To begin you need a router running OpenWRT firmware (project page: http://openwrt.org) with the OpenVPN client installed. A router freshly flashed with an OpenWRT image (older releases) accepts connections only by telnet, so connect by telnet to 192.168.1.1 and set the root password with the command "passwd"; after that it accepts connections via ssh. (Recent releases accept ssh immediately, but you should still set a root password before going further.) OpenVPN is not included in the firmware image by default, so install it with opkg:
# opkg update
# opkg install openvpn-openssl
You can also install the LuCI component for OpenVPN configuration, but it is optional:
# opkg install luci-app-openvpn
You can also build a firmware image with OpenVPN included.
A good manual on general OpenVPN client configuration is on the page https://github.com/StreisandEffect/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client We will follow it with modifications specific to AirVPN.
After installing OpenVPN you can make it start automatically when the router boots:
# /etc/init.d/openvpn enable
Download the configuration files needed for the OpenVPN connection with the tool at https://airvpn.org/generator Choose "Linux" and then the further options. Notice that there are many different options, such as country, protocol and port number. As a result you get one or more OpenVPN configuration files with the extension "ovpn", possibly in an archive. The file name defines the country or region, number, protocol and port. For example, consider the file "AirVPN_America_UDP-443.ovpn": "America" is the region, "UDP" the protocol and "443" the port number. We will use this file as the example; other files are treated the same way.
Comment out the option "explicit-exit-notify 5" in the file with "#", because the OpenVPN client in OpenWRT doesn't recognize it; the line should then read "# explicit-exit-notify 5". Copy the file "AirVPN_America_UDP-443.ovpn" to the /etc/openvpn/ folder of the router filesystem with pscp or WinSCP on Windows, or the scp command on Linux. If copying fails, force the scp protocol: WinSCP defaults to SFTP, and the dropbear ssh server on OpenWRT does not provide SFTP unless the openssh-sftp-server package is installed. The file contains your private key, so transfer it only over ssh/scp and restrict it on the router with "chmod 600 /etc/openvpn/AirVPN_America_UDP-443.ovpn". The file itself contains the contents of "ca.crt" between the tags "<ca>" and "</ca>", "user.crt" between "<cert>" and "</cert>", "user.key" between "<key>" and "</key>", and the contents of "ta.key" between "<tls-auth>" and "</tls-auth>". You can create the separate files "ca.crt", "user.crt", "user.key" and "ta.key" with the corresponding content (without the tags) in the same folder, and replace the tagged blocks in the original file with the following lines:
ca ca.crt
cert user.crt
key user.key
tls-auth ta.key 1
Notice that the contents of these four files are identical across all the generated OpenVPN configuration files. In other words, the significant difference between the configuration files is the line containing the server address and port, which begins with the word "remote".
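The splitting and rewriting described above can be scripted. The following POSIX shell script is an added example, not part of the original page or of AirVPN's tooling: it cuts the four tagged blocks out of a generated profile into the files named above (ca.crt, user.crt, user.key, ta.key), writes a config that references them with explicit-exit-notify commented out, and restricts the key files to root. The output name airvpn.conf is an assumption, and the sample profile built by make_sample_ovpn is constructed with placeholder PEM bodies, not real AirVPN data.

```sh
#!/bin/sh
# Added example (not from the original page or from AirVPN): split the inline
# <ca>/<cert>/<key>/<tls-auth> blocks of a generated .ovpn file into the separate
# files named on the page and write a config that references them.
# The output file name airvpn.conf is an assumption.

# extract_block TAG FILE: print the lines between <TAG> and </TAG>.
# CRLF line endings (a file that passed through Windows) are tolerated.
extract_block() {
    awk -v tag="$1" '
        { sub(/\r$/, "") }
        $0 == ("<" tag ">")  { inside = 1; next }
        $0 == ("</" tag ">") { inside = 0; next }
        inside { print }
    ' "$2"
}

# rewrite_config IN OUT: copy IN to OUT without the inline blocks, comment out
# explicit-exit-notify (rejected by the OpenVPN build on the page) and append
# the file references. A "key-direction 1" line, if present, agrees with "tls-auth ta.key 1".
rewrite_config() {
    awk '
        { sub(/\r$/, "") }
        /^<(ca|cert|key|tls-auth)>$/   { skip = 1; next }
        /^<\/(ca|cert|key|tls-auth)>$/ { skip = 0; next }
        skip { next }
        /^explicit-exit-notify/ { print "# " $0; next }
        { print }
        END {
            print "ca ca.crt"
            print "cert user.crt"
            print "key user.key"
            print "tls-auth ta.key 1"
        }
    ' "$1" > "$2"
}

# split_ovpn IN DIR: write the four credential files and airvpn.conf into DIR.
# The private key and the tls-auth key are made readable by root only.
split_ovpn() {
    in="$1"; dir="$2"
    mkdir -p "$dir"
    extract_block ca       "$in" > "$dir/ca.crt"
    extract_block cert     "$in" > "$dir/user.crt"
    extract_block key      "$in" > "$dir/user.key"
    extract_block tls-auth "$in" > "$dir/ta.key"
    chmod 600 "$dir/user.key" "$dir/ta.key"
    rewrite_config "$in" "$dir/airvpn.conf"
}

# make_sample_ovpn FILE: a constructed stand-in for a generated profile with
# placeholder PEM bodies instead of real keys (not real AirVPN data).
make_sample_ovpn() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote example.invalid 443
explicit-exit-notify 5
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
CA-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
USER-CERT-PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
USER-KEY-PLACEHOLDER
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
TA-KEY-PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}

# Usage on the router: sh split_ovpn.sh AirVPN_America_UDP-443.ovpn /etc/openvpn
if [ "$#" -eq 2 ]; then
    split_ovpn "$1" "$2"
fi
```

Because only the "remote" line differs between AirVPN profiles, the four files produced once can be shared by every rewritten config in /etc/openvpn.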
OpenVPN can be configured to use the file "AirVPN_America_UDP-443.ovpn" in two ways.
1) Change the extension of the file from "ovpn" to "conf". In this case the OpenVPN init script finds it automatically by extension.
2) Reference the file by name in /etc/config/openvpn. You can use uci:
# uci set openvpn.airvpn=openvpn
# uci set openvpn.airvpn.enabled='1'
# uci set openvpn.airvpn.config='/etc/openvpn/AirVPN_America_UDP-443.ovpn'
# uci commit openvpn
The file /etc/config/openvpn should then contain the following appended section:
config openvpn 'airvpn'
	option enabled '1'
	option config '/etc/openvpn/AirVPN_America_UDP-443.ovpn'
You can also do both, i.e. change the extension to "conf" and reference the file in /etc/config/openvpn; in that case the init script starts this configuration only once, not twice.
You can also specify the parameters of the OpenVPN connection directly as options in /etc/config/openvpn. Then you don't need the file "AirVPN_America_UDP-443.ovpn" at all, because everything from it is given explicitly. However, it is tedious.
Create a new network interface for the tunnel device:
# uci set network.airvpntun=interface
# uci set network.airvpntun.proto='none'
# uci set network.airvpntun.ifname='tun0'
# uci commit network
The file /etc/config/network should then contain the following appended section:
config interface 'airvpntun'
	option proto 'none'
	option ifname 'tun0'
On OpenWRT 21.02 and later the option is called 'device' instead of 'ifname' (uci set network.airvpntun.device='tun0').
Create a new firewall zone and add a forwarding rule from LAN to the VPN zone:
# uci add firewall zone
# uci set firewall.@zone[-1].name='vpnfirewall'
# uci set firewall.@zone[-1].input='REJECT'
# uci set firewall.@zone[-1].output='ACCEPT'
# uci set firewall.@zone[-1].forward='REJECT'
# uci set firewall.@zone[-1].masq='1'
# uci set firewall.@zone[-1].mtu_fix='1'
# uci add_list firewall.@zone[-1].network='airvpntun'
# uci add firewall forwarding
# uci set firewall.@forwarding[-1].src='lan'
# uci set firewall.@forwarding[-1].dest='vpnfirewall'
# uci commit firewall
To prevent traffic leaking outside the VPN tunnel, remove the forwarding rule from lan to wan. In the default configuration that is the first (and originally the only) forwarding section, index 0; confirm with "uci show firewall.@forwarding[0]" that it has src 'lan' and dest 'wan', then delete it:
# uci del firewall.@forwarding[0]
You can also set the "masquerading" option to '0' for the wan zone, so that even if lan-to-wan forwarding were restored by mistake, LAN traffic would not be NATed onto the WAN. In the default configuration the wan zone is the second zone section (index 1, after lan); verify with "uci show firewall.@zone[1].name" and then:
# uci set firewall.@zone[1].masq='0'
After configuration you should commit changes:
# uci commit firewall
The file /etc/config/firewall should then contain the following appended sections:
config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'airvpntun'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'
Now we should configure DNS servers. The simplest approach is to use public DNS resolvers on the WAN interface of the router. You can add OpenDNS:
# uci set network.wan.peerdns='0'
# uci del network.wan.dns
# uci add_list network.wan.dns='208.67.222.222'
# uci add_list network.wan.dns='208.67.220.220'
# uci commit
(The "uci del" fails harmlessly if no dns list exists yet.) Keep in mind that these resolvers are queried by the router itself (dnsmasq forwards the LAN clients' lookups to them): once the tunnel carries the default route the queries go through it, but while the tunnel is down the rules added later to /etc/firewall.user only block forwarded traffic, so the router's own DNS queries still leave the WAN in the clear and the names that LAN clients look up can leak.
The file /etc/config/network should contain the section 'wan' with the following lines (the three bottom lines are the appended ones):
config interface 'wan'
	option ifname 'eth0.2'
	option force_link '1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '208.67.222.222'
	list dns '208.67.220.220'
You can also add Google DNS instead:
# uci set network.wan.peerdns='0'
# uci del network.wan.dns
# uci add_list network.wan.dns='8.8.8.8'
# uci add_list network.wan.dns='8.8.4.4'
# uci commit
The appended lines are then the same as above, with these addresses.
To prevent traffic leaking when the VPN tunnel drops, edit the file /etc/firewall.user to the following content:
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

# While tun0 is not up, reject all forwarded traffic. This relies on tun0
# disappearing when OpenVPN is not running (the default without persist-tun).
if (! ip a s tun0 up >/dev/null 2>&1) && (! iptables -C forwarding_rule -j REJECT 2>/dev/null); then
	iptables -I forwarding_rule -j REJECT
fi

# Reject anything forwarded from lan that would leave through a non-tun interface.
if (! iptables -C forwarding_lan_rule ! -o tun+ -j REJECT 2>/dev/null); then
	iptables -I forwarding_lan_rule ! -o tun+ -j REJECT
fi
You should also create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with the following content, so that the blanket REJECT is removed when the tunnel comes up and put back when it goes down:
#!/bin/sh
# Runs on every interface event; the tun0 checks make it act only on the VPN state.
if [ "$ACTION" = ifup ] && (ip a s tun0 up >/dev/null 2>&1) && (iptables -C forwarding_rule -j REJECT 2>/dev/null); then
	iptables -D forwarding_rule -j REJECT
fi
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up >/dev/null 2>&1) && (! iptables -C forwarding_rule -j REJECT 2>/dev/null); then
	iptables -I forwarding_rule -j REJECT
fi
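To check that the firewall and routing really leave no path around the tunnel, the following shell script is an added example, not part of the original page. Each check parses the output of one router command (ip route, uci show firewall, iptables -S forwarding_lan_rule) so it can also be exercised offline against the constructed sample outputs at the bottom; run_live wires the checks to the real commands on the router. The tunnel addresses 10.8.0.x, the gateway 192.0.2.1 and the script name leakcheck.sh in the samples and usage are placeholders.

```sh
#!/bin/sh
# Added example (not from the original page): offline checks for the no-leak
# state the page configures. Each function reads one command's output on stdin.

# Reads `ip route` output. Succeeds when IPv4 default traffic goes to a tun
# interface, either as a plain default route or as the 0.0.0.0/1 + 128.0.0.0/1
# pair that "redirect-gateway def1" installs (the WAN default route then remains
# but is shadowed by the more specific halves).
default_via_tun() {
    awk '
        {
            dev = ""
            for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
        }
        $1 == "default"     && dev ~ /^tun/ { plain = 1 }
        $1 == "0.0.0.0/1"   && dev ~ /^tun/ { low = 1 }
        $1 == "128.0.0.0/1" && dev ~ /^tun/ { high = 1 }
        END { exit !(plain || (low && high)) }
    '
}

# Reads `uci show firewall` output. Succeeds when no forwarding section has
# src lan and dest wan (quoted and unquoted uci output are both accepted).
no_lan_to_wan_forwarding() {
    awk -F'[.=]' -v q="'" '
        { gsub(q, "", $4) }
        $1 == "firewall" && $3 == "src"  { src[$2]  = $4 }
        $1 == "firewall" && $3 == "dest" { dest[$2] = $4 }
        END {
            for (s in src) if (src[s] == "lan" && dest[s] == "wan") exit 1
            exit 0
        }
    '
}

# Reads `uci show firewall` output. Succeeds when the zone named wan does not masquerade.
wan_masq_off() {
    awk -F'[.=]' -v q="'" '
        { gsub(q, "", $4) }
        $3 == "name" { name[$2] = $4 }
        $3 == "masq" { masq[$2] = $4 }
        END {
            for (z in name) if (name[z] == "wan" && masq[z] == "1") exit 1
            exit 0
        }
    '
}

# Reads `iptables -S forwarding_lan_rule` output. Succeeds when the rule that
# rejects lan traffic not leaving through a tun interface is present.
tun_only_rule_present() {
    grep -qF -- '-A forwarding_lan_rule ! -o tun+ -j REJECT'
}

# run_live: apply the checks to the running router (assumes ip, uci, iptables).
run_live() {
    ip route | default_via_tun || { echo "default route is not via a tun interface"; return 1; }
    uci show firewall | no_lan_to_wan_forwarding || { echo "lan -> wan forwarding still present"; return 1; }
    uci show firewall | wan_masq_off || { echo "wan zone still masquerades"; return 1; }
    iptables -S forwarding_lan_rule | tun_only_rule_present || { echo "tun-only REJECT rule missing"; return 1; }
    echo "no forwarding path around the tunnel found"
}

# Constructed sample outputs (not captured from a real router) for offline use.
sample_routes_ok() { printf '%s\n' \
    '0.0.0.0/1 via 10.8.0.1 dev tun0' \
    'default via 192.0.2.1 dev eth0.2' \
    '10.8.0.0/24 dev tun0 scope link  src 10.8.0.2' \
    '128.0.0.0/1 via 10.8.0.1 dev tun0' \
    '192.168.1.0/24 dev br-lan scope link  src 192.168.1.1'; }
sample_routes_leak() { printf '%s\n' \
    'default via 192.0.2.1 dev eth0.2' \
    '192.168.1.0/24 dev br-lan scope link  src 192.168.1.1'; }
sample_fw_ok() { printf '%s\n' \
    "firewall.@zone[1]=zone" "firewall.@zone[1].name='wan'" "firewall.@zone[1].masq='0'" \
    "firewall.@forwarding[0]=forwarding" "firewall.@forwarding[0].src='lan'" \
    "firewall.@forwarding[0].dest='vpnfirewall'"; }
sample_fw_leak() { printf '%s\n' \
    "firewall.@zone[1]=zone" "firewall.@zone[1].name='wan'" "firewall.@zone[1].masq='1'" \
    "firewall.@forwarding[0]=forwarding" "firewall.@forwarding[0].src='lan'" \
    "firewall.@forwarding[0].dest='wan'"; }

# Usage on the router: sh leakcheck.sh live
if [ "${1:-}" = live ]; then
    run_live
fi
```

Run it with the tunnel up and again with OpenVPN stopped (the route check should then fail, which is the intended state for the kill switch). It examines forwarded traffic only; the router's own DNS queries are outside these rules, as noted in the DNS section.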
In some cases OpenVPN hangs with a log message like "couldn't resolve host ...": the tunnel stays up but the connection is lost. It must then be reconnected manually, or by the following watchdog script /etc/openvpn/reconnect.sh, which is started in the background from /etc/rc.local (before the final "exit 0") with the line:
/etc/openvpn/reconnect.sh &
Make the script executable with "chmod +x /etc/openvpn/reconnect.sh". Its content is:
#!/bin/sh
# Restart OpenVPN when a burst of pings from the router gets no reply at all.
n=10
target=208.67.222.222   # the first OpenDNS resolver configured above; any reliably reachable address works
while sleep 50; do
	# BusyBox ping prints "N packets transmitted, M packets received, ..."; BusyBox grep -E
	# does not understand \d, so digits are matched with [0-9]. If ping itself fails, t is empty.
	t=$(ping -c "$n" "$target" | grep -o -E '[0-9]+ packets received' | grep -o -E '^[0-9]+')
	if [ "${t:-0}" -eq 0 ]; then
		/etc/init.d/openvpn restart
	fi
done