tinigriffy 1 Posted ...

This is how I configured AirVPN on a Raspberry Pi 3B for our small home network. With this configuration I was able to use our full download speed of 100 Mbit updating the Steam library on a Saturday night (ger to ger - Frankfurt exit node).

I took the time to write this down:

a) In the hope someone with actual knowledge might look over it and tell me my divine mistake .. go on, .. won't bite.. promise !
b) it helps people getting their OpenWRT / AirVPN

I use LUCI, the OpenWRT browser GUI. I started with a clean base install, updated it and configured the pppoe uplink according to the guides on openwrt.org

Then I installed the following packages :

openvpn-openssl
vpnbypass
luci-app-vpnbypass
luci-app-openvpn

Your Router Menu should now have a new Menu Item : VPN with OpenVPN and VPN Bypass as menu items. (reload F5)

Next I created a new Interface in the Network config : Add new Interface ..

In the General TAB -->> Name: vpntunnel, Proto: unmanaged, Device -> custom : tun0
In the advanced TAB -->> deselect "Use DNS servers advertised by peer" , Use custom DNS servers : 10.4.0.1 (enter IP and hit +)

save + save and apply ! .. it should look something like this.

The new tun device throws an error since nothing is connected yet, that's fine for now.

Next I created a firewall rule in Network Firewall : Add

In the General TAB -->> Name : vpnfirewall , input : reject, output : accept, forward : reject. Masquerading : yes , MSS clamping : yes, covered Network : vpntunnel , allowed destination : unspecified, allowed source : LAN

save + save and apply ! ..

Next I generated the OpenVPN config : https://airvpn.org/generator/

Select -->> Router , OpenVPN UDP 443 and your country and hit generate. You will get a file with ovpn as suffix. This single file contains everything you need to establish a connection via VPN !!

Next I uploaded that file to my router via VPN -> OpenVPN in my router menu.
Give it a Name, select the ovpn file and hit upload.

After enabling and starting the configuration it should look something like this :

https://ipleak.net/ now should show only VPN ip addresses. (DNS and exit node.) for your whole LAN network.

Mission accomplished.

Additionally there is the VPN Bypass plugin in case you want to exclude certain local hosts , ports, networks from your VPN connection. Its usage is simple as a dream ...

Here are my network, dhcp, vpn, and firewall config for verification :

/etc/config/network

    config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

    config globals 'globals'
        option ula_prefix 'fd4f:b73d:0b1f::/48'

    config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

    config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.1.1.1'

    config interface 'WAN'
        option proto 'pppoe'
        option ipv6 'auto'
        option username 'username@provider.de'
        option password '12345678'
        option device 'eth1.7'

    config device
        option type '8021q'
        option ifname 'eth1'
        option vid '7'
        option name 'eth1.7'
        option acceptlocal '1'

    config interface 'vpntunnel'
        option proto 'none'
        option device 'tun0'
        option peerdns '0'
        list dns '10.4.0.1'

/etc/config/dhcp

    config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

    config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option force '1'
        option master '1'
        list ra_flags 'none'

    config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

    config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

/etc/config/openvpn

    config openvpn 'airvpnger'
        option config '/etc/openvpn/airvpnger.ovpn'
        option enabled '1'

/etc/config/firewall

    config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

    config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

    config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'WAN'

    config forwarding
        option src 'lan'
        option dest 'wan'

    config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

    config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

    config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

    config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

    config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

    config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

    config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

    config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

    config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

    config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

    config include
        option path '/etc/firewall.user'

    config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        list network 'vpntunnel'
        option masq '1'

    config forwarding
        option src 'lan'
        option dest 'vpnfirewall'
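
Added example, not part of the original post: the firewall config above keeps the stock lan -> wan forwarding next to the new lan -> vpnfirewall one, so the firewall still permits LAN traffic out through the wan zone whenever tun0 is down. The shell functions below list where a zone may forward to and flag anything other than the VPN zone; the function names are made up for this example and the sample input is a constructed excerpt of the posted config.

```shell
#!/bin/sh
# Added example: which zones may a source zone forward to, according to an
# OpenWrt firewall config read from stdin? Function names are hypothetical.

# forward_dests SRC : print the dest zone of every enabled forwarding from SRC
forward_dests() {
    tr -d "'\"" | awk -v src="$1" '
        function emit() { if (fwd && !off && s == src && d != "") print d }
        $1 == "config" { emit(); fwd = ($2 == "forwarding"); s = d = ""; off = 0 }
        fwd && $1 == "option" && $2 == "src"  { s = $3 }
        fwd && $1 == "option" && $2 == "dest" { d = $3 }
        fwd && $1 == "option" && $2 == "enabled" && $3 == "0" { off = 1 }
        END { emit() }
    '
}

# leak_zones SRC VPNZONE : forwarding destinations of SRC other than VPNZONE
leak_zones() {
    forward_dests "$1" | grep -vxF -- "$2" || true
}

# Constructed sample: the forwarding-related sections of the posted config.
sample_config() {
cat <<'EOF'
config zone
    option name 'wan'
    option forward 'REJECT'
    list network 'WAN'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'

config forwarding
    option src 'lan'
    option dest 'vpnfirewall'
EOF
}

leaks=$(sample_config | leak_zones lan vpnfirewall)
if [ -n "$leaks" ]; then
    echo "lan may also forward to: $leaks (allowed outside the tunnel)"
else
    echo "lan forwards only to the VPN zone"
fi
```

On the router, run `leak_zones lan vpnfirewall < /etc/config/firewall`; an empty result means lan can only be forwarded into the VPN zone.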