Jump to content
Not connected, Your IP: 3.145.63.148
Moat

Howto: Setup airvpn on DD-WRT, refreshed guide.

Recommended Posts

It's been complained about in the forum the instructions on setting up a DD-WRT router with airvpn located at https://airvpn.org/ddwrt/?hl=ddwrt is out of date. For the DD-WRT release I use, the guide is indeed a little outdated, but comprehensible.

 

Still, without warranty and strictly on your own responsibility you could try my guide below. I am unable to provide any support, but this guide hopefully can help someone.

 

For this guide I presume you know what a kill switch is, you know how to set up all other parts of your DD-WRT router such as setting up DHCP for example, and you know how to log into your dd-wrt web interface.

 

In the client area of the airvpn web site, create config files, here. Select any server location and port, it doesn't need to be the one you will use, you only need the certificates & keys. Make sure to tick "Advanced Mode", and tick "Separate certs/keys from .ovpn file", then generate and download the configuration files.

 

Log into your DD-WRT router and ...

 

Step 1. Navigate to the "Services" tab then select the "VPN" tab.

 

Step 2. Select "Enable" under OpenVPN Client.

 

Step 3. Configure the first part of the screen as per screenshot below, noting comments below the screenshot.

 

 

In the "Server IP/Name" field, indicated by a red arrow, you can either

  • enter a specific server IP ( how to find a specific server IP )
  • substitute the "XX" with the ISO code of the country you wish to connect to (for example DE for Germany, NL for the Netherlands, BE for Belgium, etc.)
  • substitute the "XX" with the continent name (america, asia, earth, europe respectively)
  • leave the field completely empty IF you wish to use random servers from a selection you specify. In this case, make sure to follow step 5.

In the "IP Address" field, indicated by a green arrow, you should put the default IP of your router ("gateway"). How to find your router address is beyond this tutorial.

 

Step 4. To configure the second part of the screen we'll need copy-paste from the config files you generated earlier. As per screenshot below, noting comments below the screenshot.

 

 

Using your favorite text editor

  • Open up "ta.key" and copy all of the contents into the "TLS Auth Key" field. (green arrow)
  • Open up the file "ca.crt" and copy all of the contents into the "CA Cert" field. (blue arrow)
  • Open up the file "user.crt" and copy only and including "----- BEGIN CERTIFICATE----- to the end of ----- END CERTIFICATE----- " into the "Public Client Cert" field. (brown arrow)
  • Open up "user.key" and copy all of the contents into the "Private Client Key" field. (red arrow)

Step 5. And the yellow arrow "Additional Config" field ? If in Step 3 you left the "Server IP/Name" field empty because you would like to connect to airvpn servers in a relatively random fashion based on a select preset of countries and/or continents and/or specific servers, this step 5 is for you. Copy-paste and amend:

 

 


remote-random
remote XX.vpn.airdns.org 443 (substitute XX with country or continent as explained earlier)
remote XX.vpn.airdns.org 443 (substitute XX with country or continent as explained earlier)
remote XX.vpn.airdns.org 443 (substitute XX with country or continent as explained earlier)

...

remote XXX.XXX.XXX.XXX 443 (substitute with specific server IP)

remote XXX.XXX.XXX.XXX 443 (substitute with specific server IP)

remote XXX.XXX.XXX.XXX 443 (substitute with specific server IP)

...
resolv-retry infinite

As an example, it should look something like:

 

 


remote-random
remote AT.vpn.airdns.org 443
remote BE.vpn.airdns.org 443
remote BG.vpn.airdns.org 443

remote CA.vpn.airdns.org 443

remote asia.vpn.airdns.org 443

remote 185.156.174.114 443

remote 185.189.112.10 443

remote 91.214.169.68 443
resolv-retry infinite

Step 6. Click "Save" at the bottom of the page then "Apply Settings". It should work, but a reboot never hurts.

