You start with a router running Padavan's firmware with the OpenVPN client enabled. The firmware's home page is https://bitbucket.org/padavan/rt-n56u. There is also the Prometheus script, developed to simplify the compilation process and to extend the list of supported devices: http://prometheus.freize.net

Log in to your router via the web interface. By default its LAN address is 192.168.1.1. Go to the VPN Client item of the main menu, http://192.168.1.1/vpncli.asp#cfg (http://my.router/vpncli.asp#cfg). Toggle the switch "Enable VPN Client", then fill in the form as shown on Scr1.png.

You can use any of the servers specified in OpenVPN configuration files (extension "ovpn"). Download the configuration files needed for the OpenVPN connection with the generator at https://airvpn.com/generator: choose "Linux" and then the further options. Note that there are many options, such as country, protocol and port number. The result is one or more OpenVPN configuration files with the extension "ovpn", possibly in an archive. The file name defines the country or region, a number, the protocol and the port. For example, in the file "AirVPN_America_UDP-443.ovpn", "America" is the region, "UDP" is the transport protocol and "443" is the port number. We will use this file as the example; other files are treated the same way.

The line containing the server address begins with the word "remote"; in the example it is "remote america.vpn.airdns.org 443", and the last numerical value is the port number. The screenshot shows the UDP case. To use TCP, change the "Port" field to the corresponding port number and "Transport" to TCP. The protocol is also given by the line beginning with "proto". You can leave "OpenVPN Extended Configuration" as it is; you can also comment out the line "ns-cert-type server" with a leading "#" (this directive was deprecated in OpenVPN 2.4 and removed in 2.5; "remote-cert-tls server" performs the same server-certificate check). Scroll down, fill in the form as shown on Scr2.png, and press the "Apply" button. In the example, the option not to obtain DNS from the VPN server is chosen.
It is assumed that the router's WAN is configured to use OpenDNS (208.67.222.222, 208.67.220.220) or Google DNS (8.8.8.8, 8.8.4.4). There is also an option to specify the DNS servers handed out to LAN clients (Advanced Settings -> LAN -> DHCP Server tab, http://192.168.1.1/Advanced_DHCP_Content.asp, http://my.router/Advanced_DHCP_Content.asp). Alternatively, you can set this option to obtain DNS from the VPN server ("Add to existing list" or "Replace all existing").

Pay special attention to the item "Restrict Access from VPN Server Site". It controls access to the router from the Internet through the tunnel. The safest choice, shown on Scr2.png, is "Yes, block all connections (site is foreign)". If you choose "No (Site-to-Site)", the tunnel side is treated as trusted and, with the NAT translation in place, TOTAL ACCESS TO THE ROUTER, INCLUDING ITS MANAGEMENT INTERFACES (HTTP, HTTPS AND SSH), IS GRANTED FROM THE INTERNET VIA THE TUNNEL.

Go to the "OpenVPN Certificates & Keys" tab, http://192.168.1.1/vpncli.asp#ssl (http://my.router/vpncli.asp#ssl), and copy the content between the tags "<ca>" and "</ca>" into the field "ca.crt", the content between "<cert>" and "</cert>" into "client.crt", the content between "<key>" and "</key>" into "client.key", and the content between "<tls-auth>" and "</tls-auth>" into "ta.key", then press the "Apply" button, as shown on Scr3.png. The tags themselves are never part of the content. Treat client.key and ta.key as secrets: they authenticate your account to the server, so keep them out of shared screenshots and forum posts.

Now your router should connect to the VPN server. You can check it by the white word "Connected" in the green rectangle to the right of the VPN server address on the VPN Client page, http://192.168.1.1/vpncli.asp#cfg (http://my.router/vpncli.asp#cfg), as shown on Scr1.png. You can also visit a site that displays your IP address, e.g. https://ipleak.net. Once the result is positive, make your changes permanent.
You can do that in one of three ways: run the command "mtd_storage.sh save" in the console; on the page Advanced Settings -> Administration -> Settings, http://192.168.1.1/Advanced_SettingBackup_Content.asp (http://my.router/Advanced_SettingBackup_Content.asp), press the "Commit" button to the right of "Commit Internal Storage to Flash Memory Now"; or reboot the router with the Reboot button to the right of the "Logout" button. To sum up: the files corresponding to the filled-in fields are stored in the directory /etc/storage/openvpn/client, and the resulting OpenVPN configuration file is stored in /etc/openvpn/client.

To prevent traffic leaking if the VPN tunnel drops, edit the content of "Run the Script After Connected/Disconnected to VPN Server" on the VPN Client page, http://192.168.1.1/vpncli.asp#cfg (http://my.router/vpncli.asp#cfg), shown on Scr2.png, and add lines to the functions func_ipup and func_ipdown; the resulting content should be as in the file /etc/storage/vpnc_server_script.sh, which, by the way, is the same file the form content is saved to. You should also block traffic until the tunnel is up. To do that, edit the form "Run After Firewall Rules Restarted" on the page Advanced Settings -> Customization -> Scripts, http://192.168.1.1/Advanced_Scripts_Content.asp (http://my.router/Advanced_Scripts_Content.asp); the resulting content should be as in the file /etc/storage/post_iptables_script.sh. The additional lines delete the SNAT rule(s) that do not involve the LAN bridge br0, i.e. the translation to the WAN address, so that LAN traffic which is not going through the tunnel is not NATed out of the physical WAN. Finally, make your changes permanent in the same way as discussed before.

Two caveats. The REJECT rule in FORWARD only covers traffic the router forwards for LAN clients; the router's own traffic goes through the OUTPUT chain and is not blocked by it, and that includes the upstream DNS queries the router's forwarder (dnsmasq) sends on behalf of LAN clients, so DNS can still leave via the WAN while the tunnel is down unless you restrict OUTPUT as well. And post_iptables_script.sh checks the fixed interface name tun0; if your client uses another interface, adjust the name.

vpnc_server_script.sh:

#!/bin/sh
### Custom user script
### Called after internal VPN client connected/disconnected to remote VPN server
### $1 - action (up/down)
### $IFNAME - tunnel interface name (e.g. ppp5 or tun0)
### $IPLOCAL - tunnel local IP address
### $IPREMOTE - tunnel remote IP address
### $DNS1 - peer DNS1
### $DNS2 - peer DNS2

# private LAN subnet behind a remote server (example)
peer_lan="192.168.9.0"
peer_msk="255.255.255.0"

### example: add static route to private LAN subnet behind a remote server
func_ipup() {
#   route add -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME
    # tunnel is up: remove the blocking rule if it exists
    # (-C prints an error when the rule is absent, hence 2>/dev/null)
    if iptables -C FORWARD -j REJECT 2>/dev/null; then
        iptables -D FORWARD -j REJECT
    fi
    return 0
}

func_ipdown() {
#   route del -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME
    # tunnel dropped: block all forwarded traffic so LAN clients cannot leak via the WAN
    if ! iptables -C FORWARD -j REJECT 2>/dev/null; then
        iptables -I FORWARD -j REJECT
    fi
    return 0
}

logger -t vpnc-script "$IFNAME $1"

case "$1" in
up)
    func_ipup
    ;;
down)
    func_ipdown
    ;;
esac

post_iptables_script.sh:

#!/bin/sh
### Custom user script
### Called after internal iptables reconfig (firewall update)

# block forwarded traffic while the tunnel is not up; match the UP flag inside
# the "<...>" flag list, because tun devices commonly report "state UNKNOWN"
if ! ip link show tun0 2>/dev/null | grep -q '[<,]UP[,>]' \
   && ! iptables -C FORWARD -j REJECT 2>/dev/null; then
    iptables -I FORWARD -j REJECT
fi

# delete every SNAT rule that does not involve the LAN bridge br0 (i.e. the
# translation to the WAN address), one rule at a time in case there are several;
# "-A <rule>" from iptables -S becomes "iptables -t nat -D <rule>"
iptables -t nat -S | grep SNAT | grep -v br0 | while read -r rule; do
    eval "iptables -t nat -D ${rule#-A }"
done
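Added example, not code from the original post nor from the Padavan or AirVPN projects: the copy-between-tags step described earlier done with a script, in the POSIX shell (busybox ash is enough) that the router itself runs. It decodes the file name and the "remote"/"proto" lines, cuts the four inline PEM blocks into files named after Padavan's fields (the tags are excluded, CRLF line endings tolerated), refuses to produce an empty file, and flags the obsolete ns-cert-type directive. The sample profile and its placeholder PEM bodies are constructed, not real credentials; the "AirVPN_<Region>_<PROTO>-<port>.ovpn" naming pattern is assumed from the "AirVPN_America_UDP-443.ovpn" example.

```shell
#!/bin/sh
# Added example (not from the original post, Padavan or AirVPN): extract what the
# tutorial copies by hand from an AirVPN-style .ovpn profile with inline blocks.
# Assumption: file names follow "AirVPN_<Region>_<PROTO>-<port>.ovpn".

# Constructed sample profile: placeholder PEM bodies, not real credentials.
SAMPLE_OVPN=$(cat <<'EOF'
client
dev tun
proto udp
remote america.vpn.airdns.org 443
ns-cert-type server
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedCAplaceholder
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIBconstructedClientCertPlaceholder
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEconstructedClientKeyPlaceholder
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
)
WORK=$(mktemp -d)
OVPN="$WORK/AirVPN_America_UDP-443.ovpn"
printf '%s\n' "$SAMPLE_OVPN" > "$OVPN"

# ovpn_name_parts FILE -> "Region proto port" decoded from the file name
ovpn_name_parts() {
    n=$(basename "$1" .ovpn); n=${n#*_}        # America_UDP-443
    rest=${n#*_}                                # UDP-443
    echo "${n%%_*} $(echo "${rest%%-*}" | tr 'A-Z' 'a-z') ${rest##*-}"
}

# ovpn_remote FILE -> "host port proto"; a proto on the remote line overrides
# the global "proto" directive, as OpenVPN does; defaults are 1194 and udp
ovpn_remote() {
    awk '$1 == "remote" { h = $2; if ($3 != "") p = $3; if ($4 != "") rp = $4 }
         $1 == "proto"  { gp = $2 }
         END { if (p == "") p = 1194
               pr = (rp != "") ? rp : (gp != "") ? gp : "udp"
               print h, p, pr }' "$1"
}

# ovpn_field FILE KEYWORD -> value of the first "KEYWORD value" line
ovpn_field() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# ovpn_block FILE TAG -> lines strictly between <TAG> and </TAG>, tags excluded
ovpn_block() {
    awk -v o="<$2>" -v c="</$2>" '
        { sub(/\r$/, "") }
        $0 == c { inblk = 0 }
        inblk   { print }
        $0 == o { inblk = 1 }' "$1"
}

# ovpn_split FILE OUTDIR -> ca.crt client.crt client.key ta.key (Padavan's field names)
ovpn_split() {
    mkdir -p "$2" || return 1
    ovpn_block "$1" ca       > "$2/ca.crt"
    ovpn_block "$1" cert     > "$2/client.crt"
    ovpn_block "$1" key      > "$2/client.key"
    ovpn_block "$1" tls-auth > "$2/ta.key"
    chmod 600 "$2/client.key" "$2/ta.key"            # private material
    for f in ca.crt client.crt client.key ta.key; do  # empty file = missing block
        [ -s "$2/$f" ] || { echo "missing block for $f in $1" >&2; return 1; }
    done
}

# ovpn_obsolete FILE -> succeeds (and prints the lines) if the profile still uses
# ns-cert-type, which OpenVPN 2.4 deprecated and 2.5 removed
ovpn_obsolete() {
    awk '$1 == "ns-cert-type" { print; n++ } END { exit n ? 0 : 1 }' "$1"
}

echo "file name: $(ovpn_name_parts "$OVPN")"
echo "remote:    $(ovpn_remote "$OVPN")   key-direction: $(ovpn_field "$OVPN" key-direction)"
ovpn_split "$OVPN" "$WORK/client" && ls -l "$WORK/client"
ovpn_obsolete "$OVPN" && echo "replace with: remote-cert-tls server" >&2
```

Run it on a workstation first; it needs only sh, awk and basic coreutils. Pasting the four output files into the web form is equivalent to what the post describes; if you write them to the router directly, the post names /etc/storage/openvpn/client as the directory behind those fields, and the change still has to be committed with mtd_storage.sh save.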