Showing results for 'openwrt'.
Found 250 results
-
I'm looking for a comprehensive guide on how to set up AirVPN on a router running OpenWRT. I've tried following various tutorials online, but I'm still running into issues. Specifically, I'm having trouble with configuring the firewall rules to ensure that all traffic is routed through the VPN. Does anyone have a reliable configuration that they could share? I'm also interested in any tips or tricks for improving performance and stability. Any help would be greatly appreciated!
-
Hi everyone, I'm using AirVPN through WireGuard on my OpenWrt router (latest stable version), but I'm having trouble getting IPv6 to work properly. IPv4 traffic goes through the VPN just fine, but IPv6 traffic does not. Here are my relevant settings and config:

// network:

config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fdef:xxxx:xxxx::/48'
    option packet_steering '1'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'wan'
    option device 'wan.10'
    option proto 'dhcp'
    option peerdns '0'
    list dns '1.1.1.2'

config interface 'wan6'
    option device 'wan.10'
    option proto 'dhcpv6'
    option reqaddress 'try'
    option reqprefix 'auto'
    option peerdns '0'
    list dns '2606:4700:4700::1112'

config device
    option type '8021q'
    option ifname 'wan'
    option vid '10'
    option name 'wan.10'

config interface 'vpn'
    option proto 'wireguard'
    option private_key '***REDACTED***'
    list addresses '10.x.x.x/32'
    list addresses 'fdxx:xxxx:xxxx:xxxx::xxxx/128'

config wireguard_vpn 'wgserver'
    option public_key '***REDACTED***'
    option preshared_key '***REDACTED***'
    option endpoint_host 'xxx.xxx.xxx.xxx'
    option endpoint_port '1637'
    option persistent_keepalive '15'
    option route_allowed_ips '1'
    list allowed_ips '0.0.0.0/0'
    list allowed_ips '::/0'

// firewall

config defaults
    option syn_flood '1'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone 'lan'
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone 'wan'
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    list network 'vpn'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

# IPv6-related firewall rules omitted for brevity but mostly default ICMPv6 & DHCPv6

Despite ::/0 being in the allowed_ips for the WireGuard interface, my IPv6 traffic still seems to go out through the regular WAN or not at all. Does anyone know what I'm missing or how to properly force all IPv6 traffic through the VPN tunnel like IPv4? Thanks in advance!
-
I am trying to set up my new OpenWRT router with WireGuard and PBR while keeping IPv6 enabled. I found previous threads and followed some of the instructions found there, namely the ones on this page: https://openwrt.org/docs/guide-user/services/vpn/wireguard/client and this video by Dev Odyssey: https://www.youtube.com/watch?v=04q41GEPvKA The deviation from the above I made is to add the DNS servers, which are not in the OpenWRT page. I also created a "vpn" zone and added it to the default forwarder as in the video. I installed PBR and started it with IPv6 enabled. The WireGuard connection appears to be online. However, even though DNS resolution appears to work, I have no IPv4 connectivity and can only connect to IPv6 sites with my ISP's IPv6 address. So basically even though the WireGuard connection is established and has a small amount of TX and RX I don't appear to be able to use the tunnel at all (except for DNS resolution so I can reach AirVPN's DNS). I'm at a loss how to troubleshoot this. Anybody able to assist?
-
ANSWERED Help with Port Forwarding
-IceMan- replied to aide199's topic in Troubleshooting and Problems
SS11 I have set up the WireGuard protocol on my OpenWrt One router and I need you to guide me on the LuCI GUI step by step how to do iptables firewall rules to further redirect traffic from the VPN WireGuard tunnel to 192.168.1.85:xxxx Best regards !
-
Hi Forum, A couple of days ago I switched from my previous VPN supplier, Perfect Privacy, to AirVPN. I am not making use of Eddie, but am relying on a dedicated VPN router instead (a four port Protectli VP2420 with a Celeron J6412 processor). Connected to the switch downstream of this router are two desktops and a laptop. Since I was already using said VPN router when I was still making use of Perfect Privacy, reconfiguring it for AirVPN was a breeze: I uploaded the OpenVPN configuration files for a number of countries (Belgium, Germany, the Netherlands, Norway and Sweden), and I was good to go 👍. However, I do still have an issue now I am with AirVPN that I have not yet sorted out. This has to do with the fact that I'd like my two desktops to connect to a server in the Netherlands, whereas my laptop should connect to a server in Sweden. Previously, I managed to do this under OpenWrt by making the connection with the server in the Netherlands my default gateway, namely by adding the following two lines to the OpenVPN configuration file for the Dutch server:

1. redirect-gateway def1
2. redirect-gateway ipv6

At the same time, traffic from my laptop was routed to a server in Sweden - this, by making use of the 'policy based routing' package of OpenWrt, and by adding the following two lines to the OpenVPN configuration files for the Swedish server:

3. pull-filter ignore "redirect-gateway"
4. pull-filter ignore "redirect-gateway ipv6"

Having switched to AirVPN, I have been trying to reach the same result by adding lines 1 and 2 to the configuration file for the Netherlands ('remote nl3.vpn.airdns.org 443'), and lines 3 and 4 to the file for Sweden ('remote se3.vpn.airdns.org 443'). Although it would have been nice if the solution were as simple as this 😎, unfortunately it doesn't work. The server in the Netherlands doesn't become my default gateway, and my laptop doesn't connect to a server in Sweden as my routing policy tells it to.

