Thursday, 12 October 2017 01:03

OpenWrt, OpenVPN, Two Signals, One Router


While living outside the U.S., I often found myself needing a VPN connection so that I appeared to be in the U.S. I chose an OpenVPN service because it was simple to set up, but ran into trouble when I needed it for multiple devices. I installed the OpenVPN software on my computer, my children's computer, and my wife's computer, but found I couldn't connect any streaming device to it because I couldn't install the software on it. With the VPN service I had, I could only connect 2 devices at a time, so this quickly became troublesome. I began thinking about what to do. I could purchase (or use) another router and configure it for an OpenVPN connection, but then I would have two wifi routers and a modem sitting around. I really didn't want the extra cables and wires collecting dust.

Thinking through this, I had another idea. Instead of having two wifi routers, what if I could configure the OpenWRT router to broadcast two wifi signals, one connecting through an OpenVPN server and the other connecting locally? That way I would only have one router and one modem sitting around. With this in mind, I went on a tech hunt and finally figured it out. After I configured mine, I configured many others as people learned about what I did. These routers were quite popular at one time with folks around me. For your geeky reading pleasure, the steps I take to make one are below.

Enjoy!

Warning: There is a lot I don't explain in this walkthrough, as these are my notes. If you are unfamiliar with what you see below, please ask in the comments or ask a trusted friend to help.


The idea: Using an OpenWRT-flashed router, broadcast two wireless signals, one connecting through an OpenVPN server (ex. Witopia, StrongVPN, etc.) and the other connecting locally.

The purpose: To secure the connection for online banking, online purchasing, watching Netflix, Hulu, etc. on media devices, and to have local internet access when needed. Depending on which wireless SSID you connect to, you are either running over the VPN or locally. For example, you can connect your media devices to the VPN SSID to run Netflix or Hulu, or just to have a secure connection all the time, and connect to the other SSID when the VPN connection goes down or when you want a faster speed.

Before attempting this, I looked around on the internet and didn't find a walkthrough, so if there is one, please let me know. I did, however, find lots of help that I picked up from different places, including:

http://wiki.openwrt.org/doc/howto/vpn.client.pptp

https://forum.openwrt.org/viewtopic.php?id=39223

There were a few more, but I can't remember which ones now.

The instructions below are written for Attitude Adjustment 12.09 RC2, but they will work on any later version.


Here is what I do:

Purchase OpenVPN service from a reputable company (ex. Witopia, StrongVPN, etc.)

Install OpenVPN and ip on the OpenWRT router:

  • opkg update

  • opkg install openvpn-openssl ip

Add a new Wireless controller as normal (Network->Wifi).

  • SSID: <your 'secure' name>

  • Mode: Access Point

  • Attach the network to the LAN network for now.

  • We'll test it to make sure it works and that you have internet access in a few moments...

  • Add Wireless Security and any other wireless setting you desire

  • Save and Apply

  • Click 'Enable'

Add a new interface (Network->Interfaces->Add new interface)

  • Choose a name (ex. Slan). If you change this name (Slan), make sure to change the other references to it below.

  • Select 'Static Address.'

  • Create bridge = unchecked

  • Cover the following interfaces = choose the newly created wireless network

  • Submit

Choose an IP address in another subnet, for example:

  • IPv4 address = 192.168.20.1

  • IPv4 netmask = 255.255.255.0

  • Leave Gateway blank

  • Custom DNS server = 192.168.20.1

  • Save and Apply

Firewall Settings

  • Create new Zone = <your 'secure' lan name> (it needs to be different from the wlan above; I use the name of the lan, ex. slan)

  • Click 'Setup DHCP server' and use default settings unless you need something special.

  • Save and Apply

From LuCI, go to the Firewall section: Network->Firewall Section

  • Edit the LAN settings and add the newly created interface (slan) to the covered networks. There should be two now: LAN and SLAN. Wan should be checked under 'Allow forward to destination zone'.

  • Save and Apply.

Back to Network->Wifi section

  • Edit the newly created wireless interface and uncheck the 'lan' network. Only 'slan' or whatever you called it should be checked.

  • Save and Apply

Test the wireless connection. If you followed the above steps, you should have internet access and an ip address in the 192.168.20.0 subnet.

 

Once the test is good, go to Network->Firewall and edit each setting so it matches the table below:

| Name     | Input  | Output | Forward | Masquerade & MSS clamping     | Covered Networks | Allow Forward To | Allow Forward From |
|----------|--------|--------|---------|-------------------------------|------------------|------------------|--------------------|
| Lan      | Accept | Accept | Reject  | Both blank                    | Lan              | wan              |                    |
| Wan      | Reject | Accept | Reject  | Both checked                  | Wan              |                  | lan                |
| Slan     | Accept | Accept | Reject  | Both blank                    | Slan             | Ovpn (1)         |                    |
| Ovpn (1) | Accept | Accept | Reject  | Masquerade checked, MSS blank | Ovpn (1)         |                  | Slan               |

(1) See below for more information about the ovpn firewall zone. Just edit Lan and Wan at this point. We'll finish this below.

 

The rest of the setup process is on the command line, so log in to the router via SSH (see Command-Line Interface (CLI)).

  • Configure the network – edit file: /etc/config/network

    • Add the ovpn interface:

        config 'interface' 'ovpn'
            option 'ifname' 'tun0'
            option 'defaultroute' '0'
            option 'peerdns' '0'
            option 'proto' 'none'

 

Configure the firewall – edit file: /etc/config/firewall

  • Configure the forwarding from slan into the ovpn zone:

        config 'forwarding'
            option 'dest' 'ovpn'
            option 'src' 'slan'

  • Configure the OpenVPN firewall zone:

        config zone
            option name 'ovpn'
            option input 'ACCEPT'
            option forward 'REJECT'
            option output 'ACCEPT'
            option network 'ovpn'

 

Add a new table to the routing tables – edit file: /etc/iproute2/rt_tables

  • Install ip from the software repo if the iproute2 folder doesn't exist

  • Add the one line below that is not in the stock file, `10 vpn` (the highlighted line in my notes):

        # reserved values
        #
        255 local
        254 main
        253 default
        10 vpn
        0 unspec
        #
        # local
        #
        #1 inr.ruhep

 

Create route-up.sh and tunneldown.sh in the root folder with your favorite editor (ex. vi). These files do not exist yet, so they need to be created; edit the IP addresses as shown below.

  • FileName: /root/tunneldown.sh

        #!/bin/sh
        # Runs when the tunnel goes down: stop steering the slan subnet into the
        # vpn table and drop the routes that route-up.sh put there.
        ip rule del from <ip address of slan>/24 table vpn
        ip route flush table vpn
        #example: ip rule del from 192.168.20.1/24 table vpn

  • FileName: /root/route-up.sh

        #!/bin/sh
        # Runs once OpenVPN knows the tunnel addresses. $dev, $ifconfig_local,
        # $ifconfig_remote and $route_network_1 are set by OpenVPN in the script's
        # environment (route-noexec leaves the pushed routes to this script).
        ip route add $ifconfig_remote dev $dev proto kernel scope link src $ifconfig_local
        ip route add $route_network_1 via $ifconfig_remote dev $dev metric 1 table vpn
        # Two half-default routes in table vpn send everything from slan into the tunnel
        ip route add 0.0.0.0/1 via $ifconfig_remote dev $dev table vpn
        ip route add 128.0.0.0/1 via $ifconfig_remote dev $dev table vpn
        # Add route back to local network
        ip route add <ip subnet from slan>/24 via <slan Gateway> table vpn
        #example : ip route add 192.168.20.0/24 via 192.168.20.1 table vpn
        # Add rule from local network to VPN Gateway
        ip rule add from <ip address from slan>/24 table vpn
        #example: ip rule add from 192.168.20.1/24 table vpn
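A check worth keeping on the router once these scripts are in place (this is an added example, not part of the original post): it reads the output of `ip rule show` and `ip route show table vpn` and reports whether slan traffic is actually being steered through the tunnel, since after tunneldown.sh removes the rule, slan clients silently fall back to the main table and the plain WAN. It assumes the 192.168.20.0/24 subnet and the table name vpn from above; run it with --live on the router, or without arguments to see it applied to constructed sample output.

```shell
#!/bin/sh
# Leak check for the policy routing that route-up.sh installs (added example,
# not from the original post). A slan client is only protected while a rule
# steers its subnet into table 'vpn' AND that table holds both half-default
# routes; otherwise lookups fall through to the main table (the plain WAN).
# Assumed values (as in the post): slan is 192.168.20.0/24, table is 'vpn'.

# $1 = text of `ip rule show`. Accepts 192.168.20.1/24 as typed in the post and
# 192.168.20.0/24 as the kernel echoes it back.
rule_steers_slan() {
    printf '%s\n' "$1" | grep -Eq 'from 192\.168\.20\.[0-9]+/24 lookup vpn'
}

# $1 = text of `ip route show table vpn`; both halves must point at a tun device.
table_has_full_default() {
    printf '%s\n' "$1" | grep -Eq '^0\.0\.0\.0/1 via [0-9.]+ dev tun' &&
    printf '%s\n' "$1" | grep -Eq '^128\.0\.0\.0/1 via [0-9.]+ dev tun'
}

# Prints one of: ok, no-rule, no-route. Anything but "ok" means slan traffic is
# currently using the main (WAN) table.
vpn_verdict() {
    if ! rule_steers_slan "$1"; then echo no-rule
    elif ! table_has_full_default "$2"; then echo no-route
    else echo ok
    fi
}

# Live check on the router: logs the verdict and fails unless it is "ok".
vpn_status() {
    v=$(vpn_verdict "$(ip rule show)" "$(ip route show table vpn)")
    logger -t vpncheck "slan routing: $v"
    echo "$v"
    [ "$v" = ok ]
}

# Constructed sample output (tunnel up, as the post's route-up.sh leaves it).
SAMPLE_RULES='0: from all lookup local
32765: from 192.168.20.0/24 lookup vpn
32766: from all lookup main'
SAMPLE_ROUTES='0.0.0.0/1 via 10.8.0.5 dev tun0
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.20.0/24 via 192.168.20.1 dev wlan0-1'

if [ "${1:-}" = "--live" ]; then vpn_status
else echo "sample: $(vpn_verdict "$SAMPLE_RULES" "$SAMPLE_ROUTES")"   # ok
fi
```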


Create and edit the OpenVPN config below and save it on your computer as .ovpn (ex. vpn.dallas.ovpn). Place it in the same folder as the .key, .crt, and ca.crt files you received from the OpenVPN service.

  • Edit the lines specific to your setup, in particular the remote server name and the key and certificate file names, and add the route-up, route-noexec, down and script-security lines if your provider's config does not have them:

        #####################################
        # OpenVPN configuration file
        #####################################
        client
        # Let our own scripts manage the routing instead of OpenVPN
        route-up /root/route-up.sh
        route-noexec
        down /root/tunneldown.sh
        script-security 3 system
        dev tun
        proto udp
        remote <vpn.server.name> 1194
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        # Checks the server certificate's purpose; newer OpenVPN releases use 'remote-cert-tls server' instead
        ns-cert-type server
        # The cipher this provider used at the time; use whatever your provider's current config specifies
        cipher bf-cbc
        comp-lzo
        verb 3
        mute 20
        ca /root/ca.crt
        mssfix 1300
        key /root/<openvpn>.key
        cert /root/<openvpn>.crt
        #tls-auth ta.key 1

 

Copy the files to the router (using your favorite file transfer program)

  • In Linux, use Terminal and type the following from the folder where the four files are located:

    • scp ca.crt <openvpn>.ovpn <openvpn>.crt <openvpn>.key root@<router ip address>:/root

  • SSH back into the router

 

Make the files, route-up.sh and tunneldown.sh, executable

  • From the router, run:

    • chmod u=rwx /root/route-up.sh /root/tunneldown.sh

 

Make the .key and .crt inaccessible to others or OpenVPN will fuss at you

  • chmod u=rw,go= <openvpn>.key <openvpn>.crt

 

Now comes the fun...

  • Test the connection and get the DNS address you'll use in the next section.

  • Still in the SSH terminal, type: openvpn --config vpn.<whateveryoucalledit>.ovpn

  • Watch the messages scroll up the screen. If all is successful, you'll see 'Initialization Sequence Completed' on the last line.

  • If successful, scroll up and look at the lines until you see the one that contains DNS:

    PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.x.x.x,route 10.x.x.x,topology net30,ping 10,ping-restart 60,ifconfig 10.x.x.x 10.x.x.x'

  • Also watch for "RTNETLINK answers: File exists." This means the route-up file was successful.

  • Once you have the DNS address, we can modify the settings.

  • Configure dnsmasq settings – edit file: /etc/dnsmasq.conf

    • Add the lines marked "Added for OpenVPN DNS" (the highlighted lines in my notes) after the srv-host comments:

        # Change the following lines if you want dnsmasq to serve SRV
        # records.
        # You may add multiple srv-host lines.
        # The fields are <name>,<target>,<port>,<priority>,<weight>
        # Added for OpenVPN DNS
        # (DHCP option 6 = DNS server, handed only to clients on the named interface)
        dhcp-option=<name of network interface>,6,<IP Address from OpenVPN Connection>
        # example: dhcp-option=slan,6,10.x.x.x
        # A SRV record sending LDAP for the example.com domain to
        # ldapserver.example.com port 289
        #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389

 

Create and name a startup file and place it in /etc/init.d/ so it can be enabled and disabled from the OpenWrt GUI

  • Create the file with your favorite text editor (ex. vi /etc/init.d/openvpn-client):

        #!/bin/sh /etc/rc.common
        # Copyright (C) 2007 OpenWrt.org
        START=90

        start() {
            logger -t "openvpn" "starting openvpn-client"
            openvpn --daemon --config /root/vpn.<whateveryoucalledit>.ovpn
        }

        stop() {
            logger -t "openvpn" "stopping openvpn-client"
            killall openvpn
            sleep 3
        }

  • Make it executable: chmod u=rwx /etc/init.d/openvpn-client

  • Exit the SSH Shell!

 

  • From the Web GUI, go to System -> Startup

    • The 'openvpn-client' and 'openvpn' scripts show in 'Initscripts' as disabled

    • Enable 'openvpn-client' and refresh to make sure it is running

    • If it stays in the Enabled state, finish the firewall settings:

| Name | Input  | Output | Forward | Masquerade & MSS clamping     | Covered Networks | Allow Forward To | Allow Forward From |
|------|--------|--------|---------|-------------------------------|------------------|------------------|--------------------|
| Lan  | Accept | Accept | Reject  | Both blank                    | Lan              | wan              |                    |
| Wan  | Reject | Accept | Reject  | Masquerade checked, MSS blank | Wan              |                  | lan                |
| Slan | Accept | Accept | Reject  | Both blank                    | Slan             | Ovpn             |                    |
| Ovpn | Accept | Accept | Reject  | Masquerade checked, MSS blank | Ovpn             |                  | Slan               |


Restart the router

If everything works, when you connect to the secure wireless network, your ip address will be in the location of the vpn server.

All DONE!


Troubleshooting

  • If, after enabling the openvpn-client, it comes back disabled, there is something wrong in the configuration. The best way to debug or troubleshoot the connection is to SSH into the router and start the openvpn connection by typing:

  • openvpn --config <openvpn>.ovpn

  • Watch toward the end to see if there are any errors in the route-up.sh script

  • Press 'Ctrl C' and watch what happens to the tunneldown.sh script

  • If you forgot to make the files executable, the connection will fail.



 

Last modified on Saturday, 14 October 2017 03:36
