Creating a Policy-Based routed OpenVPN connection editible inside LuCI OpenVPN app

[kgursu 0]

(This is a cross-post of this site: https://forum.openwrt.org/t/creating-a-policy-based-routed-openvpn-connection-editible-inside-luci-openvpn-app/26840)

 

Hi,

 

I customized two guides on AirVPN forum (https://airvpn.org/topic/15405-using-airvpn-with-openwrt/ and https://airvpn.org/topic/20303-airvpn-configuration-on-openwrt-preventing-traffic-leakage-outside-tunnel/) regarding creating OpenVPN profiles, but couldn't achieve everything I wanted.

Here are the things I wanted:

• Creating an OpenVPN connection using Policy-Based Routing without any leakage
• Editing using OpenVPN LuCI app, when needed.

Here are the steps:

 

1) Unbridge the LAN interface(s). Go to "Physical Settings" of the LAN interface(s) and uncheck the "creates a bridge over specified interface(s). Check the interface button of your connected (new wireless) network.

 

2) Connect to your router via SSH.

 

3.1) Update the packages:

opkg update

 

3.2) Install OpenVPN and nano:

opkg install openvpn-openssl
opkg install nano

 

3.3) (Optional) Install LuCI component of OpenVPN:

opkg install luci-app-openvpn

 

4) Make it autostart, when router starts:

/etc/init.d/openvpn enable

 

5) Backup current OpenVPN files:

mv /etc/config/openvpn /etc/config/openvpn_old

 

6) Create a new interface for AirVPN:

cat >> /etc/config/network << EOF
config interface 'airvpn'
option proto 'none'
option ifname 'tun0'
EOF 

 

Alternate way:

uci set network.airvpn=interface
uci set network.airvpn.proto='none'
uci set network.airvpn.ifname='tun0'
uci commit network

 

7) Use the "Config Generator" of AirVPN to create the OpenVPN files. Please select the "Advanced Mode" and check "Separate keys/certs from .ovpn file" and
"Resolved hosts in .ovpn file". Save the files on your machine.

 

8) Move into the openvpn folder:

cd /etc/openvpn 

 

9) Use nano to create all the required files on your router.
Copy and paste the following files "AirVPN_**************.ovpn, ta.key, ca.crt, user.crt, user.key" to PuTTY folder.
Rename the "AirVPN_**************.ovpn" into airvpn.conf for usability.
Then, apply these commands:

nano airvpn.conf
nano ta.key
nano ca.crt
nano user.crt
nano user.key 

Use ^S (Control+S) on each line.

 

airvpn.conf should look like this (or just use the ovpn file):

client
dev tun
proto udp
remote xxx.XXX.xxx.XXX XXX
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
route-delay 5
verb 3
ca ca.crt
cert user.crt
key user.key
tls-auth ta.key 1

 

10) Create a firewall zone for AirVPN (air_firewall):

cat >> /etc/config/firewall << EOF
config zone
option name 'air_firewall'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'airvpn'

config forwarding
option dest 'air_firewall'
option src 'lan'
EOF

 

Alternate way:

uci add firewall zone
uci set firewall.@zone[-1].name='air_firewall'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='airvpn'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='/external_image/?url=lan'
uci set firewall.@forwarding[-1].dest='air_firewall'
uci commit firewall 

 

11) Prevent leakage outside the VPN-tunnel:

uci del firewall.@forwarding[0]
uci set firewall.@zone[1].masq=0
uci commit firewall 

 

12) The file /etc/config/openvpn should contain following appended strings:

uci set openvpn.airvpn=openvpn
uci set openvpn.airvpn.enabled='1'
****optional*****uci set openvpn.airvpn.config='/etc/openvpn/AirVPN_XXX_UDP-443.ovpn'
uci commit openvpn

 

13) Reboot router

 

14) Test OpenVPN configuration:

openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.conf 

 

At the end it should show "Initialization Sequence Completed"
Stop openvpn with "Ctrl-C".

 

Important: I've got these results:
It showed me this error:

Options error: You must define TUN/TAP device (--dev) 

 

Then I tried this:

openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.conf --dev tun0 

 

The output is this:

Mon Dec 10 20:44:19 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Mon Dec 10 20:44:19 2018 OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Dec 10 20:44:19 2018 library versions: OpenSSL 1.0.2p 14 Aug 2018, LZO 2.10
Mon Dec 10 20:44:19 2018 ******* WARNING *******: All encryption and authentication features disabled -- All data will be tunnelled as clear text and will not be protected against man-in-the-middle changes. PLEASE DO RECONSIDER THIS CONFIGURATION!
Mon Dec 10 20:44:19 2018 TUN/TAP device tun0 opened
Mon Dec 10 20:44:19 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Dec 10 20:44:19 2018 UDPv4 link local (bound): [AF_INET][undef]:1194
Mon Dec 10 20:44:19 2018 UDPv4 link remote: [AF_UNSPEC] 

 

15) Use the AirVPN DNS:

uci add_list dhcp.lan.dhcp_option="6,10.4.0.1"
uci commit dhcp
reboot 

 

Alternate way:

uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns='10.4.0.1'
uci commit

config interface 'wan'
option ifname 'eth0.2'
option force_link '1'
option proto 'dhcp'
option peerdns '0'
list dns '10.4.0.1' 

 

16) Secure against IP Leak, backup old firewall

mv /etc/config/firewall /etc/config/firewall.backup 

 

17) Create new firewall rules

cat >> /etc/config/firewall << EOF
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option network 'wan'
option input 'ACCEPT'

config zone
option name 'airvpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'airvpn'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

config forwarding
option dest 'airvpn'
option src 'lan'
EOF 

 

