OpenVPN Client
Introduction
- This guide describes how to configure OpenWrt to run an OpenVPN client.
- You can use it to connect to your own OpenVPN server or a commercial OpenVPN provider.
- Follow OpenVPN Basic for server setup and OpenVPN Extra for additional tuning.
Goals
- Encrypt your internet connection:
  - Prevent data leaks and traffic spoofing on the path to the client-ISP.
  - Escape client-ISP content-filters and internet censorship.
- Access your VPN-server LAN-services remotely without port forwarding.
- Access region-restricted services and content using commercial VPN-providers.
Requirements
- OpenWrt 18.06.1
- OpenVPN 2.4.5
Instructions
1. Preparation
2. Network
Replace the client-ISP DNS-servers with public DNS-servers to prevent DNS leaks. Create a VPN-interface.
# Ignore the DNS-servers advertised by the ISP and use public ones instead
uci set network.wan.peerdns="0"
uci set network.wan.dns="8.8.8.8 8.8.4.4"
uci set network.wan6.peerdns="0"
uci set network.wan6.dns="2001:4860:4860::8888 2001:4860:4860::8844"
# Unmanaged interface bound to the tunnel device that OpenVPN creates
uci set network.vpnclient="interface"
uci set network.vpnclient.ifname="tun0"
uci set network.vpnclient.proto="none"
uci commit network
service network reload
3. Firewall
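To minimize firewall setup, treat the VPN-network as public and assign it to the WAN-zone.
# @zone[1] is the wan zone in the default firewall configuration;
# verify with: uci get firewall.@zone[1].name
uci add_list firewall.@zone[1].network="vpnclient"
uci commit firewall
service firewall restart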
4. VPN-Client
Save your client profile. Drop VPN-service privileges and ensure VPN-interface name matches network configuration. Install and configure OpenVPN client.
# Create the directory in case the openvpn package is not installed yet
mkdir -p /etc/openvpn
cat << "EOF" > /etc/openvpn/vpnclient.ovpn
COPY_PASTE_CLIENT_PROFILE_HERE
EOF
chmod 600 /etc/openvpn/vpnclient.ovpn
# Strip carriage returns, append the privilege drop, and replace any
# dev directive with the interface name from the network configuration
sed -i -e "
s/\r//g
\$a user nobody
\$a group nogroup
/^\s*dev/d
\$a dev $(uci get network.vpnclient.ifname)
" /etc/openvpn/vpnclient.ovpn
opkg update
opkg install openvpn-openssl
uci set openvpn.vpnclient="openvpn"
uci set openvpn.vpnclient.enabled="1"
uci set openvpn.vpnclient.config="/etc/openvpn/vpnclient.ovpn"
uci commit openvpn
service openvpn restart vpnclient
If using a commercial VPN-provider, set up credentials for username/password authentication and enforce gateway redirect.
cat << "EOF" > /etc/openvpn/vpnclient.auth
YOUR_VPN_USERNAME
YOUR_VPN_PASSWORD
EOF
chmod 600 /etc/openvpn/vpnclient.auth
# Point the profile at the credentials file and route all traffic via the VPN
sed -i -e "
/^\s*auth-user-pass/d
\$a auth-user-pass /etc/openvpn/vpnclient.auth
/^\s*redirect-gateway/d
\$a redirect-gateway def1 ipv6
" /etc/openvpn/vpnclient.ovpn
service openvpn restart vpnclient
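A check to run after the edits in step 4, as an added example that is not part of the original guide: it confirms that the profile carries the privilege drop, a single dev directive matching the network configuration, no leftover carriage returns, and private file modes on the profile and credentials file. The function name check_profile and the sample profile are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the guide): audit the profile written in step 4.
# check_profile PROFILE IFNAME prints one line per finding and returns the
# number of findings (0 = profile matches what the steps above set up).
check_profile() {
    profile="$1"; ifname="$2"; findings=0
    fail() { echo "FAIL: $1"; findings=$((findings + 1)); }
    # True when the file grants no permission bits to group or other.
    private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

    [ -r "$profile" ] || { echo "FAIL: cannot read $profile"; return 1; }
    private "$profile" || fail "$profile is accessible to group/other"
    # The sed script strips carriage returns; none should be left.
    if grep -q "$(printf '\r')" "$profile"; then fail "CR line endings remain"; fi
    # Privilege drop appended by the sed script.
    grep -Eq '^[[:space:]]*user[[:space:]]+nobody[[:space:]]*$' "$profile" ||
        fail "missing 'user nobody'"
    grep -Eq '^[[:space:]]*group[[:space:]]+nogroup[[:space:]]*$' "$profile" ||
        fail "missing 'group nogroup'"
    # Exactly one dev directive, equal to the interface assigned to the zone.
    devs=$(awk '$1 == "dev" { print $2 }' "$profile")
    [ "$devs" = "$ifname" ] || fail "dev is '$devs', expected '$ifname'"
    # A credentials file, when referenced, must exist and be private.
    auth=$(awk '$1 == "auth-user-pass" && NF > 1 { print $2 }' "$profile")
    if [ -n "$auth" ]; then
        if [ ! -f "$auth" ]; then fail "credentials file $auth not found"
        elif ! private "$auth"; then fail "$auth is accessible to group/other"
        fi
    fi
    return "$findings"
}

# Constructed sample: a provider-style profile before the step-4 edits
# (CRLF line endings, generic dev name, no privilege drop, mode 644).
demo=$(mktemp -d)
printf 'client\r\ndev tun\r\nremote vpn.example.net 1194\r\n' > "$demo/raw.ovpn"
chmod 644 "$demo/raw.ovpn"
check_profile "$demo/raw.ovpn" tun0 || echo "$? finding(s)"
rm -rf "$demo"
```

On the router, call it as `check_profile /etc/openvpn/vpnclient.ovpn "$(uci get network.vpnclient.ifname)"`.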