 

NOTE ON KILL SWITCH

 

The Kill Switch in the original instructions may work for you. They did not work for me regardless of correct TUN. I used the below kill switch which I found to be working for me, so I share it here.

 

  • Go to the "Administration" tab then select the "Commands" tab.
  • Copy the following firewall rules into the command window

WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o $WAN_IF -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -m state --state NEW -j REJECT --reject-with tcp-reset

  • Click on "Save Firewall"

 

NOTE ON DNS

 

It's been said in the forums (not finding reference to link, search refuses "DNS") it is better to use the airvpn server IP as DNS server. On a DD-WRT router, this is hard to achieve if you do not connect to a specific pre-defined server (most users). 10.4.0.1, one of airvpn DNS, is the next best IP to use as DNS server. However ...

 

I found through trial and error - so this is only my pitiful experience - that if you do not put 10.4.0.1 as primary DNS, DD-WRT will keep using your primary DNS regardless whether connected to airvpn or not. 10.4.0.1 is not accessible outside the VPN, so you need a secondary VPN from another provider, such as opennic, find them here .

 

You will find this leads to occasional DNS fallback, leaks if you will, to the secondary/other DNS when 10.4.0.1 is slow or disfunctional. But, such a DNS leak is still through the airvpn server IP, your location should still be hidden.

 

So I would recommend in the DD-WRT control panel section "Setup" - "Basic Setup" - "Network Address Server Settings (DHCP)" to set the primary DNS as 10.4.0.1 and the secondary and further DNS as other free DNS servers, such as those from OpenNIC.


_____________________________________

A moat does not protect against pigeons!

Share this post


Link to post

Thanks for this guide!  As a DD-WRT user, I found it especially useful.  Especially the "kill switch" firewall rules you provided.

 

Maybe one thing to mention.. checking 'nsCertType verification' only gives an error in the connection log.

 

Would it be better to put 'remote-cert-tls server' under Additional Config?

Share this post


Link to post

re: KillSwitch on ddwrt router.

 

Neither one of those 2 fw rules** added work for me 100% --- there will be an IP-Leak, when router is in-between start and fully loaded and simultaneously Windows10 is waiting for connect *  ... I dont think that happens with Eddies fw lock, just why cant i setup same on my router?

 

 

* for a full protocol i would have wireshark to record it ofc

** the original and yours

 

 

 

PS: Thank you very much for your effort

Share this post


Link to post

Thank you for this guide. 

 

What would be the steps necessary to use the new IPv4 + IPv6 features with tls-crypt with DD-WRT? Is it even possible at the moment?

