I wanted to protect my privacy in light of some draconian laws being passed in the UK (IPBill and Digital Economy Bill). The simplest thing to do was to set up a Virtual Private Network (VPN) to mask from my ISP(s) the sites I was visiting. Rather than do this for every device in the house I opted to do it at the router level so that anything connected to my network would be using the VPN.
Hardware
If you intend to do this you might be in luck and find that the router you have supports VPN already. My current router at the time (a Zyxel P-2812HNU-F1) did, but only a crude IPSec and the VPN service I had at the time only supported Cisco's IPSec (it is reported to be supported by OpenWRT but I didn't want to risk screwing up the only router I had whilst configuring OpenWRT/VPN/etc.). Cue looking for a new router. Ideally I wanted one which incorporated a VDSL modem as that is the service I receive from my ISP thanks to Fibre To The Cabinet, but I was finding it tricky to find such a router so I compromised and purchased a Linksys WRT1900ACS because I knew that Linksys had a commitment to making the WRT series open.
OpenWRT
OpenWRT is an open-source GNU/Linux based project for embedded wireless routers. It's available for a large range of devices, including the Raspberry Pi if you want a cheap, low-powered solution to some of these problems. It's available for the Linksys WRT1900ACS and, having used it years ago on an older WRT54G, I opted for this. An alternative might be to try DD-WRT, which is another similar distribution.
It is absolutely critical that you get the correct build of OpenWRT to flash your router with. To do this you need to know the model and version of your router. For the Linksys WRT1900ACS this is printed on the bottom of the router. Do NOT let the FCC-ID confuse you: it's the model number you need, and if there is no version listed then you have a v1.
Flashing OpenWRT - OBSOLETE
WARNING - The old version of OpenWRT described here is vulnerable to the KRACK attacks, do NOT install anything other than LEDE >=17.01.4 as described here.
Now follow the very clear instructions on the OpenWRT Linksys WRT1x00AC Series page for installation, they boil down to…
Connect your router to your computer using a cable.
Login to the stock firmware WebUI (IP : 192.168.1.1 ; Username : N/A (you're not prompted for a username) ; Password : admin).
Backup your OEM configuration (Troubleshooting > Diagnostics > Router Configuration > Backup).
Navigate to Connectivity > Basic > Manual Update > Choose File and upload the image you have downloaded.
…if you are unsure read the documentation on the OpenWRT Wiki and ask questions in the OpenWRT Forum (there is a thread dedicated to WRT1900AC).
Securing Installation
A couple of standard precautions should be taken to make your router more secure. These boil down to adding a 'normal' user to SSH into the device, ensuring they have permission to su to root, whilst at the same time blocking root SSH login. At the moment I rarely want to do any configuration of the router from outside my own network, so I prevent access via SSH and uhttpd (the WebUI) from the wider internet. There is general advice on the OpenWRT Wiki on how to secure access to your router.
Adding a user
I'm happy adding users at the command line and using su rather than sudo, which is recommended on the Wiki under Secure Access.
opkg update
opkg install shadow-useradd shadow-userdel sudo shadow-su shadow-common shadow-groupadd shadow-groupdel shadow-groupmod shadow-groups shadow-utils
mkdir /home
useradd -m -G wheel -s /bin/ash [newuser]
passwd [newuser]
Securing SSH
SSH is part of dropbear under OpenWRT and configuration is stored in /etc/config/dropbear. Full options are listed here, but the following will prevent root from SSH login and change the port.
config dropbear
	# password logins stay allowed for normal users (keys work for everyone)
	option PasswordAuth 'on'
	option Port '2081'
	# root can no longer log in with a password, only with a key
	option RootPasswordAuth 'off'
…however, the nice thing about this is that you can specify configurations based on the interface.
TODO Interface based settings.
Simplifying Connection
On your main computer you can take advantage of ~/.ssh/config to save the port and user you SSH to OpenWRT with.
SSH Keys
If you already use SSH keys to automate your login between servers you can copy your key over to OpenWRT and benefit from this functionality there too. The LuCI interface has a section for uploading your key under System > Administration > SSH Access, but since I opted to add a user and disable root SSH password access I had to copy the key to my user's /home/[user]/.ssh/authorized_keys.
SSH to OpenWRT as your user and create the directory…
mkdir ~/.ssh
Exit back to your host and then copy your public key over…
scp ~/.ssh/id_rsa.pub openwrt:~/.ssh/authorized_keys
WiFi Configuration
By default WiFi is disabled on OpenWRT; you have to log in and enable the network. The default username is root and the password should already have been changed as advised above. Navigate to Network > Wifi and you will be presented with the available WiFi interfaces. They are currently both disabled, but you can Edit them before enabling. You might want to change the following…
ESSID : the name for your network.
Channel : the frequency your devices operate on.
Width : the width of the signal around the frequency.
Wireless Security : It is strongly recommended that you set a WPA2-PSK password to restrict access to authorised devices. Do not use WEP or WPA-PSK as they are less secure and everything should support WPA2-PSK.
MAC Filter : another layer of security you can choose to allow only your devices to connect to the wireless network (it's not infallible though, as a MAC address can be changed).
If you give your 2.4GHz and 5GHz networks the same names and passwords then devices will use the network of their choice (fastest/strongest?) automatically (TODO - Check : laptops, Android).
Secondary WiFi
A second WiFi network is useful if you wish guests to connect to a separate network or if you've some wireless devices you'd rather not have pass through the VPN you're going to set up. Navigate to Network > Wifi and you will be presented with the WiFi interfaces just configured above. You want to add a new network on either of the available devices. Simply Add a new one and configure it, giving it a different ESSID so your devices can distinguish between them.
Add-Ons
OpenWRT has its own package management system, opkg, and there is a page on LuCI for installing packages. If you are connected to the internet then you can use LuCI to install packages, or at the command line you can use opkg to install packages by…
opkg install openvpn-openssl openvpn-easy-rsa luci-app-openvpn
…it will resolve all package dependencies and install them for you. If for some reason you are, like me, doing some configuration before connecting your router to the internet, you can still install packages manually by downloading them from the appropriate repository (look in /etc/opkg/distfeeds.conf for the URLs of the package repositories for the install you have).
# cat /etc/opkg/distfeeds.conf
src/gz chaos_calmer_base http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/base
src/gz chaos_calmer_luci http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/luci
src/gz chaos_calmer_packages http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/packages
src/gz chaos_calmer_routing http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/routing
src/gz chaos_calmer_telephony http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/telephony
src/gz chaos_calmer_management http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/management
Download packages from the URLs then copy them to your OpenWRT installation using scp. You will have to resolve dependencies yourself, so if you are told something is not available simply download it too.
Adblocker
OpenVPN Client
IMPORTANT - Configuration will be highly dependent on the service provided by your VPN provider. Some examples are given and they should be useful to help guide you in your own configuration but you will have to consult your provider for details of their configuration and settings.
SlickVPN
Download the SlickVPN OpenVPN configuration file from here; additional information on configuration (based on using DD-WRT) can be found here. The simplest method to get started is to save the OpenVPN configuration to /etc/openvpn/, as the OpenWRT Wiki - OpenVPN Setup Guide for Beginners indicates that OpenVPN will attempt to load all .conf files located in /etc/openvpn
cd /etc/openvpn
wget "https://files-slickvpn.netdna-ssl.com/config_files/SlickVPN.ovpn" && mv SlickVPN.ovpn SlickVPN.conf
Now when you go to LuCI and navigate to Services > OpenVPN you will find SlickVPN listed as an option and you can add additional configuration. At the very least you will need to specify one or more servers to connect to along with your username and password.
Additional Configuration
The following changes should be made (based on SlickVPN instructions for DD-WRT) under Services > OpenVPN > SlickVPN; some are under Basic Configuration, others are under one of the sections of Advanced Configuration.
Setting | Location | Value |
dev | Advanced > Networking > dev | tun |
proto | Basic > Additional Field > proto | udp |
cipher | Advanced > Networking > Additional Field > cipher | AES-256-CBC |
hash | - | - |
compression | Basic | None |
port | Advanced > Networking > Additional Field > port | 443 / 8080 / 8888 |
TLS cipher | - | - |
NAT | - | enable |
MTU | - | 1500 |
keepalive | - | 10 120 |
remote-cert-tls | - | server |
redirect-gateway | - | - |
To add your username (i.e. your SlickVPN email address) you need to save it to a file, the location of which is specified under Advanced Configuration > VPN where you then have to Add Field of authuserpass; the default is /etc/openvpn/userpass.txt, which is fine, but make sure you put the correct information in this file in the format…
uci
You can set configuration manually using uci. SSH into your device and issue the following commands…
uci set openvpn.slickvpn=openvpn
uci set openvpn.slickvpn.enabled='0'
uci commit
Private VPN hosted on VPS
uPnP
Other
There are lots of other useful packages to install, but be mindful that these devices have limited space (albeit vastly increased from the WRT54G I used to use!). Some that I recommend (although I haven't installed everything myself as I already use them on other systems) are…
Essential
nano : A basic, but feature rich text editor.
zile : An Emacs (text-editor) clone.
rsync : File transfer program to keep remote files in sync.
opkg install nano zile rsync
Optional
transmission : As the WRT1900ACS has USB ports you can hook up drives and run this excellent BitTorrent client on your router.
USB Audio : Not an individual package but a method of streaming music from an attached USB device.
opkg install transmission
OpenVPN Client Configuration
This is where things get technical and can vary massively depending on who provides your VPN. For this write-up I have gone through two procedures, the first configuring it to use SlickVPN as that was the service I was initially using when I purchased the router. I wanted more control over certain aspects of my VPN connection though, so opted to switch to paying for a VPS (Virtual Private Server) on which I could install OpenVPN and set up a server.
You should have installed the OpenVPN client software in the above sections; you now need to configure it. The information presented below is taken from two articles on the OpenWRT Wiki: OpenVPN client with TUN (Layer 3) device and OpenVPN Setup Guide for Beginners.
SlickVPN
Download the SlickVPN OpenVPN .ovpn file to the router, e.g. after SSHing to the router you can…
cd /etc/openvpn
wget https://files-slickvpn.netdna-ssl.com/config_files/SlickVPN.ovpn
Open the file and modify it, adding additional remote entries, setting them to be chosen randomly (remote-random), pointing auth-user-pass to a file you will place your username and password in, passing DNS queries
# host/port of vpn server
remote gw1.mia4.slickvpn.com 443
remote gw1.man2.slickvpn.com 443
remote gw1.iom1.slickvpn.com 443
remote gw1.dub1.slickvpn.com 443
remote gw1.ost1.slickvpn.com 443
remote gw1.lil1.slickvpn.com 443
remote gw1.ams3.slickvpn.com 443
remote gw1.lux1.slickvpn.com 443
remote-random
# file containing username and password
#auth-user-pass openvpn.userpass
# ... or prompt for authentication
auth-user-pass /etc/openvpn/slickvpn
auth-nocache
# equivalent to pull, tls-client
client
# redirect all outgoing traffic to the vpn gateway
redirect-gateway
# Pull DNS names from server once connected
allow-pull-fqdn
# verify the server certificate for authenticity
remote-cert-tls server
cipher AES-256-CBC
proto udp
dev tun
keepalive 10 120
nobind
persist-key
persist-tun
# ssl certificate / key used for tls
#ca certs/ca.crt
#cert certs/client1.crt
#key certs/client1.key
<ca>
-----BEGIN CERTIFICATE-----
MIIDQDCCAqmgAwIBAgIJAM8Brk2pUr0KMA0GCSqGSIb3DQEBBQUAMHQxCzAJBgNV
BAYTAlVTMQswCQYDVQQIEwJDQTEMMAoGA1UEBxMDVlBOMQwwCgYDVQQKEwNWUE4x
DDAKBgNVBAsTA1ZQTjEMMAoGA1UEAxMDVlBOMQwwCgYDVQQpEwNWUE4xEjAQBgkq
hkiG9w0BCQEWA1ZQTjAeFw0xMjAzMDMwMjExNDJaFw0yMjAzMDEwMjExNDJaMHQx
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEMMAoGA1UEBxMDVlBOMQwwCgYDVQQK
EwNWUE4xDDAKBgNVBAsTA1ZQTjEMMAoGA1UEAxMDVlBOMQwwCgYDVQQpEwNWUE4x
EjAQBgkqhkiG9w0BCQEWA1ZQTjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
wY2K08N7or1Br/EsD9XBon7gs7dKflWYuymgMLJfeMFWuJloNdsn+3GARIhYBbN6
zhvFGFE214qKPqAydW1WmIIK7KoC0sgndr+Vk/au9gssFzVmmvr6+WN/nfo2L9Kv
vBMoYLrMAiyw/D4cRapZi2pXJLcMDfC+p1VWAX8TYWkCAwEAAaOB2TCB1jAdBgNV
HQ4EFgQUmyvO4rTnu5/ABnp0FngU+SdR8WAwgaYGA1UdIwSBnjCBm4AUmyvO4rTn
u5/ABnp0FngU+SdR8WCheKR2MHQxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEM
MAoGA1UEBxMDVlBOMQwwCgYDVQQKEwNWUE4xDDAKBgNVBAsTA1ZQTjEMMAoGA1UE
AxMDVlBOMQwwCgYDVQQpEwNWUE4xEjAQBgkqhkiG9w0BCQEWA1ZQToIJAM8Brk2p
Ur0KMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAoB0kOuGvrzPBTIRX
IDHCCxBMdny+3sKAOllmH4+51j2aWhAJ4Pyc/yBTYyQGNoriABjmNzp+R05oiaxA
D3vTgR80juKDPtQb8LoGLBF18gL7Vtc3+hJXcJasXZaDSSoyh5f+TtGvytIT+ece
JWIrKnFXzlHOvKlyLkcZn15gwKQ=
-----END CERTIFICATE-----
</ca>
log-append /var/log/openvpn/openvpn.log
You now need to create a file with your SlickVPN username and password; for simplicity I place this in /etc/openvpn/slickvpn (as reflected in the above configuration). The first row should contain your SlickVPN email address, the second your password. For obvious reasons I am not placing a copy of mine in this document.
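As an added check that is not part of the original write-up: a small POSIX shell audit of an OpenVPN client config for the directives the file above depends on (remote-cert-tls server, auth-nocache, an explicit cipher, a credentials file, an inline CA and remote-random when there are several gateways). The sample config embedded in the script is constructed for the example, not SlickVPN's file.

```shell
#!/bin/sh
# Audit an OpenVPN client .conf/.ovpn for the hardening directives used in the
# SlickVPN config above. Constructed sample config; not SlickVPN's own file.

SAMPLE_CONF=$(cat <<'EOF'
# trimmed client config in the style of the one above
remote gw1.man2.slickvpn.com 443
remote gw1.dub1.slickvpn.com 443
remote-random
auth-user-pass /etc/openvpn/slickvpn
auth-nocache
client
redirect-gateway
remote-cert-tls server
cipher AES-256-CBC
proto udp
dev tun
<ca>
-----BEGIN CERTIFICATE-----
(placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
EOF
)

# has_directive CONF NAME [VALUE]: succeeds if a non-comment line starts with
# NAME and, when VALUE is given, has VALUE as its first argument.
has_directive() {
    printf '%s\n' "$1" | awk -v name="$2" -v val="$3" '
        /^[[:space:]]*[#;]/ { next }
        $1 == name && (val == "" || $2 == val) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# audit_conf CONF: prints one line per failed check and returns the count,
# so 0 means the config carries every directive we expect.
audit_conf() {
    conf=$1; fails=0
    has_directive "$conf" remote-cert-tls server ||
        { echo "missing: remote-cert-tls server (peer cert not checked for server role)"; fails=$((fails + 1)); }
    has_directive "$conf" auth-nocache ||
        { echo "missing: auth-nocache (credentials kept in memory)"; fails=$((fails + 1)); }
    has_directive "$conf" cipher AES-256-CBC ||
        { echo "missing: cipher AES-256-CBC"; fails=$((fails + 1)); }
    has_directive "$conf" auth-user-pass ||
        { echo "missing: auth-user-pass credentials file"; fails=$((fails + 1)); }
    if ! printf '%s\n' "$conf" | grep -q '^<ca>'; then
        echo "missing: inline <ca> block"; fails=$((fails + 1))
    fi
    # several remotes without remote-random always try the first gateway first
    if [ "$(printf '%s\n' "$conf" | grep -c '^remote ')" -gt 1 ] &&
       ! has_directive "$conf" remote-random; then
        echo "warning: several remotes but no remote-random"; fails=$((fails + 1))
    fi
    return "$fails"
}

audit_conf "$SAMPLE_CONF" && echo "sample config passes all checks"
```

Run it against /etc/openvpn/SlickVPN.ovpn after editing to confirm nothing was dropped; the return code is the number of failed checks.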
Finally you need to set uci (the configuration system on OpenWRT) to load and use this file; the following makes it possible to enable/disable it from the LuCI WebUI (see post)…
uci set openvpn.SlickVPN=openvpn
uci set openvpn.SlickVPN.enabled='1'
uci set openvpn.SlickVPN.config='/etc/openvpn/SlickVPN.ovpn'
uci commit
…this should leave the following at the end of your /etc/config/openvpn
config openvpn 'SlickVPN'
option enabled '1'
option config '/etc/openvpn/SlickVPN.ovpn'
Network Configuration
You now need to configure your internal network (LAN) so that traffic originating from it is passed through to the tun0 connection. This is described on the wiki; you create the VPN interface…
uci set network.vpn0=interface
uci set network.vpn0.ifname=tun0
uci set network.vpn0.proto=none
uci set network.vpn0.auto=1
…then configure the firewall to REJECT all incoming and forwarding requests, but ACCEPT all output…
uci set firewall.vpn=zone
uci set firewall.vpn.name=vpn
uci set firewall.vpn.network=vpn0
uci set firewall.vpn.input=REJECT
uci set firewall.vpn.forward=REJECT
uci set firewall.vpn.output=ACCEPT
uci set firewall.vpn.masq=1
uci set firewall.vpn_forwarding_lan_out=forwarding
uci set firewall.vpn_forwarding_lan_out.src=lan
uci set firewall.vpn_forwarding_lan_out.dest=vpn
uci commit network
uci commit firewall
Reload your configuration…
/etc/init.d/network reload
/etc/init.d/firewall reload
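One thing the steps above do not do is remove the stock lan-to-wan forwarding, so if OpenVPN stops and tun0 goes away, LAN traffic follows the ISP default route again. As an added example that is not part of the original write-up, the following POSIX shell script parses a constructed /etc/config/firewall in UCI syntax and flags any zone forwarded both to vpn and to wan; the sample config and the section names in it are constructed, not the author's.

```shell
#!/bin/sh
# Parse an OpenWrt /etc/config/firewall (UCI syntax) and flag zones whose
# traffic is forwarded both to the vpn zone and to wan. While tun0 is up,
# redirect-gateway makes the vpn path win; when it drops, the stock lan->wan
# forwarding still exists and traffic goes straight out via the ISP.
# Constructed sample, not the author's router config (lan/wan zones omitted).

SAMPLE_FW=$(cat <<'EOF'
config forwarding
	option src 'lan'
	option dest 'wan'

config zone 'vpn'
	option name 'vpn'
	option network 'vpn0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config forwarding 'vpn_forwarding_lan_out'
	option src 'lan'
	option dest 'vpn'
EOF
)

# list_forwardings CONF: prints "src dest" for each 'config forwarding'
# section, in file order. Single quotes around UCI values are stripped.
list_forwardings() {
    printf '%s\n' "$1" | awk -v q="'" '
        $1 == "config" { sect = $2; src = ""; dest = "" }
        sect == "forwarding" && $1 == "option" {
            gsub(q, "", $3)
            if ($2 == "src")  src  = $3
            if ($2 == "dest") dest = $3
            if (src != "" && dest != "") { print src, dest; src = ""; dest = "" }
        }'
}

# leak_paths CONF: prints every source zone that is forwarded both to vpn and
# to wan, i.e. the zones that fall back to the ISP when the tunnel is down.
leak_paths() {
    list_forwardings "$1" | awk '
        $2 == "vpn" { tovpn[$1] = 1 }
        $2 == "wan" { towan[$1] = 1 }
        END { for (z in tovpn) if (z in towan) print z }'
}

leak_paths "$SAMPLE_FW"   # prints: lan
```

Deleting the lan-to-wan forwarding section closes that path for LAN hosts; the router's own traffic (including dnsmasq's upstream DNS lookups) is governed by the zones' output policy rather than by forwardings, so check that separately.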
Bypassing VPN
Sometimes it's desirable to bypass the VPN; for example Netflix and BBC iPlayer are geo-restricted and if the exit node of the VPN is outside the UK they won't work. The 'trick' is to route traffic from specific devices, such as Chromecasts, around the VPN. There is a useful package, vpnbypass (see also this thread), that simplifies this process. If you're running the development version you can follow the instructions to install. If however you're running the stable Chaos Calmer (15.05.1) then you have to install manually. Pre-built packages are here and you have to switch from dnsmasq to dnsmasq-full, ip to ip-full and install ipset and iptables.
opkg remove dnsmasq ip; opkg install ip-full ipset iptables dnsmasq-full
cd /tmp
wget https://github.com/stangri/Files/raw/master/vpnbypass_1.0.0-5_all.ipk
wget https://github.com/stangri/Files/raw/master/luci-app-vpnbypass_git-17.027.48745-f546166-1_all.ipk
opkg install vpnbypass_1.0.0-5_all.ipk luci-app-vpnbypass_git-17.027.48745-f546166-1_all.ipk
rm vpnbypass_1.0.0-5_all.ipk luci-app-vpnbypass_git-17.027.48745-f546166-1_all.ipk
The default configuration routes Plex Media past the VPN as well as the IP addresses 192.168.1.80-192.168.1.88, so it will likely need some tweaking, but this can be done through the LuCI interface as 'VPN Bypass' will now be listed under Services.
DNS
# 'network' is not a valid section type; the vpn0 interface bound to tun0 was
# created under Network Configuration above, so attach the VPN provider's
# resolvers to it rather than defining a second interface on tun0
uci set network.vpn0.dns='87.98.175.85 193.183.98.154 5.135.183.146'
uci commit network
Self-hosted (VPS) VPN
There are tons of options for hosting a VPS; I cannot really recommend any. My choice of OVH's VPS SSD1 was based on a cheap price which included unlimited data (essential as a large portion of my browsing will be passing through the server). This section only details configuring OpenWRT to connect to and use the services; you will have to set up the VPS yourself. That process is described elsewhere and involves setting up an account, purchasing the service you want and then installing and configuring OpenVPN and dnssec.
A simple install script for a secure OpenVPN Installation can be used to ease the process.
Excluding Specific Services
Increasingly these days more and more content is streamed, whether that's iPlayer, Netflix, 4OD, ITVHub or any other service. Many of these are geo-restricted, which means if your VPN exit node is based in a country other than the one you are in you may find that some services do not work (conversely many have been using VPNs for years to circumvent this and access content from countries that would normally be blocked, by using a VPN with an exit node in the country of interest).
Whilst OpenVPN can probably be configured to bypass specific traffic on the server-side I have for now opted to simply have a second wireless network to allow certain devices (Chromecasts, PS3, TV) to connect via the ISP and not use the VPN which some providers block access from. I'll look to work around this at some point but this is my solution for now.
Factory Reset
If you cock things up and flash the wrong image all is not lost as you can factory reset these devices by pressing and holding the
Links
OpenWRT Forums
SlickVPN
A table of SlickVPN servers…
Country | Location | Gateway |
UK | Manchester | gw1.man2.slickvpn.com |
UK | Isle of Man | gw1.iom1.slickvpn.com |
UK | London | gw1.lhr4.slickvpn.com |
Iceland | Reykjavik | gw1.rkv1.slickvpn.com |
Eire | Dublin | gw1.dub1.slickvpn.com |
Belgium | Ostend | gw1.ost1.slickvpn.com |
France | Lille | gw1.lil1.slickvpn.com |
Netherlands | Amsterdam | gw1.ams3.slickvpn.com |
Luxembourg | Luxembourg | gw1.lux1.slickvpn.com |
Spain | Barcelona | gw1.bcn1.slickvpn.com |
Spain | Madrid | gw1.mad1.slickvpn.com |
Italy | Milan | gw1.mxp1.slickvpn.com |
Bulgaria | Sofia | gw1.sof1.slickvpn.com |
Austria | Graz | gw1.grz1.slickvpn.com |
Czech Republic | Prague | gw1.prgr1.slickvpn.com |
Romania | Bucharest | gw1.buh1.slickvpn.com |
Poland | Warsaw | gw1.waw1.slickvpn.com |
Poland | Gdansk | gw1.gdn2.slickvpn.com |
Denmark | Copenhagen | gw1.cph1.slickvpn.com |
Sweden | Halmstad | gw1.had1.slickvpn.com |
Sweden | Stockholm | gw1.arn1.slickvpn.com |
Latvia | Riga | gw1.rix1.slickvpn.com |
Turkey | Istanbul | gw1.ist1.slickvpn.com |
USA | Boston | gw1.bos1.slickvpn.com |
USA | Newark | gw1.ewr1.slickvpn.com |
USA | Newark | gw2.ewr1.slickvpn.com |
USA | Scranton | gw2.avp1.slickvpn.com |
USA | Washington | gw2.iad1.slickvpn.com |
USA | Fletcher | gw1.avl1.slickvpn.com |
USA | Atlanta | gw1.atl1.slickvpn.com |
USA | Atlanta | gw2.atl2.slickvpn.com |
USA | Atlanta | gw3.atl3.slickvpn.com |
USA | Tampa | gw1.tpa1.slickvpn.com |
USA | Miami | gw1.mia3.slickvpn.com |
USA | Miami | gw1.mia4.slickvpn.com |
USA | San Jose | gw1.sjc2.slickvpn.com |
USA | Seattle | gw1.sea1.slickvpn.com |
USA | Los Angeles | gw1.lax4.slickvpn.com |
USA | Las Vegas | gw1.las1.slickvpn.com |
Canada | Toronto | gw1.yyz1.slickvpn.com |
Canada | Montreal | gw1.yul2.slickvpn.com |
Canada | Vancouver | gw1.yvr1.slickvpn.com |
Australia | Melbourne | gw3.mel1.slickvpn.com |
Australia | Sydney | gw2.syd1.slickvpn.com |
China | Hong Kong | gw1.hkg2.slickvpn.com |
Japan | Tokyo | gw1.nrt1.slickvpn.com |
Japan | Tokyo | gw1.nrt2.slickvpn.com |
Panama | Panama City | gw1.pty1.slickvpn.com |
Brazil | Sao Paulo | gw1.gru3.slickvpn.com |
Chile | Vina del Mar | gw1.kna1.slickvpn.com |