My question is hence what I should change in the OpenVPN configuration file to make the connection to a server in the Netherlands my default gateway, and also, what needs to be changed in the configuration file for Sweden to make OpenWrt understand that a connection to a server in the latter country should be seen as a 'secondary gateway', through which traffic is routed only when it is generated by the laptop for which my routing policy is in place. Any suggestions you may have will be warmly welcomed 🙏!
-
Do I want privacy when I connect to my home VPN?
react-hoc-elope replied to space5's topic in Off-Topic
Depending on what you're looking to do, like if you're just trying to access your own services for personal use while on the go, without opening it up to the internet, take a look at Tailscale. It's effectively another VPN provider (using WireGuard) but it's specifically focused on creating private connections between services/machines in your own network and has a very forgiving free tier. If you have full control of your router (via OpenWRT or some such) you can even set it up on the edge for a full virtual network behavior. Though most simply would be:

1. install tailscale on your home server - register it as server1 in a private network
2. install tailscale on your portable device - registered as client1 in the same private network
3. you should now have access to that service wherever you are without needing a public ddns or port forwarding

Whelp I just realized how old this post is, hope it's still helpful for someone... (and noticed another Tailscale recommendation)
-
From the AirVPN config generator I configured as follows: OS: Router -> protocol: WireGuard -> By continents (recommended): Europe -> Generate. I use WireGuard via my OpenWrt router. According to my understanding, once the WireGuard interface from my router first connects, a server from Europe is chosen that doesn't have too much load. However, afterwards the server isn't changed anymore. It stays there until either the router or the interface is restarted. My question is, if /usr/bin/wireguard_watchdog is the solution? I changed the script so that it re-resolves the endpoint hostname every time. I run the script every 15 mins. So this way when the server becomes too loaded a different server should be resolved to, right?

Custom script based on wireguard_watchdog:

#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (C) 2018 Aleksandr V. Piskunov <aleksandr.v.piskunov@gmail.com>.
# Copyright (C) 2015-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
#
# This watchdog script tries to re-resolve hostnames for inactive WireGuard peers.
# Use it for peers with a frequently changing dynamic IP.
# persistent_keepalive must be set, recommended value is 25 seconds.
#
# Run this script from cron every 15th minute:
# echo '*/15 * * * * /usr/bin/wireguard_watchdog_custom' >> /etc/crontabs/root

. /lib/functions.sh

check_peer_activity() {
  local cfg=$1
  local iface=$2
  local disabled
  local public_key
  local endpoint_host
  local endpoint_port
  local persistent_keepalive

  config_get_bool disabled "${cfg}" "disabled" 0
  config_get public_key "${cfg}" "public_key"
  config_get endpoint_host "${cfg}" "endpoint_host"
  config_get endpoint_port "${cfg}" "endpoint_port"

  if [ "${disabled}" -eq 1 ]; then
    # skip disabled peers
    return 0
  fi

  persistent_keepalive=$(wg show "${iface}" persistent-keepalive | grep "${public_key}" | awk '{print $2}')

  # only process peers with endpoints and keepalive set
  [ -z "${endpoint_host}" ] && return 0
  [ -z "${persistent_keepalive}" -o "${persistent_keepalive}" = "off" ] && return 0

  # skip IP addresses
  # check taken from packages/net/ddns-scripts/files/dynamic_dns_functions.sh
  local IPV4_REGEX="[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}"
  local IPV6_REGEX="\(\([0-9A-Fa-f]\{1,4\}:\)\{1,\}\)\(\([0-9A-Fa-f]\{1,4\}\)\{0,1\}\)\(\(:[0-9A-Fa-f]\{1,4\}\)\{1,\}\)"
  local IPV4=$(echo "${endpoint_host}" | grep -m 1 -o "$IPV4_REGEX$")  # do not detect ip in 0.0.0.0.example.com
  local IPV6=$(echo "${endpoint_host}" | grep -m 1 -o "$IPV6_REGEX")
  [ -n "${IPV4}" -o -n "${IPV6}" ] && return 0

  # re-resolve the endpoint hostname on every run (the stock script's
  # last-handshake idle check is removed here, so the hostname is
  # resolved again each time cron runs this)
  logger -t "wireguard_monitor" "trying to re-resolve hostname: wg set ${iface} peer ${public_key} endpoint ${endpoint_host}:${endpoint_port}"
  echo "wireguard_monitor: trying to re-resolve hostname: wg set ${iface} peer ${public_key} endpoint ${endpoint_host}:${endpoint_port}"
  wg set "${iface}" peer "${public_key}" endpoint "${endpoint_host}:${endpoint_port}"
}

# query ubus for all active wireguard interfaces
wg_ifaces=$(ubus -S call network.interface dump | jsonfilter -e '@.interface[@.up=true]' | jsonfilter -a -e '@[@.proto="wireguard"].interface' | tr "\n" " ")

# check every peer in every active wireguard interface
config_load network
for iface in $wg_ifaces; do
  config_foreach check_peer_activity "wireguard_${iface}" "${iface}"
done
-
If the 7530 is your router and you really like to tinker, Freetz can be used to install OpenVPN and iptables. At the same time you must get rid of some AVM tech through the Freetz config (for example, starting with Fritz!OS 5.x there's the AVM PA which ships its own versions of common Linux kernel network libs, rendering iptables useless for OpenVPN's use case; but if PA is not there you might get degraded performance). The recommendation shall be to connect a different *Wrt-capable router to the 7530 (OpenWRT, DD-WRT, AsusWrt, etc.), configure OpenVPN/Wireguard on that and henceforth connect all your devices to it. No other features than DSL and maybe telephony will be used on the Fritz!Box. Well, I think yes? Not familiar with that service. Subjective. Put it to the test with various servers, ports and protocols and see what works best. But in general, I strongly recommend against competitive gaming via VPN. Not only because you artificially increase the latency, but you also paint a big mark on your back saying "watch me closely, I'm probably up to no good".
-
Hi, I have created an OpenWRT router on my Proxmox server, and the WireGuard connection is working. I can use ping and ping6, traceroute and traceroute6, all works well, also from the LAN. Except … incoming port forwarding on IPv6 keeps failing, while IPv4 is working perfectly. Anyone got a pointer? I am not an expert with OpenWRT, but got some basic knowledge.
-
EDIT (new question): Which IP address is OK to be pinged every 50 seconds and is still privacy/no-log OK? Thanks! I customized the AirVPN OpenWrt config to have the reconnect.sh script point to a specific IP address. The IP address stopped responding to pings 2 days ago. For now, I changed the IP to Google, all working again like a charm. But I don't like Google... So looking for an alternative.

