Showing results for tags 'openwrt'.
Found 13 results
-
Hi Forum,

A couple of days ago I switched from my previous VPN supplier, Perfect Privacy, to AirVPN. I am not making use of Eddie, but am relying on a dedicated VPN router instead (a four-port Protectli VP2420 with a Celeron J6412 processor). Connected to the switch downstream of this router are two desktops and a laptop. Since I was already using said VPN router when I was still making use of Perfect Privacy, reconfiguring it for AirVPN was a breeze: I uploaded the OpenVPN configuration files for a number of countries (Belgium, Germany, the Netherlands, Norway and Sweden), and I was good to go 👍.

However, I do still have an issue now I am with AirVPN that I have not yet sorted out. This has to do with the fact that I'd like my two desktops to connect to a server in the Netherlands, whereas my laptop should connect to a server in Sweden. Previously, I managed to do this under OpenWrt by making the connection with the server in the Netherlands my default gateway, by adding the following two lines to the OpenVPN configuration file for the Dutch server:

1. redirect-gateway def1
2. redirect-gateway ipv6

At the same time, traffic from my laptop was routed to a server in Sweden by making use of the 'policy based routing' package of OpenWrt, and by adding the following two lines to the OpenVPN configuration file for the Swedish server:

3. pull-filter ignore "redirect-gateway"
4. pull-filter ignore "redirect-gateway ipv6"

Having switched to AirVPN, I have been trying to reach the same result by adding lines 1 and 2 to the configuration file for the Netherlands ('remote nl3.vpn.airdns.org 443'), and lines 3 and 4 to the file for Sweden ('remote se3.vpn.airdns.org 443'). Although it would have been nice if the solution were as simple as this 😎, unfortunately it doesn't work. The server in the Netherlands doesn't become my default gateway, and my laptop doesn't connect to a server in Sweden as my routing policy tells it to.
My question is hence what I should change in the OpenVPN configuration file to make the connection to a server in the Netherlands my default gateway, and also, what needs to be changed in the configuration file for Sweden to make OpenWrt understand that a connection to a server in the latter country should be seen as ‘secondary gateway’, through which traffic is routed only when it is generated by the laptop for which my routing policy is in place. Any suggestions you may have will be warmly welcomed 🙏!
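The post above describes the split the poster wants: one tunnel is the default gateway, a second tunnel carries only traffic from selected LAN hosts. Below is an added example of how that second tunnel can be wired with a dedicated routing table and source-address rules, as a route-up/down hook for the secondary OpenVPN instance. It is example code written for this page, not the poster's configuration or the policy-based routing package; OpenVPN does export the dev, route_vpn_gateway and ifconfig_local variables to such hooks, but the table number, the laptop address and the script path are assumptions for the example.

```sh
#!/bin/sh
# pbr-tunnel.sh: route-up/down hook for the *secondary* OpenVPN tunnel.
# Example code added here, not the original poster's configuration.
# OpenVPN exports dev, route_vpn_gateway and ifconfig_local to route-up and
# down scripts (openvpn(8), "Environmental Variables"). Assumptions:
#   TABLE     - a spare routing table number for the secondary tunnel
#   PBR_HOSTS - LAN hosts whose traffic must leave via this tunnel
# In the secondary tunnel's .ovpn (the one with pull-filter ignore
# "redirect-gateway") reference it as:
#   script-security 2
#   route-up "/etc/openvpn/pbr-tunnel.sh up"
#   down "/etc/openvpn/pbr-tunnel.sh down"
TABLE="${TABLE:-100}"
PBR_HOSTS="${PBR_HOSTS:-192.168.1.50}"
DRYRUN="${DRYRUN:-0}"

# run: execute a command, or print it when DRYRUN=1 so the logic can be
# checked on a machine without ip(8) privileges.
run() {
    if [ "$DRYRUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# have_rule PATTERN: true if an identical ip rule already exists, so that a
# reconnect does not stack duplicates (never true in DRYRUN mode).
have_rule() {
    [ "$DRYRUN" = 1 ] && return 1
    ip rule show | grep -q -- "$1"
}

pbr_up() {
    # The dedicated table gets a default route via the gateway the server
    # pushed; the main table keeps the primary tunnel as default gateway.
    run ip route replace default via "$route_vpn_gateway" dev "$dev" table "$TABLE"
    # Traffic sourced from the tunnel address itself also uses the table.
    run ip rule add from "$ifconfig_local" lookup "$TABLE" priority 1000
    for h in $PBR_HOSTS; do
        run ip rule add from "$h" lookup "$TABLE" priority 1001
        # Fail closed: with the table empty (tunnel down) the lookup rule
        # falls through and this lower-priority rule blocks the host,
        # instead of silently sending it through the main table.
        have_rule "from $h unreachable" || run ip rule add from "$h" unreachable priority 2001
    done
    run ip route flush cache
}

pbr_down() {
    # Remove only the lookup rules; the unreachable rules stay in place so
    # the policy-routed hosts are cut off while the tunnel is down.
    run ip rule del from "$ifconfig_local" lookup "$TABLE" priority 1000
    for h in $PBR_HOSTS; do
        run ip rule del from "$h" lookup "$TABLE" priority 1001
    done
    run ip route flush table "$TABLE"
    run ip route flush cache
}

case "${1:-}" in
    up)   pbr_up ;;
    down) pbr_down ;;
esac
```

The secondary tunnel's tun interface still has to sit in a firewall zone with masquerading enabled, exactly like the primary one, because the source NAT happens per output interface; the rules above only decide which tun the packet leaves on. Run it once with DRYRUN=1 and the three variables set by hand to see the ip commands it would issue before trusting it on the router.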
-
Using AirVPN with OpenWRT

This guide is for users who want to set up an OpenWRT (Chaos Calmer) router and have it already up and running without modification. This guide will work with a router that has more than one network interface and at least 8 MB flash (because of the dependencies). Please backup your router first!!!

1. Set up the wan interface as a dhcp client, that way you can use your router at most of the ISP boxes.

2. Set up a wireless network with the name and password of your choice, and a dhcp server. (Please note that you should use WPA2-PSK).

3. Connect to your new wireless network.

4. Unbridge the LAN interface(s). Go to "Physical Settings" of the LAN interface(s) and uncheck "creates a bridge over specified interface(s)". Check the interface button of your new wireless network.

5. Connect to your router via SSH.

6. Install dependencies for the openvpn setup. First update the packages, then install openvpn and nano:

opkg update
opkg install openvpn-openssl
opkg install nano

7. Backup the openvpn files:

mv /etc/config/openvpn /etc/config/openvpn_old

8. Create a new interface called airvpn:

cat >> /etc/config/network << EOF
config interface 'airvpn'
    option proto 'none'
    option ifname 'tun0'
EOF

9. Use the "Config Generator" of AirVPN to create the openvpn files. Please select the "Advanced Mode" and check "Separate keys/certs from .ovpn file" and "Resolved hosts in .ovpn file". Save the files on your machine.

10. On the router move into the openvpn folder:

cd /etc/openvpn

11. Use nano to create all the required files on your router. Copy and paste the following files: "AirVPN_**************.ovpn, ta.key, ca.crt, user.crt, user.key". Rename the "AirVPN_**************.ovpn" into airvpn.conf for usability.

nano airvpn.conf
nano ta.key
nano ca.crt
nano user.crt
nano user.key

The airvpn.conf should look like this:

client
dev tun
proto udp
remote xxx.XXX.xxx.XXX XXX
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
route-delay 5
verb 3
ca ca.crt
cert user.crt
key user.key
tls-auth ta.key 1

12. Create a firewall zone for the vpn:

cat >> /etc/config/firewall << EOF
config zone
    option name 'air_firewall'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'airvpn'

config forwarding
    option dest 'air_firewall'
    option src 'lan'
EOF

13. Reboot router.

14. Test openvpn configuration:

openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.conf

At the end it should show "Initialization Sequence Completed". Stop openvpn with "Ctrl-C".

15. Use the AirVPN DNS (here Port 443 - Protocol UDP) and reboot. Please change if you use a different port (https://airvpn.org/specs/):

uci add_list dhcp.lan.dhcp_option="6,10.4.0.1"
uci commit dhcp
reboot

16. Secure against IP leak: backup the old firewall and create new firewall rules.

mv /etc/config/firewall /etc/config/firewall.backup

cat >> /etc/config/firewall << EOF
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'wan'
    option output 'ACCEPT'
    option forward 'REJECT'
    option network 'wan'
    option input 'ACCEPT'

config zone
    option name 'airvpn'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'airvpn'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config forwarding
    option dest 'airvpn'
    option src 'lan'
EOF

TEST WITH ipleak.net... It worked that way with my router, I would be happy if someone else could verify my setup.
-
Still "scratching my head" on which one to get? @Members of AirVPN. What is your suggestion? https://www.amazon.ca/gp/offer-listing/B01MG47OY3/ref=dp_olp_new_mbc?ie=UTF8&condition=new https://www.amazon.ca/gp/offer-listing/B07JBWRQ3K/ref=dp_olp_new_mbc?ie=UTF8&condition=new
-
Initially you should have a router with OpenWRT firmware and the OpenVPN client enabled. The main page of the firmware is http://openwrt.org. A router flashed with the OpenWRT firmware image initially accepts connections only by telnet, so you should connect to it by telnet at the IP 192.168.1.1 and change the root password with the command "passwd". After this command it accepts connections via ssh. By default openvpn isn't included in the firmware image, so you should install it with opkg:

# opkg update
# opkg install openvpn-openssl

You can also install the luci component for openvpn configuration, but it is optional:

# opkg install luci-app-openvpn

You can also build a firmware image with openvpn. A good manual on general OpenVPN client configuration can be found on the page https://github.com/StreisandEffect/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client. We will follow it with modifications specific to AirVPN. After the openvpn installation you can make it autostart when the router starts:

# /etc/init.d/openvpn enable

Download the configuration files needed for the OpenVPN connection via the tool at https://airvpn.org/generator. Choose "Linux", and further options. Notice that there are a number of different options like country, protocol, and port number. As a result you get one or more OpenVPN configuration files with the extension "ovpn", possibly in an archive. The file name in the archive defines country or region, number, protocol and port. For example, consider the file "AirVPN_America_UDP-443.ovpn": "America" means America, "UDP" means the UDP protocol, and "443" means the port number. We will use this file as the example; other files are treated similarly. Comment out the option "explicit-exit-notify 5" in the file with "#", because the OpenVPN client in OpenWRT doesn't recognize it. As a result the line should start with "#": "# explicit-exit-notify 5".

Copy the file "AirVPN_America_UDP-443.ovpn" with the pscp or WinSCP programs on Windows, or the scp command on Linux, to the /etc/openvpn/ folder of the router filesystem. In case of copy problems you should force using exactly the scp protocol (the tools can also use sftp). The file itself contains the contents of the file "ca.crt" between the tags "<ca>" and "</ca>", "user.crt" between the tags "<cert>" and "</cert>", "user.key" between the tags "<key>" and "</key>", and the contents of the file "ta.key" between the tags "<tls-auth>" and "</tls-auth>". You can create the separate files "ca.crt", "user.crt", "user.key", and "ta.key" with the corresponding content (excluding the tags) in the same folder, and replace the tags with content in the original file with the following strings:

ca ca.crt
cert user.crt
key user.key
tls-auth ta.key 1

Notice that the contents of these files are identical across the different OpenVPN configuration files. In other words, the significant difference between the OpenVPN configuration files is the string containing the server address and port, beginning with the word "remote".

Configuration of OpenVPN using the file "AirVPN_America_UDP-443.ovpn" can be done in two ways.

1) Change the extension of the file from "ovpn" to "conf". In this case OpenVPN will find it automatically by extension.

2) Specify the file name in /etc/config/openvpn. You can use uci:

# uci set openvpn.airvpn=openvpn
# uci set openvpn.airvpn.enabled='1'
# uci set openvpn.airvpn.config='/etc/openvpn/AirVPN_America_UDP-443.ovpn'
# uci commit openvpn

The file /etc/config/openvpn should contain the following appended strings:

config openvpn 'airvpn'
    option enabled '1'
    option config '/etc/openvpn/AirVPN_America_UDP-443.ovpn'

If you both change the extension of the file from "ovpn" to "conf" and specify it in the file /etc/config/openvpn, OpenVPN will start with this configuration file just once. You can also manually specify the parameters of the OpenVPN connection in the file /etc/config/openvpn. In this case you don't need the file "AirVPN_America_UDP-443.ovpn", because all the necessary parameters from it are specified explicitly. However, it is tiresome.

Create a new network interface:

# uci set network.airvpntun=interface
# uci set network.airvpntun.proto='none'
# uci set network.airvpntun.ifname='tun0'
# uci commit network

The file /etc/config/network should contain the following appended strings:

config interface 'airvpntun'
    option proto 'none'
    option ifname 'tun0'

Create a new firewall zone and add a forwarding rule from LAN to VPN:

# uci add firewall zone
# uci set firewall.@zone[-1].name='vpnfirewall'
# uci set firewall.@zone[-1].input='REJECT'
# uci set firewall.@zone[-1].output='ACCEPT'
# uci set firewall.@zone[-1].forward='REJECT'
# uci set firewall.@zone[-1].masq='1'
# uci set firewall.@zone[-1].mtu_fix='1'
# uci add_list firewall.@zone[-1].network='airvpntun'
# uci add firewall forwarding
# uci set firewall.@forwarding[-1].src='lan'
# uci set firewall.@forwarding[-1].dest='vpnfirewall'
# uci commit firewall

To prevent traffic leaking outside the VPN tunnel you should remove the forwarding rule from lan to wan. In the default configuration there is a single forwarding rule, so the command is:

# uci del firewall.@forwarding[0]

You can also set the "masquerading" option to '0' for the wan zone; it comes after the lan zone, so the command is:

# uci set firewall.@zone[1].masq=0

After configuration you should commit the changes:

# uci commit firewall

The file /etc/config/firewall should contain the following appended strings:

config zone
    option name 'vpnfirewall'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'airvpntun'

config forwarding
    option src 'lan'
    option dest 'vpnfirewall'

Now we should configure the DNS servers. The simplest approach is to use public DNS for the WAN interface of the router. You can add OpenDNS:

# uci set network.wan.peerdns='0'
# uci del network.wan.dns
# uci add_list network.wan.dns='208.67.222.222'
# uci add_list network.wan.dns='208.67.220.220'
# uci commit

The file /etc/config/network should contain the section 'wan' with the following strings (the three bottom strings have been appended):

config interface 'wan'
    option ifname 'eth0.2'
    option force_link '1'
    option proto 'dhcp'
    option peerdns '0'
    list dns '208.67.222.222'
    list dns '208.67.220.220'

You can also add Google DNS:

# uci set network.wan.peerdns='0'
# uci del network.wan.dns
# uci add_list network.wan.dns='8.8.8.8'
# uci add_list network.wan.dns='8.8.4.4'
# uci commit

The appended strings should be similar to the previous ones.

To prevent traffic leaking in case the VPN tunnel drops you should edit the file /etc/firewall.user with the following content:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

# Block all forwarding while tun0 is absent (rule is removed by the hotplug script when the tunnel comes up).
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
    iptables -I forwarding_rule -j REJECT
fi

# Never let LAN traffic be forwarded out of anything other than a tun interface.
if (! iptables -C forwarding_lan_rule ! -o tun+ -j REJECT); then
    iptables -I forwarding_lan_rule ! -o tun+ -j REJECT
fi

You should also create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with the following content:

#!/bin/sh
# Lift the forwarding block when tun0 comes up, restore it when tun0 goes down.
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
    iptables -D forwarding_rule -j REJECT
fi

if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
    iptables -I forwarding_rule -j REJECT
fi

In some cases openvpn hangs with a log message like (couldn't resolve host ...). In this case the tunnel stays up, but the connection is lost. It should be reconnected manually, with the following script /etc/openvpn/reconnect.sh, which is added to /etc/rc.local as:

/etc/openvpn/reconnect.sh &

The content of the script reconnect.sh is like:

#!/bin/sh
# Every 50 seconds send $n pings; restart openvpn if none came back.
n=10
while sleep 50; do
    # BusyBox grep -E has no \d, so match digits with [0-9]
    t=$(ping -c $n 8.8.8.8 | grep -o -E '[0-9]+ packets r' | grep -o -E '[0-9]+')
    if [ "${t:-0}" -eq 0 ]; then
        /etc/init.d/openvpn restart
    fi
done

The update of luci-app-openvpn - git-19.256.41054-c048f23-1 tried to find a file with the name 'openvpn-airvpn.conf' (see the section in /etc/openvpn/config). So you should rename your file 'AirVPN_America_UDP-443.ovpn' to 'openvpn-airvpn.conf', and comment out or remove the corresponding string:

config openvpn 'airvpn'
    option enabled '1'
    # option config '/etc/openvpn/AirVPN_America_UDP-443.ovpn'
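The post above has you cut the <ca>, <cert>, <key> and <tls-auth> blocks out of the generated .ovpn by hand, put them in ca.crt, user.crt, user.key and ta.key, replace the blocks with file directives, comment out explicit-exit-notify, and finally name the result openvpn-airvpn.conf. The script below is an added example that does those steps with awk and is not the poster's own tooling. The output file name and the 600 permissions on the key files are choices made here; the sample .ovpn it builds is constructed for the demonstration, with placeholder text where the real certificates and keys would be.

```sh
#!/bin/sh
# split-ovpn.sh: split an inline AirVPN .ovpn into separate key/cert files
# plus a .conf that references them. Example code added here, not from the
# original poster. Assumptions: output name openvpn-airvpn.conf, key files
# written with mode 600, key-direction dropped in favour of "tls-auth ta.key 1".
#
# usage: split_ovpn INPUT.ovpn OUTDIR
split_ovpn() {
    in="$1"; out="$2"
    mkdir -p "$out"
    # umask in a subshell: files created by awk are owner-readable only,
    # which also silences the "file is group or others accessible" warning.
    ( umask 077
      awk -v out="$out" '
        BEGIN {
            # inline tag -> output file, and the directive replacing the block
            f["ca"] = "ca.crt";       d["ca"] = "ca ca.crt"
            f["cert"] = "user.crt";   d["cert"] = "cert user.crt"
            f["key"] = "user.key";    d["key"] = "key user.key"
            f["tls-auth"] = "ta.key"; d["tls-auth"] = "tls-auth ta.key 1"
        }
        # opening tag: remember which block we are in and start capturing
        /^<(ca|cert|key|tls-auth)>$/ { tag = substr($0, 2, length($0) - 2); cap = 1; next }
        # closing tag: finish the file and emit the directive in its place
        cap && $0 == ("</" tag ">") { close(out "/" f[tag]); print d[tag]; cap = 0; next }
        cap { print > (out "/" f[tag]); next }
        # key-direction only applies to the inline form; the "1" above replaces it
        /^key-direction / { next }
        # the post comments this out because the OpenWrt build did not accept it
        /^explicit-exit-notify/ { print "# " $0; next }
        { print }
      ' "$in" > "$out/openvpn-airvpn.conf" )
}

# make_sample_ovpn DIR: write a constructed dummy .ovpn (placeholder key
# material, not real credentials) to DIR/sample.ovpn for trying the splitter.
make_sample_ovpn() {
    cat > "$1/sample.ovpn" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 443
explicit-exit-notify 5
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
DUMMYCA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
DUMMYCERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
DUMMYKEY
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
DUMMYTA
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}
```

On the router this would be run as `split_ovpn /etc/openvpn/AirVPN_America_UDP-443.ovpn /etc/openvpn`; since every AirVPN profile carries the same certificates and key, the four files only need to be produced once and the per-server .conf files differ in their remote line.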
-
(This is a cross-post of this site: https://forum.openwrt.org/t/creating-a-policy-based-routed-openvpn-connection-editible-inside-luci-openvpn-app/26840)

Hi, I customized two guides on the AirVPN forum (https://airvpn.org/topic/15405-using-airvpn-with-openwrt/ and https://airvpn.org/topic/20303-airvpn-configuration-on-openwrt-preventing-traffic-leakage-outside-tunnel/) regarding creating OpenVPN profiles, but couldn't achieve everything I wanted. Here are the things I wanted:

- Creating an OpenVPN connection using Policy-Based Routing without any leakage
- Editing using the OpenVPN LuCI app, when needed.

Here are the steps:

1) Unbridge the LAN interface(s). Go to "Physical Settings" of the LAN interface(s) and uncheck "creates a bridge over specified interface(s)". Check the interface button of your connected (new wireless) network.

2) Connect to your router via SSH.

3.1) Update the packages:

opkg update

3.2) Install OpenVPN and nano:

opkg install openvpn-openssl
opkg install nano

3.3) (Optional) Install the LuCI component of OpenVPN:

opkg install luci-app-openvpn

4) Make it autostart when the router starts:

/etc/init.d/openvpn enable

5) Backup the current OpenVPN files:

mv /etc/config/openvpn /etc/config/openvpn_old

6) Create a new interface for AirVPN:

cat >> /etc/config/network << EOF
config interface 'airvpn'
    option proto 'none'
    option ifname 'tun0'
EOF

Alternate way:

uci set network.airvpn=interface
uci set network.airvpn.proto='none'
uci set network.airvpn.ifname='tun0'
uci commit network

7) Use the "Config Generator" of AirVPN to create the OpenVPN files. Please select the "Advanced Mode" and check "Separate keys/certs from .ovpn file" and "Resolved hosts in .ovpn file". Save the files on your machine.

8) Move into the openvpn folder:

cd /etc/openvpn

9) Use nano to create all the required files on your router. Copy and paste the following files "AirVPN_**************.ovpn, ta.key, ca.crt, user.crt, user.key" to the PuTTY folder. Rename the "AirVPN_**************.ovpn" into airvpn.conf for usability. Then apply these commands:

nano airvpn.conf
nano ta.key
nano ca.crt
nano user.crt
nano user.key

Use ^S (Control+S) on each line. airvpn.conf should look like this (or just use the ovpn file):

client
dev tun
proto udp
remote xxx.XXX.xxx.XXX XXX
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
route-delay 5
verb 3
ca ca.crt
cert user.crt
key user.key
tls-auth ta.key 1

10) Create a firewall zone for AirVPN (air_firewall):

cat >> /etc/config/firewall << EOF
config zone
    option name 'air_firewall'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'airvpn'

config forwarding
    option dest 'air_firewall'
    option src 'lan'
EOF

Alternate way:

uci add firewall zone
uci set firewall.@zone[-1].name='air_firewall'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='airvpn'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='air_firewall'
uci commit firewall

11) Prevent leakage outside the VPN tunnel:

uci del firewall.@forwarding[0]
uci set firewall.@zone[1].masq=0
uci commit firewall

12) The file /etc/config/openvpn should contain the following appended strings:

uci set openvpn.airvpn=openvpn
uci set openvpn.airvpn.enabled='1'
uci set openvpn.airvpn.config='/etc/openvpn/AirVPN_XXX_UDP-443.ovpn'    (optional)
uci commit openvpn

13) Reboot router.

14) Test the OpenVPN configuration:

openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.conf

At the end it should show "Initialization Sequence Completed". Stop openvpn with "Ctrl-C".

Important: I've got these results. It showed me this error:

Options error: You must define TUN/TAP device (--dev)

Then I tried this:

openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.conf --dev tun0

The output is this:

Mon Dec 10 20:44:19 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Mon Dec 10 20:44:19 2018 OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Dec 10 20:44:19 2018 library versions: OpenSSL 1.0.2p 14 Aug 2018, LZO 2.10
Mon Dec 10 20:44:19 2018 ******* WARNING *******: All encryption and authentication features disabled -- All data will be tunnelled as clear text and will not be protected against man-in-the-middle changes. PLEASE DO RECONSIDER THIS CONFIGURATION!
Mon Dec 10 20:44:19 2018 TUN/TAP device tun0 opened
Mon Dec 10 20:44:19 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Dec 10 20:44:19 2018 UDPv4 link local (bound): [AF_INET][undef]:1194
Mon Dec 10 20:44:19 2018 UDPv4 link remote: [AF_UNSPEC]

15) Use the AirVPN DNS:

uci add_list dhcp.lan.dhcp_option="6,10.4.0.1"
uci commit dhcp
reboot

Alternate way:

uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns='10.4.0.1'
uci commit

config interface 'wan'
    option ifname 'eth0.2'
    option force_link '1'
    option proto 'dhcp'
    option peerdns '0'
    list dns '10.4.0.1'

16) Secure against IP leak, backup the old firewall:

mv /etc/config/firewall /etc/config/firewall.backup

17) Create new firewall rules:

cat >> /etc/config/firewall << EOF
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'wan'
    option output 'ACCEPT'
    option forward 'REJECT'
    option network 'wan'
    option input 'ACCEPT'

config zone
    option name 'airvpn'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'airvpn'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config forwarding
    option dest 'airvpn'
    option src 'lan'
EOF

Another way: To prevent traffic leaking in case the VPN tunnel drops you should edit the file /etc/firewall.user with the following content:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

# Block all forwarding while tun0 is absent (lifted by the hotplug script below).
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
    iptables -I forwarding_rule -j REJECT
fi

# Never forward LAN traffic out of anything other than a tun interface.
if (! iptables -C forwarding_lan_rule ! -o tun+ -j REJECT); then
    iptables -I forwarding_lan_rule ! -o tun+ -j REJECT
fi

18) You should also create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with the following content:

#!/bin/sh
# Lift the forwarding block when tun0 comes up, restore it when tun0 goes down.
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
    iptables -D forwarding_rule -j REJECT
fi

if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
    iptables -I forwarding_rule -j REJECT
fi

Use these commands:

cd /etc/hotplug.d/iface/
nano 99-prevent-leak.sh

19) In some cases openvpn hangs with a log message like (couldn't resolve host ...). In this case the tunnel stays up, but the connection is lost. It should be reconnected manually, with the following script /etc/openvpn/reconnect.sh, which is added to /etc/rc.local as (can be added through the Startup page):

/etc/openvpn/reconnect.sh &

The content of the script reconnect.sh is like:

#!/bin/sh
# Every 50 seconds send $n pings; restart openvpn if none came back.
n=10
while sleep 50; do
    # BusyBox grep -E has no \d, so match digits with [0-9]
    t=$(ping -c $n 8.8.8.8 | grep -o -E '[0-9]+ packets r' | grep -o -E '[0-9]+')
    if [ "${t:-0}" -eq 0 ]; then
        /etc/init.d/openvpn restart
    fi
done

Test here: https://ipleak.net/

I messed something up somewhere. So I reset my router and started from scratch.

Questions:

- What might not be needed from the above list?
- What can be done to achieve further with the vpn-policy-routing and luci-app-vpn-policy-routing apps? I could not find anything easily on the forum (VPN Policy-Based Routing + Web UI -- Discussion), as I need IP-based exclusions for VPN on the LAN.
- Creating a profile with the OpenVPN LuCI app prevents me from uploading the ta.key file, but I need the app's functionality in some way.
- Is using cat >> /etc/config/XXX << EOF ... EOF commands risky, while restoring some settings and even reconfiguring OpenVPN?

As a note, I gathered the LuCI app configuration from a backup of the router. Here are the locations of the uploaded files:

option ca '/etc/luci-uploads/cbid.openvpn.AirVPN.ca'
option cert '/etc/luci-uploads/cbid.openvpn.AirVPN.cert'
option key '/etc/luci-uploads/cbid.openvpn.AirVPN.key'
option tls_auth '/etc/openvpn/ta.key 1'

The last one was entered manually. So it's not valid anyway. Also, there is a line which I don't remember entering. Is this needed? What is its purpose?

option route_gateway '10.234.1.1'

Can someone help me with these please? Thanks...
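The leak-prevention steps repeated in the guides above (the "Using AirVPN with OpenWRT" post, the "preventing traffic leakage" post and this cross-post) come down to the same firewall facts: no forwarding from lan to wan, no masquerading on the wan zone, and a VPN zone that masquerades and rejects input/forward with a lan-to-VPN forwarding. The script below is an added example, not from any of the posters, that audits an /etc/config/firewall for exactly those facts without needing uci or iptables, so it can be run against a backup before the router is rebooted. Zone names lan and wan follow the OpenWrt defaults; the VPN zone is found by the network name passed in (airvpn by default); the sample config it writes is constructed for the demonstration and trimmed to the sections the check reads.

```sh
#!/bin/sh
# fw-leak-check.sh: audit an OpenWrt /etc/config/firewall for the leak paths
# the guides on this page close. Example code added here, not from the
# original posters. Assumptions: zones are named lan and wan (OpenWrt
# defaults); the VPN zone is whichever zone lists the given network name.
#
# usage: check_firewall /etc/config/firewall [vpn_network]
#        exit 0 = no leak path found; exit 1 = problems printed, one per line
check_firewall() {
    cfg="$1"; vpnnet="${2:-airvpn}"
    awk -v vpnnet="$vpnnet" -v q="'" '
        # unquote: strip one pair of surrounding single or double quotes
        function unquote(v,   c) {
            c = substr(v, 1, 1)
            if ((c == q || c == "\"") && substr(v, length(v), 1) == c)
                v = substr(v, 2, length(v) - 2)
            return v
        }
        # flush: evaluate the section collected so far, then reset it
        function flush(   k) {
            if (type == "forwarding" && o["src"] == "lan") {
                fwd_lan[o["dest"]] = 1
                if (o["dest"] == "wan") {
                    print "LEAK: forwarding lan -> wan is still present"; bad = 1
                }
            }
            if (type == "zone" && o["name"] == "wan" && o["masq"] == "1") {
                print "LEAK: wan zone still masquerades (option masq 1)"; bad = 1
            }
            if (type == "zone" && index(" " o["network"] " ", " " vpnnet " ")) {
                vpnzone = o["name"]
                if (o["input"] != "REJECT" || o["forward"] != "REJECT") {
                    print "WARN: vpn zone " vpnzone " should REJECT input and forward"; bad = 1
                }
                if (o["masq"] != "1") {
                    print "LEAK: vpn zone " vpnzone " does not masquerade"; bad = 1
                }
            }
            for (k in o) delete o[k]
            type = ""
        }
        # "config <type> [name]" opens a section; option/list lines fill it
        $1 == "config" { flush(); type = $2; next }
        $1 == "option" || $1 == "list" {
            v = $0
            sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", v)
            v = unquote(v)
            # list entries accumulate space-separated; options overwrite
            o[$2] = ($1 == "list" && ($2 in o)) ? o[$2] " " v : v
            next
        }
        END {
            flush()
            if (vpnzone == "") {
                print "LEAK: no zone contains network " vpnnet; bad = 1
            } else if (!(vpnzone in fwd_lan)) {
                print "LEAK: no forwarding lan -> " vpnzone; bad = 1
            }
            exit bad + 0
        }
    ' "$cfg"
}

# write_leaky_sample FILE: constructed config in the default OpenWrt shape
# (lan -> wan forwarding kept, wan masquerading on) plus the airvpn zone.
write_leaky_sample() {
    cat > "$1" <<'EOF'
config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config zone
    option name 'airvpn'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'airvpn'

config forwarding
    option src 'lan'
    option dest 'airvpn'

config forwarding
    option src 'lan'
    option dest 'wan'
EOF
}

# make_fixed LEAKY FIXED: apply the guides' two fixes to the sample (drop the
# lan -> wan forwarding section, set masq 0 on the wan zone).
make_fixed() {
    sed -e "/^config forwarding/{N;N;/dest 'wan'/d;}" \
        -e "/name 'wan'/,/^$/s/masq '1'/masq '0'/" "$1" > "$2"
}
```

Running `check_firewall /etc/config/firewall` on a router prepared as in the guides prints nothing and exits 0; on a stock config it reports the lan-to-wan forwarding and the wan masquerading, which are precisely the two `uci del firewall.@forwarding[0]` and `uci set firewall.@zone[1].masq=0` changes. The check reads only the static config, so the iptables rules from /etc/firewall.user are outside its scope and should be verified with `iptables -S` or ipleak.net as the posts suggest.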
-
I always get this error no matter what: Sat Dec 2 19:17:00 2017 daemon.err openvpn(LA_VPN)[4922]: Options error: specify only one of --tls-server, --tls-client, or --secret Sat Dec 2 19:17:00 2017 daemon.warn openvpn(LA_VPN)[4922]: Use --help for more information. Screenshots are attached, OpenVPN version is 2.4.4-2, is there anything I can do to fix this through LuCI?
-
I normally use AirVPN with openvpn on my computer, with openresolv to allow openvpn to connect to the server and then change the DNS so it is tunnelled through the VPN connection. The openvpn config file I downloaded specifies a country, not a particular server, so DNS resolution is needed initially to make the connection. However I am interested in putting the VPN inside a router instead, and I have been experimenting. Looking at the instructions for DD-WRT and here: https://airvpn.org/topic/14378-how-can-i-get-vpn-servers-entry-ip-addresses/ it seems it will not be possible to continue using my existing per-country configuration, as I need to give a specific IP address, i.e. choose just one server (and edit the .ovpn file accordingly). At the moment, I am using an OpenNIC DNS server in parallel with the VPN one instead, but I'd rather not continue to do this. Am I right in thinking each query goes to both DNS servers (rather than using the second one only if the first doesn't return an IP address)? Is there a way to select a country or region, rather than a specific AirVPN server, in this situation? I want to continue using openvpn manually as I understand and trust this method. I am also more familiar with the command line (ssh into the router) than LEDE/OpenWRT, which is new to me.
-
Hi, I'm determined to buy a router to run openvpn with my AirVPN account. Specifically I will have only one device, or at the maximum one other, which should pass through the tunnel. The speed must not deviate much from the real 30 Mb. I wondered what characteristics the CPU must have; basically I will use the VPN for media streams.
-
Hey there! I need a little bit of help configuring my OpenWRT router.

Model: TP-LINK TL-WDR3600 N600 WLAN Dual Band Gigabit Router
OpenWRT Version: Chaos Calmer 15.05.1

I'm new to network configuration, but eager to learn, so I'm thankful for every suggestion or tip to make my setup better.

My Setup: ISP-->fritz.box--[LAN]-->OpenWRT

What I want: I just want my OpenWRT as an access point with secure WiFi, i.e. with an AirVPN connection. The OpenWRT is configured as a DHCP client; if you think this is bad or insecure then let me know. I'm open to better solutions. So far, I followed this guide to get openVPN working with AirVPN, though I skipped step 4: this led to my router being unresponsive and I had to reset. Another user in the thread had the same problem and he skipped it too. And this works, I get openVPN running and also get a connection to AirVPN when I run

openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.conf

or at least it tells me "Initialization Sequence Completed". The firewall is set up like the guide suggested. But my IP is still the one of my ISP. I bet I just have a thinking error, so I would appreciate any help. I attached screenshots of the interfaces and their configurations, maybe they help. Thanks for every help!

Edit: I checked the logs, this is now the latest error I get:

Fri May 27 12:39:45 2016 daemon.warn odhcpd[866]: DHCPV6 CONFIRM IA_NA from (some address) on br-lan: not on-link
Fri May 27 12:39:45 2016 daemon.warn odhcpd[866]: DHCPV6 SOLICIT IA_NA from (some address) on br-lan: no addresses available
Fri May 27 12:39:46 2016 daemon.warn odhcpd[866]: DHCPV6 SOLICIT IA_NA from (some address) on br-lan: no addresses available
Fri May 27 12:39:49 2016 daemon.warn odhcpd[866]: DHCPV6 SOLICIT IA_NA from (some address) on br-lan: no addresses available
Fri May 27 12:39:53 2016 daemon.warn odhcpd[866]: DHCPV6 SOLICIT IA_NA from (some address) on br-lan: no addresses available
-
I upgraded my router to the latest nightly (see title), I'm coming from Chaos Calmer. I upgraded because I was having some other (non-VPN) related issues with CC builds. I've configured my router with OpenVPN. I generated a config for routers, separate certs, resolve ticked. Copied it to my router and renamed the AirVPN...ovpn to airvpn.ovpn.

The problem is, it takes AAAGES for something to load. It does eventually load, though. DNS resolving is quick, I can use dig or nslookup and the response is instant. When I telnet to a website's IP address on port 80 it just takes minutes and finally connects. The browser sometimes simply stops loading because it's taking too long. Not sure what's going on, can anyone help? Here's the output:

root@myrouter:/etc/openvpn# openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.ovpn
Mon Jan 18 22:11:47 2016 OpenVPN 2.3.7 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Mon Jan 18 22:11:47 2016 library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.08
Mon Jan 18 22:11:47 2016 WARNING: file 'user.key' is group or others accessible
Mon Jan 18 22:11:47 2016 WARNING: file 'ta.key' is group or others accessible
Mon Jan 18 22:11:47 2016 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Jan 18 22:11:47 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 18 22:11:47 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 18 22:11:47 2016 Socket Buffers: R=[163840->131072] S=[163840->131072]
Mon Jan 18 22:11:47 2016 UDPv4 link local: [undef]
Mon Jan 18 22:11:47 2016 UDPv4 link remote: [AF_INET]213.152.162.148:443
Mon Jan 18 22:11:47 2016 TLS: Initial packet from [AF_INET]213.152.162.148:443, sid=a579b56c daba3750
Mon Jan 18 22:11:47 2016 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Mon Jan 18 22:11:47 2016 Validating certificate key usage
Mon Jan 18 22:11:47 2016 ++ Certificate has key usage 00a0, expects 00a0
Mon Jan 18 22:11:47 2016 VERIFY KU OK
Mon Jan 18 22:11:47 2016 Validating certificate extended key usage
Mon Jan 18 22:11:47 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jan 18 22:11:47 2016 VERIFY EKU OK
Mon Jan 18 22:11:47 2016 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Mon Jan 18 22:11:54 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jan 18 22:11:54 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 18 22:11:54 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jan 18 22:11:54 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 18 22:11:54 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Mon Jan 18 22:11:54 2016 [server] Peer Connection Initiated with [AF_INET]213.152.162.148:443
Mon Jan 18 22:11:56 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Jan 18 22:11:56 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.21.34 255.255.0.0'
Mon Jan 18 22:11:56 2016 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jan 18 22:11:56 2016 OPTIONS IMPORT: LZO parms modified
Mon Jan 18 22:11:56 2016 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jan 18 22:11:56 2016 OPTIONS IMPORT: route options modified
Mon Jan 18 22:11:56 2016 OPTIONS IMPORT: route-related options modified
Mon Jan 18 22:11:56 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Jan 18 22:11:56 2016 TUN/TAP device tun0 opened
Mon Jan 18 22:11:56 2016 TUN/TAP TX queue length set to 100
Mon Jan 18 22:11:56 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Jan 18 22:11:56 2016 /sbin/ifconfig tun0 10.4.21.34 netmask 255.255.0.0 mtu 1500 broadcast 10.4.255.255
Mon Jan 18 22:12:01 2016 /sbin/route add -net 213.152.162.148 netmask 255.255.255.255 gw 83.84.6.1
Mon Jan 18 22:12:01 2016 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.4.0.1
Mon Jan 18 22:12:01 2016 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.4.0.1
Mon Jan 18 22:12:01 2016 Initialization Sequence Completed
^CMon Jan 18 22:14:42 2016 event_wait : Interrupted system call (code=4)
Mon Jan 18 22:14:42 2016 SIGTERM received, sending exit notification to peer
Mon Jan 18 22:14:47 2016 /sbin/route del -net 213.152.162.148 netmask 255.255.255.255
Mon Jan 18 22:14:47 2016 /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Mon Jan 18 22:14:47 2016 /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Mon Jan 18 22:14:47 2016 Closing TUN/TAP interface
Mon Jan 18 22:14:47 2016 /sbin/ifconfig tun0 0.0.0.0
Mon Jan 18 22:14:47 2016 SIGTERM[soft,exit-with-notification] received, process exiting

If you need anything else, let me know and I'll post it.
-
Hello, I'm trying to get my AirVPN connection working within OpenWRT. When I try to connect I get the following error :- http://pastebin.com/mQqagc7y

Any ideas? VPN config is as follows :-

config openvpn 'myvpn'
	option enabled '1'
	option dev 'tun'
	option proto 'udp'
	option port '443'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option client '1'
	option remote_cert_tls 'server'
	option remote '46.165.208.69'
	option persist_tun '1'
	option persist_key '1'
	option nobind '1'
	option tls_auth '/etc/openvpn/ta.key'
	option log '/tmp/openvpn.log'
	option cipher 'AES-256-CBC'
	option verb '7'
	option route_delay '5'
	option comp_lzo 'no'
	option explicit_exit_notify '5'
	option resolv_retry 'infinite'

Any ideas?
-
Hello, I have installed and configured OpenVPN on OpenWRT and it works with the interface tun0 configured such that OpenVPN automatically starts on bootup of OpenWRT, and if there is no VPN connection then the LAN network cannot access the WAN, only OpenVPN when it is up and running. But I have a problem with port forwarding. I have "made" a forwarded port in the Client Area of AirVPN. But when I have my program up and running using that port it is not accessible, and also clicking on the "check" button from AirVPN for the port shows it is not accessible. Does anybody know and can help me with setting up a correct port forwarding in OpenWRT for the VPN? I have tried but nothing succeeded.
-
HOW TO FORWARD PORTS TO YOUR DEVICES WITH IPTABLES

You need to create a basic DNAT on your router. Remember that the router GUI forwards ports from the WAN to LAN. When connected to the VPN you must forward ports from TUN to LAN. Therefore, it is imperative that you do NOT forward ports in the GUI of the router.

Assuming that:
- destIP is the IP address of the destination device
- port is the port you wish to forward to that device
- tun1 is the tun interface of your router (please check! on some routers it can be tun0, on Tomato it can be tun11)
- you need to forward both TCP and UDP packets

you need to add the following rules. Please note that the following rules do NOT replace your already existing rules, you just have to add them.

iptables -I FORWARD -i tun1 -p udp -d destIP --dport port -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d destIP --dport port -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport port -j DNAT --to-destination destIP
iptables -t nat -I PREROUTING -i tun1 -p udp --dport port -j DNAT --to-destination destIP

Note: if your router firmware's iptables supports the multiport module you can use the --match option to make your rule set more compact. Please see here, thanks to Mikeyy: https://airvpn.org/topic/14991-asuswrt-merlin-multiple-ports/?do=findComment&comment=31221

Kind regards
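A defender-side check for the rules in this post (and for the "port not reachable" question a few posts up), added here as an example and not part of the original post or any AirVPN tooling: it reads an iptables-save dump and confirms that the four TUN-to-LAN rules exist for a given destIP/port/tun triple and that no DNAT for the same port hangs off any other interface, which is what a GUI port forward would leave behind. destIP 192.168.1.50, port 51413, interface tun1, the WAN name eth0.2 and both dumps are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: checks an iptables-save dump for the
# four TUN->LAN rules given above and for a stray DNAT of the same port on any
# other interface (the router-GUI WAN forward the post says must not exist).
# destIP, port and tun name are placeholders; both dumps below are constructed.
# rule_present DUMP TOKEN... -> 0 if some line of DUMP contains every TOKEN
# (plain substring matches, so iptables-save option order does not matter)
rule_present() {
    dump="$1"; shift
    want=$(IFS='|'; printf '%s' "$*")
    printf '%s\n' "$dump" | awk -v want="$want" '
        BEGIN { n = split(want, t, "|") }
        {
            ok = 1
            for (i = 1; i <= n; i++) if (index($0, t[i]) == 0) { ok = 0; break }
            if (ok) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}
# check_forward DUMP destIP port tun -> 0 when all four rules exist, 1 when one
# is missing, 2 when a DNAT for the port is attached to another interface
check_forward() {
    dump="$1"; ip="$2"; port="$3"; tun="$4"
    for proto in tcp udp; do
        rule_present "$dump" "-A PREROUTING" "-i $tun " "-p $proto " \
            "--dport $port " "-j DNAT" "--to-destination $ip" || return 1
        rule_present "$dump" "-A FORWARD" "-d $ip" "-i $tun " "-p $proto " \
            "--dport $port " "-j ACCEPT" || return 1
    done
    if printf '%s\n' "$dump" | grep -- "-j DNAT" | grep -- "--dport $port " |
            grep -v -- "-i $tun " | grep -q .; then
        return 2
    fi
    return 0
}
# Constructed iptables-save excerpt: the four rules for 192.168.1.50:51413 via tun1.
GOOD_DUMP='*nat
-A PREROUTING -i tun1 -p udp -m udp --dport 51413 -j DNAT --to-destination 192.168.1.50
-A PREROUTING -i tun1 -p tcp -m tcp --dport 51413 -j DNAT --to-destination 192.168.1.50
COMMIT
*filter
-A FORWARD -d 192.168.1.50/32 -i tun1 -p tcp -m tcp --dport 51413 -j ACCEPT
-A FORWARD -d 192.168.1.50/32 -i tun1 -p udp -m udp --dport 51413 -j ACCEPT
COMMIT'
# Same rules plus a WAN-side DNAT as a GUI port forward would add (constructed).
BAD_DUMP="$GOOD_DUMP
-A PREROUTING -i eth0.2 -p tcp -m tcp --dport 51413 -j DNAT --to-destination 192.168.1.50"
check_forward "$GOOD_DUMP" 192.168.1.50 51413 tun1 && echo "good dump: TUN->LAN forward in place"
check_forward "$BAD_DUMP" 192.168.1.50 51413 tun1 || echo "bad dump: problem found, rc=$?"
```

On the router itself the same check runs against the live tables with `check_forward "$(iptables-save)" destIP port tun1`, with the real values substituted.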