Configuring OpenVPN on OpenWRT

 

This Howto has been moved to the main guide section and will be maintained there from now on.

This Howto describes the setup of an OpenVPN connection on an OpenWRT-based router. Clients behind this router will only be able to access the Internet if the OpenVPN connection to IPredator is up.

You need to configure basic OpenVPN settings from the command line first. Then you can control the OpenVPN connection from the LuCI GUI.

 

This Howto assumes that you are setting up a newly flashed OpenWRT router behind an existing router from your ISP. Have a look at the network topology.

 

If you want to handle connection speeds above 10Mbit/s you should get an OpenWRT router with an AR7161 CPU at 680MHz, e.g. the Buffalo WZR-HP-AG300H. Do not expect to get a higher throughput than 20-25Mbit from these devices.

Use cases

There are a number of use cases where it is better to use a dedicated router to access a VPN instead of installing VPN software on each client machine:

  • Accessing the Internet either via your ISP or the IPredator VPN is as easy as switching between two wireless networks.
  • Multiple machines (notebook, tablet, NAS) can be hooked up behind a single router to access the VPN at the same time.
  • No worries if the VPN disconnects while sensitive transfers are running.
  • Using the VPN, your clients are no longer directly exposed to the Internet; the firewall on the router keeps the dirt out.
  • Guest network access can easily be granted because you do not need to care about the things your guests are using your Internet for. :)
  • Easily limit the router's upstream bandwidth, thus making sure that your VPN Internet does not overload your normal Internet uplink.
 

Due to popular demand: are you a cafe or small shop owner who just wants a working solution for your customers? We can provide a setup including the device for 1 EUR or 10 SEK per day. If you are interested, write us an email at support@ipredator.se.

Requirements

  • OpenWRT device running ATTITUDE ADJUSTMENT.
  • Web and SSH access to the OpenWRT device.

Network topology

This Howto assumes you are using an OpenWRT router behind the router you got from your ISP.

  • The ISP Router has the internal IP 192.168.1.1 and establishes the Internet connection. It does NAT for all clients in the Home Network 192.168.1.0/24.
  • The OpenWRT Router's WAN interface has the IP 192.168.1.254 and accesses the Internet through the default gateway 192.168.1.1. The WAN IP address can either be set statically or via DHCP.
  • The Protected Network 192.168.2.0/24 behind the OpenWRT Router is used for clients that should access the Internet through IPredator.

[Figure vpn_ipredator_openvpn.png: network topology with ISP router, OpenWRT router and the IPredator tunnel]

A few basics first so that everybody is on the same page in regards to the network setup. Some topics are cut short since this Howto is already pretty long; if you have questions, feel free to visit us here.

A Regular Client behind the ISP Router accesses the Internet through the unprotected red path. The ISP can log the traffic from this client.

The OpenWRT Router establishes the blue IPredator connection.

The Client behind the IPredator VPN uses the yellow protected path through IPredator to access the Internet. Because the traffic inside the blue tunnel is encrypted, your ISP cannot look into the traffic that the Client behind IPredator generates. The ISP only sees encrypted packets traveling back and forth to IPredator.

Log into the OpenWRT router via SSH

Use PuTTY on Windows or plain ssh on BSD, Linux or Mac OS X from a terminal to connect to your OpenWRT router. Change into the /etc/config directory.

BusyBox v1.19.4 (2012-08-26 12:49:54 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 ATTITUDE ADJUSTMENT (12.09-beta, r33312)
 -----------------------------------------------------
  * 1/4 oz Vodka      Pour all ingredients into mixing
  * 1/4 oz Gin        tin with ice, strain into glass.
  * 1/4 oz Amaretto
  * 1/4 oz Triple sec
  * 1/4 oz Peach schnapps
  * 1/4 oz Sour mix
  * 1 splash Cranberry juice
 -----------------------------------------------------
root@wrt01:~#

Installation

Update the package database prior to installing any new software, then install the OpenVPN package:

root@wrt01:~# opkg update
root@wrt01:~# opkg install openvpn
root@wrt01:~#
 

Depending on the firmware version you use, the OpenVPN package name can be different. Use opkg search *openvpn* to see what packages are available for your device.

OpenVPN

The OpenVPN configuration for IPredator will be appended to the list of available OpenVPN configurations. The IPredator connection will always use tun1337 as its network interface. The OpenVPN connection will be reestablished if it gets disconnected or terminated.

root@wrt01:~# cat >> /etc/config/openvpn << EOF
config openvpn 'IPredator'
	option enabled '1'
	option client '1'
	option dev 'tun1337'
	option proto 'udp'
	list auth_user_pass '/etc/openvpn/IPredator.auth'
	option resolv_retry 'infinite'
	option float '1'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option ca '/etc/openvpn/IPredator.se.ca.crt'
	option ns_cert_type 'server'
	list tls_auth '/etc/openvpn/IPredator.se.ta.key'
	option tls_cipher 'TLSv1:!ADH:!SSLv2:!NULL:!EXPORT:!DES:!LOW:!MEDIUM:@STRENGTH'
	option cipher 'AES-256-CBC'
	option comp_lzo '1'
	option passtos '1'
	option remote 'pw.openvpn.ipredator.se 1194'
	option tls_client '1'
	option verb '3'
EOF

Import the IPredator CA certificate:

root@wrt01:~# cat >> /etc/openvpn/IPredator.se.ca.crt << EOF
-----BEGIN CERTIFICATE-----
[certificate body not included in this copy of the Howto]
-----END CERTIFICATE-----
EOF

Next import the static TLS key:

root@wrt01:~# cat >> /etc/openvpn/IPredator.se.ta.key << EOF
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
03f7b2056b9dc67aa79c59852cb6b35a
a3a15c0ca685ca76890bbb169e298837
2bdc904116f5b66d8f7b3ea6a5ff05cb
fc4f4889d702d394710e48164b28094f
a0e1c7888d471da39918d747ca4bbc2f
285f676763b5b8bee9bc08e4b5a69315
d2ff6b9f4b38e6e2e8bcd05c8ac33c5c
56c4c44dbca35041b67e2374788f8977
7ad4ab8e06cd59e7164200dfbadb942a
351a4171ab212c23bee1920120f81205
efabaa5e34619f13adbe58b6c83536d3
0d34e6466feabdd0e63b39ad9bb1116b
37fafb95759ab9a15572842f70e7cba9
69700972a01b21229eba487745c091dd
5cd6d77bdc7a54a756ffe440789fd39e
97aa9abe2749732b7262f82e4097bee3
-----END OpenVPN Static key V1-----
EOF

Create the credentials file and replace your username and password in the corresponding lines (type manually now, do not copy and paste):

root@wrt01:~# cat >> /etc/openvpn/IPredator.auth << EOF
USERNAME
PASSWORD
EOF

Interface configuration

Every time the router starts, the tun1337 interface needs to be created so that OpenVPN is able to use it. The IPredator interface can then be referenced in firewall zones.

root@wrt01:~# cat >> /etc/config/network << EOF
config interface 'IPredator'
	option ifname 'tun1337'
	option proto 'none'
EOF

Firewall zones

Firewall zones are used to easily specify how traffic is allowed to flow between interfaces.

The default installation of OpenWRT has two firewall zones configured: lan and wan. In a regular setup, traffic originating from the lan zone accesses the Internet through the wan zone while being masqueraded behind the IP of the WAN interface.

In our scenario we need to add a third firewall zone with the name ipr. The IPredator interface tun1337 belongs to this zone. Traffic from the lan zone is only allowed to exit masqueraded through the ipr zone. Masquerading on the wan zone is disabled. When the IPredator OpenVPN connection goes down, traffic from the lan zone cannot pass the ipr zone until OpenVPN reconnects. This setup effectively blocks traffic from reaching the Internet without going through the IPredator VPN connection.

Overwrite the default firewall zone configuration by issuing the following command:

root@wrt01:~# cat > /etc/config/firewall << EOF
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'wan'
	option input 'ACCEPT'

config zone
	option name 'ipr'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'IPredator'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'ipr'
	option src 'lan'
EOF
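The zone and forwarding rules above amount to a handful of invariants that a mis-edited or merely appended-to firewall file breaks silently: no masquerading on wan, masquerading on ipr, a lan to ipr forwarding and nothing from lan to wan. The script below is an added example, not part of the Howto or of OpenWRT; it parses /etc/config/firewall (or any copy passed as the first argument) with BusyBox sh, sed and awk and prints one FAIL line per broken invariant, including zones that ended up defined twice.

```shell
#!/bin/sh
# Added example, not the Howto's own code: audit an OpenWrt /etc/config/firewall for the
# leak-protection invariants described above. Needs only BusyBox sh, sed and awk. Values
# are assumed to contain no spaces, which holds for the firewall file above.

# Flatten UCI syntax into "sectionNo type key value" lines, quotes stripped.
uci_flatten() {
    sed "s/'//g" "$1" | awk '
        /^config[ \t]/              { s++; t = $2 }
        /^[ \t]*(option|list)[ \t]/ { print s, t, $2, $3 }'
}
# Value of option $3 in the zone named $2 (input: flattened config in $1).
zone_opt() {
    printf '%s\n' "$1" | awk -v z="$2" -v k="$3" '
        $2 == "zone" { v[$1, $3] = $4; seen[$1] = 1 }
        END { for (s in seen) if (v[s, "name"] == z) print v[s, k] }'
}
# One "src->dest" line per forwarding section.
forwardings() {
    printf '%s\n' "$1" | awk '
        $2 == "forwarding" { v[$1, $3] = $4; seen[$1] = 1 }
        END { for (s in seen) print v[s, "src"] "->" v[s, "dest"] }'
}
# Zone names defined more than once (what cat >> instead of cat > leaves behind).
dup_zones() {
    printf '%s\n' "$1" | awk '$2 == "zone" && $3 == "name" { n[$4]++ }
        END { for (z in n) if (n[z] > 1) print z }'
}
# Returns 0 when every invariant holds, 1 otherwise, with one FAIL line per problem.
check_firewall_config() {
    flat=$(uci_flatten "${1:-/etc/config/firewall}")
    fwd=$(forwardings "$flat")
    dups=$(dup_zones "$flat")
    dflt=$(printf '%s\n' "$flat" | awk '$2 == "defaults" && $3 == "forward" { print $4 }')
    rc=0
    [ -z "$dups" ] || { echo "FAIL: zone(s) defined twice: $dups"; rc=1; }
    [ "$dflt" = REJECT ] || { echo "FAIL: defaults forward is not REJECT"; rc=1; }
    [ "$(zone_opt "$flat" wan masq)" != 1 ] || { echo "FAIL: wan zone masquerades (leak path)"; rc=1; }
    [ "$(zone_opt "$flat" ipr masq)" = 1 ] || { echo "FAIL: ipr zone does not masquerade"; rc=1; }
    printf '%s\n' "$fwd" | grep -qx 'lan->ipr' || { echo "FAIL: no lan->ipr forwarding"; rc=1; }
    ! printf '%s\n' "$fwd" | grep -qx 'lan->wan' || { echo "FAIL: lan->wan forwarding bypasses the VPN"; rc=1; }
    return $rc
}
# Constructed sample: a condensed copy of the zones above, so the check can be tried offline.
write_sample_config() {
    printf '%s\n' "config defaults" "    option forward 'REJECT'" \
        "config zone" "    option name 'lan'" "config zone" "    option name 'wan'" \
        "config zone" "    option name 'ipr'" "    option masq '1'" "    option network 'IPredator'" \
        "config forwarding" "    option src 'lan'" "    option dest 'ipr'" > "$1"
}
# With a path argument that file is audited; without one the constructed sample is checked.
if [ $# -gt 0 ]; then check_firewall_config "$1"; else
    write_sample_config /tmp/fw.sample && check_firewall_config /tmp/fw.sample && echo "sample OK"; fi
```

Run it after the reboot as well: the rules only protect the protected network while the file on disk is the one shown above.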

Reboot your router

To activate all configuration changes, reboot your router now. This is mandatory.

After your router has rebooted, log in via SSH again. For debugging purposes it is important to keep an eye on the log output. To verify that your VPN connection gets established properly, enter the following command to start displaying log output:

root@wrt01:/etc# logread -f
 

This command is also handy when contacting our support staff in case you have problems getting OpenVPN to run on OpenWRT.

It is very likely that you do not see any output now. Keep the SSH session open in that state.

Controlling the OpenVPN connection on the CLI

Open another SSH session to your router, log in as root and execute the following command:

root@wrt01:/# /etc/init.d/openvpn stop

In the log window you should see that OpenVPN has disconnected the VPN connection. Now wait for at least 30 seconds. Then execute:

root@wrt01:/# /etc/init.d/openvpn start

You should see log output again, this time it is OpenVPN starting the VPN connection:

May 27 08:58:12 wrt01 daemon.notice openvpn(IPredator)[7955]: OpenVPN 2.2.2 mips-openwrt-linux [SSL] [LZO2] [EPOLL] built on Aug 26 2012
...
May 27 08:58:12 wrt01 daemon.err openvpn(IPredator)[7955]: RESOLVE: NOTE: pw.openvpn.ipredator.se resolves to 19 addresses
May 27 08:58:12 wrt01 daemon.notice openvpn(IPredator)[7955]: Data Channel MTU parms [ L:1558 D:158 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
May 27 08:58:12 wrt01 daemon.notice openvpn(IPredator)[7955]: UDPv4 link local: [undef]
May 27 08:58:12 wrt01 daemon.notice openvpn(IPredator)[7955]: UDPv4 link remote: 46.246.36.130:1194
May 27 08:58:12 wrt01 daemon.notice openvpn(IPredator)[7955]: TLS: Initial packet from 46.246.36.130:1194, sid=d3e85996 744ea3cb
...
May 27 08:58:14 wrt01 daemon.notice openvpn(IPredator)[7955]: [pw.openvpn.ipredator.se] Peer Connection Initiated with 46.246.36.130:1194
May 27 08:58:16 wrt01 daemon.notice openvpn(IPredator)[7955]: SENT CONTROL [pw.openvpn.ipredator.se]: 'PUSH_REQUEST' (status=1)
May 27 08:58:16 wrt01 daemon.notice openvpn(IPredator)[7955]: PUSH: Received control message: 'PUSH_REPLY,route 46.246.36.130 255.255.255.255 net_gateway,route-gateway 46.246.36.1,redirect-gateway def1,topology subnet,dhcp-option DOMAIN ipredator.se,dhcp-option DNS 46.24
...
May 27 08:58:16 wrt01 daemon.notice openvpn(IPredator)[7955]: TUN/TAP device tun1337 opened
May 27 08:58:16 wrt01 daemon.notice openvpn(IPredator)[7955]: TUN/TAP TX queue length set to 100
May 27 08:58:16 wrt01 daemon.notice openvpn(IPredator)[7955]: /sbin/ifconfig tun1337 46.246.36.165 netmask 255.255.255.0 mtu 1500 broadcast 46.246.36.255
May 27 08:58:16 wrt01 daemon.notice openvpn(IPredator)[7955]: /sbin/route add -net 46.246.36.130 netmask 255.255.255.255 gw 192.168.1.1
May 27 08:58:16 wrt01 daemon.notice openvpn(IPredator)[7955]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 46.246.36.1
May 27 08:58:16 wrt01 daemon.notice openvpn(IPredator)[7955]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 46.246.36.1
May 27 08:58:16 wrt01 daemon.notice openvpn(IPredator)[7955]: /sbin/route add -net 46.246.36.130 netmask 255.255.255.255 gw 192.168.1.1
May 27 08:58:16 wrt01 daemon.notice openvpn(IPredator)[7955]: Initialization Sequence Completed

If everything went fine, the last log line from OpenVPN should contain Initialization Sequence Completed. Some warnings and errors show up on the way there; ignore them.

Verification

To verify that the VPN connection came up correctly, press CTRL-C in the log window to terminate log output. Then execute ifconfig -a on the command line and see if you got a tun interface in the network device list.

root@wrt01:~# ifconfig -a
[..]
tun1337   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:46.246.36.165  P-t-P:46.246.36.165  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:770 errors:0 dropped:0 overruns:0 frame:0
          TX packets:66 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:114167 (111.4 KiB)  TX bytes:4050 (3.9 KiB)

root@wrt01:~# 

Issue netstat -nr to see if the routing table got altered correctly. The following entries are essential:

  • A host route to the VPN server (in this example 46.246.36.130).
  • A new split default route (destinations 0.0.0.0/1 and 128.0.0.0/1).

root@wrt01:/etc# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         46.246.36.1     128.0.0.0       UG        0 0          0 tun1337
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth1
46.246.36.0     0.0.0.0         255.255.255.0   U         0 0          0 tun1337
46.246.36.130   192.168.1.1     255.255.255.255 UGH       0 0          0 eth1
128.0.0.0       46.246.36.1     128.0.0.0       UG        0 0          0 tun1337
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 br-lan
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
root@wrt01:/etc#
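The two essential entries can be checked without reading the table by hand. The script below is an added example, not part of the Howto: it parses netstat -nr output for the host route to the VPN server and the two /1 halves of the default route, and also confirms that the ISP default route is still there (OpenVPN needs it to reach the server). The VPN server address (from the Peer Connection Initiated log line) and the tunnel name are parameters; the embedded table is the one shown above, used as offline sample input.

```shell
#!/bin/sh
# Added example, not the Howto's own code: check "netstat -nr" output for the essential
# entries listed above. The VPN server address (taken from the "Peer Connection Initiated"
# log line) and the tunnel interface are parameters; the sample table is the one shown above.

# route_state <netstat -nr output> <vpn server ip> <tun interface>
# Prints "host=<iface or -> halves=<0..2> isp_default=<yes|no>":
#   host        - interface of the /32 route to the VPN server (must be the WAN side, not the tunnel)
#   halves      - how many of the two /1 default routes point at the tunnel
#   isp_default - whether the ISP default route is still present (needed to reach the server)
route_state() {
    printf '%s\n' "$1" | awk -v vpn="$2" -v tun="$3" '
        $1 == vpn && $3 == "255.255.255.255"                                      { host = $NF }
        $3 == "128.0.0.0" && $NF == tun && ($1 == "0.0.0.0" || $1 == "128.0.0.0") { halves++ }
        $1 == "0.0.0.0" && $3 == "0.0.0.0" && $NF != tun                          { isp = "yes" }
        END { printf "host=%s halves=%d isp_default=%s\n", (host ? host : "-"), halves, (isp ? isp : "no") }'
}

# Exit 0 only when the host route exists off the tunnel, both halves go via the tunnel
# and the ISP default route is present; otherwise print the state and exit 1.
vpn_routes_ok() {
    state=$(route_state "$1" "$2" "$3")
    case "$state" in
        host=-*|host=$3*|*halves=0*|*halves=1*|*isp_default=no) echo "NOT OK: $state"; return 1 ;;
        *) echo "OK: $state"; return 0 ;;
    esac
}

# Sample input: the routing table shown in the Howto above.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         46.246.36.1     128.0.0.0       UG        0 0          0 tun1337
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth1
46.246.36.0     0.0.0.0         255.255.255.0   U         0 0          0 tun1337
46.246.36.130   192.168.1.1     255.255.255.255 UGH       0 0          0 eth1
128.0.0.0       46.246.36.1     128.0.0.0       UG        0 0          0 tun1337
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 br-lan
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1'

# On the router: ./vpn_routes.sh <vpn server ip> [tun interface]; without arguments the sample is checked.
if [ $# -gt 0 ]; then vpn_routes_ok "$(netstat -nr)" "$1" "${2:-tun1337}"; else
    vpn_routes_ok "$SAMPLE_ROUTES" 46.246.36.130 tun1337; fi
```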

Now do a traceroute to our public DNS server to see if traffic actually goes through the IPredator VPN tunnel:

root@wrt01:~# traceroute 46.246.46.246
traceroute to 46.246.46.246 (46.246.46.246), 30 hops max, 38 byte packets
 1  anon-36-3.vpn.ipredator.se (46.246.36.3)  28.953 ms  28.534 ms  29.030 ms
 2  anon-33-1.vpn.ipredator.se (46.246.33.1)  28.553 ms  28.295 ms  29.288 ms
 3  dns1.resolv.to (46.246.46.246)  29.580 ms  29.453 ms  29.055 ms

The first and the second hop indicate that traffic from the router follows the default route through IPredator.

Interface & Firewall overview

To check the available interfaces, open the Network tab in the web interface and select Interfaces. An additional IPREDATOR network with the tun1337 interface appears.

[Figure openvpn_openwrt_02.png: LuCI Interfaces overview showing the IPREDATOR network on tun1337]

Switch to the Firewall tab and select General Settings. The only zone that does masquerading now is the ipr zone. The wan zone accepts packets on the Input chain as opposed to the default setting, because it needs to establish and keep up the OpenVPN tunnel.

[Figure openvpn_openwrt_03.png: LuCI Firewall General Settings with the lan, wan and ipr zones]

System startup

To make the OpenVPN connection available every time you start your OpenWRT router, open the System tab in the web interface and select Startup. Enable the Initscript for OpenVPN. You can also start and stop the OpenVPN service manually using the Start and Stop buttons here.

 

Do not use Restart. You should wait for at least 30 seconds before starting a stopped OpenVPN connection again.

[Figure openvpn_openwrt_04.png: LuCI System Startup page with the OpenVPN initscript enabled]

Checking the traffic flow on the OpenVPN connection

To check the traffic flow on the OpenVPN connection, open the Status tab in the web interface and select Realtime Graphs. Switch to Traffic and then select the tun1337 interface.

[Figure openvpn_openwrt_05.png: LuCI Realtime Graphs, Traffic tab for tun1337]

Further configuration on the OpenWRT router

To get a fully working setup you need to complete at least the following additional tasks:

  • Configure a different SSID on the OpenWRT router so that you can also access the Internet through the IPredator VPN wirelessly.
  • Set the DHCP network range to 192.168.2.128 - 192.168.2.254. The remaining IPs can be used for static assignments.
  • Configure IPredator's DNS server 46.246.46.46 as DNS forwarder in the DHCP and DNS settings of your router to prevent DNS leaks. This server is only reachable via the VPN and will be used by all clients behind the OpenWRT router that get IP addresses assigned via DHCP.
  • Configure the WAN interface to use the custom DNS server 194.132.32.32. This is one of IPredator's public DNS servers.
  • Add a static route to 194.132.32.32 through the ISP router. If you did not use DHCP and set up your WAN interface as detailed in the Network Topology, the ISP router has the IP 192.168.1.1. With that route in place, OpenVPN can always resolve pw.openvpn.ipredator.se and is able to reconnect properly in case the VPN connection is lost.
  • Visit http://www.dnsleaktest.com with your clients behind the OpenWRT router to check if they use the proper DNS servers.