While living outside the U.S., I often found myself needing a VPN connection to do stuff that made me look like I was in the U.S. I chose an OpenVPN service because it was simple to set up, but ran into trouble when I needed it for multiple devices. I installed the OpenVPN software on my computer, my children's computer, and my wife's computer, but found I couldn't connect any streaming device to it because I couldn't install the software on it. With the VPN service I had, I could only connect 2 devices at a time, so this quickly became troublesome. I began thinking about what to do. I could purchase (or use) another router and configure it for an OpenVPN connection, but then I would have two wifi routers and a modem sitting around. I really didn't want the extra cables and wires collecting dust.
Thinking through this, I had another idea. Instead of having two wifi routers, what if I could configure the OpenWRT router to broadcast two wifi signals, one connecting to an OpenVPN server and the other connecting locally? This way, I would only have one router and one modem sitting around. With this in mind, I went on a tech hunt and finally figured it out. After I configured mine, I configured many others as people learned about what I did. These routers were quite popular at one time with folks around me. For your geeky reading pleasure, the steps I take to make one are below.
Enjoy!
Warning: There is a lot I don't explain in this walkthrough as these are my notes. If you are unfamiliar with what you see below, please ask in the comments or ask a trusted friend to help.
The idea: Using an OpenWRT-flashed router, broadcast two wireless signals: one connecting to an OpenVPN server (ex. Witopia, StrongVPN, etc.) and the other connecting locally.
The purpose: To secure a connection for online banking, online purchasing, watching Netflix, Hulu, etc., on media devices, and to have local internet access when needed. Depending on which wireless SSID you connect to, you are either running over the VPN or locally. For example, you can connect your media devices to the VPN SSID to run Netflix, Hulu, or just to have a secure connection all the time, and/or connect to the other SSID when the VPN connection goes down or when you need faster speed.
Before attempting this, I looked around on the internet and didn't find a walkthrough, so if there is one, please let me know. However, I did find lots of help that I picked up from different places. Some of them include:
http://wiki.openwrt.org/doc/howto/vpn.client.pptp
https://forum.openwrt.org/viewtopic.php?id=39223
There were a few more, but I can't remember which ones now.
The instructions below are written for Attitude Adjustment 12.09 RC2, but they will work on any later version.
Here is what I do:
Purchase OpenVPN service from a reputable company (ex. Witopia, StrongVPN, etc.)
Install OpenVPN and ip on the OpenWRT router:
- opkg update
- opkg install openvpn-openssl ip
Add a new wireless controller as normal (Network->Wifi).
- SSID: <your 'secure' name>
- Mode: Access Point
- Attach the network to the LAN network for now. We'll test it to make sure it works and that you have internet access in a few moments...
- Add wireless security and any other wireless settings you desire
- Save and Apply
- Click 'Enable'
Add a new interface (Network->Interfaces->Add new interface)
- Choose a name (ex. slan). If you change this name (slan), make sure to change the other references to it below.
- Select 'Static Address'.
- Create bridge = unchecked
- Cover the following interfaces = choose the newly created wireless network
- Submit
Choose an IP address in another subnet, for example:
- IPv4 address = 192.168.20.1
- IPv4 netmask = 255.255.255.0
- Leave Gateway blank
- Custom DNS server = 192.168.20.1
- Save and Apply
Firewall Settings
- Create new zone = <your 'secure' lan name> (needs to be different from the wlan above; I choose the name of the lan, ex. slan)
- Click 'Setup DHCP Server' and use the default settings unless you need something special.
- Save and Apply
From LuCI, go to the firewall section: Network->Firewall
- Edit the LAN settings and add the newly created interface (slan) to the covered networks. There should be two now: LAN and SLAN. Wan should be checked under 'Allow forward to destination zones'.
- Save and Apply.
Back in the Network->Wifi section:
- Edit the newly created wireless interface and uncheck the 'lan' network. Only 'slan', or whatever you called it, should be checked.
- Save and Apply
Test the wireless connection. If you followed the steps above, you should have internet access and an IP address in the 192.168.20.0 subnet.
Once the test is good, go to Network->Firewall and edit each setting so it matches the table below:
Name | Input | Output | Forward | Masquerade & MSS clamping | Covered Networks | Allow Forward To | Allow Forward From
Lan | Accept | Accept | Reject | Both blank | Lan | wan |
Wan | Reject | Accept | Reject | Both checked | Wan | | lan
Slan | Accept | Accept | Reject | Both blank | Slan | Ovpn (1) |
Ovpn (1) | Accept | Accept | Reject | Masquerade checked, MSS clamping blank | Ovpn | | Slan
(1) See below for more information about the ovpn firewall zone. Just edit Lan and Wan at this point. We'll finish this below.
The rest of the setup process will be on the command line, so log in to the router via SSH (see Command-Line Interface (CLI)).
Configure the network – edit file: /etc/config/network
- Add the ovpn interface:
config 'interface' 'ovpn'
    option 'ifname' 'tun0'
    option 'defaultroute' '0'
    option 'peerdns' '0'
    option 'proto' 'none'
Configure the firewall – edit file: /etc/config/firewall
- Configure the forwarding from slan to ovpn:
config 'forwarding'
    option 'dest' 'ovpn'
    option 'src' 'slan'
- Configure the OpenVPN firewall zone:
config zone
    option name 'ovpn'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option network 'ovpn'
Add a new table to the routing tables – edit file: /etc/iproute2/rt_tables
- Install ip from the software repo if the iproute2 folder doesn't exist.
- Add the one line marked below (10 vpn):
# reserved values
#
255 local
254 main
253 default
10 vpn
0 unspec
#
# local
#
#1 inr.ruhep
Create route-up.sh and tunneldown.sh in the root folder with your favorite editor (ex. vi). These files do not exist, so they need to be created; edit the IP addresses as shown below.
- File name: /root/tunneldown.sh
#!/bin/sh
# Remove the policy rule and flush the vpn table when the tunnel goes down,
# so slan traffic is no longer steered at a tunnel that is gone
ip rule del from <ip address of slan>/24 table vpn
ip route flush table vpn
# example: ip rule del from 192.168.20.1/24 table vpn
- File name: /root/route-up.sh
#!/bin/sh
# $dev, $ifconfig_local, $ifconfig_remote and $route_network_1 are set in the
# environment by OpenVPN when it runs this script
ip route add $ifconfig_remote dev $dev proto kernel scope link src $ifconfig_local
ip route add $route_network_1 via $ifconfig_remote dev $dev metric 1 table vpn
# Two /1 routes cover the whole IPv4 space inside table vpn without touching the main table
ip route add 0.0.0.0/1 via $ifconfig_remote dev $dev table vpn
ip route add 128.0.0.0/1 via $ifconfig_remote dev $dev table vpn
# Add route back to local network
ip route add <ip subnet from slan>/24 via <slan Gateway> table vpn
# example: ip route add 192.168.20.0/24 via 192.168.20.1 table vpn
# Add rule from local network to VPN gateway
ip rule add from <ip address from slan>/24 table vpn
# example: ip rule add from 192.168.20.1/24 table vpn
Create and edit the OpenVPN config below and save it on your computer as .ovpn (ex. vpn.dallas.ovpn). Place it in the same folder as the .key, .crt, and ca.crt files that you received from the OpenVPN service.
- Edit and/or add the lines specific to this setup (the route-up, route-noexec, down and script-security lines, and the /root paths for ca, key and cert):
#####################################
# OpenVPN configuration file
#####################################
client
# Hand route handling to our scripts instead of letting OpenVPN install routes itself
route-up /root/route-up.sh
route-noexec
down /root/tunneldown.sh
script-security 3 system
dev tun
proto udp
remote <vpn.server.name> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
# The cipher must match what your provider specifies; bf-cbc is deprecated in current OpenVPN releases
cipher bf-cbc
comp-lzo
verb 3
mute 20
ca /root/ca.crt
mssfix 1300
key /root/<openvpn>.key
cert /root/<openvpn>.crt
#tls-auth ta.key 1
Copy the files to the router (using your favorite file transfer program)
- In Linux, use a terminal and type the following from the folder where the four files are located:
scp ca.crt <openvpn>.ovpn <openvpn>.crt <openvpn>.key root@<router ip address>:/root
- SSH back into the router.
Make the files route-up.sh and tunneldown.sh executable
- From the router, run:
chmod u=rwx /root/route-up.sh /root/tunneldown.sh
- Make the .key and .crt non-accessible to others or OpenVPN will fuss at you:
chmod u=rw,go= /root/<openvpn>.key /root/<openvpn>.crt
Now comes the fun...
- Test the connection and get the DNS address you'll use in the next section.
- Still in the SSH terminal, type: openvpn --config vpn.<whateveryoucalledit>.ovpn
- Watch the messages scroll up the screen. If all is successful, you'll see 'Initialization Sequence Completed' on the last line.
- If successful, scroll up and look at the lines until you see the one that reads DNS:
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.x.x.x,route 10.x.x.x,topology net30,ping 10,ping-restart 60,ifconfig 10.x.x.x 10.x.x.x'
- Also watch for "RTNETLINK answers: File exists." This means the route-up file was successful.
- Once you have the DNS address, we can modify the settings.
Configure dnsmasq settings – edit file: /etc/dnsmasq.conf
- Add the marked lines (the "Added for OpenVPN DNS" comment and the dhcp-option line) to the file:
# Change the following lines if you want dnsmasq to serve SRV
# records.
# You may add multiple srv-host lines.
# The fields are <name>,<target>,<port>,<priority>,<weight>
# Added for OpenVPN DNS: hand slan clients the VPN's DNS server (option 6) via DHCP
dhcp-option=<name of network interface>,6,<IP Address from OpenVPN Connection>
# example: dhcp-option=slan,6,10.x.x.x
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 289
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
Create and name a startup file and place it in /etc/init.d/ so it can be enabled and disabled from the OpenWrt GUI
- Create the file with your favorite text editor (ex. vi /etc/init.d/openvpn-client):
#!/bin/sh /etc/rc.common
# Copyright (C) 2007 OpenWrt.org
START=90
start()
{
    logger -t "openvpn" "starting openvpn-client"
    openvpn --daemon --config /root/vpn.<whateveryoucalledit>.ovpn
}
stop()
{
    logger -t "openvpn" "stopping openvpn-client"
    # Stops every openvpn process on the router; OpenVPN runs the down script (tunneldown.sh) on exit
    killall openvpn
    sleep 3
}
- Make it executable: chmod u=rwx /etc/init.d/openvpn-client
- Exit the SSH shell!
- From the web GUI, go to System -> Startup
- 'openvpn-client' and 'openvpn' show in 'Initscripts' as disabled
- Enable 'openvpn-client' and refresh to make sure it is running
- If it stays in the Enabled state, finish the firewall settings:
Name | Input | Output | Forward | Masquerade & MSS clamping | Covered Networks | Allow Forward To | Allow Forward From
Lan | Accept | Accept | Reject | Both blank | Lan | wan |
Wan | Reject | Accept | Reject | Masquerade checked, MSS clamping blank | Wan | | lan
Slan | Accept | Accept | Reject | Both blank | Slan | Ovpn (1) |
Ovpn (1) | Accept | Accept | Reject | Masquerade checked, MSS clamping blank | Ovpn | | Slan
Restart the router
If everything works, when you connect to the secure wireless network, your IP address will appear to be in the location of the VPN server.
All DONE!
Troubleshooting
- If, after enabling openvpn-client, it comes back disabled, there is something wrong in the configuration. The best way to debug or troubleshoot the connection is to SSH into the router and start the OpenVPN connection by typing:
openvpn --config <openvpn>.ovpn
- Watch toward the end to see if there are any errors from the route-up.sh script.
- Press Ctrl-C and watch what happens with the tunneldown.sh script.
- If you forgot to make the files executable, the connection will fail.
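As an added check to go with the route-up.sh/tunneldown.sh scripts and the troubleshooting steps above (my example, not part of the original post), this POSIX sh function reads the output of `ip rule show` and `ip route show table vpn` and reports which piece of the slan policy routing is missing, so you can tell "VPN up" from "slan quietly falling back to the main table". It assumes the walkthrough's 192.168.20.0/24 subnet and uses constructed sample output.

```shell
#!/bin/sh
# Added example, not from the original post: verify the policy routing that
# route-up.sh creates and tunneldown.sh removes. Assumes the slan subnet
# 192.168.20.0/24 from the walkthrough; the sample output below is constructed.
SLAN_PREFIX="192.168.20"

# $1 = text of `ip rule show`, $2 = text of `ip route show table vpn`.
# Returns 0 when the rule and the tunnel routes are present, 1 with a reason otherwise.
check_vpn_routing() {
    rules="$1"
    routes="$2"
    # Without the rule, slan traffic is routed by the main table (i.e. straight out the WAN).
    if ! printf '%s\n' "$rules" | grep -q "from $SLAN_PREFIX\.[0-9]*/24 lookup vpn"; then
        echo "missing: ip rule from $SLAN_PREFIX.0/24 table vpn"
        return 1
    fi
    # Both halves of the default route must point at the tun device.
    for half in 0.0.0.0/1 128.0.0.0/1; do
        if ! printf '%s\n' "$routes" | grep -q "^$half via [0-9.]* dev tun"; then
            echo "missing: $half via the tunnel in table vpn"
            return 1
        fi
    done
    # The return route keeps router-to-client traffic off the tunnel.
    if ! printf '%s\n' "$routes" | grep -q "^$SLAN_PREFIX\.0/24 "; then
        echo "missing: return route for $SLAN_PREFIX.0/24 in table vpn"
        return 1
    fi
    echo "ok: slan policy routing is complete"
}

# Constructed sample output as it looks after route-up.sh has run.
RULES_UP="0:      from all lookup local
32765:  from 192.168.20.0/24 lookup vpn
32766:  from all lookup main
32767:  from all lookup default"
ROUTES_UP="0.0.0.0/1 via 10.8.0.5 dev tun0
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.20.0/24 via 192.168.20.1 dev wlan0-1"

# Constructed sample after tunneldown.sh: rule deleted, table flushed.
RULES_DOWN="0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default"
ROUTES_DOWN=""

# On the router, run it against the live state:
# check_vpn_routing "$(ip rule show)" "$(ip route show table vpn)"
```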