
OpenVPN Client

Why would you want an OpenVPN client on your router?

You may want to run an OpenVPN client on your router to encrypt your connection to the internet and prevent your Internet Service Provider (ISP) from snooping on your traffic and DNS requests (which in some countries is now legal for ISPs to monetize), as well as from meddling with DNS requests or HTTP traffic. To use an OpenVPN client on your router, you need credentials for a corresponding OpenVPN server. Your connection to the OpenVPN server is encrypted, which prevents your ISP from snooping on or meddling with your traffic. A wide variety of commercial OpenVPN providers exist. Once you install and run an OpenVPN client on your router, it is best to route all your traffic through the OpenVPN tunnel. The article below describes how to set up an OpenVPN client on your router.

Preparation

First, SSH into your router, then install the prerequisites:

opkg update
opkg install openvpn-openssl luci-app-openvpn
opkg install nano libustream-openssl ca-bundle ca-certificates

OpenVPN Config Files

You will need two files from your VPN provider: the .ovpn client config file and the CA certificate file. Prefer downloading the CA certificate over HTTPS where the provider offers it, since a CA file substituted in transit would let someone else pose as the VPN server. For example:

cd /etc/openvpn
wget http://www.ipvanish.com/software/configs/ca.ipvanish.com.crt
wget https://www.ipvanish.com/software/configs/ipvanish-US-Los-Angeles-lax-a01.ovpn

Next, edit the .ovpn file and make a few changes:

nano ipvanish-US-Los-Angeles-lax-a01.ovpn

Modify the line that says auth-user-pass so that it reads:

auth-user-pass /tmp/auth.conf

Also add the following two lines anywhere in the file. The first forces the OpenVPN client to route all traffic over this tunnel; the second stops it from caching the username and password in memory.

redirect-gateway def1
auth-nocache

Press “Ctrl-X” to exit, and Y to save when prompted.

Next, create the username/password file referenced above (username on the first line, password on the second):

touch /tmp/auth.conf
echo "YOUR_VPN_USER_NAME" > /tmp/auth.conf
echo "YOUR_VPN_PASSWORD" >> /tmp/auth.conf
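As an added check (not from this wiki page or the provider's files), the POSIX shell script below verifies that an .ovpn file carries the three directives from this section and that the credentials file it names is mode 600. The mode check goes beyond what the guide sets, and the directive list and scratch paths are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki page or the provider's config:
# lint an .ovpn client config for the directives this section adds and
# check that the credentials file it points at is readable only by its
# owner. Directive list and the scratch paths below are assumptions.

# check_ovpn FILE: succeed if FILE contains all three directives, else
# print each missing one and fail. The ^ and $ anchors reject a
# commented-out line and a bare "auth-user-pass" with no file argument.
check_ovpn() {
    cfg="$1"
    rc=0
    grep -q '^auth-user-pass [^ ]' "$cfg" || { echo "missing: auth-user-pass <file>"; rc=1; }
    grep -q '^redirect-gateway def1$' "$cfg" || { echo "missing: redirect-gateway def1"; rc=1; }
    grep -q '^auth-nocache$' "$cfg" || { echo "missing: auth-nocache"; rc=1; }
    return $rc
}

# check_auth_file FILE: succeed if the file named on the auth-user-pass
# line exists with mode 600, else fail. The guide does not set the mode;
# this is an extra check, since a password file other users on the
# router can read undoes the benefit of auth-nocache.
check_auth_file() {
    authfile=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$1")
    if [ -z "$authfile" ] || [ ! -f "$authfile" ]; then
        echo "auth file not found: ${authfile:-<none>}"
        return 1
    fi
    # GNU/busybox stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$authfile" 2>/dev/null || stat -f '%Lp' "$authfile")
    if [ "$mode" != "600" ]; then
        echo "auth file $authfile has mode $mode, expected 600"
        return 1
    fi
    return 0
}

# Demo on constructed files in a scratch directory, not /etc/openvpn.
demo_dir=$(mktemp -d)
printf 'client\nauth-user-pass %s/auth.conf\nredirect-gateway def1\n' "$demo_dir" > "$demo_dir/sample.ovpn"
printf 'YOUR_VPN_USER_NAME\nYOUR_VPN_PASSWORD\n' > "$demo_dir/auth.conf"
chmod 600 "$demo_dir/auth.conf"
check_ovpn "$demo_dir/sample.ovpn" || echo "-> sample.ovpn still needs editing"
echo 'auth-nocache' >> "$demo_dir/sample.ovpn"
if check_ovpn "$demo_dir/sample.ovpn" && check_auth_file "$demo_dir/sample.ovpn"; then
    echo "-> sample.ovpn and its auth file pass every check"
fi
rm -r "$demo_dir"
```

Run it against your real file with `check_ovpn /etc/openvpn/<your>.ovpn && check_auth_file /etc/openvpn/<your>.ovpn` after sourcing the functions.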

Interface and Firewall Setup

Next, I took the instructions from the following site: https://github.com/jlund/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client

# a new OpenVPN instance:
uci set openvpn.provider=openvpn
uci set openvpn.provider.enabled='1'
uci set openvpn.provider.config='/etc/openvpn/ipvanish-US-Los-Angeles-lax-a01.ovpn'  # NOTE: use whatever your file is above.

# a new network interface for tun:
uci set network.providervpn=interface
uci set network.providervpn.proto='none'  # 'none': OpenVPN assigns the tunnel address itself, so no DHCP on this interface
uci set network.providervpn.ifname='tun0'

# a new firewall zone (for VPN):
uci add firewall zone
uci set firewall.@zone[-1].name='vpn'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='providervpn'

# enable forwarding from LAN to VPN:
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpn'

# Finally, you should commit UCI changes:
uci commit

Validation

You can now use the LuCI interface at Services → OpenVPN to start and stop the tunnel. NOTE: the GUI will list “incorrect” information for the instance, but that is fine, because the actual settings are all pulled in from the config file. You should see that the tunnel has started, with a reference number associated to it in brackets.

Validate that things are working by going to Status → System Log, where you should see a line saying: Initialization Sequence Completed

Finally, do a “what's my IP” check to validate that your external IP has, in fact, changed.

docs/guide-user/services/vpn/openvpn/client.txt · Last modified: 2018/05/18 02:50 by quarter