AirVPN configuration on OpenWRT, preventing traffic leakage outside tunnel.

[ulmwind 6]

Initially you should have router with OpenWRT firmware with OpenVPN client enabled. The main page of the firmware is http://openwrt.org Router, flashed with OpenWRT firmware image, initially accept connection only by telnet, so you should connect to it by telnet to the IP 192.168.1.1 and change root password with command "passwd". After this command it accepts connection via ssh. By default openvpn isn't included in the firmware image, so you should install it by use of opkg:

 

# opkg update
# opkg install openvpn-openssl
 

 

You can also install luci-component of openvpn configuration, but it is optional:

 

# opkg install install luci-app-openvpn
 

 

You can also build firmware image with openvpn.
Good manual of general OpenVPN client configuration you can find on the page https://github.com/StreisandEffect/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client We will follow it with modifications, specific for AirVPN.
After openvpn installation you can make it autostarting when router starts:

 

# /etc/init.d/openvpn enable
 

 

Download configuration files needed for OpenVPN connection via tool on the link https://airvpn.org/generator Choose "Linux", and further options. Notice, that there is amount of different options like country, protocol, and port number. In the result you get one or more OpenVPN configuration files with extension "ovpn", possibly in archive. File name in the archive defines country or region, number, protocol and port. For example, consider the file "AirVPN_America_UDP-443.ovpn" "America" means America, "UDP" means UDP protocol, and "443" means port number. We will use this file for example, other files are treated similarly.
Comment with "#" the option "explicit-exit-notify 5" in the file, because OpenVPN client in OpenWRT doesn't recognize it. In result the line should start with "#": "# explicit-exit-notify 5". Copy the file "AirVPN_America_UDP-443.ovpn" with pscp or WinSCP programs in Windows, scp command in Linux to /etc/openvpn/ folder of router filesystem. In case of copy problems you should force using exactly scp protocol (it also can use sftp). The file itself contains contents of file "ca.crt" between tags "<ca>" and "</ca>", "user.crt" between tags "<cert>" and "</cert>", "user.key" between tags "<key>" and "</key", and contents of file "ta.key" between tags "<tls-auth>" and "</tls-auth>". You can create separate files "ca.crt", "user.crt", "user.key", and "ta.key" with corresponding content excluding tags, in the same folder, and replace tags with content in original file with following strings:

 

ca ca.crt
cert user.crt
key user.key
tls-auth ta.key 1
 

 

Notice, that contents of all files for different OpenVPN configuration files are identical. In other words, the significand difference of OpenVPN configuration files is string, containing server address and port, beginning with the word "remote".
Configuration of OpenVPN using the file "AirVPN_America_UDP-443.ovpn" could be implemented by two ways.
1) Change the extension of the file "ovpn" to "conf". In this case OpenVPN will find it automatically by extension.
2) Specify file name in /etc/config/openvpn You can use uci:

 

# uci set openvpn.airvpn=openvpn
# uci set openvpn.airvpn.enabled='1'
# uci set openvpn.airvpn.config='/etc/openvpn/AirVPN_America_UDP-443.ovpn'
# uci commit openvpn
 

 

The file /etc/config/openvpn should contain following appended strings:

 

config openvpn 'airvpn'
        option enabled '1'    
        option config '/etc/openvpn/AirVPN_America_UDP-443.ovpn'
 

 

You can also change extension of the file "ovpn" to "conf", and speficify it in the file /etc/config/openvpn, in this case OpenVPN will start with this configuration file just once.

You can also manually specify parameters specific for OpenVPN-connection in the file /etc/config/openvpn. In this case you don't need the file "AirVPN_America_UDP-443.ovpn", because all necessary parameters from it are specified explicitly. However, it is tiresomely.

