Jump to content
Not connected, Your IP: 3.139.98.10
ulmwind

AirVPN configuration on XRMWRT (Padavan), preventing traffic leakage outside tunnel.

Recommended Posts

Initially you should have router with Padavan's firmware with OpenVPN client enabled. The main page of the firmware is https://bitbucket.org/padavan/rt-n56u There is also script Prometheus, which was developed to simplify compilation process and to expand the list of supported devices http://prometheus.freize.net

Login to your router via web-interface. By default it has LAN-address 192.168.1.1 Go to VPN Client item of main menu with corresponding link http://192.168.1.1/vpncli.asp#cfg (http://my.router/vpncli.asp#cfg). Toggle the switch "Enable VPN Client", after that fill forms as shown on Scr1.png You can use servers, specified in OpenVPN configuration files with extension "ovpn". Download configuration files needed for OpenVPN connection via tool on the link https://airvpn.com/generator Choose "Linux", and further options. Notice, that there is amount of different options like country, protocol, and port number. In the result you get one or more OpenVPN configuration files with extension "ovpn", possibly in archive. File name in the archive defines country or region, number, protocol and port. For example, consider the file "AirVPN_America_UDP-443.ovpn" "America" means America, "UDP" means UDP protocol, and "443" means port number. We will use this file for example, other files are treated similarly. The string, containing server address, begins with the word "remote". In the example it is "remote america.vpn.airdns.org 443". The last numerical value is port number. On the screen the example of UDP-protocol is shown. To use TCP-protocol change fields "Port" to corresponding value of port number and "Transport" to TCP. Protocol is also specified in the string beginning from "proto".

 

You can leave OpenVPN Extended Configuration, you can also comment the line "ns-cert-type server" with leading "#".

Go down and fill forms as shown on Scr2.png, and press "Apply" button. In the example there is option not to obtain DNS from VPN-server. It is assumed, that WAN of router was configured to use OpenDNS (208.67.222.222, 208.67.220.220) or GoogleDNS (8.8.8.8, 8.8.4.4). Also there is option to specify DNS for LAN clients (Advanced Settings -> LAN -> tab DHCP server, http://192.168.232.1/Advanced_DHCP_Content.asp, http://my.router/Advanced_DHCP_Content.asp). However you can set this option to obtain DNS from VPN-server ("Add to existing list" or "Replace all existing"). Pay special attention to the item Restrict Access from VPN Server Site. The item controls access to router from Internet via tunnel. The safest option as shown on Scr2.png is Yes, block all connections (site is foreign). If you choose No (Site-to-Site), using NAT translation, TOTAL ACCESS TO ROUTER INCLUDING MANAGEMENT - HTTP, HTTPS, AND SSH WILL BE GRANTED FROM INTERNET VIA TUNNEL.

 

Go to the tab "OpenVPN Certificates & Keys" with corresponding link http://192.168.1.1/vpncli.asp#ssl (http://my.router/vpncli.asp#ssl), and copy content between tags "<ca>" and "</ca>" to the field "ca.crt", content between tags "<cert>" and "</cert>" to the field "client.crt", content between tags "<key>" and "</key>" to the field "client.key", content between tags "<tls-auth>" and "</tls-auth>" to the field "ta.key", and press "Apply" button, as shown on Scr3.png Tags are always excluded from contents. Now your router should successfully connect to VPN-server. You can check it by the white word "Connected" in the green rectange to the right of VPN-server address on VPN Client item of main menu with corresponding link http://192.168.1.1/vpncli.asp#cfg (http://my.router/vpncli.asp#cfg), as shown on Scr1.png You can also visit site, displaying your IP-address, e.g. https://ipleak.net

 

After positive result you should make your changes permanent. You can do it by three ways: run in console command "mtd_storage.sh save"; on the page Advanced Settings -> Administration -> Settings with corresponding link http://192.168.1.1/Advanced_SettingBackup_Content.asp (http://my.router/Advanced_SettingBackup_Content.asp) press button "Commit" to the right of item "Commit Internal Storage to Flash Memory Now"; reboot router by pressing Reboot button to the right of "Logout" button.

To sum up, files, corresponding to filled fields, are stored in the directory /etc/storage/openvpn/client, resulting OpenVPN configuration file is stored in the directory /etc/openvpn/client.