Original question "troubleshoot airvpn Interrupted system call (code=4)": Can anyone please help me troubleshoot my routers? OpenVPN is disconnecting after ±1 minute and reloading. I think the issue is: event_wait : Interrupted system call (code=4). Conscious of the issue since 2-3 days; before, with the exact same config, all seemed to be OK. Happens on OpenWrt 21.02.1 and on OpenWrt 21.02.0. OpenWrt configured using ulmwind's guide.

AirVPN config generator specifics:
- using generator for "router"
- connect with IP layer ipv4
- IP layer exit ipv4 only

Log section:

Sat Dec 11 09:48:07 2021 daemon.notice openvpn(OpenWRT)[1620]: Initialization Sequence Completed
Sat Dec 11 09:48:40 2021 kern.info kernel: [ 91.160539] rt3050-esw 10110000.esw: link changed 0x00
Sat Dec 11 09:48:54 2021 daemon.err openvpn(OpenWRT)[1620]: event_wait : Interrupted system call (code=4)
Sat Dec 11 09:48:54 2021 daemon.notice openvpn(OpenWRT)[1620]: SIGTERM received, sending exit notification to peer
Sat Dec 11 09:48:59 2021 daemon.notice openvpn(OpenWRT)[1620]: net_route_v4_del: 213.152.161.248/32 via 192.168.1.1 dev [NULL] table 0 metric -1
Sat Dec 11 09:48:59 2021 daemon.notice openvpn(OpenWRT)[1620]: net_route_v4_del: 0.0.0.0/1 via 10.24.168.1 dev [NULL] table 0 metric -1
Sat Dec 11 09:48:59 2021 daemon.notice openvpn(OpenWRT)[1620]: net_route_v4_del: 128.0.0.0/1 via 10.24.168.1 dev [NULL] table 0 metric -1
Sat Dec 11 09:48:59 2021 daemon.notice openvpn(OpenWRT)[1620]: Closing TUN/TAP interface
Sat Dec 11 09:48:59 2021 daemon.notice openvpn(OpenWRT)[1620]: net_addr_v4_del: 10.24.168.174 dev tun0
Sat Dec 11 09:48:59 2021 daemon.notice netifd: Network device 'tun0' link is down
Sat Dec 11 09:48:59 2021 daemon.notice netifd: Interface 'OpenWRT' has link connectivity loss
Sat Dec 11 09:48:59 2021 daemon.notice netifd: Interface 'OpenWRT' is now down
Sat Dec 11 09:48:59 2021 daemon.notice openvpn(OpenWRT)[1620]: /usr/libexec/openvpn-hotplug down OpenWRT tun0 1500 1538 10.24.168.174 255.255.255.0 init
Sat Dec 11 09:48:59 2021 daemon.notice openvpn(OpenWRT)[1620]: SIGTERM[soft,exit-with-notification] received, process exiting
Sat Dec 11 09:48:59 2021 daemon.notice netifd: Interface 'OpenWRT' is disabled
Sat Dec 11 09:48:59 2021 daemon.notice openvpn(OpenWRT)[2454]: OpenVPN 2.5.3 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Dec 11 09:48:59 2021 daemon.notice openvpn(OpenWRT)[2454]: library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
Sat Dec 11 09:48:59 2021 daemon.warn openvpn(OpenWRT)[2454]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Dec 11 09:48:59 2021 daemon.notice openvpn(OpenWRT)[2454]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Dec 11 09:48:59 2021 daemon.notice openvpn(OpenWRT)[2454]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Dec 11 09:49:02 2021 daemon.notice openvpn(OpenWRT)[2454]: TCP/UDP: Preserving recently used remote address: [AF_INET]141.98.102.242:443
Sat Dec 11 09:49:02 2021 daemon.notice openvpn(OpenWRT)[2454]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Sat Dec 11 09:49:02 2021 daemon.notice openvpn(OpenWRT)[2454]: UDP link local: (not bound)
Sat Dec 11 09:49:02 2021 daemon.notice openvpn(OpenWRT)[2454]: UDP link remote: [AF_INET]141.98.102.242:443
Sat Dec 11 09:49:02 2021 daemon.notice openvpn(OpenWRT)[2454]: TLS: Initial packet from [AF_INET]141.98.102.242:443, sid=2fbf3630 b63934b8
Sat Dec 11 09:49:02 2021 daemon.notice openvpn(OpenWRT)[2454]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Sat Dec 11 09:49:02 2021 daemon.notice openvpn(OpenWRT)[2454]: VERIFY KU OK
Sat Dec 11 09:49:02 2021 daemon.notice openvpn(OpenWRT)[2454]: Validating certificate extended key usage
Sat Dec 11 09:49:02 2021 daemon.notice openvpn(OpenWRT)[2454]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Dec 11 09:49:02 2021 daemon.notice openvpn(OpenWRT)[2454]: VERIFY EKU OK
Sat Dec 11 09:49:02 2021 daemon.notice openvpn(OpenWRT)[2454]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Dubhe, emailAddress=info@airvpn.org
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 4096 bit RSA, signature: RSA-SHA512
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: [Dubhe] Peer Connection Initiated with [AF_INET]141.98.102.242:443
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.26.8.1,route-gateway 10.26.8.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.26.8.74 255.255.255.0,peer-id 5,cipher CHACHA20-POLY1305'
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: OPTIONS IMPORT: timers and/or timeouts modified
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: OPTIONS IMPORT: compression parms modified
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: OPTIONS IMPORT: --ifconfig/up options modified
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: OPTIONS IMPORT: route options modified
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: OPTIONS IMPORT: route-related options modified
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: OPTIONS IMPORT: peer-id set
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: OPTIONS IMPORT: adjusting link_mtu to 1625
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: OPTIONS IMPORT: data channel crypto options modified
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: Data Channel: using negotiated cipher 'CHACHA20-POLY1305'
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: Incoming Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: net_route_v4_best_gw query: dst 0.0.0.0
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: net_route_v4_best_gw result: via 192.168.1.1 dev wlan0
Sat Dec 11 09:49:03 2021 daemon.notice netifd: Interface 'OpenWRT' is enabled
Sat Dec 11 09:49:03 2021 daemon.notice netifd: Network device 'tun0' link is up
Sat Dec 11 09:49:03 2021 daemon.notice netifd: Interface 'OpenWRT' has link connectivity
Sat Dec 11 09:49:03 2021 daemon.notice netifd: Interface 'OpenWRT' is setting up now
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: TUN/TAP device tun0 opened
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: net_iface_mtu_set: mtu 1500 for tun0
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: net_iface_up: set tun0 up
Sat Dec 11 09:49:03 2021 daemon.notice netifd: Interface 'OpenWRT' is now up
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: net_addr_v4_add: 10.26.8.74/24 dev tun0
Sat Dec 11 09:49:03 2021 daemon.notice openvpn(OpenWRT)[2454]: /usr/libexec/openvpn-hotplug up OpenWRT tun0 1500 1538 10.26.8.74 255.255.255.0 init
Sat Dec 11 09:49:03 2021 user.notice firewall: Reloading firewall due to ifup of OpenWRT (tun0)
Sat Dec 11 09:49:08 2021 daemon.notice openvpn(OpenWRT)[2454]: net_route_v4_add: 141.98.102.242/32 via 192.168.1.1 dev [NULL] table 0 metric -1
Sat Dec 11 09:49:08 2021 daemon.notice openvpn(OpenWRT)[2454]: net_route_v4_add: 0.0.0.0/1 via 10.26.8.1 dev [NULL] table 0 metric -1
Sat Dec 11 09:49:08 2021 daemon.notice openvpn(OpenWRT)[2454]: net_route_v4_add: 128.0.0.0/1 via 10.26.8.1 dev [NULL] table 0 metric -1
Sat Dec 11 09:49:08 2021 daemon.notice openvpn(OpenWRT)[2454]: Initialization Sequence Completed
-
Hi, hoping someone can guide me here. When I've connected with the specific credentials via OpenWrt, Linux server or client, I always connect to the correct city and if I reconnect quickly enough, I receive the same IP address. But I've been having issues with my TrueNAS server and connecting to private tracking sites. I need to have the same IP address with Prowlarr and my torrent client. It would be ideal to have my browser as well, so if anyone knows how I can get Tailscale with the exit node working, that would be great. Anyway, I am using Dockge to install qbit, prowlarr and gluetun. The VPN connection works great, i.e. it connects, and I have access to both apps. They communicate with each other perfectly. Also, I am using the proper port with AirVPN (love that service). Can someone please let me know what I can fix in the stack below to improve this? I'd be very happy. So like I said, the stack below works, but every time I reconnect I connect to a different country/city, not even close to the IP range specified. This is supposed to be Alhena Toronto but I'm connecting to 185.200.116.211, 184.75.221.195 and 146.70.76.35; those are only 3 of the many different addresses I get when I reconnect.

