Table of Contents

I wanted to protect my privacy in light of some draconian laws being passed in the UK (IPBill and Digital Economy Bill). The simplest thing to do was to set up a Virtual Private Network (VPN) to mask from my ISP(s) the sites I was visiting. Rather than do this for every device in the house I opted to do it at the router level so that anything connected to my network would be using the VPN.

Hardware

If you intend to do this you might be in luck and find that the router you have supports VPN already. My current router at the time (a Zyxel P-2812HNU-F1) did, but only a crude IPSec and the VPN service I had at the time only supported Cisco's IPSec (it is reported to be supported by OpenWRT but I didn't want to risk screwing up the only router I had whilst configuring OpenWRT/VPN/etc.). Cue looking for a new router. Ideally I wanted one which incorporated a VDSL modem as that is the service I receive from my ISP thanks to Fibre To The Cabinet, but I was finding it tricky to find such a router so I compromised and purchased a Linksys WRT1900ACS because I knew that Linksys had a commitment to making the WRT series open.

OpenWRT

OpenWRT is an open-source GNU/Linux based project for embedded wireless routers. Its available for a large range of devices including the Raspberry Pi if you want a cheap, low powered solution to some of these problems. Its available for the Linksys WRT1900ACS and having used it years ago on older WRT54g I opted for this. An alternative might be to try DD-WRT which is another similar distribution. It is absolutely critical that you get the correct build of OpenWRT to flash your router with. To do this you need to know the model and version of your router. For Linksys WRT1900ACS this is printed on the bottom of the router. Do NOT let the FCC-ID confuse you its the model, if there is no version listed then you have a v1.

i.imgur.com_usucypy.jpg

Flashing OpenWRT - OBSOLETE

WARNING - The old version of OpenWRT described here is vulnerable to the KRACK attacks, do NOT install anything other than LEDE >=17.01.4 as described here.

Now follow the very clear instructions on the OpenWRT Linksys WRT1x00AC Series page for installation, they boil down to…

Securing Installation

A couple of standard precautions should be taken to ensure your router is more secure, these boil down to adding a 'normal' user to SSH into the device and ensuring they have permission to su to root whilst at the same time blocking root SSH login. At the moment I rarely want to do any configuration to the router from outside of my own network so I prevent access via SSH and uhttpd (the WebUI) from the wider internet. General advice on the OpenWRT Wiki on how to secure your routers access.

Adding a user

I'm happy adding users at the command line and using su rather than sudo which is recommended on the Wiki under Secure Access.

opkg update
opkg install shadow-useradd shadow-userdel sudo shadow-su shadow-common shadow-groupadd shadow-groupdel shadow-groupmod shadow-groups shadow-utils
mkdir /home
useradd -m -G wheel -s /bin/ash [newuser]
passwd [newuser]

Securing SSH

SSH is part of dropbear under OpenWRT and configuration is stored in /etc/config/dropbear, full options are listed here but the following will prevent root from SSH login and change the port.

config dropbear
        option PasswrdAuth 'on'
        option Port '2081'
        option RootPasswordAuth 'off'

…however, the nice thing about this is that you can specify configurations based on the interface.

TODO Interface based settings.

Simplifying Connection

On your main computer you can take advantage of ~/.ssh/config to save the port and user you SSH to OpenWRT with.

SSH Keys

If you already use pre-shared SSH keys to automate your login between servers you can copy your key over to OpenWRT and benefit from this functionality there too. The Luci interface has a section for uploading your key under System > Administration > SSH Access but since I opted to add a user and disable root SSH password access I had to copy the key to my users /home/[user]/.ssh/authorized_keys.

SSH to OpenWRT as user and create the directory and file…

mkdir ~/.ssh

Exit back to your host and then copy your public key over…

scp ~/.ssh/id_rsa.pub openwrt:~/.ssh/authorized_keys

WiFi Configuration

By default WiFi is disabled on OpenWRT, you have to login and and enable the network. The default username is root and the password should already have been changed as advised above. Navigate to Network > Wifi and you will be presented with the available WiFi interfaces. They are currently both disabled, but you can Edit them before enabling. You might to change the following…

If you give your 2.4Ghz and 5Ghz the same names and passwords then devices will utilise their choice (fastest/strongest?) network automatically (TODO - Check : laptops, Android).