Another way:
To prevent traffic leakage in case VPN-tunnel drops you should edit the file /etc/firewall.user with following content:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
iptables -I forwarding_rule -j REJECT
fi
if (! iptables -C forwarding_lan_rule ! -o tun+ -j REJECT); then
iptables -I forwarding_lan_rule ! -o tun+ -j REJECT
fi 

 

18) You should also create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with following content:

#!/bin/sh
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
iptables -D forwarding_rule -j REJECT
fi
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
iptables -I forwarding_rule -j REJECT
fi 

 

Use these commands:

cd /etc/hotplug.d/iface/
nano 99-prevent-leak.sh 

 

18) In some cases openvpn hangs with log message like (couldn't resolve host ...). In this case tunnel stays up, but connection is lost. It should be reconnected manually, with the following script /etc/openvpn/reconnect.sh, which is added to /etc/rc.local as:
(Can be added through Startup page)

/etc/openvpn/reconnect.sh & 

 

The content of script reconnect.sh is like:

#!/bin/sh
n=10
while sleep 50; do
t=$(ping -c $n 8.8.8.8 | grep -o -E '\d+ packets r' | grep -o -E '\d+')
if [ "$t" -eq 0 ]; then
/etc/init.d/openvpn restart
fi
done 

 

Test here: https://ipleak.net/

 

I messed something anywhere. So, I reset my router and start from the scratch.

 

Questions:

1. What might not be needed from the above list?
2. What can be done to achieve further with vpn-policy-routing and luci-app-vpn-policy-routing apps? I could not find anything easily from the forum (VPN Policy-Based Routing + Web UI -- Discussion), as I need IP based exclusions for VPN on LAN.
3. Creating a profile with OpenVPN LuCI app prevents me to upload the ta.key file, but I need apps functionality in some way.
4. Is using

cat >> /etc/config/XXX << EOF
config xxx
...
EOF 

commands risky, while restoring some settings and even reconfiguring OpenVPN?

 

As a note, I gathered LuCI app configuration from a backup of the router. Here are the locations of uploaded files:

option ca '/etc/luci-uploads/cbid.openvpn.AirVPN.ca'
option cert '/etc/luci-uploads/cbid.openvpn.AirVPN.cert'
option key '/etc/luci-uploads/cbid.openvpn.AirVPN.key'
option tls_auth '/etc/openvpn/ta.key 1' 

 

The last one was entered manually. So, it's not valid anyway.

 

Also, there is a line, which I did not remember entering that. Is this needed? What is its purpose?

option route_gateway '10.234.1.1' 

 

Can someone help me on these please?

Thanks...

[Whisperer 2]

Thank you for bringing the info together in one spot. You can probably remove step 10, since you're removing and re-adding all firewall rules in step 17 anyway.

 

For a while now, I've been wanting to configure (and document) a clean install of OpenWRT/LEDE on my router, so I can easily configure any router. I want to use the functionality supplied by the basic snapshots as much as possible. Which means installing as few extra packages as possible. It also means I really didn't like the openvpn.airvpn.config='/etc/openvpn/AirVPN_XXX_UDP-443.ovpn' thing. So I distilled all the config file's options into uci commands, which comes down to this:

 

uci set openvpn.airvpn=openvpn
uci set openvpn.airvpn.enabled='1'
uci set openvpn.airvpn.client='1'
uci set openvpn.airvpn.dev='tun'
uci set openvpn.airvpn.remote='XXX.XXX.XXX.XXX XXX'
uci set openvpn.airvpn.resolv_retry='infinite'
uci set openvpn.airvpn.nobind='1'
uci set openvpn.airvpn.persist_key='1'
uci set openvpn.airvpn.persist_tun='1'
uci set openvpn.airvpn.auth_nocache='1'
uci set openvpn.airvpn.route_delay='5'
uci set openvpn.airvpn.verb='3'
uci set openvpn.airvpn.explicit_exit_notify='5'
uci set openvpn.airvpn.ca='/etc/openvpn/ca.crt'
uci set openvpn.airvpn.cert='/etc/openvpn/user.crt'
uci set openvpn.airvpn.key='/etc/openvpn/user.key'
uci set openvpn.airvpn.remote_cert_tls='server'
uci set openvpn.airvpn.cipher='AES-256-CBC'
uci set openvpn.airvpn.comp_lzo='no'
uci set openvpn.airvpn.proto='udp'
uci set openvpn.airvpn.tls_auth='/etc/openvpn/ta.key 1'
uci commit openvpn

The biggest advantage is that it becomes possible to edit this connection through LuCI.

 

There are two gotchas here. First, there doesn't seem to be a uci config option for "comp_lzo", only for "compress" (at least according to the LuCI interface). Which probably has something to do with the OpenWRT server migrating from one to the other. Leaving it out altogether will lead to two error messages about "link-mtu" and "comp-lzo" but the connection will still be established.

However, simply adding in "comp_lzo" using uci seems to work.

 

The second thing is that weird 1 after the tls_auth. Without it, the connection fails. Keeping it there works.

 

I've never needed to use the scripts myself, it's like OpenWRT is trying to keep the connection up. When it's down, there is a chance that I'd go over my ISP's connection. It wouldn't be that effective, since the DNS servers are only accessible over the VPN. Maybe it's the vpnbypass package I'm using, who knows.

 

My biggest issue right now is the firewall config. I've seen different variants. For example, this one sets a lot of drops instead of rejects and it completely removes the wan-interface from the forward. Which I think should prevent any traffic outside of the VPN (and would probably make vpnbypass useless). I just wish someone would be a bit clearer on which firewall rules to set and why.

 

By the way, the author of vpnbypass also has a policy-based routing module that you might want to look into.