OpenWrt, OpenVPN, One Router, Two Signals


I am re-posting this article because the last one I wrote was deleted in error. I was updating it and, when I clicked save, it all went away. However, the previous article was based on OpenVPN version 2.0, so some of the commands didn't work. I found a backup of the old article and added two sections for OpenVPN 2.4.

As an introduction, while living overseas, I found myself needing a VPN for various reasons. I would have two routers, one with the VPN connection and one with a local connection. I knew there had to be a better way, so I went on a hunt to figure it out. The information below is my solution. There is plenty of information that is taken for granted, so if there are any questions that are not answered, ask a trusted friend or ask in the Help Forum.


The idea: broadcast two wireless signals from one router. Devices on the first SSID have all their traffic sent through an OpenVPN tunnel; devices on the second use the local internet connection directly.

Purpose: to watch Netflix, Hulu, etc., on media devices through the VPN while still running a server that can be reached from the internet (without the VPN), or simply to keep normal local internet access. Which path a device takes depends only on which wireless network it joins: connect the media devices to the VPN SSID and they run Netflix, Hulu, or anything else through the tunnel all the time; connect everything else to the local SSID and it behaves as before. The split is done on the router itself with policy routing (a second routing table for the VPN subnet) plus firewall zones, so no per-device VPN software is needed.

Before attempting this, I looked around on the internet and didn't find a walkthrough, so if there is one, please let me know. However, I did find lots of help that I picked up from different places. Some of them include:

http://wiki.openwrt.org/doc/howto/vpn.client.pptp

https://forum.openwrt.org/viewtopic.php?id=39223

There were a few more, but can't remember which ones now.

I'm using Attitude Adjustment 12.09 RC2 with OpenVPN 2.0 and OpenVPN 2.4.

Here is what I did:

  1. Purchase an OpenVPN service from a reputable provider (e.g. Witopia, StrongVPN). You need from them: a server name, the CA certificate (ca.crt), your client certificate and key (.crt and .key), and the cipher and any tls-auth key they use.

  2. Install OpenVPN on the OpenWrt router (System->Software in LuCI, or "opkg update; opkg install openvpn" over SSH). See the "Installation" section of the OpenWrt wiki's OpenVPN page, and don't do anything else on that page: the routing and firewall setup below replaces the rest of it.

  3. Install the "ip" package (the full iproute2 ip tool; yes, the package is just called ip). The ip rule and ip route ... table commands used below need it. It's version 3.3.0-1 as of this writing.

  4. Add a new wireless network from LuCI as normal (Network->Wifi, Add):

    • SSID: <your 'secure' name>

    • Mode: Access Point

    • Network: attach it to the LAN network for now. We'll test in a moment that it works and that clients on it have internet access.

    • Add wireless security (WPA2-PSK or better) and any other wireless settings you want

    • Save and Apply

    • Click 'Enable'

  5. Add a new interface (Network->Interfaces->Add new interface):

    • Name: e.g. slan. If you use a different name, change every other reference to slan below.

    • Protocol: Static address

    • Create bridge: unchecked

    • Cover the following interfaces: the newly created wireless network

    • Submit

    • Choose an address in a subnet that is different from the LAN's, for example:

      • IPv4 address = 192.168.20.1

      • IPv4 netmask = 255.255.255.0

      • Leave Gateway blank (this interface is not a route out; the VPN tunnel will be)

      • Custom DNS server = 192.168.20.1

      • Save and Apply

    • Firewall Settings tab:

      • Create a new zone named <your 'secure' lan name>. It must be different from the wireless network name above; I use the same name as the interface, i.e. slan.

    • Click 'Setup DHCP server' and keep the defaults unless you need something special.

    • Save and Apply

  6. From LuCI, go to Network->Firewall:

    • Edit the lan zone and add the new interface (slan) to its covered networks, so it temporarily lists both lan and slan. Under "Allow forward to destination zones", wan should be checked. This is only to test that the new SSID has internet access; the slan zone gets its own rules later and will never be allowed to forward to wan directly.

    • Save and Apply.


 

  7. Back in Network->Wifi:

    • Edit the new wireless interface and uncheck the 'lan' network. Only 'slan' (or whatever you called it) should be checked.

    • Save and Apply

    • Test the wireless connection. If you followed the steps above, a client on the new SSID gets an address in the 192.168.20.0/24 subnet and has internet access (through wan, for now).

  8. Once the test is good, go to Network->Firewall and edit each zone so it matches the table below. At this point only lan and wan need changing; the slan and ovpn rows are completed from the command line in the next steps (see note 1).

Name   Input    Output   Forward   Masquerade / MSS clamping          Covered networks   Allow forward to   Allow forward from
-----  -------  -------  --------  ---------------------------------  -----------------  -----------------  ------------------
lan    Accept   Accept   Accept    both unchecked                     lan                wan                (none)
wan    Reject   Accept   Reject    both checked                       wan                (none)             lan
slan   Accept   Accept   Reject    both unchecked                     slan               ovpn (1)           (none)
ovpn   Accept   Accept   Reject    Masquerade checked, MSS unchecked  ovpn               (none)             slan (1)

(1) See below for more information about the ovpn firewall zone; it does not exist yet. Just edit lan and wan at this point. We'll finish the slan and ovpn rows below.

Note that slan is allowed to forward to ovpn only, never to wan. That is what keeps the secure SSID from leaking: if the tunnel goes down, the policy routing rule is removed, slan traffic falls back to the main table and the wan default route, and the firewall then rejects it. Don't add a slan->wan forwarding "to make it work" while testing.

  9. The rest of the setup is done on the command line, so log in to the router via SSH (see the OpenWrt wiki page on SSH access).

    • Configure the network – edit file: /etc/config/network

      • Add the ovpn interface. It is the tunnel device OpenVPN creates. proto none means OpenWrt only tracks the device and leaves addressing to OpenVPN; the defaultroute and peerdns options are kept from the original article and only matter for protocols that configure the interface, but they do no harm.

config 'interface' 'ovpn'
	# on OpenWrt 21.02 and later the key is "option device 'tun0'"
	option 'ifname' 'tun0'
	option 'defaultroute' '0'
	option 'peerdns' '0'
	option 'proto' 'none'



    • Configure the firewall – edit file: /etc/config/firewall

      • Add the forwarding from slan into the tunnel. This is the only way out of the slan zone; there is deliberately no slan->wan forwarding.

config 'forwarding'
	option 'src' 'slan'
	option 'dest' 'ovpn'

      • Add the OpenVPN zone. masq 1 is the "Masquerade" checkbox from the table: slan's private addresses are NATed to the tunnel address, which the provider expects.

config zone
	option name 'ovpn'
	option network 'ovpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

      input ACCEPT follows the table and means anything on the provider's side of the tunnel can reach services on the router itself (SSH, LuCI, dnsmasq). If you don't need that, treat the tunnel like wan and set input to REJECT; the forwarding from slan is unaffected.

 

    • Add a new routing table – edit file: /etc/iproute2/rt_tables (if the directory doesn't exist, the ip package from step 3 is not installed). Add the line "10 vpn". The number is only an identifier, any unused value between 1 and 252 will do; the name is what the scripts below refer to.

#
# reserved values
#
255	local
254	main
253	default
10	vpn
0	unspec
#
# local
#
#1	inr.ruhep
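
If the router is set up from a provisioning script, it is easy to end up with the vpn line twice, or to pick a number another package already uses. The following POSIX sh function is an added example (not part of the original article) that appends the entry only when it is missing and refuses to proceed if the id or the name is already taken. It assumes the same id (10) and name (vpn) as above.

```sh
#!/bin/sh
# Added example (not part of the original article): add the vpn table to
# /etc/iproute2/rt_tables from a provisioning script without duplicating
# the line or silently reusing a number that another table already has.
# Assumption: the same id (10) and name (vpn) as the article.

# ensure_rt_table FILE ID NAME
# returns 0: "ID NAME" is present (was there already, or has been appended)
# returns 1: ID or NAME is already taken by a different entry
ensure_rt_table() {
    file="$1"; id="$2"; name="$3"
    [ -f "$file" ] || : > "$file"
    # Entries are "<id><whitespace><name>"; lines starting with # are comments.
    if grep -Eq "^[[:space:]]*$id[[:space:]]+$name([[:space:]]|$)" "$file"; then
        return 0
    fi
    if grep -Eq "^[[:space:]]*$id[[:space:]]" "$file"; then
        echo "rt_tables: id $id is already used by another table" >&2
        return 1
    fi
    if grep -Eq "^[[:space:]]*[0-9]+[[:space:]]+$name([[:space:]]|$)" "$file"; then
        echo "rt_tables: name $name is already used by another id" >&2
        return 1
    fi
    printf '%s\t%s\n' "$id" "$name" >> "$file"
}
```

On the router call it as ensure_rt_table /etc/iproute2/rt_tables 10 vpn; it is safe to run on every boot or every re-provisioning.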

 


 

    • Create the route-up and tunneldown scripts in /root with your favorite editor (e.g. vi) and make them executable (chmod 700 /root/route-up.sh /root/tunneldown.sh). OpenVPN runs them with variables such as dev, ifconfig_local and ifconfig_remote set in the environment.

FileName: /root/tunneldown.sh

#!/bin/sh
# Runs when the tunnel goes down: stop steering slan into table vpn and
# empty the table. slan traffic then hits the main table, where the
# firewall rejects it (no slan->wan forwarding), so nothing leaks.
ip rule del from <ip subnet of slan>/24 table vpn
ip route flush table vpn
#example: ip rule del from 192.168.20.0/24 table vpn



_____OPENVPN 2.0 - Route Up File_____

FileName: /root/route-up.sh

#!/bin/sh
# Route Up for OpenVPN 2.0. Nothing here touches the main routing table,
# so the ordinary LAN SSID keeps using the wan default route.
# Link route to the far end of the tunnel. OpenVPN's ifconfig usually added
# it already, so "RTNETLINK answers: File exists" here is harmless.
ip route add $ifconfig_remote dev $dev proto kernel scope link src $ifconfig_local
# Route pushed by the provider (its internal network), kept inside table vpn
ip route add $route_network_1 via $ifconfig_remote dev $dev metric 1 table vpn
# The two halves of the address space instead of a default route: this is
# what redirect-gateway def1 would do, but only inside table vpn
ip route add 0.0.0.0/1 via $ifconfig_remote dev $dev table vpn
ip route add 128.0.0.0/1 via $ifconfig_remote dev $dev table vpn
# Add route back to the local network so replies to slan clients resolve
# inside the table
ip route add <ip subnet from slan>/24 via <slan Gateway> table vpn
#example : ip route add 192.168.20.0/24 via 192.168.20.1 table vpn
# Add rule: packets with a source in slan look up table vpn before main
ip rule add from <ip subnet from slan>/24 table vpn
#example: ip rule add from 192.168.20.0/24 table vpn

_____OPENVPN 2.0 - Config File_____

    • Edit the OpenVPN config file and save it on your computer as .ovpn (e.g. vpn.dallas.ovpn), in the same folder as your .key, .crt and ca.crt files. Copy all four to /root on the router (e.g. with scp), because the paths in the file point there, and run "chmod 600 /root/*.key" so the private key is not world-readable.

#####################################
# OpenVPN 2.0 configuration file
#####################################
client
# Our script installs the routes; route-noexec keeps the pushed
# redirect-gateway out of the main routing table
route-up /root/route-up.sh
route-noexec
down /root/tunneldown.sh
# Level 2 is enough for route-up/down scripts; level 3 additionally passes
# the VPN user password to scripts through the environment
script-security 3 system
dev tun
proto udp
remote <vpn.server.name> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
# Change to the cipher your provider specifies. BF-CBC is the old default
# and is no longer safe (64-bit blocks); AES-256-CBC or better
cipher bf-cbc
# Keep compression only if the provider requires it
comp-lzo
verb 3
mute 20
ca /root/ca.crt
mssfix 1300
key /root/<openvpn>.key
cert /root/<openvpn>.crt
#tls-auth ta.key 1


_____OPENVPN 2.4 - Route Up File_____

FileName: /root/route-up.sh

#!/bin/sh
# Route Up for OpenVPN 2.4. Same logic as the 2.0 script; 2.4 exports the
# tunnel gateway as route_vpn_gateway instead of ifconfig_remote.
# Link route to the tunnel gateway ("File exists" here is harmless)
ip route add $route_vpn_gateway dev $dev proto kernel scope link src $ifconfig_local
# Route pushed by the provider, kept inside table vpn
ip route add $route_network_1 via $route_vpn_gateway dev $dev metric 1 table vpn
# Both halves of the address space (redirect-gateway def1, but only in table vpn)
ip route add 0.0.0.0/1 via $route_vpn_gateway dev $dev table vpn
ip route add 128.0.0.0/1 via $route_vpn_gateway dev $dev table vpn
# Add route back to the local network
ip route add <ip subnet from slan>/24 via <slan Gateway> table vpn
#example : ip route add 192.168.20.0/24 via 192.168.20.1 table vpn
# Add rule: packets with a source in slan look up table vpn before main
ip rule add from <ip subnet from slan>/24 table vpn
#example: ip rule add from 192.168.20.0/24 table vpn
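
The two route-up files above differ only in the name of the variable that holds the tunnel gateway (ifconfig_remote in 2.0, route_vpn_gateway in 2.4). As an added example, not the author's scripts, here is one POSIX sh hook that handles both versions and also serves as the down script, dispatching on the script_type variable OpenVPN sets for every hook. A DRY_RUN mode prints the ip commands instead of running them, so the logic can be checked on a workstation. It assumes the slan wireless device is called wlan0-1 (an assumption; check with ip route while a client is connected, or keep the author's "via <slan gateway>" form), that table vpn exists in rt_tables, and that the .ovpn uses route-noexec and points both route-up and down at this script.

```sh
#!/bin/sh
# /root/vpn-routes.sh: one hook for both route-up and down.
# Added example for this article; it is not the author's scripts above but
# does the same job for OpenVPN 2.0-era and 2.4 builds in one file.
# Assumptions (not from the article): the slan wireless device is wlan0-1,
# the table "vpn" exists in /etc/iproute2/rt_tables, and the .ovpn contains
#   route-noexec
#   route-up /root/vpn-routes.sh
#   down     /root/vpn-routes.sh
#   script-security 2
SLAN_NET="${SLAN_NET:-192.168.20.0/24}"
SLAN_DEV="${SLAN_DEV:-wlan0-1}"
TABLE="${TABLE:-vpn}"

# run: execute an ip(8) command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# vpn_gateway: far end of the tunnel. OpenVPN 2.4 exports route_vpn_gateway;
# 2.0-era builds with topology net30 only export ifconfig_remote.
vpn_gateway() {
    if [ -n "${route_vpn_gateway:-}" ]; then
        echo "$route_vpn_gateway"
    else
        echo "${ifconfig_remote:-}"
    fi
}

# route_up: fill table vpn and steer slan into it. The main table is never
# touched, so the ordinary SSID keeps the wan default route.
route_up() {
    gw=$(vpn_gateway)
    if [ -z "$gw" ]; then echo "vpn-routes: no gateway in environment" >&2; return 1; fi
    # Link route to the peer; OpenVPN usually added it already ("File exists").
    run ip route add "$gw" dev "$dev" proto kernel scope link src "$ifconfig_local" 2>/dev/null
    # 0/1 + 128/1 cover everything, like redirect-gateway def1, but only here.
    run ip route add 0.0.0.0/1 via "$gw" dev "$dev" table "$TABLE"
    run ip route add 128.0.0.0/1 via "$gw" dev "$dev" table "$TABLE"
    # Route the provider pushed (route_network_1), if any.
    if [ -n "${route_network_1:-}" ]; then
        run ip route add "$route_network_1" via "$gw" dev "$dev" table "$TABLE"
    fi
    # The slan subnet itself, so replies to clients resolve inside the table.
    run ip route add "$SLAN_NET" dev "$SLAN_DEV" table "$TABLE"
    # Policy rule: source address in slan -> consult table vpn before main.
    run ip rule add from "$SLAN_NET" table "$TABLE"
}

# route_down: undo the rule and empty the table. slan then falls back to the
# main table, where the firewall rejects slan->wan, so nothing leaks.
route_down() {
    run ip rule del from "$SLAN_NET" table "$TABLE"
    run ip route flush table "$TABLE"
}

# OpenVPN tells the hook which event it is running through script_type.
case "${script_type:-}" in
    route-up) route_up ;;
    down)     route_down ;;
esac
```

To see exactly what it would do without changing anything, run it by hand with the variables OpenVPN would supply, e.g. DRY_RUN=1 script_type=route-up dev=tun0 ifconfig_local=10.8.0.6 route_vpn_gateway=10.8.0.5 sh /root/vpn-routes.sh.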


_____OPENVPN 2.4 - Config File_____

    • Edit the OpenVPN config file and save it on your computer as .ovpn (e.g. vpn.dallas.ovpn), in the same folder as your .key, .crt and ca.crt files. Copy all four to /root on the router (e.g. with scp), because the paths in the file point there, and run "chmod 600 /root/*.key" so the private key is not world-readable.

#####################################
# OpenVPN 2.4 configuration file
#####################################
client
# Our script installs the routes; route-noexec keeps the pushed
# redirect-gateway out of the main routing table
route-up /root/route-up.sh
route-noexec
down /root/tunneldown.sh
# Level 2 is enough for route-up/down scripts; level 3 additionally passes
# the VPN user password to scripts through the environment
script-security 3
dev tun
proto udp
remote <vpn.server.name> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Replaces the deprecated ns-cert-type: the server certificate must carry
# the TLS server extended key usage, so a client cert can't impersonate it
remote-cert-tls server
# Change to the cipher your provider specifies. BF-CBC is no longer safe
# (64-bit blocks). Against a 2.4+ server, 2.4 negotiates AES-256-GCM itself
# and this line is only the fallback for older servers
cipher bf-cbc
# Keep compression only if the provider requires it
comp-lzo
verb 3
mute 20
ca /root/ca.crt
mssfix 1300
tun-mtu 1500
# Don't keep a password read with askpass/auth-user-pass in memory
auth-nocache
key /root/<openvpn>.key
cert /root/<openvpn>.crt

 10. Now comes the fun....

    • Test the connection by hand first, and note the DNS server the provider pushes; you'll need it in the next step.

    • Disable and stop any OpenVPN process/service that is already running:
      • /etc/init.d/openvpn stop
      • /etc/init.d/openvpn disable

    • Type: openvpn --config /root/vpn.<whateveryoucalledit>.ovpn

      • Watch the messages scroll up the screen. If all is successful, the last line says 'Initialization Sequence Completed'.

      • Look back through the output for the PUSH_REPLY line and take the address after "dhcp-option DNS":

        PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.x.x.x,route 10.x.x.x,topology net30,ping 10,ping-restart 60,ifconfig 10.x.x.x 10.x.x.x'

      • You will also see "RTNETLINK answers: File exists". It comes from the first ip route add in route-up.sh (OpenVPN had already installed the link route to the tunnel peer) and is harmless; what it does confirm is that route-up.sh is being executed. If OpenVPN instead warns that it could not run the script, the file is not executable or the path in the .ovpn is wrong.

      • In a second SSH session, check the policy routing while the tunnel is up: "ip rule" should list "from 192.168.20.0/24 lookup vpn", and "ip route show table vpn" the 0.0.0.0/1 and 128.0.0.0/1 routes via the tunnel. "ip route" (the main table) must not have changed.

 11. Once you have the DNS address, hand it to slan clients via DHCP:

      • Configure dnsmasq – edit file: /etc/dnsmasq.conf (OpenWrt reads this file in addition to what it generates from /etc/config/dhcp). Add the two lines marked "Added for OpenVPN DNS" just before the srv-host comments; everything else shown is already in the file.

# Change the following lines if you want dnsmasq to serve SRV
# records.
# You may add multiple srv-host lines.
# The fields are <name>,<target>,<port>,<priority>,<weight>
# Added for OpenVPN DNS: DHCP option 6 (DNS server) for the slan pool only
dhcp-option=<name of network interface>,6,<IP Address from OpenVPN Connection>
# example: dhcp-option=slan,6,10.x.x.x
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389

      The first field is the tag OpenWrt gives the DHCP range of that interface, so clients on the ordinary LAN are not affected. Because slan clients send their DNS queries straight to 10.x.x.x, and everything from slan is routed into the tunnel, DNS does not leak to the local ISP. The equivalent in /etc/config/dhcp is "list dhcp_option '6,10.x.x.x'" in the slan dhcp section. Restart dnsmasq afterwards: /etc/init.d/dnsmasq restart. The pushed address belongs to that provider and server; re-check the PUSH_REPLY after changing the remote.
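
Copying the DNS address by hand works until the provider changes it. The following POSIX sh is an added example (not from the article) that pulls the address out of either the PUSH_REPLY line from the test run above or the foreign_option_N variables OpenVPN exports to route-up scripts (that is how pushed options it does not act on, such as dhcp-option, reach scripts), validates it, and rewrites only its own line in /etc/dnsmasq.conf. The interface tag slan and the file location follow the article; the PUSH_REPLY line used in testing is constructed.

```sh
#!/bin/sh
# Added example, not from the original article: read the DNS server the
# provider pushes instead of copying it by hand, and write the dnsmasq line.
# Sources: the PUSH_REPLY log line from a foreground test run, or the
# foreign_option_N variables OpenVPN exports to route-up scripts, so a hook
# can refresh the option on every connect.
# Assumptions: the secure interface/tag is "slan" and the line lives in
# /etc/dnsmasq.conf as in the article.
SLAN_IF="${SLAN_IF:-slan}"

# dns_from_push_reply: first "dhcp-option DNS a.b.c.d" on stdin, or nothing.
dns_from_push_reply() {
    sed -n 's/.*dhcp-option DNS \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# dns_from_env: same from foreign_option_1..9; returns 1 if none was pushed.
dns_from_env() {
    i=1
    while [ "$i" -le 9 ]; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) echo "${opt#dhcp-option DNS }"; return 0 ;;
        esac
        i=$((i + 1))
    done
    return 1
}

# dnsmasq_option_line IP: the dnsmasq directive, after checking IP is a dotted
# quad so a garbled or hostile push cannot smuggle in another directive.
dnsmasq_option_line() {
    case "$1" in
        ""|*[!0-9.]*|*..*) return 1 ;;
    esac
    echo "dhcp-option=$SLAN_IF,6,$1"
}

# update_dnsmasq_conf FILE IP: replace (or append) our line and nothing else.
# On the router follow it with "/etc/init.d/dnsmasq restart".
update_dnsmasq_conf() {
    file="$1"
    line=$(dnsmasq_option_line "$2") || return 1
    {
        [ -f "$file" ] && grep -v "^dhcp-option=$SLAN_IF,6," "$file" || true
        echo "$line"
    } > "$file.tmp"
    mv "$file.tmp" "$file"
}
```

From a route-up hook the whole thing is: ip=$(dns_from_env) && update_dnsmasq_conf /etc/dnsmasq.conf "$ip" && /etc/init.d/dnsmasq restart. For the one-off test run, pipe the saved OpenVPN output through dns_from_push_reply instead.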

 12. Create a startup script in /etc/init.d/ so the client can be enabled and disabled from the OpenWrt GUI.

Create the file with your favorite text editor (e.g. vi /etc/init.d/openvpn-client):

#!/bin/sh /etc/rc.common
# Copyright (C) 2007 OpenWrt.org
# Start late, after network and firewall, so the ovpn zone exists
START=90

start()
{
	logger -t "openvpn" "starting openvpn-client"
	# --daemon: output goes to syslog (read it with "logread"), not the console
	openvpn --daemon --config /root/vpn.<whateveryoucalledit>.ovpn
}

stop()
{
	logger -t "openvpn" "stopping openvpn-client"
	# Stops every openvpn process, which is fine while this is the only one;
	# the down script then removes the slan rule and flushes table vpn
	killall openvpn
	sleep 3
}

Make it executable: chmod u=rwx /etc/init.d/openvpn-client

Exit the SSH shell.

 13. From the web GUI, go to System -> Startup.

Both 'openvpn-client' and 'openvpn' should be listed under 'Initscripts' as disabled. Leave 'openvpn' disabled, enable 'openvpn-client', and refresh the page to make sure it is running.

If it stays in the Enabled state, finish the firewall settings (Network->Firewall) so that all four zones match this table:

Name   Input    Output   Forward   Masquerade / MSS clamping          Covered networks   Allow forward to   Allow forward from
-----  -------  -------  --------  ---------------------------------  -----------------  -----------------  ------------------
lan    Accept   Accept   Accept    both unchecked                     lan                wan                (none)
wan    Reject   Accept   Reject    Masquerade checked, MSS unchecked  wan                (none)             lan
slan   Accept   Accept   Reject    both unchecked                     slan               ovpn (1)           (none)
ovpn   Accept   Accept   Reject    Masquerade checked, MSS unchecked  ovpn               (none)             slan (1)

(1) The ovpn zone and the slan->ovpn forwarding were added in /etc/config/firewall above; they now show up in LuCI and should match these rows.


Restart the router.

If everything works, when you connect to the secure wireless network your public IP address (as reported by any "what is my IP" site) will be in the location of the VPN server, while from the ordinary SSID it is still your ISP's.

 14. Troubleshooting

If, after enabling openvpn-client, it comes back disabled, something is wrong in the configuration. The best way to debug the connection is to SSH into the router, stop the service and run the client in the foreground, where its log goes to the screen:

/etc/init.d/openvpn-client stop
openvpn --config /root/vpn.<whateveryoucalledit>.ovpn

Watch toward the end for errors from the route-up.sh script: each failing ip command prints an RTNETLINK error, and only "File exists" on the first one is expected.

Press Ctrl-C and watch what happens to the tunneldown.sh script: the rule and the table should be removed without errors.

When the client is running as a daemon, its output is in the system log instead: logread | grep openvpn (or logread -f to follow it).

If you forgot to make the files executable, the connection will fail.

Ask a question in the Forum