Knowledgebase: OpenVPN Setup
How to setup with a OpenWRT router?
Posted by Max Biggavelli on 22 March 2015 12:14

One of our members wrote a tutorial for the OpenWRT setup.

I wrote this little How-To based on the "Barrier Breaker" (r42801) OpenWRT version.
I use my OpenWRT TP-Link router behind a Fritzbox (router) via WAN.
You have to use secure DNS on the first router (in my case the Fritzbox).
After you flash OpenWRT onto your router, you have to set the root password; you need it for the SSH connection.

I recommend you delete all IPv6 settings.

Go to the OpenWRT web interface (for example 192.168.1.1) with your browser:
Network->Interfaces->LAN->Edit->scroll down to "DHCP Server"->IPv6 Settings->disable all
and
Network->Interfaces->WAN6->Delete


1. Install OpenVPN. Connect via SSH (for example with PuTTY):

opkg update
opkg install openvpn-openssl

2. Create the tunnel device:
cat >> /etc/config/network << EOF
config interface 'nVPN'
  option proto 'none'
  option ifname 'tun0'
EOF

3. Set your nVPN username and password (the file holds them in plain text, so keep it readable by root only):
cat >> /etc/openvpn/authuser << EOF
nVPN-USERNAME
nVPN-PASSWORD
EOF

4. Set the nVPN config (simply copy and paste your downloaded config file):
cat >> /etc/openvpn/nvpn.ovpn << EOF
client
dev tun
auth-user-pass authuser
proto udp
remote "your-nVPN-Hostname, something like uXXXXX.nvpn.so" 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
ca nVPN.crt
verb 3
reneg-sec 0
tun-mtu 1500
EOF


5. Set the nVPN certificate

cat >> /etc/openvpn/nVPN.crt << EOF
"the nVPN certificate - see below on how to obtain (do NOT paste just this)"
EOF

To get the nVPN certificate, open the "nVPN.crt" file (it is in the same directory as the config listed above) in Notepad and copy its contents. Make sure the line breaks in the certificate are preserved and that it includes the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.


6. Now check that your config is right:

openvpn --cd /etc/openvpn --config /etc/openvpn/nvpn.ovpn

If you see "Initialization Sequence Complete", your config is correct. Leave it running, close this PuTTY window and open a new one.

Type "ifconfig" and check that you see a "tun0" interface; that confirms OpenVPN created the tunnel device successfully. Then stop the test instance:
killall openvpn


7. Firewall settings

There are two ways to set up the firewall. Option 1 allows outgoing connections only while the VPN connection is active, so nothing leaks out over the WAN if the tunnel drops. Option 2 allows them even when the VPN connection is down. Follow either option 1 or option 2.

Option 1: All connections are restricted to the VPN network. To be safe, back up the existing firewall rules with this first command:

mv /etc/config/firewall /etc/config/firewall.old


Then add the new firewall configuration (note that it accepts input on the wan zone, which is only reasonable because this router sits behind another router; OpenWRT's default for wan is input 'REJECT'):

cat >> /etc/config/firewall << EOF
config defaults
  option syn_flood '1'
  option input 'ACCEPT'
  option output 'ACCEPT'
  option forward 'REJECT'

config zone
  option name 'lan'
  option network 'lan'
  option input 'ACCEPT'
  option output 'ACCEPT'
  option forward 'REJECT'

config zone
  option name 'wan'
  option network 'wan'
  option input 'ACCEPT'
  option output 'ACCEPT'
  option forward 'REJECT'

config zone
  option name 'vpn'
  option network 'nVPN'
  option input 'REJECT'
  option output 'ACCEPT'
  option forward 'REJECT'
  option masq '1'
  option mtu_fix '1'

config rule
  option name 'Allow-DHCP-Renew'
  option src 'wan'
  option proto 'udp'
  option dest_port '68'
  option target 'ACCEPT'
  option family 'ipv4'

config rule
  option name 'Allow-Ping'
  option src 'wan'
  option proto 'icmp'
  option icmp_type 'echo-request'
  option family 'ipv4'
  option target 'ACCEPT'

config rule
  option name 'Allow-DHCPv6'
  option src 'wan'
  option proto 'udp'
  option src_ip 'fe80::/10'
  option src_port '547'
  option dest_ip 'fe80::/10'
  option dest_port '546'
  option family 'ipv6'
  option target 'ACCEPT'

config rule
  option name 'Allow-ICMPv6-Input'
  option src 'wan'
  option proto 'icmp'
  list icmp_type 'echo-request'
  list icmp_type 'echo-reply'
  list icmp_type 'destination-unreachable'
  list icmp_type 'packet-too-big'
  list icmp_type 'time-exceeded'
  list icmp_type 'bad-header'
  list icmp_type 'unknown-header-type'
  list icmp_type 'router-solicitation'
  list icmp_type 'neighbour-solicitation'
  list icmp_type 'router-advertisement'
  list icmp_type 'neighbour-advertisement'
  option limit '1000/sec'
  option family 'ipv6'
  option target 'ACCEPT'

config rule
  option name 'Allow-ICMPv6-Forward'
  option src 'wan'
  option dest '*'
  option proto 'icmp'
  list icmp_type 'echo-request'
  list icmp_type 'echo-reply'
  list icmp_type 'destination-unreachable'
  list icmp_type 'packet-too-big'
  list icmp_type 'time-exceeded'
  list icmp_type 'bad-header'
  list icmp_type 'unknown-header-type'
  option limit '1000/sec'
  option family 'ipv6'
  option target 'ACCEPT'

config include
  option path '/etc/firewall.user'

config forwarding
  option src 'lan'
  option dest 'vpn'
EOF

Option 2: Allow Internet connections even without the VPN. Back up the existing rules first, then append the vpn zone and the lan->vpn forwarding (the existing lan->wan forwarding stays, which is what keeps Internet access working while the tunnel is down):
cp /etc/config/firewall /etc/config/firewall-backup

cat >> /etc/config/firewall << EOF
config zone
  option name 'vpn'
  option network 'nVPN'
  option input 'REJECT'
  option output 'ACCEPT'
  option forward 'REJECT'
  option masq '1'
  option mtu_fix '1'

config forwarding
  option src 'lan'
  option dest 'vpn'
EOF
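An added check (not from the tutorial or from nVPN) for the difference between the two options: it parses a UCI firewall file and reports any forwarding that lets LAN traffic leave through a zone other than 'vpn', which is exactly the path that would leak when tun0 is down. The function names and the constructed sample files are my own; it assumes one UCI statement per line, as /etc/config/firewall is written.

```shell
#!/bin/sh
# Added example, not part of the nVPN tutorial: audit an OpenWRT UCI firewall
# file for forwardings that let LAN traffic leave via a zone other than 'vpn',
# i.e. the leak path that Option 1 removes and Option 2 keeps open.
# Assumes one UCI statement per line, as /etc/config/firewall is written.

# Print every "config forwarding" section as "src dest", one pair per line.
uci_forwardings() {
    awk -v q="'" '
        function clean(v) { gsub(q, "", v); gsub(/"/, "", v); return v }
        function flush()  { if (inblk && src != "") print src, dst; inblk = 0; src = ""; dst = "" }
        /^config[ \t]+forwarding/ { flush(); inblk = 1; next }
        /^config/                 { flush(); next }
        inblk && $1 == "option" && $2 == "src"  { src = clean($3) }
        inblk && $1 == "option" && $2 == "dest" { dst = clean($3) }
        END { flush() }
    ' "$1"
}

# Return 0 when every forwarding out of 'lan' targets 'vpn'; return 1 and list
# the offending pairs otherwise (traffic would still leave over WAN with tun0 down).
vpn_only_forwarding() {
    leaks=$(uci_forwardings "$1" | awk '$1 == "lan" && $2 != "vpn"')
    [ -z "$leaks" ] && return 0
    echo "leak: lan is forwarded to a non-VPN zone:"
    echo "$leaks"
    return 1
}

# Demo on two constructed files: the Option 1 layout and a stock lan->wan layout.
demo() {
    d=$(mktemp -d)
    printf "config forwarding\n\toption src 'lan'\n\toption dest 'vpn'\n" > "$d/option1"
    printf "config forwarding\n\toption src 'lan'\n\toption dest 'wan'\n" > "$d/stock"
    for f in option1 stock; do
        if vpn_only_forwarding "$d/$f"; then
            echo "$f: OK, lan only reaches the vpn zone"
        else
            echo "$f: NOT VPN-only"
        fi
    done
    rm -rf "$d"
}
demo
```

On the router itself you can run the check directly against /etc/config/firewall after applying either option.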

AUTOSTART:
mv /etc/config/openvpn /etc/config/openvpn.old

cat >> /etc/config/openvpn << EOF
config openvpn 'nVPN'
  option enabled '1'
  option config '/etc/openvpn/nvpn.ovpn'
EOF

/etc/init.d/openvpn enable


Now reboot, wait 30 seconds and verify your new public IP ( http://check.nvpn.net or http://www.whoer.net ).
That's it! :)


Sometimes, for example when your first router does the provider's typical 24h reconnect, the VPN connection drops.
The script below checks every 2 minutes whether the VPN connection is still established and, if not, reconnects it:

mkdir /root/scripts

# quote EOF so that $DEV, $IP, $LOG and `date` are written literally instead of being expanded now
cat >> /root/scripts/check-online.sh << 'EOF'
#!/bin/sh
# Ping a public address through the tunnel; if that fails, restart the
# network and OpenVPN so the tunnel comes back up.
IP=8.8.4.4
LOG="/root/log_online.log"
LOG_FAIL="/root/log_offline.log"
DEV="tun0"
######################
# TUN device online? #
######################
if ping -c 1 -I "$DEV" "$IP" > /dev/null 2>&1
then
  # only the last successful run is kept
  echo "`date` - OpenVPN(nVPN) up and I can ping through it." > "$LOG"
else
  echo "`date` - OpenVPN(nVPN) up, but no ping! RESTARTING OPENVPN AND NETWORK." >> "$LOG_FAIL"
  /etc/init.d/openvpn stop
  sleep 1
  /etc/init.d/network restart
  sleep 4
  /etc/init.d/openvpn start
  sleep 15
  # second start in case the first one raced the network restart
  /etc/init.d/openvpn start
fi
EOF

Go to the OpenWRT web interface, System->Scheduled Tasks, and add this line:
*/2 * * * * /bin/sh /root/scripts/check-online.sh
and the line below to delete the log every Sunday at 01:00:
0 1 * * 7 rm /root/log_offline.log
If you want to see the log, connect to your router via SFTP (for example with WinSCP) and browse to /root/scripts/

Then click Submit and your connection is properly secured in case of a VPN connection loss. That's it. In case of any problems with this tutorial, feel free to contact the writer of the tutorial at jendy@secure-mail.biz