Create new network interface:

 

# uci set network.airvpntun=interface
# uci set network.airvpntun.proto='none'
# uci set network.airvpntun.ifname='tun0'
# uci commit network
 

 

The file /etc/config/network should contain following appended strings:

 

config interface 'airvpntun'
        option proto 'none'   
        option ifname 'tun0'
 

 

Create new firewall zone and add forwarding rule from LAN to VPN:

 

# uci add firewall zone
# uci set firewall.@zone[-1].name='vpnfirewall'
# uci set firewall.@zone[-1].input='REJECT'
# uci set firewall.@zone[-1].output='ACCEPT'
# uci set firewall.@zone[-1].forward='REJECT'
# uci set firewall.@zone[-1].masq='1'
# uci set firewall.@zone[-1].mtu_fix='1'
# uci add_list firewall.@zone[-1].network='airvpntun'
# uci add firewall forwarding
# uci set firewall.@forwarding[-1].src='/external_image/?url=lan'
# uci set firewall.@forwarding[-1].dest='vpnfirewall'
# uci commit firewall
 

To prevent traffic leakage outside the VPN-tunnel you should remove forwarding rule from lan to wan. In default configuration there is single forwarding rule, so the command is:

 

# uci del firewall.@forwarding[0]
 

 

You can also set "masquerading" option to '0' for wan zone, it goes after lan zone, so the command is:

 

# uci set firewall.@zone[1].masq=0
 

 

After configuration you should commit changes:

 

# uci commit firewall
 

 

 

The file /etc/config/firewall should contain following appended strings:

 

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'        
        option mtu_fix '1'  
        list network 'airvpntun'
           
config forwarding        
        option src 'lan'     
        option dest 'vpnfirewall'
 

Now we should configure DNS servers. The simplest approach is to use public DNS for WAN interface of router. You can add OpenDNS:

 

# uci set network.wan.peerdns='0'
# uci del network.wan.dns
# uci add_list network.wan.dns='208.67.222.222'
# uci add_list network.wan.dns='208.67.220.220'
# uci commit
 

 

The file /etc/config/network should contain section 'wan' with following strings (three bottom strings has been appended):

 

config interface 'wan'                         
        option ifname 'eth0.2'                 
        option force_link '1'                  
        option proto 'dhcp'                    
        option peerdns '0'                     
        list dns '208.67.222.222'                     
        list dns '208.67.220.220'  
 

 

You can also add GoogleDNS:

 

# uci set network.wan.peerdns='0'
# uci del network.wan.dns
# uci add_list network.wan.dns='8.8.8.8'
# uci add_list network.wan.dns='8.8.4.4'
# uci commit
 

 

The appended strings should be similar to previous one.

To prevent traffic leakage in case VPN-tunnel drops you should edit the file /etc/firewall.user with following content:

 

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
        iptables -I forwarding_rule -j REJECT
fi
if (! iptables -C forwarding_lan_rule ! -o tun+ -j REJECT); then
        iptables -I forwarding_lan_rule ! -o tun+ -j REJECT
fi

 

You should also create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with following content:

 

#!/bin/sh
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
        iptables -D forwarding_rule -j REJECT
fi
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
        iptables -I forwarding_rule -j REJECT
fi

 

In some cases openvpn hangs with log message like (couldn't resolve host ...). In this case tunnel stays up, but connection is lost. It should be reconnected manually, with the following script /etc/openvpn/reconnect.sh, which is added to /etc/rc.local as:

 

/etc/openvpn/reconnect.sh &
 

 

The content of script reconnect.sh is like:
 

#!/bin/sh
n=10
while sleep 50; do
        t=$(ping -c $n 8.8.8.8 | grep -o -E '\d+ packets r' | grep -o -E '\d+')
        if [ "$t" -eq 0 ]; then
                /etc/init.d/openvpn restart
        fi
done

Update of luci-app-openvpn - git-19.256.41054-c048f23-1 tried to find file with name 'openvpn-airvpn.conf' (see section in /etc/openvpn/config). So you should rename your file 'AirVPN_America_UDP-443.ovpn' to 'openvpn-airvpn.conf', and comment or remove corresponding string:
 

config openvpn 'airvpn'
        option enabled '1'    
#        option config '/etc/openvpn/AirVPN_America_UDP-443.ovpn'

Edited ... by ulmwind
Update of luci-app-openvpn - git-19.256.41054-c048f23-1

[satyano 0]

Hi there,

 

thanks for taking the time to document this, there's no clear tutorial for OpenWRT + Openvpn, even less so for Air's cert-based auth.

