Set up your router with a VPN
With one network routed through the VPN
Set up access
Set the root password:
passwd
Add your SSH public key:
vim /etc/dropbear/authorized_keys
Confirm that you can log in with the key before changing the parameters below: they turn password login off for root, so a session that authenticates with your key only (no password fallback on the client side) must already work, or you lock yourself out.
vim /etc/config/dropbear
config dropbear
option RootPasswordAuth 'off'
option Port '22'
Update & Install packages
opkg update
We will need these packages for setting up the VPN:
opkg install vim screen mtr openssl-util openvpn-openssl ca-certificates libustream-openssl ca-bundle
Change hostname of the router
vim /etc/config/system
Reload
/etc/init.d/system reload
Setting up network
- Add interfaces
- Add switch rules
vim /etc/config/network
Add the interface that will be the VPN (the tun device that OpenVPN creates; on OpenWrt 21.02 and later the option is called 'device' instead of 'ifname'):
config interface 'leap'
option ifname 'leap'
Add the interface that will use the VPN: a bridge over VLAN 10 with its own subnet (the address is given either as ipaddr plus netmask or as CIDR, not both):
config interface 'tunnel'
option type 'bridge'
option proto 'static'
option ifname 'eth0.10'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
Add a new switch rule. Be careful with the numbers: do not change the default switch_vlan entries (this applies to swconfig routers; on DSA-based OpenWrt 21.02+ VLANs are configured differently).
config switch_vlan
option device 'switch0'
By default you already have switch_vlan entries numbered 1 and/or 2, so use a new one, here 3:
option vlan '3'
The VLAN id matching the tunnel interface's eth0.10:
option vid '10'
And finally the CPU port, tagged ('t'): the same port number that appears tagged in the existing switch_vlan entries (6 here; it varies per device). No physical port is in this VLAN, the tunnel network is wifi-only; append a port number to 'ports' if you also want a wired port on the VPN network.
option ports '6t'
Reload with:
/etc/init.d/network reload
Setting up firewall
- Add zones
- Add forwarding
- Add rules
vim /etc/config/firewall
config zone
option name 'leap'
list network 'leap'
option input 'REJECT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
config zone
option name 'tunnel'
list network 'tunnel'
option input 'REJECT'
option output 'ACCEPT'
option forward 'ACCEPT'
option log '1'
config forwarding
option src 'tunnel'
option dest 'leap'
config forwarding
option src 'tunnel'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'tunnel'
config forwarding
option src 'lan'
option dest 'leap'
config rule
option name 'ssh'
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option dest_port '22'
config rule
option name 'dns-tunnel'
option target 'ACCEPT'
option src 'tunnel'
option dest_port '53'
config rule
option name 'dhcp-tunnel'
option target 'ACCEPT'
option src 'tunnel'
option dest_port '67-68'
Two things to weigh before reloading. The 'ssh' rule opens port 22 to the whole internet, which is only acceptable with the key-only dropbear setup from the beginning; leave it out if you do not need remote administration. The tunnel to wan forwarding gives VPN clients a path to the WAN that they are never supposed to use: with the routing set up later, the vpn table has an 'unreachable default', so their traffic fails when the tunnel is down, but only that routing keeps them off the WAN. If you want the firewall to enforce it as well, drop that forwarding; the tunnel network then has no way out except through the leap zone.
Reload with:
/etc/init.d/firewall reload
Setting up wireless
- Add wifi interfaces
You can have one wifi that gives access to the internet in clear, using the "lan" network, and another that goes through the VPN, using the "tunnel" network. Give the two different passphrases.
vim /etc/config/wireless
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid '[wifi-name]'
option encryption 'psk2'
option key '[aGreatPassword]'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'tunnel'
option mode 'ap'
option encryption 'psk2'
option ssid '[wifi-name-VPN]'
option key '[aGreatPassword]'
Reload with (wifi reload also works):
/etc/init.d/network reload
Adding the new interface to DHCP
vim /etc/config/dhcp
config dhcp 'tunnel'
option interface 'tunnel'
option start '30'
option limit '253'
option leasetime '12h'
Also add these two upstream servers to the 'config dnsmasq' section; 10.41.0.1 is the resolver inside the VPN (reachable only while the tunnel is up) and 1.1.1.1 is the fallback:
list server '10.41.0.1'
list server '1.1.1.1'
Be aware that dnsmasq answers for both wifis and that the router's own queries are not policy-routed: a query it forwards to 1.1.1.1 leaves over the WAN in clear even when it came from the VPN wifi. If that is unacceptable, drop the 1.1.1.1 entry; the VPN wifi then has no DNS while the tunnel is down, which is the fail-closed behaviour.
Setting up OpenVPN
- Add the IP’s used by the VPN
- Add the location of the certificates that we will see in the next step “LEAP”
- Change some parameters
Here is an example of a config file:
package openvpn
#################################################
# Sample to include a custom config file. #
#################################################
config openvpn leap
option route_up /etc/leap/openvpn/scripts/route-up.sh
# Set to 1 to enable this instance:
option enabled 1
option log /tmp/ovpn.log
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
option client 1
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
# option dev tap
option dev leap
option dev_type tun
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
option proto tcp
# option proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
list remote "212.129.4.124 443 tcp4"
list remote "212.83.182.127 443 tcp4"
list remote "212.129.62.247 443 tcp4"
list remote "212.129.37.129 443 tcp4"
list remote "212.83.165.160 443 tcp4"
list remote "163.172.126.44 443 tcp4"
list remote "212.83.144.12 443 tcp4"
list remote "212.129.4.141 443 tcp4"
list remote "212.83.146.228 443 tcp4"
list remote "212.83.143.67 443 tcp4"
list remote "199.58.83.12 443 tcp4"
list remote "37.218.244.251 443 tcp4"
list remote "37.218.244.249 443 tcp4"
list remote "199.58.83.10 443 tcp4"
list remote "198.252.153.28 443 tcp4"
list remote "185.220.103.12 443 tcp4"
option script_security 2
option persist_local_ip 1
# Data-channel HMAC, dictated by the provider's server.
option auth SHA1
option keepalive "10 30"
# Choose a random host from the remote
# list for load_balancing. Otherwise
# try hosts in the order specified.
# option remote_random 1
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
option resolv_retry infinite
# Most clients don't need to bind to
# a specific local port number.
option nobind 1
# Try to preserve some state across restarts.
option persist_key 1
option persist_tun 1
option user nobody
option group nogroup
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
# retry on connection failures:
# option http_proxy_retry 1
# specify http proxy address and port:
# option http_proxy "192.168.1.100 8080"
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
# option mute_replay_warnings 1
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
option ca /etc/leap/openvpn/ca.pem
option cert /etc/leap/openvpn/cert.pem
option key /etc/leap/openvpn/privkey.pem
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build_key_server
# script in the easy_rsa folder will do this.
option remote_cert_tls server
# If a tls_auth key is used on the server
# then every client must also have the key.
# option tls_auth "/etc/openvpn/ta.key 1"
option tls_client 1
option tls_cipher DHE-RSA-AES128-SHA
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here. These are
# legacy values (CBC cipher, SHA1 HMAC) that the
# provider's server offered at the time. OpenVPN 2.5
# and later deprecate 'cipher' in favour of
# 'data_ciphers'; if the connection is rejected over
# cipher negotiation, add: option data_ciphers 'AES-128-CBC'
option cipher AES-128-CBC
# Set log file verbosity.
option verb 1
# Silence repeating messages
# option mute 20
Do not reload or start OpenVPN yet; do the next step first.
Setting up LEAP
- Make the directory /etc/leap
- Copy 2 scripts into it (renew.sh, startopenvpn.sh)
- Make the directory /etc/leap/openvpn/scripts
- Copy 2 scripts into it (route-up.sh, up.sh)
Both renew.sh (/etc/leap/ca.crt, used to authenticate the API) and OpenVPN (/etc/leap/openvpn/ca.pem, used to authenticate the server) need the provider's CA certificate, and none of the scripts fetch it: get it from your provider and compare its fingerprint with a trusted source before putting it there.
mkdir -p /etc/leap/openvpn/scripts
vim /etc/leap/renew.sh
Copy this script to renew.sh:
#!/bin/sh
# Fetches a fresh client certificate + key from the LEAP provider API
# (https://api.black.riseup.net:443/1/cert) and installs them for OpenVPN.
DIR=/etc/leap
OVPNDIR=/etc/leap/openvpn
API='https://api.black.riseup.net:443'
# $DIR/ca.crt is the provider's CA; it authenticates the API endpoint.
# Stop here on download failure rather than reinstalling a stale file.
wget --ca-certificate "$DIR/ca.crt" -O "$DIR/combined.pem" "$API/1/cert" || exit 1
# Show what was received: subject, validity window and purposes
openssl x509 -subject -noout -in "$DIR/combined.pem"
openssl x509 -dates -noout -in "$DIR/combined.pem"
openssl x509 -purpose -noout -in "$DIR/combined.pem"
openssl rsa -pubout -in "$DIR/combined.pem" > "$DIR/pubkey.pem"
# Files created from here on must not be world-readable (the key is the VPN identity)
umask 077
if openssl x509 -in "$DIR/combined.pem" > "$DIR/cert.pem"
then
echo "cert success"
cp "$DIR/cert.pem" "$OVPNDIR/cert.pem"
else
echo "cert fail"
fi
# -check only validates the key; the extraction is a separate command so the
# "RSA key ok" message does not end up inside privkey.pem
if openssl rsa -check -noout -in "$DIR/combined.pem" \
   && openssl rsa -in "$DIR/combined.pem" -out "$DIR/privkey.pem"
then
echo "privkey success"
cp "$DIR/privkey.pem" "$OVPNDIR/privkey.pem"
chmod 600 "$DIR/privkey.pem" "$OVPNDIR/privkey.pem"
else
echo "privkey fail"
fi
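Before copying the extracted files into place it is worth checking that the key actually belongs to the certificate, that the certificate chains to the issuing CA, and that it is not about to expire; renew.sh only prints that information for a human to read. The following is an added example, not part of the page or of LEAP/Bitmask, that does those checks as shell functions. It assumes the openssl CLI (openssl-util on OpenWrt) and builds a throwaway CA and client certificate (constructed material, not a real LEAP issuance) so it can be tried without the provider:

```shell
#!/bin/sh
# Added example, not part of the original page or of LEAP/Bitmask.
# Checks for the combined.pem that renew.sh downloads, run before the
# cert and key are copied under /etc/leap/openvpn. Needs the openssl CLI.
# make_fixture() builds a constructed CA and client certificate so the
# functions can be exercised offline; on the router, point them at the
# real files instead.

# Extract the certificate and the private key from a combined PEM file.
# The key is written with mode 0600 so that the VPN identity is not
# readable by the unprivileged user OpenVPN drops to.
split_combined() {
    combined=$1; outdir=$2
    umask 077
    openssl x509 -in "$combined" -out "$outdir/cert.pem" || return 1
    openssl pkey -in "$combined" -out "$outdir/privkey.pem" || return 1
    chmod 0644 "$outdir/cert.pem"
    chmod 0600 "$outdir/privkey.pem"
}

# 0 when the private key belongs to the certificate (same public key).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate chains to the given CA file.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 when the certificate still has at least $2 seconds of validity left.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Everything renew.sh should insist on; the return code says what failed:
# 1 extraction, 2 key/cert mismatch, 3 chain, 4 less than a day of validity.
check_combined() {
    combined=$1; ca=$2; outdir=$3
    split_combined "$combined" "$outdir" || return 1
    key_matches_cert "$outdir/cert.pem" "$outdir/privkey.pem" || return 2
    chains_to_ca "$ca" "$outdir/cert.pem" || return 3
    cert_valid_for "$outdir/cert.pem" 86400 || return 4
}

# Constructed test material: a throwaway CA and a client cert it signed,
# concatenated into combined.pem the way the API delivers key + cert.
# Prints the directory it was written to.
make_fixture() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=TestCA \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=client \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 10 -out "$d/client.crt" 2>/dev/null
    cat "$d/client.key" "$d/client.crt" > "$d/combined.pem"
    echo "$d"
}
```

On the router you would call check_combined /etc/leap/combined.pem <issuer CA> /etc/leap/openvpn. Which CA file to pass is an assumption to verify with your provider: LEAP providers may sign client certificates with a dedicated client CA rather than the CA that fronts the API, in which case chains_to_ca against /etc/leap/ca.crt fails even for a good certificate.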
Also:
vim /etc/leap/startopenvpn.sh
with this script inside:
#!/bin/sh
# Foreground launcher used once to test the tunnel and its routing. Same
# options as /etc/config/openvpn but with --verb 7 for debugging; stop it
# with Ctrl+C before starting the OpenVPN service.
# Earlier LEAP test API: https://api.demo.bitmask.net:4430/1/cert
OVPNDIR=/etc/leap/openvpn
/usr/sbin/openvpn --setenv LEAPOPENVPN 1 \
--nobind \
--client \
--dev leap \
--dev-type tun \
--tls-client \
--remote-cert-tls server \
--script-security 2 \
--persist-key \
--persist-local-ip \
--user nobody \
--group nogroup \
--verb 7 \
--remote 212.129.4.124 443 tcp4 \
--remote 212.83.182.127 443 tcp4 \
--remote 212.129.62.247 443 tcp4 \
--remote 212.129.37.129 443 tcp4 \
--remote 212.83.165.160 443 tcp4 \
--remote 163.172.126.44 443 tcp4 \
--remote 212.83.144.12 443 tcp4 \
--remote 212.129.4.141 443 tcp4 \
--remote 212.83.146.228 443 tcp4 \
--remote 212.83.143.67 443 tcp4 \
--remote 199.58.83.12 443 tcp4 \
--remote 37.218.244.251 443 tcp4 \
--remote 37.218.244.249 443 tcp4 \
--remote 199.58.83.10 443 tcp4 \
--remote 198.252.153.28 443 tcp4 \
--remote 185.220.103.12 443 tcp4 \
--tls-cipher DHE-RSA-AES128-SHA \
--cipher AES-128-CBC \
--auth SHA1 \
--keepalive 10 30 \
--ca $OVPNDIR/ca.pem \
--cert $OVPNDIR/cert.pem \
--key $OVPNDIR/privkey.pem \
--route-noexec \
--up $OVPNDIR/scripts/up.sh \
--route-up $OVPNDIR/scripts/route-up.sh
# --route-noexec keeps the routes pushed by the server out of the main table;
# route-up.sh builds the vpn table instead, so only tunnel traffic uses the VPN.
# No backslash after the last option: the lines below are comments, hooks
# that were tried and are left disabled:
# --ipchange $OVPNDIR/scripts/up.sh
# --down $OVPNDIR/scripts/up.sh
Also this file:
vim /etc/leap/openvpn/scripts/route-up.sh
And copy this script into it:
#!/bin/sh -x
ip='/sbin/ip'
# Declare the 'vpn' routing table (id 100) if it is not declared yet
if ! grep -q 'vpn' /etc/iproute2/rt_tables; then
echo "100 vpn" >> /etc/iproute2/rt_tables
fi
# Drop 'from <address> lookup vpn' rules left by a previous connection
# (the address changes between connections)
$ip rule | sed -n 's/.*\(from[ \t]*[0-9][0-9\.]*\).*vpn/\1/p' | while read RULE
do
$ip rule del ${RULE}
done
# Fail closed: with no working tunnel, table vpn rejects everything instead
# of falling through to the main table and the WAN
if $ip route add unreachable default table vpn
then
echo "added default unreachable to table vpn"
else
echo "default unreachable already there"
fi
# Remove the redirect-gateway halves that OpenVPN put in the main table, so
# the router's own traffic keeps using the WAN (absent, and the errors
# harmless, when started with --route-noexec)
$ip route del 128.0.0.0/1 via ${route_vpn_gateway}
$ip route del 0.0.0.0/1 via ${route_vpn_gateway}
# Traffic sourced from the tunnel address, and everything arriving on the
# tunnel bridge, is looked up in table vpn; the bridge rule is re-added so
# it does not accumulate on reconnects
$ip rule add from ${ifconfig_local} lookup vpn
$ip rule del iif br-tunnel lookup vpn 2>/dev/null
$ip rule add iif br-tunnel lookup vpn
# In table vpn, direct all traffic through the tunnel interface
$ip route add 128.0.0.0/1 dev ${dev} table vpn
$ip route add 0.0.0.0/1 dev ${dev} table vpn
exit 0
Make this file:
vim /etc/leap/openvpn/scripts/up.sh
Copy this script:
#!/bin/ash -x
# Called by OpenVPN as the --up hook, e.g.:
#   ./openvpn/scripts/up.sh leap 1500 1559 10.41.0.19 255.255.248.0 init
# It only logs the environment OpenVPN passes (dev, ifconfig_local,
# route_vpn_gateway, ...) so the values route-up.sh relies on can be checked.
date >> /tmp/ovpn-up.log
env >> /tmp/ovpn-up.log
ip addr show dev "$dev"
if [ "$script_type" = 'up' ]
then
# Earlier attempts at doing the routing here, kept for reference:
#ip route add $route_vpn_gateway via $route_net_gateway table 33
#ifconfig $dev $ifconfig_local $ifconfig_netmask up
#ip route add default via $route_vpn_gateway table 33
echo up
else
echo "not up"
fi
Launch the VPN
- Renew the certificate & Verify that is downloaded
- Stop openvpn
- Run script startopenvpn.sh & check that VPN works
- Start OpenVPN
- Check if everything works properly
First, make the four scripts executable (chmod +x /etc/leap/*.sh /etc/leap/openvpn/scripts/*.sh), then download the certificates by running:
/etc/leap/renew.sh
Make sure OpenVPN is not running
/etc/init.d/openvpn stop
Run the start script in one screen window and do the checks below from a second one; once they pass, Ctrl+C stops it.
/etc/leap/startopenvpn.sh
In the second window: check that the "leap" interface appears and note its IP:
ip a
For example:
28: leap: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
inet 10.41.0.67/21 brd 10.41.7.255 scope global leap
Check with ip rule that a rule for the IP 10.41.0.67 and one for br-tunnel appear, like this:
0: from all lookup local
32764: from 10.41.0.67 lookup vpn
32765: from all iif br-tunnel lookup vpn
32766: from all lookup main
32767: from all lookup default
If the latter does not appear, do this:
ip rule add from all iif br-tunnel lookup vpn
Check that 10.41.0.0/21 appears in the vpn table:
ip route show table vpn
If instead you see this:
0.0.0.0/1 dev leap scope link
unreachable default
128.0.0.0/1 dev leap scope link
replace the two /1 routes with routes via the VPN gateway and add the VPN subnet (these are the routes route-up.sh installs, so if the 'via' form is what works for you, change its two ip route add lines the same way, otherwise the fix is lost at the next reconnect):
ip route del 0.0.0.0/1 table vpn
ip route del 128.0.0.0/1 table vpn
ip route add 0.0.0.0/1 via 10.41.0.1 dev leap table vpn
ip route add 10.41.0.0/21 dev leap table vpn
ip route add 128.0.0.0/1 via 10.41.0.1 dev leap table vpn
Then check that the VPN works, sourcing the ping from the tunnel address so the 'from 10.41.0.67 lookup vpn' rule applies:
ping -I 10.41.0.67 1.1.1.1
If everything works, stop the startopenvpn.sh script with Ctrl+C and start OpenVPN as a service:
/etc/init.d/openvpn start
You may need to run renew.sh again and restart OpenVPN. In any case, repeat every check from ip a to the ping with the OpenVPN service running and the startopenvpn.sh script stopped: the service config does not use route_noexec, so route-up.sh has to clean the redirect-gateway routes out of the main table itself.
So the wifi on the lan network goes out in clear and the wifi on the tunnel network goes through the LEAP VPN. Verify this from a client: connect to each wifi in turn and run mtr or traceroute to an internet host; through the tunnel wifi the first hop after the router should be the VPN gateway (10.41.0.1) rather than your ISP, and a public-IP lookup should show the VPN exit address. Also test the fail-closed behaviour: stop OpenVPN and confirm that the tunnel wifi loses internet access instead of falling back to the WAN.
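The checks above are done by eye. As an added example (not code from the original page), here they are as shell functions that take the output of ip rule and ip route as text, so they can be scripted on the router after every reconnect; the sample outputs are constructed from the values in this walkthrough (10.41.0.67, br-tunnel, leap), not captured from a real router:

```shell
#!/bin/sh
# Added example, not part of the original page: the checks the page does by
# eye with `ip rule` and `ip route show table vpn`, as functions that take the
# command output as text. The sample outputs at the bottom are constructed
# from the walkthrough's values (10.41.0.67, br-tunnel, leap) for offline use;
# vpn_state_ok() runs the same functions on live output on the router.

# 0 when traffic sourced from the VPN address and traffic arriving on the
# tunnel bridge are both looked up in table vpn.
rules_ok() {
    rules=$1; bridge=$2; vpn_ip=$3
    printf '%s\n' "$rules" | grep -q "from $vpn_ip lookup vpn" || return 1
    printf '%s\n' "$rules" | grep -q "iif $bridge lookup vpn" || return 1
}

# 0 when table vpn fails closed: both /1 halves go out through the tunnel
# device and 'unreachable default' sits underneath them, so clients of the
# VPN wifi get an error instead of a clear-text WAN path when the tunnel
# goes away and the /1 routes vanish with the device.
vpn_table_ok() {
    routes=$1; dev=$2
    printf '%s\n' "$routes" | grep -q '^unreachable default' || return 1
    printf '%s\n' "$routes" | grep -q "^0\.0\.0\.0/1 .*dev $dev" || return 1
    printf '%s\n' "$routes" | grep -q "^128\.0\.0\.0/1 .*dev $dev" || return 1
}

# 0 when the main table carries no redirect-gateway halves, i.e. route-up.sh
# did its job and the router itself (and the clear-text wifi) still use the WAN.
main_table_ok() {
    routes=$1
    printf '%s\n' "$routes" | grep -q '^0\.0\.0\.0/1 ' && return 1
    printf '%s\n' "$routes" | grep -q '^128\.0\.0\.0/1 ' && return 1
    return 0
}

# Live check on the router: vpn_state_ok 10.41.0.67
vpn_state_ok() {
    rules_ok "$(ip rule)" br-tunnel "$1" || { echo "policy rules missing"; return 1; }
    vpn_table_ok "$(ip route show table vpn)" leap || { echo "table vpn not fail-closed"; return 1; }
    main_table_ok "$(ip route)" || { echo "main table redirected into the VPN"; return 1; }
    echo "ok"
}

# Constructed samples (not captured from a real router)
RULES_OK='0: from all lookup local
32764: from 10.41.0.67 lookup vpn
32765: from all iif br-tunnel lookup vpn
32766: from all lookup main
32767: from all lookup default'
RULES_NO_BRIDGE='0: from all lookup local
32764: from 10.41.0.67 lookup vpn
32766: from all lookup main
32767: from all lookup default'
VPN_TABLE_OK='0.0.0.0/1 via 10.41.0.1 dev leap
unreachable default
10.41.0.0/21 dev leap scope link
128.0.0.0/1 via 10.41.0.1 dev leap'
VPN_TABLE_LEAKY='0.0.0.0/1 via 10.41.0.1 dev leap
128.0.0.0/1 via 10.41.0.1 dev leap'
MAIN_OK='default via 203.0.113.1 dev eth0.2
10.41.0.0/21 dev leap scope link src 10.41.0.67
192.168.10.0/24 dev br-tunnel scope link src 192.168.10.1'
MAIN_REDIRECTED='0.0.0.0/1 via 10.41.0.1 dev leap
default via 203.0.113.1 dev eth0.2
128.0.0.0/1 via 10.41.0.1 dev leap'
```

The leaky sample is the one worth understanding: without the 'unreachable default', the moment the leap device disappears its two /1 routes disappear with it, table vpn becomes empty, and lookups fall through to the main table and the WAN.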