To prevent traffic leakage in case VPN-tunnel drops you should edit the contents of item "Run the Script After Connected/Disconnected to VPN Server" on VPN Client item of main menu with corresponding link http://192.168.1.1/vpncli.asp#cfg (http://my.router/vpncli.asp#cfg), which is shown on Scr2.png, to add lines to functions func_ipup and func_ipdown, the result content should be as in the file /etc/storage/vpnc_server_script.sh By the word, it is the same file where form content is saved. Also you should block traffic until tunnel is up. To do it edit the form "Run After Firewall Rules Restarted" on the page Advanced Settings -> Customization -> Scripts with corresponding link http://192.168.1.1/Advanced_Scripts_Content.asp (http://my.router/Advanced_Scripts_Content.asp), the result content should be as in the file /etc/storage/post_iptables_script.sh Addional lines serve to remove SNAT target. Finally you should make your changes permanent by the same way, as was discussed before.

 

vpnc_server_script.sh:

 

#!/bin/sh

### Custom user script
### Called after internal VPN client connected/disconnected to remote VPN server
### $1        - action (up/down)
### $IFNAME   - tunnel interface name (e.g. ppp5 or tun0)
### $IPLOCAL  - tunnel local IP address
### $IPREMOTE - tunnel remote IP address
### $DNS1     - peer DNS1
### $DNS2     - peer DNS2

# private LAN subnet behind a remote server (example)
peer_lan="192.168.9.0"
peer_msk="255.255.255.0"

### example: add static route to private LAN subnet behind a remote server

func_ipup()
{
#  route add -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME
# unblock traffic if blocking rule exists
   if iptables -C FORWARD -j REJECT; then
    iptables -D FORWARD -j REJECT
   fi
   return 0
}

func_ipdown()
{
#  route del -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME
# block traffic leakage in case of tunnel drops
   if (! iptables -C FORWARD -j REJECT); then
    iptables -I FORWARD -j REJECT
   fi
   return 0
}

logger -t vpnc-script "$IFNAME $1"

case "$1" in
up)
  func_ipup
  ;;
down)
  func_ipdown
  ;;
esac

 

post_iptables_script.sh:

 

#!/bin/sh

### Custom user script
### Called after internal iptables reconfig (firewall update)

# prevent traffic leakage while tunnel is not up
if [ -z "$(ip a s tun0 | grep 'state UP')" ] && (! iptables -C FORWARD -j REJECT); then
  iptables -I FORWARD -j REJECT
fi
ipch=$(iptables -t nat -S | grep SNAT | grep -v br0)
if [ ! -z "$ipch" ]; then
  eval 'iptables -t nat -D'${ipch:2}
fi
 

Share this post


Link to post

Hello!

 

Nice stuff .

 

I think it could be formatted a little better, for more clarity and the title changed to "How To" or "Guide", to make it clear what it is.

But good effort!


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Share this post


Link to post

Can't get it work. I have connection to vpn server but no access to the internet. Here is my logs:

 

