AirVPN configuration on OpenWRT, preventing traffic leakage outside tunnel.

OpenVPN OpenWRT traffic leakage


#1 ulmwind

Posted 18 November 2016 - 05:50 PM

Initially you should have a router with OpenWRT firmware with the OpenVPN client enabled. The main page of the firmware is http://openwrt.org. A router flashed with an OpenWRT firmware image initially accepts connections only by telnet, so you should connect to it by telnet at the IP 192.168.1.1 and change the root password with the command "passwd". After this command it accepts connections via ssh. By default openvpn isn't included in the firmware image, so you should install it with opkg:

# opkg update
# opkg install openvpn-openssl

You can also install the luci component for openvpn configuration, but it is optional:

# opkg install luci-app-openvpn

You can also build a firmware image with openvpn.
A good manual for general OpenVPN client configuration can be found on the page https://github.com/StreisandEffect/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client. We will follow it with modifications specific to AirVPN.
After openvpn installation you can make it start automatically when the router starts:

# /etc/init.d/openvpn enable

Download the configuration files needed for the OpenVPN connection via the tool at https://airvpn.org/generator. Choose "Linux" and the further options. Notice that there are a number of different options like country, protocol and port number. As a result you get one or more OpenVPN configuration files with the extension "ovpn", possibly in an archive. The file name in the archive defines the country or region, number, protocol and port. For example, consider the file "AirVPN_America_UDP-443.ovpn": "America" means America, "UDP" means the UDP protocol, and "443" means the port number. We will use this file as an example; other files are treated similarly.
Comment out the option "explicit-exit-notify 5" in the file with "#", because the OpenVPN client in OpenWRT doesn't recognize it. As a result the line should start with "#": "# explicit-exit-notify 5". Copy the file "AirVPN_America_UDP-443.ovpn" with the pscp or WinSCP programs in Windows, or the scp command in Linux, to the /etc/openvpn/ folder of the router filesystem. In case of copy problems you should force the use of exactly the scp protocol (the programs can also use sftp). The file itself contains the contents of the file "ca.crt" between the tags "<ca>" and "</ca>", "user.crt" between the tags "<cert>" and "</cert>", "user.key" between the tags "<key>" and "</key>", and the contents of the file "ta.key" between the tags "<tls-auth>" and "</tls-auth>". You can create the separate files "ca.crt", "user.crt", "user.key" and "ta.key" with the corresponding content, excluding the tags, in the same folder, and replace the tags with content in the original file with the following strings:

ca ca.crt
cert user.crt
key user.key
tls-auth ta.key 1

Notice that the contents of all these files are identical across the different OpenVPN configuration files. In other words, the significant difference between the OpenVPN configuration files is the string containing the server address and port, beginning with the word "remote".
Configuration of OpenVPN using the file "AirVPN_America_UDP-443.ovpn" can be implemented in two ways.
1) Change the extension of the file from "ovpn" to "conf". In this case OpenVPN will find it automatically by extension.
2) Specify the file name in /etc/config/openvpn. You can use uci:

# uci set openvpn.airvpn=openvpn
# uci set openvpn.airvpn.enabled='1'
# uci set openvpn.airvpn.config='/etc/openvpn/AirVPN_America_UDP-443.ovpn'
# uci commit openvpn

The file /etc/config/openvpn should contain the following appended strings:

config openvpn 'airvpn'
        option enabled '1'
        option config '/etc/openvpn/AirVPN_America_UDP-443.ovpn'

You can also change the extension of the file from "ovpn" to "conf" and specify it in the file /etc/config/openvpn; in this case OpenVPN will start with this configuration file just once.

You can also manually specify the parameters specific to the OpenVPN connection in the file /etc/config/openvpn. In this case you don't need the file "AirVPN_America_UDP-443.ovpn", because all necessary parameters from it are specified explicitly. However, it is tiresome.

Create a new network interface:

# uci set network.airvpntun=interface
# uci set network.airvpntun.proto='none'
# uci set network.airvpntun.ifname='tun0'
# uci commit network

The file /etc/config/network should contain the following appended strings:

config interface 'airvpntun'
        option proto 'none'
        option ifname 'tun0'

Create a new firewall zone and add a forwarding rule from LAN to VPN:

# uci add firewall zone
# uci set firewall.@zone[-1].name='vpnfirewall'
# uci set firewall.@zone[-1].input='REJECT'
# uci set firewall.@zone[-1].output='ACCEPT'
# uci set firewall.@zone[-1].forward='REJECT'
# uci set firewall.@zone[-1].masq='1'
# uci set firewall.@zone[-1].mtu_fix='1'
# uci add_list firewall.@zone[-1].network='airvpntun'
# uci add firewall forwarding
# uci set firewall.@forwarding[-1].src='lan'
# uci set firewall.@forwarding[-1].dest='vpnfirewall'
# uci commit firewall

To prevent traffic leakage outside the VPN tunnel you should remove the forwarding rule from lan to wan. In the default configuration there is a single forwarding rule, so the command is:

# uci del firewall.@forwarding[0]

You can also set the "masquerading" option to '0' for the wan zone; it goes after the lan zone, so the command is:

# uci set firewall.@zone[1].masq=0

After configuration you should commit the changes:

# uci commit firewall

The file /etc/config/firewall should contain the following appended strings:

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'airvpntun'

config forwarding
        option src 'lan'
        option dest 'vpnfirewall'

Now we should configure DNS servers. The simplest approach is to use public DNS for the WAN interface of the router. You can add OpenDNS:

# uci set network.wan.peerdns='0'
# uci del network.wan.dns
# uci add_list network.wan.dns='208.67.222.222'
# uci add_list network.wan.dns='208.67.220.220'
# uci commit

The file /etc/config/network should contain the section 'wan' with the following strings (the three bottom strings have been appended):

config interface 'wan'
        option ifname 'eth0.2'
        option force_link '1'
        option proto 'dhcp'
        option peerdns '0'
        list dns '208.67.222.222'
        list dns '208.67.220.220'

You can also add Google DNS:

# uci set network.wan.peerdns='0'
# uci del network.wan.dns
# uci add_list network.wan.dns='8.8.8.8'
# uci add_list network.wan.dns='8.8.4.4'
# uci commit

The appended strings should be similar to the previous ones.

To prevent traffic leakage in case the VPN tunnel drops you should edit the file /etc/firewall.user with the following content:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

# While tun0 is not up, reject all forwarded traffic. The -C check keeps the
# rule from being inserted twice on repeated firewall reloads.
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
        iptables -I forwarding_rule -j REJECT
fi
# Never forward LAN traffic out through anything but a tun interface.
if (! iptables -C forwarding_lan_rule ! -o tun+ -j REJECT); then
        iptables -I forwarding_lan_rule ! -o tun+ -j REJECT
fi

You should also create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with the following content:

#!/bin/sh
# Runs on every interface event: lift the blanket REJECT when tun0 comes up
# and put it back when tun0 goes down (the -C checks keep the rule unique).
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
        iptables -D forwarding_rule -j REJECT
fi
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
        iptables -I forwarding_rule -j REJECT
fi

In some cases openvpn hangs with a log message like (couldn't resolve host ...). In this case the tunnel stays up, but the connection is lost. It should be reconnected manually, with the following script /etc/openvpn/reconnect.sh, which is added to /etc/rc.local as:

/etc/openvpn/reconnect.sh &

The content of the script reconnect.sh is like:

#!/bin/sh
n=10
while sleep 50; do
        # Count the received packets. busybox grep -E has no \d, so use [0-9].
        t=$(ping -c "$n" 8.8.8.8 2>/dev/null | grep -o -E '[0-9]+ packets received' | grep -o -E '^[0-9]+')
        # An empty count (ping printed nothing at all) also means the link is dead.
        if [ "${t:-0}" -eq 0 ]; then
                /etc/init.d/openvpn restart
        fi
done
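The kill switch in the guide above rests on two edits to /etc/config/firewall: no forwarding from lan to wan, and (optionally) no masquerading on the wan zone, while lan still forwards into the VPN zone. The script below is an added example, not code from the post or from OpenWrt, that audits a copy of that file for exactly those conditions without touching a live firewall. The function names audit_firewall_config and write_sample_config and the two constructed sample configurations are mine; the zone names lan, wan and vpnfirewall and the network airvpntun are the ones the guide uses. It matches the wan zone by its name option rather than by its @zone[1] position, so it does not depend on the zone order the guide assumes.

```shell
#!/bin/sh
# Added example (not from the forum post or OpenWrt): static audit of an
# OpenWrt /etc/config/firewall for the leak paths the guide closes.
# It only parses the UCI text format, so it runs on any POSIX sh + awk
# and never touches a live firewall. Zones are matched by their 'name'
# option, not by position, so it does not rely on wan being @zone[1].

# audit_firewall_config FILE
# Prints one line per finding; exits 0 when no lan -> wan forwarding is
# present, 1 otherwise. Warnings do not change the exit status.
audit_firewall_config() {
    awk -v q="'" '
    function unq(s) { gsub(q, "", s); gsub(/"/, "", s); return s }
    # every "config <type> [name]" line opens a new section
    $1 == "config" { sec++; stype[sec] = $2; next }
    ($1 == "option" || $1 == "list") && stype[sec] == "zone" {
        if ($2 == "name") zname[sec] = unq($3)
        if ($2 == "masq") zmasq[sec] = unq($3)
    }
    $1 == "option" && stype[sec] == "forwarding" {
        if ($2 == "src")  fsrc[sec]  = unq($3)
        if ($2 == "dest") fdest[sec] = unq($3)
    }
    END {
        bad = 0; vpn = 0
        for (s in fsrc) {
            if (fsrc[s] == "lan" && fdest[s] == "wan") {
                print "LEAK: forwarding lan -> wan is still present; LAN traffic can bypass the tunnel"
                bad = 1
            } else if (fsrc[s] == "lan" && fdest[s] != "") {
                vpn = 1
                for (z in zname) {
                    if (zname[z] == fdest[s] && zmasq[z] != "1")
                        print "WARN: zone " fdest[s] " has no masq; LAN clients will not be NATed onto the tunnel"
                }
            }
        }
        if (!vpn) print "WARN: no lan -> VPN zone forwarding found; LAN clients have no path out at all"
        for (z in zname) {
            if (zname[z] == "wan" && zmasq[z] == "1")
                print "WARN: masq is still enabled on the wan zone (set it to 0 as defence in depth)"
        }
        if (!bad) print "OK: no lan -> wan forwarding; forwarded traffic can only leave through the VPN zone"
        exit bad
    }' "$1"
}

# write_sample_config FILE MODE   (MODE = leaky | hardened)
# Constructed sample files: the stock lan/wan zones plus the guide's
# vpnfirewall zone, before and after the guide's two leak fixes.
write_sample_config() {
    if [ "$2" = leaky ]; then
        wan_masq=1
        lan_wan="config forwarding
        option src 'lan'
        option dest 'wan'"
    else
        wan_masq=0
        lan_wan="# lan -> wan forwarding removed (uci del firewall.@forwarding[0])"
    fi
    cat >"$1" <<EOF
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '$wan_masq'

$lan_wan

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'airvpntun'

config forwarding
        option src 'lan'
        option dest 'vpnfirewall'
EOF
}

# Stand-alone demo: audit both constructed samples.
demo_dir=$(mktemp -d)
write_sample_config "$demo_dir/leaky" leaky
write_sample_config "$demo_dir/hardened" hardened
echo "== default firewall with only the VPN zone appended =="
audit_firewall_config "$demo_dir/leaky" || true
echo "== after removing lan -> wan forwarding and wan masq =="
audit_firewall_config "$demo_dir/hardened"
rm -rf "$demo_dir"
```

To check a real router, copy /etc/config/firewall off the device and call audit_firewall_config on the copy; a non-zero exit status means a lan to wan forwarding is still present, which is the condition that lets LAN traffic bypass the tunnel. The warnings cover the defence-in-depth step (wan masq) and the case where the VPN zone or its forwarding is missing, which would leave LAN clients with no path out rather than a leak.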
 


#2 satyano

Posted 09 December 2016 - 08:42 PM

Hi there,

thanks for taking the time to document this; there's no clear tutorial for OpenWRT + OpenVPN, even less so for Air's cert-based auth.

I managed to get LEDE working on my TP-Link. There's one thing I don't understand though: why point to OpenDNS rather than Air's servers?

When I do an ipleak test after I connect on the AirVPN-ed Wifi AP I now get an exit node in Sweden and 5 DNS IPs in NL; before, when I used Eddie, they were all in the same place.

Performance is quite poor, about 2 Mbit/s on a 30 Mbit/s line; when using Eddie straight on my laptop I get 20-25 Mbit/s. The OpenVPN process used 5% CPU (700 MHz) and 6% memory (out of 64) and there's space left on the flash memory; I don't think it's hardware-related.

So I guess the next step is performance fine tuning; can you recommend steps or tutorials to get back to proper speeds?

Also, about the last step, what's that weird filename?

Thanks!



#3 ulmwind

Posted 11 December 2016 - 09:54 AM

Satyano, the DNS issue is at your disposal. There is no extreme need to use only OpenDNS servers; you can use Air DNS as well.

What is the exact model of your router? What speed do you observe while using it in standard mode? How have you measured the speed? I recommend using several methods: speedtest, seeding and leeching popular torrents.

If you mean the weird file name 99-prevent-leak, you can name it as you wish; I only suggest that the script be executed after the other scripts in this folder.



#4 xero

Posted 14 December 2016 - 07:42 PM

Hi there,

thanks for the guide, but I'm still having trouble getting a connection. If I'm reading the logs right, the initialization works fine, but then the server times out. The router is a Turris Omnia with a forked openwrt 15.05 - any help is appreciated...

2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: OpenVPN 2.3.6 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep  5 2016
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.08
2016-12-14T18:39:30+01:00 warning openvpn(airnether)[8808]: WARNING: file 'user.key' is group or others accessible
2016-12-14T18:39:30+01:00 warning openvpn(airnether)[8808]: WARNING: file 'ta.key' is group or others accessible
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: Socket Buffers: R=[163840->131072] S=[163840->131072]
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: UDPv4 link local: [undef]
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: UDPv4 link remote: [AF_INET]109.232.227.137:443
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: TLS: Initial packet from [AF_INET]109.232.227.137:443, sid=8d86ce97 cacfbf5f
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: Validating certificate key usage
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: ++ Certificate has key usage  00a0, expects 00a0
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: VERIFY KU OK
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: Validating certificate extended key usage
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: VERIFY EKU OK
2016-12-14T18:39:30+01:00 notice openvpn(airnether)[8808]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
2016-12-14T18:39:34+01:00 notice openvpn(airnether)[8808]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2016-12-14T18:39:34+01:00 notice openvpn(airnether)[8808]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-12-14T18:39:34+01:00 notice openvpn(airnether)[8808]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2016-12-14T18:39:34+01:00 notice openvpn(airnether)[8808]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-12-14T18:39:34+01:00 notice openvpn(airnether)[8808]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
2016-12-14T18:39:34+01:00 notice openvpn(airnether)[8808]: [server] Peer Connection Initiated with [AF_INET]109.232.227.137:443
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.60.48 255.255.0.0'
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: OPTIONS IMPORT: timers and/or timeouts modified
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: OPTIONS IMPORT: LZO parms modified
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: OPTIONS IMPORT: --ifconfig/up options modified
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: OPTIONS IMPORT: route options modified
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: OPTIONS IMPORT: route-related options modified
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: TUN/TAP device tun0 opened
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: TUN/TAP TX queue length set to 100
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2016-12-14T18:39:36+01:00 notice openvpn(airnether)[8808]: /sbin/ifconfig tun0 10.4.60.48 netmask 255.255.0.0 mtu 1500 broadcast 10.4.255.255
2016-12-14T18:39:36+01:00 notice netifd[]: Interface 'airvpntun' is enabled
2016-12-14T18:39:36+01:00 notice netifd[]: Network device 'tun0' link is up
2016-12-14T18:39:36+01:00 notice netifd[]: Interface 'airvpntun' has link connectivity 
2016-12-14T18:39:36+01:00 notice netifd[]: Interface 'airvpntun' is setting up now
2016-12-14T18:39:36+01:00 notice netifd[]: Interface 'airvpntun' is now up
2016-12-14T18:39:36+01:00 notice firewall[]: Reloading firewall due to ifup of airvpntun (tun0)
2016-12-14T18:39:41+01:00 notice openvpn(airnether)[8808]: /sbin/route add -net 109.232.227.137 netmask 255.255.255.255 gw 192.168.1.1
2016-12-14T18:39:41+01:00 notice openvpn(airnether)[8808]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.4.0.1
2016-12-14T18:39:41+01:00 notice openvpn(airnether)[8808]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.4.0.1
2016-12-14T18:39:41+01:00 notice openvpn(airnether)[8808]: Initialization Sequence Completed
2016-12-14T18:42:28+01:00 notice openvpn(airnether)[8808]: [server] Inactivity timeout (--ping-restart), restarting
2016-12-14T18:42:28+01:00 notice openvpn(airnether)[8808]: SIGUSR1[soft,ping-restart] received, process restarting
2016-12-14T18:42:28+01:00 notice openvpn(airnether)[8808]: Restart pause, 2 second(s)
2016-12-14T18:42:30+01:00 notice openvpn(airnether)[8808]: Socket Buffers: R=[163840->131072] S=[163840->131072]
2016-12-14T18:42:30+01:00 notice openvpn(airnether)[8808]: UDPv4 link local: [undef]
2016-12-14T18:42:30+01:00 notice openvpn(airnether)[8808]: UDPv4 link remote: [AF_INET]109.232.227.137:443
2016-12-14T18:43:30+01:00 notice openvpn(airnether)[8808]: [UNDEF] Inactivity timeout (--ping-restart), restarting
2016-12-14T18:43:30+01:00 notice openvpn(airnether)[8808]: SIGUSR1[soft,ping-restart] received, process restarting
2016-12-14T18:43:30+01:00 notice openvpn(airnether)[8808]: Restart pause, 2 second(s)
2016-12-14T18:43:32+01:00 notice openvpn(airnether)[8808]: Socket Buffers: R=[163840->131072] S=[163840->131072]
2016-12-14T18:43:32+01:00 notice openvpn(airnether)[8808]: UDPv4 link local: [undef]
2016-12-14T18:43:32+01:00 notice openvpn(airnether)[8808]: UDPv4 link remote: [AF_INET]109.232.227.137:443



#5 ulmwind

Posted 27 December 2016 - 08:27 AM

xero, try to add the option

keepalive 10 60

to the *.ovpn file.



#6 LZ1

Posted 05 January 2017 - 04:09 PM

Hello!

 

I think Air would recommend OpenNIC as Air donates to them and they align with AirVPN values :).



#7 regulator

Posted 22 May 2017 - 06:52 PM

Hi,

applied this to my travel router and it works fine for free hotspots. However, every time when connecting to a non-free hotspot the router can't be used, since Internet connectivity needs to be established by signing in before a VPN tunnel can be established. Unfortunately the router drops all traffic if the VPN tunnel is not established.

Is there a way to hibernate the VPN for a minute or so, just enough to let me log in?

Another aspect: sometimes specific ports are blocked by the provider. While it is not a big issue for Eddie, working with OpenWRT is a pain. Is there a configuration that checks which port is open and then picks a VPN server with the right port number?



#8 htpc

Posted 04 August 2017 - 01:04 PM

thanks ulmwind for this guide!!!

I do have a question though regarding disconnects. I'm on an LTE connection and they have a forced disconnect every 24h that also results in a new public IP (LTE router). Unfortunately this seems to break the setup and I have to manually restart OpenVPN in OpenWRT to regain connection. Is this expected behavior? Can this be avoided somehow?

I followed this guide for the setup to the point.

Thanks!

Edit: I also found and followed your advice over at the OpenWRT forums https://forum.openwrt.org/viewtopic.php?id=70245 and replaced

ip a s tun0 up with ifconfig tun0

I'm still having the same issue!?



#9 htpc

Posted 06 August 2017 - 02:50 PM

Update: After a restart of the router the problem seems to be resolved and everything is working as expected!



#10 htpc

Posted 25 October 2017 - 07:58 AM

Is it safe to run a firmware upgrade without losing all those settings? I'm on LEDE 17.01.2 and want to upgrade to LEDE 17.01.4 as they have addressed the KRACK vulnerability with the update.

Thanks for your help!



#11 ulmwind

Posted 19 November 2017 - 09:51 PM

Yes, but files in /etc/hotplug.d/iface are not saved. You should recreate them.



#12 klebek255

Posted 13 January 2018 - 05:52 PM

Great tutorial. I've tested it with a Linksys WRT3200 and it works like a charm. Thanks. There is a small typo in the line # uci set network.airvpntunh.ifname='tun0'; it should be # uci set network.airvpntun.ifname='tun0'.



#13 klebek255

Posted 29 January 2018 - 06:25 PM

Do not forget to block IPv6 DNS requests, otherwise you will be leaking DNS. I did it in the firewall settings in the UI.



#14 phikoen

Posted 26 April 2018 - 02:38 PM

Dear ulmwind,

first of all many thanks for writing this tutorial.

As this tutorial is pretty old, I still tried to use it with airvpn. I was able to ping any server on the router itself (connected via ssh). However, on my laptop it was not working. I tried to visit google.com and airvpn.org and I always received ERR_NAME_NOT_RESOLVED.

Any help would be appreciated.

Best regards



#15 Whisperer

Posted 27 April 2018 - 04:51 PM

I was able to configure following these instructions and am able to start the tunnel. It would be nice if at one point we could use LuCI as well; it has made such great progress.

Concerning the firewall rules: I want my gaming/netflix/work traffic to go outside of the VPN, so I need to establish a split-tunnel configuration where only certain clients/IPs or certain ports are rerouted through the tunnel. Could somebody tell me which uci firewall commands I can use to create that config?

My thinking is I would just have to change the forwarding rule from src=lan to src_ip while keeping the default forwarding rule. But would that prevent the src_ip from connecting if the tunnel is down?

Also, I lose all DNS resolution the instant I bring up the tunnel, even with the default forwarding rule present. Probably my fault.

After I entered the AirVPN DNS server (as listed on the specs page) into the wan interface, I got my resolution back. Apparently, the DNS push doesn't work with this configuration.

Also makes me wonder what happens in my split tunnel config. I'm guessing as long as the tunnel is up, it'll work. If it goes down, the DNS server becomes unreachable. Maybe I should add a public DNS as a secondary.



#16 k0lovratok

Posted 30 April 2018 - 10:46 AM

> Dear ulmwind,
>
> first of all many thanks for writing this tutorial.
>
> As this tutorial is pretty old, I still tried to use it with airvpn. I was able to ping any server on the router itself (connected via ssh). However, on my laptop it was not working. I tried to visit google.com and airvpn.org and I always received ERR_NAME_NOT_RESOLVED.
>
> Any help would be appreciated.
>
> Best regards

This is probably because you configured your DNS with AirVPN's DNS; thus when your VPN tunnel is down, you need to connect again to get DNS resolution, but you won't be able to connect, because Air's hostnames will not resolve until the VPN tunnel is up.... Catch 22.

There are 2 possible resolutions (as I see it):

1. use some public or your provider's DNS outside of the VPN (I use public OpenNIC DNS with dnscrypt).

2. use IP addresses in your ovpn file instead of hostnames.



#17 crazyjoe

Posted 04 August 2018 - 05:57 PM

Thank you for this! Works fine with OpenWrt 18.06.0.



#18 Moat

Posted 16 August 2018 - 12:43 PM

thanks for the guide

in my case I end up with openvpn internet on wifi and no internet on lan; only the openwrt router is accessible on lan with this set-up.

how do I also get internet on the lan?

And also, this setup does not play nice with changing the WIFI MAC address. When changing the wifi MAC address, wifi is not associated

uci set wireless.@wifi-iface[0].macaddr='xx:xx:xx:xx:xx:xx'




#19 ulmwind

Posted 16 September 2018 - 12:18 PM

> Dear ulmwind,
>
> first of all many thanks for writing this tutorial.
>
> As this tutorial is pretty old, I still tried to use it with airvpn. I was able to ping any server on the router itself (connected via ssh). However, on my laptop it was not working. I tried to visit google.com and airvpn.org and I always received ERR_NAME_NOT_RESOLVED.
>
> Any help would be appreciated.
>
> Best regards

Thank you for the nice feedback. The tutorial is still up-to-date. Try to ping any site by IP; you have DNS problems. What are the DNS of your laptop?

> I was able to configure following these instructions and am able to start the tunnel. It would be nice if at one point we could use LuCI as well; it has made such great progress.
>
> Concerning the firewall rules: I want my gaming/netflix/work traffic to go outside of the VPN, so I need to establish a split-tunnel configuration where only certain clients/IPs or certain ports are rerouted through the tunnel. Could somebody tell me which uci firewall commands I can use to create that config?
>
> My thinking is I would just have to change the forwarding rule from src=lan to src_ip while keeping the default forwarding rule. But would that prevent the src_ip from connecting if the tunnel is down?
>
> Also, I lose all DNS resolution the instant I bring up the tunnel, even with the default forwarding rule present. Probably my fault.
>
> After I entered the AirVPN DNS server (as listed on the specs page) into the wan interface, I got my resolution back. Apparently, the DNS push doesn't work with this configuration.
>
> Also makes me wonder what happens in my split tunnel config. I'm guessing as long as the tunnel is up, it'll work. If it goes down, the DNS server becomes unreachable. Maybe I should add a public DNS as a secondary.

I use public DNS, so it is not an issue for me. You can also use a specific DNS depending on whether the tunnel is up or down. It is done by modifying the file in the /tmp folder, triggered by the ifup/ifdown event of tun0 in the hotplug script or the OpenVPN config itself (it is described in the full version of the manual, see the link). No, pure firewall rules are not sufficient in your case. You should create an additional routing table, mark packets from specific IPs, and direct them into the additional table.

> thanks for the guide
>
> in my case I end up with openvpn internet on wifi and no internet on lan; only the openwrt router is accessible on lan with this set-up.
>
> how do I also get internet on the lan?
>
> And also, this setup does not play nice with changing the WIFI MAC address. When changing the wifi MAC address, wifi is not associated
>
> uci set wireless.@wifi-iface[0].macaddr='xx:xx:xx:xx:xx:xx'

Sorry, I don't understand your issues.






