Set Up OpenVPN Server on GL.iNet Routers
OpenVPN is an open-source VPN protocol that makes use of virtual private network (VPN) techniques to establish safe site-to-site or point-to-point connections.
We recommend WireGuard over OpenVPN because it is much faster. To set up a WireGuard Server, please check out here.
Make sure you have a public IP address
Please check if your Internet Service Provider assigns you a public IP address here.
If not, your router cannot be set as the OpenVPN Server.
Alternative methods:
- If you have a main router, log in to it and check whether it gets a public IP address from your ISP.
- Ask your ISP for a Public IP address. It may require an extra fee.
- If the above two ways don't work, for example, if you are behind CGNAT, you can use a reverse proxy method such as Astrorelay. Alternatively, you may try an SDWAN solution - AstroWarp.
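The public-IP check above can be scripted once you know the address on the router's WAN interface. The following is an added example, not GL.iNet code: the function name, result labels and advice strings are assumptions, and the sample addresses are constructed stand-ins.

```python
import ipaddress
from typing import Optional

# Address ranges that cannot receive inbound connections from the Internet.
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT space
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Next step for each result, following the alternatives listed above.
ADVICE = {
    "public": "router can host the OpenVPN Server directly",
    "private": "check the main router's WAN address and forward the port there",
    "cgnat": "ask the ISP for a public IP, or use a relay / SD-WAN service",
    "mismatch": "WAN address is rewritten upstream; treat as no public IP",
    "unusable": "WAN address is not routable at all; check the uplink",
}

def classify_wan(wan_ip: str, external_ip: Optional[str] = None) -> str:
    """Classify the address on the router's WAN interface.

    wan_ip      -- address shown on the WAN interface (hypothetical input)
    external_ip -- address an outside "what is my IP" service reports, if known
    """
    wan = ipaddress.ip_address(wan_ip)
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in RFC1918):
        return "private"
    if not wan.is_global:
        return "unusable"  # loopback, link-local, documentation ranges, ...
    if external_ip is not None and ipaddress.ip_address(external_ip) != wan:
        return "mismatch"
    return "public"

if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real network.
    for wan, ext in [("100.72.14.9", "8.8.8.8"), ("192.168.1.23", None),
                     ("8.8.8.8", "8.8.8.8"), ("8.8.8.8", "8.8.4.4")]:
        label = classify_wan(wan, ext)
        print(f"{wan:>15} -> {label}: {ADVICE[label]}")
```

Note that Python's `is_private` does not cover 100.64.0.0/10, which is why the CGNAT range is tested explicitly.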
Confirm if Port Forwarding is required
Network Topology
GL.iNet is the Main Router
- If the GL.iNet router is the main router in your network, this is simple: please move to the next step.
GL.iNet is the Sub-Router
- If you already have a main router and the GL.iNet router is connected under it, you may need to set up port forwarding on the main router.
- If you already have a main router and the GL.iNet router is several levels below it, you need to set up port forwarding on each level.
Set Up OpenVPN Server
1. Click Generate Configuration (for VPN server initial setup only).
2. Apply the configuration.
   The default configuration works for most cases.
   If you do not need to modify the configuration, click Export Client Configuration at the bottom and go directly to step 3.
   If you have modified the configuration, click Apply before exporting the client configuration.
   - Device Mode: TAP-S2S or Tun. To find out what the difference is, check out TAP-S2S vs Tun.
   - Protocol: UDP or TCP. To find out what the difference is, check out TCP vs UDP.
   - Authentication Mode: This determines the authentication method used when the client connects. There are three options.
     - Certificate Only: If selected, the router will automatically generate server and client certificate keys and embed them in the client configuration file. When you upload the configuration to the client, no additional credentials are required.
     - Username/Password Only: If selected, the router will generate the client configuration without certificate keys. You must first add a username and password in the Users tab before exporting the client configuration. When uploading the configuration to the client, you need to enter these credentials for authentication.
     - Username/Password and Certificate: If selected, you must first add a username and password in the Users tab before exporting the client configuration; the router will then automatically generate server and client certificate keys and embed them in the configuration file. When uploading the configuration to the client, the certificate key is verified first, followed by username/password authentication, for two-factor security.
   Here is an example of creating a user.
   Please check here for Advanced Configuration.
3. Export Client Configuration.
   Click Export Client Configuration at the bottom of the Configuration tab, or apply the modified configuration, and this dialog will pop up.
   If your network's public IP changes from time to time, you can enable DDNS by using the DDNS domain in the configuration. Click Download to export the configuration for further setup.
4. Start OpenVPN server.
   Click the Start button in the upper right corner of the OpenVPN Server page to start the server. Then go to the VPN Dashboard page to check its status and other settings.
Check if OpenVPN Server is working properly
Many people assume that the server has been successfully established as soon as they see it started, but that is not necessarily the case.
Even if you forward the wrong port or address, the server can still run.
To verify if the OpenVPN Server is functioning properly, use another device on a separate network and import the previously exported OpenVPN configuration to test connectivity and check the assigned IP address.
The simplest method is to use a smartphone with the official OpenVPN App installed. First, disable the phone’s Wi-Fi and connect exclusively to the internet via cellular data (3G/4G/5G). Then launch the OpenVPN app, import the pre-exported configuration file, and initiate the connection. Confirm whether the phone gains internet access and whether its IP address matches the OpenVPN Server’s IP.
When importing the configuration file into the OpenVPN app, a reminder may appear as shown below. Click CONTINUE to proceed, as the certificate is already embedded in the configuration file.
If the connection fails, there are several common reasons:
- The Internet Service Provider doesn't assign you a public IP address. Please check here.
- You may need to set up port forwarding. Please check here.
- The port you are using for OpenVPN Server is blocked by the Internet Service Provider. Change to another port, or contact the Internet Service Provider for further assistance.
- Some countries/regions may block the VPN connection.
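Before testing from another network, the exported client configuration can be checked offline for the authentication mode it implies and for a `remote` address that outside clients cannot reach. This is an added example, not GL.iNet code: it assumes the export uses standard OpenVPN client directives (`remote`, `proto`, `auth-user-pass`, inline `<ca>`/`<cert>`/`<key>` blocks), and the function name and sample profile are constructed.

```python
import ipaddress
import re

def inspect_ovpn(text: str) -> dict:
    """Summarise an exported client profile and flag settings that break a remote test."""
    directives, inline, block = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                          # inside an inline block: skip its PEM body
            if line == f"</{block}>":
                block = None
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:
            block = tag.group(1)
            inline.add(block)
        elif line and line[0] not in "#;":
            directives.append(line.split())

    # Assumed mapping of standard OpenVPN directives to the three modes above.
    has_cert = {"cert", "key"} <= inline
    has_pass = any(d[0] == "auth-user-pass" for d in directives)
    mode = {(True, False): "Certificate Only",
            (False, True): "Username/Password Only",
            (True, True): "Username/Password and Certificate"}.get((has_cert, has_pass), "unknown")
    proto = next((d[1] for d in directives if d[0] == "proto" and len(d) > 1), "udp")

    remotes, warnings = [], []
    for d in (d for d in directives if d[0] == "remote" and len(d) > 1):
        host, port = d[1], int(d[2]) if len(d) > 2 else 1194
        remotes.append((host, port, d[3] if len(d) > 3 else proto))
        try:
            if not ipaddress.ip_address(host).is_global:
                warnings.append(f"remote {host} is not public; outside clients cannot reach it")
        except ValueError:
            pass  # hostname such as a DDNS domain; needs a live lookup to judge
    if mode == "Certificate Only":
        warnings.append("embedded client key is the only credential; store the file securely")
    return {"mode": mode, "remotes": remotes, "warnings": warnings}

# Constructed profile with placeholder PEM bodies, not a real GL.iNet export.
SAMPLE = ("client\ndev tun\nproto udp\nremote 192.168.1.50 1194\n"
          "<ca>\n(placeholder)\n</ca>\n<cert>\n(placeholder)\n</cert>\n"
          "<key>\n(placeholder)\n</key>\n")

if __name__ == "__main__":
    print(inspect_ovpn(SAMPLE))
```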
Advanced Configuration
In the Configuration tab of the OpenVPN server page, you can modify the configuration of your own Server.
Client to client access
Network Topology
Enable the client to client toggle and export a new configuration to your clients; the clients can then access each other.
OpenVPN Client App
Please refer to OpenVPN Official Website: https://openvpn.net/vpn-client/
Still have questions? Visit our Community Forum or Contact us.