Install OpenVPN onto the router
SSH into OpenWRT
ssh root@<openwrt>
Update OpenWRT package repositories
opkg update
Install required packages for OpenVPN
opkg install luci-app-openvpn openvpn-openssl
Download PIA certificates
cd /etc/openvpn/
wget https://www.privateinternetaccess.com/openvpn/ca.crt
wget https://www.privateinternetaccess.com/openvpn/ca.rsa.2048.crt
wget https://www.privateinternetaccess.com/openvpn/ca.rsa.4096.crt
Create credentials file
# Insert your actual Private Internet Access username and password!
echo your_pia_username_here > credentials.txt
echo your_pia_password_here >> credentials.txt
Reboot and exit
reboot
Configure OpenWRT interfaces
Network > Interfaces > Add new network interface (example PIA_VPN).
Protocol = unmanaged.
Cover the following > Custom interface : tun0.
---
Network > Interfaces > WAN
Advanced Settings > Use DNS servers advertised by peer [disabled]
Advanced Settings > Use custom DNS servers [209.222.18.222, 209.222.18.218]
Configure OpenWRT firewall zones
Network > Firewall > Zones > wan (edit)
Covered networks [wan, wan6, pia_vpn]
Configure OpenVPN settings
Use cryptography details from the following table:
Auth | Cipher | Cert | UDP Port | TCP Port |
---|---|---|---|---|
SHA1 | BF-CBC | ca.crt | 53, 8080, 9201 | 80, 110, 443 |
SHA1 | AES-128-CBC | ca.rsa.2048.crt | 1198 | 502 |
SHA256 | AES-256-CBC | ca.rsa.4096.crt | 1197 | 501 |
Services > OpenVPN
Enter a descriptive name such as SWEDEN_AES_256_CBC_UDP (if connecting to Sweden VPN using UDP).
Simple client configuration for routed point-to-point VPN [enabled]
Switch to advanced configuration >>
-Service > verb [3]
-Networking > port [check table above]
-Networking > nobind [enabled]
-Networking > dev [tun]
-Networking > persist_tun [enabled]
-Networking > persist_key [enabled]
-VPN > client [enabled]
-VPN > auth_user_pass [/etc/openvpn/credentials.txt]
-VPN > remote [vpn server url]
-VPN > proto [udp]
-VPN > resolve_retry [infinite]
-Cryptography > auth [consult table above]
-Cryptography > cipher [consult table above]
-Cryptography > mute_replay_warnings [enabled]
-Cryptography > tls_client [enabled]
-Cryptography > client [enabled]
-Cryptography > remote_cert_ca [consult table above]
-Cryptography > remote_cert_tls [server]
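
An added example (not part of the original guide): a POSIX shell check that the auth, cipher, certificate, protocol and port chosen above all come from one row of the table, and that the credentials file created earlier holds exactly two lines and is readable only by its owner. The function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: consistency checks for the settings used in this guide.
# pia_row_ok and creds_file_ok are hypothetical helper names.

# pia_row_ok AUTH CIPHER CA PROTO PORT
# Succeeds only if all five values come from a single row of the table.
pia_row_ok() {
    case "$1|$2|$3" in
        "SHA1|BF-CBC|ca.crt")                 udp="53 8080 9201"; tcp="80 110 443" ;;
        "SHA1|AES-128-CBC|ca.rsa.2048.crt")   udp="1198"; tcp="502" ;;
        "SHA256|AES-256-CBC|ca.rsa.4096.crt") udp="1197"; tcp="501" ;;
        *) echo "auth/cipher/cert are not from the same row" >&2; return 1 ;;
    esac
    case "$4" in
        udp) ports="$udp" ;;
        tcp) ports="$tcp" ;;
        *) echo "proto must be udp or tcp" >&2; return 1 ;;
    esac
    for p in $ports; do
        [ "$p" = "$5" ] && return 0
    done
    echo "port $5 is not listed for $4 in this row" >&2
    return 1
}

# creds_file_ok PATH
# Succeeds only if PATH has exactly two non-empty lines (username, password)
# and carries no permission bits for group or others.
creds_file_ok() {
    [ -f "$1" ] || { echo "$1: missing" >&2; return 1; }
    [ "$(grep -c . "$1")" -eq 2 ] || { echo "$1: expected 2 lines" >&2; return 1; }
    # In the ls -l mode string, characters 5-10 are the group and other bits.
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$1: run chmod 600 $1" >&2; return 1; }
}

# Sample call with constructed values (third row of the table, UDP).
pia_row_ok SHA256 AES-256-CBC ca.rsa.4096.crt udp 1197 && echo "row is consistent"
```

On the router, `creds_file_ok /etc/openvpn/credentials.txt` reports whether the file written with `echo` is still group- or world-readable.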
Modify OpenVPN config file
SSH into OpenWRT
ssh root@<openwrt>
Edit the OpenVPN config file
vi /etc/config/openvpn
Find and remove the 'shared-secret.key' option
# Use / to search, enter the search text, then Enter
/shared-secret
# Delete the entire line
dd
# Save and quit
:wq
Reboot and exit
reboot
Enable the VPN and test connectivity
Services > OpenVPN [enabled]
Check connectivity
ping 1.1.1.1
ping www.google.co.uk
Confirm VPN IP
curl ifconfig.io
Visit the following websites and perform the security tests to confirm your security:
- IPv4 Leak Test: privateinternetaccess.com (this leak test is a banner at the top of the page).
- IPv6 Leak Test: http://ipv6leak.com/
- DNS Leak Test: http://dnsleak.com/