VPN tunnel as a WAN Interface on OpenWRT/LEDE Router

There exists a seemingly endless number of VPN Providers with different kinds of quality, features and trustworthiness. They are not perfect and can not be considered as an anonymizer for everything, but they increase the privacy at least for specific use cases.

  • untrusted hostile network environment
  • public WiFi
  • P2P Torrent Traffic
  • ISP Data Retention
  • Censorship Circumvention

You should know when it’s time to use a VPN and when not. Depending on your threat-model this can secure your traffic.

In my case the Service Provider premiumize.me has added also a VPN Service. Though i usually use them for other services. But if it is in the basket, why not use it.

Other providers are for example, without any order:

  • https://frootvpn.com/
  • https://ipredator.se/
  • https://www.privatetunnel.com/
  • https://www.privateinternetaccess.com/
  • and many other more…

There exists a nice overview why you should not use or rely on a VPN service for anonymization. https://gist.github.com/joepie91/5a9909939e6ce7d09e29#dont-use-vpn-services

In this tutorial i’ll show how to run an OpenVPN client on your Router with OpenWRT. This makes it possible to have the connection always on, and reuse it in your network when u need it.

Install openvpn on OpenWRT

Following packages need to be installed:

 opkg update ; opkg install openvpn-openssl luci-app-openvpn openssl-util

The Service/OpenVPN section should become available in the LuCi Webinterface.

OpenVPN Luci Settings in OpenWRT

root@openwrt:~# openvpn --version
OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>

Obtaining VPN Provider Settings

First we need the Settings for our Provider to connect with OpenVPN. Premiumize hands out client settings and their CA.crt file.

Client Settings – .ovpn file

Premiumize.me – Netherlands.ovpn

remote vpn-nl.premiumize.me
verify-x509-name CN=vpn-nl.premiumize.me
auth-user-pass
client
dev tun
proto udp
cipher AES-256-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
<ca>
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
</ca>
verb 3
reneg-sec 0

Manually test tunnel with .ovpn file

The easiest way is to use the .ovpn file directly. SCP it to your router and place it under /etc/openvpn/nl.ovpn

root@openwrt:/etc/openvpn# ls
nl.ovpn

It’s easiest possible to test the .ovpn file directly.

root@openwrt:/etc/openvpn# openvpn nl.ovpn 
Sat Feb 17 21:10:36 2018 OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Feb 17 21:10:36 2018 library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.10
Enter Auth Username:
Enter Auth Password:
...
...
...
Sat Feb 10 19:25:15 2018 Initialization Sequence Completed

When “Initialization Sequence Completed” is printed to the screen, the device /dev/tun0 should be available and the tunnel up. Test it with ifconfig, ping and traceroute.

root@openwrt:~# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
 inet addr:10.8.0.29 P-t-P:10.8.0.29 Mask:255.255.0.0
 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
 RX packets:1 errors:0 dropped:0 overruns:0 frame:0
 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:100 
 RX bytes:48 (48.0 B) TX bytes:0 (0.0 B)

root@openwrt:~# ping -I tun0 blog.cavebeat.org
PING blog.cavebeat.org (31.220.43.64): 56 data bytes
64 bytes from 31.220.43.64: seq=0 ttl=58 time=59.759 ms
64 bytes from 31.220.43.64: seq=1 ttl=58 time=59.055 ms
64 bytes from 31.220.43.64: seq=2 ttl=58 time=59.755 ms
64 bytes from 31.220.43.64: seq=3 ttl=58 time=59.384 ms
^C
--- blog.cavebeat.org ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 59.055/59.488/59.759 ms

OpenWRT Settings with .ovpn

One can use the .ovpn directly in the OpenWRT Settings as an additional section in /etc/config/openvpn.

config openvpn 'nl_vpn' 
 option enabled '1' 
 option config "/etc/openvpn/nl.ovpn"

OpenWRT Settings with UCI/LUCI

Options from the .ovpn file are similar to VPN-Settings in OpenWRT. Though they are not exactly the same naming convention.