Secondary WiFi

A second WiFi network is useful if you wish guests to connect to a separate network or if you've some wireless devices you'd rather not have pass through the VPN you're going to set up. Navigate to Network > Wifi and you will be presented with the WiFi interfaces just configured above. You want to add a new network of either of the available devices. Simply Add a new one and configure it giving it a different ESSID so your devices can distinguish between them.

Add-Ons

OpenWRT has its own package management system opkg and there is a page on Luci for installing packages. If you are connected to the internet then you can use the Luci to install packages or at the command line you can use opkg to install packages by…

opkg install openvpn-openssl openvpn-easy-rsa luci-app-openvpn

…it will resolve all package dependencies and install them for you. If for some reason you are like me doing some configuration before connecting your router to the internet you can still install packages manually by downloading them from the appropriate repository (look in /etc/opkg/distfeeds.conf for the URL of the package repositories for the install you have).

# cat /etc/opkg/distfeeds.conf 
src/gz chaos_calmer_base http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/base
src/gz chaos_calmer_luci http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/luci
src/gz chaos_calmer_packages http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/packages
src/gz chaos_calmer_routing http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/routing
src/gz chaos_calmer_telephony http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/telephony
src/gz chaos_calmer_management http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/management

Download packages from the URLs then copy them to your OpenWRT installation using scp. You will have to resolve dependencies yourself, so if you are told something is not available simply download it too.

Adblocker

An Adblock package (along with LuCi addon) is available (Github project, forum thread and some more information on configuration in this thread).

OpenVPN Client

IMPORTANT - Configuration will be highly dependent on the service provided by your VPN provider. Some examples are given and they should be useful to help guide you in your own configuration but you will have to consult your provider for details of their configuration and settings.

SlickVPN

Download the SlickVPN openvpn configuration file from here whilst additional information on configuration (based on using DD-WRT) can be found here. The simplest method to get started is to save the OpenVPN configuration to /etc/openvpn/ as the instructions on the OpenWRT Wiki - OpenVPN Setup Guide for Beginners indicates that OpenVPN will attempt to load all .conf files located in /etc/openvpn

cd /etc/openvpn
wget "https://files-slickvpn.netdna-ssl.com/config_files/SlickVPN.ovpn" && mv SlickVPN.ovpn SlickVPN.conf

Now when you go to Luci and navigate to Services > OpenVPN you will find SlickVPN listed as an option and you can add additional configuration. At the very least you will need to specify one or more servers to connect to along with your username and password.

Additional Configuration

The following changes should be made (based on SlickVPN instructions for DD-WRT) under Services > OpenVPN > SlickVPN, some are under Basic Configuration others are under one of the sections of Advanced Configuration

Setting Location Value
dev Advanced > Networking > dev tun
proto Basic > Additional Field > proto udp
cipher Advanced > Networking > Additional Field > cipher AES-256-CBC
hash - -
compression Basic None
port Advanced > Networking > Additional Field > port 443 / 8080 / 8888
TLS cipher - -
NAT - enable
MTU - 1500
keepalive - 10 120
remote-cert-tls - server
redirect-gateway - -

To add your username (i.e. your SlickVPN email address) you need to save it to a file, the location of which is specified under Advanced Configuration > VPN where you then have to Add Field of authuserpass, the default is /etc/openvpn/userpass.txt which is fine but make sure you put the correct information in this file in the format…

 
uci

You can set configuration manually using uci. SSH into your device and issue the following commands…

uci set openvpn.slickvpn=openvpn
uci set openvpn.slickvpn.enabled='0'
 
uci commit

Private VPN hosted on VPS

uPnP

TODO Something separate?

