AirVPN configuration on OpenWRT, preventing traffic leakage outside tunnel.


#1 ulmwind

Posted 18 November 2016 - 05:50 PM

Initially you should have a router with OpenWRT firmware and the OpenVPN client enabled. The main page of the firmware is http://openwrt.org. A router flashed with an OpenWRT firmware image initially accepts connections only by telnet, so you should connect to it by telnet at the IP 192.168.1.1 and change the root password with the command "passwd". After this command it accepts connections via ssh. By default openvpn isn't included in the firmware image, so you should install it by use of opkg:

# opkg update
# opkg install openvpn-openssl

You can also install the luci component for openvpn configuration, but it is optional:

# opkg install luci-app-openvpn

You can also build a firmware image with openvpn.
A good manual of general OpenVPN client configuration can be found on the page https://github.com/jlund/streisand/wiki/Setting-an-OpenWrt-Router-as-OpenVPN-Client We will follow it with modifications specific for AirVPN.
After openvpn installation you can make it autostart when the router starts:

# /etc/init.d/openvpn enable

Download the configuration files needed for the OpenVPN connection via the tool at the link https://airvpn.org/generator Choose "Linux", and the further options. Notice that there is a number of different options like country, protocol, and port number. As a result you get one or more OpenVPN configuration files with the extension "ovpn", possibly in an archive. The file name in the archive defines country or region, number, protocol and port. For example, consider the file "AirVPN_America_UDP-443.ovpn": "America" means America, "UDP" means UDP protocol, and "443" means the port number. We will use this file as the example; other files are treated similarly.
Comment out with "#" the option "explicit-exit-notify 5" in the file, because the OpenVPN client in OpenWRT doesn't recognize it. As a result the line should start with "#": "# explicit-exit-notify 5". Copy the file "AirVPN_America_UDP-443.ovpn" with the pscp or WinSCP programs in Windows, or the scp command in Linux, to the /etc/openvpn/ folder of the router filesystem. In case of copy problems you should force using exactly the scp protocol (it can also use sftp). The file itself contains the contents of the file "ca.crt" between the tags "<ca>" and "</ca>", "user.crt" between the tags "<cert>" and "</cert>", "user.key" between the tags "<key>" and "</key>", and the contents of the file "ta.key" between the tags "<tls-auth>" and "</tls-auth>". You can create the separate files "ca.crt", "user.crt", "user.key", and "ta.key" with the corresponding content excluding the tags, in the same folder, and replace the tags with content in the original file with the following strings:

ca ca.crt
cert user.crt
key user.key
tls-auth ta.key 1

Notice that the contents of all these files are identical for the different OpenVPN configuration files. In other words, the significant difference between the OpenVPN configuration files is the string containing the server address and port, beginning with the word "remote".
Configuration of OpenVPN using the file "AirVPN_America_UDP-443.ovpn" can be implemented in two ways.
1) Change the extension of the file from "ovpn" to "conf". In this case OpenVPN will find it automatically by extension.
2) Specify the file name in /etc/config/openvpn. You can use uci:

# uci set openvpn.airvpn=openvpn
# uci set openvpn.airvpn.enabled='1'
# uci set openvpn.airvpn.config='/etc/openvpn/AirVPN_America_UDP-443.ovpn'
# uci commit openvpn

The file /etc/config/openvpn should then contain the following appended strings:

config openvpn 'airvpn'
        option enabled '1'
        option config '/etc/openvpn/AirVPN_America_UDP-443.ovpn'

You can also change the extension of the file from "ovpn" to "conf" and specify it in the file /etc/config/openvpn; in this case OpenVPN will start with this configuration file just once.

You can also manually specify the parameters specific to the OpenVPN connection in the file /etc/config/openvpn. In this case you don't need the file "AirVPN_America_UDP-443.ovpn", because all the necessary parameters from it are specified explicitly. However, it is tiresome.

Create a new network interface:

# uci set network.airvpntun=interface
# uci set network.airvpntun.proto='none'
# uci set network.airvpntun.ifname='tun0'
# uci commit network

The file /etc/config/network should contain the following appended strings:

config interface 'airvpntun'
        option proto 'none'
        option ifname 'tun0'

Create a new firewall zone and add a forwarding rule from LAN to VPN:

# uci add firewall zone
# uci set firewall.@zone[-1].name='vpnfirewall'
# uci set firewall.@zone[-1].input='REJECT'
# uci set firewall.@zone[-1].output='ACCEPT'
# uci set firewall.@zone[-1].forward='REJECT'
# uci set firewall.@zone[-1].masq='1'
# uci set firewall.@zone[-1].mtu_fix='1'
# uci add_list firewall.@zone[-1].network='airvpntun'
# uci add firewall forwarding
# uci set firewall.@forwarding[-1].src='lan'
# uci set firewall.@forwarding[-1].dest='vpnfirewall'
# uci commit firewall

The file /etc/config/firewall should contain the following appended strings:

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'airvpntun'

config forwarding
        option src 'lan'
        option dest 'vpnfirewall'

Now we should configure the DNS servers. The simplest approach is to use public DNS for the WAN interface of the router. You can add OpenDNS:

# uci set network.wan.peerdns='0'
# uci del network.wan.dns
# uci add_list network.wan.dns='208.67.222.222'
# uci add_list network.wan.dns='208.67.220.220'
# uci commit

The file /etc/config/network should contain the section 'wan' with the following strings (the three bottom strings have been appended):

config interface 'wan'
        option ifname 'eth0.2'
        option force_link '1'
        option proto 'dhcp'
        option peerdns '0'
        list dns '208.67.222.222'
        list dns '208.67.220.220'

You can also add Google DNS:

# uci set network.wan.peerdns='0'
# uci del network.wan.dns
# uci add_list network.wan.dns='8.8.8.8'
# uci add_list network.wan.dns='8.8.4.4'
# uci commit

The appended strings should be similar to the previous ones.

To prevent traffic leakage in case the VPN tunnel drops, you should edit the file /etc/firewall.user with the following content:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
        iptables -I forwarding_rule -j REJECT
fi

You should also create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with the following content:

#!/bin/sh
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
        iptables -D forwarding_rule -j REJECT
fi
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
        iptables -I forwarding_rule -j REJECT
fi

In some cases openvpn hangs with a log message like (couldn't resolve host ...). In this case the tunnel stays up, but the connection is lost. It should be reconnected manually, with the following script /etc/openvpn/reconnect.sh, which is added to /etc/rc.local as:

/etc/openvpn/reconnect.sh &

The content of the script reconnect.sh is like:

#!/bin/sh
# Probe every 50 seconds; restart OpenVPN when no ping reply comes back.
n=10
while sleep 50; do
        # busybox grep -E has no \d escape; use [0-9] to extract the received count
        t=$(ping -c $n 8.8.8.8 | grep -o -E '[0-9]+ packets r' | grep -o -E '[0-9]+')
        # an empty $t (ping could not even resolve/reach the host) also counts as dead
        if [ "${t:-0}" -eq 0 ]; then
                /etc/init.d/openvpn restart
        fi
done

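As an added example (not code from the original post), here is the leak-guard logic of /etc/firewall.user and 99-prevent-leak factored into shell functions with a more robust tunnel check, and with the ip/iptables commands overridable so the decision can be exercised with stubs on any machine. The names vpn_guard, tun_is_up, block_present, decide, apply_policy and the IP_CMD/IPT_CMD/TUN_DEV variables are my own; it also generalizes the two scripts into a single consistency check that fits both the firewall reload and the hotplug events.

```shell
#!/bin/sh
# vpn_guard.sh (hypothetical name): keep the forwarding_rule REJECT in step
# with the state of tun0. Added example; IP_CMD/IPT_CMD/TUN_DEV are overridable
# so the logic can run against stub functions instead of a real router.
IP_CMD="${IP_CMD:-ip}"
IPT_CMD="${IPT_CMD:-iptables}"
TUN_DEV="${TUN_DEV:-tun0}"

# True only when the tunnel device exists AND is up. "ip addr show tun0 up"
# exits 0 with empty output when tun0 exists but is down, so "! ip a s tun0 up"
# cannot see that case; checking the output instead of the exit status does.
tun_is_up() {
    "$IP_CMD" link show "$TUN_DEV" up 2>/dev/null | grep -q "$TUN_DEV"
}

# True when the blanket REJECT already sits in the forwarding_rule chain.
block_present() {
    "$IPT_CMD" -C forwarding_rule -j REJECT 2>/dev/null
}

# Pure decision: $1 = tunnel up (1/0), $2 = block present (1/0).
#   insert - tunnel down and nothing blocks LAN->WAN forwarding yet
#   delete - tunnel up again but the block is still there
#   noop   - state is already consistent
decide() {
    if [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then
        echo insert
    elif [ "$1" -eq 1 ] && [ "$2" -eq 1 ]; then
        echo delete
    else
        echo noop
    fi
}

# Read the real state, apply the decision and print what was done. Safe to run
# from firewall.user on every firewall reload and from a hotplug.d/iface script
# on every ifup/ifdown, whichever interface triggered the event.
apply_policy() {
    tun_up=0; blocked=0
    tun_is_up && tun_up=1
    block_present && blocked=1
    what=$(decide "$tun_up" "$blocked")
    case "$what" in
        insert) "$IPT_CMD" -I forwarding_rule -j REJECT ;;
        delete) "$IPT_CMD" -D forwarding_rule -j REJECT ;;
    esac
    echo "$what"
}

# Invoke as "sh vpn_guard.sh apply" (or source the file and call apply_policy).
if [ "${1:-}" = apply ]; then
    apply_policy
fi
```
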

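A second added example (again not from the original post): the reconnect.sh watchdog with the received-packet count parsed by a function that works with busybox grep and copes with an empty result, which is what the '\d' escape (PCRE syntax that POSIX and busybox grep -E do not understand) silently produces. Function and variable names are my own; PING_CMD and RESTART_CMD are overridable so the logic can be tested with stubs.

```shell
#!/bin/sh
# reconnect watchdog (added example, hypothetical names). Every 50 s ping a
# probe host through the tunnel; if nothing comes back, restart OpenVPN.
PING_CMD="${PING_CMD:-ping}"
RESTART_CMD="${RESTART_CMD:-/etc/init.d/openvpn restart}"
PROBE_HOST="${PROBE_HOST:-8.8.8.8}"
PROBE_COUNT="${PROBE_COUNT:-10}"

# Read ping output on stdin and print the number of replies received.
# Works for busybox ("10 packets transmitted, 0 packets received, 100% packet loss")
# and for iputils  ("10 packets transmitted, 7 received, 30% packet loss, time 9012ms").
# Prints -1 when no summary line is present (ping aborted, e.g. "bad address"),
# instead of leaving the variable empty and making "[ $t -eq 0 ]" error out.
received_packets() {
    n=$(grep -o -E '[0-9]+ (packets )?received' | head -n 1 | grep -o -E '^[0-9]+' || true)
    echo "${n:--1}"
}

# True when the count means the link is dead: no replies, or no summary at all.
link_is_dead() {
    [ "$1" -le 0 ]
}

# One probe round: run ping and reduce its output to the received count.
probe_once() {
    "$PING_CMD" -c "$PROBE_COUNT" "$PROBE_HOST" 2>&1 | received_packets
}

watchdog() {
    while sleep 50; do
        if link_is_dead "$(probe_once)"; then
            $RESTART_CMD
        fi
    done
}

# Started from /etc/rc.local as "/etc/openvpn/reconnect.sh run &".
if [ "${1:-}" = run ]; then
    watchdog
fi
```
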
#2 satyano

Posted 09 December 2016 - 08:42 PM

Hi there,

thanks for taking the time to document this, there's no clear tutorial for OpenWRT + Openvpn, even less so for Air's cert-based auth.

I managed to get Lede working on my tp link. There's one thing I don't understand though, why point to OpenDNS rather than Air's servers?

When I do an ipleak test after I connect on the AirVPN-ed Wifi AP I now get an exit node in Sweden and 5 DNS IPs in NL; before when I used Eddie they were all in the same place.

Performance is quite poor, about 2mbit/s on a 30mbit/s line, while using Eddie straight on my laptop I get 20-25mbits. The OpenVPN process used 5% CPU (700mhz) and 6% memory (out of 64) and there's space left on the Flash memory; I don't think it's hardware-related.

So I guess the next step is performance fine tuning, can you recommend steps or tutorials to get back to proper speeds?

Also about the last step, what's that weird filename?

Thanks!



#3 ulmwind

Posted 11 December 2016 - 09:54 AM

Satyano, the DNS issue is at your disposal. There is no extreme need to use only open DNS servers; you can use Air DNS as well.

What is the exact model of your router? What speed do you observe while using it in standard mode? How have you measured the speed? I recommend using several methods: speedtest, popular torrents seeding and leeching.

If you mean the weird file name 99-prevent-leak, you can name it as you wish; I only suggest that the script be executed after the other scripts in this folder.



#4 xero

Posted 14 December 2016 - 07:42 PM

Hi there,

thanks for the guide, but I'm still having trouble getting a connection. If I'm reading the logs right, the initialization works fine, but then the server times out. The router is a Turris Omnia with a forked openwrt 15.05 - any help is appreciated...

2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: OpenVPN 2.3.6 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep  5 2016
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.08
2016-12-14T18:39:30+01:00 warning openvpn(airnether)[8808]: WARNING: file 'user.key' is group or others accessible
2016-12-14T18:39:30+01:00 warning openvpn(airnether)[8808]: WARNING: file 'ta.key' is group or others accessible
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: Socket Buffers: R=[163840->131072] S=[163840->131072]
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: UDPv4 link local: [undef]
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: UDPv4 link remote: [AF_INET]109.232.227.137:443
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: TLS: Initial packet from [AF_INET]109.232.227.137:443, sid=8d86ce97 cacfbf5f
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: Validating certificate key usage
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: ++ Certificate has key usage  00a0, expects 00a0
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: VERIFY KU OK
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: Validating certificate extended key usage
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: VERIFY EKU OK
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
2016-12-14T18:39:34+01:00 notice openvpn(airnether)[8808]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2016-12-14T18:39:34+01:00 notice openvpn(airnether)[8808]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-12-14T18:39:34+01:00 notice openvpn(airnether)[8808]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2016-12-14T18:39:34+01:00 notice openvpn(airnether)[8808]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-12-14T18:39:34+01:00 notice openvpn(airnether)[8808]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
2016-12-14T18:39:34+01:00 notice openvpn(airnether)[8808]: [server] Peer Connection Initiated with [AF_INET]109.232.227.137:443
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.60.48 255.255.0.0'
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: OPTIONS IMPORT: timers and/or timeouts modified
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: OPTIONS IMPORT: LZO parms modified
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: OPTIONS IMPORT: --ifconfig/up options modified
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: OPTIONS IMPORT: route options modified
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: OPTIONS IMPORT: route-related options modified
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: TUN/TAP device tun0 opened
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: TUN/TAP TX queue length set to 100
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: /sbin/ifconfig tun0 10.4.60.48 netmask 255.255.0.0 mtu 1500 broadcast 10.4.255.255
2016-12-14T18:39:36+01:00 notice netifd[]: Interface 'airvpntun' is enabled
2016-12-14T18:39:36+01:00 notice netifd[]: Network device 'tun0' link is up
2016-12-14T18:39:36+01:00 notice netifd[]: Interface 'airvpntun' has link connectivity 
2016-12-14T18:39:36+01:00 notice netifd[]: Interface 'airvpntun' is setting up now
2016-12-14T18:39:36+01:00 notice netifd[]: Interface 'airvpntun' is now up
2016-12-14T18:39:36+01:00 notice firewall[]: Reloading firewall due to ifup of airvpntun (tun0)
2016-12-14T18:39:41+01:00 notice openvpn(airnether)[8808]: /sbin/route add -net 109.232.227.137 netmask 255.255.255.255 gw 192.168.1.1
2016-12-14T18:39:41+01:00 notice openvpn(airnether)[8808]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.4.0.1
2016-12-14T18:39:41+01:00 notice openvpn(airnether)[8808]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.4.0.1
2016-12-14T18:39:41+01:00 notice openvpn(airnether)[8808]: Initialization Sequence Completed
2016-12-14T18:42:28+01:00 notice openvpn(airnether)[8808]: [server] Inactivity timeout (--ping-restart), restarting
2016-12-14T18:42:28+01:00 notice openvpn(airnether)[8808]: SIGUSR1[soft,ping-restart] received, process restarting
2016-12-14T18:42:28+01:00 notice openvpn(airnether)[8808]: Restart pause, 2 second(s)
2016-12-14T18:42:30+01:00 notice openvpn(airnether)[8808]: Socket Buffers: R=[163840->131072] S=[163840->131072]
2016-12-14T18:42:30+01:00 notice openvpn(airnether)[8808]: UDPv4 link local: [undef]
2016-12-14T18:42:30+01:00 notice openvpn(airnether)[8808]: UDPv4 link remote: [AF_INET]109.232.227.137:443
2016-12-14T18:43:30+01:00 notice openvpn(airnether)[8808]: [UNDEF] Inactivity timeout (--ping-restart), restarting
2016-12-14T18:43:30+01:00 notice openvpn(airnether)[8808]: SIGUSR1[soft,ping-restart] received, process restarting
2016-12-14T18:43:30+01:00 notice openvpn(airnether)[8808]: Restart pause, 2 second(s)
2016-12-14T18:43:32+01:00 notice openvpn(airnether)[8808]: Socket Buffers: R=[163840->131072] S=[163840->131072]
2016-12-14T18:43:32+01:00 notice openvpn(airnether)[8808]: UDPv4 link local: [undef]
2016-12-14T18:43:32+01:00 notice openvpn(airnether)[8808]: UDPv4 link remote: [AF_INET]109.232.227.137:443



#5 ulmwind

Posted 27 December 2016 - 08:27 AM

xero, try to add the option

keepalive 10 60

to the *.ovpn file.



#6 LZ1

Posted 05 January 2017 - 04:09 PM

Hello!

I think Air would recommend OpenNIC as Air donates to them and they align with AirVPN values :).



#7 regulator

Posted 22 May 2017 - 06:52 PM

Hi,

applied this to my travel router and it works fine for free hotspots. However, every time when connecting to a non-free hotspot the router can't be used, since Internet connectivity needs to be established by signing in before a VPN tunnel can be established. Unfortunately the router drops all traffic if the VPN tunnel is not established.

Is there a way to hibernate the VPN for a minute or so, just enough to let me log in?

Another aspect: sometimes specific ports are blocked by the provider. While it is not a big issue for Eddie, working with OpenWRT is a pain. Is there a configuration that checks which port is open and then picks a VPN server with the right port number?



#8 htpc

Posted 04 August 2017 - 01:04 PM

thanks ulmwind for this guide!!!

I do have a question though regarding disconnects. I'm on an LTE connection and they have a forced disconnect every 24h that also results in a new public IP (LTE router). Unfortunately this seems to break the setup and I have to manually restart OpenVPN in OpenWRT to regain the connection. Is this expected behavior? Can this be avoided somehow?

I followed this guide for the setup to the point.

Thanks!

Edit: I also found and followed your advice over at the OpenWRT forums https://forum.openwrt.org/viewtopic.php?id=70245 and replaced

ip a s tun0 up with ifconfig tun0

I'm still having the same issue!?



#9 htpc

Posted 06 August 2017 - 02:50 PM

Update: After a restart of the router the problem seems to be resolved and everything is working as expected!



#10 htpc

Posted 25 October 2017 - 07:58 AM

Is it safe to run a firmware upgrade without losing all those settings? I'm on LEDE 17.01.2 and want to upgrade to LEDE 17.01.4 as they have addressed the Krack vulnerability with the update.

Thanks for your help!



#11 ulmwind

Posted 19 November 2017 - 09:51 PM

Yes, but files in /etc/hotplug.d/iface are not saved. You should recreate them.



#12 klebek255

Posted 13 January 2018 - 05:52 PM

Great tutorial. I've tested it with a Linksys wrt3200 and it works like a charm. Thanks. There is a small typo in the line # uci set network.airvpntunh.ifname='tun0'; it should be # uci set network.airvpntun.ifname='tun0'.
