"
PKI_DIR="$VPN_DIR/ssl"
if [ -d "$PKI_DIR" ]
then
rm -rf "$PKI_DIR"
fi
mkdir -p "$PKI_DIR"
chmod -R 600 "$PKI_DIR"
cd "$PKI_DIR"
touch index.txt index
echo 1000 > serial
cp -f /etc/ssl/openssl.cnf "$PKI_DIR"
# Customizing openssl.cnf
PKI_CONF="$PKI_DIR/openssl.cnf"
sed -i "
s:\\\\:/:g
/^dir/ s:=.*:= $PKI_DIR:
/^new_certs_dir/ s:=.*:= $PKI_DIR:
/.*Name/ s:= match:= optional:
/organizationName_default/ s:= .*:= tor-Infraverse:
/stateOrProvinceName_default/ s:= .*:= Yorkshire:
/countryName_default/ s:= .*:= UK:
/default_days/ s:=.*:= 3650:
/default_bits/ s:=.*:= 4096:
" "$PKI_CONF"
cat << "EOF" >> "$PKI_CONF"
[ torvpnserver ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ torvpnclient ]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
# Generating Server PSK and CA, Server, & Client Certs
# Generating Certifcate Authority Cert & Key
openssl req -batch -nodes -new -keyout "ca.key" -out "ca.crt" -x509 -config "$PKI_CONF" -days "3650"
# Generating Server Cert & Key
openssl req -batch -nodes -new -keyout "torvpnserver.key" -out "torvpnserver.csr" -subj "/CN=torvpnserver" -config "$PKI_CONF"
# Signing Server Cert
openssl ca -batch -keyfile "ca.key" -cert "ca.crt" -in "torvpnserver.csr" -out "torvpnserver.crt" -config "$PKI_CONF" -extensions "torvpnserver"
# Generating Client Cert & Key
# PASSPHRASE MUST BE SET (4 chars minimum, 16+ chars recommended)
openssl req -batch -new -keyout "torvpnclient.key" -out "torvpnclient.csr" -subj "/CN=torvpnclient" -config "$PKI_CONF"
# Signing Client Cert
openssl ca -batch -keyfile "ca.key" -cert "ca.crt" -in "torvpnclient.csr" -out "torvpnclient.crt" -config "$PKI_CONF" -extensions "torvpnclient"
# Generating OpenVPN TLS PSK
openvpn --genkey --secret "tc.pem"
# Generating Diffie-Hellman Cert
# May take a while to complete (~25m on WRT3200ACM)
openssl dhparam -out "dh.pem" 2048
# Correcting Permissions
chmod 600 tc.pem dh.pem ca.key torvpnserver.key torvpnclient.key
# Copying Certs & Keys to $VPN_DIR
cp tc.pem dh.pem ca.crt torvpnserver.* torvpnclient.* "$VPN_DIR"
# Returning to initial working directory
cd -
# Done
#!/bin/sh
# Obtaining server address from WAN-interface IP
source /lib/functions/network.sh
network_find_wan WAN_IF
network_get_ipaddr SERVER_ADDR "$WAN_IF"
# Obtaining server address from DDNS client service
SERVER_FQDN="$(uci -q get $(uci -q show ddns \
| sed -n -e "s/^\(.*\)\.enabled='1'$/\1/p" \
| head -n 1).lookup_host)"
if [ -n "$SERVER_FQDN" ]
then
SERVER_ADDR="$SERVER_FQDN"
fi
# Setting configuration parameters
SERVER_PORT="$(uci get openvpn.lanvpn.port)"
SERVER_PROTO="$(uci get openvpn.lanvpn.proto)"
CLIENT_DEV="$(uci get openvpn.lanvpn.dev | sed -e "s/\d*$//")"
CLIENT_COMPR="$(uci get openvpn.lanvpn.compress)"
VPN_DIR="/etc/openvpn/lan"
TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "$VPN_DIR/tc.pem")"
CA_CERT="$(openssl x509 -in "$VPN_DIR/ca.crt")"
# Generating .ovpn-files
grep -l -e "TLS Web Client Authentication" "$VPN_DIR"/*.crt \
| sed -e "s/^.*\///;s/\.[^.]*$//" \
| while read CLIENT_ID
do
CLIENT_CERT="$(openssl x509 -in "$VPN_DIR/$CLIENT_ID.crt")"
