Moat 11 Posted ...

It's been complained about in the forum that the instructions on setting up a DD-WRT router with AirVPN, located at https://airvpn.org/ddwrt/?hl=ddwrt, are out of date. For the DD-WRT release I use, the guide is indeed a little outdated, but comprehensible. Still, without warranty and strictly on your own responsibility, you could try my guide below. I am unable to provide any support, but this guide hopefully can help someone.

For this guide I presume you know what a kill switch is, you know how to set up all other parts of your DD-WRT router (such as setting up DHCP, for example), and you know how to log into your DD-WRT web interface.

In the client area of the AirVPN web site, create config files, here. Select any server location and port; it doesn't need to be the one you will use, you only need the certificates & keys. Make sure to tick "Advanced Mode" and tick "Separate certs/keys from .ovpn file", then generate and download the configuration files.

Log into your DD-WRT router and ...

Step 1. Navigate to the "Services" tab, then select the "VPN" tab.

Step 2. Select "Enable" under OpenVPN Client.

Step 3. Configure the first part of the screen as per the screenshot below, noting the comments below the screenshot.

In the "Server IP/Name" field, indicated by a red arrow, you can either:
- enter a specific server IP (how to find a specific server IP)
- substitute the "XX" with the ISO code of the country you wish to connect to (for example DE for Germany, NL for the Netherlands, BE for Belgium, etc.)
- substitute the "XX" with the continent name (america, asia, earth, europe respectively)
- leave the field completely empty IF you wish to use random servers from a selection you specify. In this case, make sure to follow step 5.

In the "IP Address" field, indicated by a green arrow, you should put the default IP of your router ("gateway"). How to find your router address is beyond this tutorial.

Step 4. To configure the second part of the screen we'll need to copy-paste from the config files you generated earlier. As per the screenshot below, noting the comments below the screenshot.

Using your favorite text editor:
- Open up "ta.key" and copy all of the contents into the "TLS Auth Key" field. (green arrow)
- Open up the file "ca.crt" and copy all of the contents into the "CA Cert" field. (blue arrow)
- Open up the file "user.crt" and copy only, and including, "-----BEGIN CERTIFICATE-----" to the end of "-----END CERTIFICATE-----" into the "Public Client Cert" field. (brown arrow)
- Open up "user.key" and copy all of the contents into the "Private Client Key" field. (red arrow)

Step 5. And the yellow arrow "Additional Config" field? If in Step 3 you left the "Server IP/Name" field empty because you would like to connect to AirVPN servers in a relatively random fashion based on a select preset of countries and/or continents and/or specific servers, this step 5 is for you. Copy-paste and amend:

    remote-random
    remote XX.vpn.airdns.org 443     (substitute XX with country or continent as explained earlier)
    remote XX.vpn.airdns.org 443     (substitute XX with country or continent as explained earlier)
    remote XX.vpn.airdns.org 443     (substitute XX with country or continent as explained earlier)
    ...
    remote XXX.XXX.XXX.XXX 443       (substitute with specific server IP)
    remote XXX.XXX.XXX.XXX 443       (substitute with specific server IP)
    remote XXX.XXX.XXX.XXX 443       (substitute with specific server IP)
    ...
    resolv-retry infinite

As an example, it should look something like:

    remote-random
    remote AT.vpn.airdns.org 443
    remote BE.vpn.airdns.org 443
    remote BG.vpn.airdns.org 443
    remote CA.vpn.airdns.org 443
    remote asia.vpn.airdns.org 443
    remote 185.156.174.114 443
    remote 185.189.112.10 443
    remote 91.214.169.68 443
    resolv-retry infinite

Step 6. Click "Save" at the bottom of the page, then "Apply Settings". It should work, but a reboot never hurts.

NOTE ON KILL SWITCH

The kill switch in the original instructions may work for you. They did not work for me regardless of correct TUN. I used the below kill switch, which I found to be working for me, so I share it here.

Go to the "Administration" tab, then select the "Commands" tab. Copy the following firewall rules into the command window:

    # interface that currently carries the default route (the WAN side)
    WAN_IF="$(ip route | awk '/^default/{print $NF}')"
    # refuse any NEW LAN->WAN forward that is not going through the tunnel
    iptables -I FORWARD -i br0 -o "$WAN_IF" -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
    iptables -I FORWARD -i br0 -p tcp -o "$WAN_IF" -m state --state NEW -j REJECT --reject-with tcp-reset

Click on "Save Firewall".

NOTE ON DNS

It's been said in the forums (not finding reference to link, search refuses "DNS") that it is better to use the AirVPN server IP as DNS server. On a DD-WRT router, this is hard to achieve if you do not connect to a specific pre-defined server (most users). 10.4.0.1, one of AirVPN's DNS servers, is the next best IP to use as DNS server. However ... I found through trial and error - so this is only my pitiful experience - that if you do not put 10.4.0.1 as primary DNS, DD-WRT will keep using your primary DNS regardless of whether connected to AirVPN or not. 10.4.0.1 is not accessible outside the VPN, so you need a secondary DNS from another provider, such as OpenNIC; find them here. You will find this leads to occasional DNS fallback (leaks, if you will) to the secondary/other DNS when 10.4.0.1 is slow or dysfunctional. But such a DNS leak is still through the AirVPN server IP, so your location should still be hidden. So I would recommend, in the DD-WRT control panel section "Setup" - "Basic Setup" - "Network Address Server Settings (DHCP)", to set the primary DNS as 10.4.0.1 and the secondary and further DNS as other free DNS servers, such as those from OpenNIC.
anixs 0 Posted ...

Thanks for this guide! As a DD-WRT user, I found it especially useful. Especially the "kill switch" firewall rules you provided. Maybe one thing to mention: checking 'nsCertType verification' only gives an error in the connection log. Would it be better to put 'remote-cert-tls server' under Additional Config?
win8 7 Posted ...

Re: kill switch on DD-WRT router. Neither one of those two firewall rules** added work for me 100% --- there will be an IP leak when the router is in between start and fully loaded and simultaneously Windows 10 is waiting for connect*. I don't think that happens with Eddie's firewall lock; just why can't I set up the same on my router?

* for a full protocol I would have Wireshark record it, of course
** the original and yours

PS: Thank you very much for your effort.
htpc 9 Posted ...

Thank you for this guide. What would be the steps necessary to use the new IPv4 + IPv6 features with tls-crypt with DD-WRT? Is it even possible at the moment?
kiltedscotsman 0 Posted ...

Hi there,

"Clientlog:
20190610 09:40:55 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20190610 09:40:55 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
20190610 09:40:55 I OpenVPN 2.4.3 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Sep 11 2017
20190610 09:40:55 I library versions: OpenSSL 1.1.0f 25 May 2017 LZO 2.09
20190610 09:40:55 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20190610 09:40:55 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20190610 09:40:55 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190610 09:40:55 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
20190610 09:40:55 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
20190610 09:40:55 I TCP/UDP: Preserving recently used remote address: [AF_INET]213.152.162.106:2018
20190610 09:40:55 Socket Buffers: R=[87380->87380] S=[16384->16384]
20190610 09:40:55 I Attempting to establish TCP connection with [AF_INET]213.152.162.106:2018 [nonblock]
20190610 09:40:57 I TCP connection established with [AF_INET]213.152.162.106:2018
20190610 09:40:57 I TCPv4_CLIENT link local: (not bound)
20190610 09:40:57 I TCPv4_CLIENT link remote: [AF_INET]213.152.162.106:2018
20190610 09:40:57 N Connection reset restarting [0]
20190610 09:40:57 I SIGUSR1[soft connection-reset] received process restarting
20190610 09:40:57 Restart pause 5 second(s)
20190610 09:41:02 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20190610 09:41:02 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190610 09:41:02 I TCP/UDP: Preserving recently used remote address: [AF_INET]213.152.162.106:2018
20190610 09:41:02 Socket Buffers: R=[87380->87380] S=[16384->16384]
20190610 09:41:02 I Attempting to establish TCP connection with [AF_INET]213.152.162.106:2018 [nonblock]
20190610 09:41:03 I TCP connection established with [AF_INET]213.152.162.106:2018
20190610 09:41:03 I TCPv4_CLIENT link local: (not bound)
20190610 09:41:03 I TCPv4_CLIENT link remote: [AF_INET]213.152.162.106:2018
20190610 09:41:03 N Connection reset restarting [0]
20190610 09:41:03 I SIGUSR1[soft connection-reset] received process restarting
20190610 09:41:03 Restart pause 5 second(s)
20190610 09:41:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190610 09:41:05 D MANAGEMENT: CMD 'state'
20190610 09:41:05 MANAGEMENT: Client disconnected
20190610 09:41:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190610 09:41:05 D MANAGEMENT: CMD 'state'
20190610 09:41:05 MANAGEMENT: Client disconnected
20190610 09:41:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190610 09:41:05 D MANAGEMENT: CMD 'state'
20190610 09:41:05 MANAGEMENT: Client disconnected
20190610 09:41:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190610 09:41:05 D MANAGEMENT: CMD 'status 2'
20190610 09:41:05 MANAGEMENT: Client disconnected
20190610 09:41:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190610 09:41:05 D MANAGEMENT: CMD 'log 500'
19691231 19:00:00 "

Who can help?? Thanks in advance.
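As an added example (editor's code, not from kiltedscotsman or anyone else in this thread), a small Python triage of the log format above: it pulls out the two security-relevant warnings, notes that the control channel is running HMAC-only (tls-auth), and counts how often the server resets the TCP connection before any TLS record is seen. The sample lines are a constructed excerpt of the log quoted above, and the advice strings are the editor's reading, tied to points raised in the thread (remote-cert-tls server, tls-auth versus tls-crypt).

```python
import re
from collections import Counter

# Constructed excerpt of the DD-WRT OpenVPN client log quoted above
# (same line format; only the lines this triage looks at are kept).
SAMPLE_LOG = """\
20190610 09:40:55 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20190610 09:40:55 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
20190610 09:40:55 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20190610 09:40:55 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
20190610 09:40:55 I Attempting to establish TCP connection with [AF_INET]213.152.162.106:2018 [nonblock]
20190610 09:40:57 I TCP connection established with [AF_INET]213.152.162.106:2018
20190610 09:40:57 N Connection reset restarting [0]
20190610 09:41:02 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20190610 09:41:03 I TCP connection established with [AF_INET]213.152.162.106:2018
20190610 09:41:03 N Connection reset restarting [0]
"""

# DD-WRT prefixes each OpenVPN message with date, time and an optional one-letter level.
LINE_RE = re.compile(r"^(?P<date>\d{8}) (?P<time>\d{2}:\d{2}:\d{2}) (?:(?P<level>[A-Z]) )?(?P<msg>.*)$")

# Editor's reading of each finding; not text from the thread.
ADVICE = {
    "no_server_cert_verification": "client does not check the server certificate's usage; "
                                   "add 'remote-cert-tls server' to Additional Config",
    "world_readable_key_file": "OpenVPN warns the key file is readable by group/others",
    "tls_auth_hmac_in_use": "control channel is HMAC-only (tls-auth); an entry IP that expects "
                            "tls-crypt needs the key in the TLS Crypt / static key field instead",
    "reset_before_tls_handshake": "server closed the TCP connection before any TLS record was "
                                  "accepted; a control-channel key/mode mismatch is one cause",
}

def parse(log_text):
    """Yield (level, message) pairs; level is None when the line carries none."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("level"), m.group("msg")

def triage(log_text):
    """Count security-relevant events in a client log. Returns a Counter."""
    findings = Counter()
    tcp_up = False  # TCP connected but no TLS message seen yet
    for _level, msg in parse(log_text):
        if "No server certificate verification method" in msg:
            findings["no_server_cert_verification"] += 1
        elif "is group or others accessible" in msg:
            findings["world_readable_key_file"] += 1
        elif "Control Channel Authentication" in msg and "HMAC" in msg:
            findings["tls_auth_hmac_in_use"] += 1
        elif msg.startswith("TCP connection established"):
            tcp_up = True
        elif msg.startswith(("TLS:", "VERIFY ", "Control Channel: TLS")):
            tcp_up = False  # handshake progressed past the raw socket
        elif "Connection reset" in msg:
            findings["reset_before_tls_handshake" if tcp_up else "reset_after_tls_started"] += 1
            tcp_up = False
    return findings

def report(log_text):
    """Human-readable lines, one per distinct finding, for the router's CLI."""
    return [f"{name} x{n}: {ADVICE.get(name, '')}" for name, n in sorted(triage(log_text).items())]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```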
go558a83nk 364 Posted ...

Try moving your static key into the static key section, not the tls-auth section, especially since you're not using tls-auth but tls-crypt.
kiltedscotsman 0 Posted ...

3 hours ago, go558a83nk said:
> Try moving your static key into the static key section, not the tls-auth section, especially since you're not using tls-auth but tls-crypt.
badasss 0 Posted ... (edited)

Thanks for the detailed guide. Now I am gonna enjoy setting up AirVPN along with the article on SoundCloud. Thanks for this information.
MPson 0 Posted ...

On 6/11/2019 at 7:18 AM, kiltedscotsman said:

Well, I've tried everything and cannot get AirVPN to work under DD-WRT ... and get the same results as KScotsman ... I changed from Tomato today to DD-WRT as AirVPN stopped working on Tomato too, odd. Anyone have any ideas??
go558a83nk 364 Posted ...

I have an idea. It's your network. AirVPN didn't just stop working. Nothing's changed with AirVPN.
MPson 0 Posted ...

14 hours ago, go558a83nk said:
> I have an idea. It's your network. AirVPN didn't just stop working. Nothing's changed with AirVPN.

Brilliant!! Thanks for that!! You were no help at all...
SurprisedItWorks 49 Posted ...

I found Moat's original post at the top here very helpful. It was the key to me getting started on setting up Air in DD-WRT. In the end though, I decided to write my own update to it with the goal of being far more thorough and detailed. For what it's worth then:

This is a HOW-TO: configure the OpenVPN client for AirVPN
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321856
RAA1811 0 Posted ...

On 10/31/2019 at 3:56 PM, SurprisedItWorks said:
> I found Moat's original post at the top here very helpful. It was the key to me getting started on setting up Air in DD-WRT. In the end though, I decided to write my own update to it with the goal of being far more thorough and detailed. For what it's worth then:
> This is a HOW-TO: configure the OpenVPN client for AirVPN
> https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321856

I followed your detailed guide line to line and got stuck on the TLS Auth Key part. It just won't connect at all and kept me waiting. Finally I ditched the new "TLS Auth Key" and used your version of <tls-crypt> .... </tls-crypt> instead, and it worked like a charm! Thank you for an amazing guide, and you are a genius! I have bookmarked your guide for the future.
SurprisedItWorks 49 Posted ...

On 11/26/2019 at 11:17 AM, RAA1811 said:
> I followed your detailed guide line to line and got stuck on the TLS Auth Key part. It just won't connect at all and kept me waiting. Finally I ditched the new "TLS Auth Key" and used your version of <tls-crypt> .... </tls-crypt> instead, and it worked like a charm! Thank you for an amazing guide, and you are a genius! I have bookmarked your guide for the future.

Glad you got there! I just configured my fourth DD-WRT router for Air this morning myself. My memory is so bad that I had to follow my own guide. (Now you see why I had to write it.)

Just to clarify for people, tls-auth is the OLD way, and tls-crypt is the NEW, improved way. Apparently tls-crypt is better at preventing some particular type of hypothetical attack that would overload something in the authentication system with lots of bogus traffic. In any case, use tls-crypt if your OpenVPN system supports it. Also, you are choosing which one to use when you run Air's configurator. As I understand it (or don't, as the case may be), if the line you check in the big protocol table mentions tls-crypt in the rightmost column, you are committing to going with tls-crypt. If that column is blank, it's tls-auth for you.
Staff 10014 Posted ...

@SurprisedItWorks

tls-crypt will encrypt the whole OpenVPN Control Channel since the very beginning; tls-auth will not. tls-crypt and tls-auth are mutually exclusive. tls-auth is offered on VPN servers' entry-IP addresses 1 and 2, tls-crypt on VPN servers' entry-IP addresses 3 and 4.

tls-crypt is particularly good at bypassing different block types against OpenVPN. If combined with TCP and port 443, it is quite effective against most blocking techniques targeting OpenVPN and/or UDP.

Kind regards
Background 0 Posted ...

Would it be better to put 'remote-cert-tls server' under Additional Config?
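Added example (editor's code, not AirVPN's, DD-WRT's or any poster's): a lint pass over the directives that end up in Additional Config, checking the three points this thread keeps returning to: a missing 'remote-cert-tls server' (anixs's and Background's question, and the "No server certificate verification method" warning in the log above), tls-auth and tls-crypt being present together (Staff's note that they are mutually exclusive), and the XX / XXX.XXX.XXX.XXX placeholders from Moat's step 5 template left unsubstituted. The sample config is constructed for this example and its key body is a labelled placeholder.

```python
import re

# Constructed sample assembled from the Additional Config advice in this thread
# (Moat's step 5 remote list, tls-crypt per Staff). Not produced by AirVPN's
# config generator; the key body is a placeholder, not real key material.
SAMPLE_CONFIG = """\
client
proto tcp
remote-random
remote AT.vpn.airdns.org 443
remote BE.vpn.airdns.org 443
remote 185.156.174.114 443
resolv-retry infinite
remote-cert-tls server
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00 (placeholder key material, constructed)
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

def parse_ovpn(text):
    """Return (directive token lists, set of inline <tag> block names such as tls-crypt)."""
    directives, blocks, current = [], set(), None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if m:                      # enter or leave an inline <tag>...</tag> block
            current = None if m.group(1) else m.group(2)
            if current:
                blocks.add(current)
            continue
        if current is None:        # key bodies inside a block are not directives
            directives.append(line.split())
    return directives, blocks

def lint(text):
    """Return a list of problems; an empty list means the checks passed."""
    directives, blocks = parse_ovpn(text)
    names = {d[0] for d in directives}
    problems = []
    has_auth = "tls-auth" in names or "tls-auth" in blocks
    has_crypt = "tls-crypt" in names or "tls-crypt" in blocks
    if has_auth and has_crypt:
        problems.append("tls-auth and tls-crypt both present; they are mutually exclusive, "
                        "use the one matching the chosen entry IP")
    elif not (has_auth or has_crypt):
        problems.append("no control-channel key: neither tls-auth nor tls-crypt")
    if "remote-cert-tls" not in names:
        problems.append("missing 'remote-cert-tls server': the client will not check that "
                        "the peer certificate is a server certificate")
    remotes = [d for d in directives if d[0] == "remote"]
    if not remotes:
        problems.append("no remote line")
    if "remote-random" in names and len(remotes) < 2:
        problems.append("remote-random with fewer than two remote lines")
    for d in remotes:
        host = d[1] if len(d) > 1 else ""
        if host.startswith("XX.") or host == "XXX.XXX.XXX.XXX":
            problems.append(f"template placeholder left in 'remote {host}'")
    return problems

if __name__ == "__main__":
    for p in lint(SAMPLE_CONFIG) or ["no problems found"]:
        print(p)
```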
Donned 0 Posted ...

On 10/31/2019 at 8:56 PM, SurprisedItWorks said:
> I found Moat's original post at the top here very helpful. It was the key to me getting started on setting up Air in DD-WRT. In the end though, I decided to write my own update to it with the goal of being far more thorough and detailed. For what it's worth then:
> This is a HOW-TO: configure the OpenVPN client for AirVPN
> https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321856

This guide was excellent! Thanks so much for your efforts! Cheers
SurprisedItWorks 49 Posted ...

Many thanks. Of note though is that I have not updated it for OpenVPN 2.5, which is in the latest DD-WRT builds. It's still aimed at 2.4.7 to 2.4.9. If "openvpn --version" in the DD-WRT CLI is telling you that you are on 2.5, have a look at this re possible tweaks you may need: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326913
pseudotimestretch 2 Posted ...

The screenshots are not working anymore. Would anyone be kind enough to guide me to another tutorial?
Uberhare 0 Posted ...

Can anyone update this guide? I have been unable to get DD-WRT working since the upgrade from 2.4 to 2.5.
khalfdan 1 Posted ...

Yes, PLEASE, I am suffering similarly. Had a working VPN setup on FreshTomato but opted to switch to DD-WRT for stronger PBR options. However, now I am totally unable to get the VPN client to work. Any pointers most appreciated, especially concerning whether to allow password auth, whether to select a hashing algorithm, and whether to use the TLS or static key fields for the static key.
SurprisedItWorks 49 Posted ... (edited)

I've had Air/OpenVPN up on five DD-WRT routers for several years, currently on build 49081, which uses OpenVPN version 2.5.6. Below is what I see when I walk through the DD-WRT GUI page (Services > VPN) for the OpenVPN client on one of those routers, a Linksys WRT1900ACSv2. Not saying these are the only settings choices, but it does seem to work. (Note MTU and mssfix numbers are specific to WAN MTU 1500 and using the CHACHA20-POLY1305 cipher, so the default MTU of 1400 and omitting mssfix altogether may be a safer choice in general.) The official DD-WRT guide on OpenVPN is at https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398, authored by DD-WRT's OpenVPN maintainer egc.

- Start OpenVPN Client, CVE-2019-14899 Mitigation: both enabled.
- Server IP/Name: us3.vpn.airdns.org. Port: 443.
- Set Multiple Servers: disabled
- Tunnel Device: TUN
- Tunnel Protocol: udp4
- Encryption Cipher (matches 3rd data cipher below): AES-256-CBC
- Hash Algorithm: SHA512
- First Data Cipher: CHACHA20-POLY1305
- Second Data Cipher: AES-256-GCM
- Third Data Cipher: AES-256-CBC
- User Pass Authentication: disabled.
- Advanced Options: enabled.
- TLS Cipher: None (a good one will be negotiated)
- Compression: No
- NAT: enabled.
- Inbound Firewall on TUN: checked.
- Killswitch: enabled.
- Watchdog: disabled.
- Source routing (PBR): Route selected sources via VPN
- Split DNS: unchecked
- Policy based Routing: 192.168.1.128/26 (to match DHCP range starting 192.168.1.128 with 64 addresses max)
- IP Address and Subnet Mask: both blank.
- Tunnel MTU setting: 1434
- Tunnel UDP Fragment: blank.
- Tunnel UDP MSS Fix: disabled
- Verify Server Certificate: checked
- TLS Key Choice: TLS Crypt
- Air config info goes in TLS Key, CA Certificate, Public Client Certificate, and Private Client Key. (I hope it's obvious which item goes where, as I'd have to be less lazy and dig for that!)

Additional Config (note maintainer egc consistently advises to start with this window empty, as defaults are pretty good these days):

    #comment out if you ever change to TCP
    mssfix 1406
    explicit-exit-notify 5
    #suppress warning (not really necessary)
    auth-nocache
    route-delay 5
    #more detail in log, with easier CLI access
    verb 4
    log-append /tmp/vpn.log

Update 18 December 2024: The above still works as of DD-WRT build 58753 on a Dynalink DL-WRX36 and build 57200 on the Linksys WRT1900ACSv2 and Netgear XR500. (That Linksys does NOT play nice with Air in 58753.) The changes I've made from the above, none essential, are setting Encryption Cipher to "Not Set" (as this setting is being deprecated in OpenVPN), Compression to "Disabled" (though "No" works also), and in Additional Config adding disable-dco (relevant currently on only one particular Air server) and removing "route-delay 5" (as Air's config generator no longer uses it). I also include "rcvbuf 524288" and "sndbuf 524288" in Additional Config in hopes of speed gains, noting that the OpenVPN log shows that for some routers the numbers are hard limited to lower values internally.