services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    # Hostname to use for container, required in some instances for the rest of the stack to each other endpoints
    hostname: gluetun
    # line above must be uncommented to allow external containers to connect.
    # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-container-to-gluetun.md#external-container-to-gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 6881:6881
      - 6881:6881/udp
      - 8085:8085 # qbittorrent
      - 9696:9696 # Prowlarr
    volumes:
      - /mnt/mediapool/docker/stacks/gluetun:/gluetun
    environment:
      - VPN_TYPE=wireguard
      - VPN_SERVICE_PROVIDER=airvpn
      - WIREGUARD_ENDPOINT_IP=162.219.176.5
      - WIREGUARD_PUBLIC_KEY=pubkey
      - WIREGUARD_PRIVATE_KEY=privatekey
      - WIREGUARD_PRESHARED_KEY=presharedkey
      - WIREGUARD_ADDRESSES=10.135.235.221/32
      - TZ=America/Toronto
    restart: always
  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    container_name: qbittorrent
    network_mode: service:gluetun
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Toronto
      - WEBUI_PORT=8085
    volumes:
      - /mnt/mediapool/docker/stacks/qbit:/config
      - /mnt/mediapool/media/qbit/downloads/:/downloads
    depends_on:
      - gluetun
    restart: always
  prowlarr:
    image: lscr.io/linuxserver/prowlarr:latest
    container_name: prowlarr
    network_mode: service:gluetun
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Toronto
    volumes:
      - /mnt/mediapool/docker/stacks/prowlarr/data:/config
    restart: unless-stopped
networks: {}
-
In the AirVPN router setups, there are guides for DD-WRT, Tomato, AsusWRT and pfSense, but there's nothing for OpenWrt, which I find unusual because it's the custom firmware with the largest community. Do the current router guides work similarly for OpenWrt? Are there any differences worth knowing about? Also, isn't the Tomato firmware on the AirVPN download page deprecated? I believe the current up to date fork is called FreshTomato.
-
Apparently you can use Amnezia on OpenWRT: https://github.com/openwrt-xiaomi/awg-openwrt/wiki/AmneziaWG-installing#установка-amneziawg-на-openwrt-устройстве. I haven't tried this myself. Be careful, these are probably precompiled binary packages and might have anything in them. Maybe a separate router just for this would make sense?
-
Hello all, This is a collection from different tutorials which I will refer to here, but usually changed since some things changed. Setting up VPN on Synology is a modified neolefort tutorial from here and the reconnect script is from sundi which you can find here, which probably modified this script, plus my iptables for blocking Synology on router level when VPN fails.

