Table of Contents

OpenVPN command line setup

This manual does not say, how the general settings for OpenVPN work or how to generate certificates. You will find that information on the OpenVPN website. In this article you will only find details on how to get OpenVPN to work on Turris.

This is a tutorial on how to set up OpenVPN for advanced users. OpenVPN configuration with just few clicks for less advanced users will be out in March 2017.

To setup OpenVPN through the command line, follow the links: SSH or the serial link.

There are several possibilities how to set up OpenVPN, they differ in the degree of integration into the OpenWRT system.

Uploading certificates

Regardless of the method, whether you are configuring the server or the client, you will need to upload certificates and keys to the router. The easiest way is through scp. Create the folder /etc/openvpn and save the files in it.

user@localmachine $ ssh root@
root@'s password:
root@turris:~# mkdir /etc/openvpn
root@turris:~# exit
Connection to closed
user@localmachine $ scp server.key server.crt ca.crt root@
root@'s password:

Without the support of OpenWRT

This method bypasses support of OpenWRT and the service is activated by hand. It offers bigger freedom in what parameters are passed on, on the other hand the rest of the system doesn't know about the service and OpenVPN doesn't know about the changes to the web interfaces. This can cause trouble with firewall and the routing tables.

The configuration file should be saved to the folder /etc/openvpn, just like the keys. You can test if everything is working as it should be in the following way:

# cd /etc/openvpn
# openvpn vpn.conf

If the command continues running and doesn't print any errors, everything is probably as it should be. End it with CTRL+C and run it in the background.

openvpn vpn.conf >/dev/null 2>&1 &

Add the command for running openvpn to the file /etc/rc.local. This file is evaluated when the device boots. Make sure that the command exit 0 is all the way at the end.

# Put your custom commands here that should be executed once
# the system init finished. By default this file doesn't do anything.
openvpn /etc/openvpn/vpn.conf >/dev/null 2>&1 &
exit 0

Using the OpenVPN configuration file

The beginning is similar to Without the support of OpenWRT. Instead of running in the background and writing into /etc/rc.local, you add a link to the configuration file from the folder /etc/config/openvpn.

package openvpn
config openvpn custom_config
	option enabled 1
	option config /etc/openvpn/vpn.conf

After that you will have to turn on and enable the file to run after start.

$ /etc/init.d/openvpn start
$ /etc/init.d/openvpn enable

Configuring through UCI

The whole configuration is saved as UCI, there is therefore no need to upload the configuration file to the router. Keys and certificates are nevertheless still needed.

Create a section in the configuration file /etc/config/openvpn and enable it with option enabled 1. After that rewrite every item in the OpenVPN configuration as one record option in the following way:

The following configuration is desirable:

package openvpn
config openvpn lair
	option enabled 1
	option client 1
	option dev tun
	option proto udp
	option remote " 82"
	option keepalive "10 1200"
	option nobind 1
	option ca "/etc/openvpn/ca.crt"
	option cert "/etc/openvpn/client.crt"
	option key "/etc/openvpn/client.key"
	option ns_cert_type server
	option comp_lzo yes
	option verb 3
dev tun
proto udp
remote 3333
keepalive 10 1200
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
ns-cert-type server
comp-lzo yes
verb 3

The default configuration file contains annotated examples.


The number of possible sections in UCI configuration (may they refer to the OpenVPN configuration file or be directly in the syntax of UCI) is unlimited. The service will run a separate OpenVPN process for each one, which is allowed through option enabled 1.

It can be useful to include the VPN network in the LAN section in firewall. For that you will need to rename the interface in /etc/config/network and to add the interface to the desirable section in /etc/config/firewall. After that both services need to be restarted. (/etc/init.d/network restart ; /etc/init.d/firewall restart)

config interface 'vpn'
        option proto none
        option ifname 'tun0'
        option auto 1
config zone
        option name             lan
        list   network          'lan'
	list   network          'vpn'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT