Help to understand /setup the combo VPS, OpenVPN & OpenWRT

tittooo7tittooo7 Member
edited December 2015 in General

So I have an OpenVPS, an OpenWRT and I want to watch Netflix USA on my PS4 and also download some torrents with VPN on one of my computers.
I know on the computer I can install the OpenVPN client software and that I can create my own Smart DNS proxy to use on the PS4 (that's what I was doing till now).

But I'm guessing it could be more comfortable to have OpenVPN installed in the OpenWRT router (or maybe I'm wrong?).

So I have gone through a lot of guides to install OpenVPN on OpenWRT routers, but all of them talk about using the router as an OpenVPN server and not as a client...
There is no mention of setting up something on the VPS, so I'm totally lost....

Could anyone help me?

thank you,


Comments

  • netomxnetomx Member, Moderator

    What router do you have?

  • @netomx said:
    What router do you have?

    TP-Link Archer C7 v2

  • netomxnetomx Member, Moderator

    Install openvpn-openssl, create a new interface called tun0, protocol: none

    Put that interface, in firewall, as wan.

    If you can ssh, put the ovpn config on root and run:

    openvpn --config /root/config.ovpn

    Test

  • null_ptrnull_ptr Member
    edited January 2016

    The instructions below are going to make your router tunnel the traffic of every device connected to it (PC, phone, PS4 etc.) through OpenVPN. The router itself is going to act as an OpenVPN client, which will be connected to the specified OpenVPN server.

    I'm assuming that you've already configured OpenVPN server on your VPS, if not then let me know.


    SSH to your router as root, or su - after login, or use sudo (if installed) for each command, whatever suits you best.

    Installing OpenVPN

    Update package list first:

    opkg update

    You have two OpenVPN packages to choose from:

    1. openvpn-openssl (with OpenSSL support)
    2. openvpn-polarssl (with PolarSSL support, currently also known as mbedTLS)

    I would personally recommend using PolarSSL due to smaller memory footprint (and probably it's a bit safer too).

    opkg install openvpn-polarssl

    Configuring network and firewall

    Next you need to configure your network interface for OpenVPN, and firewall.

    First of all, make a copy of /etc/config/network and /etc/config/firewall, in case something goes wrong.

    Network

    vi /etc/config/network

    Create interface for VPN, add:

    config interface 'vpn0'
        option ifname 'tun15'
        option proto 'none'

    Save file.

    Firewall

    vi /etc/config/firewall

    Create zone definition for VPN, add:

    config zone
        option name 'vpn'
        option network 'vpn0'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'

    Find forwarding from LAN->WAN (config forwarding [...] option dest 'wan' [...] option src 'lan'), and change it to forward from LAN->VPN instead:

    option dest 'wan' change to option dest 'vpn'

    After modification it should look like this (if you somehow can't find LAN->WAN forwarding then simply add the code below):

    config forwarding
        option dest 'vpn'
        option src 'lan'

    Find WAN zone definition (config zone [...] option name 'wan'), change line:

    option forward 'ACCEPT' to option forward 'REJECT'

    You might also want to update INPUT chain policy for WAN with:

    option input 'ACCEPT' to option input 'DROP'

    After modification option input and option forward should look like this:

    config zone
        option name 'wan'
        option network 'wan wan6'
        option input 'DROP'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'

    Find LAN zone definition (config zone [...] option name 'lan'), change line:

    option forward 'ACCEPT' to option forward 'REJECT'

    After modification option forward should look like this:

    config zone
        option name 'lan'
        option network 'lan'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'

    Save file.

    Configure OpenVPN configuration for both OpenWRT and the client

    OpenWRT OpenVPN configuration

    vi /etc/config/openvpn

    Change the content of above file to:

    config openvpn custom_config
        option enabled 1
        option config /etc/openvpn/client.conf

    OpenVPN client configuration

    Create OpenVPN client config dir:

    mkdir /etc/openvpn

    And chmod (and chown if necessary) for root access only:

    chown root: /etc/openvpn; chmod 700 /etc/openvpn

    Copy your OpenVPN client .ovpn file (and all other required files if they are not inlined into .ovpn, like client private key, client cert, ca cert) to OpenVPN dir (/etc/openvpn), and rename .ovpn file to client.conf.

    Ensure that client.conf is instructing OpenVPN to create TUN with id tun15, so it matches network interface defined earlier:

    vi /etc/openvpn/client.conf

    Find line starting with dev tun and change it to dev tun15.

    You can change 15 to something else, but you have to update option ifname 'tun15' from /etc/config/network as well.

    Save file.

    It's also a good idea to run OpenVPN with dropped privileges: you can either use nobody/nogroup, or you can create a separate user/group explicitly for OpenVPN.

    Create openvpn group:

    vi /etc/grou p (remove space between u and p, because CloudFlare treats that as a malicious action if it detects entire path, LOL)

    Add (you can modify GID 1200 to something else if you want):

    openvpn:x:1200:

    Save file.

    Create openvpn user:

    vi /etc/passw d (remove space between w and d, same as above, LOL^2)

    Add (you can modify UID 1200 to something else if you want):

    openvpn:*:1200:1200:openvpn:/var:/bin/false

    Save file.

    vi /etc/openvpn/client.conf

    And find lines that start with user ... [...] group ..., change them to (or add if missing):

    user openvpn
    group openvpn

    You can also use user nobody and group nogroup if you want, as mentioned earlier.

    Save file.

    Reload configs and apply the changes

    /etc/init.d/firewall restart; /etc/init.d/network restart

    After doing the above you're going to lose connectivity to the internet from your devices (the router itself is still going to have it, and you will still be able to SSH to your router); connectivity will be available only when OpenVPN establishes a successful connection to the endpoint.

    Test, configure and start OpenVPN as a service

    Test if OpenVPN works with:

    /usr/sbin/openvpn --config /etc/openvpn/client.conf

    If you are successfully capable of connecting to your VPS then kill running OpenVPN (CTRL+C).

    Enable OpenVPN service at boot:

    /etc/init.d/openvpn enable

    Start it the way it should be started:

    /etc/init.d/openvpn start

    End

    View logs if you need to check the status of OpenVPN (if you're not logging to file):

    logread | grep openvpn

    Don't forget to test if your devices are being correctly tunneled through OpenVPN by visiting for example https://www.whatismyip.com/, using your device web browser.

    If something goes wrong:

    1. Stop OpenVPN: /etc/init.d/openvpn stop

    2. Disable OpenVPN service: /etc/init.d/openvpn disable

    3. Restore your /etc/config/network and /etc/config/firewall, reload restored configs with /etc/init.d/firewall restart; /etc/init.d/network restart
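As an added check that is not part of null_ptr's post (nor an OpenWRT tool), the script below parses a UCI-style /etc/config/firewall from stdin and verifies the properties the guide relies on so that LAN traffic can leave only through the tunnel: no lan->wan forwarding left behind, lan->vpn forwarding present, wan zone forward REJECT, and a vpn zone with masq 1. It assumes the zone names lan/wan/vpn used in the guide, and the two sample configs embedded at the bottom are constructed for the demonstration.

```shell
# Added example, not part of null_ptr's post: audit an OpenWRT /etc/config/firewall
# (UCI text format, read from stdin) for the properties the guide relies on so that
# LAN traffic can leave only through the OpenVPN tunnel. Zone names lan/wan/vpn are
# the ones the guide uses. Prints one line per check; exit status 0 only if all pass.
audit_firewall() {
    awk '
    function unq(v) {                      # strip surrounding single/double quotes
        if (substr(v, 1, 1) == "\047" || substr(v, 1, 1) == "\"")
            v = substr(v, 2, length(v) - 2)
        return v
    }
    function flush(   k) {                 # evaluate the section that just finished
        if (stype == "forwarding" && opt["src"] == "lan" && opt["dest"] == "wan") lan_wan = 1
        if (stype == "forwarding" && opt["src"] == "lan" && opt["dest"] == "vpn") lan_vpn = 1
        if (stype == "zone" && opt["name"] == "wan") { wan_fwd = opt["forward"]; wan_in = opt["input"] }
        if (stype == "zone" && opt["name"] == "vpn") { vpn_seen = 1; vpn_masq = opt["masq"] }
        for (k in opt) delete opt[k]
        stype = ""
    }
    function check(ok, msg,   tag) { tag = ok ? "ok   " : "FAIL "; print tag msg; if (!ok) fails++ }
    $1 == "config" { flush(); stype = $2 }
    $1 == "option" { opt[$2] = unq($3) }   # first word of the value is enough for these checks
    END {
        flush()
        check(!lan_wan,            "no lan->wan forwarding (would bypass the tunnel)")
        check(lan_vpn,             "lan->vpn forwarding present")
        check(wan_fwd == "REJECT", "wan zone forward is REJECT")
        check(vpn_seen && vpn_masq == "1", "vpn zone present with masq 1")
        if (wan_in != "DROP") print "note wan zone input is not DROP (optional hardening from the guide)"
        exit fails ? 1 : 0
    }'
}

# Constructed samples: the stock lan->wan layout, then the guide's edit applied to it
# (forwarding dest wan -> vpn, plus the vpn zone).
STOCK_FW="config zone
    option name 'lan'
    option forward 'ACCEPT'
config zone
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'
config forwarding
    option src 'lan'
    option dest 'wan'"
TUNNELED_FW="$(printf '%s\n' "$STOCK_FW" | sed "s/option dest 'wan'/option dest 'vpn'/")
config zone
    option name 'vpn'
    option network 'vpn0'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'"
```

On the router itself, run `audit_firewall < /etc/config/firewall` after the edits and again after any later change to the firewall file.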

  • Thanks for the answers! I really appreciate it, honestly.

    @netomx I tried what you suggested doing the following (maybe I made a mistake):
    I created tun0 with "Unmanaged Protocol" and wan in "Firewall Settings" and also in "Physical Settings"
    Result: I wasn't able to connect, it got stuck somewhere, but I had to stop testing as someone else wanted to use the internet so I can give more details (I'll try again once everyone goes to sleep)

    @null_ptr you can't imagine how much I appreciate the time you took to write that detailed guide :)

    I followed your guide and I could connect, but after I did "/etc/init.d/network restart" I could see an error message saying something about "error EOF line 47". I will try to re-do the setup just in case I made some mistake.

    However what surprised me is that it seems that using OpenWRT as client the speed is much lower than using a Windows computer as client:
    When I had my Windows 10 PC as openvpn client I had a download speed (through speedtest.net) of 30Mbps approximately, but using the OpenWRT router as openvpn client my download speed is only around 3Mbps.... Is that normal??

  • netomxnetomx Member, Moderator

    Yes and no. The router doesn't have as powerful a processor as your PC, but 3mbps is too slow... I have managed 30mbps easily.

    You couldn't connect when? When you opened OpenWRT?

  • null_ptrnull_ptr Member
    edited January 2016

    tittooo7 said: I followed your guide and I could connect, but after I did "/etc/init.d/network restart" I could see an error message saying something about "error EOF line 47". I will try to re-do the setup just in case I made some mistake.

    Perhaps you forgot to close a quote somewhere (').

    tittooo7 said: However what surprised me is that it seems that using OpenWRT as client the speed is much lower than using a Windows computer as client: When I had my Windows 10 PC as openvpn client I had a download speed (through speedtest.net) of 30Mbps approximately, but using the OpenWRT router as openvpn client my download speed is only around 3Mbps.... Is that normal??

    As @netomx mentioned, lower speeds are normal on hardware such as routers; we are talking here about slow CPUs (MIPS usually), with low clock frequencies, and mostly no crypto hardware acceleration.

    However throughput of 3Mbps you're getting is a bit too low.

    My router has MIPS [email protected], and I'm maxing out CPU at about 8Mbps using AES-256-CBC, which is quite low, but enough to watch a live stream fluently in 1080p (30fps).

    Yours has MIPS [email protected], so it should be way faster.

    Does running top on your router report 90-100% CPU utilization coming from OpenVPN process when you're reaching 3Mbps?

    Sometimes playing around with OpenVPN client .ovpn values like tun-mtu, tun-mtu-extra, fragment, mssfix, can decrease throughput, if done incorrectly.

    I would also recommend increasing the key renegotiation time from the default 3600 seconds (1h) to at least 21600 (6h); it's controlled by the option reneg-sec, and it has to be set on both server and client, where the server controls the highest value that can be set by the client.

  • tittooo7tittooo7 Member
    edited January 2016

    @netomx said:
    Yes and no. The router doesn't have as powerful a processor as your PC, but 3mbps is too slow... I have managed 30mbps easily.

    You couldn't connect when? When you opened OpenWRT?

    I just did the steps you mentioned and I wasn't able to connect, so I moved on to the guide of null_ptr

    @null_ptr I just tried with your setup again and I'm almost successful:

    ISSUE 1: SPEED
    I follow the guide, when I reach the "Test, configure and start OpenVPN as a service" part and run the following command:
    /usr/sbin/openvpn --config /etc/openvpn/client.conf

    I can connect to internet with my VPS IP :)

    However the speed results are disappointing... Just before trying I used my W10 computer as openvpn client: speed test 65mbps download / 14 mbps upload

    Using the OpenWRT router as client my speed tests are 7mbps download / 8 download only (the download speed is almost 10 times less)

    I can't run top without doing Ctrl+C, and if I do that I lose the connection, as I will explain in the next lines. However from the processes page of the web interface I see the line of the openvpn command I ran using only 1% of the CPU.

    ISSUE 2: CONNECTION
    Right after I press Ctrl + C, if I try to connect again I can't, I get this error:

    Sat Jan 2 12:14:24 2016 daemon.notice openvpn(custom_config)[7257]: OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (PolarSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 25 2015
    Sat Jan 2 12:14:24 2016 daemon.notice openvpn(custom_config)[7257]: library versions: PolarSSL 1.3.11, LZO 2.08
    Sat Jan 2 12:14:24 2016 daemon.notice openvpn(custom_config)[7257]: Socket Buffers: R=[163840->131072] S=[163840->131072]
    Sat Jan 2 12:14:24 2016 daemon.notice openvpn(custom_config)[7257]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
    Sat Jan 2 12:14:24 2016 daemon.notice openvpn(custom_config)[7257]: UDPv4 link local: [undef]
    Sat Jan 2 12:14:24 2016 daemon.notice openvpn(custom_config)[7257]: UDPv4 link remote: [AF_INET]MY.VPS.WAN.IP:1194
    Sat Jan 2 12:14:24 2016 daemon.notice openvpn(custom_config)[7257]: TLS: Initial packet from [AF_INET]MY.VPS.WAN.IP:1194, sid=943f1502 6bea77ef
    Sat Jan 2 12:14:25 2016 daemon.notice openvpn(custom_config)[7257]: VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=TitoOcioVPS, OU=TitoOcioVPSUnit, CN=TitoOcioVPS CA, ??=server, [email protected]
    Sat Jan 2 12:14:25 2016 daemon.notice openvpn(custom_config)[7257]: VERIFY OK: nsCertType=SERVER
    Sat Jan 2 12:14:25 2016 daemon.notice openvpn(custom_config)[7257]: VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=TitoOcioVPS, OU=TitoOcioVPSUnit, CN=server, ??=server, [email protected]
    Sat Jan 2 12:14:27 2016 daemon.notice openvpn(custom_config)[7257]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Jan 2 12:14:27 2016 daemon.notice openvpn(custom_config)[7257]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Jan 2 12:14:27 2016 daemon.notice openvpn(custom_config)[7257]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Jan 2 12:14:27 2016 daemon.notice openvpn(custom_config)[7257]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Jan 2 12:14:27 2016 daemon.notice openvpn(custom_config)[7257]: Control Channel: TLSv1.0, cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA, 2048 bit RSA
    Sat Jan 2 12:14:27 2016 daemon.notice openvpn(custom_config)[7257]: [server] Peer Connection Initiated with [AF_INET]MY.VPS.WAN.IP:1194
    Sat Jan 2 12:14:29 2016 daemon.notice openvpn(custom_config)[7257]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Sat Jan 2 12:14:29 2016 daemon.notice openvpn(custom_config)[7257]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
    Sat Jan 2 12:14:29 2016 daemon.notice openvpn(custom_config)[7257]: OPTIONS IMPORT: timers and/or timeouts modified
    Sat Jan 2 12:14:29 2016 daemon.notice openvpn(custom_config)[7257]: OPTIONS IMPORT: --ifconfig/up options modified
    Sat Jan 2 12:14:29 2016 daemon.notice openvpn(custom_config)[7257]: OPTIONS IMPORT: route options modified
    Sat Jan 2 12:14:29 2016 daemon.notice openvpn(custom_config)[7257]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Sat Jan 2 12:14:29 2016 daemon.err openvpn(custom_config)[7257]: ERROR: Cannot ioctl TUNSETIFF tun15: Device or resource busy (errno=16)
    Sat Jan 2 12:14:29 2016 daemon.notice openvpn(custom_config)[7257]: Exiting due to fatal error

    I enabled OpenVPN after boot, I rebooted the router and then after 2 or 3 minutes it could load only speedtest.net (the download speed test now was 5mbps and upload 7mbps).

    I'm doing it through ethernet, otherwise the speed tests would give me half of the speed on each case (with W10 as openvpn client and with the router as openvpn client, I already verified that)

    Now more questions:

    1-Why can't I connect after doing the test and hitting Ctrl+C? And why after the reboot does it only get connected after 2 minutes and only speedtest.net works?

    2-To improve the speed I should just play with the values you mention?

    3-If my VPS server has tun0 as the openvpn interface, but through the edits needed on my router I'm always using tun15 (even in client.conf). Is that correct??

    4-Once/if I manage to get everything working correctly. Would it be possible to tell the router that I only want the IPs 192.168.1.2 and 192.168.1.5 to use the VPN internet connection (the rest I want to connect without the VPN)?

  • null_ptrnull_ptr Member
    edited January 2016

    tittooo7 said: 1-Why can't I connect after doing the test and hitting Ctrl+C? And why after the reboot does it only get connected after 2 minutes and only speedtest.net works?

    2-To improve the speed I should just play with the values you mention?

    3-If my VPS server has tun0 as the openvpn interface, but through the edits needed on my router I'm always using tun15 (even in client.conf). Is that correct??

    4-Once/if I manage to get everything working correctly. Would it be possible to tell the router that I only want the IPs 192.168.1.2 and 192.168.1.5 to use the VPN internet connection (the rest I want to connect without the VPN)?

    1 and 2 - I would need to see more details about your configuration files to tell you more.

    3 - The difference in naming TUN between client and server doesn't matter, if that's what you're concerned about, but yes, your router is always using tun15.

    4 - Yes, it's possible with routing tables and packet marking for example.

    Would you be able to discuss that over IRC or something? At the current rate it will take us forever to resolve this. If yes, then PM me a time (and include your time zone) when you would be available.

  • @null_ptr
    I found out why I can't connect again after doing the connection test and typing Ctrl + C to stop it:

    Once I do Ctrl + C, I can see in the process page of the router website that this process is still running:
    /usr/sbin/openvpn --config /etc/openvpn/client.conf
    I need to click a couple of times on kill or terminate (using the process page of the website) to make it disappear from there. And only after that I can connect again with the same command (not with /etc/init.d/openvpn start)

    In the meantime I'm trying to fix the speed issue, but so far no luck:
    I added sndbuf 0 and rcvbuf 0 to the server.conf in the VPS and the following lines to the client.conf in the router:

    sndbuf 393216
    rcvbuf 393216
    push "sndbuf 393216"
    push "rcvbuf 393216"
    tun-mtu 1400
    mssfix 1360

    But the improvement has been minimal, which means those lines probably didn't change anything.

    PS: I sent you a PM
