These instructions are for getting an OpenWrt-based router working as an OpenVPN client (they should also work for LEDE, Gargoyle and other distributions). Computers connected to the LAN ports of the OpenWrt router will reach the Internet through the connection of the OpenVPN server (in this case the Streisand one set up previously). You need a working router with an OpenWrt-based firmware flashed on it (LEDE or eko.one.pl could also work); the steps work well on Chaos Calmer 15.05 or 15.05.1.
Router with OpenWrt and the LuCI GUI, currently running OpenWrt 18.06.1. The router is assigned the address 192.168.1.1. Dnsmasq is installed on the router; by default it should be installed, but you can check for it in the System - Software - Installed Packages section. I disabled IPv6 as my ISP does not support it.
- You need to `telnet 192.168.1.1` (the OpenWrt router) and set up a password using `passwd`. You can skip this if you already have a password and can connect using ssh. Now you should be able to ssh into the OpenWrt router with `ssh root@192.168.1.1`, using the password you just set.
- Important: ensure that you have at least 1MB of free space on `rootfs` on your OpenWrt device. Depending on the OpenWrt version flashed you may need more or less space to set everything up. If you don't have space but the router has a USB port, you could use ExtRoot, try to build a custom image, or even write a script that downloads OpenVPN to RAM on every start.
- Install OpenVPN (you need an internet connection on the OpenWrt router):
If you want OpenVPN to start automatically at router startup (in some OpenWrt releases this is enabled by default):
- Run UCI commands to configure the router as a VPN client:
- DNS: this is the tricky part; you have to choose one of these:
  - Use your WAN port's default DNS (the one OpenWrt currently uses to resolve domains). You can leave it as is, but be aware that your DNS queries will then go through the VPN, and some ISP DNS servers are configured to block connection attempts from outside their network.
  - Set up fixed DNS on the LAN interface (only for LAN and WiFi clients).
  - Set up fixed DNS on the WAN interface (this replaces the default DNS provided to the router on the WAN port).
  - Set up two scripts that use the DNS pushed through the VPN tunnel by the Streisand host (recommended).
I recommend the last option: you will use the same DNS server as the Streisand host. You should probably also check whether the Streisand host is configured with fixed DNS servers such as OpenDNS or Google; you could change that to use the default DNS on the Streisand host.
Fixed DNS on the LAN interface, using OpenDNS:
Fixed DNS on the LAN interface, using Google DNS:
Fixed DNS on the WAN interface, using OpenDNS:
Fixed DNS on the WAN interface, using Google DNS:
Finally, you should commit UCI changes:
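The UCI step above in a form you can paste on the router, as an added example and not the guide's own commands: the function emits a `uci batch` script that creates the tunnel interface and its own firewall zone, with the LAN forwarded into it; the interface name `vpn`, the device `tun0` and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not the guide's own commands: build the `uci batch` script that
# defines the OpenVPN tunnel as a network interface and places it in its own
# firewall zone, with LAN traffic forwarded into the tunnel and masqueraded.
# The names "vpn" and "tun0" are assumptions; "ifname" is the Chaos Calmer /
# 18.06 key (newer releases use "device").
vpn_uci_batch() {  # $1 = logical interface name, $2 = tunnel device
    name="$1"; dev="$2"
    cat <<EOT
set network.${name}=interface
set network.${name}.proto='none'
set network.${name}.ifname='${dev}'
add firewall zone
set firewall.@zone[-1].name='${name}'
set firewall.@zone[-1].network='${name}'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
set firewall.@zone[-1].masq='1'
set firewall.@zone[-1].mtu_fix='1'
add firewall forwarding
set firewall.@forwarding[-1].src='lan'
set firewall.@forwarding[-1].dest='${name}'
commit network
commit firewall
EOT
}

# Number of directives produced, handy as a sanity check before applying.
vpn_uci_line_count() { vpn_uci_batch "$@" | wc -l | tr -d ' '; }

# Apply on the router, then restart the daemons as the guide says.
apply_vpn_uci() {
    vpn_uci_batch "$@" | uci batch &&
    /etc/init.d/firewall restart &&
    /etc/init.d/network restart
}
```

Traffic arriving from the tunnel is rejected on input and forward; if you later want road-warrior clients to reach LAN hosts (see the section on connecting clients behind the client router), add a second forwarding with `src='vpn'` and `dest='lan'`.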
- You will need to download the OpenVPN client file from the Streisand host: `[ip]-direct.ovpn` or `[ip]-sslh.ovpn` (the first one uses port 636 (ldaps), the latter 443 (the standard https port); I think there are two because some people may have restrictions on some ports in their country, or SSL disallowed on another port).
- Open the `.ovpn` file in a PLAINTEXT text editor, as we need to make some edits:
  - Add this line at the top: `cat<<'EOF' > /etc/openvpn/streisand.conf`
  - Add this line at the bottom: `EOF`
  (these lines will let us later copy the entire text content of the file and paste it into the terminal/PuTTY window)
  - You can comment out or remove a line near the beginning of the file that looks like `route [ip] 255.255.255.255 net_gateway`; simply add `#` at the start of that line. This setting is already pushed from the OpenVPN server side. If you don't do this, you will get an error in the OpenVPN logs, but it should work fine anyway.
  - To enable the OpenVPN log and status file, add:
```
log-append /var/log/openvpn.log # To append to log file
status /var/log/openvpn-status.log # To maintain a status file
```
  - If you want to use the OpenVPN server-side DNS from the Streisand host, add:
```
script-security 2 system # needed to be able to use 'up' and 'down' scripts
up '/etc/openvpn/updns' # FIX DNS, we will create it later
down '/etc/openvpn/downdns' # FIX DNS, we will create it later
```
- Now copy the entire content of the `.ovpn` file and paste it into the terminal. You should now have a new file; check for it with `ls -l /etc/openvpn/streisand.conf`.
- If you chose to use the DNS provided by OpenVPN you need to create these two files (just copy and paste, and the files will be created):
FIX to use the DNS provided by the OpenVPN server:
Add execute permission to both files:
You should now have two new files (check for them):
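The two DNS scripts that step calls for, as an added example rather than the guide's own files: one script that serves as both `updns` and `downdns` (copy or link it to both paths), driven by the `script_type` and `foreign_option_N` variables OpenVPN sets for up/down scripts; the resolver path `/tmp/resolv.conf.auto` and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the guide's own scripts: one OpenVPN up/down script that
# installs the resolvers the Streisand server pushes ("dhcp-option DNS a.b.c.d")
# and restores the previous resolver file on disconnect. OpenVPN hands pushed
# options to the script as foreign_option_1, foreign_option_2, ... and sets
# script_type to "up" or "down". Resolver path is an assumption for dnsmasq on
# Chaos Calmer; copy or link this file to /etc/openvpn/updns and downdns.

# Print each pushed DNS address, one per line, ignoring other dhcp-options.
pushed_dns() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                ip="${opt#dhcp-option DNS }"
                # Only a dotted quad is accepted, so a malformed push cannot
                # smuggle extra resolver directives into the file.
                case "$ip" in
                    *[!0-9.]*|"") ;;
                    *) echo "$ip" ;;
                esac ;;
        esac
        i=$((i + 1))
    done
}

# up: back up the current resolver file once, then write the pushed servers.
install_dns() {  # $1 = resolver file
    servers=$(pushed_dns)
    [ -n "$servers" ] || return 1          # nothing pushed: leave DNS alone
    [ -f "$1.vpnbak" ] || cp "$1" "$1.vpnbak"
    for s in $servers; do echo "nameserver $s"; done > "$1"
}

# down: put the backed-up resolver file back.
restore_dns() {  # $1 = resolver file
    [ -f "$1.vpnbak" ] || return 1
    mv "$1.vpnbak" "$1"
}

if [ -n "${script_type:-}" ]; then
    RESOLV="${RESOLV_FILE:-/tmp/resolv.conf.auto}"
    case "$script_type" in
        up)   install_dns "$RESOLV" ;;
        down) restore_dns "$RESOLV" ;;
    esac
fi
```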
- All ready!
Since we modified the firewall we need to run:
Since we added a new interface we need to restart the network daemon (you will lose connectivity for a moment):
Start OpenVPN and see what happens:
When you see `Initialization Sequence Completed` you can press CTRL+C to exit. You can run `traceroute 8.8.8.8` (or to some other IP) to see whether you pass through the VPN, or check your public IP online.
Important remarks about testing whether it works properly:
- Always test the VPN using `ping`, `traceroute`, `wget`, or even browsing to an IP address, not to a domain name, since you may have a working VPN but non-working DNS.
- If you reboot your router, allow 30-60 seconds for it to boot properly and bring up the internet (important if you have ExtRoot or a slow router), and an additional 30-60 seconds to bring up the VPN.
- Bonus! Enable WiFi:
If you started from scratch and want to enable WiFi (if your router is dual-band, replace `[-1]` with `[0]`):
- Related info: just in case the OpenVPN client file changes in future, the configuration at the beginning of a working `.ovpn` file, as is (without any of the modifications above), is:
```
client
remote 123.456.789.012 636
dev tun
proto tcp
cipher AES-256-CBC
auth SHA256
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
key-direction 1
verb 3
route 123.456.789.012 255.255.255.255 net_gateway
```
Note: 123.456.789.012 represents the Streisand host IP.
Configuration pushed by the OpenVPN server on the Streisand host (taken from `/var/log/openvpn.log`):
TODO: Add the necessary code to have one WiFi network with VPN and another without (in a few days)...
braian87
- Connecting clients behind the client router
Say you're a road warrior and have set up an OpenVPN connection to the server running Streisand. You might want to connect to clients on the OpenWrt LAN. To do this on the server running Streisand:
- Add the following line to `/etc/openvpn/server.con`:
- Create the `/etc/openvpn/ccd` directory.
- Create a client file in the `/etc/openvpn/ccd/` directory corresponding to the client `.ovpn` file you used to configure your router as a client. For example, if you used `XXX-XXX-XXX-XXX-direct-2.ovpn` you would create a file called `/etc/openvpn/ccd/client-2`.
- Add the `iroute` option to that file as follows:
Where `192.168.10.0` is your LAN network, so adjust it appropriately.

Hi,
I have a router with an mt7621 chipset and an mt7603/mt7612 wifi combo. The image I am using is built from OpenWRT trunk and has kernel 4.4 + all the latest mt76 and mac80211 fixes/changes. The mt7612 (used for the 5GHz) is working perfectly, but I am having some issues with the mt7603 and an iPhone 6S. There might be other devices experiencing the same problems, but I don't have any available.
When I initially connect the iPhone to the 2.4 GHz wifi (i.e., the mt7603) everything works fine. However, when the phone has been idle for a while and tries to reconnect, something goes wrong. When looking at the settings on the phone, I see that it has acquired an IP and this seems to match the output in syslog. However, no traffic goes through. It seems that the traffic sent from the phone is dropped somewhere. I also see the following warning in dmesg (not sure if it is connected or not):
This error does not happen every time the device has gone into idle mode. I unfortunately do not have access to any device where I can sniff the wifi traffic, so I won't be able to provide any of those details. I hope this issue can serve as a starting point for nailing down this bug. I have tested the 2.4 GHz wifi network with other devices too, like my laptop, and do not see the issue.
Thanks in advance for any help.