Setting an OpenWrt Based Router as OpenVPN Client
These instructions are for getting an OpenWrt Based Router working as OpenVPN Client (should work for LEDE, Gargoyle and another distributions). Computers connected to Lan Ports of the OpenWrt Router will navigate through the Internet connection of the OpenVPN Server (in this case the Streisand one previously set up) you need a working Router with OpenWrt based firmware flashed on it (LEDE or eko.one.pl could also work) steps works well on Chaos Calmer 15.05 or 15.05.1.
You need to
telnet 192.168.1.1(OpenWrt Router) and set up a password using
passwdYou can skip this if you already have a password and can connect using ssh.
root@OpenWrt:~# passwd Changing password for root New password: Retype password: Password for root changed by root
Now you should be able to ssh the OpenWrt Router
ssh firstname.lastname@example.org using the previously typed password.
Important: Ensure that you have at least 1MB of free space en
rootfson your OpenWrt Device, depending on the OpenWrt version flashed you may need more or less space to set up everything, if you dont have space but you have a USB port on the Router you could use ExtRoot, or try to build a custom image, or even try to write a script to download openvpn to ram on every start.
root@OpenWrt:~# df -h Filesystem Size Used Available Use% Mounted on rootfs 239.9M 15.8M 207.3M 7% /
Install OpenVPN (you need internet connection on the OpenWrt Router)
opkg update opkg install openvpn-openssl # brings openvpn kmod-tun liblzo zlib libopenssl (~1M)
If you want to autostart OpenVPN at router startup (in some OpenWrt releases comes enabled by default):
Run UCI commands to configure as VPN Client:
# a new OpenVPN instance: uci set openvpn.streisand=openvpn uci set openvpn.streisand.enabled='1' uci set openvpn.streisand.config='/etc/openvpn/streisand.conf' # a new network interface for tun: uci set network.streisandvpn=interface uci set network.streisandvpn.proto='none' #dhcp #none uci set network.streisandvpn.ifname='tun0' # a new firewall zone (for VPN): uci add firewall zone uci set firewall.@zone[-1].name='vpn' uci set firewall.@zone[-1].input='REJECT' uci set firewall.@zone[-1].output='ACCEPT' uci set firewall.@zone[-1].forward='REJECT' uci set firewall.@zone[-1].masq='1' uci set firewall.@zone[-1].mtu_fix='1' uci add_list firewall.@zone[-1].network='streisandvpn' # enable forwarding from LAN to VPN: uci add firewall forwarding uci set firewall.@forwarding[-1].src='lan' uci set firewall.@forwarding[-1].dest='vpn' # Finally, you should commit UCI changes: uci commit
DNS: There is a tricky part with this, you have to choose one of these:
- Use your Wan port default DNS (the one that uses the OpenWrt to resolve domains currently), you could leave as is then, but be aware that your DNS queries will be done through VPN and some ISP DNS Servers are configured to blocks connections attemps from outside their network.
- Set up fixed DNS on Lan Interface (only for Lan and Wifi Clients)
- Set up fixed DNS on Wan Interface (will replace the default DNS provided to the Router on Wan Port)
- Set up two script that use the DNS provided through the VPN Tunnel on the Streisand host (recommended).
I recommend the last option, you will use same DNS Server as the Streisand host, you probably should also check if on the Streisand host are configured Fixed DNS like ones from OpenDNS or Google, you could change this to use Defaults DNS on the Streisand host.
Fixed DNS on Lan interface, Using OpenDNS:
uci add_list dhcp.lan.dhcp_option='6,188.8.131.52,184.108.40.206'
Fixed DNS on Lan interface, Using Google DNS:
uci add_list dhcp.lan.dhcp_option='6,220.127.116.11,18.104.22.168'
Fixed DNS on Wan interface, using OpenDNS:
uci set network.wan.peerdns='0' # this disable the DNS provided by DHCP uci del network.wan.dns # Deletes the previous list of DNS if exist. # now add the DNS, These are from OpenDNS: uci add_list network.wan.dns='22.214.171.124' uci add_list network.wan.dns='126.96.36.199'
Fixed DNS on Wan interface, using Google DNS:
uci set network.wan.peerdns='0' # this disable the DNS provided by DHCP uci del network.wan.dns # Deletes the previous list of DNS if exist. # now add the DNS, These are from OpenDNS: uci add_list network.wan.dns='188.8.131.52' uci add_list network.wan.dns='184.108.40.206'
Finally, you should commit UCI changes:
You will need to download the OpenVPN Client file from the Streisand host
[ip]-sslh.ovpn. (first one will use port 636 (ldaps), and later 443 (standard https port), I think that exist two because some people may have restrictions in their country on some port or disallow use of ssl on another)
.ovpnfile on a PLAINTEXT text editor, as we need to perform some editings:
- Add this line at top
cat<<'EOF' > /etc/openvpn/streisand.conf
- Add this line at bottom
(these lines will enable us later to copy entire text content of the file and paste it on the terminal/putty window)
You can comment or remove a line at the beggining of file that is something like:
router [ip] 255.255.255.255 net_gateway, simply add
#at the start of that line. This setting is already pushed from the OpenVPN Server side. If you don't do this, you will get an error on the OpenVPN logs, but should work fine too.
