Using AirVPN with OpenWRT
 
This guide is for users who want to set up an OpenWRT (Chaos Calmer) router and have it already up and running without modification.
This guide will work with a router that has more than one network interface and at least 8 MB flash (because of the dependencies).
Please backup your router first!!!
 
1. Set up the WAN interface as a DHCP client; that way you can use your router with most ISP boxes.
 
2. Set up a wireless network with the name and password of your choice, and a DHCP server. (Please note that you should use WPA2-PSK.)
 
3. Connect to your new wireless network.
 
4. Unbridge the LAN interface(s). Go to "Physical Settings" of the LAN interface(s) and uncheck "creates a bridge over specified interface(s)". Check the interface button of your new wireless network.
 
5. Connect to your router via SSH.
 
6. Install dependencies for the openvpn setup. First update the packages, then install openvpn and nano.
opkg update
opkg install openvpn-openssl
opkg install nano
 
7. Backup the openvpn files
mv /etc/config/openvpn /etc/config/openvpn_old
 
8. Create a new interface called airvpn
cat >> /etc/config/network << EOF
config interface 'airvpn'
    option proto 'none'
    option ifname 'tun0'
EOF

 
9. Use the "Config Generator" of Airvpn to create the openvpn files. Please select the "Advanced Mode" and check "Separate keys/certs from .ovpn file" and
"Resolved hosts in .ovpn file". Save the files on your machine.
 
10. On the router move into the openvpn folder
cd /etc/openvpn
 
11. Use nano to create all the required files on your router.
Copy and paste the following files "AirVPN_**************.ovpn, ta.key, ca.crt, user.crt, user.key".
Rename the "AirVPN_**************.ovpn" into airvpn.conf for usability.
nano airvpn.conf
nano ta.key
nano ca.crt
nano user.crt
nano user.key
 
The airvpn.conf should look like this:
client
dev tun
proto udp
remote xxx.XXX.xxx.XXX XXX
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
route-delay 5
verb 3
ca ca.crt
cert user.crt
key user.key
tls-auth ta.key 1
 
12. Create a firewall zone for the vpn.
cat >> /etc/config/firewall << EOF
config zone
    option name 'air_firewall'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'airvpn'
 
config forwarding                               
        option dest 'air_firewall'                    
        option src 'lan' 
EOF
 
13. Reboot router
 
14. Test openvpn configuration
openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.conf
At the end it should show "Initialization Sequence Completed"
Stop openvpn with "Ctrl-C".
 
15. Use the Airvpn DNS (here Port 443 - Protocol UDP) and reboot. Please change if you use different port (https://airvpn.org/specs/)
uci add_list dhcp.lan.dhcp_option="6,10.4.0.1"
uci commit dhcp
reboot

 

16. Secure against IP Leak, backup old firewall and create new firewall rules

mv /etc/config/firewall /etc/config/firewall.backup

 

cat >> /etc/config/firewall << EOF
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option network 'wan'
option input 'ACCEPT'

config zone
option name 'airvpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'airvpn'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

config forwarding
option dest 'airvpn'
option src 'lan'
EOF
 
TEST WITH ipleak.net...

It worked that way with my router; I would be happy if someone else could verify my setup.

 

 

Share this post


Link to post
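
Added example, not part of the original post: step 16 prevents leaks by giving the lan zone a forwarding to the airvpn zone only, and this POSIX sh check confirms that a firewall file still has that property. The function names, the sample file and its "leaky" variant are constructed for illustration; the zone names follow step 16.

```shell
#!/bin/sh
# Added example, not from the original post: audit a UCI firewall file for
# forwardings that let LAN traffic leave through any zone but the VPN zone.

# Print "src dest" for every 'config forwarding' section in file $1.
list_forwardings() {
    awk '
        function emit() { if (infwd) print src, dest; infwd = 0; src = dest = "-" }
        $1 == "config" { emit(); infwd = ($2 == "forwarding"); next }
        infwd && $1 == "option" {
            v = $3; gsub(/[^A-Za-z0-9_*-]/, "", v)   # drop the UCI quotes
            if ($2 == "src")  src  = v
            if ($2 == "dest") dest = v
        }
        END { emit() }
    ' "$1"
}

# Return 0 only if LAN forwards to the VPN zone ($2) and nowhere else.
audit_killswitch() {
    file=$1 vpn=${2:-airvpn} rc=0 seen_vpn=0
    while read -r src dest; do
        [ "$src" = "lan" ] || continue
        if [ "$dest" = "$vpn" ]; then seen_vpn=1
        else echo "LEAK PATH: forwarding lan -> $dest"; rc=1; fi
    done <<FWD
$(list_forwardings "$file")
FWD
    [ "$seen_vpn" -eq 1 ] || { echo "MISSING: forwarding lan -> $vpn"; rc=1; }
    return "$rc"
}

# Constructed sample: the step 16 forwarding, plus a leftover lan -> wan
# forwarding when $2 is "leaky" (hypothetical misconfiguration).
write_sample() {
    cat > "$1" <<'EOF'
config forwarding
    option dest 'airvpn'
    option src 'lan'
EOF
    if [ "${2:-}" = "leaky" ]; then
        printf "\nconfig forwarding\n\toption src 'lan'\n\toption dest 'wan'\n" >> "$1"
    fi
}

tmp=$(mktemp); write_sample "$tmp" leaky
audit_killswitch "$tmp" airvpn || echo "this config would route LAN outside the tunnel"
rm -f "$tmp"
```

On the router, call `audit_killswitch /etc/config/firewall airvpn` after step 16 and again after any later firewall change.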

Thanks urbanconcrete,

 

Your Setup instructions are working fine.

 

Unfortunately my router hardware is too undersized for a good overall bandwidth performance.

 

It would be awesome if instructions for making airvpn only available for a guest wlan could be added.

 

 

Best,

ionik

 

Share this post


Link to post

Thanks a lot for this! This really helped me!

 

Couldn't find any easy OpenVPN client instructions and this one is great and it's for AirVPN. Maybe the admins should link to this one in the How To's.

 

Although with my router with a clean OpenWRT CC 15.05 I had to skip the LAN unbridge in step 4. Otherwise I could not connect to my router in any way. Even when I still had the wifi checked. Tried 3 times, no luck. In the end all my traffic is still running over the VPN and ipleak shows no leaking.

 

Thanks again!

Share this post


Link to post

I had the problem described on this post. Could you tell me how did you recover the router after you couldn't reconnect?

Thanks

Thanks a lot for this! This really helped me!

 

Couldn't find any easy OpenVPN client instructions and this one is great and it's for AirVPN. Maybe the admins should link to this one in the How To's.

 

Although with my router with a clean OpenWRT CC 15.05 I had to skip the LAN unbridge in step 4. Otherwise I could not connect to my router in any way. Even when I still had the wifi checked. Tried 3 times, no luck. In the end all my traffic is still running over the VPN and ipleak shows no leaking.

 

Thanks again!

Share this post


Link to post

Hey there, great that I could help.

 

 

 

 

It would be awesome if instructions for making airvpn only available for a guest wlan could be added. Best, ioni 

 

I'm quite busy at the moment and bricked my device (not by using my guide...), so won't make the guest wlan setup soon.

Share this post


Link to post

No internet and router not accessible. Don't know what I did wrong. Is there another solution with AirVPN? Tried this several times but with the same results. Need to reset router to gain access. (TP-LINK wrt1043nd - v2 - OpenWRT).

Share this post


Link to post

I found the problem. In the AirVPN_Europe_UDP-443.ovpn I had to change the line explicit-exit-notify 5 to # explicit-exit-notify 5 (disable). Working like a charm. Thanks ! 

Share this post


Link to post

Hi, I get this error after testing the vpn connection with "openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.conf":

 

Mon Aug 29 11:26:50 2016 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 31 2016
Mon Aug 29 11:26:50 2016 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Mon Aug 29 11:26:50 2016 WARNING: file 'user.key' is group or others accessible
Mon Aug 29 11:26:50 2016 Cannot load CA certificate file ca.crt (no entries were read) (OpenSSL)
Mon Aug 29 11:26:50 2016 Exiting due to fatal error
root@OpenWrt:/etc/openvpn#

Share this post


Link to post

 

Mon Aug 29 11:26:50 2016 Cannot load CA certificate file ca.crt (no entries were read) (OpenSSL)

 

Hello,

 

try to specify the full path to ca.crt in airvpn.conf file.

 

Kind regards

Share this post


Link to post

Mon Aug 29 17:31:23 2016 RESOLVE: Cannot resolve host address: nl.vpn.airdns.org: Name or service not known

 

Your router can't resolve that, the message is quite self-explanatory. Check DNS or use only IP addresses to make names resolution unnecessary when not in the VPN.

 

Kind regards

Share this post


Link to post

@Staff

 

Please remove my previous posts in this thread and just edit this post to:

 

If you get this error: "Cannot load CA certificate file ca.crt (no entries were read) (OpenSSL)"

 

 => Inserting a line break after -----BEGIN CERTIFICATE----- and before -----END CERTIFICATE-----.

 

If you get this error: RESOLVE: Cannot resolve host address: *.vpn.airdns.org: Name or service not known

 

 => ping *.vpn.airdns.org and replace the line

 

    remote *.vpn.airdns.org with

    remote <IP ADDRESS>

 

in file /etc/openvpn/airvpn.conf

Share this post


Link to post
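
Added example, not part of the thread: a POSIX sh check for the two file problems shown in the log above, armor lines glued to the certificate body (the "no entries were read" error) and a key file accessible to group or others. The function names are hypothetical and the sample certificate body is a constructed placeholder; the check covers file layout only, not certificate validity.

```shell
#!/bin/sh
# Added example, not from the thread: repair and check pasted PEM files.

# Write file $1 to stdout with every armor line on a line of its own.
pem_normalize() {
    awk '{
        gsub(/-----BEGIN [A-Za-z0-9 ]+-----/, "&\n")
        gsub(/-----END [A-Za-z0-9 ]+-----/, "\n&")
        print
    }' "$1" | awk 'NF'                      # drop blank lines left behind
}

# Return 0 if $1 holds at least one BEGIN/END pair, each alone on its line.
pem_check() {
    awk '
        /^-----BEGIN [A-Za-z0-9 ]+-----[ \t\r]*$/ { if (inblk) bad = 1; inblk = 1; n++; next }
        /^-----END [A-Za-z0-9 ]+-----[ \t\r]*$/   { if (!inblk) bad = 1; inblk = 0; next }
        /-----(BEGIN|END) /                       { bad = 1 }   # armor glued to other text
        END { exit (bad || inblk || n == 0) }
    ' "$1"
}

# Return 0 if group and others have no access to key file $1.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample: a ca.crt pasted so the armor is glued to the body
# (the base64 text is a placeholder, not a real certificate).
demo=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----QUJDREVGR0hJSktM' \
              'TU5PUFFSU1RVVldY-----END CERTIFICATE-----' > "$demo"
pem_check "$demo" || {
    pem_normalize "$demo" > "$demo.fixed"
    pem_check "$demo.fixed" && echo "armor lines repaired"
}
key_is_private "$demo" || chmod 600 "$demo"   # same fix applies to user.key
rm -f "$demo" "$demo.fixed"
```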

Hi, this guide also works great with OpenWRT 18.06.2.  Can anyone help me?  I would like to exclude some devices from tun0 (airvpn) to make them communicate directly with the wan interface?  How can I do?

Share this post


Link to post
