Saturday, May 25, 2019

NEXX WT3020F OpenVPN Client Setup

Although the Raspberry Pi has much more powerful hardware when used as a VPN router, its wifi support and single LAN port can be a problem for many.  Also, I found the current OpenWRT implementation for it can be flaky at times.

There are few OpenWRT-supported travel routers on the market, and the NEXX WT3020F is one of them.

Although OpenWRT can work as an OpenVPN client and has the luci-app-OpenVPN package to assist with the configuration, I always find it too clumsy.  This seems to have changed in versions after 18.6.2 (if you are on 18.6.x, please follow this tutorial: https://blog.cavebeat.org/2018/02/vpn-tunnel-as-a-wan-interface-on-openwrt-lede-router/).

The luci-app-OpenVPN client in recent snapshots shows that you can now configure the OpenVPN client by uploading an ovpn configuration file.  This makes things so much easier!

To configure your OpenWRT router for OpenVPN, you:
1) Upload the ovpn configuration file.
2) Go to the settings edit page, put your credentials in the auth-user-pass section box provided, and put the path of this "file" (see highlighted) next to the auth-user-pass option.
3) Set up the tunnelling (see my Raspberry Pi VPN Setup for steps), and you are ready to go!



















Update:
If you are using OpenWRT 18.6.x, please follow this tutorial.  It is much simpler than many I found on the Internet.  It shows you how to use an ovpn file to set up your VPN rather than transferring its settings using the luci-app-openvpn GUI.

https://blog.cavebeat.org/2018/02/vpn-tunnel-as-a-wan-interface-on-openwrt-lede-router/

Here are steps:

Transfer the ovpn file obtained from your VPN provider to /etc/openvpn

Here are the commands I used:

touch sigavpn_ny.ovpn
vi sigavpn_ny.ovpn

The first line creates an ovpn file, and the second line opens the file for editing.  I transfer the content by simple copy and paste.

After pasting the contents, look for this line

auth-user-pass

Append this line with the path to the password file, e.g. /etc/openvpn/sigavpn_ny.auth

Now create the password file with the path you previously put in the ovpn file, e.g.

# assuming you are already in /etc/openvpn
touch sigavpn_ny.auth
vi sigavpn_ny.auth

The password file should have two lines.  The first line is your username, and the second line is your password.

Lastly, alter the openvpn file in /etc/config to link everything up, e.g.

config openvpn 'siga_vpn'
        option enabled '1'
        option config "/etc/openvpn/sigavpn_ny.ovpn"

Thursday, May 9, 2019

Set Up Openwrt with VPN on Raspberry Pi

After many attempts, I have finally configured my Raspberry Pi 3B+ as a VPN Router using OpenWrt.

Here I would like to share steps that work for me.

The OpenWrt image I used is from the snapshot branch, and its version is "OpenWrt SNAPSHOT r9947-165d598"

To write to my SD Card, I used Rufus (https://rufus.ie/).

The default LAN setup of OpenWrt on Raspberry Pi is static.  Hence, the first thing to do is to change it to DHCP, so it can connect to the Internet.  The commands are:

uci set network.lan.proto=dhcp
uci commit
/etc/init.d/network restart

ref: https://openwrt.org/toh/raspberry_pi_foundation/raspberry_pi


Afterwards, I use opkg to install LUCI, so I can configure the rest using a GUI.  The commands are:

opkg update
opkg install luci
ref: https://openwrt.org/docs/guide-user/luci/luci.essentials

Although my Raspberry Pi 3B+ comes with in-built wifi, I found it problematic when it is being used in 802.11n mode.  Hence, I use a Realtek USB dongle instead.  To get it recognized, you need to install additional modules:

opkg install kmod-rt2800-lib kmod-rt2800-usb kmod-rt2x00-lib kmod-rt2x00-usb kmod-usb-core kmod-usb-uhci
 
In addition, you need OpenSSL and OpenVPN modules for VPN support:

opkg install openvpn-openssl luci-app-openvpn
ref: https://www.makeuseof.com/tag/raspberry-pi-vpn-travel-router/

Once all done, reboot the Raspberry Pi.

With LUCI installed, you should be able to log onto your Raspberry Pi OpenWrt using a browser.

In Network -> Wireless, you should see a new 802.11bgn adapter.



Next, I create a WAN interface.  I strongly advise you to name it "wan".  This is because the default OpenWrt installation comes with a set of rules defined for "wan".

This newly created WAN interface is then bound to the physical "eth0" interface, and is set to be a DHCP client.






Once the WAN is set up, it is time to remove the LAN's eth0 binding and bridge it to the wifi interface instead.



Here is the tricky part.  At this point, you are likely to lose the connection to the Pi, and this often upsets the OpenWrt setup, i.e. it may not apply all the changes.  Hence, you may need to configure this part on the Pi itself, using its command line interface.

Here are the lan DHCP settings in my /etc/config/dhcp:

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        list dhcp_option '6,9.9.9.9,8.8.8.8'

And here are the network settings in my /etc/config/network:

config interface 'lan'
        option type 'bridge'
        option netmask '255.255.255.0'
        option proto 'static'
        option ipaddr '10.0.5.1'

Reboot after changes are made (or restart the network service).

If everything is okay, you should be able to use the IP you gave to your Pi to log back into LUCI over wifi, e.g. 10.0.5.1

Test if you can connect to the Internet with the setup.  If not, check your firewall setup.  It should be similar to this.



If things are still good, then it is time to set up the VPN.

With the latest version of luci-app-openvpn, setting up a VPN couldn't be easier.  You just need to upload the ovpn file provided by your provider to OpenWrt, and you are almost there.





Once the configuration file is uploaded and accepted by OpenWrt, you should see something similar to below:


Press the Edit button, and edit the configuration to tell OpenWrt where it can find the VPN login credential.



Find the line auth-user-pass, and append it with the full path name to your username and password file, e.g. /etc/openvpn/WindscribeHk.auth.

The auth-user-pass section (the text box underneath the "section to add an option 'auth-user-pass'") should have two lines.  The first line is your username and the second line is your password.

Commit the changes.

On the Overview page, tick the "enable" option and press start. (You may need to restart the router at this point)
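
Both this LuCI setup and the command-line setup in the NEXX WT3020F post leave the VPN username and password in a plain-text file named on the auth-user-pass line, so that file should be readable by its owner only (chmod 600).  The script below is an added example, not part of the original posts: it reads the path from the profile and checks that the file exists, has exactly two lines and is closed to group and other.  The function names and the sample files are made up for the example.

```sh
#!/bin/sh
# Added example: audit the credential file an OpenVPN profile points to.
# All sample names and contents below are constructed.

# Print the path that follows auth-user-pass in a profile (empty if none).
auth_file_of() {
    awk '{ sub(/\r$/, "") }   # tolerate CRLF from copy-and-paste
         $1 == "auth-user-pass" && NF >= 2 { print $2; exit }' "$1"
}

# Return 0 when the credential file is usable and private.
# Otherwise print the reason and return 1-4.
check_auth_file() {
    auth=$(auth_file_of "$1")
    [ -n "$auth" ] || { echo "no path after auth-user-pass in $1"; return 1; }
    [ -f "$auth" ] || { echo "missing credential file: $auth"; return 2; }
    # Exactly two non-empty lines: username, then password.
    lines=$(grep -c . "$auth" || true)
    [ "$lines" -eq 2 ] || { echo "$auth: $lines non-empty lines, want 2"; return 3; }
    # Characters 5-10 of the ls mode string are the group and other bits;
    # all must be clear (for example mode 600).
    perms=$(ls -ld "$auth" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$auth: open to group/other ($perms)"; return 4; }
    return 0
}

# Demo on constructed files in a temporary directory.
demo=$(mktemp -d)
printf 'client\nremote vpn.example.net 1194\nauth-user-pass %s/sample.auth\n' \
    "$demo" > "$demo/sample.ovpn"
printf 'exampleuser\nexamplepass\n' > "$demo/sample.auth"
chmod 644 "$demo/sample.auth"
check_auth_file "$demo/sample.ovpn" || echo "fix with: chmod 600 $demo/sample.auth"
chmod 600 "$demo/sample.auth"
check_auth_file "$demo/sample.ovpn" && echo "credential file OK"
rm -rf "$demo"
```

On the router, the same function can be pointed at the real profile, e.g. check_auth_file /etc/openvpn/sigavpn_ny.ovpn.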

Now you have all the bits and pieces set up.  Time to wire them up.

Firstly, you need to set up a tunnel interface as below:




This interface is bound to "tun0" (as set up by OVPN), with protocol Unmanaged.  This new interface is assigned to the WAN firewall group.

This is it.  You can test your new setup with sites such as ipleak.net to see if you are now hidden behind your VPN.

N.B. The stable branch 18.6.04 is working on Raspberry Pi 3B+ now.  However, it lacks wifi support, and you may need to use a dongle for WiFi.

As OpenWRT is running from an SD card under the ext4 file system, it would be bad to just power off the Raspberry Pi without properly shutting down the system.  To shut down the system properly, you can ssh into OpenWrt and run the poweroff command.  Alternatively, you can shut down the system from LUCI if you have the "luci-app-advanced-reboot" plugin installed.