AirVPN configuration on XRMWRT (Padavan), preventing traffic leakage outside tunnel.

OpenVPN XRMWRT Padavan traffic leakage

10 replies to this topic

#1 ulmwind

ulmwind

    Member

  • Members
  • PipPip
  • 21 posts

Posted 19 November 2016 - 10:29 AM

Initially you should have a router with Padavan's firmware with the OpenVPN client enabled. The main page of the firmware is https://bitbucket.org/padavan/rt-n56u. There is also the Prometheus script, which was developed to simplify the compilation process and to expand the list of supported devices: http://prometheus.freize.net

Log in to your router via the web interface. By default it has the LAN address 192.168.1.1. Go to the VPN Client item of the main menu with the corresponding link http://192.168.1.1/vpncli.asp#cfg (http://my.router/vpncli.asp#cfg). Toggle the switch "Enable VPN Client", and after that fill in the forms as shown on Scr1.png. You can use the servers specified in OpenVPN configuration files with the extension "ovpn". Download the configuration files needed for the OpenVPN connection via the tool at https://airvpn.com/generator. Choose "Linux", and then the further options. Notice that there are a number of different options like country, protocol, and port number. As a result you get one or more OpenVPN configuration files with the extension "ovpn", possibly in an archive. The file name in the archive defines the country or region, number, protocol and port. For example, consider the file "AirVPN_America_UDP-443.ovpn": "America" means America, "UDP" means the UDP protocol, and "443" means the port number. We will use this file as an example; other files are treated similarly. The line containing the server address begins with the word "remote". In the example it is "remote america.vpn.airdns.org 443". The last numerical value is the port number. On the screenshot the UDP protocol example is shown. To use the TCP protocol, change the field "Port" to the corresponding port number and "Transport" to TCP. The protocol is also specified in the line beginning with "proto".

 

You can leave the OpenVPN Extended Configuration as it is; you can also comment out the line "ns-cert-type server" with a leading "#".

Go down and fill in the forms as shown on Scr2.png, and press the "Apply" button. In the example there is the option not to obtain DNS from the VPN server. It is assumed that the WAN of the router was configured to use OpenDNS (208.67.222.222, 208.67.220.220) or Google DNS (8.8.8.8, 8.8.4.4). There is also an option to specify DNS for LAN clients (Advanced Settings -> LAN -> tab DHCP server, http://192.168.232.1/Advanced_DHCP_Content.asp, http://my.router/Advanced_DHCP_Content.asp). However, you can set this option to obtain DNS from the VPN server ("Add to existing list" or "Replace all existing"). Pay special attention to the item "Restrict Access from VPN Server Site". This item controls access to the router from the Internet via the tunnel. The safest option, as shown on Scr2.png, is "Yes, block all connections (site is foreign)". If you choose "No (Site-to-Site), using NAT translation", TOTAL ACCESS TO THE ROUTER INCLUDING MANAGEMENT - HTTP, HTTPS, AND SSH - WILL BE GRANTED FROM THE INTERNET VIA THE TUNNEL.

 

Go to the tab "OpenVPN Certificates & Keys" with the corresponding link http://192.168.1.1/vpncli.asp#ssl (http://my.router/vpncli.asp#ssl), and copy the content between the tags "<ca>" and "</ca>" to the field "ca.crt", the content between the tags "<cert>" and "</cert>" to the field "client.crt", the content between the tags "<key>" and "</key>" to the field "client.key", and the content between the tags "<tls-auth>" and "</tls-auth>" to the field "ta.key", then press the "Apply" button, as shown on Scr3.png. The tags themselves are always excluded from the contents. Now your router should successfully connect to the VPN server. You can check it by the white word "Connected" in the green rectangle to the right of the VPN server address on the VPN Client item of the main menu with the corresponding link http://192.168.1.1/vpncli.asp#cfg (http://my.router/vpncli.asp#cfg), as shown on Scr1.png. You can also visit a site displaying your IP address, e.g. https://ipleak.net

 

After a positive result you should make your changes permanent. You can do it in one of three ways: run the command "mtd_storage.sh save" in the console; on the page Advanced Settings -> Administration -> Settings with the corresponding link http://192.168.1.1/Advanced_SettingBackup_Content.asp (http://my.router/Advanced_SettingBackup_Content.asp), press the "Commit" button to the right of the item "Commit Internal Storage to Flash Memory Now"; or reboot the router by pressing the Reboot button to the right of the "Logout" button.

To sum up, the files corresponding to the filled fields are stored in the directory /etc/storage/openvpn/client, and the resulting OpenVPN configuration file is stored in the directory /etc/openvpn/client.

To prevent traffic leakage in case the VPN tunnel drops, you should edit the contents of the item "Run the Script After Connected/Disconnected to VPN Server" on the VPN Client item of the main menu with the corresponding link http://192.168.1.1/vpncli.asp#cfg (http://my.router/vpncli.asp#cfg), which is shown on Scr2.png, to add lines to the functions func_ipup and func_ipdown; the resulting content should be as in the file /etc/storage/vpnc_server_script.sh. By the way, it is the same file where the form content is saved. You should also block traffic until the tunnel is up. To do it, edit the form "Run After Firewall Rules Restarted" on the page Advanced Settings -> Customization -> Scripts with the corresponding link http://192.168.1.1/Advanced_Scripts_Content.asp (http://my.router/Advanced_Scripts_Content.asp); the resulting content should be as in the file /etc/storage/post_iptables_script.sh. Finally, you should make your changes permanent in the same way as discussed before.

 

vpnc_server_script.sh:

 

#!/bin/sh

### Custom user script
### Called after internal VPN client connected/disconnected to remote VPN server
### $1        - action (up/down)
### $IFNAME   - tunnel interface name (e.g. ppp5 or tun0)
### $IPLOCAL  - tunnel local IP address
### $IPREMOTE - tunnel remote IP address
### $DNS1     - peer DNS1
### $DNS2     - peer DNS2

# private LAN subnet behind a remote server (example)
peer_lan="192.168.9.0"
peer_msk="255.255.255.0"

### example: add static route to private LAN subnet behind a remote server

func_ipup()
{
#  route add -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME
# unblock traffic if blocking rule exists
   if iptables -C FORWARD -j REJECT; then
    iptables -D FORWARD -j REJECT
   fi
   return 0
}

func_ipdown()
{
#  route del -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME
# block traffic leakage in case of tunnel drops
   if (! iptables -C FORWARD -j REJECT); then
    iptables -I FORWARD -j REJECT
   fi
   return 0
}

logger -t vpnc-script "$IFNAME $1"

case "$1" in
up)
  func_ipup
  ;;
down)
  func_ipdown
  ;;
esac

 

post_iptables_script.sh:

 

#!/bin/sh

### Custom user script
### Called after internal iptables reconfig (firewall update)

# prevent traffic leakage while tunnel is not up
if [ -z "$(ip a s tun0 | grep 'state UP')" ] && (! iptables -C FORWARD -j REJECT); then
  iptables -I FORWARD -j REJECT
fi

 

Attachments: Scr1.png, Scr2.png, Scr3.png
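Added example (not part of the original post or of Padavan's firmware): an offline model of the "block FORWARD until the tunnel is up" logic from the two scripts above. The real iptables and "ip a s tun0" calls are replaced by shell functions acting on a constructed rule list, so the up/down/reload decisions can be checked without a router. All names (RULES, fw_*, tun_is_up, fw_sync, on_vpn_event) and the two sample interface lines are this example's own. One caveat worth knowing: many Linux kernels report a tun device as "state UNKNOWN" even while it is up, with UP and LOWER_UP appearing only in the flag list, so this model accepts either form.

```shell
#!/bin/sh
# Added example, not part of the original post: an offline model of the
# "block FORWARD until the tunnel is up" logic from vpnc_server_script.sh
# and post_iptables_script.sh. iptables and `ip a s tun0` are replaced by
# shell functions acting on a constructed rule list. All names here
# (RULES, fw_*, tun_is_up, fw_sync, on_vpn_event) are this example's own.

# Constructed sample lines in the shape `ip a s tun0` prints. Many Linux
# kernels show a tun device as "state UNKNOWN" even while it is up, with
# UP/LOWER_UP only in the flag list, so a check that matches only on
# "state UP" can leave the REJECT rule in place after a firewall reload.
TUN_UP_LINE='6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100'
TUN_DOWN_LINE='6: tun0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc pfifo_fast state DOWN qlen 100'

BLOCK_RULE="FORWARD -j REJECT"

# Stand-in for the FORWARD chain: one rule per line, first line = top.
RULES=""

# Mock of `iptables -C ...`: succeeds only if the exact rule is present.
fw_check() { printf '%s\n' "$RULES" | grep -qxF -- "$1"; }
# Mock of `iptables -I ...`: insert at the top, but never twice.
fw_insert() { fw_check "$1" || RULES=$(printf '%s\n%s' "$1" "$RULES"); }
# Mock of `iptables -D ...`: drop the rule if present.
fw_delete() { RULES=$(printf '%s\n' "$RULES" | grep -vxF -- "$1" || true); }

# 0 when the interface line shows the tunnel as up: operational state UP,
# or both UP and LOWER_UP set in the <...> flag list.
tun_is_up() {
  case "$1" in *"state UP"*) return 0 ;; esac
  flags=${1#*"<"}
  flags=${flags%%">"*}
  case ",$flags," in *",UP,"*"LOWER_UP,"*) return 0 ;; esac
  return 1
}

# Model of post_iptables_script.sh: after a firewall reload, make sure the
# block rule is present unless the tunnel is up. $1 = `ip a s tun0` line.
fw_sync() {
  if ! tun_is_up "$1" && ! fw_check "$BLOCK_RULE"; then
    fw_insert "$BLOCK_RULE"
  fi
  return 0
}

# Model of func_ipup / func_ipdown: $1 is the action the VPN client passes.
on_vpn_event() {
  case "$1" in
    up)   fw_check "$BLOCK_RULE" && fw_delete "$BLOCK_RULE" ;;
    down) fw_check "$BLOCK_RULE" || fw_insert "$BLOCK_RULE" ;;
  esac
  return 0
}

# True when forwarding is currently blocked.
blocked() { fw_check "$BLOCK_RULE"; }

# Walk through a typical sequence: firewall reload at boot (tunnel absent),
# tunnel comes up, firewall reload while up (must not re-block), tunnel drops.
fw_sync "$TUN_DOWN_LINE"; blocked && echo "boot: forwarding blocked"
on_vpn_event up;          blocked || echo "tunnel up: forwarding allowed"
fw_sync "$TUN_UP_LINE";   blocked || echo "reload while up: still allowed"
on_vpn_event down;        blocked && echo "tunnel down: blocked again"
```

Two properties of the real rule carry over to the model: "iptables -I FORWARD -j REJECT" only stops traffic that the router forwards for LAN clients, so the OpenVPN process on the router itself (whose packets go through the OUTPUT chain) can still reconnect while the block is in place; and because every path checks with "-C" before inserting, repeated down events or firewall reloads never stack duplicate REJECT rules that a single "-D" on the up event would then fail to clear.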



#2 LZ1

LZ1

    It's nice to be nice to nice people

  • Members
  • PipPipPip
  • 1487 posts

Posted 19 November 2016 - 01:53 PM

Hello!

 

Nice stuff :).

 

I think it could be formatted a little better, for more clarity and the title changed to "How To" or "Guide", to make it clear what it is.

But good effort!




#3 Azgort2

Azgort2

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 26 May 2017 - 04:39 PM

Can't get it to work. I have a connection to the VPN server but no access to the internet. Here are my logs:

 




#4 ulmwind

ulmwind

    Member

  • Members
  • PipPip
  • 21 posts

Posted 29 May 2017 - 01:39 PM

Azgort2, it is interesting. Please check the following:

  1. ping 8.8.8.8 from your computer, connected to router;
  2. ping 8.8.8.8 from ssh-command line of router.


#5 Azgort2

Azgort2

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 01 June 2017 - 10:23 AM

Azgort2, it is interesting. Please check the following:

  1. ping 8.8.8.8 from your computer, connected to router;
  2. ping 8.8.8.8 from ssh-command line of router.

I have already figured out what the problem was. LZO compression needs to be enabled in order to get AirVPN to work on my router.



#6 ulmwind

ulmwind

    Member

  • Members
  • PipPip
  • 21 posts

Posted 01 June 2017 - 09:01 PM

Azgort2, would you be so kind as to generate config files according to my manual above, and check whether the string

comp-lzo

exists.



#7 Azgort2

Azgort2

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 02 June 2017 - 11:17 AM

Azgort2, would you be so kind as to generate config files according to my manual above, and check whether the string

comp-lzo

exists.

There is the string "comp-lzo no".
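The reply above answers by reading the generated file by eye. As an added example (not from the original post or from AirVPN's generator), here is a small shell script that pulls out of an .ovpn file exactly what the guide in post #1 asks you to copy into the Padavan form: the "remote" server and port, the "proto" transport, the "comp-lzo" setting discussed in this exchange, and the four inline blocks (<ca>, <cert>, <key>, <tls-auth>) with their tags excluded, written under the file names the guide lists for /etc/storage/openvpn/client. The sample file is constructed with placeholder certificate bodies, not real AirVPN material, and the function names (ovpn_field, ovpn_block, ovpn_extract) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: extract the values the Padavan
# VPN Client form asks for from an .ovpn file. The sample config below is
# constructed (placeholder certificate bodies, not real AirVPN material);
# the remote/proto/comp-lzo directives and the <ca>/<cert>/<key>/<tls-auth>
# inline blocks are standard OpenVPN config syntax. Function names are
# this example's own.

OVPN=$(cat <<'EOF'
client
dev tun
proto udp
remote america.vpn.airdns.org 443
resolv-retry infinite
comp-lzo no
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
EXAMPLE-CA-BODY
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
EXAMPLE-CLIENT-CERT-BODY
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
EXAMPLE-CLIENT-KEY-BODY
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
EXAMPLE-TA-KEY-BODY
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
)

# ovpn_field CONFIG DIRECTIVE: print the arguments of the first line whose
# first word is DIRECTIVE (e.g. "america.vpn.airdns.org 443" for remote).
ovpn_field() {
  printf '%s\n' "$1" | awk -v d="$2" '$1 == d { sub(/^[^ \t]+[ \t]*/, ""); print; exit }'
}

# ovpn_block CONFIG TAG: print the lines between <TAG> and </TAG>, tags
# excluded, which is what the ca.crt/client.crt/client.key/ta.key fields expect.
ovpn_block() {
  printf '%s\n' "$1" | awk -v t="$2" '
    $0 == ("</" t ">") { inblk = 0 }
    inblk              { print }
    $0 == ("<" t ">")  { inblk = 1 }'
}

# ovpn_extract CONFIG DIR: write the four key files under DIR using the file
# names the guide lists for /etc/storage/openvpn/client, then print the
# server/port/transport/comp-lzo summary needed for the form.
ovpn_extract() {
  cfg=$1; dir=$2
  mkdir -p "$dir"
  ovpn_block "$cfg" ca       > "$dir/ca.crt"
  ovpn_block "$cfg" cert     > "$dir/client.crt"
  ovpn_block "$cfg" key      > "$dir/client.key"
  ovpn_block "$cfg" tls-auth > "$dir/ta.key"
  chmod 600 "$dir/client.key" "$dir/ta.key"   # private material stays private
  remote=$(ovpn_field "$cfg" remote)
  printf 'server=%s port=%s transport=%s comp-lzo=%s\n' \
    "${remote%% *}" "${remote##* }" \
    "$(ovpn_field "$cfg" proto)" "$(ovpn_field "$cfg" comp-lzo)"
}

# Demo run into a temporary directory (the real target on the router would
# be /etc/storage/openvpn/client, followed by "mtd_storage.sh save").
demo_dir=$(mktemp -d)
ovpn_extract "$OVPN" "$demo_dir"
ls "$demo_dir"
rm -rf "$demo_dir"
```

With the constructed sample the summary line reads "server=america.vpn.airdns.org port=443 transport=udp comp-lzo=no", which matches the "comp-lzo no" finding in this thread: the generated file names the option but turns it off, so a router-side "Enable LZO" setting has to be reconciled with what the server side expects.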



#8 Ptesza

Ptesza

    Newbie

  • New Members
  • Pip
  • 2 posts

Posted 05 November 2017 - 08:00 AM

Nice article.

 

Does port forwarding work well? What settings do you use?



#9 therion

therion

    Member

  • Members
  • PipPip
  • 15 posts

Posted 05 November 2017 - 01:48 PM

Thanks for the guide! I've been thinking lately about using VPN on my Netgear router but honestly been lazy and also, lack of knowledge. This is great, I'll try it out.

-Invictus-

-Veritas


#10 ulmwind

ulmwind

    Member

  • Members
  • PipPip
  • 21 posts

Posted 19 November 2017 - 09:54 PM

Nice article.

 

Does port forwarding work well? What settings do you use?

Yes, it works. I don't use them; what is your question?

 

Thanks for the guide! I've been thinking lately about using VPN on my Netgear router but honestly been lazy and also, lack of knowledge. This is great, I'll try it out.

-Invictus-

I don't know about Netgear router (http://prometheus.freize.net/), I think, you should use my OpenWRT Guide.



#11 Ptesza

Ptesza

    Newbie

  • New Members
  • Pip
  • 2 posts

Posted 20 November 2017 - 04:11 AM

My Transmission client in the OMV still shows that the port is closed. (OMV is a Linux-based NAS.)

I tried a lot of settings, and of course I opened a port in the AirVPN surface.