 

I managed to get Lede working on my tp link. There's one thing i dont understand though, why point to OpenDNS rather than Air's servers?

 

When i do an ipleak test after I connect on the AirVPN-ed Wifi AP I now get an exit node in Sweden and 5 DNS IPs in NL ; before when I used Eddie they were all in the same place.

 

Performance is quite poor, about 2mbit/s on a 30mbit/s line when using Eddie straight on my laptop I get 20-25mbits. The OpenVPN process used 5%cpu (700mhz) and 6% memory (out of 64) and there's space left on the Flash memory ; I don't think it's hardware-related.

So I guess next step is performance fine tuning, can you recommend steps or tutorials to get back to proper speeds?

 

Also about the last step, what's that weird filename?

 

Thanks !

[ulmwind 6]

Satyano, DNS issue is to your disposal. There is no extreme need to use only open DNS servers, you can use Air DNS as well

What is the exact model of your router? What speed do you observe while using it in standard mode? How have you measured speed? I recommend to use several methods: speedtest, popular torrents seeding and leeching.

If you mean weird file name 99-prevent-leak, you can name it as you wish, I suggest only the script to be executed after scripts in this folder.

[xero 1]

Hi there,
 
thanks for the guide, but Im still having trouble getting a connection. If Im reading the logs right, the initialization works fine, but then the server times out. The router is a Turris Omnia with a forked openwrt 15.05 - any help is appreciated...
  
 
 