Share this post


Link to post

Hi there , "Clientlog: 
20190610 09:40:55 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible 
20190610 09:40:55 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible 
20190610 09:40:55 I OpenVPN 2.4.3 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Sep 11 2017 
20190610 09:40:55 I library versions: OpenSSL 1.1.0f 25 May 2017 LZO 2.09 
20190610 09:40:55 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16 
20190610 09:40:55 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 
20190610 09:40:55 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
20190610 09:40:55 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication 
20190610 09:40:55 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication 
20190610 09:40:55 I TCP/UDP: Preserving recently used remote address: [AF_INET]213.152.162.106:2018 
20190610 09:40:55 Socket Buffers: R=[87380->87380] S=[16384->16384] 
20190610 09:40:55 I Attempting to establish TCP connection with [AF_INET]213.152.162.106:2018 [nonblock] 
20190610 09:40:57 I TCP connection established with [AF_INET]213.152.162.106:2018 
20190610 09:40:57 I TCPv4_CLIENT link local: (not bound) 
20190610 09:40:57 I TCPv4_CLIENT link remote: [AF_INET]213.152.162.106:2018 
20190610 09:40:57 N Connection reset restarting [0] 
20190610 09:40:57 I SIGUSR1[soft connection-reset] received process restarting 
20190610 09:40:57 Restart pause 5 second(s) 
20190610 09:41:02 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 
20190610 09:41:02 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
20190610 09:41:02 I TCP/UDP: Preserving recently used remote address: [AF_INET]213.152.162.106:2018 
20190610 09:41:02 Socket Buffers: R=[87380->87380] S=[16384->16384] 
20190610 09:41:02 I Attempting to establish TCP connection with [AF_INET]213.152.162.106:2018 [nonblock] 
20190610 09:41:03 I TCP connection established with [AF_INET]213.152.162.106:2018 
20190610 09:41:03 I TCPv4_CLIENT link local: (not bound) 
20190610 09:41:03 I TCPv4_CLIENT link remote: [AF_INET]213.152.162.106:2018 
20190610 09:41:03 N Connection reset restarting [0] 
20190610 09:41:03 I SIGUSR1[soft connection-reset] received process restarting 
20190610 09:41:03 Restart pause 5 second(s) 
20190610 09:41:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20190610 09:41:05 D MANAGEMENT: CMD 'state' 
20190610 09:41:05 MANAGEMENT: Client disconnected 
20190610 09:41:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20190610 09:41:05 D MANAGEMENT: CMD 'state' 
20190610 09:41:05 MANAGEMENT: Client disconnected 
20190610 09:41:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20190610 09:41:05 D MANAGEMENT: CMD 'state' 
20190610 09:41:05 MANAGEMENT: Client disconnected 
20190610 09:41:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20190610 09:41:05 D MANAGEMENT: CMD 'status 2' 
20190610 09:41:05 MANAGEMENT: Client disconnected 
20190610 09:41:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20190610 09:41:05 D MANAGEMENT: CMD 'log 500' 
19691231 19:00:00 "
who can help ?? thanks in advance

Share this post


Link to post
6 minutes ago, kiltedscotsman said:

Hi there , "Clientlog: 
20190610 09:40:55 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible 
20190610 09:40:55 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible 
20190610 09:40:55 I OpenVPN 2.4.3 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Sep 11 2017 
20190610 09:40:55 I library versions: OpenSSL 1.1.0f 25 May 2017 LZO 2.09 
20190610 09:40:55 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16 
20190610 09:40:55 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 
20190610 09:40:55 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
20190610 09:40:55 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication 
20190610 09:40:55 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication 
20190610 09:40:55 I TCP/UDP: Preserving recently used remote address: [AF_INET]213.152.162.106:2018 
20190610 09:40:55 Socket Buffers: R=[87380->87380] S=[16384->16384] 
20190610 09:40:55 I Attempting to establish TCP connection with [AF_INET]213.152.162.106:2018 [nonblock] 
20190610 09:40:57 I TCP connection established with [AF_INET]213.152.162.106:2018 
20190610 09:40:57 I TCPv4_CLIENT link local: (not bound) 
20190610 09:40:57 I TCPv4_CLIENT link remote: [AF_INET]213.152.162.106:2018 
20190610 09:40:57 N Connection reset restarting [0] 
20190610 09:40:57 I SIGUSR1[soft connection-reset] received process restarting 
20190610 09:40:57 Restart pause 5 second(s) 
20190610 09:41:02 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 
20190610 09:41:02 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
20190610 09:41:02 I TCP/UDP: Preserving recently used remote address: [AF_INET]213.152.162.106:2018 
20190610 09:41:02 Socket Buffers: R=[87380->87380] S=[16384->16384] 
20190610 09:41:02 I Attempting to establish TCP connection with [AF_INET]213.152.162.106:2018 [nonblock] 
20190610 09:41:03 I TCP connection established with [AF_INET]213.152.162.106:2018 
20190610 09:41:03 I TCPv4_CLIENT link local: (not bound) 
20190610 09:41:03 I TCPv4_CLIENT link remote: [AF_INET]213.152.162.106:2018 
20190610 09:41:03 N Connection reset restarting [0] 
20190610 09:41:03 I SIGUSR1[soft connection-reset] received process restarting 
20190610 09:41:03 Restart pause 5 second(s) 
20190610 09:41:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20190610 09:41:05 D MANAGEMENT: CMD 'state' 
20190610 09:41:05 MANAGEMENT: Client disconnected 
20190610 09:41:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20190610 09:41:05 D MANAGEMENT: CMD 'state' 
20190610 09:41:05 MANAGEMENT: Client disconnected 
20190610 09:41:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20190610 09:41:05 D MANAGEMENT: CMD 'state' 
20190610 09:41:05 MANAGEMENT: Client disconnected 
20190610 09:41:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20190610 09:41:05 D MANAGEMENT: CMD 'status 2' 
20190610 09:41:05 MANAGEMENT: Client disconnected 
20190610 09:41:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20190610 09:41:05 D MANAGEMENT: CMD 'log 500' 
19691231 19:00:00 "
who can help ?? thanks in advance

