Changes

2,385 bytes removed, 08:46, 7 September 2021
Changed most of the instruction
Line 15: Line 15:  
'''Topology scheme''':
 
'''Topology scheme''':
   −
[[File:OpenVpn schema.png|alt=|749x749px]]
+
[[File:OpenVpn schema.png|alt=|749x749px|border]]
    
The figure above depicts the OpenVPN traffic split scheme. A RUTxxx router acts as an OpenVPN client (virtual IP: '''172.16.0.2''') that is connected to a remote OpenVPN server (virtual IP '''172.16.0.1'''). The routers LAN/WiFi LAN IP addresses range from 192.168.1x.1 to 192.168.1x.254.
 
The figure above depicts the OpenVPN traffic split scheme. A RUTxxx router acts as an OpenVPN client (virtual IP: '''172.16.0.2''') that is connected to a remote OpenVPN server (virtual IP '''172.16.0.1'''). The routers LAN/WiFi LAN IP addresses range from 192.168.1x.1 to 192.168.1x.254.
Line 25: Line 25:  
Most of the router's configuration will be done via a command line interface. You can find detailed instruction on all command line interfaces supported by RUTxxx routers '''[[Command line interfaces|here]]'''. Choose one that is available or most preferred by you and you will still be able to follow the guide step-by-step regardless of which method you chose as the commands used will remain identical.
 
Most of the router's configuration will be done via a command line interface. You can find detailed instruction on all command line interfaces supported by RUTxxx routers '''[[Command line interfaces|here]]'''. Choose one that is available or most preferred by you and you will still be able to follow the guide step-by-step regardless of which method you chose as the commands used will remain identical.
   −
===OpenVPN client===
+
=== OpenVPN client===
 
----
 
----
* First, you must create an OpenVPN client instance on your router. You can do this either via command line or from the router's WebUI, '''Services → VPN → OpenVPN''' section. We will not go into further detail on this because the client's configuration will depend on the OpenVPN server that you are connecting to. You can find detailed instructions on how to create and configure an OpenVPN client instance in our '''[[OpenVPN configuration examples]]''' article, which also contains information on how to configure an OpenVPN server on a RUTxxx router, if that is what you are using for this configuration.
+
*First, you must create an OpenVPN client instance on your router. You can do this either via command line or from the router's WebUI, '''Services → VPN → OpenVPN''' section. We will not go into further detail on this because the client's configuration will depend on the OpenVPN server that you are connecting to. You can find detailed instructions on how to create and configure an OpenVPN client instance in our '''[[OpenVPN configuration examples]]''' article, which also contains information on how to configure an OpenVPN server on a RUTxxx router, if that is what you are using for this configuration.
 
----
 
----
* Once you have configured your OpenVPN client, you should probably test whether the OpenVPN connection is operational as this will make troubleshooting easier later on. The easiest way to do so is to login to the router's WebUI and check OpenVPN status in '''Status → Services:''':
+
*Once you have configured your OpenVPN client, you should probably test whether the OpenVPN connection is operational as this will make troubleshooting easier later on. The easiest way to do so is to login to the router's WebUI and check OpenVPN status in '''Status → Services:''':
    
[[File:OpenVPN.png|alt=|859x859px]]
 
[[File:OpenVPN.png|alt=|859x859px]]
 
----
 
----
* If the connection was successful, we can start the traffic split configuration. First, we'll need to Edit LAN network to use IP address 192.168.10.1. It can be done in section '''Network''' '''→ Interfaces → General settings:''' [[File:LAN.png]]
+
*If the connection was successful, we can start the traffic split configuration. First, we'll need to Edit LAN network to use IP address 192.168.10.1. It can be done in section '''Network''' '''→ Interfaces → General settings:''' [[File:LAN.png]]
    
----
 
----
* Next, we'll need to create wireless interface to use a custom network (wifi_lan) and disable encryption for convenience. In order to do this, navigate '''Network''' '''→ Wireless''' and click '''edit:'''
+
*Next, we'll need to create wireless interface to use a custom network (wifi_lan) and disable encryption for convenience. In order to do this, navigate '''Network''' '''→ Wireless''' and click '''edit:'''
 +
[[File:WIFI.png|884x884px]]
 +
 
 
<ul>
 
<ul>
 
<li>
 
<li>
When you're finished, press the "Esc" button and type ''':wq''' to save the changes and exit the editor (''Control + Z'' to exit without saving). The values highlighted in red are dependent on your configuration and will most likely need to be changed:
+
In section '''Network''' select '''Custom''' and add your preferred interface name. In this example we use WIFI_LAN:
 
</li>
 
</li>
<ul>
+
</ul>[[File:Wifi network.png|877x877px]]
<li>
+
 
option ifname '<span style="color:red">tun_c_MyClient</span>' - your OpenVPN interface's name. You can check it with this command: '''ifconfig | grep tun'''. The response should look something like this:
+
*Disable wifi encryption in '''Wireless security''' section, by choosing encryption type '''No encryption.''' Once you're finished, press '''Save & Apply''' and interface configuration windows will appears.
<pre>
+
*In '''general settings''' edit wifi_lan interface to specify IPv4 address (e.g. 192.168.11.1). Press '''Save & Apply.'''
tun_c_MyClient Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
+
 
</pre>
+
----
'''NOTE''': if the response is empty, your OpenVPN connection might be down.
+
*Next, we'll need to create new interface ( e.g named VPN). In '''Physical settings''' add a tunnel interface name as custom. Tunnel interface name can be checked via ''ifconfig'' command via SSH/CLI. In this case it is named "tun_c_Testas". Don’t forget to save configuration.
</li>
+
[[File:Testas.png|877x877px]]
<li> option gateway '<span style="color:red">10.0.0.5</span>' - your virtual remote endpoint (or ''P-t-P''). You can check it with this command: '''ifconfig tun_c_MyClient'''. Replace the ''MyClient'' part with your own OpenVPN interface name. The response should look something like this:
  −
<pre>
  −
tun_c_MyClient Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
  −
              inet addr:10.0.0.6  P-t-P:10.0.0.5  Mask:255.255.255.255
  −
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
  −
              RX packets:62249 errors:0 dropped:0 overruns:0 frame:0
  −
              TX packets:62698 errors:0 dropped:1 overruns:0 carrier:0
  −
              collisions:0 txqueuelen:100
  −
              RX bytes:53341014 (50.8 MiB) TX bytes:11974147 (11.4 MiB)
  −
</pre>
  −
</li>
  −
<li>
  −
option src '<span style="color:red">192.168.1.128/25</span>' - devices from this IP range will use the OpenVPN server as the default gateway to the Internet.
  −
</li>
  −
</ul>
  −
</ul>
   
----
 
----
* Next, we'll need to create short custom script ''/etc/openvpn/up.sh'', that would add a route which makes the specified LAN range reach the Internet via the OpenVPN server:
+
*When your done with the configuration run SSH client or CLI and connect to the router. Once connected execute these commands:
   −
  echo -e '#!/bin/ash'"\n"'ip route add default via 10.0.0.5 table rt' > /etc/openvpn/up.sh
+
  opkg update
----
+
 
* Next, we'll need to grant executable permissions to newly created script:
+
*This command will update all opkg packages in router. Once update is finished install VPN policy routing using command:
   −
  chmod +x /etc/openvpn/up.sh
+
  opkg install vpn-policy-routing
----
  −
* Finally, we'll need to edit router's OpenVPN script ''/etc/init.d/openvpn'', so that it would execute previously created ''/etc/openvpn/up.sh'' script each time OpenVPN tunnel is established. Type '''vi /etc/init.d/openvpn''' and press the "I" button on your keyboard to begin editing. Scroll down until you will find '''start_instance()''' function. Add the following lines, <span style="color:red">highlighted in red</span>, at the end of '''start_instance()''' function:
     −
start_instance() {
+
* After successful installation time to configure VPN traffic splitting. In order to do so '''one by one''' execute the following uci commands (be aware that your configuration may vary):
        local s="$1"
  −
  −
        .....
  −
        .....
  −
        .....
  −
       
  −
        config_list_foreach "$s" "_extra" append_extended_params
  −
  −
        openvpn_add_instance "$s" "/var/etc" "openvpn-$s.conf" "/tmp/openvpn-$s.status"
  −
  −
        <span style="color:red">echo 'script-security 2' >> $OPENVPN_CONFIG</span>
  −
        <span style="color:red">echo 'up /etc/openvpn/up.sh' >> $OPENVPN_CONFIG</span>
  −
}
  −
When you're finished, press the "Esc" button and type ''':wq''' to save the changes and exit the editor (''Control + Z'' to exit without saving).
  −
----
  −
* When your done with the configuration, don't forget to restart the relevant services. You can do this by restarting the entire router ('''reboot''' command) or just restart the '''network''' and '''openvpn''' services:
     −
  /etc/init.d/network restart
+
  uci set vpn-policy-routing.config.enabled="1"
  /etc/init.d/openvpn restart
+
while uci -q delete vpn-policy-routing.@policy[0]; do :; done
 +
uci add vpn-policy-routing policy
 +
uci set vpn-policy-routing.@policy[-1].dest_addr="192.168.10.0/24 192.168.11.0/24"
 +
uci set vpn-policy-routing.@policy[-1].interface="ignore"
 +
uci add vpn-policy-routing policy
 +
uci set vpn-policy-routing.@policy[-1].src_addr="192.168.11.0/24"
 +
  uci set vpn-policy-routing.@policy[-1].interface="VPN"
 +
uci commit
   −
'''NOTE''': restarting the network service will cause a brief '''data connection loss'''.
+
* When your done with the configuration, restart VPN policy routing service using:
    +
/etc/init.d/vpn-policy-routing restart
 +
----
 
==Testing the setup==
 
==Testing the setup==
    
If you've followed the steps presented above, your configuration should be finished. But as with any other configuration, it is always wise to test the setup in order to make sure that it works properly. In order to test this particular configuration, a few steps have to be taken:
 
If you've followed the steps presented above, your configuration should be finished. But as with any other configuration, it is always wise to test the setup in order to make sure that it works properly. In order to test this particular configuration, a few steps have to be taken:
   −
* Check the newly created routing table with the '''ip route show table rt''' command (where ''rt'' is table's name). If everything is in order, the response should contain this line (values highlighted in red should be from your own configuration):
+
*Check the newly created routing table with the '''ip route show table rt''' command (where ''rt'' is table's name). If everything is in order, the response should contain this line (values highlighted in red should be from your own configuration):
 
  −
default via <span style="color:red">10.0.0.5</span> dev <span style="color:red">tun_c_MyClient</span> proto static
  −
----
  −
* Check whether the correct IP rule has been added. You can do this with the '''ip rule'''. The response should look something like this (the rule from our configuration is highlighted in red):
     −
  0: from all lookup local
+
  d
<span style="color:red">10: from 192.168.1.128/25 iif br-lan lookup rt</span>
+
*Check whether devices with IPs from different interfaces reach the Internet through the default gateway. According to our configuration, if a device are connected to WAN interface, its Public IP should be that of the router's or SIM; if the device connected to WiFi LAN, its Public IP should be that of the OpenVPN server. You can check the Public IP address in '''[http://www.whatsmyip.org/ this website].'''
32766: from all lookup main
  −
32767: from all lookup default
  −
----
  −
* Check whether devices with IPs from different ranges reach the Internet through the default gateway. If you only have one device at your disposal at the time, you can configure a static IP address (guide for Linux users '''[[Setting up a Static IP address on a Ubuntu 16.04 PC|here]]'''; for Windows '''[[Setting up a Static IP address on a Windows 10 PC|here]]''') for that device in one range and later in the other. According to our configuration, if a device's IP falls in the range of 192.168.1.1 - 192.168.1.127, its Public IP should be that of the router's; if the IP falls in the range of 192.168.1.128 - 192.168.1.254, its Public IP should be that of the OpenVPN server. You can check the Public IP address in '''[http://www.whatsmyip.org/ this website].
   
----
 
----
 
If all of the above is in order, congratulations, your configuration works!
 
If all of the above is in order, congratulations, your configuration works!
   −
==See also==
+
==See also ==
   −
* Other OpenVPN related articles from our wiki:
+
*Other OpenVPN related articles from our wiki:
** [[How to generate TLS certificates (Windows)?]] - a guide on generating TLS certificates for Windows users
+
**[[How to generate TLS certificates (Windows)?]] - a guide on generating TLS certificates for Windows users
** [[VPN#OpenVPN|OpenVPN Manual section]] - OpenVPN section of the router's manual
+
**[[VPN#OpenVPN|OpenVPN Manual section]] - OpenVPN section of the router's manual
** [[OpenVPN configuration examples]] - basic OpenVPN configuration scenarios with detailed examples
+
**[[OpenVPN configuration examples]] - basic OpenVPN configuration scenarios with detailed examples
** [[OpenVPN client on Windows]] - an example describing how to configure an OpenVPN client on a Windows computer
+
**[[OpenVPN client on Windows]] - an example describing how to configure an OpenVPN client on a Windows computer
** [[OpenVPN server on Windows]] - an example describing how to configure an OpenVPN server on a Windows computer
+
**[[OpenVPN server on Windows]] - an example describing how to configure an OpenVPN server on a Windows computer
    
==External links==
 
==External links==
   −
* http://www.whatsmyip.org/ - for checking your Public IP address
+
*http://www.whatsmyip.org/ - for checking your Public IP address
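Review bot: the retained Testing steps no longer match the procedure above them. The new configuration installs vpn-policy-routing and only sets uci policies; nothing in it creates a routing table named rt, yet the test still tells the reader to run '''ip route show table rt''' and to expect '''default via 10.0.0.5 dev tun_c_MyClient proto static''' and the rule '''10: from 192.168.1.128/25 iif br-lan lookup rt''', both of which belong to the removed up.sh method and will simply not be there. Replace these with checks that fit the new setup (for instance an '''ip rule''' listing taken after '''/etc/init.d/vpn-policy-routing restart''', showing a rule for 192.168.11.0/24) and delete the stray '''d''' line left in the '''ip rule''' sample. In the same section, "if a device are connected to WAN interface" should read "if a device is connected to the LAN interface (192.168.10.0/24)": the policies route only the wifi_lan subnet 192.168.11.0/24 through the VPN, while wired LAN clients keep the router's own uplink. Three further points on the new steps: "This command will update all opkg packages in router" is inaccurate, since '''opkg update''' only refreshes the package lists and installs or upgrades nothing; the '''while uci -q delete vpn-policy-routing.@policy[0]; do :; done''' loop removes every vpn-policy-routing policy already on the router, which the text should state explicitly; and the ignore policy for the two LAN subnets is what keeps wifi_lan's LAN-to-LAN traffic out of the tunnel, so tell the reader to keep it listed before the VPN policy exactly as shown rather than treating the order as arbitrary. Finally, the wireless step disables Wi-Fi encryption "for convenience", which turns the VPN-routed network into an open access point that anyone in radio range can use to reach the tunnel and whatever sits behind the OpenVPN server; the policy routing does not depend on the wireless security setting, so keep WPA2 on wifi_lan and drop that step. Typos: "When your done" (twice) should be "When you're done", and "interface configuration windows will appears" should be "window will appear".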