Other

There are lots of other useful packages to install, but be mindful that these devices have limited space (albeit vastly increased from the WRT54g I used to use!). Some that I recommend (but haven't installed everything myself as I already use them on other systems) installed are…

Essential

opkg install nano zile rsync

Optional

opkg install transmission

OpenVPN Client Configuration

This is where things get technical and can vary massively depending on who provides your VPN. For this write-up I have gone through two procedures, the first configuring it to use SlackVPN as that was a service I was initially using when I purchased the router. I wanted more control over certain aspects of my VPN connection though so opted to switch to paying for a VPS (Virtual Private Server) that I could install OpenVPN and set-up a server on.

You should have installed the OpenVPN client software in the above sections, you now need to configure them. The information presented below is taken from two articles on the OpenWRT Wiki OpenVPN client with TUN (Layer 3) device and OpenVPN Setup Guide for Beginners.

SlackVPN

Download the SlackVPN OpenVPN.ovpn to the router, e.g. after SSHing to the router you can…

cd /etc/openvpn
wget https://files-slickvpn.netdna-ssl.com/config_files/SlickVPN.ovpn

Open the file and modify it, adding additional remote entries, setting them to be chosen randomly (remote-random), pointing auth-user-pass to a file you will place your username and password in, passing DNS queries

# host/port of vpn server
remote gw1.mia4.slickvpn.com 443
remote gw1.man2.slickvpn.com 443
remote gw1.iom1.slickvpn.com 443
remote gw1.dub1.slickvpn.com 443
remote gw1.ost1.slickvpn.com 443
remote gw1.lil1.slickvpn.com 443
remote gw1.ams3.slickvpn.com 443
remote gw1.lux1.slickvpn.com 443
remote-random
 
# file containing username and password
#auth-user-pass openvpn.userpass
# ... or prompt for authentication
auth-user-pass /etc/openvpn/slickvpn
auth-nocache
 
# equivalent to pull, tls-client
client
 
# redirect all outgoing traffic to the vpn gateway
redirect-gateway
 
# Pull DNS names from server once connected
allow-pull-fqdn
 
# verify the server certificate for authenticity
remote-cert-tls server
 
cipher AES-256-CBC
 
proto udp
dev tun
keepalive 10 120
nobind
 
persist-key
persist-tun
 
# ssl certificate / key used for tls
#ca certs/ca.crt
#cert certs/client1.crt
#key certs/client1.key
 
<ca>
-----BEGIN CERTIFICATE-----
MIIDQDCCAqmgAwIBAgIJAM8Brk2pUr0KMA0GCSqGSIb3DQEBBQUAMHQxCzAJBgNV
BAYTAlVTMQswCQYDVQQIEwJDQTEMMAoGA1UEBxMDVlBOMQwwCgYDVQQKEwNWUE4x
DDAKBgNVBAsTA1ZQTjEMMAoGA1UEAxMDVlBOMQwwCgYDVQQpEwNWUE4xEjAQBgkq
hkiG9w0BCQEWA1ZQTjAeFw0xMjAzMDMwMjExNDJaFw0yMjAzMDEwMjExNDJaMHQx
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEMMAoGA1UEBxMDVlBOMQwwCgYDVQQK
EwNWUE4xDDAKBgNVBAsTA1ZQTjEMMAoGA1UEAxMDVlBOMQwwCgYDVQQpEwNWUE4x
EjAQBgkqhkiG9w0BCQEWA1ZQTjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
wY2K08N7or1Br/EsD9XBon7gs7dKflWYuymgMLJfeMFWuJloNdsn+3GARIhYBbN6
zhvFGFE214qKPqAydW1WmIIK7KoC0sgndr+Vk/au9gssFzVmmvr6+WN/nfo2L9Kv
vBMoYLrMAiyw/D4cRapZi2pXJLcMDfC+p1VWAX8TYWkCAwEAAaOB2TCB1jAdBgNV
HQ4EFgQUmyvO4rTnu5/ABnp0FngU+SdR8WAwgaYGA1UdIwSBnjCBm4AUmyvO4rTn
u5/ABnp0FngU+SdR8WCheKR2MHQxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEM
MAoGA1UEBxMDVlBOMQwwCgYDVQQKEwNWUE4xDDAKBgNVBAsTA1ZQTjEMMAoGA1UE
AxMDVlBOMQwwCgYDVQQpEwNWUE4xEjAQBgkqhkiG9w0BCQEWA1ZQToIJAM8Brk2p
Ur0KMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAoB0kOuGvrzPBTIRX
IDHCCxBMdny+3sKAOllmH4+51j2aWhAJ4Pyc/yBTYyQGNoriABjmNzp+R05oiaxA
D3vTgR80juKDPtQb8LoGLBF18gL7Vtc3+hJXcJasXZaDSSoyh5f+TtGvytIT+ece
JWIrKnFXzlHOvKlyLkcZn15gwKQ=
-----END CERTIFICATE-----
</ca>
 