 
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: OpenVPN 2.3.6 arm-openwrt-linux-gnu [sSL (OpenSSL)] [LZO] [EPOLL] [MH] [iPv6] built on Sep  5 2016
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.08
2016-12-14T18:39:30+01:00 warning openvpn(airnether)[8808]: WARNING: file 'user.key' is group or others accessible
2016-12-14T18:39:30+01:00 warning openvpn(airnether)[8808]: WARNING: file 'ta.key' is group or others accessible
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: Socket Buffers: R=[163840->131072] S=[163840->131072]
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: UDPv4 link local: [undef]
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: UDPv4 link remote: [AF_INET]109.232.227.137:443
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: TLS: Initial packet from [AF_INET]109.232.227.137:443, sid=8d86ce97 cacfbf5f
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: Validating certificate key usage
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: ++ Certificate has key usage  00a0, expects 00a0
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: VERIFY KU OK
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: Validating certificate extended key usage
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: VERIFY EKU OK
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
2016-12-14T18:39:34+01:00 notice openvpn(airnether)[8808]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2016-12-14T18:39:34+01:00 notice openvpn(airnether)[8808]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-12-14T18:39:34+01:00 notice openvpn(airnether)[8808]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2016-12-14T18:39:34+01:00 notice openvpn(airnether)[8808]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-12-14T18:39:34+01:00 notice openvpn(airnether)[8808]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
2016-12-14T18:39:34+01:00 notice openvpn(airnether)[8808]: [server] Peer Connection Initiated with [AF_INET]109.232.227.137:443
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.60.48 255.255.0.0'
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: OPTIONS IMPORT: timers and/or timeouts modified
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: OPTIONS IMPORT: LZO parms modified
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: OPTIONS IMPORT: --ifconfig/up options modified
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: OPTIONS IMPORT: route options modified
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: OPTIONS IMPORT: route-related options modified
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: TUN/TAP device tun0 opened
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: TUN/TAP TX queue length set to 100
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: /sbin/ifconfig tun0 10.4.60.48 netmask 255.255.0.0 mtu 1500 broadcast 10.4.255.255
2016-12-14T18:39:36+01:00 notice netifd[]: Interface 'airvpntun' is enabled
2016-12-14T18:39:36+01:00 notice netifd[]: Network device 'tun0' link is up
2016-12-14T18:39:36+01:00 notice netifd[]: Interface 'airvpntun' has link connectivity 
2016-12-14T18:39:36+01:00 notice netifd[]: Interface 'airvpntun' is setting up now
2016-12-14T18:39:36+01:00 notice netifd[]: Interface 'airvpntun' is now up
2016-12-14T18:39:36+01:00 notice firewall[]: Reloading firewall due to ifup of airvpntun (tun0)
2016-12-14T18:39:41+01:00 notice openvpn(airnether)[8808]: /sbin/route add -net 109.232.227.137 netmask 255.255.255.255 gw 192.168.1.1
2016-12-14T18:39:41+01:00 notice openvpn(airnether)[8808]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.4.0.1
2016-12-14T18:39:41+01:00 notice openvpn(airnether)[8808]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.4.0.1
2016-12-14T18:39:41+01:00 notice openvpn(airnether)[8808]: Initialization Sequence Completed
2016-12-14T18:42:28+01:00 notice openvpn(airnether)[8808]: [server] Inactivity timeout (--ping-restart), restarting
2016-12-14T18:42:28+01:00 notice openvpn(airnether)[8808]: SIGUSR1[soft,ping-restart] received, process restarting
2016-12-14T18:42:28+01:00 notice openvpn(airnether)[8808]: Restart pause, 2 second(s)
2016-12-14T18:42:30+01:00 notice openvpn(airnether)[8808]: Socket Buffers: R=[163840->131072] S=[163840->131072]
2016-12-14T18:42:30+01:00 notice openvpn(airnether)[8808]: UDPv4 link local: [undef]
2016-12-14T18:42:30+01:00 notice openvpn(airnether)[8808]: UDPv4 link remote: [AF_INET]109.232.227.137:443
2016-12-14T18:43:30+01:00 notice openvpn(airnether)[8808]: [uNDEF] Inactivity timeout (--ping-restart), restarting
2016-12-14T18:43:30+01:00 notice openvpn(airnether)[8808]: SIGUSR1[soft,ping-restart] received, process restarting
2016-12-14T18:43:30+01:00 notice openvpn(airnether)[8808]: Restart pause, 2 second(s)
2016-12-14T18:43:32+01:00 notice openvpn(airnether)[8808]: Socket Buffers: R=[163840->131072] S=[163840->131072]
2016-12-14T18:43:32+01:00 notice openvpn(airnether)[8808]: UDPv4 link local: [undef]
2016-12-14T18:43:32+01:00 notice openvpn(airnether)[8808]: UDPv4 link remote: [AF_INET]109.232.227.137:443

[ulmwind 6]

xero, try to add option

 

keepalive 10 60
 

 

to *.ovpn file.

[LZ1 672]

Hello!

 

I think Air would recommend OpenNIC as Air donates to them and they align with AirVPN values .

[regulator 2]

Hi,

 

applied this to my travel router and works fine for free hotspots. However every time when connecting to a non-free hotspot, the router cant be used since Internet connectivity needs to be established by signing in before a VPN tunnel can be established. Unfortunately the router drops all traffic if the VPN tunnel is not established.

Is there a way to hibernate the VPN for a minute or so, just enough to let me log in?

 

Another aspect: sometimes specific ports are blocked by the provider. While it is not a big issue for Eddie, working with OpenWRT is a pain. Is there a configuration that checks which port is open and then picks a VPN server with the right port number?

[htpc 9]

thanks ulmwind for this guide!!!

 

I do have a question though regarding disconnects. I'm on an LTE connection and they have a forced disconnect every 24h that also result in a new public IP (LTE router). Unfortunately this seems to break the setup and I have to manually restart OpenVPN in OpenWRT to re-gain connection. Is this expected behavior? Can this be avoided somehow?