screenshot 2019-06-10 001.png

screenshot 2019-06-10 002.png

Share this post


Link to post
3 hours ago, go558a83nk said:

Try moving your static key into the static key section, not tls-auth section, especially since you're not using tls-auth but tls-crypt.

840769542_screenshot2019-06-11003.png.f0e701ed7e5044a555f1a9b001e87485.png

Share this post


Link to post
On 6/11/2019 at 7:18 AM, kiltedscotsman said:
840769542_screenshot2019-06-11003.png.f0e701ed7e5044a555f1a9b001e87485.png



Well I've tried everything and cannot get Airvpn to work under dd-wrt..... and get the same results asKScotsman....

I changed from Tomato today to dd-wrt as airvpn stopped working on tomato too, odd.

Anyone have any ideas??

 

Share this post


Link to post
14 hours ago, go558a83nk said:

I have an idea. It's your network.  AirVPN didn't just stop working.  Nothing's changed with AirVPN.



Brillant!! thanks for that!! you were no help at all...

Share this post


Link to post

I found Moat's original post at the top here very helpful.  It was the key to me getting started on setting up Air in dd-wrt.  In the end though, I decided to write my own update to it with the goal of being far more thorough and detailed.  For what it's worth then:

         
 
This is a HOW-TO: configure the OpenVPN client for AirVPN
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321856
 

Share this post


Link to post
On 10/31/2019 at 3:56 PM, SurprisedItWorks said:

I found Moat's original post at the top here very helpful.  It was the key to me getting started on setting up Air in dd-wrt.  In the end though, I decided to write my own update to it with the goal of being far more thorough and detailed.  For what it's worth then:

         
 
This is a HOW-TO: configure the OpenVPN client for AirVPN
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321856
 

I followed your detailed guide line to line and got stuck on the TLS Auth Key part. It just wont connect at all and kept me waiting. Finally I ditched the the new "TLS Auth Key" and used your version of <tls-crypt> .... </tls-crypt> instead and it worked like a charm! Thank you for an amazing guide and your are a genius! I have bookmarked your guide for future.

Share this post


Link to post
On 11/26/2019 at 11:17 AM, RAA1811 said:

I followed your detailed guide line to line and got stuck on the TLS Auth Key part. It just wont connect at all and kept me waiting. Finally I ditched the the new "TLS Auth Key" and used your version of <tls-crypt> .... </tls-crypt> instead and it worked like a charm! Thank you for an amazing guide and your are a genius! I have bookmarked your guide for future.
Glad you got there!  I just configured my fourth dd-wrt router for Air this morning myself.  My memory is so bad that I had to follow my own guide.  (Now you see why I had to write it.  :unsure: )

Just to clarify for people, tls-auth is the OLD way, and tls-crypt is the NEW, improved way.  Apparently tls-crypt is better at preventing some particular type of hypothetical attack that would overload something in the authentication system with lots of bogus traffic.  In any case, use tls-crypt if your OpenVPN system supports it.  Also, you are choosing which one to use when you run Air's configurator.  As I understand it (or don't, as the case may be), if the line you check in the big protocol table mentions tls-crypt in the rightmost column, you are committing to going with tls-crypt.  If that column is blank, it's tls-auth for you.

