Set up your VPN:
First, you’ll want to install the required packages, namely:
- openvpn-openssl, the whole OpenVPN package
- wget, since the version coming with OpenWRT is very limited
- unzip, in case your .ovpn file is inside a zip file
To do this, connect to your router via SSH (it’s possible to do it from the interface as well, but we’re going to configure OpenVPN over SSH anyway).
opkg update
opkg install openvpn-openssl wget unzip
Now you need to create an interface for your VPN – you can either add it manually to /etc/config/network or just use this simple command using cat to append your input to the end of said file.
cat >> /etc/config/network << EOF
config interface 'NAME_VPN'
	option proto 'none'
	option ifname 'tun0'
EOF
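The next step is getting your .ovpn file(s). How you do this depends on your VPN provider: some offer a direct download, some don’t. For those who do, it’s rather easy. Note that --no-check-certificate turns off TLS certificate verification for this download, so wget will not detect a spoofed server or a file altered in transit.
cd /etc/openvpn
wget --no-check-certificate https://www.download-link-here.com/your_vpn.ovpn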
Next, the router needs to be able to log in to your VPN. We could now add username and password to each .ovpn file, but let’s be honest, that’s way too much of a drag. So, instead, we’ll just create a file called authuser and save them in there. You can again do this easily using cat.
cat >> /etc/openvpn/authuser << EOF
YOUR_USERNAME
YOUR_PASSWORD
EOF
Now you can simply edit your .ovpn files. To do that, open each one in your preferred text editor (vi, vim, nano) and look for the following line:
Change it to:
Still a drag? You can also try to make a generic .ovpn file without the server specified. To do that, first create a copy of your .ovpn file:
cp /etc/openvpn/yourfile.ovpn /etc/openvpn/yourvpngeneric.ovpn
Next open yourvpngeneric.ovpn in your preferred text editor and remove every line that starts with
Don’t forget to reference the authuser file in this file if you haven’t already.
This should give you a generic OpenVPN configuration file that you just need to feed with servers to connect to.
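The generic-file procedure above as a script, added here as an example and not taken from the original post. It assumes the directive to strip is remote and the credentials directive is auth-user-pass (the page does not show either line); the function names are made up for this example.

```sh
#!/bin/sh
# Added example, not part of the original tutorial.
# Assumed (not shown on the page): "remote" is the directive to strip and
# "auth-user-pass" is the directive that points at the credentials file.

# list_remotes SRC
# Print each server from the provider file as "--remote host [port] [proto]",
# one per line, ready to append to the openvpn command line.
list_remotes() {
    tr -d '\r' < "$1" |
        sed -n 's/^[[:space:]]*remote[[:space:]][[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/--remote \1/p'
}

# make_generic_ovpn SRC DST AUTHFILE
# Write a server-less copy of SRC to DST that reads credentials from AUTHFILE.
make_generic_ovpn() {
    src=$1 dst=$2 auth=$3
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    [ -f "$auth" ] || { echo "missing credentials file $auth" >&2; return 1; }
    # Strip CRs in case the file has Windows line endings, then drop every
    # "remote <server>" line and any existing auth-user-pass line. Options
    # that merely start with "remote" (remote-cert-tls, remote-random) stay.
    tr -d '\r' < "$src" | sed \
        -e '/^[[:space:]]*remote[[:space:]]/d' \
        -e '/^[[:space:]]*auth-user-pass[[:space:]]/d' \
        -e '/^[[:space:]]*auth-user-pass$/d' > "$dst" || return 1
    # Leading newline guards against a source file without a final newline.
    printf '\nauth-user-pass %s\n' "$auth" >> "$dst"
    # The credentials are stored in plaintext: restrict both files to the owner.
    chmod 600 "$auth" "$dst"
}

# On the router, with the paths used in this tutorial:
#   make_generic_ovpn /etc/openvpn/yourfile.ovpn \
#       /etc/openvpn/yourvpngeneric.ovpn /etc/openvpn/authuser
#   openvpn --cd /etc/openvpn --config /etc/openvpn/yourvpngeneric.ovpn \
#       $(list_remotes /etc/openvpn/yourfile.ovpn)
```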
As one of the last steps of this part, we just need to add a new firewall zone so you’ll actually be able to access the internet. Again, cat to the rescue.
cat >> /etc/config/firewall << EOF
config zone
	option name 'VPN_FW'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'NAME_VPN'
config forwarding
	option dest 'VPN_FW'
	option src 'lan'
EOF
Make sure that the network name (NAME_VPN here) is the same as in your network configuration (/etc/config/network), otherwise it won’t work. Now, try the following command to start your VPN connection for the first time:
openvpn --cd /etc/openvpn --config /etc/openvpn/yourvpngeneric.ovpn --remote some-server.com
If your original .ovpn file had multiple remote commands, you need to append each and every single one to this command.
If everything works, you should see a wall of text ending with this:
Tue Apr 26 02:35:32 2016 Initialization Sequence Completed
Check with ifconfig if you have a tun interface. If so, good. Now, try to go on the internet. If it doesn’t work, it might have something to do with your DNS. See if your VPN offers DNS servers and add them via these commands:
uci add_list dhcp.lan.dhcp_option="6,dns1,dns2"
uci commit dhcp
Now stop your VPN connection (killall openvpn), restart it and see if everything works. If not, reboot the router again. If it still doesn’t work, go over the tutorial again and see if you did everything right. Worst case, shoot me a comment.
On your phone:
This step will depend on your phone, but look for an app that advertises executing SSH commands at the click of a button. I personally use SimpleSSH for iOS, but be warned, it’s a paid app. Once you have an app, first make sure the app can successfully connect and SSH into your router. For me, it looks like this:
Working? Good. Now, add the following commands.
(openvpn --cd /etc/openvpn --config /etc/openvpn/yourvpngeneric.ovpn --remote some-server.com &)
Try them out a few times. And if anything doesn’t work or you have corrections, let me know.