CLIENT_KEY="$(cat "$VPN_DIR/$CLIENT_ID.key")"
CLIENT_CONF="$VPN_DIR/$CLIENT_ID.ovpn"
cat << EOF > "$CLIENT_CONF"
verb 3
nobind
dev $CLIENT_DEV
client
remote $SERVER_ADDR $SERVER_PORT $SERVER_PROTO
fast-io
compress $CLIENT_COMPR
auth-nocache
remote-cert-tls server
<tls-crypt>
$TC_KEY
</tls-crypt>
<ca>
$CA_CERT
</ca>
<cert>
$CLIENT_CERT
</cert>
<key>
$CLIENT_KEY
</key>
EOF
done
# Setting permissions
chmod 600 "$VPN_DIR"/*.ovpn
# Showing generated .ovpn-files
head -v -n -0 "$VPN_DIR"/*.ovpn
# Done
#!/bin/sh
# Obtaining server address from WAN-interface IP
source /lib/functions/network.sh
network_find_wan WAN_IF
network_get_ipaddr SERVER_ADDR "$WAN_IF"
# Obtaining server address from DDNS client service
SERVER_FQDN="$(uci -q get $(uci -q show ddns \
| sed -n -e "s/^\(.*\)\.enabled='1'$/\1/p" \
| head -n 1).lookup_host)"
if [ -n "$SERVER_FQDN" ]
then
SERVER_ADDR="$SERVER_FQDN"
fi
# Setting configuration parameters
SERVER_PORT="$(uci get openvpn.slavevpn.port)"
SERVER_PROTO="$(uci get openvpn.slavevpn.proto)"
CLIENT_DEV="$(uci get openvpn.slavevpn.dev | sed -e "s/\d*$//")"
CLIENT_COMPR="$(uci get openvpn.slavevpn.compress)"
VPN_DIR="/etc/openvpn/slave"
TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "$VPN_DIR/tc.pem")"
CA_CERT="$(openssl x509 -in "$VPN_DIR/ca.crt")"
# Generating .ovpn-files
grep -l -e "TLS Web Client Authentication" "$VPN_DIR"/*.crt \
| sed -e "s/^.*\///;s/\.[^.]*$//" \
| while read CLIENT_ID
do
CLIENT_CERT="$(openssl x509 -in "$VPN_DIR/$CLIENT_ID.crt")"
CLIENT_KEY="$(cat "$VPN_DIR/$CLIENT_ID.key")"
CLIENT_CONF="$VPN_DIR/$CLIENT_ID.ovpn"
cat << EOF > "$CLIENT_CONF"
verb 3
nobind
dev $CLIENT_DEV
client
remote $SERVER_ADDR $SERVER_PORT $SERVER_PROTO
fast-io
compress $CLIENT_COMPR
auth-nocache
remote-cert-tls server
<tls-crypt>
$TC_KEY
</tls-crypt>
<ca>
$CA_CERT
</ca>
<cert>
$CLIENT_CERT
</cert>
<key>
$CLIENT_KEY
</key>
EOF
done
# Setting permissions
chmod 600 "$VPN_DIR"/*.ovpn
# Showing generated .ovpn-files
head -v -n -0 "$VPN_DIR"/*.ovpn
# Done
#!/bin/sh
# Obtaining server address from WAN-interface IP
source /lib/functions/network.sh
network_find_wan WAN_IF
network_get_ipaddr SERVER_ADDR "$WAN_IF"
# Obtaining server address from DDNS client service
SERVER_FQDN="$(uci -q get $(uci -q show ddns \
| sed -n -e "s/^\(.*\)\.enabled='1'$/\1/p" \
| head -n 1).lookup_host)"
if [ -n "$SERVER_FQDN" ]
then
SERVER_ADDR="$SERVER_FQDN"
fi
# Setting configuration parameters
SERVER_PORT="$(uci get openvpn.torvpn.port)"
SERVER_PROTO="$(uci get openvpn.torvpn.proto)"
CLIENT_DEV="$(uci get openvpn.torvpn.dev | sed -e "s/\d*$//")"
CLIENT_COMPR="$(uci get openvpn.torvpn.compress)"
VPN_DIR="/etc/openvpn/tor"
TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "$VPN_DIR/tc.pem")"
CA_CERT="$(openssl x509 -in "$VPN_DIR/ca.crt")"
# Generating .ovpn-files
grep -l -e "TLS Web Client Authentication" "$VPN_DIR"/*.crt \
| sed -e "s/^.*\///;s/\.[^.]*$//" \
| while read CLIENT_ID
do
CLIENT_CERT="$(openssl x509 -in "$VPN_DIR/$CLIENT_ID.crt")"
CLIENT_KEY="$(cat "$VPN_DIR/$CLIENT_ID.key")"
CLIENT_CONF="$VPN_DIR/$CLIENT_ID.ovpn"