 

I followed this guide for the setup to the point.

 

Thanks!

 

Edit: I also found and followed your advice over at OpenWRT forums https://forum.openwrt.org/viewtopic.php?id=70245 and replaced

ip a s tun0 up with ifconfig tun0

I'm still having the same issue!?

[htpc 9]

Update: After a restart of the router the problem seems to be resolved and everything is working as expected!

[htpc 9]

Is it safe to run a firmware upgrade without loosing all those settings? I'm on LEDE 17.01.2. and want to upgrade to LEDE 17.01.4 as they have addressed the Krack vulnerability with the update.

 

Thanks for your help!

[ulmwind 6]

Yes, but files in /etc/hotplug.d/iface are not saved. You should to recreate them.

[klebek255 0]

great tutorial. I´ve tested it with linksys wrt3200 and it works like a charm. Thanks. There is a small typoin the line # uci set network.airvpntunh.ifname='tun0' it should be # uci set network.airvpntun.ifname='tun0'.

[klebek255 0]

Do not forget to block ipv6 DNS request otherwise you will be leaking dns. I did it in firewall setting in UI.

[phikoen 0]

Dear ulmwind,

 

first of all many thanks for writing this tutorial.

 

As this tutorial is pretty old, I still tried to use it with airvpn. I was able to ping any server on the router itself (connected via ssh) - However - On my laptop it was not working. I tried to visit google.com and airvpn.org and I always received ERR_NAME_NOT_RESOLVED.

 

Any help would be appreciated.

 

Best regards

[Whisperer 2]

I was able to configure following these instructions and am able to start the tunnel. It would be nice if at one point we could use LuCi as well, it has made such great progress.

 

Concerning the firewall rules: I want my gaming/netflix/work traffic to go outside of the VPN, so I need to establish a split-tunnel configuration where only certain clients/IP's or certain ports are rerouted through the tunnel. Could somebody tell me which uci firewall commands I can use to create that config?

 

My thinking is would just have to change the forwarding rule from src=lan to src_ip while keeping the default forwarding rule. But would that prevent the src_ip from connecting if the tunnel is down?

 

Also, I lose all DNS resolution the instant I bring up the tunnel, even with the default forwarding rule present. Probably my fault.

After I entered the AirVPN DNS server (as listed in the specs-page) into the wan-interface, I got my resolution back. Apparently, the DNS push doesn't work with this configuration.

Also makes me wonder what happens in my split tunnel config. I'm guessing as long as the tunnel is up, it'll work. If it goes down, the DNS server becomes unreachable. Maybe I should add a Public DNS as a secondary .

[k0lovratok 5]

​

Dear ulmwind,

 

first of all many thanks for writing this tutorial.

 

As this tutorial is pretty old, I still tried to use it with airvpn. I was able to ping any server on the router itself (connected via ssh) - However - On my laptop it was not working. I tried to visit google.com and airvpn.org and I always received ERR_NAME_NOT_RESOLVED.

 

Any help would be appreciated.

 

Best regards

 

​This is probably because you configured your DNS with AirVPN's DNS, thus when your VPN tunnel is down, you need to connect again to get DNS resolution, but you won't be able to connect, because Air's hostnames will not resolve until VPN tunnel is up.... Chatch 22.

​There are 2 possible resolutions (as I see it) :

​1. use some public or your provider's DNS outside of VPN (I use public OpenNIC DNS with dnscrypt).

​2. use ip addresses in your opvn file instead of hostnames.

​

[crazyjoe 0]

Thank you for this! Works fine with OpenWrt 18.06.0.

[Moat 11]

thanks for the guide

in my case I end up with openvpn internet on wifi and no internet on lan, onle the openwrt router is accessible on lan with this set-up.

how do I also get internet on the lan?

 

And also, this setup does not play nice with changing the WIFI mac address. when changing the wifi mac address wifi is not associated

uci set wireless.@wifi-iface[0].macaddr='xx:xx:xx:xx:xx:xx'
 

[ulmwind 6]

Dear ulmwind,

 

first of all many thanks for writing this tutorial.

