Monthly Archives: July 2014

Connect to Private Internet Access through OpenVPN on OpenWRT

Introduction

Whatever your reason for using a VPN, whether it is added privacy or reaching an online service that is limited to certain countries, you may find that the device you want to connect, such as an Xbox, has no VPN client of its own.

Establishing the tunnel on your router instead makes the VPN automatic and transparent to every connected device. Your ISP then sees only encrypted traffic to the VPN server rather than the sites you visit, and a geo-restricted service such as Netflix sees the VPN exit address rather than yours.

This guide documents the steps I took to connect my router to a VPN service.

I personally use Private Internet Access, so this guide is specific to them, although a couple of tweaks should make it work with any OpenVPN-compatible service.

Prerequisites

  1. A router with OpenWRT installed
  2. A Private Internet Access account
  3. WinSCP installed (for transferring the config files onto your router)
  4. Putty installed (for testing the openvpn connection)

Guides and References I Used

  • Private Internet Access official guide for connecting through OpenVPN in DD-WRT – Link
  • OpenVPN official howto – Link
  • A helpful forum post in the OpenWRT forums.  The user had similar frustrations to me with existing guides. – Link
  • HideMyAss Wiki article for connecting to OpenVPN through OpenWRT (Most Helpful) Link
  • List of Free and Public DNS Servers – Link

Guide

Add OpenVPN to OpenWRT:

1. Log into your OpenWRT admin console and navigate to “System -> Software”, as seen below:

system software

2. Get the latest list of available software by clicking “Update lists”:

update lists

3. Click on “Available packages”:

available packages

4. Type “openvpn” in the filter and look for the package named exactly that in the list that returns (on newer OpenWRT releases it is called openvpn-openssl):

filter for openvpn

5. Install it.

Edit: Missing Steps!

Readers have mentioned that something seemed to be missing, because a successful connection on the router did not carry over to the devices behind it. So I set up two virtual machines, one running OpenWRT and one running Ubuntu that connected through the OpenWRT VM, and found that the missing steps involve creating an interface for the VPN tunnel and putting it in the right firewall zone.

Steps 5.1 onward are the missing steps.

5.1 Navigate to Network -> Interfaces, and click “Add New Interface”

network - interfaces - add new

5.2 Use the settings:

  • Name -> tun0
  • Protocol -> unmanaged
  • Bridge? -> unchecked
  • Cover which interfaces? -> custom: “tun0”

tun0 interface initial settings

5.2b Click Submit.

5.3 In the common configuration of your new interface, open Firewall Settings, assign it to the wan zone, then save. This is the step that makes the tunnel usable by the LAN: the wan zone has masquerading enabled and the default lan -> wan forwarding rule applies to every interface in it, so client traffic is forwarded into tun0 and NATed behind the tunnel address.

new tun0 interface firewall settings
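What those clicks write to the router's UCI configuration, added here (not from the original post) so you can check the result over SSH with “uci show network.tun0” and “uci show firewall”. The exact spelling below is what the OpenWRT releases of that time generated and is an assumption; the existing wan zone already carries “wan” (and “wan6” on IPv6-capable builds), and LuCI appends tun0 to it.

```uci
# /etc/config/network -- the interface from step 5.2.
# proto 'none' is LuCI's "unmanaged": OpenVPN, not netifd, creates and
# configures tun0; OpenWRT only needs to know the name for zone membership.
config interface 'tun0'
	option proto 'none'
	option ifname 'tun0'

# /etc/config/firewall -- the zone assignment from step 5.3.
# tun0 is appended to the networks of the existing wan zone, so masquerading
# (option masq) and the lan -> wan forwarding below now cover the tunnel.
config zone
	option name 'wan'
	option network 'wan tun0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Default forwarding rule; this is what lets LAN clients' packets enter tun0.
config forwarding
	option src 'lan'
	option dest 'wan'
```

Because tun0 and the real WAN uplink share one zone, the firewall makes no distinction between them: the same lan -> wan rule that sends traffic into the tunnel while it is up will send it straight out the uplink when the tunnel is down.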

Private Internet Access OpenVPN config files:

6. Download the official config files from here: link.

7. Use WinSCP to connect to your router:
— a. Use the protocol “SCP”
— b. Use the same root credentials you use to log into LuCI (the OpenWRT admin page); SCP rides on the router's SSH service

8. Navigate to /etc/openvpn/ and copy the following files into that directory (out of the config zip you downloaded from Private Internet Access):
– a. ca.crt
– b. crl.pem
– c. (optional) an ovpn file for the destination you choose to connect to.

Step c above is optional because the server can be given on the command line later in this process, but you still need an ovpn configuration file. I took one of the location-specific ones and removed the “remote” line (server and port) from it, leaving a generic configuration file I can reuse to connect to different parts of the world.

I also added the option “keepalive 10 120” (ping the server every 10 seconds, restart the tunnel after 120 seconds without a reply) after experiencing some connection issues, which seemed to help.

So in the end, this is the content of my “generic-pia.ovpn” OpenVPN config file:

# Generic PIA client profile. The server and port are supplied on the
# command line with --remote, so this one file works for any PIA region.
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
# File names are relative to the directory given with --cd (/etc/openvpn).
ca ca.crt
tls-client
# Require the server certificate to carry the TLS server key usage, so a
# client certificate from the same CA cannot be used to impersonate a server.
remote-cert-tls server
# Credentials file: username on line 1, password on line 2. Keep it mode 600.
auth-user-pass auth
# Do not keep the credentials in memory after reading them.
auth-nocache
# Compression, as PIA's profiles of the time required; newer OpenVPN
# releases deprecate comp-lzo.
comp-lzo
verb 1
# PIA's profile disables periodic TLS key renegotiation.
reneg-sec 0
# Reject server certificates PIA has revoked.
crl-verify crl.pem
# Ping every 10 s; restart the tunnel after 120 s of silence.
keepalive 10 120

8a. Create a file called “auth”, also in “/etc/openvpn/”, with the following format (username on the first line, password on the second; this is the file the auth-user-pass line in the profile reads). It holds your PIA password in plaintext, so make it readable by root only: chmod 600 /etc/openvpn/auth.

USERNAME
PASSWORD

Which gives you this directory listing, as a recap:

winscp etc openvpn listing
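The checks a practitioner would run over SSH before moving on to the connection test, as an added example that is not part of the original post. It assumes the file names used above (ca.crt, crl.pem, generic-pia.ovpn and auth) and takes the directory and profile name as arguments, for instance “sh pia-check.sh /etc/openvpn generic-pia.ovpn”; every file name the profile mentions is resolved relative to that directory, exactly as openvpn --cd does.

```shell
#!/bin/sh
# Added example (not from the original post): verify the /etc/openvpn layout
# described above before starting OpenVPN. Usage (paths are assumptions):
#   sh pia-check.sh /etc/openvpn generic-pia.ovpn

# Return 0 if file $1 is readable only by its owner (ls mode "rw-------"),
# which is what you want for a file holding the PIA password in plaintext.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Return 0 if the credentials file has exactly two non-empty lines:
# username on line 1, password on line 2, as auth-user-pass expects.
# grep -c '' counts a final line even when it lacks a trailing newline.
auth_format_ok() {
    [ "$(grep -c '' "$1")" -eq 2 ] && ! grep -q '^[[:space:]]*$' "$1"
}

# Return 0 if every file the profile names (ca, crl-verify, auth-user-pass)
# exists in $1, the directory OpenVPN will be started in with --cd.
profile_refs_ok() {
    for key in ca crl-verify auth-user-pass; do
        f=$(awk -v k="$key" '$1 == k { print $2; exit }' "$1/$2")
        [ -n "$f" ] && [ -f "$1/$f" ] || return 1
    done
}

# Return 0 when directory $1 is complete for profile $2 and the secret is
# locked down; print the first problem found and return 1 otherwise.
check_openvpn_dir() {
    for f in ca.crt crl.pem "$2" auth; do
        [ -f "$1/$f" ] || { echo "missing $1/$f"; return 1; }
    done
    profile_refs_ok "$1" "$2" || { echo "$2 names a file that is not in $1"; return 1; }
    auth_format_ok "$1/auth"  || { echo "auth must be exactly two lines: username, password"; return 1; }
    owner_only "$1/auth"      || { echo "auth is readable by others; run: chmod 600 $1/auth"; return 1; }
    echo "$1 looks good"
}

# Only run the check when invoked with arguments, so the functions can also
# be sourced from another script.
if [ $# -ge 2 ]; then
    check_openvpn_dir "$1" "$2"
fi
```

The permission test deliberately looks at the group and other bits rather than trusting the umask WinSCP used when it created the file; a 644 auth file is the usual result of step 8a and the script tells you the exact chmod to run.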

Test VPN Through Putty:

9. Open Putty, connect to your router over SSH, and run the following command. It runs in the foreground so you can watch the log; Ctrl-C stops it again:

/usr/sbin/openvpn --cd /etc/openvpn --config /etc/openvpn/generic-pia.ovpn --remote ca-toronto.privateinternetaccess.com 1194

If all goes well you should see this in the output, indicating a successful vpn connection from your router to PIA:

Sun Jul 27 14:11:06 2014 Initialization Sequence Completed

But if you now open a web browser on a client, I bet you can't browse. This is a DNS problem: the router is still forwarding lookups to the resolvers your ISP handed out over DHCP, those queries now leave through the tunnel, and many ISP resolvers refuse queries that do not come from their own network.

Set Your Own DNS Servers:

10. Fixing this is straightforward in OpenWRT, which lets you specify your own upstream resolvers. For a list of free public DNS servers, refer to this page.

Once you have picked the server(s) you want to use, open the router's admin page, navigate to Network -> DHCP and DNS, and enter their IP addresses in the DNS forwardings field, like so:

openwrt dns settings

Click Save & Apply, then restart the VPN connection; you should now be able to browse the web through the tunnel. Since the default route now points into the tunnel, these lookups reach the public resolver via PIA, so your ISP no longer sees them either.

Note: You can check this with a site such as http://whatismyipaddress.com/; the reported IP location should match the server you chose.

Set VPN to Auto Start with Your Router:

11. The final step is to start the VPN automatically when the router boots, so that you don't have to open Putty and re-issue the command after every reboot.

Navigate to System -> Startup and look near the bottom for “Local Startup”. This is /etc/rc.local, the script the router runs once at the end of boot, and you can put your own commands there. This is what I have in that spot:

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

# VPN custom init
# Ensure only one VPN connection is made. Nothing is running yet at boot,
# but this keeps the file safe to re-run by hand.
/usr/bin/killall openvpn

# Toronto. --daemon detaches OpenVPN itself, so no trailing "&" is needed;
# --cd makes the relative file names in the profile resolve under /etc/openvpn.
/usr/sbin/openvpn --cd /etc/openvpn --daemon --config /etc/openvpn/generic-pia.ovpn --remote ca-toronto.privateinternetaccess.com 1194

exit 0

Reboot your router and test that you can still browse the web and that your IP location is in the right place. Note that nothing in this setup restarts OpenVPN if the process exits, and because tun0 sits in the same firewall zone as the real WAN, client traffic silently falls back to your ISP connection whenever the tunnel is down. Check the IP location again after any reboot or outage.
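A startup helper that addresses both points, added here as an example and not part of the original post. The OpenVPN paths, profile and Toronto server are the post's; the script location (/etc/pia-vpn.sh), the pidfile under /var/run and the syslog program name are my assumptions. “start” launches OpenVPN only if the previous instance is gone, and “check” reads the routing table and succeeds only when the two half-routes that OpenVPN installs for redirect-gateway def1 (0.0.0.0/1 and 128.0.0.0/1) both point at tun0, which is the condition under which LAN traffic is actually going through PIA.

```shell
#!/bin/sh
# Added example (not from the original post): replace the openvpn line in
# Local Startup with "sh /etc/pia-vpn.sh start" and run "sh /etc/pia-vpn.sh
# check" after a reboot (or from cron) to confirm the tunnel carries the
# default route. Script path, pidfile and syslog name are assumptions.

PIA_DIR=/etc/openvpn
PIA_PROFILE=generic-pia.ovpn
PIA_SERVER=ca-toronto.privateinternetaccess.com
PIA_PORT=1194
PIDFILE=/var/run/openvpn-pia.pid        # assumed location
OPENVPN=/usr/sbin/openvpn               # path used in the post

# Return 0 if the process recorded in $PIDFILE is still alive.
vpn_running() {
    [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

# Start OpenVPN detached. --daemon backgrounds it (and names it in syslog),
# so no trailing "&"; --writepid records the pid for vpn_running.
start_vpn() {
    vpn_running && return 0
    "$OPENVPN" --cd "$PIA_DIR" --daemon openvpn-pia --writepid "$PIDFILE" \
        --config "$PIA_DIR/$PIA_PROFILE" --remote "$PIA_SERVER" "$PIA_PORT"
}

# Read an "ip route" listing on stdin and return 0 only when both
# redirect-gateway half-routes go via tun0. If they are missing, the
# router's ordinary default route is in charge and, with tun0 in the wan
# zone, LAN traffic leaves through the ISP uplink unencrypted.
default_via_tun0() {
    awk '
        $1 == "0.0.0.0/1"   && / dev tun0( |$)/ { lo = 1 }
        $1 == "128.0.0.0/1" && / dev tun0( |$)/ { hi = 1 }
        END { exit !(lo && hi) }'
}

# Convenience wrapper for use on the router itself.
vpn_is_up() {
    ip route show | default_via_tun0
}

case "$1" in
    start) start_vpn ;;
    check) vpn_is_up && echo "tunnel carries the default route" \
               || { echo "tunnel DOWN: traffic is leaving via the WAN"; exit 1; } ;;
esac
```

Checking the routing table rather than the process list is deliberate: with keepalive OpenVPN can stay alive for up to two minutes after the server stops answering, and during that window the half-routes are still present, so “check” turns red only once the tunnel has really been torn down and the fallback described above is in effect.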

Happy surfing.