How to share VPN internet with OpenWrt

Thanks, but that's not correct.
Using an SSH tunnel, there's no need to have any other VPN application, because with SSH you can have a proxy.

You could install the full openssh client. The connection would be made by the client and not the server.

If this works, you could create an image with openssh-client rather than dropbear to ensure you aren't wasting space.

Well, I am not entirely wrong. The specific app is Firefox, and only the internet traffic from Firefox goes through the SSH tunnel in this setup. I use the same setup to RDP to my home computer from a laptop when I am traveling.

All apps are "specific", whatever that means, just as much as your RDP client.

Firefox is your specific application. So the question is how to get Firefox using the remote socket created on the router. Can Firefox do that at all (instead of a local socket)?

Configure FF to use the host with the SSH tunnel open as the proxy host?

1 Like
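As an added example (not code from the thread), this is what the above posts describe, end to end: a SOCKS5 proxy opened on the OpenWrt router with OpenSSH dynamic forwarding, a Firefox prefs fragment that points a LAN client at it, and a check from the client. The router LAN address 192.168.1.1, port 1080 and the account tunnel@vpn.example.org are placeholders. It relies on the openssh-client package rather than Dropbear, because Dropbear's dbclient has no -D (dynamic forward) option.

```shell
#!/bin/sh
# Added example, not code from the thread. A SOCKS5 proxy on the OpenWrt router
# via OpenSSH dynamic forwarding, and a Firefox prefs fragment for LAN clients.
# Placeholders: router LAN address 192.168.1.1, proxy port 1080, remote account
# tunnel@vpn.example.org. dbclient (Dropbear) has no -D, so the router needs
# the openssh-client package:  opkg update && opkg install openssh-client

ROUTER_LAN_IP="${ROUTER_LAN_IP:-192.168.1.1}"
SOCKS_PORT="${SOCKS_PORT:-1080}"
REMOTE="${REMOTE:-tunnel@vpn.example.org}"

# Run on the router. -N: no remote command; -f: background after auth;
# -D bound to the LAN address only, so the proxy is reachable from the LAN
# but not from the WAN side (binding 0.0.0.0 would expose an open proxy).
start_socks() {
    ssh -N -f -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        -D "${ROUTER_LAN_IP}:${SOCKS_PORT}" "${REMOTE}"
}

# Firefox user.js for a LAN client: manual proxy, SOCKS5 on the router, and
# names resolved through the proxy too (socks_remote_dns); without that last
# pref every DNS query still goes to the local ISP and shows what you browse.
firefox_user_js() {
    cat <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "${ROUTER_LAN_IP}");
user_pref("network.proxy.socks_port", ${SOCKS_PORT});
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# From a LAN client: --socks5-hostname hands the hostname to the proxy, the
# same thing Firefox does with socks_remote_dns, so this also exercises DNS.
check_proxy() {
    curl -sS --max-time 10 --socks5-hostname "${ROUTER_LAN_IP}:${SOCKS_PORT}" \
        -o /dev/null -w '%{http_code}\n' https://example.org/
}

case "${1:-}" in
    start) start_socks ;;
    prefs) firefox_user_js ;;
    check) check_proxy ;;
esac
```

Run `sh socks.sh start` on the router, append the output of `sh socks.sh prefs` to the Firefox profile's user.js (or set the same values under Network Settings), then `sh socks.sh check` from the client should print 200. The default OpenWrt firewall accepts input from the lan zone, so no extra rule is needed for port 1080; the proxy stays invisible from the WAN because of the bind address.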

That is out of my depth. I would simply find a VPN provider who supports OpenVPN client and run OpenVPN client on the router.

Running an ssh command to start a proxy is out-of-depth?

Web search?

Hi @inna ,

Sad to read that thread.

My answer is gonna be a lengthy one.

It's all about OBFUSCATION and PLAUSIBLE DENIABILITY.

In information security, a fence is usually built just a bit higher than the attacker could jump.
In your case, I'd suggest building your solution a few steps higher than normal, plus an additional security margin.

Your SSH Tunneling is working fine, and it's easy. But let's consider a few better solutions.

At first, let's have a look at Shadowsocks.

Shadowsocks is a free and open-source encryption protocol project, widely used in China to circumvent Internet censorship. It was created in 2012 by a Chinese programmer named "clowwindy", and multiple implementations of the protocol have been made available since. Shadowsocks is not a proxy on its own, but (typically) is the client software to help connect to a third-party SOCKS5 proxy, which is similar to a Secure Shell (SSH) tunnel.

Obfuscation ++

I've found a guide here as well.

Shadowsocks is hated by the Chinese government, because it pokes holes in their Golden Firewall.

Personally I have not yet tested it myself, but it's kinda famous. Chinese officials are pushing hard against its development.

###

TOR Project

Tor: Pluggable Transports


Sometimes the Tor network is censored, and you can't connect to it.

An increasing number of censoring countries are using Deep Packet Inspection (DPI) to classify Internet traffic flows by protocol. While Tor uses bridge relays to get around a censor that blocks by IP address, the censor can use DPI to recognize and filter Tor traffic flows even when they connect to unexpected IP addresses.

Pluggable Transports help you bypass censorship against Tor.

Pluggable Transports (PT) transform the Tor traffic flow between the client and the bridge. This way, censors who monitor traffic between the client and the bridge will see innocent-looking transformed traffic instead of the actual Tor traffic. External programs can talk to Tor clients and Tor bridges using the pluggable transport API, to make it easier to build interoperable programs.

I do not know about the status right now, but obfsproxy from the Tor Project encapsulates Tor traffic inside HTTPS traffic, so it looks like you communicate with an HTTPS website via 443.

Obfuscation ++

Old but golden. I haven't used it in the last few years; it has gone a bit silent around the project.

###

WireGuard is faster than OpenVPN but is less usable as a Swiss army knife.

I personally would suggest using a hardened OpenVPN setup in your case.

Why OpenVPN?

With OpenVPN you could create a nice-looking website, do SSL encryption on port 443, and have a website with kittens on it, for example Persian kittens. Pun intended.

With OpenVPN on that server next to an Apache/NGINX/lighty web server on port 443, you could run an OpenVPN server on the same port.
OpenVPN listens on public:443; if it's HTTPS traffic, it forwards it to the web server on 127.0.0.1:443.

That would already fake port 443 and the encrypted traffic to it.
If someone checks the homepage with a browser, he only sees kittens. It does not look like a VPN server.

So you could get rid of 1194.

From the reference manual: https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/

--port-share args
Share OpenVPN TCP with another service

Valid syntax:

port-share host port [dir]

When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh.

Though a really sophisticated state-grade firewall thingy could look in detail at the first handshake and probably distinguish whether it's OpenVPN or HTTPS traffic and filter the VPN traffic, I guess it's unlikely.

###

Next step:
Build your own certificates.
Here is a neat guide to building your own full root CA.
https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html

Look back at 2011, when the Iranian government breached DigiNotar, created their own certificates, faked Google/Gmail wildcard certificates, did man-in-the-middle attacks and breached a lot of Iranian Gmail accounts. Wasn't fun for them.
Do not trust root CA certificates and chains if you could trust your own self-made ones instead.

###

There are also other methods to obfuscate the OpenVPN traffic:

  • obfsproxy
  • SSH tunneling
  • SSL tunneling

####

I would suggest having an apache2 web page with kitten pictures, probably cat videos, so there's plausible deniability. Run it on port 443
and have OpenVPN behind it on the same port. Run both on the same port. Run OpenVPN with self-made certificates, so the authentication is secure.

On your client side, have a routed OpenVPN setup which pushes the routes to that server when it connects.

You could have a second VLAN port on your router (depending on your router), so that only that LAN port is connected to the VPN tun WAN interface and is used to force everything through that tunnel.

Do not forget to also check DNS traffic; this has to go through the tunnel too. This is often overlooked.

####

Depending on your budget, if you could get a GL.iNet GL-AR750S-Ext (Slate) device, set it up to have a WiFi which is forced through the tunnel, and have a client WiFi to connect as WAN to any open/free WiFi which is available.
Have an OpenVPN client setup ready which only starts when you start it manually through SSH, and also have a password prompt (in addition to the created certificates) required for the VPN client.

Therefore, if the device is without power, anyone, someone like a basiji, could pick it up, power it up, test it, find out the WiFi is not working properly, and put it down again. It only connects to your VPN server if you manually start it via an SSH connection. <-- deniability

If it's powered off, it's again a dumb AP. Unless a forensics guy solders onto the UART pins, or unsolders the flash itself and reads it, it's kind of impossible to find out the OpenVPN settings on the flash chip.

You could place that device between your home router and your clients, as an appliance. Everyone behind your VPN router is forced through the tunnel to the foreign Internet.

With a specific device, you could walk around with your own VPN server, connect it to a free WiFi hotspot, tunnel everything through it, create your own uncensored WiFi for friends, power it off and have a useless, non-working brick in your pocket.

###

Obfuscation
Plausible deniability
Server hardening - get rid of possible security issues
OpSec - don't talk about your VPN plans. Check in this forum whether you have already used names or mail addresses which could be traced back to you. Have a different set of names, mail addresses etc. which cannot be traced to this presence.

###

Persians I know personally always look over their shoulders every few minutes and scan the area. It's already built into their normal behaviour. I haven't ever seen any other people paranoid like this.

"War against God" is, as far as I understood, whatever the judge makes of it, and is handled with capital punishment. Censorship circumvention could be considered "war against God". Take care of yourself.

1 Like
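The port-sharing setup the post above describes, written out as an added example (not the poster's configuration and not from the OpenVPN project): an OpenVPN server that owns TCP/443 and hands non-OpenVPN connections to a decoy nginx on 127.0.0.1:443, the matching client profile, and a check from outside. The host name vpn.example.org, the PKI paths under /etc/openvpn/pki (issued by your own CA, as the post recommends), the nginx TLS file paths, the Debian-style nobody/nogroup accounts and the VPN-side resolver 10.8.0.1 are all assumptions; the option syntax is OpenVPN 2.4+.

```shell
#!/bin/sh
# Added example, not code from the thread. OpenVPN sharing TCP/443 with a decoy
# web site via --port-share (quoted from the manual above), plus the client
# profile and a check. Placeholders: vpn.example.org, PKI under /etc/openvpn/pki
# issued by your own CA, nginx TLS files under /etc/nginx/tls, Debian-style
# nobody/nogroup. Option syntax is OpenVPN 2.4+ (tls-crypt, dh none).

SERVER_NAME="${SERVER_NAME:-vpn.example.org}"
PKI="${PKI:-/etc/openvpn/pki}"

# port-share needs proto tcp-server. OpenVPN peeks at the first bytes of each
# connection: its own framing is handled, anything else is proxied to
# 127.0.0.1:443. The decoy must therefore listen on loopback only, or the two
# would fight for the public port.
openvpn_server_conf() {
    cat <<EOF
port 443
proto tcp-server
port-share 127.0.0.1 443
dev tun
server 10.8.0.0 255.255.255.0
ca ${PKI}/ca.crt
cert ${PKI}/server.crt
key ${PKI}/server.key
dh none
tls-crypt ${PKI}/tc.key
remote-cert-tls client
tls-version-min 1.2
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 60
user nobody
group nogroup
persist-key
persist-tun
EOF
}

# Client profile (OpenWrt router or laptop): TCP to 443, the server certificate
# checked against your own CA only, never the system trust store. Keep
# client.key passphrase-protected so openvpn prompts when started by hand.
openvpn_client_conf() {
    cat <<EOF
client
dev tun
proto tcp-client
remote ${SERVER_NAME} 443
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
tls-crypt tc.key
remote-cert-tls server
verify-x509-name ${SERVER_NAME} name
tls-version-min 1.2
persist-key
persist-tun
EOF
}

# Decoy site on loopback only. Its certificate is separate from the VPN's CA:
# the browser-visible one should be an ordinary, publicly trusted certificate.
nginx_decoy_conf() {
    cat <<EOF
server {
    listen 127.0.0.1:443 ssl;
    server_name ${SERVER_NAME};
    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;
    root  /var/www/kittens;
    index index.html;
}
EOF
}

# From outside: a plain TLS client on 443 must reach the decoy and get its
# certificate. If this hangs or prints nothing, OpenVPN is not proxying the
# non-OpenVPN connections and the port behaves like a VPN server.
check_decoy() {
    openssl s_client -connect "${SERVER_NAME}:443" -servername "${SERVER_NAME}" \
        </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer
}

case "${1:-}" in
    server) openvpn_server_conf ;;
    client) openvpn_client_conf ;;
    nginx)  nginx_decoy_conf ;;
    check)  check_decoy ;;
esac
```

`sh portshare.sh server > /etc/openvpn/server.conf`, `sh portshare.sh nginx > /etc/nginx/sites-enabled/decoy` and `sh portshare.sh client > client.ovpn` (with ca.crt, client.crt, client.key and tc.key beside it) give the three pieces; `sh portshare.sh check` from another network should print the decoy's subject and issuer. Two caveats the post already hints at: port-share decides on the first bytes only, so a DPI box that fingerprints the TLS handshake inside OpenVPN's framing can still tell the two apart, and the decoy's own TLS handshake is what a censor sees when probing the port, so it should look like any other small HTTPS site.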

You have a 16 MB flash router, plenty of space.

Name: openvpn-openssl
Version: 2.5.3-4
Description: Open source VPN solution using OpenSSL
Installed size: **192kB**

LuCI will be 11 kB.

kmod-tun, I guess, has to be considered as well...

You should have 8192+ kB free space; openvpn-openssl will take 192 kB, maybe 1800 kB with all dependencies (libopenssl => 1266 kB).

Could you please give a log from your opkg install of the VPN package
and the error message?

I'm using OpenVPN on a 17.x LEDE router with only 8 MB flash.

1 Like
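Once openvpn-openssl is installed as the post above describes, the router-side wiring for the earlier post's "appliance" variant (everyone behind the router forced through the tunnel, DNS included, tunnel started only by hand over SSH) is the part that is usually left out. The following is an added example, not anyone's configuration from the thread: it emits a uci batch for the tun interface, a firewall zone, the LAN forwarding and a DNS intercept, then starts OpenVPN manually with a passphrase prompt. The interface name tun0, the profile path /etc/openvpn/client.ovpn, the VPN-side resolver 10.8.0.1, the server name vpn.example.org, the bootstrap resolver 9.9.9.9, the OpenWrt 21.02+ uci option names, and the assumption that the stock config has exactly one forwarding (lan to wan) are all placeholders to adapt.

```shell
#!/bin/sh
# Added example, not code from the thread. OpenWrt-side wiring for the
# "appliance" variant above: everything behind the router goes through the
# OpenVPN tunnel, DNS included, and the tunnel is only started by hand over ssh.
# Placeholders: tun0, /etc/openvpn/client.ovpn, VPN-side resolver 10.8.0.1,
# server name vpn.example.org, bootstrap resolver 9.9.9.9, OpenWrt 21.02+ uci
# names. Install first (pulls kmod-tun and libopenssl):
#   opkg update && opkg install openvpn-openssl

PROFILE="${PROFILE:-/etc/openvpn/client.ovpn}"

# Lines starting with # are stripped before the text reaches `uci batch`.
uci_batch_force_tunnel() {
    cat <<'EOF'
# tun0 is created by openvpn; OpenWrt only needs to know it exists
set network.vpn=interface
set network.vpn.proto='none'
set network.vpn.device='tun0'
# zone for the tunnel: NAT out, accept nothing in
set firewall.vpn=zone
set firewall.vpn.name='vpn'
set firewall.vpn.network='vpn'
set firewall.vpn.input='REJECT'
set firewall.vpn.output='ACCEPT'
set firewall.vpn.forward='REJECT'
set firewall.vpn.masq='1'
set firewall.vpn.mtu_fix='1'
# stock config has one forwarding, lan -> wan (assumption). Repoint it at the
# tunnel: with the tunnel down LAN clients get no Internet, not a leaked one
set firewall.@forwarding[0].dest='vpn'
# DNS: DNAT every port-53 query from the LAN to the router itself (no dest_ip
# means "this router"), so a client's hard-coded resolver cannot bypass us
set firewall.lan_dns=redirect
set firewall.lan_dns.name='lan-dns-intercept'
set firewall.lan_dns.src='lan'
set firewall.lan_dns.src_dport='53'
set firewall.lan_dns.proto='tcp udp'
set firewall.lan_dns.target='DNAT'
# dnsmasq: drop the ISP resolvers, ask the VPN-side one. The only exception is
# the VPN server's own name, which must resolve before the tunnel exists
set dhcp.@dnsmasq[0].noresolv='1'
add_list dhcp.@dnsmasq[0].server='10.8.0.1'
add_list dhcp.@dnsmasq[0].server='/vpn.example.org/9.9.9.9'
commit network
commit firewall
commit dhcp
EOF
}

apply() {
    uci_batch_force_tunnel | grep -v '^#' | uci batch
    /etc/init.d/firewall reload
    /etc/init.d/dnsmasq restart
    /etc/init.d/openvpn disable    # no autostart, ever; see start_by_hand
}

# Run this over ssh when you want the tunnel. --askpass prompts for the client
# key passphrase on the console before daemonizing, so the profile and key
# sitting on flash are not usable by whoever powers the box up.
start_by_hand() {
    openvpn --config "$PROFILE" --askpass --daemon --log /tmp/openvpn.log
}

# On the router: the route to an outside address must go via tun0, and the
# LAN's only forwarding target must be the vpn zone.
check_forced() {
    ip route get 9.9.9.9 | grep -q ' dev tun0 ' || { echo "not via tun0"; return 1; }
    uci get firewall.@forwarding[0].dest | grep -qx vpn || { echo "lan still forwards elsewhere"; return 1; }
    echo "forced through tunnel"
}

case "${1:-}" in
    show)  uci_batch_force_tunnel ;;
    apply) apply ;;
    start) start_by_hand ;;
    check) check_forced ;;
esac
```

`sh force.sh show` prints the batch for review, `sh force.sh apply` commits it, and `sh force.sh start` over SSH brings the tunnel up after asking for the key passphrase. The point of moving the lan forwarding to the vpn zone instead of adding a second one is fail-closed behaviour: if the tunnel never comes up, LAN clients have no path to wan at all. Resolving the VPN server's own name through 9.9.9.9 is the one query that necessarily leaves the box unprotected; using an IP in the profile's `remote` line removes even that.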

I wanna say it like this:

Might wanna PM next time if configs are so serious (which I knew they were). I'm definitely canceling my travel plans now.

"Can't we all just get along." - R. King

Thanks for the very useful answer.
I'll read your answer and try to see whether it would be possible to share free internet with OpenWrt (which I've failed to do up to now).
I'm a little busy to test all of them, but I'll test them.

Regarding things like Basij and "war against God", I'm really sorry that the I.R. has been advertised to the world in this way :(