 

As this tutorial is pretty old, I still tried to use it with airvpn. I was able to ping any server on the router itself (connected via ssh) - However - On my laptop it was not working. I tried to visit google.com and airvpn.org and I always received ERR_NAME_NOT_RESOLVED.

 

Any help would be appreciated.

 

Best regards

Thank you for nice feedback. The tutorial is still up-to-date. Try to ping any site by IP, you have DNS problems. What are DNS of you laptop?

 

I was able to configure following these instructions and am able to start the tunnel. It would be nice if at one point we could use LuCi as well, it has made such great progress.

 

Concerning the firewall rules: I want my gaming/netflix/work traffic to go outside of the VPN, so I need to establish a split-tunnel configuration where only certain clients/IP's or certain ports are rerouted through the tunnel. Could somebody tell me which uci firewall commands I can use to create that config?

 

My thinking is would just have to change the forwarding rule from src=lan to src_ip while keeping the default forwarding rule. But would that prevent the src_ip from connecting if the tunnel is down?

 

Also, I lose all DNS resolution the instant I bring up the tunnel, even with the default forwarding rule present. Probably my fault.

After I entered the AirVPN DNS server (as listed in the specs-page) into the wan-interface, I got my resolution back. Apparently, the DNS push doesn't work with this configuration.

Also makes me wonder what happens in my split tunnel config. I'm guessing as long as the tunnel is up, it'll work. If it goes down, the DNS server becomes unreachable. Maybe I should add a Public DNS as a secondary .

I use public DNS, so it is not issue for me. You can also use specific DNS depending on tunnel is up or down. It is executed by modifying the file in /tmp folder triggered by ifup-ifdown event of tun0 in hotplug script or OpenVPN-config itself (it is described in full version of manual, see the link). No, pure firewall rules are not sufficient in your case. You should create additional routing table, mark packets from specific IPs, and direct them into additional table.

 

thanks for the guide

in my case I end up with openvpn internet on wifi and no internet on lan, onle the openwrt router is accessible on lan with this set-up.

how do I also get internet on the lan?

 

And also, this setup does not play nice with changing the WIFI mac address. when changing the wifi mac address wifi is not associated

uci set wireless.@wifi-iface[0].macaddr='xx:xx:xx:xx:xx:xx'

 

Sorry, I don't understand your issues.

[Jeremyx3 2]

So how does one get ipv6 now? I'm connected to a server that supports it. So what more do I need to do? I also made sure to click advanced settings and yes I need ipv6 and to connect over ipv4. So how do I get ipv6?

[Moat 11]

Question ulmwind:

I see in the system log file the following line:

Thu Jan 17 20:38:32 2019 daemon.notice procd: /etc/rc.d/S95done: /etc/rc.local: line 4: /etc/openvpn/reconnect.sh: Permission denied

 

Line 4 has:

        if [ "$t" -eq 0 ]; then
 

as per copy-paste from your guide.

 

 

Do you have a suggestion how I may solve this error?

Thanks!

[Moat 11]

Do not forget to block ipv6 DNS request otherwise you will be leaking dns. I did it in firewall setting in UI.

Can you please show us how to block ipv6 DNS requests in the firewall UI ? Thanks!

[ulmwind 6]

On 1/17/2019 at 8:45 PM, Moat said:

Question ulmwind:

I see in the system log file the following line:

Thu Jan 17 20:38:32 2019 daemon.notice procd: /etc/rc.d/S95done: /etc/rc.local: line 4: /etc/openvpn/reconnect.sh: Permission denied

 

Line 4 has:

        if [ "$t" -eq 0 ]; then
 

as per copy-paste from your guide.

 

 

Do you have a suggestion how I may solve this error?

Thanks!

You should initially try to run the script from command line; I think, you should just make it executable: # chmod +x /etc/openvpn/reconnect.sh Check also spaces in script, they are significant.