Windscribe VPN & OpenWrt on RPi 3 b+

I am trying to get Windscribe set up on OpenWrt on an RPi 3 B+ and am close thanks to this 18.06 on Raspberry Pi 3 B+ and this https://vpnrouters.zendesk.com/hc/en-us/articles/360003557533-Windscribe-VPN-setup-on-OpenWRT-LEDE-Routers

The VPN service starts but my wireless clients aren't protected by it. If you look at the links and my screenshots below, what do you think is missing? The RPi has the LAN bridged by default, so it has no WAN interface like the instructions have, and the firewall rules don't quite match up. Maybe I need to add the VPN_TUN to the bridge or route it through that tunnel somehow?


This does not look good, OpenVPN TUN should at least display Uptime + nonzero RX/TX.

I can only get VPN_TUN up if I bridge it but then the wireless clients can't get an IP address


This guide step 12 and 13 shows the steps followed. Something isn't right.

https://vpnrouters.zendesk.com/hc/en-us/articles/360003557533-Windscribe-VPN-setup-on-OpenWRT-LEDE-Routers

No, that's a wrong way.

Show from OpenWrt in SSH:

ps w | grep [o]penvpn
uci show openvpn
root@OpenWrt:~# ps w | grep [o]penvpn
  685 root      3672 S    /usr/sbin/openvpn --syslog openvpn(Windscribe_VPN) --status /var/run/openvpn.Windscribe_VPN.status --cd /
root@OpenWrt:~# uci show openvpn
openvpn.Windscribe_VPN=openvpn
openvpn.Windscribe_VPN.nobind='1'
openvpn.Windscribe_VPN.client='1'
openvpn.Windscribe_VPN.comp_lzo='yes'
openvpn.Windscribe_VPN.reneg_sec='0'
openvpn.Windscribe_VPN.dev='tun'
openvpn.Windscribe_VPN.persist_tun='1'
openvpn.Windscribe_VPN.persist_key='1'
openvpn.Windscribe_VPN.remote='us-central.windscribe.com'
openvpn.Windscribe_VPN.dev_type='tun'
openvpn.Windscribe_VPN.proto='udp'
openvpn.Windscribe_VPN.ca='/etc/openvpn/ca.crt'
openvpn.Windscribe_VPN.enabled='1'
openvpn.Windscribe_VPN.log='/var/log/openvpn.log'
openvpn.Windscribe_VPN.port='53'
openvpn.Windscribe_VPN.verb='3'
openvpn.Windscribe_VPN.auth='SHA512'
openvpn.Windscribe_VPN.cipher='AES-256-CBC'
openvpn.Windscribe_VPN.remote_cert_tls='server'
openvpn.Windscribe_VPN.tls_auth='/etc/openvpn/ta.key'
openvpn.Windscribe_VPN.mute_replay_warnings='1'
openvpn.Windscribe_VPN.tls_client='1'
openvpn.Windscribe_VPN.tls_version_min='1.2'
openvpn.Windscribe_VPN.key_direction='1'
openvpn.Windscribe_VPN.auth_user_pass='/etc/openvpn/userpass.txt'

Let's look at the log and TUN-interface status:

cat /var/log/openvpn.log
ip a; ip r

TLS Handshake

Fri Aug 31 23:28:49 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication - Ticket opened with Windscribe on this

Would that cause VPN_TUN tun0 to not come up?

Your help is very much appreciated btw!

Fri Aug 31 23:27:29 2018 TLS Error: TLS handshake failed
Fri Aug 31 23:27:29 2018 SIGUSR1[soft,tls-error] received, process restarting
Fri Aug 31 23:27:29 2018 Restart pause, 80 second(s)
Fri Aug 31 23:28:49 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]146.88.193.131:53
Fri Aug 31 23:28:49 2018 Socket Buffers: R=[229376->229376] S=[229376->229376]
Fri Aug 31 23:28:49 2018 UDP link local: (not bound)
Fri Aug 31 23:28:49 2018 UDP link remote: [AF_INET]146.88.193.131:53
Fri Aug 31 23:28:49 2018 TLS: Initial packet from [AF_INET]146.88.193.131:53, sid=6624ec44 a87a7ff5
Fri Aug 31 23:28:49 2018 VERIFY OK: depth=1, C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Operations, CN=Windscribe Node CA
Fri Aug 31 23:28:49 2018 VERIFY KU OK
Fri Aug 31 23:28:49 2018 Validating certificate extended key usage
Fri Aug 31 23:28:49 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Aug 31 23:28:49 2018 VERIFY EKU OK
Fri Aug 31 23:28:49 2018 VERIFY OK: depth=0, C=CA, ST=ON, O=Windscribe Limited, OU=Operations, CN=Windscribe Node Server 4096
Fri Aug 31 23:29:49 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Aug 31 23:29:49 2018 TLS Error: TLS handshake failed
Fri Aug 31 23:29:49 2018 SIGUSR1[soft,tls-error] received, process restarting
Fri Aug 31 23:29:49 2018 Restart pause, 80 second(s)
Fri Aug 31 23:31:09 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]207.189.26.3:53
Fri Aug 31 23:31:09 2018 Socket Buffers: R=[229376->229376] S=[229376->229376]
Fri Aug 31 23:31:09 2018 UDP link local: (not bound)
Fri Aug 31 23:31:09 2018 UDP link remote: [AF_INET]207.189.26.3:53
Fri Aug 31 23:31:10 2018 TLS: Initial packet from [AF_INET]207.189.26.3:53, sid=54e013b4 67642315
Fri Aug 31 23:31:10 2018 VERIFY OK: depth=1, C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Operations, CN=Windscribe Node CA
Fri Aug 31 23:31:10 2018 VERIFY KU OK
Fri Aug 31 23:31:10 2018 Validating certificate extended key usage
Fri Aug 31 23:31:10 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication


root@OpenWrt:~# ip a; ip r
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
    link/ether 3a:85:49:41:09:c6 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
    link/ether b8:27:eb:47:d9:ed brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ba27:ebff:fe47:d9ed/64 scope link
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 7a:17:c7:db:ac:09 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.38/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fdd5:c9ad:292f::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::7817:c7ff:fedb:ac09/64 scope link
       valid_lft forever preferred_lft forever
default via 192.168.2.254 dev br-lan  src 192.168.2.38
192.168.2.0/24 dev br-lan scope link  src 192.168.2.38

Just a guess, but I think that the reason you aren't seeing tun0 come up is that the OpenVPN config is setting up tun, but not specifying it as tun0. If the network config is expecting tun0, it may not see tun0 and therefore not have anything to connect to.

Please post the contents of the following files:
/etc/config/network
/etc/config/firewall

Also, after you've made the connection, post the output of ifconfig from your router

I am getting closer and have the interface up. I changed openvpn.Windscribe_VPN.dev='tun' to tun0, which did nothing, but I changed the port from 53 to 443 and it came up. Any idea why 53 wouldn't work?

ISP may redirect DNS-traffic (53/tcp+53/udp) for optimization, censorship, etc.
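
Added example, not part of the original thread: a POSIX shell helper that summarises each connection attempt in an OpenVPN client log, so the pattern seen above (server certificate verified, then the key negotiation times out) stands out per remote and port. The function names are hypothetical, and the sample log is constructed: its first attempt is abridged from the log posted above, its second (192.0.2.10:443) is invented for illustration.

```shell
#!/bin/sh
# Added example: one summary line per OpenVPN connection attempt read from stdin.
# Output format: "<remote ip:port> verified=<yes|no> result=<up|tls-timeout|incomplete>"
ovpn_attempts() {
    awk '
    function emit() {
        if (remote != "")
            printf "%s verified=%s result=%s\n", remote, verified, result
    }
    # A "link remote:" line opens a new attempt; the last field is [AF_INET]ip:port.
    /link remote:/ {
        emit()
        remote = $NF; sub(/^\[AF_INET6?\]/, "", remote)
        verified = "no"; result = "incomplete"
    }
    /VERIFY OK: depth=0/                  { verified = "yes" }   # server leaf certificate accepted
    /TLS key negotiation failed to occur/ { result = "tls-timeout" }
    /Initialization Sequence Completed/   { result = "up" }
    END { emit() }
    '
}

# Remotes where the certificate arrived and verified but the handshake never
# finished: early packets got through, later ones did not. That is consistent
# with something on the path interfering with traffic on that port.
stalled_after_verify() {
    ovpn_attempts | awk '$2 == "verified=yes" && $3 == "result=tls-timeout" { print $1 }'
}

# Constructed sample log (see the note above the block).
sample_log() {
    cat <<'EOF'
Fri Aug 31 23:28:49 2018 UDP link remote: [AF_INET]146.88.193.131:53
Fri Aug 31 23:28:49 2018 VERIFY OK: depth=0, C=CA, ST=ON, O=Windscribe Limited, OU=Operations, CN=Windscribe Node Server 4096
Fri Aug 31 23:29:49 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Aug 31 23:29:49 2018 TLS Error: TLS handshake failed
Sat Sep  1 00:10:02 2018 UDP link remote: [AF_INET]192.0.2.10:443
Sat Sep  1 00:10:03 2018 VERIFY OK: depth=0, C=CA, ST=ON, O=Windscribe Limited, OU=Operations, CN=Windscribe Node Server 4096
Sat Sep  1 00:10:05 2018 Initialization Sequence Completed
EOF
}

sample_log | ovpn_attempts
```

On the router, feed it the real log instead of the sample: `ovpn_attempts < /var/log/openvpn.log`.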
