OpenWrt Forum Archive

Topic: OpenWRT + OpenVPN + Netflix + BBC Iplayer Simultaneously

The content of this topic has been archived on 26 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Just spent a while getting this to work, so thought I'd attempt to share what I needed to do to get it to work....

Step 1. Either purchase two VPN services or else buy one that allows two simultaneous connections (I used Witopia for this purpose, works great)

Step 2. Install OpenVPN on your OpenWrt box - there are plenty of guides on how to do this so I won't cover it here.

Step 3. Configure OpenVPN - First up add your two VPNs from Luci - it's much easier and allows you to upload the necessary ca, cert and key files. Then you'll need to tweak on the command line - my configs looked like this:

# US tunnel. 'route_noexec' keeps OpenVPN from installing the routes the
# server pushes (a default route among them); the 'up' script adds only the
# networks that should go through this tunnel. The 'management' socket is
# bound to loopback and each instance must use its own port. Both sections
# point at the same uploaded ca/cert/key files (one account, two connections).
config 'openvpn' 'us_vpn'
    option 'float' '1'
    option 'comp_lzo' '1'
    option 'reneg_sec' '0'
    option 'management' '127.0.0.1 31194'
    option 'dev' 'tun'
    option 'proto' 'udp'
    option 'verb' '3'
    option 'persist_tun' '1'
    option 'persist_key' '1'
    option 'remote' 'VPN SERVER HERE'
    option 'ca' '/lib/uci/upload/cbid.openvpn.client_tun.ca'
    option 'cert' '/lib/uci/upload/cbid.openvpn.client_tun.cert'
    option 'key' '/lib/uci/upload/cbid.openvpn.client_tun.key'
    option 'mode' 'p2p'
    option 'client' '1'
    option 'enable' '1'
    option 'up' '/etc/openvpn/openvpn-up-us.sh'
    option 'route_noexec' '1'

# UK tunnel: same layout, with its own management port and a fixed local
# UDP port ('lport') so the two clients do not both try to bind port 1194.
config 'openvpn' 'uk_vpn'
    option 'float' '1'
    option 'comp_lzo' '1'
    option 'reneg_sec' '0'
    option 'proto' 'udp'
    option 'lport' '5717'
    option 'management' '127.0.0.1 31195'
    option 'dev' 'tun'
    option 'verb' '3'
    option 'persist_tun' '1'
    option 'persist_key' '1'
    option 'remote' 'VPN SERVER HERE'
    option 'ca' '/lib/uci/upload/cbid.openvpn.client_tun.ca'
    option 'cert' '/lib/uci/upload/cbid.openvpn.client_tun.cert'
    option 'key' '/lib/uci/upload/cbid.openvpn.client_tun.key'
    option 'mode' 'p2p'
    option 'client' '1'
    option 'enable' '1'
    option 'up' '/etc/openvpn/openvpn-up-uk.sh'
    option 'route_noexec' '1'

Note the 'route_noexec' option - I couldn't for the life of me work out how to stop each of the VPNs coming up and then becoming the default route - this option did stop this, but also disables the ability to inject specific routes at this stage. The workaround is to use an 'up' script - referenced in each of the configs (e.g. openvpn-up-uk.sh).

Step 4. You'll need to create each of these 'up' files - basically each is an ash script that just runs a whole bunch of route commands to add the specific netflix/bbc routes to the routing table:

/etc/openvpn/openvpn-up-us.sh

#!/bin/ash
# OpenVPN runs this as: <script> tun_dev tun_mtu link_mtu local_ip remote_ip init,
# so $1 is the tunnel interface (tun0 or tun1) the routes should point at.
# Without 'set -e' the exit status is that of the last route command only;
# OpenVPN treats a non-zero exit from the 'up' script as fatal, so an earlier
# failed entry is silently skipped rather than tearing the tunnel down.

# Netmask corrected from 255.255.250.0, which is not a contiguous mask and is
# rejected by the kernel ('SIOCADDRT: Invalid argument').
/sbin/route add -net 208.75.76.0 netmask 255.255.252.0 $1
/sbin/route add -net 128.242.0.0 netmask 255.255.0.0 $1
/sbin/route add -net 63.97.94.0 netmask 255.255.255.0 $1
/sbin/route add -net 65.200.11.0 netmask 255.255.255.0 $1
/sbin/route add -net 96.16.0.0 netmask 255.254.0.0 $1
/sbin/route add -net 216.246.75.0 netmask 255.255.255.0 $1
/sbin/route add -net 204.0.0.0 netmask 255.252.0.0 $1
/sbin/route add -net 204.200.0.0 netmask 255.252.0.0 $1
/sbin/route add -net 184.84.0.0 netmask 255.252.0.0 $1
# The /8 entries below send very large address blocks through the tunnel.
/sbin/route add -net 62.0.0.0 netmask 255.0.0.0 $1
/sbin/route add -net 58.0.0.0 netmask 255.0.0.0 $1
/sbin/route add -net 198.76.0.0 netmask 255.252.0.0 $1
/sbin/route add -net 4.27.0.0 netmask 255.255.0.0 $1
/sbin/route add -net 8.0.0.0 netmask 255.0.0.0 $1
/sbin/route add -net 206.32.0.0 netmask 255.252.0.0 $1
/sbin/route add -net 209.84.28.0 netmask 255.255.254.0 $1
# Netmask corrected from 255.255.250.0 (same non-contiguous mask as above).
/sbin/route add -net 209.84.24.0 netmask 255.255.252.0 $1
/sbin/route add -net 209.84.16.0 netmask 255.255.248.0 $1
/sbin/route add -net 192.221.0.0 netmask 255.255.0.0 $1
/sbin/route add -net 205.128.0.0 netmask 255.252.0.0 $1
/sbin/route add -net 4.0.0.0 netmask 255.0.0.0 $1
/sbin/route add -net 204.160.0.0 netmask 255.252.0.0 $1
/sbin/route add -net 199.92.0.0 netmask 255.252.0.0 $1
/sbin/route add -net 184.72.0.0 netmask 255.254.0.0 $1
/sbin/route add -net 208.111.128.0 netmask 255.255.192.0 $1
/sbin/route add -net 50.16.0.0 netmask 255.255.0.0 $1
/sbin/route add -net 50.19.0.0 netmask 255.255.0.0 $1
/sbin/route add -net 23.23.0.0 netmask 255.255.0.0 $1
/sbin/route add -net 23.21.0.0 netmask 255.255.0.0 $1
/sbin/route add -net 107.22.0.0 netmask 255.255.0.0 $1
/sbin/route add -net 107.21.0.0 netmask 255.255.0.0 $1
/sbin/route add -net 204.236.231.0 netmask 255.255.255.0 $1


/etc/openvpn/openvpn-up-uk.sh

#!/bin/ash
# $1 is the tun interface passed by OpenVPN; only the two BBC networks go through it.

/sbin/route add -net 212.58.0.0 netmask 255.255.0.0 $1
/sbin/route add -net 212.62.0.0 netmask 255.255.0.0 $1

Step 5. Once you have validated your VPNs are working properly (you should see tun0, tun1 interfaces up on the command line with IP addresses associated; run ifconfig and have a look) your next step is to add them into the appropriate firewall zone to ensure the traffic is correctly routed/masqueraded. In Luci, go to Network, Interfaces then click add. Name your first interface 'Tun0' and associate the 'tun0' interface with it. Then select 'unmanaged' as the protocol of the interface. Once you click submit you will be presented with the new interface - now select the firewall tab and ensure the tun0 interface is allocated to the WAN zone.

Step 6. Repeat the above process for Tun1, adding the interface, ensuring it's set as unmanaged, submitting it and adding it to the correct firewall group (WAN).

Step 7. (Possibly not required) - in the Network, DHCP and DNS settings page, add a DNS forwarder for Netflix - e.g. /netflix.com/216.87.84.211

Step 8. Watch Netflix (you'll need to sign up but it's well worth it!) or BBC Iplayer!

Things to note - I have been very fast and loose with the IP routing for Netflix, have used some huuuuge blocks to make it work, simply because I didn't have huge amounts of time to finesse - anyone out there that has a more succinct routing table please post it, would be very well received!

Have fun!
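An added example, not didymus' script and not part of the original post: a version of the 'up' script that checks each network and netmask before handing it to route(8), and logs what it skipped instead of letting a typo silently leave a gap in the split-routing table. The kernel rejects a non-contiguous netmask such as 255.255.250.0 and a network address with host bits set, so those are the two checks applied. The ROUTES list is constructed for the example (its third entry is deliberately a bad mask); ROUTE_CMD, the function names and the logger tag are my own choices.

```shell
#!/bin/sh
# Added example (not didymus' script): an OpenVPN "up" script that validates
# each netmask before calling route(8). The kernel returns EINVAL for a
# non-contiguous mask such as 255.255.250.0 and for a network address with
# host bits set; here such entries are logged and skipped.
# OpenVPN invokes the script as: <script> tun_dev tun_mtu link_mtu ... init,
# so "$1" is the tun interface (tun0/tun1) the routes should point at.

# Constructed route list for this example (third entry is deliberately bad);
# replace with the networks for the service carried by this tunnel.
ROUTES='208.75.76.0 255.255.252.0
212.58.0.0 255.255.0.0
10.0.0.0 255.255.250.0'

# Command used to install routes; set ROUTE_CMD=: for a dry run.
ROUTE_CMD=${ROUTE_CMD:-/sbin/route}

log() {
    logger -t openvpn-up "$*" 2>/dev/null || echo "openvpn-up: $*" >&2
}

# Dotted quad -> 32-bit integer; fails on anything that is not four octets 0-255.
ip_to_int() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when the mask is a run of 1 bits followed by 0 bits (the same test
# the kernel's bad_mask() applies).
mask_is_contiguous() {
    m=$(ip_to_int "$1") || return 1
    inv=$(( ~m & 4294967295 ))
    [ $(( inv & (inv + 1) )) -eq 0 ]
}

# True when NET has no bits set outside MASK.
net_aligned() {
    n=$(ip_to_int "$1") || return 1
    m=$(ip_to_int "$2") || return 1
    [ $(( n & (~m & 4294967295) )) -eq 0 ]
}

# Contiguous mask -> prefix length, for logging in CIDR form.
mask_to_prefix() {
    m=$(ip_to_int "$1") || return 1
    n=0
    while [ "$m" -ne 0 ]; do
        n=$(( n + (m & 1) ))
        m=$(( m >> 1 ))
    done
    echo "$n"
}

# Validate every entry, install the good ones via $1, return 1 if any was skipped.
add_routes() {
    dev=$1; bad=0
    while read -r net mask; do
        [ -n "$net" ] || continue
        if ! mask_is_contiguous "$mask"; then
            log "skipping $net netmask $mask: not a contiguous netmask"
            bad=$(( bad + 1 )); continue
        fi
        if ! net_aligned "$net" "$mask"; then
            log "skipping $net/$(mask_to_prefix "$mask"): host bits set in network address"
            bad=$(( bad + 1 )); continue
        fi
        if $ROUTE_CMD add -net "$net" netmask "$mask" "$dev"; then
            log "added $net/$(mask_to_prefix "$mask") via $dev"
        else
            log "route add failed for $net/$(mask_to_prefix "$mask")"
            bad=$(( bad + 1 ))
        fi
    done <<EOF
$ROUTES
EOF
    [ "$bad" -eq 0 ]
}

# When OpenVPN runs the script, $1 is the tun device.
if [ $# -ge 1 ]; then
    add_routes "$1"
fi
```

Because the script returns non-zero when an entry was skipped, OpenVPN will log "script failed" and stop the tunnel rather than run it with an incomplete routing table; if you would rather keep the tunnel up and only log, drop the final `[ "$bad" -eq 0 ]` line.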

It worked, nice one! (Although unfortunately luci-app-openvpn is broken, had to configure by hand...)

Will definitely play around with this some more.

Is the 'management' option really needed?

I know this is old, but it's precisely what I am trying to do, however OpenVPN is throwing this in the log:

Jan  8 09:12:42 OpenWrt daemon.notice openvpn(custom_config)[1061]: /etc/openvpn/uk_vpn_up.sh tun0 1500 1542 10.119.75.130 10.119.75.129 init
Jan  8 09:12:42 OpenWrt daemon.warn openvpn(custom_config)[1061]: openvpn_execve: external program may not be called unless '--script-security 2' or higher is enabled.  Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier.  See --help text
Jan  8 09:12:42 OpenWrt daemon.err openvpn(custom_config)[1061]: script failed: external program fork failed
Jan  8 09:12:42 OpenWrt daemon.notice openvpn(custom_config)[1061]: Exiting

Any ideas on why my up script is failing?  It's identical to didymus':

#!/bin/bash
# bash is not part of a stock OpenWrt image (only BusyBox ash is), so it must
# be installed for this shebang to work; didymus' script uses #!/bin/ash.
# $1 is the tun interface name passed by OpenVPN.
/sbin/route add -net 212.58.0.0 netmask 255.255.0.0 $1
/sbin/route add -net 212.62.0.0 netmask 255.255.0.0 $1

EDIT:

Looking at this post on OpenVPN: https://forums.openvpn.net/topic16499.html, I figured I had to add 'script-security 2' to my config, and while this got rid of the --script-security 2 message, the log still reports that the script failed.

Ok. Figured it out. script-security 2 is required to execute the UP script, however OpenWrt doesn't allow hyphenated option names, so I had to change 'script-security' to 'script_security' and it worked.

My updated config:

config openvpn vpn_uk

    option enable 1
    option client 1
    option dev tun
    option proto udp
    list remote "vpn.london.witopia.net 1194"
    list remote "vpn.manchester.witopia.net 1194"
    option remote_random 1
    option resolv_retry infinite
    option nobind 1
    option persist_key 1
    option persist_tun 1
    option mute_replay_warnings 1
    option ca /etc/openvpn/ca.crt
    option cert /etc/openvpn/client.crt
    option key /etc/openvpn/client.key
    # ns_cert_type is deprecated; OpenVPN 2.4 and later prefer remote_cert_tls server
    option ns_cert_type server
    # bf-cbc is a 64-bit block cipher; OpenVPN 2.4 warns about it and 2.5 drops it from the defaults
    option cipher bf-cbc
    option comp_lzo 1
    option verb 3
    option mute 20
    option route_noexec 1

    #Needed for up scripts to work but openwrt doesn't accept hyphens
    # (the openvpn init script turns option_name into --option-name when it builds the command line)
    option script_security 2

However my routes still don't look like they are working and I verified that the tun0 interface is mapped to WAN

(Last edited by VicDemented on 8 Jan 2015, 18:30)

The discussion might have continued from here.