.ovpn OpenWRT
remote vpn-nl.premiumize.me list remote ‘vpn-nl.premiumize.me 1194’
verify-x509-name CN=vpn-nl.premiumize.me option verify_x509_name ‘vpn-nl.premiumize.me name’
auth-user-pass option auth_user_pass ‘/etc/openvpn/prem_userpass.txt’
client option client ‘1’
dev tun option dev ‘tun0’
proto udp option proto ‘udp’
cipher AES-256-CBC option cipher ‘aes-256-cbc’
resolv-retry infinite option resolv_retry ‘infinite’
nobind option nobind ‘1’
persist-key option persist_key ‘1’
persist-tun option persist_tun ‘1’
mute-replay-warnings option mute_replay_warnings ‘1’
verb 3 option verb ‘3’
reneg-sec 0 option reneg_sec ‘0’
ca option ca ‘/etc/openvpn/nl_prem_ca.crt’
option auth ‘sha1’
option enabled ‘1’

OpenVPN Setting in /etc/config/openvpn

root@openwrt:~# cat /etc/config/openvpn

config openvpn 'nl_prem'
 option verify_x509_name 'vpn-nl.premiumize.me name'
 list remote 'vpn-nl.premiumize.me 1194'
 option auth_user_pass '/etc/openvpn/prem_userpass.txt'
 option client '1'
 option dev 'tun0'
 option proto 'udp'
 option auth 'sha256'
 option cipher 'aes-256-cbc'
 option resolv_retry 'infinite'
 option nobind '1'
 option persist_key '1'
 option persist_tun '1'
 option ca '/etc/openvpn/nl_prem_ca.crt'
 option verb '3'
 option reneg_sec '0'
 option route_nopull '1'
 option mute_replay_warnings '1'
 option enabled '1'

It’s possible to add the settings also in Luci, but it’s easier to avoid this and add the settings manually via command line at the end of the file /etc/config/openvpn.

User Pass File

The setting auth_user_pass tells to use a Customer ID and PIN for authentication from a file.

I have created a file in /etc/openvpn and added in line 1 my Customer ID and in line 2 my Premiumize PIN.

root@openwrt:~# cat /etc/config/openvpn | grep auth_user_pass
 option auth_user_pass '/etc/openvpn/prem_userpass.txt'
root@openwrt:~# cat /etc/openvpn/prem_userpass.txt
1234567890
trustno1

CA – Certificate Authority

I have placed the ca parts from the nl.ovpn file under /etc/openvpn.

root@openwrt:/etc/openvpn# cat nl_prem_ca.crt 
<ca>
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
...
...
...
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
</ca>

Ignoring redirect-gateway

If you are running OpenVPN as a client, and the server you use is using push “redirect-gateway” then your client redirects all internet traffic over the VPN. Sometimes clients do not want this, but they can not change the server’s configuration. In our case, we just want the OpenVPN Tunnel Available as an additional WAN Interface and not push just everything into it always.

I myself prefer to set the client option “option route_nopull ‘1’” and care and control the routing myself.

.ovpn OpenWRT
route-nopull option route_nopull ‘1’
--route-nopull
 When used with --client or --pull, accept options pushed by server EXCEPT for routes and dhcp options like DNS servers.
 When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.

from the OpenVPN Manpage about route-nopull

Settings in LUCI

In Luci it should be also available.

 

Create VPN Interface

In the Section Network/Interface create a new Interface with Protocol Unmanaged.

Interface Configuration

root@openwrt:~# cat /etc/config/network
config interface 'nl_vpn'
 option proto 'none'
 option ifname 'tun0'
 option auto '1'

Protocol: unmanaged/none

Bring Up on Boot / Auto

Connected Interface name: tun0

FireWall Zone – put it into a new Zone similar to your WAN Zone.

