Creating a Policy-Based routed OpenVPN connection editable inside the LuCI OpenVPN app

Hi,

I customized two guides from the AirVPN forum (https://airvpn.org/topic/15405-using-airvpn-with-openwrt/ and https://airvpn.org/topic/20303-airvpn-configuration-on-openwrt-preventing-traffic-leakage-outside-tunnel/) on creating OpenVPN profiles, but couldn't achieve everything I wanted.
Here are the things I wanted:

  • Creating an OpenVPN connection using Policy-Based Routing without any leakage
  • Editing it with the OpenVPN LuCI app when needed.

Here are the steps:

1) Unbridge the LAN interface(s). Go to "Physical Settings" of the LAN interface(s) and uncheck "creates a bridge over specified interface(s)". Check the interface button of your connected (new wireless) network.

2) Connect to your router via SSH.

3.1) Update the packages:

opkg update

3.2) Install OpenVPN and nano:

opkg install openvpn-openssl
opkg install nano

3.3) (Optional) Install LuCI component of OpenVPN:

opkg install luci-app-openvpn

4) Make it autostart when the router starts:

/etc/init.d/openvpn enable

5) Back up the current OpenVPN config:

mv /etc/config/openvpn /etc/config/openvpn_old

6) Create a new interface for AirVPN:

cat >> /etc/config/network << EOF
config interface 'airvpn'
    option proto 'none'
    option ifname 'tun0'
EOF

Alternate way:

uci set network.airvpn=interface
uci set network.airvpn.proto='none'
uci set network.airvpn.ifname='tun0'
uci commit network

7) Use the "Config Generator" of AirVPN to create the OpenVPN files. Select "Advanced Mode" and check "Separate keys/certs from .ovpn file" and "Resolved hosts in .ovpn file". Save the files on your machine.

8) Move into the openvpn folder:

cd /etc/openvpn

9) Use nano to create all the required files on your router.
Copy and paste the following files "AirVPN_.ovpn, ta.key, ca.crt, user.crt, user.key" to the PuTTY folder.
Rename "AirVPN_.ovpn" to airvpn.conf for usability.
Then apply these commands:

nano airvpn.conf
nano ta.key
nano ca.crt
nano user.crt
nano user.key

Use ^S (Control+S) on each line.

airvpn.conf should look like this (or just use the ovpn file):

client
dev tun
proto udp
remote xxx.XXX.xxx.XXX XXX
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
route-delay 5
verb 3
ca ca.crt
cert user.crt
key user.key
tls-auth ta.key 1

10) Create a firewall zone for AirVPN (air_firewall):

cat >> /etc/config/firewall << EOF
config zone
    option name 'air_firewall'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'airvpn'

config forwarding
    option dest 'air_firewall'
    option src 'lan'
EOF

Alternate way:

uci add firewall zone
uci set firewall.@zone[-1].name='air_firewall'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='airvpn'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='air_firewall'
uci commit firewall

11) Prevent leakage outside the VPN tunnel:

uci del firewall.@forwarding[0]
uci set firewall.@zone[1].masq=0
uci commit firewall

12) The file /etc/config/openvpn should contain the following appended settings:

uci set openvpn.airvpn=openvpn
uci set openvpn.airvpn.enabled='1'
(optional) uci set openvpn.airvpn.config='/etc/openvpn/AirVPN_XXX_UDP-443.ovpn'
uci commit openvpn

13) Reboot the router.

14) Test OpenVPN configuration:

openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.conf

At the end it should show "Initialization Sequence Completed".
Stop openvpn with "Ctrl-C".

Important: I got these results.
It showed me this error:

Options error: You must define TUN/TAP device (--dev)

Then I tried this:

openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.conf --dev tun0

The output is this:

Mon Dec 10 20:44:19 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Mon Dec 10 20:44:19 2018 OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Dec 10 20:44:19 2018 library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Mon Dec 10 20:44:19 2018 ******* WARNING *******: All encryption and authentication features disabled -- All data will be tunnelled as clear text and will not be protected against man-in-the-middle changes. PLEASE DO RECONSIDER THIS CONFIGURATION!
Mon Dec 10 20:44:19 2018 TUN/TAP device tun0 opened
Mon Dec 10 20:44:19 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Dec 10 20:44:19 2018 UDPv4 link local (bound): [AF_INET][undef]:1194
Mon Dec 10 20:44:19 2018 UDPv4 link remote: [AF_UNSPEC]

15) Use the AirVPN DNS:

uci add_list dhcp.lan.dhcp_option="6,10.4.0.1"
uci commit dhcp
reboot

Alternate way:

uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns='10.4.0.1'
uci commit

config interface 'wan'
    option ifname 'eth0.2'
    option force_link '1'
    option proto 'dhcp'
    option peerdns '0'
    list dns '10.4.0.1'

16) Secure against IP leaks: back up the old firewall config

mv /etc/config/firewall /etc/config/firewall.backup

17) Create the new firewall rules

cat >> /etc/config/firewall << EOF
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option network 'wan'
option input 'ACCEPT'

config zone
option name 'airvpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'airvpn'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

config forwarding
option dest 'airvpn'
option src 'lan'
EOF

Another way:
To prevent traffic leakage in case the VPN tunnel drops, edit the file /etc/firewall.user with the following content:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
        iptables -I forwarding_rule -j REJECT
fi
if (! iptables -C forwarding_lan_rule ! -o tun+ -j REJECT); then
        iptables -I forwarding_lan_rule ! -o tun+ -j REJECT
fi

18) You should also create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with the following content:

#!/bin/sh
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
        iptables -D forwarding_rule -j REJECT
fi
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
        iptables -I forwarding_rule -j REJECT
fi

Use these commands:

cd /etc/hotplug.d/iface/
nano 99-prevent-leak

19) In some cases openvpn hangs with a log message like (couldn't resolve host ...). In this case the tunnel stays up, but the connection is lost. It has to be reconnected manually, which the following script /etc/openvpn/reconnect.sh does; it is added to /etc/rc.local as:
(It can also be added through the Startup page in LuCI.)

/etc/openvpn/reconnect.sh &

The content of reconnect.sh is as follows:

#!/bin/sh
# Poll the tunnel every 50 s; restart OpenVPN when no ping replies come back.
n=10
while sleep 50; do
        # BusyBox grep -E does not support \d, so use a bracket class.
        t=$(ping -c $n 8.8.8.8 | grep -o -E '[0-9]+ packets r' | grep -o -E '[0-9]+')
        # An empty result (ping failed outright) counts as zero replies.
        if [ "${t:-0}" -eq 0 ]; then
                /etc/init.d/openvpn restart
        fi
done

Test here: https://ipleak.net/
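As an added example (not part of the original post or of any AirVPN/OpenWrt guide), the two pieces of logic from steps 17 to 19 factored into functions that take their inputs as arguments, so the kill-switch decision and the ping parsing can be checked on a workstation without iptables or a live tunnel. The function names (tun_is_up, reject_rule_present, leak_guard_action, received_packets, apply_leak_guard) and the ping output samples are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: kill-switch decision and ping-reply parsing, separated from
# the commands that touch the router so the logic itself can be tested.

# Probes used on a real router (same commands the hotplug script relies on).
# Output is checked for non-emptiness because "ip" exits 0 for a device that
# exists but is down; it just prints nothing.
tun_is_up() { [ -n "$(ip a s "${1:-tun0}" up 2>/dev/null)" ]; }
reject_rule_present() { iptables -C forwarding_rule -j REJECT 2>/dev/null; }

# Pure decision: given tunnel state (1/0) and rule state (1/0), print the
# iptables command that keeps LAN forwarding REJECTed exactly while the
# tunnel is down, or "none" when the rule already matches the tunnel state.
leak_guard_action() {
    tun_up=$1; rule_present=$2
    if [ "$tun_up" -eq 1 ] && [ "$rule_present" -eq 1 ]; then
        echo "iptables -D forwarding_rule -j REJECT"   # tunnel back: open
    elif [ "$tun_up" -eq 0 ] && [ "$rule_present" -eq 0 ]; then
        echo "iptables -I forwarding_rule -j REJECT"   # tunnel gone: block
    else
        echo "none"
    fi
}

# Parse the number of received packets from BusyBox ping's summary line.
# BusyBox grep -E has no \d, so a bracket class is used; an empty result
# (ping failed outright, e.g. "Network unreachable") is reported as 0 so a
# numeric comparison by the caller never sees an empty string.
received_packets() {
    n=$(printf '%s\n' "$1" | grep -o -E '[0-9]+ packets received' \
        | grep -o -E '^[0-9]+' || true)
    echo "${n:-0}"
}

# Apply the decision on a real router (hotplug or firewall.user context).
apply_leak_guard() {
    if tun_is_up tun0; then up=1; else up=0; fi
    if reject_rule_present; then present=1; else present=0; fi
    action=$(leak_guard_action "$up" "$present")
    [ "$action" = none ] || $action
}

# Constructed ping output, in BusyBox format, for checking received_packets.
SAMPLE_PING_OK='PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=117 time=12.3 ms
--- 8.8.8.8 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 11.9/12.3/12.8 ms'
SAMPLE_PING_DEAD='PING 8.8.8.8 (8.8.8.8): 56 data bytes
--- 8.8.8.8 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss'
```

On the router only apply_leak_guard is called (from the hotplug script or /etc/firewall.user); the reconnect loop would compare `received_packets "$(ping -c 10 8.8.8.8)"` against 0 before restarting OpenVPN.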

I messed something up somewhere. So, I reset my router and started from scratch.

Questions:

  1. What might not be needed from the above list?
  2. What more can be achieved with the vpn-policy-routing and luci-app-vpn-policy-routing apps? I could not find anything easily on the forum (VPN Policy-Based Routing + Web UI -- Discussion), as I need IP-based exclusions from the VPN on the LAN.
  3. Creating a profile with the OpenVPN LuCI app prevents me from uploading the ta.key file, but I need the app's functionality in some way.
  4. Is using
cat >> /etc/config/XXX << EOF
config xxx
...
EOF

commands risky while restoring some settings and even reconfiguring OpenVPN?

As a note, I gathered LuCI app configuration from a backup of the router. Here are the locations of uploaded files:

option ca '/etc/luci-uploads/cbid.openvpn.AirVPN.ca'
option cert '/etc/luci-uploads/cbid.openvpn.AirVPN.cert'
option key '/etc/luci-uploads/cbid.openvpn.AirVPN.key'
option tls_auth '/etc/openvpn/ta.key 1'

The last one was entered manually. So, it's not valid anyway.

Also, there is a line which I do not remember entering. Is this needed? What is its purpose?

option route_gateway '10.234.1.1'

Can someone help me on these please?
Thanks...