Other contributions:
foobar666 - you no longer need to enter variables manually
_sinnerman_ - fixed script for DS 6.1

I'm doing this mostly because I usually forget things I managed to solve after a year or two, so this is a way to have a constant reminder how it was solved and also help others.

1. Get your certificates from AirVPN.

Go to the https://airvpn.org/generator/ page to generate the configuration file.
(1) SELECT the Advanced Mode (under "Config generator" title)
(2) SELECT LINUX OS
(3) Under "Protocols" section select one with protocol UDP, port 443 and tls-auth in the right column (at the time of writing, it was in the middle of the list). You can choose any combination of protocol/port, but then also change iptables accordingly if you are using the failsafe script. Don't choose any combination which has tls-crypt in the right column.
(4) Under "Advanced - OpenVPN only" section (right part of page), toggle "Separate keys/certs from .ovpn file" button and change/leave OpenVPN version to 2.5 (This works in DSM 7.2.1. For older versions you will maybe have to select OpenVPN version 2.4).
(5) SELECT 1 SERVER (refer to section "by single servers") OR COUNTRY OR ANYTHING ELSE YOU WANT
In the original tutorial, neolefort said to choose 1 server, because in that case you will get an IP instead of an xxx.airvpn.org domain. Choosing 1 server is safe because it doesn't need working DNS when you want to connect to VPN. If you choose anything else, you need working DNS on your router when establishing the VPN connection.
(6) Click "GENERATE" at the bottom.
(7) Page will reload with links on top to your files, save them to your computer.

The following files will be generated:
- AirVPN_XXXXX_UDP-443.ovpn
- ca.crt
- user.crt
- user.key
- ta.key

2. Setup AirVPN on Synology.

- Login as admin or with a user from the Administrators group.
- Open Control panel.
- Go to "Network" and click on tab "Network Interface"
- Click on button "Create" - "Create VPN profile"
- Choose "OpenVPN (via importing .ovpn file)"
- Click "Advanced options" so it shows all options
- Profile name: anything you want, but please keep it short and if you can without spaces " ", for example "AirVPN".
- User name: LEAVE EMPTY (for DSM 7+ just put anything here)
- Password: LEAVE EMPTY (for DSM 7+ just put anything here)
- Import .ovpn file: click button and import your AirVPN_XXXXX_UDP-443.ovpn
- CA certificate: click button and import your ca.crt
- Client certificate: click button and import your user.crt
- Client key: click button and import your user.key
- Certificate revocation: LEAVE EMPTY
- TLS-auth key: click button and import your ta.key
- Click "Next"
- Select all options and click "Done"

Now you have a working OpenVPN link on your Synology. You just need to start it from "Control panel" - "Network" - "Network Interface".

If you want to make your connection faster, you can remove some ciphers. Look for this line in the .ovpn file:

data-ciphers AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC

And change it to this:

data-ciphers AES-128-GCM

Then save the file and create a new connection with it. After some testing I found out AES-128-GCM is fastest of all the others mentioned in settings. You can also test other ciphers yourself and leave the one you find fastest.

EXTRAS!!!

3. Setting up external access to your Synology.

First what you will notice is, "I CAN'T ACCESS MY SYNOLOGY FROM OUTSIDE OF MY LAN!!!!!!! OMG OMG OMG!!!!" I will not explain port forwards on your router here, if you don't know how to make one, learn!

(1) You can port forward through the AirVPN webpage and access your Syno via the VPN exit IP. This sometimes works, most of the time it doesn't since Syno has some ports you cannot change. Anyway, change your default HTTP / HTTPS port on Syno to your forwarded AirVPN port and you should be fine. But forget about Cloudstation and similar things.
(2) If you want to access Syno via your ISP IP (WAN), then the problem is, your Syno is receiving your connection, but it's replying through the VPN. That's a security risk and those connections get dropped. But there is a solution!
- Access "Control panel" - "Network" - "General"
- Click "Advanced Settings" button
- Mark "Enable multiple gateways" and click "OK" and then "Apply"
You're done! It's working now (if you forwarded the right ports on your router).

4. Prevent leaks when VPN connection on Synology fails.

There will be a time when your VPN will fail, drop, disconnect, and your ISP IP will become visible to the world. This is one of the ways you can prevent it, on router level. For this you need Tomato, Merlin, DD-WRT or OpenWRT firmware on your router. I will tell you the steps for a Tomato router. If you are using different firmware, then you need to learn alone how to input this code into your router. Since Shibby version 129 for ARM routers, the syntax of iptables changed and depending on which version of iptables you are using, apply that code.

- Login to your router (usually just by entering 192.168.1.1 into your browser, if your IP is different, find out which is your gateway IP).
- Click on "Administration"
- Click on "Scripts"
- Choose tab "Firewall"

For Shibby v129 for ARM and later (iptables 1.4.x) use this:

#Use this order of commands because it executes in reverse order.
#This command will execute last, it kills all UDP requests.
iptables -I FORWARD -p udp -s 192.168.1.100 -j REJECT
#This command will execute second and will block all TCP source ports except those needed for web access or services
iptables -I FORWARD -p tcp -s 192.168.1.100 -m multiport ! --sports 5000,5001,6690 -j REJECT
#This command will execute first and will ACCEPT connection to your VPN on destination port 443 UDP
iptables -I FORWARD -p udp -s 192.168.1.100 -m multiport --dports 443 -j ACCEPT

For earlier Shibby versions and later for MIPS routers:

