Unable to run OpenVPN on a TP-LINK Archer C7 v2 Router

OK, fix it.

1 Like

I messed up everything trying to fix it. Don't have access to router anymore.

I'll come back when I get to the last step we were trying to fix.

Thanks

Reset to factory defaults, and start again.

2 Likes

What was the LAN IP address of your C7? (default 192.168.1.1)

WAN and LAN of your C7 must NOT be using the same subnet, 192.168.1.x, otherwise there will be routing problems.

If you factory reset your C7 and start from the beginning, I suggest you also review the alternative LuCI-based openvpn client setup guide v1.2 at the bottom of the wiki page.
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci

It links to:
https://openwrt.ebilan.co.uk/viewtopic.php?f=7&t=279
which works with different routers and VPN providers.

2 Likes

Back again :)

The router is back to life after I bricked it (I didn't know about the stripped version of the stock firmware, and didn't know that I could flash OpenWrt's factory image using TFTP).

Anyway, I'll try the process again, but now you guys have given me another way to install ExpressVPN. I just want to install the one you guys are sure about, so that you can help me if needed.

So which one should I go with?

Thanks

opkg update
opkg install openvpn-openssl luci-app-openvpn
2 Likes

fwiw, just try them all. It's the only way to learn about openwrt etc. The 'alternative' tutorial/guide I linked doesn't use SSH. Also, if memory serves me right, the C7 v2 with its old Atheros SoC can only reach about 16 Mbps openvpn speeds.

You can always use the Reset button to perform a 'Factory Reset', which will clear all openwrt settings, if you lose access to the router and want to start from the beginning to configure openwrt.
https://openwrt.org/docs/guide-user/troubleshooting/failsafe_and_factory_reset

2 Likes

Configure in command line, or ask someone to help without using SSH.

1 Like

I'm ok to configure it through command line.

opkg update
opkg install openvpn-openssl luci-app-openvpn

Ok done.

Thanks for this valuable information. Would have saved me a lot of time.

Create two files in the /etc/openvpn folder: ExpressVPN.ovpn and ExpressVPN.auth

Run from command line:

cd /etc/openvpn
openvpn ExpressVPN.ovpn

and make sure that it connects successfully.

1 Like
root@OpenWrt:~# cd /etc/openvpn/
root@OpenWrt:/etc/openvpn# touch ExpressVPN.ovpn ExpressVPN.auth
root@OpenWrt:/etc/openvpn# ls
ExpressVPN.auth  ExpressVPN.ovpn
root@OpenWrt:/etc/openvpn# openvpn ExpressVPN.ovpn
Sat Feb  8 13:54:10 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Options error: You must define TUN/TAP device (--dev)
Use --help for more information.
root@OpenWrt:/etc/openvpn#

You should create files with contents, not empty ones! See above: ExpressVPN.ovpn is the configuration file, ExpressVPN.auth is the file with credentials. In the configuration file there is the name of the auth file:
auth-user-pass ExpressVPN.auth

1 Like
root@OpenWrt:/etc/openvpn# vi /etc/openvpn/ExpressVPN.ovpn
root@OpenWrt:/etc/openvpn# openvpn ExpressVPN.ovpn
Sat Feb  8 15:12:45 2020 OpenVPN 2.4.8 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Feb  8 15:12:45 2020 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Sat Feb  8 15:12:45 2020 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Sat Feb  8 15:12:45 2020 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Feb  8 15:12:45 2020 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Feb  8 15:12:45 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]185.104.185.242:1195
Sat Feb  8 15:12:45 2020 Socket Buffers: R=[163840->327680] S=[163840->327680]
Sat Feb  8 15:12:45 2020 UDP link local: (not bound)
Sat Feb  8 15:12:45 2020 UDP link remote: [AF_INET]185.104.185.242:1195
Sat Feb  8 15:12:45 2020 TLS: Initial packet from [AF_INET]185.104.185.242:1195, sid=8e0188e3 ee092d90
Sat Feb  8 15:12:45 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Feb  8 15:12:45 2020 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Sat Feb  8 15:12:45 2020 VERIFY OK: nsCertType=SERVER
Sat Feb  8 15:12:45 2020 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-2778-1a, emailAddress=support@expressvpn.com
Sat Feb  8 15:12:45 2020 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-2778-1a, emailAddress=support@expressvpn.com
Sat Feb  8 15:12:45 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sat Feb  8 15:12:45 2020 [Server-2778-1a] Peer Connection Initiated with [AF_INET]185.104.185.242:1195
Sat Feb  8 15:12:46 2020 SENT CONTROL [Server-2778-1a]: 'PUSH_REQUEST' (status=1)
Sat Feb  8 15:12:46 2020 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.68.0.1,comp-lzo no,route 10.68.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.68.0.118 10.68.0.117,peer-id 27,cipher AES-256-GCM'
Sat Feb  8 15:12:46 2020 OPTIONS IMPORT: timers and/or timeouts modified
Sat Feb  8 15:12:46 2020 OPTIONS IMPORT: compression parms modified
Sat Feb  8 15:12:46 2020 OPTIONS IMPORT: --ifconfig/up options modified
Sat Feb  8 15:12:46 2020 OPTIONS IMPORT: route options modified
Sat Feb  8 15:12:46 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Feb  8 15:12:46 2020 OPTIONS IMPORT: peer-id set
Sat Feb  8 15:12:46 2020 OPTIONS IMPORT: adjusting link_mtu to 1629
Sat Feb  8 15:12:46 2020 OPTIONS IMPORT: data channel crypto options modified
Sat Feb  8 15:12:46 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Feb  8 15:12:46 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Feb  8 15:12:46 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Feb  8 15:12:46 2020 TUN/TAP device tun0 opened
Sat Feb  8 15:12:46 2020 TUN/TAP TX queue length set to 100
Sat Feb  8 15:12:46 2020 /sbin/ifconfig tun0 10.68.0.118 pointopoint 10.68.0.117 mtu 1500
Sat Feb  8 15:12:48 2020 /sbin/route add -net 185.104.185.242 netmask 255.255.255.255 gw 192.168.2.254
Sat Feb  8 15:12:48 2020 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.68.0.117
Sat Feb  8 15:12:48 2020 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.68.0.117
Sat Feb  8 15:12:48 2020 /sbin/route add -net 10.68.0.1 netmask 255.255.255.255 gw 10.68.0.117
Sat Feb  8 15:12:48 2020 Initialization Sequence Completed

I commented out the line

keysize:256

in the ExpressVPN.ovpn file.

OK, nice. Make modifications to /etc/config/network and /etc/config/firewall, similarly to https://airvpn.org/forums/topic/20303-airvpn-configuration-on-openwrt-preventing-traffic-leakage-outside-tunnel/
You can skip the kill-switch configuration, so:

  1. add interface to /etc/config/network
  2. add zone to /etc/config/firewall
  3. add forwarding to /etc/config/firewall
    Copy-paste from example:
config interface 'airvpntun'
        option proto 'none'
        option ifname 'tun0'

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'airvpntun'

config forwarding
        option src 'lan'
        option dest 'vpnfirewall'

After that, change the extension of the ovpn file to conf, and enable openvpn:

cd /etc/openvpn
mv ExpressVPN.ovpn ExpressVPN.conf
/etc/init.d/openvpn enable
reboot
1 Like
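The three steps above only work as a set: the interface name in /etc/config/network must be the one the firewall zone lists under `list network`, and a forwarding from lan into that zone must exist, otherwise LAN clients have no path into the tunnel and nothing in the logs says so. The following is an added example, not code from the thread or from the OpenWrt project: a small parser for the plain UCI text format (config/option/list lines) plus a check that ties the three pieces together. The script name and the sample config files are constructed; the "firewall-mismatch" sample deliberately lists an undefined interface (airvpntun while the network file defines expressvpn) to show what the check reports.

```sh
#!/bin/sh
# Added example (not from the thread or the OpenWrt project): check that the tun
# interface in /etc/config/network, the firewall zone that lists it, and the
# lan -> zone forwarding fit together. Parses the plain UCI text format.
# Usage on the router:
#   sh check_vpn_zone.sh /etc/config/network /etc/config/firewall vpnfirewall
# With no arguments it checks constructed sample files in a temporary directory.

# uci_flatten FILE -> one "sectiontype sectionindex key value" line per option/list,
# quotes stripped; a named section also yields a line with key "_name".
# Lines starting with "#" (the commented examples in the stock file) are skipped.
uci_flatten() {
    awk -v q="'" '
        { for (i = 1; i <= NF; i++) { gsub("^" q, "", $i); gsub(q "$", "", $i) } }
        $1 == "config" { type = $2; sec++; if (NF >= 3) print type, sec, "_name", $3; next }
        $1 == "option" || $1 == "list" { print type, sec, $2, $3 }
    ' "$1"
}

# network_has_interface NETFILE NAME -> 0 if "config interface 'NAME'" exists
network_has_interface() {
    uci_flatten "$1" | awk -v n="$2" '$1 == "interface" && $3 == "_name" && $4 == n { f = 1 } END { exit !f }'
}

# zone_networks FWFILE ZONE -> prints the "list network" entries of the zone named ZONE
zone_networks() {
    uci_flatten "$1" | awk -v z="$2" '
        $1 == "zone" && $3 == "name"    { name[$2] = $4 }
        $1 == "zone" && $3 == "network" { nets[$2] = nets[$2] " " $4 }
        END { for (s in name) if (name[s] == z) { n = split(nets[s], a, " "); for (i = 1; i <= n; i++) print a[i] } }'
}

# forwarding_exists FWFILE SRC DEST -> 0 if a "config forwarding" with that src/dest exists
forwarding_exists() {
    uci_flatten "$1" | awk -v s="$2" -v d="$3" '
        $1 == "forwarding" && $3 == "src"  { src[$2] = $4 }
        $1 == "forwarding" && $3 == "dest" { dst[$2] = $4 }
        END { for (k in src) if (src[k] == s && dst[k] == d) f = 1; exit !f }'
}

# check_vpn_zone NETFILE FWFILE ZONE -> 0 if ZONE exists, every network it lists is
# defined in NETFILE, and lan traffic is forwarded into ZONE
check_vpn_zone() {
    net="$1"; fw="$2"; zone="$3"; rc=0
    nets=$(zone_networks "$fw" "$zone")
    [ -n "$nets" ] || { echo "zone '$zone' missing or has no 'list network' entry"; return 1; }
    for n in $nets; do
        network_has_interface "$net" "$n" \
            || { echo "zone '$zone' lists network '$n', which is not defined in $net"; rc=1; }
    done
    forwarding_exists "$fw" lan "$zone" \
        || { echo "no 'config forwarding' from lan to '$zone'"; rc=1; }
    return $rc
}

# make_sample_configs -> prints a temp dir with constructed network/firewall files;
# "firewall" is consistent, "firewall-mismatch" lists the undefined network airvpntun
make_sample_configs() {
    d=$(mktemp -d)
    cat > "$d/network" <<'EOF'
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'

config interface 'wan'
        option proto 'dhcp'

config interface 'expressvpn'
        option proto 'none'
        option ifname 'tun0'
EOF
    cat > "$d/firewall" <<'EOF'
config zone
        option name             lan
        list   network          'lan'

config zone
        option name             wan
        list   network          'wan'

config forwarding
        option src              lan
        option dest             wan

#config zone
#       option name             'commented-out-example'

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        list network 'expressvpn'

config forwarding
        option src 'lan'
        option dest 'vpnfirewall'
EOF
    sed "s/'expressvpn'/'airvpntun'/" "$d/firewall" > "$d/firewall-mismatch"
    echo "$d"
}

if [ "$#" -ge 3 ]; then
    check_vpn_zone "$1" "$2" "$3" && echo "OK: zone '$3' uses a defined interface and is forwarded from lan"
else
    d=$(make_sample_configs)
    check_vpn_zone "$d/network" "$d/firewall" vpnfirewall && echo "OK: sample config passes"
    check_vpn_zone "$d/network" "$d/firewall-mismatch" vpnfirewall || echo "(expected) mismatch detected"
fi
```

On a real router `uci show firewall` is the authoritative view, but reading the files directly lets the same check run on a backup copy before it is applied. The parser only needs the first word of each value, which is enough for section names, zone names and network lists.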
root@OpenWrt:~#  uci set network.airvpntun=interface
root@OpenWrt:~#  uci set network.airvpntun.proto='none'
root@OpenWrt:~#  uci set network.airvpntun.ifname='tun0'
root@OpenWrt:~#  uci commit network
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdba:4e33:a2c5::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

config interface 'airvpntun'
        option proto 'none'
        option ifname 'tun0'

root@OpenWrt:~# uci set network.expressvpn=interface
root@OpenWrt:~# uci set network.expressvpn.proto='none'
root@OpenWrt:~# uci set network.expressvpn.ifname='tun0'
root@OpenWrt:~# uci commit network
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdba:4e33:a2c5::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

config interface 'expressvpn'
        option proto 'none'
        option ifname 'tun0'

root@OpenWrt:~# uci add firewall zone
cfg0fdc81
root@OpenWrt:~# uci set firewall.@zone[-1].name='vpnfirewall'
root@OpenWrt:~# uci set firewall.@zone[-1].input='REJECT'
root@OpenWrt:~# uci set firewall.@zone[-1].output='ACCEPT'
root@OpenWrt:~# uci set firewall.@zone[-1].forward='REJECT'
uci: Parse error

Then I copied from your code after the error:

root@OpenWrt:~# vi /etc/config/firewall
root@OpenWrt:~# cat /etc/config/firewall
config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option src_ip           fc00::/6
        option dest_ip          fc00::/6
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT

# include a file with users custom iptables rules
config include
        option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120

#config expressvpn firewall
config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'expressvpn'

config forwarding
        option src 'lan'
        option dest 'vpnfirewall'



#       option proto    tcp
root@OpenWrt:~#

OK, and what is the result? Does it work? Also set Google DNS on WAN, or add them to /etc/config/dhcp.

root@OpenWrt:~# ^C
root@OpenWrt:~# cd /etc/openvpn/
root@OpenWrt:/etc/openvpn# mv ExpressVPN.ovpn ExpresVPN.conf
root@OpenWrt:/etc/openvpn# /etc/init.d/openvpn enable
root@OpenWrt:/etc/openvpn# reboot
root@OpenWrt:/etc/openvpn#

Wow, it seems to work, my IP changed!

OK, you can add kill-switch, if you want.

1 Like

What is a kill switch?

How do I add DNS from the command line?

Thank you very much, by the way, @ulmwind