To Enable OpenVPN log and status file:
log-append /var/log/openvpn.log # To append to log file
status /var/log/openvpn-status.log # To mantain a status file
If you want to use the OpenVPN Server side DNS's from Streisand host:
script-security 2 system # needed to be able to use 'up' and 'down' scripts
up "/etc/openvpn/updns" # FIX DNS, we will create it later
down "/etc/openvpn/downdns" # FIX DNS, we will create it later
Now copy the entire content of the
.ovpnfile and paste on Terminal, you should have now a new file (check for it):
ls -l /etc/openvpn/streisand.conf
If you choose to use the DNS provided by OpenVPN you need to create these two files, (just copy and paste and the code and files will be created):
FIX to use DNS provided by OpenVPN server:
cat<<'EOF' > /etc/openvpn/updns #!/bin/sh mv /tmp/resolv.conf.auto /tmp/resolv.conf.auto.hold echo $foreign_option_1 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >/tmp/resolv.conf.auto echo $foreign_option_2 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto echo $foreign_option_3 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto EOF cat<<'EOF' > /etc/openvpn/downdns #!/bin/sh mv /tmp/resolv.conf.auto.hold /tmp/resolv.conf.auto EOF
Add execution permission to both files:
chmod 755 /etc/openvpn/updns chmod 755 /etc/openvpn/downdns
You should have now two new files (check for it):
ls -l /etc/openvpn/*dns
- All Ready!
Since we modified firewall we need to run
Since we added a new interface we need to restart network daemon (you will lost connectivity for a moment)
Start OpenVPN and see what and see what happens:
/etc/init.d/openvpn stop # stop daemon in case that is currently running rm /var/log/openvpn.log # delete previous OpenVPN log /etc/init.d/openvpn start # start OpenVPN sleep 1 # wait a second. tail -f /var/log/openvpn.log # monitor log.
When you successfully see
Initialization Sequence Completed you can press
CTRL+C to exit.
You can do
traceroute 220.127.116.11 or some other IP to see if you pass through the VPN or check online your Public IP.
Important Remarks about testing if it works properly:
- Please always test VPN using
wgetor even browsing to an IP and not browsing to a domain, since you may have a working VPN but not working DNS.
- If you reboot your router allow a 30-60sec to properly boot and bring up internet (important if you have extroot or a slow router), and additional 30-60sec to bring up VPN.
- Bonus! Enable WiFi:
If you started from scratch and you want to enable WiFi (if your router have dual-band replace
uci set wireless.@wifi-iface[-1].ssid='OpenWrt With OpenVPN' uci set wireless.@wifi-iface[-1].encryption='psk2+aes' uci set wireless.@wifi-iface[-1].key='put here a password' # this should be more than 8 chars uci commit wireless wifi reload
Related info: Just in case the OpenVPN client file change in future: The content config at the beginning of a working .ovpn as is (doesn't include any needed modifications):
client remote 123.456.789.012 636 dev tun proto tcp cipher AES-256-CBC auth SHA256 resolv-retry infinite nobind persist-key persist-tun ns-cert-type server comp-lzo key-direction 1 verb 3 route 123.456.789.012 255.255.255.255 net_gateway
Note: 123.456.789.012 represents the Streisand host IP
Configuration Pushed by the OpenVPN Server on Streisand Host (taken from
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
TODO: Add necessary code to have one WiFi Network with VPN and other without (in a few days)...
- Connecting clients behind the client router
Say you're a road warrior and have setup an OpenVPN connection to the server running Streisand. You might want to connect to clients running on the OpenWrt LAN. To do this on the server running Streisand:
- Add the following line to
Create a client file in the
/etc/openvpn/ccd/directory corresponding to the client
.opvnfile you used to configure your router as a client. For example if you used:
XXX-XXX-XXX-XXX-direct-2.ovpnyou would create a file called
irouteoption to that file as follows:
iroute 192.168.10.0 255.255.255.0
192.168.10.0 is your LAN network. So you will need to adjust appropriately.