cat << EOF > "$CLIENT_CONF"
verb 3
nobind
dev $CLIENT_DEV
client
remote $SERVER_ADDR $SERVER_PORT $SERVER_PROTO
fast-io
compress $CLIENT_COMPR
auth-nocache
remote-cert-tls server
<tls-crypt>
$TC_KEY
</tls-crypt>
<ca>
$CA_CERT
</ca>
<cert>
$CLIENT_CERT
</cert>
<key>
$CLIENT_KEY
</key>
EOF
done
# Setting permissions
chmod 600 "$VPN_DIR"/*.ovpn
# Showing generated .ovpn-files
head -v -n -0 "$VPN_DIR"/*.ovpn
# Done
# /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config zone
option name 'slave'
option forward 'REJECT'
option output 'ACCEPT'
option network 'slave'
option input 'REJECT'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'Slave dns'
option src 'slave'
config rule
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
option name 'slave dhcp'
option src 'slave'
config zone
option name 'tor'
option forward 'REJECT'
option output 'ACCEPT'
option network 'tor'
option input 'ACCEPT'
option syn_flood '1'
option conntrack '1'
config rule
option src 'tor'
option proto 'udp'
option dest_port '67'
option target 'ACCEPT'
option name 'tor DHCP'
config rule
option src 'tor'
option proto 'tcp'
option dest_port '9040'
option target 'ACCEPT'
option name 'tor transport'
config rule
option src 'tor'
option proto 'udp'
option dest_port '9053'
option target 'ACCEPT'
option name 'tor dns'
config redirect
option name 'Redirect-Tor-Traffic'
option src 'tor'
option src_dip '!10.1.1.1'
option dest_port '9040'
option proto 'tcp'
option target 'DNAT'
config redirect
option name 'Redirect-Tor-DNS'
option src 'tor'
option src_dport '53'
option dest_port '9053'
option proto 'udp'
option target 'DNAT'
config forwarding
option dest 'wan'
option src 'lan'
config forwarding
option dest 'wan'
option src 'tor'
config forwarding
option dest 'tor'
option src 'wan'
config forwarding
option dest 'wan'
option src 'slave'
# /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdfb:7e04:aca7::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.0.1'
option gateway '192.168.0.1'
option broadcast '192.168.0.255'
option dns '8.8.8.8'
config interface 'wan'
option ifname 'eth1.2'
option proto 'dhcp'
option hostname 'infraverse.network'
config interface 'wan6'
option ifname 'eth1.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t 1 2 3 5t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
option vid '2'
config interface 'slave'
option type 'bridge'
option proto 'static'
option ipaddr '172.16.0.1'
option netmask '255.255.0.0'
option ifname 'eth0.3 radio1'
option gateway '172.16.0.1'
option broadcast '172.16.255.255'
config interface 'tor'
option proto 'static'
option ipaddr '10.1.1.1'
option netmask '255.0.0.0'
option type 'bridge'
option ifname 'eth0.4'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '3'
option ports '0t 5t'
config switch_vlan
option device 'switch0'
option vlan '4'
option vid '4'
option ports '0t 5t'
config interface 'lanvpn'
option proto 'none'
option ifname 'tun0'
config interface 'slavevpn'
option proto 'none'
option ifname 'tun1'
config interface 'torvpn'
option proto 'none'
option ifname 'tun2'