#Use this order of commands because it executes in reverse order.
#This command will execute last, it kills all UDP requests.
iptables -I FORWARD -p udp -s 192.168.1.100 -j REJECT
#This command will execute second and will block all TCP source ports except those needed for web access or services
iptables -I FORWARD -p tcp -s 192.168.1.100 -m multiport --sports ! 5000,5001,6690 -j REJECT
#This command will execute first and will ACCEPT connection to your VPN on destination port 443 UDP
iptables -I FORWARD -p udp -s 192.168.1.100 -m multiport --dports 443 -j ACCEPT

Port TCP 5000 = HTTP for Synology web access (change to yours if it's not default)
Port TCP 5001 = HTTPS for Synology web access (change to yours if it's not default)
Port TCP 6690 = Cloud Station port
Port UDP 443 = AirVPN connection port which you defined in step 1 of this tutorial. If you are using a TCP port, then you need to change "-p udp" to "-p tcp" in that line.

If you need more ports, just add them separated by comma ",". If you want a port range, for example 123,124,125,126,127, you can add it like this: 123:127. Change IP 192.168.1.100 to your Synology LAN IP. Be careful NOT TO assign those ports to your Download Station on Synology.

This isn't perfect, you can still leak your IP through UDP 443, but since torrent uses mostly TCP, those chances are minimal. If you use a TCP port for VPN, then those chances increase. If you really want to be sure nothing leaks even on UDP 443 (or your custom port), you need to choose 1 (ONE) AirVPN server. You need to find that server's entry IP and change the last IPTABLES rule to something like this:

iptables -I FORWARD -p udp -s 192.168.1.100 -d 123.456.789.123 -m multiport --dports 443 -j ACCEPT

Where 123.456.789.123 is the AirVPN server entry IP. This will allow UDP 443 only for that server, the rest will be rejected by the router.

These are all my opinions, from my very limited knowledge, which may be right and may be wrong.

5. Auto reconnection when VPN is down.

Since when you made your VPN connection on your Synology, you checked the "Reconnect" option, Syno will try to reconnect automatically when the connection fails. But in some cases, your network will be offline long enough and Syno will stop trying to reconnect, or will hang with the VPN connection established, but not working. In those cases you can use this auto reconnect script.

This is the reconnect script. Just select all script text and copy it.

#VPN Check script modified Sep 11, 2016
#Script checks if VPN is up, and if it is, it checks if it's working or not. It provides details like VPN is up since, data
#received/sent, VPN IP & WAN IP.
#If VPN is not up it will report it in the log file and start it
#Change LogFile path to your own location.
#Save this script to file of your choosing (for example "synovpn_reconnect"). Store it in one of your Synology shared folders and chmod it: "chmod +x /volume1/shared_folder_name/your_path/synovpn_reconnect"
#Edit "/etc/crontab" and add this line without quotes for starting script every 10 minutes: "*/10 * * * * root /volume1/shared_folder_name/your_path/synovpn_reconnect"
#After that restart cron with: "/usr/syno/sbin/synoservicectl --restart crond"

#!/bin/sh
DATE=$(date +"%F")
TIME=$(date +"%T")
VPNID=$(grep "\[.*\]" /usr/syno/etc/synovpnclient/openvpn/ovpnclient.conf | cut -f 2 -d "[" | cut -f 1 -d "]")
VPNNAME=$(grep conf_name /usr/syno/etc/synovpnclient/openvpn/ovpnclient.conf | cut -f 2 -d "=")
LogFile="/volume1/filmovi/Backup/airvpn/check_airvpn_$DATE.log"
PUBIP=$(curl -s -m 5 icanhazip.com)
#PUBIP=$(curl -s -m 5 ipinfo.io/ip)
#PUBIP=$(curl -s -m 5 ifconfig.me)
CHECKIP=$(echo $PUBIP | grep -c ".")

start_vpn() {
  echo "VPN is down. Attempting to (re)start now." >> $LogFile
  # /usr/syno/bin/synovpnc kill_client --protocol=openvpn --name=$VPNNAME
  /usr/syno/bin/synovpnc kill_client
  /bin/kill `cat /var/run/ovpn_client.pid` 2>/dev/null
  sleep 35
  echo 1 > /usr/syno/etc/synovpnclient/vpnc_connecting
  echo conf_id=$VPNID > /usr/syno/etc/synovpnclient/vpnc_connecting
  echo conf_name=$VPNNAME >> /usr/syno/etc/synovpnclient/vpnc_connecting
  echo proto=openvpn >> /usr/syno/etc/synovpnclient/vpnc_connecting
  /usr/syno/bin/synovpnc reconnect --protocol=openvpn --name=$VPNNAME >> $LogFile
}

sleep 6
echo "======================================" >> $LogFile
echo "$DATE $TIME" >> $LogFile

