Guide to setting up OpenVPN on an OpenWrt router
README.md Add reboot script if wrong IP Feb 19, 2017


OpenVPN on OpenWrt Barrier Breaker

Steps stolen from Logan Marchione's blog post.

ssh root@192.168.1.1

Install packages:

opkg update
opkg install openvpn-openssl wget unzip

Create a new interface for the VPN:

cat >> /etc/config/network << EOF
config interface 'PIA_VPN'
    option proto 'none'
    option ifname 'tun0'
EOF

Download the OpenVPN config bundle from privateinternetaccess.com (--no-check-certificate is needed only because OpenWrt ships no CA bundle by default; since the archive contains the CA certificate that every later VPN connection will trust, compare it against a copy fetched from a machine that does verify TLS before relying on it):

cd /etc/openvpn
wget --no-check-certificate https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip
unzip openvpn-strong.zip
rm openvpn-strong.zip

Create a file with your privateinternetaccess.com credentials (replace $username and $password with your own values; the file has the username on the first line and the password on the second):

cat >> /etc/openvpn/authuser << EOF
$username
$password
EOF

Set permissions on authuser file:

chmod 400 /etc/openvpn/authuser

Create a generic OpenVPN config:

cat >> /etc/openvpn/piageneric.ovpn << EOF
client
dev tun
proto udp
remote nl.privateinternetaccess.com 1197
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-256-cbc
auth sha256
tls-client
remote-cert-tls server
auth-user-pass authuser
auth-nocache
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.4096.pem
ca ca.rsa.4096.crt
disable-occ
EOF

Create firewall zone for new VPN connection:

cat >> /etc/config/firewall << EOF
config zone
    option name 'VPN_FW'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'PIA_VPN'

config forwarding
    option dest 'VPN_FW'
    option src 'lan'
EOF

If you want a kill switch (so that LAN traffic cannot fall back to the plain ISP connection while the tunnel is down), comment out the existing lan-to-wan forwarding in /etc/config/firewall:

config forwarding
        option dest 'wan'
        option src 'lan'
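
Added audit helper (not part of the original guide): a POSIX sh script that parses a UCI firewall file and reports whether the lan-to-wan forwarding above is still active, which is the condition under which traffic bypasses the VPN when tun0 is down. The sample config it writes is constructed for the demo; on the router, point the functions at /etc/config/firewall instead.

```shell
#!/bin/sh
# Added audit helper, not part of the original guide: check an OpenWrt
# /etc/config/firewall for the lan -> wan forwarding that the kill-switch
# step comments out. The sample config written below is constructed.

# has_forwarding SRC DEST FILE: exit 0 if FILE has an uncommented
# "config forwarding" section with option src SRC and option dest DEST.
has_forwarding() {
    awk -v want_src="$1" -v want_dest="$2" -v q="[\"']" '
        function flush() {
            if (type == "forwarding" && src == want_src && dest == want_dest) found = 1
            type = ""; src = ""; dest = ""
        }
        /^[ \t]*#/ { next }                    # commented-out lines are ignored
        /^[ \t]*config[ \t]/ { flush(); type = $2 }
        /^[ \t]*option[ \t]+src[ \t]/  { gsub(q, "", $3); src = $3 }
        /^[ \t]*option[ \t]+dest[ \t]/ { gsub(q, "", $3); dest = $3 }
        END { flush(); exit found ? 0 : 1 }
    ' "$3"
}

# kill_switch_ok FILE: exit 0 only when lan can reach VPN_FW and NOT wan directly.
kill_switch_ok() {
    if has_forwarding lan wan "$1"; then
        echo "lan -> wan forwarding active: traffic bypasses the VPN when tun0 is down" >&2
        return 1
    fi
    has_forwarding lan VPN_FW "$1" || { echo "no lan -> VPN_FW forwarding" >&2; return 1; }
}

# write_sample_firewall FILE: constructed config with the guide's VPN_FW
# forwarding plus the default lan -> wan forwarding still active.
write_sample_firewall() {
    cat > "$1" << 'EOF'
config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option dest 'VPN_FW'
	option src 'lan'
EOF
}

# Demo: audit the constructed config, then the same config with lan -> wan removed.
f=$(mktemp); write_sample_firewall "$f"
kill_switch_ok "$f" || echo "kill switch NOT in place"
grep -v "option dest 'wan'" "$f" > "$f.fixed"
kill_switch_ok "$f.fixed" && echo "kill switch in place"
rm -f "$f" "$f.fixed"
```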

To reboot when the connection is down (that is, when the router's public address is the ISP address again instead of the VPN's), create the following script, filling in your own ISP address at IP_ISP. The heredoc delimiter is quoted so that the backticks and variables end up in the file instead of being expanded when it is created:

cat > /etc/openvpn/checkvpn.sh << 'EOF'
#!/bin/sh
# Public address the router has when traffic is NOT going through the VPN
IP_ISP="87.1.1.1"
# Ask an external service which address our traffic currently comes from
IP=`wget -qO- ifconfig.co`
# Reboot only on a definite match; an empty answer (lookup failed) is not treated as a leak
if [ -n "$IP" ] && [ "$IP" = "$IP_ISP" ]; then
  echo `date` >> /etc/openvpn/reboot.log
  reboot
fi
EOF
chmod +x /etc/openvpn/checkvpn.sh

Open the crontab with crontab -e and add a line that runs the script every two minutes:

*/2 * * * * /etc/openvpn/checkvpn.sh

Cron is not started by default on OpenWrt, so enable it with /etc/init.d/cron enable followed by /etc/init.d/cron start.

Reboot:

reboot

Log back in:

ssh root@192.168.1.1

Start the VPN:

openvpn --cd /etc/openvpn --config /etc/openvpn/piageneric.ovpn

Confirm that output looks something like this:

root@OpenWrt:~# openvpn --cd /etc/openvpn --config /etc/openvpn/piageneric.ovpn
Mon Nov 17 23:08:56 2014 OpenVPN 2.3.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep 20 2014
Mon Nov 17 23:08:56 2014 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Mon Nov 17 23:08:56 2014 UDPv4 link local: [undef]
Mon Nov 17 23:08:56 2014 UDPv4 link remote: [AF_INET]108.61.57.214:1194
Mon Nov 17 23:09:00 2014 [Private Internet Access] Peer Connection Initiated with [AF_INET]108.61.57.214:1194
Mon Nov 17 23:09:02 2014 TUN/TAP device tun0 opened
Mon Nov 17 23:09:02 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Nov 17 23:09:02 2014 /sbin/ifconfig tun0 10.198.1.10 pointopoint 10.198.1.9 mtu 1500
Mon Nov 17 23:09:02 2014 Initialization Sequence Completed

Check that the tunnel interface exists (you will have to open a second SSH connection, because the openvpn command above must keep running):

ifconfig tun0
root@OpenWrt:~# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.132.1.6  P-t-P:10.132.1.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:588 errors:0 dropped:0 overruns:0 frame:0
          TX packets:789 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:281373 (274.7 KiB)  TX bytes:159631 (155.8 KiB)

Close OpenVPN

ctrl+c

Force router to use privateinternetaccess.com's DNS servers:

uci add_list dhcp.lan.dhcp_option="6,209.222.18.222,209.222.18.218"
uci commit dhcp

Run the VPN at startup. In the LuCI web interface, go to System -> Startup and add this line to the local startup script (/etc/rc.local) before the exit 0:

openvpn --cd /etc/openvpn --config /etc/openvpn/piageneric.ovpn &

Reboot for DHCP and startup changes to take effect:

reboot