log-append /var/log/openvpn/openvpn.log

You now need to create a file with your SlickVPN username and password, for simplicity I place this in /etc/openvpn/slickvpn (as reflected in the above configuration ;-) ). The first row should contain your SlickVPN email address, the second your password. For obvious reasons I am not placing a copy of mine in this document.

Finally you need to set uci (the configuration system on OpenWRT) to load and use this file, the following makes it possible to enable/disable it from the LuCi WebUI (see post)…

uci set openvpn.SlickVPN=openvpn
uci set openvpn.SlickVPN.enabled='1'
uci set openvpn.SlickVPN.config='/etc/openvpn/SlickVPN.ovpn'
uci commit

…this should leave the following at the end of your /etc/config/openvpn

config openvpn 'SlickVPN'
        option enabled '1'
        option config '/etc/openvpn/SlickVPN.ovpn'

Network Configuration

You now need to configure your internal network (LAN) so that traffic originating from it is passed through to the tun0 connection. This is described on the wiki, you create the VPN interface…

uci set network.vpn0=interface
uci set network.vpn0.ifname=tun0
uci set network.vpn0.proto=none
uci set network.vpn0.auto=1

…then configure the firewall to REJECT all incoming and forwarding requests, but ACCEPT all output…

uci set firewall.vpn=zone
uci set firewall.vpn.name=vpn
uci set firewall.vpn.network=vpn0
uci set firewall.vpn.input=REJECT
uci set firewall.vpn.forward=REJECT
uci set firewall.vpn.output=ACCEPT
uci set firewall.vpn.masq=1
uci set firewall.vpn_forwarding_lan_out=forwarding
uci set firewall.vpn_forwarding_lan_out.src=lan
uci set firewall.vpn_forwarding_lan_out.dest=vpn
uci commit network
uci commit firewall

Reload your configuration…

/etc/init.d/network  reload
/etc/init.d/firewall reload

Bypassing VPN

Some times its desirable to bypass the VPN, for example Netflix or BBC iPlayer are geo-restricted and if the exit node of the VPN is outside the UK they won't work. The 'trick' is to configure/route traffic from specific devices such as Chromecasts to bypass the VPN. There is a useful package vpnbypass (see also this thread) that simplifies this process. If your running the development version you can follow the instructions to install. If however you're running the stable Chaos Calmer (15.05.1) then you have to install manually. Pre-built packages are here and you have to switch from dnsmasq to dnsmasq-full, ip to ip-full and install ipset and iptables.

opkg remove dnsmasq ip; opkg install ip-full ipset iptables dnsmasq-full
cd /tmp
wget https://github.com/stangri/Files/raw/master/vpnbypass_1.0.0-5_all.ipk
wget https://github.com/stangri/Files/raw/master/luci-app-vpnbypass_git-17.027.48745-f546166-1_all.ipk
opkg install vpnbypass_1.0.0-5_all.ipk luci-app-vpnbypass_git-17.027.48745-f546166-1_all.ipk
rm vpnbypass_1.0.0-5_all.ipk luci-app-vpnbypass_git-17.027.48745-f546166-1_all.ipk

The default configuration routes PlexMedia past the VPN as well as the IP address' 192.168.1.80-192.168.1.88 so will likely need some tweaking, but this can be done through the LuCi interface as 'VPN Bypass' will now be listed under Services.