if ifconfig tun0 | grep -q "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00"
then
  if [ "$CHECKIP" == 1 ]
  then
    IPADDR=$(/sbin/ifconfig tun0 | grep 'inet addr' | cut -d: -f2 | awk '{print $1}')
    RXDATA=$(/sbin/ifconfig tun0 | grep "bytes:" | cut -d: -f2 | awk '{print $1,$2,$3}')
    TXDATA=$(/sbin/ifconfig tun0 | grep "bytes:" | cut -d: -f3 | awk '{print $1,$2,$3}')
    UPTIME=$(cat /var/log/messages | grep "$IPADDR" | awk '{print $1}' | tail -1)
    UPTIME=$(date -d"$UPTIME" +"%Y/%m/%d
%H:%M:%S") echo "VPN is up since: $UPTIME" >> $LogFile echo "Session Data RX: $RXDATA" >> $LogFile echo "Session Data TX: $TXDATA" >> $LogFile echo "VPN IP is: $IPADDR" >> $LogFile echo "WAN IP is: $PUBIP" >> $LogFile else start_vpn fi else start_vpn fi exit 0 (1) Login to you Synology DSM web interface as admin. - As admin go to "Control panel" - "Task Scheduler" (you need to enable advanced mode in top right corner of control panel for this) - Click "Create" button near top of page, then select "Scheduled Task" and then "User-defined script" (2) New popup window will open. - under "Task:" enter task name - under "User:" select "root" if it's not already selected - switch to "Schedule" tab and select how often you want this task to run, my settings are: - "Run of following days" - "Daily" - "First run time" - 00:00 - "Frequency" - "Every 10 minutes" - "Last run time" - 23:50 - switch to "Task settings" tab - paste script you copied into empty box under "User-defined script" title - press OK and you're done I tested this on DSM 6.2.2 and it works without problems for now. Still, I'm keeping old instructions in next post, if someone wants to do it like that. Tip: If you don't want logfile, you can comment out those lines, or remove ">> $LogFile" code from whole script. That's all. If you entered everything correctly, you should be fine and ready to go! Comments are welcome. If you find mistakes, please correct me.
-
ANSWERED OpenWrt: default gateway vs. policy based routing
Staff replied to Quokka's topic in Troubleshooting and Problems
Hello! We post the reply to your ticket by the support team for the reader's comfort.

====

Hello and thank you for your choice!

We do not think that the problem can be approached and resolved through OpenVPN configuration files. We would consider policy based routing on the router. In this way you can configure each specific device behind the router to have its traffic routed through the proper tun interface or even through the WAN (outside the VPN, therefore). Please check the documentation.

An overview of the Policy Based Routing (PBR) utility: https://openwrt.org/docs/guide-user/network/routing/pbr

A specific approach to achieve the setup: https://search.brave.com/search?q=openwrt+policy+routing+for+multiple+OpenVPN+client+connections&summary=1&conversation=f943dbcf532434cd689c65

Kind regards
AirVPN Support Team

====

Kind regards -
Hello guys, tell me how to set up a VPN client so that I can connect to OpenWrt from a mobile phone. Right now only AirVPN or the WG server works for me. How do I allow a WG client to connect to the AirVPN tunnel?
-
https://www.speedtest.net/result/17110029766 715.99 / 407.80 between France, with a WireGuard client on OpenWrt (europe3.vpn.airdns.org), and an NL server through the NL AirVPN server.
-
Hi everyone, I want to use the WireGuard protocol from AirVPN on an OpenWrt router behind my ISP router. Is there any guide for this solution? I found many guides from other VPN services but it doesn't work for me. Can anybody help me with this problem?
-
Using AirVPN with OpenWRT

This guide is for users who want to set up an OpenWRT (Chaos Calmer) router and already have it up and running without modification. This guide will work with a router that has more than one network interface and at least 8 MB flash (because of the dependencies). Please backup your router first!!!

1. Set up the wan interface as a DHCP client; that way you can use your router with most ISP boxes.

2. Set up a wireless network with the name and password of your choice, and a DHCP server. (Please note that you should use WPA2-PSK.)

3. Connect to your new wireless network.

4. Unbridge the LAN interface(s). Go to "Physical Settings" of the LAN interface(s) and uncheck "creates a bridge over specified interface(s)". Check the interface button of your new wireless network.

5. Connect to your router via SSH.

6. Install the dependencies for the openvpn setup. First update the packages, then install openvpn and nano:

```sh
opkg update
opkg install openvpn-openssl
opkg install nano
```

7. Backup the openvpn files:

```sh
mv /etc/config/openvpn /etc/config/openvpn_old
```

8. Create a new interface called airvpn:

```sh
cat >> /etc/config/network << EOF
config interface 'airvpn'
	option proto 'none'
	option ifname 'tun0'
EOF
```

9. Use the "Config Generator" of AirVPN to create the openvpn files. Please select "Advanced Mode" and check "Separate keys/certs from .ovpn file" and "Resolved hosts in .ovpn file". Save the files on your machine.

10. On the router move into the openvpn folder:

```sh
cd /etc/openvpn
```

11. Use nano to create all the required files on your router. Copy and paste the following files: "AirVPN_**************.ovpn, ta.key, ca.crt, user.crt, user.key". Rename "AirVPN_**************.ovpn" to airvpn.conf for usability.

```sh
nano airvpn.conf
nano ta.key
nano ca.crt
nano user.crt
nano user.key
```

The airvpn.conf should look like this:

```
client
dev tun
proto udp
remote xxx.XXX.xxx.XXX XXX
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
route-delay 5
verb 3
ca ca.crt
cert user.crt
key user.key
tls-auth ta.key 1
```

12. Create a firewall zone for the vpn:

```sh
cat >> /etc/config/firewall << EOF
config zone
	option name 'air_firewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'airvpn'

config forwarding
	option dest 'air_firewall'
	option src 'lan'
EOF
```

13. Reboot the router.

14. Test the openvpn configuration:

```sh
openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.conf
```

At the end it should show "Initialization Sequence Completed". Stop openvpn with "Ctrl-C".

15. Use the AirVPN DNS (here port 443 - protocol UDP) and reboot. Please change it if you use a different port (https://airvpn.org/specs/):

```sh
uci add_list dhcp.lan.dhcp_option="6,10.4.0.1"
uci commit dhcp
reboot
```

16. Secure against IP leak: backup the old firewall and create new firewall rules. There is deliberately no forwarding from lan to wan, so LAN clients can only leave through the airvpn zone.

```sh
mv /etc/config/firewall /etc/config/firewall.backup
cat >> /etc/config/firewall << EOF
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# wan input is REJECT (the OpenWrt default): ACCEPT here would expose the
# router's own services (SSH, LuCI) to the internet
config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'wan'
	option input 'REJECT'

config zone
	option name 'airvpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'airvpn'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'airvpn'
	option src 'lan'
EOF
```

TEST WITH ipleak.net... It worked that way with my router; I would be happy if someone else could verify my setup.
-
This is how I configured AirVPN on a Raspberry Pi 3B for our small home network. With this configuration I was able to use our full download speed of 100 Mbit updating the Steam library on a Saturday night (ger to ger - Frankfurt exit node).