May 26 16:52:02 MI-MINI: starting OpenVPN client...
May 26 16:52:02 openvpn-cli[4274]: OpenVPN 2.3.12 mipsel-unknown-linux-gnu [sSL (OpenSSL)] [LZO] [EPOLL] [MH] [iPv6] built on May 26 2017
May 26 16:52:02 openvpn-cli[4274]: library versions: OpenSSL 1.0.1u  22 Sep 2016, LZO 2.09
May 26 16:52:02 openvpn-cli[4275]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 26 16:52:02 openvpn-cli[4275]: Control Channel Authentication: using '/etc/storage/openvpn/client/ta.key' as a OpenVPN static key file
May 26 16:52:02 openvpn-cli[4275]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
May 26 16:52:02 openvpn-cli[4275]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
May 26 16:52:02 openvpn-cli[4275]: Socket Buffers: R=[155648->155648] S=[155648->155648]
May 26 16:52:02 openvpn-cli[4275]: UDPv4 link local: [undef]
May 26 16:52:02 openvpn-cli[4275]: UDPv4 link remote: [AF_INET]62.102.148.147:443
May 26 16:52:04 openvpn-cli[4275]: TLS: Initial packet from [AF_INET]62.102.148.147:443, sid=544570f2 ef98e295
May 26 16:52:05 openvpn-cli[4275]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
May 26 16:52:05 openvpn-cli[4275]: Validating certificate key usage
May 26 16:52:05 openvpn-cli[4275]: ++ Certificate has key usage  00a0, expects 00a0
May 26 16:52:05 openvpn-cli[4275]: VERIFY KU OK
May 26 16:52:05 openvpn-cli[4275]: Validating certificate extended key usage
May 26 16:52:05 openvpn-cli[4275]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
May 26 16:52:05 openvpn-cli[4275]: VERIFY EKU OK
May 26 16:52:05 openvpn-cli[4275]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
May 26 16:52:13 openvpn-cli[4275]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
May 26 16:52:13 openvpn-cli[4275]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 26 16:52:13 openvpn-cli[4275]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
May 26 16:52:13 openvpn-cli[4275]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 26 16:52:13 openvpn-cli[4275]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
May 26 16:52:13 openvpn-cli[4275]: [server] Peer Connection Initiated with [AF_INET]62.102.148.147:443
May 26 16:52:16 openvpn-cli[4275]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
May 26 16:52:16 openvpn-cli[4275]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.9.56 255.255.0.0'
May 26 16:52:16 openvpn-cli[4275]: OPTIONS IMPORT: timers and/or timeouts modified
May 26 16:52:16 openvpn-cli[4275]: OPTIONS IMPORT: --ifconfig/up options modified
May 26 16:52:16 openvpn-cli[4275]: OPTIONS IMPORT: route options modified
May 26 16:52:16 openvpn-cli[4275]: OPTIONS IMPORT: route-related options modified
May 26 16:52:16 openvpn-cli[4275]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
May 26 16:52:16 openvpn-cli[4275]: TUN/TAP device tun0 opened
May 26 16:52:16 openvpn-cli[4275]: TUN/TAP TX queue length set to 100
May 26 16:52:16 openvpn-cli[4275]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
May 26 16:52:16 openvpn-cli[4275]: /sbin/ifconfig tun0 10.4.9.56 netmask 255.255.0.0 mtu 1500 broadcast 10.4.255.255
May 26 16:52:16 openvpn-cli[4275]: ovpnc.script tun0 1500 1557 10.4.9.56 255.255.0.0 init
May 26 16:52:16 dnsmasq[379]: read /etc/hosts - 3 addresses
May 26 16:52:16 dnsmasq[379]: read /etc/storage/dnsmasq/hosts - 0 addresses
May 26 16:52:16 dnsmasq-dhcp[379]: read /etc/dnsmasq/dhcp/dhcp-hosts.rc
May 26 16:52:16 dnsmasq[379]: using nameserver 195.66.65.12#53 for domain example.org
May 26 16:52:16 dnsmasq[379]: using nameserver 10.4.0.1#53
May 26 16:52:16 vpnc-script: tun0 up
May 26 16:52:21 openvpn-cli[4275]: /sbin/route add -net 62.102.148.147 netmask 255.255.255.255 gw 192.162.116.1
May 26 16:52:21 openvpn-cli[4275]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.4.0.1
May 26 16:52:21 openvpn-cli[4275]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.4.0.1
May 26 16:52:21 openvpn-cli[4275]: Initialization Sequence Completed


Share this post


Link to post

Azgort2, it is interesting. Please, check following:

  1. ping 8.8.8.8 from your computer, connected to router;
  2. ping 8.8.8.8 from ssh-command line of router.

Share this post


Link to post

 

Azgort2, it is interesting. Please, check following:

  1. ping 8.8.8.8 from your computer, connected to router;
  2. ping 8.8.8.8 from ssh-command line of router.

I have already figured out what was the problem. LZO compression needs to be enabled in order to get AirVPN work on my router.

Share this post


Link to post

Azgort2, would you be so kind as to generate config files according my manual above, and check, whether string

 

comp-lzo
 

 

exists.

Share this post


Link to post

Azgort2, would you be so kind as to generate config files according my manual above, and check, whether string

 

comp-lzo
 

 

exists.

There is string "comp-lzo no".

Share this post


Link to post

Nice article.

 

Is the port forwaring works well? What settings do you use?

Yes, it works. I don't use them, what is your question?

 

Thanks for the guide! I've been thinking lately about using VPN on my Netgear router but honestly been lazy and also, lack of knowledge. This is great, I'll try it out.

 

-Invictus-

I don't know about Netgear router (http://prometheus.freize.net/), I think, you should use my OpenWRT Guide.

Share this post


Link to post

My transmission client in the OMV still shown the port is closed.(OMV is a linux based NAS)

I tried a lot settings, and of course , I opened a port in the airVPN surface.

Share this post


Link to post

My transmission client in the OMV still shown the port is closed.(OMV is a linux based NAS)

I tried a lot settings, and of course , I opened a port in the airVPN surface.

Try to change option on Scr2.png from "Yes, block all connections (site is foregn)" to "No (Site-to-Site), using NAT translation", see effect. DO NOT LEAVE LAST OPTION!

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...