trueheadz

Configuring AirVPN on TP-LINK TL-WDR3600 w/ OpenWRT


Hey there!

I need a little bit of help configuring my OpenWRT router.

Model: TP-LINK TL-WDR3600 N600 WLAN Dual Band Gigabit Router

OpenWRT Version: Chaos Calmer 15.05.1

I'm new to network configuration, but eager to learn, so I'm thankful for every suggestion or tip to make my setup better.

My Setup: ISP-->fritz.box--[LAN]-->OpenWRT

What I want: I just want my OpenWRT as an access point with secure WiFi, i.e. with an AirVPN connection.

The OpenWRT is configured as a DHCP client; if you think this is bad or insecure then let me know. I'm open to better solutions.

So far, I followed this guide to get OpenVPN working with AirVPN, though I skipped step 4:

4. Unbridge the LAN interface(s). Go to "Physical Settings" of the LAN interface(s) and uncheck "creates a bridge over specified interface(s)". Check the interface button of your new wireless network.

This led to my router being unresponsive and I had to reset. Another user in the thread had the same problem and he skipped it too.

And this works: I get OpenVPN running and also get a connection to AirVPN when I run

openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.conf

or at least it tells me

Initialization Sequence Completed

The firewall is set up like the guide suggested.

But my IP is still the one of my ISP.

I bet I just have a thinking error, so I would appreciate any help.

I attached screenshots of the interfaces and their configurations, maybe they help.

Thanks for every help!

Edit:

I checked the logs, this is now the latest error I get:

Fri May 27 12:39:45 2016 daemon.warn odhcpd[866]: DHCPV6 CONFIRM IA_NA from (some address) on br-lan: not on-link
Fri May 27 12:39:45 2016 daemon.warn odhcpd[866]: DHCPV6 SOLICIT IA_NA from (some address) on br-lan: no addresses available
Fri May 27 12:39:46 2016 daemon.warn odhcpd[866]: DHCPV6 SOLICIT IA_NA from (some address) on br-lan: no addresses available
Fri May 27 12:39:49 2016 daemon.warn odhcpd[866]: DHCPV6 SOLICIT IA_NA from (some address) on br-lan: no addresses available
Fri May 27 12:39:53 2016 daemon.warn odhcpd[866]: DHCPV6 SOLICIT IA_NA from (some address) on br-lan: no addresses available


You need to attach your full OpenVPN logs.

 

root@OpenWrt:/etc/openvpn# openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.conf
Fri May 27 14:27:43 2016 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 31 2016
Fri May 27 14:27:43 2016 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Fri May 27 14:27:43 2016 WARNING: file 'user.key' is group or others accessible
Fri May 27 14:27:43 2016 WARNING: file 'ta.key' is group or others accessible
Fri May 27 14:27:43 2016 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Fri May 27 14:27:43 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 27 14:27:43 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 27 14:27:43 2016 Socket Buffers: R=[163840->131072] S=[163840->131072]
Fri May 27 14:27:43 2016 UDPv4 link local: [undef]
Fri May 27 14:27:43 2016 UDPv4 link remote: [AF_INET]213.152.161.164:443
Fri May 27 14:27:43 2016 TLS: Initial packet from [AF_INET]213.152.161.164:443, sid=fc9aad82 8c9b59ea
Fri May 27 14:27:43 2016 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Fri May 27 14:27:43 2016 Validating certificate key usage
Fri May 27 14:27:43 2016 ++ Certificate has key usage  00a0, expects 00a0
Fri May 27 14:27:43 2016 VERIFY KU OK
Fri May 27 14:27:43 2016 Validating certificate extended key usage
Fri May 27 14:27:43 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri May 27 14:27:43 2016 VERIFY EKU OK
Fri May 27 14:27:43 2016 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Fri May 27 14:27:50 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri May 27 14:27:50 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 27 14:27:50 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri May 27 14:27:50 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 27 14:27:50 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Fri May 27 14:27:50 2016 [server] Peer Connection Initiated with [AF_INET]213.152.161.164:443
Fri May 27 14:27:52 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri May 27 14:27:52 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.53.200 255.255.0.0'
Fri May 27 14:27:52 2016 OPTIONS IMPORT: timers and/or timeouts modified
Fri May 27 14:27:52 2016 OPTIONS IMPORT: LZO parms modified
Fri May 27 14:27:52 2016 OPTIONS IMPORT: --ifconfig/up options modified
Fri May 27 14:27:52 2016 OPTIONS IMPORT: route options modified
Fri May 27 14:27:52 2016 OPTIONS IMPORT: route-related options modified
Fri May 27 14:27:52 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri May 27 14:27:52 2016 TUN/TAP device tun1 opened
Fri May 27 14:27:52 2016 TUN/TAP TX queue length set to 100
Fri May 27 14:27:52 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri May 27 14:27:52 2016 /sbin/ifconfig tun1 10.4.53.200 netmask 255.255.0.0 mtu 1500 broadcast 10.4.255.255
Fri May 27 14:27:57 2016 /sbin/route add -net 213.152.161.164 netmask 255.255.255.255 gw 192.168.178.1
Fri May 27 14:27:57 2016 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.4.0.1
Fri May 27 14:27:57 2016 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.4.0.1
Fri May 27 14:27:57 2016 Initialization Sequence Completed


Your tunnel works fine, you only need a postrouting rule that will direct all traffic to your tun interface.

Try this one:

/usr/sbin/iptables -t nat -A POSTROUTING -o tun+ -j SNAT --to-source $(ifconfig tun1 | grep "inet addr" | awk -F: '{print $2}' | awk '{print $1}')


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


 

Your tunnel works fine, you only need a postrouting rule that will direct all traffic to your tun interface.

Try this one:

/usr/sbin/iptables -t nat -A POSTROUTING -o tun+ -j SNAT --to-source $(ifconfig tun1 | grep "inet addr" | awk -F: '{print $2}' | awk '{print $1}')

Thanks for this!

Sadly it did not help.

Edit:

I f* up, but don't know where exactly. OpenVPN connects at startup, or at least the log says so.

But your command only works without error (though I still got my ISP IP) when I ssh into my router and manually do:

openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.conf

So I started fresh, reset the router and did everything again.

If you look at the guide I mentioned, step 14 is where I'm at, so I did not create firewall rules yet.

This is my OpenVPN output; the initialization sequence completes, but with errors:

 

root@OpenWrt:~# openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.conf
Sat May 28 09:47:58 2016 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 31 2016
Sat May 28 09:47:58 2016 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Sat May 28 09:47:58 2016 WARNING: file 'user.key' is group or others accessible
Sat May 28 09:47:58 2016 WARNING: file 'ta.key' is group or others accessible
Sat May 28 09:47:58 2016 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Sat May 28 09:47:58 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May 28 09:47:58 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May 28 09:47:58 2016 Socket Buffers: R=[163840->131072] S=[163840->131072]
Sat May 28 09:47:58 2016 UDPv4 link local: [undef]
Sat May 28 09:47:58 2016 UDPv4 link remote: [AF_INET]213.152.161.164:443
Sat May 28 09:47:58 2016 TLS: Initial packet from [AF_INET]213.152.161.164:443, sid=dc3f88bd 9603931f
Sat May 28 09:47:58 2016 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Sat May 28 09:47:58 2016 Validating certificate key usage
Sat May 28 09:47:58 2016 ++ Certificate has key usage  00a0, expects 00a0
Sat May 28 09:47:58 2016 VERIFY KU OK
Sat May 28 09:47:58 2016 Validating certificate extended key usage
Sat May 28 09:47:58 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat May 28 09:47:58 2016 VERIFY EKU OK
Sat May 28 09:47:58 2016 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Sat May 28 09:48:04 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat May 28 09:48:04 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May 28 09:48:04 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat May 28 09:48:04 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May 28 09:48:04 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Sat May 28 09:48:04 2016 [server] Peer Connection Initiated with [AF_INET]213.152.161.164:443
Sat May 28 09:48:06 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat May 28 09:48:06 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.53.200 255.255.0.0'
Sat May 28 09:48:06 2016 OPTIONS IMPORT: timers and/or timeouts modified
Sat May 28 09:48:06 2016 OPTIONS IMPORT: LZO parms modified
Sat May 28 09:48:06 2016 OPTIONS IMPORT: --ifconfig/up options modified
Sat May 28 09:48:06 2016 OPTIONS IMPORT: route options modified
Sat May 28 09:48:06 2016 OPTIONS IMPORT: route-related options modified
Sat May 28 09:48:06 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat May 28 09:48:06 2016 TUN/TAP device tun1 opened
Sat May 28 09:48:06 2016 TUN/TAP TX queue length set to 100
Sat May 28 09:48:06 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat May 28 09:48:06 2016 /sbin/ifconfig tun1 10.4.53.200 netmask 255.255.0.0 mtu 1500 broadcast 10.4.255.255
Sat May 28 09:48:12 2016 /sbin/route add -net 213.152.161.164 netmask 255.255.255.255 gw 192.168.178.1
route: SIOCADDRT: File exists
Sat May 28 09:48:12 2016 ERROR: Linux route add command failed: external program exited with error status: 1
Sat May 28 09:48:12 2016 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.4.0.1
route: SIOCADDRT: File exists
Sat May 28 09:48:12 2016 ERROR: Linux route add command failed: external program exited with error status: 1
Sat May 28 09:48:12 2016 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.4.0.1
route: SIOCADDRT: File exists
Sat May 28 09:48:12 2016 ERROR: Linux route add command failed: external program exited with error status: 1
Sat May 28 09:48:12 2016 Initialization Sequence Completed

 

Edit:

 

Okay, so there was an openvpn init script in my init.d; that's why I got the error. Fixed that by deleting it. Now, after I use

openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.conf

and then run your command (added to /etc/firewall.user), nothing happens.

 

Still ISP IP.
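The log in this post shows the trap the poster ran into: OpenVPN prints "Initialization Sequence Completed" even when every `route add` was rejected with "SIOCADDRT: File exists" (here because a second openvpn instance started from init.d had already installed the same routes). The script below is an added example, not part of the thread or of OpenVPN: it reads a client log and reports separately whether the tunnel came up, what the server pushed, and whether the routes went in. The two log excerpts are constructed from the lines posted above and trimmed to what the parser needs.

```shell
#!/bin/sh
# Added example, not from the thread: read an OpenVPN client log and separate
# "the TLS tunnel came up" from "the routes were actually installed".
# "Initialization Sequence Completed" is printed even when every "route add"
# failed, which is exactly the log posted above.

# Constructed excerpts (dates and addresses as in the thread's logs) of two
# runs: one where the routes went in, one where they already existed.
LOG_GOOD="Fri May 27 14:27:52 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.53.200 255.255.0.0'
Fri May 27 14:27:52 2016 TUN/TAP device tun1 opened
Fri May 27 14:27:57 2016 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.4.0.1
Fri May 27 14:27:57 2016 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.4.0.1
Fri May 27 14:27:57 2016 Initialization Sequence Completed"

LOG_BAD="Sat May 28 09:48:06 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.53.200 255.255.0.0'
Sat May 28 09:48:06 2016 TUN/TAP device tun1 opened
Sat May 28 09:48:12 2016 /sbin/route add -net 213.152.161.164 netmask 255.255.255.255 gw 192.168.178.1
route: SIOCADDRT: File exists
Sat May 28 09:48:12 2016 ERROR: Linux route add command failed: external program exited with error status: 1
Sat May 28 09:48:12 2016 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.4.0.1
route: SIOCADDRT: File exists
Sat May 28 09:48:12 2016 ERROR: Linux route add command failed: external program exited with error status: 1
Sat May 28 09:48:12 2016 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.4.0.1
route: SIOCADDRT: File exists
Sat May 28 09:48:12 2016 ERROR: Linux route add command failed: external program exited with error status: 1
Sat May 28 09:48:12 2016 Initialization Sequence Completed"

# Value of one option from the server's PUSH_REPLY, e.g. "ifconfig" or
# "route-gateway". Empty output means the server did not push it.
pushed_option() {
    printf '%s\n' "$1" \
      | sed -n "s/.*'PUSH_REPLY,\(.*\)'.*/\1/p" \
      | tr ',' '\n' \
      | sed -n "s/^$2 //p" | head -n 1
}

# Number of "route add" commands the kernel rejected. "File exists" means
# the route is already there, typically installed by another openvpn
# process (the init.d instance the poster found).
route_failures() {
    printf '%s\n' "$1" | grep -c 'route add command failed' || true
}

# Name of the tun device OpenVPN opened, if any.
tun_device() {
    printf '%s\n' "$1" | sed -n 's/.*TUN\/TAP device \([a-z0-9]*\) opened.*/\1/p' | head -n 1
}

# One-word verdict: not-connected, routes-failed, or ok.
openvpn_status() {
    if ! printf '%s\n' "$1" | grep -q 'Initialization Sequence Completed'; then
        echo not-connected
    elif [ "$(route_failures "$1")" -gt 0 ]; then
        echo routes-failed
    else
        echo ok
    fi
}

# Human-readable summary of one log.
diagnose() {
    echo "tun device : $(tun_device "$1")"
    echo "ifconfig   : $(pushed_option "$1" ifconfig)"
    echo "gateway    : $(pushed_option "$1" route-gateway)"
    echo "dns        : $(pushed_option "$1" dhcp-option)"
    echo "route errs : $(route_failures "$1")"
    echo "verdict    : $(openvpn_status "$1")"
}

diagnose "$LOG_GOOD"
echo ---
diagnose "$LOG_BAD"
```

On the router the same functions can be fed the live log, e.g. `openvpn_status "$(logread | grep openvpn)"`; a verdict of `routes-failed` means the tunnel is up but traffic is still leaving via the ISP gateway, which matches the "still ISP IP" symptom.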


I don't think openvpn will work on a router functioning as an access point (ie NAT is disabled)

Ok, so why's that? I'm not that good with networks.

But OpenVPN works, and my tun0 device gets an IP from AirVPN. I just can't get my traffic through it.


Why would you want to disable NAT in the first place? This will disable iptables rules that are in charge of routing.

 

OP says he's running the router as an access point.  Usually access point mode in routers disables NAT.  Probably why he/she is here asking why it's not working.  Disabled NAT is an unintended consequence of access point mode.


He can still use OpenVPN and NAT while the wireless adapter can be used in any mode, including AP.

You meant "repeater" mode probably, which can disable NAT and bridging.

But he mentioned that the goal was a standard secure access point with VPN (running on it).

This means the "default" router mode, and in order for the router to become an access point NAT is required.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


No, I meant access point mode as opposed to router mode.  Here is what my Asus AC68 says about Access Point mode (bold is my emphasis).

 

"In Access Point (AP) mode, RT-AC68U connects to a wireless router through an Ethernet cable to extend the wireless signal coverage to other network clients. In this mode, the firewall, IP sharing, and NAT functions are disabled by default."

 

I would imagine access point mode in openwrt behaves the same.

 

The OP said access point because it's not the main router/gateway of his LAN.  Still, it will need NAT for openvpn to work.


In OpenWRT, Access Point is the default mode and it means standard wireless station with NAT clients.

OP, if this is the case, NAT should be enabled.

If you are unsure, just restore OpenWRT to its default settings and don't disable NAT/Firewall.

(attached image: 3wUw2aE.png)


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


In OpenWRT, Access Point is the default mode and it means standard wireless station with NAT clients.

OP, if this is the case, NAT should be enabled.

If you are unsure, just restore OpenWRT to its default settings and don't disable NAT/Firewall.

(attached image: 3wUw2aE.png)

I did not disable NAT, it's the same configuration you described: Just the WiFi in AP mode.

 

I did not change anything, the WiFi is pretty vanilla after I reset this morning.

 

Sent from my Nexus 5 using Tapatalk


Could I get some explanation? I'm trying to understand this OpenWRT interface stuff.

I have interfaces, I understand that. And I can attach several network interfaces to this interface. What does the attaching do?

The thing is, my tun0 interface (AirVPN) does get an AirVPN IP (or at least I think so, as it is not my ISP's, it's in the ballpark of 10.4.x.x, and I also see the connection in my AirVPN profile on this site).

So, to my understanding, all I need to do would be to "attach" my wifi to my AirVPN.

Now, I checked my configuration again against the guide, and maybe I don't get it, and that's why I need some info:

Not one device is attached to my AirVPN. In fact, AirVPN is attached to itself. I added screenshots, please check them.

I don't get this. Now again, I'm a layman when it comes to networks, but to my understanding it should look something like this (sorry for this stupid visualization):

 

 

fritz.box(with internet access, and my DHCP server)---[LAN CABLE]--->OpenWRT(LAN Interface, as DHCP client)

 

 

 

And inside the OpenWRT:

 

 

OpenWRTs LAN Interface <-------[OpenVPN]------> tun0 Interface(AirVPN)<---->Secured Wifi.

 

 

 

Now everything except the last step works. I have internet access on the wifi of my OpenWRT, but it is not linked up with my tun0.

Basically, to stay with this stupid visualisation, I get:

OpenWRTs LAN Interface <----> Wifi

and

OpenWRTs LAN Interface <------[OpenVPN]------> tun0 Interface(AirVPN)

 

 

 

 

Please look at my attached screens, as I don't see any connection between my Wifi and the AirVPN.

Now I tried to just link my wifi to the tun0 device, but then my OpenWRT gets unresponsive and I have to reset again. I have to give my wifi card a static IP to connect to the network, and I don't have any internet whatsoever; I can't connect to OpenWRT either.

Edit:

I think the command provided by zhang888

/usr/sbin/iptables -t nat -A POSTROUTING -o tun+ -j SNAT --to-source $(ifconfig tun1 | grep "inet addr" | awk -F: '{print $2}' | awk '{print $1}')

should resolve that issue, as it's there to route my traffic through my tun0 interface, but sadly it does not work. (Also I had to change tun1 to tun0, as there is no tun1 device.)


Ok, I'm back at square 1. Just reset OpenWRT for the millionth time. So, does somebody have a step-by-step guide? Apparently the ones here in the forum don't work for me.


Ok, I'm back at square 1. Just reset OpenWRT for the millionth time. So, does somebody have a step-by-step guide? Apparently the ones here in the forum don't work for me.

 

I just looked up the specifications of that router.  I'd say don't bother trying to run openvpn on it.  It'll be too slow.  It has a 560MHz MIPS single core CPU.  That's just not enough CPU.


 

 

 

 

Ok, I'm back at square 1. Just reset OpenWRT for the millionth time. So, does somebody have a step-by-step guide? Apparently the ones here in the forum don't work for me.

I just looked up the specifications of that router.  I'd say don't bother trying to run openvpn on it.  It'll be too slow.  It has a 560MHz MIPS single core CPU.  That's just not enough CPU.

Really? At least I want to try.