I took the time to write this down:
a) in the hope someone with actual knowledge might look over it and tell me my divine mistake .. go on, .. won't bite.. promise!
b) it helps people getting their OpenWRT / AirVPN

I use LuCI, the OpenWRT browser GUI. I started with a clean base install, updated it and configured the pppoe uplink according to the guides on openwrt.org.

Then I installed the following packages: openvpn-openssl vpnbypass luci-app-vpnbypass luci-app-openvpn

Your router menu should now have a new menu item: VPN, with OpenVPN and VPN Bypass as menu items (reload F5).

Next I created a new interface in the Network config: Add new interface ..
In the General tab -->> Name: vpntunnel, Proto: unmanaged, Device -> custom: tun0
In the Advanced tab -->> deselect "Use DNS servers advertised by peer", Use custom DNS servers: 10.4.0.1 (enter IP and hit +)
save + save and apply! .. it should look something like this. The new tun device throws an error since nothing is connected yet; that's fine for now.

Next I created a firewall zone in Network -> Firewall: Add
In the General tab -->> Name: vpnfirewall, input: reject, output: accept, forward: reject. Masquerading: yes, MSS clamping: yes, covered network: vpntunnel, allowed destination: unspecified, allowed source: LAN
save + save and apply! ..

Next I generated the OpenVPN config: https://airvpn.org/generator/
Select -->> Router, OpenVPN UDP 443 and your country and hit generate. You will get a file with ovpn as suffix. This single file contains everything you need to establish a connection via VPN!!

Next I uploaded that file to my router via VPN -> OpenVPN in my router menu. Give it a name, select the ovpn file and hit upload. After enabling and starting the configuration it should look something like this:

https://ipleak.net/ now should show only VPN IP addresses (DNS and exit node) for your whole LAN network. Mission accomplished.

Additionally there is the VPN Bypass plugin in case you want to exclude certain local hosts, ports or networks from your VPN connection. Its usage is simple as a dream ...

Here are my network, dhcp, vpn, and firewall configs for verification:

/etc/config/network

```
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd4f:b73d:0b1f::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.1.1.1'

config interface 'WAN'
	option proto 'pppoe'
	option ipv6 'auto'
	option username 'username@provider.de'
	option password '12345678'
	option device 'eth1.7'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '7'
	option name 'eth1.7'
	option acceptlocal '1'

config interface 'vpntunnel'
	option proto 'none'
	option device 'tun0'
	option peerdns '0'
	list dns '10.4.0.1'
```

/etc/config/dhcp

```
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option force '1'
	option master '1'
	list ra_flags 'none'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
```

/etc/config/openvpn

```
config openvpn 'airvpnger'
	option config '/etc/openvpn/airvpnger.ovpn'
	option enabled '1'
```

/etc/config/firewall

```
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'WAN'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'vpntunnel'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'
```
-
No. I moved to OpenWrt and installed Amnezia, working great now with no DPI detection and full ISP speed.
-
Thanks. I tried Amnezia with the specific params on iPhone and it successfully passed the aggressive DPI in Egypt. Unfortunately, Amnezia is not supported on DD-WRT; I will check if OpenWrt supports it.
-
@pipox9 Take a look at this video: https://www.youtube.com/watch?v=04q41GEPvKA This channel has a lot of other very good OpenWrt content. I'd recommend you use WireGuard instead of OpenVPN for performance reasons. Going further, I'd recommend using https://docs.openwrt.melmac.net/pbr/ if you want some traffic to go via clearnet and the rest through the VPN. There's a video showing how to set it up on that page. The pbr guide recommends you start from a fresh OpenWrt installation, especially if you have made any significant modifications besides adding WiFi networks. Just remember to backup your configuration before making any changes. It's a good idea to do frequent backups, with a short description of what you changed in the filename.
-
Hello,

CHACHA20 is being rolled out. I would like to know how to best upgrade my system to improve performance.

OPENWRT
I use AirVPN on OpenWRT powered routers which do not have AES-NI. Apparently CHACHA20 and OpenVPN 2.5 are supposed to be in OpenWRT? But officially OpenVPN in OpenWRT is at 2.4.7-2? Is there a specific library or package I need for OpenWRT to run AirVPN CHACHA20? What is the expected performance boost switching to AirVPN's CHACHA20 on an OpenWRT router without AES-NI?

APPS
I also use AirVPN on mac through Tunnelblick. Tunnelblick stable supports OpenVPN 2.5 Beta 3. The latest Tunnelblick beta supports OpenVPN 2.5. Can Tunnelblick do AirVPN CHACHA20? What is the speed difference using AirVPN CHACHA20 through Hummingbird, Eddie and Tunnelblick on a mac Intel Core i5 AES-NI chip? What is the influence on battery/power drain using AirVPN CHACHA20 through Hummingbird, Eddie and Tunnelblick on a mac Intel Core i5 AES-NI chip?

Thanks.
-
Openwrt airvpn client and wg Tunnel
OpenSourcerer replied to igorekDE's topic in General & Suggestions
Ooh, I see. Wireguard > OpenWrt > AirVPN. You want to be able to use the VPN connection when connecting to OpenWrt. I'm guessing so that you may use devices in your local network while making sure everything else is routed through the VPN. Post your iptables rules, the configs of the Wireguard server, OpenVPN client, and OpenWrt configs of the networks and/or interfaces. I'll see what I can find but I'm not too acquainted with OpenWrt, so maybe others can answer in more detail, then.