Firewall Zone Settings

root@openwrt:~# cat /etc/config/firewall 

config zone
 option name 'vpn'
 option output 'ACCEPT'
 option network 'nl_vpn'
 option masq '1'
 option input 'REJECT'
 option forward 'REJECT'
 option mtu_fix '1'

config forwarding
 option dest 'vpn'
 option src 'lan'

VPN-WAN Interface Checks

Check your Interface is up and available in ifconfig.

root@openwrt:~# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
 inet addr:10.8.0.33 P-t-P:10.8.0.33 Mask:255.255.0.0
 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
 RX packets:64 errors:0 dropped:0 overruns:0 frame:0
 TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:100 
 RX bytes:5158 (5.0 KiB) TX bytes:912 (912.0 B)

Compare a traceroute with your Tunnel Interface and with your WAN Interface.

root@openwrt:~# traceroute -i tun0 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
 1 10.8.0.1 (10.8.0.1) 41.615 ms 43.000 ms 42.597 ms
 2 po-24.ce38.ams-01.nl.leaseweb.net (95.211.138.190) 42.245 ms 41.426 ms 42.694 ms
 3 te-0-5-0-10.br02.ams-01.nl.leaseweb.net (81.17.33.58) 42.514 ms xe-2-0-0.br01.ams-01.nl.leaseweb.net (81.17.33.68) 41.695 ms xe-2-1-3.br01.ams-01.nl.leaseweb.net (81.17.33.70) 41.572 ms
 4 te-0-4-0-7.bb03.ams-01.leaseweb.net (31.31.38.50) 43.000 ms te-0-0-0-7.bb03.ams-01.leaseweb.net (31.31.38.48) 42.761 ms te-0-4-0-6.bb03.ams-01.leaseweb.net (31.31.38.54) 42.602 ms
 5 unused.nl-ix.net (193.239.117.141) 43.564 ms 44.046 ms google.telecity-2-equinix-am7.nl-ix.net (193.239.117.142) 42.834 ms
 6 * * 108.170.241.193 (108.170.241.193) 44.326 ms
 7 216.239.51.171 (216.239.51.171) 44.441 ms 216.239.42.123 (216.239.42.123) 43.350 ms 108.170.230.233 (108.170.230.233) 44.816 ms
 8 google-public-dns-a.google.com (8.8.8.8) 43.820 ms 44.058 ms 44.582 ms

vs. traceroute with your WAN Interface

root@openwrt:~# traceroute -i eth0.2 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
 1 10.198.64.1 (10.198.64.1) 6.240 ms 6.092 ms 5.463 ms
 2 ME36X-Manzb-01.kabsi.at (195.202.135.129) 6.701 ms 6.127 ms 7.363 ms
 3 195.202.134.82 (195.202.134.82) 8.222 ms 8.433 ms 9.342 ms
 4 te0103-asr9k-upst-inx-01.net.kabelplus.at (195.202.134.233) 18.626 ms te0011-asr9k-upst-inx-01.net.kabelplus.at (195.202.135.6) 11.888 ms 9.353 ms
 5 google.peering.cz (91.213.211.170) 15.892 ms 16.902 ms 16.608 ms
 6 108.170.245.49 (108.170.245.49) 17.024 ms 108.170.245.33 (108.170.245.33) 15.660 ms 15.917 ms
 7 216.239.63.29 (216.239.63.29) 18.292 ms 108.170.237.179 (108.170.237.179) 16.173 ms 216.239.62.183 (216.239.62.183) 18.121 ms
 8 google-public-dns-a.google.com (8.8.8.8) 15.487 ms 15.610 ms 15.236 ms

A route should be added to your tun interface

root@openwrt:~# route | grep tun0
10.8.0.0 * 255.255.0.0 U 0 0 0 tun0

Search for a line with “Initialization Sequence Completed” in your Syslog

root@openwrt:/etc/config# logread | grep openvpn | grep Seq
Sun Feb 18 17:04:21 2018 daemon.notice openvpn(nl_prem)[2752]: Initialization Sequence Completed

Usage

This new VPN-WAN Interface is now available for guest LAN/WLANs, SplitTunnel or for MultiWan Setups.

Comments are closed.