Set up your router with a VPN

With one network routed through the VPN

Set up access

Set the root password:

passwd

Add your SSH public key:

vim /etc/dropbear/authorized_keys

Confirm that you can log in over SSH with your key before changing the following parameters, which disable password login:

vim /etc/config/dropbear

    config dropbear
        option RootPasswordAuth 'off'
        option Port             '22'

Update & Install packages

opkg update

We will need these packages to set up the VPN:

opkg install vim screen mtr openssl-util openvpn-openssl ca-certificates libustream-openssl ca-bundle

Change the hostname of the router

vim /etc/config/system

Reload

/etc/init.d/system reload

Setting up network

  • Add interfaces

  • Add switch rules

    vim /etc/config/network

Add the interface that will be the VPN

    config interface 'leap'
        option ifname 'leap'

Add the interface that will use the VPN

    config interface 'tunnel'
        option type 'bridge'
        option proto 'static'
        option ifname 'eth0.10'
        option netmask '255.255.255.0'
        option ipaddr '192.168.10.1/24'

Add a new switch rule. Be careful with the numbers: do not change the default switch_vlan entries.

    config switch_vlan
        option device 'switch0'

By default you should already have other switch rules (switch_vlan) numbered 1 and/or 2, so use a new number, in this case 3:

        option vlan '3'

The identification number for the interface tunnel, eth0.10:

        option vid '10'

And finally add the tagged CPU port (the port number followed by 't'); use the same port number that appears in the other switch rules:

        option ports '6t'

Reload with:

/etc/init.d/network reload

Setting up firewall

  • Add zones

  • Add forwarding

  • Add rules

    vim /etc/config/firewall

      config zone
          option name      leap
          list network     'leap'
          option input     REJECT
          option output    ACCEPT
          option forward   ACCEPT
          option masq      1

      config zone
          option name      tunnel
          list network     'tunnel'
          option input     REJECT
          option output    ACCEPT
          option forward   ACCEPT
          option log       1

      config forwarding
          option src       tunnel
          option dest      leap

      config forwarding
          option src       tunnel
          option dest      wan

      config forwarding
          option src       lan
          option dest      tunnel

      config forwarding
          option src       lan
          option dest      leap

      config rule
          option name      ssh
          option target    ACCEPT
          option src       wan
          option proto     tcp
          option dest_port 22

      config rule
          option target    ACCEPT
          option name      dns-tunnel
          option src       tunnel
          option dest_port 53

      config rule
          option target    ACCEPT
          option name      dhcp-tunnel
          option src       tunnel
          option dest_port 67-68


Reload with:

/etc/init.d/firewall reload
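The switch_vlan step above asks you to pick numbers by hand, and the firewall file just written decides what the router exposes to the wan. The following script is an added example, not part of the original guide: it parses the UCI text of both files with awk, reports the next free switch_vlan number, the tagged CPU port the new rule must reuse, and whether a chosen vlan/vid pair collides, then lists the ports accepted from wan (the ssh rule, which is why key-only login was set up first) and the zones allowed to forward straight to wan (tunnel to wan, the path traffic from the VPN Wi-Fi takes if the vpn routing table is not in place). The sample configs inside it are constructed from the guide's snippets plus default-style switch_vlan entries 1 and 2; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity checks on the UCI
# text of /etc/config/network and /etc/config/firewall before reloading.
# Sample configs (constructed from the guide's snippets plus default-style
# switch_vlan entries 1 and 2) are embedded at the bottom.

# uci_fields <config-text> <section-type> <opt1> [opt2] [opt3]
#   one line per section of <section-type> with the values of the named
#   options (quotes stripped, '-' when an option is missing)
uci_fields() {
    printf '%s\n' "$1" | awk -v type="$2" -v o1="$3" -v o2="$4" -v o3="$5" -v q="'" '
        function val(k) { return (k in v) ? v[k] : "-" }
        function flush(   line) {
            if (!in_sec) return
            line = val(o1)
            if (o2 != "") line = line " " val(o2)
            if (o3 != "") line = line " " val(o3)
            print line
        }
        { gsub(q, "") }
        $1 == "config" { flush(); in_sec = ($2 == type); split("", v) }
        in_sec && ($1 == "option" || $1 == "list") {
            rest = $0
            sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", rest)
            sub(/[ \t]+$/, "", rest)
            v[$2] = rest
        }
        END { flush() }'
}

# next_free_vlan <network-text> -> lowest switch_vlan number not in use
next_free_vlan() {
    used=$(uci_fields "$1" switch_vlan vlan)
    n=1
    while printf '%s\n' "$used" | grep -qx "$n"; do n=$((n + 1)); done
    echo "$n"
}

# cpu_port <network-text> -> the tagged port shared by the existing
#   switch_vlan entries ('6t' in the guide), which the new one must reuse
cpu_port() {
    uci_fields "$1" switch_vlan ports | tr ' ' '\n' | grep 't$' | sort -u
}

# vlan_is_free <network-text> <vlan> <vid> -> 0 if neither number is taken
vlan_is_free() {
    uci_fields "$1" switch_vlan vlan vid | while read -r vlan vid; do
        if [ "$vlan" = "$2" ]; then echo "switch_vlan $2 already exists" >&2; exit 1; fi
        if [ "$vid" = "$3" ]; then echo "vid $3 already exists" >&2; exit 1; fi
    done
}

# wan_open_ports <firewall-text> -> dest_port of ACCEPT rules with src wan
wan_open_ports() {
    uci_fields "$1" rule src target dest_port | awk '$1 == "wan" && $2 == "ACCEPT" { print $3 }'
}

# forwards_to_wan <firewall-text> -> zones allowed to forward straight to wan
forwards_to_wan() {
    uci_fields "$1" forwarding src dest | awk '$2 == "wan" { print $1 }'
}

sample_network() { cat <<'EOF'
config switch_vlan
    option vlan '1'
    option vid '1'
    option ports '0 1 2 3 6t'

config switch_vlan
    option vlan '2'
    option vid '2'
    option ports '4 6t'
EOF
}

sample_firewall() { cat <<'EOF'
config forwarding
    option src      tunnel
    option dest     wan

config rule
    option target   ACCEPT
    option src      wan
    option dest_port 22

config rule
    option target   ACCEPT
    option src      tunnel
    option dest_port 53
EOF
}

NET=$(sample_network); FW=$(sample_firewall)
echo "next free switch_vlan number: $(next_free_vlan "$NET")"   # 3
echo "tagged CPU port to reuse: $(cpu_port "$NET")"             # 6t
vlan_is_free "$NET" 3 10 && echo "vlan 3 / vid 10 can be added"
echo "ports accepted from wan: $(wan_open_ports "$FW" | tr '\n' ' ')"           # 22
echo "zones forwarded straight to wan: $(forwards_to_wan "$FW" | tr '\n' ' ')"  # tunnel
```

On the router, read the real /etc/config/network and /etc/config/firewall into NET and FW instead of the two sample functions; every function works on the text, so nothing is changed until you reload.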

Setting up wireless

  • Add wifi interfaces

You can have one Wi-Fi network that gives access to the internet in clear, using the "lan" network, and another that gives access through the VPN, using the "tunnel" network.

vim /etc/config/wireless


    config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '[wifi-name]'
        option encryption 'psk2'
        option key '[aGreatPassword]'

    config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'tunnel'
        option mode 'ap'
        option encryption 'psk2'
        option ssid '[wifi-name-VPN]'
        option key '[aGreatPassword]'

Reload with:

/etc/init.d/network reload

Adding the new interface in DHCP

vim /etc/config/dhcp

    config dhcp 'tunnel'
        option interface 'tunnel'
        option start '30'
        option limit '253'
        option leasetime '12h'

Also add these lines to the 'config dnsmasq' section, because the VPN needs them:

        list server '10.41.0.1'
        list server '1.1.1.1'

Setting up OpenVPN

  • Add the IPs used by the VPN
  • Add the location of the certificates that we will see in the next step, "LEAP"
  • Change some parameters

Here is an example of a config file:

package openvpn

#################################################
# Sample to include a custom config file.       #
#################################################

config openvpn leap

	option route_up /etc/leap/openvpn/scripts/route-up.sh

	# Set to 1 to enable this instance:
	option enabled 1
	option log /tmp/ovpn.log
	
	# Specify that we are a client and that we
	# will be pulling certain config file directives
	# from the server.
	option client 1
	
	# Use the same setting as you are using on
	# the server.
	# On most systems, the VPN will not function
	# unless you partially or fully disable
	# the firewall for the TUN/TAP interface.
#	option dev tap
	option dev leap
	option dev_type tun

	# Are we connecting to a TCP or
	# UDP server?  Use the same setting as
	# on the server.
	option proto tcp
#	option proto udp

	# The hostname/IP and port of the server.
	# You can have multiple remote entries
	# to load balance between the servers.
	list remote "212.129.4.124 443 tcp4"
	list remote "212.83.182.127 443 tcp4"
	list remote "212.129.62.247 443 tcp4"
	list remote "212.129.37.129 443 tcp4"
	list remote "212.83.165.160 443 tcp4"
	list remote "163.172.126.44 443 tcp4"
	list remote "212.83.144.12 443 tcp4"
	list remote "212.129.4.141 443 tcp4"
	list remote "212.83.146.228 443 tcp4"
	list remote "212.83.143.67 443 tcp4"
	list remote "199.58.83.12 443 tcp4"
	list remote "37.218.244.251 443 tcp4"
	list remote "37.218.244.249 443 tcp4"
	list remote "199.58.83.10 443 tcp4"
	list remote "198.252.153.28 443 tcp4"
	list remote "185.220.103.12 443 tcp4"
	option script_security 2
	option persist_key 1
	option persist_local_ip 1
	option auth SHA1
	option keepalive "10 30"

	# Choose a random host from the remote
	# list for load_balancing.  Otherwise
	# try hosts in the order specified.
#	option remote_random 1

	# Keep trying indefinitely to resolve the
	# host name of the OpenVPN server.  Very useful
	# on machines which are not permanently connected
	# to the internet such as laptops.
	option resolv_retry infinite

	# Most clients don't need to bind to
	# a specific local port number.
	option nobind 1

	# Try to preserve some state across restarts.
	option persist_key 1
	option persist_tun 1
	option user nobody
	option group nogroup

	# If you are connecting through an
	# HTTP proxy to reach the actual OpenVPN
	# server, put the proxy server/IP and
	# port number here.  See the man page
	# if your proxy server requires
	# authentication.
	# retry on connection failures:
#	option http_proxy_retry 1
	# specify http proxy address and port:
#	option http_proxy "192.168.1.100 8080"

	# Wireless networks often produce a lot
	# of duplicate packets.  Set this flag
	# to silence duplicate packet warnings.
#	option mute_replay_warnings 1
	
	# SSL/TLS parms.
	# See the server config file for more
	# description.  It's best to use
	# a separate .crt/.key file pair
	# for each client.  A single ca
	# file can be used for all clients.
	option ca /etc/leap/openvpn/ca.pem
	option cert /etc/leap/openvpn/cert.pem
	option key /etc/leap/openvpn/privkey.pem

	# Verify server certificate by checking
	# that the certificate has the nsCertType
	# field set to "server".  This is an
	# important precaution to protect against
	# a potential attack discussed here:
	#  http://openvpn.net/howto.html#mitm
	#
	# To use this feature, you will need to generate
	# your server certificates with the nsCertType
	# field set to "server".  The build_key_server
	# script in the easy_rsa folder will do this.
	option remote_cert_tls server

	# If a tls_auth key is used on the server
	# then every client must also have the key.
#	option tls_auth "/etc/openvpn/ta.key 1"
	option tls_client 1
	option tls_cipher DHE-RSA-AES128-SHA

	# Select a cryptographic cipher.
	# If the cipher option is used on the server
	# then you must also specify it here.
	option cipher AES-128-CBC

	# Set log file verbosity.
	option verb 1

	# Silence repeating messages
#	option mute 20

Do not reload or start OpenVPN yet! Do the next step first:

Setting up LEAP

  • Make directory LEAP

  • Copy 2 scripts

  • Make directory LEAP/OPENVPN

  • Copy 2 scripts

    mkdir -p /etc/leap/openvpn/scripts   # also creates the scripts/ directory the OpenVPN configs reference
    vim /etc/leap/renew.sh

Copy this script to renew.sh

#!/bin/sh
# Fetch a fresh client certificate and key from the LEAP provider API
# (https://api.black.riseup.net:443/1/cert) and install them for OpenVPN.
# $DIR/ca.crt (the provider CA) must already be present: it is used to
# verify the API's TLS certificate.

DIR=/etc/leap
OVPNDIR=/etc/leap/openvpn
API='https://api.black.riseup.net:443'
wget --ca-certificate "$DIR/ca.crt" -O "$DIR/combined.pem" "$API/1/cert"

# Show what was received: subject, validity dates and purposes
openssl x509 -subject -noout -in "$DIR/combined.pem"
openssl x509 -dates -noout -in "$DIR/combined.pem"
openssl x509 -purpose -noout -in "$DIR/combined.pem"

# Check the private key and extract its public half
openssl rsa -check -inform PEM -pubout -in "$DIR/combined.pem" > "$DIR/pubkey.pem"

# Split the certificate out of the combined file and install it
if openssl x509 -in "$DIR/combined.pem" > "$DIR/cert.pem"
then
    echo "cert success"
    cp "$DIR/cert.pem" "$OVPNDIR/cert.pem"
else
    echo "cert fail"
fi

# Same for the private key
if openssl rsa -check -inform PEM -in "$DIR/combined.pem" > "$DIR/privkey.pem"
then
    echo "privkey success"
    cp "$DIR/privkey.pem" "$OVPNDIR/privkey.pem"
else
    echo "privkey fail"
fi
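renew.sh relies on openssl to pull the certificate and key out of combined.pem, but it copies whatever openssl produced without first checking that the download was a complete PEM bundle. The following script is an added example, not from the original guide: using only grep and sed, it accepts the file only when it holds exactly one certificate and one private key, splits it into cert.pem and privkey.pem, and restricts permissions on the key; a truncated download or an HTML error page is rejected instead of being installed. The PEM content is a constructed placeholder, not real key material; the function names and the mktemp directory are mine.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify the combined.pem
# that renew.sh downloads before it is split and copied into
# /etc/leap/openvpn. The LEAP API answer is expected to hold exactly one
# private key and one certificate; anything else is rejected here instead
# of being turned into an empty cert.pem/privkey.pem.
# The PEM text used below is a constructed placeholder, not a real key or cert.

# pem_count <file> <label-regex> -> number of BEGIN blocks of that kind
pem_count() {
    grep -c "^-----BEGIN $2-----$" "$1" || true
}

# pem_extract <file> <label-regex> -> the block(s) of that kind, with markers
pem_extract() {
    sed -n "/^-----BEGIN $2-----$/,/^-----END $2-----$/p" "$1"
}

# check_combined <file> -> 0 when the file holds exactly one certificate and
#   one private key (RSA or PKCS#8 label), 1 otherwise
check_combined() {
    certs=$(pem_count "$1" 'CERTIFICATE')
    keys=$(pem_count "$1" '.*PRIVATE KEY')
    if [ "$certs" -ne 1 ] || [ "$keys" -ne 1 ]; then
        echo "$1: expected 1 certificate and 1 key, found $certs and $keys" >&2
        return 1
    fi
}

# split_combined <file> <outdir> -> writes cert.pem and privkey.pem into
#   <outdir> (what renew.sh does with openssl), only after the check passes
split_combined() {
    check_combined "$1" || return 1
    pem_extract "$1" 'CERTIFICATE' > "$2/cert.pem"
    pem_extract "$1" '.*PRIVATE KEY' > "$2/privkey.pem"
    chmod 600 "$2/privkey.pem"   # only openvpn needs to read the key
}

# Constructed inputs: a well-formed combined file and an error page
TMP=$(mktemp -d)
cat > "$TMP/combined.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
UExBQ0VIT0xERVIgS0VZIERBVEEgLSBOT1QgQSBSRUFMIEtFWQ==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgQ0VSVCBEQVRBIC0gTk9UIEEgUkVBTCBDRVJU
-----END CERTIFICATE-----
EOF
printf '<html><body>503 Service Unavailable</body></html>\n' > "$TMP/error.pem"

split_combined "$TMP/combined.pem" "$TMP" && echo "cert.pem and privkey.pem written to $TMP"
check_combined "$TMP/error.pem" || echo "error.pem rejected, nothing installed"
```

This check complements rather than replaces the openssl calls in renew.sh: sed only confirms the PEM framing, while `openssl rsa -check` also validates the key material itself.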

Also create:

vim /etc/leap/startopenvpn.sh

with this script inside:

#!/bin/sh
#https://api.demo.bitmask.net:4430/1/cert

#wget -O combined.pem https://api.demo.bitmask.net:4430/1/cert

OVPNDIR=/etc/leap/openvpn

# Run OpenVPN in the foreground with the same settings as the UCI config,
# so the connection can be watched while the checks are made (Ctrl+C stops it)
/usr/sbin/openvpn --setenv LEAPOPENVPN 1 \
--nobind \
--client \
--dev leap \
--dev-type tun \
--tls-client \
--remote-cert-tls server \
--script-security 2 \
--persist-key \
--persist-local-ip \
--user nobody \
--group nogroup \
--verb 7 \
--remote 212.129.4.124 443 tcp4 \
--remote 212.83.182.127 443 tcp4 \
--remote 212.129.62.247 443 tcp4 \
--remote 212.129.37.129 443 tcp4 \
--remote 212.83.165.160 443 tcp4 \
--remote 163.172.126.44 443 tcp4 \
--remote 212.83.144.12 443 tcp4 \
--remote 212.129.4.141 443 tcp4 \
--remote 212.83.146.228 443 tcp4 \
--remote 212.83.143.67 443 tcp4 \
--remote 199.58.83.12 443 tcp4 \
--remote 37.218.244.251 443 tcp4 \
--remote 37.218.244.249 443 tcp4 \
--remote 199.58.83.10 443 tcp4 \
--remote 198.252.153.28 443 tcp4 \
--remote 185.220.103.12 443 tcp4 \
--tls-cipher DHE-RSA-AES128-SHA \
--cipher AES-128-CBC \
--auth SHA1 \
--keepalive 10 30 \
--ca $OVPNDIR/ca.pem \
--cert $OVPNDIR/cert.pem \
--key $OVPNDIR/privkey.pem \
--route-noexec \
--up $OVPNDIR/scripts/up.sh \
--route-up $OVPNDIR/scripts/route-up.sh

#--ipchange $OVPNDIR/scripts/up.sh \
#--down $OVPNDIR/scripts/up.sh \

#--user nobody \
#--group nogroup \

Also create this file (the path both OpenVPN configs point at):

vim /etc/leap/openvpn/scripts/route-up.sh

and copy this script into it:

#!/bin/sh -x

ip='/sbin/ip'
# Check whether an IP routing table named 'vpn' exists; create it if missing
if ! grep -q vpn /etc/iproute2/rt_tables; then
    echo "100     vpn" >> /etc/iproute2/rt_tables
fi

# Remove any 'from <addr> lookup vpn' rule left over from a previous connection
$ip rule | sed -n 's/.*\(from[ \t]*[0-9\.]*\).*vpn/\1/p' | while read RULE
do
        $ip rule del ${RULE}
        #echo del: ${RULE}
done

# With no usable default route, the vpn table drops traffic instead of letting
# it fall through to the main table (and out in clear) while the tunnel is down
if $ip route add unreachable default table vpn
then
	echo "added default unreachable in table vpn"
else
	echo "default unreachable already there"
fi

# Delete the default routes OpenVPN set up when the tunnel was established
$ip route del 128.0.0.0/1 via ${route_vpn_gateway}
$ip route del 0.0.0.0/1 via ${route_vpn_gateway}

# Send traffic sourced from the tunnel address to the vpn routing table
$ip rule add from ${ifconfig_local} lookup vpn

# Route everything in the vpn table through the tunnel gateway on the tun
# interface (the 'via' is what the later check of the vpn table looks for)
$ip route add 128.0.0.0/1 via ${route_vpn_gateway} dev ${dev} table vpn
$ip route add 0.0.0.0/1 via ${route_vpn_gateway} dev ${dev} table vpn

exit 0

Create this file:

vim /etc/leap/openvpn/scripts/up.sh

with this script:

#!/bin/ash -x

# Example call made by OpenVPN:
#   ./openvpn/scripts/up.sh leap 1500 1559 10.41.0.19 255.255.248.0 init

date >> /tmp/ovpn-up.log
env >> /tmp/ovpn-up.log

ip addr show dev "$dev"

if [ "$script_type" = 'up' ]
then
    # Manual route setup kept for reference; route-up.sh does the real work
    #cat >> /tmp/ovpn-cmd.log <<EOF
    #ip route add $route_vpn_gateway via $route_net_gateway table 33
    #ifconfig $dev $ifconfig_local $ifconfig_netmask up
    #ip route add default via $route_vpn_gateway table 33
    #EOF
    echo up
else
    echo "not up"
fi

Launch the VPN

  • Renew the certificate and verify that it was downloaded
  • Stop OpenVPN
  • Run the script startopenvpn.sh and check that the VPN works
  • Start OpenVPN
  • Check that everything works properly

First, download the certificates by running this script:

/etc/leap/renew.sh

Make sure OpenVPN is not running:

/etc/init.d/openvpn stop

Use two windows (with screen): run the script in the first and make the checks in the second while it runs; once done, press Ctrl+C to stop it.

/etc/leap/startopenvpn.sh

In the second window, check that the "leap" interface appears and note the IP it uses:

ip a

For example:

28: leap: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
	inet 10.41.0.67/21 brd 10.41.7.255 scope global leap

Check the rules with ip rule; the IP 10.41.0.67 and br-tunnel should both appear, like this:

0:	from all lookup local 
32764:	from 10.41.0.67 lookup vpn 
32765:	from all iif br-tunnel lookup vpn 
32766:	from all lookup main 
32767:	from all lookup default 

If the br-tunnel rule does not appear, add it:

ip rule add from all iif br-tunnel lookup vpn

Check whether 10.41.0.0/21 appears in the vpn table:

ip route show table vpn

If instead you see this (routes without a gateway):

0.0.0.0/1 dev leap scope link 
unreachable default 
128.0.0.0/1 dev leap scope link 

you need to run these commands:

ip route del 0.0.0.0/1 table vpn

ip route del 128.0.0.0/1 table vpn

ip route add 0.0.0.0/1 via 10.41.0.1 dev leap table vpn

ip route add 10.41.0.0/21 dev leap table vpn

ip route add 128.0.0.0/1 via 10.41.0.1 dev leap table vpn

Then, check if VPN is working with:

ping -I 10.41.0.67 1.1.1.1
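The checks above (ip rule, ip route show table vpn, the repair commands) can be scripted. The following is an added example, not part of the original guide: it parses the two command outputs, names the state the guide describes (the br-tunnel rule missing, routes without a gateway), and computes the subnet route from the address shown by ip a so the repair commands come out right for whatever address the server hands you. It also flags a vpn table that has lost its 'unreachable default' entry, which route-up.sh adds so that traffic from the tunnel Wi-Fi is dropped rather than sent out in clear while the VPN is down. The sample outputs are constructed from the guide's examples; VPN_IF, BRIDGE_IF and the gateway 10.41.0.1 are taken from the guide, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original guide: scripted versions of the
# checks above. It parses the output of 'ip rule' and 'ip route show table
# vpn', names the state found, and prints the repair commands with the
# tunnel subnet computed from the address 'ip a' shows. Sample outputs are
# constructed from the guide's examples; names and gateway are assumptions.

VPN_IF=leap          # tun device name used throughout the guide
BRIDGE_IF=br-tunnel  # bridge netifd creates for the 'tunnel' interface

# rule_for_bridge <ip-rule-output> -> 0 if traffic arriving on br-tunnel
#   is sent to the vpn table, 1 if the rule is missing
rule_for_bridge() {
    printf '%s\n' "$1" | grep -q "from all iif $BRIDGE_IF lookup vpn"
}

# vpn_table_state <ip-route-show-table-vpn-output> -> one of:
#   empty          nothing routed over the tunnel yet
#   no-gateway     the 0/1 and 128/1 routes lack 'via' (the state the guide
#                  tells you to repair)
#   no-killswitch  'unreachable default' is gone, so tunnel traffic would
#                  fall through to the main table and leave in clear
#   ok             everything the guide expects is present
vpn_table_state() {
    tbl=$1
    if ! printf '%s\n' "$tbl" | grep -q "dev $VPN_IF"; then
        echo empty; return
    fi
    for half in 0.0.0.0/1 128.0.0.0/1; do
        if ! printf '%s\n' "$tbl" | grep -q "^$half via [0-9.]* dev $VPN_IF"; then
            echo no-gateway; return
        fi
    done
    if ! printf '%s\n' "$tbl" | grep -q "^unreachable default"; then
        echo no-killswitch; return
    fi
    echo ok
}

# network_of <addr/prefix> -> the subnet, e.g. 10.41.0.67/21 -> 10.41.0.0/21
network_of() {
    addr=${1%/*}; plen=${1#*/}
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    addr_int=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    net=$(( addr_int & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( net >> 24 & 255 )) $(( net >> 16 & 255 )) \
        $(( net >> 8 & 255 )) $(( net & 255 )) "$plen"
}

# fix_commands <tunnel-addr/prefix> <gateway> -> the guide's repair commands
#   with the subnet filled in (gateway: the server's tunnel address,
#   10.41.0.1 in the guide, which is also the DNS server given to dnsmasq)
fix_commands() {
    net=$(network_of "$1")
    cat <<EOF
ip route del 0.0.0.0/1 table vpn
ip route del 128.0.0.0/1 table vpn
ip route add 0.0.0.0/1 via $2 dev $VPN_IF table vpn
ip route add $net dev $VPN_IF table vpn
ip route add 128.0.0.0/1 via $2 dev $VPN_IF table vpn
EOF
}

# Constructed samples: the first two copy the outputs shown in the guide,
# the third is what the vpn table looks like after the repair commands
SAMPLE_RULES='0:      from all lookup local
32764:  from 10.41.0.67 lookup vpn
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_TABLE_BAD='0.0.0.0/1 dev leap scope link
unreachable default
128.0.0.0/1 dev leap scope link'
SAMPLE_TABLE_OK='0.0.0.0/1 via 10.41.0.1 dev leap
10.41.0.0/21 dev leap scope link
unreachable default
128.0.0.0/1 via 10.41.0.1 dev leap'

rule_for_bridge "$SAMPLE_RULES" || echo "missing rule, add it: ip rule add from all iif $BRIDGE_IF lookup vpn"
echo "vpn table state: $(vpn_table_state "$SAMPLE_TABLE_BAD")"   # no-gateway
echo "repair with:"
fix_commands 10.41.0.77/21 10.41.0.1
```

On the router, feed rule_for_bridge the output of `ip rule` and vpn_table_state the output of `ip route show table vpn`; fix_commands takes the address and prefix that `ip a` shows for leap.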

So, if everything works, stop the startopenvpn.sh script with Ctrl+C and start OpenVPN:

/etc/init.d/openvpn start

It can happen that you need to rerun renew.sh and reload OpenVPN. To be sure, repeat every step from ip a to ping with OpenVPN running and without the startopenvpn.sh script.

Now the Wi-Fi that uses the lan interface goes to the internet in clear and the Wi-Fi that uses tunnel goes through the LEAP VPN; confirm it from a device connected to each of the two Wi-Fi networks with mtr or traceroute.