deVault Password

Month: April 2016

Kyoto at Night

2014 @ Kyoto, Japan

I can still feel the slight drizzle while walking up and down the streets of Kyoto after a good bowl of Ramen. Man, I miss Ramen.

[Tutorial] How to use OpenVPN on your OpenWRT router and start/stop it with your smartphone

Set up your VPN:

First, you’ll want to install the required packages, namely:

  • openvpn-openssl, the whole OpenVPN package
  • wget, since the version coming with OpenWRT is very limited
  • unzip, in case your .ovpn file is inside a zip file

To do this, you connect to your router via SSH (it’s possible to do it from the interface as well, but we’re going to configure OpenVPN over SSH anyways.)

opkg update
opkg install openvpn-openssl wget unzip

Now you need to create an interface for your VPN – you can either add it manually to /etc/config/network or just use this simple command using cat to append your input to the end of said file.

cat >> /etc/config/network << EOF
config interface 'NAME_VPN'
    option proto 'none'
    option ifname 'tun0'
EOF

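The next step is getting your .ovpn file(s). How you do this depends on who your VPN provider is – some offer a direct download, some don’t. For those who do, it’s rather easy. Be aware that --no-check-certificate tells wget to skip TLS certificate validation, so inspect the downloaded file before you use it.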

cd /etc/openvpn
wget --no-check-certificate

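Next, the router needs to be able to log in to your VPN – we could now add the username and password to each .ovpn file, but let’s be honest, that’s way too much of a drag. So, instead, we’ll just create a file called authuser and save them in there: username on the first line, password on the second. You can again do this easily using cat (the quoted 'EOF' keeps the shell from expanding characters such as $ in your password; replace the two placeholder lines with your own credentials).

cat >> /etc/openvpn/authuser << 'EOF'
YOUR_USERNAME
YOUR_PASSWORD
EOF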

Now you can simply edit your .ovpn files. To do that, open each one in your preferred text editor (vi, vim, nano) and look for the following line:


Change it to:

auth-user-pass authuser

Still a drag? You can also try to make a generic .ovpn file without the server specified. To do that, first create a copy of your .ovpn file:

cp /etc/openvpn/yourfile.ovpn yourvpngeneric.ovpn

Next open yourvpngeneric.ovpn in your preferred text editor and remove every line that starts with


Don’t forget to reference the authuser file in this file (auth-user-pass authuser) if you haven’t already.

This should give you a generic OpenVPN configuration file that you just need to feed with servers to connect to.

As one of the last steps of this part, we just need to add a new firewall zone so you’ll actually be able to access the internet. Again, cat to the rescue.

cat >> /etc/config/firewall << EOF
config zone
    option name 'VPN_FW'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'NAME_VPN'

config forwarding
    option dest 'VPN_FW'
    option src 'lan'
EOF

Make sure that the interface name ('NAME_VPN') is the same as in your network configuration (/etc/config/network) – otherwise it won’t work. Now, try the following command to start your VPN connection for the first time:

openvpn --cd /etc/openvpn --config /etc/openvpn/yourvpngeneric.ovpn --remote

If your original .ovpn file had multiple remote commands, you need to append each and every single one to this command.
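
The generic-file steps and the multi-remote command line above can be scripted. The following is an added example, not part of the original tutorial; it assumes the lines to strip are OpenVPN "remote" directives, and the function names and example.net hostnames are made up.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumption: the lines to strip
# from the generic file are OpenVPN "remote" directives.

# make_generic SRC DST: write SRC to DST without its "remote" lines and with
# auth-user-pass pointing at the shared credentials file "authuser".
make_generic() {
    src=$1; dst=$2
    # Provider files often use CRLF line endings; strip the CRs first.
    # "remote-cert-tls" and similar directives are kept: only "remote <args>" goes.
    tr -d '\r' < "$src" | sed \
        -e '/^[[:space:]]*remote[[:space:]]/d' \
        -e 's/^[[:space:]]*auth-user-pass\([[:space:]].*\)*$/auth-user-pass authuser/' \
        > "$dst"
    # Add the directive if the provider file had none at all.
    grep -q '^auth-user-pass authuser$' "$dst" || echo 'auth-user-pass authuser' >> "$dst"
    # The credentials file is plain text: make it readable by its owner only.
    authfile=$(dirname "$dst")/authuser
    if [ -f "$authfile" ]; then chmod 600 "$authfile"; fi
}

# remote_args SRC: print "--remote host [port [proto]]" for every remote line
# in SRC, ready to append to the openvpn command line.
remote_args() {
    tr -d '\r' < "$1" | awk '
        $1 == "remote" {
            printf "%s--remote", sep
            for (i = 2; i <= NF; i++) printf " %s", $i
            sep = " "
        }
        END { print "" }'
}

# Demo on a constructed provider file (hostnames are made up).
tmp=$(mktemp -d)
printf 'client\r\ndev tun\r\nremote vpn1.example.net 1194 udp\r\n' > "$tmp/provider.ovpn"
printf 'remote vpn2.example.net 443 tcp\r\nremote-cert-tls server\r\nauth-user-pass\r\n' >> "$tmp/provider.ovpn"
make_generic "$tmp/provider.ovpn" "$tmp/yourvpngeneric.ovpn"
echo "openvpn --cd /etc/openvpn --config /etc/openvpn/yourvpngeneric.ovpn $(remote_args "$tmp/provider.ovpn")"
```

On the router, call make_generic with your provider file and /etc/openvpn/yourvpngeneric.ovpn instead of the temporary paths used in the demo.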

If everything works, you should see a wall of text ending with this:

Tue Apr 26 02:35:32 2016 Initialization Sequence Completed

Check with ifconfig if you have a tun interface. If so, good. Now, try to go on the internet. If it doesn’t work, it might have something to do with your DNS. See if your VPN offers DNS servers and add them via these commands:

uci add_list dhcp.lan.dhcp_option="6,dns1,dns2"
uci commit dhcp

Now stop your VPN connection (killall openvpn), restart it and see if everything works. If not, reboot the router again. If it still doesn’t work, go over the tutorial again and see if you did everything right. Worst case, shoot me a comment.

Just to be sure, check here to see if the correct IP is displayed and check here to see if your DNS is leaking.

On your phone:

This step will depend on your phone, but look for an app that can execute SSH commands at the click of a button – I personally use SimpleSSH for iOS, but be warned, it’s a paid app. Once you have an app, first make sure it can successfully connect and SSH into your router.

Working? Good. Now, add the following commands.

Start VPN:

(openvpn --cd /etc/openvpn --config /etc/openvpn/yourvpngeneric.ovpn --remote &)

Stop VPN:

killall openvpn

Try them out a few times. And if anything doesn’t work or you have corrections, let me know.