Share this post


Link to post
@SurprisedItWorks

tls-crypt will encrypt the whole OpenVPN Control Channel since the very beginning, tls-auth will not. tls-crypt and tls-auth are mutually exclusive. tls-auth is offere on VPN servers entry-IP addresses 1 and 2, tls-crypt on VPN servers entry-IP addresses 3 and 4. tls-crypt is particularly good at bypassing different block types agains OpenVPN. If combined with TCP and port 443, it is quite effective against most blocking techniques targeting OpenVPN and/or UDP.

Kind regards
 

Share this post


Link to post
On 10/31/2019 at 8:56 PM, SurprisedItWorks said:

I found Moat's original post at the top here very helpful.  It was the key to me getting started on setting up Air in dd-wrt.  In the end though, I decided to write my own update to it with the goal of being far more thorough and detailed.  For what it's worth then:

         
 
This is a HOW-TO: configure the OpenVPN client for AirVPN
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321856
 

This guide was excellent! Thanks so much for your efforts!
Cheers

Share this post


Link to post

Can anyone update this guide?  I have been unable to get DDWRT working since the upgrade from 2.4 to 2.5.
 

Share this post


Link to post

yes, PLEASE, I am suffering similarly. Had working VPN setup on FreshTomato but opted to switch to ddwrt for stronger PBR options. However, now I am totally unable to get the vpn client to work. Any pointers most appreciated, especially concerning whether to allow password auth, whether to select a hashing algorithm and whether to use TLS or static key fields for the static key.
 

Share this post


Link to post

I've had Air/OpenVPN up on five dd-wrt routers for several years, currently on build 49081, which uses OpenVPN version 2.5.6.  Below is what I see when I walk through the dd-wrt GUI page (Services>VPN) for the OpenVPN client on one of those routers, a Linksys WRT1900ACSv2.  Not saying these are the only settings choices, but it does seem to work.  (Note MTU and mssfix numbers are specific to WAN MTU 1500 and using the CHACHA20-POLY1305 cipher, so the default MTU of 1400 and omitting mssfix altogether may be a safer choice in general.)

The official dd-wrt guide on OpenVPN is at https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398, authored by dd-wrt's OpenVPN maintainer egc,

Start OpenVPN Client, CVE-2019-14899 Mitigation both enabled.
Server IP/Name: us3.vpn.airdns.org.  Port 443.
Set Multiple Servers disabled
Tunnel Device: TUN
Tunnel Protocol: udp4
Encryption Cipher (matches 3rd data cipher below): AES-256-CBC
Hash Algorithm:  SHA512
First Data Cipher: CHACHA20-POLY1305
Second Data Cipher: AES-256-GCM
Third Data Cipher: AES-256-CBC
User Pass Authentication disabled.
Advanced Options enabled.
TLS Cipher: None (a good one will be negotiated)
Compression: No
NAT enabled.
Inbound Firewall on TUN checked.
Killswitch enabled.
Watchdog disabled.
Source routing (PBR): Route selected sources via VPN
Split DNS unchecked
Policy based Routing: 192.168.1.128/26
 (to match DHCP range starting 192.168.1.128 with 64 addresses max)
IP Address and Subnet Mask both blank.
Tunnel MTU setting: 1434
Tunnel UDP Fragment blank.
Tunnel UDP MSS Fix disabled
Verify Server Certificate checked
TLS Key Choice: TLS Crypt

Air config info goes in TLS Key, CA Certificate, Public Client Certificate, and Private Client Key.  (I hope its obvious which item goes where, as I'd have to be less lazy and dig for that!)

Additional Config (note maintainer egc consistently advises to start with this window empty, as defaults are pretty good these days):

#comment out if you ever change to TCP
mssfix 1406
explicit-exit-notify 5

#suppress warning (not really necessary)
auth-nocache

route-delay 5

#more detail in log, with easier CLI access
verb 4
log-append /tmp/vpn.log
 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...