DNS

uci set network.tun0=network
uci set network.tun0.ifname=tun0
uci set network.tun0.dns='87.98.175.85 193.183.98.154 5.135.183.146'
uci commit

Self-hosted (VPS) VPN

There are tons of options for hosting a VPS, I can not really recommend any, my choice of OVH's VPS SSD1 was based on a cheap price which included unlimited data (essential as a large portion of my browsing will be passing through the server). This section only details configuring OpenWRT to connect and use the services you will have to setup on the VPS yourself. That process is described elsewhere and involves setting up an account, purchasing the service you want and then install and configure OpenVPN and dnssec.

A simple install script for a secure OpenVPN Installation can be used to ease the process.

Excluding Specific Services

Increasingly these days more and more content is streamed whether thats iPlayer, Netflix, 4OD, ITVHub or any other service. Many of these are geo-restricted which means if your VPN exit node is based in a country other than the one you are in you may find that some services do not work (conversely many have been using VPNs for years to circumvent this and access content from countries that would normally be blocked by using a VPN with an exit node in the country of interest).

Whilst OpenVPN can probably be configured to bypass specific traffic on the server-side I have for now opted to simply have a second wireless network to allow certain devices (Chromecasts, PS3, TV) to connect via the ISP and not use the VPN which some providers block access from. I'll look to work around this at some point but this is my solution for now.

Factory Reset

If you cock things up and flash the wrong image all is not lost as you can factory reset these devices by pressing and holding the

Links

OpenWRT Forums

SlickVPN

A table of SlickVPN servers

Country Location Gateway
UK Manchester gw1.man2.slickvpn.com
Isle of Man gw1.iom1.slickvpn.com
London gw1.lhr4.slickvpn.com
Iceland Reykjavik gw1.rkv1.slickvpn.com
Eire Dublin gw1.dub1.slickvpn.com
Belgium Ostend gw1.ost1.slickvpn.com
France Lille gw1.lil1.slickvpn.com
Netherlands Amsterdam gw1.ams3.slickvpn.com
Luxembourg Luxembourg gw1.lux1.slickvpn.com
Spain Barcelona gw1.bcn1.slickvpn.com
Madrid gw1.mad1.slickvpn.com
Italy Milan gw1.mxp1.slickvpn.com
Bulgaria Sofia gw1.sof1.slickvpn.com
Austria Graz gw1.grz1.slickvpn.com
Czech Republic Prague gw1.prgr1.slickvpn.com
Romania Bucharest gw1.buh1.slickvpn.com
Poland Warsaw gw1.waw1.slickvpn.com
Gdansk gw1.gdn2.slickvpn.com
Denmark Copenhagen gw1.cph1.slickvpn.com
Sweden Halmstad gw1.had1.slickvpn.com
Stockholm gw1.arn1.slickvpn.com
Latvia Riga gw1.rix1.slickvpn.com
Turkey Istanbul gw1.ist1.slickvpn.com
USA Boston gw1.bos1.slickvpn.com
Newark gw1.ewr1.slickvpn.com
gw2.ewr1.slickvpn.com
Scranton gw2.avp1.slickvpn.com
Scranton gw2.avp1.slickvpn.com
Washington gw2.iad1.slickvpn.com
Fletcher gw1.avl1.slickvpn.com
Atlanta gw1.atl1.slickvpn.com
gw2.atl2.slickvpn.com
gw3.atl3.slickvpn.com
Tampa gw1.tpa1.slickvpn.com
Miami gw1.mia3.slickvpn.com
gw1.mia4.slickvpn.com
San Jose gw1.sjc2.slickvpn.com
Seattle gw1.sea1.slickvpn.com
Los Angeles gw1.lax4.slickvpn.com
Los Vegas gw1.las1.slickvpn.com
Canada Toronto gw1.yyz1.slickvpn.com
Montreal gw1.yul2.slickvpn.com
Vancouver gw1.yvr1.slickvpn.com
Australia Melbourne gw3.mel1.slickvpn.com
Sydney gw2.syd1.slickvpn.com
China Hong Kong gw1.hkg2.slickvpn.com
Japan Tokyo gw1.nrt1.slickvpn.com
gw1.nrt2.slickvpn.com
Panama Panama City gw1.pty1.slickvpn.com
Brazil Sao Paulo gw1.gru3.slickvpn.com
Chile Vina del Mar gw1.kna1.slickvpn.com