Moat

Howto: Setup airvpn on DD-WRT, refreshed guide.


It's been complained about in the forum that the instructions on setting up a DD-WRT router with airvpn located at https://airvpn.org/ddwrt/?hl=ddwrt are out of date. For the DD-WRT release I use, the guide is indeed a little outdated, but comprehensible.

 

Still, without warranty and strictly on your own responsibility you could try my guide below. I am unable to provide any support, but this guide hopefully can help someone.

 

For this guide I presume you know what a kill switch is, you know how to set up all other parts of your DD-WRT router such as setting up DHCP for example, and you know how to log into your dd-wrt web interface.

 

In the client area of the airvpn web site, create config files, here. Select any server location and port, it doesn't need to be the one you will use, you only need the certificates & keys. Make sure to tick "Advanced Mode", and tick "Separate certs/keys from .ovpn file", then generate and download the configuration files.

 

Log into your DD-WRT router and ...

 

Step 1. Navigate to the "Services" tab then select the "VPN" tab.

 

Step 2. Select "Enable" under OpenVPN Client.

 

Step 3. Configure the first part of the screen as per screenshot below, noting comments below the screenshot.

 

 

In the "Server IP/Name" field, indicated by a red arrow, you can either

  • enter a specific server IP (how to find a specific server IP)
  • substitute the "XX" with the ISO code of the country you wish to connect to (for example DE for Germany, NL for the Netherlands, BE for Belgium, etc.)
  • substitute the "XX" with the continent name (america, asia, earth, europe respectively)
  • leave the field completely empty IF you wish to use random servers from a selection you specify. In this case, make sure to follow step 5.

In the "IP Address" field, indicated by a green arrow, you should put the default IP of your router ("gateway"). How to find your router address is beyond this tutorial.

 

Step 4. To configure the second part of the screen we'll need to copy-paste from the config files you generated earlier, as per the screenshot below, noting the comments below the screenshot.

 

 

Using your favorite text editor

  • Open up "ta.key" and copy all of the contents into the "TLS Auth Key" field. (green arrow)
  • Open up the file "ca.crt" and copy all of the contents into the "CA Cert" field. (blue arrow)
  • Open up the file "user.crt" and copy only the part from "-----BEGIN CERTIFICATE-----" to the end of "-----END CERTIFICATE-----", inclusive, into the "Public Client Cert" field. (brown arrow)
  • Open up "user.key" and copy all of the contents into the "Private Client Key" field. (red arrow)

Step 5. And the yellow arrow "Additional Config" field? If in Step 3 you left the "Server IP/Name" field empty because you would like to connect to airvpn servers in a relatively random fashion based on a select preset of countries and/or continents and/or specific servers, this step 5 is for you. Copy-paste and amend:

 

 


remote-random
remote XX.vpn.airdns.org 443   # substitute XX with country or continent as explained earlier
remote XX.vpn.airdns.org 443   # substitute XX with country or continent as explained earlier
remote XX.vpn.airdns.org 443   # substitute XX with country or continent as explained earlier
...
remote XXX.XXX.XXX.XXX 443   # substitute with specific server IP
remote XXX.XXX.XXX.XXX 443   # substitute with specific server IP
remote XXX.XXX.XXX.XXX 443   # substitute with specific server IP
...
resolv-retry infinite

As an example, it should look something like:

 

 


remote-random
remote AT.vpn.airdns.org 443
remote BE.vpn.airdns.org 443
remote BG.vpn.airdns.org 443
remote CA.vpn.airdns.org 443
remote asia.vpn.airdns.org 443
remote 185.156.174.114 443
remote 185.189.112.10 443
remote 91.214.169.68 443
resolv-retry infinite

Step 6. Click "Save" at the bottom of the page then "Apply Settings". It should work, but a reboot never hurts.

 

NOTE ON KILL SWITCH

 

The Kill Switch in the original instructions may work for you. They did not work for me regardless of correct TUN. I used the below kill switch which I found to be working for me, so I share it here.

 

  • Go to the "Administration" tab then select the "Commands" tab.
  • Copy the following firewall rules into the command window

WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o $WAN_IF -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -m state --state NEW -j REJECT --reject-with tcp-reset

  • Click on "Save Firewall"

 

NOTE ON DNS

 

It's been said in the forums (not finding reference to link, search refuses "DNS") it is better to use the airvpn server IP as DNS server. On a DD-WRT router, this is hard to achieve if you do not connect to a specific pre-defined server (most users). 10.4.0.1, one of airvpn DNS, is the next best IP to use as DNS server. However ...

 

I found through trial and error - so this is only my pitiful experience - that if you do not put 10.4.0.1 as primary DNS, DD-WRT will keep using your primary DNS regardless of whether it is connected to airvpn or not. 10.4.0.1 is not accessible outside the VPN, so you need a secondary VPN from another provider, such as opennic, find them here.

 

You will find this leads to occasional DNS fallback, leaks if you will, to the secondary/other DNS when 10.4.0.1 is slow or dysfunctional. But, such a DNS leak is still through the airvpn server IP, your location should still be hidden.

 

So I would recommend in the DD-WRT control panel section "Setup" - "Basic Setup" - "Network Address Server Settings (DHCP)" to set the primary DNS as 10.4.0.1 and the secondary and further DNS as other free DNS servers, such as those from OpenNIC.


_____________________________________

A moat does not protect against pigeons!
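
Added example, not part of the original post or of DD-WRT: one way to confirm that the kill-switch rules from the note above actually landed ahead of any rule that would let new LAN-to-WAN connections through. It assumes the FORWARD chain is available in `iptables -S FORWARD` format on stdin (whether a given DD-WRT build's iptables supports `-S` is an assumption); `check_killswitch`, its verdict words and the `vlan2` WAN interface in the constructed sample are hypothetical.

```shell
#!/bin/sh
# Added example: audit FORWARD rules (stdin, `iptables -S FORWARD` format) for
# the guide's kill switch. $1 = LAN bridge (br0), $2 = WAN interface ($WAN_IF).
# Prints one verdict word; exit status is 0 only for "ok".
check_killswitch() {
    lan_if="$1"; wan_if="$2"
    # If no default route existed when the firewall script ran, WAN_IF is
    # empty and the guide's iptables commands fail, installing nothing.
    [ -n "$wan_if" ] || { echo "no-wan"; return 2; }
    awk -v lan="$lan_if" -v wan="$wan_if" '
        $1 == "-A" && $2 == "FORWARD" {
            in_if = ""; out_if = ""; proto = ""; states = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                else if ($i == "-o") out_if = $(i + 1)
                else if ($i == "-p") proto = $(i + 1)
                else if ($i == "--state" || $i == "--ctstate") states = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            # Skip rules that cannot match LAN -> WAN forwarding.
            if (in_if != "" && in_if != lan) next
            if (out_if != "" && out_if != wan) next
            # An earlier ACCEPT that admits NEW connections wins over the block.
            if (target == "ACCEPT" && (states == "" || states ~ /NEW/)) {
                verdict = "shadowed"; exit
            }
            # The kill switch: a protocol-agnostic block pinned to LAN -> WAN.
            if (target ~ /^(REJECT|DROP)$/ && proto == "" && in_if == lan && out_if == wan) {
                verdict = "ok"; exit
            }
        }
        END {
            if (verdict == "") verdict = "missing"
            print verdict
            exit (verdict == "ok" ? 0 : 1)
        }'
}

# Constructed sample: rule order after the guide's two `iptables -I` commands
# on a router whose WAN interface is assumed to be vlan2.
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -i br0 -o vlan2 -p tcp -m state --state NEW -j REJECT --reject-with tcp-reset
-A FORWARD -i br0 -o vlan2 -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | check_killswitch br0 vlan2
```

A verdict of "shadowed" means an ACCEPT rule for new connections sits above the REJECT rules, so the block never fires; "no-wan" means the interface lookup returned nothing.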


Thanks for this guide!  As a DD-WRT user, I found it especially useful.  Especially the "kill switch" firewall rules you provided.

 

Maybe one thing to mention.. checking 'nsCertType verification' only gives an error in the connection log.

 

Would it be better to put 'remote-cert-tls server' under Additional Config?


re: KillSwitch on ddwrt router.

 

Neither one of those 2 fw rules** added work for me 100% --- there will be an IP leak when the router is in between start and fully loaded and simultaneously Windows 10 is waiting to connect * ... I don't think that happens with Eddie's fw lock, just why can't I set up the same on my router?

 

 

* for a full protocol i would have wireshark to record it ofc

** the original and yours

 

 

 

PS: Thank you very much for your effort


Thank you for this guide. 

 

What would be the steps necessary to use the new IPv4 + IPv6 features with tls-crypt with DD-WRT? Is it even possible at the moment?


Hi there , "Clientlog: 
20190610 09:40:55 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible 
20190610 09:40:55 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible 
20190610 09:40:55 I OpenVPN 2.4.3 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Sep 11 2017 
20190610 09:40:55 I library versions: OpenSSL 1.1.0f 25 May 2017 LZO 2.09 
20190610 09:40:55 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16 
20190610 09:40:55 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 
20190610 09:40:55 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
20190610 09:40:55 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication 
20190610 09:40:55 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication 
20190610 09:40:55 I TCP/UDP: Preserving recently used remote address: [AF_INET]213.152.162.106:2018 
20190610 09:40:55 Socket Buffers: R=[87380->87380] S=[16384->16384] 
20190610 09:40:55 I Attempting to establish TCP connection with [AF_INET]213.152.162.106:2018 [nonblock] 
20190610 09:40:57 I TCP connection established with [AF_INET]213.152.162.106:2018 
20190610 09:40:57 I TCPv4_CLIENT link local: (not bound) 
20190610 09:40:57 I TCPv4_CLIENT link remote: [AF_INET]213.152.162.106:2018 
20190610 09:40:57 N Connection reset restarting [0] 
20190610 09:40:57 I SIGUSR1[soft connection-reset] received process restarting 
20190610 09:40:57 Restart pause 5 second(s) 
20190610 09:41:02 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 
20190610 09:41:02 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
20190610 09:41:02 I TCP/UDP: Preserving recently used remote address: [AF_INET]213.152.162.106:2018 
20190610 09:41:02 Socket Buffers: R=[87380->87380] S=[16384->16384] 
20190610 09:41:02 I Attempting to establish TCP connection with [AF_INET]213.152.162.106:2018 [nonblock] 
20190610 09:41:03 I TCP connection established with [AF_INET]213.152.162.106:2018 
20190610 09:41:03 I TCPv4_CLIENT link local: (not bound) 
20190610 09:41:03 I TCPv4_CLIENT link remote: [AF_INET]213.152.162.106:2018 
20190610 09:41:03 N Connection reset restarting [0] 
20190610 09:41:03 I SIGUSR1[soft connection-reset] received process restarting 
20190610 09:41:03 Restart pause 5 second(s) 
20190610 09:41:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20190610 09:41:05 D MANAGEMENT: CMD 'state' 
20190610 09:41:05 MANAGEMENT: Client disconnected 
20190610 09:41:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20190610 09:41:05 D MANAGEMENT: CMD 'state' 
20190610 09:41:05 MANAGEMENT: Client disconnected 
20190610 09:41:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20190610 09:41:05 D MANAGEMENT: CMD 'state' 
20190610 09:41:05 MANAGEMENT: Client disconnected 
20190610 09:41:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20190610 09:41:05 D MANAGEMENT: CMD 'status 2' 
20190610 09:41:05 MANAGEMENT: Client disconnected 
20190610 09:41:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20190610 09:41:05 D MANAGEMENT: CMD 'log 500' 
19691231 19:00:00 "
who can help ?? thanks in advance
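
Added example, not part of the original post: a small triage of the client log above that separates its three distinct signals (server certificate verification switched off, key files readable by group or others, and a connect/reset loop). `triage_openvpn_log`, `sample_log` and the output keys are hypothetical names; the sample lines are excerpted from the posted log.

```shell
#!/bin/sh
# Added example: summarise security-relevant findings in an OpenVPN client log
# (stdin), printing one "check=result" line per finding.
triage_openvpn_log() {
    awk -v q="'" '
        # OpenVPN warns when no server certificate check (for example the
        # remote-cert-tls server option raised in the reply above) is active.
        /No server certificate verification method has been enabled/ { noverify = 1 }
        # Key material readable by group/others; the path is the quoted token.
        /is group or others accessible/ {
            if (match($0, q "[^" q "]+" q))
                loose[substr($0, RSTART + 1, RLENGTH - 2)] = 1
        }
        /Connection reset/ { resets++ }
        /Initialization Sequence Completed/ { up = 1 }
        END {
            n = 0
            for (f in loose) n++
            print "server_cert_verification=" (noverify ? "disabled" : "not_flagged")
            print "loose_key_files=" n
            print "connection_resets=" (resets + 0)
            if (up) print "tunnel=established"
            else if (resets >= 2) print "tunnel=reset_loop"
            else print "tunnel=not_established"
        }'
}

# Sample input: lines excerpted from the client log posted above.
sample_log() {
    cat <<'EOF'
20190610 09:40:55 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20190610 09:40:55 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
20190610 09:40:55 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20190610 09:40:57 I TCP connection established with [AF_INET]213.152.162.106:2018
20190610 09:40:57 N Connection reset restarting [0]
20190610 09:40:57 I SIGUSR1[soft connection-reset] received process restarting
20190610 09:41:02 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20190610 09:41:03 N Connection reset restarting [0]
EOF
}

sample_log | triage_openvpn_log
```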

On 6/11/2019 at 7:18 AM, kiltedscotsman said:
840769542_screenshot2019-06-11003.png.f0e701ed7e5044a555f1a9b001e87485.png



Well I've tried everything and cannot get Airvpn to work under dd-wrt..... and get the same results as KScotsman....

I changed from Tomato today to dd-wrt as airvpn stopped working on tomato too, odd.

Anyone have any ideas??

 

14 hours ago, go558a83nk said:

I have an idea. It's your network.  AirVPN didn't just stop working.  Nothing's changed with AirVPN.



Brilliant!! thanks for that!! you were no help at all...
