Thursday, May 9, 2019

Set Up OpenWrt with VPN on Raspberry Pi

After many attempts, I have finally configured my Raspberry Pi 3B+ as a VPN Router using OpenWrt.

Here I would like to share the steps that worked for me.

The OpenWrt image I used is from the snapshot branch, and its version is "OpenWrt SNAPSHOT r9947-165d598".

To write to my SD card, I used Rufus (https://rufus.ie/).

The default LAN setup of OpenWrt on Raspberry Pi is static.  Hence, the first thing to do is to change it to DHCP, so it can connect to the Internet.  The commands are:

uci set network.lan.proto=dhcp
uci commit
/etc/init.d/network restart

ref: https://openwrt.org/toh/raspberry_pi_foundation/raspberry_pi


Next, I used opkg to install LuCI, so I could configure the rest using a GUI.  The commands are:

opkg update
opkg install luci

ref: https://openwrt.org/docs/guide-user/luci/luci.essentials

Although my Raspberry Pi 3B+ comes with in-built wifi, I found it problematic when it is being used in 802.11n mode.  Hence, I use a Realtek USB dongle instead.  To get it recognized, you need to install additional modules:

opkg install kmod-rt2800-lib kmod-rt2800-usb kmod-rt2x00-lib kmod-rt2x00-usb kmod-usb-core kmod-usb-uhci
 
In addition, you need OpenSSL and OpenVPN modules for VPN support:

opkg install openvpn-openssl luci-app-openvpn

ref: https://www.makeuseof.com/tag/raspberry-pi-vpn-travel-router/

Once all is done, reboot the Raspberry Pi.

With LuCI installed, you should be able to log onto OpenWrt on your Raspberry Pi using a browser.

In Network -> Wireless, you should see a new 802.11bgn adapter.



Next I created a WAN interface.  I strongly advise you to name it "wan".  This is because the default OpenWrt installation comes with a set of rules defined for "wan".

This newly created WAN interface is then bound to the physical "eth0" interface and set to be a DHCP client.






Once the WAN is set up, it is time to remove the LAN's eth0 binding and bridge the LAN to the wifi interface instead.



Here is the tricky part.  At this point, you are likely to lose the connection to the Pi, and this often upsets the OpenWrt setup, i.e. it may not apply all the changes.  Hence, you may need to make these changes on the Pi itself, using its command line interface.

Here are the lan DHCP settings in my /etc/config/dhcp

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        list dhcp_option '6,9.9.9.9,8.8.8.8'

And here are the network settings in my /etc/config/network

config interface 'lan'
        option type 'bridge'
        option netmask '255.255.255.0'
        option proto 'static'
        option ipaddr '10.0.5.1'

Reboot after the changes are made (or restart the network service).

If everything is okay, you should be able to use the IP you gave to your Pi to log back into LuCI over wifi, e.g. 10.0.5.1

Test if you can connect to the Internet with the setup.  If not, check your firewall setup.  It should be similar to this.



If things are still good, then it is time to set up the VPN.

With the latest version of luci-app-openvpn, setting up the VPN could not be easier.  You just need to upload the ovpn file provided by your provider to OpenWrt, and you are almost there.





Once the configuration file is uploaded and accepted by OpenWrt, you should see something similar to below:


Press the Edit button, and edit the configuration to tell OpenWrt where it can find the VPN login credentials.



Find the line auth-user-pass, and append to it the full path name of your username and password file, e.g. /etc/openvpn/WindscribeHk.auth.

The auth-user-pass (the text box underneath the "section to add an option 'auth-user-pass'") should have two lines.  The first line is your username and the second line is your password.

Commit the changes.

On the Overview page, tick the "enable" option and press start. (You may need to restart the router at this point)

Now you have all the bits and pieces set up.  Time to wire them up.

Firstly, you need to set up a tunnel interface as below:




This interface is bound to "tun0" (as set up by OpenVPN), with the protocol set to Unmanaged.  This new interface is assigned to the WAN firewall group.

This is it.  You can test your new setup with sites such as ipleak.net to see if you are now hidden behind your VPN.
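
A local check to go with the ipleak.net test, as an added example that is not part of the original post: it confirms that the auth-user-pass line in the .ovpn file points at a two-line credential file that only its owner can access, and that the routing table sends IPv4 traffic out through tun0.  The script name vpn_audit.sh, the function names and the .ovpn path argument are assumptions, as is the expectation that your provider's configuration routes all traffic through the tunnel.

```shell
#!/bin/sh
# Added example (not from the original post): post-setup audit for the VPN router.
# Usage on the router (vpn_audit.sh and the path are assumptions, supply your own):
#   sh vpn_audit.sh /path/to/your.ovpn

# Print the file path that follows "auth-user-pass" in an OpenVPN config.
auth_path() {
    awk '$1 == "auth-user-pass" { print $2; exit }' "$1"
}

# Succeed only if the credential file has exactly two non-empty lines
# (username, password) and grants nothing to group or other.
check_auth_file() {
    [ -f "$1" ] || { echo "missing credential file: $1"; return 1; }
    n=$(grep -c . "$1" || true)
    [ "$n" -eq 2 ] || { echo "expected 2 lines, found $n"; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "too permissive ($perms): chmod 600 $1"; return 1; }
}

# Read `ip route` output on stdin; succeed only if all IPv4 traffic leaves via
# the tunnel: a default route on it, or the 0.0.0.0/1 + 128.0.0.0/1 pair that
# OpenVPN's "redirect-gateway def1" installs alongside the old default route.
routes_via_tunnel() {
    awk -v want="${1:-tun0}" '
        { d = ""; for (i = 1; i < NF; i++) if ($i == "dev") d = $(i + 1) }
        d == want && $1 == "default"     { full = 1 }
        d == want && $1 == "0.0.0.0/1"   { lo = 1 }
        d == want && $1 == "128.0.0.0/1" { hi = 1 }
        END { exit !(full || (lo && hi)) }'
}

# Only runs when a config path is given on the command line.
if [ -n "$1" ]; then
    cred=$(auth_path "$1")
    [ -n "$cred" ] || { echo "auth-user-pass has no file path in $1"; exit 1; }
    check_auth_file "$cred" || exit 1
    ip route show | routes_via_tunnel tun0 || { echo "traffic is not routed via tun0"; exit 1; }
    echo "credential file and routing look correct"
fi
```

A routing check like this only covers IPv4 routes; the DNS and IPv6 results on ipleak.net still need to be read separately.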

N.B. The stable branch 18.6.04 is working on Raspberry Pi 3B+ now.  However, it lacks wifi support, and you may need to use a dongle for WiFi.

As OpenWrt is running from an SD card with an ext4 file system, it would be bad to just power off the Raspberry Pi without properly shutting down the system.  To shut down the system properly, you can ssh into OpenWrt and run the poweroff command.  Alternatively, you can shut down the system from LuCI if you have the "luci-app-advanced-reboot" plugin installed.




