— a humbly committed student 2019/01/19 10:31
The purpose of this wiki is to show users how to configure an OpenVPN server on an OpenWrt 18.01 router that connects to the Tor network.
This example uses one OpenWrt router configured as the OpenVPN server, which also generates the security certs for the client files that will be given to the end user. In this example, the Linksys WRT 3200acm router with OpenWrt 18.01 was used, tested, and validated to work. It has also worked on OpenWrt 17.01.
These procedures are primarily done on the CLI in the router's config files, with limited configuration via the LuCI GUI. Because I am not able to attach screenshots, I have done the configuration through the router's config files via an SSH session into the router.
create-configs.sh edits the following config files:
It is recommended to be familiar with the following wiki articles to perform this task.
In this example, it is expected that the user has reviewed the recommended guides listed above, was able to successfully create a Tor VLAN that connects to the Tor network, and in addition was able to follow the OpenVPN Basics guide and successfully create an OpenVPN server.
Link to the original cert-generating scripts from the OpenVPN Basics tutorial, for reference:
1. The bash script was customized to create certs for the Tor network. On review, the reader may notice that the output cert files are saved to /etc/openvpn/tor; this was done for organizational purposes. The output filenames were also changed to reflect that they are associated with the Tor VPN we are creating.
Note: document these items' locations, as they will be referred to in section 3 (/etc/config/openvpn configuration file) and section 7 (Create the end-user's torvpnclient.ovpn file):
2. config interface 'torvpn': in this example there are multiple VLANs and Tor is configured as being on interface tun2. It may be tun0 if only one network was configured/created via the procedures listed in the OpenVPN Basics tutorial.
3. This configuration has multiple VPNs configured. Observe the torvpn configuration.
Important to take note of the following items:
* the port being used, as this will be used in section 4 (firewall)
* the location of the certs being used, generated in section 1 when running the 01.create-certs.tor.sh bash script
* the list network being used, which is the local Tor network/VLAN interface
4. Configurations for the firewall to allow the torvpn ports. They are very similar to the firewall configurations discussed in the Tor tutorial.
5. Additional configurations for the firewall via the /etc/firewall.user file to allow the torvpn and Tor network port forwards. They are very similar to the firewall configurations discussed in the Tor tutorial.
6. Configuration of the /etc/tor file. The torvpn network was added at the end of the file and has been commented for your reference.
7. Create the end-user's torvpnclient.ovpn file.
Note: notice that the files referenced in the script are at the same locations where the script in section 1 output the certs.
8. Reboot the router:
9. Verify that the tor process is running. Note: if tor is not displayed, simply run it by typing tor in the CLI:
ps -ef | grep -i tor
Output should resemble this:
tor 4726 1 0 Jun25 ? 00:01:23 /usr/sbin/tor --runasdaemon 0
root 13093 21825 0 02:33 pts/0 00:00:00 grep -i tor
10. Similarly, you can tail the log to see the following output:
tail -f /tmp/log/tor
Tor has successfully opened a circuit. Looks like client functionality is working.
11. Export the torvpnclient.ovpn file via WinSCP or the scp command in an SSH session and test it on the client's machine. How to use WinSCP and/or the scp command in an SSH session is beyond the scope of this tutorial.
12. Try connecting to the newly created torvpn and test its connectivity with Check Tor: https://cdn.instructables.com/FHN/5956/IK2X86XF/FHN5956IK2X86XF.LARGE.jpg
13. If you ever need to start and stop the tor service:
/etc/init.d/tor start
/etc/init.d/tor stop
/etc/init.d/tor restart
14. You can also find the process number with
ps -ef | grep -i tor
and then stop it with
kill ###
where ### is its PID number.
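As an added post-install check (this script is not part of the original wiki), the following ties steps 1, 3, 9 and 10 together: it reads the cert paths out of the torvpn section of a UCI file laid out like /etc/config/openvpn, confirms each referenced file exists and that the private key is not world-readable, and looks for the circuit line from step 10 in the Tor log. The section name 'torvpn', the single-quoted UCI value style and the log path /tmp/log/tor are assumptions taken from this page.

```shell
#!/bin/sh
# Added sanity check for the torvpn setup (not part of the original wiki).
# Assumptions, labelled: the OpenVPN UCI section is called 'torvpn' in a file
# laid out like /etc/config/openvpn, and Tor logs to /tmp/log/tor as in step 10.

# Step 10's success line: return 0 if the Tor log shows a built circuit.
tor_circuit_ok() {  # logfile
    grep -q 'Tor has successfully opened a circuit' "$1"
}

# Print one 'option NAME' value from the given UCI section (single-quoted,
# space-free values such as file paths; enough for ca/cert/key/dh/port).
uci_option() {  # file section option
    awk -v q="'" -v sec="$2" -v opt="$3" '
        $1 == "config" { insec = ($3 == (q sec q) || $3 == sec) }
        insec && $1 == "option" && $2 == opt { v = $3; gsub(q, "", v); print v; exit }
    ' "$1"
}

# Check that every cert/key the section references exists (the paths from
# step 1 must match the ones in section 3) and that the private key is not
# world-readable. Prints each problem; returns the number of problems found.
torvpn_certs_ok() {  # file section
    problems=0
    for opt in ca cert key dh; do
        path=$(uci_option "$1" "$2" "$opt")
        if [ -z "$path" ]; then
            echo "option '$opt' missing from section '$2'"
            problems=$((problems + 1))
        elif [ ! -f "$path" ]; then
            echo "option '$opt' points to a missing file: $path"
            problems=$((problems + 1))
        elif [ "$opt" = key ]; then
            # the 8th character of 'ls -l' is the world-read bit
            case "$(ls -l "$path")" in
                ???????r*) echo "private key is world-readable: $path"
                           problems=$((problems + 1)) ;;
            esac
        fi
    done
    return "$problems"
}

# On the router, after step 8, run the checks against the live paths:
#   sh check-torvpn.sh check
if [ "${1:-}" = check ]; then
    torvpn_certs_ok /etc/config/openvpn torvpn &&
        tor_circuit_ok /tmp/log/tor && echo "torvpn checks passed"
fi
```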