READ ENTIRE GUIDE BEFORE YOU BEGIN
OK - I decided to put this up on the TorGuard Forum as I could not find a tutorial anywhere with specific step-by-step instructions for getting TorGuard OpenVPN working with OpenWrt/LEDE. In advance, I want to thank the excellent support team at TorGuard ( especially Mike & Andy ) for assisting me with getting my LEDE/OpenWrt VPN router up and running.
I use davidc502 firmware, which is described as Moderately Customized LEDE Development Builds, found here - https://davidc502sis.dynamic-dns.net/releases/ and here - https://davidc502sis.dynamic-dns.net/snapshots/ - with davidc502's forum found here: "Davidc502 - wrt1200ac wrt1900acx wrt3200acm wrt32x builds".
Dave's builds are for the Linksys WRT1900AC v1, Linksys WRT1900AC v2, Linksys WRT1900ACS, Linksys WRT3200ACM and Linksys WRT1200AC models ONLY !!!
One of the many benefits of using Dave's custom firmware is that it comes with many pre-installed and configured software packages - including OpenVPN and DNSCrypt - I use both in conjunction on my router. For the full list of packages see Dave's configuration seed found here - https://davidc502sis.dynamic-dns.net/releases/config.seed
However, this guide will work on any and every OpenWrt/LEDE firmware based router. I also tested this with OpenWrt/LEDE 18.06.0-rc1, found here ( download and do a fresh install of squashfs-factory.img on your device for best performance ): https://downloads.openwrt.org/releases/18.06.0-rc1/
Anyway - here we go. This is Mike's detailed original answer to my inquiry concerning my request for assistance in setting up OpenVPN on OpenWrt/LEDE. I have added a few edits in order to make this more comprehensible and easier to implement. This guide will work, guaranteed, if you follow the instructions step by step.
- Then in the LuCI GUI go to System > Software and do an update first ( SSH command: opkg update ),
then search for openvpn and install openvpn-openssl and luci-app-openvpn ( SSH command: opkg install openvpn-openssl luci-app-openvpn ).
These are necessary. LuCI is the GUI frontend for OpenWrt - it comes pre-installed with davidc502's firmware and is also installed on LEDE stable.
- Generate the OpenVPN config at https://torguard.net/tgconf.php?action=vpn-openvpnconfig choosing openwrt.
- Log in to the router ( OpenWrt ) using an ftp client like WinSCP, upload the config file downloaded from the tool to the box and rename it to /etc/config/openvpn
To make this simpler - you can copy and paste the newly generated text to a text file on your desktop and/or download the config file to your desktop.
Install nano ( preferred text editor ) on your router if it is not already there ( it comes pre-installed in davidc502's builds ): opkg install nano
SSH into the router, then type ( copy and paste ) " nano /etc/config/openvpn " ( without the quotes ) - erase all contents of the file ( hold Ctrl + k ) and replace them ( copy and paste ) with the contents of the config file you copied and downloaded earlier.
Sample of my /etc/config/openvpn config file - adjust yours as you see fit, but stick with the config from https://torguard.net/tgconf.php?action=vpn-openvpnconfig as your basic guide:
config openvpn 'TorGuard_AES256GCM_SHA256'
    option client '1'
    option dev 'tun'
    option proto 'udp'
    option resolv_retry 'infinite'
    option nobind '1'
    option persist_key '1'
    option persist_tun '1'
    option ca '/etc/openvpn/torguard/ca.crt'
    option remote_cert_tls 'server'
    option tls_auth '/etc/openvpn/torguard/ta.key 1'
    option cipher 'AES-256-GCM'
    option comp_lzo 'adaptive' # As of March 2018 and OpenVPN 2.4.5 use option compress 'lzo'
    option verb '4'
    option fast_io '1'
    option auth_user_pass '/etc/openvpn/torguard/userpass.txt'
    option remote_random '0'
    option auth 'SHA256'
    option reneg_sec '0'
    option port '1195'
    list remote 'ny.east.usa.torguardvpnaccess.com'
    option sndbuf '393216'
    option rcvbuf '393216'
    option enabled '1'
    option keepalive '10 120'
    option auth_nocache '1'
    option tls_client '1'
    option setenv 'CLIENT_CERT 0'
    option tls_version_min '1.2'
    option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'
    option ncp_ciphers 'AES-256-GCM:AES-128-GCM'
    option tun_mtu '1500'
    option tun_mtu_extra '32'
    option ncp_disable '1'
    option engine 'dynamic'
    option mute_replay_warnings '1'
    option disable_occ '1'
    option keysize '256'
    option mssfix '1450'
    option script_security '2'
    option reneg_bytes '1073741824'
    option mute '20'
    option pull '1'
    option log '/tmp/openvpn.log'
Then hit Ctrl + o - you will be asked to write the file - hit Enter to save the file - then Ctrl + x to close the file and go back to the shell.
- Create the folder /etc/openvpn/torguard and add under it the ca.crt and ta.key from https://torguard.net/downloads/ta.key and https://torguard.net/downloads/ca.crt and create a new file userpass.txt with your VPN username on the first line and your VPN password on the second.
To create the /etc/openvpn/torguard folder, in an SSH session on the router type " mkdir /etc/openvpn/torguard " ( without the quotes ).
opkg install wget ( if you need to install wget - it comes pre-installed in davidc502's builds )
Still in the SSH session, use wget to download the necessary files to the /etc/openvpn/torguard folder which you just created. Type the following commands in the shell:
A - " wget -P /etc/openvpn/torguard https://torguard.net/downloads/ta.key " ( without the quotes ) - copy and paste - ( ta.key is downloaded to the /etc/openvpn/torguard folder )
B - " wget -P /etc/openvpn/torguard https://torguard.net/downloads/ca.crt " ( without the quotes ) - copy and paste - ( ca.crt is downloaded to the /etc/openvpn/torguard folder )
C - type ( copy and paste ) " nano /etc/openvpn/torguard/userpass.txt " ( without the quotes ) - in the new text file type ( copy and paste ) your TorGuard VPN username on the first line and your TorGuard VPN password on the second line. Then hit Ctrl + o - you will be asked to write the file - hit Enter to save the file - then Ctrl + x to close the file and go back to the shell. userpass.txt is now added under the /etc/openvpn/torguard/ folder as well.
Now - these commands are required from my past experience - still in SSH type ( copy and paste )
chmod 0777 /etc/openvpn/torguard/ta.key
chmod 0777 /etc/openvpn/torguard/ca.crt
chmod 0400 /etc/openvpn/torguard/userpass.txt
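The resulting modes can be checked from the same shell. This is an added example, not part of the original guide: audit_vpn_dir is a hypothetical helper that flags userpass.txt when anyone but the owner can access it, and flags the key and certificate when group or others can write to them. The demo folder is constructed with the modes used above.

```shell
#!/bin/sh
# Added example (not from the guide): audit file modes in the credential folder.
# audit_vpn_dir is a hypothetical helper name.
audit_vpn_dir() {
    dir=$1
    findings=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        base=${f##*/}
        mode=$(ls -ld "$f" | cut -c1-10)          # e.g. -rwxrwxrwx
        go=$(printf '%s' "$mode" | cut -c5-10)    # group + other permission bits
        case "$base" in
            userpass.txt)
                # holds the VPN username and password: owner-only access
                if [ "$go" != "------" ]; then
                    echo "FAIL $mode $base: accessible beyond owner"
                    findings=$((findings + 1))
                fi ;;
            *)
                # key and CA file: only the owner should be able to replace them
                case "$go" in
                    ?w????|????w?)
                        echo "FAIL $mode $base: writable by group or others"
                        findings=$((findings + 1)) ;;
                esac ;;
        esac
    done
    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}

# Constructed demo: a scratch folder with the modes used in the guide.
demo_guide_modes() {
    d=$(mktemp -d)
    : > "$d/ta.key"; : > "$d/ca.crt"; : > "$d/userpass.txt"
    chmod 0777 "$d/ta.key" "$d/ca.crt"
    chmod 0400 "$d/userpass.txt"
    audit_vpn_dir "$d"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo_guide_modes || true
```

On the router the call is audit_vpn_dir /etc/openvpn/torguard; it returns non-zero when there is at least one finding.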
There are two alternative methods available in order to create the necessary OpenVPN network interface and complementary firewall rules. The first one I will feature is through the command line shell - using uci commands.
The second is simply done through the LuCI Web GUI. Personally, I use the uci command line approach as I feel the firewall rules for the VPN connection are more secure in nature using this method. For the sake of this tutorial, consider the command line ( uci ) method Scenario A and the LuCI Web GUI method Scenario B. Both will create an interface and working firewall rules and in the end leave you with a working TorGuard OpenVPN configuration and subsequent connection. GUARANTEED !
Remember this is either A or B - not A AND B !!! - you can not use both. It is one or the other.
Scenario A -
TorGuard OpenVpn Network Interface Creation and Setup via command line - uci
uci set network.myvpnc=interface
uci set network.myvpnc.proto=none
uci set network.myvpnc.ifname=tun0
uci commit network
TorGuard OpenVpn Firewall Rules Setup via command line - uci
uci add firewall zone
uci set firewall.@zone[-1]=zone
uci set firewall.@zone[-1].name=myvpnc_fw
uci set firewall.@zone[-1].network=myvpnc
uci set firewall.@zone[-1].input=REJECT
uci set firewall.@zone[-1].output=ACCEPT
uci set firewall.@zone[-1].forward=REJECT
uci set firewall.@zone[-1].masq=1
uci set firewall.@zone[-1].mtu_fix=1
uci add firewall forwarding
uci set firewall.@forwarding[-1]=forwarding
uci set firewall.@forwarding[-1].src=lan
uci set firewall.@forwarding[-1].dest=myvpnc_fw
uci commit firewall
Scenario B -
TorGuard OpenVpn - LuCI ( Web GUI ) Network Interface Creation and Setup and Firewall Rules Setup
1 ) Back in LuCI ( LEDE/OpenWrt GUI ), go to Network > Interfaces and add a new interface. Name the interface " MYVPN " - make sure the " Protocol of the new interface " at the top of the page is set to " Unmanaged ", and at the bottom of the page select " Custom " and enter " tun0 " ( tun number zero ) in the field next to the custom radio button.
Click on Submit, then Save and Save and Apply Settings.
2 ) Go to the Network > Firewall section, click add " new zone " and set it to " accept " ( all three up top - accept for input / output / forward ), then check the " masquerade " box under where you are accepting all.
Then enter a check mark in the box next to interface VPN ( Covered networks ).
Then in the bottom box " Inter-Zone Forwarding " set ( Allow forward to destination zones: ) = LAN and then
( Allow forward from source zones: ) = LAN
This means click both radio buttons next to lan in the last section of the firewall " newzone " you just created.
Lastly, click on Save and Save and Apply Settings.
3 ) Go to Services > OpenVPN and start the VPN service.
All should be up and running after this. Support said they would post this in tutorials for OpenWrt/LEDE firmware. As I said, I just put this up to save folks time if they run TorGuard VPN. By the way, it is an excellent VPN service. Easier setup than PIA VPN - specifically on LEDE/OpenWrt. Again - thanks to TorGuard Support.
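Scenario A and Scenario B leave different firewall zones behind, and the difference can be read from the output of uci show firewall. The following is an added example, not part of the original guide: audit_vpn_zone is a hypothetical helper, the two sample inputs are constructed from the steps above (trimmed to the options it checks, with Scenario B's zone assumed to be named newzone), and the zone and forwarding sections are assumed to be anonymous as created by uci add.

```shell
#!/bin/sh
# Added example, not from the guide. Reads `uci show firewall` text on stdin and
# reports what the zone covering network $1 lets in from the tunnel.
# Usage on the router: uci show firewall | audit_vpn_zone myvpnc
audit_vpn_zone() {
    awk -v net="$1" -v q="'" -F= '
    { gsub(q, "", $2) }                      # uci show quotes values: strip quotes
    match($1, /^firewall\.@(zone|forwarding)\[[0-9]+\]\./) {
        sec = substr($1, 1, RLENGTH - 1)     # e.g. firewall.@zone[2]
        val[sec, substr($1, RLENGTH + 1)] = $2
        if (!(sec in seen)) { seen[sec] = 1; order[++n] = sec }
    }
    END {
        for (i = 1; i <= n; i++) { s = order[i]
            if (s ~ /@zone/ && index(" " val[s, "network"] " ", " " net " ")) z = s }
        if (z == "") { print "no zone covers " net; exit 2 }
        name = val[z, "name"]
        if (val[z, "input"] == "ACCEPT")   { bad++; print name ": input=ACCEPT, router accepts connections from the tunnel" }
        if (val[z, "forward"] == "ACCEPT") { bad++; print name ": forward=ACCEPT" }
        for (i = 1; i <= n; i++) { s = order[i]
            if (s ~ /@forwarding/ && val[s, "src"] == name) { bad++
                print name ": forwards tunnel traffic into zone " val[s, "dest"] } }
        print name ": " (bad + 0) " finding(s)"
        exit (bad > 0)
    }'
}
# Constructed input: the options each scenario sets, as uci show would print them.
scenario_a() { cat <<'EOF'
firewall.@zone[2].name='myvpnc_fw'
firewall.@zone[2].network='myvpnc'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].forward='REJECT'
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='myvpnc_fw'
EOF
}
scenario_b() { cat <<'EOF'
firewall.@zone[2].name='newzone'
firewall.@zone[2].network='MYVPN'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@forwarding[1].src='newzone'
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[2].src='lan'
firewall.@forwarding[2].dest='newzone'
EOF
}
scenario_a | audit_vpn_zone myvpnc
scenario_b | audit_vpn_zone MYVPN || true
```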
Bonus Feature- For Adding DNS-Over-TLS support to OpenWRT (LEDE) with Unbound see here:
https://torguard.net/forums/index.php?/topic/1374-adding-dns-over-tls-support-to-openwrt-lede-with-unbound/ or here:
Adding DNS-Over-TLS support to OpenWrt (LEDE) with Unbound