urbanconcrete 14 Posted ...

Using AirVPN with OpenWRT

This guide is for users who want to set up an OpenWRT (Chaos Calmer) router and have it already up and running without modification. This guide will work with a router that has more than one network interface and at least 8 MB flash (because of the dependencies). Please back up your router first!!!

1. Set up the wan interface as a dhcp client, that way you can use your router at most of the isp boxes.

2. Set up a wireless network with the name and password of your choice, and a dhcp server. (Please note that you should use WPA2-PSK.)

3. Connect to your new wireless network.

4. Unbridge the LAN interface(s). Go to "Physical Settings" of the LAN interface(s) and uncheck the "creates a bridge over specified interface(s)". Check the interface button of your new wireless network.

5. Connect to your router via SSH.

6. Install dependencies for the openvpn setup. First update the packages, then install openvpn and nano.

```
opkg update
opkg install openvpn-openssl
opkg install nano
```

7. Back up the openvpn files.

```
mv /etc/config/openvpn /etc/config/openvpn_old
```

8. Create a new interface called airvpn.

```
cat >> /etc/config/network << EOF
config interface 'airvpn'
    option proto 'none'
    option ifname 'tun0'
EOF
```

9. Use the "Config Generator" of AirVPN to create the openvpn files. Please select the "Advanced Mode" and check "Separate keys/certs from .ovpn file" and "Resolved hosts in .ovpn file". Save the files on your machine.

10. On the router move into the openvpn folder.

```
cd /etc/openvpn
```

11. Use nano to create all the required files on your router. Copy and paste the following files: "AirVPN_**************.ovpn, ta.key, ca.crt, user.crt, user.key". Rename the "AirVPN_**************.ovpn" into airvpn.conf for usability.

```
nano airvpn.conf
nano ta.key
nano ca.crt
nano user.crt
nano user.key
```

The airvpn.conf should look like this:

```
client
dev tun
proto udp
remote xxx.XXX.xxx.XXX XXX
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
route-delay 5
verb 3
ca ca.crt
cert user.crt
key user.key
tls-auth ta.key 1
```

12. Create a firewall zone for the vpn.

```
cat >> /etc/config/firewall << EOF
config zone
    option name 'air_firewall'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'airvpn'

config forwarding
    option dest 'air_firewall'
    option src 'lan'
EOF
```

13. Reboot router.

14. Test openvpn configuration.

```
openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.conf
```

At the end it should show "Initialization Sequence Completed". Stop openvpn with "Ctrl-C".

15. Use the AirVPN DNS (here Port 443 - Protocol UDP) and reboot. Please change if you use a different port (https://airvpn.org/specs/).

```
uci add_list dhcp.lan.dhcp_option="6,10.4.0.1"
uci commit dhcp
reboot
```

16. Secure against IP leak: back up the old firewall and create new firewall rules.

```
mv /etc/config/firewall /etc/config/firewall.backup
cat >> /etc/config/firewall << EOF
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'wan'
    option output 'ACCEPT'
    option forward 'REJECT'
    option network 'wan'
    option input 'ACCEPT'

config zone
    option name 'airvpn'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'airvpn'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config forwarding
    option dest 'airvpn'
    option src 'lan'
EOF
```

TEST WITH ipleak.net...

It worked that way with my router, I would be happy if someone else could verify my setup.
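A check for the leak protection that step 16 relies on, as an added example that is not part of the original post: the only forwarding out of 'lan' should go to 'airvpn', so nothing is forwarded to 'wan' when the tunnel is down. The function name audit_firewall and the sample file are constructed for illustration; the check also flags the 'wan' zone's input 'ACCEPT', which leaves the router's own services reachable from whatever network the WAN port is plugged into.

```shell
#!/bin/sh
# Added example (not from the thread): audit a UCI firewall file for paths
# that bypass the VPN zone. Zone names default to the guide's step 16 names.
# usage: audit_firewall FILE [LAN_ZONE] [VPN_ZONE]; returns 1 on LEAK/FAIL
audit_firewall() {
    awk -v lan="${2:-lan}" -v vpn="${3:-airvpn}" -v q="'" '
    function val(s) { gsub("[\"" q "]", "", s); return s }   # strip quotes
    function check_section() {
        if (sec == "defaults" && o["forward"] == "ACCEPT") {
            print "LEAK: default forward policy is ACCEPT"; bad++
        }
        if (sec == "forwarding" && o["src"] == lan) {
            if (o["dest"] == vpn) tunnel = 1
            else { print "LEAK: forwarding " lan " -> " o["dest"]; bad++ }
        }
        if (sec == "zone" && o["name"] != lan && o["name"] != vpn && o["input"] == "ACCEPT")
            print "WARN: zone " o["name"] " has input ACCEPT (router services exposed there)"
        split("", o)                       # portable way to empty the array
    }
    $1 == "config" { check_section(); sec = $2; next }
    $1 == "option" { o[$2] = val($3) }
    END {
        check_section()
        if (!tunnel) { print "FAIL: no forwarding " lan " -> " vpn; bad++ }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: the guide's zones plus a leftover stock lan -> wan forwarding.
sample=$(mktemp)
cat > "$sample" << 'EOF'
config defaults
    option forward 'REJECT'
config zone
    option name 'wan'
    option input 'ACCEPT'
config forwarding
    option src 'lan'
    option dest 'airvpn'
config forwarding
    option src 'lan'
    option dest 'wan'
EOF
audit_firewall "$sample" || echo "firewall needs attention"
rm -f "$sample"
```

On the router itself, run it as audit_firewall /etc/config/firewall after step 16 and before the ipleak.net test.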
ionik 0 Posted ... Thanks urbanconcrete, Your Setup instructions are working fine. Unfortunately my router hardware is too undersized for a good overall bandwidth performance. It would be awesome if instructions for making airvpn only available for a guest wlan could be added. Best, ionik
redindian 0 Posted ... Thanks a lot for this! This really helped me! Couldn't find any easy OpenVPN client instructions and this one is great and it's for AirVPN. Maybe the admins should link to this one in the How To's. Although with my router with a clean OpenWRT CC 15.05 I had to skip the LAN unbridge in step 4. Otherwise I could not connect to my router in any way. Even when I still had the wifi checked. Tried 3 times, no luck. In the end all my traffic is still running over the VPN and ipleak shows no leaking. Thanks again!
john222 0 Posted ...
I had the problem described on this post. Could you tell me how you recovered the router after you couldn't reconnect? Thanks

> Thanks a lot for this! This really helped me! Couldn't find any easy OpenVPN client instructions and this one is great and it's for AirVPN. Maybe the admins should link to this one in the How To's. Although with my router with a clean OpenWRT CC 15.05 I had to skip the LAN unbridge in step 4. Otherwise I could not connect to my router in any way. Even when I still had the wifi checked. Tried 3 times, no luck. In the end all my traffic is still running over the VPN and ipleak shows no leaking. Thanks again!
urbanconcrete 14 Posted ...
Hey there, great that I could help.

> It would be awesome if instructions for making airvpn only available for a guest wlan could be added. Best, ioni

I'm quite busy at the moment and bricked my device (not by using my guide...), so won't make the guest wlan setup soon.
johndoe_01 3 Posted ... No internet and router not accessible. Don't know what I did wrong. Is there another solution with AirVPN? Tried this several times but with the same results. Need to reset router to gain access. (TP-LINK wrt1043nd - v2 - OpenWRT).
johndoe_01 3 Posted ... I found the problem. In the AirVPN_Europe_UDP-443.ovpn I had to change the line explicit-exit-notify 5 to # explicit-exit-notify 5 (disable). Working like a charm. Thanks !
b3wii 1 Posted ...
Hi, I get this error after testing vpn connection with "openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.conf":

```
Mon Aug 29 11:26:50 2016 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 31 2016
Mon Aug 29 11:26:50 2016 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Mon Aug 29 11:26:50 2016 WARNING: file 'user.key' is group or others accessible
Mon Aug 29 11:26:50 2016 Cannot load CA certificate file ca.crt (no entries were read) (OpenSSL)
Mon Aug 29 11:26:50 2016 Exiting due to fatal error
root@OpenWrt:/etc/openvpn#
```
Staff 9973 Posted ...
> Mon Aug 29 11:26:50 2016 Cannot load CA certificate file ca.crt (no entries were read) (OpenSSL)

Hello, try to specify the full path to ca.crt in airvpn.conf file. Kind regards
Staff 9973 Posted ...
> Mon Aug 29 17:31:23 2016 RESOLVE: Cannot resolve host address: nl.vpn.airdns.org: Name or service not known

Your router can't resolve that, the message is quite self-explanatory. Check DNS or use only IP addresses to make names resolution unnecessary when not in the VPN. Kind regards
b3wii 1 Posted ...
@Staff Please remove my previous posts in this thread and just edit this post to:

If you get this error: "Cannot load CA certificate file ca.crt (no entries were read) (OpenSSL)"
=> Insert a line break after -----BEGIN CERTIFICATE----- and before -----END CERTIFICATE-----.

If you get this error: "RESOLVE: Cannot resolve host address: *.vpn.airdns.org: Name or service not known"
=> ping *.vpn.airdns.org and replace the line remote *.vpn.airdns.org with remote <IP ADDRESS> in file /etc/openvpn/airvpn.conf
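The two problems from b3wii's log and fix above (a ca.crt whose BEGIN/END markers are not on their own lines, and the "'user.key' is group or others accessible" warning), checked in one pass before starting OpenVPN. This is an added example, not part of the thread: the function names pem_ok, private_ok and check_creds are hypothetical, and the file names are the ones from step 11 of the guide.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check credential files that were
# pasted into /etc/openvpn with an editor.

# pem_ok FILE: succeeds when every BEGIN/END marker is alone on its line and
# the markers are balanced. A marker joined to the base64 body is what makes
# OpenSSL report "no entries were read".
pem_ok() {
    awk '
    /-----(BEGIN|END) [A-Za-z0-9 ]+-----/ {
        if ($0 !~ /^-----(BEGIN|END) [A-Za-z0-9 ]+-----[ \t\r]*$/) joined = 1
        else if ($0 ~ /^-----BEGIN/) b++
        else e++
    }
    END { exit !(b > 0 && b == e && !joined) }' "$1"
}

# private_ok FILE: succeeds when group and others have no permission bits set.
private_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_creds DIR: prints one line per problem, returns 1 if any was found.
check_creds() {
    rc=0
    for f in ca.crt user.crt user.key ta.key; do
        [ -f "$1/$f" ] || { echo "$f: missing"; rc=1; continue; }
        pem_ok "$1/$f" || { echo "$f: BEGIN/END marker not on its own line"; rc=1; }
    done
    for f in user.key ta.key; do
        if [ -f "$1/$f" ] && ! private_ok "$1/$f"; then
            echo "$f: readable by group or others (chmod 600 fixes it)"; rc=1
        fi
    done
    return $rc
}

# Constructed demo: a certificate pasted with the BEGIN marker joined to the body.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----QUJD' '-----END CERTIFICATE-----' > "$demo/ca.crt"
check_creds "$demo" || echo "fix the files above before running openvpn"
rm -rf "$demo"
```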
ulmwind 6 Posted ... You can see my manual https://airvpn.org/topic/20303-airvpn-configuration-on-openwrt-preventing-traffic-leakage-outside-tunnel/
Minder666 0 Posted ... urbanconcrete you're a life saver.... There is no way I could've set up openwrt on my linksys router without your tutorial. Thanks a million.
Moat 11 Posted ... Does anyone care to create a guide configuring airvpn on openwrt LUCI? I'm totally lost with seemingly too few options in the simple and way too many options in the advanced gui. Thanks!
_____________________________________
A moat does not protect against pigeons!
lucenera 0 Posted ... Hi, this guide also works great with OpenWRT 18.06.2. Can anyone help me? I would like to exclude some devices from tun0 (airvpn) to make them communicate directly with the wan interface. How can I do this?
x119 0 Posted ... thank you, best guide ever, worked on openwrt-19.07 with usb tethering
jimbobub 0 Posted ... I'm trying to set up airvpn to work on an openwrt 19.07.7 router. In openvpn instances I cannot get airvpn started. I'm a newbie. The firewall settings are confusing. I'm using luci. CLI is beyond me right now unless it's simple such as copy and paste. I generated the configuration files and uploaded them, it seems to have gone fine. I have a wireless network that I want to use on airvpn. The lan goes to the wan and that is working as I am here lol, fingers crossed. Any help would be appreciated.
moejoe 1 Posted ...
Hello @Helgurt
Here is another guide for setting up openvpn on openwrt from the wiki, maybe this helps: https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci
and another one from mullvad: https://mullvad.net/de/help/openwrt-routers-and-mullvad-vpn/
Best regards