# /etc/config/openvpn
# Configure the OpenVPN config file with the following configurations to match the network interfaces created.
config openvpn 'custom_config'
option config '/etc/openvpn/my-vpn.conf'
config openvpn 'sample_server'
option port '1194'
option proto 'udp'
option dev 'tun'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/server.crt'
option key '/etc/openvpn/server.key'
option dh '/etc/openvpn/dh1024.pem'
option server '10.8.0.0 255.255.255.0'
option ifconfig_pool_persist '/tmp/ipp.txt'
option keepalive '10 120'
option compress 'lzo'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option status '/tmp/openvpn-status.log'
option verb '3'
config openvpn 'sample_client'
option client '1'
option dev 'tun'
option proto 'udp'
list remote 'my_server_1 1194'
option resolv_retry 'infinite'
option nobind '1'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/client.crt'
option key '/etc/openvpn/client.key'
option compress 'lzo'
option verb '3'
config openvpn 'lanvpn'
option enabled '1'
option verb '11'
option log '/var/log/openvpn/openvpn.log'
option log_append '/var/log/openvpn/openvpn.log'
option dev 'tun0'
option port '1999'
option proto 'udp'
option server '192.168.200.0 255.255.255.0'
option client_to_client '1'
option compress 'lzo'
option keepalive '10 120'
option persist_tun '1'
option persist_key '1'
option dh '/etc/openvpn/lan/dh.pem'
option tls_crypt '/etc/openvpn/lan/tc.pem'
option ca '/etc/openvpn/lan/ca.crt'
option cert '/etc/openvpn/lan/lanvpnserver.crt'
option key '/etc/openvpn/lan/lanvpnserver.key'
list push 'redirect-gateway def1'
list push 'route 192.168.0.0 255.255.255.0'
list push 'dhcp-option DNS 192.168.0.1'
list push 'compress lzo'
list push 'persist-tun'
list push 'persist-key'
list push 'dhcp-option DOMAIN lan'
config openvpn 'slavevpn'
option enabled '1'
option verb '3'
option port '1111'
option proto 'udp'
option server '172.16.200.0 255.255.255.0'
option client_to_client '1'
option compress 'lzo'
option keepalive '10 120'
option persist_tun '1'
option persist_key '1'
option dh '/etc/openvpn/slave/dh.pem'
option tls_crypt '/etc/openvpn/slave/tc.pem'
option ca '/etc/openvpn/slave/ca.crt'
option cert '/etc/openvpn/slave/slavevpnserver.crt'
option key '/etc/openvpn/slave/slavevpnserver.key'
list push 'redirect-gateway def1'
list push 'route 172.16.0.0 255.255.0.0'
list push 'dhcp-option DNS 192.168.0.1'
list push 'compress lzo'
list push 'persist-tun'
list push 'persist-key'
list push 'dhcp-option DOMAIN lan'
option dev 'tun1'
config openvpn 'torvpn'
option enabled '1'
option verb '3'
option port '666'
option proto 'udp'
option server '10.1.200.0 255.255.255.0'
option client_to_client '1'
option compress 'lzo'
option keepalive '10 120'
option persist_tun '1'
option persist_key '1'
option dh '/etc/openvpn/tor/dh.pem'
option tls_crypt '/etc/openvpn/tor/tc.pem'
option ca '/etc/openvpn/tor/ca.crt'
option cert '/etc/openvpn/tor/torvpnserver.crt'
option key '/etc/openvpn/tor/torvpnserver.key'
list push 'redirect-gateway def1'
list push 'route 10.1.1.0 255.0.0.0'
list push 'dhcp-option DNS 10.1.1.1'
list push 'compress lzo'
list push 'persist-tun'
list push 'persist-key'
list push 'dhcp-option DOMAIN lan'
option dev 'tun2'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment